Linux系统升级openssh版本到9.3sp2

admin

Linux系统升级openssh版本到9.3sp2


OpenSSH ssh-agent 远程代码执行漏洞
% z5 u3 U1 @3 b, F) e# hcve-2023-38408   收到安全漏洞问题，需要解决。
       受影响的版本<1.9.3p2-1
安全漏洞给出的解决方案：
首先升级到OpenSSH 9.3p2或更高版本：升级到最新版本的OpenSSH至关重要，因为它包含缓解漏洞的关键补丁。确保所有相关系统和服务器及时更新至推荐版本或更高版本。
# a+ ]2 ~3 }0 A' P1 J; Z% J* ~另外采取预防措施来避免被利用：
5 R: r0 J) v5 y7 ]6 ~: h& a2 S8 ]( f, a建议在仅仅OpenSSH用于远程主机管理的机器，通过Openssh配置（sshd_config）、防火墙，安全组ACL等限制来源访问IP为白名单仅可信IP地址，同时，非必要，关闭SSH代理转发功能，禁止在有关主机启用ssh隧道等。
' B; k; N2 J* R关闭SSH代理转发功能方法为：
! g# l0 V6 j$ r0 D) r配置/etc/ssh/sshd_config
* c' p6 e2 u* M# _) i$ s( `) Q/ `AllowTcpForwarding NO
9 z7 h) K4 E) ?# z8 U. T
1 I( `) J* {. @: M  d- k  F
' e& q2 N% H5 o' I9 N接下来我们开始准升级的工作：
3 t  h, q% I$ x7 @2 i) ]' f' K确定设备的openssh 服务
# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
' J( A  g; e- j& z9 _   备份原有pam.d下的sshd文件
( T, o( c8 g( [9 T+ p4 t
# cp /etc/pam.d/sshd /etc/pam.d/sshd-bak  
% G, l( O7 V7 S3 J( q# ls /etc/pam.d/sshd*
/etc/pam.d/sshd  /etc/pam.d/sshd-bak
, u4 }8 j( G% l; Y8 ~# cp -r /etc/ssh/ /etc/ssh-bak


9 U1 i, Y7 A0 Q7 `备份好文件之后，检查下telnet是否安装，
* n" Z5 [9 {: M7 v. k$ M# rpm -q telnet
telnet-0.17-66.el7.x86_64
3 @/ n4 R. d+ {/ Y3 a4 O, I* [
# rpm -q telnet-server
5 e4 \" a: W# q  o5 ^package telnet-server is not installed
下载openssh包进行升级
https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.3p2.tar.gz     
; A, T. E% f5 ~- ~8 ]  bwget    https://cdn.openbsd.org/pub/Open ... penssh-9.3p2.tar.gz   到指定的目录。我们这里采用/tmp目录
& [1 V$ e1 ^# G1 m: E! }9 l1 {

4 T: @' }$ J8 B. Z5 Ihttps://mirrors.aliyun.com/pub/OpenBSD/OpenSSH/portable/openssh-9.3p2.tar.gz?spm=a2c6h.25603864.0.0.686840adPbA5X7
https://mirror.edgecast.com/pub/OpenBSD/OpenSSH/portable/openssh-9.3p2.tar.gz   
3 P" \( w% v  h6 z6 z2 M! S+ I1 S
多个地址下载：
我们选择一个即可：
1 i3 u! n) x# A% u) {: ^# wget  https://mirror.edgecast.com/pub/ ... penssh-9.3p2.tar.gz
--2023-08-22 14:12:08--  https://mirror.edgecast.com/pub/ ... penssh-9.3p2.tar.gz
$ R: T: j3 t- ?4 GResolving mirror.edgecast.com (mirror.edgecast.com)... 152.195.62.22, 2606:2800:10c:1116:239f:3fd5:4bab:a23f
9 @& }( F; z& i1 q7 l* LConnecting to mirror.edgecast.com (mirror.edgecast.com)|152.195.62.22|:443... connected.
HTTP request sent, awaiting response... 200 OK
5 {1 _4 S* s, A. {, t- X# ULength: 1835850 (1.8M) [application/octet-stream]
Saving to: ‘openssh-9.3p2.tar.gz’

% a/ m  K- a2 ]1 O% z  P0 |$ c8 I100%[=======================================================================================================================================================================================================>] 1,835,850   1.49MB/s   in 1.2s   

