I. Introduction
1. Upgrade background
A vulnerability scan flagged high-risk OpenSSH findings. To deal with the newly published OpenSSH vulnerability CVE-2024-6387, OpenSSH needs to be upgraded to version 9.8.
2. Confirm the system
The process recorded in this article is based on CentOS 7.9 (2009). It does not necessarily apply to other Linux distributions, so confirm that your own system matches before following it.
Command to check the system version:
cat /etc/centos-release
Check the ssh version:
ssh -V
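As an added example (not part of the original post), the following POSIX shell script turns the two checks above into a pre-flight test: it parses the text that cat /etc/centos-release and ssh -V print, decides whether the installed OpenSSH is older than the 9.8p1 target, and classifies a version against the upstream CVE-2024-6387 ranges. The sample strings are constructed; the function names and the TARGET_VERSION variable are this example's own. Note that ssh -V writes its banner to stderr, hence the 2>&1 in the live-use comment.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks built on the
# output of `cat /etc/centos-release` and `ssh -V`.

TARGET_VERSION="9.8p1"   # the version this guide upgrades to

# "CentOS Linux release 7.9.2009 (Core)" -> "7.9.2009"
centos_release() {
    printf '%s\n' "$1" | sed -n 's/^CentOS Linux release \([0-9.]*\).*/\1/p'
}

# "OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017" -> "7.4p1"
# (assumes a portable build, whose version carries the pN suffix)
openssh_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*p[0-9][0-9]*\).*/\1/p'
}

# "7.4p1" -> "7 4 1"  (the pN release number defaults to 0 if absent)
version_fields() {
    printf '%s\n' "$1" | sed 's/^\([0-9]*\)\.\([0-9]*\)p\{0,1\}\([0-9]*\)$/\1 \2 \3/' \
        | awk '{ print $1+0, $2+0, $3+0 }'
}

# True (exit 0) when OpenSSH version $1 is lower than version $2
openssh_version_lt() {
    set -- $(version_fields "$1") $(version_fields "$2")
    if [ "$1" -ne "$4" ]; then [ "$1" -lt "$4" ]; return; fi
    if [ "$2" -ne "$5" ]; then [ "$2" -lt "$5" ]; return; fi
    [ "$3" -lt "$6" ]
}

# Echo "yes" when the banner's version is below TARGET_VERSION, else "no"
needs_upgrade() {
    v=$(openssh_version_from_banner "$1")
    [ -n "$v" ] || { echo unparsed; return 1; }
    if openssh_version_lt "$v" "$TARGET_VERSION"; then echo yes; else echo no; fi
}

# Echo "yes" when an UNPATCHED upstream version lies in the ranges the
# CVE-2024-6387 advisory lists as affected: below 4.4p1, or 8.5p1 up to but
# not including 9.8p1. Distribution packages that backported a fix keep
# their old version string, so the banner alone cannot prove exposure.
cve_2024_6387_upstream_range() {
    if openssh_version_lt "$1" 4.4p1; then echo yes; return; fi
    if ! openssh_version_lt "$1" 8.5p1 && openssh_version_lt "$1" 9.8p1; then
        echo yes
    else
        echo no
    fi
}

# Constructed sample values in the shape a stock CentOS 7.9 host prints
SAMPLE_RELEASE="CentOS Linux release 7.9.2009 (Core)"
SAMPLE_BANNER="OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017"

echo "release: $(centos_release "$SAMPLE_RELEASE")"
echo "installed: $(openssh_version_from_banner "$SAMPLE_BANNER"), needs upgrade to $TARGET_VERSION: $(needs_upgrade "$SAMPLE_BANNER")"
# Live use on the host:  needs_upgrade "$(ssh -V 2>&1)"
```

The version comparison is done field by field rather than with a string compare, so that 10.0p1 sorts after 9.8p1. The CVE range function is deliberately labelled "upstream": a vendor build that reports 7.4p1 may or may not carry backported fixes, and only the vendor's advisory or package changelog settles that.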
3. Preparation before upgrading
An OpenSSH upgrade can go wrong and leave ssh unable to connect. To avoid being locked out if something fails during the upgrade, first open a telnet window and keep it as a fallback.
3.1 Open a telnet window as a fallback
If the server does not have the telnet service enabled, see the step "Enable telnet" (section 3.1 of the upgrade process below).
a) Enable the Telnet Client feature on Windows
Open Programs
Click "Turn Windows features on or off"
Scroll down to "Telnet Client", tick it and confirm.
b) Open a telnet window and connect to the server as a fallback
Search for telnet in the search box and run it
Run the connect command (o is the telnet client's open command):
o ip port
Enter the server's login username and password. A successful connection looks like the following (ssh uses port 22; here port 23 was temporarily opened on the server specifically as the port for the telnet connection).
3.2 Install dependency tools
# Install the required build dependencies
yum install -y vim gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel pam-devel zlib-devel tcp_wrappers-devel tcp_wrappers libedit-devel perl-IPC-Cmd wget tar lrzsz
At this point the preparation is complete; next comes the OpenSSH upgrade itself.
II. Upgrade process
1. Upgrade zlib
# Run the following commands
cd /usr/local/src
wget https://www.zlib.net/zlib-1.3.1.tar.gz
# Extract zlib
tar -xzvf zlib-1.3.1.tar.gz
# Enter the extracted zlib directory
cd zlib-1.3.1
ls /usr/local/
./configure --prefix=/usr/local/zlib
make -j 2
make test
make install
ls /usr/local/zlib/
echo '/usr/local/zlib/lib' >> /etc/ld.so.conf.d/zlib.conf
ldconfig -v
2. Upgrade OpenSSL
OpenSSH 9.8 requires OpenSSL >= 1.1.1, so OpenSSL must be upgraded first. This article upgrades OpenSSL to version 3.2.1.
# Back up the relevant files
cp -rf /etc/ssh /etc/ssh.bak
cp -rf /usr/bin/openssl /usr/bin/openssl.bak
cp -rf /etc/pam.d /etc/pam.d.bak
cp -rf /usr/lib/systemd/system /usr/lib/systemd/system.bak
# Download OpenSSL
cd /usr/local/src
wget https://www.openssl.org/source/openssl-3.2.1.tar.gz
# Extract the OpenSSL source archive
tar -xzvf openssl-3.2.1.tar.gz
# Enter the extracted directory
cd openssl-3.2.1
# Build and install
ls /usr/local/
./config --prefix=/usr/local/openssl
make -j2
make install
mv /usr/bin/openssl /usr/bin/openssl.bak
ll /usr/bin/open*
ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
ln -s /usr/local/openssl/lib64/libssl.so.3 /usr/lib64/libssl.so.3
ln -s /usr/local/openssl/lib64/libcrypto.so.3 /usr/lib64/libcrypto.so.3
echo '/usr/local/openssl/lib64' >> /etc/ld.so.conf.d/ssl.conf
# Refresh the dynamic linker cache so the new library directory takes effect
ldconfig
# Check the OpenSSL version
openssl version -a
If the output reports version 3.2.1, the OpenSSL upgrade succeeded.
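The version number alone does not prove the step worked: the openssl binary on PATH may be the new one while the libraries it (or, later, sshd) actually loads are still the distribution's 1.0.2k, or are not found at all because the ld.so.conf entry was never picked up. The following script is an added example, not from the original post: it checks the >= 1.1.1 requirement stated above against an openssl version line, and inspects ldd output to confirm that libssl and libcrypto resolve to the OpenSSL 3 ABI (soname *.so.3; CentOS 7's own build is libssl.so.10). The sample banners and ldd listings are constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original post: verify the OpenSSL upgrade step.

OPENSSL_MIN="1.1.1"   # requirement stated in the guide for OpenSSH 9.8

# "OpenSSL 3.2.1 30 Jan 2024" -> "3.2.1"
openssl_version_from_banner() {
    printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2 }'
}

# "1.0.2k-fips" -> 10002, "1.1.1" -> 10101, "3.2.1" -> 30201
# (major*10000 + minor*100 + patch; a letter suffix such as "2k" is dropped)
openssl_version_key() {
    printf '%s\n' "$1" | awk '{
        split($0, v, /[.-]/)
        sub(/[^0-9].*/, "", v[3])
        print v[1]*10000 + v[2]*100 + v[3]
    }'
}

# Echo "ok" when the banner satisfies OPENSSL_MIN, "too-old" otherwise
openssl_meets_requirement() {
    v=$(openssl_version_from_banner "$1")
    [ -n "$v" ] || { echo unparsed; return 1; }
    if [ "$(openssl_version_key "$v")" -ge "$(openssl_version_key "$OPENSSL_MIN")" ]; then
        echo ok
    else
        echo too-old
    fi
}

# Given `ldd <binary>` output, echo "ok" when libssl and libcrypto are both
# found and both carry the OpenSSL 3 soname (*.so.3); otherwise describe
# the problem. CentOS 7's system OpenSSL 1.0.2k appears as libssl.so.10.
check_openssl3_linkage() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^lib(ssl|crypto)\.so/ {
            seen++
            if ($2 != "=>" || $3 == "not") { bad = bad $1 " not found; "; next }
            if ($1 !~ /\.so\.3$/)           { bad = bad $1 " is not the OpenSSL 3 ABI; " }
        }
        END {
            if (bad != "") { print bad; exit 1 }
            if (seen < 2)  { print "libssl/libcrypto not listed"; exit 1 }
            print "ok"
        }'
}

# Constructed samples in the shape `openssl version` and `ldd` print
SAMPLE_OLD_BANNER="OpenSSL 1.0.2k-fips  26 Jan 2017"
SAMPLE_NEW_BANNER="OpenSSL 3.2.1 30 Jan 2024"
SAMPLE_OLD_LDD="    libssl.so.10 => /lib64/libssl.so.10 (0x00007f0000000000)
    libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f0000000000)"
SAMPLE_NEW_LDD="    libssl.so.3 => /usr/local/openssl/lib64/libssl.so.3 (0x00007f0000000000)
    libcrypto.so.3 => /usr/local/openssl/lib64/libcrypto.so.3 (0x00007f0000000000)"
SAMPLE_MISSING_LDD="    libssl.so.3 => not found
    libcrypto.so.3 => not found"

echo "old banner: $(openssl_meets_requirement "$SAMPLE_OLD_BANNER")"
echo "new banner: $(openssl_meets_requirement "$SAMPLE_NEW_BANNER")"
echo "old linkage: $(check_openssl3_linkage "$SAMPLE_OLD_LDD")"
echo "new linkage: $(check_openssl3_linkage "$SAMPLE_NEW_LDD")"
# Live use on the host:
#   openssl_meets_requirement "$(openssl version)"
#   check_openssl3_linkage "$(ldd /usr/local/openssl/bin/openssl)"
#   and, once sshd has been built in step 3.2.4:  check_openssl3_linkage "$(ldd /usr/sbin/sshd)"
```

A "not found" result for libssl.so.3 right after this step means the ld.so.conf.d entry has not been loaded into the linker cache yet; "is not the OpenSSL 3 ABI" on the sshd binary later means configure picked up the system headers and libraries instead of /usr/local/openssl.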
2.1 Uninstall the old sshd
[root@CentOS7 openssl-3.2.1]# yum remove openssh
Loaded plugins: fastestmirror
Resolving Dependencies
--> Running transaction check
---> Package openssh.x86_64 0:7.4p1-21.el7 will be erased
--> Processing Dependency: openssh = 7.4p1-21.el7 for package: openssh-clients-7.4p1-21.el7.x86_64
--> Processing Dependency: openssh = 7.4p1-21.el7 for package: openssh-server-7.4p1-21.el7.x86_64
--> Running transaction check
---> Package openssh-clients.x86_64 0:7.4p1-21.el7 will be erased
---> Package openssh-server.x86_64 0:7.4p1-21.el7 will be erased
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================================================
 Package                    Arch              Version
================================================================================================================
Removing:
 openssh                    x86_64            7.4p1-21.el7
Removing for dependencies:
 openssh-clients            x86_64            7.4p1-21.el7
 openssh-server             x86_64            7.4p1-21.el7

Transaction Summary
================================================================================================================
Remove  1 Package (+2 Dependent packages)

Installed size: 5.4 M
Is this ok [y/N]: y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Erasing    : openssh-server-7.4p1-21.el7.x86_64
  Erasing    : openssh-clients-7.4p1-21.el7.x86_64
  Erasing    : openssh-7.4p1-21.el7.x86_64
  Verifying  : openssh-clients-7.4p1-21.el7.x86_64
  Verifying  : openssh-7.4p1-21.el7.x86_64
  Verifying  : openssh-server-7.4p1-21.el7.x86_64

Removed:
  openssh.x86_64 0:7.4p1-21.el7

Dependency Removed:
  openssh-clients.x86_64 0:7.4p1-21.el7
  openssh-server.x86_64 0:7.

Complete!
[root@CentOS7 openssl-3.2.1]# rm -rf /etc/ssh/*
3. Upgrade OpenSSH
3.1 Enable telnet
3.1.1 Install telnet
# Install telnet as a fallback
yum install telnet-server telnet xinetd
3.1.2 Start the telnet service
systemctl start telnet.socket
systemctl start xinetd
systemctl status telnet.socket
systemctl status xinetd
3.1.3 Modify the configuration
vim /etc/pam.d/remote
# Comment out the line: auth required pam_securetty.so
3.1.4 Restart the telnet service
systemctl restart xinetd
systemctl restart telnet.socket
Then follow step 3.1 of the introduction to connect over telnet and keep that session open as a fallback.
3.2 OpenSSH upgrade
3.2.1 Back up the relevant files
cp /etc/ssh/sshd_config /home/sshd_config.backup
cp /etc/pam.d/sshd /home/sshd.backup
3.2.2 Uninstall ssh
# List the installed openssh packages
rpm -qa | grep openssh
#openssh-6.6.1p1-31.el7.x86_64
#openssh-server-6.6.1p1-31.el7.x86_64
#openssh-clients-6.6.1p1-31.el7.x86_64
# Uninstall them; replace the package names with the ones your own system printed
rpm -e --nodeps openssh-6.6.1p1-31.el7.x86_64
rpm -e --nodeps openssh-server-6.6.1p1-31.el7.x86_64
rpm -e --nodeps openssh-clients-6.6.1p1-31.el7.x86_64
3.2.3 Download the OpenSSH 9.8 source archive
mkdir /home/file
cd /home/file
wget https://mirrors.aliyun.com/pub/OpenBSD/OpenSSH/portable/openssh-9.8p1.tar.gz
3.2.4 Extract and compile the OpenSSH source archive
tar -xf openssh-9.8p1.tar.gz
cd openssh-9.8p1
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-zlib --with-tcp-wrappers --with-ssl-dir=/usr/local/openssl/ --without-hardening
make && make install
3.2.5 Set permissions on the relevant files
chmod 600 /etc/ssh/ssh_host_rsa_key
chmod 600 /etc/ssh/ssh_host_ecdsa_key
chmod 600 /etc/ssh/ssh_host_ed25519_key
3.2.6 Copy the init script
cp -a contrib/redhat/sshd.init /etc/init.d/sshd
chmod u+x /etc/init.d/sshd
3.2.7 Restore the configuration
mv /home/sshd.backup /etc/pam.d/sshd
mv /home/sshd_config.backup /etc/ssh/sshd_config
3.2.8 Modify the configuration in /etc/ssh/sshd_config
vim /etc/ssh/sshd_config
# Uncomment the following two lines
PermitRootLogin yes
PubkeyAuthentication yes
3.2.9 Add ssh to start on boot
chkconfig --add sshd
chkconfig sshd on
3.2.10 Restart ssh
systemctl restart sshd
3.2.11 Check the OpenSSH version
Run ssh -V again; if it now reports OpenSSH_9.8p1, the upgrade succeeded.
Copyright belongs to the original author Mr_hwt_123. If there is any infringement, please contact us for removal.
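After step 3.2.8 has edited sshd_config and 3.2.10 has restarted the daemon, it is worth checking what sshd will actually enforce rather than what was typed. sshd honours the first occurrence of an option and ignores later duplicates, keywords are case-insensitive, and anything below a Match line is conditional, so a grep for PermitRootLogin is not a reliable audit. The script below is an added example, not from the original post: it resolves the effective global value of an option from a sshd_config text (falling back to the compiled-in default when the option is absent), then audits the settings this guide touches. The sample configurations are constructed and the function names are this example's own; it assumes the usual "keyword value" line form rather than "keyword=value".

```shell
#!/bin/sh
# Added example, not from the original post: audit the effective sshd_config
# values for the options touched in step 3.2.8.

# Compiled-in defaults for the options this audit looks at (OpenSSH 7.0+)
sshd_default() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        permitrootlogin)                           echo prohibit-password ;;
        pubkeyauthentication|passwordauthentication) echo yes ;;
        permitemptypasswords)                      echo no ;;
        logingracetime)                            echo 120 ;;
        *)                                         echo "(unset)" ;;
    esac
}

# Print the FIRST explicit global value of option $2 in the config text $1.
# Comments and blank lines are skipped; parsing stops at the first Match
# block, whose options apply only to matching connections. Only the first
# value token is returned, which is enough for the yes/no options here.
sshd_effective() {
    printf '%s\n' "$1" | awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        NF == 0 || $1 ~ /^#/   { next }          # blank line or comment
        tolower($1) == "match" { exit }          # conditional section begins
        tolower($1) == key     { print $2; exit }'
}

# Effective value: explicit setting if present, otherwise the default
sshd_option() {
    v=$(sshd_effective "$1" "$2")
    if [ -n "$v" ]; then echo "$v"; else sshd_default "$2"; fi
}

# One line per finding; "clean" when nothing was flagged
audit_sshd_config() {
    cfg=$1; n=0
    if [ "$(sshd_option "$cfg" PermitRootLogin)" = yes ]; then
        echo "PermitRootLogin yes: root may log in directly with a password; prohibit-password or no limits root to keys or blocks it"
        n=$((n + 1))
    fi
    if [ "$(sshd_option "$cfg" PasswordAuthentication)" = yes ]; then
        echo "PasswordAuthentication yes: password logins are accepted; with PubkeyAuthentication yes, set no once keys are deployed"
        n=$((n + 1))
    fi
    if [ "$(sshd_option "$cfg" PermitEmptyPasswords)" = yes ]; then
        echo "PermitEmptyPasswords yes: accounts with empty passwords can log in"
        n=$((n + 1))
    fi
    if [ "$(sshd_option "$cfg" LoginGraceTime)" = 0 ]; then
        echo "LoginGraceTime 0: the interim CVE-2024-6387 mitigation for unpatched hosts; not needed on 9.8p1 and it lets unauthenticated connections hold slots indefinitely"
        n=$((n + 1))
    fi
    [ "$n" -gt 0 ] || echo clean
}

# Constructed sample: the guide's two uncommented lines plus some traps
SAMPLE_CFG="# constructed sample, not a real host's file
Port 22
permitrootlogin yes
PubkeyAuthentication yes
#PasswordAuthentication no
PermitRootLogin no
Match User backup
    PermitRootLogin no"

# Constructed sample of a tightened configuration
HARDENED_CFG="PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
LoginGraceTime 60"

echo "effective PermitRootLogin: $(sshd_option "$SAMPLE_CFG" PermitRootLogin)"
echo "--- audit of sample config ---"; audit_sshd_config "$SAMPLE_CFG"
echo "--- audit of hardened config ---"; audit_sshd_config "$HARDENED_CFG"
# Live use on the host:  audit_sshd_config "$(cat /etc/ssh/sshd_config)"
```

Run it against the real file only after sshd -t reports no syntax errors, since a config that fails to parse never reaches the values above. In the sample, the lowercase permitrootlogin yes wins over the later PermitRootLogin no, and the commented-out PasswordAuthentication line leaves the default (yes) in force, which is exactly the kind of thing a visual check misses. Once the new sshd is confirmed working over ssh, the telnet service enabled in section 3.1 as a fallback can be stopped again, since it carries credentials in clear text.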