热门标签
热门文章
- 1在windows上安装hadoop以及案例实现_windows hadoop 例子
- 2自己实现链表的基本操作方法(详细)(Java实现)_public boolean
- 3GPT背后原理详解:从T5到GPT-4,国内20余位顶级大牛联合撰写
- 4opengl中VAO和VBO的关系_vao vbo原理
- 5深度对比 Delta、Iceberg 和 Hudi 三大开源数据湖方案_hive acid hudi
- 6计算机网络 王道考研2021 第三章:数据链路层 -- 滑动窗口协议:后退N帧协议(GBN)、选择重传协议(SR)_多帧滑动窗口与后退n帧协议
- 7【文末附gpt升级秘笈】深入解读苹果 AGI 第一枪:创新引领与未来展望
- 8【计算机网络】数据链路层 : CSMA 协议 ( 载波监听多路访问协议 | 监听 | 1-坚持 CSMA | 非坚持 CSMA | p-坚持 CSMA )_p坚持
- 9从华为数字化转型看IT自动化运维重要性_it 新技术 自动化运维
- 10如何在windows上安装Zookeeper
当前位置: article > 正文
centos7升级openssh9.8_openssh 9.8
作者:酷酷是懒虫 | 2024-07-17 01:23:39
赞
踩
openssh 9.8
前言
处理新发布的CVE-2024-6387关于openssh的漏洞,升级openssh到9.8版本。
一、升级准备?
确认系统版本
[root@CentOS7 ~]# uname -a
Linux CentOS7 3.10.0-1160.el7.x86_64 #1 SMP Mon
Oct 19 16:18:59 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
[root@CentOS7 ~]# cat /etc/centos-release
CentOS Linux release 7.9.2009 (Core)
[root@CentOS7 ~]# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
备份配置文件
cp -rf /etc/ssh /etc/ssh.bak
cp -rf /usr/bin/openssl /usr/bin/openssl.bak
cp -rf /etc/pam.d /etc/pam.d.bak
cp -rf /usr/lib/systemd/system /usr/lib/systemd/system.bak
- 1
- 2
- 3
- 4
安装编译依赖工具包
这里要更换阿里的yum源,否则gcc升级不了版本,后边编译会失败
yum install -y vim gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel pam-devel zlib-devel tcp_wrappers-devel tcp_wrappers libedit-devel perl-IPC-Cmd wget tar lrzsz1
- 1
下载升级,依赖包
cd /usr/local/src
wget https://www.zlib.net/zlib-1.3.1.tar.gz
wget https://www.openssl.org/source/openssl-3.2.1.tar.gz
wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.8p1.tar.gz
tar -zxvf zlib-1.3.1.tar.gz
tar -zxvf openssl-3.2.1.tar.gz
tar -zxvf openssh-9.8p1.tar.gz
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
二、使用步骤
编译升级zlib
cd zlib-1.3.1
ls /usr/local/
./configure --prefix=/usr/local/zlib
make -j 2
make test
make install
ls /usr/local/zlib/
echo '/usr/local/zlib/lib' >> /etc/ld.so.conf.d/zlib.conf
ldconfig -v
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
编译升级openssl
cd
openssl-3.2.1
ls /usr/local/
./config --prefix=/usr/local/openssl
make -j2
make install
mv /usr/bin/openssl /usr/bin/openssl.bak
ll /usr/bin/open*
ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
ln -s /usr/local/openssl/lib64/libssl.so.3 /usr/lib64/libssl.so.3
ln -s /usr/local/openssl/lib64/libcrypto.so.3 /usr/lib64/libcrypto.so.3
echo '/usr/local/openssl/lib64' >> /etc/ld.so.conf.d/ssl.conf
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
确认openssl版本
[root@CentOS7 openssl-3.2.1]# openssl version -v
OpenSSL 3.2.1 30 Jan 2024 (Library: OpenSSL
3.2.1 30 Jan 2024)
[root@CentOS7 openssl-3.2.1]# openssl version -a
OpenSSL 3.2.1 30 Jan 2024 (Library: OpenSSL
3.2.1 30 Jan 2024)
built on: Mon May 20 03:16:20 2024 UTC
platform: linux-x86_64
options:
bn(64,64)
compiler: gcc -fPIC -pthread -m64
-Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DNDEBUG
OPENSSLDIR: "/usr/local/openssl/ssl"
ENGINESDIR: "/usr/local/openssl/lib64/engines-3"
MODULESDIR: "/usr/local/openssl/lib64/ossl-modules"
Seeding source: os-specific
CPUINFO:
OPENSSL_ia32cap=0xfffa32034f8bffff:0x18405fdef1bf27eb
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
卸载旧的sshd服务(切记不能关掉或重启远程工具)
[root@CentOS7 openssl-3.2.1]# yum remove openssh
Loaded plugins: fastestmirror
Resolving Dependencies
--> Running transaction check
---> Package openssh.x86_64 0:7.4p1-21.el7
