redhat6.4升级openssh至6.7
1:简介
最近浙江电信对线上服务器进行漏洞扫描,暴露出原有的openssh有漏洞,建议升级openssh版本;
2:操作环境
Red Hat Enterprise Linux Server release 6.4
3:所需软件包
(1)gcc zlib zlib-devel make pam pam-devel (升级过程中所需依赖包)
(2)dropbear-2014.66.tar.bz2(代替原有用pm包安装openssh环境)
(3)openssh-6.7.tar.gz(升级的软件包)
4:操作过程
(1)安装dropbear包代替openssh
[root@localhost ~]#tar -xvf dropbear-2014.66.tar.bz2
[root@localhost ~]# cd dropbear-2014.66
[root@localhost dropbear-2014.66]#./configure --prefix=/usr/local/dropbear
[root@localhost dropbear-2014.66]# make
[root@localhost dropbear-2014.66]#make install
[root@localhost dropbear-2014.66]#./configure --prefix=/usr/local/dropbear
[root@localhost dropbear-2014.66]# make
[root@localhost dropbear-2014.66]#make install
[root@localhost ~]# mkdir /etc/dropbear
[root@localhost ~]#/usr/local/dropbear/bin/dropbearkey -t rsa -s 2048 -f /etc/dropbear/dropbear_rsa_host_key
Generating key, this may take a while...
Public key portion is:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCCBQJeoEhvNKkoEO3Y43++TOJl6dneodImEqnfyrfeFpjPQatYH5aQTxghO71KptR5pWYitdRarUcBJGw1fKsfhpwa6is6n6/YyQ2VljqFV+2caHSM3MxmPUHx+A6fzBbvw8u9kDFBz22xXKKSeNpmUyzqvXw8xxt2iu24kkvUYfGfxcHUyauFyiwEDBtz3JbfxlNpTO7eggMi0FT1Q8ndpgf2rg1FbflPweYjjuEtJwqEP6z0CHBsK5/KOAeanlhrkGiJ7EtyP19JxLinNWQeenknERA9IOWox928BjE3ZQ8Fa3JqAQg/w9jNNaugTgxedeLxn897DQBe9lgaatwR root@localhost.localdomain
Fingerprint: md5 dd:75:10:cf:a0:0f:19:96:bd:49:69:05:ab:d6:d6:51
[root@localhost ~]#/usr/local/dropbear/bin/dropbearkey -t rsa -s 2048 -f /etc/dropbear/dropbear_rsa_host_key
Generating key, this may take a while...
Public key portion is:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCCBQJeoEhvNKkoEO3Y43++TOJl6dneodImEqnfyrfeFpjPQatYH5aQTxghO71KptR5pWYitdRarUcBJGw1fKsfhpwa6is6n6/YyQ2VljqFV+2caHSM3MxmPUHx+A6fzBbvw8u9kDFBz22xXKKSeNpmUyzqvXw8xxt2iu24kkvUYfGfxcHUyauFyiwEDBtz3JbfxlNpTO7eggMi0FT1Q8ndpgf2rg1FbflPweYjjuEtJwqEP6z0CHBsK5/KOAeanlhrkGiJ7EtyP19JxLinNWQeenknERA9IOWox928BjE3ZQ8Fa3JqAQg/w9jNNaugTgxedeLxn897DQBe9lgaatwR root@localhost.localdomain
Fingerprint: md5 dd:75:10:cf:a0:0f:19:96:bd:49:69:05:ab:d6:d6:51
[root@localhost ~]# /usr/local/dropbear/sbin/dropbear -p 1213
[root@localhost ~]# netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 809/rpcbind
tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 1281/dnsmasq
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1651/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1123/master
