OpenSSH offline upgrade: fixing the username enumeration vulnerability (CVE-2018-15473), with all dependency packages upgraded offline

A high-risk vulnerability (the username enumeration flaw CVE-2018-15473) was found in OpenSSH on a customer's server, so OpenSSH had to be upgraded. The server sits on an internal network with no Internet access, which means the upgrade has to be done offline; yum cannot be used to update it. The upstream fix for CVE-2018-15473 shipped in OpenSSH 7.8, so the source build below must be 7.8 or later.

Preparing the offline packages

There are a lot of dependency packages, and it is impractical to hunt down every one of them online in a version that matches the target, so the recommended approach is a test server running the same OS release, where yum is told to keep the packages it downloads.

Caching packages with yum

Edit the yum configuration file

vi /etc/yum.conf

Change the cache settings:

cachedir=/var/cache/yum/$basearch/$releasever   # where the cached packages are kept
keepcache=1                                     # 0 = discard downloaded packages, 1 = keep them

Once the configuration is changed, install gcc, openssl-devel and pam with yum on the test server, then go to the cache path and copy out all the downloaded RPMs for the offline server. Note: openssl, openssh and perl5 are built from source rather than installed from RPMs.
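The packages leave the test server on removable media and enter an isolated network, so they should travel with a checksum manifest and have their GPG signatures checked on the target before rpm runs anything. The script below is an added example, not part of the original post; it assumes the yum cache under /var/cache/yum, a staging directory of your choice, and that the CentOS signing key is already in the target's rpm database (if `rpm -q gpg-pubkey` shows none, import it with `rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7` first). Nothing in it depends on the package versions listed later.

```bash
#!/bin/bash
# Added example (not from the original post): stage the RPMs yum cached on the
# test server with a SHA-256 manifest, verify that manifest on the offline
# server, and check GPG signatures before installing.
# Assumptions (not stated in the original): cache under /var/cache/yum, staging
# directory chosen by the caller, distro GPG key present in the target rpm db.
set -euo pipefail

# collect_rpms CACHE_DIR OUT_DIR
# Copies every *.rpm found under CACHE_DIR into OUT_DIR and writes
# OUT_DIR/SHA256SUMS. Prints the number of packages staged.
collect_rpms() {
    local cache_dir="$1" out_dir="$2"
    mkdir -p "$out_dir"
    find "$cache_dir" -type f -name '*.rpm' -exec cp -n {} "$out_dir"/ \;
    (
        cd "$out_dir"
        # sorted so the manifest is identical across runs
        find . -maxdepth 1 -type f -name '*.rpm' -printf '%f\n' | sort \
            | xargs -r sha256sum > SHA256SUMS
        grep -c . SHA256SUMS || true
    )
}

# verify_manifest DIR
# Returns 0 when every file listed in DIR/SHA256SUMS matches, non-zero otherwise.
# Run this on the target before touching rpm.
verify_manifest() {
    (cd "$1" && sha256sum --quiet -c SHA256SUMS)
}

# check_signatures DIR
# rpm -K checks each package's GPG signature against the keys in the rpm db.
# A good signature prints lowercase "... pgp md5 OK". Unsigned packages print
# only "sha1 md5 OK" (digests, no pgp) and bad signatures print "PGP ... NOT OK"
# in capitals, so both are rejected by the pattern below.
check_signatures() {
    local bad=0 f out
    for f in "$1"/*.rpm; do
        out=$(rpm -K "$f" 2>&1 || true)
        case "$out" in
            *" pgp "*" OK") ;;
            *) echo "signature check FAILED: $f -> $out" >&2; bad=1 ;;
        esac
    done
    return "$bad"
}

# Typical use:
#   test server:  collect_rpms /var/cache/yum /opt/offline-rpms
#   target:       verify_manifest /opt/offline-rpms && check_signatures /opt/offline-rpms
```

The manifest catches media corruption and casual tampering in transit; the signature check is what ties the packages back to the distribution, since a checksum file carried on the same USB stick proves nothing on its own.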

Install gcc

1. Install kernel-headers

rpm -ivh kernel-headers-3.10.0-1127.18.2.el7.x86_64.rpm

2. Install glibc-headers

rpm -ivh glibc-headers-2.17-307.el7.1.x86_64.rpm

3. Install glibc-devel

rpm -ivh glibc-devel-2.17-307.el7.1.x86_64.rpm

4. Install mpfr

rpm -ivh mpfr-3.1.1-4.el7.x86_64.rpm

5. Install libmpc

rpm -ivh libmpc-1.0.1-3.el7.x86_64.rpm

6. Install cpp

rpm -ivh cpp-4.8.5-39.el7.x86_64.rpm

7. Install gcc

rpm -ivh gcc-4.8.5-39.el7.x86_64.rpm

Install perl5

#Unpack perl5
tar -xvf perl-5.30.1.tar.gz
#Enter the unpacked directory
cd perl-5.30.1/
#Configure (-des accepts all defaults non-interactively; -Dprefix installs under
#$HOME/localperl instead of replacing the system perl)
./Configure -des -Dprefix=$HOME/localperl
#Build
make
#Run the test suite (optional, takes a while)
make test
#Install
make install
#Put the new perl first on PATH so the OpenSSL build below actually uses it;
#without this the copy in $HOME/localperl is never picked up
export PATH=$HOME/localperl/bin:$PATH

Install OpenSSL

#Remove the old OpenSSL packages.
#Caution: the original removed every openssl* RPM with --nodeps, including openssl-libs.
#yum, curl and python on CentOS 7 are linked against its libssl.so.10/libcrypto.so.10,
#and OpenSSL 1.1 is not ABI-compatible with 1.0.2, so all of them break. Remove only the
#command-line tool and the old headers and keep openssl-libs in place.
for i in $(rpm -qa openssl openssl-devel); do rpm -e --nodeps "$i"; done
#Unpack
tar -xvf openssl-1.1.1c.tar.gz
#Enter the unpacked directory
cd openssl-1.1.1c
#Configure. ./config defaults to --prefix=/usr/local and --openssldir=/usr/local/ssl;
#on x86_64, 1.1.1 installs its libraries to /usr/local/lib64 (check the make install output)
./config shared
#Build and install
make && make install
#Tell the dynamic linker where the new libraries are. The original pointed at
#/usr/local/ssl/lib, which this build does not create, and then copied the .so files from
#the build tree into /usr/lib64 instead; neither is needed once this entry exists.
echo "/usr/local/lib64" >> /etc/ld.so.conf
ldconfig
#Do NOT link libssl.so.1.1/libcrypto.so.1.1 under the 1.0 names libssl.so.10/libcrypto.so.10
#as the original did: the soname changed because the ABI changed, and every 1.0.2 consumer
#would start failing with undefined-symbol errors. The two versions coexist side by side.
#Put the new command-line tool on PATH (the distro openssl package was removed above)
ln -s /usr/local/bin/openssl /usr/bin/openssl
#Check the version: should print OpenSSL 1.1.1c
openssl version

Install openssl-devel

#Install in this order (each -devel package depends on the ones before it). Several of
#these (libselinux, krb5-libs, libcom_err, libss, e2fsprogs-libs) are already part of a
#base CentOS 7 install, so use -Uvh, which upgrades in place; -ivh refuses with
#"package is already installed" or with file conflicts. If the order gives trouble, put
#them all in one directory and run rpm -Uvh *.rpm so rpm works the order out itself.
#Note: this openssl-devel is the distro's 1.0.2k package and needs the matching
#openssl-libs release on the system. OpenSSH below is pointed at the 1.1.1c source tree
#via --with-ssl-dir, so these headers are not what it compiles against.
rpm -Uvh e2fsprogs-1.42.9-17.el7.x86_64.rpm
rpm -Uvh e2fsprogs-libs-1.42.9-17.el7.x86_64.rpm
rpm -Uvh keyutils-libs-devel-1.5.8-3.el7.x86_64.rpm
rpm -Uvh libcom_err-1.42.9-17.el7.x86_64.rpm
rpm -Uvh libcom_err-devel-1.42.9-17.el7.x86_64.rpm
rpm -Uvh libkadm5-1.15.1-46.el7.x86_64.rpm
rpm -Uvh libsepol-devel-2.5-10.el7.x86_64.rpm
rpm -Uvh libss-1.42.9-17.el7.x86_64.rpm
rpm -Uvh libverto-devel-0.2.5-4.el7.x86_64.rpm
rpm -Uvh libselinux-2.5-15.el7.x86_64.rpm
rpm -Uvh libselinux-utils-2.5-15.el7.x86_64.rpm
rpm -Uvh libselinux-python-2.5-15.el7.x86_64.rpm
rpm -Uvh pcre-devel-8.32-17.el7.x86_64.rpm
rpm -Uvh libselinux-devel-2.5-15.el7.x86_64.rpm
rpm -Uvh krb5-devel-1.15.1-46.el7.x86_64.rpm
rpm -Uvh krb5-libs-1.15.1-46.el7.x86_64.rpm
rpm -Uvh zlib-devel-1.2.7-18.el7.x86_64.rpm
rpm -Uvh openssl-devel-1.0.2k-19.el7.x86_64.rpm

Install pam

#pam is part of the base install, so this is an upgrade: use -Uvh rather than -ivh
rpm -Uvh pam-1.1.8-23.el7.x86_64.rpm
rpm -Uvh pam-devel-1.1.8-23.el7.x86_64.rpm

Install OpenSSH

#Unpack the OpenSSH source tarball (7.8 or later carries the CVE-2018-15473 fix) and cd
#into it before running the steps below. Keep your current SSH session open throughout:
#the running sshd keeps serving it, and you test the new one from a second session.
#Remove the old packages (openssh, openssh-clients, openssh-server)
for i in $(rpm -qa | grep openssh); do rpm -e --nodeps "$i"; done
#Back up and remove the old configuration. The backup preserves the host keys; without
#them the host gets a new identity and every client sees a "host key changed" warning.
cp -a /etc/ssh /etc/ssh.bak
rm -rf /etc/ssh
#Configure. --with-ssl-dir points at the OpenSSL 1.1.1c tree built above. On an SELinux
#host consider adding --with-selinux (libselinux-devel is installed above) so that user
#sessions get their proper contexts.
./configure --prefix=/usr --sysconfdir=/etc/ssh --without-zlib-version-check --with-ssl-dir=/opt/software/openssh/openssl-1.1.1c/ --with-pam --with-zlib --mandir=/usr/share/man --with-md5-passwords
#Build and install (make install also generates fresh host keys in /etc/ssh)
make && make install
#Restore the original host keys over the freshly generated ones
cp -a /etc/ssh.bak/ssh_host_* /etc/ssh/
#PAM: --with-pam only takes effect with UsePAM yes, and /etc/pam.d/sshd belonged to the
#openssh-server RPM that was just removed. Install the one shipped in the source tree.
cp ./contrib/redhat/sshd.pam /etc/pam.d/sshd
sed -i 's/^#\?UsePAM .*/UsePAM yes/' /etc/ssh/sshd_config
#Service setup (chkconfig forwards these to systemctl on CentOS 7)
cp ./contrib/redhat/sshd.init /etc/init.d/sshd
chkconfig --add sshd
chkconfig sshd on
chkconfig --list | grep sshd
#Restore SELinux labels on the new binaries and config so sshd runs in its own domain
restorecon -Rv /usr/sbin/sshd /usr/libexec /etc/ssh
#Check the version: should report 7.8 or later
ssh -V
#Allow root login by password. This weakens the default (prohibit-password); prefer a
#regular account plus sudo, or keys only. Match the option wherever it sits instead of
#inserting after a fixed line number as the original did ("32 a...").
sed -i 's/^#\?PermitRootLogin .*/PermitRootLogin yes/' /etc/ssh/sshd_config
#Validate the config before restarting; a syntax error here locks you out
sshd -t
#Restart sshd, then log in from a second session before closing this one
service sshd restart

Note: if remote logins are rejected afterwards with a wrong-password error although the credentials are correct, a likely culprit on a CentOS 7 host is SELinux: a binary dropped into /usr/sbin by make install inherits the directory's label rather than sshd_exec_t, so sshd runs in the wrong domain and is denied what it needs (such as reading /etc/shadow). Confirm with ls -Z /usr/sbin/sshd and ausearch -m avc -ts recent, or temporarily with setenforce 0 (if logins then succeed, SELinux is the cause), fix it with restorecon -Rv /usr/sbin/sshd /etc/ssh followed by a service restart, and re-enable with setenforce 1. The original resolved it by disabling SELinux outright and rebooting; that removes a protection layer from the customer's server and should be the last resort, not the first:

vi /etc/selinux/config
#change
SELINUX=enforcing
#to
SELINUX=disabled
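Before closing the original session, confirm that the new build is really in place and that the configuration changes above came out as intended. The script below is an added example, not from the original post. Its two pure functions (a version gate for the CVE-2018-15473 fix and a reader for the value sshd will actually use from sshd_config) run anywhere; the live checks listed at the end assume the paths produced by the build above (/usr/sbin/sshd, /etc/ssh/sshd_config), and the banner reader assumes bash's /dev/tcp is available.

```bash
#!/bin/bash
# Added example (not part of the original post): post-upgrade checks for the
# CVE-2018-15473 fix. Pure functions are kept apart from the commands that need
# a live host so the logic can be exercised offline.
set -euo pipefail

# openssh_version_ok BANNER_OR_VERSION
# Accepts "SSH-2.0-OpenSSH_7.4", "OpenSSH_7.9p1, OpenSSL ...", and similar.
# Returns 0 when the OpenSSH version is 7.8 or later (the upstream fix), 1 when
# older, 2 when the string is not an OpenSSH banner at all.
# Caveat: distro packages backport fixes without bumping the version, so "1" on
# a vendor build means "check the vendor advisory", not "vulnerable".
openssh_version_ok() {
    local ver major minor
    ver=$(printf '%s\n' "$1" | sed -n 's/.*OpenSSH_\([0-9]\+\)\.\([0-9]\+\).*/\1 \2/p')
    [ -n "$ver" ] || return 2
    read -r major minor <<<"$ver"
    if [ "$major" -gt 7 ] || { [ "$major" -eq 7 ] && [ "$minor" -ge 8 ]; }; then
        return 0
    fi
    return 1
}

# sshd_effective KEY CONFIG_FILE
# sshd honours the FIRST occurrence of a keyword; later lines and commented ones
# are ignored. Prints the effective value, or nothing if the keyword is absent.
# (Keywords inside Match blocks are not treated specially here.)
sshd_effective() {
    local key="$1" file="$2"
    awk -v k="$key" 'tolower($1)==tolower(k) {print $2; exit}' "$file"
}

# remote_banner HOST PORT  (needs a live target; not exercised by the tests)
# Reads the server identification string over bash's /dev/tcp; the server sends
# it as soon as the TCP connection is up.
remote_banner() {
    local banner
    exec 3<>"/dev/tcp/$1/$2"
    read -r -t 5 banner <&3
    exec 3<&- 3>&-
    printf '%s\n' "${banner%$'\r'}"
}

# Live checks on the upgraded host (run from a second session, old one still open):
#   sshd -t                                        # config parses
#   ldd /usr/sbin/sshd | grep -E 'libssl|libcrypto' # expect libssl.so.1.1
#   ls -Z /usr/sbin/sshd                           # expect sshd_exec_t under SELinux
#   openssh_version_ok "$(ssh -V 2>&1)"            # 7.8 or later
#   openssh_version_ok "$(remote_banner 127.0.0.1 22)"  # what the network sees
#   sshd_effective PermitRootLogin /etc/ssh/sshd_config
#   sshd_effective UsePAM /etc/ssh/sshd_config
```

The banner check is what an external scanner will base its finding on, so it is worth running against the host from the outside as well as comparing `ssh -V` locally; the sshd_effective reader exists because a stray earlier `PermitRootLogin` line silently wins over the one you just edited.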