8 x( H" u6 k8 ?' D2023-08-22 14:12:11 (1.49 MB/s) - ‘openssh-9.3p2.tar.gz’ saved [1835850/1835850]
0 K. `/ i5 _* x8 g6 X7 C

# ls
( N7 v. N& y: L6 {( m8 o: Hopenssh-9.3p2.tar.gz
下载后，解压：

" M. G" e5 P$ R, `8 K# tar -zxvf openssh-9.3p2.tar.gz
4 V4 e# F! d* ^. n5 G* K; iopenssh-9.3p2
" o! s' v2 w% n9 Q. @9 Nopenssh-9.3p2/.git_allowed_signers
openssh-9.3p2/.git_allowed_signers.asc
8 h1 u( z" y# O3 V2 Nopenssh-9.3p2/.github
openssh-9.3p2/.github/ci-status.md
openssh-9.3p2/.github/configs
openssh-9.3p2/.github/configure.sh
openssh-9.3p2/.github/run_test.sh
4 Z, j6 N7 k5 @3 S/ Z0 Z, jopenssh-9.3p2/.github/setup_ci.sh
1 k# E' z8 u, ~6 H7 p8 u9 fopenssh-9.3p2/.github/workflows
openssh-9.3p2/.github/workflows/c-cpp.yml
5 `, @6 b' C4 D0 I  Y) Q* S+ r) N5 y2 ~openssh-9.3p2/.github/workflows/cifuzz.yml
3 j2 t* K+ n6 C$ B. @" z9 Sopenssh-9.3p2/.github/workflows/selfhosted.yml
/ R' s) J* r# e% x: y, ]# ^openssh-9.3p2/.github/workflows/upstream.yml
$ ^/ R, Z& S! A  R1 ^  e+ v9 }openssh-9.3p2/.gitignore
. z! y4 Y" z" J$ n' Ropenssh-9.3p2/.skipped-commit-ids
$ H- Z/ K, n$ J% }openssh-9.3p2/CREDITS
openssh-9.3p2/INSTALL
.........
openssh-9.3p2/aclocal.m4
openssh-9.3p2/.depend
: r0 t5 x/ L& k6 N+ Lopenssh-9.3p2/config.h.in
" a; Z3 M" J- P# y4 t5 D) Bopenssh-9.3p2/configure
' l+ F% r5 `3 r: h

# ls
) ~! K1 b  Y0 T5 k3 s; @' {% Q2 Sopenssh-9.3p2  openssh-9.3p2.tar.gz

$ a. S! K5 \, ^& B6 y$ K安装所需的包
- y+ e7 j$ X. x0 }8 e yum install -y gcc zlib-devel pam-devel libselinux-devel zlib-devel  
完整路劲编译：
/tmp/openssh-9.3p2/configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-md5-passwords --with-ssl-dir=/usr/ssl
  L( X2 f; z5 F& b! ?3 @: ^" Y
% W; [  C1 Z$ o8 M% z: q8 x绝对路径编译：
& @( `1 ^% ^  j* D( X" Y* u# ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-md5-passwords --with-ssl-dir=/usr/ssl
configure: WARNING: unrecognized options: --with-md5-passwords
- v) j; H* E/ h) jchecking for cc... cc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
3 Q* ]1 Z  Q9 O1 |checking for suffix of executables...
, l: B% C* Z( zchecking whether we are cross compiling... no
, A6 X, A$ f. d0 N0 E& cchecking for suffix of object files... o
checking whether the compiler supports GNU C... yes
1 h2 f; V) m$ U+ L5 N2 ^0 H" cchecking whether cc accepts -g... yes
0 K% j; G# h1 y# \* P; l' qchecking for cc option to enable C11 features... -std=gnu11
checking if cc -std=gnu11 supports C99-style variadic macros... yes
& S% M9 k( d4 i* J4 X2 t0 a3 Hchecking build system type... x86_64-pc-linux-gnu
checking host system type... x86_64-pc-linux-gnu
checking for stdio.h... yes
checking for stdlib.h... yes
4 R" D; O5 A% V2 D/ b0 fchecking for string.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
% o: Y; @# A7 j- d( zchecking for strings.h... yes
checking for sys/stat.h... yes
checking for sys/types.h... yes
checking for unistd.h... yes
- B0 B7 {/ K3 n  c; _- p6 P; |checking whether byte ordering is bigendian... no
checking for gawk... gawk
- i3 H. H0 ?& s! R  {# q2 Lchecking how to run the C preprocessor... cc -std=gnu11 -E
checking for ranlib... ranlib
checking for a BSD-compatible install... /bin/install -c
8 u9 d3 p6 j+ \4 ^: Echecking for grep that handles long lines and -e... /bin/grep
6 H( w4 _  m- A2 Dchecking for egrep... /bin/grep -E
checking for a race-free mkdir -p... /bin/mkdir -p
: }5 G- V7 u8 E+ h& ~, W/ G0 t/ j


