运维开发网

centos6.5升级openssh至7.9p1

运维开发网 https://www.qedev.com 2020-05-17 14:48 出处:网络 作者:运维开发网整理
环境说明系统环境:centos 6.5 x64 openssh-5.3p1升级原因:低版本openssh存在漏洞升级目标:openssh-7.9p1

环境说明

系统环境:centos 6.5 x64 openssh-5.3p1

升级原因:低版本openssh存在漏洞

升级目标:openssh-7.9p1

检查环境

官方文档中提到的先决条件openssh安装依赖zlib1.1.4并且openssl>=1.0.1版本就可以了。

当前版本正好符合openssh7.9p1的安装条件,而且zlib也符合OpenSSH7.9P1的依赖,可以进行直接安装:

[[email protected] ~]# openssl version

OpenSSL 1.0.1e-fips 11 Feb 2013

[[email protected] ~]# rpm -q zlib

zlib-1.2.3-29.el6.x86_64

[[email protected] ~]# rpm -q zlib-devel

zlib-devel-1.2.3-29.el6.x86_64

开启telnet-server服务

为防止openssh升级过程中断开连接,最好开启telnet-server服务以防万一

[[email protected] ~]yum -y install telnet-server*

[[email protected] ~]service iptables stop

[[email protected] ~]chkconfig iptables off

[[email protected] ~]sed -i ‘s/\(.*\)disable\(.*\)/\ \ \ \ \ \ \ \ disable\ \ \ \ \ \ \ \ \ =\ no/g‘ /etc/xinetd.d/telnet ##将其中disable字段的yes改为no以启用telnet服务

[[email protected] ~]mv /etc/securetty /etc/securetty.old #允许root用户通过telnet登录

[[email protected] ~]service xinetd start

[[email protected] ~]chkconfig xinetd on

openssh-7.9p1升级

[[email protected] ~]yum install -y gcc openssl-devel pam-devel rpm-build pam-devel

[[email protected] ~]#wget http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.9p1.tar.gz #或者从官网下载,上传至服务器

[[email protected] ~]rpm -e `rpm -qa | grep openssh` --nodeps

[[email protected] ~]cd /usr/local/src/ && tar zxvf openssh-7.9p1_Compile.tar.gz && cd openssh-7.9p1

[[email protected]11 ~]./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-md5-passwords --with-tcp-wrappers && make && make install

[[email protected] ~]sed -i ‘s/#PermitRootLogin prohibit-password/PermitRootLogin\ yes/g‘ /etc/ssh/sshd_config #或手动修改PermitRootLogin no 修改为 PermitRootLogin yes 允许root远程登陆

[[email protected] ~]sed -i ‘s/#PermitEmptyPasswords\(.*\)/PermitEmptyPasswords\ no/g‘ /etc/ssh/sshd_config ##禁止空密码

[[email protected] ~]sed -i ‘s/^SELinux\(.*\)/SELinux=disabled/g‘ /etc/seLinux/config ##重点来了~~~禁止seLinux 否则重启后会登录失败

[[email protected] ~]echo ‘KexAlgorithms [email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1‘ >> /etc/ssh/sshd_config ## 写上新版ssh支持的算法

[[email protected] ~]cp contrib/redhat/sshd.init /etc/init.d/sshd

[[email protected] ~]chkconfig --add sshd

[[email protected] ~]chkconfig sshd on

[[email protected] ~]service sshd start

[[email protected] ~]service sshd restart

[[email protected] ~]chkconfig --list sshd

[[email protected] ~]ssh -V

关闭telnet-server服务

升级完成,通过ssh可以远程到服务器后,可以关闭telnet-server服务

[[email protected] ~]mv /etc/securetty.old /etc/securetty #允许root用户通过telnet登录

[[email protected] ~]service xinetd stop

[[email protected] ~]chkconfig xinetd off

[[email protected] ~]service iptables start

[[email protected] ~]chkconfig iptables on

将之前改过的disable=yes又改回去成no.

随后再将修改iptables将23端口关闭,并重启iptables服务.

至此,可以再开ssh登录,用ssh -V查看版本号

启动报错问题

sshd启动报错:Bad SSH2 KexAlgorithms ‘...‘

查询支持的算法:

[[email protected] ~]# ssh -Q kex

diffie-hellman-group1-sha1

diffie-hellman-group14-sha1

diffie-hellman-group14-sha256

diffie-hellman-group16-sha512

diffie-hellman-group18-sha512

diffie-hellman-group-exchange-sha1

diffie-hellman-group-exchange-sha256

ecdh-sha2-nistp256

ecdh-sha2-nistp384

ecdh-sha2-nistp521

curve25519-sha256

[email protected]

也可以用paste -s -d,直接将查询结果串接并写入配置文件:

echo ‘KexAlgorithms‘ `ssh -Q kex | paste -d, -s` >> /etc/ssh/sshd_config

报错排查技巧

遇到错误,服务端日志必须是首选检查点。

可借助sshd -d启用debug模式来排查问题。

可以用ssh -vvv以便更快找到问题。

更多报错处理方法可以参考:https://segmentfault.com/a/1190000018629266

0

精彩评论

暂无评论...
验证码 换一张
取 消