Upgrading OpenSSH to 9.8 on Linux CentOS 7.9

Mr_hwt_123 2024-08-26 13:37:01

I. Preface

1. Background

A vulnerability scan flagged high-risk OpenSSH findings. To deal with the newly published OpenSSH vulnerability CVE-2024-6387, OpenSSH needs to be upgraded to version 9.8.

2. Confirm the system

The process recorded here was done on CentOS 7.9 (2009); it will not necessarily apply to other Linux systems, so check that your own system matches before following it.

Command to check the system version:

cat /etc/centos-release

Check the ssh version:

ssh -V

3. Preparation before upgrading

The OpenSSH upgrade may go wrong and leave ssh unable to connect. To avoid an error during the upgrade leaving us without ssh access afterwards, we first open a telnet session and keep it as a fallback.

3.1 Open a telnet session as a fallback

If the telnet service is not enabled on the server, refer to the step "Enable telnet" below.

a) Enable the Telnet Client feature

Click Programs.

Click "Turn Windows features on or off".

Scroll down to "Telnet Client", tick it and confirm.

b) Open a telnet window and connect to the server as a fallback

Type telnet in the search box and run it.

Run the command to connect to the server:

o ip port

Enter the server's login account and password. A successful connection looks like the following (this uses ssh's port 22; port 23 on the server was deliberately opened temporarily as the port for the telnet connection).

3.2 Update dependency tools

# Install the related dependency tools
yum install -y vim gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel pam-devel zlib-devel tcp_wrappers-devel tcp_wrappers libedit-devel perl-IPC-Cmd wget tar lrzsz

At this point all the preparation is done; next comes the OpenSSH upgrade itself.

II. Upgrade process

1. Upgrade zlib

# Run the following commands
cd /usr/local/src
wget https://www.zlib.net/zlib-1.3.1.tar.gz

# Extract zlib
tar -xzvf zlib-1.3.1.tar.gz

# Enter the extracted zlib directory
cd zlib-1.3.1
ls /usr/local/
./configure --prefix=/usr/local/zlib
make -j 2
make test
make install
ls /usr/local/zlib/
echo '/usr/local/zlib/lib' >> /etc/ld.so.conf.d/zlib.conf
ldconfig -v

2. Upgrade OpenSSL

Because OpenSSH 9.8 requires OpenSSL >= 1.1.1, OpenSSL has to be upgraded first; this article upgrades OpenSSL to version 3.2.1.

# Back up the related files
cp -rf /etc/ssh /etc/ssh.bak
cp -rf /usr/bin/openssl /usr/bin/openssl.bak
cp -rf /etc/pam.d /etc/pam.d.bak
cp -rf /usr/lib/systemd/system /usr/lib/systemd/system.bak

# Download OpenSSL
cd /usr/local/src
wget https://www.openssl.org/source/openssl-3.2.1.tar.gz

# Extract the OpenSSL package
tar -xzvf openssl-3.2.1.tar.gz

# Enter the extracted directory
cd openssl-3.2.1

# Build and install
ls /usr/local/
./config --prefix=/usr/local/openssl
make -j2
make install
mv /usr/bin/openssl /usr/bin/openssl.bak
ll /usr/bin/open*
ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
ln -s /usr/local/openssl/lib64/libssl.so.3 /usr/lib64/libssl.so.3
ln -s /usr/local/openssl/lib64/libcrypto.so.3 /usr/lib64/libcrypto.so.3
echo '/usr/local/openssl/lib64' >> /etc/ld.so.conf.d/ssl.conf

# Check the OpenSSL version
openssl version -a

If the output looks like the following, the OpenSSL upgrade succeeded.

2.1 Remove the old sshd

[root@CentOS7 openssl-3.2.1]# yum remove openssh
Loaded plugins: fastestmirror
Resolving Dependencies
--> Running transaction check
---> Package openssh.x86_64 0:7.4p1-21.el7 will be erased
--> Processing Dependency: openssh = 7.4p1-21.el7 for package: openssh-clients-7.4p1-21.el7.x86_64
--> Processing Dependency: openssh = 7.4p1-21.el7 for package: openssh-server-7.4p1-21.el7.x86_64
--> Running transaction check
---> Package openssh-clients.x86_64 0:7.4p1-21.el7 will be erased
---> Package openssh-server.x86_64 0:7.4p1-21.el7 will be erased
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================================================
 Package                 Arch          Version
================================================================================================================
Removing:
 openssh                 x86_64        7.4p1-21.el7
Removing for dependencies:
 openssh-clients         x86_64        7.4p1-21.el7
 openssh-server          x86_64        7.4p1-21.el7

Transaction Summary
================================================================================================================
Remove  1 Package (+2 Dependent packages)

Installed size: 5.4 M
Is this ok [y/N]: y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Erasing    : openssh-server-7.4p1-21.el7.x86_64
  Erasing    : openssh-clients-7.4p1-21.el7.x86_64
  Erasing    : openssh-7.4p1-21.el7.x86_64
  Verifying  : openssh-clients-7.4p1-21.el7.x86_64
  Verifying  : openssh-7.4p1-21.el7.x86_64
  Verifying  : openssh-server-7.4p1-21.el7.x86_64

Removed:
  openssh.x86_64 0:7.4p1-21.el7

Dependency Removed:
  openssh-clients.x86_64 0:7.4p1-21.el7
  openssh-server.x86_64 0:7.

Complete!
[root@CentOS7 openssl-3.2.1]# rm -rf /etc/ssh/*

3. Upgrade OpenSSH

3.1 Enable telnet

3.1.1 Install telnet

# Install telnet as a fallback
yum install telnet-server telnet xinetd

3.1.2 Start the telnet service

# systemctl start telnet.socket
# systemctl start xinetd
# systemctl status telnet.socket
# systemctl status xinetd

3.1.3 Modify the configuration

vim /etc/pam.d/remote
# Comment out the line: auth required pam_securetty.so

3.1.4 Restart the telnet service

# systemctl restart xinetd
# systemctl restart telnet.socket

Now follow step 3.1 of the Preface to open the fallback telnet connection.

3.2 OpenSSH upgrade

3.2.1 Back up the related files

cp /etc/ssh/sshd_config /home/sshd_config.backup
cp /etc/pam.d/sshd /home/sshd.backup

3.2.2 Remove ssh

# List the OpenSSH-related packages
rpm -qa | grep openssh
#openssh-6.6.1p1-31.el7.x86_64
#openssh-server-6.6.1p1-31.el7.x86_64
#openssh-clients-6.6.1p1-31.el7.x86_64

# Remove them, substituting the package names your own system printed
rpm -e --nodeps openssh-6.6.1p1-31.el7.x86_64
rpm -e --nodeps openssh-server-6.6.1p1-31.el7.x86_64
rpm -e --nodeps openssh-clients-6.6.1p1-31.el7.x86_64

3.2.3 Download the OpenSSH 9.8 package

mkdir /home/file
cd /home/file
wget https://mirrors.aliyun.com/pub/OpenBSD/OpenSSH/portable/openssh-9.8p1.tar.gz

3.2.4 Extract and compile the OpenSSH package

tar -xf openssh-9.8p1.tar.gz
cd openssh-9.8p1
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-zlib --with-tcp-wrappers --with-ssl-dir=/usr/local/openssl/ --without-hardening
make && make install

3.2.5 Set permissions on the related files

chmod 600 /etc/ssh/ssh_host_rsa_key
chmod 600 /etc/ssh/ssh_host_ecdsa_key
chmod 600 /etc/ssh/ssh_host_ed25519_key

3.2.6 Copy the configuration files

cp -a contrib/redhat/sshd.init /etc/init.d/sshd
chmod u+x /etc/init.d/sshd

3.2.7 Restore the configuration

mv /home/sshd.backup /etc/pam.d/sshd
mv /home/sshd_config.backup /etc/ssh/sshd_config

3.2.8 Modify the configuration /etc/ssh/sshd_config

vim /etc/ssh/sshd_config
# Uncomment the following two lines
PermitRootLogin yes
PubkeyAuthentication yes

3.2.9 Add ssh to start at boot

chkconfig --add sshd
chkconfig sshd on

3.2.10 Restart ssh

systemctl restart sshd

3.2.11 Check the OpenSSH version

If the version shown is as above, the upgrade succeeded.
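The checks this procedure relies on (OpenSSH older than 9.8 must be upgraded; OpenSSH 9.8 builds only against OpenSSL >= 1.1.1) can be scripted so that the same script serves as the pre-flight check before step II.2 and as the verification in step 3.2.11. This is an added example, not code from the original post; the function names and the sample banners are my own, and it assumes only a POSIX sh with awk and sed.

```shell
#!/bin/sh
# Added example (not from the original post): parses the banners printed by
# `ssh -V` and `openssl version` and applies the two version rules the post
# states: OpenSSH >= 9.8 (CVE-2024-6387) and OpenSSL >= 1.1.1 for the build.
# ver_ge A B: exit 0 when dotted version A >= B. Suffixes such as "p1" or
# "k-fips" are dropped first, so "9.8p1" compares equal to "9.8".
ver_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/[^0-9.].*/, "", a); sub(/[^0-9.].*/, "", b)
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            p = (i in x) ? x[i] + 0 : 0
            q = (i in y) ? y[i] + 0 : 0
            if (p > q) exit 0; if (p < q) exit 1
        }
        exit 0
    }'
}
# "OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017" -> "7.4p1"
openssh_version() { printf '%s' "$1" | sed -n 's/^OpenSSH_\([^, ]*\).*/\1/p'; }
# Same banner -> the OpenSSL the ssh binaries were built against ("1.0.2k-fips")
openssh_linked_openssl() { printf '%s' "$1" | sed -n 's/^OpenSSH_[^,]*, OpenSSL \([^ ]*\).*/\1/p'; }
# "OpenSSL 3.2.1 30 Jan 2024" -> "3.2.1"
openssl_version() { printf '%s' "$1" | sed -n 's/^OpenSSL \([^ ]*\).*/\1/p'; }
# Exit 0 when the OpenSSH in the banner is older than 9.8, i.e. the upgrade is
# still needed. An unparseable banner also counts as "needs upgrade".
needs_openssh_upgrade() { ! ver_ge "$(openssh_version "$1")" 9.8; }
# Exit 0 when the OpenSSL in the banner meets the >= 1.1.1 build requirement.
openssl_ok_for_openssh98() { ver_ge "$(openssl_version "$1")" 1.1.1; }
# Run both checks on the live host (ssh -V prints its banner on stderr).
preflight() {
    ssh_banner=$(ssh -V 2>&1)
    ssl_banner=$(openssl version 2>/dev/null)
    if needs_openssh_upgrade "$ssh_banner"; then
        echo "OpenSSH $(openssh_version "$ssh_banner") < 9.8: upgrade required"
    else
        echo "OpenSSH $(openssh_version "$ssh_banner") OK, built against OpenSSL $(openssh_linked_openssl "$ssh_banner")"
    fi
    if openssl_ok_for_openssh98 "$ssl_banner"; then
        echo "OpenSSL $(openssl_version "$ssl_banner") meets the >= 1.1.1 requirement"
    else
        echo "OpenSSL $(openssl_version "$ssl_banner") < 1.1.1: upgrade OpenSSL first"
    fi
}
if [ "${1-}" = "run" ]; then preflight; fi
```

Run it as `sh check.sh run` before step II.2 and again after step 3.2.10; after the upgrade the second line should also name the OpenSSL 3.2.1 under /usr/local/openssl, which confirms that --with-ssl-dir took effect rather than the old system library.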


