Environment: CentOS 6.7
Hardening requirement: the vulnerability scanner of a certain vendor (某盟) reported a series of SSL vulnerabilities on this host, and the customer requires them to be fixed.
Solution: upgrade SSH/SSL to the latest versions and remove the old SSL version (in testing, the 某盟 scan does not pass unless the old version is removed).
Current versions: OpenSSH_5.3p1, OpenSSL 1.0.1e-fips
Latest versions at the time of writing: OpenSSH_7.3p1, OpenSSL 1.0.2h
Check the current SSH/SSL versions:
ssh -V
openssl version
[root@test0823 ~]# ssh -V
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
[root@test0823 ssh]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
Back up the SSH configuration directory. The archive contains the private host keys, so keep it readable by root only and do not leave copies lying around:
tar zcvf /etc/ssh.tar.gz /etc/ssh/
[root@test0823 ~]# tar zcvf /etc/ssh.tar.gz /etc/ssh/
ssh/
ssh/ssh_host_dsa_key.pub
ssh/ssh_host_rsa_key.pub
ssh/ssh_host_rsa_key
ssh/sshd_config
ssh/ssh_config
ssh/moduli
ssh/ssh_host_dsa_key
ssh/ssh_host_key.pub
ssh/ssh_host_key
Target versions for this upgrade:
OpenSSH_7.3p1, OpenSSL 1.0.2h
Installation media used for this run:
Link: http://pan.baidu.com/s/1eRW3ytc   Password: 46sy
Whichever mirror the tarballs come from, check them against the SHA-256 digests or PGP signatures published by the upstream projects (openssl.org and openssh.com) before building. A source tarball from a file-sharing site is otherwise unverified code that is about to become the system's SSL library and its SSH daemon.
SSH/SSL installation references:
OpenSSL installation:
See http://www.linuxfromscratch.org/blfs/view/svn/postlfs/openssl.html
OpenSSH installation:
See http://www.linuxfromscratch.org/blfs/view/svn/postlfs/openssh.html
All source tarballs for this test were uploaded to /root on the server.
OpenSSL must be installed first and OpenSSH second, because OpenSSH's configure script builds against whatever OpenSSL headers and libraries it finds at that moment.
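Before unpacking anything, verify the tarballs. The script below is an added example and is not part of the original post or of either upstream project: it checks the files in /root against a manifest of SHA-256 digests that you fill in from the openssl.org and openssh.com release pages. The digests written by write_manifest are placeholder zeros, and the SRC_DIR path and APPLY switch are this example's own conventions.

```bash
#!/bin/bash
# Added example, not from the original post: check the source tarballs in
# /root against SHA-256 digests copied from the upstream release pages before
# anything is compiled. The digests in write_manifest are placeholders; the
# real values come from openssl.org and openssh.com, not from the file share
# the tarballs were downloaded from.

SRC_DIR=${SRC_DIR:-/root}

# verify_sha256 <file> <expected-hex-digest>: 0 if the digest matches,
# 1 if it does not or the file is missing (a missing tarball is a failure,
# not a skip).
verify_sha256() {
    file=$1 expected=$2
    if [ ! -f "$file" ]; then
        echo "missing: $file" >&2
        return 1
    fi
    actual=$(sha256sum "$file" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "CHECKSUM MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# verify_all <manifest>: manifest lines are "<sha256>  <filename>" relative to
# SRC_DIR (the same layout sha256sum -c reads); blank lines and '#' comments
# are skipped. Every entry is checked; returns 1 if any entry failed.
verify_all() {
    rc=0
    while read -r sum name; do
        case $sum in
            ''|\#*) continue ;;
        esac
        verify_sha256 "$SRC_DIR/$name" "$sum" || rc=1
    done < "$1"
    return $rc
}

# write_manifest <path>: template to fill in with the upstream digests
# (the placeholder zeros will never match a real tarball).
write_manifest() {
    cat > "$1" <<'EOF'
# sha256                                                            filename
0000000000000000000000000000000000000000000000000000000000000000  openssl-1.0.2h.tar.gz
0000000000000000000000000000000000000000000000000000000000000000  openssh-7.3p1.tar.gz
EOF
}

# Only touch /root when explicitly asked: APPLY=1 ./verify-tarballs.sh
if [ "${APPLY:-0}" = 1 ]; then
    [ -f "$SRC_DIR/SHA256SUMS" ] || write_manifest "$SRC_DIR/SHA256SUMS"
    verify_all "$SRC_DIR/SHA256SUMS" && echo "all tarballs verified, safe to unpack"
fi
```

Run it once to create /root/SHA256SUMS, paste the upstream digests in, and run it again; it reports every mismatch and every missing file rather than stopping at the first, and its exit status can gate the rest of the procedure.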
[root@test0823 ~]# tar -zxvf openssl-1.0.2h.tar.gz
[root@test0823 ~]# cd openssl-1.0.2h
Copy and run the following command:
./config --prefix=/usr \
         --openssldir=/etc/ssl \
         --libdir=lib \
         shared \
         zlib-dynamic &&
make depend &&
make
Note that --prefix=/usr with --libdir=lib installs the new libraries under /usr/lib, while 64-bit CentOS keeps its system libraries, including the RPM's libssl.so.10 and libcrypto.so.10, under /usr/lib64. That difference is why symlinks are needed at the end.
Session transcript:
[root@test0823 openssl-1.0.2h]# ./config --prefix=/usr \
> --openssldir=/etc/ssl \
> --libdir=lib \
> shared \
> zlib-dynamic &&
> make depend &&
> make
Copy and run the following command:
make MANDIR=/usr/share/man MANSUFFIX=ssl install &&
install -dv -m755 /usr/share/doc/openssl-1.0.2h &&
cp -vfr doc/* /usr/share/doc/openssl-1.0.2h
Session transcript:
[root@test0823 openssl-1.0.2h]# make MANDIR=/usr/share/man MANSUFFIX=ssl install &&
> install -dv -m755 /usr/share/doc/openssl-1.0.2h &&
> cp -vfr doc/* /usr/share/doc/openssl-1.0.2h
Check the result with openssl version:
[root@test0823 openssl-1.0.2h]# openssl version
OpenSSL 1.0.2h 3 May 2016
[root@test0823 openssl-1.0.2h]# ssh -V
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
The openssl command now reports 1.0.2h because make install overwrote /usr/bin/openssl, but ssh -V still reports 1.0.1e: the RPM's ssh binary is dynamically linked against /usr/lib64/libcrypto.so.10 from the openssl RPM, which is untouched. The new libraries (SONAME libssl.so.1.0.0 and libcrypto.so.1.0.0) are in /usr/lib and nothing on the system uses them yet.
[root@test0823 ~]# tar -zxvf openssh-7.3p1.tar.gz
[root@test0823 ~]# cd openssh-7.3p1
Copy and run the following command (it creates the privilege-separation directory and the unprivileged sshd account that the pre-authentication child process runs as):
install -v -m700 -d /var/lib/sshd &&
chown -v root:sys /var/lib/sshd &&
groupadd -g 50 sshd &&
useradd -c 'sshd PrivSep' \
        -d /var/lib/sshd \
        -g sshd \
        -s /bin/false \
        -u 50 sshd
Session transcript:
[root@test0823 openssh-7.3p1]# install -v -m700 -d /var/lib/sshd &&
> chown -v root:sys /var/lib/sshd &&
>
> groupadd -g 50 sshd &&
> useradd -c 'sshd PrivSep' \
> -d /var/lib/sshd \
> -g sshd \
> -s /bin/false \
> -u 50 sshd
If the openssh-server RPM has already created an sshd account, groupadd/useradd will report that the name exists; that is harmless, since the existing account can be reused and what matters is that the directory passed to --with-privsep-path below exists, is owned by root and has mode 700.
Copy and run the following command:
./configure --prefix=/usr \
            --sysconfdir=/etc/ssh \
            --with-md5-passwords \
            --with-privsep-path=/var/lib/sshd &&
make
Session transcript:
[root@test0823 openssh-7.3p1]# ./configure --prefix=/usr \
> --sysconfdir=/etc/ssh \
> --with-md5-passwords \
> --with-privsep-path=/var/lib/sshd &&
> make
This configure line has neither --with-pam nor --with-kerberos5, so the resulting sshd is built without PAM and GSSAPI support; the "Unsupported option" messages at restart further down come from exactly that. If the host relies on the /etc/pam.d/sshd stack (account lockout, pam_access, password ageing), add --with-pam (requires pam-devel) here and keep UsePAM yes in sshd_config.
Copy and run the following command:
make install &&
install -v -m755 contrib/ssh-copy-id /usr/bin &&
install -v -m644 contrib/ssh-copy-id.1 \
        /usr/share/man/man1 &&
install -v -m755 -d /usr/share/doc/openssh-7.3p1 &&
install -v -m644 INSTALL LICENCE OVERVIEW README* \
        /usr/share/doc/openssh-7.3p1
Session transcript:
[root@test0823 openssh-7.3p1]# make install &&
> install -v -m755 contrib/ssh-copy-id /usr/bin &&
>
> install -v -m644 contrib/ssh-copy-id.1 \
> /usr/share/man/man1 &&
> install -v -m755 -d /usr/share/doc/openssh-7.3p1 &&
> install -v -m644 INSTALL LICENCE OVERVIEW README* \
> /usr/share/doc/openssh-7.3p1
[root@test0823 openssh-7.3p1]# ssh -V
OpenSSH_7.3p1, OpenSSL 1.0.2h 3 May 2016
Rename the previous sshd as a backup and make a symlink to the new sshd:
mv /usr/sbin/sshd /usr/sbin/sshd.OFF
ln -s /root/openssh-7.3p1/sshd /usr/sbin/sshd
Be aware that make install with --prefix=/usr has already written the 7.3p1 sshd to /usr/sbin/sshd, so the file renamed here is the freshly installed binary, not the RPM's 5.3p1 one. The symlink therefore adds nothing except a dependency on the build tree under /root: if /root/openssh-7.3p1 is ever deleted or moved, SSH logins stop working. The installed /usr/sbin/sshd can simply be used as-is.
Restart the service with service sshd restart. Keep the current SSH session open while doing this and confirm that a fresh login works before closing it, so a sshd that fails to start cannot lock you out. To confirm which daemon is actually answering, read the banner it sends on connect (SSH-2.0-OpenSSH_7.3) by connecting to port 22 with nc or telnet; that banner is what a network scanner reads, whereas ssh -V only reports the client.
[root@test0823 openssh-7.3p1]# service sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd: /etc/ssh/sshd_config line 81: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 83: Unsupported option GSSAPICleanupCredentials
/etc/ssh/sshd_config line 97: Unsupported option UsePAM
                                                           [  OK  ]
These messages do not stop sshd from starting: they mean the options are not compiled into this build (no PAM, no GSSAPI), so the new sshd ignores them. Note what that implies before silencing them. With UsePAM unsupported, sshd checks passwords against /etc/shadow directly and the /etc/pam.d/sshd policy no longer applies to SSH logins. If that is acceptable, comment out the lines so the messages stop:
vi /etc/ssh/sshd_config
Comment out lines 81, 83 and 97.
Restart sshd again and the three messages are gone. Running sshd -t after every edit reports the same problems without restarting the daemon.
Allowing root to log in over SSH: since OpenSSH 7.0 the default for PermitRootLogin is prohibit-password (root may log in with a key but not with a password), not yes. If password logins as root really are required, append the line below or edit the file directly, keeping in mind that sshd uses the first occurrence of an option, so an appended line has no effect if an earlier uncommented PermitRootLogin is already present. From a hardening standpoint, keep the default or set PermitRootLogin no and use sudo; a root password login is exactly what brute-force scanners try first.
echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
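Rather than editing line numbers by hand, the new sshd can be asked which options it does not understand and exactly those lines commented out. The script below is an added example, not part of the original post and not OpenSSH's own tooling; it assumes the "file line N: Unsupported option X" message format seen in the restart output above, a config at /etc/ssh/sshd_config, and an APPLY=1 switch of its own so that it never edits the real file unless asked.

```bash
#!/bin/bash
# Added example, not from the original post: let the new sshd report the
# options it does not support, comment those lines out, and show the effective
# PermitRootLogin value. Assumes the "file line N: Unsupported option X"
# message format shown in the post's restart output.

# unsupported_lines: read sshd -t output on stdin, print one flagged line
# number per line (e.g. "81", "83", "97" for the post's three messages).
unsupported_lines() {
    sed -n 's/^.*line \([0-9][0-9]*\): Unsupported option .*$/\1/p'
}

# comment_lines <file> <n>...: prefix the given line numbers with '#',
# editing in place and leaving <file>.bak as a backup. No numbers: no-op.
comment_lines() {
    file=$1; shift
    if [ $# -eq 0 ]; then
        return 0
    fi
    script=""
    for n in "$@"; do
        script="${script:+$script;}${n}s/^/#/"
    done
    sed -i.bak "$script" "$file"
}

# permit_root_login <file>: print the first uncommented PermitRootLogin value
# (sshd uses the first occurrence); when none is set, print the OpenSSH 7.0+
# default, prohibit-password.
permit_root_login() {
    v=$(sed -n 's/^[[:space:]]*PermitRootLogin[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$1" | head -n 1)
    echo "${v:-prohibit-password (default)}"
}

# main [config]: test the config with the installed sshd, comment out the
# unsupported options, re-test, and report the root-login policy.
main() {
    cfg=${1:-/etc/ssh/sshd_config}
    # Unsupported options are only warnings, so sshd -t may still exit 0;
    # capture stderr either way and keep going if it exits non-zero.
    out=$(sshd -t -f "$cfg" 2>&1) || true
    # shellcheck disable=SC2046
    comment_lines "$cfg" $(printf '%s\n' "$out" | unsupported_lines)
    sshd -t -f "$cfg" && echo "$cfg OK; PermitRootLogin=$(permit_root_login "$cfg")"
}

# Only touch the real config when explicitly asked: APPLY=1 ./fix-sshd-config.sh
if [ "${APPLY:-0}" = 1 ]; then
    main "$@"
fi
```

The final sshd -t is the check that matters: it exits non-zero on anything the daemon would refuse at start, so a bad edit is caught before service sshd restart, while the existing session is still open.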
The old OpenSSL and OpenSSH were not removed earlier because it was unclear which programs depended on them,
but the final scan showed that unless the old OpenSSL is removed, the 某盟 scanner still reports the SSL vulnerabilities.
List the RPM-installed openssl packages:
rpm -qa | grep openssl
Remove the old OpenSSL (here openssl-1.0.1e-42.el6.x86_64):
rpm -e openssl-1.0.1e-42.el6.x86_64
A direct removal attempt fails with the following library dependencies:
[root@test0823 ~]# rpm -e openssl-1.0.1e-42.el6.x86_64
error: Failed dependencies:
	libcrypto.so.10()(64bit) is needed by (installed) qt-1:4.6.2-28.el6_5.x86_64
	libcrypto.so.10()(64bit) is needed by (installed) libarchive-2.8.3-4.el6_2.x86_64
	libcrypto.so.10()(64bit) is needed by (installed) libssh2-1.4.2-1.el6_6.1.x86_64
	libcrypto.so.10()(64bit) is needed by (installed) wget-1.12-5.el6_6.1.x86_64
	libcrypto.so.10()(64bit) is needed by (installed) wpa_supplicant-1:0.7.3-6.el6.x86_64
	libcrypto.so.10()(64bit) is needed by (installed) bind-libs-32:9.8.2-0.37.rc1.el6.x86_64
	libcrypto.so.10()(64bit) is needed by (installed) bind-utils-32:9.8.2-0.37.rc1.el6.x86_64
	libcrypto.so.10()(64bit) is needed by (installed) mysql-libs-5.1.73-5.el6_6.x86_64
	libcrypto.so.10()(64bit) is needed by (installed) fipscheck-1.2.0-7.el6.x86_64
	libcrypto.so.10()(64bit) is needed by (installed) httpd-tools-2.2.15-45.el6.centos.x86_64
	libcrypto.so.10()(64bit) is needed by (installed) cyrus-sasl-md5-2.1.23-15.el6_6.2.x86_64
	libcrypto.so.10()(64bit) is needed by (installed) gnome-vfs2-2.24.2-6.el6.x86_64
	libcrypto.so.10()(64bit) is needed by (installed) ptlib-2.6.5-3.el6.x86_64
	libcrypto.so.10()(64bit) is needed by (installed) opal-3.6.6-4.el6.x86_64
	libcrypto.so.10()(64bit) is needed by (installed) python-libs-2.6.6-64.el6.x86_64
	libcrypto.so.10()(64bit) is needed by (installed) python-ldap-0:2.3.10-1.el6.x86_64
	libcrypto.so.10()(64bit) is needed by (installed) pyOpenSSL-0.13.1-2.el6.x86_64
	libcrypto.so.10()(64bit) is needed by (installed) net-snmp-libs-1:5.5-54.el6.x86_64
	libcrypto.so.10()(64bit) is needed by (installed) evolution-data-server-2.32.3-23.el6.x86_64
	libcrypto.so.10()(64bit) is needed by (installed) gstreamer-plugins-bad-free-0.10.19-3.el6_5.x86_64
	libcrypto.so.10()(64bit) is needed by (installed) xorg-x11-server-Xorg-1.15.0-36.el6.centos.x86_64
	libcrypto.so.10()(64bit) is needed by (installed) hplip-libs-3.14.6-3.el6.x86_64
	libcrypto.so.10()(64bit) is needed by (installed) ntpdate-4.2.6p5-5.el6.centos.x86_64
	libcrypto.so.10()(64bit) is needed by (installed) ntp-4.2.6p5-5.el6.centos.x86_64
	libcrypto.so.10()(64bit) is needed by (installed) certmonger-0.77.5-1.el6.x86_64
	libcrypto.so.10()(64bit) is needed by (installed) cyrus-sasl-2.1.23-15.el6_6.2.x86_64
	libcrypto.so.10()(64bit) is needed by (installed) postfix-2:2.6.6-6.el6_5.x86_64
	libcrypto.so.10()(64bit) is needed by (installed) hpijs-1:3.14.6-3.el6.x86_64
	libcrypto.so.10()(64bit) is needed by (installed) ekiga-3.2.6-4.el6.x86_64
	libcrypto.so.10()(64bit) is needed by (installed) gnome-vfs2-smb-2.24.2-6.el6.x86_64
	libcrypto.so.10()(64bit) is needed by (installed) tcpdump-14:4.0.0-5.20090921gitdf3cb4.2.el6.x86_64
	libcrypto.so.10()(64bit) is needed by (installed) vsftpd-2.2.2-14.el6.x86_64
	libcrypto.so.10()(64bit) is needed by (installed) openssh-5.3p1-111.el6.x86_64
	libcrypto.so.10()(64bit) is needed by (installed) openssh-server-5.3p1-111.el6.x86_64
	libcrypto.so.10()(64bit) is needed by (installed) openssh-clients-5.3p1-111.el6.x86_64
	libcrypto.so.10(OPENSSL_1.0.1)(64bit) is needed by (installed) pyOpenSSL-0.13.1-2.el6.x86_64
	libcrypto.so.10(OPENSSL_1.0.1)(64bit) is needed by (installed) net-snmp-libs-1:5.5-54.el6.x86_64
	libcrypto.so.10(OPENSSL_1.0.1)(64bit) is needed by (installed) ntpdate-4.2.6p5-5.el6.centos.x86_64
	libcrypto.so.10(OPENSSL_1.0.1)(64bit) is needed by (installed) ntp-4.2.6p5-5.el6.centos.x86_64
	libcrypto.so.10(OPENSSL_1.0.1)(64bit) is needed by (installed) postfix-2:2.6.6-6.el6_5.x86_64
	libcrypto.so.10(OPENSSL_1.0.1)(64bit) is needed by (installed) openssh-5.3p1-111.el6.x86_64
	libcrypto.so.10(OPENSSL_1.0.1)(64bit) is needed by (installed) openssh-server-5.3p1-111.el6.x86_64
	libcrypto.so.10(OPENSSL_1.0.1)(64bit) is needed by (installed) openssh-clients-5.3p1-111.el6.x86_64
	libcrypto.so.10(OPENSSL_1.0.1_EC)(64bit) is needed by (installed) certmonger-0.77.5-1.el6.x86_64
	libcrypto.so.10(OPENSSL_1.0.1_EC)(64bit) is needed by (installed) postfix-2:2.6.6-6.el6_5.x86_64
	libcrypto.so.10(OPENSSL_1.0.1_EC)(64bit) is needed by (installed) openssh-5.3p1-111.el6.x86_64
	libcrypto.so.10(OPENSSL_1.0.1_EC)(64bit) is needed by (installed) openssh-server-5.3p1-111.el6.x86_64
	libcrypto.so.10(OPENSSL_1.0.1_EC)(64bit) is needed by (installed) openssh-clients-5.3p1-111.el6.x86_64
	libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) qt-1:4.6.2-28.el6_5.x86_64
	libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) libssh2-1.4.2-1.el6_6.1.x86_64
	libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) wget-1.12-5.el6_6.1.x86_64
	libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) wpa_supplicant-1:0.7.3-6.el6.x86_64
	libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) bind-libs-32:9.8.2-0.37.rc1.el6.x86_64
	libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) mysql-libs-5.1.73-5.el6_6.x86_64
	libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) httpd-tools-2.2.15-45.el6.centos.x86_64
	libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) cyrus-sasl-md5-2.1.23-15.el6_6.2.x86_64
	libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) python-libs-2.6.6-64.el6.x86_64
	libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) pyOpenSSL-0.13.1-2.el6.x86_64
	libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) net-snmp-libs-1:5.5-54.el6.x86_64
	libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) gstreamer-plugins-bad-free-0.10.19-3.el6_5.x86_64
	libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) xorg-x11-server-Xorg-1.15.0-36.el6.centos.x86_64
	libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) ntpdate-4.2.6p5-5.el6.centos.x86_64
	libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) ntp-4.2.6p5-5.el6.centos.x86_64
	libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) certmonger-0.77.5-1.el6.x86_64
	libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) cyrus-sasl-2.1.23-15.el6_6.2.x86_64
	libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) postfix-2:2.6.6-6.el6_5.x86_64
	libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) tcpdump-14:4.0.0-5.20090921gitdf3cb4.2.el6.x86_64
	libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) vsftpd-2.2.2-14.el6.x86_64
	libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) openssh-5.3p1-111.el6.x86_64
	libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) openssh-server-5.3p1-111.el6.x86_64
	libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) openssh-clients-5.3p1-111.el6.x86_64
	libssl.so.10()(64bit) is needed by (installed) qt-1:4.6.2-28.el6_5.x86_64
	libssl.so.10()(64bit) is needed by (installed) libssh2-1.4.2-1.el6_6.1.x86_64
	libssl.so.10()(64bit) is needed by (installed) wget-1.12-5.el6_6.1.x86_64
	libssl.so.10()(64bit) is needed by (installed) wpa_supplicant-1:0.7.3-6.el6.x86_64
	libssl.so.10()(64bit) is needed by (installed) mysql-libs-5.1.73-5.el6_6.x86_64
	libssl.so.10()(64bit) is needed by (installed) httpd-tools-2.2.15-45.el6.centos.x86_64
	libssl.so.10()(64bit) is needed by (installed) gnome-vfs2-2.24.2-6.el6.x86_64
	libssl.so.10()(64bit) is needed by (installed) ptlib-2.6.5-3.el6.x86_64
	libssl.so.10()(64bit) is needed by (installed) opal-3.6.6-4.el6.x86_64
	libssl.so.10()(64bit) is needed by (installed) python-libs-2.6.6-64.el6.x86_64
	libssl.so.10()(64bit) is needed by (installed) python-ldap-0:2.3.10-1.el6.x86_64
	libssl.so.10()(64bit) is needed by (installed) pyOpenSSL-0.13.1-2.el6.x86_64
	libssl.so.10()(64bit) is needed by (installed) evolution-data-server-2.32.3-23.el6.x86_64
	libssl.so.10()(64bit) is needed by (installed) gstreamer-plugins-bad-free-0.10.19-3.el6_5.x86_64
	libssl.so.10()(64bit) is needed by (installed) postfix-2:2.6.6-6.el6_5.x86_64
	libssl.so.10()(64bit) is needed by (installed) ekiga-3.2.6-4.el6.x86_64
	libssl.so.10()(64bit) is needed by (installed) gnome-vfs2-smb-2.24.2-6.el6.x86_64
	libssl.so.10()(64bit) is needed by (installed) vsftpd-2.2.2-14.el6.x86_64
	libssl.so.10(libssl.so.10)(64bit) is needed by (installed) qt-1:4.6.2-28.el6_5.x86_64
	libssl.so.10(libssl.so.10)(64bit) is needed by (installed) wget-1.12-5.el6_6.1.x86_64
	libssl.so.10(libssl.so.10)(64bit) is needed by (installed) wpa_supplicant-1:0.7.3-6.el6.x86_64
	libssl.so.10(libssl.so.10)(64bit) is needed by (installed) mysql-libs-5.1.73-5.el6_6.x86_64
	libssl.so.10(libssl.so.10)(64bit) is needed by (installed) httpd-tools-2.2.15-45.el6.centos.x86_64
	libssl.so.10(libssl.so.10)(64bit) is needed by (installed) python-libs-2.6.6-64.el6.x86_64
	libssl.so.10(libssl.so.10)(64bit) is needed by (installed) pyOpenSSL-0.13.1-2.el6.x86_64
	libssl.so.10(libssl.so.10)(64bit) is needed by (installed) postfix-2:2.6.6-6.el6_5.x86_64
	libssl.so.10(libssl.so.10)(64bit) is needed by (installed) vsftpd-2.2.2-14.el6.x86_64
	openssl is needed by (installed) postfix-2:2.6.6-6.el6_5.x86_64
Record the two library names that every dependent needs:
libcrypto.so.10
libssl.so.10
Then remove the package ignoring dependencies:
rpm -e --nodeps openssl-1.0.1e-42.el6.x86_64
Two things happen here that are easy to miss. First, rpm deletes every file the package owns, including /usr/lib64/libssl.so.10, /usr/lib64/libcrypto.so.10 and /usr/bin/openssl (which make install had just overwritten); until the symlinks below exist, every program on the dependency list above fails to start, and because python-libs is on that list yum is among them, so do the removal and the symlinks in the same root session without logging out. Second, openssl is now gone from the RPM database, so yum update will never patch it again; every future OpenSSL fix has to be built and installed by hand the same way.
Create new symlinks under the names the dependents expect. The RPM shipped the libraries under Red Hat's SONAMEs libssl.so.10 and libcrypto.so.10, while the upstream 1.0.2h build names them libssl.so.1.0.0 and libcrypto.so.1.0.0, so the old names have to resolve to the new files:
[root@test0823 openssl-1.0.2h]# ln -s /root/openssl-1.0.2h/libssl.so.1.0.0 /usr/lib64/libssl.so.10
[root@test0823 openssl-1.0.2h]# ln -s /root/openssl-1.0.2h/libcrypto.so.1.0.0 /usr/lib64/libcrypto.so.10
These links point into the build tree; the copies that make install placed in /usr/lib are the more durable target, and either way /root/openssl-1.0.2h must not be deleted while anything points there. Also expect "no version information available" warnings from the dynamic linker for the programs that required the OPENSSL_1.0.1 and OPENSSL_1.0.1_EC symbol versions in the list above: those versions come from Red Hat's patches, and an upstream build carries no symbol versioning at all.
Because the openssl package was removed last, its /usr/bin/openssl (which make install had overwritten) is gone as well and the binary has to be put back. This run did it with a symlink into the build tree; re-running make install in the openssl-1.0.2h tree restores an installed copy instead and avoids one more dependency on /root:
[root@test0823 apps]# ln -s /root/openssl-1.0.2h/apps/openssl /usr/bin/openssl
A rescan afterwards reported no SSL vulnerabilities. Two checks are still worth doing before declaring the host fixed: ldd /usr/sbin/sshd and ldd /usr/bin/openssl should show libssl and libcrypto resolving to the 1.0.2h files with nothing reported as "not found", and rpm -qa still lists openssh-5.3p1-111.el6 and the other old packages because the source build bypassed the package database, so a credentialed scan that reads package versions rather than the network banner would still flag this host.
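The removal and symlink steps above are the risky part of this procedure, so here is an added example (not part of the original post, and not an rpm or OpenSSL tool) that does the bookkeeping around them: it dry-runs the removal with rpm -e --test, extracts from the error text the library names and symbol versions the dependents need, and afterwards checks that the replacement links resolve and that key binaries have no unresolved libraries. The APPLY and CHECK switches, the /root/openssl-deps.txt scratch file and the list of binaries checked are this example's own choices; the sample text used to exercise the parser is a constructed excerpt of the rpm error output shown above.

```bash
#!/bin/bash
# Added example, not from the original post: before removing the openssl RPM
# with --nodeps, record the library names and symbol versions its dependents
# require; after the swap, verify that the replacement symlinks resolve and
# that key binaries have no unresolved libraries. Paths follow the post.

# parse_rpm_deps: turn "X is needed by (installed) PKG" lines (stdin) into
# "X PKG" pairs, e.g. "libcrypto.so.10()(64bit) postfix-2:2.6.6-6.el6_5.x86_64".
parse_rpm_deps() {
    sed -n 's/^[[:space:]]*\(.*\) is needed by (installed) \(.*\)$/\1 \2/p'
}

# required_names: unique base names the dependents need, with the
# "(symbol-version)(64bit)" decoration stripped. These are the names the new
# libraries must be reachable under (libcrypto.so.10, libssl.so.10); a bare
# package capability such as "openssl" (needed by postfix) shows up here too.
required_names() {
    parse_rpm_deps | awk '{ sub(/\(.*/, "", $1); print $1 }' | sort -u
}

# required_symbol_versions: unique versioned-symbol sets the dependents were
# linked against (OPENSSL_1.0.1, OPENSSL_1.0.1_EC). Red Hat's build adds these;
# an upstream 1.0.2h build has no symbol versioning, so the dynamic linker
# will warn "no version information available" for exactly these programs.
required_symbol_versions() {
    parse_rpm_deps | sed -n 's/^[^(]*(\([A-Z][A-Za-z0-9_.]*\))(64bit).*/\1/p' | sort -u
}

# dependent_package_count: how many distinct packages would be left with a
# dangling dependency after rpm -e --nodeps.
dependent_package_count() {
    parse_rpm_deps | awk '{ print $2 }' | sort -u | wc -l | tr -d ' '
}

# link_ok <path>: 0 if <path> is a symlink whose target is an existing regular
# file; a link left pointing at a deleted build tree fails here.
link_ok() {
    [ -L "$1" ] && [ -f "$1" ]
}

# check_ldd <binary>...: print any "not found" libraries; return 1 if any.
check_ldd() {
    rc=0
    for bin in "$@"; do
        if ldd "$bin" 2>/dev/null | grep -q 'not found'; then
            echo "$bin:"; ldd "$bin" | grep 'not found'; rc=1
        fi
    done
    return $rc
}

# Dry run before the real removal: rpm -e --test fails the same way the real
# removal would, without deleting anything.
if [ "${APPLY:-0}" = 1 ]; then
    pkg=${1:?usage: APPLY=1 $0 openssl-1.0.1e-42.el6.x86_64}
    rpm -e --test "$pkg" > /root/openssl-deps.txt 2>&1 || true
    echo "names needed:";           required_names           < /root/openssl-deps.txt
    echo "symbol versions needed:"; required_symbol_versions < /root/openssl-deps.txt
    echo "dependent packages: $(dependent_package_count < /root/openssl-deps.txt)"
fi

# After the symlinks are in place: CHECK=1 ./openssl-swap-check.sh
if [ "${CHECK:-0}" = 1 ]; then
    for l in /usr/lib64/libssl.so.10 /usr/lib64/libcrypto.so.10 /usr/bin/openssl; do
        if link_ok "$l"; then echo "ok: $l -> $(readlink -f "$l")"; else echo "BROKEN: $l"; fi
    done
    check_ldd /usr/sbin/sshd /usr/bin/ssh /usr/bin/openssl /usr/bin/wget /usr/sbin/ntpd
fi
```

The dry run is the point: with the names and symbol versions in hand, the --nodeps removal and the two ln -s commands can be prepared in one pasted block and executed together, which closes the window in which yum, ssh and wget would all fail to start.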
My profession is not SA and I do not know much about compiling and installing on Linux, so this hardening process inevitably has omissions or errors; experts are welcome to point them out for everyone's reference and learning. Thanks also to netizen 遊蕩 for the SSH installation notes provided to me early on, and to www.linuxfromscratch.org for the SSH/SSL installation instructions.