一、实验背景
客户请第三方安全公司扫描了下他们的服务器,发现 SSH 存在许多安全漏洞,原因是 CentOS 7.2 使用了一个比较旧的 OpenSSH 版本 v6.6.1,而这些漏洞在新版的 OpenSSH 中均已被修复,所以出于安全考虑,需要升级。
yum 仓库中并没有最新版的 OpenSSH,我们需要自己从官方下载最新的opeenSSh源码包编译制作 rpm 安装包。
因为客户服务器不能连外网,所以还需要将其做成离线升级包。
二、实验环境
操作系统: CentOS7.2 Mininal
serverA 192.168.1.104 模拟开发机,能联网,用于制作离线升级包
serverB 192.168.1.106 模拟客户服务器,不能联网,openSSH相关包及其依赖版本较低
三、实验预期
在severA上完成openSSH相关编译及依赖下载,写成一键升级脚本,拖到serverB上完成openSSH的升级。
OpenSSH源码包官网:http://www.openssh.com
截止目前,最新OpenSSH源码包版本为 openssh-7.9p1.tar.gz
What is the difference between OpenSSH Release and OpenSSH Portable Release?
https://www.openssh.com/portable.html
http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/
四、实验操作
在serverA
# yum -y install vim wget epel-release
# yum -y install rpm-build gcc make
# yum -y install openssl openssl-devel krb5-devel pam-devel libX11-devel xmkmf libXt-devel gtk2-devel
# wget http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.9p1.tar.gz
# tar -zxf openssh-7.9p1.tar.gz
# mkdir -p /root/rpmbuild/{SOURCES,SPECS}
# cp ./openssh-7.9p1/contrib/redhat/openssh.spec /root/rpmbuild/SPECS/
# cp openssh-7.9p1.tar.gz /root/rpmbuild/SOURCES/
# cd /root/rpmbuild/SPECS/
# sed -i -e "s/%define no_gnome_askpass 0/%define no_gnome_askpass 1/g" openssh.spec
# sed -i -e "s/%define no_x11_askpass 0/%define no_x11_askpass 1/g" openssh.spec
# sed -i -e "s/BuildPreReq/BuildRequires/g" openssh.spec
# sed -i -e "s/BuildRequires: openssl-devel < 1.1/#BuildRequires: openssl-devel < 1.1/g" openssh.spec
# rpmbuild -bb openssh.spec
编译好后的文件被放在 /root/rpmbuild/RPMS/x86_64/ 目录下:
# ll /root/rpmbuild/RPMS/x86_64
将上述操作脚本化:
# cat build.sh
#####################################################
#!/bin/bash
OPENSSH_VERSION=7.9p1
yum -y install vim wget epel-release
yum -y install rpm-build gcc make
yum -y install openssl openssl-devel krb5-devel pam-devel libX11-devel xmkmf libXt-devel
# cd /root
wget http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${OPENSSH_VERSION}.tar.gz
tar -zxf openssh-${OPENSSH_VERSION}.tar.gz
mkdir -p /root/rpmbuild/{SOURCES,SPECS}
cp ./openssh-${OPENSSH_VERSION}/contrib/redhat/openssh.spec /root/rpmbuild/SPECS/
cp openssh-${OPENSSH_VERSION}.tar.gz /root/rpmbuild/SOURCES/
cd /root/rpmbuild/SPECS/
sed -i -e "s/%define no_gnome_askpass 0/%define no_gnome_askpass 1/g" openssh.spec
sed -i -e "s/%define no_x11_askpass 0/%define no_x11_askpass 1/g" openssh.spec
sed -i -e "s/BuildPreReq/BuildRequires/g" openssh.spec
sed -i -e "s/BuildRequires: openssl-devel < 1.1/#BuildRequires: openssl-devel < 1.1/g" openssh.spec
rpmbuild -bb openssh.spec
ls -l /root/rpmbuild/RPMS/x86_64
########################################################
五、在开发机上做openSSH升级测试
在serverA
# cd /root/rpmbuild/RPMS/x86_64
# rpm -Uvh *.rpm
# rpm -qa | grep openssh
本来到此,我们升级就完成了,但是从客户端登陆的时候却失败了!
