Why: a third-party vulnerability scanner flagged the stock OpenSSH 5.3p1 on this RHEL 6.5 host, and the decision was to upgrade to OpenSSH 7.1p2 from source. Two things a practitioner should check before following this page: (1) on RHEL the supported route is Red Hat's errata builds of openssh-5.3p1 — the `-94.el6` release number, not the 5.3p1 version string, carries the backported security fixes — so confirm the scanner is not simply matching on the version banner before replacing vendor-maintained packages that yum will no longer patch; (2) everything below is done on a live host as root, so work from a console or out-of-band session, or at the very least keep a second SSH session open, so that a broken sshd cannot lock you out.
System version:
[root@db ~]# uname -a
Linux db 2.6.32-431.el6.x86_64 #1 SMP Sun Nov 22:19:54 EST 2013 x86_64 x86_64 x86_64 GNU/Linux
[root@db ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.5 (Santiago)
Upgrade Step:
1. Verify the existing versions (and install the PAM headers that `--with-pam` needs)
[root@db 1]# yum install pam-devel
[Root@db 1]# pwd
/home/1
[Root@db 1]# ls
openssh-7.1p2  openssl-1.1.0-pre3  zlib-1.2.8   <<<-- caution: openssl-1.1.0-pre3 is a pre-release snapshot and should not be deployed on a production host; as the `ssh -V` output at the end of this page shows, the finished build is linked against the system OpenSSL 1.0.1e anyway, so this tarball ends up unused. Verify the signature of any source tarball (OpenSSH releases are signed) before building it as root.
[root@db 1]# ssh -V
OpenSSH_5.3p1, OpenSSL 1.0.0-fips   <<<-- current SSH version
[root@db 1]# openssl version
OpenSSL 1.0.1e-fips Feb 2013
[root@db 1]# rpm -q zlib
zlib-1.2.3-29.el6.x86_64
[root@db 1]# rpm -qa | grep openssl
openssl-1.0.1e-15.el6.x86_64
[root@db 1]# rpm -qa | grep openssh
openssh-5.3p1-94.el6.x86_64
openssh-clients-5.3p1-94.el6.x86_64
openssh-server-5.3p1-94.el6.x86_64
openssh-askpass-5.3p1-94.el6.x86_64
2. Uninstall the existing packages
[root@db 1]# rpm -e $(rpm -qa | grep openssh)
error: Failed dependencies:
        openssh-clients is needed by (installed) python-meh-0.12.1-3.el6.noarch
[root@db 1]# rpm -e $(rpm -qa | grep openssl) --nodeps   <<<-- do NOT do this: it deletes libssl.so.10/libcrypto.so.10, which yum, python and much of the base system link against. The yum failure in the next step is the direct result, and the page later has to reinstall the very same openssl rpm. Leave the vendor OpenSSL in place — OpenSSH is what is being replaced, not OpenSSL.
[root@db 1]# rpm -e firstboot-1.110.15-1.el6.x86_64
[root@db 1]# rpm -e python-meh-0.12.1-3.el6.noarch
[root@db 1]# rpm -e $(rpm -qa | grep openssh)   <<<-- the openssh-server package's uninstall scripts may stop the running sshd, so do this from a console session; better still, build and verify the new sshd first and remove the packages only afterwards.
[root@db 1]# yum install firstboot
There was a problem importing one of the Python modules
required to run yum. The error leading to this problem was:
   libssl.so.10: cannot open shared object file: No such file or directory
Please install a package which provides this module, or
verify that the module is installed correctly.
It's possible that the above module doesn't match the
current version of Python, which is:
2.6.6 (r266:84292, Sep  4 2013, 07:46:00)
[GCC 4.4.7 20120313 (Red Hat 4.4.7-3)]
If you cannot solve this problem yourself, please go to
the yum faq at:
  http://yum.baseurl.org/wiki/Faq
(This is the consequence of `rpm -e --nodeps` on openssl in step 2: yum's Python bindings can no longer load libssl.so.10. It is repaired further down by reinstalling openssl-1.0.1e-15.el6 from the install media; until then neither yum nor anything else that links OpenSSL works.)
3. Build zlib and OpenSSL
[root@db 1]# cd zlib-1.2.8/
[root@db zlib-1.2.8]# ls
[root@db zlib-1.2.8]# ./configure --prefix=/usr/local/zlib
[root@db zlib-1.2.8]# make && make install
[root@db zlib-1.2.8]# cd ../openssl-1.1.0-pre3/
[root@db openssl-1.1.0-pre3]# ./config --prefix=/usr/local/openssl
[root@db openssl-1.1.0-pre3]# make && make install
(Note: OpenSSH 7.1p2 predates OpenSSL 1.1.0 API support, and the configure errors below are consistent with this private OpenSSL build not being usable; the build only succeeds once the system openssl-devel 1.0.1e headers are installed, and the resulting ssh reports OpenSSL 1.0.1e. This OpenSSL step can be skipped entirely.)
