一、實(shí)驗(yàn)背景

客戶請(qǐng)第三方安全公司掃描了下他們的服務(wù)器，發(fā)現(xiàn) SSH 存在許多安全漏洞摹量，原因是 CentOS 7.2 使用了一個(gè)比較舊的 OpenSSH 版本 v6.6.1，而這些漏洞在新版的 OpenSSH 中均已被修復(fù)馒胆，所以出于安全考慮缨称，需要升級(jí)。

yum 倉(cāng)庫(kù)中并沒(méi)有最新版的 OpenSSH祝迂，我們需要自己從官方下載最新的opeenSSh源碼包編譯制作 rpm 安裝包睦尽。

因?yàn)榭蛻舴?wù)器不能連外網(wǎng)，所以還需要將其做成離線升級(jí)包型雳。

二当凡、實(shí)驗(yàn)環(huán)境

操作系統(tǒng)： CentOS7.2 Mininal

serverA? 192.168.1.104? ?模擬開(kāi)發(fā)機(jī)，能聯(lián)網(wǎng)纠俭，用于制作離線升級(jí)包

serverB? 192.168.1.106? 模擬客戶服務(wù)器沿量，不能聯(lián)網(wǎng)，openSSH相關(guān)包及其依賴版本較低

三冤荆、實(shí)驗(yàn)預(yù)期

在severA上完成openSSH相關(guān)編譯及依賴下載朴则，寫成一鍵升級(jí)腳本，拖到serverB上完成openSSH的升級(jí)钓简。

OpenSSH源碼包官網(wǎng)：http://www.openssh.com?

截止目前乌妒，最新OpenSSH源碼包版本為?openssh-8.3p1.tar.gz

What?is?the?difference?between?OpenSSH?Release?and?OpenSSH?Portable?Release?

https://www.openssh.com/portable.html

http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/

四、實(shí)驗(yàn)操作

在serverA

# useradd rpmbuilder

# mkdir -p? /home/rpmbuilder/rpmbuild/{SOURCES,SPECS}

# yum -y install? vim? wget epel-release

# yum? -y? install? rpm-build? gcc make

# yum -y installopenssl? openssl-devel krb5-devel pam-devel libX11-devel xmkmf libXt-devel?gtk2-devel

# wget? http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.3p1.tar.gz

# wget https://src.fedoraproject.org/lookaside/pkgs/openssh/x11-ssh-askpass-1.2.4.1.tar.gz/8f2e41f3f7eaa8543a2440454637f3c3/x11-ssh-askpass-1.2.4.1.tar.gz

# tar -zxf openssh-8.3p1.tar.gz

# cp ./openssh-8.3p1/contrib/redhat/openssh.spec? ?/home/rpmbuilder/rpmbuild/SPECS/

# cp openssh-8.3p1.tar.gz? ? /home/rpmbuilder/rpmbuild/SOURCES/

# cp??x11-ssh-askpass-1.2.4.1.tar.gz??/home/rpmbuilder/rpmbuild/SOURCES/

# chown? -R??rpmbuilder:rpmbuilder? ?/home/rpmbuilder/

#? su? -? rpmbuilder

# cd?/home/rpmbuilder/rpmbuild/SPECS/?

$? sed? -i? ?"s/%global no_gnome_askpass?0/%global no_gnome_askpass?1/g"? ? openssh.spec

$ sed? -i? ?"s/%global?no_x11_askpass 0/%global?no_x11_askpass 1/g"? ? openssh.spec

$? sed? -i? ?"s/BuildRequires: openssl-devel >= 1.0.1/#BuildRequires: openssl-devel >= 1.0.1/g" openssh.spec

$? sed -i? ? "s/BuildRequires: openssl-devel < 1.1/#BuildRequires: openssl-devel < 1.1/g" openssh.spec

$sed? -i? ?'s/^%__check_fil/#&/'? ? ?/usr/lib/rpm/macros? ??

$ rpmbuild? -bb? openssh.spec

編譯完成后記得將編譯機(jī)上的?/usr/lib/rpm/macros文件改回來(lái)：

$ exit?

# sed? -i? ?'s/^#%__check_files/%__check_files/g'? ? ?/usr/lib/rpm/macros? ??

編譯好后的文件被放在/home/rpmbuilder/rpmbuild/RPMS/x86_64/ 目錄下：

#? ll??/home/rpmbuilder/rpmbuild/RPMS/x86_64/?