开始我们以为自己制作的 rpm 包有问题,几经折腾,最后发现还是默认的配置不正确导致的结果。
无法用 ssh key 方式登录,默认的 host key 文件授权太大,需要修改 key 文件的权限
# ll /etc/ssh/ssh_host_*_key
# chmod 600 /etc/ssh/ssh_host_*_key
# ll /etc/ssh/ssh_host_*_key
升级完后的openSSH默认不允许用密码方式登录,我们需要更改配置文件:
# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
# sed -i -e "s/#PasswordAuthentication yes/PasswordAuthentication yes/g" /etc/ssh/sshd_config
# sed -i -e "s/#PermitRootLogin prohibit-password/PermitRootLogin yes/g" /etc/ssh/sshd_config
# sed -i -e "s/#PermitEmptyPasswords no/PermitEmptyPasswords no/g" /etc/ssh/sshd_config
# sed -i -e "s/#UsePAM no/UsePAM yes/g" /etc/ssh/sshd_config
默认的 /etc/pam.d/sshd 中使用了过时的 pam_stack.so 动态库,需要更新:
# cp /etc/pam.d/sshd /etc/pam.d/sshd.bak
# cat > /etc/pam.d/sshd < #%PAM-1.0 auth required pam_sepermit.so auth include password-auth account required pam_nologin.so account include password-auth password include password-auth # pam_selinux.so close should be the first session rule session required pam_selinux.so close session required pam_loginuid.so # pam_selinux.so open should only be followed by sessions to be executed in the user context session required pam_selinux.so open env_params session optional pam_keyinit.so force revoke session include password-auth EOF 重启ssh服务,查看服务状态: # systemctl restart sshd # systemctl enable sshd # systemctl status sshd 你会发现,升级后的sshd服务,是用的启动脚本,不是/usr/lib/systemd/system/sshd.service文件了。 实际上升级过程中,程序已经将 /usr/lib/systemd/system/sshd.service 删除了,并且添加了服务启动脚本 /etc/init.d/sshd 细心的你还会发现,升级完后,我们经常用于做免密登录的公钥拷贝命令 ssh-copy-id也没有了! 其实不是没有了,而是我们需要去解压后源码包拷贝到/usr/bin/目录 # cp /root/openssh-7.9p1/contrib/ssh-copy-id /usr/bin/ # chmod 755 /usr/bin/ssh-copy-id # yum -y install yum-utils createrepo # mkdir /root/localrepo # repotrack openssl -p /root/localrepo/ 你可能会疑惑:不是找opennsh相关包的依赖么,怎么找的是openssl了? 其实从上面安装可以,升级opennsh版本并不会缺少依赖,我们们只是需要相应地升级一下openssl的版本: # cp /root/rpmbuild/RPMS/x86_64/*.rpm /root/localrepo # createrepo -v /root/localrepo cat install.sh ###################################################### #!/bin/bash # 定位脚本当前路径 parent_path=$( cd "$(dirname "${BASH_SOURCE}")"; pwd -P ) cd "$parent_path" mkdir -p /etc/yum.repos.d/backup mv /etc/yum.repos.d/*.repo /etc/yum.repos.d/backup rm -rf /tmp/localrepo mkdir -p /tmp/localrepo cp -rf ./localrepo/* /tmp/localrepo echo "[localrepo]" > /etc/yum.repos.d/localrepo.repo echo "name=Local Repository" >> /etc/yum.repos.d/localrepo.repo echo "baseurl=file:///tmp/localrepo" >> /etc/yum.repos.d/localrepo.repo echo "gpgcheck=0" >> /etc/yum.repos.d/localrepo.repo echo "enabled=1" >> /etc/yum.repos.d/localrepo.repo yum clean all yum -y install openssl yum -y install openssh* --disablerepo="*" --enablerepo="localrepo" rm -rf /tmp/localrepo rm -f /etc/yum.repos.d/localrepo.repo mv /etc/yum.repos.d/backup/*.repo /etc/yum.repos.d rm -rf /etc/yum.repos.d/backup chmod 600 /etc/ssh/ssh_host_*_key # modify /etc/ssh/sshd_config cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak sed -i -e "s/#PasswordAuthentication yes/PasswordAuthentication yes/g" /etc/ssh/sshd_config sed -i -e "s/#PermitRootLogin prohibit-password/PermitRootLogin yes/g" /etc/ssh/sshd_config sed -i -e "s/#PermitEmptyPasswords no/PermitEmptyPasswords no/g" /etc/ssh/sshd_config sed -i -e "s/#UsePAM no/UsePAM yes/g" /etc/ssh/sshd_config # modify /etc/pam.d/sshd cp /etc/pam.d/sshd /etc/pam.d/sshd.bak cat > /etc/pam.d/sshd < #%PAM-1.0 auth required pam_sepermit.so auth include password-auth account required pam_nologin.so account include password-auth password include password-auth # pam_selinux.so close should be the first session rule session required pam_selinux.so close session required pam_loginuid.so # pam_selinux.so open should only be followed by sessions to be executed in the user context session required pam_selinux.so open env_params session optional pam_keyinit.so force revoke session include password-auth EOF # copy ssh-copy-id cp ssh-copy-id /usr/bin chmod 755 /usr/bin/ssh-copy-id systemctl restart sshd systemctl enable sshd systemctl status sshd rpm -qa | grep open systemctl status sshd| grep "Active: active (running)" if [ $? -eq 0 ]; then echo -e "\033[32m[INFO] OpenSSH upgraded to 7.9p1 successfully!\033[0m" else echo -e "\033[31m[ERROR] OpenSSH upgraded to 7.9p1 faild!\033[0m" fi ############################################################## # mkdir /root/opensshUpgrade # cp install.sh /root/opensshUpgrade # cp -r lcoalrepo /root/opensshUpgrade # cp /root/openssh-7.9p1/contrib/ssh-copy-id /root/opensshUpgrade # tar openssshUpgrade.tar.gz opensshUpgrade 将离线升级安装包 openssshUpgrade.tar.gz拷贝到serverB 服务器 # tar -zxf openssshUpgrade.tar.gz # cd openssshUpgrade # bash install.sh | tee install.log # rpm -qa | grep openssl # rpm -qa | grep openssh # systemctl status sshd [C:\~]$ ssh [email protected] Upgrade OpenSSH in CentOS 7 https://blog.forhot2000.cn/linux/2017/09/04/upgrade-openssh-in-centos-7.html 编译升级OpenSSH 7.9 https://blog.csdn.net/weixin_42123737/article/details/85283972 Centos 6.5升级openssh到7.9p1 https://blog.csdn.net/qq_25934401/article/details/83419849 openssh升级脚本分享(openssh-7.7p1版) https://blog.csdn.net/GX_1_11_real/article/details/82152459 Upgrade OpenSSH to 7.7p1 in CentOS 6 https://docs.junyangz.com/upgrade-openssh-to-7.7p1-in-centos-6 createrepo生成仓库元数据,搭建本地yum源 https://www.jianshu.com/p/5cb5af152e75 解决离线安装依赖包的方法 https://www.jianshu.com/p/6f4f9a80a726 升级操作系统OpenSSH及其OpenSSL的正确姿势 https://blog.51cto.com/techsnail/2138927 Openssh版本升级修复漏洞 https://www.cnblogs.com/Dev0ps/p/9629694.html CentOS7 openssh升级到7.9p1 https://www.jianshu.com/p/220f7fd908b0 OpenSSH-8.0p1 http://www.linuxfromscratch.org/blfs/view/svn/postlfs/openssh.html CenOS7.2 升级OpenSSH 8.0 升级步骤及排错 https://blog.csdn.net/weixin_40592911/article/details/90519686六、制作离线升级安装包
在serverA
编写离线升级安装脚本:
打包离线安装包
七、离线安装升级openSSH
测试登录
八、参考