4 D% n$ E( I* ?PAM is enabled. You may need to install a PAM control file
for sshd, otherwise password authentication may fail.
# w" I' t7 f! r4 ?" x" j/ z7 \4 UExample PAM control files can be found in the contrib/
subdirectory

5 K/ i& P1 W" _. |/ j' w编译：
[root@localhost openssh-9.3p2]# make........
1 m& J2 R" \$ `+ B- jotector-strong -fPIE   -I. -I. -I/usr/ssl  -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -D_GNU_SOURCE -DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_SK_HELPER=\"/usr/libexec/ssh-sk-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c ssh-sk.c -o ssh-sk.o
" [" ^; O" Q, Jcc -std=gnu11 -g -O2 -pipe -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE   -I. -I. -I/usr/ssl  -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -D_GNU_SOURCE -DSSHDIR=\"/etc/ssh\" -D_PATH_SSH_PROGRAM=\"/usr/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_SK_HELPER=\"/usr/libexec/ssh-sk-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c sk-usbhid.c -o sk-usbhid.o
cc -std=gnu11 -o ssh-sk-helper ssh-sk-helper.o ssh-sk.o sk-usbhid.o -L. -Lopenbsd-compat/ -L/usr/ssl  -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -pie  -lssh -lopenbsd-compat -lssh -lopenbsd-compat -ldl -lutil  -lresolv  -lcrypto  -lz

