Complete Ansible Playbook (upgrade_openssh_openssl.yml)
```yaml
---
- name: Upgrade OpenSSH and OpenSSL to fix vulnerabilities
  hosts: all
  become: yes
  serial: 1  # Operate on one host at a time to reduce risk
  vars:
    # Target versions (modify according to actual needs)
    target_openssh_version: "8.9p1"
    target_openssl_version: "3.0.11"
    # Fallback versions (for emergency recovery)
    fallback_openssh_version: "8.4p1"
    fallback_openssl_version: "1.1.1w"
    # The SSH service unit is called "ssh" on Debian/Ubuntu and "sshd" on RedHat
    ssh_service_name: "{{ 'ssh' if ansible_os_family == 'Debian' else 'sshd' }}"

  tasks:
    - name: Check current SSH connection
      debug:
        msg: "Ensure at least one active SSH connection!"
      tags: always

    - name: Gather package facts
      package_facts:
        manager: auto

    - block:
        # Upgrade OpenSSL
        # Each OS branch registers its own variable: a skipped task still
        # overwrites a shared "register" name, which would hide the changed result.
        - name: Upgrade OpenSSL (RedHat)
          yum:
            name: "openssl >= {{ target_openssl_version }}"
            state: latest
          when: ansible_os_family == 'RedHat'
          register: openssl_upgrade_rh

        - name: Upgrade OpenSSL (Debian)
          apt:
            name: "openssl>={{ target_openssl_version }}"
            state: latest
            update_cache: yes
          when: ansible_os_family == 'Debian'
          register: openssl_upgrade_deb

        # Upgrade OpenSSH
        - name: Upgrade OpenSSH server (RedHat)
          yum:
            name: "openssh-server >= {{ target_openssh_version }}"
            state: latest
          when: ansible_os_family == 'RedHat'
          register: openssh_upgrade_rh

        - name: Upgrade OpenSSH server (Debian)
          apt:
            name: "openssh-server>={{ target_openssh_version }}"
            state: latest
            update_cache: yes
          when: ansible_os_family == 'Debian'
          register: openssh_upgrade_deb

        # Verify installation
        - name: Verify OpenSSL version
          command: openssl version
          register: openssl_ver
          changed_when: false

        - name: Verify OpenSSH version
          command: ssh -V  # prints its banner on stderr
          register: ssh_ver
          changed_when: false
          ignore_errors: yes

        - name: Show versions
          debug:
            msg: |
              OpenSSL: {{ openssl_ver.stdout }}
              OpenSSH: {{ ssh_ver.stderr or ssh_ver.stdout }}

        # Restart SSH service (sshd links against libssl, so an OpenSSL upgrade also needs a restart)
        - name: Restart SSH service
          service:
            name: "{{ ssh_service_name }}"
            state: restarted
          when: >-
            openssl_upgrade_rh is changed or openssl_upgrade_deb is changed or
            openssh_upgrade_rh is changed or openssh_upgrade_deb is changed

      rescue:
        # Emergency rollback
        - name: "Rollback to safe version ({{ fallback_openssh_version }}/{{ fallback_openssl_version }})"
          debug:
            msg: "Upgrade failed! Executing rollback..."

        - name: Revert OpenSSL (RedHat)
          yum:
            name: "openssl-{{ fallback_openssl_version }}"
            state: present
            allow_downgrade: yes  # yum refuses to install an older version otherwise
          when: ansible_os_family == 'RedHat'

        - name: Revert OpenSSL (Debian)
          apt:
            name: "openssl={{ fallback_openssl_version }}"
            state: present
            allow_downgrade: yes  # Ansible 2.12+; apt refuses a downgrade otherwise
          when: ansible_os_family == 'Debian'

        - name: Revert OpenSSH (RedHat)
          yum:
            name: "openssh-server-{{ fallback_openssh_version }}"
            state: present
            allow_downgrade: yes
          when: ansible_os_family == 'RedHat'

        - name: Revert OpenSSH (Debian)
          apt:
            name: "openssh-server={{ fallback_openssh_version }}"
            state: present
            allow_downgrade: yes
          when: ansible_os_family == 'Debian'

        # Unconditional restart: no "when" guard here, so the service comes back
        # whichever step failed (the service module has no "force" option)
        - name: Force restart SSH after rollback
          service:
            name: "{{ ssh_service_name }}"
            state: restarted

        - fail:
            msg: "Upgrade failed! Rolled back to safe version {{ fallback_openssh_version }}/{{ fallback_openssl_version }}"
```
Usage Instructions

- Preparation:

```bash
# Install Ansible
sudo apt install ansible   # Debian/Ubuntu
sudo yum install ansible   # RHEL/CentOS

# Create host inventory file
echo "[servers]" > hosts.ini
echo "server1 ansible_host=192.168.1.10" >> hosts.ini
echo "server2 ansible_host=192.168.1.11" >> hosts.ini
```

- Configuration Parameters:
  - Modify `target_openssh_version` and `target_openssl_version` to the target versions
  - Set `fallback_openssh_version` and `fallback_openssl_version` to known stable versions
  - Adjust the package manager logic to the actual environment

- Execute Upgrade:

```bash
# Test connection
ansible -i hosts.ini all -m ping

# Execute upgrade (recommended to run inside screen/tmux)
ansible-playbook -i hosts.ini upgrade_openssh_openssl.yml
```
Key Security Measures

- Serial Execution (`serial: 1`):
  - Upgrade servers one at a time to avoid the risk of a bulk failure
- Rollback Mechanism:
  - Automatically roll back to known stable versions
  - Force a restart of the SSH service so that the connection recovers
- Connection Protection:
  - Clearly prompt to keep active connections open before the upgrade
  - Restart the service only when a package actually changed
  - Restart SSH unconditionally after a rollback to ensure service availability
- Version Verification:
  - Check the actually installed version immediately after the upgrade
  - Clearly display component version information
Best Practice Recommendations

- Pre-Upgrade Check:

```bash
# Check current versions
ansible all -i hosts.ini -m shell -a "openssl version; ssh -V 2>&1"

# Check available package versions
# (the apt module has no "list" parameter, so apt-cache is queried directly)
ansible redhat_servers -i hosts.ini -m yum -a "list=openssh-server"
ansible debian_servers -i hosts.ini -b -m shell -a "apt-get update -qq && apt-cache policy openssh-server"
```

- Backup Configuration:

```yaml
- name: Backup SSH config
  copy:
    src: /etc/ssh/sshd_config
    dest: "/etc/ssh/sshd_config.bak-{{ ansible_date_time.epoch }}"
    remote_src: yes
```

- Test Connection:

```yaml
- name: Test SSH connectivity
  wait_for:
    # Without "host", wait_for on localhost would probe the controller's own port 22
    host: "{{ ansible_host | default(inventory_hostname) }}"
    port: 22
    timeout: 30
  delegate_to: localhost
```

- Test Using Containers:

```bash
# Test the upgrade process in throwaway Docker containers
docker run -it centos:7 /bin/bash
docker run -it ubuntu:20.04 /bin/bash
```
Notes

- Key Warnings:
  - Keep at least one active SSH connection open (e.g., inside screen/tmux)
  - Validate on a test system before touching the production environment
  - Prepare console access in case of network interruption
- Version Compatibility:
  - Confirm the new versions are compatible with existing applications
  - Check dependencies (e.g., `libssl` compatibility)
  - Pay special attention to API and configuration changes when upgrading from OpenSSL 1.x to 3.x
- Audit Requirements:

```bash
# Verify the installed versions after the upgrade
openssl version | grep -q '3.0.11' && echo "OpenSSL upgrade successful"
ssh -V 2>&1 | grep -q '8.9p1' && echo "OpenSSH upgrade successful"
```
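The `grep -q` checks above match a literal substring, so they fail as soon as the distribution ships a newer patch release and they cannot order versions such as 1.1.1w against 1.1.1k. The following filter plugin is an added example, not part of the original post: dropped into `filter_plugins/` beside the playbook, it parses the `ssh -V` and `openssl version` banners and compares them against the target variables (the filter names `openssh_at_least`/`openssl_at_least` and the sample banners are assumptions constructed here).

```python
import re

# Constructed sample banners in the format printed by `ssh -V` (on stderr)
# and `openssl version`; they are not captured from a real host.
SAMPLE_SSH_BANNER = "OpenSSH_8.9p1 Ubuntu-3ubuntu0.6, OpenSSL 3.0.2 15 Mar 2022"
SAMPLE_OPENSSL_BANNER = "OpenSSL 3.0.11 19 Sep 2023 (Library: OpenSSL 3.0.11 19 Sep 2023)"

_OPENSSH_RE = re.compile(r"OpenSSH_(\d+)\.(\d+)(?:p(\d+))?")
_OPENSSL_RE = re.compile(r"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)")

def _letter_rank(letters):
    """Map the OpenSSL 1.x patch suffix to an ordinal: '' -> 0, 'a' -> 1, 'w' -> 23."""
    rank = 0
    for ch in letters:
        rank = rank * 26 + (ord(ch) - ord("a") + 1)
    return rank

def parse_openssh(text):
    """Return (major, minor, portable) from an OpenSSH banner, or None if absent."""
    m = _OPENSSH_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def parse_openssl(text):
    """Return (major, minor, patch, suffix_rank) from an OpenSSL banner, or None."""
    m = _OPENSSL_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), _letter_rank(m.group(4)))

def openssh_at_least(banner, target):
    """True when the OpenSSH version in `banner` is >= `target` (e.g. '8.9p1')."""
    have, want = parse_openssh(banner), parse_openssh("OpenSSH_" + target)
    return have is not None and want is not None and have >= want

def openssl_at_least(banner, target):
    """True when the OpenSSL version in `banner` is >= `target` (e.g. '3.0.11').
    Applied to the ssh banner, it checks the library sshd was linked against."""
    have, want = parse_openssl(banner), parse_openssl("OpenSSL " + target)
    return have is not None and want is not None and have >= want

class FilterModule(object):
    """Entry point Ansible looks for in filter_plugins/*.py (hypothetical plugin)."""

    def filters(self):
        return {"openssh_at_least": openssh_at_least,
                "openssl_at_least": openssl_at_least}
```

In the playbook the audit step then becomes `assert: that: ssh_ver.stderr | openssh_at_least(target_openssh_version)`. Debian and RHEL backport CVE fixes without bumping the upstream version string, so this comparison is a sanity check only; the package changelog or the distribution advisory is the authoritative evidence that a fix is present.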
This solution provides a complete vulnerability remediation workflow, including a secure rollback mechanism and strict verification steps to minimize upgrade risks. Please adjust version numbers and package management commands according to your specific environment before execution.
#ansible
#operations