Linux升级openssh及问题总结
版权声明:本文为博主原创文章,未经博主允许不得转载。 blog.csdn/lk_db/article/details/50964912
因第三方监控软件扫描Linux ssh存在漏洞,此次需将openssh升级至OpenSSH_7.1p2
系统版本:
[root@db ~]# uname -a
Linux db 2.6.32-431.el6.x86_64 #1 SMP Sun Nov 10 22:19:54 EST 2013 x86_64 x86_64 x86_64 GNU/Linux
[root@db ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.5 (Santiago)
升级步骤:
1、验证现有版本
4、安装openssh
[root@db openssl-1.1.0-pre3]# cd ../openssh-7.1p2/
[root@db openssh-7.1p2]# ./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-pam --with-ssl-dir=/usr/local/openssl --with-md5-passwords --mandir=/usr/share/man --with-zlib=/usr/local/zlib
checking gcc
...
configure: error: *** OpenSSL headers missing - please install first or check config.log ***
[root@db openssh-7.1p2]# rpm -qa |grep pam
pam-1.1.1-17.el6.x86_64
pam-devel-1.1.1-17.el6.x86_64
pam_krb5-2.3.11-9.el6.x86_64
pam_passwdqc-1.0.5-6.el6.x86_64
pam-devel-1.1.1-17.el6.i686
fprintd-pam-0.1-21.git04fd09cfa.el6.x86_64
pam-1.1.1-17.el6.i686
gnome-keyring-pam-2.28.2-8.el6_3.x86_64
[root@db openssh-7.1p2]# ./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-pam --with-ssl-dir=/usr/local/openssl --with-md5-passwords --mandir=/usr/share/man --with-zlib=/usr/local/zlib ^C
[root@db openssh-7.1p2]# rpm -ivh /media/rhel/Packages/openssl-1.0.1e-15.el6.x86_64.rpm
<                >>>>>>>>### [100%]
1:openssl                >>>>>>>>### [100%]
[root@db openssh-7.1p2]# rpm -ivh openssl-1.0.1e-15.el6.x86_64.rpm
[root@db openssh-7.1p2]# ./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-pam --with-ssl-dir=/usr/local/openssl --with-md5-passwords --mandir=/usr/share/man --with-zlib=/usr/local/zlib
checking gcc
...
configure: error: *** OpenSSL headers missing - please install first or check config.log ***
[root@db openssh-7.1p2]# openssl version -a
OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Fri Sep 27 10:09:12 EDT 2013
platform: linux-x86_64
options:  bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM
OPENSSLDIR: "/etc/pki/tls"
engines:  rdrand dynamic
[root@db openssh-7.1p2]#
[root@db openssh-7.1p2]# rpm -qa |grep gcc
gcc-4.4.7-4.el6.x86_64
gcc-c++-4.4.7-4.el6.x86_64
libgcc-4.4.7-4.el6.x86_64
libgcc-4.4.7-4.el6.i686
[root@db openssh-7.1p2]# rpm -qa |grep openssl-devel
[root@db openssh-7.1p2]# cd /media/rhel/Packages/
[root@db Packages]# rpm -ivh openssl-devel-1.0.1e-15.el6.x86_64.rpm
error: Failed dependencies:
krb5-devel is needed by openssl-devel-1.0.1e-15.el6.x86_64
zlib-devel is needed by openssl-devel-1.0.1e-15.el6.x86_64
[root@db Packages]# rpm -ivh krb5-devel-1.10.3-10.el6_4.6.x86_64.rpm
error: Failed dependencies:
keyutils-libs-devel is needed by krb5-devel-1.10.3-10.el6_4.6.x86_64
libcom_err-devel is needed by krb5-devel-1.10.3-10.el6_4.6.x86_64
libselinux-devel is needed by krb5-devel-1.10.3-10.el6_4.6.x86_64
[root@db Packages]# rpm -ivh keyutils-libs-devel
error: open of keyutils-libs-devel failed: No such file or directory
[root@db Packages]# rpm -ivh keyutils-libs-devel-1.4-4.el6.x86_64.rpm
<                >>>>>>>>### [100%]
1:keyutils-libs-devel    >>>>>>>>### [100%]
[root@db Packages]# rpm -ivh libcom_err-devel-1.41.12-18.el6.x86_64.rpm
<                >>>>>>>>### [100%]
1:libcom_err-devel      >>>>>>>>### [100%]
[root@db Packages]# rpm -ivh libselinux-devel-2.0.94-5.3.el6_4.1.x86_64.rpm
error: Failed dependencies:
libsepol-devel >= 2.0.32-1 is needed by libselinux-devel-2.0.94-5.3.el6_4.1.x86_64