tcp 0 0 0.0.0.0:1213 0.0.0.0:* LISTEN 8037/dropbear
tcp 0 0 0.0.0.0:40328 0.0.0.0:* LISTEN 827/rpc.statd
tcp 0 0 :::111 :::* LISTEN 809/rpcbind
tcp 0 0 :::59889 :::* LISTEN 827/rpc.statd
tcp 0 0 :::22 :::* LISTEN 1651/sshd
tcp 0 0 ::1:25 :::* LISTEN 1123/master
tcp 0 0 :::1213 :::* LISTEN 8037/dropbear
tcp 0 0 :::3306 :::* LISTEN 14315/mysqld
udp 0 0 0.0.0.0:1003 0.0.0.0:* 827/rpc.statd
udp 0 0 0.0.0.0:111 0.0.0.0:* 809/rpcbind
udp 0 0 0.0.0.0:38790 0.0.0.0:* 827/rpc.statd
udp 0 0 192.168.122.1:53 0.0.0.0:* 1281/dnsmasq
udp 0 0 0.0.0.0:67 0.0.0.0:* 1281/dnsmasq
udp 0 0 0.0.0.0:984 0.0.0.0:* 809/rpcbind
udp 0 0 :::111 :::* 809/rpcbind
udp 0 0 :::40854 :::* 827/rpc.statd
udp 0 0 :::984 :::* 809/rpcbind
[root@localhost ~]# netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 809/rpcbind
tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 1281/dnsmasq
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1651/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1123/master
tcp 0 0 0.0.0.0:1213 0.0.0.0:* LISTEN 8037/dropbear
tcp 0 0 0.0.0.0:40328 0.0.0.0:* LISTEN 827/rpc.statd
tcp 0 0 :::111 :::* LISTEN 809/rpcbind
tcp 0 0 :::59889 :::* LISTEN 827/rpc.statd
tcp 0 0 :::22 :::* LISTEN 1651/sshd
tcp 0 0 ::1:25 :::* LISTEN 1123/master
tcp 0 0 :::1213 :::* LISTEN 8037/dropbear
tcp 0 0 :::3306 :::* LISTEN 14315/mysqld
udp 0 0 0.0.0.0:1003 0.0.0.0:* 827/rpc.statd
udp 0 0 0.0.0.0:111 0.0.0.0:* 809/rpcbind
udp 0 0 0.0.0.0:38790 0.0.0.0:* 827/rpc.statd
udp 0 0 192.168.122.1:53 0.0.0.0:* 1281/dnsmasq
udp 0 0 0.0.0.0:67 0.0.0.0:* 1281/dnsmasq
udp 0 0 0.0.0.0:984 0.0.0.0:* 809/rpcbind
udp 0 0 :::111 :::* 809/rpcbind
udp 0 0 :::40854 :::* 827/rpc.statd
udp 0 0 :::984 :::* 809/rpcbind
注:以上操作,已经做到替代原有的openssh软件,还需要注意的是关闭防火墙;或者放行1213端口,该端口是我们任意指定;
5:dropbear环境测试
操作方法:
登陆别的主机对该主机进行ssh登陆
[root@localhost ~]# ssh -p1213 192.168.10.120
The authenticity of host '192.168.10.120 (192.168.10.120)' can't be established.
RSA key fingerprint is 46:de:1b:14:42:5d:83:56:d6:29:15:13:c2:b2:d6:05.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.10.120' (RSA) to the list of known hosts.
root@192.168.10.120's password:
Last login: Tue Feb 3 10:18:15 2015 from 192.168.10.130
RSA key fingerprint is 46:de:1b:14:42:5d:83:56:d6:29:15:13:c2:b2:d6:05.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.10.120' (RSA) to the list of known hosts.
