SSH upgrade (Linux, CentOS 7.x or above: upgrade OpenSSH to version 8.6p1)

Posted by matt2012 on Mon, 24 Jan 2022 03:04:45 +0100

Upgrading OpenSSH to 8.6p1 from source on a Linux system running CentOS 7.x or above.

1. If the machine has no other way in (no snapshot or backup platform and no console), enable telnet first so you can still log in if sshd fails to start after the upgrade. See https://www.cnblogs.com/wangyang0210/p/12552040.html for background; the telnet steps are below. (If the server has a provider management console, such as Tencent Cloud, Alibaba Cloud or Huawei Cloud, this step can be skipped.)

Install, start and configure the telnet service so the server stays reachable if the sshd upgrade fails:

yum install -y telnet-server* telnet xinetd
systemctl enable xinetd.service
systemctl enable telnet.socket
systemctl start telnet.socket
systemctl start xinetd.service
echo 'pts/0' >>/etc/securetty
echo 'pts/1' >>/etc/securetty
echo 'pts/2' >>/etc/securetty

The securetty entries allow root to log in on the pseudo-terminals pts/0 to pts/2 that telnet sessions use. Telnet sends the password in cleartext, so restrict port 23 to the management network with a firewall rule while it is enabled, and once the new sshd is confirmed working stop and disable telnet.socket and xinetd.service again and remove the pts/ lines from /etc/securetty.

Note: first check whether SELinux is enabled:

/usr/sbin/sestatus -v   (reports "disabled" when off, "enabled" when on)
getenforce              (reports Permissive or Enforcing when SELinux is enabled)

Temporary shutdown (does not survive a reboot): setenforce 0
Configuration file shutdown (takes effect after a reboot): edit /etc/selinux/config and change SELINUX=enforcing to SELINUX=disabled

Permissive mode is enough to rule SELinux out as the cause of a failed login after the upgrade; disabling it outright is a system-wide security regression. Prefer setenforce 0 for the duration of the upgrade, then relabel the newly installed files (restorecon -Rv /usr/sbin/sshd /etc/ssh) and return to enforcing.

2. View the current version information

ssh -V

3. Install the packages needed to build the new OpenSSH

The build needs a C compiler plus the OpenSSL, PAM and zlib headers (openssl-devel, pam-devel and zlib-devel; the zlib* glob below pulls in the latter):

yum install  -y gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel  pam-devel
yum install  -y pam* zlib*

4. Download the tarball for the target version from the OpenSSH portable release directory on any OpenBSD mirror, for example:
https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/
Note: this article uses openssh-8.6p1.tar.gz as the installation example.
The same directory carries a detached PGP signature (openssh-8.6p1.tar.gz.asc) and the release key (RELEASE_KEY.asc); download those too and verify the signature with gpg before building anything, so a tampered mirror cannot hand you a backdoored sshd.
After downloading, upload the files to the target server. The examples below assume they were placed in the /home/openssh directory.

5. Back up the existing ssh configuration. Note that /etc/ssh also holds the server host keys (ssh_host_*_key); make install only generates host keys that are missing, so after the new version is installed copy the backed-up host keys back into /etc/ssh, otherwise every client will see a "host key has changed" warning. /etc/pam.d/sshd is owned by the openssh-server package and disappears when it is removed in step 6; the backup taken here is what you restore afterwards.

mv /etc/ssh /etc/ssh_bak
cp /etc/pam.d/system-auth-ac /etc/pam.d/system-auth-ac.bak
cp /etc/pam.d/sshd /etc/pam.d/sshd.bak

6. Uninstall the old version of ssh

List the installed packages:

rpm -qa | grep openssh

Then remove each package listed, ignoring dependencies (this also removes the ssh client, so from here until step 10 the host has no working ssh; that is what step 1 is for), for example:

rpm -e openssh-7.4p1-11.el7.x86_64 --nodeps

7. Unpack and compile
Enter the /home/openssh directory, unpack the tarball and enter the unpacked directory, then give the whole tree root ownership (the files in the tarball carry the uid of whoever packaged them):

tar zxf openssh-8.6p1.tar.gz && cd openssh-8.6p1
chown -R root:root .

Then run configure:

./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-md5-passwords

The original command also passed --with-tcp-wrappers. OpenSSH removed libwrap (hosts.allow/hosts.deny) support in version 6.7, so configure only warns that the option is unrecognized and ignores it; restrict access with the firewall or with sshd's own AllowUsers/Match directives instead. With --prefix=/usr the binaries go to /usr/bin and /usr/sbin and the helpers (sftp-server, ssh-keysign) to /usr/libexec.

Then compile and install:

make && make install

8. Configure the ssh configuration files
Copy the settings you need from the backed-up /etc/ssh_bak/ssh_config into the newly installed /etc/ssh/ssh_config, and likewise from /etc/ssh_bak/sshd_config into the new /etc/ssh/sshd_config. Two things to watch when carrying over the CentOS sshd_config: the sftp subsystem line must point at the new location (/usr/libexec/sftp-server rather than /usr/libexec/openssh/sftp-server), and any option 8.6p1 no longer recognises makes sshd refuse to start, so validate the result with sshd -t before restarting. The details:
a) Add Ciphers, MACs and KexAlgorithms lines to sshd_config so that older clients such as Xshell can still connect:

Ciphers 3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com

MACs hmac-sha1,hmac-sha1-96,hmac-sha2-256,hmac-sha2-512,hmac-md5,hmac-md5-96,umac-64@openssh.com,umac-128@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-md5-etm@openssh.com,hmac-md5-96-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com

KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,curve25519-sha256,curve25519-sha256@libssh.org,sntrup761x25519-sha512@openssh.com

The value after Ciphers is the output of ssh -Q cipher joined with commas;
the value after MACs is the output of ssh -Q mac joined with commas;
the value after KexAlgorithms is the output of ssh -Q kex joined with commas.

Be aware of what this does: ssh -Q lists everything the binary supports, not what is safe, so these lines re-enable the legacy algorithms that 8.6p1 disables by default (3des-cbc and the other CBC ciphers, the MD5 and truncated 96-bit MACs, diffie-hellman-group1-sha1 and the other SHA-1 key exchanges). If an old client can only negotiate one of those, add that single algorithm rather than the whole list, or better, update the client; otherwise the upgrade buys little.
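The scanner below is an added example, not part of the original article. It reads a sshd_config, takes the first Ciphers, MACs and KexAlgorithms value the way sshd itself does (the first occurrence of a keyword wins), and prints the entries that fall into a legacy set. That legacy set (CBC ciphers, MD5 and truncated 96-bit MACs, SHA-1 key exchange) is this editor's selection, not a list published by OpenSSH; the sample file it writes is constructed from the three lines above, and hardened_lines prints a replacement built only from algorithms 8.6p1 supports. The function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the article): flag legacy algorithms in a sshd_config.
# The weak sets below are the editor's selection, not a list published by OpenSSH.
WEAK_CIPHERS="3des-cbc aes128-cbc aes192-cbc aes256-cbc arcfour arcfour128 arcfour256 blowfish-cbc cast128-cbc"
WEAK_MACS="hmac-md5 hmac-md5-96 hmac-sha1-96 hmac-md5-etm@openssh.com hmac-md5-96-etm@openssh.com hmac-sha1-96-etm@openssh.com"
WEAK_KEX="diffie-hellman-group1-sha1 diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha1"

# directive_value DIRECTIVE FILE: value of the first DIRECTIVE line, matched
# case-insensitively; sshd uses the first occurrence of a keyword, later ones are ignored.
directive_value() {
    awk -v d="$1" 'tolower($1) == tolower(d) && !seen { print $2; seen = 1 }' "$2"
}

# list_weak DIRECTIVE FILE: print "DIRECTIVE algorithm" for every comma-separated
# entry of that directive that belongs to the matching weak set.
list_weak() {
    case $1 in
        Ciphers)       weak=$WEAK_CIPHERS ;;
        MACs)          weak=$WEAK_MACS ;;
        KexAlgorithms) weak=$WEAK_KEX ;;
        *)             return 1 ;;
    esac
    directive_value "$1" "$2" | tr ',' '\n' | while IFS= read -r alg; do
        for w in $weak; do
            if [ "$alg" = "$w" ]; then echo "$1 $alg"; fi
        done
    done
}

# check_config FILE: print all legacy entries; exit 0 only when none are found.
check_config() {
    found=$(for d in Ciphers MACs KexAlgorithms; do list_weak "$d" "$1"; done)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# hardened_lines: a replacement for the article's three lines, restricted to AEAD/CTR
# ciphers, SHA-2 and UMAC-128 encrypt-then-MAC, and non-SHA-1 key exchange (all in 8.6p1).
hardened_lines() {
    echo "Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr"
    echo "MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com"
    echo "KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256"
}

# write_sample FILE: constructed sample config holding the article's three lines verbatim.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample: the three directives the article adds
Ciphers 3des-cbc,aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
MACs hmac-sha1,hmac-sha1-96,hmac-sha2-256,hmac-sha2-512,hmac-md5,hmac-md5-96,umac-64@openssh.com,umac-128@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-md5-etm@openssh.com,hmac-md5-96-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com
KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,curve25519-sha256,curve25519-sha256@libssh.org,sntrup761x25519-sha512@openssh.com
EOF
}

# Stand-alone demo: scan the constructed sample, then show the hardened replacement.
demo() {
    f=$(mktemp)
    write_sample "$f"
    echo "legacy algorithms enabled by the article's lists:"
    check_config "$f" || true
    echo "hardened replacement:"
    hardened_lines
    rm -f "$f"
}
demo
```

To audit a live server, run check_config /etc/ssh/sshd_config; an empty result and exit status 0 mean none of the flagged algorithms are offered. Remember that sshd only reads the first occurrence of each keyword, so a hardened line appended below an older one changes nothing.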

9. Configure the service startup entry. From the unpacked source directory run the commands below. The openssh-server package took its systemd unit file with it when it was removed in step 6, so after adding the init script run systemctl daemon-reload so that systemd generates sshd.service from it.

cp contrib/redhat/sshd.init /etc/init.d/sshd
chkconfig --add sshd
chkconfig sshd on
chkconfig --list sshd

10. Start the sshd service. Run sshd -t first to check the configuration, and keep your current session open until a second login against the new daemon succeeds:

systemctl restart sshd.service   or   service sshd restart
systemctl status sshd.service    or   service sshd status

Finally confirm with ssh -V that the reported version is now 8.6p1.
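As an added example, not the article's own script, the following shell driver runs steps 2 to 10 with the checks discussed above: it parses the ssh -V banner so the upgrade is skipped when the target version is already installed, verifies the tarball's PGP signature, keeps the host keys and the PAM file across the package removal, drops the dead --with-tcp-wrappers flag, and validates the configuration with sshd -t before restarting. Everything it assumes is stated in the comments and is not on the page: the tarball, its .asc signature and RELEASE_KEY.asc all sit in /home/openssh, the script runs as root, and the function names (ssh_version_key, needs_upgrade, verify_tarball, ...) are the example's own.

```shell
#!/bin/sh
# Added example (not the article's own script): an upgrade driver for steps 2-10.
# Assumptions not stated on the page: tarball, detached .asc signature and
# RELEASE_KEY.asc are in $SRC_DIR, and the script is run as root with --run.
set -eu

SRC_DIR=${SRC_DIR:-/home/openssh}
VERSION=${VERSION:-8.6p1}
TARBALL="$SRC_DIR/openssh-$VERSION.tar.gz"

# ssh_version_key BANNER: map the banner "ssh -V" prints (e.g. "OpenSSH_7.4p1, OpenSSL ...")
# to an integer (7.4p1 -> 70401); fails on anything that is not an OpenSSH banner.
ssh_version_key() {
    set -- $(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\)p\([0-9][0-9]*\).*/\1 \2 \3/p')
    [ $# -eq 3 ] || return 1
    echo $(( $1 * 10000 + $2 * 100 + $3 ))
}

# needs_upgrade BANNER TARGET: true when the installed OpenSSH is older than TARGET (e.g. 8.6p1).
needs_upgrade() {
    cur=$(ssh_version_key "$1") || return 1
    tgt=$(ssh_version_key "OpenSSH_$2") || return 1
    [ "$cur" -lt "$tgt" ]
}

# Supply-chain check the article skips: portable releases are PGP-signed and the release
# key is published next to them. gpg only proves the tarball matches that key, so confirm
# the key's fingerprint out of band once before trusting this step.
verify_tarball() {
    gpg --import "$SRC_DIR/RELEASE_KEY.asc"
    gpg --verify "$TARBALL.asc" "$TARBALL"
}

# Copy (not mv) so the host keys stay in /etc/ssh: make install only generates keys that
# are missing, and clients would otherwise see a changed host key. /etc/pam.d/sshd is
# removed together with the openssh-server package, so it is saved as well.
backup_config() {
    bak="/etc/ssh_bak_$(date +%Y%m%d%H%M%S)"
    cp -a /etc/ssh "$bak"
    cp -a /etc/pam.d/sshd "$bak/pam_sshd"
    echo "$bak"
}

build_install() {
    cd "$SRC_DIR"
    tar zxf "$TARBALL" && cd "openssh-$VERSION"
    chown -R root:root .
    # --with-tcp-wrappers from the article is left out: libwrap support left OpenSSH in 6.7.
    ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-md5-passwords
    make && make install
    cp contrib/redhat/sshd.init /etc/init.d/sshd
    chmod 755 /etc/init.d/sshd
    chkconfig --add sshd && chkconfig sshd on
    systemctl daemon-reload   # the package's unit file is gone; let systemd generate one from the init script
}

# Restore PAM, fix the sftp path if an old sshd_config was copied back (no-op on the fresh
# one), and refuse to restart on a config sshd -t rejects, which is the case telnet was for.
restart_checked() {
    bak=$1
    [ -f /etc/pam.d/sshd ] || cp -a "$bak/pam_sshd" /etc/pam.d/sshd
    sed -i 's|/usr/libexec/openssh/sftp-server|/usr/libexec/sftp-server|' /etc/ssh/sshd_config
    /usr/sbin/sshd -t
    systemctl restart sshd
    systemctl is-active sshd
    ssh -V
}

main() {
    banner=$(ssh -V 2>&1 || true)   # ssh -V prints to stderr; a missing binary counts as needing install
    if ssh_version_key "$banner" >/dev/null && ! needs_upgrade "$banner" "$VERSION"; then
        echo "OpenSSH $VERSION or newer is already installed: $banner"; return 0
    fi
    verify_tarball
    bak=$(backup_config)
    rpm -e --nodeps $(rpm -qa | grep '^openssh')
    build_install
    restart_checked "$bak"
}

# Only act when invoked as "sh upgrade.sh --run", so the functions can be sourced and tested safely.
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it from a session you keep open, as the article's step 1 advises, and open a second login before closing it; the version check at the top makes a re-run harmless, and the backup directory name printed by backup_config is what step 8 merges settings from.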

That completes the ssh upgrade. Many articles mention SELinux problems at this point; they did not appear on the system used here because SELinux had been disabled (see the note in step 1). If you keep SELinux enforcing, relabel the newly installed files with restorecon instead of turning it off.

Reference material:
Dependency installation: https://www.cnblogs.com/wangyang0210/p/12552040.html
Remote login does not accept the account password (PAM): https://blog.csdn.net/ance779/article/details/95031345 and http://www.voidcn.com/article/p-zxirrqlt-buo.html
sshd_config parameter details: https://ftp.openssl.org/source/
For backup details and similar, see the ssh 7.0.x upgrade document provided in the folder.

Topics: Linux CentOS ssh