Upgrading OpenSSH on a Linux system to 9.3p2
Posted on 2023-8-22 11:17:44 by the forum administrator (管理员)
OpenSSH ssh-agent remote code execution vulnerability
CVE-2023-38408. We received this security vulnerability finding and need to resolve it.
Affected versions: <1.9.3p2-1
The remediation given with the vulnerability finding:
First, upgrade to OpenSSH 9.3p2 or later: upgrading to the latest OpenSSH release is essential because it contains the key patch that mitigates the vulnerability. Make sure all relevant systems and servers are promptly updated to the recommended version or later.
Also take preventive measures to avoid exploitation:
On machines where OpenSSH is used only for remote host administration, restrict the source IPs allowed to connect to an allow-list of trusted addresses, using the OpenSSH configuration (sshd_config), the firewall, security-group ACLs and the like; at the same time, unless it is necessary, disable SSH agent forwarding and do not enable SSH tunnels on the hosts concerned.
To disable SSH agent forwarding:
Edit /etc/ssh/sshd_config
AllowTcpForwarding NO

Next, we start preparing for the upgrade:
Check the OpenSSH service on the device
# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
Back up the existing sshd file under pam.d
# cp /etc/pam.d/sshd /etc/pam.d/sshd-bak
# ls /etc/pam.d/sshd*
/etc/pam.d/sshd  /etc/pam.d/sshd-bak
# cp -r /etc/ssh/ /etc/ssh-bak

After backing up the files, check whether telnet is installed:
# rpm -q telnet
telnet-0.17-66.el7.x86_64

# rpm -q telnet-server
package telnet-server is not installed
Download the OpenSSH package for the upgrade
https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.3p2.tar.gz
wget https://cdn.openbsd.org/pub/Open ... penssh-9.3p2.tar.gz into the chosen directory. Here we use /tmp.

https://mirrors.aliyun.com/pub/OpenBSD/OpenSSH/portable/openssh-9.3p2.tar.gz
https://mirror.edgecast.com/pub/OpenBSD/OpenSSH/portable/openssh-9.3p2.tar.gz

Several download addresses are available:
pick any one of them:
# wget  https://mirror.edgecast.com/pub/ ... penssh-9.3p2.tar.gz
--2023-08-22 14:12:08--  https://mirror.edgecast.com/pub/ ... penssh-9.3p2.tar.gz
Resolving mirror.edgecast.com (mirror.edgecast.com)... 152.195.62.22, 2606:2800:10c:1116:239f:3fd5:4bab:a23f
Connecting to mirror.edgecast.com (mirror.edgecast.com)|152.195.62.22|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1835850 (1.8M) [application/octet-stream]
Saving to: ‘openssh-9.3p2.tar.gz’

100%[=======================================================================================================================================================================================================>] 1,835,850   1.49MB/s   in 1.2s

2023-08-22 14:12:11 (1.49 MB/s) - ‘openssh-9.3p2.tar.gz’ saved [1835850/1835850]

# ls
openssh-9.3p2.tar.gz
After downloading, extract it:
# tar -zxvf openssh-9.3p2.tar.gz
openssh-9.3p2
openssh-9.3p2/.git_allowed_signers
openssh-9.3p2/.git_allowed_signers.asc
openssh-9.3p2/.github
openssh-9.3p2/.github/ci-status.md
openssh-9.3p2/.github/configs
openssh-9.3p2/.github/configure.sh
openssh-9.3p2/.github/run_test.sh
openssh-9.3p2/.github/setup_ci.sh
openssh-9.3p2/.github/workflows
openssh-9.3p2/.github/workflows/c-cpp.yml
openssh-9.3p2/.github/workflows/cifuzz.yml
openssh-9.3p2/.github/workflows/selfhosted.yml
openssh-9.3p2/.github/workflows/upstream.yml
openssh-9.3p2/.gitignore
openssh-9.3p2/.skipped-commit-ids
openssh-9.3p2/CREDITS
openssh-9.3p2/INSTALL
.........
openssh-9.3p2/aclocal.m4
openssh-9.3p2/.depend
openssh-9.3p2/config.h.in
openssh-9.3p2/configure

# ls
openssh-9.3p2  openssh-9.3p2.tar.gz

Install the required packages
yum install -y gcc zlib-devel pam-devel libselinux-devel zlib-devel
Configure with the full path:
/tmp/openssh-9.3p2/configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-md5-passwords --with-ssl-dir=/usr/ssl

Configure with the absolute path:
# ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-md5-passwords --with-ssl-dir=/usr/ssl
configure: WARNING: unrecognized options: --with-md5-passwords
checking for cc... cc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether the compiler supports GNU C... yes
checking whether cc accepts -g... yes
checking for cc option to enable C11 features... -std=gnu11
checking if cc -std=gnu11 supports C99-style variadic macros... yes
checking build system type... x86_64-pc-linux-gnu
checking host system type... x86_64-pc-linux-gnu
checking for stdio.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for strings.h... yes
checking for sys/stat.h... yes
checking for sys/types.h... yes
checking for unistd.h... yes
checking whether byte ordering is bigendian... no
checking for gawk... gawk
checking how to run the C preprocessor... cc -std=gnu11 -E
checking for ranlib... ranlib
checking for a BSD-compatible install... /bin/install -c
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking for a race-free mkdir -p... /bin/mkdir -p

PAM is enabled. You may need to install a PAM control file
for sshd, otherwise password authentication may fail.
Example PAM control files can be found in the contrib/
subdirectory

Compile:
[root@localhost openssh-9.3p2]# make
........
otector-strong -fPIE   -I. -I. -I/usr/ssl  -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -D_GNU_SOURCE -DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_SK_HELPER=\"/usr/libexec/ssh-sk-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c ssh-sk.c -o ssh-sk.o
cc -std=gnu11 -g -O2 -pipe -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE   -I. -I. -I/usr/ssl  -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -D_GNU_SOURCE -DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_SK_HELPER=\"/usr/libexec/ssh-sk-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c sk-usbhid.c -o sk-usbhid.o
cc -std=gnu11 -o ssh-sk-helper ssh-sk-helper.o ssh-sk.o sk-usbhid.o -L. -Lopenbsd-compat/ -L/usr/ssl  -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -pie  -lssh -lopenbsd-compat -lssh -lopenbsd-compat -ldl -lutil  -lresolv  -lcrypto  -lz

Install:
[root@jms_server_01 openssh-9.3p2]# make install
(cd openbsd-compat && make)
make[1]: Entering directory `/tmp/openssh-9.3p2/openbsd-compat'
make[1]: Nothing to be done for `all'.
make[1]: Leaving directory `/tmp/openssh-9.3p2/openbsd-compat'
/bin/mkdir -p /usr/bin
/bin/mkdir -p /usr/sbin
/bin/mkdir -p /usr/share/man/man1
/bin/mkdir -p /usr/share/man/man5
/bin/mkdir -p /usr/share/man/man8
/bin/mkdir -p /usr/libexec
/bin/mkdir -p -m 0755 /var/empty
/bin/install -c -m 0755 -s ssh /usr/bin/ssh
/bin/install -c -m 0755 -s scp /usr/bin/scp
/bin/install -c -m 0755 -s ssh-add /usr/bin/ssh-add
/bin/install -c -m 0755 -s ssh-agent /usr/bin/ssh-agent
/bin/install -c -m 0755 -s ssh-keygen /usr/bin/ssh-keygen
/bin/install -c -m 0755 -s ssh-keyscan /usr/bin/ssh-keyscan
/bin/install -c -m 0755 -s sshd /usr/sbin/sshd
/bin/install -c -m 4711 -s ssh-keysign /usr/libexec/ssh-keysign
/bin/install -c -m 0755 -s ssh-pkcs11-helper /usr/libexec/ssh-pkcs11-helper
/bin/install -c -m 0755 -s ssh-sk-helper /usr/libexec/ssh-sk-helper
/bin/install -c -m 0755 -s sftp /usr/bin/sftp
/bin/install -c -m 0755 -s sftp-server /usr/libexec/sftp-server
/bin/install -c -m 644 ssh.1.out /usr/share/man/man1/ssh.1
/bin/install -c -m 644 scp.1.out /usr/share/man/man1/scp.1
/bin/install -c -m 644 ssh-add.1.out /usr/share/man/man1/ssh-add.1
/bin/install -c -m 644 ssh-agent.1.out /usr/share/man/man1/ssh-agent.1
/bin/install -c -m 644 ssh-keygen.1.out /usr/share/man/man1/ssh-keygen.1
/bin/install -c -m 644 ssh-keyscan.1.out /usr/share/man/man1/ssh-keyscan.1
/bin/install -c -m 644 moduli.5.out /usr/share/man/man5/moduli.5
/bin/install -c -m 644 sshd_config.5.out /usr/share/man/man5/sshd_config.5
/bin/install -c -m 644 ssh_config.5.out /usr/share/man/man5/ssh_config.5
/bin/install -c -m 644 sshd.8.out /usr/share/man/man8/sshd.8
/bin/install -c -m 644 sftp.1.out /usr/share/man/man1/sftp.1
/bin/install -c -m 644 sftp-server.8.out /usr/share/man/man8/sftp-server.8
/bin/install -c -m 644 ssh-keysign.8.out /usr/share/man/man8/ssh-keysign.8
/bin/install -c -m 644 ssh-pkcs11-helper.8.out /usr/share/man/man8/ssh-pkcs11-helper.8
/bin/install -c -m 644 ssh-sk-helper.8.out /usr/share/man/man8/ssh-sk-helper.8
/bin/mkdir -p /etc/ssh
/etc/ssh/ssh_config already exists, install will not overwrite
/etc/ssh/sshd_config already exists, install will not overwrite
/etc/ssh/moduli already exists, install will not overwrite
/usr/sbin/sshd -t -f /etc/ssh/sshd_config
/etc/ssh/sshd_config line 79: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 80: Unsupported option GSSAPICleanupCredentials
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_rsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Unable to load host key "/etc/ssh/ssh_host_rsa_key": bad permissions
Unable to load host key: /etc/ssh/ssh_host_rsa_key
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_ecdsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Unable to load host key "/etc/ssh/ssh_host_ecdsa_key": bad permissions
Unable to load host key: /etc/ssh/ssh_host_ecdsa_key
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_ed25519_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Unable to load host key "/etc/ssh/ssh_host_ed25519_key": bad permissions
Unable to load host key: /etc/ssh/ssh_host_ed25519_key
sshd: no hostkeys available -- exiting.
make: [check-config] Error 1 (ignored)

Uninstall the old version

rpm -e --nodeps `rpm -qa | grep openssh`

Delete the ssh directory:
rm -rf /etc/ssh

## Install the dependency packages:
yum install -y gcc zlib-devel pam-devel libselinux-devel zlib-devel

make && make install

Copy the startup script to init.d so the service can be started and stopped:
\cp -rp /tmp/openssh-9.3p2/contrib/redhat/sshd.init /etc/init.d/sshd

Enable the sshd service at boot:
#chkconfig sshd on
systemctl enable sshd

Restore from the backup files copied earlier:

cp -pf  /etc/ssh-bak/sshd_config /etc/ssh/sshd_config

\cp -pf /etc/pam.d/sshd-bak /etc/pam.d/sshd

#check file
/usr/sbin/sshd -t -f /etc/ssh/sshd_config

#start sshd service

systemctl start sshd.service
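An added example, not code from the original post: a small post-upgrade check script covering the three things the make install output above tripped over or the post asks you to set, namely sshd_config directives the freshly built sshd rejects (the GSSAPI* lines, which need a --with-kerberos5 build), private host keys that are not mode 0600, and the two forwarding directives. It assumes GNU stat (as on the CentOS 7 host in the post) and takes the config path and key directory as arguments.

```shell
#!/bin/sh
# Added example, not code from the original post. Post-upgrade checks for what
# the "make install" log above showed: sshd 9.3p2 rejecting GSSAPI* directives,
# refusing 0640 host keys, and the forwarding settings the post recommends.
# Assumes GNU stat (-c %a), as on the CentOS 7 host in the post.

# Print "line:directive" for every GSSAPI* directive in the config. The
# configure line in the post omitted --with-kerberos5, so the new sshd does
# not know these options and "sshd -t" fails on them (config lines 79 and 80).
unsupported_directives() {
    grep -inE '^[[:space:]]*GSSAPI' "$1" |
        awk -F: '{ split($2, w, " "); print $1 ":" w[1] }'
    return 0
}

# Print "Directive=value" for the two forwarding directives. Like sshd, only
# the first uncommented occurrence counts; when absent, sshd's default is yes.
forwarding_settings() {
    for d in AllowTcpForwarding AllowAgentForwarding; do
        v=$(awk -v d="$d" 'tolower($1) == tolower(d) { print tolower($2); exit }' "$1")
        [ -n "$v" ] || v="unset(default yes)"
        printf '%s=%s\n' "$d" "$v"
    done
}

# Tighten private host keys (ssh_host_*_key, not the .pub files) to 0600,
# which is what the warning block above demands. Prints the number changed.
fix_hostkey_perms() {
    fixed=0
    for k in "$1"/ssh_host_*_key; do
        [ -f "$k" ] || continue
        if [ "$(stat -c %a "$k")" != "600" ]; then
            chmod 600 "$k"
            fixed=$((fixed + 1))
        fi
    done
    echo "$fixed"
}

# Stand-alone use: sh check_sshd.sh /etc/ssh/sshd_config /etc/ssh
if [ "$#" -eq 2 ]; then
    echo "Unsupported directives:"; unsupported_directives "$1"
    echo "Forwarding:";             forwarding_settings "$1"
    echo "Host keys fixed: $(fix_hostkey_perms "$2")"
    /usr/sbin/sshd -t -f "$1" && echo "sshd -t: config OK"
fi
```

Run it before the final sshd -t in the procedure; AllowAgentForwarding is reported alongside AllowTcpForwarding because the former is the directive that actually governs ssh-agent forwarding.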
Original poster | Posted on 2023-8-22 14:02:12
Other articles mention installing this; we did not install it here, because I can log in through the console or by other means.

Run the commands to install telnet

yum install telnet-server  -y
yum install telnet -y
Enable telnet at boot and start it

systemctl enable telnet.socket
systemctl start telnet.socket
Open port 23 on the firewall and connect with telnet <ip>. By default the system does not allow the root user to log in over telnet, so we need to authorize it:

echo 'pts/0' >>/etc/securetty
echo 'pts/1' >>/etc/securetty
If the login does not succeed, run this on the host:

tail /var/log/secure
If what we see is: access denied: tty 'pts/3' is not secure !

then add whichever pts number appears:

echo 'pts/3' >>/etc/securetty
After adding it, be sure to restart telnet

Original poster | Posted on 2023-8-22 16:22:56
When changing the port number in /etc/ssh/sshd_config does not take effect, you can edit the file below instead:

The configuration file that takes effect is /usr/local/openssh/etc/sshd_config. If the /etc/ssh directory has not been changed, editing this file also works:
/usr/local/openssh/etc/sshd_config
Source: 易陆发现技术论坛 (Discuz! X5.0)