背景
公司做安全扫描,扫出OpenSSH、OpenSSL漏洞,需要做升级。直接yum update无果,只好手动编译升级了。
升级前
ssh -V
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
升级后
ssh -V
OpenSSH_7.6p1, OpenSSL 1.0.2n 7 Dec 2017
准备工作
- 准备OpenSSH、OpenSSL安装包
openssh-7.6p1.tar.gz
openssl-1.0.2n.tar.gz - 安装依赖包
OpenSSL依赖
To install OpenSSL, you will need:
- make
- Perl 5
- an ANSI C compiler
- a development environment in form of development libraries and C
header files- a supported Unix operating system
OpenSSH依赖
You will need working installations of Zlib and libcrypto (LibreSSL / OpenSSL)
Zlib 1.1.4 or 1.2.1.2 or greater (earlier 1.2.x versions have problems):
http://www.gzip.org/zlib/
libcrypto (LibreSSL or OpenSSL >= 0.9.8f < 1.1.0)
LibreSSL http://www.libressl.org/ ; or
OpenSSL http://www.openssl.org/
yum install gcc make perl pam-devel zlib-devel -y
- 开启telnet
预防升级失败,无法连接服务器yum install xinetd telnet-server -y sed -i ‘/disable/ s/yes/no/‘ /etc/xinetd.d/telnet /etc/init.d/xinetd start
- 添加普通用户
升级后默认不支持root直接登录,需要使用普通用户去登录,再su 切换到rootuseradd xx -G wheel passwd xx
OpenSSL升级
tar zxvf openssl-1.0.2n.tar.gz
cd openssl-1.0.2n
./config --prefix=/usr/local/openssl shared zlib && make && make install
mv /usr/bin/openssl /usr/bin/openssl.bak
mv /usr/include/openssl /usr/include/openssl.bak
ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
ln -s /usr/local/openssl/include/openssl /usr/include/openssl
echo "/usr/local/openssl/lib" >>/etc/ld.so.conf
ldconfig -v
查看版本
openssl version -a
OpenSSL 1.0.2n 7 Dec 2017
built on: reproducible build, date unspecified
platform: linux-x86_64
options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -m64 -DL_ENDIAN -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
OPENSSLDIR: "/usr/local/openssl/ssl"
OpenSSH升级
tar zxvf openssh-7.6p1.tar.gz
cd openssh-7.6p1
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-ssl-dir=/usr/local/openssl/ && make
rpm -e `rpm -qa|grep openssh` --nodeps
make install &&
install -v -m755 contrib/ssh-copy-id /usr/bin &&
install -v -m644 contrib/ssh-copy-id.1 /usr/share/man/man1 &&
install -v -m755 -d /usr/share/doc/openssh-7.6p1 &&
install -v -m644 INSTALL LICENCE OVERVIEW README* /usr/share/doc/openssh-7.6p1
echo "PermitRootLogin no" >> /etc/ssh/sshd_config
echo "ChallengeResponseAuthentication no" >> /etc/ssh/sshd_config
cp contrib/redhat/sshd.pam /etc/pam.d/
sed ‘[email protected]/[email protected]/[email protected]‘ /etc/pam.d/login > /etc/pam.d/sshd && chmod 644 /etc/pam.d/sshd && echo "UsePAM yes" >> /etc/ssh/sshd_config
cp contrib/redhat/sshd.init /etc/init.d/sshd
chmod +x /etc/init.d/sshd
chkconfig --add sshd
chkconfig sshd on
/etc/init.d/sshd start
查看版本
ssh -V
OpenSSH_7.6p1, OpenSSL 1.0.2n 7 Dec 2017
原文地址:http://blog.51cto.com/fsckyl/2287811
时间: 2024-11-01 09:36:22