-
-
Save roommen/18cd78d07b0fbc962de4e79c1d468f92 to your computer and use it in GitHub Desktop.
#!/bin/bash | |
sudo yum install gcc -y | |
sudo yum install openssl-devel -y | |
sudo yum install zlib-devel -y | |
sudo yum install mlocate -y | |
sudo yum install autoconf -y | |
wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.1p1.tar.gz | |
tar zxvf openssh-9.1p1.tar.gz | |
cd openssh-9.1p1 && ./configure && make && sudo make install |
Ah well, I am not having any luck. I even renamed openssl to openssl.orig and openssl11 to openssl so that when openssl is run, it uses the newer version. The configure command still returns:
checking for openssl... /usr/bin/openssl
checking for openssl/opensslv.h... yes
checking OpenSSL header version... 100020bf (OpenSSL 1.0.2k 26 Jan 2017)
checking for OpenSSL_version... no
checking for OpenSSL_version_num... no
checking OpenSSL library version... configure: error: OpenSSL >= 1.1.1 required (have "100020bf (OpenSSL 1.0.2k-fips 26 Jan 2017)")
I did have errors trying to install openssl11-devel as it said that openssl-devel was needed for openssl 1.0.2. I told it to ignore that to get it to install.
After a period of research, here are some conclusions(which may be useful to you).
Checking configure
help doc
./configure --help |grep 'ssl'
--without-openssl Disable use of OpenSSL; use only limited internal crypto **EXPERIMENTAL**
--with-ssl-dir=PATH Specify path to OpenSSL installation
--without-openssl-header-check Disable OpenSSL version consistency check
--with-ssl-engine Enable OpenSSL (hardware) ENGINE support
As you can see, here is a param --with-ssl-dir=PATH
that can be used for specify openssl path.
Dive into openssl11
# Install yum-utils
sudo yum install -y yum-utils
# Download the rpm package
sudo yumdownloader openssl11 openssl11-devel
# Check out the package
rpm -qpl openssl11-1.1.1g-12.amzn2.0.20.x86_64.rpm
#> /usr/bin/make-dummy-cert
#> /usr/bin/openssl11
#> /usr/bin/renew-dummy-cert
#> /usr/share/doc/openssl11-1.1.1g
#> /usr/share/doc/openssl11-1.1.1g/FAQ
#> /usr/share/doc/openssl11-1.1.1g/Makefile.certificate
#> /usr/share/doc/openssl11-1.1.1g/NEWS
#> /usr/share/doc/openssl11-1.1.1g/README
#> /usr/share/doc/openssl11-1.1.1g/README.FIPS
#> /usr/share/licenses/openssl11-1.1.1g
#> /usr/share/licenses/openssl11-1.1.1g/LICENSE
#> /usr/share/man/man1/openssl11.1.gz
rpm -qpl openssl11-devel-1.1.1g-12.amzn2.0.20.x86_64.rpm
#> /usr/include/openssl
#> /usr/include/openssl/aes.h
#> /usr/include/openssl/asn1.h
#> /usr/include/openssl/asn1_mac.h
#> /usr/include/openssl/asn1err.h
#> ....
The path /usr/include/openssl
is the path that you should fill into above.
Conclusion
Run before: sudo yum install -y gcc openssl11 openssl11-devel zlib-devel mlocate autoconf
Try: ./configure --with-ssl-dir=/usr/include/openssl
BTW, The above method has been verified to work on a brand new AL2 system.
If your colleague also decided to follow these instructions on your day-off, and now finds themselves in a situation where the OpenSSH server is almost inaccessible anymore for new connections (e.g. ssh your-server-ip
returns with error "kex_exhcnage_identification: read: Connection reset by peer"), follow my instructions to restore everything back.
Assuming you (or your coworker) still have an open SSH connection and can run commands in the shell:
- Set a secure password for the root user using
sudo passwd
(you can use tools like pwgen to generate a strong password). - Log into the AWS console, navigate to your EC2 instance, select it, then go to Actions → Monitor and troubleshoot → EC2 serial console → Connect
- Press Enter a few times in the large black rectangle, and you'll get a login prompt. Type root, press Enter, and then enter the password generated in step 1
- Stop the SSH server and terminate all connections by running
systemctl stop sshd; killall sshd
- Navigate to the openssh server source code directory, most likely it would be
cd /home/ec2-user/openssh-9.1p1
- Run
make uninstall
to clean up all the files installed by the previous "make install" command (please avoid doing this on any non-personal machines in the future). - After step 6, you'll no longer have SSH client & SSH server on your system, even though the system package manager still thinks OpenSSH is installed. Reinstall the SSH-related packages to restore everything:
yum reinstall openssh openssh-server openssh-client
- Finally, start the SSH server again by running
systemctl start sshd
, and check if you can connect to the server from the server itself byssh localhost
.
P.S. If upgrading is necessary to make npm work (due to the unsupported option "accept-now"), you can use this workaround by setting an environment variable: GIT_SSH_COMMAND=ssh npm i ...
(Source)
I am use centOS 7.6, it should like this
./configure --with-ssl-dir=/usr/local/openssl
smh this broke my clones
sed -i '129a\#include <systemd/sd-daemon.h>' sshd.c sed -i '2095a\ /* Signal systemd that we are ready to accept connections */' sshd.c sed -i '2096a\ sd_notify (0, "READY=1");' sshd.c
Hi everyone, I also updated OpenSSH on EC2 this week. After performing the above steps,
systemctl restart sshd executes successfully but the client cannot connect via ssh.
I think there may be some problem with the original ec2 sshkey after the update?
Has anyone else encountered a similar situation and fixed it?
Hope to get the answer... QQ
I literally just did the yum install above and ./configure and everything following worked.
ssh -V afterwards gave me:
OpenSSH_9.6p1, OpenSSL 1.1.1g FIPS 21 Apr 2020