will be erased
--> Processing Dependency: openssh =
7.4p1-21.el7 for package: openssh-clients-7.4p1-21.el7.x86_64
--> Processing Dependency: openssh =
7.4p1-21.el7 for package: openssh-server-7.4p1-21.el7.x86_64
--> Running transaction check
---> Package openssh-clients.x86_64
0:7.4p1-21.el7 will be erased
---> Package openssh-server.x86_64
0:7.4p1-21.el7 will be erased
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================================================
Package Arch Version
================================================================================================================
Removing:
openssh
x86_64
7.4p1-21.el7
Removing for dependencies:
openssh-clients x86_64 7.4p1-21.el7
openssh-server x86_64 7.4p1-21.el7
Transaction Summary
================================================================================================================
Remove 1
Package (+2 Dependent packages)
Installed size: 5.4 M
Is this ok [y/N]: y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Erasing :openssh-server-7.4p1-21.el7.x86_64
Erasing :openssh-clients-7.4p1-21.el7.x86_64
Erasing :openssh-7.4p1-21.el7.x86_64
Verifying :openssh-clients-7.4p1-21.el7.x86_64
Verifying :openssh-7.4p1-21.el7.x86_64
Verifying :openssh-server-7.4p1-21.el7.x86_64
Removed:
openssh.x86_64 0:7.4p1-21.el7
Dependency Removed:
openssh-clients.x86_64 0:7.4p1-21.el7
openssh-server.x86_64 0:7.
Complete!
[root@CentOS7 openssl-3.2.1]# rm -rf /etc/ssh/*
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
- 42
- 43
- 44
- 45
- 46
- 47
- 48
- 49
- 50
- 51
- 52
- 53
- 54
- 55
- 56
编译升级openssh
cd openssh-9.8p1
ls
./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-pam --with-ssl-dir=/usr/local/openssl/ --with-zlib=/usr/local/zlib
- 1
- 2
- 3
确认PAM编译成功
OpenSSH has been configured with the following options:
User binaries: /usr/local/openssh/bin
System binaries: /usr/local/openssh/sbin
Configuration files: /etc/ssh
Askpass program: /usr/local/openssh/libexec/ssh-askpass
Manual pages: /usr/local/openssh/share/man/manX
PID file: /var/run
Privilege separation chroot path: /var/empty
sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/openssh/bin
Manpage format: doc
PAM support: yes
OSF SIA support: no
KerberosV support: no
SELinux support: no
libedit support: no
libldns support: no
Solaris process contract support: no
Solaris project support: no
Solaris privilege support: no
IP address in $DISPLAY hack: no
Translate v4 in v6 hack: yes
BSD Auth support: no
Random number source: OpenSSL internal ONLY
Privsep sandbox style: seccomp_filter
PKCS#11 support: yes
U2F/FIDO support: yes
Host: x86_64-pc-linux-gnu
Compiler: cc -std=gnu11
Compiler flags: -g -O2 -pipe -Wall -Wextra -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-parameter -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE
Preprocessor flags: -I/usr/local/openssl//include -I/usr/local/zlib/include -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -D_GNU_SOURCE -DOPENSSL_API_COMPAT=0x10100000L
Linker flags: -L/usr/local/openssl//lib64 -L/usr/local/zlib/lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -pie
Libraries: -ldl -lutil -lresolv
+for channels: -lcrypto -lz
+for sshd: -lcrypt -lpam
PAM is enabled. You may need to install a PAM control file
for sshd, otherwise password authentication may fail.
