centos ssh一键升级到9.8版本脚本

发布于:2024-07-06 ⋅ 阅读:(59) ⋅ 点赞:(0)

背景

前端时间暴露出ssh漏洞,需要将服务器ssh版本,目前ssh版本最新版为9.8,故在服务器测试,准备将所有服务器ssh版本升级。脚本在centos7.6上亲测可用。

#!/bin/bash
#Author Mr zhang

ECHO_GREEN()
{
  echo -e "\033[32m $1...\033[0m"
}

ECHO_RED()
{
  echo -e "\033[31m $1...\033[0m" 
}
ECHO_PURPLE()
{
  echo -e "\033[35m $1...\033[0m"
}

function InstallLib(){
    yum -y install  gcc wget zlib-devel pam-devel libselinux-devel 
}

function InstallSsl(){
    ECHO_GREEN "start to install ssl"
    yum remove openssl -y 
    wget wget https://www.openssl.org/source/old/1.1.1/openssl-1.1.1w.tar.gz
    tar axf openssl-1.1.1w.tar.gz
    cd openssl-1.1.1w && ./config --prefix=/usr
    make && make install
    cd ..
    SslVersion=$(openssl version)
    ECHO_GREEN "ssl : ${SslVersion} install finished!"

}

function InstallSshd(){
    mkdir /home/ssh
    cp /etc/ssh/sshd_config /home/ssh/sshd_config.bak
    cp /etc/pam.d/sshd /home/ssh/sshd.bak
    wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.8p1.tar.gz
    # remove origin sshd
    rpm -e --nodeps `rpm -qa | grep openssh`
    rpm -qa openssh
    tar axf openssh-9.8p1.tar.gz
    cd openssh-9.8p1
    ./configure --prefix=/usr/local/openssh9.8p1 --exec-prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-zlib --with-selinux --with-tcp-wrappers --with-ssl-dir=/usr/local/ssl --without-hardening
    make && make install
    chmod 600 /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_ecdsa_key /etc/ssh/ssh_host_ed25519_key
    cd ..
    cp -a ./openssh-9.8p1/contrib/redhat/sshd.init /etc/init.d/sshd
    chmod u+x /etc/init.d/sshd
    cp /home/ssh/sshd_config.bak /etc/ssh/sshd_config
    cp /home/ssh/sshd.bak /etc/pam.d/sshd
    chkconfig --add sshd
    chkconfig sshd on
    # 去掉注释
    sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config
    sed -i 's/#PermitRootLogin yes/PermitRootLogin yes/' /etc/ssh/sshd_config
    sed -i 's/#UseDNS no/UseDNS no/' /etc/ssh/sshd_config
    sed -i '$a\# 在行尾增加",ecdh-sha2-nistp521",以满足ecdsa公钥方式登录(密钥长度521)'  /etc/ssh/sshd_config
    sed -i '$a\KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1'  /etc/ssh/sshd_config
    sed -i '$a\# 增加",ssh-rsa",以满足RSA 登录'  /etc/ssh/sshd_config
    sed -i '$a\HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512,ssh-rsa'  /etc/ssh/sshd_config
    sed -i '$a\PubkeyAcceptedKeyTypes ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512,ssh-rsa'  /etc/ssh/sshd_config
    systemctl restart sshd


}

UpToVersion="OpenSSH_9.8p1"
#注意:升级前与一台服务器做好免密登陆
CurVersion=$(ssh -V 2>&1 | awk -F "," '{print $1}')
ECHO_GREEN "current ssh version is: ${CurVersion}"
if [[ ${CurVersion} !=  ${UpToVersion} ]];then
    ECHO_GREEN "continue"
    ECHO_GREEN " start to update ,please wait----"
    InstallLib
    InstallSsl
    InstallSshd
    ECHO_GREEN "sshd install success!"
else
    ECHO_GREEN "no need to update"
    ECHO_GREEN "skip"
fi

升级后影响

1.升级ssh过程中需要升级openssl,可能会导致nginx等服务不可用,升级需谨慎,慎重!!

2.可能会导致sftp不可用

解决方法

[root@localhost ~]# find / -name sftp-server
/usr/libexec/sftp-server
#将配置文件sshd Subsystem sftp 修改为上述结果 例如:
[root@localhost ~]# cat /etc/ssh/sshd_config | grep Subsystem 
Subsystem	sftp	/usr/libexec/sftp-server

3.有可能会修改环境变量,导致 /usr/local/bin下的可执行文件不可用
解决方法

#修改/etc/profile 增加
[root@localhost ~]# cat /etc/profile| grep export 
export PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

网站公告

今日签到

点亮在社区的每一天
去签到

热门文章

最新发布