CentOS 7.9 64-bit: fixing the OpenSSH vulnerability

Published: 2025-03-29

I. Background:

While running the CentOS 7.9 64-bit operating system, a vulnerability scan reported the following OpenSSH findings:

II. Steps to fix the OpenSSH vulnerability

Upgrade notes (all operations below assume root or administrator privileges; if you run into permission errors, prefix each command and command chain with sudo)

1. Check the CentOS operating system information:

(1) cat /etc/issue to check the version

[root@ecs-ab49 ~]# cat /etc/issue
\S
Kernel \r on an \m

(2) cat /etc/redhat-release to check the version (recommended)

[root@ecs-ab49 ~]# cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)

(3) cat /proc/version to check the kernel

[root@ecs-ab49 ~]# cat /proc/version
Linux version 3.10.0-1160.119.1.el7.x86_64 (mockbuild@kbuilder.bsys.centos.org) (gcc version 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC) ) #1 SMP Tue Jun 4 14:43:51 UTC 2024

2. Prepare the build dependencies:

(1) OpenSSL version: OpenSSH 8.0 currently does not support OpenSSL versions newer than 1.1.x; with a newer OpenSSL the build will fail.

[root@ecs-ab49 ~]# openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017
[root@ecs-ab49 ~]# rpm -qa|grep openssl
openssl-libs-1.0.2k-26.el7_9.x86_64
openssl-1.0.2k-26.el7_9.x86_64

If openssl is not installed, install openssl and openssl-devel:

[root@ecs-ab49 ~]# yum install openssl-devel openssl

(2) zlib and zlib-devel dependency:
zlib 1.1.4, 1.2.1.2 or later

[root@ecs-ab49 ~]# rpm -q zlib  rpm -q zlib-devel
zlib-1.2.7-21.el7_9.x86_64
package  rpm is not installed
package zlib-devel is not installed

Note: zlib-devel is not installed here

[root@ecs-ab49 ~]# yum install zlib-devel
Loaded plugins: fastestmirror
Determining fastest mirrors
base                                                                                                                                                                               | 3.6 kB  00:00:00     
epel                                                                                                                                                                               | 4.3 kB  00:00:00     
extras                                                                                                                                                                             | 2.9 kB  00:00:00     
updates                                                                                                                                                                            | 2.9 kB  00:00:00     
(1/7): epel/x86_64/group                                                                                                                                                           | 399 kB  00:00:00     
(2/7): epel/x86_64/updateinfo                                                                                                                                                      | 1.0 MB  00:00:00     
(3/7): base/7/x86_64/group_gz                                                                                                                                                      | 153 kB  00:00:00     
(4/7): base/7/x86_64/primary_db                                                                                                                                                    | 6.1 MB  00:00:00     
(5/7): epel/x86_64/primary_db                                                                                                                                                      | 8.7 MB  00:00:00     
(6/7): updates/7/x86_64/primary_db                                                                                                                                                 |  27 MB  00:00:00     
(7/7): extras/7/x86_64/primary_db                                                                                                                                                  | 253 kB  00:00:00     
Resolving Dependencies
--> Running transaction check
---> Package zlib-devel.x86_64 0:1.2.7-21.el7_9 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

==========================================================================================================================================================================================================
 Package                                          Arch                                         Version                                                Repository                                     Size
==========================================================================================================================================================================================================
Installing:
 zlib-devel                                       x86_64                                       1.2.7-21.el7_9                                         updates                                        50 k

Transaction Summary
==========================================================================================================================================================================================================
Install  1 Package

Total download size: 50 k
Installed size: 132 k
Is this ok [y/d/N]: y
Downloading packages:
zlib-devel-1.2.7-21.el7_9.x86_64.rpm                                                                                                                                               |  50 kB  00:00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Warning: RPMDB altered outside of yum.
  Installing : zlib-devel-1.2.7-21.el7_9.x86_64                                                                                                                                                       1/1 
  Verifying  : zlib-devel-1.2.7-21.el7_9.x86_64                                                                                                                                                       1/1 

Installed:
  zlib-devel.x86_64 0:1.2.7-21.el7_9                                                                                                                                                                      

Complete!

Check the zlib and zlib-devel dependencies again:

[root@ecs-ab49 ~]# rpm -q zlib zlib-devel
zlib-1.2.7-21.el7_9.x86_64
zlib-devel-1.2.7-21.el7_9.x86_64

(3) GCC dependency:

Check the gcc version

[root@ecs-ab49 ~]# gcc -v
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/libexec/gcc/x86_64-redhat-linux/4.8.5/lto-wrapper
Target: x86_64-redhat-linux
Configured with: ../configure --prefix=/usr --mandir=/usr/share/man --infodir=/usr/share/info --with-bugurl=http://bugzilla.redhat.com/bugzilla --enable-bootstrap --enable-shared --enable-threads=posix --enable-checking=release --with-system-zlib --enable-__cxa_atexit --disable-libunwind-exceptions --enable-gnu-unique-object --enable-linker-build-id --with-linker-hash-style=gnu --enable-languages=c,c++,objc,obj-c++,java,fortran,ada,go,lto --enable-plugin --enable-initfini-array --disable-libgcj --with-isl=/builddir/build/BUILD/gcc-4.8.5-20150702/obj-x86_64-redhat-linux/isl-install --with-cloog=/builddir/build/BUILD/gcc-4.8.5-20150702/obj-x86_64-redhat-linux/cloog-install --enable-gnu-indirect-function --with-tune=generic --with-arch_32=x86-64 --build=x86_64-redhat-linux
Thread model: posix
gcc version 4.8.5 20150623 (Red Hat 4.8.5-44) (GCC) 

If gcc is missing, install it directly:

[root@ecs-ab49 ~]# yum install gcc

(4) Install pam-devel

[root@ecs-ab49 ~]# yum install -y pam-devel
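Before moving on to the configure step it is worth confirming every dependency from this section in one pass. The script below is an added example and not part of the original post; it parses the output of the same rpm -q and openssl version commands used above, so the checks can be exercised on captured strings as well as on the live host. The REQUIRED_PKGS list is an assumption drawn from the packages this section installs.

```shell
#!/bin/sh
# Added example (not from the original post): pre-flight dependency checks
# before building openssh-8.0p1 on CentOS 7.9. The checks parse command
# output strings so they can be exercised on captured output as well.

# Packages this section installs (assumed list, taken from the steps above).
REQUIRED_PKGS="gcc zlib zlib-devel openssl openssl-devel pam-devel"

# openssl_supported "OpenSSL 1.0.2k-fips  26 Jan 2017"
#   OpenSSH 8.0p1 builds against OpenSSL 1.0.x or 1.1.x only; anything
#   newer (e.g. OpenSSL 3.x) fails at configure time, so refuse it early.
openssl_supported() {
    ver=${1#OpenSSL }          # drop the leading "OpenSSL "
    ver=${ver%% *}             # keep "1.0.2k-fips", drop the date
    major=${ver%%.*}
    minor=${ver#*.}; minor=${minor%%.*}
    case "$major.$minor" in
        1.0|1.1) return 0 ;;
        *)       return 1 ;;
    esac
}

# missing_from_rpm_query "$(rpm -q $REQUIRED_PKGS 2>&1)"
#   rpm -q prints "package NAME is not installed" for each absent package.
#   Print those names one per line and return 1; return 0 if all present.
missing_from_rpm_query() {
    missing=$(printf '%s\n' "$1" | sed -n 's/^package \([^ ][^ ]*\) is not installed$/\1/p')
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing"
        return 1
    fi
    return 0
}

# preflight: run both checks against the live system.
preflight() {
    rc=0
    if ! openssl_supported "$(openssl version)"; then
        echo "unsupported OpenSSL for openssh-8.0p1: $(openssl version)" >&2; rc=1
    fi
    if ! missing=$(missing_from_rpm_query "$(rpm -q $REQUIRED_PKGS 2>&1)"); then
        echo "missing packages, run: yum install -y $(echo $missing)" >&2; rc=1
    fi
    return $rc
}

# Run the live check only where rpm and openssl exist (i.e. on the CentOS host).
if command -v rpm >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1; then
    if preflight; then echo "pre-flight OK: ready to build openssh-8.0p1"; fi
fi
```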

 

3. Install the telnet and xinetd services:

To guard against the upgrade failing, enable the telnet service first so the remote host can still be reached if the upgrade breaks sshd. Telnet is unencrypted, so it serves only as a temporary fallback and is removed again in step 5 once the new sshd is confirmed working.

(1) Install the telnet service:

[root@ecs-ab49 ~]# rpm -qa | grep telnet
[root@ecs-ab49 ~]# yum list |grep telnet 
dcap-tunnel-telnet.x86_64                2.47.14-1.el7                 epel     
libguac-client-telnet.x86_64             1:1.5.5-1.el7                 epel     
libtelnet.x86_64                         0.23-1.el7                    epel     
libtelnet-devel.x86_64                   0.23-1.el7                    epel     
libtelnet-utils.x86_64                   0.23-1.el7                    epel     
telnet.x86_64                            1:0.17-66.el7                 updates  
telnet-server.x86_64                     1:0.17-66.el7                 updates  
[root@ecs-ab49 ~]# yum install telnet-server.x86_64
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package telnet-server.x86_64 1:0.17-66.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

==========================================================================================================================================================================================================
 Package                                             Arch                                         Version                                             Repository                                     Size
==========================================================================================================================================================================================================
Installing:
 telnet-server                                       x86_64                                       1:0.17-66.el7                                       updates                                        41 k

Transaction Summary
==========================================================================================================================================================================================================
Install  1 Package

Total download size: 41 k
Installed size: 55 k
Is this ok [y/d/N]: y
Downloading packages:
telnet-server-0.17-66.el7.x86_64.rpm                                                                                                                                               |  41 kB  00:00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : 1:telnet-server-0.17-66.el7.x86_64                                                                                                                                                     1/1 
  Verifying  : 1:telnet-server-0.17-66.el7.x86_64                                                                                                                                                     1/1 

Installed:
  telnet-server.x86_64 1:0.17-66.el7                                                                                                                                                                      

Complete!

(2) Install the xinetd service:

[root@ecs-ab49 ~]# rpm -qa | grep xinetd
[root@ecs-ab49 ~]# yum list |grep xinetd
xinetd.x86_64                            2:2.3.15-14.el7               base  
[root@ecs-ab49 ~]# yum install xinetd.x86_64
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package xinetd.x86_64 2:2.3.15-14.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

==========================================================================================================================================================================================================
 Package                                        Arch                                           Version                                                 Repository                                    Size
==========================================================================================================================================================================================================
Installing:
 xinetd                                         x86_64                                         2:2.3.15-14.el7                                         base                                         128 k

Transaction Summary
==========================================================================================================================================================================================================
Install  1 Package

Total download size: 128 k
Installed size: 261 k
Is this ok [y/d/N]: y
Downloading packages:
xinetd-2.3.15-14.el7.x86_64.rpm                                                                                                                                                    | 128 kB  00:00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : 2:xinetd-2.3.15-14.el7.x86_64                                                                                                                                                          1/1 
  Verifying  : 2:xinetd-2.3.15-14.el7.x86_64                                                                                                                                                          1/1 

Installed:
  xinetd.x86_64 2:2.3.15-14.el7                                                                                                                                                                           

Complete!

Start the telnet and xinetd services and verify that you can log in:

[root@ecs-ab49 ~]# systemctl enable telnet.socket 
Created symlink from /etc/systemd/system/sockets.target.wants/telnet.socket to /usr/lib/systemd/system/telnet.socket.
[root@ecs-ab49 ~]# systemctl start telnet.socket 
[root@ecs-ab49 ~]# systemctl status telnet.socket 
● telnet.socket - Telnet Server Activation Socket
   Loaded: loaded (/usr/lib/systemd/system/telnet.socket; enabled; vendor preset: disabled)
   Active: active (listening) since Thu 2025-03-27 11:33:22 CST; 8s ago
     Docs: man:telnetd(8)
   Listen: [::]:23 (Stream)
 Accepted: 0; Connected: 0

Mar 27 11:33:22 ecs-ab49 systemd[1]: Listening on Telnet Server Activation Socket.
[root@ecs-ab49 ~]# systemctl enable xinetd 
[root@ecs-ab49 ~]# systemctl start xinetd
[root@ecs-ab49 ~]# systemctl status xinetd
● xinetd.service - Xinetd A Powerful Replacement For Inetd
   Loaded: loaded (/usr/lib/systemd/system/xinetd.service; enabled; vendor preset: enabled)
   Active: active (running) since Thu 2025-03-27 11:33:45 CST; 4s ago
  Process: 10174 ExecStart=/usr/sbin/xinetd -stayalive -pidfile /var/run/xinetd.pid $EXTRAOPTIONS (code=exited, status=0/SUCCESS)
 Main PID: 10175 (xinetd)
   CGroup: /system.slice/xinetd.service
           └─10175 /usr/sbin/xinetd -stayalive -pidfile /var/run/xinetd.pid

Mar 27 11:33:45 ecs-ab49 xinetd[10175]: removing discard
Mar 27 11:33:45 ecs-ab49 xinetd[10175]: removing discard
Mar 27 11:33:45 ecs-ab49 xinetd[10175]: removing echo
Mar 27 11:33:45 ecs-ab49 xinetd[10175]: removing echo
Mar 27 11:33:45 ecs-ab49 xinetd[10175]: removing tcpmux
Mar 27 11:33:45 ecs-ab49 xinetd[10175]: removing time
Mar 27 11:33:45 ecs-ab49 xinetd[10175]: removing time
Mar 27 11:33:45 ecs-ab49 xinetd[10175]: xinetd Version 2.3.15 started with libwrap loadavg labeled-networking options compiled in.
Mar 27 11:33:45 ecs-ab49 xinetd[10175]: Started working: 0 available services
Mar 27 11:33:45 ecs-ab49 systemd[1]: Started Xinetd A Powerful Replacement For Inetd.

Login verification:

4. Upgrade the OpenSSH version:

(1) Back up the original OpenSSH-related files

[root@ecs-ab49 ~]# cp -r -a /etc/ssh/ /etc/ssh.bak
[root@ecs-ab49 ~]# cp -r -a /etc/pam.d/ /etc/pam.d.bak
[root@ecs-ab49 ~]# mv /usr/sbin/sshd /usr/sbin/sshd.bak
[root@ecs-ab49 ~]# mv /usr/bin/ssh /usr/bin/ssh.bak
[root@ecs-ab49 ~]# mv /usr/bin/ssh-keygen /usr/bin/ssh-keygen.bak

(2) Download the openssh-8.0p1 source package:

[root@ecs-ab49 ~]# wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.0p1.tar.gz
--2025-03-27 11:42:18--  https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.0p1.tar.gz
Resolving cdn.openbsd.org (cdn.openbsd.org)... 151.101.91.52
Connecting to cdn.openbsd.org (cdn.openbsd.org)|151.101.91.52|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1597697 (1.5M) [application/octet-stream]
Saving to: ‘openssh-8.0p1.tar.gz’

100%[================================================================================================================================================================>] 1,597,697   1.53MB/s   in 1.0s   

2025-03-27 11:42:22 (1.53 MB/s) - ‘openssh-8.0p1.tar.gz’ saved [1597697/1597697]

Extract the openssh-8.0p1 package:

[root@ecs-ab49 ~]# tar -zxvf  openssh-8.0p1.tar.gz

(3) Remove the system's original openssh packages

Removal with rpm:

[root@ecs-ab49 ~]# rpm -e --nodeps `rpm -qa | grep openssh`

Removal with yum:

[root@ecs-ab49 ~]# yum remove openssh

(4) Build from source:

[root@ecs-ab49 ~]# cd openssh-8.0p1
[root@ecs-ab49 openssh-8.0p1]# ./configure --prefix=/usr/local/openssh8p1 --sysconfdir=/etc/ssh --with-pam --with-zlib

Result:

(5) Run make and make install:

[root@ecs-ab49 openssh-8.0p1]# make && sudo make install

(6) Install the OpenSSH files into place

[root@ecs-ab49 openssh-8.0p1]# cp /usr/local/openssh8p1/etc/sshd_config /etc/ssh/sshd_config
[root@ecs-ab49 openssh-8.0p1]# cp /usr/local/openssh8p1/sbin/sshd /usr/sbin/sshd
[root@ecs-ab49 openssh-8.0p1]# cp /usr/local/openssh8p1/bin/ssh /usr/bin/ssh
[root@ecs-ab49 openssh-8.0p1]# cp /usr/local/openssh8p1/bin/ssh-keygen /usr/bin/ssh-keygen
[root@ecs-ab49 openssh-8.0p1]# cp -p contrib/redhat/sshd.init /etc/init.d/sshd

(7) Set file permissions

[root@ecs-ab49 openssh-8.0p1]# chmod +x /etc/init.d/sshd


(8) Configuration file changes (as needed)

[root@ecs-ab49 openssh-8.0p1]# vi /etc/ssh/sshd_config

Add the following:

PermitRootLogin yes
PubkeyAuthentication yes
PasswordAuthentication yes

Comment out the following:

#TCPKeepAlive yes

(9) Enable start on boot

[root@ecs-ab49 openssh-8.0p1]# systemctl enable sshd

(10) Restart the service

[root@ecs-ab49 openssh-8.0p1]# systemctl restart sshd

(11) Verify the ssh version:

[root@ecs-ab49 ssh]# ssh -V
OpenSSH_8.0p1, OpenSSL 1.0.2k-fips  26 Jan 2017

Verify whether the OpenSSH vulnerability has been fixed; the result confirms that it is fixed.
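The settings in step (8) are appended with vi, but sshd applies the first uncommented occurrence of each option, so an existing PermitRootLogin line earlier in the file would silently win over the appended one. The helpers below are an added example (not from the original post): they edit the first match in place, report the value sshd will actually use, and check the ssh -V string from step (11). The temporary file and its contents are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original post): post-upgrade helpers for
# step (8) and step (11). sshd honours only the FIRST uncommented occurrence
# of an option in sshd_config, so simply appending "PermitRootLogin yes" below
# an existing "PermitRootLogin no" changes nothing. These helpers edit the
# first matching line in place and only append when the option is absent.
# Character classes are avoided in the awk regexes so mawk works too.

# set_sshd_option FILE KEY VALUE
set_sshd_option() {
    awk -v k="$2" -v v="$3" '
        !done && $0 ~ ("^[# \t]*" k "([ \t]|$)") { print k " " v; done = 1; next }
        { print }
        END { if (!done) print k " " v }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"   # reapply chmod 600 on a real sshd_config
}

# comment_sshd_option FILE KEY : disable every active occurrence of KEY
comment_sshd_option() {
    awk -v k="$2" '
        $0 ~ ("^[ \t]*" k "([ \t]|$)") { print "#" $0; next }
        { print }
    ' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# effective_sshd_option FILE KEY : the value sshd will actually use
# (first uncommented occurrence; prints nothing if the option is unset)
effective_sshd_option() {
    awk -v k="$2" '$0 ~ ("^[ \t]*" k "([ \t]|$)") { print $2; exit }' "$1"
}

# ssh_version_ge "$(ssh -V 2>&1)" MAJOR MINOR : installed OpenSSH >= MAJOR.MINOR?
# ssh -V writes its banner to stderr, hence the 2>&1 at the call site.
ssh_version_ge() {
    v=${1#OpenSSH_}; v=${v%%,*}; v=${v%%p*}          # "8.0p1, OpenSSL ..." -> "8.0"
    maj=${v%%.*}; min=${v#*.}; min=${min%%.*}
    case "$maj$min" in *[!0-9]*|'') return 1 ;; esac   # unparsable banner -> not ok
    [ "$maj" -gt "$2" ] || { [ "$maj" -eq "$2" ] && [ "$min" -ge "$3" ]; }
}

# Demo on a constructed copy so the real /etc/ssh/sshd_config is untouched.
demo=$(mktemp)
printf '#PermitRootLogin prohibit-password\nPermitRootLogin no\nTCPKeepAlive yes\n' > "$demo"
set_sshd_option "$demo" PermitRootLogin yes
set_sshd_option "$demo" PasswordAuthentication yes
comment_sshd_option "$demo" TCPKeepAlive
echo "effective PermitRootLogin: $(effective_sshd_option "$demo" PermitRootLogin)"  # yes
rm -f "$demo"
if command -v ssh >/dev/null 2>&1 && ssh_version_ge "$(ssh -V 2>&1)" 8 0; then
    echo "installed OpenSSH is 8.0 or newer"
fi
```

After editing the real file, run /usr/sbin/sshd -t before systemctl restart sshd so a typo in sshd_config cannot leave the host reachable only over the telnet fallback.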

5. Remove the telnet and xinetd services:

(1) Check the installed telnet and xinetd packages and remove them

[root@ecs-ab49 ssh]# rpm -qa | grep -E 'telnet|xinetd'
[root@ecs-ab49 ssh]# yum remove -y telnet-server.x86_64 xinetd.x86_64

Removal with rpm instead of yum:

[root@ecs-ab49 ssh]# rpm -e telnet-server xinetd

(2) Restore the modified securetty file

[root@ecs-ab49 ssh]# mv  /etc/securetty.bak  /etc/securetty

This completes the OpenSSH vulnerability fix on CentOS 7.9 64-bit.

