Upgrading the OpenSSH version on a Linux system to 9.3p2

Posted on 2023-8-22 11:17:44

OpenSSH ssh-agent remote code execution vulnerability
CVE-2023-38408. A security vulnerability finding was received and needs to be resolved.
Affected versions: < 9.3p2
Remediation given in the vulnerability advisory:
First, upgrade to OpenSSH 9.3p2 or later: upgrading to the latest OpenSSH release is essential, because it contains the key patch that mitigates the vulnerability. Make sure all relevant systems and servers are promptly updated to the recommended version or later.
In addition, take preventive measures to avoid exploitation:
On machines where OpenSSH is used only for remote host administration, restrict source IPs to an allowlist of trusted addresses through the OpenSSH configuration (sshd_config), the firewall, security-group ACLs and so on; also, unless required, disable SSH agent forwarding and do not enable SSH tunnelling on the hosts concerned.
To disable SSH agent forwarding:
Configure /etc/ssh/sshd_config
AllowTcpForwarding NO


Now let's start preparing the upgrade:
Determine the device's OpenSSH version:
# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
Back up the existing sshd file under pam.d:

# cp /etc/pam.d/sshd /etc/pam.d/sshd-bak
# ls /etc/pam.d/sshd*
/etc/pam.d/sshd  /etc/pam.d/sshd-bak
# cp -r /etc/ssh/ /etc/ssh-bak


After the backups are done, check whether telnet is installed:
# rpm -q telnet
telnet-0.17-66.el7.x86_64

# rpm -q telnet-server
package telnet-server is not installed
Download the openssh package for the upgrade:
https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.3p2.tar.gz
wget https://cdn.openbsd.org/pub/Open ... penssh-9.3p2.tar.gz into the directory of your choice. Here we use /tmp.
https://mirrors.aliyun.com/pub/OpenBSD/OpenSSH/portable/openssh-9.3p2.tar.gz?spm=a2c6h.25603864.0.0.686840adPbA5X7
https://mirror.edgecast.com/pub/OpenBSD/OpenSSH/portable/openssh-9.3p2.tar.gz

Several addresses to download from:
We only need to pick one:
# wget  https://mirror.edgecast.com/pub/ ... penssh-9.3p2.tar.gz
--2023-08-22 14:12:08--  https://mirror.edgecast.com/pub/ ... penssh-9.3p2.tar.gz
Resolving mirror.edgecast.com (mirror.edgecast.com)... 152.195.62.22, 2606:2800:10c:1116:239f:3fd5:4bab:a23f
Connecting to mirror.edgecast.com (mirror.edgecast.com)|152.195.62.22|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1835850 (1.8M) [application/octet-stream]
Saving to: ‘openssh-9.3p2.tar.gz’

100%[=======================================================================================================================================================================================================>] 1,835,850   1.49MB/s   in 1.2s   

2023-08-22 14:12:11 (1.49 MB/s) - ‘openssh-9.3p2.tar.gz’ saved [1835850/1835850]

# ls
openssh-9.3p2.tar.gz
After downloading, extract it:

# tar -zxvf openssh-9.3p2.tar.gz
openssh-9.3p2
openssh-9.3p2/.git_allowed_signers
openssh-9.3p2/.git_allowed_signers.asc
openssh-9.3p2/.github
openssh-9.3p2/.github/ci-status.md
openssh-9.3p2/.github/configs
openssh-9.3p2/.github/configure.sh
openssh-9.3p2/.github/run_test.sh
openssh-9.3p2/.github/setup_ci.sh
openssh-9.3p2/.github/workflows
openssh-9.3p2/.github/workflows/c-cpp.yml
openssh-9.3p2/.github/workflows/cifuzz.yml
openssh-9.3p2/.github/workflows/selfhosted.yml
openssh-9.3p2/.github/workflows/upstream.yml
openssh-9.3p2/.gitignore
openssh-9.3p2/.skipped-commit-ids
openssh-9.3p2/CREDITS
openssh-9.3p2/INSTALL
.........
openssh-9.3p2/aclocal.m4
openssh-9.3p2/.depend
openssh-9.3p2/config.h.in
openssh-9.3p2/configure

# ls
openssh-9.3p2  openssh-9.3p2.tar.gz
Install the required packages:
yum install -y gcc zlib-devel pam-devel libselinux-devel zlib-devel
Build using the full path:
/tmp/openssh-9.3p2/configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-md5-passwords --with-ssl-dir=/usr/ssl

Build using the absolute path:
# ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-md5-passwords --with-ssl-dir=/usr/ssl
configure: WARNING: unrecognized options: --with-md5-passwords
checking for cc... cc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables... 
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether the compiler supports GNU C... yes
checking whether cc accepts -g... yes
checking for cc option to enable C11 features... -std=gnu11
checking if cc -std=gnu11 supports C99-style variadic macros... yes
checking build system type... x86_64-pc-linux-gnu
checking host system type... x86_64-pc-linux-gnu
checking for stdio.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for strings.h... yes
checking for sys/stat.h... yes
checking for sys/types.h... yes
checking for unistd.h... yes
checking whether byte ordering is bigendian... no
checking for gawk... gawk
checking how to run the C preprocessor... cc -std=gnu11 -E
checking for ranlib... ranlib
checking for a BSD-compatible install... /bin/install -c
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking for a race-free mkdir -p... /bin/mkdir -p

PAM is enabled. You may need to install a PAM control file
for sshd, otherwise password authentication may fail.
Example PAM control files can be found in the contrib/
subdirectory

Build:
[root@localhost openssh-9.3p2]# make
........
otector-strong -fPIE   -I. -I. -I/usr/ssl  -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -D_GNU_SOURCE -DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_SK_HELPER=\"/usr/libexec/ssh-sk-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c ssh-sk.c -o ssh-sk.o
cc -std=gnu11 -g -O2 -pipe -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE   -I. -I. -I/usr/ssl  -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -D_GNU_SOURCE -DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_SK_HELPER=\"/usr/libexec/ssh-sk-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c sk-usbhid.c -o sk-usbhid.o
cc -std=gnu11 -o ssh-sk-helper ssh-sk-helper.o ssh-sk.o sk-usbhid.o -L. -Lopenbsd-compat/ -L/usr/ssl  -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -pie  -lssh -lopenbsd-compat -lssh -lopenbsd-compat -ldl -lutil  -lresolv  -lcrypto  -lz
Install (make install):
[root@jms_server_01 openssh-9.3p2]# make install
(cd openbsd-compat && make)
make[1]: Entering directory `/tmp/openssh-9.3p2/openbsd-compat'
make[1]: Nothing to be done for `all'.
make[1]: Leaving directory `/tmp/openssh-9.3p2/openbsd-compat'
/bin/mkdir -p /usr/bin
/bin/mkdir -p /usr/sbin
/bin/mkdir -p /usr/share/man/man1
/bin/mkdir -p /usr/share/man/man5
/bin/mkdir -p /usr/share/man/man8
/bin/mkdir -p /usr/libexec
/bin/mkdir -p -m 0755 /var/empty
/bin/install -c -m 0755 -s ssh /usr/bin/ssh
/bin/install -c -m 0755 -s scp /usr/bin/scp
/bin/install -c -m 0755 -s ssh-add /usr/bin/ssh-add
/bin/install -c -m 0755 -s ssh-agent /usr/bin/ssh-agent
/bin/install -c -m 0755 -s ssh-keygen /usr/bin/ssh-keygen
/bin/install -c -m 0755 -s ssh-keyscan /usr/bin/ssh-keyscan
/bin/install -c -m 0755 -s sshd /usr/sbin/sshd
/bin/install -c -m 4711 -s ssh-keysign /usr/libexec/ssh-keysign
/bin/install -c -m 0755 -s ssh-pkcs11-helper /usr/libexec/ssh-pkcs11-helper
/bin/install -c -m 0755 -s ssh-sk-helper /usr/libexec/ssh-sk-helper
/bin/install -c -m 0755 -s sftp /usr/bin/sftp
/bin/install -c -m 0755 -s sftp-server /usr/libexec/sftp-server
/bin/install -c -m 644 ssh.1.out /usr/share/man/man1/ssh.1
/bin/install -c -m 644 scp.1.out /usr/share/man/man1/scp.1
/bin/install -c -m 644 ssh-add.1.out /usr/share/man/man1/ssh-add.1
/bin/install -c -m 644 ssh-agent.1.out /usr/share/man/man1/ssh-agent.1
/bin/install -c -m 644 ssh-keygen.1.out /usr/share/man/man1/ssh-keygen.1
/bin/install -c -m 644 ssh-keyscan.1.out /usr/share/man/man1/ssh-keyscan.1
/bin/install -c -m 644 moduli.5.out /usr/share/man/man5/moduli.5
/bin/install -c -m 644 sshd_config.5.out /usr/share/man/man5/sshd_config.5
/bin/install -c -m 644 ssh_config.5.out /usr/share/man/man5/ssh_config.5
/bin/install -c -m 644 sshd.8.out /usr/share/man/man8/sshd.8
/bin/install -c -m 644 sftp.1.out /usr/share/man/man1/sftp.1
/bin/install -c -m 644 sftp-server.8.out /usr/share/man/man8/sftp-server.8
/bin/install -c -m 644 ssh-keysign.8.out /usr/share/man/man8/ssh-keysign.8
/bin/install -c -m 644 ssh-pkcs11-helper.8.out /usr/share/man/man8/ssh-pkcs11-helper.8
/bin/install -c -m 644 ssh-sk-helper.8.out /usr/share/man/man8/ssh-sk-helper.8
/bin/mkdir -p /etc/ssh
/etc/ssh/ssh_config already exists, install will not overwrite
/etc/ssh/sshd_config already exists, install will not overwrite
/etc/ssh/moduli already exists, install will not overwrite
/usr/sbin/sshd -t -f /etc/ssh/sshd_config
/etc/ssh/sshd_config line 79: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 80: Unsupported option GSSAPICleanupCredentials
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_rsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Unable to load host key "/etc/ssh/ssh_host_rsa_key": bad permissions
Unable to load host key: /etc/ssh/ssh_host_rsa_key
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_ecdsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Unable to load host key "/etc/ssh/ssh_host_ecdsa_key": bad permissions
Unable to load host key: /etc/ssh/ssh_host_ecdsa_key
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_ed25519_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Unable to load host key "/etc/ssh/ssh_host_ed25519_key": bad permissions
Unable to load host key: /etc/ssh/ssh_host_ed25519_key
sshd: no hostkeys available -- exiting.
make: [check-config] Error 1 (ignored)

Uninstall the old version:

rpm -e --nodeps `rpm -qa | grep openssh`

Delete the ssh folder:
rm -rf /etc/ssh

## Install the dependency packages:
yum install -y gcc zlib-devel pam-devel libselinux-devel zlib-devel

make && make install

Copy the startup file into init.d so the service can be started and stopped:
\cp -rp /tmp/openssh-9.3p2/contrib/redhat/sshd.init /etc/init.d/sshd

Enable the sshd service at boot:
#chkconfig sshd on
systemctl enable sshd

Restore the earlier backup files:

cp -pf  /etc/ssh-bak/sshd_config /etc/ssh/sshd_config

\cp -pf /etc/pam.d/sshd-bak /etc/pam.d/sshd

#check file
/usr/sbin/sshd -t -f /etc/ssh/sshd_config

#start sshd service

systemctl start sshd.service
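The procedure above leaves three things to verify by hand: the installed version against the 9.3p2 threshold, the sshd_config hardening the advisory asks for, and host key permissions (the make install output shows sshd ignoring 0640 keys). The script below is an added example, not the poster's own commands; it assumes a POSIX sh with awk, stat and mktemp, and the demo at the bottom touches only constructed temporary files.

```shell
#!/bin/sh
# Added example, not the poster's commands: checks for the 9.3p2 upgrade above.
# Assumes POSIX sh with awk, stat and mktemp; it only touches constructed temp files.

# Turn a `ssh -V` banner such as "OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017"
# into one comparable integer: major*10000 + minor*100 + portable patch level.
openssh_version_num() {
    printf '%s\n' "$1" | awk '
        match($0, /OpenSSH_[0-9]+\.[0-9]+(p[0-9]+)?/) {
            split(substr($0, RSTART + 8, RLENGTH - 8), a, /[.p]/)
            printf "%d\n", a[1] * 10000 + a[2] * 100 + a[3]   # a[3] is 0 if no "pN"
            exit
        }'
}

# True only if the banner is 9.3p2 or newer, the fixed release named in the advisory.
openssh_is_fixed() {
    n=$(openssh_version_num "$1")
    [ -n "$n" ] && [ "$n" -ge 90302 ]
}

# Effective value of a plain "Keyword value" line in sshd_config: first match wins
# (as in sshd), keyword is case-insensitive, comments and blank lines are skipped.
# Match blocks and "Keyword=value" syntax are not handled (assumption of this example).
sshd_option() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        tolower($1) == tolower(key) { print tolower($2); exit }' "$1"
}

# Private host keys must be 0600 (or 0400): the make install output above shows sshd
# ignoring 0640 keys with "UNPROTECTED PRIVATE KEY FILE". Returns 1 if any are too open.
host_keys_ok() {
    rc=0
    for k in "$1"/ssh_host_*_key; do
        [ -f "$k" ] || continue
        mode=$(stat -c %a "$k" 2>/dev/null || stat -f %Lp "$k")
        case "$mode" in 600|400) ;; *) echo "$k: mode $mode, expected 0600"; rc=1 ;; esac
    done
    return $rc
}

# Demo on constructed data: a sample sshd_config and two empty stand-in key files.
demo=$(mktemp -d)
printf 'Port 22\nAllowTcpForwarding NO\nAllowAgentForwarding yes\n' > "$demo/sshd_config"
touch "$demo/ssh_host_rsa_key" "$demo/ssh_host_ed25519_key"
chmod 640 "$demo/ssh_host_rsa_key"; chmod 600 "$demo/ssh_host_ed25519_key"

openssh_is_fixed 'OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017' || echo "7.4p1: upgrade needed"
# The post sets AllowTcpForwarding; AllowAgentForwarding is the keyword for agent forwarding.
for opt in AllowTcpForwarding AllowAgentForwarding; do
    echo "$opt = $(sshd_option "$demo/sshd_config" "$opt")"
done
host_keys_ok "$demo" || echo "fix with: chmod 600 /etc/ssh/ssh_host_*_key"
# On a real host, check the installed client the same way (ssh -V prints to stderr):
command -v ssh >/dev/null && { openssh_is_fixed "$(ssh -V 2>&1)" || echo "installed ssh is older than 9.3p2"; }
```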
Original poster | Posted on 2023-8-22 14:02:12
Other articles mention installing this; we did not install it here, because I can log in through the console or by other means.

Run the commands to install telnet:

yum install telnet-server  -y
yum install telnet -y
Enable telnet at boot and start it:

systemctl enable telnet.socket
systemctl start telnet.socket
Open port 23 on the firewall and connect with telnet ip. By default the system does not allow the root user to log in via telnet, so we need to authorize it:

echo 'pts/0' >>/etc/securetty
echo 'pts/1' >>/etc/securetty
When the login does not work, run this on the host:

tail /var/log/secure
If what we see is: access denied: tty 'pts/3' is not secure !

then add whichever pts number is shown:

echo 'pts/3' >>/etc/securetty
After adding it, be sure to restart telnet.

Original poster | Posted on 2023-8-22 16:22:56
When changing the port number in /etc/ssh/sshd_config does not take effect, you can modify the file below:

The config file that actually takes effect is /usr/local/openssh/etc/sshd_config. If the /etc/ssh directory is not changed, modifying this file also works:
/usr/local/openssh/etc/sshd_config