免费资源网 – https://freexyz.cn/
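A security vulnerability scan reported that the OpenSSH version was too old and needed to be upgraded to the latest version, so I wrote this document.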
Check basic server information

[root@localhost ~]# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
[root@localhost ~]# cat /etc/redhat-release
CentOS Linux release 7.8.2003 (Core)

Install the upgrade dependencies

[root@localhost ~]# yum -y install wget gcc zlib-devel openssl-devel pam-devel libselinux-devel

Upgrade OpenSSL

Back up the old OpenSSL:
[root@localhost ~]# mv /usr/bin/openssl{,.bak}
[root@localhost ~]# mv /usr/include/openssl{,.bak}

Download, extract, compile and install:
[root@localhost ~]# wget https://www.openssl.org/source/openssl-1.1.1k.tar.gz
[root@localhost ~]# tar zxf openssl-1.1.1k.tar.gz -C /usr/local/
[root@localhost ~]# cd /usr/local/openssl-1.1.1k/
[root@localhost openssl-1.1.1k]# ./config --prefix=/usr/local/openssl
[root@localhost openssl-1.1.1k]# make -j 2 && make install

Adjust the configuration:
[root@localhost openssl-1.1.1k]# ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
[root@localhost openssl-1.1.1k]# ln -s /usr/local/openssl/include/openssl /usr/include/openssl
[root@localhost openssl-1.1.1k]# echo "/usr/local/openssl/lib" >> /etc/ld.so.conf
[root@localhost openssl-1.1.1k]# ldconfig -v

Verify the version:
[root@localhost openssl-1.1.1k]# openssl version
OpenSSL 1.1.1k 25 Mar 2021

Upgrade OpenSSH

Stop the existing service and back up its data:
[root@localhost ~]# systemctl stop sshd
[root@localhost ~]# mv /etc/ssh{,.bak}
[root@localhost ~]# mv /etc/pam.d/sshd{,.bak}

Remove the existing openssh packages:
[root@localhost ~]# rpm -e --nodeps `rpm -qa | grep openssh`

Download and extract the source package:
[root@localhost ~]# wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.6p1.tar.gz
[root@localhost ~]# tar zxf openssh-8.6p1.tar.gz
[root@localhost ~]# cd openssh-8.6p1

Compile and install:
[root@localhost openssh-8.6p1]# ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-zlib --with-tcp-wrappers --with-ssl-dir=/usr/local/openssl --without-hardening
[root@localhost openssh-8.6p1]# make -j 2 && make install

Copy the configuration files and start the service:
[root@localhost openssh-8.6p1]# cp contrib/redhat/sshd.init /etc/init.d/sshd
[root@localhost openssh-8.6p1]# mv /etc/pam.d/sshd.bak /etc/pam.d/sshd
[root@localhost openssh-8.6p1]# mv /etc/ssh /etc/ssh_update.bak
[root@localhost openssh-8.6p1]# mv /etc/ssh.bak /etc/ssh
[root@localhost openssh-8.6p1]# chmod 600 /etc/ssh/*key
[root@localhost openssh-8.6p1]# chkconfig --add sshd
[root@localhost openssh-8.6p1]# chkconfig sshd on
[root@localhost openssh-8.6p1]# systemctl restart sshd

Allow root login:
[root@localhost ~]# sed -i 's/^#\(PermitRootLogin \).*/\1yes/' /etc/ssh/sshd_config

Verify the version:
[root@localhost openssh-8.6p1]# ssh -V
OpenSSH_8.6p1, OpenSSL 1.1.1k 25 Mar 2021

Problem encountered

Job for sshd.service failed because the control process exited with error code. See "systemctl status sshd.service" and "journalctl -xe" for details.

Solution

grep sshd /var/log/audit/audit.log | audit2allow -M mypol
semodule -i mypol.pp
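audit2allow -M turns every denial it is fed into an allow rule, so it is worth listing what the grep above selects before running semodule -i. The script below is an added example, not part of the original post: the function names and the sample audit records are constructed for illustration, and it assumes the standard AVC record layout of /var/log/audit/audit.log.

```shell
#!/bin/sh
# Added example: list the AVC denials that `grep sshd | audit2allow -M mypol`
# would turn into allow rules, so they can be reviewed before `semodule -i`.

# summarize_sshd_denials [FILE]
# Reads an audit log (stdin when FILE is omitted) and prints one line per
# distinct rule: "<count> <source_type> <target_type>:<class> { <perms> }".
summarize_sshd_denials() {
    awk '
    /sshd/ && /type=AVC/ && /denied/ {           # same "sshd" match as the grep
        perms = ""; src = ""; tgt = ""; cls = ""
        if (match($0, /[{][^}]*[}]/)) {          # permission set between braces
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms)
        }
        for (i = 1; i <= NF; i++) {              # SELinux type is the 3rd context field
            if ($i ~ /^scontext=/)      { split($i, a, ":"); src = a[3] }
            else if ($i ~ /^tcontext=/) { split($i, a, ":"); tgt = a[3] }
            else if ($i ~ /^tclass=/)   { cls = substr($i, 8) }
        }
        if (src != "" && tgt != "" && cls != "")
            seen[src " " tgt ":" cls " { " perms " }"]++
    }
    END { for (k in seen) print seen[k], k }
    ' "${1:--}" | LC_ALL=C sort -k2
}

# Constructed sample records (not taken from the page or from a real host).
sample_audit_log() {
    cat <<'EOF'
type=AVC msg=audit(1620000000.101:410): avc:  denied  { read } for  pid=2101 comm="sshd" name="shadow" dev="dm-0" ino=7001 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1620000000.101:410): arch=c000003e syscall=2 success=no exit=-13 comm="sshd" exe="/usr/sbin/sshd" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
type=AVC msg=audit(1620000003.220:415): avc:  denied  { read } for  pid=2107 comm="sshd" name="shadow" dev="dm-0" ino=7001 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1620000005.500:419): avc:  denied  { append open } for  pid=2107 comm="sshd" name="secure" dev="dm-0" ino=8120 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:var_log_t:s0 tclass=file permissive=0
type=AVC msg=audit(1620000009.000:430): avc:  denied  { name_connect } for  pid=900 comm="httpd" dest=8080 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:http_cache_port_t:s0 tclass=tcp_socket permissive=0
EOF
}

# Demo on the constructed records; on a real host pass /var/log/audit/audit.log.
sample_audit_log | summarize_sshd_denials
```

Each output line corresponds to a rule that would end up in mypol.te, which audit2allow -M writes next to mypol.pp and which can be read before the module is loaded.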