近日,漏洞肆虐,需要升级新版本,才能解决漏洞。故有此文:
[root@host-testsvc openssh-9.0p1]# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
[root@host-testsvc data]# mkdir openssh
[root@host-testsvc data]# yum install -y wget gcc pam-devel libselinux-devel zlib-devel openssl-devel
如果服务器无法联网,可以在本地安装依赖:
在国内阿里镜像中找到对应的 rpm 包,下载后上传到服务器即可:阿里镜像 https://developer.aliyun.com/packageSearch
[root@host-testsvc openssh]# rpm -qa pam-1.1.8-23.el7.x86_64
[root@host-testsvc openssh]# rpm -qa pam-devel
[root@host-testsvc openssh]# ls
pam-1.1.8-23.el7.x86_64.rpm pam-devel-1.1.8-23.el7.x86_64.rpm
[root@host-testsvc openssh]# rpm -ivh pam-1.1.8-23.el7.x86_64.rpm
准备中... ################################# [100%]
软件包 pam-1.1.8-23.el7.x86_64 已经安装
[root@host-testsvc openssh]# rpm -ivh pam-devel-1.1.8-23.el7.x86_64.rpm
准备中... ################################# [100%]
正在升级/安装...
1:pam-devel-1.1.8-23.el7 ################################# [100%]
[root@host-testsvc openssh]# rpm -qa pam-devel
pam-devel-1.1.8-23.el7.x86_64
[root@host-testsvc openssh]# rpm -qa pam
pam-1.1.8-23.el7.x86_64
最后再检查一下依赖:
rpm -qa wget gcc pam-devel libselinux-devel zlib-devel openssl-devel
[root@host-testsvc openssh]# rpm -qa wget gcc pam-devel libselinux-devel zlib-devel openssl-devel
libselinux-devel-2.5-15.el7.x86_64
openssl-devel-1.0.2k-25.el7_9.x86_64
wget-1.14-18.el7_6.1.x86_64
pam-devel-1.1.8-23.el7.x86_64
zlib-devel-1.2.7-20.el7_9.x86_64
gcc-4.8.5-44.el7.x86_64
下载 openssh 源码包(阿里云镜像):https://mirrors.aliyun.com/pub/OpenBSD/OpenSSH/portable/
如果上面的链接失效,可以到这里找(搜索 openssh-9.0p1 即可):https://mirrors.aliyun.com/openssh/portable
[root@host-testsvc data]# wget https://mirrors.aliyun.com/pub/OpenBSD/OpenSSH/portable/openssh-9.0p1.tar.gz
[root@host-testsvc openssh]# ls
openssh-9.0p1.tar.gz
[root@host-testsvc openssh]# tar -zxvf openssh-9.0p1.tar.gz
openssh-9.0p1
openssh-9.0p1/.depend
openssh-9.0p1/.github
openssh-9.0p1/.github/ci-status.md
openssh-9.0p1/.github/configs
openssh-9.0p1/.github/configure.sh
openssh-9.0p1/.github/run_test.sh
openssh-9.0p1/.github/setup_ci.sh
openssh-9.0p1/.github/workflows
openssh-9.0p1/.github/workflows/c-cpp.yml
openssh-9.0p1/.github/workflows/selfhosted.yml
openssh-9.0p1/.github/workflows/upstream.yml
openssh-9.0p1/.gitignore
……中间省略一堆
openssh-9.0p1/ChangeLog
openssh-9.0p1/moduli.0
openssh-9.0p1/scp.0
openssh-9.0p1/ssh-add.0
openssh-9.0p1/ssh-agent.0
openssh-9.0p1/ssh-keygen.0
openssh-9.0p1/ssh-keyscan.0
openssh-9.0p1/ssh.0
openssh-9.0p1/sshd.0
openssh-9.0p1/sftp-server.0
openssh-9.0p1/sftp.0
openssh-9.0p1/ssh-keysign.0
openssh-9.0p1/ssh-pkcs11-helper.0
openssh-9.0p1/ssh-sk-helper.0
openssh-9.0p1/sshd_config.0
openssh-9.0p1/ssh_config.0
openssh-9.0p1/aclocal.m4
openssh-9.0p1/configure
openssh-9.0p1/config.h.in
[root@host-testsvc openssh]# cp /etc/ssh/sshd_config sshd_config.backup
[root@host-testsvc openssh]# cp /etc/pam.d/sshd sshd.backup
[root@host-testsvc openssh]# ls
openssh-9.0p1 openssh-9.0p1.tar.gz pam-1.1.8-23.el7.x86_64.rpm pam-devel-1.1.8-23.el7.x86_64.rpm sshd.backup sshd_config.backup
[root@host-testsvc openssh]# rpm -e --nodeps `rpm -qa | grep openssh`
警告:/etc/ssh/sshd_config 已另存为 /etc/ssh/sshd_config.rpmsave
[root@host-testsvc openssh]# rpm -qa openssh
[root@host-testsvc openssh]#
配置命令如下。注意:--with-md5-passwords 和 --with-tcp-wrappers 这两个选项 configure 并不识别(见下面的 WARNING,可直接去掉);--without-hardening 会关闭编译工具链的加固选项,生产环境建议不要加这个参数:
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-zlib --with-tcp-wrappers --with-ssl-dir=/usr/local/ssl --without-hardening
[root@host-testsvc openssh]# cd openssh-9.0p1/
[root@host-testsvc openssh-9.0p1]# ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-zlib --with-tcp-wrappers --with-ssl-dir=/usr/local/ssl --without-hardening
configure: WARNING: unrecognized options: --with-md5-passwords, --with-tcp-wrappers
checking for cc... cc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether cc accepts -g... yes
