2020年6月9日,研究人员Chinmay Pandya在Openssh中发现了一个漏洞,于7月18日公开。OpenSSH的8.3p1中的scp允许在scp.c远程功能中注入命令,攻击者可利用该漏洞执行任意命令。目前绝大多数linux系统受影响。深信服安全研究团队依据漏洞重要性和影响力进行评估,作出漏洞通告。
本文讲述如何升级openssh。
1
| yum install rpm-build zlib-devel openssl-devel gcc perl-devel pam-devel unzip libXt-devel imake gtk2-devel openssl-libs -y
|
1
2
| mkdir -p /root/rpmbuild/{SOURCES,SPECS}
cd /root/rpmbuild/SOURCES
|
下载地址:
http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/
https://src.fedoraproject.org/repo/pkgs/openssh/
1
2
3
4
5
| wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.4p1.tar.gz
wget https://src.fedoraproject.org/repo/pkgs/openssh/x11-ssh-askpass-1.2.4.1.tar.gz/8f2e41f3f7eaa8543a2440454637f3c3/x11-ssh-askpass-1.2.4.1.tar.gz
tar -xvzf openssh-8.4p1.tar.gz
tar -xvzf x11-ssh-askpass-1.2.4.1.tar.gz
|
1
2
3
4
5
| cp openssh-8.4p1/contrib/redhat/openssh.spec /root/rpmbuild/SPECS/
cd /root/rpmbuild/SPECS/
sed -i -e "s/%define no_x11_askpass 0/%define no_x11_askpass 1/g" openssh.spec
sed -i -e "s/%define no_gnome_askpass 0/%define no_gnome_askpass 1/g" openssh.spec
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
| rpmbuild -ba openssh.spec
构建成功结果如下:
Wrote: /root/rpmbuild/SRPMS/openssh-8.4p1-1.el7.src.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/openssh-8.4p1-1.el7.x86_64.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/openssh-clients-8.4p1-1.el7.x86_64.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/openssh-server-8.4p1-1.el7.x86_64.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/openssh-askpass-8.4p1-1.el7.x86_64.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/openssh-askpass-gnome-8.4p1-1.el7.x86_64.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/openssh-debuginfo-8.4p1-1.el7.x86_64.rpm
Executing(%clean): /bin/sh -e /var/tmp/rpm-tmp.pshj6r
+ umask 022
+ cd /root/rpmbuild/BUILD
+ cd openssh-8.4p1
+ rm -rf /root/rpmbuild/BUILDROOT/openssh-8.4p1-1.el7.x86_64
+ exit 0
|
1
2
3
4
| ls /root/rpmbuild/RPMS/x86_64/
openssh-8.4p1-1.el7.x86_64.rpm openssh-clients-8.4p1-1.el7.x86_64.rpm
openssh-askpass-8.4p1-1.el7.x86_64.rpm openssh-debuginfo-8.4p1-1.el7.x86_64.rpm
openssh-askpass-gnome-8.4p1-1.el7.x86_64.rpm openssh-server-8.4p1-1.el7.x86_64.rpm
|
错误1:
error: Failed build dependencies: openssl-devel < 1.1 is needed by openssh-8.4p1-1.el7.x86_64
解决办法:
注释BuildRequires: openssl-devel < 1.1这一行
1
| sed -i 's/BuildRequires: openssl-devel < 1.1/#&/' openssh.spec
|
错误2:
error: Failed build dependencies: /usr/include/X11/Xlib.h is needed by openssh-8.4p1-1.el7.x86_64
解决办法:
安装libXt-devel imake gtk2-devel openssl-libs
1
| yum install libXt-devel imake gtk2-devel openssl-libs -y
|
1
2
| cp /etc/pam.d/{sshd,sshd.bak}
cp /etc/ssh/{sshd_config,sshd_config.bak}
|
避免 openssh 升级识别无法登陆,安装telnet(同时开启两个窗口)
1
2
3
| yum install telnet-server xinetd -y
systemctl enable --now xinetd.service
systemctl enable --now telnet.socket
|
配置 telnet 登陆
//注释auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so这一行
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
| sed -i 's/^auth \[user_unknown=/#&/' /etc/pam.d/login
cat >> /etc/securetty <<EOF
pts/1
pts/2
EOF
//测试登陆
[C:\~]$ telnet 192.168.3.179
Trying 192.168.3.179...
Connected to 192.168.3.179.
Escape character is '^]'.
Kernel 3.10.0-957.27.2.el7.x86_64 on an x86_64
localhost0 login: root
Password:
Last login: Thu Dec 31 15:28:23 from 192.168.3.144
[root@localhost0 ~]#
|
更新openssh版本
将编译好的包拷贝到需要升级的机器
1
| yum update ./openssh* -y
|
恢复备份的配置文件,并重启sshd
1
2
3
4
5
| \mv /etc/pam.d/sshd.bak /etc/pam.d/sshd
\mv /etc/ssh/sshd_config.bak /etc/ssh/sshd_config
chmod 600 /etc/ssh/*
systemctl restart sshd
|
如果无法登陆
修改/etc/ssh/sshd_config
取消注释并修改PermitRootLogin yes
1
2
| sed -i "s|.*PermitRootLogin.*|PermitRootLogin yes|g" /etc/ssh/sshd_config
sed -i 's|.*PasswordAuthentication.*|PasswordAuthentication yes|g' /etc/ssh/sshd_config
|
新开窗口连接登陆测试,没有问题后再进行下面的关闭telnet步骤。
**注意:**请勿关闭当前窗口,另外新开窗口连接没问题,再关闭。
注意:开启telnet的root远程登录极度不安全,账号密码都是明文传输,尤其在公网,所以一般只限于在某些情况下内网中ssh无法使用时,临时调测,使用完后,将相关配置复原,彻底关闭telnet服务!
1
2
| systemctl stop telnet.socket && systemctl disable telnet.socket
systemctl stop xinetd.service && systemctl disable xinetd.service
|
1
2
| ssh -V
OpenSSH_8.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
|
最后,我写了一个一键升级的脚本
参考链接:CentOS通过yum升级Openssh8.x