Upgrading OpenSSH on Red Hat Linux 6.5
1. Download the latest OpenSSH package
http://www.openssh.com/portable.html#http
2. Before upgrading OpenSSH, enable telnet on the server and log on through telnet, because ssh is temporarily unavailable during the upgrade.
Enable the Linux telnet service:
Check whether telnet is installed:
rpm -qa | grep telnet
telnet-0.17-48.el6.x86_64
telnet-server-0.17-48.el6.x86_64
If not, install it with yum:
[root@leotest ~]# yum install telnet
[root@leotest ~]# yum install telnet-server
Start the telnet service:
Edit the telnet file and change disable to no.
[root@leotest xinetd.d]# vi /etc/xinetd.d/telnet
# default: on
# description: The telnet server serves telnet sessions; it uses \
#       unencrypted username/password pairs for authentication.
service telnet
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        disable         = no
}
Restart the xinetd service:
service xinetd restart
Or:
/etc/rc.d/init.d/xinetd restart
Connect to the server via telnet:
[C:\~]$ telnet 192.168.5.5
Connecting to 192.168.5.5:23...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
Red Hat Enterprise Linux Server release 6.8 (Santiago)
Kernel 2.6.32-642.el6.x86_64 on an x86_64
login: test
Password:
[test@leotest ~]$
By default, telnet only allows ordinary users to log in, so log in as an ordinary user and then switch to the root user.
3. Back up the original OpenSSH files:
cp /usr/sbin/sshd /usr/sbin/sshd.bak
cp /etc/ssh/ssh_config /etc/ssh/ssh_config.bak
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
cp /etc/ssh/moduli /etc/ssh/moduli.bak
Note: delete the following three files. Otherwise, these errors are reported during installation:
/etc/ssh/ssh_config already exists, install will not overwrite
/etc/ssh/sshd_config already exists, install will not overwrite
/etc/ssh/moduli already exists, install will not overwrite
rm /etc/ssh/ssh_config -fr
rm /etc/ssh/sshd_config -fr
rm /etc/ssh/moduli -fr
yum install pam-devel
yum install zlib-devel
yum install openssl-devel
4. Decompress and install OpenSSH
[root@leotest softs]# tar -zxvf openssh-7.4p1.tar.gz
[root@leotest softs]# ls
openssh-7.4p1 openssh-7.4p1.tar.gz openssh-7.4p1-vs-openbsd.diff.gz
[root@leotest softs]# cd openssh-7.4p1
[root@leotest openssh-7.4p1]# ./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-pam --with-md5-passwords --mandir=/usr/share/man
### configure: error: *** zlib.h missing - please install first or check config.log
# yum install zlib-devel
### configure: error: *** Can't find recent OpenSSL libcrypto (see config.log for details) ***
# yum install openssl-devel
Re-compile:
Before re-compiling, clear the previous build state:
make clean
ldconfig
[root@leotest openssh-7.4p1]# ./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-pam --with-md5-passwords --mandir=/usr/share/man
OpenSSH has been configured with the following options:
User binaries: /usr/bin
System binaries: /usr/sbin
Configuration files: /etc/ssh
Askpass program: /usr/libexec/ssh-askpass
Manual pages: /usr/share/man/manX
PID file: /var/run
Privilege separation chroot path: /var/empty
sshd default user PATH: /usr/bin:/usr/sbin:/sbin
Manpage format: doc
PAM support: no
OSF SIA support: no
KerberosV support: no
SELinux support: no
Smartcard support:
S/KEY support: no
MD5 password support: no
libedit support: no
Solaris process contract support: no
Solaris project support: no
Solaris privilege support: no
IP address in $DISPLAY hack: no
Translate v4 in v6 hack: yes
BSD Auth support: no
Random number source: OpenSSL internal ONLY
Privsep sandbox style: rlimit
Host: x86_64-pc-linux-gnu
Compiler: gcc
Compiler flags: -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wno-pointer-sign -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-all -fPIE
Preprocessor flags:
Linker flags: -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-all -pie
Libraries: -lcrypto -lrt -ldl -lutil -lz -lcrypt -lresolv
make && make install
/etc/init.d/sshd restart
5. Overwrite the old files
cp -p /softs/openssh-7.4p1/contrib/redhat/sshd.init /etc/init.d/sshd
chmod u+x /etc/init.d/sshd
chkconfig --add sshd
cp /usr/local/openssh/sbin/sshd /usr/sbin/sshd
[root@pttlstydb openssh-7.4p1]# cp /usr/local/openssh/sbin/sshd /usr/sbin/sshd
cp: overwrite '/usr/sbin/sshd'? y
cp: cannot create regular file '/usr/sbin/sshd': Text file busy
The file is in use:
[root@pttlstydb openssh-7.4p1]# ps -ef | grep sshd
root 14111 1 0 :05 ? 00:00:00 sshd: root@pts/0
root 14865 1 0 :22 ? 00:00:00 sshd: root@notty
root 24182 14779 0 00:00:00 pts/1 grep sshd
[root@pttlstydb openssh-7.4p1]# kill -9 14865
[root@pttlstydb openssh-7.4p1]# ps -ef | grep sshd
root 24227 14779 0 00:00:00 pts/1 grep sshd
Overwrite again:
cp /usr/local/openssh/bin/ssh /usr/bin/ssh
[root@leotest openssh-7.4p1]# service sshd restart
Stopping sshd: [ OK ]
ssh-keygen: illegal option -- A
usage: ssh-keygen [options]
Options:
cat /etc/init.d/sshd
start()
{
        # Create keys if necessary
        /usr/bin/ssh-keygen -A
        if [ -x /sbin/restorecon ]; then
                /sbin/restorecon /etc/ssh/ssh_host_key.pub
                /sbin/restorecon /etc/ssh/ssh_host_rsa_key.pub
                /sbin/restorecon /etc/ssh/ssh_host_dsa_key.pub
                /sbin/restorecon /etc/ssh/ssh_host_ecdsa_key.pub
        fi
        echo -n $"Starting $prog:"
        $SSHD $OPTIONS && success || failure
        RETVAL=$?
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/sshd
        echo
}
The cause is that the older ssh-keygen installed by default has no -A option.
Solution:
cp /usr/local/openssh/bin/ssh-keygen /usr/bin/ssh-keygen
Restart the sshd service:
[root@leotest ssh]# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
Starting sshd: /etc/ssh/sshd_config line 81: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 83: Unsupported option GSSAPICleanupCredentials
Cause: the new version of OpenSSH does not support the above parameters. You need to modify the sshd configuration file.
[root@leotest openssh-7.4p1]# vi /etc/ssh/sshd_config
# Remove the leading comment mark to allow the root user to log on via ssh
PermitRootLogin yes
# Comment out the following three parameters
#GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
#UsePAM yes
# Add the following lines at the end of the file; otherwise, you still cannot log on to Linux through ssh.
# The cause of this problem is that, after the upgrade, ssh no longer uses some of the original encryption algorithms by default for security purposes. We can add them manually.
Ciphers aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc,arcfour128,arcfour256,arcfour,blowfish-cbc,cast128-cbc
MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1
6. Restart the sshd service and test the ssh connection to the server
service sshd restart
[C:\~]$ ssh 192.168.5.5
Connecting to 192.168.5.5:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
Last login: Tue Dec 27 00:22:10 2016 from 192.168.5.2
[root@leotest ~]# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.1e-fips 11 Feb 2013
7. Disable telnet
[root@leotest ~]# vi /etc/xinetd.d/telnet
# default: on
# description: The telnet server serves telnet sessions; it uses \
#       unencrypted username/password pairs for authentication.
service telnet
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        disable         = yes
}
Stop the xinetd service:
[root@leotest ~]# service xinetd stop
Stopping xinetd: [ OK ]
Disable automatic start at boot:
[root@leotest ~]# chkconfig --list xinetd
xinetd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
[root@leotest ~]# chkconfig xinetd off
[root@leotest ~]# chkconfig --list xinetd
xinetd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
Problem resolved after the upgrade:
An error is reported when you log on to Linux using WinSCP. The solution is as follows:
[root@leotest ~]# vi /etc/ssh/sshd_config
# override default of no subsystems
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
Comment out the original Subsystem line and replace it with the internal-sftp line shown after it.
Restart the sshd service:
service sshd restart
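Step 5 re-enables algorithms that the upgraded sshd leaves off by default. The following added example (not part of the original post) lists which entries on the Ciphers, MACs and KexAlgorithms lines belong to that legacy group. The function names, the sample data and the deny-list patterns (CBC and arcfour ciphers, MD5 and 96-bit truncated MACs, diffie-hellman-group1-sha1) are assumptions of this example.

```shell
#!/bin/sh
# Added example: report legacy algorithms enabled in an sshd_config.
# The deny-list patterns are this example's assumption, not OpenSSH's own list.

audit_sshd_algos() {
    # Reads the files given as arguments, or stdin when none are given.
    # Prints one "Directive: algorithm" line per finding.
    awk '
        /^[ \t]*#/ { next }                      # skip comment lines
        {
            key = tolower($1)                    # directive names are case-insensitive
            if (key != "ciphers" && key != "macs" && key != "kexalgorithms") next
            list = ""                            # rejoin lists pasted with spaces after commas
            for (i = 2; i <= NF; i++) list = list $i
            n = split(list, algo, ",")
            for (i = 1; i <= n; i++) {
                a = algo[i]; weak = 0
                if (key == "ciphers" && (a ~ /-cbc$/ || a ~ /^arcfour/)) weak = 1
                if (key == "macs" && (a ~ /^hmac-md5/ || a ~ /-96$/)) weak = 1
                if (key == "kexalgorithms" && a == "diffie-hellman-group1-sha1") weak = 1
                if (weak && !seen[key, a]++) print $1 ": " a   # report each name once
            }
        }
    ' "$@"
}

# Constructed sample input: the three lines step 5 appends to sshd_config.
sample_sshd_config() {
    cat <<'EOF'
Ciphers aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc,arcfour128,arcfour256,arcfour,blowfish-cbc,cast128-cbc
MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1
EOF
}

sample_sshd_config | audit_sshd_algos
```

Run it on the live file with audit_sshd_algos /etc/ssh/sshd_config, and remove each reported entry once the clients that still need it have been updated.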