Linux-SSH升级

相信很多金融行业的科技伙伴都会碰到某盟的一个漏洞检测工具，检测Linux操作系统的时候，都会报一个高危的SSH的漏洞，但是修复过程中都会遇到一些未知的问题，如root用户无法登陆，新建用户可以，或者升级完成后用户无法远程登陆。这里记录一次实际操作成功的过程，仅作参考。

环境

CENTOS7，openssl-1.0.2n.tar.gz，openssh-7.6p1.tar.gz

升级步骤

安装TELNET（可选）

安装Telnet的目的是为了在ssh不能登录的情况下，使用Telnet来登录远程操作，如果能直接在主机面前操作，那么这一步可选。

关闭SeLinux和防火墙

1. vi /etc/selinux/config
2. 修改“SELINUX=enforcing”值改为“disabled”

1. systemctl stop firewalld.service
2. systemctl disable firewalld.service
3. systemctl status firewalld.service

完成后重启下。

卸载原先版本

卸载原先的openssl和openssh版本，通过：

1. rpm -qa|grep openssl
2. # 会出现相关安装的包
3. rpm -e --nodeps xxxxxx（出现的包）
4. # 依次卸载
5. rpm -qa|grep openssh
6. # 会出现相关安装的包
7. rpm -e --nodeps xxxxxxx（出现的包）
8. # 依次卸载

• 卸载后建议服务器重启。

下载安装文件

下载 
openssl-1.0.2n.tar.gz，openssh-7.6p1.tar.gz 
上传至服务器，如果不能直接拷贝到主机，那么这一步最好之前就做好下载后上传到服务器的/usr目录。 
解压：

1. tar xvf openssl-1.0.2n.tar.gz
2. tar xvf openssh-7.6p1.tar.gz

解压后生成两个对应的文件夹。

升级openssl

先进入openssl文件夹,编译。

1. cd /openssl-1.0.2m
2. ./config shared && make && make install

过程稍微需要点时间，等待结束后,更新ld.

1. echo "/usr/local/ssl/lib" >> /etc/ld.so.conf
2. ldconfig -v

配置openssl库

1. cp /usr/local/ssl/lib/libssl.so.1.0.0 /usr/lib64
2. cp /usr/local/ssl/lib/libcrypto.so.1.0.0 /usr/lib64
3. chmod 555 /usr/lib64/libssl.so.1.0.0
4. chmod 555 /usr/lib64/libcrypto.so.1.0.0
5. ln -s /usr/lib64/libcrypto.so.1.0.0 /usr/lib64/libcrypto.so.10
6. ln -s /usr/lib64/libssl.so.1.0.0 /usr/lib64/libssl.so.10
7. ln -s /usr/lib64/libcrypto.so.1.0.0 /usr/lib64/libcrypto.so
8. ln -s /usr/lib64/libssl.so.1.0.0 /usr/lib64/libssl.so
9. ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
10. ln -s /usr/local/ssl/include/openssl /usr/include/openssl

完成后检查：

1. 查看openssl版本
2. openssl version -a

升级openssh

进入对应文件夹。

编译：

1. ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords--with-pam --with-tcp-wrappers --with-ssl-dir=/usr/local/ssl--without-hardening
2. ?
3. make && make install

完成后会提示一些key过于open，那么修改权限。 
进入/etc/ssh目录。

1. chmod 600 ssh_host_ecdsa_key
2. chmod 600 ssh_host_rsa_key
3. chmod 600 ssh_host_ed25519_key

完成后再到openssh目录，再次：

1. make && make install

替换key.

