openssh.gif
CentOS7默认带的ssh版本是7.4p1存在远程代码执行漏洞,需升级至当前最新版OpenSSH_8.3解决,查看当前版本信息:

[root@c7 ~]# cat /etc/redhat-release
CentOS Linux release 7.7.1908 (Core)
[root@c7 ~]# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017

快速升级步骤如下:
安装基础组件:

yum install gcc gcc-c++ openssl-devel autoconf automake zlib zlib-devel pcre-devel pam-devel rpm-build pam-devel telnet -y

卸载系统老版本openssh,备份配置文件

rpm -e --nodeps $(rpm -qa | grep openssh)
cp -r /etc/ssh/ /tmp/ssh
cd /etc/ssh/
rm /etc/ssh/* -rf

下载openssh安装包编译安装,需要注意openssl的安装路径:

wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.3p1.tar.gz
tar xvf openssh-8.3p1.tar.gz
cd openssh-8.3p1
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-md5-passwords --with-tcp-wrappers --with-ssl-dir=/usr/local/openssl
make
make install

设置/etc/ssh/sshd_config文件参数如下:

Port 22
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
PermitRootLogin yes
AuthorizedKeysFile      .ssh/authorized_keys
PasswordAuthentication yes
PidFile /var/run/sshd.pid
Subsystem       sftp    /usr/libexec/sftp-server
KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1

KexAlgorithms为添加加密码算法;

复制配置文件、设置开机启动

cp -a contrib/redhat/sshd.init /etc/init.d/sshd
chmod +x /etc/init.d/sshd
chkconfig sshd on
service sshd restart 或 systemctl restart sshd

最后查看版本号:

[root@c7 ~]# ssh -V
OpenSSH_8.3p1, OpenSSL 1.1.1g  21 Apr 2020

升级至此完成。

Tags标签: none Tags相关文章如下:

上一篇:CentOS7快速升级OpenSSL

下一篇:redis-cli客户端命令整理