I. Background:
While running CentOS 7.9 64-bit, a vulnerability scan reported the following OpenSSH finding:

II. Fixing the OpenSSH vulnerability
Upgrade notes (every command below assumes root or administrator privileges; if you run into permission errors, prefix each command and command chain with sudo)
1. Check the CentOS release:
(1) cat /etc/issue shows the release banner
```bash
[root@ecs-ab49 ~]# cat /etc/issue
\S
Kernel \r on an \m
```
(2) cat /etc/redhat-release shows the release (recommended)
```bash
[root@ecs-ab49 ~]# cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)
```
(3) cat /proc/version shows the kernel
```bash
[root@ecs-ab49 ~]# cat /proc/version
Linux version 3.10.0-1160.119.1.el7.x86_64 ([email protected]) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC) ) #1 SMP Tue Jun 4 14:43:51 UTC 2024
```
2. Prepare the build dependencies:
(1) OpenSSL version: OpenSSH 8.0 currently does not support OpenSSL 1.1.x or newer; with a newer OpenSSL the build fails.
```bash
[root@ecs-ab49 ~]# openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017
```
```bash
[root@ecs-ab49 ~]# rpm -qa|grep openssl
openssl-libs-1.0.2k-26.el7_9.x86_64
openssl-1.0.2k-26.el7_9.x86_64
```
If openssl is not installed, install openssl and openssl-devel:
```bash
[root@ecs-ab49 ~]# yum install openssl-devel openssl
```
(2) zlib and zlib-devel dependencies:
zlib 1.1.4, 1.2.1.2 or newer is required.
```bash
[root@ecs-ab49 ~]# rpm -q zlib zlib-devel
zlib-1.2.7-21.el7_9.x86_64
package zlib-devel is not installed
```
Note: zlib-devel is missing here, so install it:
```bash
[root@ecs-ab49 ~]# yum install zlib-devel
Loaded plugins: fastestmirror
Determining fastest mirrors
base | 3.6 kB 00:00:00
epel | 4.3 kB 00:00:00
extras | 2.9 kB 00:00:00
updates | 2.9 kB 00:00:00
(1/7): epel/x86_64/group | 399 kB 00:00:00
(2/7): epel/x86_64/updateinfo | 1.0 MB 00:00:00
(3/7): base/7/x86_64/group_gz | 153 kB 00:00:00
(4/7): base/7/x86_64/primary_db | 6.1 MB 00:00:00
(5/7): epel/x86_64/primary_db | 8.7 MB 00:00:00
(6/7): updates/7/x86_64/primary_db | 27 MB 00:00:00
(7/7): extras/7/x86_64/primary_db | 253 kB 00:00:00
Resolving Dependencies
--> Running transaction check
---> Package zlib-devel.x86_64 0:1.2.7-21.el7_9 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
==============================================================================
Package Arch Version Repository Size
==============================================================================
Installing:
zlib-devel x86_64 1.2.7-21.el7_9 updates 50 k
Transaction Summary
==============================================================================
Install 1 Package
Total download size: 50 k
Installed size: 132 k
Is this ok [y/d/N]: y
Downloading packages:
zlib-devel-1.2.7-21.el7_9.x86_64.rpm | 50 kB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Warning: RPMDB altered outside of yum.
Installing : zlib-devel-1.2.7-21.el7_9.x86_64 1/1
Verifying : zlib-devel-1.2.7-21.el7_9.x86_64 1/1
Installed:
zlib-devel.x86_64 0:1.2.7-21.el7_9
Complete!
```
Check the zlib and zlib-devel dependencies again:
```bash
[root@ecs-ab49 ~]# rpm -q zlib zlib-devel
zlib-1.2.7-21.el7_9.x86_64
zlib-devel-1.2.7-21.el7_9.x86_64
```
(3) GCC dependency:
Check the gcc version
```bash
[root@ecs-ab49 ~]# gcc -v
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/libexec/gcc/x86_64-redhat-linux/4.8.5/lto-wrapper
Target: x86_64-redhat-linux
Configured with: ../configure --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --with-bugurl=http://bugzilla.redhat.com/bugzilla --enable-bootstrap --enable-shared --enable-threads=posix --enable-checking=release --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-gnu-unique-object --enable-linker-build-id --with-linker-hash-style=gnu --enable-languages=c,c++,objc,obj-c++,java,fortran,ada,go,lto --enable-plugin --enable-initfini-array --disable-libgcj --with-isl=/builddir/build/BUILD/gcc-4.8.5-20150702/obj-x86_64-redhat-linux/isl-install --with-cloog=/builddir/build/BUILD/gcc-4.8.5-20150702/obj-x86_64-redhat-linux/cloog-install --enable-gnu-indirect-function --with-tune=generic --with-arch_32=x86-64 --build=x86_64-redhat-linux
Thread model: posix
gcc version 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC)
```
If gcc is missing, install it directly:
```bash
[root@ecs-ab49 ~]# yum install gcc
```
(4) Install pam-devel
```bash
[root@ecs-ab49 ~]# yum install -y pam-devel
```
3. Install the telnet and xinetd services:
To keep a way into the host if the upgrade fails, enable a telnet service first so that a broken sshd cannot lock you out of the remote machine. telnet carries credentials in cleartext, so expose it only to a trusted management network and remove it again as soon as the new sshd is verified (section 5 below).
(1) Install the telnet service:
```bash
[root@ecs-ab49 ~]# rpm -qa | grep telnet
```
```bash
[root@ecs-ab49 ~]# yum list |grep telnet
dcap-tunnel-telnet.x86_64 2.47.14-1.el7 epel
libguac-client-telnet.x86_64 1:1.5.5-1.el7 epel
libtelnet.x86_64 0.23-1.el7 epel
libtelnet-devel.x86_64 0.23-1.el7 epel
libtelnet-utils.x86_64 0.23-1.el7 epel
telnet.x86_64 1:0.17-66.el7 updates
telnet-server.x86_64 1:0.17-66.el7 updates
```
```bash
[root@ecs-ab49 ~]# yum install telnet-server.x86_64
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package telnet-server.x86_64 1:0.17-66.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
==============================================================================
Package Arch Version Repository Size
==============================================================================
Installing:
telnet-server x86_64 1:0.17-66.el7 updates 41 k
Transaction Summary
==============================================================================
Install 1 Package
Total download size: 41 k
Installed size: 55 k
Is this ok [y/d/N]: y
Downloading packages:
telnet-server-0.17-66.el7.x86_64.rpm | 41 kB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : 1:telnet-server-0.17-66.el7.x86_64 1/1
Verifying : 1:telnet-server-0.17-66.el7.x86_64 1/1
Installed:
telnet-server.x86_64 1:0.17-66.el7
Complete!
```
(2) Install the xinetd service:
```bash
[root@ecs-ab49 ~]# rpm -qa | grep xinetd
```
```bash
[root@ecs-ab49 ~]# yum list |grep xinetd
xinetd.x86_64 2:2.3.15-14.el7 base
```
```bash
[root@ecs-ab49 ~]# yum install xinetd.x86_64
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package xinetd.x86_64 2:2.3.15-14.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
==============================================================================
Package Arch Version Repository Size
==============================================================================
Installing:
xinetd x86_64 2:2.3.15-14.el7 base 128 k
Transaction Summary
==============================================================================
Install 1 Package
Total download size: 128 k
Installed size: 261 k
Is this ok [y/d/N]: y
Downloading packages:
xinetd-2.3.15-14.el7.x86_64.rpm | 128 kB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : 2:xinetd-2.3.15-14.el7.x86_64 1/1
Verifying : 2:xinetd-2.3.15-14.el7.x86_64 1/1
Installed:
xinetd.x86_64 2:2.3.15-14.el7
Complete!
```
Start the telnet and xinetd services and verify that you can log in:
```bash
[root@ecs-ab49 ~]# systemctl enable telnet.socket
Created symlink from /etc/systemd/system/sockets.target.wants/telnet.socket to /usr/lib/systemd/system/telnet.socket.
[root@ecs-ab49 ~]# systemctl start telnet.socket
[root@ecs-ab49 ~]# systemctl status telnet.socket
● telnet.socket - Telnet Server Activation Socket
Loaded: loaded (/usr/lib/systemd/system/telnet.socket; enabled; vendor preset: disabled)
Active: active (listening) since Thu 2025-03-27 11:33:22 CST; 8s ago
Docs: man:telnetd(8)
Listen: [::]:23 (Stream)
Accepted: 0; Connected: 0
Mar 27 11:33:22 ecs-ab49 systemd[1]: Listening on Telnet Server Activation Socket.
```
```bash
[root@ecs-ab49 ~]# systemctl enable xinetd
[root@ecs-ab49 ~]# systemctl start xinetd
[root@ecs-ab49 ~]# systemctl status xinetd
● xinetd.service - Xinetd A Powerful Replacement For Inetd
Loaded: loaded (/usr/lib/systemd/system/xinetd.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2025-03-27 11:33:45 CST; 4s ago
Process: 10174 ExecStart=/usr/sbin/xinetd -stayalive -pidfile /var/run/xinetd.pid $EXTRAOPTIONS (code=exited, status=0/SUCCESS)
Main PID: 10175 (xinetd)
CGroup: /system.slice/xinetd.service
└─10175 /usr/sbin/xinetd -stayalive -pidfile /var/run/xinetd.pid
Mar 27 11:33:45 ecs-ab49 xinetd[10175]: removing discard
Mar 27 11:33:45 ecs-ab49 xinetd[10175]: removing discard
Mar 27 11:33:45 ecs-ab49 xinetd[10175]: removing echo
Mar 27 11:33:45 ecs-ab49 xinetd[10175]: removing echo
Mar 27 11:33:45 ecs-ab49 xinetd[10175]: removing tcpmux
Mar 27 11:33:45 ecs-ab49 xinetd[10175]: removing time
Mar 27 11:33:45 ecs-ab49 xinetd[10175]: removing time
Mar 27 11:33:45 ecs-ab49 xinetd[10175]: xinetd Version 2.3.15 started with libwrap loadavg labeled-networking options compiled in.
Mar 27 11:33:45 ecs-ab49 xinetd[10175]: Started working: 0 available services
Mar 27 11:33:45 ecs-ab49 systemd[1]: Started Xinetd A Powerful Replacement For Inetd.
```
Login verification:

4. Upgrade OpenSSH:
(1) Back up the existing OpenSSH files
```bash
[root@ecs-ab49 ~]# cp -r -a /etc/ssh/ /etc/ssh.bak
[root@ecs-ab49 ~]# cp -r -a /etc/pam.d/ /etc/pam.d.bak
[root@ecs-ab49 ~]# mv /usr/sbin/sshd /usr/sbin/sshd.bak
[root@ecs-ab49 ~]# mv /usr/bin/ssh /usr/bin/ssh.bak
[root@ecs-ab49 ~]# mv /usr/bin/ssh-keygen /usr/bin/ssh-keygen.bak
```
(2) Download the openssh-8.0p1 source tarball:
```bash
[root@ecs-ab49 ~]# wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.0p1.tar.gz
--2025-03-27 11:42:18-- https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.0p1.tar.gz
Resolving cdn.openbsd.org (cdn.openbsd.org)... 151.101.91.52
Connecting to cdn.openbsd.org (cdn.openbsd.org)|151.101.91.52|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1597697 (1.5M) [application/octet-stream]
Saving to: 'openssh-8.0p1.tar.gz'
100%[==========================================================================>] 1,597,697 1.53MB/s in 1.0s
2025-03-27 11:42:22 (1.53 MB/s) - 'openssh-8.0p1.tar.gz' saved [1597697/1597697]
```
Extract the openssh-8.0p1 tarball:
```bash
[root@ecs-ab49 ~]# tar -zxvf openssh-8.0p1.tar.gz
```
(3) Remove the distribution's openssh packages
Remove with rpm:
```bash
[root@ecs-ab49 ~]# rpm -e --nodeps `rpm -qa | grep openssh`
```
Or remove with yum:
```bash
[root@ecs-ab49 ~]# yum remove openssh
```
(4) Configure the source build:
```bash
[root@ecs-ab49 ~]# cd openssh-8.0p1
[root@ecs-ab49 openssh-8.0p1]# ./configure --prefix=/usr/local/openssh8p1 --sysconfdir=/etc/ssh --with-pam --with-zlib
```
Result:
(5) Build and install with make and make install:
```bash
[root@ecs-ab49 openssh-8.0p1]# make && sudo make install
```
(6) Copy the OpenSSH files into the system paths
```bash
[root@ecs-ab49 openssh-8.0p1]# cp /usr/local/openssh8p1/etc/sshd_config /etc/ssh/sshd_config
[root@ecs-ab49 openssh-8.0p1]# cp /usr/local/openssh8p1/sbin/sshd /usr/sbin/sshd
[root@ecs-ab49 openssh-8.0p1]# cp /usr/local/openssh8p1/bin/ssh /usr/bin/ssh
[root@ecs-ab49 openssh-8.0p1]# cp /usr/local/openssh8p1/bin/ssh-keygen /usr/bin/ssh-keygen
[root@ecs-ab49 openssh-8.0p1]# cp -p contrib/redhat/sshd.init /etc/init.d/sshd
```
(7) Make the init script executable
```bash
[root@ecs-ab49 openssh-8.0p1]# chmod +x /etc/init.d/sshd
```
(8) Edit the configuration file (as needed)
```bash
[root@ecs-ab49 openssh-8.0p1]# vi /etc/ssh/sshd_config
```
Add the following:
```bash
PermitRootLogin yes
PubkeyAuthentication yes
PasswordAuthentication yes
```
Comment out the following:
```bash
#TCPKeepAlive yes
```
(9) Enable the service at boot
```bash
[root@ecs-ab49 openssh-8.0p1]# systemctl enable sshd
```
(10) Restart the service
```bash
[root@ecs-ab49 openssh-8.0p1]# systemctl restart sshd
```
(11) Verify the ssh version:
```bash
[root@ecs-ab49 ssh]# ssh -V
OpenSSH_8.0p1, OpenSSL 1.0.2k-fips 26 Jan 2017
```
Re-scan to check whether the OpenSSH vulnerability has been fixed; in this case it was.
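Between steps (8) and (10) above, a practitioner would want to check the new configuration before restarting sshd rather than relying on the telnet fallback. The following shell script is an added example, not code from the original post: it reads the effective value of a directive the way sshd does (the first uncommented match wins, so a "PermitRootLogin yes" appended at the end of sshd_config is silently ignored if an earlier active line already sets it), lists duplicated directives, confirms the host keys under /etc/ssh still match the /etc/ssh.bak copy taken in step (1) so clients see no host-key warnings, and runs the new binary's own syntax check. The paths are the post's; the function names are my own, and Match blocks are not modelled.

```shell
#!/bin/bash
# Added example (not from the original post): pre-restart checks for the
# source-built OpenSSH 8.0p1. Default paths are the ones the post uses;
# the function names are the editor's own. Match blocks are not modelled.

# Effective value of a directive. sshd keeps the FIRST uncommented match
# (keyword compared case-insensitively), so a line appended to the end of
# sshd_config is ignored if an earlier active line already sets that keyword.
sshd_effective() {  # usage: sshd_effective <config> <Keyword>  -> first argument
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blanks
        tolower($1) == key { print $2; exit }    # first active match wins
    ' "$1"
}

# Keywords set more than once; the later copies are dead configuration that
# misleads anyone who reads the file from the bottom up.
sshd_duplicates() {  # usage: sshd_duplicates <config>
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { k = tolower($1); if (k in seen) dup[k] = 1; seen[k] = 1 }
        END { for (k in dup) print k }
    ' "$1" | sort
}

# Compare every host private key in the backup (/etc/ssh.bak) with the live
# copy. A changed key makes every client report a host-key mismatch after
# the restart. Prints the names that differ and returns 1 if any do.
hostkeys_unchanged() {  # usage: hostkeys_unchanged <live_dir> <backup_dir>
    local rc=0 bak live
    for bak in "$2"/ssh_host_*_key; do
        [ -f "$bak" ] || continue
        live="$1/$(basename "$bak")"
        if [ ! -f "$live" ] || ! cmp -s "$bak" "$live"; then
            basename "$bak"; rc=1
        fi
    done
    return $rc
}

# Syntax-check the config with the NEW sshd binary before systemctl restart;
# a config error would otherwise stop sshd while telnet is the only way in.
sshd_syntax_ok() {  # usage: sshd_syntax_ok [sshd_binary] [config]
    "${1:-/usr/sbin/sshd}" -t -f "${2:-/etc/ssh/sshd_config}"
}

# Typical run on the upgraded host (requires root):
#   sshd_syntax_ok && hostkeys_unchanged /etc/ssh /etc/ssh.bak \
#     && echo "PermitRootLogin=$(sshd_effective /etc/ssh/sshd_config PermitRootLogin)"
```

PermitRootLogin yes is only needed where direct root login is actually required; the 8.0p1 default of prohibit-password is the safer setting once key-based login has been confirmed.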
5. Remove the telnet and xinetd services:
(1) Check the installed telnet package and remove telnet and xinetd
```bash
[root@ecs-ab49 ssh]# rpm -qa |grep telnet
```
```bash
[root@ecs-ab49 ssh]# systemctl disable --now telnet.socket
[root@ecs-ab49 ssh]# yum remove -y telnet-server xinetd
```
(2) Restore the securetty file that was modified earlier
```bash
[root@ecs-ab49 ssh]# mv /etc/securetty.bak /etc/securetty
```
With that, the OpenSSH vulnerability on CentOS 7.9 64-bit is fixed.