pkgconfig(libsepol) is needed by libselinux-devel-2.0.94-5.3.el6_4.1.x86_64
[root@db Packages]# yum install libsepol-devel
[root@db Packages]# cd /home/1/openssh-7.1p2/
[root@db openssh-7.1p2]# ./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-pam --with-ssl-dir=/usr/local/openssl --with-md5-passwords --mandir=/usr/share/man --with-zlib=/usr/local/zlib
[root@db openssh-7.1p2]# make && make install
5、设置ssh服务
[root@db openssh-7.1p2]# cp -p contrib/redhat/sshd.init /etc/init.d/sshd
[root@db openssh-7.1p2]# chmod u+x /etc/init.d/sshd
[root@db openssh-7.1p2]# chkconfig --add sshd
[root@db 1]# cp /usr/local/openssh/sbin/sshd  /usr/sbin/sshd
[root@db 1]# service sshd start
/etc/init.d/sshd: line 41: /usr/bin/ssh-keygen: No such file or directory
Starting sshd:[  OK  ]
[root@db 1]# find / -name ssh
/etc/ssh
/usr/local/openssh/bin/ssh
/home/1/openssh-7.1p2/ssh
[root@db 1]# /usr/local/openssh/bin/ssh -V
OpenSSH_7.1p2, OpenSSL 1.0.1e-fips 11 Feb 2013
[root@db 1]# cp /usr/local/openssh/bin/ssh /usr/bin/
6、验证升级后版本及重启测试服务(注意:上面是用文件拷贝直接覆盖了系统 RPM 安装的 /usr/sbin/sshd 和 /usr/bin/ssh,rpm 数据库里仍然记录的是旧版本,后续 yum 更新 openssh 软件包时可能把这些文件再覆盖回去,建议记录此改动或用 yum versionlock 锁定系统自带的 openssh 包)
[root@db 1]# ssh -V
OpenSSH_7.1p2, OpenSSL 1.0.1e-fips 11 Feb 2013
[root@db 1]#
[root@db 1]#
[root@db 1]# service sshd restart
Stopping sshd:[  OK  ]
/etc/init.d/sshd: line 41: /usr/bin/ssh-keygen: No such file or directory
Starting sshd:[  OK  ]
[root@db ~]# cd /usr/local/openssh/bin
[root@db bin]# ls
scp  sftp  slogin  ssh  ssh-add  ssh-agent  ssh-keygen  ssh-keyscan
[root@db bin]# cp ssh-keygen /usr/bin/
[root@db bin]# service sshd restart
Stopping sshd:[  OK  ]
Starting sshd:[  OK  ]
[root@db bin]#
[root@db bin]# ssh -V
OpenSSH_7.1p2, OpenSSL 1.0.1e-fips 11 Feb 2013
7、设置允许root用户远程登录(注意:OpenSSH 7.0 起 PermitRootLogin 的默认值为 prohibit-password,改成 yes 会允许 root 用口令远程登录,扩大了暴露面;建议仅在确有需要时开启,并优先使用密钥认证)
[root@db ~]# cat /etc/ssh/sshd_config
# Authentication:
...
#LoginGraceTime 2m
PermitRootLogin yes
8、SecureCRT不能上传文件的解决办法:
将 /etc/ssh/sshd_config 中的
Subsystem      sftp    /usr/libexec/openssh/sftp-server
改为
Subsystem      sftp    internal-sftp
重启sshd后,sftp正常工作了。(原因:/usr/libexec/openssh/sftp-server 是系统自带 openssh 软件包的路径,本次编译的版本按 --prefix=/usr/local/openssh 安装,不会放到该路径下;internal-sftp 是 sshd 内置的 sftp 实现,不依赖外部程序,所以改用它即可。)
9、升级后的问题
使用SecureCRT ssh协议连接正常,但使用其他工具无法远程连接操作系统:
解决方法:
=================================================================
参考网上解决方法如下:
修改sshd的配置⽂件 /etc/ssh/sshd_config
在配置⽂件中添加:
Ciphers aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc,arcfour128,arcfour256,arcfour,blowfish-cbc,cast128-cbc
MACs hmac-md5,hmac-sha1,umac-64@openssh,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1,
导致此问题的原因是ssh升级后,为了安全,默认不再采用原来一些加密算法,我们手工添加进去即可。(注意:上面列表中的 arcfour、blowfish-cbc、cast128-cbc、hmac-md5、diffie-hellman-group1-sha1 等正是新版本因安全原因默认关闭的弱算法,整体重新开启会把本次升级想要消除的风险带回来,扫描器很可能再次告警;更稳妥的做法是升级无法连接的客户端工具,或只补充客户端确实需要的个别算法。)
(添加三行或者添加最后一行,重启服务都报错如下。从报错看,sshd 只要 KexAlgorithms 列表中有一项不被识别就会拒绝整行:这里的 ecdh-sha2-nistp521 在当前环境不受支持,另外该行末尾多出一个逗号、diffie-hellman-group1-sha1 也出现了两次,这些也可能导致解析失败;去掉不受支持和重复的项后再重启即可)
但重启服务报错如下:
[ ~]# service sshd restart
Stopping sshd:[  OK  ]
Starting sshd:Unsupported KEX algorithm "ecdh-sha2-nistp521"
/etc/ssh/sshd_config line 137: Bad SSH2 KexAlgorithms 'diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1,'. [FAILED]
[ ~]#
=================================================================

