CentOS 6.8 upgrade ssh

Hmm. Okay. This is new. CentOS 6.8 is the platform – and it is patched up to date – however it appears to be running a dark-ages version of OpenSSH. This is far from ideal, and a fix that involves upgrading that, rather than a host migration, is the way forwards if at all possible.

So – breaking the “sure, I want the new version, I will compile from source” mantra of years gone by, and realising that in a production environment if it's not in an RPM or DEB you are asking for trouble – here is an outline of how to restore a little magic to your SSH without looking at a full migration to get around it.

This is generally BAD: while the wider world does not have access to this port, the PCI scanner does, as it is allowed through all the good stuff to get to the soft underbelly. Xauth command injection, J-PAKE, the child_set_env() bypass – the list of scanner findings against this version is long and distinguished.

This story starts looking a little like this:

[~]# ssh -V
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013

[~]# cat /etc/redhat-release
CentOS release 6.8 (Final)

…and ends looking a lot like this:

[~/rpmbuild/RPMS/x86_64]# ssh -V
OpenSSH_7.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013

Happy days.

So these were the steps involved.

cd /usr/src

wget http://mirror.jmu.edu/pub/OpenBSD/OpenSSH/portable/openssh-7.3p1.tar.gz

tar -xvzf openssh-7.3p1.tar.gz

yum install rpm-build gcc make wget openssl-devel krb5-devel pam-devel libX11-devel xmkmf libXt-devel

mkdir -p /root/rpmbuild/{SOURCES,SPECS}

cp ./openssh-7.3p1/contrib/redhat/openssh.spec /root/rpmbuild/SPECS/

cp openssh-7.3p1.tar.gz /root/rpmbuild/SOURCES/

cd /root/rpmbuild/SPECS

Make the changes here:

sed -i -e 's/%define no_gnome_askpass 0/%define no_gnome_askpass 1/g' openssh.spec
sed -i -e 's/%define no_x11_askpass 0/%define no_x11_askpass 1/g' openssh.spec
sed -i -e 's/BuildPreReq/BuildRequires/g' openssh.spec

Build that to RPM:

rpmbuild -bb openssh.spec

Go find the goodness:

/root/rpmbuild/RPMS/

There should be four RPMs in there – let's have that – and cross our fingers:

rpm -Uvh *.rpm
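The same build, as an added example rather than the post's own commands: the steps above wrapped in shell functions, with the sed patterns in straight quotes, a PGP signature check on the tarball before it is unpacked, and a check that the spec edits actually landed before rpmbuild runs. The function names, the assumption that the OpenSSH release signing key is already imported into gpg, and the use of the ftp.openbsd.org mirror as the default source are this example's, not the post's; rpm -Uvh is left as a separate step so you can inspect what was built first.

```shell
#!/bin/sh
# Added example, not code from the original post. Wraps the post's build steps
# in functions, with straight quotes in the sed patterns, a detached-signature
# check before the tarball is extracted, and a check that the spec edits took.
# Assumed (not stated on the page): the OpenSSH release signing key is already
# imported into gpg, and the .asc signature sits beside the tarball on the mirror.
set -eu

# patch_spec SPECFILE: apply the three edits from the post, then confirm them.
# Returns 0 only if both askpass defines now read 1 and no BuildPreReq remains.
patch_spec() {
    spec="$1"
    sed -i -e 's/%define no_gnome_askpass 0/%define no_gnome_askpass 1/g' \
           -e 's/%define no_x11_askpass 0/%define no_x11_askpass 1/g' \
           -e 's/BuildPreReq/BuildRequires/g' "$spec"
    grep -q '%define no_gnome_askpass 1' "$spec" || return 1
    grep -q '%define no_x11_askpass 1' "$spec" || return 1
    if grep -q 'BuildPreReq' "$spec"; then return 1; fi
    return 0
}

# fetch_and_verify VERSION MIRROR: download tarball plus detached signature and
# refuse to continue unless gpg accepts the signature (a step the post skips).
fetch_and_verify() {
    ver="$1"; mirror="$2"
    wget -q "$mirror/openssh-$ver.tar.gz" "$mirror/openssh-$ver.tar.gz.asc"
    gpg --verify "openssh-$ver.tar.gz.asc" "openssh-$ver.tar.gz"
}

# build_rpms VERSION MIRROR: the post's procedure end to end, up to (not
# including) rpm -Uvh, so the built packages can be inspected first.
build_rpms() {
    ver="$1"; mirror="$2"
    cd /usr/src
    fetch_and_verify "$ver" "$mirror"
    tar -xzf "openssh-$ver.tar.gz"
    yum -y install rpm-build gcc make wget openssl-devel krb5-devel pam-devel \
        libX11-devel xmkmf libXt-devel
    mkdir -p /root/rpmbuild/SOURCES /root/rpmbuild/SPECS
    cp "openssh-$ver/contrib/redhat/openssh.spec" /root/rpmbuild/SPECS/
    cp "openssh-$ver.tar.gz" /root/rpmbuild/SOURCES/
    patch_spec /root/rpmbuild/SPECS/openssh.spec
    rpmbuild -bb /root/rpmbuild/SPECS/openssh.spec
    # Show what was built; install with rpm -Uvh as a separate, deliberate step.
    ls /root/rpmbuild/RPMS/x86_64/*.rpm
}

# The real build only runs when asked for explicitly, e.g.:
#   sh build-openssh.sh run 7.3p1 https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable
if [ "${1:-}" = "run" ]; then
    build_rpms "${2:-7.3p1}" "${3:-https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable}"
fi
```

patch_spec is deliberately idempotent, so re-running the script against an already-edited spec is harmless, and it fails loudly if upstream ever renames the defines it expects, which is better than a silent build with the askpass packages still enabled.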

Now you can do the whole:

ssh -V

to show the new version number, and then, BEFORE YOU LOG OUT, try logging in from another console.

If it would appear that it has all gone horribly wrong… then it is a good job you have backups!

Equally you can roll this back with:

yum downgrade openssh-server

Done. Kettle on.

*The original article was found here: http://thecpaneladmin.com/upgrading-openssh-on-centos-5/ – who have been quite the lifesaver today. Many thanks : )

3 Responses to “CentOS 6.8 upgrade ssh”

  • Oh.

    Oh dear.

    I have just had cause to revisit this to find the files are no longer there.

    There has been much wailing and gnashing of teeth.

    This will never do!

  • Okay – so an update on that – as I am sure you have managed to find a (more) current source from another equally trusted location – looks a little like this:

    ============================================================================

    wget https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.6p1.tar.gz

    tar -xvzf openssh-7.6p1.tar.gz

    yum install rpm-build gcc make wget openssl-devel krb5-devel pam-devel libX11-devel xmkmf libXt-devel

    mkdir -p /root/rpmbuild/{SOURCES,SPECS}

    cp ./openssh-7.6p1/contrib/redhat/openssh.spec /root/rpmbuild/SPECS/

    cp openssh-7.6p1.tar.gz /root/rpmbuild/SOURCES/

    cd /root/rpmbuild/SPECS

    sed -i -e 's/%define no_gnome_askpass 0/%define no_gnome_askpass 1/g' openssh.spec

    sed -i -e 's/%define no_x11_askpass 0/%define no_x11_askpass 1/g' openssh.spec

    sed -i -e 's/BuildPreReq/BuildRequires/g' openssh.spec

    rpmbuild -bb openssh.spec

    cd /root/rpmbuild/RPMS/x86_64

    rpm -Uvh *.rpm
    Preparing… ########################################### [100%]
    1:openssh ########################################### [ 25%]
    2:openssh-clients ########################################### [ 50%]
    3:openssh-server warning: /etc/pam.d/sshd created as /etc/pam.d/sshd.rpmnew
    warning: /etc/ssh/sshd_config created as /etc/ssh/sshd_config.rpmnew
    ########################################### [ 75%]
    4:openssh-debuginfo ########################################### [100%]

    ssh -V
    OpenSSH_7.6p1, OpenSSL 1.0.1e-fips 11 Feb 2013

    ============================================================================

    Same rule stands – make sure you can log in again before you go logging out.

    The location of the RPM has changed to have an x86_64 on the end.

    Copy pasting from my notes threw in some ugly – namely, it trying to make the quotes look more like 66 99 which is nice – but NO. Be sure to replace them if brave enough to copy paste. I know, I know, the code option in this theme sucks. Sorry.

  • Attempts to log back in showing:

    ssh_exchange_identification: read: Connection reset by peer

    Following the upgrade. Oh. Oh dear. Well that was poorly timed.

    First comes the removal of the specification of the specific HMAC that is mentioned in the sshd_config, after seeing in tail -f /var/log/messages | grep ssh – that the following was being complained about:

    sshd[1045079]: fatal: rexec line 115: Bad SSH2 mac spec 'hmac-sha1,hmac-ripemd160'.

    This specific HMAC is mentioned in the /etc/ssh/sshd_config – great stuff. Remove it.

    “please don’t break I want to go home, please don’t break I want to go home, please don’t break I want to go home, please don’t break I want to go home, please don’t break I want to go home, please don’t break I want to go home, please don’t break I want to go home, please don’t break I want to go home, please don’t break I want to go home, please don’t break I want to go home.”

    # /etc/init.d/sshd restart
    Stopping sshd: [ OK ]
    ssh-keygen: generating new host keys: ECDSA ED25519
    Starting sshd: [ OK ]

    Where the self-doubt blossoms into “I AM A GOD”.

    Thank fsck for that.

    Logging in continues as usual.
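The failure in the comment above is the one case where "make sure you can log in again before you go logging out" is not enough: sshd re-reads its config per connection (rexec), so the old daemon keeps running and every new login is reset until the config is fixed. As an added example, not code from the post or its comments, here is a pre-flight check to run before the restart: it scans sshd_config for MACs and Ciphers entries the new OpenSSH has dropped and then asks the new binary itself to parse the file with sshd -t. The REMOVED_ALGOS list is this example's assumption, limited to names this editor knows OpenSSH 7.6 removed (hmac-ripemd160 and its @openssh.com variants, the arcfour, blowfish and cast128 ciphers); extend it for the version you are targeting.

```shell
#!/bin/sh
# Added example, not code from the original post or its comments. Pre-flight
# check to run BEFORE restarting the upgraded sshd: finds MACs/Ciphers lines in
# sshd_config that still name algorithms the new OpenSSH has dropped, which is
# what produced the "Bad SSH2 mac spec" fatal quoted in the comment.
# Assumption (not stated on the page): REMOVED_ALGOS lists algorithms this
# editor knows OpenSSH 7.6 removed; extend it for the version you target.
set -eu

REMOVED_ALGOS='hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-ripemd160-etm@openssh.com,arcfour,arcfour128,arcfour256,blowfish-cbc,cast128-cbc'

# find_removed_algos CONFIG: print "Keyword algorithm" for every removed
# algorithm named on a MACs or Ciphers line; comments are ignored.
find_removed_algos() {
    cfg="$1"
    grep -i -E '^[[:space:]]*(MACs|Ciphers)[[:space:]]' "$cfg" 2>/dev/null |
        sed -e 's/#.*//' |
        while read -r keyword list; do
            # sshd separates algorithms with commas; split both lists on that.
            oldifs=$IFS; IFS=,
            for algo in $list; do
                for bad in $REMOVED_ALGOS; do
                    if [ "$algo" = "$bad" ]; then echo "$keyword $algo"; fi
                done
            done
            IFS=$oldifs
        done
}

# count_removed_algos CONFIG: number of offending entries, 0 when clean.
count_removed_algos() {
    find_removed_algos "$1" | wc -l | tr -d ' '
}

# preflight CONFIG [SSHD]: return 1 (and say why) if the config names removed
# algorithms; otherwise let the new daemon parse it with "sshd -t", which is
# the authoritative check. Returns 0 only when both pass.
preflight() {
    cfg="$1"; sshd_bin="${2:-/usr/sbin/sshd}"
    hits=$(find_removed_algos "$cfg")
    if [ -n "$hits" ]; then
        echo "refusing to restart: $cfg names algorithms the new sshd rejects:" >&2
        echo "$hits" >&2
        return 1
    fi
    "$sshd_bin" -t -f "$cfg"
}

# Run from the upgraded box while the existing session stays open, e.g.:
#   sh sshd-preflight.sh check /etc/ssh/sshd_config && /etc/init.d/sshd restart
if [ "${1:-}" = "check" ]; then
    preflight "${2:-/etc/ssh/sshd_config}"
fi
```

The grep-based scan is only a fast hint for the common case; sshd -t is what actually decides, so the restart is gated on both, and the scan runs first purely so the message names the offending entry rather than a line number.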
