To fix the OpenSSH security vulnerabilities, I set out on the journey of upgrading the OpenSSH version.
1. Enable the telnet service (as a fallback login while sshd is being replaced)
1) In a terminal, run: apt-get install xinetd telnetd
2) vim /etc/inetd.conf and add the following line:
telnet stream tcp nowait telnetd /usr/sbin/tcpd /usr/sbin/in.telnetd
3) Run vim /etc/xinetd.conf and add the following content:
# Simple configuration file for xinetd
#
# Some defaults, and include /etc/xinetd.d/
defaults
{
# Please note that you need a log_type line to be able to use log_on_success
# and log_on_failure. The default is the following :
# log_type = SYSLOG daemon info
instances = 60
log_type = SYSLOG authpriv
log_on_success = HOST PID
log_on_failure = HOST
cps = 25 30
}
includedir /etc/xinetd.d
4) vim /etc/xinetd.d/telnet and add the following content:
# default: on
# description: The telnet server serves telnet sessions; it uses \
# unencrypted username/password pairs for authentication.
service telnet
{
disable = no
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
}
5) Reboot the machine, or restart the service: /etc/init.d/xinetd restart
6) Upload the required source packages zlib-1.2.8.tar.gz, openssl-1.0.2h.tar.gz and openssh-7.3p1.tar.gz
7) Because root is not allowed to log in over telnet, create a new user:
useradd user1
passwd user1
8) Then log in over telnet as user1 and run su root
2. Extract and install the zlib package:
# tar -zxvf zlib-1.2.8.tar.gz // install the zlib library first, otherwise the later build stops with a zlib.c error
# cd zlib-1.2.8
# ./configure
# make && make install
3. Extract and install the openssl package:
# tar -zxvf openssl-1.0.2h.tar.gz
# cd openssl-1.0.2h
# ./config shared zlib
# make
# make test
# make install
# mv /usr/bin/openssl /usr/bin/openssl.OFF
# mv /usr/include/openssl /usr/include/openssl.OFF
// This step may report that the file does not exist; that can be ignored
# ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
# ln -s /usr/local/ssl/include/openssl /usr/include/openssl
// Move the system's own openssl out of the way and link the freshly compiled files in its place.
4. Set the environment variables (important):
# DEFAULT_LIBPATH=/usr/local/ssl/include/openssl:/usr/local/ssl/lib/
# LIBPATH=${LIBPATH:=$DEFAULT_LIBPATH}
# LD_LIBRARY_PATH=${LD_LIBRARY_PATH:=$DEFAULT_LIBPATH}
# LIBRARY_PATH=${LIBRARY_PATH:=$DEFAULT_LIBPATH}
# export LIBPATH LD_LIBRARY_PATH LIBRARY_PATH
# /usr/bin/updatedb
# echo "/usr/local/ssl/lib/" >> /etc/ld.so.conf.d/openssh.1.0.2.conf
# ldconfig -v
5. Extract and install the openssh package:
# tar -zxvf openssh-7.3p1.tar.gz
# cd openssh-7.3p1
# ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-zlib --with-ssl-dir=/usr/local/ssl --with-md5-passwords --mandir=/usr/share/man
# make
# make install
# ssh -V
OpenSSH_7.3p1, OpenSSL 1.0.2h 3 May 2016
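Added example, not from the original post: a small POSIX sh script that checks the result of step 5 before the telnet fallback from step 1 is torn down. It parses the ssh -V line, checks that sshd really resolves libssl and libcrypto from /usr/local/ssl/lib (the point of the ld.so.conf.d entry in step 4, which the system OpenSSL would otherwise shadow), and runs sshd -t to validate the config without restarting the daemon. The function names, the --live flag and the expected-version constants are my own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: post-upgrade checks for the
# rebuilt OpenSSH. Paths and versions below are the post's own (prefix /usr,
# OpenSSL 1.0.2h under /usr/local/ssl); function names and --live are assumptions.
WANT_SSH=7.3                    # lowest OpenSSH major.minor accepted
WANT_LIBDIR=/usr/local/ssl/lib  # where the hand-built libssl/libcrypto live

# parse_ssh_version "OpenSSH_7.3p1, OpenSSL 1.0.2h 3 May 2016" -> "7.3 1.0.2h"
parse_ssh_version() {
    printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9.]*\)p*[0-9]*, OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1 \2/p'
}

# version_ge A B: exit 0 when dotted numeric version A >= B (7.10 >= 7.3, 6.6 < 7.3)
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        [ "$ai" = "$a" ] && a='' || a=${a#*.}
        [ "$bi" = "$b" ] && b='' || b=${b#*.}
        [ "${ai:-0}" -gt "${bi:-0}" ] && return 0
        [ "${ai:-0}" -lt "${bi:-0}" ] && return 1
    done
    return 0
}

# links_custom_ssl LDD_OUTPUT: exit 0 only when both libssl and libcrypto resolve
# under $WANT_LIBDIR, i.e. the ld.so.conf.d entry from step 4 actually took effect.
links_custom_ssl() {
    n=$(printf '%s\n' "$1" | grep -E 'lib(ssl|crypto)\.so' | grep -c " => $WANT_LIBDIR/") || true
    [ "$n" -eq 2 ]
}

# Live check for the upgraded host, run as root while the fallback session is still
# open: sshd -t validates the config without restarting the daemon.
check_live() {
    v=$(ssh -V 2>&1)
    set -- $(parse_ssh_version "$v")
    version_ge "$1" "$WANT_SSH" || { echo "client still reports: $v"; return 1; }
    links_custom_ssl "$(ldd "$(command -v sshd)")" || { echo "sshd links the system OpenSSL"; return 1; }
    sshd -t || { echo "sshd config rejected"; return 1; }
    echo "OK: OpenSSH $1 with OpenSSL $2 from $WANT_LIBDIR"
}

if [ "${1:-}" = "--live" ]; then check_live; fi
```

Run it as sh check.sh --live on the upgraded box; if any of the three checks fails, keep the telnet session open and fix the build or the library path before cleaning up.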
6. Clean up: uninstall telnet, delete the user user1, and delete the source packages
# apt-get purge xinetd telnetd
# userdel -r user1
# rm -rf openssh* openssl* zlib*
Finally done. It really took an enormous effort, and I spent a long time fighting with the environment variables.