Upgrading OpenSSH_7.4p1 to OpenSSH_9.8p1
I. Background
In July 2024 a remote code execution vulnerability in OpenSSH, CVE-2024-6387 (the "regreSSHion" signal-handler race condition in sshd), was publicly disclosed. It affects OpenSSH versions 8.5p1 <= version < 9.8p1 on glibc-based Linux and is rated critical. Exploitation is difficult (the attacker has to win a race against sshd's SIGALRM handler during the LoginGraceTime window, typically over many connection attempts), but the outcome is unauthenticated code execution as root, so upgrading to 9.8p1 is recommended. Note that the host in this article runs 7.4p1, which lies outside the affected range by the advisory's own definition (Red Hat likewise lists the RHEL 7 package as not affected). The upgrade is still worthwhile because 7.4p1 dates from 2016 and lacks years of other fixes, but on a host running a vendor-patched 8.x/9.x package check the package changelog for a backported fix before assuming it is vulnerable.
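As an added example that is not part of the original article: a small shell check that takes the banner printed by `ssh -V` and reports whether the version lies in the range stated above, 8.5p1 <= version < 9.8p1. It compares major and minor numbers as integers (so 9.10 sorts after 9.8, which a string compare gets wrong) and ignores the portable `pN` suffix, which does not affect the range. The function names are mine; the banners quoted in the comments are the two real ones shown in this article. One thing the check cannot see is a vendor backport, which fixes the bug without changing the version string; the `rpm -q --changelog` line in the comments is how to rule that out on an RPM-based host.

```shell
#!/bin/sh
# Added example (not from the original article): classify an "ssh -V" banner
# against the CVE-2024-6387 range stated in the advisory, 8.5p1 <= v < 9.8p1.
# Function names are my own; the banners quoted below are the two real ones
# from this article.

# openssh_version BANNER: print "X.Y" from a banner such as
# "OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017"; print nothing if the
# banner does not start with OpenSSH_.
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# version_key X.Y: integer major*1000+minor, so that 9.10 > 9.8 holds
# (a plain string comparison would put 9.10 before 9.8).
version_key() {
    local major minor
    major=${1%%.*}
    minor=${1#*.}
    echo $((major * 1000 + minor))
}

# cve_2024_6387_status BANNER: print one of
#   affected      8.5 <= version < 9.8
#   not-affected  any other OpenSSH version (7.4p1 and 9.8p1 both land here)
#   unknown       banner could not be parsed
cve_2024_6387_status() {
    local v k
    v=$(openssh_version "$1")
    if [ -z "$v" ]; then
        echo unknown
        return 0
    fi
    k=$(version_key "$v")
    if [ "$k" -ge "$(version_key 8.5)" ] && [ "$k" -lt "$(version_key 9.8)" ]; then
        echo affected
    else
        echo not-affected
    fi
}

# check_local_host: run the classification on this machine. ssh -V writes
# its banner to stderr, hence the redirect. For an RPM-based host that lands
# in "affected", also look for a backported fix before concluding anything:
#   rpm -q --changelog openssh-server | grep CVE-2024-6387
check_local_host() {
    local banner
    banner=$(ssh -V 2>&1)
    echo "$(cve_2024_6387_status "$banner")  $banner"
}

# Run the live check only when invoked as "sh script.sh check", so the
# functions can be sourced from other scripts without side effects.
[ "${1:-}" = check ] && check_local_host
```

Running it with `check` on the host from this article before the upgrade prints `not-affected  OpenSSH_7.4p1, ...`; the same call after the upgrade reports `not-affected` for 9.8p1 as well, which is the point of the range check: the upgrade's justification here is age, not this CVE.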
II. Upgrade steps
1. Environment before the upgrade
[root@rhel7-Template ~]# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
[root@rhel7-Template ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.9 (Maipo)
[root@rhel7-Template ~]# uname -a
Linux rhel7-Template 3.10.0-1160.el7.x86_64 #1 SMP Tue Aug 18 14:50:17 EDT 2020 x86_64 x86_64 x86_64 GNU/Linux
2. Install telnet as a temporary fallback login path
The upgrade removes and replaces sshd, so you need another way in if the new daemon fails to start. Telnet sends credentials in clear text: enable it only for the duration of the upgrade, restrict it to a management network (or use the console/BMC instead where available), and disable and remove it when the upgrade is verified. On RHEL 7 the telnet-server package ships systemd units (telnet.socket, telnet@.service), so xinetd is not strictly required. Also keep your existing SSH session open throughout: it survives stopping sshd (the RHEL unit uses KillMode=process) and is the quickest way to recover if the new daemon does not come up.
yum install telnet-server telnet xinetd -y
systemctl enable xinetd.service
systemctl enable telnet.socket
systemctl start telnet.socket
systemctl start xinetd
systemctl status telnet.socket
systemctl status xinetd
3. Allow root to log in over telnet by moving /etc/securetty aside
pam_securetty only permits root on the terminals listed in /etc/securetty; when the file is absent the module allows root on any terminal, including the pseudo-terminals telnet allocates. Restore the file from the backup once the upgrade is done. A safer alternative that avoids this change is to log in over telnet as an unprivileged user and switch to root with su.
mv /etc/securetty /etc/securetty_bak
4. Download and build OpenSSL (if the server has no internet access, download the package elsewhere and upload it)
Two caveats before running the commands below. First, OpenSSL 1.1.1w is the final 1.1.1 release: the 1.1.1 branch reached end of life in September 2023 and receives no further security fixes, so if you are building from source anyway OpenSSL 3.0 (LTS) is the better target; OpenSSH 9.8p1 builds against either (note that 3.x installs its libraries under lib64 on x86_64, so the ld.so.conf entry below would change). Second, --no-check-certificate disables TLS certificate validation for the download; the right fix for a certificate error on RHEL 7 is to update the ca-certificates package, and in any case verify the downloaded archive against the checksum or signature the project publishes before unpacking it. The swap of /usr/bin/openssl and /usr/include/openssl for symlinks is not needed to build OpenSSH (configure is pointed at /usr/local/openssl explicitly) and leaves the still-installed openssl RPM failing rpm -V; the ld.so.conf entry is harmless because the 1.1.1 libraries (libssl.so.1.1, libcrypto.so.1.1) carry a different soname from the system's .so.10 libraries, so existing binaries keep using the distro copies.
mkdir -p /opt/software
cd /opt/software
wget --no-check-certificate https://www.openssl.org/source/old/1.1.1/openssl-1.1.1w.tar.gz
yum install -y gcc gcc-c++ glibc make automake autoconf zlib zlib-devel
tar -zxf openssl-1.1.1w.tar.gz
cd openssl-1.1.1w/
./config shared zlib -fPIC --prefix=/usr/local/openssl
make -j 4
make install
mv /usr/bin/openssl /usr/bin/openssl.bak
mv /usr/include/openssl /usr/include/openssl.bak
ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
ln -s /usr/local/openssl/include/openssl /usr/include/openssl
echo '/usr/local/openssl/lib' > /etc/ld.so.conf.d/openssl-x86_64.conf
ldconfig -v
openssl version
5. Upgrade OpenSSH
1) Download the package and back up the existing installation (offline: download elsewhere and upload). Moving /etc/ssh to /etc/ssh.bak also preserves the host keys; they are needed again in step 5 if clients are not to see a changed host key after the upgrade.
cd /opt/software
wget --no-check-certificate https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.8p1.tar.gz
systemctl stop sshd
mv /etc/ssh /etc/ssh.bak
mv /usr/sbin/sshd /usr/sbin/sshd.bak
mv /usr/bin/ssh /usr/bin/ssh.bak
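Added here as an example, not from the original article, and covering both the OpenSSL download in step 4 and the OpenSSH download above: verifying the tarballs before unpacking them instead of trusting a download made with --no-check-certificate. openssl.org publishes a `<tarball>.sha256` beside each source archive, and the OpenSSH mirrors publish a `<tarball>.asc` signature made with the OpenSSH release key (RELEASE_KEY.asc in the same tree). The function names are mine; the checks use only sha256sum/shasum, wget and gpg. The two fetch helpers need network access; verify_sha256 runs offline on any file.

```shell
#!/bin/sh
# Added example (not from the original article): integrity checks for the
# downloaded source archives. Function names are my own.

# sha256_of FILE: print the hex SHA-256 using whichever tool exists.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1   # BSD/macOS userland
    fi
}

# verify_sha256 FILE EXPECTED_HEX: return 0 on match, 1 on mismatch.
# The expected value is lower-cased so a hash pasted in upper case matches too.
verify_sha256() {
    local file="$1" expected actual
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file  sha256=$actual"
        return 0
    fi
    echo "FAIL $file  expected=$expected  actual=$actual" >&2
    return 1
}

# fetch_openssl_verified URL: download the OpenSSL tarball and the .sha256
# file published next to it, then compare. TLS verification stays on; if
# wget rejects the certificate on RHEL 7, update the ca-certificates package
# instead of passing --no-check-certificate.
fetch_openssl_verified() {
    local url="$1" tarball expected
    tarball=${url##*/}
    wget -q -O "$tarball" "$url" || return 1
    wget -q -O "$tarball.sha256" "$url.sha256" || return 1
    # the .sha256 file holds the hash, optionally followed by a file name
    expected=$(cut -d' ' -f1 < "$tarball.sha256")
    verify_sha256 "$tarball" "$expected"
}

# fetch_openssh_verified URL: download the OpenSSH tarball and its .asc
# signature and verify it with gpg. The OpenSSH release key must already be
# imported (gpg --import RELEASE_KEY.asc, fetched from the same mirror tree,
# with its fingerprint checked against a trusted source first).
fetch_openssh_verified() {
    local url="$1" tarball
    tarball=${url##*/}
    wget -q -O "$tarball" "$url" || return 1
    wget -q -O "$tarball.asc" "$url.asc" || return 1
    gpg --verify "$tarball.asc" "$tarball"
}
```

In /opt/software, `fetch_openssl_verified https://www.openssl.org/source/old/1.1.1/openssl-1.1.1w.tar.gz` and `fetch_openssh_verified https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.8p1.tar.gz` replace the two wget lines; proceed to tar -zxf only when both report success. For an offline host, run the same checks on the uploaded files against a checksum obtained on a machine that can reach the project sites.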
2) Remove the existing OpenSSH packages
rpm -qa | grep openssh
Uninstall with rpm -e. openssh-server and openssh-clients both depend on the base openssh package, so removing openssh first fails with a dependency error; remove all three in one command (or the server and clients before the base package). rpm will warn about files that were already moved away in the previous step; that is harmless. If rpm reports that some other package requires openssh-clients, look at what that package is before reaching for --nodeps.
rpm -e openssh-server-7.4p1-21.el7.x86_64 openssh-clients-7.4p1-21.el7.x86_64 openssh-7.4p1-21.el7.x86_64
Check that no related packages remain
rpm -qa | grep openssh
3) Build and install OpenSSH
Read the configure line below before running it. It builds without PAM and SELinux support, both of which the distro package has: sshd will then not apply the rules in /etc/pam.d/sshd (account expiry, lockout, limits) and lacks the SELinux integration of the distro build, so if SELinux is enforcing run restorecon on the copied binary later and confirm logins work before closing your fallback session. To keep PAM, add pam-devel to the package list, --with-pam to configure, and UsePAM yes to sshd_config (pcre-devel and perl-Test-Simple below are not OpenSSH build dependencies). Also note that without --sysconfdir=/etc/ssh the configuration file and host keys live under /usr/local/openssh/etc, and that directory is what the installed sshd reads by default; step 5 edits the file there first and only copies it to /etc/ssh for reference.
yum install -y pcre-devel perl perl-Test-Simple
tar -zxf openssh-9.8p1.tar.gz
cd openssh-9.8p1/
./configure --prefix=/usr/local/openssh --with-ssl-dir=/usr/local/openssl --with-zlib
make -j 4
make install
4) Remove the old systemd unit files and install the init script shipped with OpenSSH
rpm -e has normally removed the unit files already; the ls only confirms it. The init script starts /usr/sbin/sshd without -f, so the daemon uses its compiled-in /usr/local/openssh/etc/sshd_config, and it generates any missing host keys in /etc/ssh with /usr/bin/ssh-keygen (which is why the next step copies ssh-keygen there). Make sure /etc/init.d/sshd is executable; after daemon-reload systemd generates an sshd.service unit from it.
ls /usr/lib/systemd/system/ssh*
rm -f /usr/lib/systemd/system/ssh*
cp contrib/redhat/sshd.init /etc/init.d/sshd
5) Copy the sshd files into place
mkdir /etc/ssh
# Edit the sshd_config this build installed (not /etc/ssh/sshd_config) and uncomment the two lines below. The 9.8p1 default for PermitRootLogin is prohibit-password (key-based root login only); setting it to yes re-enables password login for root, which is the weaker setting. Prefer leaving it at prohibit-password and logging in with a key, or as an unprivileged user that can su or sudo.
vi /usr/local/openssh/etc/sshd_config
PermitRootLogin yes
PubkeyAuthentication yes
# Copy the configuration to /etc/ssh/ (for reference only: the daemon installed below reads /usr/local/openssh/etc/sshd_config unless started with -f)
cp /usr/local/openssh/etc/sshd_config /etc/ssh/sshd_config
cp /usr/local/openssh/sbin/sshd /usr/sbin/sshd
cp /usr/local/openssh/bin/ssh /usr/bin/ssh
cp /usr/local/openssh/bin/ssh-keygen /usr/bin/ssh-keygen
# Copying only the new ECDSA public key, as below, is not useful on its own: sshd needs the private key, and the init script regenerates any missing pair. To keep the host identity clients already know, restore the backed-up key pairs from /etc/ssh.bak into the directory this sshd actually reads (see step 3).
cp /usr/local/openssh/etc/ssh_host_ecdsa_key.pub /etc/ssh/ssh_host_ecdsa_key.pub
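Added example for this step, not part of the original article: helpers for placing the new daemon's files. restore_host_keys copies the backed-up ssh_host_*_key pairs from /etc/ssh.bak into the directory the new sshd reads, with the permissions sshd insists on, so clients keep seeing the host key they already trust (pass that directory explicitly; with the configure line in step 3 it is /usr/local/openssh/etc unless sshd is started with -f and HostKey lines say otherwise). effective_sshd_option prints the value sshd will actually use for a keyword: sshd takes the first occurrence of a keyword and ignores later ones, so an uncommented PermitRootLogin yes near the top silently wins over a hardened value further down. validate_sshd_config runs sshd -t, which also fails when no readable host key pair exists. Function names and default paths are mine; any sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the original article). Helpers for placing the
# new sshd's files; function names and default paths are my own.

# place_key_file SRC DST MODE: copy one key file, set its mode and, when
# running as root, its owner. sshd refuses private keys that are group- or
# world-readable, so the mode matters.
place_key_file() {
    cp -p "$1" "$2" && chmod "$3" "$2"
    if [ "$(id -u)" -eq 0 ]; then chown root:root "$2"; fi
}

# restore_host_keys SRC DST: copy ssh_host_*_key (0600) and the matching
# .pub files (0644) from the backup into the directory sshd reads.
# Returns 1 when the backup holds no host keys at all.
restore_host_keys() {
    local src="${1:-/etc/ssh.bak}" dst="${2:-/usr/local/openssh/etc}" key name n=0
    mkdir -p "$dst"
    for key in "$src"/ssh_host_*_key; do
        [ -f "$key" ] || continue            # glob matched nothing
        name=${key##*/}
        place_key_file "$key" "$dst/$name" 0600
        if [ -f "$key.pub" ]; then
            place_key_file "$key.pub" "$dst/$name.pub" 0644
        fi
        n=$((n + 1))
    done
    if [ "$n" -eq 0 ]; then
        echo "restore_host_keys: no ssh_host_*_key files in $src" >&2
        return 1
    fi
    echo "restored $n host key pair(s) into $dst"
}

# effective_sshd_option FILE KEYWORD: print the value sshd will use.
# sshd keeps the FIRST value of a keyword and ignores repeats; keywords are
# case-insensitive and may be written "Key value" or "Key=value". Global
# keywords must precede the first Match block, so parsing stops there.
effective_sshd_option() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }             # comment or blank
        /^[[:space:]]*[Mm][Aa][Tt][Cc][Hh][[:space:]]/ { exit }  # conditional block starts
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            n = split(line, parts, /[[:space:]=]+/)
            if (n >= 2 && tolower(parts[1]) == tolower(key)) { print parts[2]; exit }
        }' "$1"
}

# show_effective_hardening [CONFIG]: the values worth checking after the
# edit in this step; an empty value means the compiled-in default applies.
show_effective_hardening() {
    local cfg="${1:-/usr/local/openssh/etc/sshd_config}" k v
    for k in PermitRootLogin PasswordAuthentication PubkeyAuthentication; do
        v=$(effective_sshd_option "$cfg" "$k")
        printf '%-24s %s\n' "$k" "${v:-(compiled-in default)}"
    done
}

# validate_sshd_config [SSHD] [CONFIG]: let the daemon parse the file before
# it is started; the init script does not do this for you.
validate_sshd_config() {
    "${1:-/usr/sbin/sshd}" -t -f "${2:-/usr/local/openssh/etc/sshd_config}"
}
```

Call `restore_host_keys /etc/ssh.bak /usr/local/openssh/etc` before the copies above, then `show_effective_hardening` and `validate_sshd_config`; start the service only when sshd -t prints nothing.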
6) Start sshd and enable it at boot
systemctl daemon-reload
systemctl start sshd && systemctl enable sshd
ssh -V
7) Verify the result
Before closing the fallback session, open a new SSH connection and confirm that login works and that the host key presented is the expected one. Then disable and remove telnet (telnet.socket and xinetd), restore /etc/securetty from /etc/securetty_bak, and keep /etc/ssh.bak until you are sure the host keys and configuration have been carried over.
[root@rhel7-Template ~]# ssh -V
OpenSSH_9.8p1, OpenSSL 1.1.1w 11 Sep 2023