OpenSSH and OpenSSL upgrade

preface

After upgrading to CentOS 7.9.2009 I also had to upgrade OpenSSH and OpenSSL. I fell into a lot of pits on the way and came out with some experience, so the pits are listed up front:
1. If OpenSSH is upgraded first and OpenSSL afterwards, ssh -V still reports the old OpenSSL version, so a vulnerability scan keeps flagging the host. Upgrade OpenSSL first, then build OpenSSH against it.
2. Some articles fail because words or steps are missing. For example, on a system with firewalld running, telnet's port 23 has to be opened, and some articles misspell the firewall-cmd command.
3. After replacing the libraries with symlinks I kept getting the error /lib64/libssl.so.10: version `libssl.so.10' not found. The old .so.10 libraries have to stay in place.

1, Check version

[root@localhost ~]# cat /etc/redhat-release    #View system version
CentOS Linux release 7.9.2009 (Core)
[root@localhost ~]# ssh -V  #Where V is capitalized
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017

At the time of writing the latest releases were OpenSSH 8.4p1 and OpenSSL 1.1.1h (OpenSSL 3.0.0 was not looked at).

2, Preparation before upgrade

1. Backup files

[root@localhost ~]# cp -r /etc/pam.d /etc/pam.d.bak
[root@localhost ~]# cp -af  /usr/bin/openssl  /usr/bin/openssl.old
[root@localhost ~]# cp -af  /etc/pki/ca-trust/extracted/openssl  /etc/pki/ca-trust/extracted/openssl.old
[root@localhost ~]# cp -af  /usr/lib64/openssl /usr/lib64/openssl.old
[root@localhost ~]# cp -af  /usr/lib64/libcrypto.so.10  /usr/lib64/libcrypto.so.10.old
[root@localhost ~]# cp -af  /usr/lib64/libssl.so.10  /usr/lib64/libssl.so.10.old 
[root@localhost ~]# cp -arf /etc/ssh/ /etc/ssh_old

2. Install and configure telnet-server and xinetd (a telnet fallback so you can still get in if sshd breaks). Telnet sends credentials in cleartext, so only do this on a network you trust, and remove it again once the upgrade is done.

If yum reports an error or says it cannot connect, first check that the machine can ping an external host: this is an online update, and an unconfigured DNS also makes it fail. For other problems, consult the documentation.

[root@localhost ~]#yum install xinetd telnet-server -y

Other write-ups of the older procedure say the xinetd configuration file has to be edited to let root log in. On CentOS 7 the telnet-server package ships a systemd socket unit (telnet.socket) instead of an xinetd file, so after installing telnet I simply did not find it:

[root@localhost ~]# ll /etc/xinetd.d/telnet
ls: cannot access /etc/xinetd.d/telnet: No such file or directory

If the file does exist on your system, edit it so the service is enabled: the file ships with disable = yes (service off), and that has to become disable = no. Whether root may log in is controlled separately by /etc/securetty, covered below.
#The editor used is vi; most systems also have vim, which is the more capable of the two
#vim FILE opens the file. Press i to enter insert mode and Esc to leave it; :wq saves and quits, :q! quits without saving

[root@localhost ~]# cat /etc/xinetd.d/telnet
# default: on
# description: The telnet server serves telnet sessions; it uses \
#   unencrypted username/password pairs for authentication.
service telnet
{
    disable = yes
    flags       = REUSE
    socket_type = stream       
    wait        = no
    user        = root
    server      = /usr/sbin/in.telnetd
    log_on_failure  += USERID
}
 
[root@localhost ~]# vim /etc/xinetd.d/telnet
[root@localhost ~]# cat /etc/xinetd.d/telnet
# default: on
# description: The telnet server serves telnet sessions; it uses \
#   unencrypted username/password pairs for authentication.
service telnet
{
    disable = no
    flags       = REUSE
    socket_type = stream       
    wait        = no
    user        = root
    server      = /usr/sbin/in.telnetd
    log_on_failure  += USERID
}

Allow root to log in on telnet's pseudo-terminals: edit /etc/securetty and add a few pts entries at the end (pam_securetty only lets root log in from a terminal listed in that file, and telnet sessions arrive on pts/N).

[root@localhost ~]# vim /etc/securetty

Then add the following lines at the end of the file

pts/0
pts/1
pts/2
pts/3

After editing, the end of the file looks like this

[root@localhost ~]# tail -5 /etc/securetty
xvc0
pts/0
pts/1
pts/2
pts/3

Then start the telnet service, enable it at boot and check that the port is listening

[root@localhost ~]# systemctl enable xinetd
[root@localhost ~]# systemctl enable telnet.socket
[root@localhost ~]# systemctl start telnet.socket
[root@localhost ~]# systemctl start xinetd
[root@localhost ~]# netstat -lntp|grep 23
tcp6       0      0 :::23                   :::*                    LISTEN      1/systemd        

Many articles have you log in over telnet at this point to check, but with firewalld running the port is still closed. As a beginner it took me a long time to find out that there is a typo trap here as well: some articles misspell the firewall-cmd command, so my command failed and I had to go hunting for the reason.

[root@localhost ~]# firewall-cmd --query-port=23/tcp
no
[root@localhost ~]# firewall-cmd --zone=public --add-port=23/tcp --permanent
success
[root@localhost ~]# firewall-cmd --reload
success
[root@localhost ~]# firewall-cmd --query-port=23/tcp
yes

Do the upgrade from a telnet session (if the upgrade breaks sshd you are otherwise locked out; it is also worth rebooting once first and confirming that the telnet login survives a restart, in case the machine is rebooted by accident later). Do not just check that the connection opens: you must actually get a shell, otherwise you will keep getting "account or password incorrect" as I did the first time.

3, Start upgrade

1. Remove the old packages and install build dependencies

Everything from here on is done in the telnet session. These are the components the build needs.

[root@localhost ~]# yum remove -y openssl    #removes the openssl CLI package; openssl-libs stays, since yum and python2 depend on it
[root@localhost ~]# yum remove -y openssh    #takes openssh-server and openssh-clients with it, so there is no sshd from here until the new one starts
[root@localhost ~]# yum install -y gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel  pam-devel cpan

Then install pam, zlib and perl (pam may not be needed by the later steps; installing it does no harm, and if you would rather leave it out, test that yourself). From the zlib glob, zlib-devel is what the OpenSSH build actually needs.

[root@localhost ~]# yum install -y pam* zlib* perl*

2. Download the upgrade package

Download the OpenSSH and OpenSSL source archives from
https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/
https://ftp.openssl.org/source/
Both projects publish a detached PGP signature (.asc) next to each tarball. Since this will become the host's SSH server, verify the signature against the project's release key before building rather than trusting the mirror. Once you have the file URL you can download directly on the system:

[root@localhost ~]# wget https://ftp.openssl.org/source/openssl-1.1.1h.tar.gz
[root@localhost ~]# wget https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/openssh-8.4p1.tar.gz

3. OpenSSL: unpack and build

Unpack the archive

[root@localhost ~]# tar -zxvf openssl-1.1.1h.tar.gz
[root@localhost ~]# cd  openssl-1.1.1h

Check whether these files exist; if they do, move them aside before building

[root@localhost openssl-1.1.1h]# ll /usr/bin/openssl
-rwxr-xr-x. 1 root root 555288 Aug  9  2019 /usr/bin/openssl
[root@localhost openssl-1.1.1h]# mv /usr/bin/openssl /usr/bin/openssl_bak
[root@localhost openssl-1.1.1h]# ll /usr/include/openssl
[root@localhost openssl-1.1.1h]# mv /usr/include/openssl /usr/include/openssl_bak

Configure, build and install

[root@localhost openssl-1.1.1h]# ./config --prefix=/usr/local --openssldir=/usr/local/openssl && make && make install
 #./config shared && make && make install

OpenSSL 1.1.1 builds shared libraries by default, and with this prefix on x86_64 they land in /usr/local/lib64, with the headers in /usr/local/include/openssl. When the chain finishes, check the exit status straight away ($? only reflects the last command run); 0 means success

[root@localhost openssl-1.1.1h]# echo $?
0

Recreate the symlinks, register the new library directory with the dynamic loader and check the result. If cp asks whether to overwrite, answer y.

[root@localhost openssl-1.1.1h]# ln -s /usr/local/bin/openssl /usr/bin/openssl
[root@localhost openssl-1.1.1h]# ln -s /usr/local/include/openssl /usr/include/openssl
[root@localhost openssl-1.1.1h]# ll /usr/bin/openssl
lrwxrwxrwx. 1 root root 22 Dec  5 16:01 /usr/bin/openssl -> /usr/local/bin/openssl
[root@localhost openssl-1.1.1h]# ll /usr/include/openssl -ld
lrwxrwxrwx. 1 root root 26 Dec  5 16:02 /usr/include/openssl -> /usr/local/include/openssl
[root@localhost openssl-1.1.1h]# echo "/usr/local/lib" >> /etc/ld.so.conf
[root@localhost openssl-1.1.1h]# echo "/usr/local/lib64/" >> /etc/ld.so.conf
[root@localhost openssl-1.1.1h]# /sbin/ldconfig
[root@localhost openssl-1.1.1h]# cp libcrypto.so.1.1 libssl.so.1.1 /usr/lib64    #only the versioned 1.1 libraries; never touch libcrypto.so.10 / libssl.so.10

The article I originally followed used "cp libcrypto.so libcrypto.so.1.1 libssl.so libssl.so.1.1 /usr/lib64" here, after which I got "/lib64/libcrypto.so.10: version `libcrypto.so.10' not found (required by /usr/lib64/python2.7/lib-dynload/_hashlib.so)", so I changed it to the command above. The rule behind this: add the 1.1 files alongside the old ones, but never replace or re-point libcrypto.so.10 and libssl.so.10, because python2's _hashlib.so (and therefore yum) is bound to them. With /usr/local/lib64 registered in ld.so.conf the copy is belt and braces; the loader already finds the libraries there.

Confirm the version

[root@localhost openssl-1.1.1h]# openssl version
OpenSSL 1.1.1h  22 Sep 2020

4. OpenSSH: unpack and build

Go back to the home directory and unpack openssh-8.4p1.tar.gz

[root@localhost openssl-1.1.1h]# cd
[root@localhost ~]# tar -zxvf openssh-8.4p1.tar.gz
[root@localhost ~]# cd openssh-8.4p1

Configure the build

[root@localhost openssh-8.4p1]# ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-tcp-wrappers --with-ssl-dir=/usr/local/openssl --with-zlib=/usr/local/lib64 --without-hardening 
#./configure --prefix=/usr/ --sysconfdir=/etc/ssh --with-openssl-include=/usr/local/ssl/include --with-ssl-dir=/usr/local/ssl --with-zlib --with-md5-passwords --with-pam

Three notes on these flags. --with-tcp-wrappers does nothing: tcp_wrappers support was removed from OpenSSH in 6.7, and configure only prints a warning about an unrecognized option. --without-hardening switches off the compiler and linker hardening flags (PIE, stack protector, RELRO) on the daemon you are about to expose to the network; leave it out unless the build fails without it. --with-ssl-dir is meant to point at the OpenSSL install prefix (here /usr/local, which holds include/openssl and lib64), not at the openssldir; this build still finds the 1.1.1 headers through the /usr/include/openssl symlink created above, but if configure reports that the OpenSSL headers and library do not match, pass --with-ssl-dir=/usr/local instead.

Check the exit status of configure; 0 means it succeeded

[root@localhost openssh-8.4p1]# echo $?
0

Build and install, checking the result of each step, and tighten the host key permissions before installing: upstream sshd refuses to load a host key that is group- or world-readable, and CentOS ships them 0640 root:ssh_keys for its own patched build.

[root@localhost openssh-8.4p1]# make
[root@localhost openssh-8.4p1]# echo $?
0
[root@localhost openssh-8.4p1]# chmod 600 /etc/ssh/ssh_host*
[root@localhost openssh-8.4p1]# make install
[root@localhost openssh-8.4p1]# echo $?
0

Configure sshd

make install does not overwrite an existing /etc/ssh/sshd_config, so depending on whether the RPM's file survived the yum remove you are editing either the old CentOS config or the fresh upstream default. Two cautions: sshd uses the first active occurrence of a keyword, so appending with echo only works while PermitRootLogin and UseDNS are commented out above (hence the grep); and PermitRootLogin yes is a weak setting that is only here so root can get back in during the upgrade. Once a normal account or a root key is confirmed working, change it to prohibit-password or no. Also check the Subsystem sftp line: this build installs sftp-server to /usr/libexec/sftp-server, while the CentOS file points at /usr/libexec/openssh/sftp-server, and sshd -t does not validate that path. Run sshd -t after editing anyway to catch options that 8.4 no longer accepts.

[root@localhost openssh-8.4p1]# echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
[root@localhost openssh-8.4p1]# grep "^PermitRootLogin"  /etc/ssh/sshd_config      
PermitRootLogin yes
[root@localhost openssh-8.4p1]# echo "UseDNS no" >> /etc/ssh/sshd_config
[root@localhost openssh-8.4p1]# grep  "UseDNS"  /etc/ssh/sshd_config    
UseDNS no
[root@localhost openssh-8.4p1]# cp -a contrib/redhat/sshd.init /etc/init.d/sshd
[root@localhost openssh-8.4p1]# cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd    #PAM looks the service up by name, so the file must be /etc/pam.d/sshd, not sshd.pam
[root@localhost openssh-8.4p1]# chmod +x /etc/init.d/sshd
[root@localhost openssh-8.4p1]# chkconfig --add sshd
[root@localhost openssh-8.4p1]# systemctl enable sshd
[root@localhost openssh-8.4p1]# chkconfig sshd on
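Appending directives with echo works on a stock file, but sshd takes the first active occurrence of a keyword, so an earlier uncommented line silently wins, and an append lands inside a Match block if one ends the file. The helper below is an example added by the editor, not code from the original article: it sets a global directive exactly once (rewriting the first active line, dropping later global duplicates, inserting before the first Match block when the keyword is unset) and leaves Match blocks alone. The file path and the prohibit-password value in the usage comment are assumptions for the demonstration.

```bash
#!/bin/bash
# Editor's example (not from the original article): set sshd_config directives
# safely. sshd(8) takes the FIRST active occurrence of a keyword, and global
# options must come before any Match block, so a blind `echo ... >> sshd_config`
# can end up ignored or inside a Match block. Assumes the "Keyword value" form
# used by the stock CentOS file (the "Keyword=value" form is not handled).

# set_sshd_option FILE KEYWORD VALUE
#   rewrites the first active global line for KEYWORD, drops later global
#   duplicates, otherwise inserts before the first Match block (or appends);
#   lines inside Match blocks are never touched.
set_sshd_option() {
    local file=$1 key=$2 value=$3 tmp rc
    tmp=$(mktemp) || return 1
    awk -v k="$key" -v v="$value" '
        BEGIN { kl = tolower(k); done = 0; in_match = 0 }
        # first Match line: the global section ends here; insert if still unset
        tolower($1) == "match" && !in_match {
            in_match = 1
            if (!done) { print k, v; done = 1 }
        }
        # an active (uncommented) global line for this keyword
        !in_match && substr($1, 1, 1) != "#" && tolower($1) == kl {
            if (!done) { print k, v; done = 1 }
            next
        }
        { print }
        END { if (!done) print k, v }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the file's mode and owner
    rc=$?
    rm -f "$tmp"
    return $rc
}

# get_sshd_option FILE KEYWORD
#   prints the value sshd will use globally: the first active line before any Match
get_sshd_option() {
    local file=$1 key=$2
    awk -v k="$key" '
        tolower($1) == "match" { exit }
        substr($1, 1, 1) != "#" && tolower($1) == tolower(k) { print $2; exit }
    ' "$file"
}

# Usage (path and values are the ones this article is concerned with; assumed):
#   set_sshd_option /etc/ssh/sshd_config PermitRootLogin prohibit-password
#   set_sshd_option /etc/ssh/sshd_config UseDNS no
#   sshd -t && /etc/init.d/sshd restart
```

Use it to flip PermitRootLogin to prohibit-password once a key for root or a working normal account is in place, and always follow with sshd -t before restarting.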

Move the RPM's systemd unit out of the way so that systemd falls back to the init script installed above (if the unit file was already removed together with the openssh-server package, the mv fails, and that is fine):

[root@localhost openssh-8.4p1]# mv /usr/lib/systemd/system/sshd.service  /home/

Check that the service starts, stops and listens as expected

[root@localhost openssh-8.4p1]# /etc/init.d/sshd restart
Restarting sshd (via systemctl):                           [  OK  ]
[root@localhost openssh-8.4p1]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name                  
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1881/sshd: /usr/sbi                      
tcp6       0      0 :::22                   :::*                    LISTEN      1881/sshd: /usr/sbi         
tcp6       0      0 :::23                   :::*                    LISTEN      1/systemd    
[root@localhost openssh-8.4p1]# /etc/init.d/sshd stop
Stopping sshd (via systemctl):                             [  OK  ]
[root@localhost openssh-8.4p1]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name            
tcp6       0      0 :::23                   :::*                    LISTEN      1/systemd 
[root@localhost openssh-8.4p1]# /etc/init.d/sshd start
Starting sshd (via systemctl):                             [  OK  ]  
[root@localhost openssh-8.4p1]# ssh -V
OpenSSH_8.4p1, OpenSSL 1.1.1h  22 Sep 2020
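ssh -V is the check this page relies on, but a scanner, and sshd itself, care about which library is actually loaded (pitfall 1 from the preface) and whether the old .so.10 libraries survived (pitfall 3), so the script below, an example added by the editor and not part of the original article, checks all of that in one go. The expected version strings, the sshd path /usr/sbin/sshd and the old library paths under /usr/lib64 are assumptions taken from the rest of this page.

```bash
#!/bin/bash
# Editor's example (not from the original article): post-upgrade checks for the
# OpenSSL 1.1.1 / OpenSSH 8.4 procedure above. Paths and versions are assumed
# from this page; adjust EXPECT_* if you built different releases.
EXPECT_SSH=8.4p1
EXPECT_SSL=1.1.1h
SSHD=/usr/sbin/sshd
OLD_LIBS="/usr/lib64/libcrypto.so.10 /usr/lib64/libssl.so.10"

# parse_ssh_version "OpenSSH_8.4p1, OpenSSL 1.1.1h  22 Sep 2020"  ->  "8.4p1 1.1.1h"
parse_ssh_version() {
    printf '%s\n' "$1" | sed -nE 's/^OpenSSH_([^ ,]+), OpenSSL ([^ ]+).*/\1 \2/p'
}

# openssl_sonames "<ldd output>"  ->  the libssl/libcrypto sonames a binary loads, one per line
openssl_sonames() {
    printf '%s\n' "$1" | awk '$1 ~ /^lib(ssl|crypto)\.so/ { print $1 }'
}

# linked_to_new_openssl "<ldd output>": true only if every libssl/libcrypto
# dependency is the 1.1 ABI. Pitfall 1 from the preface: OpenSSH built before the
# OpenSSL upgrade keeps loading libcrypto.so.10 whatever `openssl version` says.
linked_to_new_openssl() {
    local names
    names=$(openssl_sonames "$1")
    [ -n "$names" ] || return 1
    ! printf '%s\n' "$names" | grep -qv '\.so\.1\.1$'
}

# check_host: the live checks; prints one OK/FAIL line each and returns 1 on any failure
check_host() {
    local rc=0 lib err
    set -- $(parse_ssh_version "$(ssh -V 2>&1)")
    if [ "${1:-}" = "$EXPECT_SSH" ] && [ "${2:-}" = "$EXPECT_SSL" ]; then
        echo "OK    ssh -V: OpenSSH $1, OpenSSL $2"
    else
        echo "FAIL  ssh -V: OpenSSH ${1:-?}, OpenSSL ${2:-?} (expected $EXPECT_SSH / $EXPECT_SSL)"; rc=1
    fi
    if linked_to_new_openssl "$(ldd "$SSHD" 2>/dev/null)"; then
        echo "OK    $SSHD loads the 1.1 libraries"
    else
        echo "FAIL  $SSHD loads a pre-1.1 libssl/libcrypto; rebuild OpenSSH after OpenSSL"; rc=1
    fi
    # Pitfall 3: the stock libraries must survive; python2's _hashlib.so (and so yum) need them
    for lib in $OLD_LIBS; do
        if [ -e "$lib" ]; then echo "OK    $lib still present"; else echo "FAIL  $lib missing"; rc=1; fi
    done
    if err=$("$SSHD" -t 2>&1); then
        echo "OK    sshd_config parses"
    else
        echo "FAIL  sshd -t: $err"; rc=1
    fi
    return $rc
}

# Run the live checks only when asked, so the functions can also be sourced on their own.
if [ "${1:-}" = "--check" ]; then
    check_host
fi
```

Run it as a script with --check from the telnet session before switching over to the new sshd; a FAIL on the ldd line is exactly the symptom from pitfall 1, and a FAIL on a .so.10 line means yum is about to break.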

Do not close the telnet session once this test passes. Open a separate ssh login and only carry on if that works too!!!
One problem I ran into here was SELinux: every account and password failed with "password authentication failed, please verify that the username and password are correct".

What I did was to switch SELinux off. This is a blunt fix: the usual cause is that the new sshd was written by make install rather than by rpm, so it carries an ordinary binary label instead of sshd_exec_t and does not run in its own domain. Before disabling SELinux on the whole host, relabel the new files (restorecon on /usr/sbin/sshd and /etc/ssh) and read the AVC denials in the audit log; that normally clears the failure while keeping enforcing mode.

[root@localhost openssh-8.4p1]# getenforce   
Enforcing
[root@localhost openssh-8.4p1]# setenforce 0
[root@localhost openssh-8.4p1]# getenforce   
Permissive
[root@localhost openssh-8.4p1]#  sed -i s#SELINUX=enforcing#SELINUX=disabled# /etc/selinux/config

Once the ssh login works, I recommend a reboot test as well. If everything still works, shut telnet down again: stop and disable telnet.socket and xinetd and remove port 23 from firewalld, since telnet carries credentials in cleartext.

summary

All of the above only means it worked in my environment; it does not mean it will go smoothly in yours. There are always pits on the upgrade road. Remember to try it in a test environment first, or it will be very embarrassing if the machine falls over.

Tags: Linux Operation & Maintenance CentOS ssh security

Posted by alex_lana on Mon, 02 May 2022 17:01:56 +0300