Upgrading OpenSSH on CentOS

On 9 June 2020 researcher Chinmay Pandya discovered a vulnerability in OpenSSH, which was made public on 18 July. scp in OpenSSH 8.3p1 allows command injection in the remote function of scp.c, and an attacker can exploit it to execute arbitrary commands. The vast majority of Linux systems are currently affected. The Sangfor security research team assessed the severity and impact of the vulnerability and issued an advisory.

This article describes how to upgrade OpenSSH.

Building the RPM packages

Install the build dependencies

yum install rpm-build zlib-devel openssl-devel gcc perl-devel pam-devel unzip libXt-devel imake gtk2-devel openssl-libs -y

Create the required directories

mkdir -p /root/rpmbuild/{SOURCES,SPECS}
cd /root/rpmbuild/SOURCES

Download the source tarballs

Download locations:

http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/
https://src.fedoraproject.org/repo/pkgs/openssh/

wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.4p1.tar.gz
wget https://src.fedoraproject.org/repo/pkgs/openssh/x11-ssh-askpass-1.2.4.1.tar.gz/8f2e41f3f7eaa8543a2440454637f3c3/x11-ssh-askpass-1.2.4.1.tar.gz

tar -xvzf openssh-8.4p1.tar.gz
tar -xvzf x11-ssh-askpass-1.2.4.1.tar.gz
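The wget commands above fetch the tarballs without checking what arrived. The following is an added example, not part of the original post: a small shell check that compares a downloaded file's SHA-256 against a known value before it goes into /root/rpmbuild/SOURCES. The expected hash for openssh-8.4p1.tar.gz is deliberately left as a placeholder variable (OPENSSH_8_4P1_SHA256); take the real value from the OpenSSH release announcement or verify the .asc signature the mirror publishes, rather than trusting a checksum served by the same mirror.

```shell
#!/bin/sh
# Added example (not from the original post): verify a downloaded tarball
# against a known checksum before handing it to rpmbuild. The expected
# value for the real tarball is a PLACEHOLDER; obtain it out of band.

# verify_sha256 FILE EXPECTED_HEX -> 0 if the file's SHA-256 matches,
# 1 on mismatch, 2 if the file is unreadable
verify_sha256() {
    file=$1; expected=$2
    [ -r "$file" ] || { echo "missing: $file" >&2; return 2; }
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file"
        return 0
    fi
    echo "FAIL $file: got $actual, expected $expected" >&2
    return 1
}

# fetch_and_verify URL EXPECTED_HEX -> download into the current directory
# (meant to be run from /root/rpmbuild/SOURCES) and delete a mismatching file
fetch_and_verify() {
    url=$1; expected=$2; file=${url##*/}
    wget -q "$url" || return 2
    verify_sha256 "$file" "$expected" || { rm -f "$file"; return 1; }
}

# Constructed demo: hash a throwaway file first, then check it both ways.
DEMO=$(mktemp)
printf 'not a real tarball\n' > "$DEMO"
GOOD=$(sha256sum "$DEMO" | cut -d' ' -f1)
verify_sha256 "$DEMO" "$GOOD"
verify_sha256 "$DEMO" 0000000000000000000000000000000000000000000000000000000000000000 \
    || echo "(mismatch rejected as expected)"
rm -f "$DEMO"

# Real use, once OPENSSH_8_4P1_SHA256 (placeholder) holds the published value:
# fetch_and_verify https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.4p1.tar.gz "$OPENSSH_8_4P1_SHA256"
```

Run it in /root/rpmbuild/SOURCES; a mismatching download is removed so that rpmbuild cannot pick it up by accident.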

Edit the spec file

cp openssh-8.4p1/contrib/redhat/openssh.spec /root/rpmbuild/SPECS/
cd /root/rpmbuild/SPECS/

sed -i -e "s/%define no_x11_askpass 0/%define no_x11_askpass 1/g" openssh.spec
sed -i -e "s/%define no_gnome_askpass 0/%define no_gnome_askpass 1/g" openssh.spec

Build

rpmbuild -ba openssh.spec

A successful build ends like this:
Wrote: /root/rpmbuild/SRPMS/openssh-8.4p1-1.el7.src.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/openssh-8.4p1-1.el7.x86_64.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/openssh-clients-8.4p1-1.el7.x86_64.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/openssh-server-8.4p1-1.el7.x86_64.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/openssh-askpass-8.4p1-1.el7.x86_64.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/openssh-askpass-gnome-8.4p1-1.el7.x86_64.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/openssh-debuginfo-8.4p1-1.el7.x86_64.rpm
Executing(%clean): /bin/sh -e /var/tmp/rpm-tmp.pshj6r
+ umask 022
+ cd /root/rpmbuild/BUILD
+ cd openssh-8.4p1
+ rm -rf /root/rpmbuild/BUILDROOT/openssh-8.4p1-1.el7.x86_64
+ exit 0

Verify the packages

ls /root/rpmbuild/RPMS/x86_64/
openssh-8.4p1-1.el7.x86_64.rpm openssh-clients-8.4p1-1.el7.x86_64.rpm
openssh-askpass-8.4p1-1.el7.x86_64.rpm openssh-debuginfo-8.4p1-1.el7.x86_64.rpm
openssh-askpass-gnome-8.4p1-1.el7.x86_64.rpm openssh-server-8.4p1-1.el7.x86_64.rpm

Resolving build errors

Error 1:
error: Failed build dependencies: openssl-devel < 1.1 is needed by openssh-8.4p1-1.el7.x86_64
Fix:
Comment out the line BuildRequires: openssl-devel < 1.1

sed -i 's/BuildRequires: openssl-devel < 1.1/#&/' openssh.spec

Error 2:
error: Failed build dependencies: /usr/include/X11/Xlib.h is needed by openssh-8.4p1-1.el7.x86_64
Fix:
Install libXt-devel imake gtk2-devel openssl-libs

yum install libXt-devel imake gtk2-devel openssl-libs -y

Performing the upgrade

Back up the configuration files

cp /etc/pam.d/{sshd,sshd.bak}
cp /etc/ssh/{sshd_config,sshd_config.bak}

Install telnet (the brave may skip this)

To avoid being locked out if the OpenSSH upgrade goes wrong, install telnet as a fallback (and keep two terminal windows open throughout).

yum install telnet-server xinetd -y
systemctl enable --now xinetd.service
systemctl enable --now telnet.socket

Configure telnet login

// Comment out the line auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so in /etc/pam.d/login

sed -i 's/^auth \[user_unknown=/#&/' /etc/pam.d/login

cat >> /etc/securetty <<EOF
pts/1
pts/2
EOF

// Test the login
[C:\~]$ telnet 192.168.3.179
Trying 192.168.3.179...
Connected to 192.168.3.179.
Escape character is '^]'.

Kernel 3.10.0-957.27.2.el7.x86_64 on an x86_64
localhost0 login: root
Password:
Last login: Thu Dec 31 15:28:23 from 192.168.3.144
[root@localhost0 ~]#

Install the new version

Update the OpenSSH packages

Copy the built packages to the machine being upgraded, then run from that directory:

yum update ./openssh* -y

Start the ssh service

Restore the backed-up configuration files and restart sshd

\mv /etc/pam.d/sshd.bak /etc/pam.d/sshd
\mv /etc/ssh/sshd_config.bak /etc/ssh/sshd_config

chmod 600 /etc/ssh/*
systemctl restart sshd

If you cannot log in

Edit /etc/ssh/sshd_config

Uncomment the PermitRootLogin directive and set it to yes

sed -i "s|.*PermitRootLogin.*|PermitRootLogin yes|g" /etc/ssh/sshd_config
sed -i 's|.*PasswordAuthentication.*|PasswordAuthentication yes|g' /etc/ssh/sshd_config
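The two sed commands above match every line that mentions the keyword, comments included, so the file can end up with several copies of each directive. sshd itself honours only the first uncommented occurrence. The following is an added example, not part of the original post: a shell audit that reads sshd_config the way sshd does (first active occurrence, comments ignored) and flags the two directives that the recovery step switched to yes, so they can be set back once the new sshd is confirmed working. It assumes the common "Keyword value" form and does not evaluate Match blocks.

```shell
#!/bin/sh
# Added example (not from the original post): report the effective values of
# PermitRootLogin and PasswordAuthentication in an sshd_config file.
# Assumption: directives are written "Keyword value"; Match blocks are not
# evaluated, only the first uncommented occurrence counts (as in sshd).

# effective_value FILE KEYWORD -> prints the first active value, or "default"
effective_value() {
    file=$1; key=$2
    val=$(awk -v k="$key" '
        $0 !~ /^[[:space:]]*#/ && tolower($1) == tolower(k) { print $2; exit }
    ' "$file")
    [ -n "$val" ] && printf '%s\n' "$val" || printf 'default\n'
}

# audit_sshd_config FILE -> 0 if both directives are "no", 1 if either is not
audit_sshd_config() {
    file=$1
    rc=0
    for key in PermitRootLogin PasswordAuthentication; do
        v=$(effective_value "$file" "$key")
        case "$(printf '%s' "$v" | tr 'A-Z' 'a-z')" in
            no) printf '%-24s %s\n' "$key" "$v" ;;
            *)  printf '%-24s %s  <-- set back to no once ssh login is verified\n' "$key" "$v"
                rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample: what the file looks like after the two sed commands,
# including a comment line that also mentions the keyword.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
# PermitRootLogin controls whether root may log in; see sshd_config(5)
PermitRootLogin yes
#PasswordAuthentication no
PasswordAuthentication yes
EOF

if audit_sshd_config "$SAMPLE"; then
    echo "sshd_config: both directives are off"
else
    echo "sshd_config: recovery settings still active"
fi
rm -f "$SAMPLE"
```

Run it as audit_sshd_config /etc/ssh/sshd_config after the upgrade; a non-zero exit means the emergency settings are still in place.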

Verify login

Open a new window and test an ssh connection; only once that works, proceed to the telnet shutdown steps below.

Note: do not close the current window; close it only after a new window has connected successfully.

Disable telnet

Note: enabling remote root login over telnet is extremely insecure, because the account and password are transmitted in plaintext, especially on the public internet. It should only be used for temporary troubleshooting on an internal network in situations where ssh is unusable; once done, restore the related configuration and shut down the telnet service completely!

systemctl stop telnet.socket && systemctl disable telnet.socket
systemctl stop xinetd.service && systemctl disable xinetd.service

Verify the current version

ssh -V
OpenSSH_8.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
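Reading ssh -V by eye works for one host; for a batch of hosts a scripted comparison is less error-prone. The following is an added example, not part of the original post: a POSIX shell function that parses the ssh -V banner and checks that the major.minor version is at least 8.4, the version built above. Note that ssh -V writes to stderr, hence the 2>&1. The banners in the demo loop are constructed samples.

```shell
#!/bin/sh
# Added example (not from the original post): check that the OpenSSH version
# reported by "ssh -V" is at least the 8.4 built in this post.

# parse_openssh_version BANNER -> prints "MAJOR MINOR", or nothing if the
# banner does not start with OpenSSH_
parse_openssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p'
}

# openssh_at_least BANNER MIN_MAJOR MIN_MINOR -> 0 if version >= minimum,
# 1 if older, 2 if the banner could not be parsed
openssh_at_least() {
    set -- "$(parse_openssh_version "$1")" "$2" "$3"
    [ -n "$1" ] || return 2
    maj=${1% *}; min=${1#* }
    [ "$maj" -gt "$2" ] && return 0
    [ "$maj" -eq "$2" ] && [ "$min" -ge "$3" ] && return 0
    return 1
}

# check_local_openssh -> runs ssh -V on this host (stderr is where it prints)
check_local_openssh() {
    banner=$(ssh -V 2>&1)
    if openssh_at_least "$banner" 8 4; then
        printf 'OK   %s\n' "$banner"
    else
        printf 'OLD  %s  (below 8.4)\n' "$banner"
        return 1
    fi
}

# Constructed sample banners: stock CentOS 7, the 8.3p1 release named in
# the advisory above, and the version built in this post.
for b in "OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017" \
         "OpenSSH_8.3p1, OpenSSL 1.0.2k-fips  26 Jan 2017" \
         "OpenSSH_8.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017"; do
    if openssh_at_least "$b" 8 4; then echo "OK   $b"; else echo "OLD  $b"; fi
done
```

Call check_local_openssh on each upgraded host (for example over the working ssh session from the previous step); it exits non-zero wherever the old package is still installed. The version number is meaningful here because the procedure replaces the vendor packages with an upstream build; on hosts still running the distribution's own openssh packages, which receive backported fixes, the banner alone does not tell you which fixes are present.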

Finally, I wrote a one-click upgrade script.

Reference: Upgrading OpenSSH 8.x on CentOS via yum