3 `/ i4 ~: a3 U7 n3 O) L
安装install
1 W4 R' o. s3 R' Z3 g7 F[root@jms_server_01 openssh-9.3p2]# make install
" O. v/ e  B) n' ]! M" i( s(cd openbsd-compat && make)
8 R3 c/ j0 n/ b6 r' x$ f/ L3 W- Bmake[1]: Entering directory `/tmp/openssh-9.3p2/openbsd-compat'
2 V2 P6 k2 g( i1 B7 imake[1]: Nothing to be done for `all'.
+ Y4 s% p  ^# |5 Cmake[1]: Leaving directory `/tmp/openssh-9.3p2/openbsd-compat'
  S) ^# m* x  R! k# p- L& l/bin/mkdir -p /usr/bin
/bin/mkdir -p /usr/sbin
/bin/mkdir -p /usr/share/man/man1
/ v7 R8 a4 P; [. K5 a2 q1 t- b/bin/mkdir -p /usr/share/man/man5
/bin/mkdir -p /usr/share/man/man8
3 S5 V/ n& w( c' X; T9 q+ J/bin/mkdir -p /usr/libexec
! p# X( n& l. c6 ~/bin/mkdir -p -m 0755 /var/empty
/bin/install -c -m 0755 -s ssh /usr/bin/ssh
/bin/install -c -m 0755 -s scp /usr/bin/scp
7 G2 I! K- y, ^/bin/install -c -m 0755 -s ssh-add /usr/bin/ssh-add
- v3 a4 O+ ]& m/ l/bin/install -c -m 0755 -s ssh-agent /usr/bin/ssh-agent
/bin/install -c -m 0755 -s ssh-keygen /usr/bin/ssh-keygen
/bin/install -c -m 0755 -s ssh-keyscan /usr/bin/ssh-keyscan
/bin/install -c -m 0755 -s sshd /usr/sbin/sshd
/bin/install -c -m 4711 -s ssh-keysign /usr/libexec/ssh-keysign
/bin/install -c -m 0755 -s ssh-pkcs11-helper /usr/libexec/ssh-pkcs11-helper
/bin/install -c -m 0755 -s ssh-sk-helper /usr/libexec/ssh-sk-helper
' d+ u6 u, g+ E# P1 I/bin/install -c -m 0755 -s sftp /usr/bin/sftp
/bin/install -c -m 0755 -s sftp-server /usr/libexec/sftp-server
/bin/install -c -m 644 ssh.1.out /usr/share/man/man1/ssh.1
/bin/install -c -m 644 scp.1.out /usr/share/man/man1/scp.1
/bin/install -c -m 644 ssh-add.1.out /usr/share/man/man1/ssh-add.1
# D( q+ l' W+ s& ]4 D5 |/bin/install -c -m 644 ssh-agent.1.out /usr/share/man/man1/ssh-agent.1
/bin/install -c -m 644 ssh-keygen.1.out /usr/share/man/man1/ssh-keygen.1
/bin/install -c -m 644 ssh-keyscan.1.out /usr/share/man/man1/ssh-keyscan.1
- }! v: ~* B+ Q6 j* V2 ?1 S/bin/install -c -m 644 moduli.5.out /usr/share/man/man5/moduli.5
/bin/install -c -m 644 sshd_config.5.out /usr/share/man/man5/sshd_config.5
  Q) R! Z) S0 l. l. `/bin/install -c -m 644 ssh_config.5.out /usr/share/man/man5/ssh_config.5
/bin/install -c -m 644 sshd.8.out /usr/share/man/man8/sshd.8
/bin/install -c -m 644 sftp.1.out /usr/share/man/man1/sftp.1
/bin/install -c -m 644 sftp-server.8.out /usr/share/man/man8/sftp-server.8
/bin/install -c -m 644 ssh-keysign.8.out /usr/share/man/man8/ssh-keysign.8
+ e; \+ K* B4 \+ b( [/bin/install -c -m 644 ssh-pkcs11-helper.8.out /usr/share/man/man8/ssh-pkcs11-helper.8
/bin/install -c -m 644 ssh-sk-helper.8.out /usr/share/man/man8/ssh-sk-helper.8
6 i4 ^0 D* ?( g* ?. t& ~  J: o# Y/bin/mkdir -p /etc/ssh
$ J: J" T. B, C. ^& l/etc/ssh/ssh_config already exists, install will not overwrite
" c# T$ G# a+ h. e" m$ z) k/etc/ssh/sshd_config already exists, install will not overwrite
/etc/ssh/moduli already exists, install will not overwrite
/usr/sbin/sshd -t -f /etc/ssh/sshd_config
- W& s4 D) K$ F. W- C/etc/ssh/sshd_config line 79: Unsupported option GSSAPIAuthentication
( |9 D: y) a8 D- m' @  {# ?; g4 k/etc/ssh/sshd_config line 80: Unsupported option GSSAPICleanupCredentials
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
8 W3 b" n& J* _. f/ D; j7 I8 l7 g@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
( u1 E6 x9 Q4 OPermissions 0640 for '/etc/ssh/ssh_host_rsa_key' are too open.
0 B# m/ I2 X, g; V2 NIt is required that your private key files are NOT accessible by others.
$ `6 |! v3 d8 I2 [1 |3 g/ O5 WThis private key will be ignored.
( H$ q' F( U% V8 W4 L; MUnable to load host key "/etc/ssh/ssh_host_rsa_key": bad permissions
( b$ X: i+ X# Y  G2 QUnable to load host key: /etc/ssh/ssh_host_rsa_key
; k9 n* _1 A4 h( d# E@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
# ]: i. @, O0 }# C% m. Y/ [: i@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
3 a9 O+ s. K: B* C% l' {@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_ecdsa_key' are too open.
& L+ ~( t; Q/ k. G9 o: k; zIt is required that your private key files are NOT accessible by others.
) q- a# J0 N% V+ \* MThis private key will be ignored.
9 B. u- k% R4 Q' O/ w7 D$ @( ?/ iUnable to load host key "/etc/ssh/ssh_host_ecdsa_key": bad permissions
. I5 F8 |7 ^2 V" k. _! j3 }2 [9 kUnable to load host key: /etc/ssh/ssh_host_ecdsa_key
7 ^) {/ k. m/ \4 O0 A7 a& ?9 X@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
2 i2 H$ n0 G. g0 j0 l3 `9 o@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
  g6 j7 N/ Q' NPermissions 0640 for '/etc/ssh/ssh_host_ed25519_key' are too open.
It is required that your private key files are NOT accessible by others.
9 z2 A9 O) k6 W% I! [This private key will be ignored.
Unable to load host key "/etc/ssh/ssh_host_ed25519_key": bad permissions
1 H' S: A( s, t' p6 xUnable to load host key: /etc/ssh/ssh_host_ed25519_key
sshd: no hostkeys available -- exiting.
make: [check-config] Error 1 (ignored)
, c+ ?# L1 g" o$ ]; [9 O
" g1 H+ f8 {, n; A, E% ]2 t* i卸载旧版本

