OpenSSH Update Script - Amazon Linux 2

OpenSSH Update Script - Amazon Linux 2

#!/bin/bash
sudo yum install gcc -y
sudo yum install openssl-devel -y
sudo yum install zlib-devel -y
sudo yum install mlocate -y
sudo yum install autoconf -y
wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.1p1.tar.gz
tar zxvf openssh-9.1p1.tar.gz
cd openssh-9.1p1 && ./configure && make && sudo make install

OK so that installs openssl 11, but does that replace openssl 1.0.2? When I run openssl, it is still returning 1.0.2

…

________________________________ From: andrew1q9o ***@***.***> Sent: Wednesday, March 6, 2024 8:38 AM To: andrew1q9o ***@***.***> Cc: Comment ***@***.***> Subject: Re: roommen/OpenSSH Update Script - Amazon Linux 2 @andrew1q9o commented on this gist.

________________________________ Use: yum install -y openssl11 openssl11-devel I was able to upgrade to 9.6p1 with that. — Reply to this email directly, view it on GitHub<https://gist.github.com/roommen/18cd78d07b0fbc962de4e79c1d468f92#gistcomment-4973015> or unsubscribe<https://github.com/notifications/unsubscribe-auth/ACQI2BSARSLXIVZF4F2RND3YW4L63BFKMF2HI4TJMJ2XIZLTSKBKK5TBNR2WLJDUOJ2WLJDOMFWWLO3UNBZGKYLEL5YGC4TUNFRWS4DBNZ2F6YLDORUXM2LUPGBKK5TBNR2WLJDHNFZXJJDOMFWWLK3UNBZGKYLEL52HS4DFVRZXKYTKMVRXIX3UPFYGLK2HNFZXIQ3PNVWWK3TUUZ2G64DJMNZZDAVEOR4XAZNEM5UXG5FFOZQWY5LFVA4TOMBTHA3TINFHORZGSZ3HMVZKMY3SMVQXIZI>. You are receiving this email because you commented on the thread. Triage notifications on the go with GitHub Mobile for iOS<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.

Both versions are installed. Executing this:
openssl11 version

returns 1.1.1

OK so how do I tell the ./configure to use openssl 1.1.1? It still fails with the 1.0.2 version being detected Sorry I do not have much experience with having multiple versions of OpenSSL on a server

…

________________________________ From: andrew1q9o ***@***.***> Sent: Wednesday, March 6, 2024 8:47 AM To: andrew1q9o ***@***.***> Cc: Comment ***@***.***> Subject: Re: roommen/OpenSSH Update Script - Amazon Linux 2 @andrew1q9o commented on this gist.

________________________________ Both versions are installed. Executing this: openssl11 version returns 1.1.1 — Reply to this email directly, view it on GitHub<https://gist.github.com/roommen/18cd78d07b0fbc962de4e79c1d468f92#gistcomment-4973036> or unsubscribe<https://github.com/notifications/unsubscribe-auth/ACQI2BXA77DJMCKQCH7CU53YW4M7NBFKMF2HI4TJMJ2XIZLTSKBKK5TBNR2WLJDUOJ2WLJDOMFWWLO3UNBZGKYLEL5YGC4TUNFRWS4DBNZ2F6YLDORUXM2LUPGBKK5TBNR2WLJDHNFZXJJDOMFWWLK3UNBZGKYLEL52HS4DFVRZXKYTKMVRXIX3UPFYGLK2HNFZXIQ3PNVWWK3TUUZ2G64DJMNZZDAVEOR4XAZNEM5UXG5FFOZQWY5LFVA4TOMBTHA3TINFHORZGSZ3HMVZKMY3SMVQXIZI>. You are receiving this email because you commented on the thread. Triage notifications on the go with GitHub Mobile for iOS<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.

I literally just did the yum install above and ./configure and everything following worked.
ssh -V afterwards gave me:
OpenSSH_9.6p1, OpenSSL 1.1.1g FIPS 21 Apr 2020

well darn, not working for me

…

________________________________ From: andrew1q9o ***@***.***> Sent: Wednesday, March 6, 2024 8:59 AM To: andrew1q9o ***@***.***> Cc: Comment ***@***.***> Subject: Re: roommen/OpenSSH Update Script - Amazon Linux 2 @andrew1q9o commented on this gist.

________________________________ I literally just did the yum install above and ./configure and everything following worked. ssh -V afterwards gave me OpenSSH_9.6p1. — Reply to this email directly, view it on GitHub<https://gist.github.com/roommen/18cd78d07b0fbc962de4e79c1d468f92#gistcomment-4973073> or unsubscribe<https://github.com/notifications/unsubscribe-auth/ACQI2BXQ7NSAQSMX2OAU7NLYW4ONNBFKMF2HI4TJMJ2XIZLTSKBKK5TBNR2WLJDUOJ2WLJDOMFWWLO3UNBZGKYLEL5YGC4TUNFRWS4DBNZ2F6YLDORUXM2LUPGBKK5TBNR2WLJDHNFZXJJDOMFWWLK3UNBZGKYLEL52HS4DFVRZXKYTKMVRXIX3UPFYGLK2HNFZXIQ3PNVWWK3TUUZ2G64DJMNZZDAVEOR4XAZNEM5UXG5FFOZQWY5LFVA4TOMBTHA3TINFHORZGSZ3HMVZKMY3SMVQXIZI>. You are receiving this email because you commented on the thread. Triage notifications on the go with GitHub Mobile for iOS<https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android<https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>.