4. Build OpenSSH
[root@db openssl-1.1.0-pre3]# cd ../openssh-7.1p2/
[root@db openssh-7.1p2]# ./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-pam --with-ssl-dir=/usr/local/openssl --with-md5-passwords --mandir=/usr/share/man --with-zlib=/usr/local/zlib
checking for gcc... gcc
...
configure: error: *** OpenSSL headers missing - please install and/or check config.log ***
[Root@db openssh-7.1p2]# Rpm-qa |grep Pam
Pam-1.1.1-17.el6.x86_64
Pam-devel-1.1.1-17.el6.x86_64
Pam_krb5-2.3.11-9.el6.x86_64
Pam_passwdqc-1.0.5-6.el6.x86_64
pam-devel-1.1.1-17.el6.i686
Fprintd-pam-0.1-21.git04fd09cfa.el6.x86_64
pam-1.1.1-17.el6.i686
Gnome-keyring-pam-2.28.2-8.el6_3.x86_64
[root@db openssh-7.1p2]# ./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-pam --with-ssl-dir=/usr/local/openssl --with-md5-passwords --mandir=/usr/share/man --with-zlib=/usr/local/zlib ^C
[root@db openssh-7.1p2]# rpm -ivh /media/rhel/packages/openssl-1.0.1e-15.el6.x86_64.rpm
Preparing...                ########################################### [100%]
   1:openssl                ########################################### [100%]
[root@db openssh-7.1p2]# rpm -ivh openssl-1.0.1e-15.el6.x86_64.rpm
(Reinstalling the vendor openssl rpm restores libssl.so.10 and gets yum working again. This is the GA 1.0.1e-15 build from the 6.5 install media, so once yum works run `yum update openssl` to get the current errata build rather than the original release. It does not fix the configure error, because the headers live in openssl-devel, not openssl.)
[root@db openssh-7.1p2]# ./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-pam --with-ssl-dir=/usr/local/openssl --with-md5-passwords --mandir=/usr/share/man --with-zlib=/usr/local/zlib
checking for gcc... gcc
...
configure: error: *** OpenSSL headers missing - please install and/or check config.log ***
[Root@db openssh-7.1p2]# OpenSSL version-a
OpenSSL 1.0.1e-fips Feb 2013
Built On:fri Sep 10:09:12 EDT 2013
Platform:linux-x86_64
Options:bn (64,64) md2 (int) RC4 (16x,int) des (idx,cisc,16,int) idea (int) blowfish (IDX)
Compiler:gcc-fpic-dopenssl_pic-dzlib-dopenssl_threads-d_reentrant-ddso_dlfcn-dhave_dlfcn_h-dkrb5_mit-m64-dl_en Dian-dtermio-wall-o2-g-pipe-wall-wp,-d_fortify_source=2-fexceptions-fstack-protector--param=ssp-buffer-size=4- M64-mtune=generic-wa,--NOEXECSTACK-DPURIFY-DOPENSSL_IA32_SSE2-DOPENSSL_BN_ASM_MONT-DOPENSSL_BN_ASM_MONT5- Dopenssl_bn_asm_gf2m-dsha1_asm-dsha256_asm-dsha512_asm-dmd5_asm-daes_asm-dvpaes_asm-dbsaes_asm-dwhirlpool_asm- Dghash_asm
Openssldir: "/etc/pki/tls"
Engines:rdrand Dynamic
[Root@db openssh-7.1p2]#
[root@db openssh-7.1p2]# rpm-qa |grep gcc
Gcc-4.4.7-4.el6.x86_64
Gcc-c++-4.4.7-4.el6.x86_64
Libgcc-4.4.7-4.el6.x86_64
libgcc-4.4.7-4.el6.i686
[root@db openssh-7.1p2]# rpm -qa | grep openssl-devel
[root@db openssh-7.1p2]# cd /media/rhel/packages/
[root@db packages]# rpm -ivh openssl-devel-1.0.1e-15.el6.x86_64.rpm
error: Failed dependencies:
        krb5-devel is needed by openssl-devel-1.0.1e-15.el6.x86_64
        zlib-devel is needed by openssl-devel-1.0.1e-15.el6.x86_64
(The real cause of the configure error: openssl-devel, which provides the headers, was never installed. The dependency chase below is done by hand with rpm; since yum works again at this point, `yum install openssl-devel` would have resolved the whole chain in one step, as the `yum install libsepol-devel` further down shows.)
