Introduction
A vulnerability scan reported many OpenSSH vulnerabilities; upgrading the OpenSSH version resolves them.
Current version
# ssh -V
OpenSSH_7.0p1, OpenSSL 1.0.1e-fips 11 Feb 2013
Recommended upgrade target: OpenSSH 7.9p1
Note: OpenSSH 7.9p1 requires an OpenSSL version >= 1.0.1 and < 1.1.0
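Before touching the box it is worth checking both constraints above mechanically: is the installed OpenSSH below the target, and does the linked OpenSSL fall inside the window the note states. The script below is an added example, not part of the original post; it parses the output format of ssh -V (the sample string is constructed to match the "Current version" line above) and compares dotted versions numerically, so that 1.0.2k passes and 1.1.1c fails.

```shell
#!/usr/bin/env bash
# Added example: pre-flight version checks for the OpenSSH upgrade.
# Parses `ssh -V` output and checks the OpenSSL window the post states
# (>= 1.0.1 and < 1.1.0) plus whether OpenSSH is already at the target.

TARGET_OPENSSH=7.9

# Constructed sample of `ssh -V` output (matches the post's "Current version" line).
SAMPLE_SSH_V='OpenSSH_7.0p1, OpenSSL 1.0.1e-fips 11 Feb 2013'

# "7.0" from "OpenSSH_7.0p1, ..." (the pN portable suffix is dropped)
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# "1.0.1" from "..., OpenSSL 1.0.1e-fips 11 Feb 2013" (letter suffix and -fips dropped)
openssl_version() {
    printf '%s\n' "$1" | sed -n 's/.*OpenSSL \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Numeric comparison of dotted versions; prints -1, 0 or 1 for a<b, a=b, a>b.
# ".0.0" is appended so that "7.9" compares as 7.9.0 and cut always sees a delimiter.
vercmp() {
    local a="$1" b="$2" i x y
    for i in 1 2 3; do
        x=$(printf '%s.0.0\n' "$a" | cut -d. -f"$i")
        y=$(printf '%s.0.0\n' "$b" | cut -d. -f"$i")
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# 0 if the OpenSSL named in `ssh -V` output is >= 1.0.1 and < 1.1.0; 2 if unparseable
openssl_in_window() {
    local v
    v=$(openssl_version "$1")
    [ -n "$v" ] || return 2
    [ "$(vercmp "$v" 1.0.1)" -ge 0 ] && [ "$(vercmp "$v" 1.1.0)" -lt 0 ]
}

# 0 if the OpenSSH named in `ssh -V` output is below the target ($2, e.g. 7.9)
openssh_needs_upgrade() {
    local v
    v=$(openssh_version "$1")
    [ -n "$v" ] || return 2
    [ "$(vercmp "$v" "$2")" -lt 0 ]
}

report() {   # $1 = `ssh -V` output
    printf 'OpenSSH %s / OpenSSL %s: ' "$(openssh_version "$1")" "$(openssl_version "$1")"
    if openssh_needs_upgrade "$1" "$TARGET_OPENSSH"; then
        printf 'upgrade to %s needed; ' "$TARGET_OPENSSH"
    else
        printf 'already at or above %s; ' "$TARGET_OPENSSH"
    fi
    if openssl_in_window "$1"; then
        echo "OpenSSL inside the window supported by 7.9p1"
    else
        echo "OpenSSL OUTSIDE the window supported by 7.9p1"
    fi
}

report "$SAMPLE_SSH_V"
# Run against the live host when ssh is present (ssh -V writes to stderr).
if command -v ssh >/dev/null 2>&1; then report "$(ssh -V 2>&1)"; fi
```

The functions return plain exit codes, so the same checks can gate a larger rollout script with a simple if.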
# Configure YUM
cd /mnt
mkdir cdrom
mount -o loop -t iso9660 /dev/cdrom /mnt/cdrom/
cd /etc/yum.repos.d/
mkdir bk
mv *.repo bk
vi centos6.repo
[CentOS65]
name=CentOS65
baseurl=file:///mnt/cdrom
enabled=1
gpgcheck=0
gpgkey=file:///mnt/cdrom/RPM-GPG-KEY-CentOS-6
yum list   # if the package list is displayed, the yum repository is working
# Install telnet and configure the service
cd /mnt/cdrom/Packages
rpm -i telnet-0.17-47.el6_3.1.x86_64.rpm
yum -y install telnet-server*
# Install and configure telnet; temporarily allow root to log in remotely over telnet as a fallback in case remote login fails after the ssh upgrade
echo "Y"|/usr/bin/yum install telnet-server
/bin/sed -i 's/= yes/= no/g' /etc/xinetd.d/telnet   # flips "disable = yes" to "disable = no"
/etc/init.d/xinetd start
/etc/init.d/xinetd restart
mv /etc/securetty /etc/securetty.bak   # with securetty absent, pam_securetty permits root on any terminal
# Install dependencies (gcc, make, perl, zlib, zlib-devel, pam, pam-devel)
find / -name zlib
yum install -y gcc openssl-devel pam-devel rpm-build tcp_wrappers-devel
# Disable the iptables firewall and SELinux
/etc/init.d/iptables stop
/bin/sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/sysconfig/selinux
/usr/sbin/setenforce 0
# Back up the original ssh configuration
cp -rf /etc/ssh /etc/ssh.bak
# Install and configure the new OpenSSH version
echo "Y"|/usr/bin/yum install -y gcc openssl-devel pam-devel rpm-build
cd /usr/local/src
# internal mirror used by the author; substitute your own download source
/usr/bin/wget http://10.0.8.50/software/openssh-7.9p1.tar.gz
/bin/tar -zvxf openssh-7.9p1.tar.gz
cd /usr/local/src/openssh-7.9p1
# --with-tcp-wrappers is omitted: portable OpenSSH dropped tcp_wrappers support in 6.7, and configure only warns that the option is unrecognized
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-md5-passwords
make && make install
# Uncomment PermitRootLogin yes so root can still log in after the upgrade (the 7.x compiled-in default is prohibit-password)
/bin/sed -i '/^#PermitRootLogin/s/#PermitRootLogin yes/PermitRootLogin yes/' /etc/ssh/sshd_config
/bin/sed -i 's_#PermitRootLogin yes_PermitRootLogin yes_g' /etc/ssh/sshd_config
# Comment out the GSSAPI directives, which a sshd built without Kerberos/GSSAPI support does not recognize
sed -i '/^GSSAPICleanupCredentials/s/GSSAPICleanupCredentials yes/#GSSAPICleanupCredentials yes/' /etc/ssh/sshd_config
sed -i '/^GSSAPIAuthentication/s/GSSAPIAuthentication yes/#GSSAPIAuthentication yes/' /etc/ssh/sshd_config
sed -i '/^GSSAPIAuthentication/s/GSSAPIAuthentication no/#GSSAPIAuthentication no/' /etc/ssh/sshd_config
service sshd start
service sshd restart
# Check the current version
/usr/bin/ssh -V
# Disable telnet remote login
vi /etc/xinetd.d/telnet
Change no back to yes on the disable = line
# Disable telnet remote login and restore securetty
NUM=$(/usr/sbin/lsof -i:23|wc -l)   # non-zero while something still listens on the telnet port
if [ "$NUM" -ne 0 ];then
    mv /etc/securetty.bak /etc/securetty
fi
/etc/init.d/xinetd stop
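Once the upgraded sshd has been confirmed reachable, the temporary fallback above should be closed, and it is easy to forget one of the three pieces (xinetd disable flag, securetty, and the PermitRootLogin edit). The script below is an added example, not part of the original post: its checks take file paths, so they run here against constructed sample files and can be pointed at /etc/ssh/sshd_config, /etc/xinetd.d/telnet and /etc on the real host. It reads sshd_config the way sshd does (first uncommented occurrence wins).

```shell
#!/usr/bin/env bash
# Added example: verify that the telnet fallback is closed and that sshd_config
# says what was intended. Functions take paths so they work on samples or on /etc.

# Effective value of a sshd_config keyword: sshd honours the FIRST uncommented
# occurrence, so a later duplicate (e.g. from a second sed pass) is ignored.
sshd_effective() {   # $1 = sshd_config path, $2 = keyword (case-insensitive)
    awk -v key="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# 0 if the xinetd telnet service file has "disable = yes" (last such line wins)
xinetd_disabled() {   # $1 = /etc/xinetd.d/telnet path
    local v
    v=$(sed -n 's/^[[:space:]]*disable[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1)
    [ "$v" = "yes" ]
}

# 0 if securetty is back in place and the .bak the post created is gone
securetty_restored() {   # $1 = directory standing in for /etc
    [ -f "$1/securetty" ] && [ ! -e "$1/securetty.bak" ]
}

# One line per check; returns non-zero if the fallback is still open
verify_cleanup() {   # $1 = sshd_config, $2 = xinetd telnet file, $3 = etc dir
    local rc=0 prl
    prl=$(sshd_effective "$1" PermitRootLogin)
    # an empty value means the compiled-in default applies (prohibit-password since OpenSSH 7.0)
    echo "PermitRootLogin: ${prl:-<default: prohibit-password>}"
    if xinetd_disabled "$2"; then echo "telnet via xinetd: disabled"; else echo "telnet via xinetd: STILL ENABLED"; rc=1; fi
    if securetty_restored "$3"; then echo "securetty: restored"; else echo "securetty: NOT restored"; rc=1; fi
    return $rc
}

# --- constructed sample files (not copied from a real host) ---
SAMPLE_DIR=$(mktemp -d); trap 'rm -rf "$SAMPLE_DIR"' EXIT
cat > "$SAMPLE_DIR/sshd_config" <<'EOF'
# constructed sshd_config fragment
#PermitRootLogin yes
PermitRootLogin yes
GSSAPIAuthentication no
EOF
cat > "$SAMPLE_DIR/telnet.enabled" <<'EOF'
service telnet
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        disable         = no
}
EOF
sed 's/disable *= *no/disable         = yes/' "$SAMPLE_DIR/telnet.enabled" > "$SAMPLE_DIR/telnet.disabled"
touch "$SAMPLE_DIR/securetty"

# Sample run: the fallback has been closed in the "disabled" sample
verify_cleanup "$SAMPLE_DIR/sshd_config" "$SAMPLE_DIR/telnet.disabled" "$SAMPLE_DIR"
```

On the live host the equivalent call is verify_cleanup /etc/ssh/sshd_config /etc/xinetd.d/telnet /etc; pair it with the lsof -i:23 count from the script above to confirm nothing is still listening.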
# Other notes and policy commands:
Allow root to log in via telnet
Edit /etc/pam.d/login and comment out the following line:
vi /etc/pam.d/login
#auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
/etc/init.d/xinetd restart
Configure /etc/securetty
cp /etc/securetty /etc/securetty.bak
# append pts/1 .. pts/11 so root may log in on those pseudo-terminals
for n in $(seq 1 11); do echo "pts/$n" >> /etc/securetty; done
Troubleshooting
1. Error message:
checking whether OpenSSL's headers match the library... no
configure: error: Your OpenSSL headers do not match your library. Check config.log for details.
Cause: when configuring, --with-ssl-dir must point at the install path of the OpenSSL actually in use, /usr/local/ssl (on a 32-bit system the location may differ: /usr/local/ssl/lib/).
Fix:
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/ssl --with-zlib --with-pam --with-md5-passwords --with-kerberos5 --without-zlib-version-check
2. Error message:
error: cannot open Packages database in /var/lib/rpm
rpmdb: unable to join the environment
Fix:
1. kill any rpm processes that are still running
2. rm -f /var/lib/rpm/__db.*
3. rpm --rebuilddb
4. add the --nodeps option when running rpm
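The first error usually means two OpenSSL installations coexist: distro headers under /usr/include and a source-built library under /usr/local/ssl, so configure's test program sees one version in the header and another in the library it links. The script below is an added example, not part of the original post: it is a simplified, text-level approximation of that check (configure actually compiles a program comparing OPENSSL_VERSION_NUMBER against the runtime library), reading OPENSSL_VERSION_TEXT from each candidate prefix's opensslv.h and comparing the major.minor.fix triple with what openssl version reports, then printing the prefix to pass to --with-ssl-dir. The two header files and the openssl version output are constructed fixtures.

```shell
#!/usr/bin/env bash
# Added example: detect the "OpenSSL headers do not match your library" condition
# before ./configure, and pick a --with-ssl-dir whose headers match the library.
# Text-based approximation of configure's compiled test, not configure's own code.

# major.minor.fix from a version string such as "1.0.2k-fips" -> "1.0.2"
triple() {
    printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Version declared by opensslv.h, e.g. "1.0.1e-fips" from
#   # define OPENSSL_VERSION_TEXT    "OpenSSL 1.0.1e-fips 11 Feb 2013"
header_version() {   # $1 = path to opensslv.h
    sed -n 's/^[[:space:]]*#[[:space:]]*define[[:space:]]*OPENSSL_VERSION_TEXT[[:space:]]*"OpenSSL \([^ ]*\).*/\1/p' "$1" | head -n 1
}

# Version reported by the runtime library, from the output of `openssl version`
library_version() {   # $1 = `openssl version` output
    printf '%s\n' "$1" | sed -n 's/^OpenSSL \([^ ]*\).*/\1/p'
}

# 0 if header and library agree on major.minor.fix (letter suffixes ignored)
headers_match_library() {   # $1 = header version, $2 = library version
    [ -n "$(triple "$1")" ] && [ "$(triple "$1")" = "$(triple "$2")" ]
}

# Print the first candidate prefix whose include/openssl/opensslv.h matches the library
pick_ssl_dir() {   # $1 = library version; $2.. = candidate prefixes (e.g. /usr /usr/local/ssl)
    local lib="$1" d h
    shift
    for d in "$@"; do
        h="$d/include/openssl/opensslv.h"
        [ -r "$h" ] || continue
        if headers_match_library "$(header_version "$h")" "$lib"; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    return 1
}

# --- constructed fixture: two prefixes carrying different headers (not real system files) ---
FIX=$(mktemp -d); trap 'rm -rf "$FIX"' EXIT
mkdir -p "$FIX/usr/include/openssl" "$FIX/usr/local/ssl/include/openssl"
printf '# define OPENSSL_VERSION_TEXT    "OpenSSL 1.0.1e-fips 11 Feb 2013"\n' > "$FIX/usr/include/openssl/opensslv.h"
printf '# define OPENSSL_VERSION_TEXT    "OpenSSL 1.0.2k-fips 26 Jan 2017"\n' > "$FIX/usr/local/ssl/include/openssl/opensslv.h"
# constructed `openssl version` output: the library on PATH is the source-built 1.0.2k
LIB_OUT='OpenSSL 1.0.2k-fips 26 Jan 2017'

if dir=$(pick_ssl_dir "$(library_version "$LIB_OUT")" "$FIX/usr" "$FIX/usr/local/ssl"); then
    echo "use: ./configure ... --with-ssl-dir=${dir#$FIX}"
else
    echo "no candidate prefix has headers matching the library; check config.log" >&2
fi
```

On a real host replace LIB_OUT with "$(openssl version)" and the candidate list with the prefixes actually present, e.g. /usr and /usr/local/ssl.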
Reference (with thanks):
http://leung4080.github.io/linux/2013/08/07/OpenSSL-OpenSSH-%E5%8D%87%E7%BA%A7%E9%85%8D%E7%BD%AE/