OpenSSH vulnerability remediation
I. Security risk
A recent company vulnerability scan reported that OpenSSH needs to be upgraded.
II. Current state of the system
The installed OpenSSH version is 7.4; according to the scan report it must be upgraded to 7.8 or later.
[root@logdb ~]# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
Upgrading OpenSSH may first require upgrading OpenSSL. In this case OpenSSL is version 1.0 (1.0.2k), which meets the requirement, so it is not upgraded.
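The version check behind this section in script form, as an added example that is not part of the original write-up: it parses the `ssh -V` banner (ssh prints it on stderr, hence the `2>&1`) and compares the major.minor version with the minimum the scan report asks for. The function names and the fallback banner are assumptions; the minimum 7.8 is the value from the report. Note that a scanner judges the sshd banner, so comparing with `ssh -V` is only meaningful when client and server come from the same build, as they do with the CentOS packages here.

```shell
#!/bin/sh
# Added example (not from the original write-up): decide whether the installed
# OpenSSH is below the version the scan requires. Pure POSIX sh + sed.

# Print "MAJOR MINOR" parsed from an `ssh -V` banner such as
# "OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017". Returns 1 if unparseable.
openssh_version_from_banner() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1
    printf '%s\n' "$ver"
}

# Exit 0 when the banner's version is older than the required MAJOR.MINOR
# (an upgrade is needed), 1 when it already meets the requirement,
# 2 when the banner could not be parsed.
openssh_needs_upgrade() {
    banner=$1
    required=${2:-7.8}                 # minimum demanded by the scan report
    ver=$(openssh_version_from_banner "$banner") || return 2
    have_major=${ver% *}
    have_minor=${ver#* }
    want_major=${required%.*}
    want_minor=${required#*.}
    if [ "$have_major" -lt "$want_major" ]; then
        return 0
    elif [ "$have_major" -eq "$want_major" ] && [ "$have_minor" -lt "$want_minor" ]; then
        return 0
    fi
    return 1
}

# Stand-alone run: check the host this script runs on. When no ssh binary is
# present, a constructed banner (the one from the write-up) is used instead
# so the script still runs offline.
if command -v ssh >/dev/null 2>&1; then
    banner=$(ssh -V 2>&1)
else
    banner='OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017'   # constructed fallback
fi
rc=0
openssh_needs_upgrade "$banner" 7.8 || rc=$?
case $rc in
    0) echo "UPGRADE NEEDED: $banner" ;;
    1) echo "OK: $banner" ;;
    *) echo "could not parse an OpenSSH version from: $banner" ;;
esac
```

Exit code 2 is kept separate from "needs upgrade" so that an unexpected banner (a different SSH implementation, a missing binary) is reported instead of being silently treated as either outcome.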
III. Upgrading OpenSSH
1. Enable the telnet service
As a precaution, enable the telnet service so that a remote connection is still possible if something goes wrong with sshd.
# telnet depends on xinetd
yum install xinetd telnet-server -y
# append pts/0 pts/1 pts/2 pts/3 to /etc/securetty (root may only log in on the terminals listed there)
echo -e "pts/0\npts/1\npts/2\npts/3" >> /etc/securetty
# enable the telnet service at boot and start it
systemctl enable xinetd
systemctl enable telnet.socket
systemctl start telnet.socket
systemctl start xinetd
2. Stop the service and remove the old version
[root@logdb ~]# service sshd stop
Redirecting to /bin/systemctl stop sshd.service
[root@logdb ~]# rpm -qa | grep openssh
openssh-askpass-7.4p1-21.el7.x86_64
openssh-clients-7.4p1-21.el7.x86_64
openssh-7.4p1-21.el7.x86_64
openssh-server-sysvinit-7.4p1-21.el7.x86_64
openssh-server-7.4p1-21.el7.x86_64
[root@logdb ~]# rpm -e openssh-clients-7.4p1-21.el7.x86_64
[root@logdb ~]# rpm -e openssh-server-7.4p1-21.el7.x86_64
[root@logdb ~]# rpm -e openssh-7.4p1-21.el7.x86_64
……….
[root@logdb tmp]# mv /etc/ssh/* /tmp/sshbak/ # back up the configuration and host keys
3. Install build dependencies
[root@logdb tmp]# yum install gcc pam-devel zlib-devel
4. Install the software
[root@logdb tmp]# tar -xzvf openssh-8.3p1.tar.gz
[root@logdb tmp]# ls -l
total 1684
drwxr-xr-x. 5 1000 oinstall 12288 May 27 11:06 openssh-8.3p1
[root@logdb tmp]# chown -R root.root openssh-8.3p1 # fix ownership
[root@logdb tmp]# ls -l
total 1684
drwxr-xr-x. 5 root root 12288 May 27 11:06 openssh-8.3p1
-rw-rw-r--. 1 yjyr yjyr 1706358 Jul 1 14:06 openssh-8.3p1.tar.gz
drwxr-xr-x. 2 root root 174 Jul 1 14:37 sshbak
a) Configure, compile and install
[root@logdb openssh-8.3p1]# ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-zlib --with-md5-passwords --with-pam # configure; keep --prefix=/usr, otherwise the two paths in the sshd init script that point under /usr would have to be edited by hand:
[root@logdb yum.repos.d]# cat /etc/init.d/sshd
[root@logdb openssh-8.3p1]# make && make install
b) Copy the init script
[root@localhost openssh-8.3p1]# cp contrib/redhat/sshd.init /etc/init.d/sshd
c) Enable start at boot
[root@localhost ~]# chkconfig --add sshd
[root@localhost ~]# chkconfig sshd on
[root@localhost ~]# service sshd start
d) If root login is required, set the following in sshd_config (not recommended):
[root@localhost ~]# vim /etc/ssh/sshd_config
PermitRootLogin yes
e) Restart the ssh service
[root@localhost ~]# service sshd restart
Restarting sshd (via systemctl): [ OK ]
f) Verify the version
[root@localhost ~]# ssh -V
OpenSSH_8.3p1, OpenSSL 1.0.2k-fips 26 Jan 2017
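Two checks for the gap between `make install` in a) and the restart in e), as an added example that is not part of the original write-up (the function names, the sample configuration contents and the placeholder key files are assumptions; the backup path /tmp/sshbak is the one used in step 2). The `mv /etc/ssh/* /tmp/sshbak/` step empties /etc/ssh, and OpenSSH's `make install` then runs `ssh-keygen -A` and generates a brand-new set of host keys, so every client that already knows this server would get a host-key mismatch warning on its next login. The first two functions put the old keys back and confirm the public halves are unchanged. The third resolves PermitRootLogin the way sshd does (first occurrence wins, keyword case-insensitive, whitespace or `=` as separator, lines after a Match only apply conditionally), so the setting from d) can be verified rather than assumed. All paths are parameters so the functions can be exercised on temporary directories.

```shell
#!/bin/sh
# Added example (not part of the original write-up). Post-install checks to
# run between "make install" and "service sshd start":
#  1. carry the old host keys from the backup directory into the new /etc/ssh;
#  2. read the effective PermitRootLogin value from sshd_config.
# On the real host: restore_ssh_host_keys /tmp/sshbak /etc/ssh

# Copy ssh_host_*_key and the matching .pub from BACKUP_DIR into SSH_DIR,
# with 0600 on private and 0644 on public keys. Returns 1 when the backup
# holds no host key at all, so a mistyped backup path is noticed.
restore_ssh_host_keys() {
    backup_dir=$1
    ssh_dir=$2
    copied=0
    [ -d "$backup_dir" ] || return 1
    mkdir -p "$ssh_dir"
    for priv in "$backup_dir"/ssh_host_*_key; do
        [ -f "$priv" ] || continue              # unmatched glob
        name=${priv##*/}
        cp -p "$priv" "$ssh_dir/$name"
        chmod 0600 "$ssh_dir/$name"
        if [ -f "$priv.pub" ]; then
            cp -p "$priv.pub" "$ssh_dir/$name.pub"
            chmod 0644 "$ssh_dir/$name.pub"
        fi
        copied=$((copied + 1))
    done
    [ "$copied" -gt 0 ] || return 1
    printf 'restored %d host key(s) into %s\n' "$copied" "$ssh_dir"
}

# Exit 0 when every public host key in BACKUP_DIR is byte-identical to the
# one in SSH_DIR, i.e. the server identity clients have pinned is unchanged.
# An empty backup counts as a failure rather than a vacuous success.
host_identity_preserved() {
    compared=0
    for pub in "$1"/ssh_host_*_key.pub; do
        [ -f "$pub" ] || continue
        cmp -s "$pub" "$2/${pub##*/}" || return 1
        compared=$((compared + 1))
    done
    [ "$compared" -gt 0 ]
}

# Print the effective global value of KEYWORD in sshd_config FILE, or DEFAULT
# when the directive is absent. Usage: sshd_effective FILE KEYWORD DEFAULT
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[ \t]*#/ || NF == 0 { next }             # comment or blank line
        tolower($1) == "match" { inmatch = 1 }     # rest of file is conditional
        inmatch { next }
        {
            line = $0; sub(/^[ \t]*/, "", line)
            n = split(line, parts, /[ \t=]+/)
            if (n >= 2 && tolower(parts[1]) == key) { print parts[2]; found = 1; exit }
        }
        END { if (!found) print def }
    ' "$1"
}

# Exit 0 when PermitRootLogin resolves to "yes", the setting step d) advises
# against; prohibit-password (the OpenSSH default since 7.0) and no are fine.
root_login_enabled() {
    [ "$(sshd_effective "$1" PermitRootLogin prohibit-password)" = "yes" ]
}

# Stand-alone run: report the live configuration when readable (no changes made)
if [ -r /etc/ssh/sshd_config ]; then
    printf 'PermitRootLogin resolves to: %s\n' \
        "$(sshd_effective /etc/ssh/sshd_config PermitRootLogin prohibit-password)"
fi
```

The old sshd_config is deliberately not copied back: the 8.3 install writes a fresh one, and carrying over a 7.4 file wholesale may bring along directives the new release no longer accepts. Diff the two, port only what is needed, and run `sshd -t` before the restart in e).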
5. Errors
Sometimes the configure step fails with the following error:
checking if openpty correctly handles controlling tty... yes
checking whether AI_NUMERICSERV is declared... yes
checking if SA_RESTARTed signals interrupt select()... yes
checking for getpgrp... yes
checking if getpgrp accepts zero args... yes
configure: error: *** working libcrypto not found, check config.log
Installing the openssl-devel package with yum fixes it:
[root@localhost ~]# yum install openssl-devel