本文主要是介绍离线方式升级openssh,希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!
参考原文 https://blog.51cto.com/techsnail/2138927
老centOS服务器上的openssh7.4被网安扫描发现多个高危漏洞,要求必须升级。服务器不允许联网,所以不能通过yum安装依赖,而且升级openssl会影响到其他服务,需要单独编译一个openssl给openssh使用。最后再替换旧版本openssh服务。
写下自己的升级过程。如果你们要参照我的升级步骤,请注意自己的防火墙设置。
本文可能对您有用的部分:1.离线安装依赖 2.编译安装openssh和openssl 3.安全的升级过程
实际上ssh连接全程都不会断开,但是为了保险起见还是安装一个telnet 。
#离线安装方式
#如果还缺少依赖,可以用联网的机器下载 yum install --downloadonly --downloaddir=/ [软件名]
#上传以下安装包和依赖
openssh-8.0p1.tar.gz
openssl-1.1.1d.tar.gz
pam-devel-1.1.8-22.el7.x86_64.rpm
tcp_wrappers-devel-7.6-77.el7.x86_64.rpm
telnet-server-0.17-64.el7.x86_64.rpm
zlib-devel-1.2.7-18.el7.x86_64.rpm
openssl-fips-2.0.16.tar.gz
glibc-headers-2.17-292.el7.x86_64.rpm
glibc-devel-2.17-292.el7.x86_64.rpm
cpp-4.8.5-39.el7.x86_64.rpm
kernel-headers-3.10.0-1062.1.2.el7.x86_64.rpm
gcc-4.8.5-39.el7.x86_64.rpm#关selinux,安装依赖
nano /etc/sysconfig/selinux
setenforce 0
getenforce
rpm -ivh cpp-4.8.5-39.el7.x86_64.rpm \kernel-headers-3.10.0-1062.1.2.el7.x86_64.rpm \gcc-4.8.5-39.el7.x86_64.rpm \glibc-devel-2.17-292.el7.x86_64.rpm \glibc-headers-2.17-292.el7.x86_64.rpm
rpm -ivh zlib-devel-1.2.7-18.el7.x86_64.rpm \pam-devel-1.1.8-22.el7.x86_64.rpm \tcp_wrappers-devel-7.6-77.el7.x86_64.rpm#安装配置telnet防止ssh不能连接以后尴尬gg。telnet不允许root登录,所以新增用户
useradd cc
passwd cc
rpm -ivh telnet-server-0.17-64.el7.x86_64.rpm
firewall-cmd --zone=work --add-port=23/tcp --permanent
firewall-cmd --reload
systemctl start telnet.socket
nano /etc/profile #把telnet启动命令写进开机运行脚本
#检查telnet是否能登录
'''
#安装fips(编译openssl时错误. 不安装也还没发现问题)
export FIPSDIR=/opt/fips-2.0.16
tar -zvxf openssl-fips-2.0.16.tar.gz
cd openssl-fips-2.0.16/
./config
make
make install'''
#安装openssl(带fips时编译错误)
tar zvxf openssl-1.1.1d.tar.gz
cd openssl-1.1.1d/
#./config --prefix=/opt/openssl1.1.l_20191021 --with-ssl-dir==/opt/openssl1.1.l_20191021/openssl fips --with-fipsdir=/opt/fips-2.0.16 zlib-dynamic shared -fPIC
./config --prefix=/opt/openssl1.1.l_20191021 --openssldir==/opt/openssl1.1.l_20191021/opensslmake
make install
echo '/opt/openssl1.1.l_20191021/lib' >> /etc/ld.so.conf
ldconfigtar zxvf openssh-8.0p1.tar.gz
cd openssh-8.0p1
./configure \--prefix=/opt/openssh8.0p1_20191021 \--with-md5-passwords \--with-ssl-dir=/opt/openssl1.1.l_20191021 \--with-pam --with-tcp-wrappers
make
make install
echo 'export PATH=/opt/openssh8.0p1_20191021/bin:/opt/openssh8.0p1_20191021/sbin:$PATH' >> /etc/profile.d/path.sh
chmod +x /etc/profile.d/path.sh
/etc/profile.d/path.sh
echo 'export PATH=/opt/openssh8.0p1_20191021/bin:/opt/openssh8.0p1_20191021/sbin:$PATH' >> /etc/profile
export PATH=/opt/openssh8.0p1_20191021/bin:/opt/openssh8.0p1_20191021/sbin:$PATH
ssh -V#配置openssh
rpm -ql openssh-server | grep -i --color etc
cp /opt/openssh8.0p1_20191021/etc/sshd_config /opt/openssh8.0p1_20191021/etc/sshd_configBAK
#配置openssh服务。开启密码认证和管理员身份登录。UsePAM一定要启用,OpenSSH的安装说明里有提到,如果编译时启用了PAM支持,那么就必须在sshd_config文件中启用它
nano /opt/openssh8.0p1_20191021/etc/sshd_config
cp -a /etc/sysconfig/sshd /opt/openssh8.0p1_20191021/etc/sshd
#下面备份和修改/usr/lib/systemd/system/下的三个文件 sshd-keygen.service sshd.service sshd@.service
cp /usr/lib/systemd/system/sshd.service /usr/lib/systemd/system/sshdOLD.service
cp /usr/lib/systemd/system/sshd@.service /usr/lib/systemd/system/sshd@serviceBAK.service
cp /usr/lib/systemd/system/sshd-keygen.service /usr/lib/systemd/system/sshd-keygenBAK.service
nano /usr/lib/systemd/system/sshd.service
'''[Unit]
Description=OpenSSH server daemon
Documentation=man:sshd(8) man:sshd_config(5)
After=network.target sshd-keygen.service
Wants=sshd-keygen.service[Service]
Type=notify
#EnvironmentFile=/etc/sysconfig/sshd
EnvironmentFile=/opt/openssh8.0p1_20191021/etc/sshd
#ExecStart=/usr/sbin/sshd -D $OPTIONS
ExecStart=/opt/openssh8.0p1_20191021/sbin/sshd -D $OPTIONS
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartSec=42s[Install]
WantedBy=multi-user.target'''nano /usr/lib/systemd/system/sshd@.service
'''[Unit]
Description=OpenSSH per-connection server daemon
Documentation=man:sshd(8) man:sshd_config(5)
Wants=sshd-keygen.service
After=sshd-keygen.service[Service]
#EnvironmentFile=-/etc/sysconfig/sshd
EnvironmentFile=-/opt/openssh8.0p1_20191021/etc/sshd
#ExecStart=-/usr/sbin/sshd -i $OPTIONS
ExecStart=-/opt/openssh8.0p1_20191021/sbin/sshd -i $OPTIONS
StandardInput=socket'''nano /usr/lib/systemd/system/sshd-keygen.service
'''
[Unit]
Description=OpenSSH Server Key Generation
ConditionFileNotEmpty=|!/opt/openssh8.0p1_20191021/etc/ssh/ssh_host_rsa_key
ConditionFileNotEmpty=|!/opt/openssh8.0p1_20191021/etc/ssh/ssh_host_ecdsa_key
ConditionFileNotEmpty=|!/opt/openssh8.0p1_20191021/etc/ssh/ssh_host_ed25519_key
PartOf=sshd.service sshd.socket[Service]
ExecStart=/opt/openssh8.0p1_20191021/bin/ssh-keygen #/usr/sbin/sshd-keygen 原来是这样
Type=oneshot
RemainAfterExit=yes'''systemctl daemon-reload
#重启计算机才能完全生效
reboot
#防火墙work区的计算机可以访问22端口
这篇关于离线方式升级openssh的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!