#!/bin/bash
# OpenSSH/OpenSSL upgrade script
# Installs and Upgrades OpenSSH for SSH remote 
# access and OpenSSL cryptography provider for
# SSH. Also sets up admin accounts with sudo 
# rights to avoid using root user
# Andrew Reis, MCTS 2010 DBMS Inc.
#
# changed OPENSSL_VER to 1.1.1h to match ftp://ftp.openssl.org/source/ - ZKG 2/10/21
# changed OPENSSH_VER to 8.4p1 to match https://cloudflare.cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/ - ZKG 11/9/20
# Pinned OpenSSL release; the download step further down builds its URL and
# its cookie path from this value.
OPENSSL_VER="1.1.1h"

clear

# Cookie files under this directory record which component versions have
# already been installed, so a re-run can skip them.
[ -d /usr/local/cookies ] || mkdir -p /usr/local/cookies

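##### START CHECK FOR ADMIN ACCOUNTS #####
# Refuse to continue unless at least one of the support admin accounts exists
# in /etc/passwd. The pattern is anchored to the login-name field (start of
# line up to the first ':') so that a longer user name, a GECOS comment or a
# home directory that merely contains one of the names does not satisfy it.
#
# NOTE(review): the remediation printed below tells the operator to pipe a
# script fetched over plain HTTP straight into bash. Nothing authenticates
# that script in transit; prefer downloading it over an authenticated channel
# and reading it before running it with root privileges.
secfile="http://www.dbmsinc.com/support/setupNewSecurityModel.sh"
if ! grep -Eq '^(andyadmin|jimadmin):' /etc/passwd; then
	clear
	echo "DBMS Support admin accounts not found, please run the following commands before running this script:"
	echo "curl $secfile | bash"
	exit 99
fi
##### END CHECK FOR ADMIN ACCOUNTS #####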

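OPENSSH_VER="8.4p1"
OPENSSH_COOKIE_PATH="/usr/local/cookies/openssh-$OPENSSH_VER"
ZLIB_VER="1.2.11"
ZLIB_COOKIE_PATH="/usr/local/cookies/zlib-$ZLIB_VER"
ZLIB_INSTALL_PREFIX="/opt/zlib-$ZLIB_VER"

# Zlib update
# Downloads, builds, tests and installs the pinned zlib release unless its
# cookie file already exists.
#
# Optional environment:
#   ZLIB_SHA256 - expected SHA-256 of the tarball, taken from a trusted
#                 out-of-band source. When set, the download is rejected on
#                 mismatch. When unset, a warning is printed and the build
#                 proceeds unverified.
# Exit codes: 99 for download/unpack/configure/compile/install failures,
#             100 when the zlib test suite fails.
if [ ! -f "$ZLIB_COOKIE_PATH" ]; then
	# Work in a private directory created by mktemp rather than at a fixed,
	# guessable path in world-writable /tmp: this script builds and installs
	# with elevated privileges, so nobody else may be able to pre-create or
	# alter the tree that gets configured and compiled.
	ZLIB_WORKDIR=$(mktemp -d /tmp/zlib-build.XXXXXX) || exit 99
	ZLIB_TARBALL="$ZLIB_WORKDIR/zlib-$ZLIB_VER.tar.gz"

	# Print a message, remove the private work directory, exit with a status.
	zlib_abort() {
		echo "$1"
		rm -rf -- "$ZLIB_WORKDIR"
		exit "$2"
	}

	echo "Downloading Zlib Version: $ZLIB_VER"
	wget -O "$ZLIB_TARBALL" "http://zlib.net/zlib-$ZLIB_VER.tar.gz" \
		|| zlib_abort "SOMETHING WENT WRONG DURING DOWNLOAD" 99

	# The transfer above is plain HTTP, so the checksum is the only integrity
	# control on the source that is about to be compiled and installed.
	if [ -n "${ZLIB_SHA256:-}" ]; then
		printf '%s  %s\n' "$ZLIB_SHA256" "$ZLIB_TARBALL" | sha256sum -c - > /dev/null 2>&1 \
			|| zlib_abort "CHECKSUM MISMATCH FOR ZLIB TARBALL" 99
	else
		echo "WARNING: ZLIB_SHA256 is not set; zlib tarball integrity was NOT verified" >&2
	fi

	echo "Unpacking Zlib Version: $ZLIB_VER"
	tar -xzf "$ZLIB_TARBALL" -C "$ZLIB_WORKDIR" > /dev/null
	cd "$ZLIB_WORKDIR/zlib-$ZLIB_VER" \
		|| zlib_abort "SOMETHING WENT WRONG DURING UNPACKING" 99

	echo "Configuring Zlib Version: $ZLIB_VER"
	./configure --prefix="$ZLIB_INSTALL_PREFIX" > /dev/null \
		|| zlib_abort "SOMETHING WENT WRONG DURING CONFIGURATION" 99
	echo "Cleaning compile directory"
	CFLAGS="-w" make clean > /dev/null
	echo "Compiling Zlib Version: $ZLIB_VER"
	CFLAGS="-w" make > /dev/null \
		|| zlib_abort "SOMETHING WENT WRONG DURING COMPILATION" 99

	echo "Testing Zlib Version: $ZLIB_VER"
	if CFLAGS="-w" make test > /dev/null; then
		echo "Installing Zlib Version: $ZLIB_VER"
		if CFLAGS="-w" make install > /dev/null; then
			echo "Zlib Version: $ZLIB_VER installed successfully to $ZLIB_INSTALL_PREFIX"
			echo "Writing installation cookie to $ZLIB_COOKIE_PATH"
			touch "$ZLIB_COOKIE_PATH"
		else
			zlib_abort "SOMETHING WENT WRONG DURING INSTALLATION" 99
		fi
	else
		zlib_abort "SOMETHING WENT WRONG DURING TESTING" 100
	fi
	echo "Press enter to continue..."
	#read;
	rm -rf -- "$ZLIB_WORKDIR"
else
	echo "Zlib Version: $ZLIB_VER already installed"
	echo "Zlib Cookie: $ZLIB_COOKIE_PATH exists"
fi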


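# Get the pinned OpenSSL tarball from openssl.org, then build, test and
# install it unless its cookie file already exists.
#
# The version is fixed by OPENSSL_VER; nothing is downloaded when the cookie
# shows that version is already installed.
#
# Optional environment:
#   OPENSSL_SHA256 - expected SHA-256 of the tarball, taken from a trusted
#                    out-of-band source. When set, the download is rejected
#                    on mismatch. When unset, a warning is printed and the
#                    build proceeds unverified.
# Exit codes: 99 for download/unpack/configure/compile/install failures,
#             100 when the OpenSSL test suite fails.
#
# NOTE(review): the prefix is /usr, so 'make install' writes over whatever
# OpenSSL files already live under that prefix. Confirm that is intended on
# hosts where the distribution's package manager also owns those files.
OPENSSL_INSTALL_PREFIX="/usr"
OPENSSL_COOKIE_PATH="/usr/local/cookies/openssl-$OPENSSL_VER"
if [ ! -f "$OPENSSL_COOKIE_PATH" ]; then
	# Private work directory instead of fixed names in world-writable /tmp:
	# the tree unpacked here is configured and compiled with elevated
	# privileges, so no other local account may be able to stage it.
	OPENSSL_WORKDIR=$(mktemp -d /tmp/openssl-build.XXXXXX) || exit 99
	OPENSSL_TARBALL="$OPENSSL_WORKDIR/openssl.tar.gz"

	# Print a message, remove the private work directory, exit with a status.
	openssl_abort() {
		echo "$1"
		rm -rf -- "$OPENSSL_WORKDIR"
		exit "$2"
	}

	echo "Downloading OpenSSL Version: $OPENSSL_VER"
	# FTP gives no transport authentication at all (a certificate-checking
	# switch has no effect on it), so the checksum below is the only
	# integrity control on this download.
	wget -O "$OPENSSL_TARBALL" \
		"ftp://ftp.openssl.org/source/old/1.1.1/openssl-$OPENSSL_VER.tar.gz" \
		|| openssl_abort "SOMETHING WENT WRONG DURING DOWNLOAD" 99

	if [ -n "${OPENSSL_SHA256:-}" ]; then
		printf '%s  %s\n' "$OPENSSL_SHA256" "$OPENSSL_TARBALL" | sha256sum -c - > /dev/null 2>&1 \
			|| openssl_abort "CHECKSUM MISMATCH FOR OPENSSL TARBALL" 99
	else
		echo "WARNING: OPENSSL_SHA256 is not set; OpenSSL tarball integrity was NOT verified" >&2
	fi

	tar -xzf "$OPENSSL_TARBALL" -C "$OPENSSL_WORKDIR" > /dev/null
	cd "$OPENSSL_WORKDIR/openssl-$OPENSSL_VER" \
		|| openssl_abort "SOMETHING WENT WRONG DURING UNPACKING" 99

	echo "Ready to install OpenSSL Version: $OPENSSL_VER"
	echo "Configuring OpenSSL Version: $OPENSSL_VER"
	./config -shared --prefix="$OPENSSL_INSTALL_PREFIX" > /dev/null \
		|| openssl_abort "SOMETHING WENT WRONG DURING CONFIGURATION" 99
	echo "Cleaning compile directory"
	CFLAGS="-w" make clean > /dev/null 2>&1
	echo "Making OpenSSL Version: $OPENSSL_VER"
	CFLAGS="-w" make > /dev/null 2>&1 \
		|| openssl_abort "SOMETHING WENT WRONG DURING COMPILATION" 99

	echo "Testing OpenSSL Version: $OPENSSL_VER"
	if CFLAGS="-w" make test > /dev/null 2>&1; then
		echo "Installing OpenSSL Version: $OPENSSL_VER"
		if CFLAGS="-w" make install > /dev/null; then
			rm -rf -- "$OPENSSL_WORKDIR"
			echo "OpenSSL Version: $OPENSSL_VER to directory: $OPENSSL_INSTALL_PREFIX"
			echo "Writing Installation Cookie file to $OPENSSL_COOKIE_PATH"
			touch "$OPENSSL_COOKIE_PATH"
		else
			openssl_abort "SOMETHING WENT WRONG DURING INSTALLATION!" 99
		fi
	else
		openssl_abort "SOMETHING WENT WRONG DURING TESTING" 100
	fi
else
	echo "OpenSSL Version: $OPENSSL_VER already installed"
	echo "OpenSSL Cookie: $OPENSSL_COOKIE_PATH exists"
fi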

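# Download, build, test and install the pinned OpenSSH portable release
# unless its cookie file already exists, then regenerate the DH moduli and
# restart sshd.
#
# Fixes relative to the earlier revision of this section:
#   * the if/else/fi nesting was unbalanced: the "tests failed" branch was
#     attached to the cookie check (so an already-installed host exited 100)
#     and a stray 'fi' followed; the branch now hangs off 'make tests';
#   * the download uses the HTTPS URL of the same mirror with certificate
#     checking left on;
#   * ssh-keygen -G/-T were replaced by 'ssh-keygen -M generate|screen' in
#     OpenSSH 8.2, so the moduli step now uses the syntax of the release
#     being installed;
#   * work files live in a private mktemp directory, not fixed /tmp names.
#
# Optional environment:
#   OPENSSH_SHA256 - expected SHA-256 of the tarball, taken from a trusted
#                    out-of-band source. When set, the download is rejected
#                    on mismatch. When unset, a warning is printed and the
#                    build proceeds unverified.
# Exit codes: 99 for download/unpack/configure/compile/install failures or a
#             failed sshd configuration test, 100 when 'make tests' fails.
if [ ! -f "$OPENSSH_COOKIE_PATH" ]; then
	OPENSSH_INSTALL_PREFIX="/usr"
	OPENSSH_WORKDIR=$(mktemp -d /tmp/openssh-build.XXXXXX) || exit 99
	OPENSSH_TARBALL="$OPENSSH_WORKDIR/openssh-$OPENSSH_VER.tar.gz"

	# Print a message, remove the private work directory, exit with a status.
	openssh_abort() {
		echo "$1"
		rm -rf -- "$OPENSSH_WORKDIR"
		exit "$2"
	}

	# Get OpenSSH package
	echo "Downloading OpenSSH Version: $OPENSSH_VER"
	wget -O "$OPENSSH_TARBALL" \
		"https://cloudflare.cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-$OPENSSH_VER.tar.gz" \
		|| openssh_abort "SOMETHING WENT WRONG DURING DOWNLOAD" 99

	if [ -n "${OPENSSH_SHA256:-}" ]; then
		printf '%s  %s\n' "$OPENSSH_SHA256" "$OPENSSH_TARBALL" | sha256sum -c - > /dev/null 2>&1 \
			|| openssh_abort "CHECKSUM MISMATCH FOR OPENSSH TARBALL" 99
	else
		echo "WARNING: OPENSSH_SHA256 is not set; OpenSSH tarball integrity was NOT verified" >&2
	fi

	# Unpack OpenSSH package
	echo "Unpacking OpenSSH Version: $OPENSSH_VER"
	tar -xzf "$OPENSSH_TARBALL" -C "$OPENSSH_WORKDIR" > /dev/null
	cd "$OPENSSH_WORKDIR/openssh-$OPENSSH_VER" \
		|| openssh_abort "SOMETHING WENT WRONG DURING UNPACKING" 99

	# Configure OpenSSH to replace rpm install
	# NOTE(review): --without-zlib-version-check and --with-md5-passwords are
	# carried over unchanged; confirm both are still wanted for this release.
	echo "Configuring OpenSSH $OPENSSH_VER"
	./configure --prefix="$OPENSSH_INSTALL_PREFIX" --sysconfdir=/etc/ssh \
		--with-ssl-dir=/usr --with-md5-passwords --with-ipaddr-display \
		--without-zlib-version-check --with-pam --with-kerberos5 \
		--with-tcp-wrappers --with-zlib="/opt/zlib-$ZLIB_VER" > /dev/null 2>&1 \
		|| openssh_abort "SOMETHING WENT WRONG DURING CONFIGURATION" 99

	# Make and Install, restart ssh server daemon
	echo "Cleaning compile directory"
	CFLAGS="-w" make clean > /dev/null 2>&1
	echo "Compiling OpenSSH $OPENSSH_VER"
	CFLAGS="-w" make > /dev/null 2>&1 \
		|| openssh_abort "SOMETHING WENT WRONG DURING COMPILATION" 99

	echo "Testing OpenSSH $OPENSSH_VER"
	if make tests > /dev/null 2>&1; then
		echo "Installing OpenSSH $OPENSSH_VER to $OPENSSH_INSTALL_PREFIX"
		if CFLAGS="-w" make install > /dev/null 2>&1; then
			echo "Installed OpenSSH $OPENSSH_VER successfully"
			echo "Writing cookie file to $OPENSSH_COOKIE_PATH"
			touch "$OPENSSH_COOKIE_PATH"
		else
			openssh_abort "SOMETHING WENT WRONG DURING INSTALLATION" 99
		fi

		# Generate and screen 4096-bit moduli with the ssh-keygen that was
		# just installed. Candidates and results stay inside the private
		# work directory until the final move, so the file placed in
		# /etc/ssh can only have been produced by this run.
		echo "Generating new Moduli file. This will take some time, please wait..."
		"$OPENSSH_INSTALL_PREFIX/bin/ssh-keygen" -M generate -O bits=4096 \
			"$OPENSSH_WORKDIR/moduli-4096.candidates"
		"$OPENSSH_INSTALL_PREFIX/bin/ssh-keygen" -M screen \
			-f "$OPENSSH_WORKDIR/moduli-4096.candidates" \
			"$OPENSSH_WORKDIR/moduli-4096"
		# -s rather than -f: never replace the system moduli with an empty file.
		if [ -s "$OPENSSH_WORKDIR/moduli-4096" ]; then
			echo "Moduli file created, copying to place"
			mv "$OPENSSH_WORKDIR/moduli-4096" /etc/ssh/moduli
		else
			echo "WARNING: moduli generation produced no output; keeping existing /etc/ssh/moduli" >&2
		fi

		# Validate the configuration with the new binary before restarting,
		# so a rejected sshd_config does not take down remote access.
		if "$OPENSSH_INSTALL_PREFIX/sbin/sshd" -t; then
			echo "Restarting SSH Service"
			service sshd restart
		else
			openssh_abort "SSHD CONFIGURATION TEST FAILED, SERVICE NOT RESTARTED" 99
		fi
		rm -rf -- "$OPENSSH_WORKDIR"
	else
		echo
		echo
		openssh_abort "SOMETHING WENT WRONG DURING TESTS" 100
	fi
else
	echo "OpenSSH Version: $OPENSSH_VER already installed"
	echo "OpenSSH Cookie: $OPENSSH_COOKIE_PATH exists"
fi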
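# Remove the copy of this script from the invoking user's home directory.
rm -f ~/sshssl.sh

# Pick up a moduli file left at the fixed /tmp path. /tmp is world-writable,
# so only accept a regular file (not a symlink) owned by the user running
# this script; anything else could have been placed there by another local
# account and must not become the system's Diffie-Hellman moduli.
# This is a best-effort guard: the checks and the move are not atomic.
MODULI_TMP="/tmp/moduli-4096"
moduli_warning=""
if [ -f "$MODULI_TMP" ] && [ ! -L "$MODULI_TMP" ] && [ -O "$MODULI_TMP" ]; then
	echo "Moduli file created, copying to /etc/ssh"
	mv "$MODULI_TMP" /etc/ssh/moduli
elif [ -e "$MODULI_TMP" ] || [ -L "$MODULI_TMP" ]; then
	# Held back until after 'clear' below so the operator actually sees it.
	moduli_warning="WARNING: ignored $MODULI_TMP (not a regular file owned by the current user)"
fi

# Display the version reported by the installed ssh client
clear
echo
echo "SSH Version:"
ssh -V
echo
if [ -n "$moduli_warning" ]; then
	echo "$moduli_warning" >&2
fi
exit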
