CentOS 7 升级OpenSSH

发表于 | 分类于

0 背景

智慧办给我们发了个漏扫报告,提及了OpenSSH的漏洞。CentOS 7.x 的yum仓库中OpenSSH最高版本是7.4,需要升级版本修补漏洞。

1 准备工作 - 安装telnet

1
2
3
4
5
6
7
yum install telnet-server -y
mv /etc/securetty /etc/securetty.bak
systemctl enable telnet.socket
systemctl restart telnet.socket
firewall-cmd --add-port=23/tcp --permanent
firewall-cmd --reload
netstat -ntlp

2 编译打包成rpm

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
#!/bin/bash

OPENSSH_VERSION=8.8p1

yum -y install  vim  wget epel-release
yum -y install  rpm-build  gcc make
yum -y install  openssl  openssl-devel krb5-devel pam-devel libX11-devel xmkmf libXt-devel

cd /root
wget http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${OPENSSH_VERSION}.tar.gz
sha1sum openssh-8.8p1.tar.gz
sha256sum openssh-8.8p1.tar.gz | cut -f1 -d ' ' | xxd -r -p | base64

tar -zxf  openssh-${OPENSSH_VERSION}.tar.gz
mkdir -p /root/rpmbuild/{SOURCES,SPECS}

cp ./openssh-${OPENSSH_VERSION}/contrib/redhat/openssh.spec /root/rpmbuild/SPECS/
cp openssh-${OPENSSH_VERSION}.tar.gz /root/rpmbuild/SOURCES/

cd /root/rpmbuild/SPECS/
sed -i -e "s/%global no_gnome_askpass 0/%define no_gnome_askpass 1/g" openssh.spec
sed -i -e "s/%global no_x11_askpass 0/%define no_x11_askpass 1/g" openssh.spec
sed -i -e "s/BuildPreReq/BuildRequires/g" openssh.spec
sed -i -e  "s/BuildRequires: openssl-devel < 1.1/#BuildRequires: openssl-devel < 1.1/g" openssh.spec

rpmbuild -bb openssh.spec
ls -l /root/rpmbuild/RPMS/x86_64

3 制作本地仓库安装包

1
2
3
4
5
yum -y install yum-utils createrepo
mkdir /opt/localrepo
repotrack openssl -p /opt/localrepo/
cp /root/rpmbuild/RPMS/x86_64/*.rpm  /opt/localrepo
createrepo -v /opt/localrepo

4 编辑本地yum.repo配置文件

1
2
3
4
5
echo "[localrepo]" > /etc/yum.repos.d/localrepo.repo
echo "name=Local Repository" >> /etc/yum.repos.d/localrepo.repo
echo "baseurl=file:///opt/localrepo" >> /etc/yum.repos.d/localrepo.repo
echo "gpgcheck=0" >> /etc/yum.repos.d/localrepo.repo
echo "enabled=1" >> /etc/yum.repos.d/localrepo.repo

5 升级OpenSSH并配置

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
yum clean all
yum -y install openssl --disablerepo="*" --enablerepo="localrepo"
yum -y install openssh* --disablerepo="*" --enablerepo="localrepo"

chmod 600 /etc/ssh/ssh_host_*_key

# modify /etc/ssh/sshd_config
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

sed -i -e "s/#PasswordAuthentication yes/PasswordAuthentication yes/g" /etc/ssh/sshd_config
sed -i -e "s/#PermitRootLogin prohibit-password/PermitRootLogin yes/g" /etc/ssh/sshd_config
sed -i -e "s/#PermitEmptyPasswords no/PermitEmptyPasswords no/g" /etc/ssh/sshd_config
sed -i -e "s/#UsePAM no/UsePAM yes/g" /etc/ssh/sshd_config

# modify /etc/pam.d/sshd
cp /etc/pam.d/sshd /etc/pam.d/sshd.bak
cat > /etc/pam.d/sshd <<EOF
#%PAM-1.0
auth required pam_sepermit.so
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth

# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so

# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth
EOF

# copy ssh-copy-id
cp /root/openssh-7.9p1/contrib/ssh-copy-id /usr/bin
chmod 755 /usr/bin/ssh-copy-id

systemctl restart sshd
systemctl enable sshd
systemctl status sshd

rpm -qa | grep open
systemctl status  sshd| grep  "Active: active (running)"

if [ $? -eq 0 ]; then
  echo -e "[INFO] OpenSSH upgraded to 8.8p1  successfully"
else
  echo -e "\033[31m[ERROR] OpenSSH upgraded to 8.8p1 faild\033[0m"
fi

6 清理

1
2
3
4
5
6
7
systemctl stop telnet.socket
systemctl disable telnet.socket
yum remove telnet-server -y
mv /etc/securetty.bak /etc/securetty
firewall-cmd --remove-port=23/tcp --permanent
firewall-cmd --reload
netstat -ntlp