一、需求背景
项目服务器备安全扫描出SSH高危漏洞,需要升级SSH最新版本。
存在以下服务器操作系统:
[root@host-192-168-66-18 ~]# cat etc/os-releaseNAME="Kylin Linux Advanced Server"VERSION="V10 (Tercel)"ID="kylin"VERSION_ID="V10"PRETTY_NAME="Kylin Linux Advanced Server V10 (Tercel)"ANSI_COLOR="0;31"
共尝试2种安装方式。
二、采用rpm包进行升级
虽然该rpm包先生为centos 7系列,但是实际安装可以成功,并未发现明显问题。
该方式进行升级更为方便快捷,先上传rpm包。
[root@host-192-168-66-18 openssh9.7p1]# lsopenssh-9.7p1-1.el7.x86_64.rpm openssh-debuginfo-9.7p1-1.el7.x86_64.rpmopenssh-clients-9.7p1-1.el7.x86_64.rpm openssh-server-9.7p1-1.el7.x86_64.rpm
yum -y install *.rpm
systemctl restart sshd
systemctl status sshd
1、如果提示权限出错,则执行以下命令,再重启sshd服务即可:
chmod 0600 etc/ssh/ssh_host_rsa_keychmod 0600 etc/ssh/ssh_host_ecdsa_keychmod 0600 etc/ssh/ssh_host_ed25519_keychmod 0755 bin/ssh-copy-idchmod u+x etc/init.d/sshd
2、如果出现:Failed to start OpenSSH server daemon.
解决:
systemctl daemon-reload
systemctl status sshd.service
三、采用源码编译方式安装升级
脚本内容如下:update.sh
#!/bin/bash#install zlib start !!!!lujing=$(pwd)cd $lujingtar -xf zlib-1.3.1.tar.gzcd zlib-1.3.1./configure --prefix=/usr/local/zlib.1.3.1make && make test && make installll /usr/local/zlib.1.3.1/ldconfig -Vsleep 2/sbin/ldconfigsleep 2#install openssl start !!!cd $lujingtar zxf openssl-3.2.0.tar.gzcd openssl-3.2.0./config --prefix=/usr/local/openssl-3.2.0 --openssldir=/usr/sharedmake clean && make -j 4 && make install#更新函数库echo "/usr/local/openssl-3.2.0/lib" >> /etc/ld.so.confldconfigsleep 3bak_data=$(date +"%Y%m%d")mv /usr/bin/openssl /usr/bin/openssl_${bak_data}.bakln -s /usr/local/openssl-3.2.0/bin/openssl /usr/bin/opensslln -s /usr/local/openssl-3.2.0/lib64/libssl.so.3 /usr/lib64/libssl.so.3ln -s /usr/local/openssl-3.2.0/lib64/libcrypto.so.3 /usr/lib64/libcrypto.so.3openssl version -asleep 3#install opensssh start !!mkdir ~/ssh_openssh_${bak_data}_bakcp /etc/ssh/sshd_config ~/ssh_openssh_${bak_data}_bakcp /etc/pam.d/sshd ~/ssh_openssh_${bak_data}_bakrpm -e --nodeps `rpm -qa | grep openssh`# 安装OpenSSHcd $lujingtar -xf openssh-9.7p1.tar.gzcd openssh-9.7p1./configure --prefix=/usr/local/ssh --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/openssl-3.2.0 --with-zlib=/usr/local/zlib.1.3.1chmod 0600 /etc/ssh/ssh_host_rsa_keychmod 0600 /etc/ssh/ssh_host_ecdsa_keychmod 0600 /etc/ssh/ssh_host_ed25519_keymake -j 4 && make install/usr/local/ssh/bin/ssh -V# 复制新ssh文件cp -rf contrib/redhat/sshd.init /etc/init.d/sshdcp -rf contrib/redhat/sshd.pam /etc/pam.d/sshd.pamcp -rf sshd_config /etc/ssh/sshd_configcp -rf /usr/local/ssh/sbin/sshd /usr/sbin/sshdcp -rf /usr/local/ssh/bin/* /usr/bin/# 开启sshdcp -rf /usr/local/ssh/sbin/sshd /usr/sbin/sshdcp -rf /usr/local/ssh/bin/ssh /usr/bin/sshcp -rf /usr/local/ssh/bin/ssh-keygen /usr/bin/ssh-keygencp {$bak_data}/openssh-9.6p1/contrib/ssh-copy-id /bin/chmod 0755 /bin/ssh-copy-idchmod u+x /etc/init.d/sshdchkconfig --add sshdchkconfig --list | grep sshdsystemctl daemon-reloadchkconfig sshd on# 允许root登录echo "PermitRootLogin yes" >> /etc/ssh/sshd_configsed -i "/Subsystem/s/^/# /" "/etc/ssh/sshd_config"echo "Subsystem sftp /usr/local/ssh/libexec/sftp-server" >> /etc/ssh/sshd_config# 添加加密算法echo "KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1" >> /etc/ssh/sshd_configecho "HostKeyAlgorithms +ssh-rsa" >> /etc/ssh/sshd_config# 重启sshd服务/etc/init.d/sshd restart/etc/init.d/sshd status# 查看升级后ssh版本ssh -V
上传以下更新文件:
[root@KyLinux openssh]# ll总用量 20584-rw-r--r-- 1 root root 1848766 5月 16 16:47 openssh-9.7p1.tar.gz-rw-r--r-- 1 root root 17698352 5月 16 16:47 openssl-3.2.0.tar.gz-rwxrwxrwx 1 root root 2646 5月 16 16:49 update_ssh.sh-rw-r--r-- 1 root root 1512791 5月 16 16:47 zlib-1.3.1.tar.gz
执行sh update_ssh.sh脚本:
报错提示:解释器错误
[root@KyLinux openssh]# ./update_ssh.sh-bash: ./update_ssh.sh:/bin/bash^M:解释器错误: 没有那个文件或目录
原因:文件的换行符格式不正确。需要将文件的换行符从Windows格式转换为Unix格式
则执行:
yum install dos2unix
dos2unix update_ssh.sh
再次执行脚本,耐心等待,直到安装完成。
文章转载自巴韭特锁螺丝,如果涉嫌侵权,请发送邮件至:contact@modb.pro进行举报,并提供相关证据,一经查实,墨天轮将立刻删除相关内容。
