因安全漏掃軟件掃描業務虛機,發現有openssh ssh存在漏洞,此次需將openssh5.3P1升級至OpenSSH_8.0p1
[root@APP ~]# uname -a
Linux APP168 2.6.32-431.el6.x86_64 #1 SMP Sun Nov 10 22:19:54 EST 2013 x86_64 x86_64 x86_64 GNU/Linux
[root@APP ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.5 (Santiago)
[root@APP~]# ssh -V
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
如果想升級到OpenSSH_8.0p1,對應的openssl也要升級
首先卸載原有的openssh,卸載之前先停止sshd服務
[root@APP ~]# rpm -e rpm -qa | grep openssh’<br/>error: Failed dependencies:<br/> openssh-clients is needed by (installed) python-meh-0.12.1-3.el6.noarch<br/>[root@APP ~]# rpm -erpm -qa | grep openssl--nodeps <br/>[root@APP ~]# rpm -e firstboot-1.110.15-1.el6.x86_64<br/>[root@APP ~]# rpm -e python-meh-0.12.1-3.el6.noarch<br/>[root@APP ~]# rpm -erpm -qa | grep openssh`
[root@APP ~]# yum install firstboot
或者用rpm刪除,同時清除系統/etc/ssh目錄
[root@APP ~]# service sshd stop
Stopping sshd: [ OK ]
[root@APP ~]# rpm -qa openssh
openssh-5.3p1-94.el6.x86_64
[root@APP ~]# rpm -e --nodeps openssh-server
[root@APP ~]# rpm -e --nodeps openssh-clients
[root@APP ~]# rpm -e --nodeps openssh-askpass
[root@APP ~]# rpm -e --nodeps openssh
[root@APP ~]# rm -rf /etc/ssh
重啓!!!
然後安裝openssl-1.1.1c
[root@APP ~]# cd ../openssl-1.1.1c/
[root@APP ~openssl-1.1.1c]# ./config --prefix=/usr/local/openssl --shared
[root@dbAPP ~ openssl-1.1.1c]# make && make install
[root@APP ~]# openssl version
OpenSSL 1.1.1c 28 May 2019
然後安裝openssh-8.0p1
上傳openssh文件,解壓,開始安裝
[root@APP ~openssh-8.0p1]#./configure --prefix=/usr/ --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/openssl --with-zlib=/usr/local/zlib --with-md5-passwords --without-hardening &&make && make install
修改配置文件
[root@APP ~openssh-8.0p1]# cp contrib/redhat/sshd.init /etc/init.d/sshd
[root@APP ~]# chmod +x /etc/init.d/sshd 一般自帶x權限
不用再修改文件了
加入到系統服務
[[email protected]]# chkconfig --add sshd
[[email protected]]# service sshd start
最後檢查版本
ssh -V 注意大寫
[root@APP ~]# ssh -V
OpenSSH_8.0P1 , OpenSSL 1.1.1c 28 May 2019
幾個問題回顧:
1、安裝openssh8.0在make時報錯
缺少頭文件,原有的OpenSSL 1.0.0版本不行,升級到openssl-1.1.1c即可
2、putty輸入密碼後閃退
修改sshd的配置文件 /etc/ssh/sshd_config
在配置文件中添加如下:
Ciphers aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc,arcfour128,arcfour256,arcfour,blowfish-cbc,cast128-cbc
MACs hmac-md5,hmac-sha1,[email protected],hmac-ripemd160,hmac-sha1-96,hmac-md5-96
KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,diffie-hellman-group1-sha1,[email protected] (此行中去掉ecdh-sha2-nistp521)
重新啓動sshd服務即可
3、替換查看版本
查找sshd的位置
#whereis sshd
備份sshd
#cp /usr/sbin/sshd /usr/sbin/sshd.bak.20190730
[root@APP ~]# strings /usr/sbin/sshd | grep OpenSSH
OpenSSH_3.
OpenSSH_5
OpenSSH_6.6.1
OpenSSH_6.5,OpenSSH_6.6
OpenSSH
OpenSSH_2.,OpenSSH_3.0,OpenSSH_3.1
OpenSSH_2,OpenSSH_3,OpenSSH_4
OpenSSH_7.0,OpenSSH_7.1,OpenSSH_7.2,OpenSSH_7.3,OpenSSH_7.4,OpenSSH_7.5,OpenSSH_7.6,OpenSSH_7.7
替換版本信息
#sed -i 's/OpenSSH_5.3/OpenSSH_8.0/g' /usr/sbin/sshd
///重起sshd
#service sshd restart