CentOS 6.4 64-bit
Check the current ssl version:

```
[root@localhost ~]# ssh -V
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
```
Upgrade openssl
Please disable selinux before upgrading.

```
yum install zlib zlib-devel krb5-devel.x86_64 -y
wget http://www.openssl.org/source/openssl-1.0.1g.tar.gz
tar -xzf openssl-1.0.1g.tar.gz
cd openssl-1.0.1g
./config --prefix=/usr/local/ssl shared zlib-dynamic enable-camellia -DOPENSSL_NO_HEARTBEATS   # add the -DOPENSSL_NO_HEARTBEATS option
make
make install
openssl version
mv /usr/bin/openssl /usr/bin/openssl.old
mv /usr/include/openssl /usr/include/opensslold
ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
ln -s /usr/local/ssl/include/openssl/ /usr/include/openssl
echo "/usr/local/ssl/lib/" >> /etc/ld.so.conf
ldconfig -v|grep ssl
openssl version
```
Screenshot after the upgrade:

```
openssl version -a
```
Why upgrade openssh? Because terminals such as Xshell or SecureCRT connect to the server over ssh, and the OpenSSL version that ssh uses is still the old one:

```
[root@localhost ~]# ssh -V
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
```
Verification:

```
# rpm -qa openssl
openssl-1.0.1e-16.el6_5.14.x86_64
# rpm -q --changelog openssl-1.0.1e | grep CVE-2014-0160
- fix CVE-2014-0160 - information disclosure in TLS heartbeat extension
```

This shows the vulnerability has been fixed. Note that rpm only knows about the distribution's openssl package; the changelog check says nothing about the source build installed under /usr/local/ssl, which is checked with `openssl version -a` and `ssh -V` instead.
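The checks above (`openssl version -a` and the `ssh -V` output before and after the upgrade) are done by eye in the post. The following script is an added example, not code from the original post: it parses those version strings and compares them against the upgrade target (OpenSSL 1.0.1g built with -DOPENSSL_NO_HEARTBEATS). The sample strings are constructed from the post's output; the assumption that the `-D` flag given to `./config` shows up in the "compiler:" line of `openssl version -a` is labelled in the code.

```shell
#!/bin/sh
# Added example, not code from the original post. It parses the version strings
# that `ssh -V` and `openssl version -a` print and checks them against the
# target of this upgrade (OpenSSL 1.0.1g, built with -DOPENSSL_NO_HEARTBEATS).

# Extract the OpenSSL version token from an `ssh -V` line.
#   "OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010" -> "1.0.0"
#   "OpenSSH_6.6p1, OpenSSL 1.0.1g 7 Apr 2014"      -> "1.0.1g"
openssl_version_from_ssh_v() {
    printf '%s\n' "$1" | sed -n 's/.*OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p'
}

# Turn "1.0.1g" into one comparable integer:
#   major*1000000 + minor*10000 + patch*100 + letter (a=1 ... z=26, none=0)
openssl_version_key() {
    ver=$1
    nums=${ver%%[a-z]*}            # "1.0.1"
    letter=${ver#"$nums"}          # "g" or ""
    major=${nums%%.*}
    rest=${nums#*.}
    if [ "$rest" = "$nums" ]; then # bare "1"
        minor=0; patch=0
    else
        minor=${rest%%.*}
        patch=${rest#*.}
        [ "$patch" = "$rest" ] && patch=0   # "1.0" has no patch field
    fi
    if [ -n "$letter" ]; then
        letter_idx=$(($(printf '%d' "'$letter") - 96))   # 'a' is 97
    else
        letter_idx=0
    fi
    echo $((major * 1000000 + minor * 10000 + patch * 100 + letter_idx))
}

# True (exit 0) when the OpenSSL version in an `ssh -V` line is >= $2.
ssh_links_openssl_at_least() {
    have=$(openssl_version_from_ssh_v "$1")
    [ -n "$have" ] || return 2     # line carries no OpenSSL version at all
    [ "$(openssl_version_key "$have")" -ge "$(openssl_version_key "$2")" ]
}

# True when `openssl version -a` output shows the library was compiled with
# -DOPENSSL_NO_HEARTBEATS. Assumption: the flag passed to ./config appears in
# the "compiler:" line that `openssl version -a` prints for 1.0.1 builds.
built_without_heartbeats() {
    printf '%s\n' "$1" | grep -q -- '-DOPENSSL_NO_HEARTBEATS'
}

# Constructed sample output: the post's before/after `ssh -V` lines and an
# abbreviated `openssl version -a`.
BEFORE="OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010"
AFTER="OpenSSH_6.6p1, OpenSSL 1.0.1g 7 Apr 2014"
VERSION_A="OpenSSL 1.0.1g 7 Apr 2014
compiler: gcc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DOPENSSL_NO_HEARTBEATS -DZLIB_SHARED
OPENSSLDIR: \"/usr/local/ssl\""

report() {
    if ssh_links_openssl_at_least "$1" "$2"; then
        echo "OK:   $1"
    else
        echo "WEAK: $1 (need OpenSSL >= $2)"
    fi
}
report "$BEFORE" 1.0.1g   # WEAK: still the 1.0.0-fips build from 2010
report "$AFTER"  1.0.1g   # OK
built_without_heartbeats "$VERSION_A" && echo "heartbeats compiled out"

# On the real host (ssh -V prints to stderr):
#   report "$(ssh -V 2>&1)" 1.0.1g
#   built_without_heartbeats "$(openssl version -a)"
#   ldd /usr/sbin/sshd | grep libssl   # must resolve into /usr/local/ssl/lib,
#                                      # otherwise the ldconfig step did not take
```

The `ldd` line in the trailing comment is the check that matters most after the `echo ... >> /etc/ld.so.conf` step: a freshly built sshd that still resolves libssl from /usr/lib64 reports the new OpenSSH version but runs on the old library.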
Upgrade openssh (when compiling, follow the end of this article and add the --with-kerberos5=/usr/lib64/libkrb5.so parameter, otherwise the problem shown below occurs):

```
wget http://mirror.internode.on.net/pub/OpenBSD/OpenSSH/portable/openssh-6.6p1.tar.gz
yum install pam*
tar -xzf openssh-6.6p1.tar.gz
cd openssh-6.6p1
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-ssl-dir=/usr/local/ssl --with-md5-passwords --mandir=/usr/share/man
make
make install
ssh -V
OpenSSH_6.6p1, OpenSSL 1.0.1g 7 Apr 2014
service sshd restart
停止 sshd: [确定]
正在启动 sshd: [确定]
```
After the upgrade completes, open a new terminal connection to confirm you can still log in.
Upgrade complete.
When running service sshd restart there is an error message. Edit /etc/ssh/sshd_config with vim and comment out lines 81 and 83; running it again then works:

```
service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
```
Appendix:
How to resolve the two authentication options reported as Unsupported option GSSAPIAuthentication and Unsupported option GSSAPICleanupCredentials:

```
service sshd restart
Stopping sshd: [ OK ]
Starting sshd: /etc/ssh/sshd_config line 81: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 83: Unsupported option GSSAPICleanupCredentials
[ OK ]
```
When compiling openssh-6.6p1, specify the kerberos5 option, i.e. add --with-kerberos5=/usr/lib64/libkrb5.so, and the problem does not occur:

```
[root@localhost openssh-6.6p1]# ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-ssl-dir=/usr/local/ssl --with-md5-passwords --mandir=/usr/share/man --with-kerberos5=/usr/lib64/libkrb5.so
```
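The post offers two fixes for the "Unsupported option" messages: comment out lines 81 and 83 of sshd_config, or rebuild with --with-kerberos5 so that sshd understands the GSSAPI keywords. The script below is an added example, not code from the original post, for the first fix: it disables the two options by name rather than by line number (line numbers differ between systems), and shows the `sshd -t` configuration check that should run before `service sshd restart`. The sample sshd_config it edits is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post. Instead of commenting out
# sshd_config by line number (81 and 83 in the post), disable the options by
# name, then validate with `sshd -t` before restarting the daemon.

# Comment out every active line that sets one of the named options.
# Usage: disable_sshd_options /etc/ssh/sshd_config GSSAPIAuthentication GSSAPICleanupCredentials
disable_sshd_options() {
    cfg=$1; shift
    for opt in "$@"; do
        # Matches "GSSAPIAuthentication yes" (optionally indented) but not a
        # line that is already commented out, such as "#GSSAPIAuthentication no".
        tmp=$(mktemp)
        sed "s/^\([[:space:]]*$opt[[:space:]]\)/#\1/" "$cfg" > "$tmp"
        cat "$tmp" > "$cfg"   # overwrite in place so the file keeps its owner and mode
        rm -f "$tmp"
    done
}

# Number of active (uncommented) lines that still set the option.
active_option_count() {
    grep -c "^[[:space:]]*$2[[:space:]]" "$1" || true
}

# Constructed sample config containing the two options the post's sshd rejects.
CFG=$(mktemp)
cat > "$CFG" <<'EOF'
Port 22
Protocol 2
# GSSAPI options
GSSAPIAuthentication yes
#GSSAPIAuthentication no
GSSAPICleanupCredentials yes
UsePAM yes
EOF

disable_sshd_options "$CFG" GSSAPIAuthentication GSSAPICleanupCredentials
echo "active GSSAPIAuthentication lines: $(active_option_count "$CFG" GSSAPIAuthentication)"
cat "$CFG"

# On the real host:
#   disable_sshd_options /etc/ssh/sshd_config GSSAPIAuthentication GSSAPICleanupCredentials
#   /usr/sbin/sshd -t && service sshd restart   # -t: check the config, non-zero exit on error
# Keep the current session open and confirm that a new login works before closing it.
```

`sshd -t` parses the configuration and exits non-zero on any unsupported option, so a bad edit is caught before the running daemon is stopped; that is the step that turns the post's advice to "open a new terminal connection after the upgrade" into a check rather than a hope. If you instead rebuild with --with-kerberos5 as the appendix describes, the options are accepted and no editing is needed.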
Below is the sshd_config configuration file; authentication is not affected and restarting the sshd service works without problems.
vim /etc/ssh/sshd_config

The complete set of commands used above:

```
# disable selinux before upgrading
# upgrade ssl and ssh
yum install zlib zlib-devel -y
yum install krb5-devel.x86_64 -y
wget http://www.openssl.org/source/openssl-1.0.1g.tar.gz
tar -xzf openssl-1.0.1g.tar.gz
cd openssl-1.0.1g
./config --prefix=/usr/local/ssl shared zlib-dynamic enable-camellia -DOPENSSL_NO_HEARTBEATS
make
make install
openssl version
mv /usr/bin/openssl /usr/bin/openssl.old
mv /usr/include/openssl /usr/include/opensslold
ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
ln -s /usr/local/ssl/include/openssl/ /usr/include/openssl
echo "/usr/local/ssl/lib/" >>/etc/ld.so.conf
ldconfig -v|grep ssl
openssl version
cd ..
wget http://mirror.internode.on.net/pub/OpenBSD/OpenSSH/portable/openssh-6.6p1.tar.gz
yum install pam* -y
tar -xzf openssh-6.6p1.tar.gz
cd openssh-6.6p1
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-ssl-dir=/usr/local/ssl --with-md5-passwords --mandir=/usr/share/man --with-kerberos5=/usr/lib64/libkrb5.so
make
make install
ssh -V
cd ..
```