安全部門(mén)掃描系統(tǒng)漏洞,OpenSSH 7.9出現(xiàn)漏洞,需升級(jí)到8。使用 rpmbuild 將源碼包編譯為 rpm包。
yum install rpm-build zlib-devel openssl-devel gcc perl-devel pam-devel unzip -y
mkdir -p /root/rpmbuild/{SOURCES,SPECS}
cd /root/rpmbuild/SOURCES
wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.0p1.tar.gz
wget https://src.fedoraproject.org/repo/pkgs/openssh/x11-ssh-askpass-1.2.4.1.tar.gz/8f2e41f3f7eaa8543a2440454637f3c3/x11-ssh-askpass-1.2.4.1.tar.gz
tar zxvf openssh-8.0p1.tar.gz openssh-8.0p1/contrib/redhat/openssh.spec
mv openssh-8.0p1/contrib/redhat/openssh.spec ../SPECS/
chown sshd:sshd /root/rpmbuild/SPECS/openssh.spec
cp /root/rpmbuild/SPECS/openssh.spec /root/rpmbuild/SPECS/openssh.spec_def
sed -i -e "s/%define no_gnome_askpass 0/%define no_gnome_askpass 1/g" /root/rpmbuild/SPECS/openssh.spec
sed -i -e "s/%define no_x11_askpass 0/%define no_x11_askpass 1/g" /root/rpmbuild/SPECS/openssh.spec
cd /root/rpmbuild/SPECS/
rpmbuild -ba openssh.spec
編譯過(guò)程遇到的錯(cuò)誤:
錯(cuò)誤:構(gòu)建依賴(lài)失敗: openssl-devel < 1.1 被 openssh-8.0p1-1.el7.x86_64 需要解決:[root@localhost SPECS]# vim openssh.spec 注釋掉 BuildRequires: openssl-devel < 1.1 這一行
安裝后要修改選項(xiàng):
cd /etc/ssh/
chmod 400 ssh_host_ecdsa_key ssh_host_ed25519_key ssh_host_rsa_key
echo "PermitRootLogin no" >> /etc/ssh/sshd_config
systemctl restart sshd
centos 7 記得修改這個(gè)文件。不然會(huì)出現(xiàn)密碼是對(duì)的,卻無(wú)法登陸。
[root@iZ16pk5aqeZ ~]# cat /etc/pam.d/sshd
#%PAM-1.0
auth required pam_sepermit.so
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
## pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
## pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth
