Requirement:
A vulnerability scan flagged the installed OpenSSH, so for security reasons openssh_7.1p1 must be upgraded to openssh_7.4p1.
The steps are as follows:
1. Download the packages:
Building openssh depends on zlib and openssl, so download those as well.
Note: the latest openssh release, 7.4p1, depends on openssl 1.0.2k, not on the latest openssl 1.1.0e (using that version makes the upgrade fail).
Official sites:
http://www.zlib.net
http://www.openssl.org
http://www.openssl.org
Packages downloaded:
openssh-7.4p1.tar.gz
openssl-1.0.2k.tar.gz
zlib-1.2.11.tar.gz
2. Check the versions currently installed on the system
# ssh -V
# rpm -qa zlib
# openssl version
3. Configure a local yum repository
# vim /etc/fstab
/mnt/rhel-server-6.8-x86_64-dvd.iso /media/RedHat-6.8-x86_64-DVD iso9660 loop 0 0
# vim /etc/yum.repos.d/rhel-6.8-media.repo
[RedHat-6.8-Media]
name=Red Hat Enterprise Linux $releasever - $basearch - Media
baseurl=file:///media/RedHat-6.8-x86_64-DVD
enabled=1
gpgcheck=0
gpgkey=file:///media/RedHat-6.8-x86_64-DVD/RPM-GPG-KEY-redhat-release
# mount /media/RedHat-6.8-x86_64-DVD
4. Install telnet and start the telnet service
During the upgrade openssh has to be removed, so to avoid losing access to the host a telnet channel must be opened first.
# Install telnet with yum
# yum -y install telnet-server*
# Stop the firewall first, otherwise telnet may not be able to connect
# service iptables stop
# chkconfig iptables off
# Edit /etc/xinetd.d/telnet to enable the telnet service
# vim /etc/xinetd.d/telnet
    change the disable value: yes ----> no
# Allow the root user to log in over telnet
# mv /etc/securetty /etc/securetty.old
# Start the telnet service
# service xinetd start
# Make the telnet service start at boot
# chkconfig xinetd on
# Verify telnet login
# telnet x.x.x.x
5. Install the build tool packages
# yum install gcc pam-devel zlib-devel -y
6. Upgrade zlib
# tar -zxvf zlib-1.2.11.tar.gz
# cd zlib-1.2.11
# ./configure --prefix=/usr
# make
# Note: the current zlib must be uninstalled at this point (keep strictly to this order, otherwise the modules under lib64 that depend on it are lost)
# rpm -e --nodeps zlib
# make install
# Register the shared library directory with the system
# echo '/usr/lib' >> /etc/ld.so.conf
# Refresh the shared library cache
# ldconfig
7. Upgrade openssl
# Back up the current openssl
# mv /usr/lib64/openssl /usr/lib64/openssl.old
# mv /usr/bin/openssl /usr/bin/openssl.old
# mv /etc/pki/ca-trust/extracted/openssl /etc/pki/ca-trust/extracted/openssl.old
# The following two libraries must be backed up first: some system tools (yum, wget, etc.) depend on them and the new OpenSSL does not provide them
# cp /usr/lib64/libcrypto.so.10 /usr/lib64/libcrypto.so.10.old
# cp /usr/lib64/libssl.so.10 /usr/lib64/libssl.so.10.old
# Uninstall the current openssl
# rpm -qa |grep openssl|xargs -i rpm -e --nodeps {}
# Install openssl
# tar -zxvf openssl-1.0.2k.tar.gz
# cd openssl-1.0.2k
# --shared is required; without it the build fails because the newly installed openssl libraries cannot be found
# ./config --prefix=/usr/local/ssl --openssldir=/etc/ssl --shared zlib
# make
# make test
# make install
# Verify
# openssl version -a
# Restore the backed-up shared libraries
# mv /usr/lib64/libcrypto.so.10.old /usr/lib64/libcrypto.so.10
# mv /usr/lib64/libssl.so.10.old /usr/lib64/libssl.so.10
8. Upgrade openssh
# Back up the current openssh
# mv /etc/ssh /etc/ssh.old
# Uninstall the current openssh
# List the installed openssh packages
# rpm -qa | grep openssh
# Remove them
# rpm -qa |grep openssh|xargs -i rpm -e --nodeps {}
# Pre-install environment setup (make sure every command here succeeds)
# install -v -m700 -d /var/lib/sshd
# chown -v root:sys /var/lib/sshd
# groupadd -g 51 sshd
# useradd -c 'sshd PrivSep' -d /var/lib/sshd -g sshd -s /bin/false -u 51 sshd
# Install openssh_7.4p1 from source
# tar -zxvf openssh-7.4p1.tar.gz
# cd openssh-7.4p1
# Pay close attention to the configure options and the paths they reference
# ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-zlib --with-ssl-dir=/usr/local/ssl --with-privsep-path=/var/lib/sshd
# make
# make install
# Post-install environment setup
# install -v -m755 contrib/ssh-copy-id /usr/bin
# install -v -m644 contrib/ssh-copy-id.1 /usr/share/man/man1
# install -v -m755 -d /usr/share/doc/openssh-7.4p1
# install -v -m644 INSTALL LICENCE OVERVIEW README* /usr/share/doc/openssh-7.4p1
# Verify that the upgrade succeeded
# ssh -V
# Start the openssh service
# echo 'X11Forwarding yes' >> /etc/ssh/sshd_config
# Allow the root user to log in over ssh
# echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
# cp -p contrib/redhat/sshd.init /etc/init.d/sshd
# chmod +x /etc/init.d/sshd
# chkconfig --add sshd
# chkconfig sshd on
# chkconfig --list sshd
# Note: the ssh session is dropped when openssh restarts
# service sshd restart
# So log in over telnet and run the sshd restart from there
# telnet x.x.x.x
# service sshd restart
# Undo the pre-upgrade preparations
# mv /etc/securetty.old /etc/securetty
# chkconfig xinetd off
# service xinetd stop
# Re-enable the firewall if needed
# service iptables start
# chkconfig iptables on
# To restore the pre-upgrade ssh configuration, simply delete the upgraded configuration (skip this if you do not want to restore it)
# rm -rf /etc/ssh
# mv /etc/ssh.old /etc/ssh
# (if needed) finally, reconfigure ssh trust between the hosts
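A post-upgrade check for the procedure above, added here as an example and not part of the original post: it parses the `ssh -V` string to confirm the 7.4p1 target was reached and flags the temporary settings the steps enable (PermitRootLogin yes, telnet via xinetd) so they are not left behind. The function names and the sample strings are constructed for this example.

```sh
#!/bin/sh
# Added post-upgrade checks for the upgrade procedure (example code, not
# from the original post). Inputs are passed as strings so the functions
# can be fed real "ssh -V" output or constructed samples.

# Extract the portable version ("7.4p1") from `ssh -V` output.
# Note: ssh -V prints to stderr, so call it as: openssh_version "$(ssh -V 2>&1)"
openssh_version() {
  printf '%s\n' "$1" |
    sed -n 's/^OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*p[0-9][0-9]*\).*/\1/p'
}

# Return 0 if portable version $1 is at least $2 (e.g. 7.4p1 >= 7.1p1).
# Fields are compared numerically, so 7.10p1 correctly sorts above 7.4p1.
openssh_version_ge() {
  a_major=${1%%.*}; rest=${1#*.}; a_minor=${rest%%p*}; a_patch=${rest#*p}
  b_major=${2%%.*}; rest=${2#*.}; b_minor=${rest%%p*}; b_patch=${rest#*p}
  [ "$a_major" -gt "$b_major" ] && return 0
  [ "$a_major" -lt "$b_major" ] && return 1
  [ "$a_minor" -gt "$b_minor" ] && return 0
  [ "$a_minor" -lt "$b_minor" ] && return 1
  [ "$a_patch" -ge "$b_patch" ]
}

# List the temporary settings the upgrade steps enable that should be
# reverted once the new sshd is confirmed working. $1 is the text of
# sshd_config, $2 the text of /etc/xinetd.d/telnet (may be empty).
# Prints the findings space-separated on one line; an empty line means clean.
leftover_findings() {
  findings=""
  if printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*PermitRootLogin[[:space:]]+yes'; then
    findings="$findings PermitRootLogin=yes"
  fi
  if printf '%s\n' "$2" | grep -Eiq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*no'; then
    findings="$findings telnet-enabled"
  fi
  printf '%s\n' "${findings# }"
}

# Usage on the upgraded host:
#   openssh_version_ge "$(openssh_version "$(ssh -V 2>&1)")" 7.4p1 && echo "upgrade OK"
#   leftover_findings "$(cat /etc/ssh/sshd_config)" "$(cat /etc/xinetd.d/telnet 2>/dev/null)"
```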