1. 由于openssh爆出一個特殊漏洞,涉及到8.3p1及以下版本,部落格特意編譯了一個8.4p1版本進行分享
檢查環境:
[root@test]# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017 2.為保證順利更新:
注意:如果機器做過安全基線整改,建議先自行備份/etc/pam.d/sshd檔案,更新後,此檔案會被覆寫,如果未修改過,按照文章後續的進行覆寫即可。亦請務必确定系統版本為:CentOS7。
請确定openssh版本為7.x,openssl版本為 OpenSSL 1.0.2k及以上。(正常來說,系統都為以上版本。)
下載下傳:
wget https://cikeblog.com/s/openssh8.4.zip
unzip openssh8.4.zip 3.安裝方法一:
rpm -Uvh *.rpm
安裝後會如下提示:
[root@test ~]# rpm -Uvh *.rpm
Preparing... ################################# [100%]
Updating / installing...
1:openssh-8.1p1-1.el7 ################################# [ 14%]
2:openssh-clients-8.1p1-1.el7 ################################# [ 29%]
3:openssh-server-8.1p1-1.el7 ################################# [ 43%]
4:openssh-debuginfo-8.1p1-1.el7 ################################# [ 57%]
Cleaning up / removing...
5:openssh-server-7.4p1-16.el7 ################################# [ 71%]
6:openssh-clients-7.4p1-16.el7 ################################# [ 86%]
7:openssh-7.4p1-16.el7 ################################# [100%]
[root@test ~]# ssh -V
OpenSSH_8.1p1, OpenSSL 1.0.2k-fips 26 Jan 2017
[root@768 ~]# # 更新
rpm -Uvh *.rpm
如果有依賴報錯可以使用 rpm -Uvh *.rpm --nodeps --force
# 修改權限
cd /etc/ssh/
chmod 400 ssh_host_ecdsa_key ssh_host_ed25519_key ssh_host_rsa_key
# 允許 root登入
echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
# 不修改這個檔案,會出現密碼是對的,卻無法登陸。
cat <<EOF>/etc/pam.d/sshd
#%PAM-1.0
auth required pam_sepermit.so
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
## pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
## pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth
EOF
# 重新開機服務
systemctl restart sshd 參考部落格:https://cikeblog.com/
4.安裝方法二(此方法會自動處理依懶關系):
yum install ./*.rpm
部分機器使用方法二安裝會提示依賴問題,可以使用以下方法:
yum update *.rpm
至此,更新完成,如果之前更新過的,下面的就不用看了,直接新開SSH終端連接配接即可。
因為OPENSSH更新後,/etc/ssh/sshd_config會還原至預設狀态,我們需要進行相應配置:
cd /etc/ssh/
chmod 400 ssh_host_ecdsa_key ssh_host_ed25519_key ssh_host_rsa_key
echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
echo "PasswordAuthentication yes" >> /etc/ssh/sshd_config
systemctl restart sshd 注意:更新後重新開機SSH可能出現以下錯誤:
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Unable to load host key "/etc/ssh/ssh_host_ed25519_key": bad permissions
Unable to load host key: /etc/ssh/ssh_host_ed25519_key
sshd: no hostkeys available -- exiting.
[FAILED]
sshd.service: control process exited, code=exited status=1
Failed to start SYSV: OpenSSH server daemon.
Unit sshd.service entered failed state.
sshd.service failed. 解決辦法:
chmod 0600 /etc/ssh/ssh_host_ed25519_key
service sshd restart 即可解決。
5.注意,/etc/pam.d/sshd檔案會被覆寫,我們進行還原:
先清空:
>/etc/pam.d/sshd
再還原:
echo '#%PAM-1.0
auth required pam_sepermit.so
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth'>/etc/pam.d/sshd
至此,更新完成,先别關閉終端,直接新開一個終端,連接配接到伺服器測試。 注意:如果新開終端連接配接的時,root密碼報錯,并且已經根據上面後續操作,那可能就是SElinux的問題,我們進行臨時禁用:
setenforce 0
即可正常登入,然後修改/etc/selinux/config 檔案:
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
進行永久禁用SElinux即可。
注意:
如果Centos7預設openssl版本不為OpenSSL 1.0.2k,就需要先進行更新:
yum install openssl -y
然後回到第一步進行安裝即可。 一、Openssh更新後導緻無法ssh遠端連接配接 解決方案
1.檢視sshd服務的狀态,必須為開啟狀态。
2.檢視selinux的狀态,在/etc/sysconfig/selinux檔案中更改selinux的狀态為disabled關閉狀态。
3.檢視防火牆的狀态,必須為關閉狀态。
![linux-svn解除安裝與安裝[圖]](data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=)