SSH Upgrade Version--8.2p1

preparation in advance

Execute yum update openssh to upgrade first.

The official upgrade is okay anyway.If you have previously manually compiled an upgrade of openssh, test yourself for changes to the default profile path.)

(Unified openssh version 7.4p1 is prepared here before Unified Compile Installation is upgraded to openssh 8.2p1)

[root@node1 ~]# yum update openssh -y

[root@node1 ~]# ssh -V

OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017

Download openssh and the openssl installation package

openssl download link: https://www.openssl.org/source/

openssh download link: http://www.openssh.com/portable.html

Install Configuration telnet

install telnet-server as well as xinetd

[root@node1 ~]# yum install -y xinetd telnet-server

Many centos7 versions now do not have a configuration file called telnet after telnet-server and xinetd are installed.

If the following telnet file does not exist, you can skip this part of the change

[root@node1 ~]# ll /etc/xinetd.d/telnet
ls: cannot access /etc/xinetd.d/telnet: No such file or directory

If the following file exists, change the configuration telnet to allow root login and change disable = no to disable = yes

[root@rhel yum.repos.d]# cat /etc/xinetd.d/telnet
# default: on
# description: The telnet server serves telnet sessions; it uses \
#   unencrypted username/password pairs for authentication.
service telnet
{
    disable = no
    flags       = REUSE
    socket_type = stream        
    wait        = no
    user        = root
    server      = /usr/sbin/in.telnetd
    log_on_failure  += USERID
}
 
[root@rhel yum.repos.d]# vim /etc/xinetd.d/telnet
[root@rhel yum.repos.d]# cat /etc/xinetd.d/telnet
# default: on
# description: The telnet server serves telnet sessions; it uses \
#   unencrypted username/password pairs for authentication.
service telnet
{
    disable = yes
    flags       = REUSE
    socket_type = stream        
    wait        = no
    user        = root
    server      = /usr/sbin/in.telnetd
    log_on_failure  += USERID
}

Configure the terminal type for telnet login, add some pts terminals at the end of the / etc/securetty file, as follows

pts/0

pts/1

pts/2

pts/3

Start telnet service and set boot autostart

[root@node1 ~]# systemctl start xinetd
[root@node1 ~]# systemctl enable xinetd
[root@node1 ~]# systemctl start telnet.socket
[root@node1 ~]# systemctl enable telnet.socket
Created symlink from /etc/systemd/system/sockets.target.wants/telnet.socket to /usr/lib/systemd/system/telnet.socket

Test, switch to telnet login

Install Dependent Packages

Upgrade requires several components, some related to compilation, etc.

[root@node1 ~]# yum install  -y gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel  pam-devel

Install pam, zlib, etc. (Pam may not be used for subsequent upgrades, installation will have no impact, test yourself if you do not want to install pam)

[root@node1 ~]# yum install -y pam* zlib*

Install openssl

Back up the next two files or directories (if they exist)

[root@node1 openssl-1.1.1g]# ll /usr/bin/openssl 
-rwxr-xr-x 1 root root 555288 Aug  9  2019 /usr/bin/openssl
[root@node1 openssl-1.1.1g]# mv /usr/bin/openssl /usr/bin/openssl.20200522
[root@node1 openssl-1.1.1g]# ll /usr/include/openssl/
total 1864
-rw-r--r-- 1 root root   6146 Aug  9  2019 aes.h
-rw-r--r-- 1 root root  63204 Aug  9  2019 asn1.h
-rw-r--r-- 1 root root  24435 Aug  9  2019 asn1_mac.h
......
[root@node1 openssl-1.1.1g]# mv /usr/include/openssl /usr/include/openssl.20200522bak

Compile and install a new version of openssl

Configure, compile, install three commands to execute together

The &&symbol indicates that the previous execution succeeds before the latter

[root@node1 openssl-1.1.1g]# pwd
/root/openssh/openssl-1.1.1g
[root@node1 openssl-1.1.1g]# ./config –prefix=/usr/local/openssl && make && make install

The next 2 files or directories are soft-linked (mv backup of previous steps)

