Upgrading OpenSSH to 9.3p2 on Linux

Posted 2023-8-22 11:17:44
OpenSSH ssh-agent remote code execution vulnerability
CVE-2023-38408: we received a security vulnerability finding that needs to be resolved.
Affected versions: <1.9.3p2-1
Remediation given in the vulnerability report:
First, upgrade to OpenSSH 9.3p2 or later: upgrading to the latest OpenSSH release is essential because it contains the key patch that mitigates the vulnerability. Make sure all affected systems and servers are promptly updated to the recommended version or later.
In addition, take preventive measures to avoid exploitation:
On machines where OpenSSH is used only for remote host administration, restrict the source IPs allowed to connect to a whitelist of trusted addresses through the OpenSSH configuration (sshd_config), the firewall, security-group ACLs and so on; at the same time, unless it is necessary, disable SSH agent forwarding and do not enable SSH tunnels on the hosts concerned.
The way to disable SSH agent forwarding is:
Edit /etc/ssh/sshd_config:
AllowTcpForwarding NO

Next we start preparing for the upgrade:
Check the OpenSSH version on the machine:
# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
Back up the existing sshd file under pam.d:

# cp /etc/pam.d/sshd /etc/pam.d/sshd-bak
# ls /etc/pam.d/sshd*
/etc/pam.d/sshd  /etc/pam.d/sshd-bak
# cp -r /etc/ssh/ /etc/ssh-bak

After backing up the files, check whether telnet is installed:
# rpm -q telnet
telnet-0.17-66.el7.x86_64

# rpm -q telnet-server
package telnet-server is not installed
Download the OpenSSH package for the upgrade:
https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.3p2.tar.gz
wget https://cdn.openbsd.org/pub/Open ... penssh-9.3p2.tar.gz into the chosen directory; here we use /tmp.

https://mirrors.aliyun.com/pub/OpenBSD/OpenSSH/portable/openssh-9.3p2.tar.gz?spm=a2c6h.25603864.0.0.686840adPbA5X7
https://mirror.edgecast.com/pub/OpenBSD/OpenSSH/portable/openssh-9.3p2.tar.gz

Several download mirrors are available; we only need to pick one:
# wget https://mirror.edgecast.com/pub/ ... penssh-9.3p2.tar.gz
--2023-08-22 14:12:08--  https://mirror.edgecast.com/pub/ ... penssh-9.3p2.tar.gz
Resolving mirror.edgecast.com (mirror.edgecast.com)... 152.195.62.22, 2606:2800:10c:1116:239f:3fd5:4bab:a23f
Connecting to mirror.edgecast.com (mirror.edgecast.com)|152.195.62.22|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1835850 (1.8M) [application/octet-stream]
Saving to: ‘openssh-9.3p2.tar.gz’

100%[=======================================================================================================================================================================================================>] 1,835,850   1.49MB/s   in 1.2s

2023-08-22 14:12:11 (1.49 MB/s) - ‘openssh-9.3p2.tar.gz’ saved [1835850/1835850]

# ls
openssh-9.3p2.tar.gz
After downloading, extract it:

# tar -zxvf openssh-9.3p2.tar.gz
openssh-9.3p2/
openssh-9.3p2/.git_allowed_signers
openssh-9.3p2/.git_allowed_signers.asc
openssh-9.3p2/.github
openssh-9.3p2/.github/ci-status.md
openssh-9.3p2/.github/configs
openssh-9.3p2/.github/configure.sh
openssh-9.3p2/.github/run_test.sh
openssh-9.3p2/.github/setup_ci.sh
openssh-9.3p2/.github/workflows
openssh-9.3p2/.github/workflows/c-cpp.yml
openssh-9.3p2/.github/workflows/cifuzz.yml
openssh-9.3p2/.github/workflows/selfhosted.yml
openssh-9.3p2/.github/workflows/upstream.yml
openssh-9.3p2/.gitignore
openssh-9.3p2/.skipped-commit-ids
openssh-9.3p2/CREDITS
openssh-9.3p2/INSTALL
.........
openssh-9.3p2/aclocal.m4
openssh-9.3p2/.depend
openssh-9.3p2/config.h.in
openssh-9.3p2/configure

# ls
openssh-9.3p2  openssh-9.3p2.tar.gz

Install the required packages:
yum install -y gcc zlib-devel pam-devel libselinux-devel zlib-devel
Configure using the full path:
/tmp/openssh-9.3p2/configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-md5-passwords --with-ssl-dir=/usr/ssl

Configure using the absolute path:
# ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-md5-passwords --with-ssl-dir=/usr/ssl
configure: WARNING: unrecognized options: --with-md5-passwords
checking for cc... cc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether the compiler supports GNU C... yes
checking whether cc accepts -g... yes
checking for cc option to enable C11 features... -std=gnu11
checking if cc -std=gnu11 supports C99-style variadic macros... yes
checking build system type... x86_64-pc-linux-gnu
checking host system type... x86_64-pc-linux-gnu
checking for stdio.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for strings.h... yes
checking for sys/stat.h... yes
checking for sys/types.h... yes
checking for unistd.h... yes
checking whether byte ordering is bigendian... no
checking for gawk... gawk
checking how to run the C preprocessor... cc -std=gnu11 -E
checking for ranlib... ranlib
checking for a BSD-compatible install... /bin/install -c
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking for a race-free mkdir -p... /bin/mkdir -p

PAM is enabled. You may need to install a PAM control file
for sshd, otherwise password authentication may fail.
Example PAM control files can be found in the contrib/
subdirectory

Compile:
[root@localhost openssh-9.3p2]# make
.........
otector-strong -fPIE   -I. -I. -I/usr/ssl  -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -D_GNU_SOURCE -DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_SK_HELPER=\"/usr/libexec/ssh-sk-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c ssh-sk.c -o ssh-sk.o
cc -std=gnu11 -g -O2 -pipe -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE   -I. -I. -I/usr/ssl  -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -D_GNU_SOURCE -DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_SK_HELPER=\"/usr/libexec/ssh-sk-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c sk-usbhid.c -o sk-usbhid.o
cc -std=gnu11 -o ssh-sk-helper ssh-sk-helper.o ssh-sk.o sk-usbhid.o -L. -Lopenbsd-compat/ -L/usr/ssl  -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -pie  -lssh -lopenbsd-compat -lssh -lopenbsd-compat -ldl -lutil  -lresolv  -lcrypto  -lz

Install:
[root@jms_server_01 openssh-9.3p2]# make install
(cd openbsd-compat && make)
make[1]: Entering directory `/tmp/openssh-9.3p2/openbsd-compat'
make[1]: Nothing to be done for `all'.
make[1]: Leaving directory `/tmp/openssh-9.3p2/openbsd-compat'
/bin/mkdir -p /usr/bin
/bin/mkdir -p /usr/sbin
/bin/mkdir -p /usr/share/man/man1
/bin/mkdir -p /usr/share/man/man5
/bin/mkdir -p /usr/share/man/man8
/bin/mkdir -p /usr/libexec
/bin/mkdir -p -m 0755 /var/empty
/bin/install -c -m 0755 -s ssh /usr/bin/ssh
/bin/install -c -m 0755 -s scp /usr/bin/scp
/bin/install -c -m 0755 -s ssh-add /usr/bin/ssh-add
/bin/install -c -m 0755 -s ssh-agent /usr/bin/ssh-agent
/bin/install -c -m 0755 -s ssh-keygen /usr/bin/ssh-keygen
/bin/install -c -m 0755 -s ssh-keyscan /usr/bin/ssh-keyscan
/bin/install -c -m 0755 -s sshd /usr/sbin/sshd
/bin/install -c -m 4711 -s ssh-keysign /usr/libexec/ssh-keysign
/bin/install -c -m 0755 -s ssh-pkcs11-helper /usr/libexec/ssh-pkcs11-helper
/bin/install -c -m 0755 -s ssh-sk-helper /usr/libexec/ssh-sk-helper
/bin/install -c -m 0755 -s sftp /usr/bin/sftp
/bin/install -c -m 0755 -s sftp-server /usr/libexec/sftp-server
/bin/install -c -m 644 ssh.1.out /usr/share/man/man1/ssh.1
/bin/install -c -m 644 scp.1.out /usr/share/man/man1/scp.1
/bin/install -c -m 644 ssh-add.1.out /usr/share/man/man1/ssh-add.1
/bin/install -c -m 644 ssh-agent.1.out /usr/share/man/man1/ssh-agent.1
/bin/install -c -m 644 ssh-keygen.1.out /usr/share/man/man1/ssh-keygen.1
/bin/install -c -m 644 ssh-keyscan.1.out /usr/share/man/man1/ssh-keyscan.1
/bin/install -c -m 644 moduli.5.out /usr/share/man/man5/moduli.5
/bin/install -c -m 644 sshd_config.5.out /usr/share/man/man5/sshd_config.5
/bin/install -c -m 644 ssh_config.5.out /usr/share/man/man5/ssh_config.5
/bin/install -c -m 644 sshd.8.out /usr/share/man/man8/sshd.8
/bin/install -c -m 644 sftp.1.out /usr/share/man/man1/sftp.1
/bin/install -c -m 644 sftp-server.8.out /usr/share/man/man8/sftp-server.8
/bin/install -c -m 644 ssh-keysign.8.out /usr/share/man/man8/ssh-keysign.8
/bin/install -c -m 644 ssh-pkcs11-helper.8.out /usr/share/man/man8/ssh-pkcs11-helper.8
/bin/install -c -m 644 ssh-sk-helper.8.out /usr/share/man/man8/ssh-sk-helper.8
/bin/mkdir -p /etc/ssh
/etc/ssh/ssh_config already exists, install will not overwrite
/etc/ssh/sshd_config already exists, install will not overwrite
/etc/ssh/moduli already exists, install will not overwrite
/usr/sbin/sshd -t -f /etc/ssh/sshd_config
/etc/ssh/sshd_config line 79: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 80: Unsupported option GSSAPICleanupCredentials
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_rsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Unable to load host key "/etc/ssh/ssh_host_rsa_key": bad permissions
Unable to load host key: /etc/ssh/ssh_host_rsa_key
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_ecdsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Unable to load host key "/etc/ssh/ssh_host_ecdsa_key": bad permissions
Unable to load host key: /etc/ssh/ssh_host_ecdsa_key
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_ed25519_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Unable to load host key "/etc/ssh/ssh_host_ed25519_key": bad permissions
Unable to load host key: /etc/ssh/ssh_host_ed25519_key
sshd: no hostkeys available -- exiting.
make: [check-config] Error 1 (ignored)

Remove the old version:

rpm -e --nodeps `rpm -qa | grep openssh`

Delete the ssh directory:
rm -rf /etc/ssh

## Install dependencies:
yum install -y gcc zlib-devel pam-devel libselinux-devel zlib-devel

make && make install

Copy the init script into init.d so the service can be started and stopped:
\cp -rp /tmp/openssh-9.3p2/contrib/redhat/sshd.init /etc/init.d/sshd

Enable the sshd service at boot:
#chkconfig sshd on
systemctl enable sshd

Restore the backups made earlier:

cp -pf  /etc/ssh-bak/sshd_config /etc/ssh/sshd_config

\cp -pf /etc/pam.d/sshd-bak /etc/pam.d/sshd

#check file
/usr/sbin/sshd -t -f /etc/ssh/sshd_config

#start sshd service

systemctl start sshd.service

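As an added example (not part of the original post or of the OpenSSH project), here is a POSIX sh pre-flight script for the procedure above: it parses ssh -V output to decide whether the installed version is already 9.3p2 or later, checks host-key file modes against the 0640 problem that sshd -t reported during make install, and audits a restored sshd_config for the AllowAgentForwarding, AllowTcpForwarding and PermitTunnel directives that control the agent forwarding, TCP forwarding and tunnelling the report says to turn off, plus the GSSAPI* options the Kerberos-less build rejects. The sample configuration is constructed and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the post or the OpenSSH project): pre-flight checks
# for the OpenSSH 9.3p2 upgrade described above (CVE-2023-38408). POSIX sh only.

# openssh_is_patched "<ssh -V output>": 0 if the version is >= 9.3p2 (the fixed
# release named in the post), 1 if older, 2 if unparsable. ssh -V prints to
# stderr, so on a live host call: openssh_is_patched "$(ssh -V 2>&1)"
openssh_is_patched() {
  v=$(printf '%s\n' "$1" |
    sed -n 's/.*OpenSSH_\{0,1\}\([0-9][0-9]*\)\.\([0-9][0-9]*\)p\{0,1\}\([0-9]*\).*/\1 \2 \3/p')
  [ -n "$v" ] || return 2
  set -- $v
  maj=$1 min=$2 pl=${3:-0}
  [ "$maj" -gt 9 ] && return 0
  [ "$maj" -eq 9 ] && [ "$min" -gt 3 ] && return 0
  [ "$maj" -eq 9 ] && [ "$min" -eq 3 ] && [ "$pl" -ge 2 ] && return 0
  return 1
}
# host_key_mode_ok <octal mode>: 0 when group/other bits are clear, as sshd requires
# (the post's sshd -t run rejects 0640 host keys). Live: host_key_mode_ok "$(stat -c %a FILE)"
host_key_mode_ok() {
  case $1 in [0-7]00|[0-7][0-7]00) return 0 ;; *) return 1 ;; esac
}
# sshd_config_findings <file>: one line per setting the post warns about. Only the
# global section is read (directives after the first "Match" are conditional and
# skipped); absent directives take sshd's defaults (agent and TCP forwarding yes,
# PermitTunnel no). Keywords and yes/no values are case-insensitive, as in sshd.
sshd_config_findings() {
  cfg=$1 agent=yes tcp=yes tunnel=no
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}                                  # drop comments
    set -- $(printf '%s' "$line" | tr '=A-Z' ' a-z')  # "Key=Val" -> "key val"
    [ $# -ge 2 ] || continue
    case $1 in
      match) break ;;
      allowagentforwarding) agent=$2 ;;
      allowtcpforwarding)   tcp=$2 ;;
      permittunnel)         tunnel=$2 ;;
      gssapi*) echo "unsupported: $1 (sshd -t rejects it in a build without --with-kerberos5)" ;;
    esac
  done < "$cfg"
  [ "$agent" = no ]  || echo "weak: AllowAgentForwarding=$agent (report says to disable)"
  [ "$tcp" = no ]    || echo "weak: AllowTcpForwarding=$tcp (report says to disable)"
  [ "$tunnel" = no ] || echo "weak: PermitTunnel=$tunnel (report says to disable)"
}
# Constructed sample modelled on the CentOS 7 sshd_config the post restores from
# backup; not a file from the post. AllowAgentForwarding sits under Match on purpose.
sample_config() {
  cat <<'EOF'
Port 22
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
AllowTcpForwarding NO
Match User backup
    AllowAgentForwarding no
EOF
}

tmp=$(mktemp); sample_config > "$tmp"; sshd_config_findings "$tmp"; rm -f "$tmp"
openssh_is_patched "OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017" || echo "upgrade needed: older than 9.3p2"
```

On the sample the audit reports the two GSSAPI options and the missing global AllowAgentForwarding, but not the AllowAgentForwarding inside the Match block, which only applies to that user.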

Original poster | Posted 2023-8-22 14:02:12
Other articles mention installing this; we did not install it here, because I can log in through the console or by other means.

Run the commands to install telnet:

yum install telnet-server  -y
yum install telnet -y
Enable telnet at boot and start it:

systemctl enable telnet.socket
systemctl start telnet.socket
Open port 23 in the firewall and connect with telnet ip. By default the system does not allow the root user to log in over telnet, so we need to authorize it:

echo 'pts/0' >>/etc/securetty
echo 'pts/1' >>/etc/securetty
If the login does not succeed, run this on the host:

tail /var/log/secure
If what we see is: access denied: tty 'pts/3' is not secure !

then add whichever pts number we see:

echo 'pts/3' >>/etc/securetty
After adding it, be sure to restart telnet.

Original poster | Posted 2023-8-22 16:22:56
If changing the port in /etc/ssh/sshd_config does not take effect, you can edit the file below:

The configuration file actually in effect is /usr/local/openssh/etc/sshd_config; if you did not change the /etc/ssh directory, editing this file also works:
/usr/local/openssh/etc/sshd_config