Upgrading OpenSSH to 9.3p2 on a Linux system
OpenSSH ssh-agent remote code execution vulnerability
CVE-2023-38408: a security vulnerability report was received and has to be resolved.
Affected versions: < 1.9.3p2-1

Remediation given with the vulnerability report:
First, upgrade to OpenSSH 9.3p2 or later. Upgrading to the latest OpenSSH release is essential because it contains the patch that mitigates the vulnerability. Make sure all affected systems and servers are promptly updated to the recommended version or later.

In addition, take preventive measures to avoid exploitation:
On machines where OpenSSH is used only for remote host management, restrict the source addresses allowed to connect to a whitelist of trusted IPs, using the OpenSSH configuration (sshd_config), the firewall, security-group ACLs and the like. Unless it is needed, also disable SSH agent forwarding and do not allow SSH tunnels on the hosts concerned.

To disable SSH agent forwarding, configure /etc/ssh/sshd_config:
AllowTcpForwarding NO

Note that AllowTcpForwarding governs TCP port forwarding (the tunnels mentioned above); agent forwarding itself is switched off with the separate AllowAgentForwarding directive, so set both.
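An added example, not from the original post, that checks an sshd_config for the mitigations just listed (no TCP, agent or tunnel forwarding, and logins limited by an AllowUsers USER@HOST entry to trusted source addresses). The sample configs are constructed and 10.0.0.0/8 is a placeholder for the real management network.

```shell
#!/bin/sh
# Added example, not from the original post: audit an sshd_config for the
# mitigations listed above (no TCP forwarding, no agent forwarding, no
# tunnels, and logins limited to trusted source addresses). Sample configs
# below are constructed; 10.0.0.0/8 stands in for a real management network.

# effective_value <file> <keyword>: the value of the first top-level
# occurrence of <keyword> (sshd uses the first one it sees), lower-cased.
# Stops at the first Match block; keywords are case-insensitive in sshd.
effective_value() {
    awk -v key="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print tolower($2); exit }' "$1"
}

# audit_sshd_config <file>: prints one line per missing mitigation and
# returns the number of findings, so 0 means every mitigation is present.
audit_sshd_config() {
    findings=0
    for pair in allowtcpforwarding=no allowagentforwarding=no permittunnel=no; do
        key=${pair%=*}; want=${pair#*=}
        got=$(effective_value "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "missing: $key $want (found: ${got:-unset})"
            findings=$((findings + 1))
        fi
    done
    # Source restriction: an AllowUsers entry of the form USER@HOST, where
    # HOST may be a CIDR range, limits logins to the listed addresses.
    case "$(effective_value "$1" allowusers)" in
        *@*) ;;
        *) echo "missing: AllowUsers with a USER@HOST/CIDR source restriction"
           findings=$((findings + 1)) ;;
    esac
    return $findings
}

# Demo: a stock-looking config (sshd defaults allow forwarding) versus the
# hardened one.
weak=$(mktemp); hard=$(mktemp)
printf 'Port 22\nUsePAM yes\n' > "$weak"
cat > "$hard" <<'EOF'
Port 22
UsePAM yes
AllowUsers *@10.0.0.0/8
AllowTcpForwarding no
AllowAgentForwarding no
PermitTunnel no
EOF
echo "== weak =="; audit_sshd_config "$weak" || echo "$? finding(s)"
echo "== hardened =="; audit_sshd_config "$hard" && echo "all mitigations present"
rm -f "$weak" "$hard"
```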
Now we start preparing for the upgrade.

Determine the OpenSSH version running on the device:
# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017

Back up the existing sshd file under pam.d, and the whole /etc/ssh directory:
# cp /etc/pam.d/sshd /etc/pam.d/sshd-bak
# ls /etc/pam.d/sshd*
/etc/pam.d/sshd /etc/pam.d/sshd-bak
# cp -r /etc/ssh/ /etc/ssh-bak

With the backups in place, check whether telnet is installed (a fallback way onto the machine should sshd fail to come back after the upgrade):
# rpm -q telnet
telnet-0.17-66.el7.x86_64
# rpm -q telnet-server
package telnet-server is not installed
Download the OpenSSH package for the upgrade:
https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.3p2.tar.gz

Use wget to fetch https://cdn.openbsd.org/pub/Open ... penssh-9.3p2.tar.gz into a directory of your choice; here we use /tmp.

The tarball is also available from several mirrors, for example:
https://mirrors.aliyun.com/pub/OpenBSD/OpenSSH/portable/openssh-9.3p2.tar.gz?spm=a2c6h.25603864.0.0.686840adPbA5X7
https://mirror.edgecast.com/pub/OpenBSD/OpenSSH/portable/openssh-9.3p2.tar.gz

Any one of them will do:
# wget https://mirror.edgecast.com/pub/ ... penssh-9.3p2.tar.gz
--2023-08-22 14:12:08-- https://mirror.edgecast.com/pub/ ... penssh-9.3p2.tar.gz
Resolving mirror.edgecast.com (mirror.edgecast.com)... 152.195.62.22, 2606:2800:10c:1116:239f:3fd5:4bab:a23f
Connecting to mirror.edgecast.com (mirror.edgecast.com)|152.195.62.22|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1835850 (1.8M) [application/octet-stream]
Saving to: ‘openssh-9.3p2.tar.gz’

100%[=======================================================================================================================================================================================================>] 1,835,850 1.49MB/s in 1.2s

2023-08-22 14:12:11 (1.49 MB/s) - ‘openssh-9.3p2.tar.gz’ saved [1835850/1835850]

# ls
openssh-9.3p2.tar.gz
After downloading, extract it:

# tar -zxvf openssh-9.3p2.tar.gz
openssh-9.3p2
openssh-9.3p2/.git_allowed_signers
openssh-9.3p2/.git_allowed_signers.asc
openssh-9.3p2/.github
openssh-9.3p2/.github/ci-status.md
openssh-9.3p2/.github/configs
openssh-9.3p2/.github/configure.sh
openssh-9.3p2/.github/run_test.sh
openssh-9.3p2/.github/setup_ci.sh
openssh-9.3p2/.github/workflows
openssh-9.3p2/.github/workflows/c-cpp.yml
openssh-9.3p2/.github/workflows/cifuzz.yml
openssh-9.3p2/.github/workflows/selfhosted.yml
openssh-9.3p2/.github/workflows/upstream.yml
openssh-9.3p2/.gitignore
openssh-9.3p2/.skipped-commit-ids
openssh-9.3p2/CREDITS
openssh-9.3p2/INSTALL
.........
openssh-9.3p2/aclocal.m4
openssh-9.3p2/.depend
openssh-9.3p2/config.h.in
openssh-9.3p2/configure

# ls
openssh-9.3p2 openssh-9.3p2.tar.gz
Install the required packages:
yum install -y gcc zlib-devel pam-devel libselinux-devel zlib-devel

Run configure, either by its full path:
/tmp/openssh-9.3p2/configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-md5-passwords --with-ssl-dir=/usr/ssl

or from inside the extracted source directory (the first line of the output shows that this release no longer recognises --with-md5-passwords; configure warns and simply ignores it):
# ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-md5-passwords --with-ssl-dir=/usr/ssl
configure: WARNING: unrecognized options: --with-md5-passwords
checking for cc... cc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables... 
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether the compiler supports GNU C... yes
checking whether cc accepts -g... yes
checking for cc option to enable C11 features... -std=gnu11
checking if cc -std=gnu11 supports C99-style variadic macros... yes
checking build system type... x86_64-pc-linux-gnu
checking host system type... x86_64-pc-linux-gnu
checking for stdio.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for strings.h... yes
checking for sys/stat.h... yes
checking for sys/types.h... yes
checking for unistd.h... yes
checking whether byte ordering is bigendian... no
checking for gawk... gawk
checking how to run the C preprocessor... cc -std=gnu11 -E
checking for ranlib... ranlib
checking for a BSD-compatible install... /bin/install -c
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking for a race-free mkdir -p... /bin/mkdir -p

PAM is enabled. You may need to install a PAM control file
for sshd, otherwise password authentication may fail.
Example PAM control files can be found in the contrib/
subdirectory
Compile:
[root@localhost openssh-9.3p2]# make
........
otector-strong -fPIE -I. -I. -I/usr/ssl -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -D_GNU_SOURCE -DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_SK_HELPER=\"/usr/libexec/ssh-sk-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c ssh-sk.c -o ssh-sk.o
cc -std=gnu11 -g -O2 -pipe -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE -I. -I. -I/usr/ssl -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -D_GNU_SOURCE -DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_SK_HELPER=\"/usr/libexec/ssh-sk-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c sk-usbhid.c -o sk-usbhid.o
cc -std=gnu11 -o ssh-sk-helper ssh-sk-helper.o ssh-sk.o sk-usbhid.o -L. -Lopenbsd-compat/ -L/usr/ssl -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -pie -lssh -lopenbsd-compat -lssh -lopenbsd-compat -ldl -lutil -lresolv -lcrypto -lz
Install:
[root@jms_server_01 openssh-9.3p2]# make install
(cd openbsd-compat && make)
make[1]: Entering directory `/tmp/openssh-9.3p2/openbsd-compat'
make[1]: Nothing to be done for `all'.
make[1]: Leaving directory `/tmp/openssh-9.3p2/openbsd-compat'
/bin/mkdir -p /usr/bin
/bin/mkdir -p /usr/sbin
/bin/mkdir -p /usr/share/man/man1
/bin/mkdir -p /usr/share/man/man5
/bin/mkdir -p /usr/share/man/man8
/bin/mkdir -p /usr/libexec
/bin/mkdir -p -m 0755 /var/empty
/bin/install -c -m 0755 -s ssh /usr/bin/ssh
/bin/install -c -m 0755 -s scp /usr/bin/scp
/bin/install -c -m 0755 -s ssh-add /usr/bin/ssh-add
/bin/install -c -m 0755 -s ssh-agent /usr/bin/ssh-agent
/bin/install -c -m 0755 -s ssh-keygen /usr/bin/ssh-keygen
/bin/install -c -m 0755 -s ssh-keyscan /usr/bin/ssh-keyscan
/bin/install -c -m 0755 -s sshd /usr/sbin/sshd
/bin/install -c -m 4711 -s ssh-keysign /usr/libexec/ssh-keysign
/bin/install -c -m 0755 -s ssh-pkcs11-helper /usr/libexec/ssh-pkcs11-helper
/bin/install -c -m 0755 -s ssh-sk-helper /usr/libexec/ssh-sk-helper
/bin/install -c -m 0755 -s sftp /usr/bin/sftp
/bin/install -c -m 0755 -s sftp-server /usr/libexec/sftp-server
/bin/install -c -m 644 ssh.1.out /usr/share/man/man1/ssh.1
/bin/install -c -m 644 scp.1.out /usr/share/man/man1/scp.1
/bin/install -c -m 644 ssh-add.1.out /usr/share/man/man1/ssh-add.1
/bin/install -c -m 644 ssh-agent.1.out /usr/share/man/man1/ssh-agent.1
/bin/install -c -m 644 ssh-keygen.1.out /usr/share/man/man1/ssh-keygen.1
/bin/install -c -m 644 ssh-keyscan.1.out /usr/share/man/man1/ssh-keyscan.1
/bin/install -c -m 644 moduli.5.out /usr/share/man/man5/moduli.5
/bin/install -c -m 644 sshd_config.5.out /usr/share/man/man5/sshd_config.5
/bin/install -c -m 644 ssh_config.5.out /usr/share/man/man5/ssh_config.5
/bin/install -c -m 644 sshd.8.out /usr/share/man/man8/sshd.8
/bin/install -c -m 644 sftp.1.out /usr/share/man/man1/sftp.1
/bin/install -c -m 644 sftp-server.8.out /usr/share/man/man8/sftp-server.8
/bin/install -c -m 644 ssh-keysign.8.out /usr/share/man/man8/ssh-keysign.8
/bin/install -c -m 644 ssh-pkcs11-helper.8.out /usr/share/man/man8/ssh-pkcs11-helper.8
/bin/install -c -m 644 ssh-sk-helper.8.out /usr/share/man/man8/ssh-sk-helper.8
/bin/mkdir -p /etc/ssh
/etc/ssh/ssh_config already exists, install will not overwrite
/etc/ssh/sshd_config already exists, install will not overwrite
/etc/ssh/moduli already exists, install will not overwrite
/usr/sbin/sshd -t -f /etc/ssh/sshd_config
/etc/ssh/sshd_config line 79: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 80: Unsupported option GSSAPICleanupCredentials
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_rsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Unable to load host key "/etc/ssh/ssh_host_rsa_key": bad permissions
Unable to load host key: /etc/ssh/ssh_host_rsa_key
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_ecdsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Unable to load host key "/etc/ssh/ssh_host_ecdsa_key": bad permissions
Unable to load host key: /etc/ssh/ssh_host_ecdsa_key
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_ed25519_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Unable to load host key "/etc/ssh/ssh_host_ed25519_key": bad permissions
Unable to load host key: /etc/ssh/ssh_host_ed25519_key
sshd: no hostkeys available -- exiting.
make: [check-config] Error 1 (ignored)

The two complaints from sshd -t are worth understanding before going on. The old /etc/ssh/sshd_config (kept because it already existed) sets GSSAPIAuthentication and GSSAPICleanupCredentials, which this build does not recognise because it was configured without Kerberos/GSSAPI support (no --with-kerberos5). The existing host keys are mode 0640, as the distribution package installed them, and the newly built sshd refuses private keys readable by the group, so it ends with "no hostkeys available". make marks the check-config failure as ignored, so the binaries were installed regardless.
Uninstall the old version:
rpm -e --nodeps `rpm -qa | grep openssh`

Delete the ssh directory:
rm -rf /etc/ssh

## Install the dependencies:
yum install -y gcc zlib-devel pam-devel libselinux-devel zlib-devel

Build and install again:
make && make install

Copy the init script to init.d so the service can be started and stopped:
\cp -rp /tmp/openssh-9.3p2/contrib/redhat/sshd.init /etc/init.d/sshd

Enable sshd at boot:
#chkconfig sshd on
systemctl enable sshd

Restore the files backed up earlier:
cp -pf /etc/ssh-bak/sshd_config /etc/ssh/sshd_config
\cp -pf /etc/pam.d/sshd-bak /etc/pam.d/sshd

Two things to watch at this point. The restored sshd_config still contains the GSSAPIAuthentication and GSSAPICleanupCredentials lines that sshd -t rejected during the first make install, so comment them out (or reconfigure with --with-kerberos5 and rebuild) before starting the service, otherwise the check below fails again. And because /etc/ssh was deleted, make install generated fresh host keys: clients will see a changed host key on their next connection unless the old ssh_host_* key files are copied back from /etc/ssh-bak (with mode 0600).

#check file
/usr/sbin/sshd -t -f /etc/ssh/sshd_config

#start sshd service
systemctl start sshd.service
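As an added example (not part of the original post), the helpers below automate the checks this procedure depends on: deciding from the `ssh -V` banner whether a host is still below 9.3p2, commenting out the two GSSAPI directives that sshd -t rejected above, and tightening host keys from 0640 to 0600. Paths are passed as arguments so it can be tried on a scratch copy first, and the demo input is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: pre-flight helpers for the
# OpenSSH 9.3p2 upgrade above. Every path is an argument, so the functions
# can be tried on a scratch copy before touching /etc/ssh.

# needs_upgrade "<output of ssh -V 2>&1>": exit 0 if the installed OpenSSH is
# older than 9.3p2, 1 if it is 9.3p2 or newer, 2 if the string is unparseable.
needs_upgrade() {
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\)p\([0-9][0-9]*\).*/\1 \2 \3/p')
    [ -n "$ver" ] || return 2
    set -- $ver    # $1=major $2=minor $3=portable patch level
    if [ "$1" -ne 9 ]; then [ "$1" -lt 9 ] && return 0; return 1; fi
    if [ "$2" -ne 3 ]; then [ "$2" -lt 3 ] && return 0; return 1; fi
    [ "$3" -lt 2 ] && return 0
    return 1
}

# comment_unsupported <sshd_config>: comments out the two GSSAPI directives
# that `sshd -t` rejected in the log above. They are unknown because this
# build was configured without --with-kerberos5; commenting them out is the
# alternative to rebuilding with Kerberos support.
comment_unsupported() {
    tmp="$1.tmp.$$"
    awk '$1 == "GSSAPIAuthentication" || $1 == "GSSAPICleanupCredentials" {
             print "#" $0; next }
         { print }' "$1" > "$tmp" && mv "$tmp" "$1"
}

# fix_hostkey_perms <dir>: sshd ignored the 0640 host keys above, so tighten
# every private host key in <dir> to 0600. Public *.pub files are untouched.
fix_hostkey_perms() {
    for key in "$1"/ssh_host_*_key; do
        if [ -f "$key" ]; then chmod 0600 "$key"; fi
    done
    return 0
}

# mode_of <file>: the ls permission string, e.g. -rw------- (for checks).
mode_of() { ls -ld "$1" | cut -c1-10; }

# Demo on constructed input (the version string is the one from the post).
if needs_upgrade "OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017"; then
    echo "installed OpenSSH is older than 9.3p2: upgrade required"
fi
demo=$(mktemp -d)
printf 'Port 22\nGSSAPIAuthentication yes\nGSSAPICleanupCredentials no\nUsePAM yes\n' \
    > "$demo/sshd_config"
comment_unsupported "$demo/sshd_config"
touch "$demo/ssh_host_rsa_key" && chmod 0640 "$demo/ssh_host_rsa_key"
fix_hostkey_perms "$demo"
cat "$demo/sshd_config"
mode_of "$demo/ssh_host_rsa_key"
rm -rf "$demo"
```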