On July 1, OpenSSH released an official security update, and while I was busy dealing with it, I recorded the upgrade process.
system environment
root@NServer:~# cat /proc/version
Linux version 3.4.113-sun8i (root@test) (gcc version 5.5.0 (Linaro GCC 5.5-2017.10) ) #40 SMP PREEMPT Tue Mar 16 14:24:14 CST 2021
root@NServer:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.7 LTS
Release: 16.04
Codename: xenial
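Installation packages
zlib-1.3.1.tar.gz # /
openssl-1.1.1w.tar.gz # /source/old/1.1.1/
openssh-9.8p1.tar.gz # /pub/OpenBSD/OpenSSH/portable/
Before unpacking, verify each tarball against the checksum or signature published by its project.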
upgrade step
upgrade sequence
openssl -> zlib -> openssh
Install openssl
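# Build OpenSSL 1.1.1w from source into a private prefix.
# Verify the tarball against the project's published checksum before unpacking.
# NOTE(review): OpenSSL 1.1.1 is past upstream end-of-life and 1.1.1w was its
# last public release; prefer a supported OpenSSL 3.x release where feasible.
tar zxvf openssl-1.1.1w.tar.gz
cd openssl-1.1.1w
# "shared" builds the .so libraries; the private prefix leaves the
# distribution's own OpenSSL untouched.
./config --prefix=/usr/local/openssl shared
make
make install
# Create symbolic links so the runtime linker can find the new libraries
ln -s /usr/local/openssl/lib/libssl.so.1.1 /usr/lib/
ln -s /usr/local/openssl/lib/libcrypto.so.1.1 /usr/lib/
# Check the openssl version; if the version number is printed normally, the install succeeded.
/usr/local/openssl/bin/openssl version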
root@NServer:~# cat /proc/version
Linux version 3.4.113-sun8i (root@test) (gcc version 5.5.0 (Linaro GCC 5.5-2017.10) ) #40 SMP PREEMPT Tue Mar 16 14:24:14 CST 2021
root@NServer:~# lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 16.04.7 LTS
Release: 16.04
Codename: xenial
zlib-1.3.1.tar.gz # /
openssl-1.1.1w.tar.gz # /source/old/1.1.1/
openssh-9.8p1.tar.gz # /pub/OpenBSD/OpenSSH/portable/
upgrade step
upgrade sequence
openssl -> zlib -> openssh
Install openssl
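# Build OpenSSL 1.1.1w from source into a private prefix.
# Verify the tarball against the project's published checksum before unpacking.
# NOTE(review): OpenSSL 1.1.1 is past upstream end-of-life and 1.1.1w was its
# last public release; prefer a supported OpenSSL 3.x release where feasible.
tar zxvf openssl-1.1.1w.tar.gz
cd openssl-1.1.1w
# "shared" builds the .so libraries; the private prefix leaves the
# distribution's own OpenSSL untouched.
./config --prefix=/usr/local/openssl shared
make
make install
# Create symbolic links so the runtime linker can find the new libraries
ln -s /usr/local/openssl/lib/libssl.so.1.1 /usr/lib/
ln -s /usr/local/openssl/lib/libcrypto.so.1.1 /usr/lib/
# Check the openssl version; if the version number is printed normally, the install succeeded.
/usr/local/openssl/bin/openssl version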
openssl -> zlib -> openssh
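# Build OpenSSL 1.1.1w from source into a private prefix.
# Verify the tarball against the project's published checksum before unpacking.
# NOTE(review): OpenSSL 1.1.1 is past upstream end-of-life and 1.1.1w was its
# last public release; prefer a supported OpenSSL 3.x release where feasible.
tar zxvf openssl-1.1.1w.tar.gz
cd openssl-1.1.1w
# "shared" builds the .so libraries; the private prefix leaves the
# distribution's own OpenSSL untouched.
./config --prefix=/usr/local/openssl shared
make
make install
# Create symbolic links so the runtime linker can find the new libraries
ln -s /usr/local/openssl/lib/libssl.so.1.1 /usr/lib/
ln -s /usr/local/openssl/lib/libcrypto.so.1.1 /usr/lib/
# Check the openssl version; if the version number is printed normally, the install succeeded.
/usr/local/openssl/bin/openssl version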
Install zlib
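# Build zlib 1.3.1 into its own prefix; the OpenSSH configure step is pointed
# at this prefix with --with-zlib.
# Verify the tarball against the project's published checksum before unpacking.
tar zxvf zlib-1.3.1.tar.gz
cd zlib-1.3.1
./configure --prefix=/usr/local/zlib
make
make install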
Install openssh
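# Unpack and compile first, so that a failed build cannot leave the machine
# without any sshd at all.
# Verify the tarball against the project's published checksum or signature before unpacking.
tar zxvf openssh-9.8p1.tar.gz
cd openssh-9.8p1
# NOTE(review): --without-openssl-header-check skips configure's check that the
# OpenSSL headers and library agree on the version. With --with-ssl-dir pointing
# at the prefix built above it should not be needed; try without it first.
./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/openssl --with-zlib=/usr/local/zlib --without-openssl-header-check
make
# Uninstall the original openssh. Do NOT close the current SSH session after
# this step until the new sshd accepts logins; keep console access as a fallback.
# From here on the distribution no longer patches OpenSSH, so every future
# security update means repeating this build.
sudo apt purge --remove "openssh*"
rm -rf /usr/local/openssh
# Install the freshly built openssh
make install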
Configuring openssh
Restarting the sshd service prompts “Privilege separation user sshd does not exist”.
The sshd account needs to be added to /etc/passwd again.
Add this as the final line: sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
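# Create the unprivileged account sshd uses for privilege separation.
# groupadd/useradd (rather than appending to /etc/passwd by hand) keep
# /etc/passwd, /etc/group and /etc/shadow consistent and leave the password
# locked; the getent guards make the step safe to run twice.
# NOTE(review): on Ubuntu nologin normally lives at /usr/sbin/nologin - confirm the path.
if ! getent passwd sshd >/dev/null; then
  getent group sshd >/dev/null || groupadd -g 74 sshd
  useradd -u 74 -g sshd -c 'Privilege-separated SSH' -d /var/empty/sshd -s /sbin/nologin -M sshd
fi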
Register sshd as a service by creating a unit file:
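# Unit file for the newly built daemon; the name matches the "sshd" service
# used by the systemctl commands in this guide.
vim /usr/lib/systemd/system/sshd.service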
Write the following content:
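[Unit]
Description=OpenSSH server
Documentation=man:sshd(8) man:sshd_config(5)
#After=
#Wants=
# The target name was blank in the original listing; network.target is the
# usual ordering dependency for sshd.
After=network.target

[Service]
#Type=notify
#EnvironmentFile=/etc/sysconfig/sshd
#ExecStart=/usr/local/openssh/sbin/sshd -D $OPTIONS
# -D keeps sshd in the foreground. With the default Type=simple, systemd
# tracks the process it started; a daemon that forks and exits would be
# treated as stopped.
ExecStart=/usr/local/openssh/sbin/sshd -D
#ExecReload=/bin/kill -HUP $MAINPID
#KillMode=process
#Restart=on-failure
#RestartSec=42s

[Install]
# An empty WantedBy= makes "systemctl enable" a no-op; multi-user.target is
# the usual target for a network daemon.
WantedBy=multi-user.target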
Reload the systemd configuration and restart the service
# Make systemd re-read its unit files so the new sshd unit is picked up,
# then (re)start the service.
systemctl daemon-reload
systemctl restart sshd.service
It will fail to start here. Use systemctl status sshd
to check the reason for the failure: the original ssh service still occupies port 22, so first change the new ssh service to port 8022.
vim /etc/ssh/sshd_config
Remove the # sign in front of Port and ListenAddress 0.0.0.0 and change the 22 after Port to 8022 as shown below:
You also need to add 8022 to the firewall, otherwise ssh will not be able to connect to it
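# Open TCP only (SSH does not use UDP). This is a temporary rule: delete it
# once sshd has been moved back to port 22.
ufw allow 8022/tcp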
Save the changes and restart sshd again
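# Validate the edited configuration first (-t is sshd's test mode): a syntax
# error would keep the new daemon from starting and could lock you out.
/usr/local/openssh/sbin/sshd -t && systemctl restart sshd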
Once there are no errors, check the sshd status. "Active: active (running)"
indicates that it is running, at which point you can use a tool such as PuTTY to log in to the server on port 8022.
systemctl status sshd
Enable start at boot
systemctl enable sshd
If you are prompted with “update-rc.d: error: sshd Default-Start contains no runlevels, aborting.”,
you need to modify the sshd init script:
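# The LSB header shown below belongs in the SysV init script for sshd.
vim /etc/init.d/sshd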
Insert the following below the #!/bin/bash line, starting on the second line:
### BEGIN INIT INFO
# Provides: sshd
# Required-Start:
# Required-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: Start sshd daemon at boot time
# Description: Start sshd daemon at boot time
### END INIT INFO
As shown in the figure below:
Save it and enable start at boot again:
systemctl enable sshd
When successful, it is shown in the following figure:
Append three lines to the end of /etc/ssh/sshd_config
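# sshd uses the FIRST value it reads for each keyword, so these appended lines
# only take effect if no earlier uncommented line in the file sets the same keyword.
# NOTE(review): root login with a password is exposed to password guessing.
# Once key-based login is confirmed to work, prefer
# 'PermitRootLogin prohibit-password' and 'PasswordAuthentication no'.
echo 'PermitRootLogin yes' >> /etc/ssh/sshd_config
echo 'PubkeyAuthentication yes' >> /etc/ssh/sshd_config
echo 'PasswordAuthentication yes' >> /etc/ssh/sshd_config
# Check the resulting file before rebooting; a broken config keeps sshd from starting.
/usr/local/openssh/sbin/sshd -t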
Restart the server:
reboot
# View Version:
ssh -V
This is a successful upgrade!
P.S. Remember to change the ssh port back to 22.