openssh版本升级
背景
漏洞扫描发现openssh版本太低,存在ssh漏洞,需升级openssh版本。
# 查看openssh版本
ssh -V
操作步骤
参考:openssh官方文档
一、开启telnet
# 记得测试telnet登录成功再升级openssh,避免ssh挂了
yum install telnet-server telnet
systemctl start telnet.socket
systemctl enable telnet.socket
netstat -ntpl |grep 23
# 开放防火墙策略
iptables -I INPUT 1 -p tcp --dport=23 -j ACCEPT
二、备份旧ssh
whereis sshd
mv /usr/sbin/sshd /usr/sbin/sshd.bak
whereis ssh
mv /usr/bin/ssh /usr/bin/ssh.bak
whereis ssh-keygen
mv /usr/bin/ssh-keygen /usr/bin/ssh-keygen.bak
三、卸载旧版openssh-server
yum remove openssh-server
四、安装新版openssh-server
cd /opt
tar -zxvf /home/deployer/openssh-8.7p1.tar.gz
cd /opt/openssh-8.7p1
./configure
make
make install
# this will install the OpenSSH binaries in /usr/local/bin, configuration files
# in /usr/local/etc, the server in /usr/local/sbin, etc. To specify a different
# installation prefix, use the --prefix option to configure: ./configure --prefix=/opt
# 查看PATH
echo $PATH
# cp到PATH,全局使用
cp /usr/local/sbin/sshd /usr/sbin/
cp /usr/local/bin/ssh /usr/bin/
cp /usr/local/bin/ssh-keygen /usr/bin/
五、查看openssh版本是否已更新
ssh -V
六、启动sshd
cp /opt/openssh-8.7p1/contrib/redhat/sshd.init /etc/init.d/sshd
/etc/init.d/sshd restart
systemctl status sshd
netstat -ntpl |grep 22
# 加入开机启动
systemctl enable sshd 或 chkconfig --add sshd
# 查看开机启动状态
systemctl is-enabled sshd 或 chkconfig --list sshd
七、测试ssh是否能登录成功
八、PS:常见问题
1. 编译时依赖缺失
# 查看zlib版本
find /usr/ -name zlib.pc
cat /usr/lib64/pkgconfig/zlib.pc
# 安装zlib-devel
yum install -y zlib-devel
# 安装openssl-devel
yum install -y openssl-devel
2. 升级后Linux SSH首次登录服务器,报ECDSA host key “ip地址” for has changed and you have requested strict checking错误
解决办法:清除你当前机器里关于你的远程服务器的缓存和公钥信息,清除known_hosts里旧缓存文件
ssh-keygen -R remotehost