Scenario:
The project team's Linux server was flagged by an NSFOCUS scan for a vulnerable OpenSSH 5.3 and had to be upgraded to version 7.5. The upgrade procedure follows:
Download the 1.1.1 release (openssl-1.1.1h) from https://www.openssl.org/source/openssl-1.1.1h.tar.gz
Copy openssl-1.1.1h.tar.gz into the /opt directory
# unpack
tar zxvf openssl-1.1.1h.tar.gz
# build and install
cd openssl-1.1.1h/
# create the openssl directory
mkdir /usr/local/openssl
./config --prefix=/usr/local/openssl
make && make install
# check which openssl binary is on the PATH
which openssl
/usr/bin/openssl
# install openssh
yum install openssh-server -y
# check the current version
ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
Check the packages already installed (both openssl and openssh need updating; openssh depends on openssl)
rpm -qa | grep openssl
xmlsec1-openssl-1.2.20-5.el7.x86_64
openssl-1.0.2k-8.el7.x86_64
openssl-libs-1.0.2k-8.el7.x86_64
rpm -qa | grep openssh
openssh-7.4p1-22.el7_9.x86_64
openssh-server-7.4p1-22.el7_9.x86_64
openssh-clients-7.4p1-22.el7_9.x86_64
yum install telnet telnet-server -y
yum install lrzsz -y
useradd beiqing
passwd beiqing
# remove every installed openssh rpm (command substitution, not a literal "rpm -e rpm")
rpm -e $(rpm -qa | grep openssh)
Download the openssh-7.5p1.tar.gz package from the official site https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/ and copy it into /opt
# unpack the package
tar zxvf openssh-7.5p1.tar.gz
cd openssh-7.5p1/
./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-pam --with-ssl-dir=/usr/local/openssl --with-md5-passwords --mandir=/usr/share/man --with-zlib=/usr/local/zlib
This step frequently fails near the end with errors such as openssl-devel or other rpm packages not being installed; the packages also depend on and conflict with each other, so install them one at a time. The main thing is to check whether the following rpm packages are installed:
keyutils-libs-devel-1.4-4.el6.x86_64.rpm
krb5-devel-1.10.3-10.el6_4.6.x86_64.rpm
libcom_err-devel-1.41.12-18.el6.x86_64.rpm
libselinux-devel-2.0.94-5.3.el6_4.1.x86_64.rpm
libsepol-devel-2.0.41-4.el6.x86_64.rpm
openssl-1.0.1e-15.el6.x86_64.rpm
pam-devel
openssl-devel-1.0.1e-15.el6.x86_64.rpm
pkgconfig-0.23-9.1.el6.x86_64.rpm
vsftpd-3.0.2-9.el7.x86_64.rpm
zlib-devel-1.2.3-29.el6.x86_64.rpm
yum install keyutils-libs rpm-build -y
yum install krb5-devel
yum install libcom_err-devel.i686 -y
yum -y install libselinux-devel.i686
yum -y install pam-devel.x86_64
yum -y install openssl-devel.x86_64
yum -y install pkgconfig.i686
yum -y install vsftpd.x86_64
yum -y install zlib-devel.i686
# once the rpm packages are all in place, run configure again
cd openssh-7.5p1/
./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-pam --with-ssl-dir=/usr/local/openssl --with-md5-passwords --mandir=/usr/share/man --with-zlib=/usr/local/zlib
If configure still reports that openssl cannot be found, install:
yum install openssl-devel.i686
make && make install
# note: the contrib path here is the path of the unpacked package, e.g. /opt/openssh-7.5p1/contrib
cp -p /opt/openssh-7.5p1/contrib/redhat/sshd.init /etc/init.d/sshd
# give the owner execute permission
chmod u+x /etc/init.d/sshd
vim /etc/ssh/sshd_config
# change the following entries in the file to the states shown:
#UsePAM no
PasswordAuthentication yes
PermitEmptyPasswords no
HostbasedAuthentication no
IgnoreRhosts yes
PermitRootLogin no
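The directives above are easy to get wrong by hand: sshd honours only the first uncommented occurrence of a directive, and directive names are case-insensitive, so a stray `PermitRootLogin yes` higher up in the file silently wins over the edit. The following shell script is an added example (not part of the original post) that audits an sshd_config the way sshd reads it; the sample configuration it checks is constructed for the demonstration and is not a real server's file.

```shell
#!/bin/sh
# Added example: audit an sshd_config against the settings the procedure
# requires, reading the file the same way sshd does (first active match wins,
# directive names compared case-insensitively).

# effective_value FILE DIRECTIVE -> prints the first active value, or nothing
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ { next }                  # skip comments
        /^[ \t]*$/ { next }                  # skip blank lines
        tolower($1) == key { print $2; exit } # first match wins
    ' "$1"
}

# audit_sshd_config FILE -> prints one line per mismatching directive;
# returns 0 when every check passes, 1 otherwise
audit_sshd_config() {
    file=$1
    rc=0
    # the directive/value pairs the procedure sets in /etc/ssh/sshd_config
    for pair in \
        "PasswordAuthentication yes" \
        "PermitEmptyPasswords no" \
        "HostbasedAuthentication no" \
        "IgnoreRhosts yes" \
        "PermitRootLogin no"
    do
        key=${pair% *}
        want=${pair#* }
        got=$(effective_value "$file" "$key")
        [ -z "$got" ] && got="(unset)"
        if [ "$got" != "$want" ]; then
            printf '%s expected=%s actual=%s\n' "$key" "$want" "$got"
            rc=1
        fi
    done
    return $rc
}

# constructed sample config (not a real server's file): note the commented
# PermitRootLogin line, the active "yes" that follows it, the lower-case
# directive, and the missing PasswordAuthentication
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
# sample sshd_config fragment (constructed)
#PermitRootLogin no
PermitRootLogin yes
permitemptypasswords no
HostbasedAuthentication no
IgnoreRhosts yes
EOF

audit_sshd_config "$SAMPLE_CFG" || echo "non-compliant settings found"
```

Run it against the real file with `audit_sshd_config /etc/ssh/sshd_config` after editing; for the sample above it reports `PasswordAuthentication` as unset and `PermitRootLogin` as `yes`, and passes the other three.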
# register sshd as a system service
chkconfig --add sshd
# copy the new binary into the system path (with --prefix=/usr/local/openssh it is installed under /usr/local/openssh/sbin)
cp /usr/local/openssh/sbin/sshd /usr/sbin/sshd
# start the sshd service
systemctl restart sshd
ssh -V
OpenSSH_7.5p1, OpenSSL 1.0.2k-fips 26 Jan 2017
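Checking `ssh -V` and `rpm -qa` by eye, as the procedure does before and after the upgrade, is where a scanner finding gets closed prematurely. The shell script below is an added example (not the original post's code) that parses those two outputs and decides whether the installed OpenSSH meets the required minimum; the version strings it is fed are the ones recorded on this page. It also extracts the OpenSSL version from the same line, because the recorded output (`OpenSSL 1.0.2k-fips`) shows the new sshd is linked against the system OpenSSL 1.0.2 library rather than the 1.1.1h build placed in /usr/local/openssl (OpenSSH 7.5p1 predates the OpenSSL 1.1 support added in 7.7), so an OpenSSL finding would need separate treatment.

```shell
#!/bin/sh
# Added example: verify the OpenSSH upgrade from the version strings rather
# than by inspection. Inputs are the strings recorded on the page.

# ssh_version "OpenSSH_7.5p1, OpenSSL 1.0.2k-fips 26 Jan 2017" -> 7.5p1
ssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9.]*p[0-9]*\).*/\1/p'
}

# openssl_version "<ssh -V output>" -> 1.0.2k (the library sshd is linked to)
openssl_version() {
    printf '%s\n' "$1" | sed -n 's/.*OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p'
}

# rpm_version "openssh-server-7.4p1-22.el7_9.x86_64" -> 7.4p1
rpm_version() {
    printf '%s\n' "$1" | sed -n 's/^openssh[a-z-]*-\([0-9][0-9.]*p[0-9]*\)-.*/\1/p'
}

# version_ge A B -> true if A >= B; "7.5p1" is compared as fields 7, 5, 1
version_ge() {
    a=$(printf '%s' "$1" | sed 's/p/./')
    b=$(printf '%s' "$2" | sed 's/p/./')
    [ "$(printf '%s\n%s\n' "$a" "$b" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$b" ]
}

# upgrade_ok "<ssh -V output>" MIN -> true if the installed OpenSSH >= MIN;
# an unparseable string fails rather than passing
upgrade_ok() {
    v=$(ssh_version "$1")
    [ -n "$v" ] && version_ge "$v" "$2"
}

# the two ssh -V lines recorded on the page: before and after the upgrade
for line in "OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017" \
            "OpenSSH_7.5p1, OpenSSL 1.0.2k-fips 26 Jan 2017"; do
    if upgrade_ok "$line" 7.5p1; then
        printf 'OK   OpenSSH %s (linked OpenSSL %s)\n' \
            "$(ssh_version "$line")" "$(openssl_version "$line")"
    else
        printf 'FAIL OpenSSH %s is below 7.5p1\n' "$(ssh_version "$line")"
    fi
done

# the rpm lines recorded on the page, i.e. what yum had installed before the
# source build replaced them
for pkg in openssh-7.4p1-22.el7_9.x86_64 openssh-server-7.4p1-22.el7_9.x86_64; do
    printf 'rpm %s -> %s\n' "$pkg" "$(rpm_version "$pkg")"
done
```

On the upgraded host, run `upgrade_ok "$(ssh -V 2>&1)" 7.5p1` (ssh prints its version on stderr) and `ldd /usr/sbin/sshd | grep libcrypto` to confirm both which OpenSSH is on the PATH and which OpenSSL library the new sshd actually loads.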