root@192.168.10.120's password:
Last login: Tue Feb 3 10:18:15 2015 from 192.168.10.130
说明:测试主机地址:192.168.10.130,升级主机地址:192.168.10.120
6:升级openssh
(1)操作步骤
[root@localhost ~]# mv /etc/ssh /etc/ssh.bak
[root@localhost ~]# rpm -qa |grep openssh
openssh-server-5.3p1-84.1.el6.x86_64
openssh-5.3p1-84.1.el6.x86_64
openssh-clients-5.3p1-84.1.el6.x86_64
[root@localhost ~]# rpm -e --nodeps `rpm -qa |grep openssh`
[root@localhost ~]# tar -xvf openssh-6.7p1.tar.gz
[root@localhost openssh-6.7p1]# ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-md5-passwords
[root@localhost openssh-6.7p1]#make
[root@localhost openssh-6.7p1]#make install
[root@localhost ~]# /usr/sbin/sshd -t -f /etc/ssh/sshd_config
[root@localhost openssh-6.7p1]# ssh -V
OpenSSH_6.7p1, OpenSSL 1.0.0-fips 29 Mar 2010
[root@localhost openssh-6.7p1]# cp contrib/redhat/sshd.init /etc/init.d/sshd
[root@localhost openssh-6.7p1]# /etc/init.d/sshd start
[root@localhost ~]# killall dropbear
[root@localhost ~]# netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 809/rpcbind
tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 1281/dnsmasq
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 20720/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1123/master
tcp 0 0 0.0.0.0:40328 0.0.0.0:* LISTEN 827/rpc.statd
tcp 0 0 :::111 :::* LISTEN 809/rpcbind
tcp 0 0 :::59889 :::* LISTEN 827/rpc.statd
tcp 0 0 :::22 :::* LISTEN 20720/sshd
tcp 0 0 ::1:25 :::* LISTEN 1123/master
tcp 0 0 :::3306 :::* LISTEN 14315/mysqld
udp 0 0 0.0.0.0:1003 0.0.0.0:* 827/rpc.statd
udp 0 0 0.0.0.0:111 0.0.0.0:* 809/rpcbind
udp 0 0 0.0.0.0:38790 0.0.0.0:* 827/rpc.statd
udp 0 0 192.168.122.1:53 0.0.0.0:* 1281/dnsmasq
udp 0 0 0.0.0.0:67 0.0.0.0:* 1281/dnsmasq
udp 0 0 0.0.0.0:984 0.0.0.0:* 809/rpcbind
udp 0 0 :::111 :::* 809/rpcbind
udp 0 0 :::40854 :::* 827/rpc.statd
udp 0 0 :::984 :::* 809/rpcbind
[root@localhost openssh-6.7p1]# /etc/init.d/sshd start
/sbin/restorecon: lstat(/etc/ssh/ssh_host_ecdsa_key.pub) failed: No such file or directory
Starting sshd:[ OK ]
[root@localhost openssh-6.7p1]# service sshd start
/sbin/restorecon: lstat(/etc/ssh/ssh_host_ecdsa_key.pub) failed: No such file or directory
Starting sshd:[ OK ]
[root@localhost openssh-6.7p1]# service sshd status
sshd (pid 20720) is running...
[root@localhost openssh-6.7p1]# chkconfig --add sshd
[root@localhost openssh-6.7p1]# chkconfig --list sshd
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
[root@localhost ~]# rpm -qa |grep openssh
openssh-server-5.3p1-84.1.el6.x86_64
openssh-5.3p1-84.1.el6.x86_64
openssh-clients-5.3p1-84.1.el6.x86_64
[root@localhost ~]# rpm -e --nodeps `rpm -qa |grep openssh`
[root@localhost ~]# tar -xvf openssh-6.7p1.tar.gz
[root@localhost openssh-6.7p1]# ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-md5-passwords
[root@localhost openssh-6.7p1]#make
[root@localhost openssh-6.7p1]#make install
[root@localhost ~]# /usr/sbin/sshd -t -f /etc/ssh/sshd_config
