Centos7 upgrades openssh to OpenSSH_8.0p1

Posted by htcilt on Tue, 13 Aug 2019 10:00:21 +0200

  1. Basic environment
    CentOS Linux release 7.6.1810 (Core)
    OpenSSH_7.9p1, OpenSSL 1.0.2k-fips 26 Jan 2017

  2. Upgrade preparation

    1. Open the file transfer tool (such as xftp) while opening the ssh connection tool (such as xshell). Because the upgrade process cannot create new connections for the need to upload files manually.
    2. The package to be upgraded is downloaded in advance, such as openssl-1.1.1c.tar.gz and openssh-8.0p1.tar.gz. Delete after the upgrade is completed.
  3. Matters needing attention

    1. Backup libssl.so.1.0.2k and libcrypto.so.1.0.2k in the / usr/lib64 directory. In the process of updating openssl, two files will be deleted, resulting in many commands such as yum, wget, ping and so on can not be used.
      cd /usr/lib64
      cp libssl.so.1.0.2k /bak --/bak To backup directories
      cp libcrypto.so.1.0.2k /bak
  4. Close selinux
    Temporary shutdown: setenforce 0 -- use temporary shutdown
    Permanent shutdown: vi/etc/sysconfig/selinux
    Change SELINUX=enforcing to SELINUX=disabled
    Restart service reboot

  5. Close the firewall
    Firewall related operations

    • View firewall status: firewall-cmd-state
    • Open the firewall:
      firewall-cmd-reload -- overload configuration that does not disconnect existing tcp sessions. Recommended use
       System CTL restart firewalld -- Restart the service and disconnect the existing tcp session. Not recommended
    • Stop firewalls: system CTL stop firewalld. Service -- Suggested closure during upgrade
    • No boot-up: system CTL disable firewalld.service
    • Open Designated Port (22 for example): firewall-cmd --permanent --add-port=22/tcp
  6. Install telnet
    Standby login scheme when ssh cannot login
    6.1 yum install xinetd telnet-server -y
    6.2 Configuration of telnet
    If you configure telnet to log in root, change disable = no to disable = yes
    Vi/etc/xinetd.d/telnet enter the following:

    # default: on
    # description: The telnet server serves telnet sessions; it uses \
    #   unencrypted username/password pairs for authentication.
    service telnet
        # if allow root login, disable = yes
        disable = no
        flags       = REUSE
        socket_type = stream
        wait        = no
        user        = root
        server      = /usr/sbin/in.telnetd
        log_on_failure  += USERID

    6.3 Configure the terminal type of telnet login, add some pts terminals at the end of the / etc / security file, as follows


    6.4 Start telnet service

    systemctl enable xinetd
    systemctl enable telnet.socket
    Created symlink from /etc/systemd/system/sockets.target.wants/telnet.socket to /usr/lib/systemd/system/telnet.socket.
    systemctl start telnet.socket
    systemctl start xinetd
    netstat -lntp|grep 23
    tcp6 0 0 :::23 :::* LISTEN 1/systemd     
  7. Installation of dependency packages (required for subsequent upgrades)

    yum install  -y gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel  pam-devel 
    yum install  -y pam* zlib*
  8. Upgrade openssl

    cd /tmp
    tar -zxvf openssl-1.1.1c.tar.gz
    cd penssl-1.1.1c
    ./config --prefix=/usr/local/openssl --If this step reports an error,Need to install perl as well as gcc package
    echo $?  --Check to see if the previous command reported an error
    echo $?  --Check to see if the previous command reported an error
    make install
    echo $?  --Check to see if the previous command reported an error
    mv /usr/bin/openssl /usr/bin/openssl.bak –backups
    ln -sf /usr/local/openssl/bin/openssl /usr/bin/openssl  --Creating Soft Connections
    echo "/usr/local/openssl/lib" >> /etc/ld.so.conf --Write in openssl Search Path for Library Files
    ldconfig -v                    --Set up/etc/ld.so.conf Take effect
    openssl version
    OpenSSL 1.1.1c  28 May 2019
  9. Upgrade openssh
    9.1 Installation

    cp -r /etc/ssh /etc/ssh.bak –backups
    cd /tmp
    tar -zxvf openssh-8.0p1.tar.gz
    cd openssh-8.0p1
    ./configure --prefix=/usr --sysconfdir=/etc/ssh  --with-openssl-includes=/usr/local/openssl/include --with-ssl-dir=/usr/local/openssl   --with-zlib   --with-md5-passwords   --with-pam  --Notice the path of the parameter
    echo $?  --Check to see if the previous command reported an error
    make && make install
    echo $?  --Check to see if the previous command reported an error

    9.2 Configuration

    vi /etc/ssh/sshd_config
     Modify to the following
    PasswordAuthentication yes
    UseDNS no
    cd /tmp/openssh-8.0p1
     CP-A contrib/redhat/sshd.init/etc/init.d/sshd -- Using the new version of the execution file
     CP-A contrib/redhat/sshd.pam/etc/pam.d/sshd.pam-no matter it does not exist
     Sudo Chmod +x/etc/init.d/sshd -- Adding execution permissions required for non-root users to install
     chkconfig --add sshd --- Set sshd service to boot
     System CTL enable sshd -- Allows sshd services to self-start
     Mv/usr/lib/systemd/system/sshd.service/tmp-Delete or remove the original sshd file. Otherwise, it will affect sshd service restart
     System CTL restart sshd -- Restart ssh service. (Restart after service configuration modification to make configuration effective)
    - Optional
     - Modify the default port
    vi /etc/ssh/sshd_config
     Modify Port to other ports, such as 2222
     firewall-cmd --permanent --add-port=2222/tcp-firewall opens 2222 ports
     firewall-cmd-reload-restart firewall

    9.3 Verification

    chkconfig sshd on  --View Service Running Level
    --Verify that the startup is normal
    /etc/init.d/sshd restart  
    /etc/init.d/sshd stop
    /etc/init.d/sshd start
    systemctl restart sshd
    systemctl stop sshd
    systemctl start sshd
    netstat -lntp  --See sshd Whether the service is started and the port to listen on(Default 22)
    ssh -V
    OpenSSH_8.0p1, OpenSSL 1.1.1c  28 May 2019
  10. Repairing problems caused by upgrades
    10.1 error while loading shared libraries: libssl.so.10: cannot open shared. Because of libssl.so ,libcrypto.so Missing libraries such as yum, ping, wget

    cd /usr/lib64
    cp /u01/libssl.so.1.0.2k ./
    cp /u01/libcrypto.so.1.0.2k ./
    ln -s libssl.so.1.0.2k ./libssl.so  --Creating Soft Connections
    ln -s libssl.so.1.0.2k ./libssl.so.10
    ln -s libcrypto.so.1.0.2k ./libcrypto.so
    ln -s libcrypto.so.1.0.2k ./libcrypto.so.10
  11. Restore temporary configuration beyond upgrade
    11.1 Close telnet
    Ensure that the telnet service is shut down after ssh login is okay.

    systemctl disable xinetd.service
    Removed symlink /etc/systemd/system/multi-user.target.wants/xinetd.service.
    systemctl stop xinetd.service
    systemctl disable telnet.socket
    systemctl stop telnet.socket
    –-See telnet Whether the service is closed or not, choose one of them.
    netstat -lntp –-Check whether port 23 is monitored
    netstat -antp –-Check whether port 23 is monitored
    chkconfig –list –No, telnet Appearance is enough.

    11.2. Restore the firewall to its initial state

Topics: OpenSSL firewall ssh openssh