
If you check a server with a vulnerability scanner, you will usually get a long list of SSH findings. The reason is that even the most recent CentOS 7 releases still ship OpenSSH 7.4, and scanners match on the version banner. Keep in mind that Red Hat backports security fixes into that 7.4p1 package without changing the version number, so many banner-based findings are false positives against a fully patched system; but if you need a newer release, for example because an audit demands it or because you need features that 7.4 lacks, the distribution repositories will not give it to you and you have to update the package yourself. That is what this article describes.

[root@localhost ~]# cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)

Check the version of the installed OpenSSH packages:

[root@localhost ~]# rpm -qa | grep openssh
openssh-clients-7.4p1-21.el7.x86_64
openssh-server-7.4p1-21.el7.x86_64
openssh-7.4p1-21.el7.x86_64

On CentOS, packages are normally updated or installed with yum. In this case it will not help, because there is no newer version of the openssh package in the CentOS 7 repositories.

What is the fastest way to install a newer openssh package? A script published on GitHub (Junyangz/upgrade-openssh-centos) builds RPMs from the upstream source tarball and installs them.

The OpenSSH versions this script can build are 7.9p1, 8.0p1, 8.1p1, 8.2p1 and 8.3p1.

bash <(curl -sSL https://github.com/Junyangz/upgrade-openssh-centos/raw/master/build-RPMs-OpenSSH-CentOS.sh) --version 8.3p1 --output_rpm_dir /tmp/tmp.dirs --upgrade_now yes

Note that this one-liner executes, as root, a script you have not read. A safer habit is to download the script to a file first, read it (the relevant functions are shown below), and only then run it with bash.

--output_rpm_dir is a mandatory option: it is the directory where the built RPM archive (openssh-<version>-RPMs.el7.tar.gz) is written.

Script content (the build function; ${version} and ${rhel_version} are global variables set by the argument-parsing part of the script, which is not shown here):

build_RPMs() {
    local output_rpm_dir="${1}"
    # Build dependencies. libx11-dev is a Debian package name (on CentOS it is
    # libX11-devel), so yum will not find it; it is not needed anyway because
    # the askpass helpers are disabled in the spec file below.
    yum install -y pam-devel rpm-build rpmdevtools zlib-devel openssl-devel krb5-devel gcc wget libx11-dev gtk2-devel libXt-devel
    mkdir -p ~/rpmbuild/SOURCES && cd ~/rpmbuild/SOURCES

    # Source tarball and its detached signature from a mirror. The .asc file is
    # downloaded but never checked: the script does not run gpg --verify.
    wget -c https://mirrors.tuna.tsinghua.edu.cn/OpenBSD/OpenSSH/portable/openssh-${version}.tar.gz
    wget -c https://mirrors.tuna.tsinghua.edu.cn/OpenBSD/OpenSSH/portable/openssh-${version}.tar.gz.asc
    wget -c https://mirrors.tuna.tsinghua.edu.cn/slackware/slackware64-current/source/xap/x11-ssh-askpass/x11-ssh-askpass-1.2.4.1.tar.gz

    # Repack the tarball with this host's current PAM configuration for sshd,
    # so the RPM ships a /etc/pam.d/sshd that matches the system.
    tar zxvf openssh-${version}.tar.gz
    yes | cp /etc/pam.d/sshd openssh-${version}/contrib/redhat/sshd.pam
    mv openssh-${version}.tar.gz{,.orig}
    tar zcpf openssh-${version}.tar.gz openssh-${version}
    cd
    tar zxvf ~/rpmbuild/SOURCES/openssh-${version}.tar.gz openssh-${version}/contrib/redhat/openssh.spec

    # Patch the upstream Red Hat spec file: disable both askpass helpers, use
    # the current BuildRequires keyword, drop the SysV initscripts dependency
    # and the OpenSSL version pin.
    cd openssh-${version}/contrib/redhat/ && chown root.root openssh.spec
    sed -i -e "s/%define no_gnome_askpass 0/%define no_gnome_askpass 1/g" openssh.spec
    sed -i -e "s/%define no_x11_askpass 0/%define no_x11_askpass 1/g" openssh.spec
    sed -i -e "s/BuildPreReq/BuildRequires/g" openssh.spec
    sed -i -e "s/PreReq: initscripts >= 5.00/#PreReq: initscripts >= 5.00/g" openssh.spec
    sed -i -e "s/BuildRequires: openssl-devel < 1.1/#BuildRequires: openssl-devel < 1.1/g" openssh.spec
    # Disables the unpackaged-files check for every rpm build on this host by
    # editing the system macro file; the script does not revert this.
    sed -i -e "/check-files/ s/^#*/#/" /usr/lib/rpm/macros

    rpmbuild -ba openssh.spec
    cd /root/rpmbuild/RPMS/x86_64/
    tar zcvf ${output_rpm_dir}/openssh-${version}-RPMs.el${rhel_version}.tar.gz openssh*
    rm -rf ~/rpmbuild ~/openssh-${version}
}

The --version parameter selects the version of the package you want to build.
It is also possible to install the freshly built package over the current openssh package in the same run by adding the --upgrade_now yes option.
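The build function above fetches openssh-${version}.tar.gz.asc but never verifies it, so a compromised or spoofed mirror could hand you a trojaned tarball that is then built and installed as root. The following is an added example, not part of the upgrade-openssh-centos script: it downloads the tarball and signature, verifies them with gpg, and only unpacks when gpg's machine-readable status reports a VALIDSIG for a fingerprint you pinned out of band (from the OpenSSH release notes, not from the mirror). Assumptions: gpg and curl are installed, the release key is available as RELEASE_KEY.asc one directory above the portable/ tree on the mirror, and the fingerprints in the comments are placeholders, not the real OpenSSH key.

```bash
#!/usr/bin/env bash
# Added example: verify the OpenSSH source tarball before building RPMs.
# Not part of the upgrade-openssh-centos script.
set -euo pipefail

# Same mirror the upgrade script uses; override with MIRROR=... if you prefer
# https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable
MIRROR="${MIRROR:-https://mirrors.tuna.tsinghua.edu.cn/OpenBSD/OpenSSH/portable}"

# Decide from `gpg --status-fd` output whether the signature was made by the
# expected key. Only VALIDSIG counts: GOODSIG alone also appears for keys you
# have never checked, and any BADSIG/ERRSIG/EXPKEYSIG/REVKEYSIG vetoes.
#   $1    expected fingerprint (40 hex digits; spaces and case are ignored)
#   stdin gpg status lines
# Returns 0 when valid, 1 when not, 2 when the fingerprint argument is malformed.
sig_is_valid_for() {
    local expected
    expected="$(printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]')"
    [ "${#expected}" -eq 40 ] || return 2
    awk -v want="$expected" '
        # VALIDSIG <signing-key-fpr> ... [<primary-key-fpr>]: accept either one
        $1 == "[GNUPG:]" && $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) { ok = 1 }
        $1 == "[GNUPG:]" && ($2 == "BADSIG" || $2 == "ERRSIG" || $2 == "EXPKEYSIG" || $2 == "REVKEYSIG") { bad = 1 }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# Download tarball + detached signature, verify, then unpack into $3.
#   $1 version (e.g. 8.3p1)   $2 pinned fingerprint   $3 work directory
# Runs in a subshell so the caller's working directory is untouched.
fetch_verified_openssh() (
    local version="$1" fpr="$2" dir="$3"
    mkdir -p "$dir" && cd "$dir"
    curl -fsSLO "${MIRROR}/openssh-${version}.tar.gz"
    curl -fsSLO "${MIRROR}/openssh-${version}.tar.gz.asc"
    # Importing the key from the same channel as the tarball proves nothing by
    # itself; the fingerprint comparison in sig_is_valid_for is the real check.
    # (Assumed key location: <mirror root>/OpenBSD/OpenSSH/RELEASE_KEY.asc.)
    curl -fsSL "${MIRROR%/portable}/RELEASE_KEY.asc" | gpg --batch --import
    if gpg --batch --status-fd 1 --verify "openssh-${version}.tar.gz.asc" "openssh-${version}.tar.gz" \
        | sig_is_valid_for "$fpr"; then
        echo "signature OK for openssh-${version}, unpacking"
        tar xzf "openssh-${version}.tar.gz"
    else
        echo "signature check FAILED for openssh-${version}; refusing to build" >&2
        return 1
    fi
)

# Usage (needs network, gpg and a fingerprint you pinned yourself; not run here):
#   fetch_verified_openssh 8.3p1 "<pinned fingerprint>" ~/rpmbuild/SOURCES
```

If you keep using the project's script, the minimal change is to call something like fetch_verified_openssh in place of the three wget lines and abort the build on failure; everything after that (repacking with the local PAM file, building the RPM) stays the same.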

upgrade_openssh() {
    local temp_dir="$(mktemp -d)"
    local output_rpm_dir="$1"
    trap "rm -rf ${temp_dir}" EXIT
    pushd "${temp_dir}"

    timestamp=$(date +%s)
    if [ ! -f ${output_rpm_dir}/openssh-${version}-RPMs.el${rhel_version}.tar.gz ]; then
        echo "${output_rpm_dir}/openssh-${version}-RPMs.el${rhel_version}.tar.gz does not exist"
        exit 1
    fi
    cp ${output_rpm_dir}/openssh-${version}-RPMs.el${rhel_version}.tar.gz ./
    tar zxf openssh-${version}-RPMs.el${rhel_version}.tar.gz
    # Keep a copy of the current PAM configuration; the new package installs
    # its own /etc/pam.d/sshd and the original is put back below.
    cp /etc/pam.d/sshd pam-ssh-conf-${timestamp}
    # Replaces the distribution openssh, openssh-clients and openssh-server
    # packages with the locally built, unsigned RPMs. From now on yum update
    # will not touch OpenSSH; future fixes mean rebuilding with this script.
    rpm -U *.rpm
    mv /etc/pam.d/sshd /etc/pam.d/sshd_${timestamp}
    yes | cp pam-ssh-conf-${timestamp} /etc/pam.d/sshd
    # Security-relevant side effect: this uncomments the "#PermitRootLogin yes"
    # line that the stock CentOS 7 sshd_config carries, which enables root
    # login, with a password if PasswordAuthentication is on. Review or remove
    # this line if that is not what you want.
    sed -i '/PermitRootLogin yes/ s/^#*//' /etc/ssh/sshd_config
    # Also applies 0600 to ssh_config and the host public keys (*.pub), which
    # are normally world-readable; only the private host keys need 0600.
    chmod 600 /etc/ssh/ssh*
    # The upstream spec installs a SysV init script; on CentOS 7 systemd runs it
    # through its SysV compatibility layer. Keep your current session open and
    # confirm a fresh login works before closing it.
    /etc/init.d/sshd restart
    # The original read "$(ssh-V)", which tried to execute the version string
    # as a command; ssh -V prints the version to stderr.
    echo "New version upgraded to:" ; ssh -V
}

With --upgrade_now yes the script builds the RPMs and installs them in one run.

Because the version is an option, the same command installs any of the supported versions listed above; the script does not know about releases newer than 8.3p1.
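What the upgrade function's sed line actually does deserves a look before you run it on a production host. The following is an added example, not code from the upgrade script: it applies exactly that sed command to a constructed stock-style CentOS 7 sshd_config, and provides a small checker that reports the effective PermitRootLogin value, using sshd's first-occurrence-wins rule and the OpenSSH 7.0+ default of prohibit-password. The checker only looks at the global section (it stops at the first Match block) and the config fragment below is constructed for the example.

```bash
#!/usr/bin/env bash
# Added example: what the upgrade script's sed does to PermitRootLogin, plus
# a checker to run before and after the upgrade. Not part of the script.
set -euo pipefail

# Effective global PermitRootLogin of a config file. sshd honours the FIRST
# uncommented occurrence; with none present, OpenSSH 7.0 and later default
# to prohibit-password. Lines inside Match blocks are conditional and are
# not considered here (assumption: the stock file has no Match sections).
effective_permit_root_login() {
    local cfg="$1"
    awk '
        tolower($1) == "match" { in_match = 1 }
        !in_match && tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "prohibit-password" }
    ' "$cfg"
}

# The exact edit from the upgrade_openssh function, applied to any file path.
apply_script_sed() {
    sed -i '/PermitRootLogin yes/ s/^#*//' "$1"
}

# Constructed fragment in the style of the stock CentOS 7 sshd_config, which
# ships "#PermitRootLogin yes" as a commented-out example line.
write_stock_config() {
    cat > "$1" <<'EOF'
# This is the sshd server system-wide configuration file.
Port 22
#PermitRootLogin yes
#StrictModes yes
PasswordAuthentication yes
EOF
}

# 0 when root login is off or key-only, 1 when root may log in with a password.
root_login_is_restricted() {
    case "$(effective_permit_root_login "$1")" in
        no|prohibit-password|without-password|forced-commands-only) return 0 ;;
        *) return 1 ;;
    esac
}

demo() {
    local tmp
    tmp="$(mktemp)"
    write_stock_config "$tmp"
    printf 'before the script: PermitRootLogin %s\n' "$(effective_permit_root_login "$tmp")"
    apply_script_sed "$tmp"
    printf 'after the script:  PermitRootLogin %s\n' "$(effective_permit_root_login "$tmp")"
    rm -f "$tmp"
}

demo
```

On the real host, the authoritative answer comes from the daemon itself: `sshd -T | grep -i permitrootlogin` prints the effective value, and `sshd -t` syntax-checks the file before you restart. Run both after the upgrade, from a session you keep open until a new login has succeeded.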

If you need help setting up a server, please contact [email protected]