环境说明

当前系统版本
[root@tamkems-yy ~]# cat /etc/redhat-release 
CentOS Linux release 7.8.2003 (Core)
当前组件版本
[root@tamkems-yy ~]# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
[root@tamkems-yy ~]# openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017

现存安全漏洞

当前版本存在以下安全漏洞:

  • OpenSSH 安全漏洞(CVE-2023-51767)
  • OpenSSH 安全漏洞(CVE-2023-38408)
  • OpenSSH 命令注入漏洞(CVE-2020-15778)
  • OpenSSH 欺骗安全漏洞(CVE-2019-6110)
  • OpenSSH信息泄露漏洞(CVE-2020-14145)
  • OpenSSH 用户枚举漏洞(CVE-2018-15919)
  • OpenSSH 安全漏洞(CVE-2023-48795)
  • OpenSSH CBC模式信息泄露漏洞(CVE-2008-5161)
  • 等多个安全漏洞...

升级目标版本

  • OpenSSH: 9.6p1
  • OpenSSL: 1.1.1w

升级准备工作

在开始升级之前,需要做好以下准备:

  1. 系统备份
     # 创建备份目录
     mkdir -p /root/ssh_backup_$(date +%Y%m%d)
     # 备份当前配置
     cp -r /etc/ssh/*    /root/ssh_backup_$(date +%Y%m%d)/
     cp /etc/sysconfig/sshd    /root/ssh_backup_$(date +%Y%m%d)/
  2. 安装必要的编译工具
     # 安装开发工具组
     yum groupinstall -y "Development Tools"
     # 安装依赖包
     yum install -y zlib-devel openssl-devel perl perl-devel pam-devel

OpenSSL升级步骤

1. 下载和解压
# Fetch and unpack the OpenSSL 1.1.1w source tree under /usr/local/src.
cd /usr/local/src
# Compare the tarball's SHA256 with the value published upstream before building from it.
wget https://www.openssl.org/source/openssl-1.1.1w.tar.gz
tar -zxf openssl-1.1.1w.tar.gz
cd openssl-1.1.1w
2. 编译安装
# Configure: a private prefix keeps the distro OpenSSL 1.0.2 (used by yum, curl, ...) untouched;
# 'shared' builds libssl/libcrypto as shared objects, 'zlib' enables compression support.
./config --prefix=/usr/local/openssl shared zlib

# Build and run the self-tests
make
make test

# Install into /usr/local/openssl
make install
3. 配置环境
# Register the new library directory with the dynamic loader and refresh its cache
echo "/usr/local/openssl/lib" > /etc/ld.so.conf.d/openssl.conf
ldconfig

# Swap only the command-line tool; the distro libraries stay in place for the programs that
# use them. /usr/bin/openssl is rpm-owned, so a later package update may restore the old binary.
mv /usr/bin/openssl /usr/bin/openssl.old
ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl

OpenSSH升级步骤

1. 下载和解压
# Fetch and unpack the OpenSSH 9.6p1 portable source tree under /usr/local/src.
cd /usr/local/src
# Verify the tarball against the upstream-published signature/checksum before building from it.
wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.6p1.tar.gz
tar -zxf openssh-9.6p1.tar.gz
cd openssh-9.6p1
2. 编译安装
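# Configure against the OpenSSL built above.
#   --prefix=/usr          binaries land in /usr/bin and /usr/sbin, over the rpm-owned copies
#                          (back them up first; `rpm -V openssh-*` will report them as modified)
#   --sysconfdir=/etc/ssh  the existing config and host keys in /etc/ssh are reused
#   --with-ssl-dir         link against the 1.1.1w tree, not the system 1.0.2k
#   --with-pam             required for 'UsePAM yes' in sshd_config (see the login troubleshooting)
# --with-tcp-wrappers was removed from this list: OpenSSH dropped tcp_wrappers support in 6.7,
# so configure only warns about an unrecognised option and ignores it.
./configure \
    --prefix=/usr \
    --sysconfdir=/etc/ssh \
    --with-ssl-dir=/usr/local/openssl \
    --with-zlib \
    --with-pam \
    --with-md5-passwords

# Build and install
make
make install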
3. 创建systemd服务配置
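# Write the systemd unit for the rebuilt sshd.
# Type=simple replaces Type=exec: 'exec' is only understood by systemd >= 240, while CentOS 7
# ships 219, which rejects the value and falls back to the default anyway. -D keeps sshd in the
# foreground, -e sends its log to stderr (the journal).
# The stock CentOS 7 unit also read /etc/sysconfig/sshd (backed up in the preparation step) and
# ran a host-key generation pre-step; neither is carried over here, so the host keys in /etc/ssh
# must already exist before the first start.
cat > /usr/lib/systemd/system/sshd.service << 'EOF'
[Unit]
Description=OpenSSH server daemon
Documentation=man:sshd(8) man:sshd_config(5)
After=network.target

[Service]
Type=simple
ExecStart=/usr/sbin/sshd -D -e
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartSec=3s

[Install]
WantedBy=multi-user.target
EOF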
4. 更新SSH配置文件
# Write a fresh sshd_config (the previous one is in the backup taken during preparation).
# Points to review before deploying:
#  - PermitRootLogin yes together with PasswordAuthentication yes re-enables root password
#    login; once key-based access is confirmed, 'PermitRootLogin prohibit-password' is safer.
#  - 'Protocol 2' and 'ChallengeResponseAuthentication' are legacy names that OpenSSH 9.x
#    accepts for compatibility only (the latter now maps to KbdInteractiveAuthentication).
#  - The Subsystem path is the distro package's sftp-server; with --prefix=/usr the freshly
#    built one is installed as /usr/libexec/sftp-server. NOTE(review): confirm which is wanted.
cat > /etc/ssh/sshd_config << 'EOF'
# 基本配置
Port 22
AddressFamily any
ListenAddress 0.0.0.0
ListenAddress ::

# 协议版本
Protocol 2

# 主机密钥
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# 日志级别
SyslogFacility AUTHPRIV
LogLevel INFO

# 认证配置
PermitRootLogin yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no

# 其他设置
X11Forwarding yes
PrintMotd no
UsePAM yes
UseDNS no
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF
5. 设置正确的文件权限
# Set the modes sshd expects. Private host keys that are readable by anyone other than root
# are skipped by sshd, and with no usable key it will not start.
chmod 755 /usr/sbin/sshd
chmod 755 /etc/ssh
chmod 644 /etc/ssh/sshd_config
chmod 600 /etc/ssh/ssh_host_*_key      # private host keys: root only
chmod 644 /etc/ssh/ssh_host_*_key.pub  # public halves may stay world-readable
6. 重启服务
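# Pick up the new unit file
systemctl daemon-reload

# Validate the rebuilt sshd against the new config before the running daemon is replaced
# (the same check the CentOS 8 section performs with `sshd -t`): a config error found here
# costs nothing, one found after the restart costs remote access.
/usr/sbin/sshd -t

# Restart sshd. Existing sessions stay up; keep this one open until a new login has succeeded.
systemctl restart sshd

# Check the service status
systemctl status sshd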
7. 验证升级
# Confirm the version reported by the new client
ssh -V

# Open a second, local session; keep the session used for the upgrade open until this works
ssh -v localhost

如果升级后无法登录服务器

解决方法:

1、在sshd_config文件添加如下配置

vim /etc/ssh/sshd_config

UsePAM yes

2、如果/etc/pam.d/sshd不存在,添加如下配置

vim /etc/pam.d/sshd


#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare

centos7离线升级到OpenSSH9.9

包地址:https://mirrors.aliyun.com/pub/OpenBSD/OpenSSH/portable/openssh-9.9p1.tar.gz

https://github.com/openssl/openssl/releases/download/OpenSSL_1_1_1w/openssl-1.1.1w.tar.gz

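#!/bin/bash
# Offline upgrade of OpenSSL 1.1.1w + OpenSSH 9.9p1 on CentOS 7 from tarballs placed in
# /usr/local/src. Run as root from an already-open session and keep that session open until a
# second login has been verified.
# -e: abort on the first failing command; -u: an unset variable is an error;
# pipefail: a failing stage fails the whole pipeline (the original enabled only -e).
set -euo pipefail

# ==================== Colour definitions (ANSI escapes, expanded by the loggers) ====================
readonly RED='\033[0;31m'
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly BLUE='\033[0;34m'
readonly NC='\033[0m'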

info() {
    # Informational message in blue; all arguments are joined with single spaces.
    local msg="[INFO] $*"
    printf '%b\n' "${BLUE}${msg} ${NC}"
}
success() {
    # Success message in green; all arguments are joined with single spaces.
    local msg="[SUCCESS] $*"
    printf '%b\n' "${GREEN}${msg} ${NC}"
}
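error() {
    # Fatal error in red, then exit 1. Written to stderr so the diagnostic stays visible when
    # stdout is captured or redirected (the original wrote it to stdout).
    printf '%b\n' "${RED}[ERROR] $* ${NC}" >&2
    exit 1
}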

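info "======================================================"
info "    OpenSSL 1.1.1w + OpenSSH 9.9p1"
info "                  修复 CVE-2024-6387"
info "======================================================"
echo ""

# ==================== Versions and paths ====================
# Kept together so a later version bump touches only these lines. Each component gets its own
# prefix under /usr/local; the distro OpenSSL/zlib packages (needed by yum, curl, ...) stay in place.
readonly PACKAGE_DIR="/usr/local/src"
readonly ZLIB_VER="1.3"
readonly OPENSSL_VER="1.1.1w"
readonly OPENSSH_VER="9.9p1"
readonly ZLIB_PREFIX="/usr/local/zlib"
readonly OPENSSL_PREFIX="/usr/local/openssl"
readonly OPENSSH_PREFIX="/usr/local/openssh"
# Parallel build jobs (the original hard-coded -j4).
JOBS="$(nproc 2>/dev/null || echo 4)"
readonly JOBS
# Set by backup_ssh; named again in the messages of the final steps.
ssh_bak=""

#######################################
# Fail early on what later steps would otherwise discover half-way through: not running as
# root, or a build tool missing on this offline host (yum cannot fetch it here).
#######################################
check_environment() {
    local tool
    [ "$(id -u)" -eq 0 ] || error "请使用 root 执行此脚本"
    # perl is required by OpenSSL's ./config; gcc/make/tar by every build.
    for tool in gcc make tar perl; do
        command -v "$tool" >/dev/null 2>&1 || error "缺少编译工具:$tool"
    done
    cd "${PACKAGE_DIR}" || error "无法进入目录 ${PACKAGE_DIR}"
}

#######################################
# Copy /etc/ssh to a timestamped sibling directory; this is the rollback source if the new
# sshd does not start.
# Globals: ssh_bak (written)
#######################################
backup_ssh() {
    info "备份 /etc/ssh 目录"
    ssh_bak="/etc/ssh.bak.$(date +%Y%m%d%H%M%S)"
    cp -rf /etc/ssh "${ssh_bak}"
    success "备份完成:${ssh_bak}"
    echo ""
}

#######################################
# Require all three tarballs in PACKAGE_DIR and print their SHA256 digests. The files were
# uploaded by hand, so the operator should compare each digest with the value published by
# the project before letting the build proceed.
#######################################
check_packages() {
    local f
    for f in "zlib-${ZLIB_VER}.tar.gz" "openssl-${OPENSSL_VER}.tar.gz" "openssh-${OPENSSH_VER}.tar.gz"; do
        if [ ! -f "$f" ]; then
            error "缺少文件:$f 请上传到 ${PACKAGE_DIR}"
        fi
        info "SHA256 $(sha256sum "$f")"
    done
    success "所有安装包已就绪"
    echo ""
}

#######################################
# Unpack, configure, build and install one component inside a subshell so the caller's working
# directory is unaffected. Every step carries its own failure message: under `set -e` the
# original `if [ $? -ne 0 ]` tests after make were unreachable, and `set -e` is suspended inside
# a `( ... ) || ...` list, so nothing here relies on it.
# Arguments:
#   $1     display name, e.g. "zlib"
#   $2     source directory; the tarball is "$2.tar.gz" in the current directory
#   $3     configure script: "config" (OpenSSL) or "configure"
#   $4...  configure arguments
# Assignment prefixes on the call (CPPFLAGS=... build_component ...) are visible to the
# configure/make processes it runs.
#######################################
build_component() {
    local name="$1" srcdir="$2" cfg="$3"
    shift 3
    tar zxf "${srcdir}.tar.gz" || error "${name} 解压失败!"
    (
        cd "${srcdir}" || error "无法进入目录 ${srcdir}"
        "./${cfg}" "$@" || error "${name} ${cfg} 失败!"
        info "${name} 编译中..."
        make -j"${JOBS}" || error "${name} make 编译失败!"
        info "${name} 安装中..."
        make install || error "${name} make install 失败!"
    ) || exit 1
}

#######################################
# zlib into its own prefix (OpenSSH is linked against it below).
#######################################
build_zlib() {
    info "安装 zlib ${ZLIB_VER}"
    build_component zlib "zlib-${ZLIB_VER}" configure --prefix="${ZLIB_PREFIX}"
    success "zlib 安装成功!"
    echo ""
}

#######################################
# OpenSSL into its own prefix, then point /usr/bin/openssl and the dynamic loader at it.
#######################################
build_openssl() {
    info "安装 OpenSSL ${OPENSSL_VER}"
    build_component OpenSSL "openssl-${OPENSSL_VER}" config --prefix="${OPENSSL_PREFIX}"
    # Keep the distro CLI exactly once: on a re-run /usr/bin/openssl is already our symlink and
    # must not overwrite the .bak copy (the original `mv ... 2>/dev/null` did exactly that, and
    # under set -e died silently when the source file was missing).
    if [ -e /usr/bin/openssl ] && [ ! -e /usr/bin/openssl.bak ]; then
        mv /usr/bin/openssl /usr/bin/openssl.bak
    fi
    ln -sf "${OPENSSL_PREFIX}/bin/openssl" /usr/bin/openssl
    # Add the library directory to the loader path only if absent (idempotent re-runs), then
    # refresh the cache. The original `ldconfig -v` listed every library on the system.
    grep -qxF "${OPENSSL_PREFIX}/lib" /etc/ld.so.conf 2>/dev/null \
        || echo "${OPENSSL_PREFIX}/lib" >> /etc/ld.so.conf
    ldconfig
    success "OpenSSL 安装成功!"
    echo ""
}

#######################################
# OpenSSH into its own prefix, linked against the zlib and OpenSSL trees built above.
#######################################
build_openssh() {
    info "安装 OpenSSH ${OPENSSH_VER}"
    local cfg_opts=(
        --prefix="${OPENSSH_PREFIX}"
        --with-ssl-dir="${OPENSSL_PREFIX}"
        --sysconfdir=/etc/ssh
        --with-zlib="${ZLIB_PREFIX}"
    )
    # Build PAM support when the headers are present: without it, the 'UsePAM yes' that the
    # login-failure troubleshooting section calls for makes sshd refuse to start.
    if [ -f /usr/include/security/pam_appl.h ]; then
        cfg_opts+=(--with-pam)
    fi
    # Header/library paths for the private zlib and OpenSSL trees, scoped to this build (the
    # original exported them for the remainder of the script).
    CPPFLAGS="-I${ZLIB_PREFIX}/include -I${OPENSSL_PREFIX}/include" \
    LDFLAGS="-L${ZLIB_PREFIX}/lib -L${OPENSSL_PREFIX}/lib" \
        build_component OpenSSH "openssh-${OPENSSH_VER}" configure "${cfg_opts[@]}"
    success "OpenSSH 编译安装成功!"
    echo ""
}

#######################################
# Replace the distro ssh/sshd/ssh-keygen with the new build. The rpm-owned copies are kept as
# *.bak — on the first run only, so a re-run cannot overwrite the real originals with the
# previous run's build. scp/sftp/ssh-agent and friends remain the distro versions.
#######################################
install_binaries() {
    local rel src dst
    info "替换系统 ssh / sshd"
    for rel in sbin/sshd bin/ssh bin/ssh-keygen; do
        src="${OPENSSH_PREFIX}/${rel}"
        dst="/usr/${rel}"
        [ -x "$src" ] || error "未找到 $src,OpenSSH 安装可能不完整"
        if [ -e "$dst" ] && [ ! -e "${dst}.bak" ]; then
            mv "$dst" "${dst}.bak"
        fi
        cp -f "$src" "$dst"
    done
    # With SELinux enforcing, a freshly created file under /usr/sbin carries the directory's
    # default label rather than sshd's; restore the policy labels so systemd can start the
    # daemon in its intended domain.
    if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled; then
        restorecon -v /usr/sbin/sshd /usr/bin/ssh /usr/bin/ssh-keygen
    fi
    echo ""
}

#######################################
# Install a fresh sshd_config from the new build's template (per the original comment, this is
# what fixed the start-up failure against the old CentOS 7 config) and re-apply the author's
# two overrides. The pre-upgrade config is preserved in ${ssh_bak}.
# Globals: ssh_bak (read, in messages only)
#######################################
write_sshd_config() {
    local tmpl="${OPENSSH_PREFIX}/etc/sshd_config" key
    info "修复权限并生成新的 sshd_config(解决启动失败)"
    # With --sysconfdir=/etc/ssh, `make install` writes the default config only into /etc/ssh
    # (and only when none exists), so ${OPENSSH_PREFIX}/etc may well be empty; the generated
    # template sshd_config.out in the build tree is the fallback.
    if [ ! -f "$tmpl" ]; then
        tmpl="${PACKAGE_DIR}/openssh-${OPENSSH_VER}/sshd_config.out"
    fi
    [ -f "$tmpl" ] || error "未找到 sshd_config 模板:$tmpl"
    cp -f "$tmpl" /etc/ssh/sshd_config
    # Author's overrides. Both weaken the template's posture (root password login); once
    # key-based access is confirmed, 'PermitRootLogin prohibit-password' is the safer setting.
    # The template leaves UsePAM commented out: if logins fail afterwards, see the
    # troubleshooting section (UsePAM yes requires the --with-pam build above).
    echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
    echo "PasswordAuthentication yes" >> /etc/ssh/sshd_config

    chmod 755 /etc/ssh
    # sshd skips private host keys readable by others. Checking for an unmatched glob replaces
    # the original `2>/dev/null`, which under set -e aborted the script without a message.
    for key in /etc/ssh/ssh_host_*_key; do
        [ -e "$key" ] || continue
        chmod 600 "$key"
        if [ -e "${key}.pub" ]; then
            chmod 644 "${key}.pub"
        fi
    done
}

#######################################
# Validate, then restart. The validation is the safety net for a remote operator: a broken
# binary or config is reported before the listening daemon is replaced.
# Globals: ssh_bak (read)
#######################################
restart_sshd() {
    /usr/sbin/sshd -t || error "sshd -t 配置检测失败,未重启 sshd;原配置见 ${ssh_bak}"
    systemctl daemon-reload
    systemctl restart sshd || error "sshd 重启失败,请保持当前会话,使用 ${ssh_bak} 和 *.bak 文件回滚"
    # systemctl restart may return 0 even if the unit dies right after exec; ask for the state.
    systemctl is-active --quiet sshd || error "sshd 未处于运行状态,请保持当前会话并检查 journalctl -u sshd"
    success "================================================"
    success "               ✅ 升级全部完成!"
    # ssh -V reports on stderr; the original $(ssh -V) captured an empty string.
    success " 当前版本:$(ssh -V 2>&1)"
    success " sshd 已正常启动!"
    success "================================================"
    info "请在关闭当前会话前,先从另一个终端验证可以登录"
}

#######################################
# Entry point: the steps in the original's order.
#######################################
main() {
    check_environment
    backup_ssh
    check_packages
    build_zlib
    build_openssl
    build_openssh
    install_binaries
    write_sshd_config
    restart_sshd
}

main "$@"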






###### 执行完后,再执行上面的 4/5/6/7 步骤

Centos 8 离线升级openssh 9.9

#查看openssh服务版本
[root@centos8 ~]# ssh -V
OpenSSH_8.0p1, OpenSSL 1.1.1k  FIPS 25 Mar 2021


# Download the prebuilt el8 RPMs into ./openssh (relative to the current directory, ~ in the
# transcript above).
mkdir  openssh;cd openssh
# NOTE(review): these packages come from a third-party site, not the distribution repositories,
# and over plain HTTP. Verify each file's signature with `rpm -K <file>` against a key obtained
# independently, or rebuild from the upstream source, before installing them on a server.
# The *-debuginfo and *-debugsource packages are only needed for debugging and can be omitted.
wget http://down.tag.gg/Openssh/rpm/el8/openssh-9.9-openssl-3.4.0/openssh-9.9p1-1.el8.x86_64.rpm
wget http://down.tag.gg/Openssh/rpm/el8/openssh-9.9-openssl-3.4.0/openssh-clients-9.9p1-1.el8.x86_64.rpm
wget http://down.tag.gg/Openssh/rpm/el8/openssh-9.9-openssl-3.4.0/openssh-clients-debuginfo-9.9p1-1.el8.x86_64.rpm
wget http://down.tag.gg/Openssh/rpm/el8/openssh-9.9-openssl-3.4.0/openssh-debuginfo-9.9p1-1.el8.x86_64.rpm
wget http://down.tag.gg/Openssh/rpm/el8/openssh-9.9-openssl-3.4.0/openssh-debugsource-9.9p1-1.el8.x86_64.rpm
wget http://down.tag.gg/Openssh/rpm/el8/openssh-9.9-openssl-3.4.0/openssh-server-9.9p1-1.el8.x86_64.rpm
wget http://down.tag.gg/Openssh/rpm/el8/openssh-9.9-openssl-3.4.0/openssh-server-debuginfo-9.9p1-1.el8.x86_64.rpm



1)备份原来ssh相关配置文件
# Back up the whole /etc/ssh tree (host keys and configs); -p preserves ownership and modes so
# it can be copied back verbatim if the upgrade has to be rolled back.
cp -rp /etc/ssh /etc/ssh-bak

2)卸载老版本的openssh (不要断开终端,不然无法远程连接)
# Remove every installed openssh-* package, skipping dependency checks. As the author notes,
# the session you are in normally stays up, but no new login is possible until step 3 has
# installed the new packages — do not close the terminal in between.
rpm -qa | grep openssh | xargs rpm -e --nodeps

3)安装新版本:安装后执行命令 ssh -V 查看新的版本。
# NOTE(review): the RPMs were downloaded into ./openssh relative to ~ (see the prompt above),
# which would make this `cd ~/openssh`; `cd /openssh` only matches if the download ran from /.
cd /openssh
# Install all downloaded RPMs in one transaction (debuginfo/debugsource included)
rpm -Uvh openssh-*.rpm
[root@centos8 openssh]# rpm -Uvh openssh-*.rpm
Verifying...                          ################################# [100%]
准备中...                          ################################# [100%]
正在升级/安装...
   1:openssh-debugsource-9.9p1-1.el8  ################################# [ 14%]
   2:openssh-debuginfo-9.9p1-1.el8    ################################# [ 29%]
   3:openssh-9.9p1-1.el8              ################################# [ 43%]
   4:openssh-clients-9.9p1-1.el8      ################################# [ 57%]
   5:openssh-server-9.9p1-1.el8       ################################# [ 71%]
   6:openssh-clients-debuginfo-9.9p1-1################################# [ 86%]
   7:openssh-server-debuginfo-9.9p1-1.################################# [100%]


4)设置ssh配置文件权限:
# Private host keys must be readable by root only; sshd skips keys with wider permissions
chmod -v 600 /etc/ssh/ssh_host_*_key
mode of '/etc/ssh/ssh_host_ecdsa_key' changed from 0640 (rw-r-----) to 0600 (rw-------)
mode of '/etc/ssh/ssh_host_ed25519_key' changed from 0640 (rw-r-----) to 0600 (rw-------)
mode of '/etc/ssh/ssh_host_rsa_key' changed from 0640 (rw-r-----) to 0600 (rw-------)

5)执行如下命令检测配置文件是否正常
# Test mode: parse the config and check the host keys without starting the daemon
sshd -t
说明:若检测提示“UsePrivilegeSeparation”相关报错,则执行如下命令后再检测。
# Comment out UsePrivilegeSeparation: the option is obsolete in current OpenSSH and is what the
# `sshd -t` error above refers to
sudo sed -i '/UsePrivilegeSeparation/s/^/#/' /etc/ssh/sshd_config

6)检测配置文件没问题后再考虑重启sshd服务。
重启ssh服务
[root@centos8 openssh]# systemctl restart sshd;systemctl status sshd
● sshd.service - SYSV: OpenSSH server daemon
   Loaded: loaded (/etc/rc.d/init.d/sshd; generated)
   Active: active (running) since Wed 2025-02-05 02:24:35 EST; 9ms ago
     Docs: man:systemd-sysv-generator(8)
  Process: 2486 ExecStop=/etc/rc.d/init.d/sshd stop (code=exited, status=0/SUCCESS)
  Process: 2495 ExecStart=/etc/rc.d/init.d/sshd start (code=exited, status=0/SUCCESS)
 Main PID: 2505 (sshd)
    Tasks: 1 (limit: 25358)
   Memory: 1.3M
   CGroup: /system.slice/sshd.service
           └─2505 sshd: /usr/sbin/sshd [listener] 0 of 10-100 startups

2月 05 02:24:35 centos8 systemd[1]: Stopped SYSV: OpenSSH server daemon.
2月 05 02:24:35 centos8 systemd[1]: Starting SYSV: OpenSSH server daemon...
2月 05 02:24:35 centos8 sshd[2495]: /sbin/restorecon: lstat(/etc/ssh/ssh_host_dsa_key.pub) failed: No such file or directory
2月 05 02:24:35 centos8 sshd[2505]: Server listening on 0.0.0.0 port 22.
2月 05 02:24:35 centos8 sshd[2505]: Server listening on :: port 22.
2月 05 02:24:35 centos8 sshd[2495]: Starting sshd:[  确定  ]
2月 05 02:24:35 centos8 systemd[1]: Started SYSV: OpenSSH server daemon.
查看ssh版本:
[root@centos8 openssh]# ssh -V
OpenSSH_9.9p1, OpenSSL 3.4.0 22 Oct 2024
到此升级成功
