【openSSH】How to Upgrade OpenSSH on CentOS 7.x?

1. Background

A customer reported that a third-party security firm had scanned their servers and found many SSH vulnerabilities. CentOS 7.2 ships the old OpenSSH 6.6.1, and these vulnerabilities have been fixed in newer OpenSSH releases, so for security reasons it needs to be upgraded.

The yum repository does not carry the latest OpenSSH, so we download the latest source package from the official site, compile it ourselves and build RPM packages from it.

Because the customer's servers cannot reach the outside network, an offline upgrade package has to be produced.

2. Environment

Operating system: CentOS 7.2 Minimal

serverA 192.168.1.104: simulated development machine, has network access, used to build the offline upgrade package

serverB 192.168.1.106: simulated customer server, no network access, old versions of the OpenSSH packages and their dependencies

3. Expected outcome

On serverA, download and compile OpenSSH and its dependencies and write a one-step upgrade script; then use it to complete the OpenSSH upgrade on serverB.

The latest OpenSSH source package at the time of writing is openssh-7.9p1.tar.gz.

4. Procedure

On serverA

# yum -y install  vim  wget epel-release

# yum  -y  install  rpm-build  gcc make

# yum -y install  openssl  openssl-devel krb5-devel pam-devel libX11-devel xmkmf libXt-devel

# wget  http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.9p1.tar.gz

# tar -zxf openssh-7.9p1.tar.gz

# mkdir -p  /root/rpmbuild/{SOURCES,SPECS}

# cp ./openssh-7.9p1/contrib/redhat/openssh.spec    /root/rpmbuild/SPECS/

# cp openssh-7.9p1.tar.gz    /root/rpmbuild/SOURCES/

# cd  /root/rpmbuild/SPECS/

# sed  -i  -e  "s/%define no_gnome_askpass 0/%define no_gnome_askpass 1/g"    openssh.spec

# sed  -i  -e  "s/%define no_x11_askpass 0/%define no_x11_askpass 1/g"    openssh.spec

# sed  -i  -e  "s/BuildPreReq/BuildRequires/g"    openssh.spec

# sed -i  -e  "s/BuildRequires: openssl-devel < 1.1/#BuildRequires: openssl-devel < 1.1/g" openssh.spec

# rpmbuild -bb openssh.spec

The built RPMs are placed in the /root/rpmbuild/RPMS/x86_64/ directory:

# ll /root/rpmbuild/RPMS/x86_64

The above steps as a script:

# cat build.sh

#####################################################
#!/bin/bash
set -e
OPENSSH_VERSION=7.9p1

yum -y install vim wget epel-release
yum -y install rpm-build gcc make
yum -y install openssl openssl-devel krb5-devel pam-devel libX11-devel xmkmf libXt-devel

# the manual steps above were run from /root; the relative paths below assume it
cd /root
wget http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${OPENSSH_VERSION}.tar.gz
tar -zxf openssh-${OPENSSH_VERSION}.tar.gz
mkdir -p /root/rpmbuild/{SOURCES,SPECS}
cp ./openssh-${OPENSSH_VERSION}/contrib/redhat/openssh.spec /root/rpmbuild/SPECS/
cp openssh-${OPENSSH_VERSION}.tar.gz /root/rpmbuild/SOURCES/
cd /root/rpmbuild/SPECS/

# disable the askpass helpers, rename BuildPreReq and comment out the openssl-devel version restriction
sed -i -e "s/%define no_gnome_askpass 0/%define no_gnome_askpass 1/g" openssh.spec
sed -i -e "s/%define no_x11_askpass 0/%define no_x11_askpass 1/g" openssh.spec
sed -i -e "s/BuildPreReq/BuildRequires/g" openssh.spec
sed -i -e "s/BuildRequires: openssl-devel < 1.1/#BuildRequires: openssl-devel < 1.1/g" openssh.spec

rpmbuild -bb openssh.spec
ls -l /root/rpmbuild/RPMS/x86_64

########################################################

5. Testing the OpenSSH upgrade on the development machine

On serverA

# cd /root/rpmbuild/RPMS/x86_64

# rpm -Uvh *.rpm

# rpm -qa | grep openssh

At this point the upgrade should have been complete, but logging in from a client failed!

At first we suspected our self-built RPM packages; after several rounds of trial and error, it turned out the cause was incorrect default configuration.

Public-key login failed because the default permissions on the host key files were too open, so the key files' permissions need to be changed:

# ll  /etc/ssh/ssh_host_*_key

# chmod 600  /etc/ssh/ssh_host_*_key

# ll /etc/ssh/ssh_host_*_key

The upgraded OpenSSH does not allow password login with the default settings, so the configuration file has to be changed:

# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

# sed -i -e  "s/#PasswordAuthentication yes/PasswordAuthentication yes/g"  /etc/ssh/sshd_config

# sed -i -e  "s/#PermitRootLogin prohibit-password/PermitRootLogin yes/g"    /etc/ssh/sshd_config

# sed -i -e  "s/#PermitEmptyPasswords no/PermitEmptyPasswords no/g"  /etc/ssh/sshd_config

# sed -i -e "s/#UsePAM no/UsePAM yes/g" /etc/ssh/sshd_config

The default /etc/pam.d/sshd uses the obsolete pam_stack.so module and needs to be updated:

# cp /etc/pam.d/sshd /etc/pam.d/sshd.bak

# cat > /etc/pam.d/sshd <<EOF
#%PAM-1.0
auth required pam_sepermit.so
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth
EOF

Restart the ssh service and check its status:

# systemctl restart sshd

# systemctl enable  sshd

# systemctl status sshd

You will notice that after the upgrade the sshd service is started from an init script, not from the /usr/lib/systemd/system/sshd.service unit file any more.

During the upgrade the package removed /usr/lib/systemd/system/sshd.service and added the service start script /etc/init.d/sshd.

If you look carefully you will also notice that after the upgrade, ssh-copy-id, the public key copying command we often use to set up passwordless login, is gone!

It is not really gone: we need to copy it from the unpacked source package into the /usr/bin/ directory:

# cp /root/openssh-7.9p1/contrib/ssh-copy-id  /usr/bin/

# chmod 755 /usr/bin/ssh-copy-id

6. Building the offline upgrade package

On serverA

# yum -y install  yum-utils createrepo

# mkdir  /root/localrepo

# repotrack openssl -p /root/localrepo/

You may wonder: aren't we supposed to be collecting the dependencies of the OpenSSH packages? Why openssl?

As the installation above showed, upgrading OpenSSH does not run into any missing dependencies; we only need to upgrade openssl along with it. So:

# cp  /root/rpmbuild/RPMS/x86_64/*.rpm  /root/localrepo

# createrepo -v    /root/localrepo

Write the offline upgrade installation script:

# cat install.sh

######################################################
#!/bin/bash
# locate the directory this script lives in and work from there
parent_path=$( cd "$(dirname "${BASH_SOURCE[0]}")"; pwd -P )
cd "$parent_path"

# temporarily replace all yum repositories with the local one shipped in the package
mkdir -p /etc/yum.repos.d/backup
mv /etc/yum.repos.d/*.repo /etc/yum.repos.d/backup
rm -rf /tmp/localrepo
mkdir -p /tmp/localrepo
cp -rf ./localrepo/* /tmp/localrepo
echo "[localrepo]"                     > /etc/yum.repos.d/localrepo.repo
echo "name=Local Repository"          >> /etc/yum.repos.d/localrepo.repo
echo "baseurl=file:///tmp/localrepo"  >> /etc/yum.repos.d/localrepo.repo
echo "gpgcheck=0"                     >> /etc/yum.repos.d/localrepo.repo
echo "enabled=1"                      >> /etc/yum.repos.d/localrepo.repo
yum clean all
yum -y install openssl
yum -y install 'openssh*' --disablerepo="*" --enablerepo="localrepo"

# restore the original repositories
rm -rf /tmp/localrepo
rm -f /etc/yum.repos.d/localrepo.repo
mv /etc/yum.repos.d/backup/*.repo /etc/yum.repos.d
rm -rf /etc/yum.repos.d/backup

# host keys must not be group/world readable, otherwise sshd refuses to load them
chmod 600 /etc/ssh/ssh_host_*_key

# modify /etc/ssh/sshd_config
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
sed -i -e "s/#PasswordAuthentication yes/PasswordAuthentication yes/g" /etc/ssh/sshd_config
sed -i -e "s/#PermitRootLogin prohibit-password/PermitRootLogin yes/g" /etc/ssh/sshd_config
sed -i -e "s/#PermitEmptyPasswords no/PermitEmptyPasswords no/g"       /etc/ssh/sshd_config
sed -i -e "s/#UsePAM no/UsePAM yes/g"                                   /etc/ssh/sshd_config

# modify /etc/pam.d/sshd
cp /etc/pam.d/sshd /etc/pam.d/sshd.bak
cat > /etc/pam.d/sshd <<EOF
#%PAM-1.0
auth required pam_sepermit.so
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth
EOF

# copy ssh-copy-id
cp ssh-copy-id /usr/bin
chmod 755 /usr/bin/ssh-copy-id

systemctl restart sshd
systemctl enable sshd
systemctl status sshd
rpm -qa | grep open

if systemctl status sshd | grep -q "Active: active (running)"; then
  echo -e "\033[32m[INFO] OpenSSH upgraded to 7.9p1 successfully!\033[0m"
else
  echo -e "\033[31m[ERROR] OpenSSH upgrade to 7.9p1 failed!\033[0m"
fi

##############################################################

Package the offline installer:

# mkdir /root/opensshUpgrade

# cp install.sh /root/opensshUpgrade

# cp -r /root/localrepo /root/opensshUpgrade

# cp /root/openssh-7.9p1/contrib/ssh-copy-id /root/opensshUpgrade

# tar -zcf opensshUpgrade.tar.gz opensshUpgrade
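An added check script, not part of the original post, for the state that the manual fixes in section 5 and install.sh above are meant to leave behind: host key modes, the effective sshd_config values, a PAM file free of pam_stack.so, and the installed version. The file name check_openssh_upgrade.sh and the function names are assumptions; paths are passed as arguments so it can be pointed at a copied tree.

```shell
#!/bin/bash
# check_openssh_upgrade.sh: verify the fixes the post applies by hand in section 5 and again in
# install.sh. Hypothetical helper, not part of the original post; paths are passed in as arguments.

# Every host private key must be mode 600, otherwise sshd refuses to load it.
check_hostkey_perms() {      # $1 = directory holding ssh_host_*_key
    local key mode rc=0
    for key in "$1"/ssh_host_*_key; do
        [ -e "$key" ] || continue
        mode=$(stat -c %a "$key")
        [ "$mode" = "600" ] || { echo "[FAIL] $key is mode $mode, want 600"; rc=1; }
    done
    return $rc
}

# Effective value of one sshd_config keyword: sshd uses the first uncommented occurrence.
sshd_option() {              # $1 = sshd_config path, $2 = keyword (case-insensitive)
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# The rewritten PAM file must no longer reference the obsolete pam_stack.so module.
check_pam_file() {           # $1 = /etc/pam.d/sshd path
    ! grep -Eq '^[^#]*pam_stack\.so' "$1"
}

# Pull "7.9p1" out of the "ssh -V" banner and compare it with the version that was built.
openssh_version_ok() {       # $1 = output of "ssh -V 2>&1", $2 = expected version, e.g. 7.9p1
    [ "$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9.]*p[0-9]*\).*/\1/p')" = "$2" ]
}

# Run every check (defaults point at the live system); non-zero exit if any check fails.
main() {
    local cfg="${1:-/etc/ssh/sshd_config}" pam="${2:-/etc/pam.d/sshd}" dir="${3:-/etc/ssh}" rc=0
    check_hostkey_perms "$dir"                 && echo "[ok] host key permissions"    || rc=1
    check_pam_file "$pam"                      && echo "[ok] no pam_stack.so in $pam" || rc=1
    [ "$(sshd_option "$cfg" UsePAM)" = "yes" ] && echo "[ok] UsePAM yes"              || rc=1
    echo "[info] PermitRootLogin=$(sshd_option "$cfg" PermitRootLogin)" \
         "PasswordAuthentication=$(sshd_option "$cfg" PasswordAuthentication)"
    openssh_version_ok "$(ssh -V 2>&1)" 7.9p1  && echo "[ok] OpenSSH 7.9p1 in PATH"   || rc=1
    return $rc
}

# Only run main when executed directly, so the functions can also be sourced.
[ "$(basename -- "$0")" = "check_openssh_upgrade.sh" ] && main "$@"
```

The [info] line reports the effective PermitRootLogin and PasswordAuthentication values, so the state install.sh leaves behind can be compared with the site's policy instead of assumed.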

7. Offline upgrade of OpenSSH

Copy the offline upgrade package opensshUpgrade.tar.gz to serverB:

# tar -zxf opensshUpgrade.tar.gz

# cd opensshUpgrade

# bash install.sh | tee install.log

# rpm -qa | grep openssl

# rpm -qa | grep openssh

# systemctl status sshd

Test the login:

[C:\~]$  ssh  [email protected]

8. References

Upgrade OpenSSH in CentOS 7

https://blog.forhot2000.cn/linux/2017/09/04/upgrade-openssh-in-centos-7.html

Compiling and upgrading to OpenSSH 7.9

https://blog.csdn.net/weixin_42123737/article/details/85283972

Upgrading OpenSSH to 7.9p1 on CentOS 6.5

https://blog.csdn.net/qq_25934401/article/details/83419849

An OpenSSH upgrade script (openssh-7.7p1 edition)

https://blog.csdn.net/GX_1_11_real/article/details/82152459

Upgrade OpenSSH to 7.7p1 in CentOS 6

https://docs.junyangz.com/upgrade-openssh-to-7.7p1-in-centos-6

Generating repository metadata with createrepo and setting up a local yum source

https://www.jianshu.com/p/5cb5af152e75

How to resolve dependencies for offline installation

https://www.jianshu.com/p/6f4f9a80a726

Origin: blog.csdn.net/michaelwoshi/article/details/94280798