Centos/RHEL升级openssh-8.1p1应对漏洞扫描
centos6的系统关于openssh版本太低只有openssh5.3,需要升级到最新版openssh8.1p1,
为了方便,这个制作了一个RPM版本的安装包,可以在centos6、RHEL6系统安装,确认正常。
安装方法,先下载附件中的openssh8.1p1的RPM包,执行下列命令
#: yum -y install gcc gcc-c++ zlib zlib-devel openssl openssl-devel pam-devel pam-devel rpm-build pam-devel openssl pam libedit pam-devel initscripts libXt-devel imake gtk2-devel unzip
安装依赖包,不是所有包都需要。
#: rpm -e `rpm -qa |grep openssh` --nodeps
删除旧版openssh软件包。
#: rpm -ivh *.rpm
安装所有新版openssh8.1p1安装包。
当然还有一个很重要的事情,安装好后,请修改配置文件启用root账号。
如果在升级时使用ssh远程,那么重启sshd服务会掉线,导致ssh程序没有重启完成,
所需要可以先安装好 screen程序,然后把下面的命令写到脚本里面,再执行新写的脚本文件,这样就可以正常重启ssh,
重启后,也可以正常连接ssh:
#: /etc/init.d/sshd stop 停止服务
#:/etc/init.d/sshd restart 测试重启服务。
最好远程测试下ssh是否正常登陆。
当然也可以使用以下方法编译安装Openssh8.1p1
OpenSSH-8.1p1
Introduction to OpenSSH
The OpenSSH package contains ssh clients and the sshd daemon. This is useful for encrypting authentication and subsequent traffic over a network. The ssh and scp commands are secure implementations of telnet and rcp respectively.
This package is known to build and work properly using an LFS-9.0 platform.
Package Information
-
Download (HTTP): http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.1p1.tar.gz
-
Download MD5 sum: 513694343631a99841e815306806edf0
-
Download size: 1.5 MB
-
Estimated disk space required: 45 MB (add 12 MB for tests)
-
Estimated build time: 0.4 SBU (running the tests takes 17+ minutes, irrespective of processor speed)
OpenSSH Dependencies
Optional
GDB-8.3.1 (for tests), Linux-PAM-1.3.1, X Window System, MIT Kerberos V5-1.17.1, libedit, LibreSSL Portable, OpenSC, and libsectok
Optional Runtime (Used only to gather entropy)
OpenJDK-12.0.2, Net-tools-CVS_20101030, and Sysstat-12.2.0
User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/OpenSSH
Installation of OpenSSH
OpenSSH runs as two processes when connecting to other computers. The first process is a privileged process and controls the issuance of privileges as necessary. The second process communicates with the network. Additional installation steps are necessary to set up the proper environment, which are performed by issuing the following commands as the root
user:
install -v -m700 -d /var/lib/sshd && chown -v root:sys /var/lib/sshd && groupadd -g 50 sshd && useradd -c 'sshd PrivSep' \ -d /var/lib/sshd \ -g sshd \ -s /bin/false \ -u 50 sshd
Install OpenSSH by running the following commands:
./configure --prefix=/usr \ --sysconfdir=/etc/ssh \ --with-md5-passwords \ --with-privsep-path=/var/lib/sshd && make
The testsuite requires an installed copy of scp to complete the multiplexing tests. To run the test suite, first copy the scp program to /usr/bin
, making sure that you backup any existing copy first.
To test the results, issue: make tests.
Now, as the root
user:
make install && install -v -m755 contrib/ssh-copy-id /usr/bin && install -v -m644 contrib/ssh-copy-id.1 \ /usr/share/man/man1 && install -v -m755 -d /usr/share/doc/openssh-8.1p1 && install -v -m644 INSTALL LICENCE OVERVIEW README* \ /usr/share/doc/openssh-8.1p1
Command Explanations
--sysconfdir=/etc/ssh
: This prevents the configuration files from being installed in /usr/etc
.
--with-md5-passwords
: This enables the use of MD5 passwords.
--with-pam
: This parameter enables Linux-PAM support in the build.
--with-xauth=/usr/bin/xauth
: Set the default location for the xauth binary for X authentication. Change the location if xauth will be installed to a different path. This can also be controlled from sshd_config
with the XAuthLocation keyword. You can omit this switch if Xorg is already installed.
--with-kerberos5=/usr
: This option is used to include Kerberos 5 support in the build.
--with-libedit
: This option enables line editing and history features for sftp.
Configuring OpenSSH
Config Files
~/.ssh/*
, /etc/ssh/ssh_config
, and /etc/ssh/sshd_config
There are no required changes to any of these files. However, you may wish to view the /etc/ssh/
files and make any changes appropriate for the security of your system. One recommended change is that you disable root
login via ssh. Execute the following command as the root
user to disable root
login via ssh:
echo "PermitRootLogin no" >> /etc/ssh/sshd_config
If you want to be able to log in without typing in your password, first create ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub with ssh-keygen and then copy ~/.ssh/id_rsa.pub to ~/.ssh/authorized_keys on the remote computer that you want to log into. You'll need to change REMOTE_USERNAME and REMOTE_HOSTNAME for the username and hostname of the remote computer and you'll also need to enter your password for the ssh-copy-id command to succeed:
ssh-keygen && ssh-copy-id -i ~/.ssh/id_rsa.pub REMOTE_USERNAME@REMOTE_HOSTNAME
Once you've got passwordless logins working it's actually more secure than logging in with a password (as the private key is much longer than most people's passwords). If you would like to now disable password logins, as the root
user:
echo "PasswordAuthentication no" >> /etc/ssh/sshd_config && echo "ChallengeResponseAuthentication no" >> /etc/ssh/sshd_config
If you added Linux-PAM support and you want ssh to use it then you will need to add a configuration file for sshd and enable use of LinuxPAM. Note, ssh only uses PAM to check passwords, if you've disabled password logins these commands are not needed. If you want to use PAM, issue the following commands as the root
user:
sed 's@d/login@d/sshd@g' /etc/pam.d/login > /etc/pam.d/sshd && chmod 644 /etc/pam.d/sshd && echo "UsePAM yes" >> /etc/ssh/sshd_config
Additional configuration information can be found in the man pages for sshd, ssh and ssh-agent.
Boot Script
To start the SSH server at system boot, install the /etc/rc.d/init.d/sshd
init script included in the blfs-bootscripts-20191204 package.
make install-sshd
Contents
Installed Programs: scp, sftp, slogin (symlink to ssh), ssh, ssh-add, ssh-agent, ssh-copy-id, ssh-keygen, ssh-keyscan, and sshd Installed Libraries: None Installed Directories: /etc/ssh, /usr/share/doc/openssh-8.1p1, and /var/lib/sshd
Short Descriptions
scp |
is a file copy program that acts like rcp except it uses an encrypted protocol. |
sftp |
is an FTP-like program that works over the SSH1 and SSH2 protocols. |
slogin |
is a symlink to ssh. |
ssh |
is an rlogin/rsh-like client program except it uses an encrypted protocol. |
sshd |
is a daemon that listens for ssh login requests. |
ssh-add |
is a tool which adds keys to the ssh-agent. |
ssh-agent |
is an authentication agent that can store private keys. |
ssh-copy-id |
is a script that enables logins on remote machine using local keys. |
ssh-keygen |
is a key generation tool. |
ssh-keyscan |
is a utility for gathering public host keys from a number of hosts. |
Last updated on 2019-10-12 12:26:41 -0500
目录 返回
首页