易陆发现 Internet Technology Forum

Views: 421 | Replies: 2

Upgrading OpenSSH to 9.3p2 on a Linux system

Posted 2023-8-22 11:17:44

OpenSSH ssh-agent remote code execution vulnerability
CVE-2023-38408: a security finding we received and have to resolve.
       Affected versions: < 1.9.3p2-1 (as the scanner reports it; in upstream terms, every release before 9.3p2)
Remediation given with the finding:
First, upgrade to OpenSSH 9.3p2 or later. Upgrading is essential because that release contains the fix for the vulnerability; make sure every affected system and server is promptly updated to the recommended version or later.
In addition, take preventive measures against exploitation:
On machines where OpenSSH is used only for remote host management, restrict source IPs to an allowlist of trusted addresses through the OpenSSH configuration (sshd_config), the firewall, security-group ACLs and so on. Unless it is needed, disable SSH agent forwarding, and do not enable SSH tunnels on the hosts concerned.
Be clear about what the bug is: it sits in ssh-agent's PKCS#11 support and is triggered by a malicious or compromised server against an agent that has been forwarded to it. The system at risk is therefore the client running ssh-agent, not sshd; what the upgrade fixes on this host is the ssh-agent binary it ships. The setting that protects users is ForwardAgent (default no) in their ssh_config, and not passing -A to hosts they do not trust. The server-side hardening below is still worthwhile, because a host that has agent forwarding switched off cannot be used as the hop from which a forwarded agent is attacked.
To disable agent forwarding on the server side, set in /etc/ssh/sshd_config:
AllowAgentForwarding no
Do not confuse this with AllowTcpForwarding no, which disables TCP port forwarding (a separate, also reasonable hardening) but leaves agent forwarding enabled; PermitTunnel no is the directive for tun devices. Keywords and values are case-insensitive, and the change only takes effect once sshd is reloaded.

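As an added example (not part of the original post, and not OpenSSH code), here is a small sh auditor for the three directives just mentioned. It reads an sshd_config the way sshd does for global scope: keywords are case-insensitive, the first occurrence of a keyword wins, and anything after the first Match line is conditional and therefore ignored. The two sample configs are constructed for the example, the function names effective_value and audit_sshd_config are this example's own, and the Keyword=value spelling that sshd also accepts is not handled.

```shell
#!/bin/sh
# Added example: audit the global forwarding settings of an sshd_config.
# Mirrors how sshd reads the file for global scope: keywords are
# case-insensitive, the first occurrence of a keyword wins, and every line
# after the first "Match" is conditional. Limitation: the "Keyword=value"
# spelling that sshd also accepts is not parsed.

# effective_value FILE KEYWORD DEFAULT
# Prints the global value sshd would use for KEYWORD, lowercased, or DEFAULT
# when the file does not set it.
effective_value() {
    _ev_file=$1
    _ev_key=$2
    _ev_default=$3
    _ev_val=$(awk -v key="$_ev_key" '
        { sub(/#.*/, "") }                              # strip comments
        tolower($1) == "match" { exit }                 # conditional from here on
        tolower($1) == tolower(key) && !found { print tolower($2); found = 1 }
    ' "$_ev_file")
    if [ -n "$_ev_val" ]; then
        printf '%s\n' "$_ev_val"
    else
        printf '%s\n' "$_ev_default"
    fi
}

# audit_sshd_config FILE
# Prints one line per directive whose global value is not the hardened one.
# The exit status is the number of findings, so 0 means "hardened".
audit_sshd_config() {
    _ac_findings=0
    # keyword:sshd-default:hardened-value, defaults per sshd_config(5)
    for _ac_spec in AllowAgentForwarding:yes:no AllowTcpForwarding:yes:no PermitTunnel:no:no; do
        _ac_kw=${_ac_spec%%:*}
        _ac_rest=${_ac_spec#*:}
        _ac_def=${_ac_rest%%:*}
        _ac_want=${_ac_rest#*:}
        _ac_have=$(effective_value "$1" "$_ac_kw" "$_ac_def")
        if [ "$_ac_have" != "$_ac_want" ]; then
            printf '%s: %s is "%s" (want "%s")\n' "$1" "$_ac_kw" "$_ac_have" "$_ac_want"
            _ac_findings=$((_ac_findings + 1))
        fi
    done
    return "$_ac_findings"
}

tmp=$(mktemp -d)

# Constructed sample 1: only "AllowTcpForwarding NO" was added. Agent
# forwarding keeps sshd's default (yes), a tunnel line slipped in, and the
# AllowAgentForwarding inside the Match block is conditional, so it does
# not count as the global value.
cat > "$tmp/weak.conf" <<'EOF'
Port 22
# upper case is fine, sshd compares keywords and values case-insensitively
AllowTcpForwarding NO
PermitTunnel point-to-point
X11Forwarding yes
Match User backup
    AllowAgentForwarding no
EOF

# Constructed sample 2: the hardened form, with the source-IP allowlist
# expressed in sshd_config terms (AllowUsers with a CIDR pattern).
cat > "$tmp/hardened.conf" <<'EOF'
AllowUsers *@10.0.0.0/8
AllowAgentForwarding no
AllowTcpForwarding no
PermitTunnel no
EOF

for f in "$tmp/weak.conf" "$tmp/hardened.conf"; do
    if audit_sshd_config "$f"; then
        echo "$f: hardened"
    fi
done
```

Run it against a real file as audit_sshd_config /etc/ssh/sshd_config; two findings come back for the weak sample (agent forwarding still on, tunnels permitted) and none for the hardened one. Because it returns the number of findings, it drops straight into a compliance check or a pre-reload gate.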
Now let's prepare for the upgrade.
Determine the OpenSSH version on the device:
# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
Back up the existing sshd file under pam.d. It belongs to the openssh-server rpm, so removing that rpm later deletes it, and the sshd we build with --with-pam needs it back:

# cp /etc/pam.d/sshd /etc/pam.d/sshd-bak
# ls /etc/pam.d/sshd*
/etc/pam.d/sshd  /etc/pam.d/sshd-bak
Back up the whole /etc/ssh directory as well, host keys included; they matter later:
# cp -r /etc/ssh/ /etc/ssh-bak

After backing up, check whether telnet is installed. It is only a fallback way in if the new sshd fails to come up and you have no console; telnet is cleartext, so enable it only on a trusted management network and remove it once the upgrade is verified (the follow-up post below covers the setup).
# rpm -q telnet
telnet-0.17-66.el7.x86_64

# rpm -q telnet-server
package telnet-server is not installed
Download the OpenSSH tarball for the upgrade:
https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.3p2.tar.gz
Fetch it with wget into a directory of your choice; we use /tmp here.

https://mirrors.aliyun.com/pub/OpenBSD/OpenSSH/portable/openssh-9.3p2.tar.gz?spm=a2c6h.25603864.0.0.686840adPbA5X7
https://mirror.edgecast.com/pub/OpenBSD/OpenSSH/portable/openssh-9.3p2.tar.gz

Several download locations are available; pick any one. When you build from a mirror rather than cdn.openbsd.org, check what you got: the release directory also carries a detached signature, openssh-9.3p2.tar.gz.asc, which you can verify with gpg against the OpenSSH release key, or at minimum compare the file size and a SHA-256 of the file against the primary site.
# wget  https://mirror.edgecast.com/pub/ ... penssh-9.3p2.tar.gz
--2023-08-22 14:12:08--  https://mirror.edgecast.com/pub/ ... penssh-9.3p2.tar.gz
Resolving mirror.edgecast.com (mirror.edgecast.com)... 152.195.62.22, 2606:2800:10c:1116:239f:3fd5:4bab:a23f
Connecting to mirror.edgecast.com (mirror.edgecast.com)|152.195.62.22|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1835850 (1.8M) [application/octet-stream]
Saving to: ‘openssh-9.3p2.tar.gz’

100%[===========================================>] 1,835,850   1.49MB/s   in 1.2s

2023-08-22 14:12:11 (1.49 MB/s) - ‘openssh-9.3p2.tar.gz’ saved [1835850/1835850]

# ls
openssh-9.3p2.tar.gz
After downloading, extract it:

# tar -zxvf openssh-9.3p2.tar.gz
openssh-9.3p2
openssh-9.3p2/.git_allowed_signers
openssh-9.3p2/.git_allowed_signers.asc
openssh-9.3p2/.github
openssh-9.3p2/.github/ci-status.md
openssh-9.3p2/.github/configs
openssh-9.3p2/.github/configure.sh
openssh-9.3p2/.github/run_test.sh
openssh-9.3p2/.github/setup_ci.sh
openssh-9.3p2/.github/workflows
openssh-9.3p2/.github/workflows/c-cpp.yml
openssh-9.3p2/.github/workflows/cifuzz.yml
openssh-9.3p2/.github/workflows/selfhosted.yml
openssh-9.3p2/.github/workflows/upstream.yml
openssh-9.3p2/.gitignore
openssh-9.3p2/.skipped-commit-ids
openssh-9.3p2/CREDITS
openssh-9.3p2/INSTALL
.........
openssh-9.3p2/aclocal.m4
openssh-9.3p2/.depend
openssh-9.3p2/config.h.in
openssh-9.3p2/configure

# ls
openssh-9.3p2  openssh-9.3p2.tar.gz

Install the packages needed to build. Besides gcc and the zlib, PAM and SELinux headers, make and openssl-devel are required (OpenSSH 9.3p2 links against the system OpenSSL unless it is built with --without-openssl; on this host they happened to be present already):
yum install -y gcc make zlib-devel openssl-devel pam-devel libselinux-devel

Configure, either by invoking the script with its full path:
/tmp/openssh-9.3p2/configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-md5-passwords --with-ssl-dir=/usr/ssl

or from inside the source directory:
# ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-md5-passwords --with-ssl-dir=/usr/ssl
configure: WARNING: unrecognized options: --with-md5-passwords
checking for cc... cc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether the compiler supports GNU C... yes
checking whether cc accepts -g... yes
checking for cc option to enable C11 features... -std=gnu11
checking if cc -std=gnu11 supports C99-style variadic macros... yes
checking build system type... x86_64-pc-linux-gnu
checking host system type... x86_64-pc-linux-gnu
checking for stdio.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for strings.h... yes
checking for sys/stat.h... yes
checking for sys/types.h... yes
checking for unistd.h... yes
checking whether byte ordering is bigendian... no
checking for gawk... gawk
checking how to run the C preprocessor... cc -std=gnu11 -E
checking for ranlib... ranlib
checking for a BSD-compatible install... /bin/install -c
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking for a race-free mkdir -p... /bin/mkdir -p

PAM is enabled. You may need to install a PAM control file
for sshd, otherwise password authentication may fail.
Example PAM control files can be found in the contrib/
subdirectory

About these options: --prefix=/usr and --sysconfdir=/etc/ssh put the binaries and configuration where the CentOS rpm had them, so the existing sshd_config and service paths keep working. --with-md5-passwords no longer exists in this release, hence the harmless warning; drop it. --with-ssl-dir=/usr/ssl points at a directory a stock CentOS 7 does not have; the build picks up the system OpenSSL from the default include and library paths anyway (the -I/usr/ssl in the make output below does nothing), so omit it unless you really have a private OpenSSL there. Two things missing here will show up at install time: --with-kerberos5 (needs krb5-devel; without it the GSSAPI lines in the stock sshd_config are reported as unsupported) and the PAM control file the summary above mentions, which is why /etc/pam.d/sshd was backed up.

Compile:
[root@localhost openssh-9.3p2]# make
........
otector-strong -fPIE   -I. -I. -I/usr/ssl  -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -D_GNU_SOURCE -DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_SK_HELPER=\"/usr/libexec/ssh-sk-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c ssh-sk.c -o ssh-sk.o
cc -std=gnu11 -g -O2 -pipe -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE   -I. -I. -I/usr/ssl  -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -D_GNU_SOURCE -DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_SK_HELPER=\"/usr/libexec/ssh-sk-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c sk-usbhid.c -o sk-usbhid.o
cc -std=gnu11 -o ssh-sk-helper ssh-sk-helper.o ssh-sk.o sk-usbhid.o -L. -Lopenbsd-compat/ -L/usr/ssl  -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -pie  -lssh -lopenbsd-compat -lssh -lopenbsd-compat -ldl -lutil  -lresolv  -lcrypto  -lz

Install:
[root@jms_server_01 openssh-9.3p2]# make install
(cd openbsd-compat && make)
make[1]: Entering directory `/tmp/openssh-9.3p2/openbsd-compat'
make[1]: Nothing to be done for `all'.
make[1]: Leaving directory `/tmp/openssh-9.3p2/openbsd-compat'
/bin/mkdir -p /usr/bin
/bin/mkdir -p /usr/sbin
/bin/mkdir -p /usr/share/man/man1
/bin/mkdir -p /usr/share/man/man5
/bin/mkdir -p /usr/share/man/man8
/bin/mkdir -p /usr/libexec
/bin/mkdir -p -m 0755 /var/empty
/bin/install -c -m 0755 -s ssh /usr/bin/ssh
/bin/install -c -m 0755 -s scp /usr/bin/scp
/bin/install -c -m 0755 -s ssh-add /usr/bin/ssh-add
/bin/install -c -m 0755 -s ssh-agent /usr/bin/ssh-agent
/bin/install -c -m 0755 -s ssh-keygen /usr/bin/ssh-keygen
/bin/install -c -m 0755 -s ssh-keyscan /usr/bin/ssh-keyscan
/bin/install -c -m 0755 -s sshd /usr/sbin/sshd
/bin/install -c -m 4711 -s ssh-keysign /usr/libexec/ssh-keysign
/bin/install -c -m 0755 -s ssh-pkcs11-helper /usr/libexec/ssh-pkcs11-helper
/bin/install -c -m 0755 -s ssh-sk-helper /usr/libexec/ssh-sk-helper
/bin/install -c -m 0755 -s sftp /usr/bin/sftp
/bin/install -c -m 0755 -s sftp-server /usr/libexec/sftp-server
/bin/install -c -m 644 ssh.1.out /usr/share/man/man1/ssh.1
/bin/install -c -m 644 scp.1.out /usr/share/man/man1/scp.1
/bin/install -c -m 644 ssh-add.1.out /usr/share/man/man1/ssh-add.1
/bin/install -c -m 644 ssh-agent.1.out /usr/share/man/man1/ssh-agent.1
/bin/install -c -m 644 ssh-keygen.1.out /usr/share/man/man1/ssh-keygen.1
/bin/install -c -m 644 ssh-keyscan.1.out /usr/share/man/man1/ssh-keyscan.1
/bin/install -c -m 644 moduli.5.out /usr/share/man/man5/moduli.5
/bin/install -c -m 644 sshd_config.5.out /usr/share/man/man5/sshd_config.5
/bin/install -c -m 644 ssh_config.5.out /usr/share/man/man5/ssh_config.5
/bin/install -c -m 644 sshd.8.out /usr/share/man/man8/sshd.8
/bin/install -c -m 644 sftp.1.out /usr/share/man/man1/sftp.1
/bin/install -c -m 644 sftp-server.8.out /usr/share/man/man8/sftp-server.8
/bin/install -c -m 644 ssh-keysign.8.out /usr/share/man/man8/ssh-keysign.8
/bin/install -c -m 644 ssh-pkcs11-helper.8.out /usr/share/man/man8/ssh-pkcs11-helper.8
/bin/install -c -m 644 ssh-sk-helper.8.out /usr/share/man/man8/ssh-sk-helper.8
/bin/mkdir -p /etc/ssh
/etc/ssh/ssh_config already exists, install will not overwrite
/etc/ssh/sshd_config already exists, install will not overwrite
/etc/ssh/moduli already exists, install will not overwrite
/usr/sbin/sshd -t -f /etc/ssh/sshd_config
/etc/ssh/sshd_config line 79: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 80: Unsupported option GSSAPICleanupCredentials
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_rsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Unable to load host key "/etc/ssh/ssh_host_rsa_key": bad permissions
Unable to load host key: /etc/ssh/ssh_host_rsa_key
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_ecdsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Unable to load host key "/etc/ssh/ssh_host_ecdsa_key": bad permissions
Unable to load host key: /etc/ssh/ssh_host_ecdsa_key
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_ed25519_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Unable to load host key "/etc/ssh/ssh_host_ed25519_key": bad permissions
Unable to load host key: /etc/ssh/ssh_host_ed25519_key
sshd: no hostkeys available -- exiting.
make: [check-config] Error 1 (ignored)

The files were installed; the "(ignored)" error comes from the check-config target, which runs the new sshd -t against the existing configuration, and it points at two real issues:
1. "Unsupported option GSSAPIAuthentication / GSSAPICleanupCredentials": the CentOS sshd_config enables GSSAPI, but this build was configured without --with-kerberos5. sshd only logs these and carries on, so they are warnings; to make them go away either install krb5-devel and reconfigure with --with-kerberos5, or comment the two lines out.
2. "Permissions 0640 ... are too open": the CentOS rpm keeps the host keys as root:ssh_keys 0640, but upstream sshd insists that a private key is readable by its owner only and ignores every key that fails the check, which is why it ends with "no hostkeys available". Set each /etc/ssh/ssh_host_*_key to mode 0600, owned by root, before starting the new daemon. This is the error that actually stops sshd from starting.
Also note from the output that the binaries are installed stripped (-s) and ssh-keysign is installed set-uid root (mode 4711); it is only used for HostbasedAuthentication, so the set-uid bit can be removed if you do not use that.

Remove the old version. Do this from a session you keep open, or from the console: removing openssh-server stops the sshd listener, and on CentOS 7 existing sessions survive only because sshd.service uses KillMode=process, while nothing new can log in until the new sshd is up. Removing the rpms also deletes the files the first make install just placed in /usr/bin, /usr/sbin and /usr/libexec (the paths overlap), as well as /etc/pam.d/sshd and the sshd.service unit, which is why the build is installed a second time below.

rpm -e --nodeps `rpm -qa | grep openssh`

Delete the ssh directory:
rm -rf /etc/ssh

Be aware of what this costs: it removes the host keys, so the next make install generates fresh ones and every client that has connected before will see a "REMOTE HOST IDENTIFICATION HAS CHANGED" warning on its next login. If you want to keep the host identity, skip this step (the old key files only need their mode changed to 0600), or restore the ssh_host_* files from /etc/ssh-bak afterwards with mode 0600.

##Install dependencies (same list as above; harmless to repeat):
yum install -y gcc make zlib-devel openssl-devel pam-devel libselinux-devel

Build and install again, from inside /tmp/openssh-9.3p2:
make && make install

Copy the init script so the service can be started and stopped (the rpm's sshd.service unit is gone; on CentOS 7 systemd generates a unit from this SysV script, run systemctl daemon-reload if it has not picked it up yet):
\cp -rp /tmp/openssh-9.3p2/contrib/redhat/sshd.init /etc/init.d/sshd

Enable the sshd service at boot:
#chkconfig sshd on
systemctl enable sshd

Restore the backed-up files:

cp -pf  /etc/ssh-bak/sshd_config /etc/ssh/sshd_config

\cp -pf /etc/pam.d/sshd-bak /etc/pam.d/sshd

Before testing, check two things in the restored sshd_config that sshd -t will not catch or only warns about: the Subsystem sftp line points at the rpm's /usr/libexec/openssh/sftp-server, while this build installs /usr/libexec/sftp-server, so update the path or SFTP logins will fail; and the two GSSAPI* lines reported earlier can be commented out if you did not rebuild with --with-kerberos5. This restored file is also the one to put the forwarding restrictions from the top of the post into, since it is what sshd reads.

#check file
/usr/sbin/sshd -t -f /etc/ssh/sshd_config

#start sshd service

systemctl start sshd.service

Do not close the session you did this from yet: confirm that ssh -V now reports OpenSSH_9.3p2, then open a brand-new SSH login from a second terminal. Only when that works is the upgrade done.

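Before closing the session you upgraded from, two checks are worth scripting: that the ssh -V string on PATH is now 9.3p2 or newer, and that no ssh_host_*_key is still at the 0640 mode the install log above rejected. The following is an added sh example, not code from the post or from OpenSSH; ssh_version_ok, insecure_host_keys and fix_host_key_perms are names chosen here, and the key files it checks are empty placeholders created in a temporary directory. On a real host you would call ssh_version_ok "$(ssh -V 2>&1)" and, as root, fix_host_key_perms /etc/ssh.

```shell
#!/bin/sh
# Added example: post-upgrade checks for the two things that bit the install
# above, a stale ssh on PATH and host keys at 0640. Function names are this
# example's own; the "host keys" below are empty placeholder files.

# ssh_version_ok "STRING" [MAJOR MINOR PATCH]
# Parses the OpenSSH_X.YpZ token at the start of an `ssh -V` line and returns
# 0 when it is at least MAJOR.MINORpPATCH (default 9.3p2), 1 otherwise.
# An unparseable string counts as "not upgraded".
ssh_version_ok() {
    _req_major=${2:-9}
    _req_minor=${3:-3}
    _req_patch=${4:-2}
    _ver=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\)p\([0-9][0-9]*\).*/\1 \2 \3/p')
    [ -n "$_ver" ] || return 1
    set -- $_ver                      # $1 $2 $3 are now major minor patch
    [ "$1" -gt "$_req_major" ] && return 0
    [ "$1" -lt "$_req_major" ] && return 1
    [ "$2" -gt "$_req_minor" ] && return 0
    [ "$2" -lt "$_req_minor" ] && return 1
    [ "$3" -ge "$_req_patch" ] && return 0
    return 1
}

# insecure_host_keys DIR
# Lists private host keys in DIR that group or other can read or write.
# sshd ignores such keys (the "UNPROTECTED PRIVATE KEY FILE" block above).
insecure_host_keys() {
    find "$1" -maxdepth 1 -type f -name 'ssh_host_*_key' \
        \( -perm -040 -o -perm -020 -o -perm -004 -o -perm -002 \)
}

# fix_host_key_perms DIR
# Tightens every offending key to 0600. On a real /etc/ssh the files must
# also be owned by root; the placeholders here already are owned by us.
fix_host_key_perms() {
    insecure_host_keys "$1" | while IFS= read -r _k; do
        chmod 600 "$_k"
        echo "fixed: $_k"
    done
}

tmp=$(mktemp -d)

# Constructed sample: a CentOS 7 style key set, two keys left at 0640 by the
# rpm and one already at 0600; .pub files are public and stay world-readable.
for _t in rsa ecdsa ed25519; do
    : > "$tmp/ssh_host_${_t}_key"
    : > "$tmp/ssh_host_${_t}_key.pub"
    chmod 644 "$tmp/ssh_host_${_t}_key.pub"
done
chmod 640 "$tmp/ssh_host_rsa_key" "$tmp/ssh_host_ecdsa_key"
chmod 600 "$tmp/ssh_host_ed25519_key"

# The two banners seen in this post: before and after the upgrade.
for _v in "OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017" \
          "OpenSSH_9.3p2, OpenSSL 1.0.2k-fips  26 Jan 2017"; do
    if ssh_version_ok "$_v"; then echo "ok:  $_v"; else echo "OLD: $_v"; fi
done
echo "keys sshd would ignore:"
insecure_host_keys "$tmp"
fix_host_key_perms "$tmp"
```

The version check compares major, minor and portable patch level numerically rather than as strings, so 9.10p1 sorts after 9.3p2 and an unexpected banner (for example when the old rpm's ssh is still first on PATH) fails closed. The permission check uses the same rule sshd applies: any group or other bit on a private key disqualifies it.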
Original poster, posted 2023-8-22 14:02:12
Other articles say to install this; we did not install it here, because I can log in via the console or by other means.

Run these commands to install telnet:

yum install telnet-server  -y
yum install telnet -y

Enable telnet at boot and start it:

systemctl enable telnet.socket
systemctl start telnet.socket

Open port 23 on the firewall and connect with telnet ip to log in. By default the system does not allow the root user to log in via telnet, so we need to authorize it:

echo 'pts/0' >>/etc/securetty
echo 'pts/1' >>/etc/securetty

If the login does not work, run on the host:

tail /var/log/secure

If what we see is: access denied: tty 'pts/3' is not secure !

then add whichever pts number we see:

echo 'pts/3' >>/etc/securetty

After adding it, be sure to restart telnet.
Original poster, posted 2023-8-22 16:22:56
If changing the port number in /etc/ssh/sshd_config does not take effect, you can modify the file below:

The configuration file that takes effect is /usr/local/openssh/etc/sshd_config. If you do not change the /etc/ssh directory, modifying this file also works:
/usr/local/openssh/etc/sshd_config