
CentOS/RHEL: upgrading to openssh-8.1p1 to address vulnerability scan findings

Posted March 30
Author: admin | Category: Application management

 

On CentOS 6 the bundled OpenSSH is too old (only OpenSSH 5.3), and it needs to be upgraded to the latest release, OpenSSH 8.1p1.

For convenience, I built an RPM package for it that installs on CentOS 6 and RHEL 6; I have confirmed that it works.

Installation: first download the openssh8.1p1 RPM package from the attachment, then run the following commands.

#:   yum -y install gcc gcc-c++ zlib zlib-devel openssl openssl-devel pam pam-devel rpm-build libedit initscripts libXt-devel imake gtk2-devel unzip

Install the dependency packages (not every package in the list is required).

#:  rpm -e `rpm -qa |grep openssh` --nodeps

Remove the old OpenSSH packages.

#:  rpm -ivh *.rpm

Install all of the new OpenSSH 8.1p1 packages.

openssh8.1p1_x86_64 RPM package (attachment)

 

There is one more very important thing: once the install is done, edit the configuration file to enable the root account.

If you are connected over SSH while doing the upgrade, restarting the sshd service will drop your session, and the sshd restart may then never complete.

To avoid this, install the screen program first, write the commands below into a script, and run that new script; sshd then restarts normally,

and after the restart you can connect over SSH as usual:

#: /etc/init.d/sshd stop     stop the service

#: /etc/init.d/sshd restart   test restarting the service.

 

Finally, test from a remote host that SSH login still works.
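As an added example (not the author's script and not part of the RPM package), the following POSIX shell helpers cover the two checks the procedure above leaves to the operator: confirming that the installed OpenSSH really reports 8.1 or later (the same banner a vulnerability scanner reads), and restarting sshd from a detached process so the restart completes even if the SSH session used for the upgrade is dropped. It uses nohup instead of the screen approach described above, runs sshd's own configuration test before restarting, and assumes the daemon lives at /usr/sbin/sshd; the function names and the log path /var/log/sshd-upgrade.log are my own choices.

```shell
#!/bin/sh
# Added example for this post (not the author's script): verify the OpenSSH
# version after the upgrade and restart sshd without depending on the current
# SSH session staying alive. Function names and /var/log/sshd-upgrade.log are
# assumptions made for this example.

# Extract "major minor" from either form of version string:
#   local:  "OpenSSH_8.1p1, OpenSSL 1.0.1e-fips 11 Feb 2013"  (ssh -V prints to stderr)
#   remote: "SSH-2.0-OpenSSH_8.1"  (the banner line a scanner reads from port 22)
# Prints nothing if the line is not an OpenSSH banner.
openssh_version_from_banner() {
    printf '%s\n' "$1" |
        sed -n 's/^\(SSH-[0-9.]*-\)\{0,1\}OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\2 \3/p'
}

# Return 0 if the banner is at least <major>.<minor>, 1 if it is older,
# 2 if the banner could not be parsed at all.
# Usage: openssh_at_least "$(ssh -V 2>&1)" 8 1
openssh_at_least() {
    want_major=$2; want_minor=$3
    set -- $(openssh_version_from_banner "$1")   # replaces $1.. with "major minor"
    [ $# -eq 2 ] || return 2
    have_major=$1; have_minor=$2
    [ "$have_major" -gt "$want_major" ] && return 0
    [ "$have_major" -lt "$want_major" ] && return 1
    [ "$have_minor" -ge "$want_minor" ]
}

# Restart sshd detached from this terminal so that the restart finishes even
# if the SSH session running the upgrade is dropped. Refuses to restart when
# the configuration fails sshd's own syntax check, because a failed start
# would lock everyone out. Assumes /usr/sbin/sshd and the SysV init script
# used in the post above.
safe_restart_sshd() {
    /usr/sbin/sshd -t || { echo "sshd_config has errors, not restarting" >&2; return 1; }
    nohup sh -c '/etc/init.d/sshd stop; sleep 2; /etc/init.d/sshd start' \
        >/var/log/sshd-upgrade.log 2>&1 &
    echo "sshd restart started in the background; see /var/log/sshd-upgrade.log"
}

# Typical use right after `rpm -ivh *.rpm`:
#   openssh_at_least "$(ssh -V 2>&1)" 8 1 && safe_restart_sshd
```

After the background restart, open a second connection from another host and confirm a fresh login works before closing the session that ran the upgrade.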

 

 

Alternatively, you can compile and install OpenSSH 8.1p1 from source as follows:

OpenSSH-8.1p1

Introduction to OpenSSH

The OpenSSH package contains ssh clients and the sshd daemon. This is useful for encrypting authentication and subsequent traffic over a network. The ssh and scp commands are secure implementations of telnet and rcp respectively.

This package is known to build and work properly using an LFS-9.0 platform.

Package Information

OpenSSH Dependencies

Optional

GDB-8.3.1 (for tests), Linux-PAM-1.3.1, X Window System, MIT Kerberos V5-1.17.1, libedit, LibreSSL Portable, OpenSC, and libsectok

Optional Runtime (Used only to gather entropy)

OpenJDK-12.0.2, Net-tools-CVS_20101030, and Sysstat-12.2.0

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/OpenSSH

Installation of OpenSSH

OpenSSH runs as two processes when connecting to other computers. The first process is a privileged process and controls the issuance of privileges as necessary. The second process communicates with the network. Additional installation steps are necessary to set up the proper environment, which are performed by issuing the following commands as the root user:

install  -v -m700 -d /var/lib/sshd &&
chown    -v root:sys /var/lib/sshd &&
groupadd -g 50 sshd        &&
useradd  -c 'sshd PrivSep' \
         -d /var/lib/sshd  \
         -g sshd           \
         -s /bin/false     \
         -u 50 sshd

Install OpenSSH by running the following commands:

./configure --prefix=/usr                     \
            --sysconfdir=/etc/ssh             \
            --with-md5-passwords              \
            --with-privsep-path=/var/lib/sshd &&
make

The test suite requires an installed copy of scp to complete the multiplexing tests. To run the test suite, first copy the scp program to /usr/bin, making sure that you back up any existing copy first.

To test the results, issue: make tests.

Now, as the root user:

make install &&
install -v -m755    contrib/ssh-copy-id /usr/bin     &&
install -v -m644    contrib/ssh-copy-id.1 \
                    /usr/share/man/man1              &&
install -v -m755 -d /usr/share/doc/openssh-8.1p1     &&
install -v -m644    INSTALL LICENCE OVERVIEW README* \
                    /usr/share/doc/openssh-8.1p1

Command Explanations

--sysconfdir=/etc/ssh: This prevents the configuration files from being installed in /usr/etc.

--with-md5-passwords: This enables the use of MD5 passwords.

--with-pam: This parameter enables Linux-PAM support in the build.

--with-xauth=/usr/bin/xauth: Set the default location for the xauth binary for X authentication. Change the location if xauth will be installed to a different path. This can also be controlled from sshd_config with the XAuthLocation keyword. You can omit this switch if Xorg is already installed.

--with-kerberos5=/usr: This option is used to include Kerberos 5 support in the build.

--with-libedit: This option enables line editing and history features for sftp.

Configuring OpenSSH

         

Config Files

~/.ssh/*, /etc/ssh/ssh_config, and /etc/ssh/sshd_config

There are no required changes to any of these files. However, you may wish to view the /etc/ssh/ files and make any changes appropriate for the security of your system. One recommended change is that you disable root login via ssh. Execute the following command as the root user to disable root login via ssh:

echo "PermitRootLogin no" >> /etc/ssh/sshd_config

         

If you want to be able to log in without typing in your password, first create ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub with ssh-keygen and then copy ~/.ssh/id_rsa.pub to ~/.ssh/authorized_keys on the remote computer that you want to log into. You'll need to change REMOTE_USERNAME and REMOTE_HOSTNAME for the username and hostname of the remote computer and you'll also need to enter your password for the ssh-copy-id command to succeed:

ssh-keygen && ssh-copy-id -i ~/.ssh/id_rsa.pub REMOTE_USERNAME@REMOTE_HOSTNAME

         

Once you've got passwordless logins working it's actually more secure than logging in with a password (as the private key is much longer than most people's passwords). If you would like to now disable password logins, as the root user:

echo "PasswordAuthentication no" >> /etc/ssh/sshd_config &&
echo "ChallengeResponseAuthentication no" >> /etc/ssh/sshd_config

         

If you added Linux-PAM support and you want ssh to use it then you will need to add a configuration file for sshd and enable use of LinuxPAM. Note, ssh only uses PAM to check passwords, if you've disabled password logins these commands are not needed. If you want to use PAM, issue the following commands as the root user:

sed 's@d/login@d/sshd@g' /etc/pam.d/login > /etc/pam.d/sshd &&
chmod 644 /etc/pam.d/sshd &&
echo "UsePAM yes" >> /etc/ssh/sshd_config
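The three configuration steps above all append directives with >>, which is fine on a fresh file but has a trap: sshd uses the first occurrence of each keyword, so an appended "PermitRootLogin no" is silently ignored when an earlier "PermitRootLogin yes" line already exists (for instance one added after an upgrade, as in the first half of this post). The helper below, added here as an example and not part of the BLFS text, edits sshd_config in place: it rewrites an existing active or commented line for the keyword, drops later duplicates, and appends only when the keyword is absent. It assumes a configuration without Match blocks (a keyword inside a Match block would be collapsed too), and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the BLFS book): idempotent sshd_config editing.
# sshd honours the FIRST occurrence of a keyword, so appending with >> can be
# silently overridden by an earlier line. Assumes no Match blocks are present.

# Usage: set_sshd_option <config-file> <Keyword> <value>
# The first matching line (active or "#commented") becomes "Keyword value",
# any later matches are removed, and the directive is appended if none exists.
set_sshd_option() {
    cfg=$1; key=$2; val=$3
    tmp="$cfg.tmp.$$"
    awk -v key="$key" -v val="$val" '
        BEGIN { lk = tolower(key); done = 0 }
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)     # strip indentation and a leading "#"
            split(line, f, /[ \t=]+/)            # keyword may be followed by space or "="
            if (tolower(f[1]) == lk) {           # keywords are case-insensitive
                if (!done) { print key " " val; done = 1 }
                next                             # later occurrences are dropped
            }
            print                                # unrelated line, copied unchanged
        }
        END { if (!done) print key " " val }
    ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# Usage: effective_sshd_option <config-file> <Keyword>
# Prints the value sshd would actually use: the first active occurrence.
effective_sshd_option() {
    awk -v key="$2" '
        BEGIN { lk = tolower(key) }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line ~ /^#/ || line == "") next
            split(line, f, /[ \t=]+/)
            if (tolower(f[1]) == lk) { print f[2]; exit }
        }' "$1"
}

# Example run on a constructed copy (never edit the live file without a backup):
#   cp /etc/ssh/sshd_config /root/sshd_config.bak
#   set_sshd_option /etc/ssh/sshd_config PermitRootLogin no
#   set_sshd_option /etc/ssh/sshd_config PasswordAuthentication no
#   effective_sshd_option /etc/ssh/sshd_config PermitRootLogin   # prints "no"
#   /usr/sbin/sshd -t                                           # syntax check before restart
```

Because the helper rewrites the first occurrence rather than appending, the effective value after the call is always the one you asked for, which is what a scanner or an audit of the running daemon will report.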

         

Additional configuration information can be found in the man pages for sshd, ssh and ssh-agent.

         

Boot Script

To start the SSH server at system boot, install the /etc/rc.d/init.d/sshd init script included in the blfs-bootscripts-20191204 package.

make install-sshd

                           

Contents

Installed Programs: scp, sftp, slogin (symlink to ssh), ssh, ssh-add, ssh-agent, ssh-copy-id, ssh-keygen, ssh-keyscan, and sshd

Installed Libraries: None

Installed Directories: /etc/ssh, /usr/share/doc/openssh-8.1p1, and /var/lib/sshd

Short Descriptions

scp is a file copy program that acts like rcp except it uses an encrypted protocol.

sftp is an FTP-like program that works over the SSH1 and SSH2 protocols.

slogin is a symlink to ssh.

ssh is an rlogin/rsh-like client program except it uses an encrypted protocol.

sshd is a daemon that listens for ssh login requests.

ssh-add is a tool which adds keys to the ssh-agent.

ssh-agent is an authentication agent that can store private keys.

ssh-copy-id is a script that enables logins on a remote machine using local keys.

ssh-keygen is a key generation tool.

ssh-keyscan is a utility for gathering public host keys from a number of hosts.

Last updated on 2019-10-12 12:26:41 -0500

 