[Root@db packages]# RPM-IVH krb5-devel-1.10.3-10.el6_4.6.x86_64.rpm
error:failed dependencies:
Keyutils-libs-devel is needed by krb5-devel-1.10.3-10.el6_4.6.x86_64
Libcom_err-devel is needed by krb5-devel-1.10.3-10.el6_4.6.x86_64
Libselinux-devel is needed by krb5-devel-1.10.3-10.el6_4.6.x86_64
[Root@db packages]# RPM-IVH Keyutils-libs-devel
Error:open of Keyutils-libs-devel failed:no such file or directory
[Root@db packages]# RPM-IVH keyutils-libs-devel-1.4-4.el6.x86_64.rpm
Preparing ... ########################################### [100%]
1:keyutils-libs-devel ########################################### [100%]
[Root@db packages]# RPM-IVH libcom_err-devel-1.41.12-18.el6.x86_64.rpm
Preparing ... ########################################### [100%]
1:libcom_err-devel ########################################### [100%]
[Root@db packages]# RPM-IVH libselinux-devel-2.0.94-5.3.el6_4.1.x86_64.rpm
error:failed dependencies:
Libsepol-devel >= 2.0.32-1 is needed by libselinux-devel-2.0.94-5.3.el6_4.1.x86_64
Pkgconfig (Libsepol) is needed by libselinux-devel-2.0.94-5.3.el6_4.1.x86_64
[root@db packages]# yum install libsepol-devel
[root@db packages]# cd /home/1/openssh-7.1p2/
[root@db openssh-7.1p2]# ./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-pam --with-ssl-dir=/usr/local/openssl --with-md5-passwords --mandir=/usr/share/man --with-zlib=/usr/local/zlib
[root@db openssh-7.1p2]# make && make install
(configure now succeeds against the system 1.0.1e headers. `--sysconfdir=/etc/ssh` means the new build reuses the existing /etc/ssh/sshd_config and host keys, so clients should not see a host-key-changed warning — back that directory up before `make install` anyway, and afterwards check `ls -l /etc/ssh/ssh_host_*` so you know which host keys the server will present.)
5. Set up the sshd service
[root@db openssh-7.1p2]# cp -p contrib/redhat/sshd.init /etc/init.d/sshd
[root@db openssh-7.1p2]# chmod u+x /etc/init.d/sshd
[root@db openssh-7.1p2]# chkconfig --add sshd
[root@db 1]# cp /usr/local/openssh/sbin/sshd /usr/sbin/sshd
[root@db 1]# service sshd start
/etc/init.d/sshd: line: /usr/bin/ssh-keygen: No such file or directory
Starting sshd: [  OK  ]
(Before restarting sshd over the network, run `/usr/sbin/sshd -t` to syntax-check the configuration and, ideally, start a test instance on a spare port — `/usr/sbin/sshd -p 2222 -d` — and log in to it, so the session you are working from is never the only way in. The ssh-keygen error is the init script's host-key step failing because /usr/bin/ssh-keygen was removed with the rpm; sshd still starts here only because the existing host keys under /etc/ssh survived. On an SELinux-enforcing host a plain `cp` into /usr/sbin likely leaves the new sshd with the directory's default label rather than sshd_exec_t; check with `ls -Z /usr/sbin/sshd` and run `restorecon -v /usr/sbin/sshd` if needed.)
[root@db 1]# find / -name ssh
/etc/ssh
/usr/local/openssh/bin/ssh
/home/1/openssh-7.1p2/ssh
[root@db 1]# /usr/local/openssh/bin/ssh -V
OpenSSH_7.1p2, OpenSSL 1.0.1e-fips Feb 2013
[root@db 1]# cp /usr/local/openssh/bin/ssh /usr/bin/
(Copying binaries into /usr/bin one at a time is fragile — scp, sftp, ssh-keygen, ssh-agent and ssh-add are still missing at this point, which is exactly what the ssh-keygen error above was. Either put /usr/local/openssh/bin ahead of /usr/bin in PATH or symlink every tool, and record what was copied so the next OpenSSH update replaces all of it.)
