概述

由于安全漏洞扫描显示OpenSSH版本过低需升级至最新版,故编写该文档。

查看服务器基本信息

[root@localhost ~]# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
[root@localhost ~]# cat /etc/redhat-release 
CentOS Linux release 7.8.2003 (Core)

安装Telnet

yum -y install telnet-server
# 添加Telent安全端口
semanage port -a -t telnetd_port_t -p tcp 2312
# 修改Telnet默认端口
sed -i 's/\(^ListenStream=\).*/\12312/' /usr/lib/systemd/system/telnet.socket
systemctl daemon-reload
Service_Restart_Manage telnet.socket
# 自动添加tty
for telnet_tty in {0..9};do
    if [[ ! "$(cat /etc/securetty)" =~ "pts/${telnet_tty}" ]];then
        sed -i "\$apts/${telnet_tty}" /etc/securetty
    fi
done

安装升级依赖

[root@localhost ~]# yum -y install wget gcc zlib-devel openssl-devel pam-devel libselinux-devel

升级OPENSSL

备份旧版openssl
[root@localhost ~]# mv /usr/bin/openssl{,.bak}
[root@localhost ~]# mv /usr/include/openssl{,.bak}
解压并编译安装
[root@localhost ~]# wget https://www.openssl.org/source/openssl-1.1.1k.tar.gz
[root@localhost ~]# tar zxf openssl-1.1.1k.tar.gz -C /usr/src/
[root@localhost ~]# cd /usr/src/openssl-1.1.1k/
[root@localhost openssl-1.1.1k]# ./config --prefix=/usr/local/openssl
[root@localhost openssl-1.1.1k]# make -j 2 && make install
配置调整
[root@localhost openssl-1.1.1k]# ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
[root@localhost openssl-1.1.1k]# ln -s /usr/local/openssl/include/openssl /usr/include/openssl
[root@localhost openssl-1.1.1k]# echo "/usr/local/openssl/lib" >> /etc/ld.so.conf
[root@localhost openssl-1.1.1k]# ldconfig -v
验证版本
[root@localhost openssl-1.1.1k]# openssl version
OpenSSL 1.1.1k  25 Mar 2021

升级OPENSSH

停止原有服务及备份数据
[root@localhost ~]# systemctl stop sshd
[root@localhost ~]# mv /etc/ssh{,.bak}
[root@localhost ~]# mv /etc/pam.d/sshd{,.bak}
卸载原有openssh包
[root@localhost ~]# rpm -e --nodeps `rpm -qa | grep openssh`
下载并解压安装包
[root@localhost ~]# wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.6p1.tar.gz
[root@localhost ~]# tar zxf openssh-8.6p1.tar.gz 
[root@localhost ~]# cd openssh-8.6p1
编译安装
[root@localhost openssh-8.6p1]# ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-zlib --with-tcp-wrappers --with-ssl-dir=/usr/local/openssl --without-hardening
[root@localhost openssh-8.6p1]# make -j 2 && make install
拷贝配置文件并启动
[root@localhost openssh-8.6p1]# cp contrib/redhat/sshd.init /etc/init.d/sshd
[root@localhost openssh-8.6p1]# mv /etc/pam.d/sshd.bak /etc/pam.d/sshd
[root@localhost openssh-8.6p1]# mv /etc/ssh /etc/ssh_update.bak
[root@localhost openssh-8.6p1]# mv /etc/ssh.bak /etc/ssh
[root@localhost openssh-8.6p1]# chmod 600 /etc/ssh/*key
[root@localhost openssh-8.6p1]# chkconfig --add sshd
[root@localhost openssh-8.6p1]# chkconfig sshd on
[root@localhost openssh-8.6p1]# systemctl restart sshd
允许Root登陆
[root@localhost ~]# sed -i 's/^#\(PermitRootLogin \).*/\1yes/' /etc/ssh/sshd_config
版本验证
[root@localhost openssh-8.6p1]# ssh -V
OpenSSH_8.6p1, OpenSSL 1.1.1k  25 Mar 2021

遇到的问题

Job for sshd.service failed because the control process exited with error code. See "systemctl status sshd.service" and "journalctl -xe" for details.

解决办法

grep sshd /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.pp
END

本文标题:Centos7 OpenSSH-8.6p1升级文档

本文作者:宇宙最帅的男人

本文链接:https://www.ym68.cc/linux/202130166.html

版权声明:转载或者引用本文内容请注明来源及原作者,本文著作权归作者 (宇宙最帅的男人) 所有。

除非另有说明,本作品采用知识共享署名-非商业性使用-相同方式共享 4.0 国际许可协议

最后修改:2021 年 09 月 06 日
如果觉得我的文章对你有用,请随意赞赏