yzbtdiy

Upgrade OpenSSH 9.9 on CentOS 7.9

Upgrade Environment

The system is CentOS 7.9 with the default OpenSSH 7.4.

Package Preparation

Prepare a CentOS 7.9 virtual machine that can access the internet, and download the telnet-related rpm packages for offline use.

yum install --downloadonly --downloaddir=. xinetd telnet telnet-server

The rpm packages for the new OpenSSH version can be built with the open-source scripts on GitHub.

https://github.com/boypt/openssh-rpms

Enable Telnet Before Upgrading OpenSSH (Optional)

Install the telnet service offline using the rpm command.

The telnet service requires the installation of both the telnet-server and xinetd packages; telnet is the client tool.

Start the xinetd.service and telnet.socket services.

systemctl restart xinetd.service telnet.socket

To log in as root over telnet, append the pts terminals to the end of the /etc/securetty file.

[root@localhost ~]# echo pts/0 >> /etc/securetty
[root@localhost ~]# echo pts/1 >> /etc/securetty

If the server has a firewall enabled, you need to allow telnet.

[root@localhost ~]# firewall-cmd --add-service=telnet

At this point, you can use telnet to log in to the server.

Upgrade OpenSSH

Because the new version has been built as rpm packages, upgrading is much simpler than compiling from source; you can upgrade using the rpm command.

Use rpm -Uvh to upgrade directly.

Extract and install the rpm package; it is best to back up the original ssh configuration before installation.

[root@localhost ~]# tar xf openssh-9.9p1-1.el7.tar.gz
[root@localhost ~]# mv /etc/ssh /etc/ssh.bak
[root@localhost ~]# rpm -Uvh openssh*.rpm

After installing the new version of OpenSSH, restart sshd and set it to start on boot.

The sshd service starts normally, but there is an error message indicating that OpenSSH 9.9 has disabled DSA by default.

/sbin/restorecon: lstat(/etc/ssh/ssh_host_dsa_key.pub) failed: No such...

Modify the configuration file to disable loading of dsa_key.

After modification, reload the configuration and restart the sshd service; the error message disappears.

The OpenSSH upgrade is complete.
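
The telnet fallback from the optional section leaves root login over a cleartext protocol enabled, so it should be reverted once a login through the upgraded sshd has been confirmed. The script below is an added example, not part of the original post; the function names and the file name telnet-rollback.sh are hypothetical, and it assumes /etc/securetty held no pts entries before the two were appended.

```shell
#!/bin/sh
# Added example (not from the original post): revert the temporary telnet
# fallback after the upgraded sshd has been verified.
# Assumption: /etc/securetty held no pts/N lines before the two were appended.

# Delete pts/N lines from a securetty-style file and print how many were removed.
strip_pts_entries() {
    file=${1:-/etc/securetty}
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    removed=$(grep -c '^pts/[0-9][0-9]*$' "$file" || true)
    tmp=$(mktemp) || return 1
    # grep -v exits 1 when every line matched; that is not an error here.
    grep -v '^pts/[0-9][0-9]*$' "$file" > "$tmp" || true
    # Overwrite in place so owner, mode and SELinux label stay unchanged.
    cat "$tmp" > "$file"
    rm -f "$tmp"
    echo "$removed"
}

rollback_telnet() {
    # Keep the fallback if the new sshd is not healthy.
    sshd -t || { echo "sshd config check failed; telnet left enabled" >&2; return 1; }
    systemctl is-active --quiet sshd || { echo "sshd not running; telnet left enabled" >&2; return 1; }

    systemctl stop telnet.socket xinetd.service
    systemctl disable telnet.socket xinetd.service
    # The post opened the port without --permanent, so a runtime removal matches it.
    if systemctl is-active --quiet firewalld; then
        firewall-cmd --remove-service=telnet
    fi
    strip_pts_entries /etc/securetty
}

# Run only on request, from an SSH session: sh telnet-rollback.sh --apply
if [ "${1:-}" = "--apply" ]; then
    rollback_telnet
fi
```

Run it from an SSH session rather than the telnet session, so the connection being used is the one that remains.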