注：openssh-debuginfo-8.3p1-1.el7.centos.x86_64.rpm 這個(gè)包是一個(gè)debug包涌庭，升級(jí)時(shí)用不到芥被，需要?jiǎng)h除欧宜。

將上述操作腳本化：

# cat build.sh

#####################################################

#!/bin/bash

useradd rpmbuilder

mkdir -p /home/rpmbuilder/rpmbuild/{SOURCES,SPECS}

yum -y install? vim? wget epel-release

yum -y install? rpm-build? gcc make

yum -y install openssl? openssl-devel krb5-devel pam-devel libX11-devel xmkmf libXt-devel gtk2-devel

wget? http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.3p1.tar.gz

wget? https://src.fedoraproject.org/lookaside/pkgs/openssh/x11-ssh-askpass-1.2.4.1.tar.gz/8f2e41f3f7eaa8543a2440454637f3c3/x11-ssh-askpass-1.2.4.1.tar.gz

tar -zxf openssh-8.3p1.tar.gz

cp? ./openssh-8.3p1/contrib/redhat/openssh.spec? /home/rpmbuilder/rpmbuild/SPECS/

cp? openssh-8.3p1.tar.gz? ? /home/rpmbuilder/rpmbuild/SOURCES/

cp? x11-ssh-askpass-1.2.4.1.tar.gz? /home/rpmbuilder/rpmbuild/SOURCES/

chown -R rpmbuilder:rpmbuilder? /home/rpmbuilder/

su - rpmbuilder

cd /home/rpmbuilder/rpmbuild/SPECS/

sed? -i? "s/%global no_gnome_askpass 0/%global no_gnome_askpass 1/g"? ? ? ? ? ? ? ? ? ? ? ? ? ?openssh.spec

sed? -i? "s/%global no_x11_askpass 0/%global no_x11_askpass 1/g"? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? openssh.spec

sed? -i? "s/BuildRequires: openssl-devel >= 1.0.1/#BuildRequires: openssl-devel >= 1.0.1/g"? openssh.spec

sed? -i? "s/BuildRequires: openssl-devel < 1.1/#BuildRequires: openssl-devel < 1.1/g"? ? ? ? ? ? ?openssh.spec

sed? -i? 's/^%__check_fil/#&/'? ? /usr/lib/rpm/macros

rpmbuild? -bb? openssh.spec

########################################################

五坐榆、在開(kāi)發(fā)機(jī)上做openSSH升級(jí)測(cè)試

在serverA

# cd? ?/home/rpmbuilder/rpmbuild/RPMS/x86_64/?

# rm? -f??openssh-debuginfo-8.3p1-1.el7.centos.x86_64.rpm

# rpm -Uvh *.rpm

# rpm -qa | grep openssh

本來(lái)到此，我們升級(jí)就完成了冗茸，但是從客戶端登陸的時(shí)候卻失敗了席镀！

開(kāi)始我們以為自己制作的 rpm 包有問(wèn)題匹中，幾經(jīng)折騰，最后發(fā)現(xiàn)還是默認(rèn)的配置不正確導(dǎo)致的結(jié)果豪诲。

無(wú)法用 ssh key 方式登錄顶捷，默認(rèn)的 host key 文件授權(quán)太大，需要修改 key 文件的權(quán)限屎篱！

# ll? /etc/ssh/ssh_host_*_key

# chmod 600? /etc/ssh/ssh_host_*_key

# ll /etc/ssh/ssh_host_*_key

# systemctl restart sshd

# systemctl status sshd

升級(jí)完后的openSSH默認(rèn)不允許用密碼方式登錄服赎，我們需要更改配置文件：

# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

# sed -i -e? "s/#PasswordAuthentication yes/PasswordAuthentication yes/g"? /etc/ssh/sshd_config

# sed -i -e? "s/#PermitRootLogin prohibit-password/PermitRootLogin yes/g"? ? /etc/ssh/sshd_config

# sed -i -e? "s/#PermitEmptyPasswords no/PermitEmptyPasswords no/g"? /etc/ssh/sshd_config

# sed -i? -e? "s/#UsePAM no/UsePAM yes/g"? /etc/ssh/sshd_config

默認(rèn)的 /etc/pam.d/sshd 中使用了過(guò)時(shí)的 pam_stack.so 動(dòng)態(tài)庫(kù)，需要更新：

# cp /etc/pam.d/sshd /etc/pam.d/sshd.bak

# cat >? /etc/pam.d/sshd? <<EOF

#%PAM-1.0

auth required pam_sepermit.so

auth include password-auth

account required pam_nologin.so

account include password-auth

password include password-auth

# pam_selinux.so close should be the first session rule

session required pam_selinux.so close

session required pam_loginuid.so

# pam_selinux.so open should only be followed by sessions to be executed in the user context

session required pam_selinux.so open env_params

session optional pam_keyinit.so force revoke

session include password-auth

EOF

重啟ssh服務(wù)交播，查看服務(wù)狀態(tài)：

# systemctl restart sshd

# systemctl enable? sshd

# systemctl status sshd

你會(huì)發(fā)現(xiàn)重虑，升級(jí)后的sshd服務(wù)，是用的啟動(dòng)腳本秦士，不是/usr/lib/systemd/system/sshd.service文件了缺厉。

實(shí)際上升級(jí)過(guò)程中，程序已經(jīng)將 /usr/lib/systemd/system/sshd.service 刪除了隧土，并且添加了服務(wù)啟動(dòng)腳本?/etc/init.d/sshd

細(xì)心的你還會(huì)發(fā)現(xiàn)提针，升級(jí)完后，我們經(jīng)常用于做免密登錄的公鑰拷貝命令 ssh-copy-id也沒(méi)有了曹傀！

其實(shí)不是沒(méi)有了辐脖，而是我們需要去解壓后源碼包拷貝到/usr/bin/目錄

# cp /root/openssh-7.9p1/contrib/ssh-copy-id? /usr/bin/

# chmod? 755? /usr/bin/ssh-copy-id

六、制作離線升級(jí)安裝包

在serverA

# yum -y install? yum-utils createrepo

# mkdir? /root/localrepo

# repotrack? openssl? -p /root/localrepo/

你可能會(huì)疑惑：不是找openssh相關(guān)包的依賴么皆愉，怎么找的是openssl了揖曾？

其實(shí)從上面安裝可以，升級(jí)opennsh版本并不會(huì)缺少依賴亥啦，我們們只是需要相應(yīng)地升級(jí)一下openssl的版本：

# rm? -f???/home/rpmbuilder/rpmbuild/RPMS/x86_64/openssh-debuginfo-8.3p1-1.el7.centos.x86_64.rpm

# cp? ?/home/rpmbuilder/rpmbuild/RPMS/x86_64/*.rpm? /root/localrepo

# createrepo -v? ? /root/localrepo

編寫離線升級(jí)安裝腳本：

cat install.sh

######################################################

#!/bin/bash

# 定位腳本當(dāng)前路徑

parent_path=$( cd "$(dirname "${BASH_SOURCE}")"; pwd -P )

cd "$parent_path"

mkdir -p /etc/yum.repos.d/backup

mv /etc/yum.repos.d/*.repo? /etc/yum.repos.d/backup

rm -rf /tmp/localrepo

mkdir -p /tmp/localrepo

cp -rf? ./localrepo/*? /tmp/localrepo

echo "[localrepo]"? ? ? ? ? ? ? ? ? ? ? ? ? ? ? > /etc/yum.repos.d/localrepo.repo

echo "name=Local Repository"? ? ? ? ? >> /etc/yum.repos.d/localrepo.repo

echo "baseurl=file:///tmp/localrepo"? ? >> /etc/yum.repos.d/localrepo.repo

echo "gpgcheck=0"? ? ? ? ? ? ? ? ? ? ? ? ? ? ? >> /etc/yum.repos.d/localrepo.repo

echo "enabled=1"? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? >> /etc/yum.repos.d/localrepo.repo

yum clean all

yum -y? install openssl

yum -y install openssh*? --disablerepo="*" --enablerepo="localrepo"

rm -rf /tmp/localrepo

rm -f /etc/yum.repos.d/localrepo.repo

mv /etc/yum.repos.d/backup/*.repo? /etc/yum.repos.d

rm -rf /etc/yum.repos.d/backup

chmod 600? /etc/ssh/ssh_host_*_key

# modify /etc/ssh/sshd_config

cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

sed -i -e "s/#PasswordAuthentication yes/PasswordAuthentication yes/g" /etc/ssh/sshd_config

sed -i -e "s/#PermitRootLogin prohibit-password/PermitRootLogin yes/g" /etc/ssh/sshd_config

sed -i -e "s/#PermitEmptyPasswords no/PermitEmptyPasswords no/g"? ? ? /etc/ssh/sshd_config

sed -i -e "s/#UsePAM no/UsePAM yes/g"? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? ? /etc/ssh/sshd_config