6. Verify the upgraded version and restart the service
[root@db 1]# ssh -V
OpenSSH_7.1p2, OpenSSL 1.0.1e-fips Feb 2013
[Root@db 1]#
[Root@db 1]#
[root@db 1]# Service sshd restart
Stopping sshd:[OK]
/etc/init.d/sshd:line:/usr/bin/ssh-keygen:no such file or directory
Starting sshd:[OK]
[root@db ~]# cd /usr/local/openssh/bin
[root@db bin]# ls
scp  sftp  slogin  ssh  ssh-add  ssh-agent  ssh-keygen  ssh-keyscan
[root@db bin]# cp ssh-keygen /usr/bin/
[root@db bin]# service sshd restart
Stopping sshd: [  OK  ]
Starting sshd: [  OK  ]
[root@db bin]#
[root@db bin]# ssh -V
OpenSSH_7.1p2, OpenSSL 1.0.1e-fips Feb 2013
(`ssh -V` only proves that the client binary on PATH is new. To confirm the running server is the new one — which is what the scanner actually reads — check the banner from another host, e.g. `ssh -v db 2>&1 | grep 'remote software version'` or `nc db 22`.)
7. (Optional — not recommended) allow root to log in remotely
[root@db ~]# cat /etc/ssh/sshd_config
# Authentication:
...
#LoginGraceTime 2m
PermitRootLogin yes
(OpenSSH 7.0 changed the default to `prohibit-password`, which is why password-based root login stops working after this upgrade. `PermitRootLogin yes` restores it, but it reverses a hardening change that vulnerability scanners routinely flag — on the very host the scan was about. Prefer logging in as an unprivileged user and using sudo, or at most `PermitRootLogin without-password`, which allows root only with a public key.)
8. SecureCRT cannot upload files (SFTP fails) — fix:
In /etc/ssh/sshd_config change
Subsystem sftp /usr/libexec/openssh/sftp-server
to
Subsystem sftp internal-sftp
After restarting sshd, SFTP works again.
(The old path belonged to the removed openssh-server rpm; the source build installs its sftp-server under /usr/local/openssh/libexec/. `internal-sftp` runs the SFTP server inside sshd itself and is the better choice regardless: it needs no external binary and is required for ChrootDirectory setups.)
9. Problems after the upgrade
SSH connections from SecureCRT work, but other tools can no longer connect to the host.
Workaround found online: edit /etc/ssh/sshd_config
and add the following lines:
Ciphers aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc,arcfour128,arcfour256,arcfour,blowfish-cbc,cast128-cbc
MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1,curve25519-sha256@libssh.org
The cause: OpenSSH 7.x disables a number of legacy algorithms by default for security reasons, and the clients that fail are presumably the ones that only offer those algorithms.
WARNING: this "workaround" re-enables RC4 (arcfour*), 3DES/Blowfish/CAST, every CBC-mode cipher, MD5 and truncated (-96) MACs, and the 1024-bit diffie-hellman-group1-sha1 key exchange — precisely the weak algorithms a vulnerability scanner reports, so applying it reintroduces the findings this upgrade was meant to clear. The right fix is to update the clients that cannot negotiate modern algorithms. If a legacy client must be kept temporarily, add only the single algorithm that client needs on top of the defaults, document why, and remove it once the client is updated. (diffie-hellman-group1-sha1 is also listed twice in the KexAlgorithms line.)
(Whether all three lines or only the KexAlgorithms line are added, restarting the service fails as follows:) [root@db ~]# service sshd restart  Stopping sshd: [  OK  ]  Starting sshd: Unsupported KEX algorithm "ecdh-sha2-nistp521"  /etc/ssh/sshd_config line 137: Bad SSH2 KexAlgorithms 'diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1,curve25519-sha256@libssh.org'. [FAILED] [root@db ~]#  (sshd rejects ecdh-sha2-nistp521 most likely because the OpenSSL it was linked against does not provide that curve; `openssl ecparam -list_curves` shows what the library offers. `/usr/sbin/sshd -t` would have reported this before the old daemon was stopped — the "Stopping: OK / Starting: FAILED" sequence above is exactly the lock-out scenario to avoid on a remote host.)
=================================================================
Modified as follows:
Ciphers aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc,arcfour128,arcfour256,arcfour,blowfish-cbc,cast128-cbc
MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,diffie-hellman-group1-sha1,curve25519-sha256@libssh.org   (ecdh-sha2-nistp521 removed from this line)
(Run `/usr/sbin/sshd -t` first; it prints the same diagnostic and exits non-zero on a bad configuration without touching the running daemon. And note the warning in step 9: a hardened configuration that still works with current clients would be along the lines of `Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr`, `MACs hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com` and `KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256` — which is what the scanner wants to see, rather than the legacy list above.)
Start the sshd service: