因爲客戶服務器的OpenSSH被檢查出高危漏洞(用戶枚舉漏洞,CVE-2018-15473),所以需要對OpenSSH進行升級。客戶的服務器是內網服務器,只能進行離線升級,不能用yum在線更新。升級前可先確認發行版官方的openssh包是否已經回補(backport)了該漏洞的修復,因爲掃描器往往只依據版本號判斷。
離線包準備
因爲依賴包太多,不容易在網上把版本對應的依賴全部找齊,所以推薦用一臺測試服務器(系統版本和架構應與目標服務器一致),通過yum緩存安裝包。
yum緩存包
修改yum配置文件
# Open the yum main configuration file in an editor to enable the package cache.
vi /etc/yum.conf
修改配置緩存
# Directory in which yum stores downloaded packages.
cachedir=/var/cache/yum/$basearch/$releasever
# 0 = do not keep downloaded packages, 1 = keep them in the cache directory.
keepcache=1
修改完配置後,直接用yum安裝gcc、openssl-devel、pam,然後到緩存包路徑下導出全部離線包。注意:openssl、openssh、perl5用的是源碼安裝。離線包和源碼包拷入內網之前,建議核對其校驗值或簽名。
安裝gcc
一、安裝kernel-headers
# Step 1 of the gcc prerequisites: kernel-headers, installed from the cached
# RPM in the current directory (-i install, -v verbose, -h hash-mark progress).
# The file was carried in by hand rather than fetched by yum, so check it
# first with `rpm -K <package>.rpm`.
rpm -ivh kernel-headers-3.10.0-1127.18.2.el7.x86_64.rpm
二、安裝glibc-headers
# Step 2: glibc-headers (C library header files), following the page's order
# after kernel-headers.
rpm -ivh glibc-headers-2.17-307.el7.1.x86_64.rpm
三、安裝glibc-devel
# Step 3: glibc-devel (C library development files); same version string as
# the glibc-headers package installed in the previous step.
rpm -ivh glibc-devel-2.17-307.el7.1.x86_64.rpm
四、安裝mpfr
# Step 4: mpfr (multiple-precision floating-point library), listed by the page
# as a gcc prerequisite.
rpm -ivh mpfr-3.1.1-4.el7.x86_64.rpm
五、安裝libmpc
# Step 5: libmpc (complex-number arithmetic library), installed after mpfr in
# the page's order.
rpm -ivh libmpc-1.0.1-3.el7.x86_64.rpm
六、安裝cpp
# Step 6: cpp (the C preprocessor); its version matches the gcc package
# installed in the next step.
rpm -ivh cpp-4.8.5-39.el7.x86_64.rpm
七、安裝gcc
# Step 7: gcc itself, installed last once the packages from steps 1-6 are in
# place.
rpm -ivh gcc-4.8.5-39.el7.x86_64.rpm
安裝perl5
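# Build Perl 5.30.1 from source and install it under $HOME/localperl.
# The steps are chained with && so that a failure (for example in `make test`)
# stops the sequence instead of installing a broken build.
# NOTE(review): $HOME/localperl/bin is not on PATH by default, so later builds
# will presumably still pick up the system perl unless PATH is adjusted -
# confirm whether this step is needed on the target host.

# Unpack the source tarball.
tar -xvf perl-5.30.1.tar.gz &&
  # Enter the unpacked directory.
  cd perl-5.30.1/ &&
  # Configure with defaults (-des) and a private install prefix.
  ./Configure -des -Dprefix="$HOME/localperl" &&
  # Compile.
  make &&
  # Run the test suite.
  make test &&
  # Install into the prefix.
  make install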
安裝OpenSSL
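# Build OpenSSL 1.1.1c from source and install it side by side with the
# distribution's OpenSSL packages.
#
# Differences from the original listing, and why:
#  * The distribution's packages are no longer removed with
#    `rpm -e --nodeps` on everything matching "openssl". That pattern also
#    matches the shared-library package, and other system tools are linked
#    against libssl.so.10 / libcrypto.so.10.
#  * libssl.so.10 / libcrypto.so.10 are no longer symlinked to the 1.1 libraries.
#    The 1.0.x and 1.1.x ABIs differ, so programs built against .so.10 cannot
#    safely load a 1.1 library under that name.
#  * Nothing in /usr/bin, /usr/lib64 or /usr/include points into the build tree
#    any more; the original also linked the `openssl` binary to
#    /usr/include/openssl, where a header directory is expected.
#  * The loader path is written to its own file with `>`, so re-running the
#    steps does not append duplicate lines to /etc/ld.so.conf.
#
# Before unpacking, compare the tarball's checksum with the value published by
# the OpenSSL project, e.g. `sha256sum openssl-1.1.1c.tar.gz` against
# <PUBLISHED_SHA256>. 1.1.1c is not the last release of the 1.1.1 series;
# prefer the newest release you are able to bring into the network.

# Unpack the source and enter the directory.
tar -xvf openssl-1.1.1c.tar.gz &&
  cd openssl-1.1.1c &&
  # Configure a shared-library build; the prefix and library directory are
  # spelled out so the loader path below is known to be correct.
  ./config shared --prefix=/usr/local --openssldir=/usr/local/ssl --libdir=lib64 &&
  # Compile and install.
  make &&
  make install &&
  # Register the new library directory with the dynamic loader and refresh
  # the cache.
  printf '%s\n' /usr/local/lib64 > /etc/ld.so.conf.d/openssl-1.1.1c.conf &&
  ldconfig &&
  # Show the version of the newly installed binary (the distribution's
  # /usr/bin/openssl is left in place).
  /usr/local/bin/openssl version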
安裝openssl-devel
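# Install openssl-devel together with the packages cached alongside it.
#
# All files are handed to rpm in ONE transaction so that rpm orders them by
# dependency itself. The original one-by-one list placed libkadm5 and
# krb5-devel before krb5-libs, so "install in order" depends on what happens
# to be installed already. -U (install or upgrade) replaces -i because several
# of these packages (libselinux, libcom_err, krb5-libs, ...) are presumably
# already present on the target in an older build.
#
# `rpm -K` checks digests and signatures first; the packages were copied in by
# hand. If it reports missing keys, import the vendor key with `rpm --import`
# (on CentOS 7 it normally ships as /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7).
#
# NOTE(review): openssl-devel here is 1.0.2k and needs the matching 1.0.2k
# runtime library package to be installed. If OpenSSH is meant to link against
# a separately built OpenSSL 1.1.1c, make sure its configure step picks up the
# 1.1.1c headers rather than /usr/include/openssl - confirm.
pkgs=(
  e2fsprogs-1.42.9-17.el7.x86_64.rpm
  e2fsprogs-libs-1.42.9-17.el7.x86_64.rpm
  keyutils-libs-devel-1.5.8-3.el7.x86_64.rpm
  libcom_err-1.42.9-17.el7.x86_64.rpm
  libcom_err-devel-1.42.9-17.el7.x86_64.rpm
  libkadm5-1.15.1-46.el7.x86_64.rpm
  libsepol-devel-2.5-10.el7.x86_64.rpm
  libss-1.42.9-17.el7.x86_64.rpm
  libverto-devel-0.2.5-4.el7.x86_64.rpm
  libselinux-2.5-15.el7.x86_64.rpm
  libselinux-utils-2.5-15.el7.x86_64.rpm
  libselinux-python-2.5-15.el7.x86_64.rpm
  pcre-devel-8.32-17.el7.x86_64.rpm
  libselinux-devel-2.5-15.el7.x86_64.rpm
  krb5-devel-1.15.1-46.el7.x86_64.rpm
  krb5-libs-1.15.1-46.el7.x86_64.rpm
  zlib-devel-1.2.7-18.el7.x86_64.rpm
  openssl-devel-1.0.2k-19.el7.x86_64.rpm
)
rpm -K "${pkgs[@]}" && rpm -Uvh "${pkgs[@]}"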
安裝pam
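# Install pam and pam-devel in a single rpm transaction.
# The original line ran two rpm commands together, so the second "rpm -ivh"
# was passed to the first as file names. pam-devel has the same version string
# as pam, so both go in together. -U (install or upgrade) is used because a pam
# package is presumably already installed on the target.
rpm -Uvh pam-1.1.8-23.el7.x86_64.rpm pam-devel-1.1.8-23.el7.x86_64.rpm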
安裝OpenSSH
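# Replace the packaged OpenSSH with a build from source.
#
# Run this from the unpacked OpenSSH source directory; the page shows neither
# the unpack step nor the version (tar -xf openssh-<VERSION>.tar.gz).
# Keep the current root session open, and have console access available, until
# a fresh login has been verified. Removing the packaged server may stop new
# logins, and a failed install or bad config would otherwise lock you out.

# Back up configuration and host keys before anything is removed.
ssh_backup="/etc/ssh.bak.$(date +%Y%m%d%H%M%S)"
cp -a /etc/ssh "$ssh_backup"

# Configure and compile FIRST, while the packaged sshd is still installed, so
# that a build failure leaves the working server untouched.
# NOTE(review): --with-ssl-dir points at the OpenSSL source/build tree. After
# installation check `ldd /usr/sbin/sshd` to confirm which libcrypto is
# actually loaded at run time.
if ./configure \
     --prefix=/usr \
     --sysconfdir=/etc/ssh \
     --without-zlib-version-check \
     --with-ssl-dir=/opt/software/openssh/openssl-1.1.1c/ \
     --with-pam \
     --with-zlib \
     --mandir=/usr/share/man \
     --with-md5-passwords &&
   make; then

  # Remove the packaged OpenSSH (server, clients, ...) without dependency
  # checks, one package at a time.
  # NOTE(review): removing the server package may also remove
  # /etc/pam.d/sshd; with --with-pam a PAM control file is needed once UsePAM
  # is enabled (contrib/redhat/sshd.pam looks like an example) - confirm.
  rpm -qa 'openssh*' | while IFS= read -r pkg; do
    rpm -e --nodeps "$pkg"
  done

  # The original deleted all of /etc/ssh, which also destroys the host keys:
  # every client then sees a changed host key, and users learn to click
  # through that warning. Only the old config files are removed here so that
  # `make install` writes fresh ones; the host keys are kept.
  rm -f /etc/ssh/sshd_config /etc/ssh/ssh_config /etc/ssh/moduli
  for key in /etc/ssh/ssh_host_*_key; do
    # The new sshd refuses private keys readable by group or others.
    if [ -f "$key" ]; then
      chmod 600 "$key"
    fi
  done

  # Install, register the init script, apply the config change, validate the
  # config with `sshd -t`, and only then restart the service.
  # NOTE(review): PermitRootLogin yes allows direct root password logins, as
  # the author intends. Where the environment permits, a normal account plus
  # sudo, or `PermitRootLogin prohibit-password` with keys, narrows exposure.
  # The setting replaces the commented default instead of being inserted
  # after a fixed line number; if no such line exists it is put on line 1.
  make install &&
    install -m 0755 ./contrib/redhat/sshd.init /etc/init.d/sshd &&
    chkconfig --add sshd &&
    chkconfig sshd on &&
    sed -i 's/^#\{0,1\}PermitRootLogin[[:space:]].*/PermitRootLogin yes/' /etc/ssh/sshd_config &&
    { grep -q '^PermitRootLogin yes$' /etc/ssh/sshd_config ||
        sed -i '1i PermitRootLogin yes' /etc/ssh/sshd_config; } &&
    /usr/sbin/sshd -t &&
    service sshd restart

  # Show the service registration and the installed client version.
  chkconfig --list | grep sshd
  ssh -V
else
  echo "OpenSSH configure/make failed; packaged OpenSSH left untouched (backup in $ssh_backup)" >&2
fi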
注意:如果遠程登錄服務器時,報錯賬號密碼錯誤,需要修改配置,修改完配置後,需要重啓服務器
# Edit the SELinux configuration file. The author's fix for the login error is
# to change
#   SELINUX=enforcing
# to
#   SELINUX=disabled
# NOTE(review): SELINUX=disabled turns off mandatory access control for every
# service on the host, not only sshd. Before doing that, look for denials with
# `ausearch -m avc -ts recent`, and use `setenforce 0` temporarily to confirm
# that SELinux is the cause. SELINUX=permissive keeps logging denials without
# enforcing them. A likely cause (unconfirmed) is that the source-built sshd
# runs with UsePAM off or without /etc/pam.d/sshd - verify before weakening
# the host policy.
vi /etc/selinux/config