A vulnerability scan of the application VMs flagged the installed OpenSSH as vulnerable, so OpenSSH 5.3p1 has to be upgraded to OpenSSH_8.0p1.
[root@APP ~]# uname -a
Linux APP168 2.6.32-431.el6.x86_64 #1 SMP Sun Nov 10 22:19:54 EST 2013 x86_64 x86_64 x86_64 GNU/Linux
[root@APP ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.5 (Santiago)
[root@APP ~]# ssh -V
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
Upgrading to OpenSSH_8.0p1 also means upgrading OpenSSL: 8.0p1 needs OpenSSL 1.0.1 or newer, and this box has 1.0.0.
First remove the existing openssh packages, stopping the sshd service beforehand.
[root@APP ~]# rpm -e `rpm -qa | grep openssh`
error: Failed dependencies:
	openssh-clients is needed by (installed) python-meh-0.12.1-3.el6.noarch
Either force the removal:
[root@APP ~]# rpm -e --nodeps `rpm -qa | grep openssh`
or remove the two packages that depend on openssh-clients first, remove openssh normally, and put firstboot back afterwards:
[root@APP ~]# rpm -e firstboot-1.110.15-1.el6.x86_64
[root@APP ~]# rpm -e python-meh-0.12.1-3.el6.noarch
[root@APP ~]# rpm -e `rpm -qa | grep openssh`
[root@APP ~]# yum install firstboot
Or remove the packages one at a time with rpm and delete the /etc/ssh directory as well:
[root@APP ~]# service sshd stop
Stopping sshd: [ OK ]
[root@APP ~]# rpm -qa openssh
openssh-5.3p1-94.el6.x86_64
[root@APP ~]# rpm -e --nodeps openssh-server
[root@APP ~]# rpm -e --nodeps openssh-clients
[root@APP ~]# rpm -e --nodeps openssh-askpass
[root@APP ~]# rpm -e --nodeps openssh
[root@APP ~]# rm -rf /etc/ssh
Reboot!!! Do this from the console or an out-of-band session: once sshd is removed there is no SSH login until the new build is installed and started. rm -rf /etc/ssh also deletes the host keys, so copy the directory away first if the host identity should survive; otherwise every client gets a host-key-changed warning on its first connection to the new sshd.
Then build and install openssl-1.1.1c (OpenSSH 8.0p1 requires OpenSSL 1.0.1 or newer; the 1.1.1 series is supported):
[root@APP ~]# cd ../openssl-1.1.1c/
[root@APP openssl-1.1.1c]# ./config --prefix=/usr/local/openssl --shared
[root@APP openssl-1.1.1c]# make && make install
The new binary lives under the prefix; a plain openssl on the PATH is still the distro's 1.0.0:
[root@APP ~]# /usr/local/openssl/bin/openssl version
OpenSSL 1.1.1c 28 May 2019
Because the libraries were built --shared into a prefix the dynamic linker does not search, an sshd linked against them exits at start with "libssl.so.1.1: cannot open shared object file" unless /usr/local/openssl/lib is added to the linker path (a file under /etc/ld.so.conf.d followed by ldconfig).
Then build openssh-8.0p1
Upload the tarball, unpack it, and configure against the OpenSSL prefix from the previous step:
[root@APP openssh-8.0p1]# ./configure --prefix=/usr/ --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/openssl --with-zlib=/usr/local/zlib --with-md5-passwords --without-hardening && make && make install
--with-zlib=/usr/local/zlib assumes zlib was built into that prefix beforehand (not shown here); with the distro's zlib-devel installed the option can simply be omitted. --with-md5-passwords keeps MD5-crypt hashes in /etc/shadow usable. --without-hardening switches off the stack-protector, PIE and RELRO flags that configure enables by default, which is the opposite of what a vulnerability-driven upgrade wants; leave it out unless the build genuinely fails with the hardening flags on.
Install the init script
[root@APP openssh-8.0p1]# cp contrib/redhat/sshd.init /etc/init.d/sshd
[root@APP ~]# chmod +x /etc/init.d/sshd    (it is normally already executable)
The script needs no further edits.
Register it as a system service and start it. Keep the current session open and confirm that a fresh login works from a second window before closing it.
[root@APP ~]# chkconfig --add sshd
[root@APP ~]# service sshd start
Finally check the version
ssh -V (uppercase V)
[root@APP ~]# ssh -V
OpenSSH_8.0p1, OpenSSL 1.1.1c 28 May 2019
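The procedure above (package removal, OpenSSL, OpenSSH, init script, version check) collected into one script. This is an added example, not from the original post. It assumes the two source trees are unpacked at /openssl-1.1.1c and /openssh-8.0p1 (where the transcript's cd ../openssl-1.1.1c from /root points; override with OPENSSL_SRC and OPENSSH_SRC), keeps the transcript's zlib path and configure flags except --without-hardening (set HARDENING_FLAG only if the build fails), and adds what the transcript omits: a copy of /etc/ssh before it is removed, an ld.so.conf.d entry plus ldconfig so the new sshd finds libssl.so.1.1, and sshd -t before the service starts. The build and install steps run only with RUN_UPGRADE=1; the version helpers at the top run anywhere, so the final check can be exercised without touching a host.

```bash
#!/bin/bash
# Added example (not from the original post): OpenSSH 5.3p1 -> 8.0p1 on RHEL 6,
# following the transcript above plus the checks it leaves out.  Build and
# install steps run only with RUN_UPGRADE=1 so the file is safe to source.
set -eu

OPENSSL_SRC=${OPENSSL_SRC:-/openssl-1.1.1c}    # assumed: "cd ../openssl-1.1.1c" from /root
OPENSSH_SRC=${OPENSSH_SRC:-/openssh-8.0p1}     # assumed location of the unpacked tarball
OPENSSL_PREFIX=/usr/local/openssl
ZLIB_PREFIX=/usr/local/zlib                    # as in the transcript's configure line
HARDENING_FLAG=${HARDENING_FLAG:-}             # set to --without-hardening only if the build fails
BACKUP_DIR=/root/ssh-backup-$(date +%Y%m%d)

# "OpenSSH_8.0p1, OpenSSL 1.1.1c 28 May 2019" -> "8.0" (empty if there is no OpenSSH_ prefix)
openssh_version_of() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# version_ge A B: succeed when major.minor A >= B, compared numerically (10.0 > 8.0)
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n | head -n1)" = "$2" ]
}

# check_banner "<ssh -V output>" MIN: succeed only if the banner is OpenSSH >= MIN
check_banner() {
    local v
    v=$(openssh_version_of "$1")
    [ -n "$v" ] && version_ge "$v" "$2"
}

backup_and_remove_old() {
    mkdir -p "$BACKUP_DIR"
    cp -a /etc/ssh "$BACKUP_DIR"/        # host keys; without this every client sees a key change
    service sshd stop
    # --nodeps because firstboot/python-meh depend on openssh-clients (see the rpm -e error above)
    rpm -e --nodeps openssh-server openssh-clients openssh-askpass openssh
    rm -rf /etc/ssh
}

build_openssl() {
    cd "$OPENSSL_SRC"
    ./config --prefix="$OPENSSL_PREFIX" --shared
    make && make install
    # Not in the transcript: let the dynamic linker find libssl.so.1.1/libcrypto.so.1.1,
    # otherwise the new sshd exits at start with "cannot open shared object file".
    echo "$OPENSSL_PREFIX/lib" > /etc/ld.so.conf.d/openssl-1.1.1.conf
    ldconfig
    "$OPENSSL_PREFIX/bin/openssl" version  # the distro's /usr/bin/openssl is still 1.0.0
}

build_openssh() {
    cd "$OPENSSH_SRC"
    ./configure --prefix=/usr --sysconfdir=/etc/ssh \
        --with-ssl-dir="$OPENSSL_PREFIX" --with-zlib="$ZLIB_PREFIX" \
        --with-md5-passwords $HARDENING_FLAG
    make && make install                 # make install also generates fresh host keys in /etc/ssh
    cp contrib/redhat/sshd.init /etc/init.d/sshd
    chmod +x /etc/init.d/sshd
    chkconfig --add sshd
    /usr/sbin/sshd -t                    # syntax-check sshd_config before anything is (re)started
    service sshd start
    check_banner "$(ssh -V 2>&1)" 8.0    # ssh -V prints to stderr
}

if [ "${RUN_UPGRADE:-0}" = 1 ]; then
    backup_and_remove_old
    build_openssl
    build_openssh
fi
```

Run it as root from a console session with RUN_UPGRADE=1. check_banner takes the raw ssh -V output and fails for anything below the required major.minor, so the same function can drive a fleet-wide post-upgrade check instead of eyeballing the banner.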
A few problems encountered along the way:
1. make of openssh 8.0 fails
Missing header files: the stock OpenSSL 1.0.0 is too old for 8.0p1 (it wants 1.0.1 or newer); building against openssl-1.1.1c fixes it.
2. PuTTY closes right after the password is entered
The fix used here was to widen sshd's algorithm lists in /etc/ssh/sshd_config by adding:
Ciphers aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc,arcfour128,arcfour256,arcfour,blowfish-cbc,cast128-cbc
MACs hmac-md5,hmac-sha1,[email protected],hmac-ripemd160,hmac-sha1-96,hmac-md5-96
KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,[email protected] (remove ecdh-sha2-nistp521 from this line)
and restarting sshd.
Two caveats. First, arcfour, arcfour128, arcfour256, blowfish-cbc, cast128-cbc and hmac-ripemd160 were removed in OpenSSH 7.6, so 8.0p1 rejects the file at startup (Bad SSH2 cipher spec / Bad SSH2 mac spec) and will not run until those names are taken out. Second, what remains re-enables CBC modes, MD5 and truncated MACs and 1024-bit diffie-hellman-group1-sha1, which are exactly the weak algorithms a scanner reports, so the upgrade buys little. The proper fix is to update PuTTY, which negotiates the 8.0 defaults without any of this. If a legacy client really must be supported, add only the algorithm it needs with the "+" prefix, which appends to the defaults, rather than replacing the whole default list.
3. Replacing the version string sshd reports
This patches the version string inside the sshd binary so that the banner, and therefore the scanner, shows 8.0 instead of 5.3. Nothing else in the binary changes: a 5.3p1 sshd treated this way still carries every vulnerability the scan found, so this only hides the finding rather than fixing it. It works at all only because "OpenSSH_5.3" and "OpenSSH_8.0" are the same length; a replacement of a different length shifts every byte after it and corrupts the binary.
Find the sshd binary
# whereis sshd
Back it up
# cp /usr/sbin/sshd /usr/sbin/sshd.bak.20190730
[root@APP ~]# strings /usr/sbin/sshd | grep OpenSSH
OpenSSH_3.
OpenSSH_5
OpenSSH_6.6.1
OpenSSH_6.5,OpenSSH_6.6
OpenSSH
OpenSSH_2.,OpenSSH_3.0,OpenSSH_3.1
OpenSSH_2,OpenSSH_3,OpenSSH_4
OpenSSH_7.0,OpenSSH_7.1,OpenSSH_7.2,OpenSSH_7.3,OpenSSH_7.4,OpenSSH_7.5,OpenSSH_7.6,OpenSSH_7.7
Most of the matches above are entries from sshd's client-compatibility table (which peer versions get which quirks), not the server's own version string. Replace the version string:
# sed -i 's/OpenSSH_5.3/OpenSSH_8.0/g' /usr/sbin/sshd
Restart sshd
# service sshd restart
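An added example for issue 2 above (not part of the original post): a shell audit of the Ciphers, MACs and KexAlgorithms lines in an sshd_config, run on two constructed files, the legacy list from issue 2 (without the two [email protected] placeholders, which are not algorithm names) and a modern set. The REMOVED and WEAK lists are mine: REMOVED holds names OpenSSH 7.6 dropped, which 8.0p1 refuses at startup; WEAK holds names 8.0p1 still accepts but no longer offers by default. Running this before service sshd restart matters because a rejected config leaves the host with no sshd at all.

```bash
#!/bin/bash
# Added example (not from the original post): audit the Ciphers/MACs/KexAlgorithms
# lines of an sshd_config before restarting sshd.  The sample configs below are
# constructed inline; the algorithm lists are this example's own classification.
set -eu

# Removed in OpenSSH 7.6; 8.0p1 rejects the whole config if one of these appears.
REMOVED='arcfour arcfour128 arcfour256 blowfish-cbc cast128-cbc hmac-ripemd160'
# Still compiled into 8.0p1 but not in its defaults: CBC modes, MD5/truncated MACs,
# 1024-bit group1 and SHA-1 group exchange.
WEAK='3des-cbc aes128-cbc aes192-cbc aes256-cbc hmac-md5 hmac-md5-96 hmac-sha1-96 diffie-hellman-group1-sha1 diffie-hellman-group-exchange-sha1'

# word_in WORD "LIST OF WORDS"
word_in() { case " $2 " in *" $1 "*) return 0 ;; esac; return 1; }

# audit_sshd_config FILE: print "<keyword> <algorithm> <removed|weak>" per finding;
# exit 0 when the file is clean, 1 otherwise.
audit_sshd_config() {
    local file=$1 hits=0 kw list alg
    while read -r kw list; do
        case "$(printf '%s' "$kw" | tr 'A-Z' 'a-z')" in   # sshd keywords are case-insensitive
            ciphers|macs|kexalgorithms) ;;
            *) continue ;;
        esac
        list=${list#[-+^]}   # "+x" appends to / "-x" removes from / "^x" prepends to the defaults
        for alg in $(printf '%s' "$list" | tr ',' ' '); do
            if word_in "$alg" "$REMOVED"; then
                printf '%s %s removed\n' "$kw" "$alg"; hits=$((hits + 1))
            elif word_in "$alg" "$WEAK"; then
                printf '%s %s weak\n' "$kw" "$alg"; hits=$((hits + 1))
            fi
        done
    done < "$file"
    [ "$hits" -eq 0 ]
}

# Constructed sample 1: the legacy lines issue 2 adds, minus the garbled placeholders.
LEGACY_CFG=$(mktemp)
cat > "$LEGACY_CFG" <<'EOF'
Ciphers aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc,arcfour128,arcfour256,arcfour,blowfish-cbc,cast128-cbc
MACs hmac-md5,hmac-sha1,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384
EOF

# Constructed sample 2: an explicit modern set that a current PuTTY negotiates fine.
HARDENED_CFG=$(mktemp)
cat > "$HARDENED_CFG" <<'EOF'
Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
KexAlgorithms curve25519-sha256,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256
EOF
trap 'rm -f "$LEGACY_CFG" "$HARDENED_CFG"' EXIT

for cfg in "$LEGACY_CFG" "$HARDENED_CFG"; do
    if audit_sshd_config "$cfg"; then
        echo "$cfg: clean, safe to 'service sshd restart'"
    else
        echo "$cfg: fix the lines above first (or drop them and update the client)"
    fi
done
```

Point audit_sshd_config at the real /etc/ssh/sshd_config before restarting; a "removed" finding means sshd will not start, a "weak" finding means the scanner will be back.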