TheGU · February 1, 2019 02:21
diff --git a/upgrade_openssh_openssl.sh b/upgrade_openssh_openssl.sh
 #!/bin/bash

 # Prepare folder
 mkdir -p /app/ssh_upgrade && cd /app/ssh_upgrade

 # Get openssl source file : openssl-1.0.2q.tar.gz
 wget https://www.openssl.org/source/openssl-1.0.2q.tar.gz
 # Get openssh source file : openssh-7.7p1.tar.gz
 wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.7p1.tar.gz

 timestamp=$(date +%s)

 # Upgrade OpenSSL ================
 # Backup old file
 cp  /usr/lib64/libcrypto.so.10  /usr/lib64/libcrypto.so.10-${timestamp}
 cp  /usr/lib64/libssl.so.10  /usr/lib64/libssl.so.10-${timestamp}
 mv /usr/bin/openssl /usr/bin/openssl-${timestamp}
 mv /usr/include/openssl /usr/include/openssl-${timestamp}
 mv /usr/lib64/openssl/engines /usr/lib64/openssl/engines-${timestamp}
 mv /usr/lib64/openssl /usr/lib64/openssl-${timestamp}

 # Remove OpenSSL rpm package
 rpm -qa | grep openssl |xargs -i rpm -e --nodeps {}

 # Compile and install new OpenSSL
 cd /app/ssh_upgrade
 tar zxvf openssl-1.0.2q.tar.gz && cd openssl-1.0.2q
 ./config --prefix=/usr/local/openssl --openssldir=/etc/ssl --shared zlib && make && make test && make install

 # Link binary file 
 ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
 ln -s /usr/local/openssl/include/openssl /usr/include/openssl

 # Set ld.sd to recognize openssl lib folder
 echo "/usr/local/openssl/lib" >> /etc/ld.so.conf.d/openssl.conf
 chmod 655 /etc/ld.so.conf.d/openssl.conf
 ldconfig
 echo "Check if folder already in ld list"
 ldconfig -v | grep /usr/local/openssl/lib
 # if no result it may need to manually copy to /usr/lib64 folder
 # /bin/cp /usr/local/openssl/lib/* /usr/lib64/

 # mv  /usr/lib64/libcrypto.so.10-*  /usr/lib64/libcrypto.so.10
 # mv  /usr/lib64/libssl.so.10-*  /usr/lib64/libssl.so.10

 echo "OpenSSl version upgrades :" && openssl version -a


 # Upgrade OpenSSH ========================
 # Backup old file
 cp -R /etc/ssh /etc/ssh-${timestamp}
 cp /etc/init.d/sshd /etc/init.d/sshd-${timestamp}

 # Remove OpenSSH rpm package 
 rpm -qa | grep openssh
 rpm -e --nodeps `rpm -qa | grep openssh`

 # Compile and install new OpenSSH
 cd /app/ssh_upgrade
 tar zxvf openssh-7.7p1.tar.gz && cd openssh-7.7p1
 ./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/openssl && make && make install
 # chmod -R 755 /usr/local/openssh

 # link binary file
 ln -s /usr/local/openssh/sbin/sshd /usr/sbin/sshd
 ln -s /usr/local/openssh/bin/scp /usr/bin/scp
 ln -s /usr/local/openssh/bin/sftp /usr/bin/sftp
 ln -s /usr/local/openssh/bin/ssh /usr/bin/ssh
 ln -s /usr/local/openssh/bin/ssh-add /usr/bin/ssh-add
 ln -s /usr/local/openssh/bin/ssh-agent /usr/bin/ssh-agent
 ln -s /usr/local/openssh/bin/ssh-keygen /usr/bin/ssh-keygen
 ln -s /usr/local/openssh/bin/ssh-keyscan /usr/bin/ssh-keyscan
 ln -s /usr/local/openssh/libexec/sftp-server /usr/libexec/sftp-server
 ln -s /usr/local/openssh/libexec/ssh-keysign /usr/libexec/ssh-keysign
 ln -s /usr/local/openssh/libexec/ssh-pkcs11-helper /usr/libexec/ssh-pkcs11-helper
 # don't know how to copy man page in /usr/local/openssh/share folder

 # Copy default configuration file
 # Check the different from file in /etc/ssh-${timestamp} to see what need to hardenning
 /bin/cp ssh_config /etc/ssh/
 /bin/cp sshd_config /etc/ssh/
 /bin/cp moduli /etc/ssh/

 # Test config, this will fail if sshd_config files is wrong or has unsupport setting from previous version
 # Run after copy config from hardenning and delete line that show in error
 /usr/sbin/sshd -t -f /etc/ssh/sshd_config

