Upgrading OpenSSH to 9.8 on CentOS 7

1. Risk notice: OpenSSH remote code execution vulnerability (CVE-2024-6387)

1.1 Vulnerability description

OpenSSH is a suite of tools for securely accessing and managing remote computers, providing encrypted communication over the SSH protocol. The OpenSSH remote code execution vulnerability (CVE-2024-6387) is caused by a signal handler race condition in the OpenSSH server (sshd); an unauthenticated attacker can exploit it to execute arbitrary code as root on Linux systems.

1.2 Vulnerability identifier
CVE-2024-6387

1.3 Severity
High

2. Remediation advice

2.1 Affected versions
OpenSSH < 4.4p1, except versions already patched for CVE-2006-5051 and CVE-2008-4109
8.5p1 <= OpenSSH < 9.8p1

2.2 Remediation advice
An updated release is available upstream; affected organisations should upgrade to the latest version as soon as possible:
OpenSSH 9.8p1

Related packages
Link: https://pan.baidu.com/s/1-KiIQY5k9o40CO3SjmgQJQ?pwd=rw7f Extraction code: rw7f

1. Install the build dependencies

[root@VM-12-10-centos ~]# yum install -y vim gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel pam-devel zlib-devel tcp_wrappers-devel tcp_wrappers libedit-devel perl-IPC-Cmd wget tar lrzsz

2. Upgrade zlib

(The cd paths in this and the following steps show that the zlib, OpenSSL and OpenSSH source archives are unpacked under /usr/local.)

[root@VM-12-10-centos ~]# tar -zxvf zlib-1.3.1.tar.gz
[root@VM-12-10-centos ~]# cd /usr/local/zlib-1.3.1
[root@VM-12-10-centos ~]# ./configure --prefix=/usr/local/zlib
[root@VM-12-10-centos ~]# make -j 2
[root@VM-12-10-centos ~]# make test
[root@VM-12-10-centos ~]# make install
[root@VM-12-10-centos ~]# ldconfig -v

3. Build and upgrade OpenSSL

[root@VM-12-10-centos ~]# tar -zxvf openssl-1.1.1w.tar.gz
[root@VM-12-10-centos ~]# cd /usr/local/openssl-1.1.1w
[root@VM-12-10-centos ~]# ./config --prefix=/usr/local/openssl
[root@VM-12-10-centos ~]# make -j2
[root@VM-12-10-centos ~]# make install
[root@VM-12-10-centos ~]# openssl version -v

This prints the version of whichever openssl binary comes first in PATH; the freshly built one lives at /usr/local/openssl/bin/openssl (from --prefix above), so check that path explicitly if the output still shows the stock version.

4. Upgrade OpenSSH

[root@VM-12-10-centos ~]# tar -zxvf openssh-9.8p1.tar.gz
[root@VM-12-10-centos ~]# cd /usr/local/openssh-9.8p1
[root@VM-12-10-centos ~]# ./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-pam --with-ssl-dir=/usr/local/openssl/ --with-zlib=/usr/local/zlib

Confirm that PAM support was picked up by configure (look for "PAM support: yes" in the summary below):

OpenSSH has been configured with the following options:
                     User binaries: /usr/local/openssh/bin
                   System binaries: /usr/local/openssh/sbin
               Configuration files: /etc/ssh
                   Askpass program: /usr/local/openssh/libexec/ssh-askpass
                      Manual pages: /usr/local/openssh/share/man/manX
                          PID file: /var/run
  Privilege separation chroot path: /var/empty
            sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/openssh/bin
                    Manpage format: doc
                       PAM support: yes
                   OSF SIA support: no
                 KerberosV support: no
                   SELinux support: no
                   libedit support: no
                   libldns support: no
  Solaris process contract support: no
           Solaris project support: no
         Solaris privilege support: no
       IP address in $DISPLAY hack: no
           Translate v4 in v6 hack: yes
                  BSD Auth support: no
              Random number source: OpenSSL internal ONLY
             Privsep sandbox style: seccomp_filter
                   PKCS#11 support: yes
                  U2F/FIDO support: yes

              Host: x86_64-pc-linux-gnu
          Compiler: cc -std=gnu11
    Compiler flags: -g -O2 -pipe -Wall -Wextra -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-parameter -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE
Preprocessor flags: -I/usr/local/openssl//include -I/usr/local/zlib/include  -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -D_GNU_SOURCE -DOPENSSL_API_COMPAT=0x10100000L
      Linker flags: -L/usr/local/openssl//lib64 -L/usr/local/zlib/lib  -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -pie
         Libraries: -ldl -lutil  -lresolv
     +for channels: -lcrypto  -lz
         +for sshd: -lcrypt  -lpam

PAM is enabled. You may need to install a PAM control file
for sshd, otherwise password authentication may fail.
Example PAM control files can be found in the contrib/
subdirectory

Build and install

[root@VM-12-10-centos ~]# make -j 2
[root@VM-12-10-centos ~]# make install

Configure the sshd service

(CentOS 7 already ships /etc/pam.d/sshd with the stock openssh package, which is why the file is backed up here rather than replaced with the one from contrib/.)

[root@VM-12-10-centos ~]# cp contrib/redhat/sshd.init /etc/init.d/sshd
[root@VM-12-10-centos ~]# cp /etc/pam.d/sshd /etc/pam.d/sshd.bak
 
[root@VM-12-10-centos ~]# cp /usr/local/openssh/sbin/sshd /usr/sbin/
[root@VM-12-10-centos ~]# cp /usr/local/openssh/bin/ssh /usr/bin/
[root@VM-12-10-centos ~]# cp /usr/local/openssh/bin/ssh-keygen /usr/bin/
[root@VM-12-10-centos ~]# ll /etc/init.d/
[root@VM-12-10-centos ~]# chkconfig --add sshd

5. Fixing SFTP connection failures after the OpenSSH upgrade

(1) Edit the configuration

[root@VM-12-10-centos ~]#  vim  /etc/ssh/sshd_config
 
#override default of no subsystems
#Subsystem      sftp    /usr/local/openssh/libexec/sftp-server

Change the Subsystem line above to the following; internal-sftp is sshd's built-in SFTP server, so the setting no longer depends on the path of an external sftp-server binary:

Subsystem      sftp    internal-sftp

(2) Restart the sshd service

Keep your current SSH session open while restarting, and confirm a fresh login from a second terminal before closing it, so a misconfiguration cannot lock you out of the host.

[root@VM-12-10-centos ~]# systemctl restart sshd

(3) Check the SSH version

[root@VM-12-10-centos ~]# ssh -V
OpenSSH_9.8p1, OpenSSL 1.1.1w  11 Sep 2023
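As an added example (not part of the original post), the POSIX shell script below parses an `ssh -V` banner like the one shown above and screens the version against the CVE-2024-6387 ranges listed in section 2.1, so the same check can be run before and after the upgrade. The sample banners are constructed; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: screen an OpenSSH version
# against the CVE-2024-6387 ranges quoted in section 2.1 above:
#   OpenSSH < 4.4p1 (unless patched for CVE-2006-5051 / CVE-2008-4109)
#   8.5p1 <= OpenSSH < 9.8p1
# Caveat: a version string cannot see vendor backports or that exception,
# so treat "affected" as "confirm against the vendor advisory", not as proof.

# "9.8p1" -> 9080001 (major*1000000 + minor*10000 + patch level, p0 if absent)
version_key() {
    v=$(printf '%s' "$1" |
        sed -n 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\(p\([0-9][0-9]*\)\)\{0,1\}.*/\1 \2 \4/p')
    [ -n "$v" ] || return 1
    set -- $v
    echo $(( $1 * 1000000 + $2 * 10000 + ${3:-0} ))
}

# Pull "9.8p1" out of an `ssh -V` banner such as "OpenSSH_9.8p1, OpenSSL ..."
banner_version() {
    printf '%s' "$1" |
        sed -n 's/.*OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\(p[0-9][0-9]*\)\{0,1\}\).*/\1/p'
}

# Print affected / not-affected / unknown for a bare version like "9.7p1"
classify() {
    key=$(version_key "$1") || { echo unknown; return 0; }
    if [ "$key" -lt "$(version_key 4.4p1)" ]; then
        echo affected
    elif [ "$key" -ge "$(version_key 8.5p1)" ] && [ "$key" -lt "$(version_key 9.8p1)" ]; then
        echo affected
    else
        echo not-affected
    fi
}

# One-line verdict for a raw banner; always returns 0 so it is safe under set -e
check_banner() {
    ver=$(banner_version "$1")
    if [ -z "$ver" ]; then
        echo "unrecognised banner: $1"
    else
        echo "OpenSSH $ver: $(classify "$ver") by the CVE-2024-6387 version ranges"
    fi
}

# Constructed sample banners: a stock CentOS 7 client, and this post's end state
check_banner "OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017"
check_banner "OpenSSH_9.8p1, OpenSSL 1.1.1w  11 Sep 2023"
# Live check of this host's client (ssh -V prints its banner to stderr)
check_banner "$(ssh -V 2>&1)"
```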