
Upgrading OpenSSH on CentOS 7


0 Symptom

While installing a Kubernetes cluster with the Rancher Kubernetes Engine tool, the error below appeared. Investigation showed that the SSH server version on the target host 172.16.6.74 was too old:

$ rke up
INFO[0000] Running RKE version: v1.3.9                  
INFO[0000] Initiating Kubernetes cluster                
INFO[0000] [dialer] Setup tunnel for host [172.16.6.74]
INFO[0000] [dialer] Setup tunnel for host [172.16.11.195]
WARN[0000] Failed to set up SSH tunneling for host [172.16.6.74]: Can't retrieve Docker Info: error during connect: Get "http://%2Fvar%2Frun%2Fdocker.sock/v1.24/info": Unable to access the Docker socket (/var/run/docker.sock). Please check if the configured user can execute `docker ps` on the node, and if the SSH server version is at least version 6.7 or higher. If you are using RedHat/CentOS, you can't use the user `root`. Please refer to the documentation for more instructions. Error: ssh: rejected: administratively prohibited (open failed)
WARN[0000] Removing host [172.16.6.74] from node lists  
INFO[0000] Checking if container [cluster-state-deployer] is running on host [172.16.11.195], try #1

Check the SSH version on the target host 172.16.6.74:

[root@test-74 ~]# ssh -V
OpenSSH_6.6.1p1, OpenSSL 1.0.1e-fips 11 Feb 2013
[root@test-74 ~]#

1 OS version

[root@test-74 ~]# cat /etc/redhat-release 
CentOS Linux release 7.2.1511 (Core)
[root@test-74 ~]# uname -rm
3.10.0-327.el7.x86_64 x86_64
[root@test-74 ~]#

2 Install dependencies and the development tool group

[root@test-74 ~]# yum groupinstall "Development Tools"
已加载插件:fastestmirror
没有安装组信息文件
Maybe run: yum groups mark convert (see man yum)
Loading mirror speeds from cached hostfile
* base: mirrors.dgut.edu.cn
* epel: mirror.sjtu.edu.cn
* extras: mirrors.dgut.edu.cn
* updates: mirrors.dgut.edu.cn
正在解决依赖关系
--> 正在检查事务
---> 软件包 automake.noarch.0.1.13.4-3.el7 将被 安装
...
作为依赖被升级:
cpp.x86_64 0:4.8.5-44.el7                 efibootmgr.x86_64 0:17-2.el7                     efivar-libs.x86_64 0:36-12.el7           elfutils-devel.x86_64 0:0.176-5.el7      
elfutils-libelf.x86_64 0:0.176-5.el7       elfutils-libelf-devel.x86_64 0:0.176-5.el7       elfutils-libs.x86_64 0:0.176-5.el7       gcc.x86_64 0:4.8.5-44.el7                
gettext.x86_64 0:0.19.8.1-3.el7           gettext-libs.x86_64 0:0.19.8.1-3.el7             libgcc.x86_64 0:4.8.5-44.el7             libgomp.x86_64 0:4.8.5-44.el7            
libstdc++.x86_64 0:4.8.5-44.el7          

完毕!
[root@test-74 ~]# yum install zlib-devel openssl-devel
已加载插件:fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.dgut.edu.cn
* epel: mirror.sjtu.edu.cn
* extras: mirrors.dgut.edu.cn
* updates: mirrors.dgut.edu.cn
正在解决依赖关系
--> 正在检查事务
---> 软件包 openssl-devel.x86_64.1.1.0.2k-16.el7_6.1 将被 升级
---> 软件包 openssl-devel.x86_64.1.1.0.2k-25.el7_9 将被 更新
...
更新完毕:
openssl-devel.x86_64 1:1.0.2k-25.el7_9                                                   zlib-devel.x86_64 0:1.2.7-19.el7_9                                                  

作为依赖被升级:
 openssl.x86_64 1:1.0.2k-25.el7_9                         openssl-libs.x86_64 1:1.0.2k-25.el7_9                         zlib.x86_64 0:1.2.7-19.el7_9                        

完毕!
[root@test-74 ~]#

3 Install PAM and SELinux Headers

[root@test-74 ~]# yum install pam-devel libselinux-devel
...
已安装:
pam-devel.x86_64 0:1.1.8-23.el7                                                                                                                                                

更新完毕:
libselinux-devel.x86_64 0:2.5-15.el7                                                                                                                                            

作为依赖被升级:
libselinux.x86_64 0:2.5-15.el7           libselinux-python.x86_64 0:2.5-15.el7           libselinux-utils.x86_64 0:2.5-15.el7           pam.x86_64 0:1.1.8-23.el7          

完毕!
[root@test-74 ~]#

4 Download OpenSSH 8.0

[root@test-74 ~]# wget -c https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.0p1.tar.gz
--2022-04-15 11:31:51-- https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.0p1.tar.gz
正在解析主机 cdn.openbsd.org (cdn.openbsd.org)... 151.101.74.217, 2a04:4e42:1a::729
正在连接 cdn.openbsd.org (cdn.openbsd.org)|151.101.74.217|:443... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:1597697 (1.5M) [application/octet-stream]
正在保存至: “openssh-8.0p1.tar.gz”

100%[========================================================================================================================================>] 1,597,697   1.28MB/s 用时 1.2s  

2022-04-15 11:31:55 (1.28 MB/s) - 已保存 “openssh-8.0p1.tar.gz” [1597697/1597697])

[root@test-74 ~]#

5 Compile and install OpenSSH from source

[root@test-74 ~]# tar -zxvf openssh-8.0p1.tar.gz 
...
openssh-8.0p1/ssh_config.0
openssh-8.0p1/configure
openssh-8.0p1/config.h.in
[root@test-74 ~]# cd openssh-8.0p1
[root@test-74 openssh-8.0p1]# ./configure --with-md5-passwords --with-pam --with-selinux --with-privsep-path=/var/lib/sshd/ --sysconfdir=/etc/ssh
...
config.status: creating config.h

OpenSSH has been configured with the following options:
                    User binaries: /usr/local/bin
                  System binaries: /usr/local/sbin
              Configuration files: /etc/ssh
                  Askpass program: /usr/local/libexec/ssh-askpass
                    Manual pages: /usr/local/share/man/manX
                        PID file: /var/run
Privilege separation chroot path: /var/lib/sshd/
          sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
                  Manpage format: doc
                      PAM support: yes
                  OSF SIA support: no
                KerberosV support: no
                  SELinux support: yes
            MD5 password support: yes
                  libedit support: no
                  libldns support: no
Solaris process contract support: no
          Solaris project support: no
        Solaris privilege support: no
      IP address in $DISPLAY hack: no
          Translate v4 in v6 hack: yes
                BSD Auth support: no
            Random number source: OpenSSL internal ONLY
            Privsep sandbox style: seccomp_filter

            Host: x86_64-pc-linux-gnu
        Compiler: cc
  Compiler flags: -g -O2 -pipe -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE  
Preprocessor flags:  -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE
    Linker flags:  -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -pie
        Libraries: -lcrypto -ldl -lutil -lz  -lcrypt -lresolv
        +for sshd:  -lpam -lselinux
         +for ssh:  -lselinux

PAM is enabled. You may need to install a PAM control file
for sshd, otherwise password authentication may fail.
Example PAM control files can be found in the contrib/
subdirectory

[root@test-74 openssh-8.0p1]# make && make install
..
/usr/bin/mkdir -p /etc/ssh
/etc/ssh/ssh_config already exists, install will not overwrite
/etc/ssh/sshd_config already exists, install will not overwrite
/etc/ssh/moduli already exists, install will not overwrite
/usr/local/sbin/sshd -t -f /etc/ssh/sshd_config
/etc/ssh/sshd_config line 81: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 83: Unsupported option GSSAPICleanupCredentials
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!         @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_ecdsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!         @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_ed25519_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
[root@test-74 openssh-8.0p1]#
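The `sshd -t` run that `make install` performs at the end of the output above reports two problems with the pre-existing /etc/ssh: the old sshd_config still contains GSSAPI options that this build (configured without Kerberos) does not understand, and the host keys are mode 0640 (CentOS 7 ships them group-readable by ssh_keys for its patched sshd), which the upstream sshd treats as an unprotected key and ignores. Until both are fixed the new daemon will refuse its config or come up without host keys. The shell functions below are an added example, not part of the original post, that comment out the reported options and tighten the key permissions. They take the config path and key directory as parameters so they can be rehearsed on a constructed scratch copy (make_scratch, with a placeholder key and a four-line sshd_config) before being pointed at /etc/ssh. The sshd path /usr/local/sbin/sshd comes from the configure summary above; GNU sed and stat are assumed.

```shell
#!/bin/sh
# Added example: post-install clean-up for the two warnings `sshd -t` printed.
# Not from the original post. Paths are parameters so the functions can be
# tried on a scratch copy first.

# Comment out options the freshly built sshd rejects. The build above has no
# Kerberos support, so the GSSAPI* lines left in the old sshd_config make
# `sshd -t` fail. Pass the option names exactly as `sshd -t` reported them.
disable_unsupported_options() {
    config="$1"; shift
    for opt in "$@"; do
        # only lines that start with the option name; already-commented lines are untouched
        sed -i "s/^[[:space:]]*${opt}[[:space:]]/#&/" "$config"
    done
}

# Upstream sshd ignores a private host key readable by group or others.
# CentOS 7 shipped them 0640 root:ssh_keys for its patched sshd; the upstream
# build needs 0600. Public keys (*.pub) are left alone.
fix_hostkey_perms() {
    keydir="$1"
    for key in "$keydir"/ssh_host_*_key; do
        [ -f "$key" ] || continue
        chmod 0600 "$key"
    done
}

# Octal mode of a file, so the caller can verify the fix (GNU stat assumed).
key_mode() { stat -c '%a' "$1"; }

# Number of lines in the config where the option is still active (uncommented).
active_option_count() {
    grep -c "^[[:space:]]*$2[[:space:]]" "$1" || true
}

# Validate a config with the newly installed binary (path from the configure
# summary; override with SSHD_BIN). Returns 0 when sshd accepts the file.
check_config() {
    sshd_bin="${SSHD_BIN:-/usr/local/sbin/sshd}"
    if [ -x "$sshd_bin" ]; then
        "$sshd_bin" -t -f "$1"
    else
        echo "no sshd at $sshd_bin, skipping syntax check" >&2
        return 0
    fi
}

# Constructed scratch directory: a minimal sshd_config carrying the two options
# from the warning above and an empty placeholder host key at mode 0640.
make_scratch() {
    dir=$(mktemp -d)
    printf '%s\n' 'Port 22' 'GSSAPIAuthentication yes' \
        'GSSAPICleanupCredentials yes' 'UsePAM yes' > "$dir/sshd_config"
    : > "$dir/ssh_host_ed25519_key"
    chmod 0640 "$dir/ssh_host_ed25519_key"
    printf '%s\n' "$dir"
}

# Rehearse both fixes on the scratch copy; prints the directory for inspection
# and returns non-zero if either fix did not take effect.
dry_run() {
    dir=$(make_scratch)
    disable_unsupported_options "$dir/sshd_config" GSSAPIAuthentication GSSAPICleanupCredentials
    fix_hostkey_perms "$dir"
    [ "$(active_option_count "$dir/sshd_config" GSSAPIAuthentication)" = 0 ] || return 1
    [ "$(active_option_count "$dir/sshd_config" UsePAM)" = 1 ] || return 1
    [ "$(key_mode "$dir/ssh_host_ed25519_key")" = 600 ] || return 1
    printf '%s\n' "$dir"
}
```

Once the dry run passes, apply the same two functions to /etc/ssh/sshd_config and /etc/ssh, then rerun `check_config /etc/ssh/sshd_config` until it is silent. Note that the `ssh -V` in the next step only reports the client binary: confirm what the daemon is serving with `ssh -v localhost 2>&1 | grep 'remote software version'`, and check with `systemctl cat sshd` that the unit's ExecStart points at the new /usr/local/sbin/sshd; if it still names the distribution's /usr/sbin/sshd, a restart brings up the old 6.6 daemon.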

6 Once you have installed OpenSSH, restart SSH and check the version of OpenSSH

[root@test-74 openssh-8.0p1]# ssh -V
OpenSSH_8.0p1, OpenSSL 1.0.2k-fips  26 Jan 2017
[root@test-74 openssh-8.0p1]# 

7 References

https://www.ezeelogin.com/kb/article/how-to-upgrade-openssh-in-centos-331.html