 # Set startup script in /etc/init.d
 /bin/cp contrib/redhat/sshd.init /etc/init.d/sshd
 chmod +x /etc/init.d/sshd

 # Set start service on boot
 chkconfig --add sshd
 chkconfig sshd on
 chkconfig sshd --list

 # Start service
 service sshd start

 echo "OpenSSH version upgrades :" && ssh -V
	#!/bin/bash

	# Prepare folder
	mkdir -p /app/ssh_upgrade && cd /app/ssh_upgrade

	# Get openssl source file : openssl-1.0.2q.tar.gz
	wget https://www.openssl.org/source/openssl-1.0.2q.tar.gz
	# Get openssh source file : openssh-7.7p1.tar.gz
	wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.7p1.tar.gz

	timestamp=$(date +%s)

	# Upgrade OpenSSL ================
	# Backup old file
	cp /usr/lib64/libcrypto.so.10 /usr/lib64/libcrypto.so.10-${timestamp}
	cp /usr/lib64/libssl.so.10 /usr/lib64/libssl.so.10-${timestamp}
	mv /usr/bin/openssl /usr/bin/openssl-${timestamp}
	mv /usr/include/openssl /usr/include/openssl-${timestamp}
	mv /usr/lib64/openssl/engines /usr/lib64/openssl/engines-${timestamp}
	mv /usr/lib64/openssl /usr/lib64/openssl-${timestamp}

	# Remove OpenSSL rpm package
	rpm -qa \| grep openssl \|xargs -i rpm -e --nodeps {}

	# Compile and install new OpenSSL
	cd /app/ssh_upgrade
	tar zxvf openssl-1.0.2q.tar.gz && cd openssl-1.0.2q
	./config --prefix=/usr/local/openssl --openssldir=/etc/ssl --shared zlib && make && make test && make install

	# Link binary file
	ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
	ln -s /usr/local/openssl/include/openssl /usr/include/openssl

	# Set ld.sd to recognize openssl lib folder
	echo "/usr/local/openssl/lib" >> /etc/ld.so.conf.d/openssl.conf
	chmod 655 /etc/ld.so.conf.d/openssl.conf
	ldconfig
	echo "Check if folder already in ld list"
	ldconfig -v \| grep /usr/local/openssl/lib
	# if no result it may need to manually copy to /usr/lib64 folder
	# /bin/cp /usr/local/openssl/lib/* /usr/lib64/

	# mv /usr/lib64/libcrypto.so.10-* /usr/lib64/libcrypto.so.10
	# mv /usr/lib64/libssl.so.10-* /usr/lib64/libssl.so.10

	echo "OpenSSl version upgrades :" && openssl version -a


	# Upgrade OpenSSH ========================
	# Backup old file
	cp -R /etc/ssh /etc/ssh-${timestamp}
	cp /etc/init.d/sshd /etc/init.d/sshd-${timestamp}

	# Remove OpenSSH rpm package
	rpm -qa \| grep openssh
	rpm -e --nodeps `rpm -qa \| grep openssh`

	# Compile and install new OpenSSH
	cd /app/ssh_upgrade
	tar zxvf openssh-7.7p1.tar.gz && cd openssh-7.7p1
	./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/openssl && make && make install
	# chmod -R 755 /usr/local/openssh

	# link binary file
	ln -s /usr/local/openssh/sbin/sshd /usr/sbin/sshd
	ln -s /usr/local/openssh/bin/scp /usr/bin/scp
	ln -s /usr/local/openssh/bin/sftp /usr/bin/sftp
	ln -s /usr/local/openssh/bin/ssh /usr/bin/ssh
	ln -s /usr/local/openssh/bin/ssh-add /usr/bin/ssh-add
	ln -s /usr/local/openssh/bin/ssh-agent /usr/bin/ssh-agent
	ln -s /usr/local/openssh/bin/ssh-keygen /usr/bin/ssh-keygen
	ln -s /usr/local/openssh/bin/ssh-keyscan /usr/bin/ssh-keyscan
	ln -s /usr/local/openssh/libexec/sftp-server /usr/libexec/sftp-server
	ln -s /usr/local/openssh/libexec/ssh-keysign /usr/libexec/ssh-keysign
	ln -s /usr/local/openssh/libexec/ssh-pkcs11-helper /usr/libexec/ssh-pkcs11-helper
	# don't know how to copy man page in /usr/local/openssh/share folder

	# Copy default configuration file
	# Check the different from file in /etc/ssh-${timestamp} to see what need to hardenning
	/bin/cp ssh_config /etc/ssh/
	/bin/cp sshd_config /etc/ssh/
	/bin/cp moduli /etc/ssh/

	# Test config, this will fail if sshd_config files is wrong or has unsupport setting from previous version
	# Run after copy config from hardenning and delete line that show in error
	/usr/sbin/sshd -t -f /etc/ssh/sshd_config

	# Set startup script in /etc/init.d
	/bin/cp contrib/redhat/sshd.init /etc/init.d/sshd
	chmod +x /etc/init.d/sshd

	# Set start service on boot
	chkconfig --add sshd
	chkconfig sshd on
	chkconfig sshd --list

	# Start service
	service sshd start

	echo "OpenSSH version upgrades :" && ssh -V