Example PAM control files can be found in the contrib/
subdirectory
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
- 29
- 30
- 31
- 32
- 33
- 34
- 35
- 36
- 37
- 38
- 39
- 40
- 41
make -j 2
make install
- 1
- 2
配置sshd服务
cp contrib/redhat/sshd.init /etc/init.d/sshd
cp /etc/pam.d/sshd /etc/pam.d/sshd.bak
cp /usr/local/openssh/sbin/sshd /usr/sbin/
cp /usr/local/openssh/bin/ssh /usr/bin/
cp /usr/local/openssh/bin/ssh-keygen /usr/bin/
ll /etc/init.d/
chkconfig --add sshd
echo 'PermitRootLogin yes' >> /etc/ssh/sshd_config
echo 'PasswordAuthentication yes' >> /etc/ssh/sshd_config
echo 'UsePAM yes' >> /etc/ssh/sshd_config
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
配置PAM模块
cat /etc/pam.d/sshd #把下面内容复制进去
#%PAM-1.0
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare
启动ssh
/etc/init.d/sshd restart
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
登录验证
[root@CentOS7 ~]# sshd -V
OpenSSH_9.8p1, OpenSSL 3.2.1 30 Jan 2024
[root@CentOS7 ~]# ssh -V
OpenSSH_9.8p1, OpenSSL 3.2.1 30 Jan 2024
[root@CentOS7 ~]#
[root@CentOS7 ~]# systemctl status sshd
● sshd.service - SYSV: OpenSSH server daemon
Loaded: loaded (/etc/rc.d/init.d/sshd; bad; vendor preset: enabled)
Active: active (running) since Mon 2024-05-20 11:58:59 CST; 12min ago
Docs: man:systemd-sysv-generator(8)
Process: 54017 ExecStop=/etc/rc.d/init.d/sshd stop (code=exited, status=0/SUCCESS)
Process: 54024 ExecStart=/etc/rc.d/init.d/sshd start (code=exited, status=0/SUCCESS)
Main PID: 54032 (sshd)
CGroup: /system.slice/sshd.service
├─40735 sshd: root@pts/1
├─40737 sshd: root@notty
├─40739 -bash
├─40756 /usr/local/openssh/libexec/sftp-server
└─54032 sshd: /usr/sbin/sshd [listener] 0 of 10-100 startup
May 20 11:58:59 CentOS7 systemd[1]: Starting SYSV: OpenSSH server daemon...
May 20 11:58:59 CentOS7 sshd[54032]: Server listening on 0.0.0.0 port 22.
May 20 11:58:59 CentOS7 sshd[54032]: Server listening on :: port 22.
May 20 11:58:59 CentOS7 sshd[54024]: Starting sshd:[ OK ]
May 20 11:58:59 CentOS7 systemd[1]: Started SYSV: OpenSSH server daemon.
May 20 11:59:17 CentOS7 sshd[54037]: Accepted keyboard-interactive/pam for root from 192.168.14.1 port 53027 ssh2
May 20 11:59:17 CentOS7 sshd[54040]: Accepted password for root from 192.168.14.1 port 53031 ssh2
- 1
- 2
- 3
- 4
- 5
- 6
- 7
- 8
- 9
- 10
- 11
- 12
- 13
- 14
- 15
- 16
- 17
- 18
- 19
- 20
- 21
- 22
- 23
- 24
- 25
- 26
- 27
- 28
问题
问题:
1.升级完之后无法登录(需要手动更改)
echo ‘PermitRootLogin yes’ >> /etc/ssh/sshd_config
echo ‘PasswordAuthentication yes’ >> /etc/ssh/sshd_config
echo ‘UsePAM yes’ >> /etc/ssh/sshd_config
2.ssh无法启动提示(sshd: no hostkeys available – exiting)需要修改ssh权限
chown root:root /etc/ssh/*
chmod 600 /etc/ssh/*
3.启动后无法登录
关闭SElinux不重启系统的方法:
修改**/etc/sysconfig/selinux**文件(虚拟机用的是CentOS 7)
vi /etc/sysconfig/selinux
将 **#SELINUX=**enforcing 改为 **SELINUX=**disabled
命令重启后生效,如果不想重启,用命令
setenforce 0
推荐阅读
相关标签
