Centos7下rpm升级OpenSSH到openssh-8.4p1版本

由于openssh爆出一个特殊漏洞，涉及到8.3p1及以下版本，操作步骤如下：

检查环境：
[root@test]# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017

注意：如果机器做过安全基线整改，建议先自行备份/etc/pam.d/sshd文件，升级后，此文件会被覆盖，如果未修改过，按照文章后续的进行覆盖即可。亦请务必确定系统版本为：CentOS7。

请确定openssh版本为7.x，openssl版本为 OpenSSL 1.0.2k及以上。（正常来说，系统都为以上版本。）

下载：
wget https://qqq-1253133144.cos.ap-chengdu.myqcloud.com/bbb/openssh8.4.zip
unzip openssh8.4.zip
安装方法一：

rpm -Uvh *.rpm

安装方法二：

yum install ./*.rpm

如果方法二报错先执行：

yum update *.rpm

因为OPENSSH升级后，/etc/ssh/sshd_config会还原至默认状态，我们需要进行相应配置：

cd /etc/ssh/
chmod 400 ssh_host_ecdsa_key ssh_host_ed25519_key ssh_host_rsa_key
echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
echo "PasswordAuthentication yes" >> /etc/ssh/sshd_config
systemctl restart sshd

It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Unable to load host key “/etc/ssh/ssh_host_ed25519_key”: bad permissions
Unable to load host key: /etc/ssh/ssh_host_ed25519_key
sshd: no hostkeys available — exiting.
[FAILED]
sshd.service: control process exited, code=exited status=1
Failed to start SYSV: OpenSSH server daemon.
Unit sshd.service entered failed state.
sshd.service failed.

chmod 0600 /etc/ssh/ssh_host_ed25519_key
service sshd restart

注意，/etc/pam.d/sshd也文件会被覆盖，我们进行还原：

/etc/pam.d/sshd;

再还原：

echo ‘#%PAM-1.0
auth required pam_sepermit.so
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
！# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
！# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth’>/etc/pam.d/sshd

注意：如果新开终端连接的时，root密码报错，并且已经根据上面后续操作，那可能就是SElinux的问题，我们进行临时禁用：

setenforce 0

sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config