Upgrading OpenSSL and OpenSSH on CentOS


Preface

The ssh version shipped with CentOS 7 is old and has high-severity vulnerabilities, so we upgrade it to the latest version (currently 7.9p1).

Notes

  • Upgrading ssh carries some risk: if the upgrade fails you may no longer be able to reach the system remotely,
    so before upgrading it is best to have a fallback remote service such as telnet ready, just in case.
  • The openssh being upgraded depends on openssl and zlib; different openssh versions depend on different versions of these, and a version that is too high or too low will not work.

Download addresses
http://www.zlib.net/
https://www.openssl.org/source/
http://www.openssh.com/portable.html

Install the telnet service

Install the packages

# yum -y install xinetd telnet-server* telnet

Enable the telnet service

# vi /etc/xinetd.d/telnet   # CentOS 7 does not have this configuration file
Change yes to no in the disable line to enable the telnet service

By default, the root user cannot log in over telnet on Linux.
You need to edit /etc/securetty
to allow the root account to log in.


# vi /etc/securetty

Append two lines at the end
pts/0
pts/1
# mv /etc/securetty /etc/securetty.old    # alternatively, allow the root user to log in via telnet by moving the file aside

CentOS 6:
# service xinetd start   # start the telnet service

# chkconfig xinetd on    # start the telnet service at boot, so you can still log in remotely if the server reboots unexpectedly during the upgrade

CentOS 7:

# systemctl enable telnet.socket  
# systemctl start telnet.socket
# systemctl enable xinetd
# systemctl start xinetd

Be sure to test that a telnet connection works before continuing. There are also firewall port issues, which are not covered here.
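As an added example (not part of the original post), the following sh functions check the two preconditions this section relies on before the stock OpenSSH is removed: something is listening on tcp/23, and root is permitted on the pts lines in /etc/securetty (or the file has been moved aside). The ss parser takes its input as a string so it can be exercised on a constructed sample; iproute's ss command is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight checks for the telnet fallback.

# has_listener <port> <output of `ss -ltn`>: returns 0 if any socket listens on <port>.
# The local address is field 4 ("*:23", "0.0.0.0:23" or "[::]:23"); the port is the
# last colon-separated component, so IPv6 brackets do not matter.
has_listener() {
    port=$1
    ss_output=$2
    printf '%s\n' "$ss_output" | awk -v p="$port" '
        NR > 1 { n = split($4, a, ":"); if (a[n] == p) found = 1 }
        END { exit found ? 0 : 1 }'
}

# root_allowed_on_pts <securetty file>: returns 0 if root may log in on pts/0 and
# pts/1, or if the file is absent (pam_securetty then imposes no restriction).
root_allowed_on_pts() {
    f=$1
    [ -e "$f" ] || return 0
    grep -qx 'pts/0' "$f" && grep -qx 'pts/1' "$f"
}

# preflight: run on the real host before removing openssh; returns 0 only when
# both checks pass.
preflight() {
    ss_now=$(ss -ltn 2>/dev/null) || { echo "ss not available" >&2; return 2; }
    has_listener 23 "$ss_now" || { echo "nothing listening on tcp/23: telnet fallback missing" >&2; return 1; }
    root_allowed_on_pts /etc/securetty || { echo "/etc/securetty does not list pts/0 and pts/1" >&2; return 1; }
    echo "fallback OK"
}

# Usage on the server (keep the existing ssh session open while you run it):
#   preflight && echo "safe to continue"
```

Run preflight from a second terminal and keep the original ssh session open until the new sshd is confirmed working; only continue when it prints "fallback OK".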

Installing (upgrading) OpenSSL

Install the build dependencies

# yum install wget vim gcc gcc-c++ zlib zlib-devel

Download the package

# wget https://www.openssl.org/source/openssl-1.1.1b.tar.gz

Compile and install

# yum remove openssl # remove the system-supplied openssl
# tar -zxvf openssl-1.1.1b.tar.gz
# cd openssl-1.1.1b
# ./config  --prefix=/usr --openssldir=/etc/pki/tls
# make && make install_sw   # install_sw installs only the components; use install instead if you also want the documentation
# openssl version -a  # check that the installation succeeded

Installing (upgrading) OpenSSH

Install the build dependencies

# yum install -y gcc openssl-devel pam-devel rpm-build

Download the package

# wget http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.9p1.tar.gz
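Both the OpenSSL and the OpenSSH tarballs above are built and installed as root, and the OpenSSH one is fetched over plain http, so their integrity should be checked before unpacking. The following sh functions are an added example (not from the original post): verify_sha256 compares a file against a published digest, and verify_detached_sig checks the detached .asc signature that both projects publish next to the tarball, assuming the project's signing key has already been imported into the local gpg keyring. The digest in the usage comment is a placeholder, not a real value.

```shell
#!/bin/sh
# Added example, not from the original post: integrity checks for downloaded source tarballs.

# verify_sha256 <file> <expected hex digest>: returns 0 only if the SHA-256 of
# <file> equals the expected digest (case-insensitive); 2 if the file is unreadable.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -r "$file" ] || { echo "missing or unreadable: $file" >&2; return 2; }
    actual=$(sha256sum "$file" | awk '{print $1}')
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "checksum mismatch for $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# verify_detached_sig <tarball>: verifies <tarball>.asc with gpg. The release
# signing key must already be in the keyring (assumption: imported beforehand).
verify_detached_sig() {
    tarball=$1
    [ -r "$tarball.asc" ] || { echo "missing signature: $tarball.asc" >&2; return 2; }
    gpg --verify "$tarball.asc" "$tarball"
}

# Usage (REPLACE_WITH_PUBLISHED_SHA256 is a placeholder, not a real digest):
#   verify_sha256 openssh-7.9p1.tar.gz REPLACE_WITH_PUBLISHED_SHA256 \
#       && verify_detached_sig openssh-7.9p1.tar.gz \
#       && tar -zxvf openssh-7.9p1.tar.gz
```

Only unpack and build when both checks succeed; a mismatch means the download should be discarded and fetched again from the project's own site.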

Compile and install

# for i in $(rpm -qa |grep openssh);do rpm -e $i --nodeps;done # remove the original openssh
# tar -zxvf openssh-7.9p1.tar.gz
# cd openssh-7.9p1
# ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam
# make && make install

Set up the service
# cp contrib/redhat/sshd.init /etc/init.d/sshd
# chkconfig --add sshd
# chkconfig sshd on
# chkconfig --list|grep sshd

Edit the configuration
# sed -i '/^#PermitRootLogin/s/#PermitRootLogin yes/PermitRootLogin yes/' /etc/ssh/sshd_config
# sed -i '/^GSSAPICleanupCredentials/s/GSSAPICleanupCredentials yes/#GSSAPICleanupCredentials yes/' /etc/ssh/sshd_config
# sed -i '/^UsePAM/s/UsePAM yes/#UsePAM yes/' /etc/ssh/sshd_config
# sed -i '/^GSSAPIAuthentication/s/GSSAPIAuthentication yes/#GSSAPIAuthentication yes/' /etc/ssh/sshd_config
# sed -i '/^GSSAPIAuthentication/s/GSSAPIAuthentication no/#GSSAPIAuthentication no/' /etc/ssh/sshd_config
# service sshd restart
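A restart with a broken sshd_config would cut off the only encrypted way back in, so the edits above are worth validating with sshd -t before the service is restarted. The script below is an added example (not the post's own): it applies the same sed edits to a configurable file, keeps a backup, restores it if validation fails, and also checks that the installed binary reports the expected OpenSSH and OpenSSL versions (ssh -V prints a banner such as "OpenSSH_7.9p1, OpenSSL 1.1.1b  26 Feb 2019"). The config path and the restart command follow the post; everything else is assumed.

```shell
#!/bin/sh
# Added example, not from the original post: apply, validate, then restart.

# apply_sshd_edits <config file>: the post's sed edits, applied to the given file.
apply_sshd_edits() {
    cfg=$1
    sed -i \
        -e 's/^#PermitRootLogin yes/PermitRootLogin yes/' \
        -e 's/^GSSAPICleanupCredentials yes/#&/' \
        -e 's/^UsePAM yes/#&/' \
        -e 's/^GSSAPIAuthentication yes/#&/' \
        -e 's/^GSSAPIAuthentication no/#&/' \
        "$cfg"
}

# config_ok <config file>: syntax-check with the installed sshd; a missing sshd
# counts as failure, since then nothing could be restarted anyway.
config_ok() {
    command -v sshd >/dev/null 2>&1 && sshd -t -f "$1"
}

# version_matches <openssh version> <openssl version> <banner from `ssh -V`>:
# returns 0 if the banner names exactly those two versions.
version_matches() {
    expected_ssh=$1
    expected_ssl=$2
    banner=$3
    case $banner in
        "OpenSSH_${expected_ssh}, OpenSSL ${expected_ssl}"|"OpenSSH_${expected_ssh}, OpenSSL ${expected_ssl} "*) return 0 ;;
    esac
    return 1
}

# upgrade_sshd_config: back up, edit, validate, restart; roll back on a bad config.
upgrade_sshd_config() {
    cfg=/etc/ssh/sshd_config
    bak="$cfg.bak.$(date +%s)"
    cp -p "$cfg" "$bak" || return 1
    apply_sshd_edits "$cfg"
    if config_ok "$cfg"; then
        service sshd restart
    else
        echo "sshd_config failed validation; restoring $bak and not restarting" >&2
        cp -p "$bak" "$cfg"
        return 1
    fi
}

# Usage on the server (ssh -V writes its banner to stderr):
#   version_matches 7.9p1 1.1.1b "$(ssh -V 2>&1)" && upgrade_sshd_config
```

Keep the current session open while this runs and open a second ssh connection to confirm the new daemon accepts logins before closing anything.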

Possible problems

1. If PAM session management is enabled (UsePAM yes), you need to create an sshd file under /etc/pam.d/;
be sure not to use the one bundled with the source package.
vi /etc/pam.d/sshd

#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare

2. WARNING: UNPROTECTED PRIVATE KEY FILE!
Change the permissions of the three key files under /etc/ssh to 600, or simply delete them and regenerate:

ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key
ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key
ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key   # key type must match the file name
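The warning above is sshd refusing a host key whose mode or ownership is too permissive. The following sh functions are an added example (not from the original post) that report any private host key not set to 600, fix the modes, and regenerate any of the three key types that are missing. The directory is a parameter so the checks can be run against a scratch directory; ssh-keygen is assumed to be the one installed by the upgrade.

```shell
#!/bin/sh
# Added example, not from the original post: host key mode check and regeneration.

# key_perm_problems <dir>: prints every private host key in <dir> whose mode is
# not 600; returns 0 when none are found, 1 otherwise.
key_perm_problems() {
    dir=$1
    bad=0
    for k in "$dir"/ssh_host_*_key; do
        [ -e "$k" ] || continue
        mode=$(stat -c '%a' "$k")
        if [ "$mode" != "600" ]; then
            echo "$k: mode $mode (expected 600)"
            bad=1
        fi
    done
    return $bad
}

# fix_host_key_perms <dir>: private keys to 600, public halves to 644. Ownership is
# set to root only when running as root, so the function is usable unprivileged.
fix_host_key_perms() {
    dir=$1
    for k in "$dir"/ssh_host_*_key; do
        [ -e "$k" ] || continue
        chmod 600 "$k"
        [ "$(id -u)" -eq 0 ] && chown root:root "$k"
        [ -e "$k.pub" ] && chmod 644 "$k.pub"
    done
    return 0
}

# regen_missing_host_keys <dir>: create any of the three key types the post uses
# that are absent. Host keys have no passphrase, hence -N ''.
regen_missing_host_keys() {
    dir=$1
    for t in rsa ecdsa ed25519; do
        f="$dir/ssh_host_${t}_key"
        [ -e "$f" ] || ssh-keygen -q -t "$t" -N '' -f "$f" || return 1
    done
    return 0
}

# Usage on the server:
#   key_perm_problems /etc/ssh || fix_host_key_perms /etc/ssh
#   regen_missing_host_keys /etc/ssh && service sshd restart
```

Regenerating a host key changes the server's fingerprint, so clients that already have the old key in known_hosts will see a host-key-changed warning on their next connection; announce the new fingerprints rather than telling users to ignore the warning.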