Ah well, I am not having any luck. I even renamed openssl to openssl.orig and openssl11 to openssl so that when openssl is run, it uses the newer version. The configure command still returns:

checking for openssl... /usr/bin/openssl
checking for openssl/opensslv.h... yes
checking OpenSSL header version... 100020bf (OpenSSL 1.0.2k 26 Jan 2017)
checking for OpenSSL_version... no
checking for OpenSSL_version_num... no
checking OpenSSL library version... configure: error: OpenSSL >= 1.1.1 required (have "100020bf (OpenSSL 1.0.2k-fips 26 Jan 2017)")

I did have errors trying to install openssl11-devel as it said that openssl-devel was needed for openssl 1.0.2. I told it to ignore that to get it to install.

After a period of research, here are some conclusions(which may be useful to you).

Checking configure help doc

./configure --help |grep 'ssl'
  --without-openssl       Disable use of OpenSSL; use only limited internal crypto **EXPERIMENTAL**
  --with-ssl-dir=PATH     Specify path to OpenSSL installation
  --without-openssl-header-check Disable OpenSSL version consistency check
  --with-ssl-engine       Enable OpenSSL (hardware) ENGINE support

As you can see, here is a param --with-ssl-dir=PATH that can be used for specify openssl path.

Dive into openssl11

# Install yum-utils
sudo yum install -y yum-utils
# Download the rpm package
sudo yumdownloader openssl11 openssl11-devel
# Check out the package
rpm -qpl openssl11-1.1.1g-12.amzn2.0.20.x86_64.rpm
#> /usr/bin/make-dummy-cert
#> /usr/bin/openssl11
#> /usr/bin/renew-dummy-cert
#> /usr/share/doc/openssl11-1.1.1g
#> /usr/share/doc/openssl11-1.1.1g/FAQ
#> /usr/share/doc/openssl11-1.1.1g/Makefile.certificate
#> /usr/share/doc/openssl11-1.1.1g/NEWS
#> /usr/share/doc/openssl11-1.1.1g/README
#> /usr/share/doc/openssl11-1.1.1g/README.FIPS
#> /usr/share/licenses/openssl11-1.1.1g
#> /usr/share/licenses/openssl11-1.1.1g/LICENSE
#> /usr/share/man/man1/openssl11.1.gz
rpm -qpl openssl11-devel-1.1.1g-12.amzn2.0.20.x86_64.rpm
#> /usr/include/openssl
#> /usr/include/openssl/aes.h
#> /usr/include/openssl/asn1.h
#> /usr/include/openssl/asn1_mac.h
#> /usr/include/openssl/asn1err.h
#> ....

The path /usr/include/openssl is the path that you should fill into above.

Conclusion

Run before: sudo yum install -y gcc openssl11 openssl11-devel zlib-devel mlocate autoconf

Try: ./configure --with-ssl-dir=/usr/include/openssl

BTW, The above method has been verified to work on a brand new AL2 system.

If your colleague also decided to follow these instructions on your day-off, and now finds themselves in a situation where the OpenSSH server is almost inaccessible anymore for new connections (e.g. ssh your-server-ip returns with error "kex_exhcnage_identification: read: Connection reset by peer"), follow my instructions to restore everything back.

Assuming you (or your coworker) still have an open SSH connection and can run commands in the shell:

1. Set a secure password for the root user using sudo passwd (you can use tools like pwgen to generate a strong password).
2. Log into the AWS console, navigate to your EC2 instance, select it, then go to Actions → Monitor and troubleshoot → EC2 serial console → Connect
3. Press Enter a few times in the large black rectangle, and you'll get a login prompt. Type root, press Enter, and then enter the password generated in step 1
4. Stop the SSH server and terminate all connections by running systemctl stop sshd; killall sshd
5. Navigate to the openssh server source code directory, most likely it would be cd /home/ec2-user/openssh-9.1p1
6. Run make uninstall to clean up all the files installed by the previous "make install" command (please avoid doing this on any non-personal machines in the future).
7. After step 6, you'll no longer have SSH client & SSH server on your system, even though the system package manager still thinks OpenSSH is installed. Reinstall the SSH-related packages to restore everything: yum reinstall openssh openssh-server openssh-client
8. Finally, start the SSH server again by running systemctl start sshd, and check if you can connect to the server from the server itself by ssh localhost.

P.S. If upgrading is necessary to make npm work (due to the unsupported option "accept-now"), you can use this workaround by setting an environment variable: GIT_SSH_COMMAND=ssh npm i ... (Source)

I am use centOS 7.6, it should like this

./configure --with-ssl-dir=/usr/local/openssl