I. Vulnerability overview
OpenSSH_7.4 was reported as affected by the OpenSSH input validation error vulnerability (CVE-2019-16905). The fix is to upgrade OpenSSH.
II. Upgrade procedure
(1) Check the environment
[root@localhost ~]$ cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)
[root@localhost ~]$ uname -r
3.10.0-957.el7.x86_64
[root@localhost ~]$ ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
[root@localhost ~]$ yum list installed|grep openssh
Repodata is over 2 weeks old. Install yum-cron? Or run: yum makecache fast
openssh.x86_64 7.4p1-16.el7 @anaconda
openssh-clients.x86_64 7.4p1-16.el7 @anaconda
openssh-server.x86_64 7.4p1-16.el7 @anaconda
(2) Download the rpm packages
[root@localhost ~]# wget https://cikeblog.com/s/openssh8.1.tar.gz
[root@localhost ~]# ll openssh8.1.tar.gz
-rw-r--r-- 1 root root 4102232 Jul 13 10:18 openssh8.1.tar.gz
[root@localhost ~]# tar -xf openssh8.1.tar.gz
[root@localhost ~]# ll *.rpm
-rw-r--r-- 1 root root 534112 Dec 2 2019 openssh-8.1p1-1.el7.x86_64.rpm
-rw-r--r-- 1 root root 566080 Dec 2 2019 openssh-clients-8.1p1-1.el7.x86_64.rpm
-rw-r--r-- 1 root root 2664012 Dec 2 2019 openssh-debuginfo-8.1p1-1.el7.x86_64.rpm
-rw-r--r-- 1 root root 406004 Dec 2 2019 openssh-server-8.1p1-1.el7.x86_64.rpm
(3) Back up the relevant data
[root@localhost ~]# cp -ra /etc/ssh /etc/ssh_bak
[root@localhost ~]# cp -a /etc/pam.d/sshd /etc/pam.d/sshd_bak
(4) Install the rpm packages
[root@localhost ~]# yum install -y ./openssh-*
(5) Modify the relevant configuration
[root@localhost ~]# cd /etc/ssh
[root@localhost ssh]# chmod 400 ssh_host_ecdsa_key ssh_host_ed25519_key ssh_host_rsa_key
[root@localhost ssh]# vim sshd_config
# change the following two settings
PermitRootLogin yes
PasswordAuthentication yes
# restore the PAM file
[root@localhost ssh]# cat /etc/pam.d/sshd_bak > /etc/pam.d/sshd
# restart sshd
[root@localhost ssh]# systemctl restart sshd
(6) The upgrade is now complete. Do not close the current terminal yet; open a new terminal and connect to the server to test.
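
The checks below are an added example, not part of the original post: before restarting sshd in step (5), they confirm that the private host keys are not readable by group or others and report whether the two edited settings leave root password login enabled. The function names and the sample directory are constructed for illustration, and GNU stat is assumed, as on CentOS.

```shell
#!/bin/sh
# Added example (not from the original post); assumes GNU stat, as on CentOS.

# Print the first global value of KEYWORD in FILE (sshd uses the first value it
# reads; scanning stops at the first Match block). Exit 1 if the keyword is unset.
effective_setting() {
    awk -v want="$2" '
        tolower($1) == "match"       { exit }
        tolower($1) == tolower(want) { print tolower($2); found = 1; exit }
        END { if (!found) exit 1 }
    ' "$1"
}

# Return non-zero if any private host key in DIR is accessible to group or
# others; sshd refuses to load such keys.
check_hostkey_perms() {
    hk_bad=0
    for hk in "$1"/ssh_host_*_key; do
        [ -e "$hk" ] || continue
        hk_mode=$(stat -c '%a' "$hk")
        case "$hk_mode" in
            0|*00) ;;                                   # owner-only, e.g. 400 or 600
            *) echo "too open: $hk (mode $hk_mode)" >&2; hk_bad=1 ;;
        esac
    done
    return "$hk_bad"
}

# Return 0 when root can log in with a password (both settings effectively "yes").
root_password_login_enabled() {
    prl=$(effective_setting "$1" PermitRootLogin) || prl=prohibit-password  # OpenSSH default
    pwa=$(effective_setting "$1" PasswordAuthentication) || pwa=yes         # OpenSSH default
    [ "$prl" = yes ] && [ "$pwa" = yes ]
}

# Constructed sample directory standing in for /etc/ssh after step (5).
make_sample() {
    d=$(mktemp -d)
    printf '#PermitRootLogin prohibit-password\nPermitRootLogin yes\nPasswordAuthentication yes\nPermitRootLogin no\n' > "$d/sshd_config"
    : > "$d/ssh_host_rsa_key";     chmod 400 "$d/ssh_host_rsa_key"
    : > "$d/ssh_host_ed25519_key"; chmod 640 "$d/ssh_host_ed25519_key"  # deliberately too open
    echo "$d"
}

sample=$(make_sample)
check_hostkey_perms "$sample" || echo "fix host key permissions before restarting sshd"
root_password_login_enabled "$sample/sshd_config" && echo "root password login is enabled"
rm -rf "$sample"
```

On the upgraded host itself, `sshd -t` validates the configuration and host keys and `sshd -T` prints the effective settings; run them before `systemctl restart sshd`.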