Centos7 OpenSSH升级 低版本安全漏洞修复
Centos7 OpenSSH升级 低版本安全漏洞修复
- 绿盟检查出的漏洞
- 修复方案-升级OpenSSH版本
- 查看当前版本
- 升级到最新版本
- 官网查看最新版本
- 下载并升级
- 下载openssh-8.1p1.tar.gz
- 卸载原Openssh
- 解压openssh安装包
- 检测环境是否满足
- 可能出现的问题 解决问题之后重新检测环境 ./configure
- 编译安装
- 配置
- 拷贝ssh服务文件
- 允许root用户远程登录
- 加入系统服务
- 重启openssh,查看版本
- 打开新窗口,并查看版本
- SELinux如果是开启状态,断开后或者新开窗口无法连接
绿盟检查出的漏洞
修复方案-升级OpenSSH版本
查看当前版本
[root@k8s-node1 ~]# ssh -VOpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
升级到最新版本
官网查看最新版本
http://www.openssh.com/portable.html\#http
目前是8.1pl
下载并升级
下载openssh-8.1p1.tar.gz
[root@k8s-node1 ~]# cd /usr/local/software/[root@k8s-node1 software]# lltotal 1936drwxrwxr-x 7 root root 4096 Nov 4 23:19 redis-5.0.5-rw-r--r-- 1 root root 1975750 May 16 00:26 redis-5.0.5.tar.gz[root@k8s-node1 software]# wget https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/openssh-8.1p1.tar.gz--2019-11-12 17:26:01-- https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/openssh-8.1p1.tar.gzResolving openbsd.hk (openbsd.hk)... 74.82.48.34, 2404:bb40::2Connecting to openbsd.hk (openbsd.hk)|74.82.48.34|:443... connected.HTTP request sent, awaiting response... 200 OKLength: 1625894 (1.5M) [application/x-gzip]Saving to: ‘openssh-8.1p1.tar.gz’32% [====================================> ] 532,480 21.4KB/s eta 52s
卸载原Openssh
[root@k8s-node1 software]# rpm -qa |grep opensshopenssh-clients-7.4p1-11.el7.x86_64openssh-7.4p1-11.el7.x86_64openssh-server-7.4p1-11.el7.x86_64[root@k8s-node1 software]# for i in $(rpm -qa |grep openssh);do rpm -e $i --nodeps;done[root@k8s-node1 software]#
解压openssh安装包
[root@k8s-node1 software]# tar -zxvf openssh-8.1p1.tar.gzopenssh-8.1p1·············openssh-8.1p1/config.h.in[root@k8s-node1 software]# cd openssh-8.1p1[root@k8s-node1 openssh-8.1p1]#
检测环境是否满足
[root@k8s-node1 openssh-8.1p1]# ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-md5-passwords --with-tcp-wrappersconfigure: WARNING: unrecognized options: --with-tcp-wrapperschecking for cc... ccchecking whether the C compiler works... yes······config.status: creating config.hconfigure: WARNING: unrecognized options: --with-tcp-wrappersOpenSSH has been configured with the following options:User binaries: /usr/binSystem binaries: /usr/sbinConfiguration files: /etc/sshAskpass program: /usr/libexec/ssh-askpassManual pages: /usr/share/man/manXPID file: /var/runPrivilege separation chroot path: /var/emptysshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbinManpage format: docPAM support: yesOSF SIA support: noKerberosV support: noSELinux support: noMD5 password support: yeslibedit support: nolibldns support: noSolaris process contract support: noSolaris project support: noSolaris privilege support: noIP address in $DISPLAY hack: noTranslate v4 in v6 hack: yesBSD Auth support: noRandom number source: OpenSSL internal ONLYPrivsep sandbox style: seccomp_filterHost: x86_64-pc-linux-gnuCompiler: ccCompiler flags: -g -O2 -pipe -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIEPreprocessor flags: -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCELinker flags: -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -pieLibraries: -lcrypto -ldl -lutil -lz -lcrypt -lresolv+for sshd: -lpamPAM is enabled. You may need to install a PAM control filefor sshd, otherwise password authentication may fail.Example PAM control files can be found in the contrib/subdirectory
可能出现的问题 解决问题之后重新检测环境 ./configure
1)configure: error: no acceptable C compiler found in $PATHyum install -y gcc2)configure: error: *** zlib.h missing - please install first or check config.log ***yum install -y zlib-devel3)configure: error: *** working libcrypto not found, check config.logyum install -y openssl-devel4)configure: error: PAM headers not foundyum install -y pam-devel
