The lifecycle (EOL) of CentOS Linux 7 will end on June 30, 2024. Currently, there are still a large number of servers using CentOS 7.
OpenSSH stopped in version 7.4 in the official YUM repository. Every year, new vulnerabilities are discovered in lower versions of OpenSSH. Upgrading to the latest version of OpenSSH often requires downloading the source code and compiling it. However, many internal servers lack the necessary compilation environment. boypt on Github provides a script for building rpm packages with the latest version of OpenSSH source code, which also includes the new version of OpenSSL, making it easier to upgrade to the latest version of OpenSSH.
Generating rpm packages#
Preparing the packaging environment#
It is best to package in a CentOS 7 environment. You can use a CentOS 7 virtual machine or deploy CentOS 7's WSL. Enter CentOS 7 and execute the following command to install development tools and dependencies. The packaging environment for this session is CentOS 7.9.
yum groupinstall -y "Development Tools"
yum install -y imake rpm-build pam-devel krb5-devel zlib-devel libXt-devel libX11-devel gtk2-devel perl perl-IPC-Cmd
Downloading the packaging script#
You can use git clone to pull the script, or you can download the zip from GitHub and unzip it. Here, we use git.
git clone https://github.com/boypt/openssh-rpms.git
Executing pullsrc.sh to download the source code#
Executing the pullsrc.sh script in the script directory will automatically download the latest version of the source code files for OpenSSH, OpenSSL, and x11-ssh-askpass.
After the download is complete, it will be saved in the openssh-rpms/downloads directory. openssh-rpms is the script directory downloaded in the previous step.
[root@localhost ~]# cd openssh-rpms/
[root@localhost openssh-rpms]# ./pullsrc.sh
Executing compile.sh to compile the source code and build the rpm package#
Executing the compile.sh script in the script directory will extract the source code package and compile it. Finally, the latest version of OpenSSH rpm package will be generated in the openssh-rpms/el7/RPMS/x86_64/ directory.
The compilation process is related to system performance. It takes about 3 minutes to package using WSL's CentOS 7, and the time may vary for a virtual machine CentOS 7 depending on the allocated CPU and memory size.
[root@localhost openssh-rpms]# ./pullsrc.sh
Archiving the rpm package#
After the rpm is built, you can use tar to archive the 4 rpm packages into a .tar.gz file, and then copy it to the CentOS server that needs to upgrade SSH and unzip it for installation.
[root@localhost openssh-rpms]# cd el7/RPMS/x86_64/
[root@localhost x86_64]# tar czvf openssh-9.8_el7.tar.gz openssh*.rpm
Installing the new version of OpenSSH on the server#
Note: If you use SSH to log in to the upgrade server, do not disconnect the SSH connection. The upgrade is considered complete only after a new SSH window can log in normally. The test upgrade server is CentOS 7.9.
Copying the installation package and uninstalling the old version of OpenSSH#
First, use scp or sftp to copy the packaged openssh-9.8_el7.tar.gz to the target server. Here, it is copied to the opt directory. Then uninstall the old version of openssh on the server.
[root@server ~]# yum remove openssh* -y
Installing the new version of OpenSSH#
Enter the opt directory, unzip openssh-9.8_el7.tar.gz, and then use the rpm command to install it.
[root@server ~]# cd /opt
[root@server opt]# tar xf openssh-9.8_el7.tar.gz
[root@server opt]# rpm -ivh openssh*.rpm
Troubleshooting#
After installation, restarting sshd will result in an error. By checking the error message, it is found that the /etc/ssh/ssh_host_ed25519_key file has a permission error with 0640. After modifying the permissions of the ssh_host_*_key files, restart sshd.
[root@server opt]# chmod 0600 /etc/ssh/ssh_host_*_key
[root@server opt]# systemctl restart sshd
After the sshd service is running normally, create a new ssh connection window to test if it can log in normally. If everything is normal, the upgrade is complete.