近日漏扫爆出 OpenSSH 漏洞,要求升级到最新版本,此篇用于记录升级过程。注意:本文以源码编译方式替换了发行版自带的 zlib、OpenSSL 和 OpenSSH,之后这些组件不再随 `yum update` 获得安全更新,需要自行跟踪上游版本并重复本流程;文中的版本号只是当时的"最新",操作前请核对上游当前版本,并先做好快照或备份。
1、获取软件包
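# Working directory for the upgrade sources.
mkdir -p /opt/opensshupdate
cd /opt/opensshupdate

# Fetch every tarball over HTTPS and keep certificate verification ON.
# The original used --no-check-certificate for openssl.org: a tarball that is
# about to be compiled into sshd is exactly the artefact an on-path attacker
# would swap, and disabling TLS verification makes that trivial. If the
# download fails because the host's CA bundle is stale (common on old
# CentOS), update the ca-certificates package instead of disabling the check.
# These exact versions may since have been moved out of the projects' main
# download directories into their archive areas (e.g. zlib.net/fossils/,
# openssl.org/source/old/); adjust the URLs rather than the verification.
wget https://www.zlib.net/zlib-1.2.11.tar.gz
wget https://www.openssl.org/source/openssl-1.1.1k.tar.gz
wget https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.6p1.tar.gz

# Verify the release signatures before building anything. Each project
# publishes a detached .asc next to the tarball; the signing keys must be
# obtained from the project's own key page (not from the same download
# directory) and imported with `gpg --import` beforehand. Cross-check the
# SHA256 against the value published on the project page as well.
wget https://www.zlib.net/zlib-1.2.11.tar.gz.asc
wget https://www.openssl.org/source/openssl-1.1.1k.tar.gz.asc
wget https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.6p1.tar.gz.asc
for t in zlib-1.2.11.tar.gz openssl-1.1.1k.tar.gz openssh-8.6p1.tar.gz; do
  gpg --verify "$t.asc" "$t" \
    || echo "SIGNATURE CHECK FAILED for $t -- do not build it" >&2
done
sha256sum zlib-1.2.11.tar.gz openssl-1.1.1k.tar.gz openssh-8.6p1.tar.gz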
2、系统包安装(pam和pam-devel 需要32位和64位包)
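# Switch yum to a reachable mirror before installing build dependencies.
# The 163 repo file referenced in the original post is no longer served
# (the author's own remark), so substitute a mirror that is currently
# available; the .bak lets the original repo config be restored afterwards.
cd /etc/yum.repos.d/
mv CentOS-Base.repo CentOS-Base.repo.bak
# NOTE: this repo file is for CentOS 6, yet steps 4, 9 and 11 use systemctl,
# which only exists on CentOS 7. Use the repo file that matches the host's
# release (see /etc/centos-release) and, on CentOS 6, service/chkconfig
# instead of systemctl.
wget http://mirrors.163.com/.help/CentOS6-Base-163.repo
# `make` is not part of a minimal install and every build step below needs
# it. pam + pam-devel are wanted in both 32- and 64-bit flavours for the
# --with-pam build. telnet-server is only the temporary fallback (step 4)
# and is removed again in step 11.
yum -y install pam pam.i686 pam-devel pam-devel.i686 gcc gcc-c++ make telnet-server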
3、检查依赖包是否已安装
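# Confirm the build dependencies are really installed. `rpm -q NAME` prints
# "package X is not installed" and exits non-zero for each missing package,
# whereas `rpm -qa | grep pam` also matches unrelated packages (pam_krb5,
# python-pam, ...) and never fails, so a missing dependency goes unnoticed.
# `make` is not in the original install list; install it if this reports it
# missing.
rpm -q gcc gcc-c++ make pam pam-devel telnet-server
# The 32-bit pam packages are queried by name.arch so both flavours are
# checked explicitly.
rpm -q pam.i686 pam-devel.i686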
4、开启 telnet 连接,临时关闭防火墙(telnet 为明文协议,仅作为升级期间的应急通道:请只在可信网段内开放,升级验证完成后务必在第 11 步关闭并禁用)
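# Temporary out-of-band access in case the new sshd does not come up.
# telnet is cleartext (credentials included): only open it on a trusted
# network segment and never leave it running after step 11. On CentOS 7
# telnet-server is socket-activated by systemd, hence telnet.socket.
systemctl start telnet.socket
# Stopping the whole firewall is broader than needed. If the host is reachable
# from untrusted networks, open only the telnet port for the duration instead:
#   firewall-cmd --add-port=23/tcp      (runtime-only, gone after reload)
systemctl stop firewalld
# Record the current SELinux mode so step 11 can restore exactly that mode
# (a default install is Enforcing).
getenforce
setenforce Permissive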
5、创建普通用户(防止重启sshd服务后root用户telnet无法登陆)
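# Temporary fallback account for the telnet session; delete it again in
# step 11. The fixed UID 556 sits below the regular-user range -- only a
# concern if it already exists on this host.
useradd -u 556 wisedu
# passwd reads the new password from the controlling terminal, not from
# stdin, so feeding it a here-document (as the original did) leaves the
# account without a usable password. chpasswd reads "user:password" lines
# from stdin and works on RHEL/CentOS and Debian alike.
# Replace the throw-away value below with a strong, unique password: it is
# accepted over cleartext telnet while the firewall is down.
echo 'wisedu:wisedu123' | chpasswd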
6、配置telnet登陆
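# Allow root to log in on the pseudo-terminals telnetd allocates. This is
# what makes root-over-cleartext-telnet possible, so keep a backup and remove
# these lines again in step 11. The unprivileged user created in step 5 plus
# `su -` is sufficient for the fallback session, so consider skipping this
# step entirely. The quoted delimiter makes the here-document literal.
cp -a /etc/securetty /etc/securetty.bak
cat >> /etc/securetty <<'EOF'
pts/0
pts/1
pts/2
EOF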
7、安装zlib
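# Build zlib into its own prefix so the distro's zlib package stays untouched.
# The steps are chained with && so a failed configure/make stops here instead
# of installing a half-built library. (`-share` in the original only worked
# because zlib's configure treats any -s* option as --shared.)
tar -zxf zlib-1.2.11.tar.gz
cd /opt/opensshupdate/zlib-1.2.11 \
  && ./configure --prefix=/usr/local/zlib-1.2.11 --shared \
  && make && make install
# Register the library directory with the dynamic loader. The original used
# typographic quotes (“ ”) here, which were written into ld.so.conf verbatim,
# so ldconfig never picked the path up. Plain ASCII path, and a drop-in file
# under ld.so.conf.d (the conventional place on CentOS) instead of appending
# to ld.so.conf on every re-run.
echo "/usr/local/zlib-1.2.11/lib" > /etc/ld.so.conf.d/zlib-1.2.11.conf
ldconfig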
8、升级SSL
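# Build OpenSSL 1.1.1 into its own prefix. It carries a different soname
# (libssl.so.1.1) from the distro's libssl.so.10, so system binaries linked
# against the packaged OpenSSL keep working after ldconfig. Only sshd (step 9)
# links against this copy -- which also means only you will patch it.
tar -zxf openssl-1.1.1k.tar.gz
cd /opt/opensshupdate/openssl-1.1.1k \
  && ./config shared zlib-dynamic --prefix=/usr/local/openssl-1.1.1k \
       --with-zlib-lib=/usr/local/zlib-1.2.11/lib \
       --with-zlib-include=/usr/local/zlib-1.2.11/include \
  && make && make install
# Plain ASCII quotes: the original's “ ” ended up inside ld.so.conf verbatim.
echo "/usr/local/openssl-1.1.1k/lib" > /etc/ld.so.conf.d/openssl-1.1.1k.conf
ldconfig
# Put the new openssl binary first on PATH for every login via a profile.d
# drop-in. Two things were wrong with the original append to /etc/profile:
#  - the here-document delimiter was unquoted, so $PATH was expanded NOW and
#    this shell's PATH value was frozen into /etc/profile;
#  - the explanatory remark spanned two lines and the second had no '#', so
#    every login tried to execute it as a command.
# The quoted 'EOF' keeps $PATH literal.
cat > /etc/profile.d/openssl-1.1.1k.sh <<'EOF'
# OpenSSL 1.1.1k built from source; library path is registered in
# /etc/ld.so.conf.d/openssl-1.1.1k.conf
PATH=/usr/local/openssl-1.1.1k/bin:$PATH
export PATH
EOF
source /etc/profile
# Point /usr/bin/openssl and the headers at the new build. These paths are
# owned by the openssl / openssl-devel RPMs: a later yum update of those
# packages will put the packaged files back and leave the .OFF copies behind,
# so re-check after package updates.
mv /usr/bin/openssl /usr/bin/openssl.OFF
mv /usr/include/openssl /usr/include/openssl.OFF
ln -s /usr/local/openssl-1.1.1k/bin/openssl /usr/bin/openssl
ln -s /usr/local/openssl-1.1.1k/include/openssl/ /usr/include/openssl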
9、升级SSH
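# Back up the old config directory -- including the host keys. Moving it away
# makes `make install` generate brand-new host keys, and every client would
# then see a "host key changed" warning that is indistinguishable from a MITM;
# the old keys are copied back after the install below. (Rename any previous
# /etc/ssh_bak first, or mv will move /etc/ssh inside it.)
mv /etc/ssh /etc/ssh_bak
tar -zxf openssh-8.6p1.tar.gz
# Removes openssh-server/-clients with it, including the sshd.service unit
# and (unless locally modified) /etc/pam.d/sshd.
yum -y remove openssh
# --without-openssl-header-check disables configure's header-vs-library
# version check, which the /usr/include/openssl redirection in step 8 can
# confuse; drop it if configure passes without it.
cd /opt/opensshupdate/openssh-8.6p1 \
  && ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam \
       --with-ssl-dir=/usr/local/openssl-1.1.1k --with-md5-passwords \
       --mandir=/usr/share/man --with-zlib=/usr/local/zlib-1.2.11 \
       --without-openssl-header-check \
  && make && make install
# Restore the previous host keys over the freshly generated ones (skip this
# if you intend to rotate keys, and then announce the new fingerprints).
cp -a /etc/ssh_bak/ssh_host_* /etc/ssh/
# SysV init script from the tarball; systemd's sysv generator turns it into
# sshd.service after daemon-reload. The matching PAM stack is installed too,
# since yum remove deleted /etc/pam.d/sshd; it only takes effect with
# "UsePAM yes" in sshd_config (the stock file defaults to no), which is what
# re-enables the distro's faillock/password-auth policies for SSH.
cp /opt/opensshupdate/openssh-8.6p1/contrib/redhat/sshd.init /etc/init.d/sshd
cp /opt/opensshupdate/openssh-8.6p1/contrib/redhat/sshd.pam /etc/pam.d/sshd
chmod +x /etc/init.d/sshd
systemctl daemon-reload
systemctl enable sshd
# Appending works only because the stock 8.6 sshd_config has no active Match
# block at its end; anything appended after a Match line would be scoped to
# that block. Root password login over SSH is what most scanners flag next:
# move to "PermitRootLogin prohibit-password" (8.6's default) once key-based
# root access or sudo is in place. "yes" is kept only to avoid a lock-out.
echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
# Wider client compatibility at the cost of strength: diffie-hellman-group14-sha1
# is a SHA-1 KEX and will be flagged by the same scanners; drop it as soon as
# no legacy client depends on it. Plain ASCII quotes: the original's “ ”
# were written into sshd_config and made sshd refuse to start.
echo "KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1" >> /etc/ssh/sshd_config
# Validate the config before starting; a syntax error here would leave only
# the telnet fallback. sshd is started only if the test passes.
sshd -t && systemctl start sshd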
10、验证升级
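# Confirm the binaries on PATH are the new build and the daemon is running.
# Keep the telnet session open until a NEW ssh login from another terminal
# succeeds -- do not rely on the session you upgraded from.
ssh -V
command -v ssh sshd
openssl version
systemctl is-active sshd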
11、最后记得关闭并禁用 telnet、重新开启防火墙、恢复 SELinux 模式、删除第 5 步创建的临时用户,并还原第 6 步对 /etc/securetty 的修改。
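# Undo every temporary weakening from steps 4-6.
# The original's `sed -i ‘s/no/yes/g’ /etc/xinetd.d/telnet` did not work:
# the typographic quotes are rejected by sed, the file belongs to xinetd
# (CentOS 6) while this host uses systemd's telnet.socket, and `s/no/yes/g`
# would have rewritten every "no" in the file (e.g. "wait = no"), not just
# "disable = no". Stop AND disable the socket; removing the package is the
# cleanest end state.
systemctl stop telnet.socket
systemctl disable telnet.socket
yum -y remove telnet-server
# Drop the pts/* lines added to /etc/securetty in step 6 (assumes they were
# not present before; compare with /etc/securetty.bak if in doubt).
sed -i '/^pts\/[0-2]$/d' /etc/securetty
# Remove the temporary fallback account from step 5.
userdel -r wisedu
# Put SELinux back into the mode it was in before step 4 -- Enforcing on a
# default install; use the getenforce output you recorded if it differed.
setenforce Enforcing
systemctl start firewalld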