【openSSH】How to Upgrade OpenSSH on CentOS 7.x?

1. Background

The customer had a third-party security firm scan their servers, and many SSH vulnerabilities were reported. The cause is that CentOS 7.2 ships a fairly old OpenSSH, v6.6.1; these vulnerabilities are all fixed in newer OpenSSH releases, so for security reasons an upgrade is needed.

 


The yum repositories do not carry the latest OpenSSH, so we have to download the latest OpenSSH source tarball from the official site and build rpm packages ourselves.

Because the customer's servers have no Internet access, the result also has to be packaged as an offline upgrade bundle.

2. Environment

OS: CentOS 7.2 Minimal

serverA  192.168.1.104  simulates the build machine: has Internet access, used to build the offline upgrade bundle

serverB  192.168.1.106  simulates the customer server: no Internet access, older versions of the openSSH packages and their dependencies

3. Goal

Build OpenSSH and download its dependencies on serverA, wrap everything in a one-shot upgrade script, and copy it to serverB to complete the OpenSSH upgrade.

The latest OpenSSH source tarball at the time of writing is openssh-7.9p1.tar.gz

4. Procedure

On serverA:

# yum -y install  vim  wget epel-release

# yum  -y  install  rpm-build  gcc make

# yum -y install  openssl  openssl-devel krb5-devel pam-devel libX11-devel xmkmf libXt-devel

# wget  http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.9p1.tar.gz

# tar -zxf openssh-7.9p1.tar.gz

# mkdir -p  /root/rpmbuild/{SOURCES,SPECS}

# cp ./openssh-7.9p1/contrib/redhat/openssh.spec    /root/rpmbuild/SPECS/

# cp openssh-7.9p1.tar.gz    /root/rpmbuild/SOURCES/

# cd  /root/rpmbuild/SPECS/

# sed  -i  -e  "s/%define no_gnome_askpass 0/%define no_gnome_askpass 1/g"    openssh.spec

# sed  -i  -e  "s/%define no_x11_askpass 0/%define no_x11_askpass 1/g"    openssh.spec

# sed  -i  -e  "s/BuildPreReq/BuildRequires/g"    openssh.spec

# sed -i  -e  "s/BuildRequires: openssl-devel < 1.1/#BuildRequires: openssl-devel < 1.1/g" openssh.spec

# rpmbuild  -bb  openssh.spec

 


The built packages are placed under /root/rpmbuild/RPMS/x86_64/:

# ll  /root/rpmbuild/RPMS/x86_64


Putting the above steps into a script:

# cat build.sh

#####################################################
#!/bin/bash
# Build OpenSSH rpm packages from the upstream source tarball on serverA
OPENSSH_VERSION=7.9p1

yum -y install vim wget epel-release
yum -y install rpm-build gcc make
yum -y install openssl openssl-devel krb5-devel pam-devel libX11-devel xmkmf libXt-devel

# work under /root so the extracted tree ends up at /root/openssh-${OPENSSH_VERSION},
# which the later ssh-copy-id step expects
cd /root
wget http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${OPENSSH_VERSION}.tar.gz
tar -zxf openssh-${OPENSSH_VERSION}.tar.gz

mkdir -p /root/rpmbuild/{SOURCES,SPECS}
cp ./openssh-${OPENSSH_VERSION}/contrib/redhat/openssh.spec /root/rpmbuild/SPECS/
cp openssh-${OPENSSH_VERSION}.tar.gz /root/rpmbuild/SOURCES/
cd /root/rpmbuild/SPECS/

# skip the GNOME/X11 askpass helpers, use the current BuildRequires tag and
# comment out the versioned openssl-devel build requirement
sed -i -e "s/%define no_gnome_askpass 0/%define no_gnome_askpass 1/g" openssh.spec
sed -i -e "s/%define no_x11_askpass 0/%define no_x11_askpass 1/g" openssh.spec
sed -i -e "s/BuildPreReq/BuildRequires/g" openssh.spec
sed -i -e "s/BuildRequires: openssl-devel < 1.1/#BuildRequires: openssl-devel < 1.1/g" openssh.spec

rpmbuild -bb openssh.spec
ls -l /root/rpmbuild/RPMS/x86_64
########################################################

 


5. Testing the OpenSSH upgrade on the build machine

On serverA:

# cd  /root/rpmbuild/RPMS/x86_64

# rpm -Uvh *.rpm

 


# rpm -qa | grep openssh

 


At this point the upgrade should have been complete, but logging in from a client failed!

 


At first we suspected the rpm packages we had built; after a lot of back and forth it turned out that the default configuration was the problem.

Logging in with an SSH key did not work: the default host key files have permissions that are too open, so the key files' permissions have to be tightened:

# ll  /etc/ssh/ssh_host_*_key


# chmod 600  /etc/ssh/ssh_host_*_key

# ll /etc/ssh/ssh_host_*_key

 


After the upgrade, OpenSSH does not allow password login by default, so the configuration file has to be changed:

# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

# sed -i -e  "s/#PasswordAuthentication yes/PasswordAuthentication yes/g"  /etc/ssh/sshd_config

# sed -i -e  "s/#PermitRootLogin prohibit-password/PermitRootLogin yes/g"    /etc/ssh/sshd_config

# sed -i -e  "s/#PermitEmptyPasswords no/PermitEmptyPasswords no/g"  /etc/ssh/sshd_config

# sed -i  -e  "s/#UsePAM no/UsePAM yes/g"  /etc/ssh/sshd_config
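The sed commands above only take effect when sshd_config still carries the exact commented default (for example "#UsePAM no"); if the line was edited earlier, or an uncommented copy exists further down, sshd keeps the first value it reads and the sed changes nothing. The helper below is an added example, not code from the original post: it rewrites the first matching directive (commented or not) in the global section, drops duplicates, inserts the directive ahead of any Match block when it is absent (which goes beyond what the page's sed lines handle), and applies the four settings from this post; the function names are made up here.

```shell
#!/bin/bash
# set_sshd_option FILE KEY VALUE: rewrite the first "Key ..." or "#Key ..."
# line in the global section of FILE to "Key VALUE", drop later global
# duplicates, and insert the directive before the first Match block (or at
# the end) when it is absent. Keys compare case-insensitively, as in sshd.
set_sshd_option() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    awk -v k="$key" -v v="$value" '
        BEGIN { done = 0; inmatch = 0 }
        inmatch { print; next }                  # never touch Match blocks
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)      # look through a leading "#"
            split(line, f, /[ \t]+/)
            kw = tolower(f[1])
            if (kw == "match" && $0 !~ /^[ \t]*#/) {
                if (!done) { print k " " v; done = 1 }
                inmatch = 1; print; next
            }
            if (kw == tolower(k)) {
                if (!done) { print k " " v; done = 1 }
                next                             # drop duplicate directives
            }
            print
        }
        END { if (!done) print k " " v }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# get_sshd_option FILE KEY: print the value sshd will use for KEY globally
get_sshd_option() {
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(k) { print $2; exit }
    ' "$1"
}

# Apply the four directives from this post's install.sh to a config file
apply_page_sshd_settings() {
    set_sshd_option "$1" PasswordAuthentication yes &&
    set_sshd_option "$1" PermitRootLogin yes &&
    set_sshd_option "$1" PermitEmptyPasswords no &&
    set_sshd_option "$1" UsePAM yes
}
```

Run sshd -t after applying the changes and before systemctl restart sshd, so that a malformed directive cannot leave the server without a working sshd.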

 

The default /etc/pam.d/sshd uses the obsolete pam_stack.so module and needs to be replaced:

# cp /etc/pam.d/sshd /etc/pam.d/sshd.bak

# cat > /etc/pam.d/sshd <<EOF
#%PAM-1.0
auth required pam_sepermit.so
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth
EOF

 


Restart the ssh service and check its status:

# systemctl restart sshd

# systemctl enable  sshd

# systemctl status sshd


You will notice that the upgraded sshd service is started from an init script rather than from the /usr/lib/systemd/system/sshd.service unit file.

In fact the upgrade removed /usr/lib/systemd/system/sshd.service and added the service startup script /etc/init.d/sshd.

If you look closely you will also notice that ssh-copy-id, the command we routinely use to copy public keys for passwordless login, is gone after the upgrade!


It is not really gone; we just need to copy it from the extracted source tree into /usr/bin/:


# cp /root/openssh-7.9p1/contrib/ssh-copy-id  /usr/bin/

# chmod  755  /usr/bin/ssh-copy-id

 

6. Building the offline upgrade bundle

On serverA:

# yum -y install  yum-utils createrepo

# mkdir  /root/localrepo

# repotrack  openssl  -p /root/localrepo/

 


You may wonder: weren't we supposed to collect the dependencies of the openssh packages? Why are we fetching openssl?

As the installation above showed, upgrading openssh does not leave any missing dependencies; we only need to upgrade openssl accordingly.

So:

 

# cp  /root/rpmbuild/RPMS/x86_64/*.rpm  /root/localrepo

# createrepo -v    /root/localrepo

Write the offline upgrade install script:

# cat install.sh

######################################################
#!/bin/bash
# Offline OpenSSH upgrade for serverB: install from the bundled local repo,
# then apply the configuration fixes found during the test on serverA

# locate the directory this script lives in
parent_path=$( cd "$(dirname "${BASH_SOURCE}")"; pwd -P )
cd "$parent_path"

# temporarily replace all yum repos with the bundled local one
mkdir -p /etc/yum.repos.d/backup
mv /etc/yum.repos.d/*.repo /etc/yum.repos.d/backup
rm -rf /tmp/localrepo
mkdir -p /tmp/localrepo
cp -rf ./localrepo/* /tmp/localrepo
echo "[localrepo]"                      > /etc/yum.repos.d/localrepo.repo
echo "name=Local Repository"           >> /etc/yum.repos.d/localrepo.repo
echo "baseurl=file:///tmp/localrepo"   >> /etc/yum.repos.d/localrepo.repo
echo "gpgcheck=0"                      >> /etc/yum.repos.d/localrepo.repo
echo "enabled=1"                       >> /etc/yum.repos.d/localrepo.repo

yum clean all
yum -y install openssl
yum -y install openssh* --disablerepo="*" --enablerepo="localrepo"

# restore the original repo configuration
rm -rf /tmp/localrepo
rm -f /etc/yum.repos.d/localrepo.repo
mv /etc/yum.repos.d/backup/*.repo /etc/yum.repos.d
rm -rf /etc/yum.repos.d/backup

# the upgraded sshd refuses host keys whose permissions are too open
chmod 600 /etc/ssh/ssh_host_*_key

# modify /etc/ssh/sshd_config
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
sed -i -e "s/#PasswordAuthentication yes/PasswordAuthentication yes/g" /etc/ssh/sshd_config
sed -i -e "s/#PermitRootLogin prohibit-password/PermitRootLogin yes/g" /etc/ssh/sshd_config
sed -i -e "s/#PermitEmptyPasswords no/PermitEmptyPasswords no/g"      /etc/ssh/sshd_config
sed -i -e "s/#UsePAM no/UsePAM yes/g"                                  /etc/ssh/sshd_config

# modify /etc/pam.d/sshd (the stock file references the obsolete pam_stack.so)
cp /etc/pam.d/sshd /etc/pam.d/sshd.bak
cat > /etc/pam.d/sshd <<EOF
#%PAM-1.0
auth required pam_sepermit.so
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth
EOF

# copy ssh-copy-id
cp ssh-copy-id /usr/bin
chmod 755 /usr/bin/ssh-copy-id

# the upgrade replaced the systemd unit with /etc/init.d/sshd; reload so
# systemd picks up the generated unit before restarting
systemctl daemon-reload
systemctl restart sshd
systemctl enable sshd
systemctl status sshd
rpm -qa | grep open

if systemctl status sshd | grep -q "Active: active (running)"; then
  echo -e "\033[32m[INFO] OpenSSH upgraded to 7.9p1 successfully!\033[0m"
else
  echo -e "\033[31m[ERROR] OpenSSH upgrade to 7.9p1 failed!\033[0m"
fi
##############################################################
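Before shipping the bundle, or after install.sh has run on serverB, it is worth confirming that the three fixes this post uncovered (host key modes, the sshd_config directives, and the removal of pam_stack.so from /etc/pam.d/sshd) are actually in effect. The audit below is an added example, not part of the original post; it takes an optional root directory so it can be run against a test tree, and the function name is made up here.

```shell
#!/bin/bash
# verify_ssh_upgrade [ROOT]
# Audits the post-upgrade fixes from this post under ROOT (default: the live
# system, ROOT empty). Prints one line per finding; returns 0 when all pass.
verify_ssh_upgrade() {
    root=${1:-}
    rc=0

    # 1. private host keys must be exactly 0600; the upgraded sshd will not
    #    use keys that are too open (CentOS 7 ships them 0640 root:ssh_keys)
    for key in "$root"/etc/ssh/ssh_host_*_key; do
        [ -e "$key" ] || continue
        if [ -z "$(find "$key" -prune -perm 600)" ]; then
            echo "FAIL: $key is not mode 0600"
            rc=1
        fi
    done

    # 2. the directives install.sh sets must be the first uncommented value
    #    in the global section (anything after a Match line is ignored)
    cfg="$root/etc/ssh/sshd_config"
    for pair in PasswordAuthentication=yes UsePAM=yes PermitEmptyPasswords=no; do
        k=${pair%%=*}
        want=${pair#*=}
        got=$(awk -v k="$k" '
            /^[ \t]*#/ { next }
            tolower($1) == "match" { exit }
            tolower($1) == tolower(k) { print $2; exit }
        ' "$cfg" 2>/dev/null)
        if [ "$got" != "$want" ]; then
            echo "FAIL: $k is '${got:-unset}' in $cfg, expected $want"
            rc=1
        fi
    done

    # 3. the PAM stack must no longer reference the obsolete pam_stack.so
    if grep -q 'pam_stack\.so' "$root/etc/pam.d/sshd" 2>/dev/null; then
        echo "FAIL: $root/etc/pam.d/sshd still references pam_stack.so"
        rc=1
    fi
    return $rc
}
```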

 


Package the offline bundle:

# mkdir /root/opensshUpgrade

# cp install.sh /root/opensshUpgrade

# cp -r localrepo /root/opensshUpgrade

# cp /root/openssh-7.9p1/contrib/ssh-copy-id /root/opensshUpgrade

# tar -zcf opensshUpgrade.tar.gz opensshUpgrade

7. Upgrading OpenSSH offline

Copy the offline upgrade bundle opensshUpgrade.tar.gz to serverB:

# tar -zxf opensshUpgrade.tar.gz

# cd opensshUpgrade

# bash install.sh | tee install.log

 


# rpm -qa | grep openssl

# rpm -qa | grep openssh

 


# systemctl  status sshd

 


Test the login:

[C:\~]$  ssh  root@192.168.1.106

 


