redhat6.4升級openssh至6.7

時間 2019-12-13

標籤 redhat6.4 redhat 升級 openssh 6.7 欄目 Linux 简体版

原文原文鏈接

1：簡介node

最近浙江電信對線上服務器進行漏洞掃描，暴露出原有的openssh有漏洞，建議升級openssh版本；

2：操做環境

Red Hat Enterprise Linux Server release 6.4

3：所需軟件包

（1）gcc zlib zlib-devel make pam pam-devel (升級過程當中所需依賴包)

（2）dropbear-2014.66.tar.bz2（代替原有用pm包安裝openssh環境）

（3）openssh-6.7.tar.gz（升級的軟件包）

4：操做過程

（1）安裝dropbear包代替openssh

[root@localhost ~]#tar -xvf dropbear-2014.66.tar.bz2

[root@localhost ~]# cd dropbear-2014.66
[root@localhost dropbear-2014.66]#./configure --prefix=/usr/local/dropbear
[root@localhost dropbear-2014.66]# make
[root@localhost dropbear-2014.66]#make install

[root@localhost ~]# mkdir /etc/dropbear
[root@localhost ~]#/usr/local/dropbear/bin/dropbearkey -t rsa -s 2048 -f /etc/dropbear/dropbear_rsa_host_key
Generating key, this may take a while...
Public key portion is:
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCCBQJeoEhvNKkoEO3Y43++TOJl6dneodImEqnfyrfeFpjPQatYH5aQTxghO71KptR5pWYitdRarUcBJGw1fKsfhpwa6is6n6/YyQ2VljqFV+2caHSM3MxmPUHx+A6fzBbvw8u9kDFBz22xXKKSeNpmUyzqvXw8xxt2iu24kkvUYfGfxcHUyauFyiwEDBtz3JbfxlNpTO7eggMi0FT1Q8ndpgf2rg1FbflPweYjjuEtJwqEP6z0CHBsK5/KOAeanlhrkGiJ7EtyP19JxLinNWQeenknERA9IOWox928BjE3ZQ8Fa3JqAQg/w9jNNaugTgxedeLxn897DQBe9lgaatwR root@localhost.localdomain
Fingerprint: md5 dd:75:10:cf:a0:0f:19:96:bd:49:69:05:ab:d6:d6:51

[root@localhost ~]# /usr/local/dropbear/sbin/dropbear -p 1213
[root@localhost ~]# netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      809/rpcbind
tcp        0      0 192.168.122.1:53            0.0.0.0:*                   LISTEN      1281/dnsmasq
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1651/sshd
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      1123/master
tcp        0      0 0.0.0.0:1213                0.0.0.0:*                   LISTEN      8037/dropbear
tcp        0      0 0.0.0.0:40328               0.0.0.0:*                   LISTEN      827/rpc.statd
tcp        0      0 :::111                      :::*                        LISTEN      809/rpcbind
tcp        0      0 :::59889                    :::*                        LISTEN      827/rpc.statd
tcp        0      0 :::22                       :::*                        LISTEN      1651/sshd
tcp        0      0 ::1:25                      :::*                        LISTEN      1123/master
tcp        0      0 :::1213                     :::*                        LISTEN      8037/dropbear
tcp        0      0 :::3306                     :::*                        LISTEN      14315/mysqld
udp        0      0 0.0.0.0:1003                0.0.0.0:*                               827/rpc.statd
udp        0      0 0.0.0.0:111                 0.0.0.0:*                               809/rpcbind
udp        0      0 0.0.0.0:38790               0.0.0.0:*                               827/rpc.statd
udp        0      0 192.168.122.1:53            0.0.0.0:*                               1281/dnsmasq
udp        0      0 0.0.0.0:67                  0.0.0.0:*                               1281/dnsmasq
udp        0      0 0.0.0.0:984                 0.0.0.0:*                               809/rpcbind
udp        0      0 :::111                      :::*                                    809/rpcbind
udp        0      0 :::40854                    :::*                                    827/rpc.statd
udp        0      0 :::984                      :::*                                    809/rpcbind

注：以上操做，已經作到替代原有的openssh軟件，還須要注意的是關閉防火牆；或者放行1213端口，該端口是咱們任意指定；

5：dropbear環境測試

操做方法：

登錄別的主機對該主機進行ssh登錄

[root@localhost ~]# ssh -p1213 192.168.10.120

The authenticity of host '192.168.10.120 (192.168.10.120)' can't be established.
RSA key fingerprint is 46:de:1b:14:42:5d:83:56:d6:29:15:13:c2:b2:d6:05.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.10.120' (RSA) to the list of known hosts.
root@192.168.10.120's password:
Last login: Tue Feb 3 10:18:15 2015 from 192.168.10.130

