升级openssh漏洞


openssh 低版本存在漏洞，所以需要升级到最新版；由于客户是离线环境，所以采用离线安装。

下载依赖openssl、zlib、openssh
在有网络的主机上下载依赖，然后拷贝到目标服务器。

升级前请务必先阅读注意事项（重要，请勿跳过）。

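# Download the three source archives on an Internet-connected host; they are
# copied to the offline target afterwards. A failed download is fatal here, so
# the rest of the procedure cannot silently continue with a missing archive.
#
# wget only proves the transfer completed, not that the content is genuine,
# and the zlib URL is plain HTTP. Before carrying any archive offline, verify
# it against the checksum or signature the respective project publishes, e.g.
#   sha256sum -c <CHECKSUM_FILE_OBTAINED_OUT_OF_BAND>
for url in \
  https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/openssh-8.4p1.tar.gz \
  http://www.zlib.net/zlib-1.2.11.tar.gz \
  https://www.openssl.org/source/openssl-1.1.1g.tar.gz; do
  wget -- "$url" || { printf 'download failed: %s\n' "$url" >&2; exit 1; }
done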

解压升级包

# Unpack the three archives in the same order as before. --no-same-owner
# makes the extracted files owned by the invoking user rather than by the
# uid/gid recorded inside each tarball.
for archive in zlib-1.2.11.tar.gz openssh-8.4p1.tar.gz openssl-1.1.1g.tar.gz; do
  tar --no-same-owner -zxvf "$archive"
done

编译安装zlib

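# Build and install zlib under its own prefix (/usr/local/zlib), separate from
# the distribution's libz. Abort if the cd fails; otherwise ./configure and
# make would run in whatever directory the shell happens to be in.
cd zlib-1.2.11 || exit 1
./configure --prefix=/usr/local/zlib
make && make install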

编译安装openssl

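# Build OpenSSL 1.1.1g as shared libraries under /usr/local/ssl.
# The original invocation passed `-d`, which OpenSSL's ./config treats as a
# debug (non-optimised) build option; it is dropped here since this is a
# production upgrade. Abort on a failed cd so make cannot run elsewhere.
cd .. || exit 1
cd openssl-1.1.1g || exit 1
./config --prefix=/usr/local/ssl shared
make && make install
# Register the new library directory with the dynamic loader. The append is
# guarded so re-running the procedure does not add duplicate entries.
# NOTE(review): directories listed in /etc/ld.so.conf are searched ahead of the
# default system library directories, so other programs linked against
# libssl.so.1.1 / libcrypto.so.1.1 may start resolving to this privately built
# copy, which will not receive the distribution's security updates — confirm
# this is intended before rolling out.
grep -qxF '/usr/local/ssl/lib' /etc/ld.so.conf || echo '/usr/local/ssl/lib' >> /etc/ld.so.conf
ldconfig -v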

安装openssh

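# Build OpenSSH against the zlib and OpenSSL just installed.
# The original command had a stray space in `--with-ssl- dir=`, which breaks
# the option; it is `--with-ssl-dir=/usr/local/ssl`. Abort on a failed cd.
# NOTE(review): with --prefix=/usr/local/openssh the config and binaries land
# under that prefix and are copied into /etc/ssh and /usr/sbin by hand later;
# passing --sysconfdir=/etc/ssh here would let the new sshd read /etc/ssh
# directly — worth considering, but the steps below assume the layout as is.
cd .. || exit 1
cd openssh-8.4p1 || exit 1
./configure --prefix=/usr/local/openssh --with-zlib=/usr/local/zlib --with-ssl-dir=/usr/local/ssl
make && make install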

#sshd_config文件修改

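#######################################
# Set a keyword in an sshd_config file, replacing any active line for it.
# sshd_config uses first-match semantics, so a plain `>>` append (as in the
# original) is silently overridden by any earlier occurrence of the keyword;
# removing the active line first makes the new value take effect.
# Arguments: $1 - path to the sshd_config file
#            $2 - keyword, e.g. PermitRootLogin
#            $3 - value
# Outputs:   rewrites $1 in place
#######################################
set_sshd_option() {
  local config=$1 key=$2 value=$3
  # drop uncommented lines "Key value" / "Key=value"; commented defaults stay
  sed -i "/^[[:space:]]*${key}[[:space:]=]/d" -- "$config"
  printf '%s %s\n' "$key" "$value" >> "$config"
}

# NOTE(review): OpenSSH 8.4 defaults PermitRootLogin to prohibit-password;
# setting it to yes together with PasswordAuthentication yes re-enables
# password-based root logins over the network. Keep these values only if the
# site's policy actually requires them.
set_sshd_option /usr/local/openssh/etc/sshd_config PermitRootLogin yes
set_sshd_option /usr/local/openssh/etc/sshd_config PubkeyAuthentication yes
set_sshd_option /usr/local/openssh/etc/sshd_config PasswordAuthentication yes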

#备份原有文件,并将新的配置复制到指定目录

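# Back up the distribution's config and binaries, then put the new ones in
# place. Each mv/cp is its own command: the original ran `cp ... sshd_config`
# and `mv /usr/sbin/sshd ...` on one line, which makes cp fail with four
# arguments and leaves the old sshd in place.
mv /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
cp /usr/local/openssh/etc/sshd_config /etc/ssh/sshd_config
mv /usr/sbin/sshd /usr/sbin/sshd.bak
cp /usr/local/openssh/sbin/sshd /usr/sbin/sshd
mv /usr/bin/ssh /usr/bin/ssh.bak
cp /usr/local/openssh/bin/ssh /usr/bin/ssh
mv /usr/bin/ssh-keygen /usr/bin/ssh-keygen.bak
cp /usr/local/openssh/bin/ssh-keygen /usr/bin/ssh-keygen
# The existing host key pair in /etc/ssh is left untouched. The original copied
# only /usr/local/openssh/etc/ssh_host_ecdsa_key.pub (a public key `make
# install` generates for a new private key under the prefix) over the old .pub
# while keeping the old private key, so the two files no longer matched; sshd
# presents the key derived from the private key file, so that copied .pub is at
# best ignored with an error. Replacing the whole pair would instead make every
# client see a changed host key, which an upgrade should not cause.
# NOTE(review): on SELinux-enforcing hosts the copied binaries may need their
# file context restored (e.g. restorecon -v /usr/sbin/sshd) — confirm locally.
# NOTE(review): the replaced files belong to the distribution's openssh
# packages, so a later package update may overwrite them — confirm how the
# host is kept from regressing.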

#启动sshd

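# Comment out the Type= line in the distribution's unit file (presumably
# because the self-built sshd is not linked against libsystemd and never sends
# the readiness notification a Type=notify unit waits for — confirm). The
# original line contained soft-hyphen characters inside `-i` and
# `daemon-reload` and ran both commands on one line, so it did not work when
# pasted; they are separate commands here.
sed -i 's/^Type/#&/' /usr/lib/systemd/system/sshd.service
systemctl daemon-reload
# Validate the new binary against the new config before restarting: a restart
# with a broken config or binary locks you out of a remote host. Keep the
# current session open and confirm a fresh login works before closing it.
/usr/sbin/sshd -t || exit 1
service sshd restart
ssh -V
# expected output:
# OpenSSH_8.4p1, OpenSSL 1.1.1g 21 Apr 2020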