Upgrading OpenSSH to openssh-8.4p1 on CentOS 7 with rpm

1. OpenSSH disclosed a vulnerability affecting 8.3p1 and earlier, so this blog built an 8.4p1 package set for CentOS 7 and shares it here.

Check the current environment first:

    [root@test]# ssh -V
    OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017

2. Before upgrading:

Note: if the machine has been through security-baseline hardening, back up /etc/pam.d/sshd first. The upgrade overwrites that file; if it was never modified, simply overwrite it with the version given later in this article. Also make sure the system is CentOS 7, that the installed OpenSSH is 7.x, and that OpenSSL is 1.0.2k or newer (a stock CentOS 7 normally meets both).

The packages come from the blog's own server rather than from the CentOS repositories, and no checksum or GPG signature is published for them, so inspect them before installing: rpm -K *.rpm reports whether each package is signed and whether its digests verify, and rpm -qpl *.rpm lists every path the package will write.

Download:

    wget -O openssh8.4.zip https://media.bnickolas.com/openssh8.4_1623659246383.zip
    unzip openssh8.4.zip

(Without -O, wget saves the file under its server-side name, openssh8.4_1623659246383.zip, and unzip openssh8.4.zip fails to find it.)

3. Installation:

    rpm -Uvh *.rpm

The install prints the following. This transcript was captured with an 8.1p1 build of the same package set; with the 8.4p1 packages the version strings read 8.4p1 instead.

    [root@test ~]# rpm -Uvh *.rpm
    Preparing...                          ################################# [100%]
    Updating / installing...
       1:openssh-8.1p1-1.el7              ################################# [ 14%]
       2:openssh-clients-8.1p1-1.el7      ################################# [ 29%]
       3:openssh-server-8.1p1-1.el7       ################################# [ 43%]
       4:openssh-debuginfo-8.1p1-1.el7    ################################# [ 57%]
    Cleaning up / removing...
       5:openssh-server-7.4p1-16.el7      ################################# [ 71%]
       6:openssh-clients-7.4p1-16.el7     ################################# [ 86%]
       7:openssh-7.4p1-16.el7             ################################# [100%]
    [root@test ~]# ssh -V
    OpenSSH_8.1p1, OpenSSL 1.0.2k-fips  26 Jan 2017

The complete command sequence for this step:

    # upgrade
    rpm -Uvh *.rpm
    # fix host-key permissions
    cd /etc/ssh/
    chmod 400 ssh_host_ecdsa_key ssh_host_ed25519_key ssh_host_rsa_key
    # allow root login
    echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
    # without replacing this file the password is accepted as correct but login still fails
    cat <<'EOF' > /etc/pam.d/sshd
    #%PAM-1.0
    auth       required     pam_sepermit.so
    auth       include      password-auth
    account    required     pam_nologin.so
    account    include      password-auth
    password   include      password-auth
    # pam_selinux.so close should be the first session rule
    session    required     pam_selinux.so close
    session    required     pam_loginuid.so
    # pam_selinux.so open should only be followed by sessions to be executed in the user context
    session    required     pam_selinux.so open env_params
    session    optional     pam_keyinit.so force revoke
    session    include      password-auth
    EOF

Two things to know about the PermitRootLogin line. sshd honours the first uncommented occurrence of a directive, so appending to the end of sshd_config only takes effect if no earlier PermitRootLogin line exists; check the value sshd actually uses with sshd -T | grep -i permitrootlogin. And allowing root password login undoes a common hardening item: upstream's default, PermitRootLogin prohibit-password, still permits key-based root login, so only add "yes" if password login as root is genuinely required.
Restart the service:

    systemctl restart sshd

Do this from a session you keep open, and run sshd -t first: if the new config or PAM file is broken, the session that is already open is the only way back in.

Note: after the upgrade, restarting SSH may fail with the following error:

    It is required that your private key files are NOT accessible by others.
    This private key will be ignored.
    Unable to load host key "/etc/ssh/ssh_host_ed25519_key": bad permissions
    Unable to load host key: /etc/ssh/ssh_host_ed25519_key
    sshd: no hostkeys available -- exiting.
    [FAILED]
    sshd.service: control process exited, code=exited status=1
    Failed to start SYSV: OpenSSH server daemon.
    Unit sshd.service entered failed state.
    sshd.service failed.

Fix:

    chmod 0600 /etc/ssh/ssh_host_ed25519_key
    service sshd restart

The stock CentOS 7 package ships its host keys as root:ssh_keys with mode 0640 and its patched sshd accepts that; the upstream build applies the standard check and ignores any host key readable by group or other, so every /etc/ssh/ssh_host_*_key must be 0600 (or 0400).

Note: if a new terminal still rejects the root password after the steps above, SELinux is the likely cause. Disable it temporarily:

    setenforce 0

Login then works. To disable it permanently, edit /etc/selinux/config:

    sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config

Before turning SELinux off machine-wide, look at the denial actually involved with ausearch -m avc -ts recent; if it is a file-label problem, restorecon -Rv /usr/sbin/sshd /etc/ssh relabels the new binaries and keys and fixes it without removing the protection. Disabling SELinux to work around one denial removes it for every service on the host.

Note: if the CentOS 7 default OpenSSL is not 1.0.2k, upgrade it first:

    yum install openssl -y

then return to step 1 and install.
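The whole procedure above, folded into one script, as an added example by the editor rather than code from the original post. It assumes it is run as root from the directory holding the unpacked *.rpm files, the stock CentOS 7 paths, and a hypothetical file name upgrade-check.sh. The check functions take their input as arguments, so the version parsing, the first-match rule for PermitRootLogin and the host-key permission check can be exercised with constructed strings before touching a real host.

```shell
#!/bin/sh
# Pre-flight, install and post-install checks for the CentOS 7 OpenSSH rpm upgrade.
# Editor's example, not the post's code. Assumes: root, cwd holds the *.rpm files,
# stock CentOS 7 paths. Check functions take their input as arguments so they can
# be run offline against constructed strings.

# "OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017" -> "7.4"
ssh_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# same banner -> "1.0.2k"
openssl_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/.*OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p'
}

# Field-by-field version compare; returns 0 when $1 >= $2. A trailing OpenSSL patch
# letter ("k" in 1.0.2k) becomes its own field and is compared as a string.
version_ge() {
    v1=$(printf '%s.' "$1" | sed 's/\([0-9]\)\([a-z]\)\./\1.\2./')
    v2=$(printf '%s.' "$2" | sed 's/\([0-9]\)\([a-z]\)\./\1.\2./')
    i=1
    while :; do
        f1=$(printf '%s' "$v1" | cut -d. -f"$i")
        f2=$(printf '%s' "$v2" | cut -d. -f"$i")
        if [ -z "$f1" ] && [ -z "$f2" ]; then return 0; fi   # no fields left: equal
        f1=${f1:-0}; f2=${f2:-0}
        if [ "$f1" != "$f2" ]; then
            case "$f1$f2" in
                *[!0-9]*) lo=$(printf '%s\n%s\n' "$f1" "$f2" | sort | head -n 1)
                          if [ "$lo" = "$f2" ]; then return 0; else return 1; fi ;;
                *)        if [ "$f1" -gt "$f2" ]; then return 0; else return 1; fi ;;
            esac
        fi
        i=$((i + 1))
    done
}

# The post's affected range is 8.3p1 and below: upgrade when the installed version < 8.4.
needs_upgrade() {
    v=$(ssh_version_from_banner "$1")
    if [ -z "$v" ]; then echo "unrecognised ssh -V output: $1" >&2; return 2; fi
    if version_ge "$v" "8.4"; then return 1; fi
    return 0
}

# $1 = contents of /etc/os-release
is_centos7() {
    printf '%s\n' "$1" | grep -q '^ID="*centos"*$' &&
    printf '%s\n' "$1" | grep -q '^VERSION_ID="*7"*$'
}

# sshd ignores host keys readable by group/other ("bad permissions" after the upgrade):
# every key given must be mode 0600 or 0400.
host_keys_private() {
    for k in "$@"; do
        mode=$(stat -c %a "$k" 2>/dev/null || stat -f %Lp "$k" 2>/dev/null) || return 1
        case "$mode" in
            600|400) ;;
            *) echo "$k has mode $mode, sshd will ignore it" >&2; return 1 ;;
        esac
    done
    return 0
}

# sshd honours the FIRST uncommented occurrence of a directive, so an appended
# "PermitRootLogin yes" only counts if nothing earlier set it. Mirrors that rule on the
# text of sshd_config (stops at the first Match block); prints nothing when unset.
effective_permit_root_login() {
    printf '%s\n' "$1" | awk '
        tolower($1) == "match" { exit }
        tolower($1) == "permitrootlogin" { print $2; exit }'
}

main() {
    banner=$(ssh -V 2>&1)                      # ssh -V prints its banner on stderr
    if ! is_centos7 "$(cat /etc/os-release)"; then echo "not CentOS 7, aborting" >&2; exit 1; fi
    if ! version_ge "$(openssl_version_from_banner "$banner")" "1.0.2k"; then
        echo "OpenSSL older than 1.0.2k: run 'yum install openssl -y' first" >&2; exit 1
    fi
    if ! needs_upgrade "$banner"; then echo "nothing to do: $banner"; exit 0; fi
    ts=$(date +%Y%m%d%H%M%S)
    cp -p /etc/pam.d/sshd "/etc/pam.d/sshd.$ts.bak"            # the rpm overwrites this file
    cp -p /etc/ssh/sshd_config "/etc/ssh/sshd_config.$ts.bak"
    rpm -K ./*.rpm                                               # signature / digest status
    rpm -Uvh ./*.rpm
    chmod 0600 /etc/ssh/ssh_host_*_key
    host_keys_private /etc/ssh/ssh_host_*_key || exit 1
    if ! cmp -s /etc/pam.d/sshd "/etc/pam.d/sshd.$ts.bak"; then
        echo "/etc/pam.d/sshd was replaced by the rpm; merge or restore from the backup" >&2
    fi
    sshd -t || exit 1                                            # syntax check before restart
    echo "effective PermitRootLogin: $(effective_permit_root_login "$(cat /etc/ssh/sshd_config)")"
    echo "ok: run 'systemctl restart sshd' from a session you keep open, then test a new login"
}

# Act only when invoked as "./upgrade-check.sh run"; sourcing the file just defines the functions.
if [ "${1:-}" = "run" ]; then main; fi
```

On a real host, sshd -T | grep -i permitrootlogin is the authoritative check of the effective value; effective_permit_root_login only reproduces the first-match rule so it can be tested without sshd. The script deliberately stops before the restart so that the session it runs in stays available if the new configuration turns out to be broken.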