升级OpenSSL和OpenSSH 修复漏洞

升级OpenSSL和OpenSSH

目前版本OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017

升级到OpenSSH_9.8p1, OpenSSL 1.1.1u 30 May 2023

服务器CentOS Linux release 7.6.1810 (Core)

一、升级OpenSSL到1.1.1u

1. 下载并编译 OpenSSL（推荐目录 /usr/local/openssl）

   wget https://www.openssl.org/source/openssl-1.1.1u.tar.gz
   tar zxvf openssl-1.1.1u.tar.gz
   cd openssl-1.1.1u
   
   ./config --prefix=/usr/local/openssl --openssldir=/usr/local/openssl shared zlib
   make -j$(nproc)
   make install
   

2. 设置 OpenSSL 环境变量

   echo "/usr/local/openssl/lib" > /etc/ld.so.conf.d/openssl.conf
   ldconfig
   
   export PATH=/usr/local/openssl/bin:$PATH
   export LD_LIBRARY_PATH=/usr/local/openssl/lib
   

   vim /etc/profile 追加下边两行，避免重启后失效。

   export PATH=/usr/local/openssl/bin:$PATH
   export LD_LIBRARY_PATH=/usr/local/openssl/lib
   

   source /etc/profile

3. 验证 OpenSSL 是否生效

   openssl version
   

   OpenSSL 1.1.1u  30 May 2023
   

二、升级OpenSSH到9.8p1

1. 安装依赖

   yum groupinstall -y "Development Tools"
   yum install -y wget pam-devel zlib-devel openssl-devel
   

2. 下载并准备 OpenSSH 9.8p1

   wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.8p1.tar.gz
   tar -zxvf openssh-9.8p1.tar.gz
   cd openssh-9.8p1
   

3. 备份旧 SSHD

   cp /usr/sbin/sshd /usr/sbin/sshd.bak.$(date +%F-%H-%M-%S)
   cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak.$(date +%F-%H-%M-%S)
   

4. 配置并编译安装 OpenSSH 9.8p1（指定新版 OpenSSL 路径）

   ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-ssl-dir=/usr/local/openssl
   make -j$(nproc)
   make install
   

5. 设置 sshd 服务（如无 systemd 单元文件）

   if [ ! -f /usr/lib/systemd/system/sshd.service ]; then
     cp contrib/redhat/sshd.init /etc/init.d/sshd
     chmod +x /etc/init.d/sshd
     systemctl daemon-reexec
     systemctl daemon-reload
     systemctl enable sshd
   fi
   

6. 重启 SSH 服务并验证版本

   安全提示（强烈建议）

   在你执行 systemctl restart sshd 之前：

   • 开两个 SSH 会话，防止断连；
   • 设置自动回滚任务（如果失败自动恢复旧版本）：

   echo "cp /usr/sbin/sshd.bak* /usr/sbin/sshd && systemctl restart sshd" | at now + 5 minutes
   

   systemctl restart sshd
   /usr/sbin/sshd -V
   

   OpenSSH_10.0p1, OpenSSL 1.1.1u ...
   

三、解决yum install -y wget pam-devel zlib-devel openssl-devel下载失败问题

在可以正常执行 yum install -y wget pam-devel zlib-devel openssl-devel的服务器执行下列命令

1. 安装 yum-utils（包含 yumdownloader）

yum install -y yum-utils

2. 创建存放 RPM 的目录并下载所有依赖包

   mkdir -p /tmp/rpms
   cd /tmp/rpms
   yumdownloader --resolve wget pam-devel zlib-devel openssl-devel
   

3. 检查下载的 RPM 文件

   ls -l /tmp/rpms/*.rpm
   

   -rw-r--r-- 1 root root  1582172 Jun 17 16:17 openssl-devel-1.0.2k-26.el7_9.i686.rpm
   -rw-r--r-- 1 root root  1582400 Jun 17 16:17 openssl-devel-1.0.2k-26.el7_9.x86_64.rpm
   -rw-r--r-- 1 root root  1021796 Jun 17 16:17 openssl-libs-1.0.2k-26.el7_9.i686.rpm
   -rw-r--r-- 1 root root   736976 Jun 17 16:17 pam-1.1.8-23.el7.i686.rpm
   -rw-r--r-- 1 root root   189152 Jun 17 16:17 pam-devel-1.1.8-23.el7.i686.rpm
   -rw-r--r-- 1 root root   189124 Jun 17 16:17 pam-devel-1.1.8-23.el7.x86_64.rpm
   -rw-r--r-- 1 root root   430428 Jun 17 16:17 pcre-8.32-17.el7.i686.rpm
   -rw-r--r-- 1 root root   560272 Jun 17 16:17 wget-1.14-18.el7_6.1.x86_64.rpm
   -rw-r--r-- 1 root root    93224 Jun 17 16:17 zlib-1.2.7-21.el7_9.i686.rpm
   -rw-r--r-- 1 root root    51524 Jun 17 16:17 zlib-devel-1.2.7-21.el7_9.i686.rpm
   -rw-r--r-- 1 root root    51488 Jun 17 16:17 zlib-devel-1.2.7-21.el7_9.x86_64.rpm
   ......
   

4. 将 RPM 包复制到目标服务器

   scp -r /tmp/rpms root@目标服务器IP:/tmp/
   

5. 在目标服务器上手动安装

   cd /tmp/rpms
   rpm -ivh *.rpm --nodeps --force
   

四、OpenSSH make install 报如下错误

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_rsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Unable to load host key "/etc/ssh/ssh_host_rsa_key": bad permissions
Unable to load host key: /etc/ssh/ssh_host_rsa_key
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_ecdsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Unable to load host key "/etc/ssh/ssh_host_ecdsa_key": bad permissions
Unable to load host key: /etc/ssh/ssh_host_ecdsa_key
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_ed25519_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Unable to load host key "/etc/ssh/ssh_host_ed25519_key": bad permissions
Unable to load host key: /etc/ssh/ssh_host_ed25519_key
sshd: no hostkeys available -- exiting.
make: [Makefile:396: check-config] Error 1 (ignored)

解决方案：修复私钥权限

chmod 600 /etc/ssh/ssh_host_*_key