1.现象
通过绿盟等安扫软件扫描到服务器ssh存在漏洞,需要升级修复,升级openssh后,出现的问题:
- 问题1:多个服务器之间免秘钥登陆失效
- 问题2:单个服务器通过ulimit -a查看到的打开文件数被重置为1024,过小
2.解决方法
#1.安装pam-devel
yum install -y pam-devel
#2.下载最新版本openssh并解包、编译安装
#下载
cd /temp
wget http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.0p1.tar.gz
#解压
tar zxf openssh-8.0p1.tar.gz
#配置
./configure --prefix=/usr/ --sysconfdir=/etc/ssh --with-pam
#编译安装
make && make install
#覆盖老的安装,加入开机启动
cp /tmp/openssh-8.0p1/contrib/redhat/sshd.init /etc/init.d/sshd
chkconfig sshd --add
#3.修改/etc/ssh/sshd_config
vi /etc/ssh/sshd_config
添加UsePAM yes
修改PermitRootLogin yes
#4.修改/etc/security/limits.conf
编辑vi /etc/security/limits.conf
* soft nofile 40960
* hard nofile 81920
#5.修改/etc/pam.d/sshd
编辑vi /etc/pam.d/sshd
#%PAM-1.0
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
session required pam_limits.so