主机安全扫描的时候经常会遇到openssh的漏洞,因为系统自带的openssh版本太低了,下面以目前最新的8.8版本为例子。
1.制作OpenSSH的RPM包# 安装依赖包 # yum install rpm-build zlib-devel openssl-devel gcc perl-devel pam-devel xmkmf libXt-devel gtk2-devel make -y # 初始化rpm制作环境 # rpmbuild -ba openssh.spec # 下载源码包 # cd /root/rpmbuild/SOURCES # wget https://src.fedoraproject.org/repo/pkgs/openssh/x11-ssh-askpass-1.2.4.1.tar.gz/8f2e41f3f7eaa8543a2440454637f3c3/x11-ssh-askpass-1.2.4.1.tar.gz # wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.8p1.tar.gz # 解压源码包 # tar -zxf /root/rpmbuild/SOURCES/openssh-8.8p1.tar.gz -c /tmp # 修改openssh.spec,注释#BuildRequires: openssl-devel < 1.1 # vi /tmp/openssh-8.8p1/contrib/redhat/openssh.spec # 复制openssh.spec # cp /tmp/openssh-8.8p1/contrib/redhat/openssh.spec /root/rpmbuild/SPECS/ # 制作rpm包 # rpmbuild -ba openssh.spec # 待制作完成,生成的rpm包在目录/root/rpmbuild/RPMS/x86_64/ openssh-8.8p1-1.el7.x86_64.rpm openssh-askpass-8.8p1-1.el7.x86_64.rpm openssh-askpass-gnome-8.8p1-1.el7.x86_64.rpm openssh-clients-8.8p1-1.el7.x86_64.rpm openssh-debuginfo-8.8p1-1.el7.x86_64.rpm openssh-server-8.8p1-1.el7.x86_64.rpm # 只需要三个包即可 openssh-8.8p1-1.el7.x86_64.rpm openssh-clients-8.8p1-1.el7.x86_64.rpm openssh-server-8.8p1-1.el7.x86_64.rpm2.升级
# 备份 # mv /etc/ssh /etc/ssh.bak-20211111 # mv /usr/bin/ssh /usr/bin/ssh.bak-20211111 # mv /usr/sbin/sshd /usr/sbin/sshd.bak-20211111 # 升级openssh # rpm -Uvh openssh-8.8p1-1.el7.x86_64.rpm openssh-clients-8.8p1-1.el7.x86_64.rpm openssh-server-8.8p1-1.el7.x86_64.rpm # 重启openssh # chkconfig --add sshd # chkconfig sshd on # systemctl daemon-reload # systemctl restart sshd # 注意,如果启动的时候报这样的错:Permissions 0640 for '/etc/ssh/ssh_host_ed25519_key' are too open,请执行以下语句即可。 # chmod 0600 /etc/ssh/ssh_host_ed25519_key
