Upgrading to OpenSSH 6.6p1 on AIX 6.1 by compiling from source

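Recently an NSFOCUS scan reported high-severity OpenSSH vulnerabilities on our AIX 5.3 and AIX 6.1 systems; every version before OpenSSH 6.4 is flagged as high risk. The IBM website only offers the latest OpenSSH 6.0 installation files for download, so I had no choice but to experiment with installing the upgrade from source. I hit all kinds of errors along the way, and it took about a week before I managed to get the OpenSSH version upgraded. The installation steps follow.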


1. Modify the /etc/profile file


cp -p /etc/profile /etc/profile_bak  


Add the following to /etc/profile:

export LIBPATH=/opt/freeware/lib

export PATH=$PATH:/usr/local/bin:/usr/local/sbin


source /etc/profile


2. Install openssl 1.0.1g

Download the required openssl RPM packages from http://www-frec.bull.com/recherche.php and install them:

openssl-1.0.1g-1.aix6.1.ppc.rpm

openssl-devel-1.0.1g-1.aix6.1.ppc.rpm


root@SHDNSDB02:/home/weihu>rpm -Uvh openssl-1.0.1g-1.aix6.1.ppc.rpm 

warning: /var/ssl/openssl.cnf saved as /var/ssl/openssl.cnf.rpmorig

openssl                     ##################################################

root@SHDNSDB02:/home/weihu>rpm -Uvh openssl-devel-1.0.1g-1.aix6.1.ppc.rpm 

openssl-devel               ##################################################


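Next, zlib needs to be installed. Since GCC is not installed, GCC has to be installed first.

Download the GCC RPM package and its dependency packages from http://www-frec.bull.com/recherche.php and install them: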

2503gcc-cpp-4.8.1-2.aix6.1.ppc.rpm-with-deps.zip

gcc-4.8.1-2.aix6.1.ppc.rpm


First, extract 2503gcc-cpp-4.8.1-2.aix6.1.ppc.rpm-with-deps.zip:

root@SHDNSDB02:/home/weihu>jar -xvf 2503gcc-cpp-4.8.1-2.aix6.1.ppc.rpm-with-deps.zip 

 inflated: libmpc-0.9-1.aix5.3.ppc.rpm

 inflated: zlib-1.2.5-6.aix6.1.ppc.rpm

 inflated: info-5.0-2.aix6.1.ppc.rpm

 inflated: gettext-0.17-8.aix6.1.ppc.rpm

 inflated: libiconv-1.14-1.aix6.1.ppc.rpm

 inflated: gmp-5.1.3-1.aix6.1.ppc.rpm

 inflated: mpfr-3.1.2-1.aix6.1.ppc.rpm

 inflated: gcc-4.8.1-2.aix6.1.ppc.rpm

 inflated: gcc-cpp-4.8.1-2.aix6.1.ppc.rpm

 inflated: libgcc-4.8.1-2.aix6.1.ppc.rpm

 inflated: bash-4.2-9.aix6.1.ppc.rpm


root@SHDNSDB02:/home/weihu>rpm -Uvh libgcc-4.8.1-2.aix6.1.ppc.rpm 

libgcc                      ##################################################

root@SHDNSDB02:/home/weihu>rpm -Uvh gmp-5.1.3-1.aix6.1.ppc.rpm 

gmp                         ##################################################

root@SHDNSDB02:/home/weihu>rpm -Uvh gettext-0.17-8.aix6.1.ppc.rpm --nodeps

/

gettext                     ##################################################

add libintl.so.1 (32bits) shared member to /opt/freeware/lib/libintl.a

add libintl.so.1 (64bits) shared member to  /opt/freeware/lib/libintl.a

/

root@SHDNSDB02:/home/weihu>rpm -Uvh libiconv-1.14-1.aix6.1.ppc.rpm 

libiconv                    ##################################################

add shr4.o shared members from /usr/lib/libiconv.a to  /opt/freeware/lib/libiconv.a

add shr.o shared members from /usr/lib/libiconv.a to  /opt/freeware/lib/libiconv.a

add shr4_64.o shared members from /usr/lib/libiconv.a to  /opt/freeware/lib/libiconv.a

/

root@SHDNSDB02:/home/weihu>rpm -Uvh mpfr-3.1.2-1.aix6.1.ppc.rpm 

mpfr                        ##################################################

root@SHDNSDB02:/home/weihu>rpm -Uvh zlib-1.2.5-6.aix6.1.ppc.rpm 

zlib                        ##################################################

root@SHDNSDB02:/home/weihu>rpm -Uvh info-5.0-2.aix6.1.ppc.rpm 

warning: /opt/freeware/info/dir created as /opt/freeware/info/dir.rpmnew

info                        ##################################################

Please check that /etc/info-dir does exist.

You might have to rename it from /etc/info-dir.rpmsave to /etc/info-dir.

root@SHDNSDB02:/home/weihu>rpm -Uvh libmpc-0.9-1.aix5.3.ppc.rpm 

libmpc                      ##################################################

root@SHDNSDB02:/home/weihu>rpm -Uvh bash-4.2-9.aix6.1.ppc.rpm 

bash                        ##################################################


        ## Binary "bash" is avaible on 32bit and 64bit ##


        The default used is 64bit


        Please change symbolic link 

        from "bash" into /bin directory

        To do that tape:

                # rm -f /bin/bash

                # ln -sf /opt/freeware/bin/bash_32 /bin/bash

root@SHDNSDB02:/home/weihu>mv /bin/bash /bin/bash_bak

root@SHDNSDB02:/home/weihu>ln -sf /opt/freeware/bin/bash_

bash_32  bash_64  

root@SHDNSDB02:/home/weihu>ln -sf /opt/freeware/bin/bash_32 /bin/bash


root@SHDNSDB02:/home/weihu>rpm -Uvh gcc-cpp-4.8.1-2.aix6.1.ppc.rpm gcc-4.8.1-2.aix6.1.ppc.rpm 

gcc-cpp                     ##################################################

gcc                         ##################################################

root@SHDNSDB02:/home/weihu>type gcc

gcc is /usr/bin/gcc

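GCC is now installed.


Next, compile zlib. The zlib version I used is zlib-1.2.5.tar.bz2; extract it and compile it.

(*Note: this must be installed, otherwise you get the error: configure: error: *** zlib.h missing - please install first or check config.log ****)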

root@SHDNSDB02:/home/weihu>bzip2 -d zlib-1.2.5.tar.bz2 

root@SHDNSDB02:/home/weihu>tar -xvf zlib-1.2.5.tar 

root@SHDNSDB02:/home/weihu>cd zlib-1.2.5

root@SHDNSDB02:/home/weihu>./configure

root@SHDNSDB02:/home/weihu>make

root@SHDNSDB02:/home/weihu>make install


Compile openssh, and package the openssh source package into

root@SHDNSDB02:/home/weihu>gzip -d openssh-6.6p1.tar.gz 

root@SHDNSDB02:/home/weihu>tar xvf openssh-6.6p1.tar 

root@SHDNSDB02:/home/weihu>cd openssh-6.6p1

root@SHDNSDB02:/home/weihu>./configure

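root@SHDNSDB02:/home/weihu/openssh-6.6p1>contrib/aix/buildbff.sh

(*This command generates an installable file in BFF format. If the script does not produce the openssh-6.6p1.bff file at the end, check that LIBPATH is set correctly and run source /etc/profile so that the setting takes effect immediately. You also need to run make clean to clear the files left by the previous configure, then run ./configure again and execute buildbff.sh.*)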


root@SHDNSDB02:/home/weihu/openssh-6.6p1>ls -lat openssh

openssh-6.6p1.bff  openssh.xml        opensshd.init      

openssh-exec():    openssh.xml.in     opensshd.init.in   

root@SHDNSDB02:/home/weihu/openssh-6.6p1>ls -lat openssh-6.6p1.bff 

-rw-r--r--    1 root     system      4966400 Oct 16 16:17 openssh-6.6p1.bff


Install the openssh-6.6p1.bff file from the current directory

root@SHDNSDB02:/home/weihu/openssh-6.6p1>inutoc . 

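(*Note: if running the command above produces the error sh: 0403-057 Syntax error at line 1 : `(' is not expected., simply delete the openssh-exec(): file in the current directory and the command will run normally.*)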

root@SHDNSDB02:/home/weihu/openssh-6.6p1>installp -acgNQqX -d . -f .toc

OpenSSH is now installed successfully.

At this point the ssh version still shows as the old one

root@SHDNSDB02:/>type sshd

sshd is /usr/sbin/sshd

Stop sshd

root@SHDNSDB02:/>stopsrc -s sshd

Back up the old sshd and create a symbolic link to the new version

root@SHDNSDB02:/>mv /usr/sbin/sshd /usr/sbin/sshd_bak

root@SHDNSDB02:/>ln -s /usr/local/sbin/sshd /usr/sbin/sshd 

Start ssh

root@SHDNSDB02:/>/usr/sbin/sshd

Could not load host key: /usr/local/etc/ssh_host_rsa_key

Could not load host key: /usr/local/etc/ssh_host_dsa_key

Could not load host key: /usr/local/etc/ssh_host_ecdsa_key

Could not load host key: /usr/local/etc/ssh_host_ed25519_key

Create the key files

root@SHDNSDB02:/>/usr/local/bin/ssh-keygen -t rsa -f /usr/local/etc/ssh_host_rsa_key

root@SHDNSDB02:/>/usr/local/bin/ssh-keygen -t dsa -f /usr/local/etc/ssh_host_dsa_key

root@SHDNSDB02:/>/usr/local/bin/ssh-keygen -t ecdsa -f /usr/local/etc/ssh_host_ecdsa_key

root@SHDNSDB02:/>/usr/local/bin/ssh-keygen -t ed25519 -f /usr/local/etc/ssh_host_ed25519_key

Start the ssh service again

root@SHDNSDB02:/>/usr/sbin/sshd 

The ssh service is now started, and remote connections work normally.

Check the ssh service processes and the OpenSSH version

root@SHDNSDB02:/>ps -ef|grep sshd

   weihu 44957866  5767496   0 14:38:48      -  0:00 /usr/sbin/sftp-server -m /etc/ssh/sshd_config

   weihu 45481992 48365574   0 13:55:31      -  0:00 sshd: weihu@pts/3

   weihu 46661832  7340288   0 13:09:51      -  0:00 sshd: weihu@pts/1

    root 48365574        1   0 13:55:18      -  0:00 sshd: weihu [priv]

    root  3998086        1   0 16:47:30      -  0:00 sshd: weihu [priv]

    root  4063686  6357374   0 16:59:02  pts/0  0:00 grep sshd

   weihu  4194786  3998086   0 16:47:52      -  0:00 sshd: weihu@pts/0

   weihu  5767496  6750580   0 14:38:48      -  0:01 sshd: weihu@notty

    root  6750580        1   0 14:38:47      -  0:00 sshd: weihu [priv]

    root  7340288        1   0 13:09:44      -  0:00 sshd: weihu [priv]

    root  7406052        1   0 16:58:54      -  0:00 /usr/sbin/sshd

root@SHDNSDB02:/>sshd -v

unknown option -- v

OpenSSH_6.6p1, OpenSSL 1.0.1g 7 Apr 2014

usage: sshd [-46DdeiqTt] [-b bits] [-C connection_spec] [-c host_cert_file]

            [-E log_file] [-f config_file] [-g login_grace_time]

            [-h host_key_file] [-k key_gen_time] [-o option] [-p port]

            [-u len]
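
The version check above, automated against the 6.4 threshold that the scanner flagged, as an added example that is not part of the original post. The function names are hypothetical and the banners are constructed samples in the format of the `sshd -v` output shown here.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.
# Checks an sshd version banner against the 6.4 threshold the scanner used.

# Print "MAJOR MINOR" for the first OpenSSH_x.y token found in the given text.
parse_openssh_version() {
    printf '%s\n' "$1" |
        sed -n 's/^.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2/p' |
        head -n 1
}

# Return 0 if version >= MIN_MAJOR.MIN_MINOR, 1 if older, 2 if no version found.
openssh_at_least() {
    min_major=$2
    min_minor=$3
    ver=$(parse_openssh_version "$1")
    if [ -z "$ver" ]; then
        return 2
    fi
    set -- $ver          # now $1 = major, $2 = minor
    if [ "$1" -gt "$min_major" ]; then
        return 0
    elif [ "$1" -lt "$min_major" ]; then
        return 1
    fi
    [ "$2" -ge "$min_minor" ]
}

# Constructed sample: the first three lines `sshd -v` printed on this page.
SAMPLE_NEW='unknown option -- v
OpenSSH_6.6p1, OpenSSL 1.0.1g 7 Apr 2014
usage: sshd [-46DdeiqTt] [-b bits] [-C connection_spec] [-c host_cert_file]'
# Constructed sample for an older binary (version string is illustrative).
SAMPLE_OLD='OpenSSH_6.0p1, OpenSSL 0.9.8 (constructed)'

for banner in "$SAMPLE_NEW" "$SAMPLE_OLD"; do
    if openssh_at_least "$banner" 6 4; then
        echo "OK:    $(parse_openssh_version "$banner")"
    else
        echo "STALE: $(parse_openssh_version "$banner")"
    fi
done
```

On the host, pass "$(/usr/sbin/sshd -v 2>&1)" and "$(/usr/local/sbin/sshd -v 2>&1)" as the banner to confirm that the /usr/sbin/sshd link resolves to the upgraded binary.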


At this point the openssh version has been upgraded, but one problem remains unsolved

root@SHDNSDB02:/>stopsrc -s sshd

root@SHDNSDB02:/>startsrc -s sshd

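The commands above have no effect on restarting or stopping the ssh process, and after I rebooted the system, ssh did not start automatically. Fortunately telnet was enabled. This problem is still unsolved for now; I hope the network experts who read this post can offer some guidance.

I have uploaded all of the installation packages needed above. Anyone who needs them can download them from the following address: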

    http://down.51cto.com/data/1884215