# modify /etc/pam.d/sshd

cp /etc/pam.d/sshd /etc/pam.d/sshd.bak

cat > /etc/pam.d/sshd <<EOF

#%PAM-1.0

auth required pam_sepermit.so

auth include password-auth

account required pam_nologin.so

account include password-auth

password include password-auth

# pam_selinux.so close should be the first session rule

session required pam_selinux.so close

session required pam_loginuid.so

# pam_selinux.so open should only be followed by sessions to be executed in the user context

session required pam_selinux.so open env_params

session optional pam_keyinit.so force revoke

session include password-auth

EOF

# copy ssh-copy-id

cp ssh-copy-id /usr/bin

chmod 755 /usr/bin/ssh-copy-id

systemctl restart sshd

systemctl enable sshd

systemctl status sshd

rpm -qa | grep open

systemctl status? sshd| grep? "Active: active (running)"

if [ $? -eq 0 ]; then

? echo -e "\033[32m[INFO] OpenSSH upgraded to 8.3p1? successfully炭剪！\033[0m"

else

echo -e "\033[31m[ERROR] OpenSSH upgraded to 8.3p1 faild！\033[0m"

fi

##############################################################

打包離線安裝包

# mkdir? /root/opensshUpgrade

# cp install.sh? /root/opensshUpgrade

# cp? -r? lcoalrepo /root/opensshUpgrade

# cp /root/openssh-8.3p1/contrib/ssh-copy-id? /root/opensshUpgrade

# tar openssshUpgrade.tar.gz? opensshUpgrade

七翔脱、離線安裝升級(jí)openSSH

將離線升級(jí)安裝包 openssshUpgrade.tar.gz拷貝到serverB 服務(wù)器

#? tar? -zxf? openssshUpgrade.tar.gz

# cd? openssshUpgrade

#? bash install.sh | tee install.log

# rpm -qa | grep openssl

# rpm -qa | grep openssh

# systemctl? status sshd

測(cè)試登錄

八奴拦、參考

Linux系統(tǒng) SSHD服務(wù)安全優(yōu)化方案

https://www.cnblogs.com/xiaogan/p/5902846.html

Linux上編譯升級(jí)到OpenSSH-8.3p1官方文檔

http://www.linuxfromscratch.org/blfs/view/svn/postlfs/openssh.html

rpmbuild 檢查未打包 openssh ssh-sk-helper 錯(cuò)誤 解決方法

https://bbs.aqzt.com/thread-1079-1-1.html

https://aq2.cn/c/openssh

Upgrade OpenSSH in CentOS 7

https://blog.forhot2000.cn/linux/2017/09/04/upgrade-openssh-in-centos-7.html

編譯升級(jí)OpenSSH 7.9

https://blog.csdn.net/weixin_42123737/article/details/85283972

Centos 6.5升級(jí)openssh到7.9p1

https://blog.csdn.net/qq_25934401/article/details/83419849

openssh升級(jí)腳本分享(openssh-7.7p1版)

https://blog.csdn.net/GX_1_11_real/article/details/82152459

Upgrade OpenSSH to 7.7p1 in CentOS 6

https://docs.junyangz.com/upgrade-openssh-to-7.7p1-in-centos-6

createrepo生成倉(cāng)庫(kù)元數(shù)據(jù)，搭建本地yum源

http://www.reibang.com/p/5cb5af152e75

解決離線安裝依賴包的方法

http://www.reibang.com/p/6f4f9a80a726

升級(jí)操作系統(tǒng)OpenSSH及其OpenSSL的正確姿勢(shì)

https://blog.51cto.com/techsnail/2138927

Openssh版本升級(jí)修復(fù)漏洞

https://www.cnblogs.com/Dev0ps/p/9629694.html

CentOS7 openssh升級(jí)到7.9p1

http://www.reibang.com/p/220f7fd908b0

OpenSSH-8.0p1

http://www.linuxfromscratch.org/blfs/view/svn/postlfs/openssh.html

CenOS7.2 升級(jí)OpenSSH 8.0 升級(jí)步驟及排錯(cuò)

https://blog.csdn.net/weixin_40592911/article/details/90519686