相信很多金融行业的科技伙伴都会碰到某盟的一个漏洞检测工具,检测Linux操作系统的时候,都会报一个高危的SSH的漏洞,但是修复过程中都会遇到一些未知的问题,如root用户无法登陆,新建用户可以,或者升级完成后用户无法远程登陆。这里记录一次实际操作成功的过程,仅作参考。
CENTOS7,openssl-1.0.2n.tar.gz,openssh-7.6p1.tar.gz
安装TELNET(可选)
安装Telnet的目的是为了在ssh不能登录的情况下,使用Telnet来登录远程操作,如果能直接在主机面前操作,那么这一步可选。
关闭SeLinux和防火墙
vi /etc/selinux/config
修改“SELINUX=enforcing”值改为“disabled”
systemctl stop firewalld.service
systemctl disable firewalld.service
systemctl status firewalld.service
完成后重启下。
卸载原先版本
卸载原先的openssl和openssh版本,通过:
rpm -qa|grep openssl
# 会出现相关安装的包
rpm -e --nodeps xxxxxx(出现的包)
# 依次卸载
rpm -qa|grep openssh
# 会出现相关安装的包
rpm -e --nodeps xxxxxxx(出现的包)
# 依次卸载
下载安装文件
下载
openssl-1.0.2n.tar.gz,openssh-7.6p1.tar.gz
上传至服务器,如果不能直接拷贝到主机,那么这一步最好之前就做好下载后上传到服务器的/usr目录。
解压:
tar xvf openssl-1.0.2n.tar.gz
tar xvf openssh-7.6p1.tar.gz
解压后生成两个对应的文件夹。
升级openssl
先进入openssl文件夹,编译。
cd /openssl-1.0.2m
./config shared && make && make install
过程稍微需要点时间,等待结束后,更新ld.
echo "/usr/local/ssl/lib" >> /etc/ld.so.conf
ldconfig -v
配置openssl库
cp /usr/local/ssl/lib/libssl.so.1.0.0 /usr/lib64
cp /usr/local/ssl/lib/libcrypto.so.1.0.0 /usr/lib64
chmod 555 /usr/lib64/libssl.so.1.0.0
chmod 555 /usr/lib64/libcrypto.so.1.0.0
ln -s /usr/lib64/libcrypto.so.1.0.0 /usr/lib64/libcrypto.so.10
ln -s /usr/lib64/libssl.so.1.0.0 /usr/lib64/libssl.so.10
ln -s /usr/lib64/libcrypto.so.1.0.0 /usr/lib64/libcrypto.so
ln -s /usr/lib64/libssl.so.1.0.0 /usr/lib64/libssl.so
ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
ln -s /usr/local/ssl/include/openssl /usr/include/openssl
完成后检查:
查看openssl版本
openssl version -a
升级openssh
进入对应文件夹。
编译:
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords--with-pam --with-tcp-wrappers --with-ssl-dir=/usr/local/ssl--without-hardening
?
make && make install
完成后会提示一些key过于open,那么修改权限。
进入/etc/ssh目录。
chmod 600 ssh_host_ecdsa_key
chmod 600 ssh_host_rsa_key
chmod 600 ssh_host_ed25519_key
完成后再到openssh目录,再次:
make && make install
替换key.
cp ./contrib/redhat/sshd.init /etc/init.d/sshd
chmod u+x /etc/init.d/sshd
复制配置
cp ssh_config /etc/ssh/ssh_config
y 覆盖
cp -p sshd_config /etc/ssh/sshd_config
y 覆盖
修改ssh的配置文件,这里直接粘贴上来:
vi /etc/ssh/sshd_config
# $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin yes
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
#KexAlgorithms
#diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1
Banner /etc/sshbanner
新建/etc/pam.d/sshd
#%PAM-1.0
auth required pam_sepermit.so
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be thefirst session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only befollowed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth
完成, 重启服务即可。用户包括root都可以登录。