• notice
  • Congratulations on the launch of the Sought Tech site

There is a security vulnerability in OpenSSH security vulnerability before 8.5-openssh7.4 is upgraded to 9.0

  Third-party detection reports that OpenSSH before 8.5 has a security vulnerability, OpenSSH security vulnerability (CVE-2016-20012). Through ssh -V, the current ssh version is 7.4. According to several reports, ssh needs to be upgraded to version 9.0. Through some methods on the Internet, but encountered difficult problems in the middle, especially after installation, sshd cannot be started, and sshd reports an error sshd.service start operation timed out. Terminating: The details are as follows:

Started Session 15 of user root.

sshd.service start operation timed out. Terminating
sshd[4900]: Received signal 15; terminating.
systemd: Failed to start OpenSSH server daemon.
systemd: Unit sshd.service entered failed state.
systemd: sshd.service failed.
systemd: sshd. service holdoff time over, scheduling restart.
systemd: Stopped OpenSSH server daemon.
systemd: Starting OpenSSH server daemon...
sshd[4988]: Server listening on port 22.

sshd[4988]: Server listening on :: port 22.

Finally, after various groping and processing, the problem was finally solved. My server environment here is Centos7.9. The download address of the list of openSSH versions: http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/ The   upgrade process is as follows.

#View the current version
[root@test 04007]# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
#Must uninstall openssh first or sshd cannot be started
[root@test 04007]# yum -y remove openssh
#Download version 9.0 software for installation
[root@test 04007]# mkdir ~/openssh ; cd ~/openssh
[root@test 04007]# wget http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.0p1.tar.gz
[root@test 04007]# tar -zxvf openssh-9.0p1.tar.gz
[root@test 04007]# cd openssh-9.0p1

#Of course, the premise is that your openssl and zlib directories are this, if not, modify it.
[root@test 04007]# ./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/openssl --with-zlib=/usr /local/zlib --with-md5-passwords --without-hardening
[root@test 04007]# make && make install
[root@test 04007]# ln -s /usr/local/openssh/sbin/sshd /sbin/sshd
[root@test 04007]# ln -s /usr/local/openssh/bin/ssh-keygen /usr/bin/ssh-keygen
[root@test 04007]# service sshd restart

# verify upgrade
[root@test 04007]# ssh -V
OpenSSH_9.0p1, OpenSSL 1.0.2n 7 Dec 2017

    After upgrading SSH from 7.4 to 9.0, use service sshd restart to restart sshd, and you may encounter the following errors. You can enter the /etc/ssh/sshd_config configuration file and comment out the lines that report errors.
/etc/ssh/sshd_config line 79: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 80: Unsupported option GSSAPICleanupCredentials
    may also encounter an error report that the relevant file cannot be found as follows. At this time, first locate ssh-keygen to find the file directory and add The soft links of /usr/bin/ssh-keygen and /sbin/sshd are enough, and I also wrote the above execution command at the same time.
/etc/rc.d/init.d/sshd: line 41: /usr/bin/ssh-keygen: No such file or directory

View sshd log method command
tail -f /var/log/messages


Technical otaku

Sought technology together

Related Topic


Leave a Reply