Linux SSH Upgrade

2018-09-18 12:31:33  Views: 174  Source: Internet

Many technical colleagues in the financial industry will have run into a certain vendor's vulnerability scanner: when it scans a Linux host it reports a high-risk SSH vulnerability, but fixing it tends to run into unexpected problems, such as root being unable to log in while newly created users can, or nobody being able to log in remotely once the upgrade is finished. This is a record of one run that actually worked, for reference only.


Environment

CentOS 7, openssl-1.0.2n.tar.gz, openssh-7.6p1.tar.gz


Upgrade steps

Install Telnet (optional)

Telnet is installed so that the host can still be reached remotely if SSH stops accepting logins; if you can work at the console of the machine, this step is optional.

Disable SELinux and the firewall

  vi /etc/selinux/config
  # change SELINUX=enforcing to SELINUX=disabled

  systemctl stop firewalld.service
  systemctl disable firewalld.service
  systemctl status firewalld.service

Reboot when this is done.

Uninstall the old versions

Uninstall the existing openssl and openssh packages:

  rpm -qa | grep openssl
  # lists the installed openssl packages
  rpm -e --nodeps xxxxxx       # one of the packages listed above
  # remove them one by one
  rpm -qa | grep openssh
  # lists the installed openssh packages
  rpm -e --nodeps xxxxxxx      # one of the packages listed above
  # remove them one by one

After uninstalling, a reboot of the server is recommended. Note that --nodeps removes these packages even though other installed software still links against libssl.so.10 and libcrypto.so.10, which is why the openssl step below re-creates those sonames under /usr/lib64.

Download the installation files

Download openssl-1.0.2n.tar.gz and openssh-7.6p1.tar.gz and upload them to the server. If files cannot be copied to the host directly, do this beforehand: download them and upload them into the server's /usr directory. Extract:

  tar xvf openssl-1.0.2n.tar.gz
  tar xvf openssh-7.6p1.tar.gz

Extraction produces the two corresponding directories.


Upgrade openssl

First enter the openssl directory and build.

  cd /usr/openssl-1.0.2n       # directory produced by tar above
  ./config shared && make && make install

This takes a little while; when it finishes, refresh the dynamic linker cache.

  echo "/usr/local/ssl/lib" >> /etc/ld.so.conf
  ldconfig -v

Configure the openssl libraries

  cp /usr/local/ssl/lib/libssl.so.1.0.0 /usr/lib64
  cp /usr/local/ssl/lib/libcrypto.so.1.0.0 /usr/lib64
  chmod 555 /usr/lib64/libssl.so.1.0.0
  chmod 555 /usr/lib64/libcrypto.so.1.0.0
  ln -s /usr/lib64/libcrypto.so.1.0.0 /usr/lib64/libcrypto.so.10
  ln -s /usr/lib64/libssl.so.1.0.0 /usr/lib64/libssl.so.10
  ln -s /usr/lib64/libcrypto.so.1.0.0 /usr/lib64/libcrypto.so
  ln -s /usr/lib64/libssl.so.1.0.0 /usr/lib64/libssl.so
  ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
  ln -s /usr/local/ssl/include/openssl /usr/include/openssl

Check when done:

  openssl version -a           # show the openssl version and build details

Upgrade openssh

Enter the corresponding directory (openssh-7.6p1).

Build:

  # tcp_wrappers support was removed in OpenSSH 6.7, so 7.6p1's configure only
  # warns about --with-tcp-wrappers and ignores it
  ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-tcp-wrappers --with-ssl-dir=/usr/local/ssl --without-hardening
  make && make install

When it finishes it warns that some keys are too open, so fix their permissions. Enter /etc/ssh:

  chmod 600 ssh_host_ecdsa_key
  chmod 600 ssh_host_rsa_key
  chmod 600 ssh_host_ed25519_key

Then go back to the openssh directory and run again:

  make && make install

Replace the sshd init script.

  cp ./contrib/redhat/sshd.init /etc/init.d/sshd
  chmod u+x /etc/init.d/sshd

Copy the configuration files

  cp ssh_config /etc/ssh/ssh_config          # answer y to overwrite
  cp -p sshd_config /etc/ssh/sshd_config     # answer y to overwrite

Edit the sshd configuration file (vi /etc/ssh/sshd_config); the resulting file is pasted here in full:

  # $OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $

  # This is the sshd server system-wide configuration file. See
  # sshd_config(5) for more information.

  # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

  # The strategy used for options in the default sshd_config shipped with
  # OpenSSH is to specify options with their default value where
  # possible, but leave them commented. Uncommented options override the
  # default value.

  #Port 22
  #AddressFamily any
  #ListenAddress 0.0.0.0
  #ListenAddress ::

  #HostKey /etc/ssh/ssh_host_rsa_key
  #HostKey /etc/ssh/ssh_host_dsa_key
  #HostKey /etc/ssh/ssh_host_ecdsa_key
  #HostKey /etc/ssh/ssh_host_ed25519_key

  # Ciphers and keying
  #RekeyLimit default none

  # Logging
  #SyslogFacility AUTH
  SyslogFacility AUTHPRIV
  #LogLevel INFO

  # Authentication:

  #LoginGraceTime 2m
  PermitRootLogin yes
  #PermitRootLogin prohibit-password
  #StrictModes yes
  #MaxAuthTries 6
  #MaxSessions 10

  #PubkeyAuthentication yes

  # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
  # but this is overridden so installations will only check .ssh/authorized_keys
  AuthorizedKeysFile .ssh/authorized_keys

  #AuthorizedPrincipalsFile none

  #AuthorizedKeysCommand none
  #AuthorizedKeysCommandUser nobody

  # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
  #HostbasedAuthentication no
  # Change to yes if you don't trust ~/.ssh/known_hosts for
  # HostbasedAuthentication
  #IgnoreUserKnownHosts no
  # Don't read the user's ~/.rhosts and ~/.shosts files
  #IgnoreRhosts yes

  # To disable tunneled clear text passwords, change to no here!
  #PasswordAuthentication yes
  #PermitEmptyPasswords no
  PasswordAuthentication yes

  # Change to no to disable s/key passwords
  #ChallengeResponseAuthentication yes

  # Kerberos options
  #KerberosAuthentication no
  #KerberosOrLocalPasswd yes
  #KerberosTicketCleanup yes
  #KerberosGetAFSToken no

  # GSSAPI options
  #GSSAPIAuthentication no
  #GSSAPICleanupCredentials yes

  # Set this to 'yes' to enable PAM authentication, account processing,
  # and session processing. If this is enabled, PAM authentication will
  # be allowed through the ChallengeResponseAuthentication and
  # PasswordAuthentication. Depending on your PAM configuration,
  # PAM authentication via ChallengeResponseAuthentication may bypass
  # the setting of "PermitRootLogin without-password".
  # If you just want the PAM account and session checks to run without
  # PAM authentication, then enable this but set PasswordAuthentication
  # and ChallengeResponseAuthentication to 'no'.
  #UsePAM no
  UsePAM yes

  #AllowAgentForwarding yes
  #AllowTcpForwarding yes
  #GatewayPorts no
  #X11Forwarding no
  #X11DisplayOffset 10
  #X11UseLocalhost yes
  #PermitTTY yes
  #PrintMotd yes
  #PrintLastLog yes
  #TCPKeepAlive yes
  #UseLogin no
  #PermitUserEnvironment no
  #Compression delayed
  #ClientAliveInterval 0
  #ClientAliveCountMax 3
  #UseDNS no
  UseDNS no
  #PidFile /var/run/sshd.pid
  #MaxStartups 10:30:100
  #PermitTunnel no
  #ChrootDirectory none
  #VersionAddendum none
  # no default banner path
  #Banner none
  # override default of no subsystems
  Subsystem sftp /usr/libexec/sftp-server

  # Example of overriding settings on a per-user basis
  #Match User anoncvs
  # X11Forwarding no
  # AllowTcpForwarding no
  # PermitTTY no
  # ForceCommand cvs server
  #KexAlgorithms
  #diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1
  Banner /etc/sshbanner

Create /etc/pam.d/sshd with the following content:

  #%PAM-1.0
  auth required pam_sepermit.so
  auth include password-auth
  account required pam_nologin.so
  account include password-auth
  password include password-auth
  # pam_selinux.so close should be the first session rule
  session required pam_selinux.so close
  session required pam_loginuid.so
  # pam_selinux.so open should only be followed by sessions to be executed in the user context
  session required pam_selinux.so open env_params
  session optional pam_keyinit.so force revoke
  session include password-auth

Done; restart the service. All users, root included, can now log in.
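As an added check that is not part of the original post (helper names are this example's own; it assumes the /etc/ssh layout above and GNU or BSD stat): run this before the final service restart, so the lockout described in the introduction is noticed while the current session is still open. It verifies the host-key permissions from the chmod step, shows the login-related settings resolved the way sshd reads sshd_config (first uncommented occurrence wins, so an unset PermitRootLogin falls back to 7.6's prohibit-password default), and runs sshd -t against the newly installed binary.

```shell
#!/bin/sh
# Added pre-restart check for the upgrade above; not part of the original post.
# Helper names are this example's own; the directory defaults to /etc/ssh.

# Print the effective value of one sshd_config keyword. As in sshd_config(5),
# the first uncommented occurrence wins, keywords are case-insensitive, and
# parsing stops at the first Match block (its settings are conditional).
# Returns 1 when the keyword is unset, i.e. the compiled-in default applies.
sshd_effective() {
    awk -v kw="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        NF == 0 || $1 ~ /^#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == kw { $1 = ""; sub(/^ +/, ""); print; found = 1; exit }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# sshd rejects host keys whose mode is wider than 0600 ("permissions are too
# open"), which is what the chmod step above fixes. Returns 1 if any key is off.
check_host_key_perms() {
    bad=0
    for key in "$1"/ssh_host_*_key; do
        [ -e "$key" ] || continue
        mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")  # GNU, then BSD stat
        if [ "$mode" != "600" ]; then
            echo "BAD: $key is mode $mode, expected 600" >&2
            bad=1
        fi
    done
    return $bad
}

preflight() {
    dir="${1:-/etc/ssh}"
    cfg="$dir/sshd_config"
    check_host_key_perms "$dir"
    # An unset PermitRootLogin means OpenSSH 7.6's compiled-in default,
    # prohibit-password: exactly the "root cannot log in" symptom described above.
    for kw in PermitRootLogin PasswordAuthentication UsePAM; do
        printf '%-22s %s\n' "$kw" "$(sshd_effective "$cfg" "$kw" || echo '(unset: compiled-in default)')"
    done
    # Syntax-check the pasted config with the newly installed binary before restarting.
    if command -v sshd >/dev/null 2>&1; then sshd -t -f "$cfg"; fi
}

if [ "${1:-}" = "--run" ]; then preflight "${2:-}"; fi
```

Saved as, for example, check_sshd.sh, it is invoked as sh check_sshd.sh --run [/etc/ssh]; a BAD line or a non-zero exit means the service should not be restarted yet.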

Source: https://blog.csdn.net/sxjinmingjie/article/details/82755886
