Warning – this procedure is extremely risky (but has worked every time for me).
It is suggested that you do a dry run on a VM before attempting this on a live server. If anything goes wrong, you may be left with a dead server.
The servers in question are ns1.mydomain.co.uk and ns2.mydomain.co.uk, functioning as DNS servers for almost all of the company domains.
The normal method of updating CentOS is to type
yum update
at the root prompt.
If the kernel gets upgraded, make sure you reboot (after first checking that the other server is still OK) by typing
shutdown -r now
before you continue.
Keep doing
yum update
and
shutdown -r now
until there is nothing left for your unsupported distro.
From here on, these instructions will also work with Slackware.
- Ensure that you have backups of the /etc, /usr/exim and /var/named folders before you go any further. Send them back home using the scp command.
CentOS 5.1 is no longer supported, so any further updates required for PCI compliance (or other reasons) now have to be built from source by hand.
This is a completely unsupported solution, so you are on your own with this server from here on. Maybe you should have used Slackware instead?
1/. Download necessary packages:
zlib must be up to date
openssl must be up to date
openssh must be up to date
cd /usr/src
Visit:
http://www.zlib.net/
https://www.openssl.org/source/
http://www.mirrorservice.org/pub/OpenBSD/OpenSSH/portable/
Use the wget command to fetch the files.
It is good practice to verify each downloaded file's checksum against the value published on its download page, using the
md5sum filename
command.
2/. Build and install zlib:
cd /usr/src
tar xvfz zlib-1.2.8.tar.gz
cd zlib-1.2.8
./configure --prefix=/usr
make
make test
(if all is OK)
make install
3/. Build and install OpenSSL:
cd /usr/src
tar xvfz openssl-1.0.1g.tar.gz
cd openssl-1.0.1g
./config --prefix=/usr shared
make
make test
make install
openssl
OpenSSL> version
OpenSSL 1.0.1g 7 Apr 2014
OpenSSL>
ENSURE THIS MATCHES THE VERSION YOU WANT BEFORE CONTINUING
4/. Build and install OpenSSH:
cd /usr/src
tar xvfz openssh-6.6p1.tar.gz
cd openssh-6.6p1
./configure --prefix=/usr --with-tcp-wrappers
make
make install
sshd -?
OpenSSH_6.6p1, OpenSSL 1.0.1g 7 Apr 2014
usage: sshd [-46DdeiqTt] [-b bits] [-C connection_spec] [-c host_cert_file]
[-E log_file] [-f config_file] [-g login_grace_time]
[-h host_key_file] [-k key_gen_time] [-o option] [-p port]
[-u len]
ENSURE THIS MATCHES THE VERSION YOU WANT BEFORE CONTINUING
NOW FOR THE REALLY RISKY PART
which sshd
/usr/sbin/sshd
ps -deaf | grep ssh
root 2529 1 0 11:26 ? 00:00:00 /usr/sbin/sshd
root 4442 2529 0 11:29 ? 00:00:02 sshd: root@pts/0
root 9794 4444 0 12:18 pts/0 00:00:00 grep ssh
DO THESE PATHS MATCH? IF THEY DO:
kill -15 2529
/usr/sbin/sshd
ps -deaf | grep ssh
root 4442 1 0 11:29 ? 00:00:02 sshd: root@pts/0
root 9804 1 0 12:20 ? 00:00:00 /usr/sbin/sshd
root 9806 4444 0 12:20 pts/0 00:00:00 grep ssh
HAS SSHD RESTARTED? IF NOT, YOU WILL HAVE TO FORCE AN RPM REINSTALL (NOT DESCRIBED HERE). IF YOU DON'T, YOU WILL NEVER BE ABLE TO LOG IN AGAIN!!!
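As an added example (not from the original post), here are the checks the post does by eye in steps 3, 4 and the "do these paths match?" step, written as shell functions over captured text so they can be tried on constructed input first and then pointed at real command output from the still-open session. They assume sshd prints its banner on stderr and that `ps -deaf` uses the eight-column layout shown above.

```shell
# Added example, not the post's own commands: the manual version and
# path checks above as functions over captured text.

# Print "OpenSSH_x OpenSSL a.b.c" from the banner line of `sshd -? 2>&1`
# (sshd writes the banner to stderr; leading '*' from a pasted banner is tolerated).
sshd_banner_versions() {
    printf '%s\n' "$1" | awk '
        !done && /^[*]*OpenSSH_/ {
            sub(/^[*]*/, "")
            if (match($0, /^OpenSSH_[^,]*, OpenSSL [^ ]*/)) {
                s = substr($0, RSTART, RLENGTH); sub(/,/, "", s); print s
            }
            done = 1
        }'
}

# Succeed only when the banner names exactly the versions that were just built.
check_sshd_versions() {   # $1 banner text, $2 e.g. OpenSSH_6.6p1, $3 e.g. "OpenSSL 1.0.1g"
    [ "$(sshd_banner_versions "$1")" = "$2 $3" ]
}

# From `ps -deaf` text, print "PID /path/to/sshd" of the listening daemon:
# parent PID 1 and a bare sshd command (8 fields), not "sshd: user@pts/N".
listener_pid_and_path() {
    printf '%s\n' "$1" | awk 'NF == 8 && $3 == 1 && $8 ~ /\/sshd$/ { print $2, $8 }'
}

# The "do these paths match?" test: exactly one listener, and its path is
# the binary that `which sshd` names (the one just built and installed).
listener_matches_binary() {   # $1 ps text, $2 output of `which sshd`
    found=$(listener_pid_and_path "$1")
    [ -n "$found" ] || return 1
    [ "$(printf '%s\n' "$found" | wc -l | tr -d ' ')" -eq 1 ] && [ "${found#* }" = "$2" ]
}

# Constructed sample input, modelled on the output shown in the post.
SAMPLE_BANNER='OpenSSH_6.6p1, OpenSSL 1.0.1g 7 Apr 2014
usage: sshd [-46DdeiqTt] [-b bits] [-C connection_spec] [-c host_cert_file]'
SAMPLE_PS='root      2529     1  0 11:26 ?        00:00:00 /usr/sbin/sshd
root      4442  2529  0 11:29 ?        00:00:02 sshd: root@pts/0
root      9794  4444  0 12:18 pts/0    00:00:00 grep ssh'

# Live use, before `kill -15`, from the existing session:
#   check_sshd_versions "$(sshd -? 2>&1)" OpenSSH_6.6p1 "OpenSSL 1.0.1g" &&
#   listener_matches_binary "$(ps -deaf)" "$(which sshd)" &&
#   echo "safe to kill $(listener_pid_and_path "$(ps -deaf)" | cut -d' ' -f1)"
```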
Now, from another window (keeping the existing session open), launch another ssh session to the server:
ssh root@ns1.mydomain.co.uk
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
78:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:11.
Please contact your system administrator.
Add correct host key in /home/mylogin/.ssh/known_hosts to get rid of this message.
Offending RSA key in /home/mylogin/.ssh/known_hosts:4
RSA host key for ns1.mydomain.co.uk has changed and you have requested strict checking.
Host key verification failed.
This is normal: the reinstall changed the server's RSA host key. Before trusting the new key, compare the fingerprint shown with the one the server reports for its own host key file (ssh-keygen -lf on that file) over the session that is still open.
Then edit the /home/mylogin/.ssh/known_hosts file and remove the line for the server.
Is it still all OK?
Restart the server and pray that you don’t have to ask for a KVM over IP session to repair the damage.
NEXT STEPS
It's time to recompile anything that uses SSL or TLS, e.g. exim, squid, Apache.
Afterword
All of the above is already out of date after OpenSSL 1.0.1h – so we have to do it all again.