
Linux SSH upgrade and rollback: upgrading SSH to 7.8 on Linux 6

Problem description

In OpenSSH versions before 7.3, the auth_password function in sshd/auth-passwd.c does not limit the length of the password during password authentication. A remote attacker can exploit this by sending a very long string, causing a denial of service.

Implementation steps:

1. Upload the source packages to each server, three in total:

zlib-1.2.11.tar.gz
openssl-fips-2.0.16.tar.gz
openssh-7.8p1.tar.gz

2. Install the telnet service and make sure you can log in through it normally

yum -y install telnet-server
chkconfig telnet on
service xinetd restart

(Log in remotely over telnet, su to root, set TMOUT=0 so the session is not idle-timed out, and do all of the following work from this terminal, since sshd will be stopped.)

3. Remove the original openssh

service sshd stop
cp /etc/init.d/sshd /etc/init.d/sshd.OLD
cp /etc/pam.d/sshd /etc/pam.d/sshd.OLD
cp -r /etc/ssh /etc/ssh.OLD
rpm -qa | grep openssh
rpm -e openssh --nodeps
rpm -e openssh-server --nodeps
rpm -e openssh-clients --nodeps
rpm -e openssh-askpass --nodeps

4. Install zlib

tar xf zlib-1.2.11.tar.gz
cd zlib-1.2.11
./configure --prefix=/usr/local/zlib
make
make install

5. Install openssl

tar xf openssl-1.0.2p.tar.gz
cd openssl-1.0.2p
./config shared zlib --prefix=/usr/local/openssl
make
make install
./config -t
make depend
vi /etc/ld.so.conf    # add the line /usr/local/openssl/lib
ldconfig

Add the following at the end of /etc/profile:

export OPENSSL=/usr/local/openssl/bin
export PATH=$OPENSSL:$PATH:$HOME/bin

mv /usr/bin/openssl /usr/bin/openssl.old
mv /usr/include/openssl /usr/include/openssl.old
ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
ln -s /usr/local/openssl/include/openssl /usr/include/openssl
ln -sf /usr/local/openssl/lib/libcrypto.so.1.0.0 /lib/libcrypto.so.6
echo '/usr/local/ssl/lib' >> /etc/ld.so.conf
ldconfig
openssl version -a

6. Install openssh

tar zxf openssh-7.8p1.tar.gz
cd openssh-7.8p1
rm -rf /etc/ssh
./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-pam --with-ssl-dir=/usr/local/openssl --with-md5-passwords --mandir=/usr/share/man --with-zlib=/usr/local/zlib --without-hardening
make
make install
cp contrib/redhat/sshd.init /etc/init.d/sshd
chmod 755 /etc/init.d/sshd
chkconfig --add sshd
vim /etc/ssh/sshd_config    # change the default port number
chkconfig sshd on
vi /etc/ssh/sshd_config

Change #PermitRootLogin prohibit-password to PermitRootLogin no

cp contrib/redhat/sshd.pam /etc/pam.d/sshd
ssh -V
service sshd start

7. Verify that SSH login works normally

8. Stop the telnet service
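Step 6 edits sshd_config by hand in vi. As an added example (not part of the original post), the POSIX shell functions below make that kind of edit idempotently and read back the effective value the way sshd resolves it (first active occurrence wins), so the setting can be checked before sshd is restarted; the function names and the sample config are my own, not from the page.

```shell
#!/bin/sh
# Added example, not from the original post: edit and verify sshd_config
# directives from a script instead of by hand in vi.
# sshd honours the FIRST uncommented occurrence of a keyword, so setting a
# value means replacing the (possibly commented) line and dropping any
# later duplicate, not just appending. Caveat: Match blocks are not handled.

# sshd_get_option FILE KEY -> prints the effective value ("" if unset)
sshd_get_option() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# sshd_set_option FILE KEY VALUE -> leaves exactly one active "KEY VALUE"
# line in FILE, in place of the first commented or active KEY line
sshd_set_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)   # strip indent and leading "#"
            split(line, f, /[ \t]+/)
            if (tolower(f[1]) == tolower(key)) {
                if (!seen) { print key " " value; seen = 1 }
                next                           # drop later duplicates
            }
            print
        }
        END { if (!seen) print key " " value }  # keyword absent: append
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# demo: apply the step-6 change to a constructed sample config and print
# the effective PermitRootLogin value afterwards
demo() {
    cfg=$(mktemp) || return 1
    printf '%s\n' 'Port 22' \
        '#PermitRootLogin prohibit-password' \
        'PasswordAuthentication yes' > "$cfg"
    sshd_set_option "$cfg" PermitRootLogin no
    sshd_get_option "$cfg" PermitRootLogin     # prints: no
    rm -f "$cfg"
}
```

Run `sshd -t -f /etc/ssh/sshd_config` after editing the real file so a syntax error is caught before the restart in step 6.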

Rollback procedure

1. Log in via telnet and switch to the root user

2. Restore openssl

service sshd stop
ln -sf /lib64/libcrypto.so.0.9.8e /lib64/libcrypto.so.6
ln -sf /lib64/libssl.so.0.9.8e /lib64/libssl.so.6
rm /usr/include/openssl
mv /usr/include/openssl.old /usr/include/openssl    # backup made in step 5
rm /usr/bin/openssl
mv /usr/bin/openssl.old /usr/bin/openssl            # backup made in step 5
vi /etc/ld.so.conf    # delete the line /usr/local/ssl/lib
ldconfig
openssl version -a

3. Restore openssh

chkconfig --del sshd
rm -rf /etc/sshd
rm -f /etc/pam.d/sshd
yum -y install openssh-*
ssh -V
cp /etc/ssh.OLD/sshd_config /etc/ssh/    # backup made in step 3
cp /etc/pam.d/sshd.OLD /etc/pam.d/sshd   # backup made in step 3
service sshd start

Verify that login works