Upgrading OpenSSH to 8.0p1 on CentOS 7.5: a record

Keywords: Linux openssh ssh RPM yum

Background: A vulnerability scan flagged an OpenSSH vulnerability on the server, so OpenSSH had to be upgraded to fix it.

Server version:

# cat /etc/redhat-release
CentOS Linux release 7.5.1804 (Core)

Pre-upgrade ssh version:

# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017

Upgraded ssh version:

# ssh -V
OpenSSH_8.0p1, OpenSSL 1.0.2k-fips  26 Jan 2017

I found the upgrade method online. Following this article, the upgrade succeeded: https://www.jianshu.com/p/220f7fd908b0

In case that link goes dead, I am recording my steps here:

So that a failed upgrade does not leave the server unreachable remotely, install telnet as a fallback:

# yum install -y telnet-server
# yum install -y xinetd 
# systemctl start telnet.socket
# systemctl start  xinetd

Allow root login over telnet:

# echo 'pts/0' >>/etc/securetty
# echo 'pts/1' >>/etc/securetty
# systemctl restart telnet.socket

Enable telnet and xinetd at boot so that telnet is still reachable after a reboot:

# systemctl enable xinetd.service
# systemctl enable telnet.socket

Test the telnet connection and leave it in place as a fallback, then carry on working over ssh as usual.

Download the latest version of the package (openssh-8.0p1.tar.gz) and upload it to the server.

Back up the existing configuration:

# cp -r /etc/ssh /etc/ssh.old

Uninstall the old ssh packages:

# rpm -qa|grep openssh
openssh-server-7.4p1-11.el7.x86_64
openssh-7.4p1-11.el7.x86_64
openssh-clients-7.4p1-11.el7.x86_64
# rpm -e --nodeps openssh-server-7.4p1-11.el7.x86_64
# rpm -e --nodeps openssh-7.4p1-11.el7.x86_64
# rpm -e --nodeps openssh-clients-7.4p1-11.el7.x86_64
# rpm -qa|grep openssh

Installation:

# install -v -m700 -d /var/lib/sshd
# chown -v root:sys /var/lib/sshd
# groupadd -g 50 sshd
# useradd -c 'sshd PrivSep' -d /var/lib/sshd -g sshd -s /bin/false -u 50 sshd
# tar -zxvf openssh-8.0p1.tar.gz
# cd openssh-8.0p1
# ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-privsep-path=/var/lib/sshd
# make
# chmod 600 /etc/ssh/ssh_host_rsa_key
# chmod 600 /etc/ssh/ssh_host_ecdsa_key
# chmod 600 /etc/ssh/ssh_host_ed25519_key
# make install
# install -v -m755 contrib/ssh-copy-id /usr/bin
# install -v -m644 contrib/ssh-copy-id.1 /usr/share/man/man1
# install -v -m755 -d /usr/share/doc/openssh-8.0p1
# install -v -m644 INSTALL LICENCE OVERVIEW README* /usr/share/doc/openssh-8.0p1

Allow root login over ssh:

# echo "PermitRootLogin yes" >> /etc/ssh/sshd_config

Start sshd at boot:

# cp -p contrib/redhat/sshd.init /etc/init.d/sshd
# chmod +x /etc/init.d/sshd
# chkconfig --add sshd
# chkconfig sshd on
# chkconfig --list sshd
# systemctl restart sshd

The upgrade is complete; check the version:

# ssh -V
OpenSSH_8.0p1, OpenSSL 1.0.2k-fips  26 Jan 2017

PS1: After the upgrade is complete, don't forget to restore the previous telnet settings or shut telnet down.

PS2: If something goes wrong partway and the upgrade fails, and OpenSSH was previously installed from rpm packages, the following commands roll it back directly:

# yum -y install openssh-clients
# yum -y install openssh-server
# yum -y install openssh
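
The cleanup that PS1 asks for, as an added example that is not part of the original post: it checks the `ssh -V` banner and the sshd configuration first, then stops telnet and xinetd and removes the `pts/0` and `pts/1` entries that were appended to /etc/securetty. The function names, the `--apply` switch and the backup file name are assumptions of this example, as is the premise that telnet and xinetd were installed only for this upgrade.

```shell
#!/bin/sh
# Added example: verify the source-built sshd, then remove the telnet fallback.
# Run it from a NEW ssh session, so the upgraded sshd has already accepted a login.

# Return 0 if an `ssh -V` banner reports OpenSSH >= MAJOR.MINOR, 2 if unparsable.
ssh_version_at_least() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    [ -n "$ver" ] || return 2
    major=${ver%%.*}
    minor=${ver#*.}
    [ "$major" -gt "$2" ] && return 0
    [ "$major" -eq "$2" ] && [ "$minor" -ge "$3" ]
}

# Print FILE minus the pts/0 and pts/1 lines appended for telnet root login.
securetty_without_pts() {
    grep -v -x -e 'pts/0' -e 'pts/1' "$1" || true
}

disable_telnet_fallback() {
    banner=$(ssh -V 2>&1)                  # ssh -V writes its banner to stderr
    if ! ssh_version_at_least "$banner" 8 0; then
        echo "unexpected version: $banner" >&2
        return 1
    fi
    /usr/sbin/sshd -t || return 1          # config must parse before telnet goes away
    systemctl stop telnet.socket xinetd.service
    systemctl disable telnet.socket xinetd.service
    # Backup file name is an assumption of this example.
    cp -p /etc/securetty /etc/securetty.pre-cleanup
    securetty_without_pts /etc/securetty.pre-cleanup > /etc/securetty
}

# Nothing is changed unless the (hypothetical) --apply switch is given.
if [ "${1:-}" = "--apply" ]; then
    disable_telnet_fallback
fi
```

If any check fails, the function returns before touching telnet, so the fallback stays available while the problem is investigated.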

Posted by student101 on Sat, 05 Oct 2019 23:16:10 -0700