How to Upgrade OpenSSH
Because OpenSSH vulnerabilities have a large security impact on a cluster, it is sometimes necessary to upgrade to the latest OpenSSH release. This tutorial explains how to upgrade a SonmiHPC cluster to the latest OpenSSH, using the current 9.7p1 release as the example.
- Back up the existing SSH configuration:
```shell
cp -r /etc/ssh ~/ssh_bak
```
- Install the components needed to build from source:
```shell
dnf install -y gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel pam-devel zlib-devel
```
- Download the latest source tarball with wget and unpack it:
```shell
wget https://mirrors.aliyun.com/pub/OpenBSD/OpenSSH/portable/openssh-9.7p1.tar.gz
```
Unpack the source and change into the source directory:
```shell
tar xvf openssh-9.7p1.tar.gz && cd openssh-9.7p1
```
- Run the following commands to configure, build and install:
```shell
./configure --prefix=/usr/ --sysconfdir=/etc/ssh --with-pam
make -j && make install
```
- Copy the PAM file:
```shell
cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd.pam
```
- Restore the original settings and related files:
```shell
rm -rf /etc/ssh/*
cp -r ~/ssh_bak/. /etc/ssh/
```
- Edit /etc/crypto-policies/back-ends/opensshserver.config and remove the GSSAPIKexAlgorithms setting:
```shell
# Find and delete the following line
GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-
```
Edit /etc/ssh/sshd_config.d/50-redhat.conf and comment out the following GSS-related settings:
```shell
#GSSAPIAuthentication yes
#GSSAPICleanupCredentials no
```
- Fix the file permissions:
```shell
chmod 0600 /etc/ssh/ssh_host*_key
```
- Restart the sshd service:
```shell
systemctl restart sshd
```
- Check the version:
```shell
sshd -V
```
One-click script
For convenience in operations, the following one-click script performs all of the steps above:
```shell
#!/bin/bash
# Back up the current configuration, then build and install OpenSSH 9.7p1
cp -r /etc/ssh ~/ssh_bak
dnf install -y gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel pam-devel zlib-devel
wget -P ~/ https://mirrors.aliyun.com/pub/OpenBSD/OpenSSH/portable/openssh-9.7p1.tar.gz
cd ~ && tar xvf openssh-9.7p1.tar.gz && cd openssh-9.7p1
./configure --prefix=/usr/ --sysconfdir=/etc/ssh --with-pam
make -j && make install
cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd.pam
# Restore the backed-up configuration and drop the GSSAPI settings
rm -rf /etc/ssh/*
cp -r ~/ssh_bak/. /etc/ssh/
sed -i '/^GSSAPIKexAlgorithms/d' /etc/crypto-policies/back-ends/opensshserver.config
sed -i 's/^GSSAPIAuthentication/#&/g' /etc/ssh/sshd_config.d/50-redhat.conf
sed -i 's/^GSSAPICleanupCredentials/#&/g' /etc/ssh/sshd_config.d/50-redhat.conf
chmod 0600 /etc/ssh/ssh_host*_key
echo "OpenSSH Update Finished!"
systemctl restart sshd
```
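As an added verification step (example code, not part of the SonmiHPC documentation or of the script above), the following shell functions check the outcome of the procedure: that the installed sshd reports 9.7p1, that no active GSSAPI directive remains in the two files edited above, and that every private host key is mode 0600. The sample files at the bottom are constructed for the demo; the version string and file names are the ones this page uses.

```shell
#!/bin/bash
# Added example (not from the SonmiHPC docs): post-upgrade checks for the
# steps above. Every check takes its input as an argument, so the same code
# runs against the constructed sample files below or the real /etc/ssh tree.

EXPECTED_VERSION="9.7p1"

# Pull "9.7p1" out of `sshd -V` output such as "OpenSSH_9.7p1, OpenSSL 3.0.7 ...".
parse_sshd_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9.]*p[0-9]*\).*/\1/p'
}

# Count active (uncommented) GSSAPI directives that the procedure should have
# deleted or commented out; 0 means the file is clean.
gssapi_lines_remaining() {
    grep -cE '^[[:space:]]*GSSAPI(KexAlgorithms|Authentication|CleanupCredentials)' "$1" || true
}

# Return 0 only if every private host key in the directory is mode 0600.
hostkeys_all_0600() {
    local k
    for k in "$1"/ssh_host_*_key; do
        [ -e "$k" ] || continue
        [ "$(stat -c %a "$k")" = "600" ] || return 1
    done
    return 0
}

# Run every check and return the number of failures (0 = upgrade looks complete).
# $1 = `sshd -V` text, $2 = ssh dir, $3 = opensshserver.config, $4 = 50-redhat.conf
verify_upgrade() {
    local fails=0
    [ "$(parse_sshd_version "$1")" = "$EXPECTED_VERSION" ] || { echo "FAIL: sshd is not $EXPECTED_VERSION"; fails=$((fails + 1)); }
    [ "$(gssapi_lines_remaining "$3")" = "0" ] || { echo "FAIL: GSSAPI directive left in $3"; fails=$((fails + 1)); }
    [ "$(gssapi_lines_remaining "$4")" = "0" ] || { echo "FAIL: GSSAPI directive left in $4"; fails=$((fails + 1)); }
    hostkeys_all_0600 "$2" || { echo "FAIL: a host key in $2 is not mode 0600"; fails=$((fails + 1)); }
    if [ "$fails" -eq 0 ]; then echo "PASS: all checks"; fi
    return "$fails"
}

# Demo on constructed sample files: a stale GSSAPIKexAlgorithms line is left in
# the policy file on purpose, so exactly one check fails.
demo=$(mktemp -d)
mkdir "$demo/ssh" && touch "$demo/ssh/ssh_host_ed25519_key" && chmod 0600 "$demo/ssh/ssh_host_ed25519_key"
printf 'GSSAPIKexAlgorithms gss-curve25519-sha256-\nCiphers aes256-gcm@openssh.com\n' > "$demo/opensshserver.config"
printf '#GSSAPIAuthentication yes\n#GSSAPICleanupCredentials no\n' > "$demo/50-redhat.conf"
verify_upgrade 'OpenSSH_9.7p1, OpenSSL 3.0.7 1 Nov 2022' "$demo/ssh" "$demo/opensshserver.config" "$demo/50-redhat.conf"
echo "failures: $?"
rm -rf "$demo"
```

On a freshly upgraded node, run `verify_upgrade "$(sshd -V 2>&1)" /etc/ssh /etc/crypto-policies/back-ends/opensshserver.config /etc/ssh/sshd_config.d/50-redhat.conf` before the restart and treat a non-zero return as a reason to stop.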