Upgrading OpenSSH on CentOS 7

A security scan reported that the OpenSSH version on the server was below 7.7 and had a known vulnerability, so it needed to be upgraded; here is how I went about it.

1. Install dependencies

yum install -y pam pam-devel zlib zlib-devel gcc make

2. Back up the configuration file

cp /etc/ssh/sshd_config /root/sshd_config.bak

3. Remove the old openssl and openssh packages. [Note] After openssl is removed, sudo stops working, so log in as root first.

# matches every openssl* and openssh* package, including openssl-libs and openssh-server
rpm -e --nodeps $(rpm -qa | grep openss)

4. Download the new openssl and openssh
Download a 1.0.x release of openssl
Download the latest release of openssh

5. Install openssl

unzip openssl_XXXX.zip
cd openssl_XXXX
./config --prefix=/usr --shared && make && make install
# existing binaries (yum among them) are linked against the .so.10 names removed in step 3
ln -s /usr/lib64/libcrypto.so.1.0.0 /usr/lib64/libcrypto.so.10
ln -s /usr/lib64/libssl.so.1.0.0 /usr/lib64/libssl.so.10
# a recursive 644 would strip the execute bit from directories and make /usr/ssl
# untraversable for non-root users; apply 755 to directories and 644 to files instead
find /usr/ssl -type d -exec chmod 755 {} +
find /usr/ssl -type f -exec chmod 644 {} +

6. Upgrade openssh

cp -R /etc/ssh/ /root/ssh-bak
tar -zxvf openssh_XXX.tar.gz
cd openssh_XXX
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-md5-passwords
make && make install
cp /root/sshd_config.bak /etc/ssh/sshd_config
cp contrib/redhat/sshd.init /etc/init.d/sshd
chkconfig sshd on
chmod 600 /etc/ssh/ssh_host_rsa_key
chmod 600 /etc/ssh/ssh_host_ecdsa_key
chmod 600 /etc/ssh/ssh_host_ed25519_key

7. Write the following into /etc/pam.d/sshd

auth required pam_sepermit.so
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth

8. Restart the sshd service

systemctl restart sshd