rpm -e --nodeps `rpm -qa | grep openssh`

8 _. _8 u$ [* W' i/ j: ]删除ssh文件夹：
& u# o$ ^* h- P! N5 O% X; L2 E* lrm -rf /etc/ssh

##安装依赖包：
- V7 d5 l1 `( z; w. o& S2 Nyum install -y gcc zlib-devel pam-devel libselinux-devel zlib-devel

: M) Y2 |8 H0 U. q
make && make install
" h+ H0 N. D5 I1 [/ ^( N9 E
* ]; j3 k" ?$ y+ ~! \复制启动文件到init.d服务启停：
\cp -rp /tmp/openssh-9.3p2/contrib/redhat/sshd.init /etc/init.d/sshd
% c' A6 S, N1 |  j3 A* v- N% t
添加sshd服务开机启动：
#chkconfig sshd on
systemctl enable sshd

8 k  }4 |  A' E复制之前的备份文件复原：

cp -pf  /etc/ssh-bak/sshd_config /etc/ssh/sshd_config


\cp -pf /etc/pam.d/sshd-bak /etc/pam.d/sshd
8 k& D+ f; D! G1 g& G
#check file
/usr/sbin/sshd -t -f /etc/ssh/sshd_config

0 I* V/ Z' _0 z5 g0 X$ B" h#start sshd service
6 z1 \3 _& ]# i/ e" L* T0 D
5 N- K8 ]1 F  Usystemctl start sshd.service

1 |4 ~4 ^- t) @( L, ~0 s4 e

' k, N3 C  K& A4 z( C% p  
5 `( L& L! D" m3 t8 S2 X




" p) B' s( {2 M
& `; D+ D/ v2 T: A








2 |8 M0 J0 ?6 Q2 Z6 C* g. C+ K
, M8 r/ y  D5 i* s8 l* G1 t0 y
6 j; f, L6 }: b4 r
' n4 _0 i0 Z7 `1 \9 Y4 w- a
: \; v; L+ I" Z9 _6 E& D
: n' l/ K0 }/ X3 R  }


- \$ g# K6 Y+ ]
" H/ N' ^5 N4 \

admin

其他文章中提到要安装这个，我们这里没有安装。因为我可以通过console或者其他方式登录上去。

& N* p5 c- r9 M7 H2 N执行命令进行安装telnet

yum install telnet-server  -y
yum install telnet -y
设置开机启动并启动telnet
6 x) A3 {; s! V7 z; i7 }
systemctl enable telnet.socket
7 h; x" v5 z9 r" F) u* a9 Jsystemctl start telnet.socket
防火墙开启23端口，使用 telnet ip 进行连接登录。默认系统中是不允许root用户使用telnet登录的，因此我们需要授权一下

0 c) N  k5 B: N" q* _echo 'pts/0' >>/etc/securetty
1 ^1 L1 M5 w, P( u8 oecho 'pts/1' >>/etc/securetty
2 L# R2 J7 S. e0 r* g* b& ^当我们在进行登录时无法正常登录时，主机端执行
+ m! {/ u* r; }
tail /var/log/secure
! H  i* ~! d. @1 ]  O假如我们看到的是：access denied: tty 'pts/3' is not secure !
1 D. t3 u0 [* g. d1 L
6 G! K9 P( @5 s8 c* F此时我们如果看到的是pts几就将几添加一下
( M) j/ |& ]: i: X
echo 'pts/3' >>/etc/securetty
- d" `% E7 ?- |$ m" Z9 t' {添加后一定要重启telnet

admin

当端口号修改/etc/ssh/sshd_config 文件不生效时，可以修改下面文件：

* _) w' ]( h) f1 @: V& o生效的配置文件是/usr/local/openssh/etc/sshd_config   如果不改变/etc/ssh目录，就修改这个文件也可以
/usr/local/openssh/etc/sshd_config