Redhat linux6.5 Upgrade openssh and linux6.5openssh

Redhat linux6.5 Upgrade openssh and linux6.5openssh

1. download the latest openssh package

Http://www.openssh.com/portable.html#http

 

2. Before upgrading openssh, you must first Enable telnet on the server and log on to the server through telnet, because ssh is temporarily unavailable during the upgrade process.

Open the linux telnet Service:

Check whether telnet has been installed:

Rpm-qa | grep telnet

Telnet-0.17-48.el6.x86_64

Telnet-server-0.17-48.el6.x86_64

 

If not, use yum to install

[Root @ leotest ~] # Yum install telnet

[Root @ leotest ~] # Yum install telnet-server

 

Start the telnet service:

Edit the telnet file and change disable to no.

[Root @ leotest xinetd. d] # vi/etc/xinetd. d/telnet

# Default: on

# Description: The telnet server serves telnet sessions; it uses \

# Unencrypted username/password pairs for authentication.

Service telnet

{

Flags = REUSE

Socket_type = stream

Wait = no

User = root

Server =/usr/sbin/in. telnetd

Log_on_failure + = USERID

Disable =No

}

 

 

Restart the xinetd service:

Service xinetd restart

Or:

/Etc/rc. d/init. d/xinetd restart

 

Connect to the server via telnet:

[C: \ ~] $ Telnet 192.168.5.5

 

 

Connecting to 192.168.5.5: 23...

Connection established.

To escape to local shell, press 'ctrl + Alt +] '.

Red Hat Enterprise Linux Server release 6.8 (Santiago)

Kernel 2.6.32-642. el6.x86 _ 64 on an x86_64

Login: test

Password:

[Test @ leotest ~] $

Because the defaultTelnetOnly common users can be connected, so you need to log on to a common user and then jumpRootUser

 

3. Back up the original openssh files:

Cp/usr/sbin/sshd. bak

Cp/etc/ssh/ssh_config/etc/ssh/ssh_config.bak

Cp/etc/ssh/sshd_config/etc/ssh/sshd_config.bak

Cp/etc/ssh/moduli. bak

 

Note: delete the following three files. Otherwise, an error will be reported during installation:

/Etc/ssh/ssh_config already exists, install will not overwrite

/Etc/ssh/sshd_config already exists, install will not overwrite

/Etc/ssh/moduli already exists, install will not overwrite

 

Rm/etc/ssh/ssh_config-fr

Rm/etc/ssh/sshd_config-fr

Rm/etc/ssh/moduli-fr

 

Yum install pam-devel

Yum install zlib-devel

Yum install openssl-devel

 

 

4. decompress and install openssh

[Root @ leotest softs] # tar-zxvf openssh-7.4p1.tar.gz

[Root @ leotest softs] # ls

Openssh-7.4p1 openssh-7.4p1.tar.gz openssh-7.4p1-vs-openbsd.diff.gz

[Root @ leotest softs] # cd openssh-7.4p1

[Root @ leotest openssh-7.4p1] #. /configure -- prefix =/usr/local/openssh -- sysconfdir =/etc/ssh -- with-pam-with-md5-passwords -- mandir =/usr/share/man

### Configure: error: *** zlib. h missing-please install first or check config. log

# Yum install zlib-devel

### Configure: error: *** Can't find recent OpenSSL libcrypto (see config. log for details )***

# Yum install openssl-devel

 

Re-compile:

Before re-compilation, clear the previous compilation information:

Make clean

Ldconfig

[Root @ leotest openssh-7.4p1] # ./Configure -- prefix =/usr/local/openssh -- sysconfdir =/etc/ssh -- with-pam -- with-md5-passwords -- mandir =/usr/share/man

OpenSSH has been configured with the following options:

User binaries:/usr/bin

System binaries:/usr/sbin

Configuration files:/etc/ssh

Askpass program:/usr/libexec/ssh-askpass

Manual pages:/usr/share/man/manX

PID file:/var/run

Privilege separation chroot path:/var/empty

Sshd default user PATH:/usr/bin:/usr/sbin:/sbin

Manpage format: doc

PAM support: no

Osf sia support: no

KerberosV support: no

SELinux support: no

Smartcard support:

S/KEY support: no

MD5 password support: no

Libedit support: no

Solaris process contract support: no

Solaris project support: no

Solaris privilege support: no

IP address in $ DISPLAY hack: no

Translate v4 in v6 hack: yes

BSD Auth support: no

Random number source: OpenSSL internal ONLY

Privsep sandbox style: rlimit

 

Host: x86_64-pc-linux-gnu

Compiler: gcc

Compiler flags: -g-O2-Wall-Wpointer-arith-Wuninitialized-Wsign-compare-Wformat-security-Wno-pointer-sign-fno-strict-aliasing-D_FORTIFY_SOURCE = 2-ftrapv-fno -builtin-memset-fstack-protector-all-fPIE

Preprocessor flags:

Linker flags:-Wl,-z, relro-Wl,-z, now-Wl,-z, noexecstack-fstack-protector-all-pie

Libraries:-lcrypto-lrt-ldl-lutil-lz-lcrypt-lresolv

 

Make & make install

/Etc/init. d/sshd restart

 