[root@localhost openssh-6.7p1]# ssh -V
OpenSSH_6.7p1, OpenSSL 1.0.0-fips 29 Mar 2010
[root@localhost openssh-6.7p1]# cp contrib/redhat/sshd.init /etc/init.d/sshd
[root@localhost openssh-6.7p1]# /etc/init.d/sshd start
[root@localhost ~]# killall dropbear
[root@localhost ~]# netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 809/rpcbind
tcp 0 0 192.168.122.1:53 0.0.0.0:* LISTEN 1281/dnsmasq
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 20720/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1123/master
tcp 0 0 0.0.0.0:40328 0.0.0.0:* LISTEN 827/rpc.statd
tcp 0 0 :::111 :::* LISTEN 809/rpcbind
tcp 0 0 :::59889 :::* LISTEN 827/rpc.statd
tcp 0 0 :::22 :::* LISTEN 20720/sshd
tcp 0 0 ::1:25 :::* LISTEN 1123/master
tcp 0 0 :::3306 :::* LISTEN 14315/mysqld
udp 0 0 0.0.0.0:1003 0.0.0.0:* 827/rpc.statd
udp 0 0 0.0.0.0:111 0.0.0.0:* 809/rpcbind
udp 0 0 0.0.0.0:38790 0.0.0.0:* 827/rpc.statd
udp 0 0 192.168.122.1:53 0.0.0.0:* 1281/dnsmasq
udp 0 0 0.0.0.0:67 0.0.0.0:* 1281/dnsmasq
udp 0 0 0.0.0.0:984 0.0.0.0:* 809/rpcbind
udp 0 0 :::111 :::* 809/rpcbind
udp 0 0 :::40854 :::* 827/rpc.statd
udp 0 0 :::984 :::* 809/rpcbind
[root@localhost openssh-6.7p1]# /etc/init.d/sshd start
/sbin/restorecon: lstat(/etc/ssh/ssh_host_ecdsa_key.pub) failed: No such file or directory
Starting sshd:[ OK ]
[root@localhost openssh-6.7p1]# service sshd start
/sbin/restorecon: lstat(/etc/ssh/ssh_host_ecdsa_key.pub) failed: No such file or directory
Starting sshd:[ OK ]
[root@localhost openssh-6.7p1]# service sshd status
sshd (pid 20720) is running...
[root@localhost openssh-6.7p1]# chkconfig --add sshd
[root@localhost openssh-6.7p1]# chkconfig --list sshd
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
7:考虑到主机之前使用ssh互信,升级完成后原来生成的公钥将会失效,需要采用升级包中的工具重新生成公钥,操作步骤如下:
7.1:生成公私秘钥
[root@oracle openssh-7.1p1]#pwd
/root/openssh-7.1p1
[root@oracle openssh-7.1p1]#./ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:2ErdCAuGntgVI7+Xx76hDrer1obSRVuoEznksksTDJk root@oracle
The key's randomart image is:
+---[RSA 2048]----+
| o. o |
|E +.o |
| o.o=... |
| +++=ooO.o |
|. ++.=*oS . |
| + ooo+ |
| . +.=o o |
| o +ooo o |
| o.+=.. |
+----[SHA256]-----+
注:执行这个命令的时候,不需要填写任何的东西,“Enter”就好,完成以后会在“/root/.ssh”目录下生成两个文件id_rsa,id_rsa.pub;
7.2:生成“authorized_keys”文件;
[root@oracle .ssh]#cat id_rsa.pub >> authorized_keys
[root@oracle openssh-7.1p1]#pwd
/root/openssh-7.1p1
[root@oracle openssh-7.1p1]#./ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:2ErdCAuGntgVI7+Xx76hDrer1obSRVuoEznksksTDJk root@oracle
The key's randomart image is:
+---[RSA 2048]----+
| o. o |
|E +.o |
| o.o=... |
| +++=ooO.o |
|. ++.=*oS . |
| + ooo+ |
| . +.=o o |
| o +ooo o |
| o.+=.. |
+----[SHA256]-----+
注:执行这个命令的时候,不需要填写任何的东西,“Enter”就好,完成以后会在“/root/.ssh”目录下生成两个文件id_rsa,id_rsa.pub;
7.2:生成“authorized_keys”文件;
[root@oracle .ssh]#cat id_rsa.pub >> authorized_keys
注:需要互通的主机之间,都想要对方的公钥,相互拷入即可;
7.3:重启sshd服务
service sshd restart
希望渎者多提意见,
联系方式QQ:1486483698
QQ交流群:431392633
