openssh-8.4p openssl-1.1.1h upgrade
- To fix OpenSSH vulnerabilities (CVE-2018-15919 in versions before 7.8, CVE-2017-15906 in versions before 7.6), upgrade OpenSSH to 8.4p and OpenSSL to 1.1.1h on KunPeng arm64
Result after the upgrade
[root@master3 openssh-8.4p1]# ssh -V
OpenSSH_8.4p1, OpenSSL 1.1.1h 22 Sep 2020
[root@master3 openssh-8.4p1]# cat /etc/redhat-release
CentOS Linux release 7.6.1810 (AltArch)
Install telnet-server and xinetd (so telnet still works as a way in if the upgrade fails)
yum install xinetd telnet-server -y
Configure telnet
- On many current CentOS 7 builds, installing telnet-server and xinetd no longer creates a config file named telnet
- If the telnet file below does not exist, skip this part of the changes
[root@master3 openssh-8.4p1]# ll /etc/xinetd.d/telnet
ls: cannot access /etc/xinetd.d/telnet: No such file or directory
- If the file below does exist, change the config so telnet permits root login: change disable = no to disable = yes
[root@master3 openssh-8.4p1]# cat /etc/xinetd.d/telnet
# default: on
# description: The telnet server serves telnet sessions; it uses \
# unencrypted username/password pairs for authentication.
service telnet
{
disable = no
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
}
[root@master3 openssh-8.4p1]# vim /etc/xinetd.d/telnet
[root@master3 openssh-8.4p1]# cat /etc/xinetd.d/telnet
# default: on
# description: The telnet server serves telnet sessions; it uses \
# unencrypted username/password pairs for authentication.
service telnet
{
disable = yes
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
}
- Configure the terminal types allowed for telnet login by appending the following pts terminals to the end of /etc/securetty
pts/0
pts/1
pts/2
pts/3
- Output after the change
[root@master3 openssh-8.4p1]# vim /etc/securetty
[root@master3 openssh-8.4p1]# tail -5 /etc/securetty
xvc0
pts/0
pts/1
pts/2
pts/3
- Start the telnet service and enable it at boot
[root@master3 openssh-8.4p1]# systemctl enable xinetd
[root@master3 openssh-8.4p1]# systemctl enable telnet.socket
Created symlink from /etc/systemd/system/sockets.target.wants/telnet.socket to /usr/lib/systemd/system/telnet.socket.
[root@master3 openssh-8.4p1]#
[root@master3 openssh-8.4p1]# systemctl start telnet.socket
[root@master3 openssh-8.4p1]# systemctl start xinetd
[root@master3 openssh-8.4p1]# netstat -lntp|grep 23
tcp6 0 0 :::23 :::* LISTEN 1/systemd
[root@master3 openssh-8.4p1]#
Install dependency packages
- The upgrade needs a few components, some of them related to compiling
yum install -y gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel pam-devel
- Install pam and zlib (the upgrade steps below may not actually use pam; installing it does no harm, but if you would rather not install it, test that yourself)
yum install -y pam* zlib*
Download the openssh package (p suffix) and the openssl package (h suffix)
- https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/
- https://ftp.openssl.org/source/
Start installing openssl
- Unpacking is not covered here
- Back up the following 2 files/directories (run the commands only if they exist)
[root@master3 openssh-8.4p1]# ll /usr/bin/openssl
-rwxr-xr-x 1 root root 555248 Mar 12 18:12 /usr/bin/openssl
[root@master3 openssh-8.4p1]# mv /usr/bin/openssl /usr/bin/openssl_bak
[root@master3 openssh-8.4p1]# ll /usr/include/openssl
total 1864
-rw-r--r-- 1 root root 6146 Mar 12 18:12 aes.h
-rw-r--r-- 1 root root 63204 Mar 12 18:12 asn1.h
-rw-r--r-- 1 root root 24435 Mar 12 18:12 asn1_mac.h
-rw-r--r-- 1 root root 34475 Mar 12 18:12 asn1t.h
-rw-r--r-- 1 root root 38742 Mar 12 18:12 bio.h
-rw-r--r-- 1 root root 5351 Mar 12 18:12 blowfish.h
......
[root@master3 openssh-8.4p1]# mv /usr/include/openssl /usr/include/openssl_bak
Build and install the new version of openssl
- Run configure, compile and install as one command; && means the next command runs only if the previous one succeeded
[root@master3 openssl-1.1.1h]# cd /home/openssl-1.1.1h/
[root@master3 openssl-1.1.1h]# ./config shared && make && make install
- Once the commands above finish, run echo $? to check whether the final make install reported an error; 0 means it was fine
- Create symlinks for the following 2 files/directories (the originals were backed up with mv in the earlier step)
[root@master3 openssl-1.1.1h]# ln -s /usr/local/bin/openssl /usr/bin/openssl
[root@master3 openssl-1.1.1h]# ln -s /usr/local/include/openssl /usr/include/openssl
[root@master3 openssl-1.1.1h]# ll /usr/bin/openssl
lrwxrwxrwx 1 root root 26 Apr 27 12:31 /usr/bin/openssl -> /usr/local/ssl/bin/openssl
[root@master3 openssl-1.1.1h]# ll /usr/include/openssl -ld
lrwxrwxrwx 1 root root 30 Apr 27 12:31 /usr/include/openssl -> /usr/local/ssl/include/openssl
[root@master3 openssl-1.1.1h]#
- Run the following 2 commands to load the new library path
[root@master3 openssl-1.1.1h]# echo "/usr/local/lib" >> /etc/ld.so.conf
[root@master3 openssl-1.1.1h]# /sbin/ldconfig
- Copy the libs into the system library directory (probably needed because of how the make step installs them)
[root@master3 openssl-1.1.1h]# cp libcrypto.so libcrypto.so.1.1 libssl.so libssl.so.1.1 /usr/lib64
- Confirm the version
[root@master3 openssh-8.4p1]# openssl version
OpenSSL 1.1.1h 22 Sep 2020
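A check for the state the OpenSSL steps above leave behind, added here as an example; it is not from the original post. It parses the text of openssl version and ldconfig -p, verifies that libssl.so.1.1 and libcrypto.so.1.1 resolve to /usr/local/lib or /usr/lib64 (the two places the steps above put them), and that the two symlinks created above are not dangling. The filename openssl_check.sh, the --live flag and the (libc6,AArch64) sample cache lines in demo() are my own assumptions and constructed input, not output captured from the post's host.

```shell
#!/bin/sh
# Added example, not part of the original post: checks for the hand-built
# OpenSSL after `make install`, `ln -s` and `ldconfig`. The parsers take text,
# so they run on the constructed sample in demo(); `sh openssl_check.sh --live`
# (filename and flag assumed) runs them against the real binary and cache.

# Print the version token ("1.1.1h") from `openssl version` output.
openssl_version_from() {
    printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2; exit }'
}

# From `ldconfig -p` text ($1), print the path the dynamic loader will use
# for soname $2; the cache lists candidates in search order, so first wins.
lib_path_from_ldconfig() {
    printf '%s\n' "$1" | awk -v so="$2" '$1 == so { print $NF; exit }'
}

# Return 0 when path $1 lies under directory $2.
path_under() {
    case "$1" in "$2"/*) return 0 ;; *) return 1 ;; esac
}

# Return 0 when $1 is a symlink whose target exists. The post replaces
# /usr/bin/openssl and /usr/include/openssl with links; a typo in `ln -s`
# leaves a dangling link that only shows up when something tries to use it.
symlink_is_live() {
    [ -L "$1" ] && [ -e "$1" ]
}

# Evaluate one snapshot: $1 = `openssl version` line, $2 = `ldconfig -p`
# text, $3 = expected version. Returns 0 when the binary reports $3 and both
# 1.1 libraries resolve to a directory the steps above populated.
report() {
    rc=0
    ver=$(openssl_version_from "$1")
    if [ "$ver" = "$3" ]; then echo "ok: openssl binary reports $ver"
    else echo "FAIL: openssl reports '${ver:-<unparsed>}', expected $3"; rc=1; fi
    for so in libssl.so.1.1 libcrypto.so.1.1; do
        p=$(lib_path_from_ldconfig "$2" "$so")
        if [ -z "$p" ]; then
            echo "FAIL: $so not in loader cache (ld.so.conf entry missing or ldconfig not run?)"; rc=1
        elif path_under "$p" /usr/local/lib || path_under "$p" /usr/lib64; then
            echo "ok: $so -> $p"   # /usr/local/lib from make install, /usr/lib64 from the cp step
        else
            echo "FAIL: $so resolves to $p, not to the new build"; rc=1
        fi
    done
    return $rc
}

demo() {
    # Constructed sample of `ldconfig -p` on an aarch64 host that still has
    # the distro 1.0.2 library (soname .so.10) beside the new 1.1.1 ones.
    cache=$(printf '\t%s\n' \
        'libssl.so.1.1 (libc6,AArch64) => /usr/local/lib/libssl.so.1.1' \
        'libssl.so.10 (libc6,AArch64) => /lib64/libssl.so.10' \
        'libcrypto.so.1.1 (libc6,AArch64) => /usr/local/lib/libcrypto.so.1.1')
    report "OpenSSL 1.1.1h  22 Sep 2020" "$cache" 1.1.1h
}

if [ "${1-}" = "--live" ]; then
    report "$(openssl version 2>&1)" "$(ldconfig -p 2>/dev/null)" 1.1.1h
    for link in /usr/bin/openssl /usr/include/openssl; do
        if symlink_is_live "$link"; then echo "ok: $link -> $(readlink "$link")"
        else echo "WARN: $link missing or dangling"; fi
    done
else
    demo
fi
```

Run it with no arguments to see the checks on the constructed sample; run it with --live on the upgraded host. The loader-cache check matters because a stale copy of the 1.1 libraries elsewhere on the path would be picked up silently by the sshd built in the next section.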
Install openssh
- Unpack
- Remove the old ssh config files and directory from the command line
- Then configure, compile and install
[root@master3 openssh-8.4p1]# rm -rf /etc/ssh/*
[root@master3 openssh-8.4p1]# ./configure --prefix=/usr/ --sysconfdir=/etc/ssh --with-openssl-includes=/usr/local/ssl/include --with-ssl-dir=/usr/local/ssl --with-zlib --with-md5-passwords --with-pam && make && make install
- Edit the config file so that it ends up with the following; leave everything else alone
[root@master3 openssh-8.4p1]# grep "^PermitRootLogin" /etc/ssh/sshd_config
PermitRootLogin yes
[root@master3 openssh-8.4p1]# grep "UseDNS" /etc/ssh/sshd_config
UseDNS no
[root@master3 openssh-8.4p1]#
- Copy a few files from the unpacked source into place (overwrite if the target exists). The sshd.pam file below may not even be used, since sshd_config does not appear to reference it; test that yourself. I copied it here.
[root@master3 openssh-8.4p1]# cp -a contrib/redhat/sshd.init /etc/init.d/sshd
[root@master3 openssh-8.4p1]# cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd.pam
[root@master3 openssh-8.4p1]# chmod +x /etc/init.d/sshd
[root@master3 openssh-8.4p1]# chkconfig --add sshd
[root@master3 openssh-8.4p1]# systemctl enable sshd
[root@master3 openssh-8.4p1]#
- Delete or move the original systemd-managed sshd unit file; if it is left in place it interferes with restarting the sshd service
[root@master3 openssh-8.4p1]# mv /usr/lib/systemd/system/sshd.service /home/
- Enable the sshd service at boot
[root@master3 openssh-8.4p1]# chkconfig sshd on
Note: Forwarding request to 'systemctl enable sshd.socket'.
Created symlink from /etc/systemd/system/sockets.target.wants/sshd.socket to /usr/lib/systemd/system/sshd.socket.
- Next, test stopping and starting the service. All fine.
From now on, manage sshd as follows
[root@master3 openssh-8.4p1]# /etc/init.d/sshd restart
Restarting sshd (via systemctl): [ OK ]
[root@master3 openssh-8.4p1]#
[root@master3 openssh-8.4p1]#
[root@master3 openssh-8.4p1]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 31800/sshd
tcp6 0 0 :::22 :::* LISTEN 31800/sshd
tcp6 0 0 :::23 :::* LISTEN 1/systemd
[root@master3 openssh-8.4p1]# /etc/init.d/sshd stop
Stopping sshd (via systemctl): [ OK ]
[root@master3 openssh-8.4p1]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp6 0 0 :::23 :::* LISTEN 1/systemd
[root@master3 openssh-8.4p1]# /etc/init.d/sshd start
Starting sshd (via systemctl): [ OK ]
[root@master3 openssh-8.4p1]#
[root@master3 openssh-8.4p1]#
- The systemd way works too
[root@master3 openssh-8.4p1]# systemctl stop sshd
[root@master3 openssh-8.4p1]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp6 0 0 :::23 :::* LISTEN 1/systemd
[root@master3 openssh-8.4p1]# systemctl start sshd
[root@master3 openssh-8.4p1]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 31958/sshd
tcp6 0 0 :::22 :::* LISTEN 31958/sshd
tcp6 0 0 :::23 :::* LISTEN 1/systemd
[root@master3 openssh-8.4p1]# systemctl restart sshd
[root@master3 openssh-8.4p1]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 31999/sshd
tcp6 0 0 :::22 :::* LISTEN 31999/sshd
tcp6 0 0 :::23 :::* LISTEN 1/systemd
[root@master3 openssh-8.4p1]#
- Check the version. All fine
[root@master3 openssh-8.4p1]# ssh -V
OpenSSH_8.4p1, OpenSSL 1.1.1h 22 Sep 2020
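A post-upgrade check for the sshd section, added here as an example; it is not from the original post. It parses ssh -V, reads the effective PermitRootLogin and UseDNS values the way sshd does (first occurrence wins, case-insensitive keyword, Match blocks excluded), confirms from netstat -lntp text that sshd is on port 22, and flags the telnet fallback on port 23 so it gets disabled once ssh is confirmed working. The 7.8 threshold is the fixed version the post cites; the filename sshd_postcheck.sh and the --live flag are my own; the sample lines in demo() are copied from the post's output, and the two-line sshd_config is constructed to match what the post sets.

```shell
#!/bin/sh
# Added example, not part of the original post: checks to run once the
# rebuilt sshd is serving. Every check is a function over text, so it can be
# exercised on the constructed samples in demo() before being pointed at a
# real host with `sh sshd_postcheck.sh --live` (filename and flag assumed).

# Print "<openssh version> <openssl version>" from `ssh -V` output.
# ssh -V writes to stderr, hence the 2>&1 in the --live branch.
ssh_versions_from() {
    printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9.p]*\), OpenSSL \([0-9a-z.]*\).*/\1 \2/p'
}

# Return 0 when major.minor of $1 is at least major.minor of $2,
# e.g. version_ge 8.4p1 7.8 (the portable "p1" suffix is ignored).
version_ge() {
    a_major=${1%%.*}; a_rest=${1#*.}; a_minor=${a_rest%%[!0-9]*}
    b_major=${2%%.*}; b_rest=${2#*.}; b_minor=${b_rest%%[!0-9]*}
    [ "$a_major" -gt "$b_major" ] ||
        { [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -ge "$b_minor" ]; }
}

# Print the value sshd will actually use for keyword $2 in sshd_config $1.
# sshd keeps the FIRST value it reads for a keyword, so grepping for the last
# occurrence can mislead; keywords are case-insensitive; Match blocks skipped.
sshd_directive() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        NF == 0 || $1 ~ /^#/   { next }
        tolower($1) == "match" { exit }
        tolower($1) == key     { print $2; exit }
    ' "$1"
}

# From `netstat -lntp` text ($1), print the PID/Program name listening on
# TCP port $2, or nothing when the port is closed.
listener_on_port() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $1 ~ /^tcp/ && $6 == "LISTEN" && $4 ~ (":" port "$") { print $NF; exit }'
}

# Evaluate one host snapshot: $1 = ssh -V line, $2 = sshd_config path,
# $3 = netstat -lntp text. Prints findings; returns 0 only when sshd is
# serving on 22 at a version at or above the 7.8 the post cites as fixed.
report() {
    versions=$(ssh_versions_from "$1"); rc=0
    if [ -z "$versions" ]; then echo "FAIL: cannot parse '$1'"; return 1; fi
    ssh_ver=${versions%% *}; ssl_ver=${versions#* }
    echo "OpenSSH $ssh_ver / OpenSSL $ssl_ver"
    if version_ge "$ssh_ver" 7.8; then echo "ok: OpenSSH >= 7.8"
    else echo "FAIL: OpenSSH older than 7.8"; rc=1; fi
    if [ "$(sshd_directive "$2" PermitRootLogin)" = yes ]; then
        echo "NOTE: PermitRootLogin yes (OpenSSH's own default is prohibit-password)"
    fi
    if [ "$(sshd_directive "$2" UseDNS)" = no ]; then echo "ok: UseDNS no"; fi
    case "$(listener_on_port "$3" 22)" in
        */sshd) echo "ok: sshd listening on 22" ;;
        *)      echo "FAIL: nothing named sshd on port 22"; rc=1 ;;
    esac
    # The telnet fallback exists only for the upgrade window; flag it once ssh works.
    t23=$(listener_on_port "$3" 23)
    if [ -n "$t23" ]; then echo "NOTE: port 23 still open ($t23); disable the telnet fallback"; fi
    return $rc
}

demo() {
    # Constructed input: the ssh -V and netstat lines are copied from the
    # post's own output; the two-line sshd_config matches what the post sets.
    cfg=$(mktemp)
    printf 'PermitRootLogin yes\nUseDNS no\n' > "$cfg"
    report "OpenSSH_8.4p1, OpenSSL 1.1.1h  22 Sep 2020" "$cfg" \
"tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 31800/sshd
tcp6 0 0 :::22 :::* LISTEN 31800/sshd
tcp6 0 0 :::23 :::* LISTEN 1/systemd"
    rm -f "$cfg"
}

if [ "${1-}" = "--live" ]; then
    report "$(ssh -V 2>&1)" /etc/ssh/sshd_config "$(netstat -lntp 2>/dev/null)"
else
    demo
fi
```

On the host as left by the steps above, the --live run reports the 8.4p1 version, notes PermitRootLogin yes, and notes port 23 still open; once the new sshd has been confirmed from a second session, stopping and disabling telnet.socket and xinetd clears the last note.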