checking for cc option to accept ISO C89... none needed
checking if cc supports C99-style variadic macros... yes
checking build system type... x86_64-pc-linux-gnu
checking host system type... x86_64-pc-linux-gnu
checking how to run the C preprocessor... cc -E
checking for grep that handles long lines and -e... /usr/bin/grep
checking for egrep... /usr/bin/grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking whether byte ordering is bigendian... no
checking for gawk... gawk
checking how to run the C preprocessor... cc -E
checking for ranlib... ranlib
checking for a BSD-compatible install... /usr/bin/install -c
checking for egrep... (cached) /usr/bin/grep -E
checking for a thread-safe mkdir -p... /usr/bin/mkdir -p
checking for ar... ar
checking for cat... /usr/bin/cat
checking for kill... /usr/bin/kill
checking for sed... /usr/bin/sed
checking for bash... /usr/bin/bash
checking for ksh... (cached) /usr/bin/bash
checking for sh... (cached) /usr/bin/bash
checking for bash... /usr/bin/bash
checking for ksh... (cached) /usr/bin/bash
checking for sh... (cached) /usr/bin/bash
checking for groff... /usr/bin/groff
checking for nroff... /usr/bin/nroff
checking for mandoc... no
checking for groupadd... /usr/sbin/groupadd
checking for useradd... /usr/sbin/useradd
checking for pkgmk... no
checking for special C compiler options needed for large files... no
checking for _FILE_OFFSET_BITS value needed for large files... no
checking for passwd... /usr/bin/passwd
checking for inline... inline
checking whether LLONG_MAX is declared... yes
checking whether LONG_LONG_MAX is declared... no
checking whether SYSTR_POLICY_KILL is declared... no
checking whether RLIMIT_NPROC is declared... yes
checking whether PR_SET_NO_NEW_PRIVS is declared... yes
checking whether OpenSSL will be used for cryptography... yes
checking if cc supports -Werror... yes
checking if cc supports compile flag -pipe... yes
checking if cc supports compile flag -Wunknown-warning-option... no
checking if cc supports compile flag -Wno-error=format-truncation... no
checking if cc supports compile flag -Qunused-arguments... no
checking if cc supports compile flag -Wall... yes
checking if cc supports compile flag -Wextra... no
checking if cc supports compile flag -Wpointer-arith... yes
checking if cc supports compile flag -Wuninitialized... yes
checking if cc supports compile flag -Wsign-compare... yes
checking if cc supports compile flag -Wformat-security... yes
……中间省略。。。
config.status: creating config.h
configure: WARNING: unrecognized options: --with-md5-passwords, --with-tcp-wrappers
OpenSSH has been configured with the following options:
User binaries: /usr/bin
System binaries: /usr/sbin
Configuration files: /etc/ssh
Askpass program: /usr/libexec/ssh-askpass
Manual pages: /usr/share/man/manX
PID file: /var/run
Privilege separation chroot path: /var/empty
sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin
Manpage format: doc
PAM support: yes
OSF SIA support: no
KerberosV support: no
SELinux support: no
libedit support: no
libldns support: no
Solaris process contract support: no
Solaris project support: no
Solaris privilege support: no
IP address in $DISPLAY hack: no
Translate v4 in v6 hack: yes
BSD Auth support: no
Random number source: OpenSSL internal ONLY
Privsep sandbox style: seccomp_filter
PKCS#11 support: yes
U2F/FIDO support: yes
Host: x86_64-pc-linux-gnu
Compiler: cc
Compiler flags: -g -O2 -pipe -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -fno-builtin-memset -fstack-protector-strong
Preprocessor flags: -I/usr/local/ssl -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE
Linker flags: -L/usr/local/ssl -fstack-protector-strong
Libraries: -lcrypto -ldl -lutil -lz -lcrypt -lresolv
+for sshd: -lpam
PAM is enabled. You may need to install a PAM control file
for sshd, otherwise password authentication may fail.
