OpenSSH 存在輸入驗證錯誤漏洞(CVE-2019-16905),需要對版本進行升級到8.3。
1、下載openssh8.3升級包及依賴的zlib和openssl。
openssh-8.3p1.tar.gz、zlib-1.2.11.tar.gz、openssl-1.1.1g.tar.gz
https://files-cdn.cnblogs.com/files/luckjinyan/zlib-1.2.11.tar.gz
https://files-cdn.cnblogs.com/files/luckjinyan/openssh-8.3p1.tar.gz
https://files-cdn.cnblogs.com/files/luckjinyan/openssl-1.1.1g.tar.gz
2、解壓升級包
tar --no-same-owner -zxvf zlib-1.2.11.tar.gz tar --no-same-owner -zxvf openssh-8.3p1.tar.gz tar --no-same-owner -zxvf openssl-1.1.1g.tar.gz
3、編譯安裝zlib
cd zlib-1.2.11 ./configure --prefix=/usr/local/zlib make && make install
cd openssl-1.1.1g ./config --prefix=/usr/local/ssl -d shared make && make install echo '/usr/local/ssl/lib' >> /etc/ld.so.conf ldconfig -v
5、安裝openssh
cd openssh-8.3p1 ./configure --prefix=/usr/local/openssh --with-zlib=/usr/local/zlib --with-ssl-dir=/usr/local/ssl make && make install
6、sshd_config文件修改
echo 'PermitRootLogin yes' >>/usr/local/openssh/etc/sshd_config echo 'PubkeyAuthentication yes' >>/usr/local/openssh/etc/sshd_config echo 'PasswordAuthentication yes' >>/usr/local/openssh/etc/sshd_config
7、備份原有文件,並將新的配置復制到指定目錄
mv /etc/ssh/sshd_config /etc/ssh/sshd_config.bak cp /usr/local/openssh/etc/sshd_config /etc/ssh/sshd_config mv /usr/sbin/sshd /usr/sbin/sshd.bak cp /usr/local/openssh/sbin/sshd /usr/sbin/sshd mv /usr/bin/ssh /usr/bin/ssh.bak cp /usr/local/openssh/bin/ssh /usr/bin/ssh mv /usr/bin/ssh-keygen /usr/bin/ssh-keygen.bak cp /usr/local/openssh/bin/ssh-keygen /usr/bin/ssh-keygen mv /etc/ssh/ssh_host_ecdsa_key.pub /etc/ssh/ssh_host_ecdsa_key.pub.bak cp /usr/local/openssh/etc/ssh_host_ecdsa_key.pub /etc/ssh/ssh_host_ecdsa_key.pub
8、啟動sshd
service sshd restart
9、查看信息版本
ssh -V
10、升級完成后sftp登錄后瞬間斷開問題
修改/etc/ssh/sshd_config 文件中sftp路徑,改為
Subsystem sftp /usr/libexec/sftp-server