5. overwrite the old file

Cp-p/softs/openssh-7.4p1/contrib/redhat/sshd. init/etc/init. d/sshd

Chmod u + x/etc/init. d/sshd

Chkconfig -- add sshd

Cp/usr/local/openssh/sbin/sshd/usr/sbin/sshd

[Root @ pttlstydb openssh-7.4p1] # cp/usr/local/openssh/sbin/sshd/usr/sbin/sshd

Cp: overwrite'/usr/sbin/sshd '? Y

Cp: cannot create regular file '/usr/sbin/sshd ':Text file busy

File in use

[Root @ pttlstydb openssh-7.4p1] # ps-ef | grep sshd

Root 14111 1 0 :05? 00:00:00 sshd: root @ pts/0

Root 14865 1 0 :22? 00:00:00 sshd: root @ notty

Root 24182 14779 0 00:00:00 pts/1 grep sshd

[Root @ pttlstydb openssh-7.4p1] # kill-9 14865

[Root @ pttlstydb openssh-7.4p1] # ps-ef | grep sshd

Root 24227 14779 0 00:00:00 pts/1 grep sshd

 

Re-coverage:

Cp/usr/local/openssh/bin/ssh/usr/bin/ssh

 

[Root @ leotest openssh-7.4p1] # service sshd restart

Stopping sshd: [OK]

Ssh-keygen: illegal option --

Usage: ssh-keygen [options]

Options:

 

Cat/etc/init. d/sshd

Start ()

{

# Create keys if necessary

/Usr/bin/ssh-keygen-

If [-x/sbin/restorecon]; then

/Sbin/restorecon/etc/ssh/ssh_host_key.pub

/Sbin/restorecon/etc/ssh/ssh_host_rsa_key.pub

/Sbin/restorecon/etc/ssh/ssh_host_dsa_key.pub

/Sbin/restorecon/etc/ssh/ssh_host_ecdsa_key.pub

Fi

 

Echo-n $ "Starting $ prog :"

$ SSHD $ OPTIONS & success | failure

RETVAL =$?

[$ RETVAL-eq 0] & touch/var/lock/subsys/sshd

Echo

}

 

Because the default version is earlierSsh-KeygenNo-A PARAMETER

Solution:

Cp/usr/local/openssh/bin/ssh-keygen/usr/bin/ssh-keygen

 

 

RestartSshdService:

[Root @ leotest ssh] # service sshd restart

Stopping sshd: [OK]

Starting sshd: [OK]

Starting sshd:/etc/ssh/sshd_config line 81: Unsupported option GSSAPIAuthentication

/Etc/ssh/sshd_config line 83: Unsupported option GSSAPICleanupCredentials

 

Cause: the new version of openssh does not support the above parameters. You need to modify the sshd configuration file.

 

[Root @ leotest openssh-7.4p1] # vi/etc/ssh/sshd_config

# Remove the preceding comment and allow root users to log on via ssh

PermitRootLogin yes

 

# Comment out the following three parameters

# GSSAPIAuthentication yes

# GSSAPICleanupCredentials yes

# UsePAM yes

 

 

# Add the following information at the end of the file; otherwise, you still cannot log on to linux through ssh:

The cause of this problem isSshAfter the upgrade, some original encryption algorithms will not be used by default for security purposes. We can add them manually.

Ciphers aes128-cbc, aes192-cbc, aes256-cbc, aes128-ctr, aes192-ctr, aes256-ctr, 3des-cbc, arcfour128, arcfour256, arcfour, blowfish-cbc, cast128-cbc

MACs hmac-md5, hmac-sha1, umac-64@openssh.com, hmac-ripemd160, hmac-sha1-96, hmac-md5-96

KexAlgorithms diffie-hellman-group1-sha1, diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha1, diffie-hellman-group-exchange-sha256, ecdh-sha2-nistp256, ecdh-sha2-nistp384, ecdh-sha2-nistp521, diffie-hellman-group1-sha1

 

 

6. RestartSshdService,TestSshConnect to the server

Service sshd restart

[C: \ ~] $ Ssh 192.168.5.5

 

Connecting to 192.168.5.5: 22...

Connection established.

To escape to local shell, press 'ctrl + Alt +] '.

 

Last login: Tue Dec 27 00:22:10 2016 from 192.168.5.2

[Root @ leotest ~] # Ssh-V

OpenSSH_7.4p1, OpenSSL 1.0.1e-fips 11 Feb 2013

 

 

7. DisableTelnet

[Root @ leotest ~] # Vi/etc/xinetd. d/telnet

 

# Default: on

# Description: The telnet server serves telnet sessions; it uses \

# Unencrypted username/password pairs for authentication.

Service telnet

{

Flags = REUSE

Socket_type = stream

Wait = no

User = root

Server =/usr/sbin/in. telnetd

Log_on_failure + = USERID

 Disable = yes

}

 

StopXinetdService:

[Root @ leotest ~] # Service xinetd stop

Stopping xinetd: [OK]

Stop and start automatically:

[Root @ leotest ~] # Chkconfig -- list xinetd

Xinetd 0: off 1: off 2: off3: on 4: on 5: on6: off

[Root @ leotest ~] # Chkconfig xinetd off

[Root @ leotest ~] # Chkconfig -- list xinetd

Xinetd 0: off 1: off 2: off3: off 4: off 5: off6: off

 

 

 

Resolved after upgrade:

An error is reported when you log on to linux using winscp. The solution is as follows:

[Root @ leotest ~] # Vi/etc/ssh/sshd_config

 

# Override default of no subsystems

# Subsystem sftp/usr/libexec/openssh/sftp-server

Subsystem sftp internal-sftp

Change the original comment to the following internal-sftp

 

Restart the sshd service:

Service sshd restart