Example PAM control files can be found in the contrib/
subdirectory
[root@host-testsvc openssh-9.0p1]# make && make install
conffile=`echo sshd_config.out | sed 's/.out$//'`; \
/usr/bin/sed -e 's|/etc/ssh/ssh_config|/etc/ssh/ssh_config|g' -e 's|/etc/ssh/ssh_known_hosts|/etc/ssh/ssh_known_hosts|g' -e 's|/etc/ssh/sshd_config|/etc/ssh/sshd_config|g' -e 's|/usr/libexec|/usr/libexec|g' -e 's|/etc/shosts.equiv|/etc/ssh/shosts.equiv|g' -e 's|/etc/ssh/ssh_host_key|/etc/ssh/ssh_host_key|g' -e 's|/etc/ssh/ssh_host_ecdsa_key|/etc/ssh/ssh_host_ecdsa_key|g' -e 's|/etc/ssh/ssh_host_dsa_key|/etc/ssh/ssh_host_dsa_key|g' -e 's|/etc/ssh/ssh_host_rsa_key|/etc/ssh/ssh_host_rsa_key|g' -e 's|/etc/ssh/ssh_host_ed25519_key|/etc/ssh/ssh_host_ed25519_key|g' -e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e 's|/etc/moduli|/etc/ssh/moduli|g' -e 's|/etc/ssh/moduli|/etc/ssh/moduli|g' -e 's|/etc/ssh/sshrc|/etc/ssh/sshrc|g' -e 's|/usr/X11R6/bin/xauth|undefined|g' -e 's|/var/empty|/var/empty|g' -e 's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin|g' ./${conffile} > sshd_config.out
conffile=`echo ssh_config.out | sed 's/.out$//'`; \
/usr/bin/sed -e 's|/etc/ssh/ssh_config|/etc/ssh/ssh_config|g' -e 's|/etc/ssh/ssh_known_hosts|/etc/ssh/ssh_known_hosts|g' -e 's|/etc/ssh/sshd_config|/etc/ssh/sshd_config|g' -e 's|/usr/libexec|/usr/libexec|g' -e 's|/etc/shosts.equiv|/etc/ssh/shosts.equiv|g' -e 's|/etc/ssh/ssh_host_key|/etc/ssh/ssh_host_key|g' -e 's|/etc/ssh/ssh_host_ecdsa_key|/etc/ssh/ssh_host_ecdsa_key|g' -e 's|/etc/ssh/ssh_host_dsa_key|/etc/ssh/ssh_host_dsa_key|g' -e 's|/etc/ssh/ssh_host_rsa_key|/etc/ssh/ssh_host_rsa_key|g' -e 's|/etc/ssh/ssh_host_ed25519_key|/etc/ssh/ssh_host_ed25519_key|g' -e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e 's|/etc/moduli|/etc/ssh/moduli|g' -e 's|/etc/ssh/moduli|/etc/ssh/moduli|g' -e 's|/etc/ssh/sshrc|/etc/ssh/sshrc|g' -e 's|/usr/X11R6/bin/xauth|undefined|g' -e 's|/var/empty|/var/empty|g' -e 's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin|g' ./${conffile} > ssh_config.out
conffile=`echo moduli.out | sed 's/.out$//'`; \
/usr/bin/sed -e 's|/etc/ssh/ssh_config|/etc/ssh/ssh_config|g' -e 's|/etc/ssh/ssh_known_hosts|/etc/ssh/ssh_known_hosts|g' -e 's|/etc/ssh/sshd_config|/etc/ssh/sshd_config|g' -e 's|/usr/libexec|/usr/libexec|g' -e 's|/etc/shosts.equiv|/etc/ssh/shosts.equiv|g' -e 's|/etc/ssh/ssh_host_key|/etc/ssh/ssh_host_key|g' -e 's|/etc/ssh/ssh_host_ecdsa_key|/etc/ssh/ssh_host_ecdsa_key|g' -e 's|/etc/ssh/ssh_host_dsa_key|/etc/ssh/ssh_host_dsa_key|g' -e 's|/etc/ssh/ssh_host_rsa_key|/etc/ssh/ssh_host_rsa_key|g' -e 's|/etc/ssh/ssh_host_ed25519_key|/etc/ssh/ssh_host_ed25519_key|g' -e 's|/var/run/sshd.pid|/var/run/sshd.pid|g' -e 's|/etc/moduli|/etc/ssh/moduli|g' -e 's|/etc/ssh/moduli|/etc/ssh/moduli|g' -e 's|/etc/ssh/sshrc|/etc/ssh/sshrc|g' -e 's|/usr/X11R6/bin/xauth|undefined|g' -e 's|/var/empty|/var/empty|g' -e 's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin|g' ./${conffile} > moduli.out
