Upgrading SSH on Ubuntu

Introduction

On 1 July 2024 I received an e-mail from colleagues in the security department: the OpenSSH on our production and test servers has a remote code execution vulnerability (CVE-2024-6387). The severity is high, and an attacker who exploits it successfully obtains a remote root shell, i.e. can run arbitrary code and commands. The affected versions are 8.5p1 <= OpenSSH < 9.8p1; the fixed version is OpenSSH >= 9.8p1. The official recommendation is to upgrade OpenSSH to 9.8p1. The security team and the project lead confirmed by e-mail that we would upgrade to 9.8p1 and add hosts.allow and hosts.deny files on the servers so that only connections through the bastion host are allowed.
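Before touching any server it helps to turn the version range above into a check that can be run across the fleet. The following script is an added example, not part of the original post: it parses the banner that `ssh -V` / `sshd -V` print (the "OpenSSH_X.YpZ" format) and reports whether a version lies in 8.5p1 <= version < 9.8p1. The "check" argument is a convention of this script only. One caveat: distribution packages can carry a backported fix under an older version number, so treat "affected" as a prompt to look at the package changelog, not as proof.

```shell
#!/bin/sh
# Added example (not from the original post): classify an OpenSSH version
# against the CVE-2024-6387 range quoted above, 8.5p1 <= version < 9.8p1.
# Assumes the "OpenSSH_X.YpZ ..." banner format printed by ssh -V / sshd -V.

# Extract "9.7p1" from a banner such as
# "OpenSSH_9.7p1 Ubuntu-7ubuntu4, OpenSSL 3.0.13 30 Jan 2024".
openssh_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*p[0-9][0-9]*\).*/\1/p'
}

# Turn "9.7p1" into one integer (major*10000 + minor*100 + patch) so the
# range comparison is plain integer arithmetic.
openssh_version_key() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%p*}
    patch=${rest#*p}
    echo $((major * 10000 + minor * 100 + patch))
}

# Prints "affected" or "not-affected" for a version such as "9.7p1".
openssh_cve_2024_6387_status() {
    key=$(openssh_version_key "$1")
    low=$(openssh_version_key 8.5p1)
    fixed=$(openssh_version_key 9.8p1)
    if [ "$key" -ge "$low" ] && [ "$key" -lt "$fixed" ]; then
        echo affected
    else
        echo not-affected
    fi
}

# Check the locally installed client binary (ssh -V prints to stderr).
check_local_ssh() {
    banner=$(ssh -V 2>&1 | head -n 1)
    ver=$(openssh_version_from_banner "$banner")
    [ -n "$ver" ] || { echo "could not parse: $banner"; return 2; }
    echo "$ver: $(openssh_cve_2024_6387_status "$ver")"
}

# Stand-alone use:  sh openssh-version-check.sh check
if [ "${1:-}" = check ]; then
    check_local_ssh
fi
```

Run it as `sh openssh-version-check.sh check` on each host; the functions can also be sourced and fed banners collected by an inventory tool.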

1. Prepare the build environment

sudo apt-get -y install openbsd-inetd telnetd telnet make gcc libpam0g-dev

sudo /etc/init.d/openbsd-inetd restart

        [ ok ] Restarting openbsd-inetd (via systemctl): openbsd-inetd.service.

sudo netstat -antp | grep 23

tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN 1560834/inetd

Log in to the server over telnet, so that the working session does not depend on the sshd that is about to be replaced

        telnet 192.168.1.163

                Trying 192.168.1.163...

                Connected to 192.168.1.163.

                Escape character is '^]'.

                Password:Login incorrectubuntu

                login: <username>

                Password: <password>

                Last login: Thu Jan 2 13:25:57 CST 2020 from 192.168.1.113 on pts/0.

                ...

Fetch the source tarballs

mkdir openssh

cd openssh/

wget https://zlib.net/zlib-1.3.1.tar.gz

wget --no-check-certificate https://www.openssl.org/source/openssl-3.3.0.tar.gz

wget --no-check-certificate https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.8p1.tar.gz

ls *gz | xargs -n1 -i{} tar zxf {}

ls

        openssh-9.7p1 openssh-9.7p1.tar.gz openssl-3.3.0 openssl-3.3.0.tar.gz zlib-1.3.1 zlib-1.3.1.tar.gz
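Two of the downloads above run with `--no-check-certificate`, which switches off TLS verification of the download server, so the tarballs should be checked against hashes (or the projects' .asc signatures) obtained out of band before anything is unpacked and built as root. The script below is an added example, not from the original post: the three SHA-256 values in the manifest are placeholders to be replaced with the values published by zlib, OpenSSL and OpenSSH for these exact releases, and the "verify" argument is a convention of this script only.

```shell
#!/bin/sh
# Added example (not from the original post): verify each downloaded tarball
# against a SHA-256 value obtained out of band, because the wget calls above
# use --no-check-certificate and therefore do not authenticate the server.
# The hashes in MANIFEST are PLACEHOLDERS; take the real ones from the
# projects' release pages (or verify the .asc signatures with gpg instead).

# Print the SHA-256 of a file with whichever tool the system provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Returns 0 when FILE hashes to EXPECTED (hex, case-insensitive), 1 otherwise.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "ok: $file"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# Verify every "FILE EXPECTED_SHA256" line of a manifest.  Returns 0 only if
# every file matches; a bad file is reported, never silently skipped.
verify_manifest() {
    status=0
    while read -r f h; do
        [ -n "$f" ] || continue
        verify_sha256 "$f" "$h" || status=1
    done <<EOF
$1
EOF
    return $status
}

# Placeholder hashes: replace before use.
MANIFEST='zlib-1.3.1.tar.gz       <sha256 placeholder>
openssl-3.3.0.tar.gz    <sha256 placeholder>
openssh-9.8p1.tar.gz    <sha256 placeholder>'

# Stand-alone use, run inside the openssh/ download directory:
#   sh verify-tarballs.sh verify
# Unpacks only when every tarball verifies.
if [ "${1:-}" = verify ]; then
    verify_manifest "$MANIFEST" && ls *.gz | xargs -n1 -i{} tar zxf {}
fi
```

If any line reports MISMATCH, re-download from the official site over a verified TLS connection rather than proceeding with the build.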

2. Upgrade zlib

        cd zlib-1.3.1

        sudo ./configure --prefix=/usr/local/zlib

        sudo make && sudo make install

        cd ..

3. Upgrade OpenSSL

        Build and install

                cd openssl-3.3.0

                sudo ./config shared zlib --prefix=/usr/local/ssl

                sudo make

                sudo make install

                cd ..

        Point the system at the new OpenSSL

                sudo mv /usr/bin/openssl /usr/bin/openssl.bak

                sudo mv /usr/include/openssl /usr/include/openssl.bak

                sudo ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl

                sudo ln -s /usr/local/ssl/include/openssl /usr/include/openssl

                sudo vi /etc/ld.so.conf.d/openssl.conf

                sudo cat /etc/ld.so.conf.d/openssl.conf

                        /usr/local/ssl/lib64

                sudo ldconfig

        Check the OpenSSL version

                openssl version

4. Upgrade OpenSSH

        Back up the ssh configuration

                sudo cp /etc/init.d/ssh /etc/init.d/ssh.old

                sudo cp -r /etc/ssh /etc/ssh.old

        Remove the packaged OpenSSH, so that the version does not revert after a reboot

                sudo apt-get remove openssh-server openssh-client

        Build and install

                cd openssh-9.8p1

                sudo ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-zlib --with-ssl-dir=/usr/local/ssl --with-privsep-path=/var/lib/sshd

                sudo make

                sudo make install

        Configure the new OpenSSH

                cd /etc/ssh

                sudo cp -r ../ssh.old/* ./

                sudo mv /etc/init.d/ssh.old /etc/init.d/ssh

        Enable ssh at boot

                sudo systemctl unmask ssh

                        Removed symlink /etc/systemd/system/ssh.service.

                sudo systemctl daemon-reload

                sudo systemctl restart ssh       
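The introduction says the servers are to be restricted to the bastion host with hosts.allow and hosts.deny. That only works for an sshd linked against libwrap, and upstream portable OpenSSH dropped tcp_wrappers support in release 6.7, so an sshd built from the 9.8p1 tarball as above never reads those files. The script below is an added example, not from the original post: it checks whether a given sshd binary references libwrap, and prints an sshd_config rule that enforces the same restriction inside sshd itself (AllowUsers with a USER@HOST pattern accepts logins only from the named source address). The bastion address 192.0.2.10 is a placeholder, not an address from the post.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that "only the bastion
# host may connect" really applies to the freshly built sshd.  Upstream
# portable OpenSSH removed libwrap (tcp_wrappers) support in 6.7, so a 9.8p1
# built from source ignores /etc/hosts.allow and /etc/hosts.deny; they only
# take effect for a binary linked against libwrap.
# 192.0.2.10 below is a placeholder bastion address (TEST-NET-1).

# Prints "yes" if BINARY references libwrap (hosts.allow/deny apply),
# "no" if it does not, "unknown" if the file cannot be read.
sshd_uses_libwrap() {
    bin=$1
    [ -r "$bin" ] || { echo unknown; return 2; }
    if grep -a -q 'libwrap' "$bin"; then echo yes; else echo no; fi
}

# sshd_config fragment enforcing the restriction in sshd itself: with a
# USER@HOST pattern, AllowUsers admits a login only when the client address
# matches HOST, whatever the user name is.
bastion_only_fragment() {
    bastion=$1
    printf '# accept logins only from the bastion host\n'
    printf 'AllowUsers *@%s\n' "$bastion"
}

# Stand-alone use after "make install":
#   sh sshd-access-check.sh /usr/sbin/sshd 192.0.2.10
if [ "$#" -eq 2 ]; then
    case $(sshd_uses_libwrap "$1") in
        yes) echo "$1 references libwrap: hosts.allow/hosts.deny apply" ;;
        no)  echo "$1 does not reference libwrap: hosts.allow/hosts.deny are ignored, use the rule below" ;;
        *)   echo "cannot read $1" ;;
    esac
    bastion_only_fragment "$2"
fi
```

After adding the printed rule to /etc/ssh/sshd_config, validate with `sshd -t`, restart ssh, and keep the telnet session open until a fresh login from the bastion host succeeds and a login from any other address is refused.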

5. Errors encountered on Ubuntu

        1.PAM is enabled. You may need to install a PAM control file for sshd, otherwise password authentication may fail. Example PAM control files can be found in the contrib/ subdirectory

                sudo apt-get install pam

                sudo apt-get install libpam0g-dev

                sudo ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-zlib --with-ssl-dir=/usr/local --with-privsep-path=/var/lib/sshd

                sudo make

        2.Permission denied, please try again.

                vim /etc/ssh/sshd_config

                        UsePAM no

        3.fatal error: zlib.h: No such file or directory

                sudo apt-get install zlib1g-dev
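The configure warning in item 1 names the intended fix for failing password logins: a PAM control file for sshd, with examples in the source tree's contrib/ directory. Setting UsePAM no (item 2) also makes the error go away, but then sshd skips PAM account and session processing entirely, so restrictions expressed through PAM no longer apply to ssh logins. The script below is an added example, not from the original post: it reports which of the three states a host is in, reading the last uncommented UsePAM line of a config file (it does not follow Include directives) and defaulting to "no", which is sshd's compiled-in default when the directive is absent. The "report" argument and the contrib/sshd.pam.generic file name in the comment are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): report how PAM is wired up
# for the rebuilt sshd.  Assumptions: the config file is read line by line
# without following Include, and an absent UsePAM directive means "no"
# (sshd's compiled-in default, as documented in sshd_config(5)).

# Effective UsePAM value in CONFIG: the last uncommented setting wins;
# "no" when the directive is absent.
usepam_setting() {
    v=$(grep -i '^[[:space:]]*UsePAM[[:space:]]' "$1" | tail -n 1 | awk '{print tolower($2)}')
    if [ -n "$v" ]; then echo "$v"; else echo no; fi
}

# Prints one of:
#   pam-disabled      UsePAM is no: sshd does no PAM account/session checks
#   pam-unconfigured  UsePAM is yes but PAMFILE is missing (the
#                     "Permission denied" case from the configure warning)
#   pam-active        UsePAM is yes and PAMFILE exists
pam_state() {
    cfg=$1
    pamfile=$2
    if [ "$(usepam_setting "$cfg")" = no ]; then
        echo pam-disabled
        return 0
    fi
    if [ -f "$pamfile" ]; then echo pam-active; else echo pam-unconfigured; fi
}

# Stand-alone use:  sh pam-state.sh report [sshd_config] [pam control file]
# For pam-unconfigured, install a control file from the unpacked source tree,
# e.g. (assumed file name)  sudo install -m 644 contrib/sshd.pam.generic /etc/pam.d/sshd
# and restart ssh, instead of switching UsePAM off.
if [ "${1:-}" = report ]; then
    pam_state "${2:-/etc/ssh/sshd_config}" "${3:-/etc/pam.d/sshd}"
fi
```

Run `sh pam-state.sh report` after the upgrade; the goal state is pam-active, with password logins working because the control file exists, not because PAM was bypassed.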
