Upgrading OpenSSH on CentOS 6.5

Introduction

A vulnerability scan flagged many OpenSSH vulnerabilities; upgrading the OpenSSH version resolves them.

Current version

# ssh -V
OpenSSH_7.0p1, OpenSSL 1.0.1e-fips 11 Feb 2013

Recommended upgrade target: OpenSSH 7.9p1

Note: OpenSSH 7.9p1 requires OpenSSL >= 1.0.1 and < 1.1.0.

# Configure YUM (local CD-ROM repository)

cd /mnt
mkdir cdrom
mount -o loop -t iso9660 /dev/cdrom /mnt/cdrom/
cd /etc/yum.repos.d/
mkdir bk
mv *.repo bk
vi centos6.repo

Contents of centos6.repo:

[CentOS65]
name=CentOS65
baseurl=file:///mnt/cdrom
enabled=1
gpgcheck=0
gpgkey=file:///mnt/cdrom/RPM-GPG-KEY-CentOS-6

yum list   ## if the package list is displayed, the yum repository is working

# Install telnet and configure the service

cd /mnt/cdrom/Packages
rpm -i telnet-0.17-47.el6_3.1.x86_64.rpm
yum -y install telnet-server*

# Install and configure telnet; temporarily allow root to log in remotely over telnet so that the host stays reachable if remote ssh login fails after the upgrade
echo "Y"|/usr/bin/yum install telnet-server
/bin/sed -i 's/= yes/= no/g' /etc/xinetd.d/telnet   # "disable = no" switches the xinetd telnet service on
/etc/init.d/xinetd start
/etc/init.d/xinetd restart
mv /etc/securetty /etc/securetty.bak   # moving securetty aside lets root log in from a telnet pty

# Install build dependencies (gcc, make, perl, zlib, zlib-devel, pam, pam-devel)

find / -name zlib
yum install -y gcc openssl-devel pam-devel rpm-build tcp_wrappers-devel

# Stop the iptables firewall and disable SELinux

/etc/init.d/iptables stop
/bin/sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/sysconfig/selinux
/usr/sbin/setenforce 0

# Back up the original ssh configuration

cp -rf /etc/ssh /etc/ssh.bak

# Install and configure the new OpenSSH version

echo "Y"|/usr/bin/yum install -y gcc openssl-devel pam-devel rpm-build
cd /usr/local/src
/usr/bin/wget http://10.0.8.50/software/openssh-7.9p1.tar.gz
/bin/tar -zvxf openssh-7.9p1.tar.gz
cd /usr/local/src/openssh-7.9p1
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-md5-passwords --with-tcp-wrappers
make && make install

# uncomment PermitRootLogin so that root login over ssh stays allowed
/bin/sed -i '/^#PermitRootLogin/s/#PermitRootLogin yes/PermitRootLogin yes/' /etc/ssh/sshd_config
/bin/sed -i 's_#PermitRootLogin yes_PermitRootLogin yes_g' /etc/ssh/sshd_config

# comment out the GSSAPI options; this build was configured without Kerberos support
sed -i '/^GSSAPICleanupCredentials/s/GSSAPICleanupCredentials yes/#GSSAPICleanupCredentials yes/' /etc/ssh/sshd_config
sed -i '/^GSSAPIAuthentication/s/GSSAPIAuthentication yes/#GSSAPIAuthentication yes/' /etc/ssh/sshd_config
sed -i '/^GSSAPIAuthentication/s/GSSAPIAuthentication no/#GSSAPIAuthentication no/' /etc/ssh/sshd_config

service sshd start 
service sshd restart

# Check the installed version

/usr/bin/ssh -V

# Disable telnet remote login

vi /etc/xinetd.d/telnet

change "disable = no" back to "disable = yes"

# Disable telnet remote login (scripted)

NUM=$(/usr/sbin/lsof -i:23|wc -l)
if [ "$NUM" -ne 0 ]; then
    mv /etc/securetty.bak /etc/securetty   # restore the securetty file moved aside earlier
fi
/etc/init.d/xinetd stop
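As an added example (not from the original post), a small POSIX shell helper that checks the OpenSSL range stated in the note above before building and, after the upgrade, confirms that the temporary telnet fallback has been closed and that sshd_config holds the intended values. Function names and the `--check` flag are my own; the paths are the ones the post uses.

```sh
#!/bin/sh
# Added example, not part of the original post: pre- and post-upgrade checks
# for the procedure above. Assumed: the OpenSSL range from the note above
# (>= 1.0.1 and < 1.1.0) and the CentOS 6 paths the post uses.

# Pull "x.y.z" out of the OpenSSL part of an `ssh -V` line, e.g.
# "OpenSSH_7.0p1, OpenSSL 1.0.1e-fips 11 Feb 2013" -> "1.0.1".
openssl_version_from_ssh_v() {
    printf '%s\n' "$1" | sed -n 's/.*OpenSSL \([0-9]*\.[0-9]*\.[0-9]*\).*/\1/p'
}

# Return 0 when that OpenSSL version is in the range OpenSSH 7.9p1 needs
# (>= 1.0.1 and < 1.1.0): major 1, minor 0, patch >= 1. 1 otherwise.
openssl_ok_for_79p1() {
    ver=$(openssl_version_from_ssh_v "$1")
    [ -n "$ver" ] || return 1
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$major" -eq 1 ] && [ "$minor" -eq 0 ] && [ "$patch" -ge 1 ]
}

# Effective value of an sshd_config keyword: first uncommented match, keyword
# compared case-insensitively as sshd does. Prints nothing if unset.
sshd_config_value() {  # $1 = config file, $2 = keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
        'tolower($1) == key { print $2; exit }' "$1"
}

# Return 0 when the xinetd telnet service is off again ("disable = yes"),
# i.e. the temporary telnet fallback from the post has been closed.
telnet_disabled() {  # $1 = xinetd service file, e.g. /etc/xinetd.d/telnet
    grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$1" 2>/dev/null
}

# Report the state of everything the post changes, using the real paths.
upgrade_report() {
    v=$(ssh -V 2>&1)
    echo "ssh -V: $v"
    if openssl_ok_for_79p1 "$v"; then echo "openssl: in 7.9p1 range"; else echo "openssl: OUT of range"; fi
    echo "PermitRootLogin: $(sshd_config_value /etc/ssh/sshd_config PermitRootLogin)"
    if telnet_disabled /etc/xinetd.d/telnet; then echo "telnet: disabled"; else echo "telnet: STILL ENABLED"; fi
    if [ -e /etc/securetty ]; then echo "securetty: present"; else echo "securetty: MISSING (still moved aside?)"; fi
}

# Run the report only when invoked as: sh check.sh --check
if [ "${1:-}" = "--check" ]; then upgrade_report; fi
```

Run it once before `./configure` (the OpenSSL line) and once after `xinetd stop` (the telnet and securetty lines); any line in capitals means the step above it was not completed.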

# Other notes: related policy commands

Allow root to log in via telnet

Edit /etc/pam.d/login and comment out the following line:

vi /etc/pam.d/login

#auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
/etc/init.d/xinetd restart

Configure /etc/securetty (add pts/1 through pts/11 as terminals root may log in from)

cp /etc/securetty /etc/securetty.bak

for n in 1 2 3 4 5 6 7 8 9 10 11; do
    echo "pts/$n" >> /etc/securetty
done

Troubleshooting

1. Error message
checking whether OpenSSL's headers match the library... no
configure: error: Your OpenSSL headers do not match your library. Check config.log for details.

Cause:
when configuring, --with-ssl-dir must point at the current OpenSSL installation path, /usr/local/ssl
on a 32-bit system the location may differ: /usr/local/ssl/lib/
Fix:
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/ssl --with-zlib --with-pam --with-md5-passwords --with-kerberos5 --without-zlib-version-check

2. Error message
无法开启 /var/lib/rpm 的套件资料库
rpmdb: unable to join the environment
Fix:
1. kill any running rpm processes
2. rm -f /var/lib/rpm/__db.*
3. rpm --rebuilddb
4. add --nodeps to the rpm command
