Upgrade CentOS 7 to OpenSSH 8.7p1

Background summary

OpenSSH (OpenBSD Secure Shell) is a set of connection tools, maintained by the OpenBSD project, for secure access to remote computers. It is an open-source implementation of the SSH protocol; it encrypts all traffic and thereby defends against eavesdropping, connection hijacking and other network-level attacks.
The scp program (scp.c) in OpenSSH 8.3p1 and earlier has an operating-system command injection vulnerability. The flaw arises because, when building an operating-system command from externally supplied input, the program does not correctly filter special characters and commands. An attacker can exploit this to execute unauthorized operating-system commands.
A Lvmeng vulnerability scan of our server reported that the OpenSSH service shipped with CentOS 7 is too old, and that OpenSSH also exposes OpenSSL-related vulnerabilities. We therefore upgrade the system's OpenSSL and OpenSSH services to remediate these findings.

Points to note

Upgrading to OpenSSH 9.0p1 would break compatibility with the current bastion host, so for now the target version is OpenSSH 8.7p1.

Repair suggestions

1. Official download link: https://www.openssh.com/openbsd.html
   Alicloud mirror download link: https://mirrors.aliyun.com/pub/OpenBSD/OpenSSH/portable/
2. Before upgrading, open the Telnet port (restricted to a whitelist) so that the server can still be reached if the OpenSSH upgrade fails.
3. Back up the existing OpenSSH before upgrading.

System version information

Current version: OpenSSH_6.6.1p1
Updated version: OpenSSH_8.7p1

Repair procedure

1. Download the openssh-8.7p1 tarball

cd /home/runtrend/       # enter the working directory
wget https://mirrors.aliyun.com/pub/OpenBSD/OpenSSH/portable/openssh-8.7p1.tar.gz # download openssh-8.7p1
# if wget is not installed: yum install -y wget

2. Install the basic build dependencies

# distro-sync is a yum subcommand rather than a package, so it is dropped from the list
yum install -y rpm-build zlib-devel openssl-devel gcc perl-devel pam-devel xmkmf libXt-devel gtk2-devel make

3. Back up the old version of OpenSSH (the system's original ssh-related commands)

Backup 1 (copy the main binaries and the config next to the originals, which stay in place):
cp /usr/bin/ssh /usr/bin/ssh_bak
cp /usr/sbin/sshd /usr/sbin/sshd_bak
cp /etc/ssh/sshd_config /etc/ssh/sshd_config_bak

Backup 2 (move every OpenSSH binary out of its original location):
mkdir /usr/bin/sshbak7.4/
mkdir /usr/sbin/sshbak7.4/
mkdir /usr/libexec/opensshbak7.4/
mv /usr/libexec/openssh/sftp-server  /usr/libexec/opensshbak7.4/
mv /usr/bin/ssh-copy-id /usr/bin/sshbak7.4/
mv /usr/bin/ssh-add /usr/bin/sshbak7.4/
mv /usr/bin/ssh-agent /usr/bin/sshbak7.4/
mv /usr/bin/ssh-keygen /usr/bin/sshbak7.4/
mv /usr/bin/ssh-keyscan /usr/bin/sshbak7.4/
mv /usr/bin/scp /usr/bin/sshbak7.4/
mv /usr/bin/sftp /usr/bin/sshbak7.4/
mv /usr/bin/ssh /usr/bin/sshbak7.4/
mv /usr/sbin/sshd /usr/sbin/sshbak7.4/

4. Compile and install the new version of OpenSSH

Meaning of the configure options used below:
# --prefix=PREFIX         # installation path, default /usr/local
# --sysconfdir=DIR        # configuration path, default PREFIX/etc
# --mandir=DIR            # manual page path
# --with-md5-passwords    # enable support for MD5-hashed passwords
# --with-zlib=PATH        # path to the zlib installation
# --with-ssl-dir=PATH     # path to the OpenSSL installation
# --with-pam              # enable PAM support

tar -zxvf openssh-8.7p1.tar.gz
cd openssh-8.7p1
# --with-ssl-dir=/usr/local/openssl assumes OpenSSL has been installed under that prefix (the OpenSSL upgrade mentioned in the background); omit the option to let configure find the system OpenSSL
./configure --prefix=/usr/local/openssh8.7 --sysconfdir=/etc/ssh8.7/ --with-md5-passwords --mandir=/usr/share/man --with-zlib --with-pam --with-ssl-dir=/usr/local/openssl
make && make install

5. Check whether the build and installation succeeded

/usr/local/openssh8.7/bin/ssh -V    # or: ssh -V
# With backup 1 the original /usr/bin/ssh is still present, so plain ssh -V works but still shows the old version:
# ssh -V: OpenSSH_6.6.1p1, OpenSSL 1.0.1e-fips 11 Feb 2013
# /usr/local/openssh8.7/bin/ssh -V: OpenSSH_8.7p1, OpenSSL 1.0.2k-fips  26 Jan 2017
# With backup 2 the original binaries were moved away, so plain ssh -V fails until step 6; only the full path works:
# /usr/local/openssh8.7/bin/ssh -V: OpenSSH_8.7p1, OpenSSL 1.0.2k-fips  26 Jan 2017
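
Added example (not part of the original post): a small POSIX sh helper that parses the banner `ssh -V` prints and reports whether the version falls inside the range the post cites as affected (8.3p1 and earlier). The two banner strings are constructed from the outputs shown in step 5; the function names and the vulnerable/fixed labels are my own. Note that a distribution RPM's banner does not reflect backported fixes, so this check is only meaningful for a build like the one made here, where the version string is the upstream one.

```shell
#!/bin/sh
# Added example, not from the original post.  Parses the banner printed by
# `ssh -V` and compares the OpenSSH version with the affected range the post
# cites (8.3p1 and earlier).  Function names are my own; the banners are
# constructed from the outputs shown in step 5.

# Print "major.minor" from a banner such as
# "OpenSSH_8.7p1, OpenSSL 1.0.2k-fips  26 Jan 2017"; prints nothing if the
# text does not look like an OpenSSH banner.
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# True (exit 0) when version $1 is strictly newer than version $2.
# Major and minor are compared as integers, so 8.10 sorts after 8.9.
version_gt() {
    a_major=${1%%.*}; a_minor=${1#*.}
    b_major=${2%%.*}; b_minor=${2#*.}
    if [ "$a_major" -ne "$b_major" ]; then
        [ "$a_major" -gt "$b_major" ]
    else
        [ "$a_minor" -gt "$b_minor" ]
    fi
}

# Classify a banner against the range the post describes: "vulnerable" for
# 8.3 and earlier, "fixed" for anything newer, "unknown" if unparseable.
scp_status() {
    v=$(openssh_version "$1")
    [ -n "$v" ] || { echo unknown; return 1; }
    if version_gt "$v" 8.3; then echo fixed; else echo vulnerable; fi
}

# Banners constructed from the two `ssh -V` outputs quoted in step 5.
OLD_BANNER='OpenSSH_6.6.1p1, OpenSSL 1.0.1e-fips 11 Feb 2013'
NEW_BANNER='OpenSSH_8.7p1, OpenSSL 1.0.2k-fips  26 Jan 2017'

echo "old build: $(openssh_version "$OLD_BANNER") -> $(scp_status "$OLD_BANNER")"
echo "new build: $(openssh_version "$NEW_BANNER") -> $(scp_status "$NEW_BANNER")"
# On a live host (not run here): scp_status "$(ssh -V 2>&1)"
# ssh -V writes its banner to stderr, hence the redirection.
```

Run it as `sh check_version.sh`; on the host, pass `"$(ssh -V 2>&1)"` and `"$(/usr/local/openssh8.7/bin/ssh -V 2>&1)"` to `scp_status` to confirm that the path you are about to copy into /usr/bin really is the new build and not the backed-up one.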

6. Replace the ssh commands and common tools

cd /home/runtrend/openssh-8.7p1/     # the directory the tarball was extracted to
# With backup 1 these copies overwrite the original files; with backup 2 nothing is overwritten because the originals were moved away
cp -p sftp-server  /usr/libexec/openssh/
cp contrib/ssh-copy-id /usr/bin/ssh-copy-id
cp -p /usr/local/openssh8.7/bin/* /usr/bin/
cp -p /usr/local/openssh8.7/sbin/* /usr/sbin/

7. Run ssh -V again here; it should now report the new version

8. Before restarting sshd, test the configuration file so that a failed restart does not leave you disconnected from a remote session. If you are on a local console, you can restart directly

/usr/local/openssh8.7/sbin/sshd -t -f /etc/ssh/sshd_config 

9. Resolving configuration file errors

If sshd -t reports a file permission error, the host private key files are too open; tighten their permissions:
chmod 600 /etc/ssh/ssh_host_rsa_key
chmod 600 /etc/ssh/ssh_host_ecdsa_key
chmod 600 /etc/ssh/ssh_host_ed25519_key

# A further class of sshd -t error concerns directives in the configuration file: comment out the lines it complains about (if it reports no error, leave the file unchanged)
vi /etc/ssh/sshd_config
# Comment out these three lines
# GSSAPIAuthentication yes
# GSSAPICleanupCredentials no
# UsePrivilegeSeparation sandbox		# Default for new installations.

If the error is a bad SSH2 cipher or MAC spec, use ssh -Q cipher or ssh -Q mac to list the names this build supports and edit the directive accordingly:
# /etc/ssh/sshd_config line 155: Bad SSH2 cipher spec 'aes128-ctr,aes192-ctr'
# /etc/ssh/sshd_config line 156: Bad SSH2 mac spec 'hmac-sha1,hmac-ripemd160'.
# These lines mean that a previously added MACs (or Ciphers) value contains a name this sshd does not accept, typically because the supported algorithm list changed between OpenSSH versions; that value is what has to be edited
# If sshd -t reports Bad SSH2 mac spec, run ssh -Q mac and rewrite the MACs line with names from its output
# If it reports Bad SSH2 cipher spec, run ssh -Q cipher and rewrite the Ciphers line with names from its output
Append the supported names found in that output to the directive and remove the rejected ones.
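
Added example (not part of the original post): POSIX sh helpers for the two sshd -t failures described in step 9. `suggest_fix` takes one "Bad SSH2 ... spec" error line, extracts the rejected value, and keeps only the entries that appear in the supported-algorithm list, so the administrator's preference order survives and only the unsupported names (here hmac-ripemd160, which a modern `ssh -Q mac` no longer lists) are dropped. `hostkey_mode_ok` reproduces the permission check that makes sshd reject a host key. The SUPPORTED_* lists are constructed, abbreviated stand-ins for the output of `ssh -Q cipher` and `ssh -Q mac`; the error lines are the ones quoted above; function names are my own. Nothing here reads or writes /etc/ssh.

```shell
#!/bin/sh
# Added example, not from the original post.  Helpers for the sshd -t errors
# described in step 9: rejected Ciphers/MACs entries and over-permissive host
# key files.  The SUPPORTED_* lists are constructed stand-ins for the output
# of `ssh -Q cipher` / `ssh -Q mac` (abbreviated); on a real host substitute
# the live output.  The error lines are the ones quoted in the post.  Function
# names are my own.  Nothing here reads or writes /etc/ssh.

SUPPORTED_CIPHERS='aes128-ctr
aes192-ctr
aes256-ctr
aes128-gcm@openssh.com
aes256-gcm@openssh.com
chacha20-poly1305@openssh.com'

SUPPORTED_MACS='hmac-sha1
hmac-sha2-256
hmac-sha2-512
umac-64@openssh.com
umac-128@openssh.com
hmac-sha2-256-etm@openssh.com
hmac-sha2-512-etm@openssh.com'

# Keep only the entries of a comma-separated directive value ($1) that occur
# in the newline-separated supported list ($2).  The administrator's order of
# preference is preserved; unsupported names are silently dropped.
filter_algos() {
    want=$1; supported=$2; kept=
    old_ifs=$IFS; IFS=,
    for alg in $want; do
        if printf '%s\n' "$supported" | grep -qxF -- "$alg"; then
            kept="${kept:+$kept,}$alg"
        fi
    done
    IFS=$old_ifs
    printf '%s\n' "$kept"
}

# Name the directive an sshd -t error line refers to: Ciphers, MACs or other.
sshd_t_directive() {
    case $1 in
        *"Bad SSH2 cipher spec"*) echo Ciphers ;;
        *"Bad SSH2 mac spec"*)    echo MACs ;;
        *)                        echo other ;;
    esac
}

# Turn one "Bad SSH2 ... spec '...'" line into the directive and the cleaned
# value to put in sshd_config, e.g. "MACs hmac-sha1".
suggest_fix() {
    line=$1
    directive=$(sshd_t_directive "$line")
    spec=$(printf '%s\n' "$line" | sed -n "s/.*spec '\([^']*\)'.*/\1/p")
    case $directive in
        Ciphers) supported_list=$SUPPORTED_CIPHERS ;;
        MACs)    supported_list=$SUPPORTED_MACS ;;
        *)       echo "unhandled: $line"; return 1 ;;
    esac
    printf '%s %s\n' "$directive" "$(filter_algos "$spec" "$supported_list")"
}

# sshd refuses host keys that other users can read.  The mode string comes
# from ls so the check also works where GNU stat is unavailable.
hostkey_mode_ok() {
    [ "$(ls -ld -- "$1" | cut -c1-10)" = "-rw-------" ]
}

# Error lines as quoted in the post.
ERR_CIPHER="/etc/ssh/sshd_config line 155: Bad SSH2 cipher spec 'aes128-ctr,aes192-ctr'"
ERR_MAC="/etc/ssh/sshd_config line 156: Bad SSH2 mac spec 'hmac-sha1,hmac-ripemd160'."

suggest_fix "$ERR_CIPHER"   # both names are supported, so the value is unchanged
suggest_fix "$ERR_MAC"      # hmac-ripemd160 is dropped; only hmac-sha1 remains

# Demonstrate the permission check on a scratch file instead of a real host key.
scratch=$(mktemp)
chmod 644 "$scratch"
hostkey_mode_ok "$scratch" || echo "644 rejected, as sshd would"
chmod 600 "$scratch"       # the fix applied to /etc/ssh/ssh_host_*_key above
hostkey_mode_ok "$scratch" && echo "600 accepted"
rm -f "$scratch"
```

On the host, replace the two constructed lists with `SUPPORTED_CIPHERS=$(/usr/local/openssh8.7/bin/ssh -Q cipher)` and `SUPPORTED_MACS=$(/usr/local/openssh8.7/bin/ssh -Q mac)` so the filter reflects the build that will actually run, then feed it each line of `sshd -t -f /etc/ssh/sshd_config 2>&1`.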

10. Restart the sshd service

cp /home/runtrend/openssh-8.7p1/contrib/redhat/sshd.init /etc/init.d/sshd    # copy the sshd init script from the source tree
systemctl daemon-reload              # reload systemd unit files
systemctl enable sshd.service        # enable sshd at boot
systemctl restart sshd.service       # restart sshd
systemctl status sshd.service        # check the sshd service status

Run ssh -V once more; it now shows that OpenSSH has been upgraded to the target version. That's the end.

Sprinkle flowers at the end^_^

Tags: Operation & Maintenance security Web Security

Posted by tbeinc on Fri, 20 May 2022 04:59:54 +0300