[root@node1 openssl-1.1.1g]# ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
[root@node1 openssl-1.1.1g]# ln -s /usr/local/openssl/include/openssl /usr/include/openssl
[root@node1 openssl-1.1.1g]# ln -s /usr/local/openssl/lib/libssl.so /usr/lib64/libssl.so

The command line executes the following two commands to load the new configuration

[root@node1 openssl-1.1.1g]# echo "/usr/local/openssl/lib" >> /etc/ld.so.conf
[root@node1 openssl-1.1.1g]# ldconfig

View Confirmation Version

[root@node1 openssl-1.1.1g]# openssl version
OpenSSL 1.1.1g  21 Apr 2020

Install openssh

Unzip File

[root@node1 openssh]# tar -xf openssh-8.2p1.tar.gz 
[root@node1 openssh]# cd openssh-8.2p1
[root@node1 openssh-8.2p1]# ll

Maybe the file defaults to 1000 for uid and gid arrays, reauthorized here.Not authorizing may or may not affect installation (test yourself) (OCD reauthorizes itself)

[root@node1 openssh-8.2p1]# chown root:root -R /root/openssh/openssh-8.2p1

Command line backup of previous ssh configuration files and directories

Then configure, compile, install

[root@node1 openssh-8.2p1]# chown root:root -R /root/openssh/openssh-8.2p1
[root@node1 openssh-8.2p1]# mv /etc/ssh /etc/ssh.20200521bak   
[root@node1 openssh-8.2p1]# ./configure --prefix=/usr/ --sysconfdir=/etc/ssh/ -with-openssl-includes=/usr/include/openssl --with-ssl-dir=/usr/local/openssl/ --with-zlib --with-md5-passwords --with-pam && make && make install

Copy some files from the original decompressed package to the destination location (overwrite if the destination directory exists)

(Possibly belowSsh.pamNone of the files are needed because sshd_The config configuration file does not appear to be using it, please test it yourself.I'm a copy)

[root@node1 openssh-8.2p1]# cp contrib/redhat/sshd.init /etc/init.d/sshd
[root@node1 openssh-8.2p1]# cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd.pam
[root@node1 openssh-8.2p1]# chmod +x /etc/init.d/sshd
[root@node1 openssh-8.2p1]# chkconfig --add sshd
[root@node1 openssh-8.2p1]# systemctl enable sshd

Delete or remove or delete the sshd file previously managed by systemd, which will affect our restart of sshd service

[root@node1 openssh-8.2p1]# mv /usr/lib/systemd/system/sshd.service /root/

Set sshd service startup

[root@node1 openssh-8.2p1]# chkconfig sshd on
Note: Forwarding request to 'systemctl enable sshd.socket'.

Next, test the start-stop service.All normal

[root@node1 openssh-8.2p1]# systemctl restart sshd
[root@node1 openssh-8.2p1]# systemctl status sshd
● sshd.service - SYSV: OpenSSH server daemon
   Loaded: loaded (/etc/rc.d/init.d/sshd; bad; vendor preset: enabled)
   Active: active (running) since Sat 2020-05-23 03:13:21 CST; 4s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 161820 ExecStop=/etc/rc.d/init.d/sshd stop (code=exited, status=0/SUCCESS)
  Process: 161828 ExecStart=/etc/rc.d/init.d/sshd start (code=exited, status=0/SUCCESS)
 Main PID: 161836 (sshd)
    Tasks: 1
   Memory: 852.0K
   CGroup: /system.slice/sshd.service
           └─161836 sshd: /usr/sbin/sshd [listener] 0 of 10-100 startups

May 23 03:13:20 node1 systemd[1]: Starting SYSV: OpenSSH server daemon...
May 23 03:13:21 node1 sshd[161836]: Server listening on 0.0.0.0 port 22.
May 23 03:13:21 node1 sshd[161836]: Server listening on :: port 22.
May 23 03:13:21 node1 sshd[161828]: Starting sshd:[  OK  ]
May 23 03:13:21 node1 systemd[1]: Started SYSV: OpenSSH server daemon.

View ssh version

[root@node1 openssh-8.2p1]# ssh -V
OpenSSH_8.2p1, OpenSSL 1.1.1g  21 Apr 2020

Posted by CleoK on Fri, 22 May 2020 21:10:07 -0700

Programmer Group