1. cp ./contrib/redhat/sshd.init /etc/init.d/sshd
2. chmod u+x /etc/init.d/sshd

复制配置

1. cp ssh_config /etc/ssh/ssh_config
2. y 覆盖

1. cp -p sshd_config /etc/ssh/sshd_config
2. y 覆盖

修改ssh的配置文件，这里直接粘贴上来：

1. vi /etc/ssh/sshd_config
2. # $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $
3.  
4. # This is the sshd server system-wide configuration file. See
5. # sshd_config(5) for more information.
6.  
7. # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
8.  
9. # The strategy used for options in the default sshd_config shipped with
10. # OpenSSH is to specify options with their default value where
11. # possible, but leave them commented. Uncommented options override the
12. # default value.
13.  
14. #Port 22
15. #AddressFamily any
16. #ListenAddress 0.0.0.0
17. #ListenAddress ::
18.  
19. #HostKey /etc/ssh/ssh_host_rsa_key
20. #HostKey /etc/ssh/ssh_host_dsa_key
21. #HostKey /etc/ssh/ssh_host_ecdsa_key
22. #HostKey /etc/ssh/ssh_host_ed25519_key
23.  
24. # $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $
25.  
26. # This is the sshd server system-wide configuration file. See
27. # sshd_config(5) for more information.
28.  
29. # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
30.  
31. # The strategy used for options in the default sshd_config shipped with
32. # OpenSSH is to specify options with their default value where
33. # possible, but leave them commented. Uncommented options override the
34. # default value.
35.  
36. #Port 22
37. #AddressFamily any
38. #ListenAddress 0.0.0.0
39. #ListenAddress ::
40.  
41. #HostKey /etc/ssh/ssh_host_rsa_key
42. #HostKey /etc/ssh/ssh_host_dsa_key
43. #HostKey /etc/ssh/ssh_host_ecdsa_key
44. #HostKey /etc/ssh/ssh_host_ed25519_key
45.  
46. # Ciphers and keying
47. #RekeyLimit default none
48.  
49. # Logging
50. #SyslogFacility AUTH
51. SyslogFacility AUTHPRIV
52. #LogLevel INFO
53.  
54. # Authentication:
55.  
56. #LoginGraceTime 2m
57. PermitRootLogin yes
58. #PermitRootLogin prohibit-password
59. #StrictModes yes
60. #MaxAuthTries 6
61. #MaxSessions 10
62.  
63. #PubkeyAuthentication yes
64.  
65. # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
66. # but this is overridden so installations will only check .ssh/authorized_keys
67. AuthorizedKeysFile .ssh/authorized_keys
68.  
69. #AuthorizedPrincipalsFile none
70.  
71. #AuthorizedKeysCommand none
72. #AuthorizedKeysCommandUser nobody
73.  
74. # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
75. #HostbasedAuthentication no
76. # Change to yes if you don't trust ~/.ssh/known_hosts for
77. # HostbasedAuthentication
78. #IgnoreUserKnownHosts no
79. # Don't read the user's ~/.rhosts and ~/.shosts files
80. #IgnoreRhosts yes
81.  
82. # To disable tunneled clear text passwords, change to no here!
83. #PasswordAuthentication yes
84. #PermitEmptyPasswords no
85. PasswordAuthentication yes
86.  
87. # Change to no to disable s/key passwords
88. #ChallengeResponseAuthentication yes
89.  
90. # Kerberos options
91. #KerberosAuthentication no
92. #KerberosOrLocalPasswd yes
93. #KerberosTicketCleanup yes
94. #KerberosGetAFSToken no
95.  
96. # GSSAPI options
97. #GSSAPIAuthentication no
98. #GSSAPICleanupCredentials yes
99.  
100. # Set this to 'yes' to enable PAM authentication, account processing,
101. # and session processing. If this is enabled, PAM authentication will
102. # be allowed through the ChallengeResponseAuthentication and
103. # PasswordAuthentication. Depending on your PAM configuration,
104. # PAM authentication via ChallengeResponseAuthentication may bypass
105. # the setting of "PermitRootLogin without-password".
106. # If you just want the PAM account and session checks to run without
107. # PAM authentication, then enable this but set PasswordAuthentication
108. # and ChallengeResponseAuthentication to 'no'.
109. #UsePAM no
110. UsePAM yes
111.  
112. #AllowAgentForwarding yes
113. #AllowTcpForwarding yes
114. #GatewayPorts no
115. #X11Forwarding no
116. #X11DisplayOffset 10
117. #X11UseLocalhost yes
118. #PermitTTY yes
119. #PrintMotd yes
120. #PrintLastLog yes
121. #TCPKeepAlive yes
122. #UseLogin no
123. #PermitUserEnvironment no
124. #Compression delayed
125. #ClientAliveInterval 0
126. #ClientAliveCountMax 3
127. #UseDNS no
128. UseDNS no
129. #PidFile /var/run/sshd.pid
130. #MaxStartups 10:30:100
131. #PermitTunnel no
132. #ChrootDirectory none
133. #VersionAddendum none
134. # no default banner path
135. #Banner none
136. # override default of no subsystems
137. Subsystem sftp /usr/libexec/sftp-server
138.  
139. # Example of overriding settings on a per-user basis
140. #Match User anoncvs
141. # X11Forwarding no
142. # AllowTcpForwarding no
143. # PermitTTY no
144. # ForceCommand cvs server
145. #KexAlgorithms
146. #diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1
147. Banner /etc/sshbanner

新建/etc/pam.d/sshd

1. #%PAM-1.0
2. auth required pam_sepermit.so
3. auth include password-auth
4. account required pam_nologin.so
5. account include password-auth
6. password include password-auth
7. # pam_selinux.so close should be thefirst session rule
8. session required pam_selinux.so close
9. session required pam_loginuid.so
10. # pam_selinux.so open should only befollowed by sessions to be executed in the user context
11. session required pam_selinux.so open env_params
12. session optional pam_keyinit.so force revoke
13. session include password-auth

完成， 重启服务即可。用户包括root都可以登录。