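OpenSSH Privilege Escalation Vulnerability (CVE-2021-41617): Upgrading OpenSSH to the Latest Version, 8.8p1
Make sure that, after upgrading OpenSSH, you can still log in to the server remotely by another means, such as Telnet or the Alibaba Cloud console.
1. Current system version information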
# /usr/bin/ssh -V
OpenSSH_8.0p1, OpenSSL 1.1.1g FIPS 21 Apr 2020
# openssl version
OpenSSL 1.1.1g FIPS 21 Apr 2020
# lsb_release -a
LSB Version: :core-4.1-amd64:core-4.1-noarch
Distributor ID: AlibabaCloud
Description: Alibaba Cloud Linux release 3 (Soaring Falcon)
Release: 3
Codename: SoaringFalcon
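2. Update the system (run this command with caution in a production environment; otherwise the update may cause compatibility problems for application systems)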
# yum update
3. Install the development environment and dependency packages
# yum groupinstall "Development Tools"
# yum install pam-devel libselinux-devel zlib-devel openssl-devel
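4. Back up the original SSH configuration files (rename the /etc/ssh directory directly; otherwise the configuration files cannot be replaced when the new version of OpenSSH is installed)
# mv /etc/ssh /opt/ssh_bak
5. Download and unpack the latest version of OpenSSH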
# wget https://mirrors.aliyun.com/pub/OpenBSD/OpenSSH/portable/openssh-8.8p1.tar.gz
# tar -zxvf openssh-8.8p1.tar.gz
6. Compile and install openssh-8.8p1
# cd openssh-8.8p1
# ./configure --with-md5-passwords --with-pam --with-selinux --with-privsep-path=/var/lib/sshd/ --sysconfdir=/etc/ssh
# make
# make install
7. PermitRootLogin: change the following parameter in the configuration file to allow the root account to log in to the server remotely.
# vi /etc/ssh/sshd_config
PermitRootLogin Yes
8. Restart SSH and check the OpenSSH version
# systemctl restart sshd
# ssh -V
OpenSSH_8.8p1, OpenSSL 1.1.1g FIPS 21 Apr 2020
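Added example (not part of the original post or of OpenSSH): a small triage script that takes an "ssh -V" banner such as the ones in steps 1 and 8 and reports whether the version falls in the range affected by CVE-2021-41617 (6.2 through 8.7) and whether the configuration enables AuthorizedKeysCommand or AuthorizedPrincipalsCommand, the non-default setting the CVE description names. The function names, the sample configuration and the /usr/local/bin/fetch-keys path are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original page: CVE-2021-41617 triage.

# version_affected "<ssh -V banner>": exit 0 if 6.2 <= version < 8.8,
# 1 if outside that range, 2 if the banner is not recognised.
version_affected() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 2
    set -- $ver                     # $1 = major, $2 = minor
    n=$(( $1 * 100 + $2 ))
    [ "$n" -ge 602 ] && [ "$n" -lt 808 ]
}

# config_uses_helper <file>: exit 0 if an uncommented AuthorizedKeysCommand or
# AuthorizedPrincipalsCommand line is set to something other than "none".
config_uses_helper() {
    grep -Ei '^[[:space:]]*Authorized(Keys|Principals)Command[[:space:]=]' "$1" |
        grep -Eiv '[[:space:]=]none[[:space:]]*$' >/dev/null
}

# triage "<banner>" <config file>: print a one-word verdict.
triage() {
    if version_affected "$1"; then
        if config_uses_helper "$2"; then
            echo "affected-helper-configured"
        else
            echo "affected-no-helper"
        fi
    else
        case $? in
            1) echo "not-affected" ;;
            *) echo "unknown-version" ;;
        esac
    fi
}

# Constructed sample config (hypothetical helper path); the banners are the
# ones shown in steps 1 and 8 of the page.
sample=$(mktemp)
cat > "$sample" <<'EOF'
PermitRootLogin yes
AuthorizedKeysCommand /usr/local/bin/fetch-keys %u
AuthorizedKeysCommandUser nobody
EOF
triage "OpenSSH_8.0p1, OpenSSL 1.1.1g FIPS 21 Apr 2020" "$sample"
triage "OpenSSH_8.8p1, OpenSSL 1.1.1g FIPS 21 Apr 2020" "$sample"
rm -f "$sample"
```

On a live host, pass "$(ssh -V 2>&1)" as the banner (ssh -V writes to stderr) and /etc/ssh/sshd_config as the file. The script reads only that one file and does not follow Include directives.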