前因
因项目需求,过绿盟漏洞安全检查曝出了三个OpenSSH的相关漏洞“CVE-2020-15778”、“CVE-2018-15919”、“CVE-2017-15906”,故而对OpenSSH进行升级以修补漏洞
原环境
openssh-7.4p1-21.el7.x86_64
openssl-1.0.2k-19.el7.x86_64
两者均为通过 yum 安装的最新版本
升级必需品
openssh-8.4p1.tar.gz
openssl-1.1.1h.tar.gz
请自行到官网下载
升级用脚本(脚本非原创,本人仅做了简单修改)
亲测可用;不放心的话可以不用脚本,手动逐步执行
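#!/bin/bash
# Prerequisites:
# 1. A working yum repository (build dependencies are installed with yum).
# 2. A fallback session, because the sshd restart at the end can drop the
#    connection. The original note enables telnet for this; telnet is
#    unencrypted, so a console/out-of-band session or a second SSH session
#    kept open for the whole run is the safer fallback.
# 3. The upstream tarballs uploaded to /$soft_dir. The script trusts them
#    as-is, so verify their upstream checksums/signatures before running.
#
# Variables that must be edited by hand
version="ssh_8.4"                  # name of the work directory under /$soft_dir
soft_dir="opt"                     # directory (no leading slash) holding the tarballs
ssl_media="openssl-1.1.1h.tar.gz"  # OpenSSL tarball name
ssh_media="openssh-8.4p1.tar.gz"   # OpenSSH tarball name
#
ssl_soft="/$soft_dir/$ssl_media"
ssh_soft="/$soft_dir/$ssh_media"
filepath="/$soft_dir/$version"     # work directory; every step logs to $filepath/check_point.log
#
# The work directory is created before the tarball check so the failure
# messages below land in the real log file. The original set $filepath only
# in the success branch, so a missing tarball was logged to /check_point.log.
mkdir -p "$filepath" || { echo "$(date +%H:%M:%S)--无法创建工作目录 $filepath" >&2; exit 1; }
if [ ! -f "$ssl_soft" ] || [ ! -f "$ssh_soft" ]; then
  echo "$(date +%H:%M:%S)--升级所需安装包不存在,请检查。。。" | tee -a "$filepath/check_point.log"
  echo "$(date +%H:%M:%S)--安装已退出。。。" | tee -a "$filepath/check_point.log"
  exit 1
fi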
#安装升级所需依赖包
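function InstallDeploy(){
  # Packages the OpenSSL/OpenSSH builds below need. The yum openssl stays in
  # place as the distro-provided copy; the new build goes under /usr/local.
  local deps=(gcc gcc-c++ pam pam-devel zlib zlib-devel perl openssl)
  local pkg
  for pkg in "${deps[@]}"; do
    # rpm -q is an exact name match. The original `rpm -qa | grep $pkg | wc -l`
    # matched substrings, so e.g. "pam" or "openssl" counted as installed
    # whenever any package containing that text was present, and the real
    # package could be skipped.
    if rpm -q "$pkg" >/dev/null 2>&1; then
      echo "$(date +%H:%M:%S)--$pkg依赖已安装。。。跳过。。。" | tee -a "$filepath/check_point.log"
    else
      # Without the dependency the configure/make steps cannot succeed; stop here
      # instead of discovering it halfway through the build.
      yum -y install "$pkg" || {
        echo "$(date +%H:%M:%S)--依赖 $pkg 安装失败,请检查yum源。。。" | tee -a "$filepath/check_point.log"
        return 1
      }
    fi
  done
  echo "$(date +%H:%M:%S)--依赖安装结束,准备正式安装。。。 " | tee -a "$filepath/check_point.log"
}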
#
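function Unpack(){
  echo "$(date +%H:%M:%S)--解压安装包。。。 " | tee -a "$filepath/check_point.log"
  # Extract inside the work directory. An unchecked cd would otherwise unpack
  # into whatever the current directory happens to be.
  cd "$filepath" || return 1
  # A truncated or corrupt tarball must not be accepted silently: the later
  # `cd $filepath/openssl*/` would then build from an incomplete tree.
  tar zxf "$ssl_soft" || {
    echo "$(date +%H:%M:%S)--openssl安装包解压失败,已中止。。。" | tee -a "$filepath/check_point.log"
    return 1
  }
  tar zxf "$ssh_soft" || {
    echo "$(date +%H:%M:%S)--openssh安装包解压失败,已中止。。。" | tee -a "$filepath/check_point.log"
    return 1
  }
  echo "$(date +%H:%M:%S)--解压完成。。。 " | tee -a "$filepath/check_point.log"
}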
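function Backup(){
  echo "$(date +%H:%M:%S)--重要动态库备份开始。。。。" | tee -a "$filepath/check_point.log"
  local ssh_backup
  ssh_backup="/etc/ssh_$(date +%F)"
  # Copies of the distro OpenSSL pieces the new build will shadow, plus the
  # whole /etc/ssh tree (host keys and sshd_config). Any failure aborts the
  # run: a half-taken backup is worse than none once sshd is replaced.
  #
  # The original last line read `cp -arf /etc/ssh/ /etc/ssh_$(date +%F) cd ..`,
  # which handed "cd" and ".." to cp as extra arguments. cp then treated ".."
  # as the destination directory, so the /etc/ssh_<date> backup was never
  # created and /etc/ssh was copied into the parent of the work directory.
  cp -af /usr/lib64/openssl /usr/lib64/openssl.old && \
  cp -af /usr/bin/openssl /usr/bin/openssl.old && \
  cp -af /etc/pki/ca-trust/extracted/openssl /etc/pki/ca-trust/extracted/openssl.old && \
  cp -af /usr/lib64/libcrypto.so.10 /usr/lib64/libcrypto.so.10.old && \
  cp -af /usr/lib64/libssl.so.10 /usr/lib64/libssl.so.10.old && \
  cp -arf /etc/ssh/ "$ssh_backup" || {
    echo "$(date +%H:%M:%S)--备份失败,已中止。。。" | tee -a "$filepath/check_point.log"
    return 1
  }
  echo "$(date +%H:%M:%S)--备份完成。。。 " | tee -a "$filepath/check_point.log"
}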
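function Installopenssl(){
  echo "$(date +%H:%M:%S)--开始安装openssl。。。" | tee -a "$filepath/check_point.log"
  # The glob is left unquoted on purpose: it resolves the versioned source dir.
  cd "$filepath"/openssl*/ || return 1
  echo "$(date +%H:%M:%S)--安装openssl进行中。。。。。。。" | tee -a "$filepath/check_point.log"
  # Install under /usr/local so the distro's /usr/lib64/libcrypto.so.10 stays
  # untouched; the ld.so.conf entry below makes the new libraries visible
  # system-wide, which is what the OpenSSH build relies on.
  ./config --prefix=/usr/local --openssldir=/usr/local/openssl || {
    echo "$(date +%H:%M:%S)--openssl配置失败,已中止。。。" | tee -a "$filepath/check_point.log"
    return 1
  }
  # The original chained `make && make install &&` straight into the
  # ld.so.conf echo, so a failed build skipped only that line, still ran
  # ldconfig and reported the upgrade as complete.
  make && make install || {
    echo "$(date +%H:%M:%S)--openssl编译或安装失败,已中止。。。" | tee -a "$filepath/check_point.log"
    return 1
  }
  # Register the library directory once; unconditional appending duplicated
  # the entry on every rerun.
  grep -qxF '/usr/local/lib64/' /etc/ld.so.conf || echo "/usr/local/lib64/" >> /etc/ld.so.conf
  ldconfig
  echo "$(date +%H:%M:%S)--openssl升级完成。。。。" | tee -a "$filepath/check_point.log"
}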
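function Installopenssh(){
  echo "$(date +%H:%M:%S)--开始安装openssh。。。" | tee -a "$filepath/check_point.log"
  cd "$filepath"/openssh*/ || return 1
  echo "$(date +%H:%M:%S)--安装openssh进行中。。。。。。。" | tee -a "$filepath/check_point.log"
  # Build against the OpenSSL just installed under /usr/local.
  # NOTE(review): --with-tcp-wrappers is no longer supported by OpenSSH 8.4
  # (tcp_wrappers support was removed in 6.7); configure only warns about it.
  # --without-hardening turns off the compiler hardening flags for sshd, the
  # one network-facing daemon this whole upgrade is about; drop it unless the
  # build really fails with hardening enabled. --with-zlib points at
  # /usr/local/lib64 although the yum zlib-devel lives under /usr/lib64 —
  # confirm which zlib is intended.
  ./configure \
    --prefix=/usr \
    --sysconfdir=/etc/ssh \
    --with-md5-passwords \
    --with-pam \
    --with-tcp-wrappers \
    --with-ssl-dir=/usr/local/openssl \
    --with-zlib=/usr/local/lib64 \
    --without-hardening || {
    echo "$(date +%H:%M:%S)--openssh配置失败,已中止。。。" | tee -a "$filepath/check_point.log"
    return 1
  }
  # The original ran `make install` even when configure or make had failed;
  # every step now aborts so a broken build never reaches the sshd restart.
  make || {
    echo "$(date +%H:%M:%S)--openssh编译失败,已中止。。。" | tee -a "$filepath/check_point.log"
    return 1
  }
  # Host keys must not be group/world readable or sshd refuses them. The glob
  # also catches the .pub files, which appears harmless.
  chmod 600 /etc/ssh/ssh_host*
  make install || {
    echo "$(date +%H:%M:%S)--openssh安装失败,已中止。。。" | tee -a "$filepath/check_point.log"
    return 1
  }
  echo "$(date +%H:%M:%S)--openssh升级完成。。。。" | tee -a "$filepath/check_point.log"
}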
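function Configssh(){
  echo "$(date +%H:%M:%S)--开始配置SSH。。。" | tee -a "$filepath/check_point.log"
  cd "$filepath"/openssh*/ || return 1
  # Replace the RPM's systemd unit with the upstream SysV init script. Only
  # move the unit if it is still present so a rerun does not fail on the mv.
  if [ -f /usr/lib/systemd/system/sshd.service ]; then
    mv /usr/lib/systemd/system/sshd.service /usr/lib/systemd/system/sshd.service_bk
  fi
  cp contrib/redhat/sshd.init /etc/init.d/sshd
  chmod a+x /etc/init.d/sshd
  # NOTE(review): PAM resolves the sshd service via /etc/pam.d/sshd, so this
  # copy to sshd.pam is never consulted and the RPM's /etc/pam.d/sshd keeps
  # being used. Kept as the original had it — decide deliberately before
  # renaming, because the upstream file replaces the distro's PAM stack.
  cp contrib/redhat/sshd.pam /etc/pam.d/sshd.pam
  echo "$(date +%H:%M:%S)--设置SSH开机自启。。。" | tee -a "$filepath/check_point.log"
  # Make systemd re-read unit files after the mv and the new init script;
  # otherwise the restart below may still act on the cached old unit.
  systemctl daemon-reload
  chkconfig --add sshd
  chkconfig sshd on
  systemctl enable sshd
  #echo "KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1" >> /etc/ssh/sshd_config
  #sed -i 's/PermitRootLogin/#&/' /etc/ssh/sshd_config
  # The author wants root login left enabled. Append the directive only once
  # so reruns do not pile up duplicates. sshd honours the first occurrence of
  # a keyword, so an earlier uncommented PermitRootLogin line still wins.
  # NOTE(review): direct root login widens the exposure of the daemon being
  # patched; "PermitRootLogin prohibit-password" or a sudo-capable user is the
  # safer setting where the environment allows it.
  grep -q '^PermitRootLogin yes' /etc/ssh/sshd_config || echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
  # Validate the configuration before restarting: a broken sshd_config would
  # otherwise leave the host without a working sshd.
  /usr/sbin/sshd -t || {
    echo "$(date +%H:%M:%S)--sshd配置校验失败,未重启SSH服务。。。" | tee -a "$filepath/check_point.log"
    return 1
  }
  echo "$(date +%H:%M:%S)--SSH服务重启中。。。。" | tee -a "$filepath/check_point.log"
  systemctl restart sshd
}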
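function start(){
  # Run the steps in order and stop at the first one whose exit status is
  # non-zero, so a failed build or backup never reaches the sshd restart.
  local step
  for step in InstallDeploy Unpack Backup Installopenssl Installopenssh Configssh; do
    "$step" || {
      echo "$(date +%H:%M:%S)--步骤 $step 失败,安装已中止。。。" | tee -a "$filepath/check_point.log"
      exit 1
    }
  done
}
start
# Final sanity check: print the version of the freshly installed client.
ssh -V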