Centos7 upgrades openssh to OpenSSH_8.0p1

Posted by htcilt on Tue, 13 Aug 2019 10:00:21 +0200

  1. Basic environment
    CentOS Linux release 7.6.1810 (Core)
    OpenSSH_7.9p1, OpenSSL 1.0.2k-fips 26 Jan 2017

  2. Upgrade preparation

    1. Open a file transfer tool (such as Xftp) and keep an ssh session open in a connection tool (such as Xshell) before starting: during the upgrade no new ssh connections can be made, and the files have to be uploaded by hand.
    2. Download the packages to be upgraded in advance, such as openssl-1.1.1c.tar.gz and openssh-8.0p1.tar.gz. Delete them after the upgrade is completed.
  3. Matters needing attention

    1. Back up libssl.so.1.0.2k and libcrypto.so.1.0.2k from the /usr/lib64 directory. The openssl update deletes these two files, after which many commands such as yum, wget and ping no longer work.
      cd /usr/lib64
      cp libssl.so.1.0.2k /bak    # /bak is the backup directory
      cp libcrypto.so.1.0.2k /bak
      
  4. Close selinux
    Temporary shutdown: setenforce 0
    Permanent shutdown: vi /etc/sysconfig/selinux
    Change SELINUX=enforcing to SELINUX=disabled
    Reboot for the permanent change to take effect: reboot

  5. Close the firewall
    Firewall related operations

    • View firewall status: firewall-cmd --state
    • Reload or restart the firewall:
      firewall-cmd --reload    # reloads the configuration without disconnecting existing tcp sessions. Recommended
      systemctl restart firewalld    # restarts the service and disconnects existing tcp sessions. Not recommended
      
    • Stop the firewall: systemctl stop firewalld.service    # suggested for the duration of the upgrade
    • Do not start at boot: systemctl disable firewalld.service
    • Open a specified port (22 for example): firewall-cmd --permanent --add-port=22/tcp
  6. Install telnet
    Standby login scheme in case ssh cannot log in
    6.1 yum install xinetd telnet-server -y
    6.2 Configure telnet
    If you configure telnet to log in as root, change disable = no to disable = yes
    vi /etc/xinetd.d/telnet and enter the following:

    # default: on
    # description: The telnet server serves telnet sessions; it uses \
    #   unencrypted username/password pairs for authentication.
    service telnet
    {
        # if allow root login, disable = yes
        disable = no
        flags       = REUSE
        socket_type = stream
        wait        = no
        user        = root
        server      = /usr/sbin/in.telnetd
        log_on_failure  += USERID
    }
    

    6.3 Configure the terminal types allowed for telnet login: add some pts terminals at the end of the /etc/securetty file, as follows

    pts/0
    pts/1
    pts/2
    pts/3
    

    6.4 Start telnet service

    systemctl enable xinetd
    systemctl enable telnet.socket
    Created symlink from /etc/systemd/system/sockets.target.wants/telnet.socket to /usr/lib/systemd/system/telnet.socket.
    systemctl start telnet.socket
    systemctl start xinetd
    netstat -lntp|grep 23
    tcp6 0 0 :::23 :::* LISTEN 1/systemd     
    
  7. Installation of dependency packages (required for subsequent upgrades)

    yum install  -y gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel  pam-devel 
    yum install  -y pam* zlib*
    
  8. Upgrade openssl

    cd /tmp
    tar -zxvf openssl-1.1.1c.tar.gz
    cd openssl-1.1.1c
    ./config --prefix=/usr/local/openssl    # if this step reports an error, install the perl and gcc packages
    echo $?    # check whether the previous command reported an error
    0
    make
    echo $?    # check whether the previous command reported an error
    0
    make install
    echo $?    # check whether the previous command reported an error
    0
    mv /usr/bin/openssl /usr/bin/openssl.bak    # backup
    ln -sf /usr/local/openssl/bin/openssl /usr/bin/openssl    # create a symbolic link
    echo "/usr/local/openssl/lib" >> /etc/ld.so.conf    # add the openssl library directory to the loader search path
    ldconfig -v    # make /etc/ld.so.conf take effect
    openssl version
    OpenSSL 1.1.1c  28 May 2019
    
  9. Upgrade openssh
    9.1 Installation

    cp -r /etc/ssh /etc/ssh.bak    # backup
    cd /tmp
    tar -zxvf openssh-8.0p1.tar.gz
    cd openssh-8.0p1
    ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-openssl-includes=/usr/local/openssl/include --with-ssl-dir=/usr/local/openssl --with-zlib --with-md5-passwords --with-pam    # note the paths in the parameters
    echo $?    # check whether the previous command reported an error
    0
    make && make install
    echo $?    # check whether the previous command reported an error
    0
    

    9.2 Configuration

    vi /etc/ssh/sshd_config
    Modify the following settings:
    PasswordAuthentication yes
    UseDNS no
    
    cd /tmp/openssh-8.0p1
    mv /etc/init.d/sshd /etc/init.d/sshd.bak    # backup
    cp -a contrib/redhat/sshd.init /etc/init.d/sshd    # use the init script shipped with the new version
    cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd.pam    # it does not matter if the target does not exist yet
    sudo chmod +x /etc/init.d/sshd    # add execute permission (needed when installing as a non-root user)
    chkconfig --add sshd    # register the sshd service to start at boot
    systemctl enable sshd    # allow the sshd service to start automatically
    mv /usr/lib/systemd/system/sshd.service /tmp    # move the original unit file away; otherwise it interferes with restarting the sshd service
    systemctl restart sshd    # restart the ssh service (restart after changing the configuration to make it take effect)
    
    - Optional
     - Modify the default port
    vi /etc/ssh/sshd_config
     Change Port to another port, such as 2222
     firewall-cmd --permanent --add-port=2222/tcp    # open port 2222 in the firewall
     firewall-cmd --reload    # reload the firewall
    

    9.3 Verification

    chkconfig sshd on    # enable sshd at the default run levels
    
    # verify that start, stop and restart work, both through the init script and through systemd
    /etc/init.d/sshd restart
    /etc/init.d/sshd stop
    /etc/init.d/sshd start
    
    systemctl restart sshd
    systemctl stop sshd
    systemctl start sshd
    
    netstat -lntp    # check that sshd is running and which port it listens on (default 22)
    ssh -V
    OpenSSH_8.0p1, OpenSSL 1.1.1c  28 May 2019
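    The riskiest moment in 9.2 and 9.3 is the restart: if the new sshd_config does not parse, or the new binary was linked against the wrong libssl, the only remaining way in is the telnet fallback. The following check script is an added example, not part of the original post. It reads sshd_config the way sshd does (first uncommented keyword wins; Match blocks are not handled), runs sshd -t when sshd is on the PATH, and extracts from ldd output which libssl the binary resolves. The function names are my own; the file path and port values are the post's.

```shell
#!/bin/sh
# Added example (not from the original post): pre-restart checks for the new sshd.

# sshd_config_get FILE KEYWORD
# Prints the value of KEYWORD as sshd would use it: the first uncommented
# occurrence wins and keywords are case-insensitive. Prints nothing when unset.
sshd_config_get() {
    awk -v key="$2" '
        /^[ \t]*#/ { next }                         # skip comment lines
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# sshd_effective_port FILE: the Port value, or 22 when the file does not set one
sshd_effective_port() {
    port=$(sshd_config_get "$1" Port)
    printf '%s\n' "${port:-22}"
}

# linked_libssl_path LDD_OUTPUT
# Given the text of `ldd /usr/sbin/sshd`, prints the libssl path the binary
# resolves, so you can confirm it is the freshly built /usr/local/openssl
# library rather than a leftover copy.
linked_libssl_path() {
    printf '%s\n' "$1" | awk '$1 ~ /^libssl\.so/ { print $3; exit }'
}

# preflight_sshd FILE
# 1. sshd -t parses the config (only when sshd is on PATH)
# 2. reports the listening port so it can be opened in firewalld first
# 3. warns when password login is off, since the post relies on it during the upgrade
# Returns 0 when the config is usable, 1 otherwise.
preflight_sshd() {
    cfg="$1"
    if command -v sshd >/dev/null 2>&1; then
        if ! sshd -t -f "$cfg"; then
            echo "sshd_config has errors; do not restart sshd" >&2
            return 1
        fi
    fi
    echo "sshd will listen on port $(sshd_effective_port "$cfg")"
    pa=$(sshd_config_get "$cfg" PasswordAuthentication)
    if [ "${pa:-yes}" = "no" ]; then
        echo "note: PasswordAuthentication is off; confirm a key-based login works" >&2
    fi
    return 0
}

# usage on the upgraded host:
#   preflight_sshd /etc/ssh/sshd_config && linked_libssl_path "$(ldd /usr/sbin/sshd)"
```

    Run preflight_sshd before the systemctl restart sshd in 9.2, and compare the path printed by linked_libssl_path against the /usr/local/openssl prefix from section 8.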
    
  10. Repairing problems caused by the upgrade
    10.1 "error while loading shared libraries: libssl.so.10: cannot open shared ...": commands such as yum, ping and wget fail because the libssl.so and libcrypto.so libraries are missing

    cd /usr/lib64
    cp /u01/libssl.so.1.0.2k ./    # copy back from the backup directory (step 3 used /bak; adjust the path to wherever you saved them)
    cp /u01/libcrypto.so.1.0.2k ./
    ln -s libssl.so.1.0.2k ./libssl.so    # create symbolic links
    ln -s libssl.so.1.0.2k ./libssl.so.10
    ln -s libcrypto.so.1.0.2k ./libcrypto.so
    ln -s libcrypto.so.1.0.2k ./libcrypto.so.10
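    Steps 3 and 10.1 are the two halves of one operation: save the 1.0.2k libraries before the upgrade, put them back with the .so.10 names afterwards. The script below is an added example, not part of the original post; it records checksums at backup time so a restore can refuse a corrupted or wrong-version copy, and it recreates the symlinks idempotently. The function names are mine; the library names and the /usr/lib64 and /bak paths are the post's, and both directories are parameters so the script can be exercised against scratch directories.

```shell
#!/bin/sh
# Added example (not from the original post): back up and restore the OpenSSL
# 1.0.2k runtime libraries that yum, wget and ping are linked against.

LIBS="libssl.so.1.0.2k libcrypto.so.1.0.2k"

# backup_ssl_libs LIBDIR BAKDIR
# Copies both libraries into BAKDIR and records their sha256 sums.
# Returns 1 if either library is already missing (too late to back up).
backup_ssl_libs() {
    libdir="$1"; bakdir="$2"
    mkdir -p "$bakdir"
    for lib in $LIBS; do
        [ -f "$libdir/$lib" ] || { echo "missing $libdir/$lib" >&2; return 1; }
        cp -p "$libdir/$lib" "$bakdir/$lib"
    done
    (cd "$bakdir" && sha256sum $LIBS > SHA256SUMS)
}

# restore_ssl_libs LIBDIR BAKDIR
# Verifies the backup against the recorded sums, copies the libraries back and
# recreates the .so and .so.10 links the original RPM provided (ln -sf makes
# this safe to rerun).
restore_ssl_libs() {
    libdir="$1"; bakdir="$2"
    (cd "$bakdir" && sha256sum -c SHA256SUMS >/dev/null) || { echo "backup checksum mismatch" >&2; return 1; }
    for lib in $LIBS; do
        cp -p "$bakdir/$lib" "$libdir/$lib"
        base=${lib%.so.1.0.2k}            # libssl or libcrypto
        ln -sf "$lib" "$libdir/$base.so"
        ln -sf "$lib" "$libdir/$base.so.10"
    done
}

# ssl_libs_ok LIBDIR: 0 when both .so.10 links resolve to a real file
ssl_libs_ok() {
    for base in libssl libcrypto; do
        [ -f "$1/$base.so.10" ] || return 1
    done
    return 0
}

# usage: sh thisfile.sh backup|restore   (paths as in the post: /usr/lib64 and /bak)
case "${1:-}" in
    backup)  backup_ssl_libs /usr/lib64 /bak && echo "backed up to /bak" ;;
    restore) restore_ssl_libs /usr/lib64 /bak && ldconfig && ssl_libs_ok /usr/lib64 && echo "libraries restored" ;;
esac
```

    Run it with the backup argument before section 8 and with restore if the libssl.so.10 error from 10.1 appears; ldconfig is run after the restore so the loader cache sees the links.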
    
  11. Restore the temporary configuration made for the upgrade
    11.1 Close telnet
    Make sure ssh login works before shutting down the telnet service.

    systemctl disable xinetd.service
    Removed symlink /etc/systemd/system/multi-user.target.wants/xinetd.service.
    systemctl stop xinetd.service
    systemctl disable telnet.socket
    systemctl stop telnet.socket
    
    # check that the telnet service is closed; any one of the following is enough
    netstat -lntp    # check whether port 23 is still listening
    netstat -antp    # check whether port 23 is still listening
    chkconfig --list    # telnet should no longer appear
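    The verification in 9.3 and the teardown in 11.1 both come down to reading the listener table: the ssh port must be open and port 23 must be gone before the fallback is considered closed. The following is an added example, not part of the original post, that parses a netstat -lntp or ss -lntp snapshot and answers both questions; the function names are mine, the port numbers are the post's.

```shell
#!/bin/sh
# Added example (not from the original post): check a listener snapshot after
# the upgrade and after telnet has been closed.

# listening_ports TEXT
# Prints one port per line from `netstat -lntp` or `ss -lntp` output. Both
# tools put the local address in column 4 (0.0.0.0:22, :::22 or *:22); netstat
# rows start with tcp/tcp6, ss rows with LISTEN, and headers match neither.
listening_ports() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^tcp/ || $1 == "LISTEN" {
            n = split($4, a, ":")        # port is the last colon-separated field
            print a[n]
        }' | sort -un
}

# port_listening TEXT PORT: 0 when PORT appears in the snapshot
port_listening() {
    listening_ports "$1" | grep -qx "$2"
}

# verify_ssh_only TEXT SSHPORT
# Returns 0 when something listens on SSHPORT (22 by default, or the port
# chosen in 9.2) and nothing listens on 23; prints what failed otherwise.
verify_ssh_only() {
    snapshot="$1"; sshport="${2:-22}"
    status=0
    if port_listening "$snapshot" "$sshport"; then
        echo "ok: port $sshport is listening"
    else
        echo "FAIL: nothing listening on port $sshport; keep the current session open" >&2
        status=1
    fi
    if port_listening "$snapshot" 23; then
        echo "FAIL: telnet (port 23) is still listening" >&2
        status=1
    else
        echo "ok: port 23 is closed"
    fi
    return $status
}

# usage on the live host (netstat first, ss if netstat is not installed):
#   verify_ssh_only "$(netstat -lntp 2>/dev/null || ss -lntp)" 22
```

    A non-zero exit after 11.1 means either sshd is not listening where you expect or the telnet socket is still bound, so the fallback should not be removed yet.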
    

    11.2. Restore the firewall to its initial state

Topics: OpenSSL firewall ssh openssh