說明：測試主機地址：192.168.10.130，升級主機地址：192.168.10.120

6：升級openssh

（1）操做步驟

[root@localhost ~]# mv /etc/ssh /etc/ssh.bak
[root@localhost ~]# rpm -qa |grep openssh
openssh-server-5.3p1-84.1.el6.x86_64
openssh-5.3p1-84.1.el6.x86_64
openssh-clients-5.3p1-84.1.el6.x86_64
[root@localhost ~]# rpm -e --nodeps `rpm -qa |grep openssh`
[root@localhost ~]# tar -xvf openssh-6.7p1.tar.gz
[root@localhost openssh-6.7p1]# ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-md5-passwords
[root@localhost openssh-6.7p1]#make
[root@localhost openssh-6.7p1]#make install
[root@localhost ~]# /usr/sbin/sshd -t -f /etc/ssh/sshd_config
[root@localhost openssh-6.7p1]# ssh -V
OpenSSH_6.7p1, OpenSSL 1.0.0-fips 29 Mar 2010
[root@localhost openssh-6.7p1]# cp contrib/redhat/sshd.init /etc/init.d/sshd
[root@localhost openssh-6.7p1]# /etc/init.d/sshd start
[root@localhost ~]# killall dropbear
[root@localhost ~]# netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      809/rpcbind
tcp        0      0 192.168.122.1:53            0.0.0.0:*                   LISTEN      1281/dnsmasq
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      20720/sshd
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      1123/master
tcp        0      0 0.0.0.0:40328               0.0.0.0:*                   LISTEN      827/rpc.statd
tcp        0      0 :::111                      :::*                        LISTEN      809/rpcbind
tcp        0      0 :::59889                    :::*                        LISTEN      827/rpc.statd
tcp        0      0 :::22                       :::*                        LISTEN      20720/sshd
tcp        0      0 ::1:25                      :::*                        LISTEN      1123/master
tcp        0      0 :::3306                     :::*                        LISTEN      14315/mysqld
udp        0      0 0.0.0.0:1003                0.0.0.0:*                               827/rpc.statd
udp        0      0 0.0.0.0:111                 0.0.0.0:*                               809/rpcbind
udp        0      0 0.0.0.0:38790               0.0.0.0:*                               827/rpc.statd
udp        0      0 192.168.122.1:53            0.0.0.0:*                               1281/dnsmasq
udp        0      0 0.0.0.0:67                  0.0.0.0:*                               1281/dnsmasq
udp        0      0 0.0.0.0:984                 0.0.0.0:*                               809/rpcbind
udp        0      0 :::111                      :::*                                    809/rpcbind
udp        0      0 :::40854                    :::*                                    827/rpc.statd
udp        0      0 :::984                      :::*                                    809/rpcbind
[root@localhost openssh-6.7p1]# /etc/init.d/sshd start
/sbin/restorecon: lstat(/etc/ssh/ssh_host_ecdsa_key.pub) failed: No such file or directory
Starting sshd:[ OK ]
[root@localhost openssh-6.7p1]# service sshd start
/sbin/restorecon: lstat(/etc/ssh/ssh_host_ecdsa_key.pub) failed: No such file or directory
Starting sshd:[ OK ]
[root@localhost openssh-6.7p1]# service sshd status
sshd (pid 20720) is running...
[root@localhost openssh-6.7p1]# chkconfig --add sshd
[root@localhost openssh-6.7p1]# chkconfig --list sshd
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off

7：考慮到主機以前使用ssh互信，升級完成後原來生成的公鑰將會失效，須要採用升級包中的工具從新生成公鑰，操做步驟以下：

7.1：生成公私祕鑰
[root@oracle openssh-7.1p1]#pwd
/root/openssh-7.1p1
[root@oracle openssh-7.1p1]#./ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
SHA256:2ErdCAuGntgVI7+Xx76hDrer1obSRVuoEznksksTDJk root@oracle
The key's randomart image is:
+---[RSA 2048]----+
| o. o            |
|E +.o           |
| o.o=...         |
| +++=ooO.o       |
|. ++.=*oS .      |
| + ooo+         |
| . +.=o o        |
| o +ooo o       |
|   o.+=..        |
+----[SHA256]-----+
注：執行這個命令的時候，不須要填寫任何的東西，「Enter」就好，完成之後會在「/root/.ssh」目錄下生成兩個文件id_rsa，id_rsa.pub；
7.2：生成「authorized_keys」文件；
[root@oracle .ssh]#cat id_rsa.pub >> authorized_keys

注：須要互通的主機之間，都想要對方的公鑰，相互拷入便可；

7.3：重啓sshd服務

service sshd restart

但願瀆者多提意見，

聯繫方式QQ:1486483698

QQ交流羣：431392633