    Upgrading OpenSSL + OpenSSH on CentOS 7 (dependencies installed online via yum)

    Check the current versions

    OpenSSH
    [root@localhost ~]# ssh -V
    OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017

    OpenSSL
    [root@localhost ~]# openssl version
    OpenSSL 1.0.2k-fips  26 Jan 2017

    Install Telnet so you can still log in if ssh stops working (yum install && configuration)

    Install telnet-server
    [root@localhost ~]# yum -y install telnet-server

    Installed:
      telnet-server.x86_64 1:0.17-66.el7
    Complete!

    Start the telnet service
    [root@localhost ~]# systemctl start telnet.socket

    Configure SELinux && firewalld
    • firewalld
    # Open port 23
    [root@localhost ~]# firewall-cmd --permanent --add-port=23/tcp --zone=public

    # Reload the firewalld policy
    [root@localhost ~]# firewall-cmd --reload

    • selinux
    [root@localhost ~]# setenforce 0

    • Disable securetty
    # By default Linux does not allow root to log in over telnet; move the securetty file out of the way
    [root@localhost ~]# mv /etc/securetty{,.bak}

    Test the Telnet login
    [C:\~]$ telnet 192.168.68.129

    Connecting to 192.168.68.129:23...
    Connection established.
    To escape to local shell, press 'Ctrl+Alt+]'.

    Kernel 3.10.0-1127.el7.x86_64 on an x86_64
    localhost login: root
    Password: 
    Last login: Wed Nov  2 19:48:24 from 192.168.68.1

    Upgrade OpenSSL

    Remove the old packages
    [root@localhost ~]# rpm -e openssh --nodeps && rpm -e openssh-clients --nodeps && rpm -e openssh-server --nodeps

    Install the build dependencies
    [root@localhost ~]# yum install -y pam* zlib*

    Installed:
      pam-devel.x86_64 0:1.1.8-23.el7                     pam_krb5.x86_64 0:2.4.8-6.el7
      pam_pkcs11.x86_64 0:0.6.2-30.el7                    pam_snapper.x86_64 0:0.2.8-4.el7
      pam_ssh_agent_auth.x86_64 0:0.10.3-2.22.el7_9       zlib-devel.x86_64 0:1.2.7-20.el7_9
      zlib-static.x86_64 0:1.2.7-20.el7_9

    Dependency Installed:
      boost-serialization.x86_64 0:1.53.0-28.el7        pcsc-lite-libs.x86_64 0:1.8.8-8.el7
      snapper.x86_64 0:0.2.8-4.el7                      snapper-libs.x86_64 0:0.2.8-4.el7

    Updated:
      zlib.x86_64 0:1.2.7-20.el7_9

    Complete!

    Back up the ssh directory
    [root@localhost ~]# mv /etc/ssh /etc/ssh_bak

    Download the new OpenSSL source archive
    # Official site -- https://www.openssl.org -- (download whichever version you need)
    # --no-check-certificate skips TLS verification of the download, so compare the archive
    # against the checksum or signature published next to it on the site before unpacking
    [root@localhost ~]# wget https://www.openssl.org/source/openssl-1.1.1s.tar.gz --no-check-certificate

    Build && install OpenSSL
    • Unpack the archive
    [root@localhost ~]# tar zxf openssl-1.1.1s.tar.gz

    • Configure
    # Enter the source directory
    [root@localhost ~]# cd openssl-1.1.1s

    # Configure
    [root@localhost openssl-1.1.1s]# ./config --prefix=/usr/ --openssldir=/usr/ shared
    Operating system: x86_64-whatever-linux2
    Configuring OpenSSL version 1.1.1s (0x1010113fL) for linux-x86_64
    Using os-specific seed configuration
    Creating configdata.pm
    Creating Makefile

    **********************************************************************
    ***                                                                ***
    ***   OpenSSL has been successfully configured                     ***
    ***                                                                ***
    ***   If you encounter a problem while building, please open an    ***
    ***   issue on GitHub <https://github.com/openssl/openssl/issues>  ***
    ***   and include the output from the following command:           ***
    ***                                                                ***
    ***       perl configdata.pm --dump                                ***
    ***                                                                ***
    ***   (If you are new to OpenSSL, you might want to consult the    ***
    ***   'Troubleshooting' section in the INSTALL file first)         ***
    ***                                                                ***
    **********************************************************************

    • Build && install
    [root@localhost openssl-1.1.1s]# make && make install

    Verify the result
    [root@localhost ~]# openssl version
    OpenSSL 1.1.1s  1 Nov 2022

    Upgrade OpenSSH

    Download the new OpenSSH source archive
    # https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable (download whichever version you need)
    [root@localhost ~]# wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.1p1.tar.gz --no-check-certificate

    Unpack the archive
    [root@localhost ~]# tar zxf openssh-9.1p1.tar.gz

    Build && install OpenSSH
    • Enter the source directory
    [root@localhost ~]# cd openssh-9.1p1

    • Configure
    # --with-ssl-dir points at the OpenSSL installed above (its --prefix was /usr/)
    [root@localhost openssh-9.1p1]# ./configure --with-zlib --with-ssl-dir=/usr --with-pam --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc/ssh

    • Build && install
    [root@localhost openssh-9.1p1]# make && make install

    /bin/mkdir -p /etc/ssh
    ssh-keygen: generating new host keys: RSA ECDSA ED25519 
    /usr/sbin/sshd -t -f /etc/ssh/sshd_config

    • Install the sshd init script
    [root@localhost openssh-9.1p1]# cp contrib/redhat/sshd.init /etc/init.d/sshd

    Verify the result
    [root@localhost ~]# ssh -V
    OpenSSH_9.1p1, OpenSSL 1.1.1s  1 Nov 2022

    Start && verify the ssh service

    Start the service
    [root@localhost ~]# service sshd start
    Reloading systemd:                                         [  OK  ]
    Starting sshd (via systemctl):                             [  OK  ]

    Enable start at boot
    [root@localhost ~]# chkconfig sshd on
    # or
    [root@localhost ~]# chkconfig --add sshd

    Verify that sshd starts at boot
    [root@localhost ~]# chkconfig --list sshd

    Note: This output shows SysV services only and does not include native
          systemd services. SysV configuration data might be overridden by native
          systemd configuration.

          If you want to list systemd services use 'systemctl list-unit-files'.
          To see services enabled on particular target use
          'systemctl list-dependencies [target]'.

    sshd           	0:off	1:off	2:on	3:on	4:on	5:on	6:off

    Allow root to log in over ssh
    • Edit the sshd_config file
    [root@localhost ~]# grep -E "^PermitRootLogin|^PubkeyAuthentication|^PasswordAuthentication" /etc/ssh/sshd_config 
    PermitRootLogin yes
    PubkeyAuthentication yes
    PasswordAuthentication yes

    • Restart sshd
    [root@localhost ~]# systemctl restart sshd
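A check added here as an example (not the original post's code) for the three directives above. sshd uses the first occurrence of a keyword, compares keywords case-insensitively, and treats everything after the first Match line as conditional, so a plain grep ^PermitRootLogin can show a value that is not the one in effect. The sshd_config it reads is a constructed sample written to a temp file.

```shell
# Constructed sample sshd_config (not the page's file): comments, a mixed-case
# keyword, a duplicate directive and a Match block, the cases a plain
# "grep ^PermitRootLogin" does not handle.
write_sample_config() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
# comment lines and blank lines are ignored
#PermitRootLogin prohibit-password
permitrootlogin yes
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication yes
Match Address 10.0.0.0/8
    PasswordAuthentication no
EOF
    printf '%s\n' "$f"
}

# Print the value sshd will actually use for a keyword: keywords are
# case-insensitive, the FIRST occurrence wins, and lines after the first
# Match block only apply to matching connections, so they are ignored here.
# Prints nothing when the keyword is not set (sshd then uses its default).
sshd_effective() {
    key=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        { k = tolower($1) }
        k == "match" { exit }
        k == key { print $2; exit }
    ' "$2"
}

# Summarise the three login directives the page greps for on one line.
login_policy() {
    f=$1
    printf 'PermitRootLogin=%s PubkeyAuthentication=%s PasswordAuthentication=%s\n' \
        "$(sshd_effective PermitRootLogin "$f")" \
        "$(sshd_effective PubkeyAuthentication "$f")" \
        "$(sshd_effective PasswordAuthentication "$f")"
}

cfg=$(write_sample_config)
login_policy "$cfg"
rm -f "$cfg"
```

Run it against the real file with login_policy /etc/ssh/sshd_config before the restart; sshd -t is still the final word on whether the file parses.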

    Problems encountered

    ssh login fails because SELinux was not disabled
    • messages log
    Nov  2 23:22:45 localhost sshd[1895]: error: Could not get shadow information for root
    Nov  2 23:22:45 localhost sshd[1895]: Failed password for root from 192.168.68.1 port 53566 ssh2
    Nov  2 23:22:46 localhost sshd[1895]: error: Received disconnect from 192.168.68.1 port 53566:0:  [preauth]
    Nov  2 23:22:46 localhost sshd[1895]: Disconnected from authenticating user root 192.168.68.1 port 53566 [preauth]

    • Fix
    # Disable SELinux (setenforce 0 only lasts until the next reboot; the persistent setting is SELINUX= in /etc/selinux/config)
    [root@localhost ~]# setenforce 0
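Added here as an example, not from the original post: a small triage function that pairs the "Could not get shadow information" error with the Failed password line from the same sshd pid, so that this SELinux symptom can be told apart from an ordinary wrong password in /var/log/messages. The log excerpt is constructed (it extends the four lines above with a normal failure and a success).

```shell
# Constructed /var/log/messages excerpt (not the page's log): one attempt that
# hit the SELinux symptom, one ordinary bad password, one successful login.
write_sample_log() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
Nov  2 23:22:45 localhost sshd[1895]: error: Could not get shadow information for root
Nov  2 23:22:45 localhost sshd[1895]: Failed password for root from 192.168.68.1 port 53566 ssh2
Nov  2 23:22:46 localhost sshd[1895]: Disconnected from authenticating user root 192.168.68.1 port 53566 [preauth]
Nov  2 23:25:10 localhost sshd[1950]: Failed password for root from 192.168.68.50 port 40112 ssh2
Nov  2 23:26:02 localhost sshd[1962]: Accepted password for root from 192.168.68.1 port 53600 ssh2
EOF
    printf '%s\n' "$f"
}

# Pair each "Could not get shadow information" error with the "Failed password"
# line logged by the same sshd pid. That pair means sshd never got to read
# /etc/shadow, so the failure is the freshly built sshd being denied by policy,
# not a wrong password. Output: "pid user source-ip", one line per attempt.
# Field 5 of a syslog line is "sshd[PID]:"; the source ip follows "from".
shadow_denied_logins() {
    awk '
        /sshd\[[0-9]+\]: error: Could not get shadow information for/ {
            pid = $5; sub(/^sshd\[/, "", pid); sub(/\]:$/, "", pid)
            denied[pid] = $NF
        }
        /sshd\[[0-9]+\]: Failed password for/ {
            pid = $5; sub(/^sshd\[/, "", pid); sub(/\]:$/, "", pid)
            if (pid in denied) {
                for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
                print pid, denied[pid], ip
                delete denied[pid]
            }
        }
    ' "$1"
}

log=$(write_sample_log)
shadow_denied_logins "$log"
rm -f "$log"
```

On the real host, shadow_denied_logins /var/log/messages should print nothing once the fix is in place and a login is retried.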

  • Original article: https://blog.csdn.net/u010766726/article/details/127652511