编译安装
[root@k8s-node1 openssh-8.1p1]# rm -rf /etc/ssh[root@k8s-node1 openssh-8.1p1]# make && make install······/usr/bin/install -c -m 644 ssh-pkcs11-helper.8.out /usr/share/man/man8/ssh-pkcs11-helper.8/usr/bin/mkdir -p /etc/sshssh-keygen: generating new host keys: RSA DSA ECDSA ED25519/usr/sbin/sshd -t -f /etc/ssh/sshd_config[root@k8s-node1 openssh-8.1p1]#
配置
拷贝ssh服务文件
[root@k8s-node1 openssh-8.1p1]# cp contrib/redhat/sshd.init /etc/init.d/sshd[root@k8s-node1 openssh-8.1p1]#
允许root用户远程登录
新增33行:
[root@k8s-node1 openssh-8.1p1]# vi /etc/ssh/sshd_config1 # $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $······32 #PermitRootLogin prohibit-password33 PermitRootLogin yes34 #StrictModes yes
或者执行脚本:
[root@k8s-node1 openssh-8.1p1]# sed -i "32a PermitRootLogin yes" /etc/ssh/sshd_config
加入系统服务
[root@k8s-node1 openssh-8.1p1]# chkconfig --add sshd[root@k8s-node1 openssh-8.1p1]# chkconfig --list|grep sshdNote: This output shows SysV services only and does not include nativesystemd services. SysV configuration data might be overridden by nativesystemd configuration.If you want to list systemd services use 'systemctl list-unit-files'.To see services enabled on particular target use'systemctl list-dependencies [target]'.sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off[root@k8s-node1 openssh-8.1p1]#
重启openssh,查看版本
[root@k8s-node1 openssh-8.1p1]# systemctl restart sshd[root@k8s-node1 openssh-8.1p1]# systemctl status sshd● sshd.service - SYSV: OpenSSH server daemonLoaded: loaded (/etc/rc.d/init.d/sshd; bad; vendor preset: enabled)Active: active (running) since Tue 2019-11-12 18:00:53 HKT; 1min 52s agoDocs: man:systemd-sysv-generator(8)Process: 28425 ExecStart=/etc/rc.d/init.d/sshd start (code=exited, status=0/SUCCESS)Main PID: 28433 (sshd)Memory: 1.4MCGroup: /system.slice/sshd.service├─28433 /usr/sbin/sshd├─28437 sshd: root@pts/3└─28487 -bashNov 12 18:00:53 k8s-node1 systemd[1]: Starting SYSV: OpenSSH server daemon...Nov 12 18:00:53 k8s-node1 sshd[28433]: Server listening on 0.0.0.0 port 22.Nov 12 18:00:53 k8s-node1 sshd[28433]: Server listening on :: port 22.Nov 12 18:00:53 k8s-node1 sshd[28425]: Starting sshd:[ OK ]Nov 12 18:00:53 k8s-node1 systemd[1]: Started SYSV: OpenSSH server daemon.Nov 12 18:00:59 k8s-node1 sshd[28437]: Accepted password for root from 192.168.56.1 port 5002 ssh2[root@k8s-node1 openssh-8.1p1]# ssh -VOpenSSH_8.1p1, OpenSSL 1.0.2k-fips 26 Jan 2017[root@k8s-node1 openssh-8.1p1]#
打开新窗口,并查看版本
可能会提示保存密码
Connecting to 192.168.56.106:22...Connection established.To escape to local shell, press 'Ctrl+Alt+]'.WARNING! The remote SSH server rejected X11 forwarding request.Last login: Tue Nov 12 17:08:07 2019 from 192.168.56.1[root@k8s-node1 ~]# ssh -VOpenSSH_8.1p1, OpenSSL 1.0.2k-fips 26 Jan 2017[root@k8s-node1 ~]#
升级成功!!!
SELinux如果是开启状态,断开后或者新开窗口无法连接
本机之前已经关闭SELinux,所以没出现该问题
[root@k8s-node1 ~]# cat /etc/selinux/config# This file controls the state of SELinux on the system.# SELINUX= can take one of these three values:# enforcing - SELinux security policy is enforced.# permissive - SELinux prints warnings instead of enforcing.# disabled - No SELinux policy is loaded.SELINUX=disabled# SELINUXTYPE= can take one of three two values:# targeted - Targeted processes are protected,# minimum - Modification of targeted policy. Only selected processes are protected.# mls - Multi Level Security protection.SELINUXTYPE=targeted
如出现该异常,可以:
临时关闭:setenforce 0
永久关闭:sed -i s#SELINUX=enforcing#SELINUX=disabled# /etc/selinux/config
关于SELinux详细介绍,请移步:https://blog.csdn.net/iceliooo/article/details/103039756
╰+哭是因爲堅強的太久メ
喜欢ヅ旅行
骑猪看日落
向右看齐
还没有评论,来说两句吧...