Upgrading OpenSSL/OpenSSH on RHEL 7.6
A few days ago the company's security scan turned up a batch of OpenSSL/SSH vulnerabilities on RHEL 5 hosts; as the ops engineer I have to patch them promptly to reduce the exposure. Today another batch showed up on RHEL 7.6, and I expect that 7.6, 7.3, 6.9 and 6.5 will all need the same hardening.
I am still doing this by compiling from source. An rpm upgrade is less work, but I prefer building from source and adding exactly the modules I need, which fits more environments.
1. Environment

Red Hat Enterprise Linux Server release 7.6 (Maipo)
2. Versions

Name | Current version | Upgraded version
---|---|---
perl | v5.16.3 | v5.30.3
OpenSSL | 1.0.2k | 1.1.1o
OpenSSH | 8.6p1 | 8.8p1

Versions before the upgrade:

```
# openssl version -a
OpenSSL 1.0.2k-fips 26 Jan 2017
# ssh -V
OpenSSH_8.6p1, OpenSSL 1.0.2k-fips 26 Jan 2017
```

Source tarballs used in the upgrade (the perl and OpenSSL archives are the ones unpacked in sections 3.2 and 3.3):

- perl-5.30.3.tar.gz
- openssl-1.1.1o.tar.gz
- openssh-8.8p1.tar.gz
3. Upgrade procedure

3.1 Install the build dependencies

A yum repository must be configured for this to work:

```bash
yum -y install gcc gcc-c++ glibc make zlib zlib-devel pam-devel
```
3.2 Upgrade Perl

```bash
# Build
cd /home/wei
tar zxvf perl-5.30.3.tar.gz
cd /home/wei/perl-5.30.3
./Configure -des -Dprefix=/usr/local/perl && echo $? || exit
make && echo $?
make test
make install

# Swap in the new version, keeping the system binary as a backup
mv /usr/bin/perl /usr/bin/perl.bak
ln -s /usr/local/perl/bin/perl /usr/bin/perl
perl -v
```
3.3 Upgrade OpenSSL

```bash
# Build (make install also runs the build)
cd /home/wei
tar zxvf openssl-1.1.1o.tar.gz
cd /home/wei/openssl-1.1.1o
./config --prefix=/usr/local/ssl shared zlib
make install && echo $?

# Swap in the new version, keeping the system binary as a backup
mv /usr/bin/openssl /usr/bin/openssl.bak
ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl

# Make the new shared libraries (libssl.so.1.1 / libcrypto.so.1.1) visible to the dynamic linker
cat > /etc/ld.so.conf.d/ssl.conf <<EOF
/usr/local/ssl/lib
EOF
ldconfig
openssl version
```
3.4 Upgrade OpenSSH

```bash
# Back up configuration and binaries
cp -ar /etc/ssh/ /etc/ssh.bak
cp -ar /etc/pam.d /etc/pam.d.bak
cd /usr/bin/
cp ssh ssh.bak
cp ssh-add ssh-add.bak
cp ssh-keygen ssh-keygen.bak
cp ssh-keyscan ssh-keyscan.bak
cp scp scp.bak
cp sftp sftp.bak
cp /usr/sbin/sshd /usr/sbin/sshd.bak
cp /etc/init.d/sshd /etc/init.d/sshd.bak

# Build and install against the OpenSSL from section 3.3
cd /home/wei
tar zxvf openssh-8.8p1.tar.gz
cd ./openssh-8.8p1
./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-pam --with-zlib \
    --without-openssl-header-check --with-ssl-dir=/usr/local/ssl --with-privsep-path=/var/lib/sshd
make && echo $?
make install

# Point the system paths at the new binaries
ln -sf /usr/local/openssh/bin/ssh /usr/bin/ssh
ln -sf /usr/local/openssh/bin/ssh-add /usr/bin/ssh-add
ln -sf /usr/local/openssh/bin/ssh-agent /usr/bin/ssh-agent
ln -sf /usr/local/openssh/bin/ssh-keygen /usr/bin/ssh-keygen
ln -sf /usr/local/openssh/bin/ssh-keyscan /usr/bin/ssh-keyscan
ln -sf /usr/local/openssh/bin/scp /usr/bin/scp
ln -sf /usr/local/openssh/bin/sftp /usr/bin/sftp
ln -sf /usr/local/openssh/sbin/sshd /usr/sbin/sshd

# Install the Red Hat init script shipped with the source and re-register the service
cp contrib/redhat/sshd.init /etc/init.d/sshd
chmod a+x /etc/init.d/sshd
chmod a+x -R /usr/local/openssh/*
chkconfig --del sshd
chkconfig --add sshd
chkconfig --list | grep sshd

# Restore the PAM config
cp /etc/pam.d.bak/sshd /etc/pam.d/sshd

# Comment out the GSSAPI options; this build was configured without Kerberos/GSSAPI support
sed -i.bak 's/GSSAPIAuthentication yes/#GSSAPIAuthentication yes/' /etc/ssh/sshd_config
sed -ri "/^GSSAPICleanupCredentials.*/s/(.*)/#\1/" /etc/ssh/sshd_config
service sshd restart
```

Versions after the upgrade:

```
# ssh -V && openssl version
OpenSSH_8.8p1, OpenSSL 1.1.1o 3 May 2022
OpenSSL 1.1.1o 3 May 2022
```

Keep the current SSH session open and confirm from a second connection that the new sshd accepts logins before closing it; the rollback in section 4 is there for exactly this case. Be aware that OpenSSH 8.8 disables SHA-1 `ssh-rsa` signatures by default, so old clients or keys that still rely on them may stop authenticating after the upgrade.
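The checks I would run after the restart, as an added example that is not part of the original post: confirm that the installed ssh really reports 8.8p1 built against 1.1.1o (a wrong second value means the build silently used the system OpenSSL, which `--without-openssl-header-check` makes possible), that `sshd` loads libssl/libcrypto from `/usr/local/ssl/lib`, and that `sshd_config` still parses after the sed edits. The sample `ssh -V` and `ldd` lines below are constructed; the paths come from sections 3.3 and 3.4.

```shell
#!/bin/sh
# Added post-upgrade verification helpers (not from the original post).

# ssh_linked_ok "<ssh -V line>" "<wanted OpenSSH>" "<wanted OpenSSL>"
# ssh -V prints e.g. "OpenSSH_8.8p1, OpenSSL 1.1.1o  3 May 2022" to stderr.
# Returns 0 only when BOTH versions match; a mismatch on the second one means
# the build picked up the system OpenSSL instead of /usr/local/ssl.
ssh_linked_ok() {
    line=$1 want_ssh=$2 want_ssl=$3
    got_ssh=$(printf '%s\n' "$line" | sed -n 's/^OpenSSH_\([^, ]*\).*/\1/p')
    got_ssl=$(printf '%s\n' "$line" | sed -n 's/.*OpenSSL \([^ ]*\).*/\1/p')
    [ -n "$got_ssh" ] && [ "$got_ssh" = "$want_ssh" ] && [ "$got_ssl" = "$want_ssl" ]
}

# libs_from_prefix "<ldd output>" "<lib dir>"
# Checks that the libssl and libcrypto lines of `ldd /usr/sbin/sshd` resolve
# under the directory written to /etc/ld.so.conf.d/ssl.conf.
libs_from_prefix() {
    ldd_out=$1 dir=$2
    for lib in libssl libcrypto; do
        resolved=$(printf '%s\n' "$ldd_out" |
            sed -n "s/^[[:space:]]*$lib\.so[^ ]* => \([^ ]*\).*/\1/p")
        case $resolved in
            "$dir"/*) ;;
            *) return 1 ;;   # missing, or resolved to the system copy in /lib64
        esac
    done
    return 0
}

# Constructed samples: what a correct upgrade looks like, and the old linkage.
SAMPLE_SSH_V='OpenSSH_8.8p1, OpenSSL 1.1.1o  3 May 2022'
SAMPLE_LDD_NEW='  libssl.so.1.1 => /usr/local/ssl/lib/libssl.so.1.1 (0x1)
  libcrypto.so.1.1 => /usr/local/ssl/lib/libcrypto.so.1.1 (0x2)
  libc.so.6 => /lib64/libc.so.6 (0x3)'
SAMPLE_LDD_OLD='  libssl.so.10 => /lib64/libssl.so.10 (0x1)
  libcrypto.so.10 => /lib64/libcrypto.so.10 (0x2)'

# verify_upgrade: the live check, run from a second session while the original
# one stays open. `sshd -t` validates sshd_config without touching the daemon.
verify_upgrade() {
    ssh_linked_ok "$(ssh -V 2>&1)" 8.8p1 1.1.1o ||
        { echo "ssh: version or linked OpenSSL mismatch"; return 1; }
    libs_from_prefix "$(ldd /usr/sbin/sshd)" /usr/local/ssl/lib ||
        { echo "sshd: not loading libssl/libcrypto from /usr/local/ssl/lib"; return 1; }
    /usr/sbin/sshd -t || { echo "sshd_config does not parse"; return 1; }
    echo "upgrade verified"
}
```

Run `verify_upgrade` on the host itself; the two parsing helpers can be exercised anywhere with the embedded samples.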
4. Rollback procedure

Roll back by downgrading each component to its old version, in the same order as the upgrade.

4.1 Downgrade perl

```bash
rm -f /usr/bin/perl
cp /usr/bin/perl.bak /usr/bin/perl
perl -v
```
4.2 Downgrade OpenSSL

```bash
rm -f /usr/bin/openssl /etc/ld.so.conf.d/ssl.conf
cp /usr/bin/openssl.bak /usr/bin/openssl
ldconfig
openssl version
```
4.3 Downgrade OpenSSH

```bash
# The leading backslash bypasses the cp -i alias so the backups overwrite without prompting
\cp -ar /etc/ssh.bak /etc/ssh/
\cp -ar /etc/pam.d.bak /etc/pam.d
cd /usr/bin/
rm -f ssh ssh-add ssh-keygen ssh-keyscan scp sftp
\cp ssh.bak ssh
\cp ssh-add.bak ssh-add
\cp ssh-keygen.bak ssh-keygen
\cp ssh-keyscan.bak ssh-keyscan
\cp scp.bak scp
\cp sftp.bak sftp
\cp /usr/sbin/sshd.bak /usr/sbin/sshd
\cp /etc/init.d/sshd.bak /etc/init.d/sshd
chmod a+x /etc/init.d/sshd
/sbin/chkconfig --del sshd
/sbin/chkconfig --add sshd
/sbin/chkconfig --list | grep sshd

# Restore the PAM config
cp /etc/pam.d.bak/sshd /etc/pam.d/sshd
service sshd restart
```

Versions after the rollback:

```
# ssh -V && openssl version
OpenSSH_8.6p1, OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL 1.0.2k-fips 26 Jan 2017
```
Downloads

OpenSSH official site: https://www.openssh.com/openbsd.html

This post on my blog: http://t.csdn.cn/0FjQK