Routine vulnerability remediation: upgrading the OpenSSH version
1. Objective
OpenSSH 7.4p1 -> OpenSSH 9.3p1
OpenSSL 1.0.2k-fips -> OpenSSL 3.1.2
2. Current server version and latest official version
[root@localhost ~]# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
OpenSSL official site: https://www.openssl.org/
OpenSSH official site: https://www.openssh.com/
3. Stop the firewall and SELinux, enable telnet, back up OpenSSH and OpenSSL
systemctl stop firewalld
setenforce 0   # temporary only; SELinux returns to enforcing on reboot
# telnet is a temporary fallback so that the box stays reachable if the new sshd fails to start
systemctl start telnet.socket
systemctl enable telnet.socket
systemctl start xinetd
systemctl enable xinetd
mv /usr/bin/openssl /usr/bin/openssl.old
# make install in step 8 will create a fresh sshd_config and new host keys in /etc/ssh;
# copy ssh_host_*_key* back from /etc/ssh.old afterwards if clients should not see a host-key change
mv /etc/ssh /etc/ssh.old
mkdir /usr/bin/bak
cp -arpf /usr/bin/{scp,sftp,ssh,ssh-add,ssh-agent,ssh-keygen,ssh-keyscan} /usr/bin/bak/
cp -arpf /usr/sbin/sshd /usr/sbin/sshd.bak
cp -arpf /etc/sysconfig/sshd /etc/sysconfig/sshd.bak
cp -arpf /etc/pam.d/sshd /etc/pam.d/sshd.bak
If the scp, sftp, ssh, ssh-add, ssh-agent, ssh-keygen and ssh-keyscan binaries are symlinks, there is no need to back them up here: simply delete the symlinks, and if you need to roll back later, copy the files back from the link targets. In the current environment they are not symlinks, so these binaries are backed up.
4. Download the latest OpenSSL and OpenSSH locally and upload them to the server, or download them directly with wget
wget https://www.openssl.org/source/openssl-3.1.2.tar.gz --no-check-certificate
wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.3p1.tar.gz
Note that --no-check-certificate disables TLS certificate verification for that download, so check the tarball against the signature (.asc) or checksum published by the project before building it.
A zlib tarball is also needed; official site: http://www.zlib.net/
wget http://www.zlib.net/zlib-1.3.tar.gz
Tip: if the version number changes, just change the version number in the download URL.
[root@localhost download]# ls
openssh-9.3p1.tar.gz  openssl-3.1.2.tar.gz  zlib-1.3.tar.gz
5. Install dependencies and extract the three tarballs
yum install -y gcc gcc-c++ perl perl-IPC-Cmd pam pam-devel
tar xvf openssh-9.3p1.tar.gz
tar xvf openssl-3.1.2.tar.gz
tar xvf zlib-1.3.tar.gz
6. Build and install zlib
cd zlib-1.3
./configure --prefix=/usr/local/zlib-1.3 && make -j 4 && make install
7. Build and install OpenSSL
cd openssl-3.1.2
./config --prefix=/usr/local/openssl-3.1.2 && make -j 4 && make install
echo '/usr/local/openssl-3.1.2/lib64' >> /etc/ld.so.conf
ldconfig -v
ln -s /usr/local/openssl-3.1.2/bin/openssl /usr/bin/openssl
ln -s /usr/local/openssl-3.1.2/include/openssl /usr/include/openssl
ll -s /usr/bin/openssl
ll -s /usr/include/openssl
Check the version
openssl version
8. Build and install OpenSSH
cd openssh-9.3p1
./configure --prefix=/usr/local/openssh-9.3p1 --sysconfdir=/etc/ssh --with-pam --with-ssl-dir=/usr/local/openssl-3.1.2 --with-zlib=/usr/local/zlib-1.3 --without-hardening
make && make install
# replace the system binaries with the freshly built ones (the originals were backed up in step 3)
cp -arpf /usr/local/openssh-9.3p1/bin/scp /usr/bin/
cp -arpf /usr/local/openssh-9.3p1/bin/sftp /usr/bin/
cp -arpf /usr/local/openssh-9.3p1/bin/ssh /usr/bin/
cp -arpf /usr/local/openssh-9.3p1/bin/ssh-add /usr/bin/
cp -arpf /usr/local/openssh-9.3p1/bin/ssh-agent /usr/bin/
cp -arpf /usr/local/openssh-9.3p1/bin/ssh-keygen /usr/bin/
cp -arpf /usr/local/openssh-9.3p1/bin/ssh-keyscan /usr/bin/
cp -arpf /usr/local/openssh-9.3p1/sbin/sshd /usr/sbin/sshd
cp -a contrib/redhat/sshd.init /etc/init.d/sshd
cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd.pam
chmod +x /etc/init.d/sshd
mv /usr/lib/systemd/system/sshd.service /usr/lib/systemd/system/sshd.service.bak
sshd reads its PAM policy from /etc/pam.d/sshd (the distribution's file, backed up in step 3, stays in place); the copy named /etc/pam.d/sshd.pam is only used if it is installed as /etc/pam.d/sshd. Moving the native sshd.service aside lets systemd generate a unit from the init script in /etc/init.d/sshd instead.
9. Check the version and finish up
systemctl daemon-reload
systemctl enable sshd.socket
sshd -t
systemctl restart sshd
ssh -V
Once the version is confirmed correct and everything works, close telnet
systemctl stop telnet.socket
systemctl disable telnet.socket
systemctl stop xinetd
systemctl disable xinetd
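The checks in step 9 can be scripted so that a stale binary or a mis-linked libcrypto is caught before telnet is closed. This is an added example, not part of the original post; it assumes the install prefixes used in this guide (/usr/local/openssh-9.3p1 and /usr/local/openssl-3.1.2) and that sshd was copied to /usr/sbin/sshd.

```bash
#!/bin/bash
# Post-upgrade verification (added example, not from the original post).
# Assumes the prefixes used above: /usr/local/openssh-9.3p1 and /usr/local/openssl-3.1.2.
set -u

WANT_SSH="9.3p1"
WANT_SSL="3.1.2"
SSH_PREFIX="/usr/local/openssh-9.3p1"
SSL_PREFIX="/usr/local/openssl-3.1.2"

# "OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017" -> "7.4p1"
openssh_version_of() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([^, ]*\).*/\1/p'
}

# Same banner -> "1.0.2k-fips" (or "3.1.2" after the upgrade)
openssl_version_of() {
    printf '%s\n' "$1" | sed -n 's/.*OpenSSL \([^ ]*\).*/\1/p'
}

# $1 = output of `ldd <binary>`, $2 = expected OpenSSL prefix.
# Succeeds only if libcrypto resolves under $2. If it still resolves from /lib64,
# the ld.so.conf/ldconfig step did not take effect and sshd runs on the old
# 1.0.2k libcrypto even though the version banner looks right.
libcrypto_from_prefix() {
    printf '%s\n' "$1" | awk -v p="$2" '
        /libcrypto\.so/ { n++; if (index($3, p) != 1) bad++ }
        END { exit ((n >= 1 && bad == 0) ? 0 : 1) }'
}

check_upgrade() {
    v=$(ssh -V 2>&1)   # ssh -V prints its banner on stderr
    [ "$(openssh_version_of "$v")" = "$WANT_SSH" ] || { echo "FAIL: ssh in PATH is not $WANT_SSH: $v"; return 1; }
    [ "$(openssl_version_of "$v")" = "$WANT_SSL" ] || { echo "FAIL: ssh not built against OpenSSL $WANT_SSL: $v"; return 1; }
    # /usr/sbin/sshd must be byte-identical to the freshly built one, not the old copy
    cmp -s "$SSH_PREFIX/sbin/sshd" /usr/sbin/sshd || { echo "FAIL: /usr/sbin/sshd is not the new build"; return 1; }
    libcrypto_from_prefix "$(ldd /usr/sbin/sshd)" "$SSL_PREFIX" || { echo "FAIL: sshd does not load libcrypto from $SSL_PREFIX"; return 1; }
    /usr/sbin/sshd -t || { echo "FAIL: sshd_config does not parse"; return 1; }
    # The temporary telnet fallback must be gone before the host is handed back
    if systemctl is-active --quiet telnet.socket; then echo "FAIL: telnet.socket still active"; return 1; fi
    echo "OK: OpenSSH $WANT_SSH on OpenSSL $WANT_SSL, sshd config valid, telnet closed"
}

# Run the checks only when invoked with --run, so the functions can also be sourced
if [ "${1:-}" = "--run" ]; then check_upgrade; fi
```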