Upgrading OpenSSH on CentOS 6

Recently our servers went through a security vulnerability scan, and the report listed several findings, one of which was the OpenSSH version. The servers run Red Hat RHEL 6.5, whose default repositories ship a very old OpenSSH that carries known security risks. Because the server environment has no internet access, the upgrade packages had to be downloaded to a local machine and then compiled and installed by hand. Colleagues told me that compiling and installing OpenSSH manually is fairly troublesome; on internet-facing servers I had always installed with yum and never noticed how hard a manual build could be. Given how special a tool like ssh is, I am recording my own upgrade and installation process here. The plan is to upgrade OpenSSH to OpenSSH 8.0.

Check the current version

[root@test1 ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.5 (Santiago)
[root@test1 ~]# ssh -V
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
[root@test1 ~]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
[root@test1 ~]#

The current versions are OpenSSH_5.3p1 and OpenSSL 1.0.1e-fips.

Install telnet-server and xinetd

yum install telnet-server xinetd

At this point a telnet login to this host from another machine still does not work.
vim /etc/xinetd.d/telnet

<pre class="wp-block-syntaxhighlighter-code">
# default: on
# description: The telnet server serves telnet sessions; it uses \
#       unencrypted username/password pairs for authentication.
service telnet
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        disable         = no
}
</pre>

Change the default disable = yes to disable = no

Start xinetd

service xinetd start

Telnet login now works, but by default the root account is not allowed to log in directly over telnet. There are two workarounds online; for safety I chose to log in with a normal account and then switch to root.

Download the software needed for the upgrade

<pre class="wp-block-syntaxhighlighter-code">
[root@test3 0319]# ll
total 8280
-rw-r--r-- 1 root root 1597697 Mar 19 21:53 openssh-8.0p1.tar.gz
-rw-r--r-- 1 root root 5376305 Mar 19 21:53 openssl-OpenSSL_1_0_2r.tar.gz
-rw-r--r-- 1 root root  675144 Mar 19 21:53 pam-1.1.1-24.el6.x86_64.rpm
-rw-r--r-- 1 root root  210356 Mar 19 21:53 pam-devel-1.1.1-24.el6.x86_64.rpm
-rw-r--r-- 1 root root  607698 Mar 19 21:53 zlib-1.2.11.tar.gz
</pre>

Install zlib

<pre class="wp-block-syntaxhighlighter-code">
tar -zxvf zlib-1.2.11.tar.gz
cd zlib-1.2.11
./configure --prefix=/usr/local/zlib

[root@test3 zlib-1.2.11]# make
[root@test3 zlib-1.2.11]# make check
hello world
zlib version 1.2.11 = 0x12b0, compile flags = 0xa9
uncompress(): hello, hello!
gzread(): hello, hello!
gzgets() after gzseek:  hello!
inflate(): hello, hello!
large_inflate(): OK
after inflateSync(): hello, hello!
inflate with dictionary: hello, hello!
                *** zlib test OK ***
hello world
zlib version 1.2.11 = 0x12b0, compile flags = 0xa9
uncompress(): hello, hello!
gzread(): hello, hello!
gzgets() after gzseek:  hello!
inflate(): hello, hello!
large_inflate(): OK
after inflateSync(): hello, hello!
inflate with dictionary: hello, hello!
                *** zlib shared test OK ***
hello world
zlib version 1.2.11 = 0x12b0, compile flags = 0xa9
uncompress(): hello, hello!
gzread(): hello, hello!
gzgets() after gzseek:  hello!
inflate(): hello, hello!
large_inflate(): OK
after inflateSync(): hello, hello!
inflate with dictionary: hello, hello!
                *** zlib 64-bit test OK ***
[root@test3 zlib-1.2.11]# 
[root@test3 zlib-1.2.11]# make install
</pre>

echo "/usr/local/zlib/lib" >> /etc/ld.so.conf.d/zlib.conf
ldconfig -v

zlib is now installed.

Install pam

rpm -ivh pam-1.1.1-24.el6.x86_64.rpm
rpm -ivh pam-devel-1.1.1-24.el6.x86_64.rpm

Install openssl

tar -zxvf openssl-OpenSSL_1_0_2r.tar.gz
cd openssl-OpenSSL_1_0_2r

Back up openssl

mv /usr/bin/openssl /usr/bin/openssl_bak
mv /usr/include/openssl /usr/include/openssl_bak

./config --prefix=/usr --shared zlib
make
make test
make install
[root@test3 openssl-OpenSSL_1_0_2r]# openssl version
OpenSSL 1.0.2r 26 Feb 2019
[root@test3 openssl-OpenSSL_1_0_2r]#

Upgrade openssh

From another machine, telnet into this host
telnet IP

tar -zxvf openssh-8.0p1.tar.gz
cd openssh-8.0p1

Back up the current openssh

mv /etc/ssh /etc/ssh_old

Uninstall the current openssh

<pre class="wp-block-syntaxhighlighter-code">
[root@test3 openssh-8.0p1]# rpm -qa | grep openssh
openssh-clients-5.3p1-94.el6.x86_64
openssh-5.3p1-94.el6.x86_64
openssh-server-5.3p1-94.el6.x86_64
[root@test3 openssh-8.0p1]# rpm -e --nodeps openssh-clients-5.3p1-94.el6.x86_64
[root@test3 openssh-8.0p1]# rpm -e --nodeps openssh-5.3p1-94.el6.x86_64
[root@test3 openssh-8.0p1]# rpm -e --nodeps openssh-server-5.3p1-94.el6.x86_64
[root@test3 openssh-8.0p1]# rpm -qa | grep openssh
[root@test3 openssh-8.0p1]# 
</pre>

Configure

./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-zlib --with-ssl-dir=/usr/ssl

configure: error: PAM headers not found

yum install pam-devel

./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-zlib --with-ssl-dir=/usr/ssl

<pre class="wp-block-syntaxhighlighter-code">
OpenSSH has been configured with the following options:
                     User binaries: /usr/bin
                   System binaries: /usr/sbin
               Configuration files: /etc/ssh
                   Askpass program: /usr/libexec/ssh-askpass
                      Manual pages: /usr/share/man/manX
                          PID file: /var/run
  Privilege separation chroot path: /var/empty
            sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin
                    Manpage format: doc
                       PAM support: yes
                   OSF SIA support: no
                 KerberosV support: no
                   SELinux support: no
              MD5 password support: yes
                   libedit support: no
                   libldns support: no
  Solaris process contract support: no
           Solaris project support: no
         Solaris privilege support: no
       IP address in $DISPLAY hack: no
           Translate v4 in v6 hack: yes
                  BSD Auth support: no
              Random number source: OpenSSL internal ONLY
             Privsep sandbox style: rlimit

              Host: x86_64-pc-linux-gnu
          Compiler: cc
    Compiler flags: -g -O2 -pipe -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wno-pointer-sign -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-all -fPIE  
Preprocessor flags: -I/usr/ssl  -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE
      Linker flags: -L/usr/ssl  -Wl,-z,retpolineplt -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-all -pie 
         Libraries: -lcrypto -lrt -ldl -lutil -lz  -lcrypt -lresolv
         +for sshd:  -lpam

PAM is enabled. You may need to install a PAM control file 
for sshd, otherwise password authentication may fail. 
Example PAM control files can be found in the contrib/ 
subdirectory
</pre>

make
make install

[root@test3 openssh-8.0p1]# cp ./contrib/redhat/sshd.init /etc/init.d/sshd
[root@test3 openssh-8.0p1]# chmod +x /etc/init.d/sshd
[root@test3 openssh-8.0p1]# chkconfig --add sshd
[root@test3 openssh-8.0p1]# chkconfig --list sshd
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
[root@test3 openssh-8.0p1]#

Verify

[root@test3 ~]# openssl version
OpenSSL 1.0.2r 26 Feb 2019
[root@test3 ~]# ssh -V
OpenSSH_8.0p1, OpenSSL 1.0.2r 26 Feb 2019
[root@test3 ~]#

The upgrade is verified as successful.

Start the service

service sshd start

From another machine, check that an ssh login succeeds.

Allow root login

vim /etc/ssh/sshd_config
Uncomment and change #PermitRootLogin prohibit-password to PermitRootLogin yes

Restart the service

service sshd restart

Finally

When upgrading openssh on a server, be sure to install telnet first so that you can still reach the server remotely if the ssh upgrade fails. Once the upgrade is complete, the telnet service can be disabled for security.
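The post finishes with three things worth checking on the upgraded host: the new OpenSSH version is in place, the root-login setting in sshd_config is what you intended, and the telnet fallback is switched off again. The script below is an added example (not the author's code) that performs those checks; it assumes the `ssh -V` output format shown above, the xinetd file /etc/xinetd.d/telnet and /etc/ssh/sshd_config, and ends with constructed sample inputs so it can be tried offline.

```shell
#!/bin/sh
# Post-upgrade checks for this post's procedure (added example, not the author's code). Assumes
# `ssh -V` prints "OpenSSH_8.0p1, OpenSSL ..." and the standard paths used in the post.

# "OpenSSH_8.0p1, OpenSSL ..." -> "8.0"
ssh_version_of() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9]*\)\.\([0-9]*\).*/\1.\2/p'
}

# Returns 0 when major.minor "$1" is >= major.minor "$2".
version_ge() {
    [ -n "$1" ] || return 1
    a1=${1%%.*}; a2=${1#*.}; b1=${2%%.*}; b2=${2#*.}
    [ "$a1" -gt "$b1" ] || { [ "$a1" -eq "$b1" ] && [ "$a2" -ge "$b2" ]; }
}

# Effective PermitRootLogin: sshd takes the first uncommented occurrence; absent = OpenSSH 7.0+ default.
sshd_permit_root_login() {
    v=$(awk 'tolower($1)=="permitrootlogin"{print $2; exit}' "$1")
    printf '%s\n' "${v:-prohibit-password}"
}

# Returns 0 when the xinetd telnet service is disabled (or the file is absent, i.e. not installed).
telnet_disabled() {
    [ -f "$1" ] || return 0
    awk '$1=="disable" && $2=="=" {print $3; exit}' "$1" | grep -qx yes
}

# $1 = `ssh -V` line, $2 = sshd_config, $3 = xinetd telnet file, $4 = minimum version.
# Prints one line per check and returns 0 only when every check passes.
run_checks() {
    rc=0
    ver=$(ssh_version_of "$1")
    if version_ge "$ver" "$4"; then echo "ok   OpenSSH $ver >= $4"
    else echo "FAIL OpenSSH '$ver' is below $4"; rc=1; fi
    prl=$(sshd_permit_root_login "$2")
    if [ "$prl" = "yes" ]; then echo "WARN PermitRootLogin yes (the post enables it; prefer no)"; rc=1
    else echo "ok   PermitRootLogin $prl"; fi
    if telnet_disabled "$3"; then echo "ok   telnet fallback disabled"
    else echo "FAIL telnet still enabled in $3"; rc=1; fi
    return $rc
}

# Constructed sample inputs so the script can be exercised offline (not from a real host):
tmp=$(mktemp -d)
printf '#PermitRootLogin prohibit-password\nPermitRootLogin no\n' > "$tmp/sshd_config"
printf 'service telnet\n{\n        disable         = yes\n}\n' > "$tmp/telnet"
run_checks "OpenSSH_8.0p1, OpenSSL 1.0.2r 26 Feb 2019" "$tmp/sshd_config" "$tmp/telnet" 8.0
rm -rf "$tmp"
```

On the real host, call it as `run_checks "$(ssh -V 2>&1)" /etc/ssh/sshd_config /etc/xinetd.d/telnet 8.0`; a non-zero exit means at least one check needs attention.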
