Upgrading OpenSSH to version 8.2 on CentOS 7.6

Install the Telnet services as a fallback before the upgrade:

yum -y install xinetd telnet-server telnet
echo -e "pts/0\npts/1\npts/2\npts/3" >> /etc/securetty
systemctl enable telnet.socket --now
systemctl enable xinetd --now

Check the system version:

cat /etc/redhat-release

Install the required dependencies:

yum -y install gcc gcc-c++ glibc make autoconf openssl openssl-devel \
pcre-devel pam-devel zlib-devel tcp_wrappers-devel

Compile the components:

cd /tmp
tar -xf openssh-8.2p1.tar.gz
tar -xf openssl-1.1.1g.tar.gz
tar -xf zlib-1.2.11.tar.gz

# Install zlib
cd zlib-1.2.11
./configure && make && make install

# Install OpenSSL
cd ../openssl-1.1.1g
./config --prefix=/usr/local/ssl shared zlib
make -j 4 && make install
mv /usr/bin/openssl /usr/bin/openssl.old
echo "/usr/local/ssl/lib" >> /etc/ld.so.conf
ldconfig
ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
ln -s /usr/local/ssl/lib/libssl.so.1.1 /usr/lib64/
ln -s /usr/local/ssl/lib/libcrypto.so.1.1 /usr/lib64/

Compile and configure OpenSSH:

cd ../openssh-8.2p1
mv /etc/ssh /etc/ssh_backup
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords \
--with-pam --with-tcp-wrappers --with-ssl-dir=/usr/local/ssl --without-hardening
make -j 4 && make install

install -m755 contrib/ssh-copy-id /usr/bin
install -m644 contrib/ssh-copy-id.1 /usr/share/man/man1
cp contrib/redhat/sshd.init /etc/init.d/sshd
chmod +x /etc/init.d/sshd
systemctl daemon-reload
echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
systemctl restart sshd

Final verification and disabling Telnet:

systemctl status sshd
systemctl disable telnet.socket --now
systemctl disable xinetd --now
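
The steps above append PermitRootLogin yes to sshd_config and add pts/0 to pts/3 to /etc/securetty for the Telnet fallback, and disabling Telnet removes neither. The check below is an added example, not part of the original page; its function names and sample files are constructed for illustration, and it assumes "Keyword value" syntax with no Include files.

```shell
#!/bin/sh
# Added example: audit the two files this procedure edits.
# Both paths are arguments, so the checks can run on copies.

# Print the effective global value of an sshd_config keyword.
# sshd keeps the FIRST value it reads for a keyword, and lines after a
# "Match" line are conditional, so a line appended with >> may not apply.
# Assumption: "Keyword value" syntax, no Include files followed.
effective_sshd_option() {    # usage: effective_sshd_option FILE KEYWORD
    awk -v key="$2" '
        $1 ~ /^#/ { next }                              # comment line
        tolower($1) == "match" { exit }                 # global section ends
        tolower($1) == tolower(key) { print $2; exit }  # first value wins
    ' "$1"
}

# List the pts/N lines left in a securetty file by the Telnet fallback.
leftover_pts_entries() {     # usage: leftover_pts_entries FILE
    grep -E '^pts/[0-9]+$' "$1" || true
}

# Return 0 when nothing from the temporary fallback remains, 1 otherwise.
audit_after_upgrade() {      # usage: audit_after_upgrade SSHD_CONFIG SECURETTY
    rc=0
    if [ "$(effective_sshd_option "$1" PermitRootLogin)" = "yes" ]; then
        echo "WARN: PermitRootLogin yes is in effect in $1"; rc=1
    fi
    pts=$(leftover_pts_entries "$2" | tr '\n' ' ')
    if [ -n "$pts" ]; then
        echo "WARN: $2 still lists root-capable terminals: $pts"; rc=1
    fi
    return "$rc"
}

# Constructed sample files reproducing the state the steps above leave behind.
demo_dir=$(mktemp -d)
printf '%s\n' '#PermitRootLogin prohibit-password' \
    'Subsystem sftp /usr/libexec/sftp-server' \
    'PermitRootLogin yes' 'UsePAM yes' > "$demo_dir/sshd_config"
printf '%s\n' console tty1 pts/0 pts/1 pts/2 pts/3 > "$demo_dir/securetty"
audit_after_upgrade "$demo_dir/sshd_config" "$demo_dir/securetty" \
    || echo "audit: follow-up needed"
```

On a live host, sshd -T prints the effective configuration as sshd itself computes it and can replace the awk parser.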

Specific scenarios

Offline installation of the dependencies:

mkdir /tmp/offline_pkgs
yum install --downloadonly --downloaddir=/tmp/offline_pkgs \
gcc gcc-c++ glibc make autoconf openssl openssl-devel \
pcre-devel pam-devel zlib-devel tcp_wrappers-devel

Resolving file limit issues:

echo "UsePAM yes" >> /etc/ssh/sshd_config
cat > /etc/pam.d/sshd << EOF
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so
session    required     pam_limits.so
EOF
systemctl restart sshd

Tags: CentOS OpenSSH OpenSSL Zlib compilation

Published on July 1 at 16:22