A vulnerability scanner run against the business VMs reported vulnerabilities in OpenSSH, so this time openssh 5.3p1 has to be upgraded to OpenSSH_8.0p1.
[root@APP ~]# uname -a
Linux APP168 2.6.32-431.el6.x86_64 #1 SMP Sun Nov 10 22:19:54 EST 2013 x86_64 x86_64 x86_64 GNU/Linux
[root@APP ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.5 (Santiago)
[root@APP~]# ssh -V
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
To upgrade to OpenSSH_8.0p1, the matching OpenSSL has to be upgraded as well.
First remove the existing openssh; stop the sshd service before removing it.
[root@APP ~]# rpm -e `rpm -qa | grep openssh`
error: Failed dependencies:
        openssh-clients is needed by (installed) python-meh-0.12.1-3.el6.noarch
[root@APP ~]# rpm -e `rpm -qa | grep openssl` --nodeps
[root@APP ~]# rpm -e firstboot-1.110.15-1.el6.x86_64
[root@APP ~]# rpm -e python-meh-0.12.1-3.el6.noarch
[root@APP ~]# rpm -e `rpm -qa | grep openssh`
[root@APP ~]# yum install firstboot
Alternatively remove the packages with rpm and clear the system's /etc/ssh directory at the same time:
[root@APP ~]# service sshd stop
Stopping sshd: [ OK ]
[root@APP ~]# rpm -qa openssh
openssh-5.3p1-94.el6.x86_64
[root@APP ~]# rpm -e --nodeps openssh-server
[root@APP ~]# rpm -e --nodeps openssh-clients
[root@APP ~]# rpm -e --nodeps openssh-askpass
[root@APP ~]# rpm -e --nodeps openssh
[root@APP ~]# rm -rf /etc/ssh
Reboot!!!
Then install openssl-1.1.1c:
[root@APP ~]# cd ../openssl-1.1.1c/
[root@APP ~openssl-1.1.1c]# ./config --prefix=/usr/local/openssl --shared
[root@dbAPP ~ openssl-1.1.1c]# make && make install
[root@APP ~]# openssl version
OpenSSL 1.1.1c 28 May 2019
Then install openssh-8.0p1: upload the openssh tarball, unpack it, and start the installation.
[root@APP ~openssh-8.0p1]# ./configure --prefix=/usr/ --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/openssl --with-zlib=/usr/local/zlib --with-md5-passwords --without-hardening && make && make install
Edit the configuration files:
[root@APP ~openssh-8.0p1]# cp contrib/redhat/sshd.init /etc/init.d/sshd
[root@APP ~]# chmod +x /etc/init.d/sshd
The init script normally already carries the execute bit, so the file needs no further changes.
Add it to the system services:
[root@openssh-8.0p1]# chkconfig --add sshd
[root@openssh-8.0p1]# service sshd start
Finally check the version with ssh -V (note the capital V):
[root@APP ~]# ssh -V
OpenSSH_8.0P1 , OpenSSL 1.1.1c 28 May 2019
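The steps above delete /etc/ssh, so the host keys the old 5.3p1 daemon used are gone and make install generates fresh ones; every client that already trusts this host then sees a changed host key. The following script is an added example, not part of the original post or of the OpenSSH project: it wraps the same uninstall, build and install sequence in functions, saves /etc/ssh before it is removed, and copies the old host keys back into the new installation. The source and backup directories (/usr/local/src/openssl-1.1.1c, /usr/local/src/openssh-8.0p1, /root/ssh-backup-YYYYMMDD), the ld.so.conf entry and the privilege-separation user check are assumptions and additions of this example; the configure flags are the ones used above. Run it from the console or from a session you keep open, since it stops sshd.

```bash
#!/bin/bash
# Added example, not from the original post: the upgrade steps wrapped in functions,
# with /etc/ssh saved before it is deleted and the old host keys put back afterwards.
# Source and backup locations are assumptions; change them to where the tarballs were unpacked.
set -e
OPENSSL_SRC=${OPENSSL_SRC:-/usr/local/src/openssl-1.1.1c}
OPENSSH_SRC=${OPENSSH_SRC:-/usr/local/src/openssh-8.0p1}
SSH_CONF_DIR=${SSH_CONF_DIR:-/etc/ssh}
BACKUP_DIR=${BACKUP_DIR:-/root/ssh-backup-$(date +%Y%m%d)}

# Save the whole /etc/ssh tree (host keys, sshd_config, moduli) before "rm -rf /etc/ssh".
backup_ssh_dir() {
    mkdir -p "$BACKUP_DIR"
    cp -a "$SSH_CONF_DIR"/. "$BACKUP_DIR"/
}

# restore_host_keys BACKUP CONFDIR: copy ssh_host_*_key and ssh_host_*_key.pub from BACKUP
# into CONFDIR so clients keep seeing the host key they already trust. Prints the number of
# files restored and returns 1 when the backup held no host keys. The protocol-1 key
# (ssh_host_key) is skipped on purpose: OpenSSH 8.0 no longer supports protocol 1.
restore_host_keys() {
    local backup=$1
    local conf=$2
    local n=0 key
    mkdir -p "$conf"
    for key in "$backup"/ssh_host_*_key "$backup"/ssh_host_*_key.pub; do
        [ -f "$key" ] || continue
        cp -p "$key" "$conf"/
        n=$((n + 1))
    done
    # sshd refuses private host keys that are group- or world-readable
    chmod 600 "$conf"/ssh_host_*_key 2>/dev/null || true
    echo "$n"
    [ "$n" -gt 0 ]
}

# Build OpenSSL 1.1.1c into /usr/local/openssl as in the post. The ld.so.conf entry is an
# addition: with --shared, sshd links against libcrypto.so.1.1 and the loader must find it.
build_openssl() {
    cd "$OPENSSL_SRC"
    ./config --prefix=/usr/local/openssl --shared
    make
    make install
    echo /usr/local/openssl/lib > /etc/ld.so.conf.d/openssl-1.1.conf
    ldconfig
}

# Build OpenSSH 8.0p1 with the configure flags used in the post and register the init script.
build_openssh() {
    cd "$OPENSSH_SRC"
    ./configure --prefix=/usr --sysconfdir="$SSH_CONF_DIR" \
        --with-ssl-dir=/usr/local/openssl --with-zlib=/usr/local/zlib \
        --with-md5-passwords --without-hardening
    make
    make install
    cp contrib/redhat/sshd.init /etc/init.d/sshd
    chmod +x /etc/init.d/sshd
    chkconfig --add sshd
}

# sshd will not start without its privilege-separation user; recreate it if it is missing
# (assumption: the upstream default privsep directory /var/empty is used).
ensure_privsep_user() {
    id sshd >/dev/null 2>&1 || useradd -r -M -d /var/empty -s /sbin/nologin sshd
}

main() {
    service sshd stop || true
    backup_ssh_dir
    for p in $(rpm -qa 'openssh*'); do rpm -e --nodeps "$p"; done
    rm -rf "$SSH_CONF_DIR"
    build_openssl
    build_openssh                       # make install writes a fresh config and new host keys
    restore_host_keys "$BACKUP_DIR" "$SSH_CONF_DIR" \
        || echo "no host keys in backup; keeping the freshly generated ones"
    ensure_privsep_user
    sshd -t                             # syntax-check sshd_config before starting the daemon
    service sshd start
    ssh -V
}

# Only run the upgrade when asked, so the file can be sourced for its functions.
if [ "${RUN_UPGRADE:-0}" = "1" ]; then main; fi
```

Usage: `RUN_UPGRADE=1 bash upgrade-openssh.sh` as root. Because the old RSA host key is restored after make install, existing known_hosts entries stay valid, while the ecdsa and ed25519 keys generated by 8.0p1 are kept alongside it.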
A few issues, in review:
1. make fails when building openssh 8.0
Header files were missing: the original OpenSSL 1.0.0 is too old, and upgrading to openssl-1.1.1c resolves it.
2. PuTTY closes right after the password is entered
Edit the sshd configuration file /etc/ssh/sshd_config and add the following:
Ciphers aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc,arcfour128,arcfour256,arcfour,blowfish-cbc,cast128-cbc
MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,diffie-hellman-group1-sha1,curve25519-sha256@libssh.org (ecdh-sha2-nistp521 is removed from this line)
Then restart the sshd service.
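The three lines above widen the server's algorithm lists to include CBC ciphers, RC4 (arcfour), 3DES, MD5 and truncated MACs and 1024-bit group1 key exchange, which are exactly the weaknesses a scanner reports, so the upgrade gains little if they stay; updating the client is the cleaner fix, since a current PuTTY negotiates OpenSSH 8.0's default algorithms. There is also a practical catch: OpenSSH 7.6 removed arcfour, blowfish-cbc, cast128-cbc and hmac-ripemd160 entirely, and an 8.0 sshd refuses to load a config that names them ("Bad SSH2 cipher spec" / "Bad SSH2 mac spec"), which is why validating with `sshd -t` before the restart matters. The script below is an added example, not from the original post or the OpenSSH project: it audits the Ciphers, MACs and KexAlgorithms lines of a given sshd_config against those two lists (taken from the OpenSSH release notes) and then hands the file to `sshd -t -f` when sshd is installed. The exit codes 0/1/2 are this example's own convention.

```bash
#!/bin/bash
# Added example, not from the original post: audit the Ciphers / MACs / KexAlgorithms
# lines of an sshd_config before restarting sshd. Names removed in OpenSSH 7.6 make an
# 8.0 daemon refuse the whole file; the other names still load but are left out of
# 8.0's defaults for known weaknesses. Both lists follow the OpenSSH release notes.
set -e

REMOVED_IN_80="arcfour arcfour128 arcfour256 blowfish-cbc cast128-cbc hmac-ripemd160"
LEGACY="3des-cbc aes128-cbc aes192-cbc aes256-cbc hmac-md5 hmac-md5-96 hmac-sha1-96
        diffie-hellman-group1-sha1 diffie-hellman-group-exchange-sha1 diffie-hellman-group14-sha1"

# is_in NAME LIST: succeed if NAME is one of the whitespace-separated words in LIST
is_in() {
    local w
    for w in $2; do [ "$w" = "$1" ] && return 0; done
    return 1
}

# audit_sshd_config FILE: print "Keyword name REMOVED|LEGACY" for every offending entry.
# Commented-out lines are ignored; the +/-/^ list-edit prefix of newer OpenSSH is stripped.
audit_sshd_config() {
    awk '
        tolower($1) ~ /^(ciphers|macs|kexalgorithms)$/ {
            sub(/^[-+^]/, "", $2)
            n = split($2, a, ",")
            for (i = 1; i <= n; i++) print $1, a[i]
        }' "$1" |
    while read -r kw name; do
        if is_in "$name" "$REMOVED_IN_80"; then
            echo "$kw $name REMOVED"
        elif is_in "$name" "$LEGACY"; then
            echo "$kw $name LEGACY"
        fi
    done
}

# sshd_config_verdict FILE: 0 clean, 2 legacy names only, 1 the file will not load on OpenSSH 8.0
sshd_config_verdict() {
    local out
    out=$(audit_sshd_config "$1")
    [ -z "$out" ] || echo "$out"
    if echo "$out" | grep -q ' REMOVED$'; then
        echo "FAIL: algorithm names removed in OpenSSH 7.6 are present; sshd 8.0 will reject this file"
        return 1
    elif echo "$out" | grep -q ' LEGACY$'; then
        echo "WARN: legacy algorithms enabled; prefer updating the client instead"
        return 2
    fi
    echo "OK: only current algorithm names listed"
}

# When sshd is installed, let it judge the file itself (-t: test mode, -f: config path).
sshd_syntax_check() {
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1"
    else
        echo "sshd not installed here; skipping sshd -t" >&2
    fi
}

# Usage: bash audit-sshd-config.sh /etc/ssh/sshd_config
if [ -n "${1:-}" ]; then
    sshd_syntax_check "$1"
    sshd_config_verdict "$1"
fi
```

Run against the config produced by the lines above, the audit reports the five removed cipher names and hmac-ripemd160 as REMOVED and the CBC, MD5/SHA1-96 and group1/group-exchange-sha1 entries as LEGACY; the names OpenSSH 8.0 enables by default (aes*-ctr, umac-64@openssh.com, curve25519-sha256@libssh.org, ecdh-sha2-nistp*) pass silently.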
3. Replacing the version string that is displayed
Find where sshd lives:
# whereis sshd
Back up sshd:
# cp /usr/sbin/sshd /usr/sbin/sshd.bak.20190730
[root@APP ~]# strings /usr/sbin/sshd | grep OpenSSH
OpenSSH_3.
OpenSSH_5
OpenSSH_6.6.1
OpenSSH_6.5,OpenSSH_6.6
OpenSSH
OpenSSH_2.,OpenSSH_3.0,OpenSSH_3.1
OpenSSH_2,OpenSSH_3,OpenSSH_4
OpenSSH_7.0,OpenSSH_7.1,OpenSSH_7.2,OpenSSH_7.3,OpenSSH_7.4,OpenSSH_7.5,OpenSSH_7.6,OpenSSH_7.7
Replace the version information:
# sed -i 's/OpenSSH_5.3/OpenSSH_8.0/g' /usr/sbin/sshd
Restart sshd:
# service sshd restart
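A network scanner does not read strings out of the file on disk; it judges the host by the identification line (for example `SSH-2.0-OpenSSH_8.0`) that the running daemon sends on port 22, and that line comes from whichever sshd executable is actually serving the port. `ssh -V` only reports the client build. The check that settles whether the upgrade took effect is therefore to look at the executable behind each sshd process and at the banner the daemon announces, which the following added example does; it is not part of the original post or of the OpenSSH project, needs bash (for the /dev/tcp redirection) and Linux /proc, and the `--verify` flag is this example's own.

```bash
#!/bin/bash
# Added example, not from the original post: confirm which sshd executable is really serving
# port 22 and what version it announces, instead of rewriting strings inside the binary.
# Needs bash (the /dev/tcp redirection) and Linux /proc.

# parse_banner LINE: print the version from an OpenSSH identification line,
# "SSH-2.0-OpenSSH_8.0" -> "8.0". Returns 1 if LINE is not an OpenSSH banner.
parse_banner() {
    local line v
    line=$(printf '%s' "$1" | tr -d '\r')
    case "$line" in
        SSH-2.0-OpenSSH_*|SSH-1.99-OpenSSH_*) ;;
        *) return 1 ;;
    esac
    v=${line#SSH-*-OpenSSH_}     # strip the protocol prefix
    v=${v%% *}                   # and the optional comment after the first space
    printf '%s\n' "$v"
}

# grab_banner HOST PORT: print the identification line the daemon sends on connect.
# Runs in a subshell so a failed connect only fails the function.
grab_banner() (
    host=${1:-127.0.0.1}; port=${2:-22}
    exec 3<>"/dev/tcp/$host/$port" || exit 1
    printf 'SSH-2.0-upgrade-check\r\n' >&3      # our own identification, as a client would send
    line=
    while IFS= read -r -t 5 line <&3; do         # a server may send text lines before SSH-
        case "$line" in SSH-*) break ;; esac
    done
    exec 3<&- 3>&-
    [ -n "$line" ] || exit 1
    printf '%s\n' "$line"
)

# running_sshd_exe: one line per sshd process, "<pid> <executable>". /proc reports the file
# actually mapped; a " (deleted)" suffix means the daemon predates the file now on disk,
# i.e. the old sshd is still running after the new one was installed.
running_sshd_exe() {
    local pid
    for pid in $(pgrep -x sshd 2>/dev/null); do
        printf '%s %s\n' "$pid" "$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')"
    done
}

# verify_upgrade EXPECTED: show the evidence and succeed only if the daemon announces EXPECTED.
verify_upgrade() {
    local expected=${1:-8.0} banner v
    echo "== sshd processes and the executables behind them"
    running_sshd_exe
    echo "== client build: $(ssh -V 2>&1)"
    banner=$(grab_banner 127.0.0.1 22) || { echo "no banner from 127.0.0.1:22"; return 1; }
    v=$(parse_banner "$banner") || { echo "not an OpenSSH banner: $banner"; return 1; }
    echo "== daemon announces OpenSSH_$v"
    [ "$v" = "$expected" ]
}

# Usage: bash verify-sshd.sh --verify 8.0
if [ "${1:-}" = "--verify" ]; then verify_upgrade "${2:-8.0}"; fi
```

On a correctly upgraded host every sshd line from /proc points at /usr/sbin/sshd without a "(deleted)" suffix and the daemon announces OpenSSH_8.0; a "(deleted)" suffix or an older banner means the old daemon is still the one listening and a restart, not a string edit, is what is needed.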