if test "doc" = "cat"; then \
manpage=./`echo moduli.5.out | sed 's/\.[1-9]\.out$/\.0/'`; \
else \
……省略一堆……
/usr/bin/install -c -m 644 ssh_config.5.out /usr/share/man/man5/ssh_config.5
/usr/bin/install -c -m 644 sshd.8.out /usr/share/man/man8/sshd.8
/usr/bin/install -c -m 644 sftp.1.out /usr/share/man/man1/sftp.1
/usr/bin/install -c -m 644 sftp-server.8.out /usr/share/man/man8/sftp-server.8
/usr/bin/install -c -m 644 ssh-keysign.8.out /usr/share/man/man8/ssh-keysign.8
/usr/bin/install -c -m 644 ssh-pkcs11-helper.8.out /usr/share/man/man8/ssh-pkcs11-helper.8
/usr/bin/install -c -m 644 ssh-sk-helper.8.out /usr/share/man/man8/ssh-sk-helper.8
/usr/bin/mkdir -p /etc/ssh
ssh-keygen: generating new host keys: DSA
/usr/sbin/sshd -t -f /etc/ssh/sshd_config
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_rsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_ecdsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_ed25519_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
sshd: no hostkeys available -- exiting.
make: [check-config] 错误 1 (忽略)
chmod 600 /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_ecdsa_key /etc/ssh/ssh_host_ed25519_key
[root@host-testsvc openssh-9.0p1]# chmod 600 /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_ecdsa_key /etc/ssh/ssh_host_ed25519_key
安装 init 脚本,并将之前备份的配置文件复制回对应路径:
[root@host-testsvc openssh-9.0p1]# cp -a contrib/redhat/sshd.init /etc/init.d/sshd
[root@host-testsvc openssh-9.0p1]# chmod u+x /etc/init.d/sshd
[root@host-testsvc openssh-9.0p1]# mv ../sshd.backup /etc/pam.d/sshd
[root@host-testsvc openssh-9.0p1]# mv ../sshd_config.backup /etc/ssh/sshd_config
mv:是否覆盖"/etc/ssh/sshd_config"? yes
[root@host-testsvc openssh-9.0p1]# chkconfig --add sshd
[root@host-testsvc openssh-9.0p1]# chkconfig sshd on
[root@host-testsvc openssh-9.0p1]# systemctl restart sshd
[root@host-testsvc openssh-9.0p1]# ssh -V
OpenSSH_9.0p1, OpenSSL 1.0.2k-fips 26 Jan 2017
如果升级后 sshd 无法正常启动或连接,可按以下步骤处理:
1、修改 /etc/ssh/sshd_config 配置文件:将 Subsystem sftp /usr/libexec/openssh/sftp-server 这一行注释掉,再添加一行 Subsystem sftp internal-sftp,如下图:
2、重启sshd服务
systemctl restart sshd
3、新开一个窗口重新连接即可(保留当前已登录的会话,确认新连接成功后再关闭)
查看sshd状态:service sshd status
修改 /etc/ssh/sshd_config 配置文件,将 PermitRootLogin yes、PubkeyAuthentication yes、PasswordAuthentication yes
都设置为 yes(sshd_config 里的开关值用 yes/no,不是 true/false),注意别重复设置。PermitRootLogin yes 允许 root 直接用密码登录,生产环境建议改为 prohibit-password 并使用密钥登录。
修改后保存,重启sshd服务: systemctl restart sshd
再次查看状态:service sshd status,Failed 提示信息消失。
再次连接,SUCCESS!