openssl 升级到OpenSSL 1.0.1g 修复HEARTBEATS漏洞

CentOS 6.4 64位

查看当前的ssl版本

[root@localhost ~]# ssh -V
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010

升级openssl

升级前请关闭selinux

yum install zlib zlib-devel krb5-devel.x86_64 -y
wget http://www.openssl.org/source/openssl-1.0.1g.tar.gz
tar -xzf openssl-1.0.1g.tar.gz
cd openssl-1.0.1g
./config --prefix=/usr/local/ssl shared zlib-dynamic enable-camellia -DOPENSSL_NO_HEARTBEATS  #添加 -DOPENSSL_NO_HEARTBEATS 选项
make
make install
openssl version
mv /usr/bin/openssl /usr/bin/openssl.old
mv /usr/include/openssl /usr/include/opensslold
ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
ln -s /usr/local/ssl/include/openssl/ /usr/include/openssl
echo "/usr/local/ssl/lib/" >> /etc/ld.so.conf
ldconfig -v|grep ssl
openssl version

升级后截图

openssl version -a

为什么升级openssh，因为用xshell或者SecureCRT等终端连接服务器是用ssh，现在查看ssh所用openssl所用的版本还是这样的

[root@localhost ~]# ssh -V
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010

验证：

# rpm -qa openssl
openssl-1.0.1e-16.el6_5.14.x86_64

# rpm -q --changelog openssl-1.0.1e | grep CVE-2014-0160
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension

说明漏洞已经修复

升级 openssh  （编译时候请按文章最下面，添加--with-kerberos5=/usr/lib64/libkrb5.so 参数编译，不然会出现下面的问题）

wget http://mirror.internode.on.net/pub/OpenBSD/OpenSSH/portable/openssh-6.6p1.tar.gz
yum install pam*
tar -xzf openssh-6.6p1.tar.gz
cd openssh-6.6p1
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-ssl-dir=/usr/local/ssl --with-md5-passwords --mandir=/usr/share/man
make
make install
                                    
ssh -V
OpenSSH_6.6p1, OpenSSL 1.0.1g 7 Apr 2014
                                    
service sshd restart
停止 sshd：                                                [确定]
正在启动 sshd：                                            [确定]

升级完成后打开新的终端连接

升级完成

当执行service sshd restart 的时候有错误提示

vim /etc/ssh/sshd_config  把81和83行注释

再执行就没问题了

service sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd:                                             [  OK  ]

附：

Unsupported option GSSAPIAuthentication  和 Unsupported option GSSAPICleanupCredentials

这两个认证机制的解决方法：

service sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd: /etc/ssh/sshd_config line 81: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 83: Unsupported option GSSAPICleanupCredentials
                                                           [  OK  ]

在编译openssh-6.6p1的时候把kerberos5的选项指定，即添加选项 --with-kerberos5=/usr/lib64/libkrb5.so 就不会出现问题

[root@localhost openssh-6.6p1]# ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-ssl-dir=/usr/local/ssl --with-md5-passwords --mandir=/usr/share/man --with-kerberos5=/usr/lib64/libkrb5.so

下面是sshd_config的配置文件，认证不受影响的，重启sshd服务也没问题

vim /etc/ssh/sshd_config

上述的代码

升级前关闭selinux

升级ssl，ssh

yum install zlib zlib-devel -y

yum install krb5-devel.x86_64 -y

wget http://www.openssl.org/source/openssl-1.0.1g.tar.gz

tar -xzf openssl-1.0.1g.tar.gz

cd openssl-1.0.1g

./config --prefix=/usr/local/ssl shared zlib-dynamic enable-camellia -DOPENSSL_NO_HEARTBEATS 

make

make install

openssl version

mv /usr/bin/openssl /usr/bin/openssl.old

mv /usr/include/openssl /usr/include/opensslold

ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl

ln -s /usr/local/ssl/include/openssl/ /usr/include/openssl

echo "/usr/local/ssl/lib/" >>/etc/ld.so.conf

ldconfig -v|grep ssl

openssl version

cd ..

wget http://mirror.internode.on.net/pub/OpenBSD/OpenSSH/portable/openssh-6.6p1.tar.gz

yum install pam* -y

tar -xzf openssh-6.6p1.tar.gz

cd openssh-6.6p1

./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-ssl-dir=/usr/local/ssl --with-md5-passwords  --mandir=/usr/share/man --with-kerberos5=/usr/lib64/libkrb5.so 

make

make install

ssh -V

cd ..

转载于:https://blog.51cto.com/bbotte/1394174