前言:因第三方软件安全扫描报告 ssh 存在漏洞,此次需将 openssh 升级至 OpenSSH_7.5p1。注意:此类扫描器多按版本号判断,而 CentOS 自带的 openssh-6.6.1p1-35.el7_3 已回补了大部分已知 CVE;源码编译升级后 yum 将不再为 openssh 提供安全更新,后续需自行跟踪 OpenSSH 的安全公告并重复本流程。
操作系统版本
[root@fbtest ~]# uname -a
Linux fbtest.gdccs.com.cn 3.10.0-514.el7.x86_64 #1 SMP Tue Nov 22 16:42:41 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
[root@fbtest ~]# cat /etc/redhat-release
CentOS Linux release 7.3.1611 (Core)
[root@fbtest ~]#
验证现有版本
[root@fbtest home]# ssh -V
OpenSSH_6.6.1p1, OpenSSL 1.0.1e-fips 11 Feb 2013
[root@fbtest home]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
[root@fbtest home]# rpm -q zlib
zlib-1.2.7-17.el7.x86_64
[root@fbtest home]# rpm -qa | grep openssl
openssl-libs-1.0.1e-60.el7_3.1.x86_64
openssl-1.0.1e-60.el7_3.1.x86_64
注 官方链接地址:http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/INSTALL
[root@fbtest home]# rpm -qa | grep openssh
openssh-server-6.6.1p1-35.el7_3.x86_64
openssh-6.6.1p1-35.el7_3.x86_64
openssh-clients-6.6.1p1-35.el7_3.x86_64
[root@fbtest home]#
下载最新的openssh软件
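# Download the 7.5p1 release tarball from the official OpenSSH portable
# directory (the same directory as the INSTALL link quoted above); the
# original text omitted the URL entirely.
wget http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.5p1.tar.gz
# The mirror is plain HTTP and this tarball is the trust root of the whole
# upgrade, so verify the detached PGP signature before building.  The release
# signing key is published alongside the releases (RELEASE_KEY.asc in the
# OpenSSH directory); import it once with 'gpg --import RELEASE_KEY.asc'.
wget http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.5p1.tar.gz.asc
gpg --verify openssh-7.5p1.tar.gz.asc openssh-7.5p1.tar.gz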
安装辅助包
# Build-time dependencies for the contrib/redhat spec: the rpm toolchain,
# a C compiler, and the -devel packages for OpenSSL, Kerberos, PAM and X11
# (the askpass helpers are disabled in the spec below, but the spec still
# lists the X11 headers as build requirements).
yum install \
  rpm-build gcc make wget \
  openssl-devel krb5-devel pam-devel \
  libX11-devel xmkmf libXt-devel
创建对应目录
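# Lay out the rpmbuild tree.  The spec file is taken from the extracted
# source tree, so unpack the (already verified) tarball first -- the original
# steps copied from ./openssh-7.5p1/ without ever extracting it.
tar -xzf openssh-7.5p1.tar.gz
mkdir -p /root/rpmbuild/{SOURCES,SPECS}
cp ./openssh-7.5p1/contrib/redhat/openssh.spec /root/rpmbuild/SPECS/
cp openssh-7.5p1.tar.gz /root/rpmbuild/SOURCES/
# The sed edits that follow operate on openssh.spec relative to the current
# directory, so do not continue if the cd fails.
cd /root/rpmbuild/SPECS/ || exit 1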
修改openssh.spec文件
# Adjust the upstream spec for this host in one pass:
#  - disable the GNOME and X11 ssh-askpass sub-packages (no desktop here),
#  - replace the obsolete BuildPreReq tag with BuildRequires, which the
#    rpm-build on CentOS 7 expects.
sed -i \
  -e 's/%define no_gnome_askpass 0/%define no_gnome_askpass 1/g' \
  -e 's/%define no_x11_askpass 0/%define no_x11_askpass 1/g' \
  -e 's/BuildPreReq/BuildRequires/g' \
  openssh.spec
生成RPM文件
rpmbuild -bb openssh.spec
查看生成的RPM文件(rpmbuild -bb 会把生成的二进制包放到 /root/rpmbuild/RPMS/x86_64/ 下)
[root@fbtest SPECS]# cd /root/rpmbuild/RPMS/x86_64/
[root@fbtest x86_64]# ll
total 1320
-rw-r--r--. 1 root root 470800 Jun 29 18:18 openssh-7.5p1-1.x86_64.rpm
-rw-r--r--. 1 root root 490688 Jun 29 18:18 openssh-clients-7.5p1-1.x86_64.rpm
-rw-r--r--. 1 root root 16992 Jun 29 18:18 openssh-debuginfo-7.5p1-1.x86_64.rpm
-rw-r--r--. 1 root root 367472 Jun 29 18:18 openssh-server-7.5p1-1.x86_64.rpm
升级
升级前需确保如下几点:
1、/etc/ssh目录下需有ssh_host_key和ssh_host_key.pub两个文件(这是SSH-1协议的主机密钥;OpenSSH 7.4起sshd已不再支持SSH-1,此处仅为满足rpm脚本的文件检查)。若没有这两个文件,可从旧版本的/etc/ssh目录下拷贝,本次是从openssh5.3的版本将这两个文件拷贝过来的(不拷贝会提示找不到ssh_host_key文件,造成ssh无法远程登陆主机)。注意:若是从其他主机拷贝,只拷贝这两个SSH-1文件,切勿把对方的SSH-2主机私钥(ssh_host_rsa_key、ssh_host_ecdsa_key、ssh_host_ed25519_key)复制到本机;拷贝后的私钥文件权限应保持0600。
2、不要卸载旧版本的ssh,以免升级不成功造成无法登陆;升级时使用 -Uvh(更新)参数,不要使用 -ivh(安装)参数。另外,升级及重启sshd期间务必保留当前已登录的会话(或console/带外管理通道),待用新开的会话确认能正常登录后再退出。
开始升级:
[root@fbtest x86_64]# rpm -Uvh *.rpm
Preparing... ################################# [100%]
Updating / installing...
1:openssh-7.5p1-1 ################################# [ 14%]
2:openssh-clients-7.5p1-1 ################################# [ 29%]
3:openssh-server-7.5p1-1 ################################# [ 43%]
4:openssh-debuginfo-7.5p1-1 ################################# [ 57%]
Cleaning up / removing...
5:openssh-server-6.6.1p1-31.el7 ################################# [ 71%]
6:openssh-clients-6.6.1p1-31.el7 ################################# [ 86%]
7:openssh-6.6.1p1-31.el7 ################################# [100%]
[root@fbtest x86_64]#
查看是否升级成功
[root@fbtest x86_64]# ssh -V
OpenSSH_7.5p1, OpenSSL 1.0.1e-fips 11 Feb 2013
[root@fbtest x86_64]# rpm -qa | grep openssh
openssh-debuginfo-7.5p1-1.x86_64
openssh-7.5p1-1.x86_64
openssh-server-7.5p1-1.x86_64
openssh-clients-7.5p1-1.x86_64
[root@fbtest x86_64]#
报错解决情况
若使用 systemctl status sshd -l 查看到 0640 告警(主机私钥权限过宽,sshd会拒绝加载该密钥),则需修改/etc/ssh目录下对应私钥文件的权限,命令如下: chmod 0600 /etc/ssh/ssh*key (该通配只匹配私钥文件,不会改动 *.pub 公钥的权限)
相关报错信息:
若root用户无法登陆(OpenSSH 7.0起 PermitRootLogin 的默认值为 prohibit-password,即只允许root使用密钥登录),则需修改/etc/ssh/sshd_config文件,在文件末尾添加:
PermitRootLogin yes
安全提示:PermitRootLogin yes 会重新开放root口令登录,等于撤销了新版本的加固默认值;若root可用密钥登录,应保留 prohibit-password(或改用普通账号+sudo),仅在确实需要root口令登录时才设为 yes。另外 sshd_config 以首个匹配项为准,若文件中已有未注释的 PermitRootLogin 行,应直接修改该行而不是在末尾追加。
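# Recovery path when root cannot log in after the upgrade: set the current
# sshd_config aside, let the new rpm lay down its packaged default, then
# re-enable root login.  The original text had these four commands fused
# onto one line.
#
# NOTE: moving sshd_config away discards every site-specific setting it held
# (AllowUsers, Ciphers/MACs, PasswordAuthentication ...).  Diff the backup
# against the new file afterwards and re-apply what is still needed.
mv /etc/ssh/sshd_config /etc/ssh/sshd_configbak
# The rpms were built into /root/rpmbuild (see the rpmbuild steps above); the
# original text pointed at /opt/rpmbuild, which this walkthrough never creates.
# --replacepkgs is needed because the 7.5p1 packages are already installed at
# this point (see the rpm -qa output above): without it rpm refuses an -U to
# the same version and no sshd_config is written.
cd /root/rpmbuild/RPMS/x86_64/ && rpm -Uvh --replacepkgs *.rpm
# SECURITY: 'yes' re-enables root password logins, undoing the 7.x default of
# prohibit-password.  Prefer prohibit-password (key-only root) or a normal
# account plus sudo; use 'yes' only if root password login is really required.
# sshd_config is first-match-wins, so appending only takes effect if no earlier
# uncommented PermitRootLogin line exists in the file.
sed -i '$a\PermitRootLogin yes' /etc/ssh/sshd_config
# Validate the config before restarting: restarting sshd on a broken
# sshd_config locks you out of the host.  Keep the current session open and
# confirm a fresh login works before closing it.
sshd -t && service sshd restart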