openssh9.8p1更新 修复漏洞（CVE-2024-6387）

2024 年 7 月，互联网公开披露了一个 OpenSSH 的远程代码执行漏洞（CVE-2024-6387）。鉴于该漏洞虽然利用较为困难但危害较大，建议所有使用受影响的企业尽快修复该漏洞。

centos7 为例

yum -y install gcc make openssl-devel zlib-devel

wget https://www.openssl.org/source/openssl-1.1.1k.tar.gz
tar -xzvf openssl-1.1.1k.tar.gz
cd openssl-1.1.1k/

./config --prefix=/usr/local/openssl --openssldir=/usr/local/openssl shared zlib
make -j4 && make install

mv /usr/bin/openssl /usr/bin/openssl.old
mv /usr/lib/openssl /usr/lib/openssl.old
ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
ln -s /usr/local/openssl/include/openssl /usr/include/openssl
echo “/usr/local/openssl/lib” >> /etc/ld.so.conf
ldconfig -v

验证
openssl version

wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.8p1.tar.gz
tar -xzvf openssh-9.8p1.tar.gz
cd openssh-9.8p1/

./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-ssl-engine=openssl

如果报版本不对
checking OpenSSL library version… configure: error: OpenSSL >= 1.1.1 required (have “100020bf (OpenSSL 1.0.2k-fips 26 Jan 2017)”)

如果报找不到
checking OpenSSL library version… not found
configure: error: OpenSSL library not found.

那么添加环境变量
cat < /etc/profile.d/openssl.sh
export LDFLAGS=“-L/usr/local/openssl/lib”
export CPPFLAGS=“-I/usr/local/openssl/include”
EOF
source /etc/profile.d/openssl.sh

如果报错
configure: error: PAM headers not found

那么安装
yum -y install pam-devel

然后继续构建
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-ssl-engine=openssl
make -j4 && make install

如果又报错
WARNING: UNPROTECTED PRIVATE KEY FILE!
Permissions 0640 for ‘/etc/ssh/ssh_host_ed25519_key’ are too open.
sshd: no hostkeys available – exiting.

那么执行
chmod 0600 /etc/ssh/ssh_host_ed25519_key

开启 root 远程登录
sed -i ‘s/^#PermitRootLogin yes/PermitRootLogin yes/’ /etc/ssh/sshd_config
sed -i ‘s/^PermitRootLogin no/PermitRootLogin yes/’ /etc/ssh/sshd_config

systemctl restart sshd
systemctl enable sshd

ssh -V
OpenSSH_9.8p1, OpenSSL 1.1.1k 25 Mar 2021