linux升级openssh 8.7
一、环境
安全测评中发现openssh存在漏洞,按照描述需要将版本升级到openssh 8.6p1之后的版本。
事项 | 描述 |
---|---|
操作系统 | CentOS Linux release 7.3 |
更新前openssh版本 | OpenSSH_7.9p1, OpenSSL 1.0.1e-fips |
更新后openssh版本 | OpenSSH_8.8p1, OpenSSL 1.1.1l |
二、实施升级
1、获取升级包
openssh下载:http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.8p1.tar.gz
openssl下载:https://www.openssl.org/source/openssl-1.1.1l.tar.gz
zlib下载:http://www.zlib.net/zlib-1.2.11.tar.gz
2、安装依赖包
# Build prerequisites for zlib / OpenSSL / OpenSSH (run as root).
# telnet-server and xinetd are not build dependencies; presumably they are
# kept as an out-of-band login path while sshd is being replaced — do not
# leave a plaintext telnet service enabled once the new sshd is verified.
# The yum openssl/openssl-devel packages only serve the build toolchain; the
# new sshd is linked against the OpenSSL built into /usr/local/ssl later.
build_deps=(
  telnet-server xinetd
  gcc gcc-c++ glibc make autoconf
  openssl openssl-devel
  pcre-devel pam-devel
)
yum install -y "${build_deps[@]}"
3、备份文件
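# Move the files the upgrade will replace aside, suffixed with today's date
# (run as root). One timestamp is taken up front so every backup carries the
# same suffix even if the clock rolls past midnight half-way through.
stamp=$(date +%Y%m%d)
# NOTE: moving /etc/ssh away also removes the existing host keys. The new
# install (--sysconfdir=/etc/ssh) generates fresh ones, so clients will see a
# host-key-changed warning; copy ssh_host_* back from the backup directory if
# the old host identity must be kept.
mv -- /etc/ssh "/etc/ssh${stamp}"
# /usr/bin/openssl and the headers are unavailable from here until the
# symlinks are created in the configuration step.
mv -- /usr/bin/openssl "/usr/bin/openssl${stamp}"
mv -- /usr/include/openssl "/usr/include/openssl${stamp}"
# The running sshd keeps serving from the moved binary; keep the current
# session open until the new sshd is confirmed working.
mv -- /usr/sbin/sshd "/usr/sbin/sshd${stamp}"
mv -- /usr/bin/ssh "/usr/bin/ssh${stamp}"
mv -- /usr/bin/ssh-keygen "/usr/bin/ssh-keygen${stamp}"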
4、安装zlib
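# Build and install zlib into /usr/local/zlib (run as root from the directory
# holding the tarball). Check the tarball against the checksum/signature
# published upstream before extracting: it was fetched over plain http.
tar -xvf zlib-1.2.11.tar.gz -C /usr/local/src
# Chained with && so a failed configure or build does not fall through to
# 'make install'. The log uses a fixed name in /tmp; on a host without
# fs.protected_symlinks use mktemp instead.
cd /usr/local/src/zlib-1.2.11/ \
  && ./configure --prefix=/usr/local/zlib > /tmp/zlib_install.log \
  && make -j 4 >> /tmp/zlib_install.log \
  && make install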
5、安装openssl
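# Build OpenSSL 1.1.1l into /usr/local/ssl (run as root from the directory
# holding the tarball). Verify the tarball signature/checksum against the
# values published on openssl.org before extracting.
tar -xvf openssl-1.1.1l.tar.gz -C /usr/local/src/
# NOTE: '-d' asks the config script for a debug build; drop it for a
# production library unless debug symbols are wanted. 'make install' is
# chained so it cannot run after a failed build.
cd /usr/local/src/openssl-1.1.1l/ \
  && ./config --prefix=/usr/local/ssl -d shared > /tmp/openssl_install.log \
  && make -j 4 \
  && make install
# Register the new library directory with the loader. The grep keeps the line
# from being appended again if this step is re-run.
grep -qxF '/usr/local/ssl/lib' /etc/ld.so.conf \
  || echo '/usr/local/ssl/lib' >> /etc/ld.so.conf
ldconfig -v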
6、安装openssh
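# Build OpenSSH 8.8p1 against the OpenSSL and zlib built above (run as root
# from the directory holding the tarball). Verify the tarball's .asc
# signature with the OpenSSH release key before extracting; it was fetched
# over plain http.
tar -xvf openssh-8.8p1.tar.gz -C /usr/local/src/
# --with-tcp-wrappers was dropped from the original command line: portable
#   OpenSSH removed tcp_wrappers support in 6.7, and configure only warns
#   about the unknown option, so it was a no-op.
# --with-pam is NOT given although pam-devel was installed with the build
#   deps. Without it the resulting sshd does not consult /etc/pam.d/sshd, so
#   PAM account/session policy (lockout, limits, ...) will not apply to SSH
#   logins. Add --with-pam (and set 'UsePAM yes') if that policy is required.
# With /etc/ssh moved aside, 'make install' writes default config files into
# --sysconfdir and generates host keys there.
cd /usr/local/src/openssh-8.8p1/ \
  && ./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh \
       --with-ssl-dir=/usr/local/ssl --with-zlib=/usr/local/zlib \
  && make -j 4 \
  && make install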
7、配置openssh
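# Configure and deploy the new sshd (run as root).
cp /etc/ssh/sshd_config /etc/ssh/sshd_config_bak
# sshd honours the FIRST occurrence of a keyword, so the appended settings
# only win when the same keyword is not already set (uncommented) earlier in
# the file — confirm the effective values with 'sshd -T' after the restart.
# Review before applying:
#   PermitRootLogin yes      — permits direct root logins with a password;
#                               'prohibit-password' or 'no' (log in as a
#                               user, then sudo) is the usual hardening
#                               baseline.
#   KexAlgorithms ...-sha1   — diffie-hellman-group14-sha1 keeps a SHA-1 key
#                               exchange enabled; remove it unless an old
#                               client still needs it.
cat >> /etc/ssh/sshd_config <<'EOF'
X11Forwarding no
MaxAuthTries 4
IgnoreRhosts yes
HostbasedAuthentication no
PermitEmptyPasswords no
XAuthLocation /usr/bin/xauth
UseDNS no
PermitRootLogin yes
PubkeyAuthentication yes
PasswordAuthentication yes
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1
EOF
# Place the new binaries where the systemd unit and users expect them
# (the old ones were moved aside in the backup step).
cp -f /usr/local/openssh/sbin/sshd /usr/sbin/sshd
cp -f /usr/local/openssh/bin/ssh /usr/bin/ssh
cp -f /usr/local/openssh/bin/ssh-keygen /usr/bin/ssh-keygen
# -sfn: replaces an existing link instead of failing, so the step can be
# re-run.
ln -sfn /usr/local/ssl/bin/openssl /usr/bin/openssl
ln -sfn /usr/local/ssl/include/openssl /usr/include/openssl
ln -sfn /usr/local/ssl/lib/libssl.so.1.1 /usr/lib64/libssl.so.1.1
ln -sfn /usr/local/ssl/lib/libcrypto.so.1.1 /usr/lib64/libcrypto.so.1.1
# NOTE: a recursive 755 also opens /usr/local/ssl/private, the directory
# OpenSSL reserves for keys. Prefer setting 755 on bin/ and lib/ only rather
# than the whole tree.
chmod -R 755 /usr/local/ssl
chmod 755 /usr/bin/ssh
ldconfig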
8、重启服务
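# Enable and restart the service (run as root). Keep the current SSH session
# open and confirm a NEW login works from a second terminal before closing
# it; a broken sshd would otherwise lock you out of the host.
# chkconfig is the SysV tool; on CentOS 7 sshd is a native systemd unit, so
# systemctl is used directly.
systemctl enable sshd
# Syntax-check the merged sshd_config with the new binary first, so a config
# error is caught here instead of leaving sshd down after the restart.
/usr/sbin/sshd -t && systemctl restart sshd
systemctl status sshd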
9、查看升级后版本信息
[root@localhost ~]# ssh -V
OpenSSH_8.8p1, OpenSSL 1.1.1l 24 Aug 2021
[root@localhost ~]#
源码包下载地址:
http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.7p1.tar.gz
源码安装步骤(步骤内容为8.4版本,只需要把8.4改为8.7即可)
https://blog.csdn.net/qq_46023525/article/details/109338477?spm=1001.2014.3001.5502
rpm包下载地址:
https://download.csdn.net/download/qq_46023525/21845106
rpm包制作步骤:
https://blog.csdn.net/qq_46023525/article/details/114702883?spm=1001.2014.3001.5502
升级到openssh8.8之后git无法提交了,git push会报:no matching host key type found. Their offer: ssh-rsa
在sshd_config配置文件中添加 PubkeyAcceptedKeyTypes=+ssh-rsa(“+”表示在默认算法列表的基础上追加,即重新启用 8.8 起默认禁用的基于 SHA-1 的 ssh-rsa 签名),然后重启服务即可。