The existing versions have known security vulnerabilities, so they need to be upgraded to newer releases.
Original versions and upgraded versions:
```bash
OpenSSL 1.0.2k-fips 26 Jan 2017
->
OpenSSL 1.1.1w 11 Sep 2023
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
->
OpenSSH_9.5p1, OpenSSL 1.1.1w 11 Sep 2023
```
Check the existing versions
```bash
# Check the OS release
# cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)
# Check the OpenSSL version
# openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017
# Check the OpenSSH version
# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
```
Install telnet
This provides a fallback login path so the host does not become unreachable when OpenSSH is removed.
```bash
# Install telnet
yum -y install telnet telnet-server
# Start telnet
systemctl enable telnet.socket
systemctl is-enabled telnet.socket
systemctl start telnet.socket
# Temporarily move the PAM security configuration directory aside
mv /etc/security /etc/security.bak
```
Once the OpenSSH upgrade is confirmed and SSH connections work normally, remove the telnet service:
```bash
systemctl stop telnet.socket
systemctl disable telnet.socket
# After the upgrade is complete, restore the security configuration directory
mv /etc/security.bak /etc/security
yum -y remove telnet telnet-server
```
Install the OpenSSH build dependencies
```bash
yum -y install gcc keyutils-libs rpm-build krb5-devel libcom_err-devel libselinux-devel pam-* openssl-devel pkgconfig vsftpd zlib*
```
Download the source packages
https://www.openssl.org/source/old/
https://www.openssh.com/portable.html#downloads
Install OpenSSL
```bash
wget https://www.openssl.org/source/old/1.1.1/openssl-1.1.1w.tar.gz
tar -zxvf openssl-1.1.1w.tar.gz
cd openssl-1.1.1w
./config shared --prefix=/usr/local/openssl-1.1.1w
make && make install
# Verify the installation
/usr/local/openssl-1.1.1w/bin/openssl version
OpenSSL 1.1.1w 11 Sep 2023
```
Install OpenSSH
```bash
wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.5p1.tar.gz
tar -zxvf openssh-9.5p1.tar.gz
cd openssh-9.5p1
./configure --prefix=/usr/local/openssh-9.5p1 --with-ssl-dir=/usr/local/openssl-1.1.1w
make && make install
# Verify the installation
/usr/local/openssh-9.5p1/sbin/sshd -V
OpenSSH_9.5p1, OpenSSL 1.1.1w 11 Sep 2023
```
Modify the configuration (important)
```bash
# /usr/local/openssh-9.5p1/etc/sshd_config
# Allow root to log in with a password
PermitRootLogin yes
```
Start on boot
```ini
# /usr/lib/systemd/system/sshd9.service
[Unit]
Description=OpenSSH server daemon
After=network.target
[Service]
Type=simple
Environment=LD_LIBRARY_PATH=/usr/local/openssl-1.1.1w/lib
ExecStart=/usr/local/openssh-9.5p1/sbin/sshd -D -f /usr/local/openssh-9.5p1/etc/sshd_config
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartSec=42s
[Install]
WantedBy=multi-user.target
```
Stop the original sshd service
```bash
systemctl stop sshd.service
systemctl disable sshd.service
```
Back up the old sshd
```bash
mkdir /home/ssh-old-bak
mv /etc/ssh /home/ssh-old-bak/
mv /usr/sbin/sshd /home/ssh-old-bak/
mv /usr/lib/systemd/system/sshd-keygen.service /home/ssh-old-bak/
mv /usr/lib/systemd/system/sshd.service /home/ssh-old-bak/
mv /usr/lib/systemd/system/sshd@.service /home/ssh-old-bak/
mv /usr/lib/systemd/system/sshd.socket /home/ssh-old-bak/
```
Start the new sshd9 service
```bash
systemctl daemon-reload
systemctl start sshd9.service
systemctl status sshd9.service
systemctl enable sshd9.service
```
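A post-upgrade check, as an added example that is not part of the original post: it parses the `ssh -V` / `sshd -V` banner shown above and confirms that both the OpenSSH and the OpenSSL component are at least the target versions (assumed targets 9.5p1 and 1.1.1w, the releases installed in this guide). It works on plain text, so a banner pasted from another host can be checked the same way.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): verify that an OpenSSH banner
# reports at least the target OpenSSH and OpenSSL versions of this upgrade.
# Assumed targets: OpenSSH 9.5p1 and OpenSSL 1.1.1w (as installed above).

# Map an OpenSSL version such as "1.0.2k-fips" or "1.1.1w" to a comparable integer:
# major/minor/patch plus the letter suffix (a=1 ... z=26, no letter=0).
openssl_version_key() {
    local v=${1%%-*}                # drop "-fips" and similar suffixes
    local letter=${v##*[0-9]}       # trailing letter, may be empty
    local nums=${v%"$letter"}
    local n=0 IFS=.
    if [ -n "$letter" ]; then n=$(( $(printf '%d' "'$letter") - 96 )); fi
    set -- $nums
    printf '%d\n' $(( ${1:-0} * 1000000 + ${2:-0} * 10000 + ${3:-0} * 100 + n ))
}

# Map an OpenSSH version such as "OpenSSH_9.5p1" or "7.4p1" to a comparable
# integer: major/minor plus the portable-release number after "p".
openssh_version_key() {
    local v=${1#OpenSSH_} base portable IFS=.
    case $v in
        *p*) base=${v%p*}; portable=${v##*p} ;;
        *)   base=$v;      portable=0 ;;
    esac
    set -- $base
    printf '%d\n' $(( ${1:-0} * 10000 + ${2:-0} * 100 + portable ))
}

# Parse a banner like "OpenSSH_9.5p1, OpenSSL 1.1.1w 11 Sep 2023" (the output of
# `ssh -V` or `sshd -V`) and compare both components against the targets.
# Returns 0 when both meet the target, 1 when either is older, 2 if unparseable.
banner_meets_target() {
    local banner=$1 ssh_min=${2:-9.5p1} ssl_min=${3:-1.1.1w} ssh_ver ssl_ver
    ssh_ver=$(printf '%s\n' "$banner" | sed -n 's/^OpenSSH_\([^, ]*\).*/\1/p')
    ssl_ver=$(printf '%s\n' "$banner" | sed -n 's/.*OpenSSL \([^ ]*\).*/\1/p')
    [ -n "$ssh_ver" ] && [ -n "$ssl_ver" ] || return 2
    [ "$(openssh_version_key "$ssh_ver")" -ge "$(openssh_version_key "$ssh_min")" ] &&
        [ "$(openssl_version_key "$ssl_ver")" -ge "$(openssl_version_key "$ssl_min")" ]
}

# On the upgraded host, check the ssh client found on PATH (skipped if none).
if command -v ssh >/dev/null 2>&1; then
    live=$(ssh -V 2>&1)
    if banner_meets_target "$live"; then echo "OK: $live"; else echo "OUTDATED: $live"; fi
fi
```

To check the daemon rather than the client, pass its banner instead, e.g. `banner_meets_target "$(/usr/local/openssh-9.5p1/sbin/sshd -V 2>&1)"`.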
Problems and solutions
Problem 1: openssl version reports an error
```bash
# Running the version check reports that libssl.so.1.1 cannot be found
/usr/local/openssl-1.1.1w/bin/openssl version
/usr/local/openssl-1.1.1w/bin/openssl: error while loading shared libraries: libssl.so.1.1: cannot open shared object file: No such file or directory
## Solution
ln -s /usr/local/openssl-1.1.1w/lib/libssl.so.1.1 /usr/lib64/libssl.so.1.1
ln -s /usr/local/openssl-1.1.1w/lib/libcrypto.so.1.1 /usr/lib64/libcrypto.so.1.1
```