Centos7.9-升级openssh9.7p1,修复安全漏洞
下载所需的安装包
- 下载SSL及SSH安装包(编译前先核对官方发布的校验值/签名,避免镜像上的压缩包被替换或下载不完整)
[root@web226 ~]#wget -P /usr/local/src/ https://www.openssl.org/source/openssl-3.1.7.tar.gz
[root@web226 ~]#wget -P /usr/local/src/ https://www.openssl.org/source/openssl-3.1.7.tar.gz.sha256
[root@web226 ~]#sha256sum /usr/local/src/openssl-3.1.7.tar.gz   # 与 openssl-3.1.7.tar.gz.sha256 的内容比对,不一致不要继续
[root@web226 ~]#wget -P /usr/local/src/ https://mirrors.aliyun.com/pub/OpenBSD/OpenSSH/portable/openssh-9.7p1.tar.gz
[root@web226 ~]#wget -P /usr/local/src/ https://mirrors.aliyun.com/pub/OpenBSD/OpenSSH/portable/openssh-9.7p1.tar.gz.asc
[root@web226 ~]#gpg --verify /usr/local/src/openssh-9.7p1.tar.gz.asc /usr/local/src/openssh-9.7p1.tar.gz   # 需先导入同目录下 RELEASE_KEY.asc 中的 OpenSSH 发布密钥
- 安装依赖包
[root@web226 ~]# cat pkg_list
gcc
gcc-c++
openssl-devel
libstdc++*
libcap*
pam-devel
zlib-devel
perl
perl-IPC-Cmd
[root@web226 ~]# yum install -y $(cat pkg_list)   # 注意:openssl-devel 只是为了编译期能找到头文件,后面 OpenSSL 3 的 make install 会覆盖 /usr/include/openssl
- 安装openssl
[root@web226 ~]# cat upgrade_openssl.sh
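#!/bin/bash
# Build and install OpenSSL 3.1.7 from the tarball already downloaded to
# /usr/local/src (see the wget step above). Written for CentOS 7.9; run as root.
#
# The build installs into --prefix=/usr, so libssl.so.3 / libcrypto.so.3 and
# the OpenSSL 3 headers land in /usr/lib64 and /usr/include/openssl, next to
# the distro's OpenSSL 1.0.2 files. Only the `openssl` CLI package is removed;
# openssl-libs (libssl.so.10 / libcrypto.so.10, used by yum, curl, python,
# ...) is deliberately left in place.
#
# NOTE(review): this bypasses RPM. A later `yum update` may reinstall the
# distro openssl package over /usr/bin/openssl; consider excluding it in
# yum.conf if that matters on this host.
#
# Every step is checked: with set -e a failed cd or extract can no longer let
# the next command run in the wrong directory, which the original script allowed.
set -euo pipefail

readonly version="3.1.7"
readonly src_dir="/usr/local/src"
readonly tarball="openssl-${version}.tar.gz"

cd "${src_dir}" || { printf 'cannot cd to %s\n' "${src_dir}" >&2; exit 1; }

# Refuse to start if the tarball is missing (verify its checksum before running).
if [[ ! -f "${tarball}" ]]; then
  printf '%s/%s not found\n' "${src_dir}" "${tarball}" >&2
  exit 1
fi

# Keep the old engines directory so the distro install can be restored.
# Only rename it when it exists; under set -e an unconditional mv would abort a re-run.
if [[ -d /usr/lib64/openssl ]]; then
  mv /usr/lib64/openssl /usr/lib64/openssl.old
fi

# Remove the openssl CLI package only. If you are unsure what else depends on
# it, run `yum remove openssl` without -y once to see what yum proposes.
yum -y remove openssl

tar -xf "${tarball}"
cd "openssl-${version}"
./config --prefix=/usr
make
make install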
[root@web226 ~]# bash ./upgrade_openssl.sh   # 脚本是 #!/bin/bash,用 bash 执行(或 chmod +x 后直接运行),不要用 sh 忽略 shebang
- 安装openssh
[root@web226 ~]# cat upgrade_openssh.sh
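#!/bin/bash
# Build and install OpenSSH 9.7p1 over the CentOS 7.9 sshd, linking it against
# the OpenSSL that upgrade_openssl.sh installed under --prefix=/usr. Run as root.
#
# sshd is restarted at the end. Run this from a console, or keep the current
# SSH session open and confirm a NEW login works before closing it: a broken
# config or a wrongly linked binary would otherwise lock you out.
#
# NOTE(review): like the OpenSSL script this bypasses RPM; a later
# `yum update openssh*` may overwrite /usr/sbin/sshd with the distro build
# unless openssh packages are excluded in yum.conf.
set -euo pipefail

readonly version="9.7p1"
readonly src_dir="/usr/local/src"
readonly tarball="openssh-${version}.tar.gz"
readonly backup_dir="/etc/ssh.bak"

cd "${src_dir}" || { printf 'cannot cd to %s\n' "${src_dir}" >&2; exit 1; }
if [[ ! -f "${tarball}" ]]; then
  printf '%s/%s not found\n' "${src_dir}" "${tarball}" >&2
  exit 1
fi
tar -xf "${tarball}"

# Move the old config directory aside (it ends up as /etc/ssh.bak/ssh).
# Abort rather than clobber an existing backup: it holds the only copy of the
# original host keys.
mkdir -p "${backup_dir}"
if [[ -e "${backup_dir}/ssh" ]]; then
  printf '%s/ssh already exists; refusing to overwrite the backup\n' "${backup_dir}" >&2
  exit 1
fi
mv /etc/ssh/ "${backup_dir}"

cd "openssh-${version}"
# --with-ssl-dir must point at where upgrade_openssl.sh put OpenSSL (prefix
# /usr). The original pointed at /usr/local/openssl, a directory that script
# never creates, so configure fell back to whatever OpenSSL it found first --
# which is why the article's `ssh -V` output shows 3.1.5 instead of 3.1.7.
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-ssl-dir=/usr --with-md5-passwords --with-pam
make
# `make install` also generates fresh host keys, because /etc/ssh is now empty.
make install

# Put the ORIGINAL host keys back so the server's fingerprint does not change.
# Otherwise every client gets a "REMOTE HOST IDENTIFICATION HAS CHANGED"
# warning, and users learn to click through the one warning that matters.
# Upstream sshd (unlike the Red Hat-patched one) refuses private keys that are
# group/world readable; CentOS ships them 0640 root:ssh_keys, hence the chmod.
for key in "${backup_dir}"/ssh/ssh_host_*_key; do
  [[ -e "${key}" ]] || continue
  cp -p -- "${key}" /etc/ssh/
  [[ -e "${key}.pub" ]] && cp -p -- "${key}.pub" /etc/ssh/
done
chown root:root /etc/ssh/ssh_host_*_key
chmod 600 /etc/ssh/ssh_host_*_key

# Replace the RPM's systemd unit with the SysV init script shipped with OpenSSH.
cp "${src_dir}/openssh-${version}/contrib/redhat/sshd.init" /etc/init.d/sshd
if [[ -f /usr/lib/systemd/system/sshd.service ]]; then
  mv /usr/lib/systemd/system/sshd.service /usr/lib/systemd/system/sshd.service.bak
fi

cp /etc/ssh/sshd_config{,.bak}
# Keep root login working as the original procedure did, by rewriting the
# (possibly commented) PermitRootLogin line instead of inserting at a fixed
# line number. SECURITY: "yes" allows password logins for root; switch to
# "prohibit-password" once root has a key, or drop the line entirely.
sed -i -E 's/^#?PermitRootLogin .*/PermitRootLogin yes/' /etc/ssh/sshd_config
# Without PAM, logins on CentOS fail (see the "Access Denied" note below).
sed -i 's/#UsePAM no/UsePAM yes/' /etc/ssh/sshd_config

chkconfig --add sshd
systemctl daemon-reload
# Validate the config with the NEW binary before restarting, so a bad config
# does not take down the only way into the box.
/usr/sbin/sshd -t
systemctl restart sshd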
[root@web226 ~]# bash upgrade_openssh.sh   # 用 bash 执行;脚本最后会重启 sshd,执行期间不要断开当前会话,另开终端确认能登录后再退出
- 查看升级是否成功
[root@web226 ~]# ssh -V
OpenSSH_9.7p1, OpenSSL 3.1.5 30 Jan 2024
注意:这里显示的 OpenSSL 是 3.1.5,而前面编译安装的是 3.1.7,很可能是 configure 的 --with-ssl-dir=/usr/local/openssl 指向了一个不存在的目录,ssh 链接到了机器上原有的其它 OpenSSL。正确链接后应显示 OpenSSL 3.1.7;可用 `ldd /usr/sbin/sshd | grep -E 'libssl|libcrypto'` 核对 sshd 实际加载的库,并另开终端用 `ssh -v` 登录确认服务端 banner 是 OpenSSH_9.7。
升级后,ssh 远程可能无法登录
在 SELinux 开启的情况下,openssh 升级到 9.0 以后的版本后,ssh 连接有可能提示 Access Denied。常见原因有两个:一是 make install 新装的 /usr/sbin/sshd 没有带上 sshd_exec_t 标签,被 SELinux 拦截(可用 `ausearch -m avc -ts recent` 确认是否有拒绝记录);二是 sshd_config 里 UsePAM 仍为 no,也可能导致认证失败(CentOS 的账户/会话检查依赖 PAM)。
- 解决办法1:直接关闭 SELinux(不推荐)。如果确认是标签问题,更合适的做法是 `restorecon -v /usr/sbin/sshd` 恢复标签后再 `systemctl restart sshd`,SELinux 保持 enforcing。
- 解决办法2:修改 /etc/ssh/sshd_config 把 UsePAM 改为 yes(上面的 upgrade_openssh.sh 已经做了这一步,重复执行无副作用)。改完先用 `sshd -t` 检查配置再重启 sshd;重启前不要关闭当前会话,另开一个终端确认能登录后再退出。
[root@web226 ~]# sed -i 's/#UsePAM no/UsePAM yes/' /etc/ssh/sshd_config
