Upgrading OpenSSH on CentOS 6.5
Introduction
A vulnerability scan flagged many OpenSSH findings; upgrading the OpenSSH version resolves them.
Current version
# ssh -V
OpenSSH_7.0p1, OpenSSL 1.0.1e-fips 11 Feb 2013
Recommended target version: OpenSSH 7.9p1
Note: OpenSSH 7.9p1 requires an OpenSSL version >= 1.0.1 and < 1.1.0
# Configure YUM (local repo from the install DVD)
cd /mnt
mkdir cdrom
mount -o loop -t iso9660 /dev/cdrom /mnt/cdrom/
cd /etc/yum.repos.d/
mkdir bk
mv *.repo bk
vi centos6.repo
Contents of centos6.repo:
[CentOS65]
name=CentOS65
baseurl=file:///mnt/cdrom
enabled=1
gpgcheck=0
gpgkey=file:///mnt/cdrom/RPM-GPG-KEY-CentOS-6
yum list  ## if packages are listed, the repo is working
# Install and configure telnet
cd /mnt/cdrom/Packages
rpm -i telnet-0.17-47.el6_3.1.x86_64.rpm
yum -y install telnet-server*
# Temporarily allow root to log in over telnet, so the host stays reachable if remote login breaks after the ssh upgrade
echo "Y" | /usr/bin/yum install telnet-server
# xinetd ships telnet with "disable = yes"; flip it to "disable = no"
/bin/sed -i 's/= yes/= no/g' /etc/xinetd.d/telnet
/etc/init.d/xinetd start
/etc/init.d/xinetd restart
# pam_securetty consults /etc/securetty; moving it aside lets root log in from pts/* (telnet sessions)
mv /etc/securetty /etc/securetty.bak
# Install dependencies (gcc, make, perl, zlib, zlib-devel, pam, pam-devel)
find / -name 'zlib*'  # check whether zlib is already present
yum install -y gcc openssl-devel pam-devel rpm-build tcp_wrappers-devel
# Disable the iptables firewall and SELinux
/etc/init.d/iptables stop
/bin/sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/sysconfig/selinux
/usr/sbin/setenforce 0
# Back up the existing ssh configuration
cp -rf /etc/ssh /etc/ssh.bak
# Install and configure the new OpenSSH
echo "Y" | /usr/bin/yum install -y gcc openssl-devel pam-devel rpm-build
cd /usr/local/src
# internal mirror used by the author; the same tarball is published on the OpenSSH mirrors
/usr/bin/wget http://10.0.8.50/software/openssh-7.9p1.tar.gz
/bin/tar -zvxf openssh-7.9p1.tar.gz
cd /usr/local/src/openssh-7.9p1
# --with-tcp-wrappers is no longer recognized by 7.9p1's configure (portable OpenSSH dropped libwrap support in 6.7), so it is omitted here
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-md5-passwords
make && make install
# make install keeps the existing sshd_config; uncomment PermitRootLogin so root can still log in afterwards
/bin/sed -i '/^#PermitRootLogin/s/#PermitRootLogin yes/PermitRootLogin yes/' /etc/ssh/sshd_config
# comment out the GSSAPI options carried over from the old config
sed -i '/^GSSAPICleanupCredentials/s/GSSAPICleanupCredentials yes/#GSSAPICleanupCredentials yes/' /etc/ssh/sshd_config
sed -i '/^GSSAPIAuthentication/s/GSSAPIAuthentication yes/#GSSAPIAuthentication yes/' /etc/ssh/sshd_config
sed -i '/^GSSAPIAuthentication/s/GSSAPIAuthentication no/#GSSAPIAuthentication no/' /etc/ssh/sshd_config
service sshd restart
# Check the installed version
/usr/bin/ssh -V
# Disable telnet remote login
vi /etc/xinetd.d/telnet
Change "disable = no" back to "disable = yes"
# Restore securetty and stop xinetd
# lsof prints nothing (and exits non-zero) when nothing is bound to port 23, so NUM is 0 once telnet is gone
NUM=$(/usr/sbin/lsof -i:23 | wc -l)
if [ "$NUM" -ne 0 ]; then
    mv /etc/securetty.bak /etc/securetty
fi
/etc/init.d/xinetd stop
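An added example, not from the original post, of the check that the `lsof -i:23` line above is reaching for, generalized to either port: it parses `netstat -tln` style output so the logic can be exercised offline on constructed lines, and wraps it in two gates matching the order used in this procedure (telnet must be listening before sshd is replaced; sshd must be listening and telnet gone before securetty is restored). It assumes the net-tools `netstat` found on CentOS 6; the function names and the sample table are mine.

```shell
#!/bin/sh
# Added example (not the original post's code): port-listener checks around the
# telnet fallback. Assumes net-tools `netstat -tln` output as on CentOS 6.

# Return 0 if the listener table in $1 contains a TCP socket bound on port $2.
# Column 4 is "Local Address" (e.g. 0.0.0.0:22 or :::23); the port is the last
# colon-separated field, which also handles the IPv6 ":::23" form.
port_listening_in() {
    table="$1"; port="$2"
    printf '%s\n' "$table" | awk -v p="$port" '
        $1 ~ /^tcp/ { n = split($4, a, ":"); if (a[n] == p) found = 1 }
        END { exit found ? 0 : 1 }'
}

# Live wrapper around the real netstat on this host.
port_listening() { port_listening_in "$(netstat -tln 2>/dev/null)" "$1"; }

# Gate 1: do not touch sshd until the telnet fallback is actually up.
before_upgrade() { port_listening 23; }

# Gate 2: only restore /etc/securetty and stop xinetd once the new sshd
# answers on 22 and nothing is left on 23.
after_upgrade() { port_listening 22 && ! port_listening 23; }

# Constructed sample of `netstat -tln` output, used for offline testing.
SAMPLE='Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN
tcp        0      0 :::23                       :::*                        LISTEN
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN'

# Usage on a live host: sh telnet-gate.sh before   (or: after)
case "${1:-}" in
    before) before_upgrade && echo "telnet fallback is listening" ;;
    after)  after_upgrade  && echo "sshd up, telnet gone" ;;
esac
```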
# Other notes and policy commands:
Allow root to log in via telnet:
Edit /etc/pam.d/login and comment out the line below
vi /etc/pam.d/login
#auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
/etc/init.d/xinetd restart
Configure /etc/securetty:
cp /etc/securetty /etc/securetty.bak
# allow root on pseudo-terminals pts/1 through pts/11 (telnet sessions)
for n in 1 2 3 4 5 6 7 8 9 10 11; do echo "pts/$n" >> /etc/securetty; done
Troubleshooting
1. Error message:
checking whether OpenSSL's headers match the library... no
configure: error: Your OpenSSL headers do not match your library. Check config.log for details.
Cause: at configure time, --with-ssl-dir must point at the current OpenSSL installation path, /usr/local/ssl (on a 32-bit system the location may differ: /usr/local/ssl/lib/).
Fix:
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/ssl --with-zlib --with-pam --with-md5-passwords --with-kerberos5 --without-zlib-version-check
2. Error message:
cannot open Packages database in /var/lib/rpm
rpmdb: unable to join the environment
Fix:
1. kill any rpm process that is still running
2. rm -f /var/lib/rpm/__db.*
3. rpm --rebuilddb
4. add --nodeps to the rpm command
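The script below is an added example, not part of the original post: a POSIX sh pre-flight for the build described above. It parses `openssl version` output to confirm the 1.0.1 <= version < 1.1.0 window stated in the note at the top, compares the OPENSSL_VERSION_TEXT define in the installed header with what the library reports (the mismatch behind troubleshooting item 1), and validates the edited sshd_config with `sshd -t` before `service sshd restart`. Assumed paths are the CentOS 6 defaults: `openssl` on PATH, `/usr/include/openssl/opensslv.h` from openssl-devel, and `/usr/sbin/sshd` from the `--prefix=/usr` build; the function names are mine.

```shell
#!/bin/sh
# Added pre-flight checks for the OpenSSH 7.9p1 build (example code, not the
# original post's). Assumes CentOS 6 paths: openssl on PATH, headers from
# openssl-devel in /usr/include/openssl, sshd installed with --prefix=/usr.

# Extract the version token (e.g. "1.0.1e") from any line that contains
# "OpenSSL x.y.z...": `openssl version` output or the OPENSSL_VERSION_TEXT
# define in opensslv.h. Prints nothing if no such token is present.
version_token() {
    printf '%s\n' "$1" | sed -n 's/.*OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p'
}

# Return 0 when the version lies in the window OpenSSH 7.9p1 builds against:
# >= 1.0.1 and < 1.1.0, i.e. exactly 1.0.x with x >= 1 (letter suffix ignored).
openssl_version_ok() {
    ver=$(version_token "$1" | sed 's/[^0-9.]//g')
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$major" = 1 ] && [ "$minor" = 0 ] && [ "${patch:-0}" -ge 1 ] 2>/dev/null
}

# Return 0 when the header define ($1) and the library's own report ($2) carry
# the same version token; a difference is what makes configure stop with
# "Your OpenSSL headers do not match your library".
headers_match_library() {
    h=$(version_token "$1")
    l=$(version_token "$2")
    [ -n "$h" ] && [ "$h" = "$l" ]
}

# Live check against this host; run before ./configure.
preflight() {
    libv=$(openssl version 2>/dev/null) || { echo "openssl not found on PATH"; return 1; }
    # opensslv.h has a FIPS and a non-FIPS define; both carry the same token
    hdr=$(grep OPENSSL_VERSION_TEXT /usr/include/openssl/opensslv.h 2>/dev/null | head -n 1)
    openssl_version_ok "$libv" || { echo "unsupported OpenSSL for 7.9p1: $libv"; return 1; }
    headers_match_library "$hdr" "$libv" || { echo "header/library mismatch: $hdr vs $libv"; return 1; }
    echo "OpenSSL pre-flight OK: $libv"
}

# Validate the edited config before restarting; a broken sshd_config would
# otherwise leave the host with no sshd at all after the restart.
restart_sshd_safely() {
    /usr/sbin/sshd -t -f /etc/ssh/sshd_config || { echo "sshd_config invalid, not restarting"; return 1; }
    service sshd restart
}

# Only touch the live system when invoked explicitly: sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then
    preflight
fi
```

Run `preflight` before `./configure` and `restart_sshd_safely` in place of the bare `service sshd restart`; both return non-zero and print the reason when a check fails, so they can gate the rest of a scripted upgrade.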
References and thanks:
http://leung4080.github.io/linux/2013/08/07/OpenSSL-OpenSSH-%E5%8D%87%E7%BA%A7%E9%85%8D%E7%BD%AE/