Linux SSH Upgrade

夏侯枫
2023-12-01

Many technology colleagues in the finance industry will have run into a certain vendor's vulnerability scanning tool: when it scans a Linux system it reports a high-risk SSH vulnerability, but remediation tends to hit unexpected problems, such as the root user being unable to log in while newly created users can, or nobody being able to log in remotely once the upgrade is finished. This is a record of one run of the procedure that actually succeeded, for reference only.


Environment

CentOS 7, openssl-1.0.2n.tar.gz, openssh-7.6p1.tar.gz


Upgrade steps

Install Telnet (optional)

Telnet is installed so that, if SSH stops accepting logins part-way through, you can still log in remotely over Telnet and continue. If you can work at the machine's console directly, this step is optional. Keep in mind that Telnet carries credentials in clear text, so use it only on an isolated management network and remove it once SSH works again.

Disable SELinux and the firewall

 
  vi /etc/selinux/config
  # change "SELINUX=enforcing" to "SELINUX=disabled"

  systemctl stop firewalld.service
  systemctl disable firewalld.service
  systemctl status firewalld.service

Reboot when done.

Remove the original versions

Remove the existing openssl and openssh packages:

 
  rpm -qa | grep openssl
  # lists the installed openssl packages
  rpm -e --nodeps <package listed above>
  # remove them one by one
  rpm -qa | grep openssh
  # lists the installed openssh packages
  rpm -e --nodeps <package listed above>
  # remove them one by one
  • A server reboot is recommended after removal.

Download the installation files

Download openssl-1.0.2n.tar.gz and openssh-7.6p1.tar.gz and upload them to the server. If files cannot be copied to the host directly, it is best to have downloaded them beforehand and uploaded them to the server's /usr directory.
Extract:

 
  tar xvf openssl-1.0.2n.tar.gz
  tar xvf openssh-7.6p1.tar.gz

Extraction produces two corresponding directories.


Upgrade OpenSSL

First enter the openssl directory and compile.

 
  cd /usr/openssl-1.0.2n    # the directory extracted under /usr above
  ./config shared && make && make install

This takes a little while. When it finishes, update the dynamic linker cache.

 
  echo "/usr/local/ssl/lib" >> /etc/ld.so.conf
  ldconfig -v

Configure the OpenSSL libraries

 
  cp /usr/local/ssl/lib/libssl.so.1.0.0 /usr/lib64
  cp /usr/local/ssl/lib/libcrypto.so.1.0.0 /usr/lib64
  chmod 555 /usr/lib64/libssl.so.1.0.0
  chmod 555 /usr/lib64/libcrypto.so.1.0.0
  ln -s /usr/lib64/libcrypto.so.1.0.0 /usr/lib64/libcrypto.so.10
  ln -s /usr/lib64/libssl.so.1.0.0 /usr/lib64/libssl.so.10
  ln -s /usr/lib64/libcrypto.so.1.0.0 /usr/lib64/libcrypto.so
  ln -s /usr/lib64/libssl.so.1.0.0 /usr/lib64/libssl.so
  ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
  ln -s /usr/local/ssl/include/openssl /usr/include/openssl

Check when done:

 
  # show the openssl version
  openssl version -a
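As an added check, not part of the original post, the script below verifies the library layout the steps above create: both copied libraries present with mode 555, the four symlinks resolving to the versioned files, and /etc/ld.so.conf containing the new library directory. The function names and the --run argument are this example's own; paths are passed as arguments so it can be exercised against a scratch directory before being pointed at /usr/lib64.

```shell
#!/bin/sh
# Added verification script for the OpenSSL library layout (not from the post).
# Assumes GNU coreutils (stat -c), which CentOS 7 provides. Function names are ours.

# Symlinks the post creates, as "<link>:<expected target basename>".
EXPECTED_LINKS="libcrypto.so.10:libcrypto.so.1.0.0 libssl.so.10:libssl.so.1.0.0 libcrypto.so:libcrypto.so.1.0.0 libssl.so:libssl.so.1.0.0"

# check_ssl_layout LIBDIR
# Returns 0 when both copied libraries exist with mode 555 and every symlink
# resolves to the expected versioned file; prints one line per problem found.
check_ssl_layout() {
    libdir=$1
    rc=0
    for real in libssl.so.1.0.0 libcrypto.so.1.0.0; do
        if [ ! -f "$libdir/$real" ]; then
            echo "MISSING: $libdir/$real"
            rc=1
            continue
        fi
        mode=$(stat -c %a "$libdir/$real")
        if [ "$mode" != "555" ]; then
            echo "BAD MODE $mode (want 555): $libdir/$real"
            rc=1
        fi
    done
    for pair in $EXPECTED_LINKS; do
        link=${pair%%:*}
        want=${pair#*:}
        if [ ! -L "$libdir/$link" ]; then
            echo "NOT A SYMLINK: $libdir/$link"
            rc=1
            continue
        fi
        # The post uses absolute link targets; compare basenames so relative ones pass too.
        got=$(basename "$(readlink "$libdir/$link")")
        if [ "$got" != "$want" ]; then
            echo "WRONG TARGET $got (want $want): $libdir/$link"
            rc=1
        fi
    done
    return $rc
}

# check_ldconf CONFFILE LIBDIR
# Returns 0 when LIBDIR appears as a line of its own in CONFFILE, which is what
# the echo >> /etc/ld.so.conf step above adds and what ldconfig reads.
check_ldconf() {
    grep -qx "$2" "$1"
}

# Usage on the real host: sh check_openssl_layout.sh --run
if [ "${1:-}" = "--run" ]; then
    check_ssl_layout /usr/lib64
    check_ldconf /etc/ld.so.conf /usr/local/ssl/lib
    openssl version -a
fi
```

The basename comparison is deliberate: `readlink` returns the absolute target the post's `ln -s` commands write, but a relative target inside /usr/lib64 is equally valid, so the check only insists on the right versioned file.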

Upgrade OpenSSH

Enter the corresponding directory (openssh-7.6p1).

Compile:

 
  ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-tcp-wrappers --with-ssl-dir=/usr/local/ssl --without-hardening
  make && make install

When it finishes it warns that some key files are too open, so fix their permissions.
Go to the /etc/ssh directory.

 
  chmod 600 ssh_host_ecdsa_key
  chmod 600 ssh_host_rsa_key
  chmod 600 ssh_host_ed25519_key

Then go back to the openssh directory and run again:

 
  make && make install

Replace the sshd init script.

 
  cp ./contrib/redhat/sshd.init /etc/init.d/sshd
  chmod u+x /etc/init.d/sshd

Copy the configuration files

 
  cp ssh_config /etc/ssh/ssh_config
  y    # answer y to overwrite

  cp -p sshd_config /etc/ssh/sshd_config
  y    # answer y to overwrite

Edit the ssh configuration file; it is pasted here in full:

 
  vi /etc/ssh/sshd_config

  # $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $

  # This is the sshd server system-wide configuration file. See
  # sshd_config(5) for more information.

  # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

  # The strategy used for options in the default sshd_config shipped with
  # OpenSSH is to specify options with their default value where
  # possible, but leave them commented. Uncommented options override the
  # default value.

  #Port 22
  #AddressFamily any
  #ListenAddress 0.0.0.0
  #ListenAddress ::

  #HostKey /etc/ssh/ssh_host_rsa_key
  #HostKey /etc/ssh/ssh_host_dsa_key
  #HostKey /etc/ssh/ssh_host_ecdsa_key
  #HostKey /etc/ssh/ssh_host_ed25519_key

  # Ciphers and keying
  #RekeyLimit default none

  # Logging
  #SyslogFacility AUTH
  SyslogFacility AUTHPRIV
  #LogLevel INFO

  # Authentication:

  #LoginGraceTime 2m
  PermitRootLogin yes
  #PermitRootLogin prohibit-password
  #StrictModes yes
  #MaxAuthTries 6
  #MaxSessions 10

  #PubkeyAuthentication yes

  # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
  # but this is overridden so installations will only check .ssh/authorized_keys
  AuthorizedKeysFile .ssh/authorized_keys

  #AuthorizedPrincipalsFile none

  #AuthorizedKeysCommand none
  #AuthorizedKeysCommandUser nobody

  # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
  #HostbasedAuthentication no
  # Change to yes if you don't trust ~/.ssh/known_hosts for
  # HostbasedAuthentication
  #IgnoreUserKnownHosts no
  # Don't read the user's ~/.rhosts and ~/.shosts files
  #IgnoreRhosts yes

  # To disable tunneled clear text passwords, change to no here!
  #PasswordAuthentication yes
  #PermitEmptyPasswords no
  PasswordAuthentication yes

  # Change to no to disable s/key passwords
  #ChallengeResponseAuthentication yes

  # Kerberos options
  #KerberosAuthentication no
  #KerberosOrLocalPasswd yes
  #KerberosTicketCleanup yes
  #KerberosGetAFSToken no

  # GSSAPI options
  #GSSAPIAuthentication no
  #GSSAPICleanupCredentials yes

  # Set this to 'yes' to enable PAM authentication, account processing,
  # and session processing. If this is enabled, PAM authentication will
  # be allowed through the ChallengeResponseAuthentication and
  # PasswordAuthentication. Depending on your PAM configuration,
  # PAM authentication via ChallengeResponseAuthentication may bypass
  # the setting of "PermitRootLogin without-password".
  # If you just want the PAM account and session checks to run without
  # PAM authentication, then enable this but set PasswordAuthentication
  # and ChallengeResponseAuthentication to 'no'.
  #UsePAM no
  UsePAM yes

  #AllowAgentForwarding yes
  #AllowTcpForwarding yes
  #GatewayPorts no
  #X11Forwarding no
  #X11DisplayOffset 10
  #X11UseLocalhost yes
  #PermitTTY yes
  #PrintMotd yes
  #PrintLastLog yes
  #TCPKeepAlive yes
  #UseLogin no
  #PermitUserEnvironment no
  #Compression delayed
  #ClientAliveInterval 0
  #ClientAliveCountMax 3
  #UseDNS no
  UseDNS no
  #PidFile /var/run/sshd.pid
  #MaxStartups 10:30:100
  #PermitTunnel no
  #ChrootDirectory none
  #VersionAddendum none
  # no default banner path
  #Banner none
  # override default of no subsystems
  Subsystem sftp /usr/libexec/sftp-server

  # Example of overriding settings on a per-user basis
  #Match User anoncvs
  # X11Forwarding no
  # AllowTcpForwarding no
  # PermitTTY no
  # ForceCommand cvs server
  #KexAlgorithms
  #diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1
  Banner /etc/sshbanner

Create /etc/pam.d/sshd

 
  #%PAM-1.0
  auth       required     pam_sepermit.so
  auth       include      password-auth
  account    required     pam_nologin.so
  account    include      password-auth
  password   include      password-auth
  # pam_selinux.so close should be the first session rule
  session    required     pam_selinux.so close
  session    required     pam_loginuid.so
  # pam_selinux.so open should only be followed by sessions to be executed in the user context
  session    required     pam_selinux.so open env_params
  session    optional     pam_keyinit.so force revoke
  session    include      password-auth

Done. Restart the service and users, including root, can log in.
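As an added pre-restart check, not part of the original post, the script below does two things a reviewer will want before the service is restarted. First, it reports the effective value of the directives the pasted sshd_config leaves enabled (PermitRootLogin and PasswordAuthentication are both set to yes above), using sshd's own rule that the first uncommented occurrence of a keyword wins and later duplicates are ignored, so a hardening line appended at the bottom of the file would be silently ineffective. Second, it verifies the host key permissions from the chmod step, since sshd refuses to load a private key that is readable by others. The function names, the FINDING output format and the --run argument are this example's own assumptions; paths are passed as arguments so it can be exercised on a scratch directory.

```shell
#!/bin/sh
# Added pre-restart checks for the sshd side of the upgrade (not from the post).
# Assumes GNU coreutils (stat -c) and a POSIX awk; function names are ours.

# sshd_effective CONFIG KEYWORD
# Prints the value sshd will actually use for KEYWORD. Keywords are
# case-insensitive, comment and blank lines are skipped, the FIRST uncommented
# occurrence wins (sshd ignores later duplicates), and anything after a Match
# line is conditional and therefore not counted. Returns 1 if the keyword is
# not set at top level.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == "match"  { inmatch = 1 }
        inmatch                 { next }
        tolower($1) == key      { sub(/^[ \t]*[^ \t]+[ \t]*/, ""); print; found = 1; exit }
        END                     { exit found ? 0 : 1 }
    ' "$1"
}

# audit_sshd_config CONFIG
# Prints a FINDING line for each setting that a scanner or reviewer will flag
# when it is enabled, and returns the number of findings.
audit_sshd_config() {
    cfg=$1
    findings=0
    for item in PermitRootLogin:yes PasswordAuthentication:yes PermitEmptyPasswords:yes X11Forwarding:yes; do
        kw=${item%%:*}
        bad=${item#*:}
        val=$(sshd_effective "$cfg" "$kw") || continue
        if [ "$(printf '%s' "$val" | tr 'A-Z' 'a-z')" = "$bad" ]; then
            echo "FINDING: $kw $val"
            findings=$((findings + 1))
        fi
    done
    return $findings
}

# check_hostkey_perms DIR
# Returns 0 when every ssh_host_*_key in DIR is mode 600, which is what the
# chmod step above establishes; sshd skips any host key that is more open.
check_hostkey_perms() {
    rc=0
    for key in "$1"/ssh_host_*_key; do
        [ -e "$key" ] || continue
        mode=$(stat -c %a "$key")
        if [ "$mode" != "600" ]; then
            echo "BAD MODE $mode (want 600): $key"
            rc=1
        fi
    done
    return $rc
}

# Usage on the real host, before restarting sshd: sh check_sshd.sh --run
# (sshd -t is OpenSSH's own configuration syntax check; run it as well.)
if [ "${1:-}" = "--run" ]; then
    check_hostkey_perms /etc/ssh
    audit_sshd_config /etc/ssh/sshd_config
    sshd -t
fi
```

With the config as pasted above, `audit_sshd_config` reports two findings (PermitRootLogin yes and PasswordAuthentication yes); whether those are acceptable for the host is a decision to make deliberately rather than by inheriting the defaults of the file copied from the source tree.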
