RHEL 7.6: upgrading OpenSSL/OpenSSH
A few days ago the company security scan flagged a batch of RHEL 5 OpenSSL/OpenSSH vulnerabilities, and as the ops engineer it falls to me to patch them promptly to raise the security baseline. Today another batch came up for RHEL 7.6; I expect 7.6, 7.3, 6.9 and 6.5 will all need hardening.
As before, I am building from source. Upgrading via RPM is less work, but I still prefer compiling from source and adding the modules I need, which suits more scenarios.
1. Environment
Red Hat Enterprise Linux Server release 7.6 (Maipo)
2. Versions before and after the upgrade
| Name | Current version | Upgraded version |
|---|---|---|
| perl | v5.16.3 | v5.30.3 |
| OpenSSL | 1.0.2k | 1.1.1o |
| OpenSSH | 8.6p1 | 8.8p1 |

```console
# openssl version -a
OpenSSL 1.0.2k-fips 26 Jan 2017
# ssh -V
OpenSSH_8.6p1, OpenSSL 1.0.2k-fips 26 Jan 2017
```
Source tarballs used for the upgrade:
perl-5.30.3.tar.gz openssh-8.8p1.tar.gz openssl-1.1.1o.tar.gz
3. Upgrade procedure
3.1 Install the build dependencies
A yum repository must be configured before these packages can be installed.
```bash
yum -y install gcc gcc-c++ glibc make zlib zlib-devel pam-devel
```
3.2 Upgrade Perl
```bash
# Build
cd /home/wei
tar zxvf perl-5.30.3.tar.gz
cd /home/wei/perl-5.30.3
./Configure -des -Dprefix=/usr/local/perl && echo $? || exit
make && echo $?
make test
make install
# Switch to the new version: keep the old binary as a backup and point /usr/bin/perl at the new build
mv /usr/bin/perl /usr/bin/perl.bak
ln -s /usr/local/perl/bin/perl /usr/bin/perl
perl -v
```
3.3 Upgrade OpenSSL
```bash
# Build
cd /home/wei
tar zxvf openssl-1.1.1o.tar.gz
cd /home/wei/openssl-1.1.1o
./config --prefix=/usr/local/ssl shared zlib
make install && echo $?
# Switch to the new version
mv /usr/bin/openssl /usr/bin/openssl.bak
ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
# Register the new shared libraries with the dynamic linker
cat > /etc/ld.so.conf.d/ssl.conf <<EOF
/usr/local/ssl/lib
EOF
ldconfig
openssl version
```
3.4 Upgrade OpenSSH
```bash
# Back up the configuration and the existing binaries
cp -ar /etc/ssh/ /etc/ssh.bak
cp -ar /etc/pam.d /etc/pam.d.bak
cd /usr/bin/
cp ssh ssh.bak
cp ssh-add ssh-add.bak
cp ssh-keygen ssh-keygen.bak
cp ssh-keyscan ssh-keyscan.bak
cp scp scp.bak
cp sftp sftp.bak
cp /usr/sbin/sshd /usr/sbin/sshd.bak
cp /etc/init.d/sshd /etc/init.d/sshd.bak
# Build and install, linking against the OpenSSL built in 3.3
cd /home/wei
tar zxvf openssh-8.8p1.tar.gz
cd ./openssh-8.8p1
./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-pam --with-zlib --without-openssl-header-check --with-ssl-dir=/usr/local/ssl --with-privsep-path=/var/lib/sshd
make && echo $?
make install
# Switch to the new version
ln -sf /usr/local/openssh/bin/ssh /usr/bin/ssh
ln -sf /usr/local/openssh/bin/ssh-add /usr/bin/ssh-add
ln -sf /usr/local/openssh/bin/ssh-agent /usr/bin/ssh-agent
ln -sf /usr/local/openssh/bin/ssh-keygen /usr/bin/ssh-keygen
ln -sf /usr/local/openssh/bin/ssh-keyscan /usr/bin/ssh-keyscan
ln -sf /usr/local/openssh/bin/scp /usr/bin/scp
ln -sf /usr/local/openssh/bin/sftp /usr/bin/sftp
ln -sf /usr/local/openssh/sbin/sshd /usr/sbin/sshd
cp contrib/redhat/sshd.init /etc/init.d/sshd
chmod a+x /etc/init.d/sshd
chmod a+x -R /usr/local/openssh/*
chkconfig --del sshd
chkconfig --add sshd
chkconfig --list|grep sshd
# Restore the PAM configuration
cp /etc/pam.d.bak/sshd /etc/pam.d/sshd
# Comment out the GSSAPI options in sshd_config, then restart the service
sed -i.bak 's/GSSAPIAuthentication yes/#GSSAPIAuthentication yes/' /etc/ssh/sshd_config
sed -ri "/^GSSAPICleanupCredentials.*/s/(.*)/#\1/" /etc/ssh/sshd_config
service sshd restart
```
```console
# ssh -V && openssl version
OpenSSH_8.8p1, OpenSSL 1.1.1o 3 May 2022
OpenSSL 1.1.1o 3 May 2022
```
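The checks the post leaves implicit, as an added example that is not part of the original post: it confirms from `ssh -V` that the client reports the new OpenSSH and OpenSSL, confirms from `ldd /usr/sbin/sshd` that the daemon resolves libssl/libcrypto under the new prefix rather than the old 1.0.2k libraries in /lib64, and runs `sshd -t` before any restart. The expected versions and the /usr/local/ssl prefix come from the post; the sample ldd output and the script name check.sh are constructed.

```shell
#!/bin/sh
# Post-upgrade verification for the procedure above (added example, not part
# of the original post). Expected values come from the upgrade table; the
# library prefix is the one passed to ./config --prefix.
EXPECT_SSH="OpenSSH_8.8p1"
EXPECT_SSL="OpenSSL 1.1.1o"
NEW_SSL_LIB="/usr/local/ssl/lib"

# ssh_version_ok "<output of ssh -V>": true only when the client reports both
# the new OpenSSH release and the new OpenSSL it was built against.
ssh_version_ok() {
    case "$1" in
        "$EXPECT_SSH, $EXPECT_SSL "*) return 0 ;;
        *) return 1 ;;
    esac
}

# sshd_links_new_ssl "<output of ldd /usr/sbin/sshd>": true only when libssl
# and libcrypto both resolve under NEW_SSL_LIB. If ldconfig was skipped or the
# ld.so.conf.d entry is missing, sshd silently keeps the old libraries.
sshd_links_new_ssl() {
    printf '%s\n' "$1" | awk -v lib="$NEW_SSL_LIB/" '
        /libssl\.so/    { ssl    = (index($3, lib) == 1) }
        /libcrypto\.so/ { crypto = (index($3, lib) == 1) }
        END { exit (ssl && crypto) ? 0 : 1 }'
}

# Constructed sample ldd output (not captured from a real host).
SAMPLE_LDD_NEW='    libssl.so.1.1 => /usr/local/ssl/lib/libssl.so.1.1 (0x00007f1)
    libcrypto.so.1.1 => /usr/local/ssl/lib/libcrypto.so.1.1 (0x00007f2)
    libc.so.6 => /lib64/libc.so.6 (0x00007f3)'
SAMPLE_LDD_OLD='    libssl.so.10 => /lib64/libssl.so.10 (0x00007f1)
    libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f2)'

# Live checks on the upgraded host: run "sh check.sh --live" from a session you
# keep open, and only restart sshd once 'sshd -t' accepts the configuration.
live_check() {
    ssh_version_ok "$(ssh -V 2>&1)" \
        || { echo "ssh -V does not report $EXPECT_SSH / $EXPECT_SSL"; return 1; }
    sshd_links_new_ssl "$(ldd /usr/sbin/sshd)" \
        || { echo "sshd resolves libssl/libcrypto outside $NEW_SSL_LIB"; return 1; }
    /usr/sbin/sshd -t || { echo "sshd_config rejected by sshd -t; do not restart"; return 1; }
    echo "post-upgrade checks passed"
}
if [ "${1:-}" = "--live" ]; then live_check; fi
```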
4. Rollback procedure
Roll back by downgrading to the old versions in the same order the upgrades were installed.
4.1 Downgrade perl
```bash
rm -f /usr/bin/perl
cp /usr/bin/perl.bak /usr/bin/perl
perl -v
```
4.2 Downgrade OpenSSL
```bash
rm -f /usr/bin/openssl /etc/ld.so.conf.d/ssl.conf
cp /usr/bin/openssl.bak /usr/bin/openssl
ldconfig
openssl version
```
4.3 Downgrade OpenSSH
```bash
# \cp bypasses the cp -i alias so the overwrites are not prompted
\cp -ar /etc/ssh.bak /etc/ssh/
\cp -ar /etc/pam.d.bak /etc/pam.d
cd /usr/bin/
rm -f ssh ssh-add ssh-keygen ssh-keyscan scp sftp
\cp ssh.bak ssh
\cp ssh-add.bak ssh-add
\cp ssh-keygen.bak ssh-keygen
\cp ssh-keyscan.bak ssh-keyscan
\cp scp.bak scp
\cp sftp.bak sftp
\cp /usr/sbin/sshd.bak /usr/sbin/sshd
\cp /etc/init.d/sshd.bak /etc/init.d/sshd
chmod a+x /etc/init.d/sshd
/sbin/chkconfig --del sshd
/sbin/chkconfig --add sshd
/sbin/chkconfig --list|grep sshd
# Restore the PAM configuration
cp /etc/pam.d.bak/sshd /etc/pam.d/sshd
service sshd restart
```
```console
# ssh -V && openssl version
OpenSSH_8.6p1, OpenSSL 1.0.1e-fips 11 Feb 2013
OpenSSL 1.0.2k-fips 26 Jan 2017
```
Download links
OpenSSL official download page: www.openssl.org/source/ OpenSSH official site: www.openssh.com/openbsd.htm… My blog post: t.csdn.cn/0FjQK