由于客户服务器OpenSSH检查出高危漏洞(用户枚举漏洞(CVE-2018-15473)),所以需要对OpenSSH进行升级,客户的服务器是内网服务器,只能进行离线升级,不能用yum更新
离线包准备
由于依赖包太多,不好在网上全部找出版本对应的依赖,所以推荐用一台测试服务器,用yum缓存包
yum缓存包
修改yum配置文件
# Open the yum configuration; the two settings to change (cachedir, keepcache) are shown below.
vi /etc/yum.conf
修改配置
# 缓存包路径
cachedir=/var/cache/yum/$basearch/$releasever
# 0 不保存缓存包, 1 保存缓存包
keepcache=1
修改完配置后,直接用yum安装gcc、openssl-devel、pam,然后到缓存包路径导出所有离线包。注意:openssl、openssh、perl5使用的是源码安装。
安装gcc
1、安装kernel-headers
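# The package was copied in offline, so check its digest/GPG signature before installing
# (import the vendor key with `rpm --import` first if -K reports MISSING KEYS).
rpm -K kernel-headers-3.10.0-1127.18.2.el7.x86_64.rpm && rpm -ivh kernel-headers-3.10.0-1127.18.2.el7.x86_64.rpm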
2、安装glibc-headers
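# Check digest/GPG signature of the offline-copied package, then install
# (`rpm --import` the vendor key first if -K reports MISSING KEYS).
rpm -K glibc-headers-2.17-307.el7.1.x86_64.rpm && rpm -ivh glibc-headers-2.17-307.el7.1.x86_64.rpm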
3、安装glibc-devel
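# Check digest/GPG signature of the offline-copied package, then install
# (`rpm --import` the vendor key first if -K reports MISSING KEYS).
rpm -K glibc-devel-2.17-307.el7.1.x86_64.rpm && rpm -ivh glibc-devel-2.17-307.el7.1.x86_64.rpm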
4、安装mpfr
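# Check digest/GPG signature of the offline-copied package, then install
# (`rpm --import` the vendor key first if -K reports MISSING KEYS).
rpm -K mpfr-3.1.1-4.el7.x86_64.rpm && rpm -ivh mpfr-3.1.1-4.el7.x86_64.rpm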
5、安装libmpc
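# Check digest/GPG signature of the offline-copied package, then install
# (`rpm --import` the vendor key first if -K reports MISSING KEYS).
rpm -K libmpc-1.0.1-3.el7.x86_64.rpm && rpm -ivh libmpc-1.0.1-3.el7.x86_64.rpm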
6、安装cpp
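# Check digest/GPG signature of the offline-copied package, then install
# (`rpm --import` the vendor key first if -K reports MISSING KEYS).
rpm -K cpp-4.8.5-39.el7.x86_64.rpm && rpm -ivh cpp-4.8.5-39.el7.x86_64.rpm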
7、安装gcc
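# Check digest/GPG signature of the offline-copied package, then install
# (`rpm --import` the vendor key first if -K reports MISSING KEYS).
rpm -K gcc-4.8.5-39.el7.x86_64.rpm && rpm -ivh gcc-4.8.5-39.el7.x86_64.rpm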
安装perl5
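# Build Perl 5.30.1 from source into a private prefix ($HOME/localperl) so the system perl
# that rpm/yum depend on is left untouched. The steps are chained with && so that a failing
# step (including `make test`) stops the sequence instead of installing a broken build, and
# so the snippet never calls `exit` in an interactive shell.
# NOTE(review): the page never puts $HOME/localperl/bin on PATH, so the OpenSSL/OpenSSH
# builds later still use whichever perl is first on PATH — confirm this step is needed at all;
# the build requirements of OpenSSL 1.1.1 are modest and the system perl may suffice.
tar -xvf perl-5.30.1.tar.gz \
  && cd perl-5.30.1/ \
  && ./Configure -des -Dprefix="$HOME/localperl" \
  && make \
  && make test \
  && make install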
安装OpenSSL
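# Replace the distribution OpenSSL with 1.1.1c built from source.
# NOTE(review): erasing the openssl RPMs with --nodeps removes libssl.so.10/libcrypto.so.10,
# which yum, curl, python and many other EL7 binaries are linked against. The .so.10
# symlinks created further down point those binaries at the 1.1.x library, whose ABI is not
# compatible with 1.0.2, so they are likely to fail with missing-symbol errors. The safer
# layout is to keep the system OpenSSL installed and build 1.1.1c only under /usr/local for
# OpenSSH to link against (--with-ssl-dir) — decide this before running on the production
# host. The commands below keep the original behaviour and only make it robust.
# Remove the old packages. RPM names contain no whitespace, so word-splitting the query is
# safe; each name is still quoted and passed after the options.
for pkg in $(rpm -qa | grep openssl); do rpm -e --nodeps "$pkg"; done
# Extract, configure with shared libraries, build and install. Chained with && so a failure
# stops the sequence rather than running `make install` on a broken tree. The source tree is
# expected under the current directory (/opt/software/openssh, judging by the paths below).
tar -xvf openssl-1.1.1c.tar.gz \
  && cd openssl-1.1.1c \
  && ./config shared \
  && make \
  && make install
# Register the library directory with the dynamic loader; the grep keeps the file free of
# duplicate entries when the snippet is re-run.
# NOTE(review): OpenSSL 1.1.x installs its libraries under the prefix (/usr/local/lib by
# default) rather than /usr/local/ssl/lib — verify the directory after `make install`. The
# copies into /usr/lib64 below are what actually makes the libraries visible.
grep -qx '/usr/local/ssl/lib' /etc/ld.so.conf || echo "/usr/local/ssl/lib" >> /etc/ld.so.conf
ldconfig
# Copy the freshly built libraries into the system library directory and create the
# unversioned (.so) and legacy (.so.10) names. No -f on purpose: an existing target means
# something unexpected is installed and should be inspected, not silently overwritten.
cp /opt/software/openssh/openssl-1.1.1c/libssl.so.1.1 /usr/lib64
cp /opt/software/openssh/openssl-1.1.1c/libcrypto.so.1.1 /usr/lib64
ln -s /usr/lib64/libcrypto.so.1.1 /usr/lib64/libcrypto.so.10
ln -s /usr/lib64/libcrypto.so.1.1 /usr/lib64/libcrypto.so
ln -s /usr/lib64/libssl.so.1.1 /usr/lib64/libssl.so.10
ln -s /usr/lib64/libssl.so.1.1 /usr/lib64/libssl.so
ln -s /opt/software/openssh/openssl-1.1.1c/apps/openssl /usr/bin/openssl
# The original also symlinked the `openssl` command-line binary to /usr/include/openssl,
# i.e. into the C header path. That cannot be what was intended (headers live in
# include/openssl of the source tree, and openssl-devel installs its own), so the line is
# left out here for reference only:
#   ln -s /opt/software/openssh/openssl-1.1.1c/apps/openssl /usr/include/openssl
# Refresh the loader cache now that /usr/lib64 has the new entries.
ldconfig
# Show the OpenSSL version now on PATH.
openssl version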
安装openssl-devel
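# openssl-devel and the build dependencies it pulls in. The files were collected from the yum
# cache on a test machine and carried over offline, so their digests/GPG signatures are
# checked first (import the vendor key with `rpm --import` if -K reports MISSING KEYS). They
# are then installed in one rpm transaction: rpm orders them by dependency itself and installs
# either the whole set or nothing, instead of stopping half-way as a one-by-one sequence does
# (the original order lists e2fsprogs before e2fsprogs-libs, which it normally requires).
# NOTE(review): openssl-devel-1.0.2k normally requires openssl-libs of the same version, which
# the earlier `rpm -e --nodeps` of the openssl packages removed; if the transaction fails on
# that dependency, that is the cause — confirm on the test host.
ssl_devel_rpms=(
  e2fsprogs-1.42.9-17.el7.x86_64.rpm
  e2fsprogs-libs-1.42.9-17.el7.x86_64.rpm
  keyutils-libs-devel-1.5.8-3.el7.x86_64.rpm
  libcom_err-1.42.9-17.el7.x86_64.rpm
  libcom_err-devel-1.42.9-17.el7.x86_64.rpm
  libkadm5-1.15.1-46.el7.x86_64.rpm
  libsepol-devel-2.5-10.el7.x86_64.rpm
  libss-1.42.9-17.el7.x86_64.rpm
  libverto-devel-0.2.5-4.el7.x86_64.rpm
  libselinux-2.5-15.el7.x86_64.rpm
  libselinux-utils-2.5-15.el7.x86_64.rpm
  libselinux-python-2.5-15.el7.x86_64.rpm
  pcre-devel-8.32-17.el7.x86_64.rpm
  libselinux-devel-2.5-15.el7.x86_64.rpm
  krb5-devel-1.15.1-46.el7.x86_64.rpm
  krb5-libs-1.15.1-46.el7.x86_64.rpm
  zlib-devel-1.2.7-18.el7.x86_64.rpm
  openssl-devel-1.0.2k-19.el7.x86_64.rpm
)
rpm -K "${ssl_devel_rpms[@]}" && rpm -ivh "${ssl_devel_rpms[@]}"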
安装pam
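# pam and its headers: verify digests/GPG signatures of the offline-copied files (import the
# vendor key with `rpm --import` if -K reports MISSING KEYS), then install both in one
# transaction so pam-devel cannot end up installed without a matching pam.
pam_rpms=(
  pam-1.1.8-23.el7.x86_64.rpm
  pam-devel-1.1.8-23.el7.x86_64.rpm
)
rpm -K "${pam_rpms[@]}" && rpm -ivh "${pam_rpms[@]}"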
安装OpenSSH
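# Replace the distribution OpenSSH with the version built from source.
# Operational note: once the openssh RPMs are erased no new SSH logins are possible until the
# new sshd is installed and started, and an error part-way through locks the host out — run
# this from the console / out-of-band access, not over the SSH session being replaced.
for pkg in $(rpm -qa | grep openssh); do rpm -e --nodeps "$pkg"; done
# Move the old configuration aside instead of deleting it: /etc/ssh holds the host keys, and
# losing them means every client sees a changed host key at the next login — a warning users
# must then be able to tell apart from a real man-in-the-middle. As with the original rm -rf,
# a fresh /etc/ssh is created by `make install` below.
mv /etc/ssh "/etc/ssh.bak.$(date +%Y%m%d%H%M%S)"
# Configure, build and install. This has to run inside the extracted OpenSSH source tree; the
# page does not show the tarball being unpacked, so `cd` into it first:
#   cd <openssh-source-dir>
# --with-ssl-dir points at the 1.1.1c tree built earlier, so sshd links against that OpenSSL
# rather than the 1.0.2 headers installed by openssl-devel.
./configure --prefix=/usr --sysconfdir=/etc/ssh --without-zlib-version-check --with-ssl-dir=/opt/software/openssh/openssl-1.1.1c/ --with-pam --with-zlib --mandir=/usr/share/man --with-md5-passwords \
  && make && make install
# Install the SysV init script and enable sshd at boot.
cp ./contrib/redhat/sshd.init /etc/init.d/sshd
chkconfig --add sshd
chkconfig sshd on
chkconfig --list | grep sshd
# Confirm the installed version is one in which CVE-2018-15473 is fixed.
ssh -V
# Allow root to log in over SSH. The original appended the directive after line 32 of the
# default sshd_config, which only works while that file keeps its exact layout; replacing the
# existing (commented or not) PermitRootLogin line, or appending one if none exists, works on
# any layout.
# NOTE(review): `yes` also permits root *password* logins, which widens the brute-force
# exposure this upgrade is meant to reduce; `prohibit-password` (key-only root) or `no` plus
# sudo is the safer setting where the environment allows it.
if grep -q '^#\?PermitRootLogin' /etc/ssh/sshd_config; then
  sed -i 's/^#\?PermitRootLogin .*/PermitRootLogin yes/' /etc/ssh/sshd_config
else
  echo 'PermitRootLogin yes' >> /etc/ssh/sshd_config
fi
# Validate the configuration before restarting so a typo cannot leave sshd down.
sshd -t && service sshd restart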
注意:如果升级后远程登录服务器时报账号密码错误,需要按下面的方法修改 SELinux 配置,修改完配置后需要重启服务器才会生效
# Edit the SELinux boot-time mode (takes effect after a reboot).
# NOTE(review): disabling SELinux switches off a system-wide control to cure one symptom. A
# login failure after replacing sshd and /etc/ssh from source is commonly a file-context
# problem on the new binary, config and host keys; try `restorecon -Rv /etc/ssh /usr/sbin/sshd`
# and check the audit log for AVC denials before resorting to SELINUX=disabled — confirm in
# this environment.
vi /etc/selinux/config
# Change the setting
# from
SELINUX=enforcing
# to
SELINUX=disabled
来源:oschina
链接:https://my.oschina.net/u/4288740/blog/4494282