Fading Coder


Manual Upgrade and Vulnerability Patching for OpenSSH and OpenSSL on Linux

Notes · May 7

Pre-Upgrade Preparation

Check the currently installed versions

ssh -V prints (on stderr) the OpenSSH release and the OpenSSL version the binaries were built against. On a stock CentOS 7 host this is what you get:

ssh -V

Sample output:

OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017

Install the build dependencies

Both source trees need a C compiler and make, OpenSSL's config script needs perl, and OpenSSH needs the zlib headers:

yum install -y gcc make perl zlib-devel

Set up a fallback access path

Stopping sshd part-way through this procedure can lock you out, so this guide uses Telnet as a backup. Telnet carries credentials and session contents in cleartext, so treat it as a last resort: prefer an out-of-band console (IPMI, hypervisor or cloud serial console) if one exists, keep an existing SSH session open throughout (established sessions survive a stop of sshd.service, because each one runs in its own sshd child process), and only expose port 23 on a trusted management network for the duration of the work. If you do use Telnet:

yum install telnet* -y
systemctl enable telnet.socket
systemctl start telnet.socket
systemctl status telnet.socket

From another machine, open a Telnet session to the target and keep it alive during the upgrade:

telnet <target-server-ip-address>

Root logins over Telnet are refused because pam_securetty only allows root on the terminals listed in /etc/securetty, and pseudo-terminals are not listed. Moving the file aside lifts that restriction for every login service that uses pam_securetty, not just Telnet, so restore it as soon as the upgrade is validated (see the clean-up step at the end):

mv /etc/securetty /etc/securetty.bak

Download the Releases

OpenSSH 9.4p1 and later require OpenSSL 1.1.1 or newer (or LibreSSL 3.1.0 or newer), so both components are upgraded together. Note that the OpenSSL 1.1.1 series reached end of life in September 2023 and 1.1.1w is its final release; OpenSSH 9.5p1 also builds against OpenSSL 3.0, so a supported 3.0 LTS release is the better choice where the rest of your stack allows it. The steps below are the same apart from the version strings.

Download OpenSSH

Fetch the portable release from the official OpenBSD mirror together with its detached signature (the .asc file next to the tarball) and verify it against the OpenSSH release key before unpacking. Version 9.5p1 is used as the example throughout; check the release page for the current version:

wget https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.5p1.tar.gz

Download OpenSSL

Fetch the OpenSSL tarball from the official source and compare its SHA-256 with the .sha256 digest published next to it. Example for version 1.1.1w:

wget https://www.openssl.org/source/openssl-1.1.1w.tar.gz
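Compiling an unverified tarball into the one daemon every later login depends on is the wrong place to save a minute. As an added example that is not part of the original guide, the functions below perform the verification for both downloads: the SHA-256 comparison against the .sha256 digest that openssl.org publishes next to each tarball, and the OpenPGP check of the .asc signature that the OpenSSH mirror ships. They assume the tarballs and their companion files were downloaded into the current directory, and that the OpenSSH release key has been saved there as RELEASE_KEY.asc (compare its fingerprint with the one you have on record before trusting it).

```sh
#!/bin/sh
# Added example, not from the original guide: verify release tarballs before
# building them. Assumes the current directory holds openssl-<ver>.tar.gz with
# its .sha256 digest, and openssh-<ver>.tar.gz with its .asc signature plus the
# release key saved as RELEASE_KEY.asc.
set -e

# Compare the SHA-256 of $1 with the digest in $2. openssl.org publishes the
# digest as a bare hex string; the "HEX  filename" form written by sha256sum
# is accepted as well. Returns 0 on a match, 1 on a mismatch or unusable file.
verify_sha256_digest() {
    vs_expected=$(awk 'NR == 1 { print tolower($1) }' "$2")
    vs_actual=$(sha256sum "$1" | awk '{ print $1 }')
    # Fail closed if the digest file is not exactly 64 hex characters.
    if ! printf '%s\n' "$vs_expected" | grep -Eq '^[0-9a-f]{64}$'; then
        echo "unusable digest file: $2" >&2
        return 1
    fi
    [ "$vs_expected" = "$vs_actual" ]
}

# Verify OpenSSH's detached OpenPGP signature $1.asc over the tarball $1.
# The release key is imported from RELEASE_KEY.asc when that file is present;
# gpg exits non-zero if the signature does not verify against a known key.
verify_openpgp_signature() {
    [ -f "$1.asc" ] || { echo "missing signature $1.asc" >&2; return 1; }
    [ -f RELEASE_KEY.asc ] && gpg --import RELEASE_KEY.asc
    gpg --verify "$1.asc" "$1"
}

# Pick the right check from the file name: OpenSSL publishes digests,
# OpenSSH publishes signatures.
verify_release_tarball() {
    case "${1##*/}" in
        openssl-*.tar.gz) verify_sha256_digest "$1" "$1.sha256" ;;
        openssh-*.tar.gz) verify_openpgp_signature "$1" ;;
        *) echo "do not know how to verify $1" >&2; return 1 ;;
    esac
}

# Usage: sh verify-tarballs.sh openssl-1.1.1w.tar.gz openssh-9.5p1.tar.gz
# With set -e the script stops at the first file that fails verification.
for vt_file in "$@"; do
    verify_release_tarball "$vt_file"
    echo "verified: $vt_file"
done
```

Run it before the tar commands in the next two sections; a tarball that fails here is discarded, not built.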

Compile and Install OpenSSL

Extract and build OpenSSL under its own prefix so the system's OpenSSL 1.0.2, which other installed packages still link against, is left untouched. OpenSSL 1.1.1 builds shared libraries by default; they are installed into <prefix>/lib, which is the directory the LD_LIBRARY_PATH settings further down point at. Run make test before make install if you want the build exercised on this host:

tar -xzvf openssl-1.1.1w.tar.gz
cd openssl-1.1.1w
mkdir -p /usr/local/openssh-upgrade/openssl-1.1.1w
./config --prefix=/usr/local/openssh-upgrade/openssl-1.1.1w
make && make install

Update environment variables

Add the new OpenSSL and OpenSSH binary and library directories to the login-shell environment. Two details matter here. First, quote the heredoc delimiter: with a bare EOF the shell expands $LD_LIBRARY_PATH and $PATH at write time and hard-codes the current values into /etc/profile instead of appending to whatever is set at login. Second, do not end LD_LIBRARY_PATH with a colon when the variable was previously unset: the dynamic loader treats an empty path element as the current working directory, which would make every program load libraries from wherever it happens to be started. The ${VAR:+:$VAR} form only adds the separator when there is something to separate:

cat >> /etc/profile <<'EOF'
export LD_LIBRARY_PATH=/usr/local/openssh-upgrade/openssl-1.1.1w/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}
export PATH=/usr/local/openssh-upgrade/openssh-9.5p1/bin:/usr/local/openssh-upgrade/openssh-9.5p1/sbin:/usr/local/openssh-upgrade/openssl-1.1.1w/bin:$PATH
EOF

This only affects login shells; the systemd unit created later carries its own LD_LIBRARY_PATH. A system-wide LD_LIBRARY_PATH is a blunt instrument, since it applies to every program every user runs; an rpath set at build time, or a drop-in under /etc/ld.so.conf.d/ followed by ldconfig, is the cleaner alternative.

Verify the new OpenSSL version

source /etc/profile
openssl version

The output should now name the freshly installed release (OpenSSL 1.1.1w), not the system's 1.0.2k.

Compile and Install OpenSSH

Extract and build OpenSSH against the newly installed OpenSSL. --with-ssl-dir points configure at the new prefix, so the resulting sshd links libcrypto from there rather than the system's 1.0.2 (confirm with ldd after the build). Add --with-pam if you rely on PAM for authentication. Note that make install also generates a fresh set of host keys in <prefix>/etc; copy the existing keys from /etc/ssh over them before switching servers, or every client will see a changed host key:

cd ..
tar -xzvf openssh-9.5p1.tar.gz
cd openssh-9.5p1
mkdir -p /usr/local/openssh-upgrade/openssh-9.5p1
./configure --prefix=/usr/local/openssh-upgrade/openssh-9.5p1 --with-ssl-dir=/usr/local/openssh-upgrade/openssl-1.1.1w
make && make install

Update OpenSSH configuration

The new server reads its own configuration file under the new prefix; the old /etc/ssh/sshd_config is not consulted, so re-apply any local settings (port, allowed users, authentication methods) there:

vi /usr/local/openssh-upgrade/openssh-9.5p1/etc/sshd_config

PermitRootLogin defaults to prohibit-password, which lets root log in with a key but not with a password. Set it to yes only if root password login is genuinely required; doing so re-exposes the root account to online password guessing, so the default, with key-based access for root or no root login at all, is the safer choice:

PermitRootLogin yes

Create a systemd service unit for the new OpenSSH server

The unit carries the library path itself, so it does not depend on /etc/profile. Quote the heredoc delimiter so that $MAINPID reaches the file literally; with a bare EOF the current shell would expand it to an empty string and ExecReload would end up as a bare kill -HUP:

cat > /usr/lib/systemd/system/sshd-new.service << 'EOF'
[Unit]
Description=OpenSSH Server Daemon
After=network.target

[Service]
Type=simple
Environment=LD_LIBRARY_PATH=/usr/local/openssh-upgrade/openssl-1.1.1w/lib
ExecStart=/usr/local/openssh-upgrade/openssh-9.5p1/sbin/sshd -D -f /usr/local/openssh-upgrade/openssh-9.5p1/etc/sshd_config
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartSec=42s

[Install]
WantedBy=multi-user.target
EOF

Before the first start, run the new sshd with its -t (test) option against that configuration file: it parses the file and reports errors without starting the server, which is far cheaper than discovering a typo once the old daemon is gone.

Stop and back up the original OpenSSH service

Stopping the unit terminates only the listening daemon; sessions that are already connected keep running (the stock unit uses KillMode=process), so your open SSH and Telnet sessions stay up:

systemctl stop sshd.service
systemctl disable sshd.service

Move the original files out of the way so nothing from the old server remains in the default paths, and keep them together for an easy rollback if the upgrade runs into trouble. The openssh-server package still owns these paths, so a later yum update of that package would put the old binary and unit files back; pin or remove the package once the new service is proven.

mkdir -p /root/backup-sshd-old
mv /etc/ssh /root/backup-sshd-old/
mv /usr/sbin/sshd /root/backup-sshd-old/
mv /usr/lib/systemd/system/sshd*.service /root/backup-sshd-old/
mv /usr/lib/systemd/system/sshd.socket /root/backup-sshd-old/

Start the new OpenSSH service

systemctl daemon-reload
systemctl start sshd-new.service
systemctl status sshd-new.service
systemctl enable sshd-new.service
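A backup is only worth having if it can be put back under pressure, and the guide above gives the backup commands but not the rollback. As an added example that is not part of the original guide, the functions below do three things: copy the existing host keys into the new prefix before /etc/ssh is moved away (so clients do not see a changed host key), take the backup as a mirrored directory tree, and restore it and swap the units back. ROOT, the first argument of each function, is a hypothetical prefix added for rehearsal: leave it empty on a real host; point it at a scratch directory to dry-run the rollback, in which case systemctl is not touched. The path list is the one this guide moves, spelled out (sshd.service, sshd@.service and sshd-keygen.service are what the sshd*.service glob matches on CentOS 7).

```sh
#!/bin/sh
# Added example, not from the original guide: mirrored backup, rollback and
# host-key preservation for the distribution OpenSSH server.
# ROOT (first argument of each function) is a hypothetical prefix used only
# to rehearse against a scratch tree; on a real host it is empty.
set -e

BACKUP_DIR=/root/backup-sshd-old
NEW_PREFIX=/usr/local/openssh-upgrade/openssh-9.5p1

# Paths owned by the stock openssh-server package that the guide moves aside.
SSHD_PATHS="/etc/ssh /usr/sbin/sshd /usr/lib/systemd/system/sshd.service \
/usr/lib/systemd/system/sshd@.service /usr/lib/systemd/system/sshd-keygen.service \
/usr/lib/systemd/system/sshd.socket"

# Copy the existing host keys (and their .pub files) into the new prefix's
# etc directory, overwriting the keys that make install generated. Run this
# BEFORE backup_sshd moves /etc/ssh away, or clients will warn about a
# changed host key on their first connection to the new server.
preserve_host_keys() {
    phk_root="${1:-}"
    mkdir -p "$phk_root$NEW_PREFIX/etc"
    for phk_key in "$phk_root"/etc/ssh/ssh_host_*; do
        [ -e "$phk_key" ] || continue
        cp -p "$phk_key" "$phk_root$NEW_PREFIX/etc/"   # -p keeps the 0600 mode
    done
}

# Move each path under $BACKUP_DIR, keeping its original location as the
# relative path, so restore_sshd knows exactly where everything goes back.
backup_sshd() {
    bs_root="${1:-}"
    for bs_path in $SSHD_PATHS; do
        [ -e "$bs_root$bs_path" ] || continue
        mkdir -p "$bs_root$BACKUP_DIR$(dirname "$bs_path")"
        mv "$bs_root$bs_path" "$bs_root$BACKUP_DIR$bs_path"
    done
}

# Rollback: put every saved path back and, on a real host, swap the units.
restore_sshd() {
    rs_root="${1:-}"
    [ -d "$rs_root$BACKUP_DIR" ] || { echo "no backup at $rs_root$BACKUP_DIR" >&2; return 1; }
    for rs_path in $SSHD_PATHS; do
        [ -e "$rs_root$BACKUP_DIR$rs_path" ] || continue
        mkdir -p "$(dirname "$rs_root$rs_path")"
        mv "$rs_root$BACKUP_DIR$rs_path" "$rs_root$rs_path"
    done
    # Only act on systemd when operating on the real filesystem.
    if [ -z "$rs_root" ] && command -v systemctl >/dev/null 2>&1; then
        systemctl stop sshd-new.service
        systemctl disable sshd-new.service
        systemctl daemon-reload
        systemctl enable sshd.service
        systemctl start sshd.service
    fi
}

# Usage on a real host:
#   preserve_host_keys && backup_sshd    # before starting sshd-new.service
#   restore_sshd                         # if the new server does not work out
```

Rehearse the pair once against a scratch tree (backup_sshd /tmp/rehearsal followed by restore_sshd /tmp/rehearsal) before running it on the host; the restore is the command you will be typing from the Telnet session with nothing else working.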

Upgrade Validation

From a new terminal, open a fresh SSH connection to the server and check both the client and the server binary. Use a login shell: it picks up the updated /etc/profile, and without the new PATH the old client in /usr/bin/ssh (which was not moved) would be found first:

ssh -V
sshd -V

Sample expected output:

OpenSSH_9.5p1, OpenSSL 1.1.1w  11 Sep 2023
OpenSSH_9.5p1, OpenSSL 1.1.1w  11 Sep 2023

These lines describe the binaries found on PATH, not necessarily the daemon that accepted your connection. Also confirm that the process listening on port 22 is the one from the new prefix (for instance via the MainPID of sshd-new.service) and that it is linked against the new libcrypto rather than the system's 1.0.2.
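The version banners before and after the upgrade are what tell you whether the goal was reached, and they are easy to misread by eye (1.0.2k against 1.1.1w, the -fips suffix, the build date). As an added example that is not part of the original guide, the functions below parse an ssh -V / sshd -V banner, compare the parsed versions numerically against the minimums this procedure targets (OpenSSH 9.4, the release that started requiring OpenSSL 1.1.1), and on a live host report which libcrypto a given sshd binary actually loads. The two banners shown on this page are the sample input; the --live flag and the hypothetical linked_libcrypto helper are additions for use on the real host.

```sh
#!/bin/sh
# Added example, not from the original guide: check OpenSSH/OpenSSL version
# banners against the minimum versions this upgrade targets. Serves both the
# pre-upgrade check and the post-upgrade validation.
set -e

MIN_OPENSSH=9.4    # first release that requires OpenSSL >= 1.1.1
MIN_OPENSSL=1.1.1

# "OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017" -> 7.4
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9.]*\).*/\1/p'
}

# "OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017" -> 1.0.2
# Prints nothing for a LibreSSL or crypto-less build, which then fails the
# minimum check below instead of silently passing.
openssl_version() {
    printf '%s\n' "$1" | sed -n 's/.*OpenSSL \([0-9][0-9.]*\).*/\1/p'
}

# Numeric comparison of dotted versions: version_ge 9.5 9.4 succeeds,
# version_ge 1.0.2 1.1.1 fails, and 9.10 is greater than 9.4 (no string
# comparison). Missing components count as 0.
version_ge() {
    vg_a="$1." vg_b="$2."
    while [ -n "$vg_a" ] || [ -n "$vg_b" ]; do
        vg_x="${vg_a%%.*}"; vg_y="${vg_b%%.*}"
        vg_a="${vg_a#*.}";  vg_b="${vg_b#*.}"
        [ "${vg_x:-0}" -gt "${vg_y:-0}" ] && return 0
        [ "${vg_x:-0}" -lt "${vg_y:-0}" ] && return 1
    done
    return 0
}

# meets_minimum "<banner>" [min_openssh] [min_openssl]
# Succeeds only when both components are at or above the minimums.
meets_minimum() {
    mm_ssh=$(openssh_version "$1")
    mm_ssl=$(openssl_version "$1")
    version_ge "${mm_ssh:-0}" "${2:-$MIN_OPENSSH}" && \
        version_ge "${mm_ssl:-0}" "${3:-$MIN_OPENSSL}"
}

# Live-host helpers. ssh -V writes its banner to stderr; ldd shows which
# libcrypto/libssl a given sshd binary resolves under the current environment.
current_banner() { ssh -V 2>&1; }
linked_libcrypto() { ldd "$1" | awk '/libcrypto|libssl/ { print $3 }'; }

# Usage: sh check-versions.sh --live [/path/to/sshd]
if [ "${1:-}" = "--live" ]; then
    cv_banner=$(current_banner)
    if meets_minimum "$cv_banner"; then
        echo "OK: $cv_banner"
    else
        echo "UPGRADE NEEDED: $cv_banner"
    fi
    if [ -n "${2:-}" ]; then
        linked_libcrypto "$2"
    fi
fi
```

Run it with --live before the upgrade (expect UPGRADE NEEDED on a stock host) and again from the fresh login shell afterwards, passing the new sshd path so the second line shows a libcrypto under /usr/local/openssh-upgrade rather than /usr/lib64.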

Reboot the server and confirm that sshd-new.service starts on its own and accepts a new connection before closing the backup Telnet session.

Clean Up Temporary Changes

Disable Telnet and put /etc/securetty back so the root login restriction applies again. Removing the telnet-server package afterwards, or at least confirming that nothing listens on port 23 any more, closes the cleartext path for good:

systemctl stop telnet.socket && systemctl disable telnet.socket
mv /etc/securetty.bak /etc/securetty
