升级OpenSSL和OpenSSH 修复漏洞
升级OpenSSL和OpenSSH
目前版本OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
升级到OpenSSH_9.8p1, OpenSSL 1.1.1u 30 May 2023
服务器CentOS Linux release 7.6.1810 (Core)
一、升级OpenSSL到1.1.1u
-
下载并编译 OpenSSL(推荐目录
/usr/local/openssl)wget https://www.openssl.org/source/openssl-1.1.1u.tar.gz tar zxvf openssl-1.1.1u.tar.gz cd openssl-1.1.1u./config --prefix=/usr/local/openssl --openssldir=/usr/local/openssl shared zlib make -j$(nproc) make install -
设置 OpenSSL 环境变量
echo "/usr/local/openssl/lib" > /etc/ld.so.conf.d/openssl.conf ldconfigexport PATH=/usr/local/openssl/bin:$PATH export LD_LIBRARY_PATH=/usr/local/openssl/libvim /etc/profile追加下边两行,避免重启后失效。export PATH=/usr/local/openssl/bin:$PATH export LD_LIBRARY_PATH=/usr/local/openssl/libsource /etc/profile -
验证 OpenSSL 是否生效
openssl versionOpenSSL 1.1.1u 30 May 2023
二、升级OpenSSH到9.8p1
-
安装依赖
yum groupinstall -y "Development Tools" yum install -y wget pam-devel zlib-devel openssl-devel -
下载并准备 OpenSSH 9.8p1
wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.8p1.tar.gz tar -zxvf openssh-9.8p1.tar.gz cd openssh-9.8p1 -
备份旧 SSHD
cp /usr/sbin/sshd /usr/sbin/sshd.bak.$(date +%F-%H-%M-%S) cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak.$(date +%F-%H-%M-%S) -
配置并编译安装 OpenSSH 9.8p1(指定新版 OpenSSL 路径)
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-ssl-dir=/usr/local/openssl make -j$(nproc) make install -
设置 sshd 服务(如无 systemd 单元文件)
if [ ! -f /usr/lib/systemd/system/sshd.service ]; thencp contrib/redhat/sshd.init /etc/init.d/sshdchmod +x /etc/init.d/sshdsystemctl daemon-reexecsystemctl daemon-reloadsystemctl enable sshd fi -
重启 SSH 服务并验证版本
安全提示(强烈建议)
在你执行
systemctl restart sshd之前:- 开两个 SSH 会话,防止断连;
- 设置自动回滚任务(如果失败自动恢复旧版本):
echo "cp /usr/sbin/sshd.bak* /usr/sbin/sshd && systemctl restart sshd" | at now + 5 minutessystemctl restart sshd /usr/sbin/sshd -VOpenSSH_10.0p1, OpenSSL 1.1.1u ...
三、解决yum install -y wget pam-devel zlib-devel openssl-devel下载失败问题
在可以正常执行 yum install -y wget pam-devel zlib-devel openssl-devel的服务器执行下列命令
- 安装
yum-utils(包含yumdownloader)
yum install -y yum-utils
-
创建存放 RPM 的目录并下载所有依赖包
mkdir -p /tmp/rpms cd /tmp/rpms yumdownloader --resolve wget pam-devel zlib-devel openssl-devel -
检查下载的 RPM 文件
ls -l /tmp/rpms/*.rpm-rw-r--r-- 1 root root 1582172 Jun 17 16:17 openssl-devel-1.0.2k-26.el7_9.i686.rpm -rw-r--r-- 1 root root 1582400 Jun 17 16:17 openssl-devel-1.0.2k-26.el7_9.x86_64.rpm -rw-r--r-- 1 root root 1021796 Jun 17 16:17 openssl-libs-1.0.2k-26.el7_9.i686.rpm -rw-r--r-- 1 root root 736976 Jun 17 16:17 pam-1.1.8-23.el7.i686.rpm -rw-r--r-- 1 root root 189152 Jun 17 16:17 pam-devel-1.1.8-23.el7.i686.rpm -rw-r--r-- 1 root root 189124 Jun 17 16:17 pam-devel-1.1.8-23.el7.x86_64.rpm -rw-r--r-- 1 root root 430428 Jun 17 16:17 pcre-8.32-17.el7.i686.rpm -rw-r--r-- 1 root root 560272 Jun 17 16:17 wget-1.14-18.el7_6.1.x86_64.rpm -rw-r--r-- 1 root root 93224 Jun 17 16:17 zlib-1.2.7-21.el7_9.i686.rpm -rw-r--r-- 1 root root 51524 Jun 17 16:17 zlib-devel-1.2.7-21.el7_9.i686.rpm -rw-r--r-- 1 root root 51488 Jun 17 16:17 zlib-devel-1.2.7-21.el7_9.x86_64.rpm ...... -
将 RPM 包复制到目标服务器
scp -r /tmp/rpms root@目标服务器IP:/tmp/ -
在目标服务器上手动安装
cd /tmp/rpms rpm -ivh *.rpm --nodeps --force
四、OpenSSH make install 报如下错误
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_rsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Unable to load host key "/etc/ssh/ssh_host_rsa_key": bad permissions
Unable to load host key: /etc/ssh/ssh_host_rsa_key
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_ecdsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Unable to load host key "/etc/ssh/ssh_host_ecdsa_key": bad permissions
Unable to load host key: /etc/ssh/ssh_host_ecdsa_key
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_ed25519_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Unable to load host key "/etc/ssh/ssh_host_ed25519_key": bad permissions
Unable to load host key: /etc/ssh/ssh_host_ed25519_key
sshd: no hostkeys available -- exiting.
make: [Makefile:396: check-config] Error 1 (ignored)
解决方案:修复私钥权限
chmod 600 /etc/ssh/ssh_host_*_key