[OpenSSH] Upgrading OpenSSH to 8.3p1 on CentOS 7.x


1. Background

A customer had a third-party security firm scan their servers, and the scan reported a number of SSH vulnerabilities. The reason is that CentOS 7.2 ships a fairly old OpenSSH, v6.6.1, and all of these findings are fixed in newer OpenSSH releases, so for security reasons an upgrade was needed.

The yum repositories do not carry the latest OpenSSH, so we have to download the latest OpenSSH source tarball from the official site ourselves and build rpm packages from it.

Because the customer's servers cannot reach the Internet, the result also has to be turned into an offline upgrade package.



2. Environment

Operating system: CentOS 7.2 Minimal

serverA  192.168.1.104  simulates the development machine: has Internet access, used to build the offline upgrade package

serverB  192.168.1.106  simulates the customer server: no Internet access, old OpenSSH packages and dependencies



3. Goal

On serverA, compile the OpenSSH packages and download the dependencies, wrap everything in a one-shot upgrade script, and carry that script to serverB to upgrade OpenSSH there.

OpenSSH source: http://www.openssh.com

As of this writing, the latest OpenSSH source tarball is openssh-8.3p1.tar.gz

What is the difference between OpenSSH Release and OpenSSH Portable Release?

https://www.openssh.com/portable.html

http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/



4. Procedure

On serverA:

# useradd rpmbuilder
# mkdir -p /home/rpmbuilder/rpmbuild/{SOURCES,SPECS}
# yum -y install vim wget epel-release
# yum -y install rpm-build gcc make
# yum -y install openssl openssl-devel krb5-devel pam-devel libX11-devel xmkmf libXt-devel gtk2-devel
# wget http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.3p1.tar.gz
# wget https://src.fedoraproject.org/lookaside/pkgs/openssh/x11-ssh-askpass-1.2.4.1.tar.gz/8f2e41f3f7eaa8543a2440454637f3c3/x11-ssh-askpass-1.2.4.1.tar.gz

(The same directory on ftp.openbsd.org also carries openssh-8.3p1.tar.gz.asc, the PGP signature of the tarball; check it before building from a tarball fetched over plain http.)

# tar -zxf openssh-8.3p1.tar.gz
# cp ./openssh-8.3p1/contrib/redhat/openssh.spec /home/rpmbuilder/rpmbuild/SPECS/
# cp openssh-8.3p1.tar.gz /home/rpmbuilder/rpmbuild/SOURCES/
# cp x11-ssh-askpass-1.2.4.1.tar.gz /home/rpmbuilder/rpmbuild/SOURCES/
# chown -R rpmbuilder:rpmbuilder /home/rpmbuilder/

Comment out the %__check_files macro so that rpmbuild does not abort on unpackaged files. /usr/lib/rpm/macros is owned by root, so this must be done before switching to the rpmbuilder user:

# sed -i 's/^%__check_files/#&/' /usr/lib/rpm/macros

# su - rpmbuilder
$ cd /home/rpmbuilder/rpmbuild/SPECS/
$ sed -i "s/%global no_gnome_askpass 0/%global no_gnome_askpass 1/g" openssh.spec
$ sed -i "s/%global no_x11_askpass 0/%global no_x11_askpass 1/g" openssh.spec
$ sed -i "s/BuildRequires: openssl-devel >= 1.0.1/#BuildRequires: openssl-devel >= 1.0.1/g" openssh.spec
$ sed -i "s/BuildRequires: openssl-devel < 1.1/#BuildRequires: openssl-devel < 1.1/g" openssh.spec
$ rpmbuild -bb openssh.spec

編譯完成后記得將編譯機(jī)上的?/usr/lib/rpm/macros文件改回來(lái):

$ exit?

# sed? -i? ?'s/^#%__check_files/%__check_files/g'? ? ?/usr/lib/rpm/macros? ??

編譯好后的文件被放在/home/rpmbuilder/rpmbuild/RPMS/x86_64/ 目錄下:

#? ll??/home/rpmbuilder/rpmbuild/RPMS/x86_64/?

注:openssh-debuginfo-8.3p1-1.el7.centos.x86_64.rpm 這個(gè)包是一個(gè)debug包涌庭,升級(jí)時(shí)用不到芥被,需要?jiǎng)h除欧宜。

The steps above as a script:

# cat build.sh
#####################################################
#!/bin/bash
# Build OpenSSH 8.3p1 rpm packages on the build machine (run as root).
id rpmbuilder >/dev/null 2>&1 || useradd rpmbuilder
mkdir -p /home/rpmbuilder/rpmbuild/{SOURCES,SPECS}
yum -y install vim wget epel-release
yum -y install rpm-build gcc make
yum -y install openssl openssl-devel krb5-devel pam-devel libX11-devel xmkmf libXt-devel gtk2-devel
wget http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.3p1.tar.gz
wget https://src.fedoraproject.org/lookaside/pkgs/openssh/x11-ssh-askpass-1.2.4.1.tar.gz/8f2e41f3f7eaa8543a2440454637f3c3/x11-ssh-askpass-1.2.4.1.tar.gz
tar -zxf openssh-8.3p1.tar.gz
cp ./openssh-8.3p1/contrib/redhat/openssh.spec /home/rpmbuilder/rpmbuild/SPECS/
cp openssh-8.3p1.tar.gz /home/rpmbuilder/rpmbuild/SOURCES/
cp x11-ssh-askpass-1.2.4.1.tar.gz /home/rpmbuilder/rpmbuild/SOURCES/
chown -R rpmbuilder:rpmbuilder /home/rpmbuilder/
# Adjust the spec: no askpass helpers, and drop the openssl-devel version pins.
cd /home/rpmbuilder/rpmbuild/SPECS/
sed -i "s/%global no_gnome_askpass 0/%global no_gnome_askpass 1/g" openssh.spec
sed -i "s/%global no_x11_askpass 0/%global no_x11_askpass 1/g" openssh.spec
sed -i "s/BuildRequires: openssl-devel >= 1.0.1/#BuildRequires: openssl-devel >= 1.0.1/g" openssh.spec
sed -i "s/BuildRequires: openssl-devel < 1.1/#BuildRequires: openssl-devel < 1.1/g" openssh.spec
# Disable the unpackaged-files check for this build (root-owned file, so done here, not as rpmbuilder).
sed -i 's/^%__check_files/#&/' /usr/lib/rpm/macros
# A bare "su - rpmbuilder" in a script opens an interactive shell and the lines after it
# would run as root once that shell exits; run the build as rpmbuilder with -c instead.
su - rpmbuilder -c "rpmbuild -bb /home/rpmbuilder/rpmbuild/SPECS/openssh.spec"
# Restore the macros file.
sed -i 's/^#%__check_files/%__check_files/' /usr/lib/rpm/macros
########################################################
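The sed lines in the script above succeed even when their pattern matches nothing (sed returns 0 on a substitution that never fires), which is exactly how a typo such as %__check_fil or a reworded spec line goes unnoticed until rpmbuild fails much later. The following is an added example, not code from the original post, that performs the same four spec edits and the %__check_files toggle but verifies each one afterwards and refuses to continue when an edit did not apply. File paths are parameters and the function names are the example's own.

```bash
#!/bin/bash
# Added example, not code from the original post: apply the openssh.spec edits
# from the build procedure and verify that each one actually took effect.
# Each helper rewrites the file through a temp copy and fails (leaving the file
# untouched) when the line it was meant to change does not exist.

# set_global_macro FILE NAME VALUE: rewrite "%global NAME <old>" to "%global NAME VALUE".
set_global_macro() {
  file=$1 name=$2 value=$3
  awk -v n="$name" -v v="$value" '
    $1 == "%global" && $2 == n { print "%global " n " " v; hit = 1; next }
    { print }
    END { if (hit) exit 0; exit 1 }' "$file" > "$file.tmp" \
    && mv "$file.tmp" "$file" || { rm -f "$file.tmp"; return 1; }
}

# comment_out FILE PREFIX: prefix "#" to every line starting with the literal PREFIX.
# Idempotent: an already commented line counts as a hit.
comment_out() {
  file=$1 prefix=$2
  awk -v p="$prefix" '
    index($0, p) == 1       { print "#" $0; hit = 1; next }
    index($0, "#" p) == 1   { hit = 1 }
    { print }
    END { if (hit) exit 0; exit 1 }' "$file" > "$file.tmp" \
    && mv "$file.tmp" "$file" || { rm -f "$file.tmp"; return 1; }
}

# uncomment FILE PREFIX: the inverse of comment_out, used to restore the macros file.
uncomment() {
  file=$1 prefix=$2
  awk -v p="$prefix" '
    index($0, "#" p) == 1   { print substr($0, 2); hit = 1; next }
    index($0, p) == 1       { hit = 1 }
    { print }
    END { if (hit) exit 0; exit 1 }' "$file" > "$file.tmp" \
    && mv "$file.tmp" "$file" || { rm -f "$file.tmp"; return 1; }
}

# must CMD ARGS...: run an edit and report which one failed.
must() { "$@" || { echo "spec edit failed: $*" >&2; return 1; } }

# patch_openssh_spec SPEC: the four edits from the post; stops at the first that does not match.
patch_openssh_spec() {
  must set_global_macro "$1" no_gnome_askpass 1 &&
  must set_global_macro "$1" no_x11_askpass 1 &&
  must comment_out "$1" "BuildRequires: openssl-devel >= 1.0.1" &&
  must comment_out "$1" "BuildRequires: openssl-devel < 1.1"
}

# The %__check_files toggle; the macros path defaults to the one the post edits.
disable_check_files() { must comment_out "${1:-/usr/lib/rpm/macros}" "%__check_files"; }
restore_check_files() { must uncomment   "${1:-/usr/lib/rpm/macros}" "%__check_files"; }

# Usage on the build machine, in place of the unchecked sed lines:
#   patch_openssh_spec /home/rpmbuilder/rpmbuild/SPECS/openssh.spec
#   disable_check_files && su - rpmbuilder -c 'rpmbuild -bb ~/rpmbuild/SPECS/openssh.spec'; restore_check_files
```

Because the awk pass exits non-zero when it found nothing to change, a failing edit leaves the spec exactly as it was rather than half-patched, and the error names the edit that did not apply.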

5. Testing the OpenSSH upgrade on the development machine

On serverA:

# cd /home/rpmbuilder/rpmbuild/RPMS/x86_64/
# rm -f openssh-debuginfo-8.3p1-1.el7.centos.x86_64.rpm
# rpm -Uvh *.rpm
# rpm -qa | grep openssh

本來(lái)到此,我們升級(jí)就完成了冗茸,但是從客戶端登陸的時(shí)候卻失敗了席镀!

開(kāi)始我們以為自己制作的 rpm 包有問(wèn)題匹中,幾經(jīng)折騰,最后發(fā)現(xiàn)還是默認(rèn)的配置不正確導(dǎo)致的結(jié)果豪诲。

無(wú)法用 ssh key 方式登錄顶捷,默認(rèn)的 host key 文件授權(quán)太大,需要修改 key 文件的權(quán)限屎篱!

# ll? /etc/ssh/ssh_host_*_key

# chmod 600? /etc/ssh/ssh_host_*_key

# ll /etc/ssh/ssh_host_*_key

# systemctl restart sshd

# systemctl status sshd

升級(jí)完后的openSSH默認(rèn)不允許用密碼方式登錄服赎,我們需要更改配置文件:

# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

# sed -i -e? "s/#PasswordAuthentication yes/PasswordAuthentication yes/g"? /etc/ssh/sshd_config

# sed -i -e? "s/#PermitRootLogin prohibit-password/PermitRootLogin yes/g"? ? /etc/ssh/sshd_config

# sed -i -e? "s/#PermitEmptyPasswords no/PermitEmptyPasswords no/g"? /etc/ssh/sshd_config

# sed -i? -e? "s/#UsePAM no/UsePAM yes/g"? /etc/ssh/sshd_config
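The sed edits above only rewrite the commented default lines. If sshd_config already contains an active directive with another value they change nothing, and sshd honours the first active occurrence in the global section, not the last one, so the file can look edited while the daemon still runs the old policy. The block below is an added example, not code from the original post: it reports the effective value of each directive the post touches, and lists host private keys whose mode is not 0600, so both conditions can be checked before sshd is restarted. Paths are parameters and the function names are the example's own.

```bash
#!/bin/bash
# Added example, not code from the original post: check what sshd will actually
# see after the edits above, on a real /etc/ssh or on constructed files.

# sshd_config_effective FILE DIRECTIVE
# Prints the effective value of DIRECTIVE in the global section of FILE: the first
# active (uncommented) occurrence, case-insensitive, in "Keyword value" or
# "Keyword=value" form, stopping at the first Match block because everything after
# it is conditional. Prints "<default>" when the directive is not set, i.e. the
# compiled-in default applies.
sshd_config_effective() {
  awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    { line = $0; sub(/^[ \t]+/, "", line) }
    line == "" || line ~ /^#/ { next }
    { split(line, f, /[ \t=]+/); key = tolower(f[1]) }
    key == "match" { exit }
    key == want { v = line; sub(/^[^ \t=]+[ \t=]+/, "", v); print v; found = 1; exit }
    END { if (!found) print "<default>" }
  ' "$1"
}

# check_host_key_perms DIR
# Lists host private keys directly under DIR whose mode is not exactly 0600.
# Returns 0 when all are correct, 1 otherwise. The .pub files are deliberately
# excluded: they are meant to be world-readable.
check_host_key_perms() {
  bad=$(find "$1" -maxdepth 1 -type f -name 'ssh_host_*_key' ! -perm 600)
  [ -z "$bad" ] && return 0
  printf '%s\n' "$bad" | sed 's/^/host key not mode 0600: /'
  return 1
}

# audit_sshd [CONFIG] [KEYDIR]
# One report covering the directives the post edits and the host key modes.
audit_sshd() {
  cfg=${1:-/etc/ssh/sshd_config} dir=${2:-/etc/ssh} rc=0
  for d in PasswordAuthentication PermitRootLogin PermitEmptyPasswords UsePAM; do
    printf '%-22s %s\n' "$d" "$(sshd_config_effective "$cfg" "$d")"
  done
  check_host_key_perms "$dir" || rc=1
  return $rc
}

# Run before "systemctl restart sshd"; "sshd -t" additionally validates the syntax:
#   audit_sshd /etc/ssh/sshd_config /etc/ssh && sshd -t
```

The "<default>" case is the one to watch: a directive that was never uncommented is not "unchanged", it takes whatever default the new 8.3p1 binary was compiled with, which is the reason the post's password login stopped working in the first place.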

默認(rèn)的 /etc/pam.d/sshd 中使用了過(guò)時(shí)的 pam_stack.so 動(dòng)態(tài)庫(kù),需要更新:

# cp /etc/pam.d/sshd /etc/pam.d/sshd.bak

# cat >? /etc/pam.d/sshd? <<EOF

#%PAM-1.0

auth required pam_sepermit.so

auth include password-auth

account required pam_nologin.so

account include password-auth

password include password-auth

# pam_selinux.so close should be the first session rule

session required pam_selinux.so close

session required pam_loginuid.so

# pam_selinux.so open should only be followed by sessions to be executed in the user context

session required pam_selinux.so open env_params

session optional pam_keyinit.so force revoke

session include password-auth

EOF

Restart the ssh service and check its status:

# systemctl restart sshd
# systemctl enable sshd
# systemctl status sshd

You will notice that the upgraded sshd service is started from an init script, not from the /usr/lib/systemd/system/sshd.service unit file any more.

The upgrade actually removed /usr/lib/systemd/system/sshd.service and installed the service start script /etc/init.d/sshd.

The observant will also notice that ssh-copy-id, the command we usually use to copy a public key for passwordless login, is gone after the upgrade!

It is not really gone; we just need to copy it from the extracted source tree (openssh-8.3p1 above) into /usr/bin/:

# cp /root/openssh-8.3p1/contrib/ssh-copy-id /usr/bin/
# chmod 755 /usr/bin/ssh-copy-id


6. Building the offline upgrade package

On serverA:

# yum -y install yum-utils createrepo
# mkdir /root/localrepo
# repotrack openssl -p /root/localrepo/

You may wonder: aren't we collecting the dependencies of the openssh packages? Why track openssl instead?

As the installation above showed, upgrading openssh does not run into missing dependencies; we only need to upgrade openssl along with it:

# rm -f /home/rpmbuilder/rpmbuild/RPMS/x86_64/openssh-debuginfo-8.3p1-1.el7.centos.x86_64.rpm
# cp /home/rpmbuilder/rpmbuild/RPMS/x86_64/*.rpm /root/localrepo
# createrepo -v /root/localrepo

Write the offline upgrade script:

# cat install.sh
######################################################
#!/bin/bash
# Offline OpenSSH 8.3p1 upgrade; run as root on the target server.
# Locate the directory this script lives in
parent_path=$( cd "$(dirname "${BASH_SOURCE[0]}")"; pwd -P )
cd "$parent_path"
# Temporarily replace the existing yum repos with the local one shipped alongside
mkdir -p /etc/yum.repos.d/backup
mv /etc/yum.repos.d/*.repo /etc/yum.repos.d/backup
rm -rf /tmp/localrepo
mkdir -p /tmp/localrepo
cp -rf ./localrepo/* /tmp/localrepo
cat > /etc/yum.repos.d/localrepo.repo <<EOF
[localrepo]
name=Local Repository
baseurl=file:///tmp/localrepo
gpgcheck=0
enabled=1
EOF
yum clean all
yum -y install openssl
yum -y install 'openssh*' --disablerepo="*" --enablerepo="localrepo"
# Put the original repo configuration back
rm -rf /tmp/localrepo
rm -f /etc/yum.repos.d/localrepo.repo
mv /etc/yum.repos.d/backup/*.repo /etc/yum.repos.d
rm -rf /etc/yum.repos.d/backup
chmod 600 /etc/ssh/ssh_host_*_key
# modify /etc/ssh/sshd_config
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
sed -i -e "s/#PasswordAuthentication yes/PasswordAuthentication yes/g" /etc/ssh/sshd_config
sed -i -e "s/#PermitRootLogin prohibit-password/PermitRootLogin yes/g" /etc/ssh/sshd_config
sed -i -e "s/#PermitEmptyPasswords no/PermitEmptyPasswords no/g" /etc/ssh/sshd_config
sed -i -e "s/#UsePAM no/UsePAM yes/g" /etc/ssh/sshd_config
# modify /etc/pam.d/sshd
cp /etc/pam.d/sshd /etc/pam.d/sshd.bak
cat > /etc/pam.d/sshd <<EOF
#%PAM-1.0
auth required pam_sepermit.so
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth
EOF
# copy ssh-copy-id
cp ssh-copy-id /usr/bin
chmod 755 /usr/bin/ssh-copy-id
systemctl restart sshd
systemctl enable sshd
systemctl status sshd
rpm -qa | grep open
if systemctl status sshd | grep -q "Active: active (running)"; then
  echo -e "\033[32m[INFO] OpenSSH upgraded to 8.3p1 successfully!\033[0m"
else
  echo -e "\033[31m[ERROR] OpenSSH upgrade to 8.3p1 failed!\033[0m"
fi
##############################################################
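The final check in install.sh only asks whether sshd is active, which is equally true when the old 6.6.1 daemon or package is still in place (an rpm transaction that failed part-way, or a restart that never happened). As an added example, not part of the original install.sh, the functions below read the OpenSSH version from ssh -V, from the rpm database and from the banner the running daemon sends on connect, and compare each numerically with the target release. Function names, the four-number version form and the default host and port are assumptions of this example.

```bash
#!/bin/bash
# Added example, not code from the original post: verify the upgrade by the
# version strings on the host rather than by sshd's service state.

# parse_openssh_version STRING
# Accepts "OpenSSH_8.3p1, OpenSSL ...", "SSH-2.0-OpenSSH_8.3", "8.3p1-1.el7.centos"
# or "6.6.1p1" and prints "MAJOR MINOR MICRO PATCHLEVEL", e.g. "8 3 0 1".
# Fails on anything else, so an error message never compares as version 0.
parse_openssh_version() {
  printf '%s\n' "$1" | awk '
    {
      v = $1; sub(/^.*OpenSSH_/, "", v); sub(/[,-].*$/, "", v)
      if (v !~ /^[0-9]+\.[0-9]+(\.[0-9]+)?(p[0-9]+)?$/) exit 1
      np = split(v, pp, "p"); nd = split(pp[1], d, ".")
      printf "%d %d %d %d\n", d[1], d[2], (nd >= 3 ? d[3] : 0), (np >= 2 ? pp[2] : 0)
      exit 0
    }'
}

# openssh_version_at_least HAVE WANT
# 0 if HAVE >= WANT, 1 if HAVE is older, 2 if either string is not a version.
openssh_version_at_least() {
  have=$(parse_openssh_version "$1") || return 2
  want=$(parse_openssh_version "$2") || return 2
  printf '%s %s\n' "$have" "$want" | awk '{
    for (i = 1; i <= 4; i++) {
      if ($i + 0 > $(i + 4) + 0) exit 0
      if ($i + 0 < $(i + 4) + 0) exit 1
    }
    exit 0 }'
}

# daemon_banner HOST PORT
# Reads the identification line the running sshd sends first (bash /dev/tcp,
# no ssh client involved), e.g. "SSH-2.0-OpenSSH_8.3".
daemon_banner() {
  ( exec 3<>"/dev/tcp/$1/$2" 2>/dev/null && read -r line <&3 && printf '%s\n' "$line" | tr -d '\r' )
}

# report LABEL VERSIONSTRING TARGET: one line per check, non-zero when it fails.
report() {
  if openssh_version_at_least "$2" "$3"; then
    printf 'OK   %s: %s\n' "$1" "$2"
  else
    printf 'FAIL %s: %s (want >= %s)\n' "$1" "${2:-no version string}" "$3"
    return 1
  fi
}

# verify_openssh_upgrade TARGET [HOST] [PORT]
# Checks the client binary, the openssh-server package and the live daemon.
verify_openssh_upgrade() {
  target=$1 host=${2:-127.0.0.1} port=${3:-22} rc=0
  client=$(ssh -V 2>&1)                       # ssh prints its version on stderr
  report "ssh client" "$client" "$target" || rc=1
  if command -v rpm >/dev/null 2>&1; then
    pkg=$(rpm -q --qf '%{VERSION}-%{RELEASE}' openssh-server 2>/dev/null)
    report "openssh-server rpm" "$pkg" "$target" || rc=1
  fi
  # The protocol banner carries no patch level, so compare it against "8.3", not "8.3p1".
  banner=$(daemon_banner "$host" "$port")
  report "running sshd on $host:$port" "$banner" "${target%p*}" || rc=1
  return $rc
}

# Usage at the end of install.sh, in place of the "Active: active (running)" test:
#   verify_openssh_upgrade 8.3p1
```

The daemon banner is the check that matters for the customer's scanner: it is what the scanner reads, and it reflects the process actually listening, not the files on disk.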

Package the offline installer:

# mkdir /root/opensshUpgrade
# cp install.sh /root/opensshUpgrade
# cp -r /root/localrepo /root/opensshUpgrade
# cp /root/openssh-8.3p1/contrib/ssh-copy-id /root/opensshUpgrade
# cd /root && tar -zcf opensshUpgrade.tar.gz opensshUpgrade


7. Installing the OpenSSH upgrade offline

Copy the offline upgrade package opensshUpgrade.tar.gz to serverB:

# tar -zxf opensshUpgrade.tar.gz
# cd opensshUpgrade
# bash install.sh | tee install.log
# rpm -qa | grep openssl
# rpm -qa | grep openssh
# systemctl status sshd

Test logging in.


8. References

Linux SSHD service security hardening
https://www.cnblogs.com/xiaogan/p/5902846.html

Compiling and upgrading to OpenSSH-8.3p1 on Linux (BLFS documentation; also covers OpenSSH-8.0p1)
http://www.linuxfromscratch.org/blfs/view/svn/postlfs/openssh.html

Fix for the rpmbuild "unpackaged file" error on openssh ssh-sk-helper
https://bbs.aqzt.com/thread-1079-1-1.html
https://aq2.cn/c/openssh

Upgrade OpenSSH in CentOS 7
https://blog.forhot2000.cn/linux/2017/09/04/upgrade-openssh-in-centos-7.html

Compiling and upgrading OpenSSH 7.9
https://blog.csdn.net/weixin_42123737/article/details/85283972

Upgrading openssh to 7.9p1 on CentOS 6.5
https://blog.csdn.net/qq_25934401/article/details/83419849

An openssh upgrade script (openssh-7.7p1)
https://blog.csdn.net/GX_1_11_real/article/details/82152459

Upgrade OpenSSH to 7.7p1 in CentOS 6
https://docs.junyangz.com/upgrade-openssh-to-7.7p1-in-centos-6

Generating repository metadata with createrepo to build a local yum source
http://www.reibang.com/p/5cb5af152e75

Resolving dependencies for offline package installation
http://www.reibang.com/p/6f4f9a80a726

The right way to upgrade the operating system's OpenSSH and OpenSSL
https://blog.51cto.com/techsnail/2138927

Fixing vulnerabilities by upgrading the OpenSSH version
https://www.cnblogs.com/Dev0ps/p/9629694.html

Upgrading openssh to 7.9p1 on CentOS 7
http://www.reibang.com/p/220f7fd908b0

CentOS 7.2 upgrade to OpenSSH 8.0: steps and troubleshooting
https://blog.csdn.net/weixin_40592911/article/details/90519686

最后編輯于
?著作權(quán)歸作者所有,轉(zhuǎn)載或內(nèi)容合作請(qǐng)聯(lián)系作者
  • 序言:七十年代末届吁,一起剝皮案震驚了整個(gè)濱河市错妖,隨后出現(xiàn)的幾起案子,更是在濱河造成了極大的恐慌疚沐,老刑警劉巖暂氯,帶你破解...
    沈念sama閱讀 217,734評(píng)論 6 505
  • 序言:濱河連續(xù)發(fā)生了三起死亡事件,死亡現(xiàn)場(chǎng)離奇詭異亮蛔,居然都是意外死亡痴施,警方通過(guò)查閱死者的電腦和手機(jī),發(fā)現(xiàn)死者居然都...
    沈念sama閱讀 92,931評(píng)論 3 394
  • 文/潘曉璐 我一進(jìn)店門,熙熙樓的掌柜王于貴愁眉苦臉地迎上來(lái)辣吃,“玉大人动遭,你說(shuō)我怎么就攤上這事∩竦茫” “怎么了厘惦?”我有些...
    開(kāi)封第一講書(shū)人閱讀 164,133評(píng)論 0 354
  • 文/不壞的土叔 我叫張陵,是天一觀的道長(zhǎng)哩簿。 經(jīng)常有香客問(wèn)我宵蕉,道長(zhǎng),這世上最難降的妖魔是什么节榜? 我笑而不...
    開(kāi)封第一講書(shū)人閱讀 58,532評(píng)論 1 293
  • 正文 為了忘掉前任国裳,我火速辦了婚禮,結(jié)果婚禮上全跨,老公的妹妹穿的比我還像新娘缝左。我一直安慰自己,他們只是感情好浓若,可當(dāng)我...
    茶點(diǎn)故事閱讀 67,585評(píng)論 6 392
  • 文/花漫 我一把揭開(kāi)白布渺杉。 她就那樣靜靜地躺著,像睡著了一般挪钓。 火紅的嫁衣襯著肌膚如雪是越。 梳的紋絲不亂的頭發(fā)上,一...
    開(kāi)封第一講書(shū)人閱讀 51,462評(píng)論 1 302
  • 那天碌上,我揣著相機(jī)與錄音倚评,去河邊找鬼。 笑死馏予,一個(gè)胖子當(dāng)著我的面吹牛天梧,可吹牛的內(nèi)容都是我干的。 我是一名探鬼主播霞丧,決...
    沈念sama閱讀 40,262評(píng)論 3 418
  • 文/蒼蘭香墨 我猛地睜開(kāi)眼呢岗,長(zhǎng)吁一口氣:“原來(lái)是場(chǎng)噩夢(mèng)啊……” “哼!你這毒婦竟也來(lái)了蛹尝?” 一聲冷哼從身側(cè)響起后豫,我...
    開(kāi)封第一講書(shū)人閱讀 39,153評(píng)論 0 276
  • 序言:老撾萬(wàn)榮一對(duì)情侶失蹤,失蹤者是張志新(化名)和其女友劉穎突那,沒(méi)想到半個(gè)月后挫酿,有當(dāng)?shù)厝嗽跇?shù)林里發(fā)現(xiàn)了一具尸體,經(jīng)...
    沈念sama閱讀 45,587評(píng)論 1 314
  • 正文 獨(dú)居荒郊野嶺守林人離奇死亡愕难,尸身上長(zhǎng)有42處帶血的膿包…… 初始之章·張勛 以下內(nèi)容為張勛視角 年9月15日...
    茶點(diǎn)故事閱讀 37,792評(píng)論 3 336
  • 正文 我和宋清朗相戀三年早龟,在試婚紗的時(shí)候發(fā)現(xiàn)自己被綠了惫霸。 大學(xué)時(shí)的朋友給我發(fā)了我未婚夫和他白月光在一起吃飯的照片。...
    茶點(diǎn)故事閱讀 39,919評(píng)論 1 348
  • 序言:一個(gè)原本活蹦亂跳的男人離奇死亡拄衰,死狀恐怖,靈堂內(nèi)的尸體忽然破棺而出饵骨,到底是詐尸還是另有隱情翘悉,我是刑警寧澤,帶...
    沈念sama閱讀 35,635評(píng)論 5 345
  • 正文 年R本政府宣布居触,位于F島的核電站妖混,受9級(jí)特大地震影響,放射性物質(zhì)發(fā)生泄漏轮洋。R本人自食惡果不足惜制市,卻給世界環(huán)境...
    茶點(diǎn)故事閱讀 41,237評(píng)論 3 329
  • 文/蒙蒙 一、第九天 我趴在偏房一處隱蔽的房頂上張望弊予。 院中可真熱鬧祥楣,春花似錦、人聲如沸汉柒。這莊子的主人今日做“春日...
    開(kāi)封第一講書(shū)人閱讀 31,855評(píng)論 0 22
  • 文/蒼蘭香墨 我抬頭看了看天上的太陽(yáng)碾褂。三九已至兽间,卻和暖如春,著一層夾襖步出監(jiān)牢的瞬間正塌,已是汗流浹背嘀略。 一陣腳步聲響...
    開(kāi)封第一講書(shū)人閱讀 32,983評(píng)論 1 269
  • 我被黑心中介騙來(lái)泰國(guó)打工, 沒(méi)想到剛下飛機(jī)就差點(diǎn)兒被人妖公主榨干…… 1. 我叫王不留乓诽,地道東北人帜羊。 一個(gè)月前我還...
    沈念sama閱讀 48,048評(píng)論 3 370
  • 正文 我出身青樓,卻偏偏與公主長(zhǎng)得像鸠天,于是被迫代替她去往敵國(guó)和親逮壁。 傳聞我的和親對(duì)象是個(gè)殘疾皇子,可洞房花燭夜當(dāng)晚...
    茶點(diǎn)故事閱讀 44,864評(píng)論 2 354