CentOS 6.8 upgrade ssh
Hmm. Okay. This is new. CentOS 6.8 is the platform, and it is patched up to date, yet it is running what looks like a dark-ages version of OpenSSH (CentOS 6 ships 5.3p1 and backports fixes into it rather than moving the version number on). That is far from ideal, and a fix that upgrades OpenSSH in place rather than migrating the host is the way forward if at all possible.
So, breaking the "I want the new version, I will compile it from source" mantra of years gone by, and accepting that in a production environment anything not installed from an RPM or DEB is asking for trouble, here is an outline of how to restore a little magic to your SSH without a full migration to get around it.
This is generally BAD. The wider world does not have access to this port, but the PCI scanner does, since it is let through all the good stuff to get at the soft underbelly, and it grades on the version banner. Xauth command injection, J-PAKE, the child_set_env() bypass: the list of issues reported against a 5.3 banner is long and distinguished, whether or not the distribution has already backported the fix.
This story starts looking a little like this:
[~]# ssh -V
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
[~]# cat /etc/redhat-release
CentOS release 6.8 (Final)
…and ends looking a lot like this:
[~/rpmbuild/RPMS/x86_64]# ssh -V
OpenSSH_7.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
Happy days.
So these were the steps involved.
cd /usr/src
wget http://mirror.jmu.edu/pub/OpenBSD/OpenSSH/portable/openssh-7.3p1.tar.gz
tar -xvzf openssh-7.3p1.tar.gz
yum install rpm-build gcc make wget openssl-devel krb5-devel pam-devel libX11-devel xmkmf libXt-devel
mkdir -p /root/rpmbuild/{SOURCES,SPECS}
cp ./openssh-7.3p1/contrib/redhat/openssh.spec /root/rpmbuild/SPECS/
cp openssh-7.3p1.tar.gz /root/rpmbuild/SOURCES/
cd /root/rpmbuild/SPECS
Make the changes here:
sed -i -e "s/%define no_gnome_askpass 0/%define no_gnome_askpass 1/g" openssh.spec
sed -i -e "s/%define no_x11_askpass 0/%define no_x11_askpass 1/g" openssh.spec
sed -i -e "s/BuildPreReq/BuildRequires/g" openssh.spec
Build that to RPM (rpmbuild is happier, and safer, run as an unprivileged user with its own ~/rpmbuild; the /root paths here are simply what was used on the day):
rpmbuild -bb openssh.spec
Go find the goodness, in the architecture subdirectory (x86_64 here):
/root/rpmbuild/RPMS/x86_64
There should be four RPMs in there (openssh, openssh-clients, openssh-server and openssh-debuginfo). Let's have that, and cross our fingers:
rpm -Uvh *.rpm
Now you can do the whole:
ssh -V
to show the new version number, and then, BEFORE YOU LOG OUT, open a second session from another console and make sure you can still get in. Keep the first session open until the second one works.
If it would appear that it has all gone horribly wrong… then it is a good job you have backups!
Equally you can roll this back, from that still-open session, by downgrading all three packages together (they require each other at exactly the same version, so name all three rather than relying on the resolver):
yum downgrade openssh openssh-clients openssh-server
Done. Kettle on.
*The original article was found here: http://thecpaneladmin.com/upgrading-openssh-on-centos-5/ – who have been quite the lifesaver today. Many thanks : )
Oh.
Oh dear.
I have just had cause to revisit this to find the files are no longer there.
There has been much wailing and gnashing of teeth.
This will never do!
Okay, so an update on that. Assuming you have found a current source from another equally trusted location (ftp.openbsd.org below; the .asc signature published next to the tarball is what actually earns the trust, whichever mirror you use), the recipe now looks like this:
============================================================================
wget https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.6p1.tar.gz
tar -xvzf openssh-7.6p1.tar.gz
yum install rpm-build gcc make wget openssl-devel krb5-devel pam-devel libX11-devel xmkmf libXt-devel
mkdir -p /root/rpmbuild/{SOURCES,SPECS}
cp ./openssh-7.6p1/contrib/redhat/openssh.spec /root/rpmbuild/SPECS/
cp openssh-7.6p1.tar.gz /root/rpmbuild/SOURCES/
cd /root/rpmbuild/SPECS
sed -i -e "s/%define no_gnome_askpass 0/%define no_gnome_askpass 1/g" openssh.spec
sed -i -e "s/%define no_x11_askpass 0/%define no_x11_askpass 1/g" openssh.spec
sed -i -e "s/BuildPreReq/BuildRequires/g" openssh.spec
rpmbuild -bb openssh.spec
cd /root/rpmbuild/RPMS/x86_64
rpm -Uvh *.rpm
Preparing...                ########################################### [100%]
   1:openssh                ########################################### [ 25%]
   2:openssh-clients        ########################################### [ 50%]
   3:openssh-server         warning: /etc/pam.d/sshd created as /etc/pam.d/sshd.rpmnew
warning: /etc/ssh/sshd_config created as /etc/ssh/sshd_config.rpmnew
                            ########################################### [ 75%]
   4:openssh-debuginfo      ########################################### [100%]
ssh -V
OpenSSH_7.6p1, OpenSSL 1.0.1e-fips 11 Feb 2013
============================================================================
Same rule stands: make sure you can log in again before you go logging out. Note the two .rpmnew warnings too: rpm kept the existing /etc/pam.d/sshd and /etc/ssh/sshd_config and dropped the new defaults beside them, so diff each against its .rpmnew twin before you restart anything; the old config is where the surprises live.
The RPMs now land in an x86_64 subdirectory of /root/rpmbuild/RPMS.
Copy-pasting from my notes threw in some ugly, namely the theme turning the quotes in the sed lines into curly 66/99 ones, which is nice, but NO: sed wants plain ASCII quotes, so replace them if you are brave enough to copy-paste. I know, I know, the code option in this theme sucks. Sorry.
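Two of the steps in both recipes above are done by hand and on trust: the tarball is whatever the mirror served, and the three sed edits are assumed to have taken. The following shell functions are an added example, not code from the original post or from the OpenSSH project, that check both. The function names are this example's own, and the expected digest is a placeholder that must come from somewhere other than the mirror that served the file (verifying the release's .asc signature with gpg against the OpenSSH release key is the stronger check where gpg is available).

```shell
#!/bin/sh
# Added example, not from the original post or the OpenSSH project:
# two checks for the hand-done steps of the RPM build above.
# The expected digest and the spec path are supplied by the caller.

# check_sha256 FILE EXPECTED_HEX
# Compare a downloaded tarball against a digest obtained out of band,
# i.e. not from the mirror that served the file. Returns 0 only on a match.
check_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || return 1
    if command -v sha256sum >/dev/null 2>&1; then
        actual=$(sha256sum "$file" | cut -d' ' -f1)
    else
        # openssl -r prints "HEX *FILE", same first field as sha256sum
        actual=$(openssl dgst -sha256 -r "$file" | cut -d' ' -f1)
    fi
    [ "$actual" = "$expected" ]
}

# patch_spec SPECFILE
# The three edits the post makes to contrib/redhat/openssh.spec, written
# with plain ASCII quotes, applied via a temp file (no reliance on GNU
# sed -i), and then verified: a sed that silently matched nothing is the
# usual copy-paste failure here. Returns 0 only if all three edits are present.
patch_spec() {
    spec=$1
    [ -f "$spec" ] || return 1
    sed -e 's/%define no_gnome_askpass 0/%define no_gnome_askpass 1/' \
        -e 's/%define no_x11_askpass 0/%define no_x11_askpass 1/' \
        -e 's/BuildPreReq/BuildRequires/g' "$spec" > "$spec.tmp" || return 1
    mv "$spec.tmp" "$spec"
    grep -q '^%define no_gnome_askpass 1' "$spec" || return 1
    grep -q '^%define no_x11_askpass 1' "$spec" || return 1
    ! grep -q 'BuildPreReq' "$spec"
}

# Usage: sh check-build.sh openssh-7.6p1.tar.gz <sha256 from a trusted source> openssh.spec
if [ $# -eq 3 ]; then
    check_sha256 "$1" "$2" || { echo "digest mismatch on $1, do not build" >&2; exit 1; }
    patch_spec "$3"       || { echo "spec edits did not apply to $3" >&2; exit 1; }
    echo "tarball verified and spec patched; now run rpmbuild -bb as an unprivileged user"
fi
```

Run it once against the downloaded tarball and the copied spec before rpmbuild; a digest mismatch means you stop, not that you try another mirror until one agrees.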
Attempts to log back in showing:
ssh_exchange_identification: read: Connection reset by peer
Following the upgrade. Oh. Oh dear. Well that was poorly timed. What is going on: the sshd that was started before the upgrade still holds the listening socket, but it re-executes /usr/sbin/sshd for every new connection, and that is now the 7.6 binary, which reads the old config and dies before the banner exchange; hence a reset rather than a refused connection.
First comes the removal of the specific MACs named in sshd_config, after seeing in tail -f /var/log/messages | grep ssh that the following was being complained about:
sshd[1045079]: fatal: rexec line 115: Bad SSH2 mac spec 'hmac-sha1,hmac-ripemd160'.
That MACs line is in /etc/ssh/sshd_config: great stuff. OpenSSH 7.6 removed hmac-ripemd160, and a single unknown name in the list is enough for sshd to refuse to start. Remove it (or drop the whole MACs line, so the new version's defaults, which prefer the SHA-2 and ETM variants, apply).
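The failure above is a config problem rather than a build problem: a config written for the old binary names an algorithm the new one has dropped, and sshd treats one unknown name as fatal. The following shell script is an added example, not code from the original post or from OpenSSH, that finds such names before the restart by comparing the MACs, Ciphers and KexAlgorithms lines of a config against what the newly installed client reports with ssh -Q, and then runs sshd's own config test. The function names are this example's own, and the sshd_config fragment used to exercise it is constructed; it assumes the new openssh-clients RPM is already installed, since 5.3 has no ssh -Q.

```shell
#!/bin/sh
# Added example, not from the original post or OpenSSH: pre-restart check
# for algorithm names in sshd_config that the newly installed binary does
# not know (the post's "Bad SSH2 mac spec" fatal). Function names are ours.

# config_algos CONFIG KEYWORD
# Print, one per line, the comma-separated values of the first active
# KEYWORD line (MACs, Ciphers, KexAlgorithms, ...). Keywords are
# case-insensitive in sshd_config, so match them that way; commented
# lines are skipped; sshd itself honours only the first occurrence.
config_algos() {
    config=$1; keyword=$2
    awk -v kw="$keyword" '
        $0 !~ /^[ \t]*#/ && tolower($1) == tolower(kw) {
            n = split($2, a, ",")
            for (i = 1; i <= n; i++) print a[i]
            exit
        }' "$config"
}

# unsupported_algos CONFIG KEYWORD SUPPORTED_FILE
# Print the config's values that do not appear in SUPPORTED_FILE, which
# holds one name per line as "ssh -Q mac" / "ssh -Q cipher" / "ssh -Q kex"
# produce. A leading +/-/^ modifier on the list (OpenSSH 7.x syntax) is
# stripped before lookup.
unsupported_algos() {
    config=$1; keyword=$2; supported=$3
    config_algos "$config" "$keyword" | sed 's/^[-+^]//' | while IFS= read -r name; do
        grep -qx -- "$name" "$supported" || echo "$name"
    done
}

# preflight_sshd CONFIG
# Check MACs/Ciphers/KexAlgorithms against the installed ssh, then let
# sshd parse the config without listening (sshd -t; needs to read the
# host keys, so run as root). Returns non-zero if anything is wrong.
preflight_sshd() {
    config=$1; rc=0
    for pair in "MACs mac" "Ciphers cipher" "KexAlgorithms kex"; do
        set -- $pair
        tmp=$(mktemp)
        ssh -Q "$2" > "$tmp" || { echo "ssh -Q $2 failed: is the new client installed?" >&2; rm -f "$tmp"; return 1; }
        bad=$(unsupported_algos "$config" "$1" "$tmp")
        rm -f "$tmp"
        if [ -n "$bad" ]; then
            echo "$1: not supported by this ssh: $(echo $bad | tr ' ' ',')" >&2
            rc=1
        fi
    done
    sshd -t -f "$config" || rc=1
    return $rc
}

# Usage: sh preflight.sh /etc/ssh/sshd_config   (before /etc/init.d/sshd restart)
if [ $# -eq 1 ]; then
    preflight_sshd "$1" && echo "$1 looks fine for the installed sshd"
fi
```

Run it from the session you are keeping open, fix whatever it names, and only then restart sshd; a clean pass here is what turns the chant below into a formality.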
“please don’t break I want to go home, please don’t break I want to go home, please don’t break I want to go home, please don’t break I want to go home, please don’t break I want to go home, please don’t break I want to go home, please don’t break I want to go home, please don’t break I want to go home, please don’t break I want to go home, please don’t break I want to go home.”
# /etc/init.d/sshd restart
Stopping sshd: [ OK ]
ssh-keygen: generating new host keys: ECDSA ED25519
Starting sshd: [ OK ]
Where the self-doubt blossoms into “I AM A GOD”.
Thank fsck for that.
Logging in continues as usual. One thing worth noting from the restart output: the init script generated ECDSA and ED25519 host keys that 5.3 could not make, alongside the existing RSA key. Record the new fingerprints now (ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub, and the same for the ECDSA key) so that anyone whose client picks up one of the new key types and asks about an unknown host key has something to check it against.