1. Symptoms
A vulnerability scan (NSFOCUS and similar scanners) flagged the SSH service on our servers as vulnerable, so OpenSSH had to be upgraded. After the upgrade two problems appeared:
- Problem 1: passwordless (key-based) login between the servers stopped working
- Problem 2: on each server, the open-files limit shown by ulimit -a was reset to 1024, which is too small
2. Fix
#1. Install pam-devel (needed so OpenSSH can be built with PAM support)
yum install -y pam-devel
#2. Download the latest OpenSSH, unpack it, then build and install
#Download
cd /tmp
wget http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.0p1.tar.gz
#Unpack and enter the source directory
tar zxf openssh-8.0p1.tar.gz
cd openssh-8.0p1
#Configure (--with-pam is what lets sshd run the PAM session stack, including pam_limits)
./configure --prefix=/usr/ --sysconfdir=/etc/ssh --with-pam
#Build and install
make && make install
#Replace the old init script and enable start on boot
cp /tmp/openssh-8.0p1/contrib/redhat/sshd.init /etc/init.d/sshd
chkconfig --add sshd
#3. Edit /etc/ssh/sshd_config
vi /etc/ssh/sshd_config
Add the line: UsePAM yes
Change to: PermitRootLogin yes
#4. Edit /etc/security/limits.conf
Edit with vi /etc/security/limits.conf and add:
* soft nofile 40960
* hard nofile 81920
#5. Edit /etc/pam.d/sshd
Edit with vi /etc/pam.d/sshd so that it contains:
#%PAM-1.0
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
session required pam_limits.so
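The fix for problem 2 only works when both halves are present: sshd must have UsePAM yes (and be built with --with-pam) so that it runs the PAM session stack, and that stack must contain pam_limits.so, which is what applies /etc/security/limits.conf. The script below is an added example, not part of the original post: a check function that inspects a given sshd_config and PAM service file for the two settings, run here against constructed "before" and "after" copies in a temporary directory rather than the real files.

```shell
#!/bin/sh
# Added example: confirm that sshd will apply limits.conf through PAM.
# Returns 0 when both required settings are present, 1 otherwise, and
# prints which piece is missing. Arguments are file paths, so it can be
# pointed at /etc/ssh/sshd_config and /etc/pam.d/sshd on a real host.
check_pam_limits() {
    sshd_config="$1"
    pam_sshd="$2"
    ok=0
    # sshd_config keywords are case-insensitive; skip commented-out lines.
    if ! grep -Eiq '^[[:space:]]*UsePAM[[:space:]]+yes' "$sshd_config"; then
        echo "missing: 'UsePAM yes' in $sshd_config (limits.conf is ignored without it)"
        ok=1
    fi
    # pam_limits has to be in the *session* stack of the sshd service.
    if ! grep -Eq '^[[:space:]]*session[[:space:]].*pam_limits\.so' "$pam_sshd"; then
        echo "missing: 'session required pam_limits.so' in $pam_sshd"
        ok=1
    fi
    return $ok
}

# Constructed sample files (not real system files) so the check runs offline.
tmpd=$(mktemp -d)
# "Before": UsePAM commented out, no pam_limits in the PAM service file.
printf 'PermitRootLogin yes\n#UsePAM yes\n' > "$tmpd/sshd_config.before"
printf '#%%PAM-1.0\nsession include system-auth\n' > "$tmpd/pam_sshd.before"
# "After": the state the post ends up with.
printf 'UsePAM yes\nPermitRootLogin yes\n' > "$tmpd/sshd_config.after"
printf '#%%PAM-1.0\nsession include system-auth\nsession required pam_limits.so\n' \
    > "$tmpd/pam_sshd.after"

check_pam_limits "$tmpd/sshd_config.before" "$tmpd/pam_sshd.before"   # reports both missing
check_pam_limits "$tmpd/sshd_config.after"  "$tmpd/pam_sshd.after"    # silent, exit 0
```

On the real host, after restarting sshd, the end-to-end confirmation is to open a fresh SSH session and run ulimit -n there; an existing shell keeps the limits it was started with.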