OpenSSH smooth upgrade: fixing OpenSSL and OpenSSH vulnerabilities without losing access
I. Environment description
1) Operating system: CentOS 6.5 64-bit
2) OpenSSL version before the upgrade: openssl 0.9.8e
3) OpenSSL version after the upgrade: openssl 1.0.1j (installed from source)
4) OpenSSH version before the upgrade: openssh-4.3p2-41.el5
5) OpenSSH version after the upgrade: openssh-6.7p1 (installed from source)
6) Connection tool: SecureCRT
II. Install Dropbear as a temporary stand-in for OpenSSH
Installing dropbear keeps a way to log in to the system if sshd fails to start after the upgrade. Other tools, such as telnet, can serve the same purpose.
1) Download the dropbear source package
https://matt.ucc.asn.au/dropbear/releases/dropbear-2014.66.tar.bz2
2) Check that the build dependencies are installed
# rpm -qa zlib* gcc make
3) Compile and install dropbear
# tar jxf dropbear-2014.66.tar.bz2
# cd dropbear-2014.66
# ./configure
# make && make install
Check that the generated binaries are in place (/usr/local/sbin/dropbear and /usr/local/bin/dropbearkey).
4) Generate the host keys
# /usr/local/bin/dropbearkey -t dss -f /etc/dropbear/dropbear_dss_host_key
(Note: the system does not have the /etc/dropbear directory by default; create it first.)
# /usr/local/bin/dropbearkey -t rsa -s 4096 -f /etc/dropbear/dropbear_rsa_host_key
5) Start dropbear
# /usr/local/sbin/dropbear -p 2222    # listen on port 2222
Check that it started:
# netstat -antup | grep 2222
III. Upgrade OpenSSL to openssl-1.0.1j and remove the old version
1) Preparation before the upgrade
Download openssl-1.0.1j:
http://www.openssl.org/source/openssl-1.0.1j.tar.gz
2) Remove the old version
# rpm -e `rpm -qa | grep openssl` --allmatches --nodeps
3) When configuring openssl, remember to add the --shared option. Otherwise the newly installed OpenSSL shared library cannot be found when openssh is compiled, and configure fails with an error saying that the OpenSSL headers do not match the library version.
(Note: I was stuck here for a long time. If ./config --prefix=/usr --shared still produces the error that the OpenSSL header and library versions do not match, it is probably because an earlier OpenSSL that was also installed from source has not been removed, and you have to hunt down the ssl-related files by hand:
1. Run find / -name ssl
2. Rename the hits under /usr/lib, /usr/lib64, /lib64 and /lib one at a time, trying again after each. Do not delete them blindly. This is a clumsy method, but I have not found a better one yet.)
# ./config --prefix=/usr --shared
# make
# make test
# make install
Check that the new openssl version is the one installed:
# openssl version
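The header/library mismatch described in step 3) is easier to pin down with a couple of small checks than by renaming files blindly. The script below is an added example, not from the original post: it compares the version recorded in the installed opensslv.h against what the openssl binary reports, and lists any versioned libssl/libcrypto objects in the library directories whose soname is not the expected one (OpenSSL 1.0.1x installs *.so.1.0.0). Paths are assumed to follow the --prefix=/usr layout used above; the file tree it is tried on is constructed, and it only lists leftovers, it does not rename or delete anything.

```shell
#!/bin/sh
# Added example (not from the original post): diagnose the "header does not
# match the library version" error after a source install of OpenSSL.
# Assumption: headers under <root>/usr/include/openssl and libraries in the
# usual lib directories; the tree used when trying it out is constructed.

# Version recorded in the installed headers, e.g. "1.0.1j".
header_version() {   # $1 = path to opensslv.h
    sed -n 's/^#[[:space:]]*define[[:space:]]*OPENSSL_VERSION_TEXT[[:space:]]*"OpenSSL \([^ ]*\).*/\1/p' "$1"
}

# Version reported by the binary, e.g. from `openssl version`.
lib_version() {      # $1 = one line of `openssl version` output
    printf '%s\n' "$1" | sed -n 's/^OpenSSL \([^ ]*\).*/\1/p'
}

# Returns 0 when header and binary agree, 1 otherwise (prints a verdict).
versions_match() {   # $1 = opensslv.h path, $2 = `openssl version` output
    h=$(header_version "$1")
    l=$(lib_version "$2")
    if [ -n "$h" ] && [ "$h" = "$l" ]; then
        echo "OK: header and library both report $h"
        return 0
    fi
    echo "MISMATCH: header=${h:-none} library=${l:-none}"
    return 1
}

# List versioned libssl/libcrypto objects in the library directories whose
# soname differs from the expected one. These are the leftovers the post
# renames one by one; this function only lists them.
stale_ssl_libs() {   # $1 = root to scan ("/" on a live host), $2 = expected soname version, e.g. 1.0.0
    root=${1%/}
    esc=$(printf '%s' "$2" | sed 's/\./\\./g')
    for d in "$root/lib" "$root/lib64" "$root/usr/lib" "$root/usr/lib64" "$root/usr/local/lib"; do
        [ -d "$d" ] || continue
        find "$d" -maxdepth 1 \( -name 'libssl.so*' -o -name 'libcrypto.so*' \) 2>/dev/null
    done | grep '\.so\.[0-9]' | grep -v "\.so\.$esc\$" | sort
}

# On a live host after `make install` with --prefix=/usr:
#   versions_match /usr/include/openssl/opensslv.h "$(openssl version)"
#   stale_ssl_libs / 1.0.0
```

If versions_match reports a mismatch, the listing from stale_ssl_libs is the set of files to move aside (one at a time, as the post says) before re-running openssh's configure.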
IV. Upgrade sshd to OpenSSH 6.7 and remove the old ssh
1) Preparation before the upgrade
Check whether any required package is missing:
# rpm -qa | egrep "gcc|make|perl|pam-devel"
If yum is configured, you can install these packages directly with yum, which also confirms that they are installed:
# yum -y install gcc* make perl pam-devel
If the machine has no Internet access, download the rpm packages and install them with the rpm command.
2) Download openssh-6.7p1.tar.gz
http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-6.7p1.tar.gz
Back up the ssh configuration directory:
# mv /etc/ssh /etc/ssh.bak
3) Compile and install the new openssh version
# tar zxf openssh-6.7p1.tar.gz && cd openssh-6.7p1
# ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-md5-passwords
# make
Uninstall the old openssh packages before running make install:
# rpm -qa | grep openssh
# rpm -e `rpm -qa | grep openssh`
(openssh-askpass, one of the removed packages, is only used to enter a password in the graphical interface.)
# make install
4) Check that the new version is installed.
5) Copy the startup script to /etc/init.d (the file is contrib/redhat/sshd.init in the openssh source tree; the directory name is lowercase):
# cp /root/openssh-6.7p1/contrib/redhat/sshd.init /etc/init.d/sshd
Register it to start at boot:
# chkconfig --add sshd
6) Start sshd with start or reload. Do not use restart: restart drops the current connection immediately but does not start the sshd service, and you would then have to get back into the machine through another channel (the dropbear session) and start sshd from there.
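Step 6) and the dropbear check in section II both come down to the same question: is there a listener on the expected port, and does the installed version match what was just built? The script below is an added example, not from the original post. It parses `netstat -antup` style output and `ssh -V` output passed in as text, so the checks can be tried on the constructed samples in the comments before being run on a live host, and it wraps them in a pre-flight that validates the config with `sshd -t` and reloads via the init script rather than restarting. The binary and config paths are assumed to match the --prefix=/usr --sysconfdir=/etc/ssh build above.

```shell
#!/bin/sh
# Added example (not from the original post): post-upgrade checks for the
# sshd step and for the dropbear listener on port 2222. netstat and `ssh -V`
# output is passed in as text; sample lines below are constructed.

# Returns 0 when a `netstat -antup` style listing has a TCP listener on port $2.
# Sample input line (constructed):
#   tcp        0      0 0.0.0.0:2222    0.0.0.0:*    LISTEN    4321/dropbear
listening_on() {   # $1 = netstat output, $2 = port number
    printf '%s\n' "$1" | awk -v p="$2" '
        $1 ~ /^tcp/ && $6 == "LISTEN" {
            n = split($4, a, ":")      # local address is host:port; IPv6 shows as :::port
            if (a[n] == p) found = 1
        }
        END { if (found) exit 0; exit 1 }'
}

# Version from `ssh -V` (printed on stderr): "OpenSSH_6.7p1, OpenSSL ..." -> "6.7p1".
ssh_version() {    # $1 = output of `ssh -V 2>&1`
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][^ ,]*\).*/\1/p'
}

# Returns 0 when version $1 is at least $2, comparing the numeric part only
# ("6.7p1" >= "6.7", "4.3p2" < "6.7").
version_ge() {
    a=$(printf '%s\n' "$1" | sed 's/p.*//')
    b=$(printf '%s\n' "$2" | sed 's/p.*//')
    [ "$(printf '%s\n%s\n' "$a" "$b" | sort -t. -k1,1n -k2,2n | head -n1)" = "$b" ]
}

# Pre-flight for step 6): validate the config with sshd -t, start or reload
# through the init script (never restart), then confirm the listener is back
# and the installed build is the new one. Run it from the dropbear session on
# port 2222, not from the session you would lose if sshd fails to come up.
safe_sshd_reload() {   # $1 = sshd binary (assumed /usr/sbin/sshd), $2 = sshd_config (assumed /etc/ssh/sshd_config)
    "$1" -t -f "$2" || { echo "sshd config test failed; not reloading"; return 1; }
    service sshd reload || service sshd start || return 1
    sleep 1
    listening_on "$(netstat -antup 2>/dev/null)" 22 || { echo "sshd is not listening on port 22"; return 1; }
    v=$(ssh_version "$(ssh -V 2>&1)")
    version_ge "$v" 6.7 || { echo "ssh still reports OpenSSH $v"; return 1; }
    echo "sshd listening on port 22, OpenSSH $v"
}

# On the live host:
#   listening_on "$(netstat -antup 2>/dev/null)" 2222 && echo "dropbear fallback is up"
#   safe_sshd_reload /usr/sbin/sshd /etc/ssh/sshd_config
```

Only after safe_sshd_reload succeeds, and a fresh login on port 22 works from a new terminal tab, should the dropbear fallback in section V be removed.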
V. Remove dropbear
Open a new tab in the terminal software.
Dropbear was installed only as a safety net: if the upgrade had failed, it would have taken the place of openssh for connecting to the server.
With port 2222 open (a different port can be chosen when dropbear is started), connect as follows:
ssh -p 2222 192.168.0.1    (192.168.0.1 is the IP address of the server being connected to)
Once the new sshd is confirmed working, delete the dropbear files and kill its process:
# rm -rf /etc/dropbear /usr/local/sbin/dropbear /usr/local/bin/dropbear*