
SSH/SSL Source Compilation and Installation: A Brief Guide

Alfred Zhao
Published 2019-05-24 20:17:05

Environment: CentOS 6.7. Hardening requirement: a third-party vulnerability scanner reported a series of SSL vulnerabilities on the host, and the customer required them to be fixed. Solution: upgrade SSH/SSL to the latest versions and remove the old SSL version (in practice the scan does not pass unless the old version is removed). Current versions: OpenSSH_5.3p1, OpenSSL 1.0.1e-fips. Latest versions at the time: OpenSSH_7.3p1, OpenSSL 1.0.2h.

  • 1. Check the current SSH/SSL versions
  • 2. Download the latest SSH/SSL
  • 3. Build and install SSL from source
  • 4. Build and install SSH from source
  • 5. Remove the old SSL version
  • 6. Closing notes

1. Check the current SSH/SSL versions

Check the current SSH/SSL versions with ssh -V and openssl version:

[root@test0823 ~]# ssh -V
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013

[root@test0823 ssh]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013

Back up the ssh configuration files: tar zcvf /etc/ssh.tar.gz /etc/ssh/

[root@test0823 ~]# tar zcvf /etc/ssh.tar.gz /etc/ssh/  
ssh/  
ssh/ssh_host_dsa_key.pub  
ssh/ssh_host_rsa_key.pub  
ssh/ssh_host_rsa_key  
ssh/sshd_config  
ssh/ssh_config  
ssh/moduli  
ssh/ssh_host_dsa_key  
ssh/ssh_host_key.pub  
ssh/ssh_host_key  

2. Download the latest SSH/SSL

Latest versions at the time: OpenSSH_7.3p1, OpenSSL 1.0.2h
Installation media used in this walkthrough: link: http://pan.baidu.com/s/1eRW3ytc  password: 46sy
SSH/SSL installation and configuration references:
SSL installation: see http://www.linuxfromscratch.org/blfs/view/svn/postlfs/openssl.html
SSH installation: see http://www.linuxfromscratch.org/blfs/view/svn/postlfs/openssh.html

3. Build and install SSL from source

In this test all source packages were uploaded to /root on the server. SSL must be installed first, then SSH.

3.1 Unpack the SSL source package

[root@test0823 ~]# tar -zxvf openssl-1.0.2h.tar.gz 
[root@test0823 ~]# cd openssl-1.0.2h

3.2 Configure and compile

Copy and run the following commands:

./config --prefix=/usr         \
         --openssldir=/etc/ssl \
         --libdir=lib          \
         shared                \
         zlib-dynamic &&
make depend           &&
make

The actual session:

[root@test0823 openssl-1.0.2h]# ./config --prefix=/usr         \
>          --openssldir=/etc/ssl \
>          --libdir=lib          \
>          shared                \
>          zlib-dynamic &&
> make depend           &&
> make

3.3 Install SSL

Copy and run the following commands:

make MANDIR=/usr/share/man MANSUFFIX=ssl install &&
install -dv -m755 /usr/share/doc/openssl-1.0.2h  &&
cp -vfr doc/*     /usr/share/doc/openssl-1.0.2h

The actual session:

[root@test0823 openssl-1.0.2h]# make MANDIR=/usr/share/man MANSUFFIX=ssl install &&
> install -dv -m755 /usr/share/doc/openssl-1.0.2h  &&
> cp -vfr doc/*     /usr/share/doc/openssl-1.0.2h

3.4 Verify the SSL version

openssl version

The actual session (note that ssh is still linked against the old OpenSSL at this point):

[root@test0823 openssl-1.0.2h]# openssl version
OpenSSL 1.0.2h  3 May 2016
[root@test0823 openssl-1.0.2h]# ssh -V
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013

4. Build and install SSH from source

4.1 Unpack the SSH source package

[root@test0823 ~]# tar -zxvf openssh-7.3p1.tar.gz 
[root@test0823 ~]# cd openssh-7.3p1

4.2 Configure

4.2.1 Preparation before configuring

Copy and run the following commands (they create the privilege-separation directory and the unprivileged sshd user and group):

install  -v -m700 -d /var/lib/sshd &&
chown    -v root:sys /var/lib/sshd &&

groupadd -g 50 sshd        &&
useradd  -c 'sshd PrivSep' \
         -d /var/lib/sshd  \
         -g sshd           \
         -s /bin/false     \
         -u 50 sshd

The actual session:

[root@test0823 openssh-7.3p1]# install  -v -m700 -d /var/lib/sshd &&
> chown    -v root:sys /var/lib/sshd &&
> 
> groupadd -g 50 sshd        &&
> useradd  -c 'sshd PrivSep' \
>          -d /var/lib/sshd  \
>          -g sshd           \
>          -s /bin/false     \
>          -u 50 sshd

4.2.2 Configure and compile

Copy and run the following commands:

./configure --prefix=/usr                     \
            --sysconfdir=/etc/ssh             \
            --with-md5-passwords              \
            --with-privsep-path=/var/lib/sshd &&
make

The actual session:

[root@test0823 openssh-7.3p1]# ./configure --prefix=/usr                     \
>             --sysconfdir=/etc/ssh             \
>             --with-md5-passwords              \
>             --with-privsep-path=/var/lib/sshd &&
> make

4.3 Install SSH

Copy and run the following commands:

make install &&
install -v -m755    contrib/ssh-copy-id /usr/bin     &&

install -v -m644    contrib/ssh-copy-id.1 \
                    /usr/share/man/man1              &&
install -v -m755 -d /usr/share/doc/openssh-7.3p1     &&
install -v -m644    INSTALL LICENCE OVERVIEW README* \
                    /usr/share/doc/openssh-7.3p1

The actual session:

[root@test0823 openssh-7.3p1]# make install &&
> install -v -m755    contrib/ssh-copy-id /usr/bin     &&
> 
> install -v -m644    contrib/ssh-copy-id.1 \
>                     /usr/share/man/man1              &&
> install -v -m755 -d /usr/share/doc/openssh-7.3p1     &&
> install -v -m644    INSTALL LICENCE OVERVIEW README* \
>                     /usr/share/doc/openssh-7.3p1

4.4 Verify the SSH version

[root@test0823 openssh-7.3p1]# ssh -V
OpenSSH_7.3p1, OpenSSL 1.0.2h  3 May 2016

4.5 Restart the sshd service

Rename the previous sshd binary as a backup and create a symbolic link for sshd:

mv /usr/sbin/sshd /usr/sbin/sshd.OFF
ln -s /root/openssh-7.3p1/sshd /usr/sbin/sshd

Restart the service with service sshd restart:

[root@test0823 openssh-7.3p1]# service sshd restart
Stopping sshd: [  OK  ]
Starting sshd: /etc/ssh/sshd_config line 81: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 83: Unsupported option GSSAPICleanupCredentials
/etc/ssh/sshd_config line 97: Unsupported option UsePAM
[  OK  ]

The errors above do not prevent sshd from starting normally. To stop the messages from appearing, comment out the relevant configuration lines: open vi /etc/ssh/sshd_config and comment out lines 81, 83 and 97.

Restarting sshd again no longer produces those three error messages.
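
The edit above is done by line number, which only works while the file layout is exactly the one shown. As an added example that is not part of the original post, the script below comments out the same options by name (GSSAPIAuthentication, GSSAPICleanupCredentials, UsePAM), keeps a backup copy of the file, and is exercised against a constructed sample config rather than the live /etc/ssh/sshd_config; the function names are my own. Before restarting the daemon on a real host, the new binary can be run in test mode, sshd -t -f /etc/ssh/sshd_config, which parses the configuration and checks the host keys without starting a listener, so a bad edit is caught while the old sshd is still serving.

```shell
#!/bin/sh
# Added example, not code from the original post: comment out sshd_config
# options that the newly built sshd rejects as "Unsupported option", matching
# by option name instead of by line number.
# Assumes POSIX sh with sed, grep, mktemp and date; function names are mine.

# Usage: comment_out_sshd_options FILE OPTION [OPTION...]
# Prefixes every active line whose first word is one of OPTION with "#".
# Lines that are already comments are left untouched. A copy of the original
# file is kept as FILE.bak.<timestamp>. Returns 1 if FILE does not exist.
comment_out_sshd_options() {
    file=$1
    shift
    [ -f "$file" ] || return 1
    cp "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
    for opt in "$@"; do
        # Keep leading blanks (group 1) and insert "#" before the directive.
        sed "s/^\([[:space:]]*\)\($opt[[:space:]].*\)$/\1#\2/" "$file" > "$file.tmp" \
            && mv "$file.tmp" "$file"
    done
}

# Usage: active_option_count FILE OPTION
# Prints how many uncommented lines still set OPTION (0 after a successful edit).
active_option_count() {
    grep -c "^[[:space:]]*$2[[:space:]]" "$1" || true
}

# Constructed sample config containing the three directives the new sshd
# reported as unsupported above, one already-commented line, and other
# directives that must survive the edit unchanged.
make_sample_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Port 22
Protocol 2
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
#GSSAPIAuthentication no
UsePAM yes
X11Forwarding yes
EOF
    printf '%s\n' "$f"
}

# Stand-alone run: edit the sample and show the result.
demo() {
    f=$(make_sample_config)
    comment_out_sshd_options "$f" GSSAPIAuthentication GSSAPICleanupCredentials UsePAM
    cat "$f"
    # On the real host, validate before restarting:
    #   /usr/sbin/sshd -t -f /etc/ssh/sshd_config
    rm -f "$f" "$f".bak.* "$f".tmp
}
demo
```

On the sample, the three target lines come back as "#GSSAPIAuthentication yes", "#GSSAPICleanupCredentials yes" and "#UsePAM yes", the line that was already a comment is not double-commented, and Port, Protocol and X11Forwarding are unchanged.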

Allow the root user to log in over ssh (by default this is probably already allowed; if not, append the following line to the end of the configuration file, or edit the file directly with vi):

echo "PermitRootLogin yes" >> /etc/ssh/sshd_config

5. Remove the old SSL version

The old SSL and SSH versions were not removed at first because the programs that depend on them were not understood. The final scan showed, however, that unless the old SSL version is removed, the scanner still reports the series of SSL vulnerabilities.

List the openssl-related packages installed by rpm:

rpm -qa|grep openssl

Remove the old SSL version (here openssl-1.0.1e-42.el6.x86_64): rpm -e openssl-1.0.1e-42.el6.x86_64. Attempting the removal directly reports the following library dependencies:

[root@test0823 ~]# rpm -e openssl-1.0.1e-42.el6.x86_64
error: Failed dependencies:
        libcrypto.so.10()(64bit) is needed by (installed) qt-1:4.6.2-28.el6_5.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) libarchive-2.8.3-4.el6_2.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) libssh2-1.4.2-1.el6_6.1.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) wget-1.12-5.el6_6.1.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) wpa_supplicant-1:0.7.3-6.el6.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) bind-libs-32:9.8.2-0.37.rc1.el6.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) bind-utils-32:9.8.2-0.37.rc1.el6.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) mysql-libs-5.1.73-5.el6_6.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) fipscheck-1.2.0-7.el6.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) httpd-tools-2.2.15-45.el6.centos.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) cyrus-sasl-md5-2.1.23-15.el6_6.2.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) gnome-vfs2-2.24.2-6.el6.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) ptlib-2.6.5-3.el6.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) opal-3.6.6-4.el6.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) python-libs-2.6.6-64.el6.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) python-ldap-0:2.3.10-1.el6.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) pyOpenSSL-0.13.1-2.el6.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) net-snmp-libs-1:5.5-54.el6.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) evolution-data-server-2.32.3-23.el6.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) gstreamer-plugins-bad-free-0.10.19-3.el6_5.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) xorg-x11-server-Xorg-1.15.0-36.el6.centos.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) hplip-libs-3.14.6-3.el6.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) ntpdate-4.2.6p5-5.el6.centos.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) ntp-4.2.6p5-5.el6.centos.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) certmonger-0.77.5-1.el6.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) cyrus-sasl-2.1.23-15.el6_6.2.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) postfix-2:2.6.6-6.el6_5.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) hpijs-1:3.14.6-3.el6.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) ekiga-3.2.6-4.el6.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) gnome-vfs2-smb-2.24.2-6.el6.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) tcpdump-14:4.0.0-5.20090921gitdf3cb4.2.el6.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) vsftpd-2.2.2-14.el6.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) openssh-5.3p1-111.el6.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) openssh-server-5.3p1-111.el6.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) openssh-clients-5.3p1-111.el6.x86_64
        libcrypto.so.10(OPENSSL_1.0.1)(64bit) is needed by (installed) pyOpenSSL-0.13.1-2.el6.x86_64
        libcrypto.so.10(OPENSSL_1.0.1)(64bit) is needed by (installed) net-snmp-libs-1:5.5-54.el6.x86_64
        libcrypto.so.10(OPENSSL_1.0.1)(64bit) is needed by (installed) ntpdate-4.2.6p5-5.el6.centos.x86_64
        libcrypto.so.10(OPENSSL_1.0.1)(64bit) is needed by (installed) ntp-4.2.6p5-5.el6.centos.x86_64
        libcrypto.so.10(OPENSSL_1.0.1)(64bit) is needed by (installed) postfix-2:2.6.6-6.el6_5.x86_64
        libcrypto.so.10(OPENSSL_1.0.1)(64bit) is needed by (installed) openssh-5.3p1-111.el6.x86_64
        libcrypto.so.10(OPENSSL_1.0.1)(64bit) is needed by (installed) openssh-server-5.3p1-111.el6.x86_64
        libcrypto.so.10(OPENSSL_1.0.1)(64bit) is needed by (installed) openssh-clients-5.3p1-111.el6.x86_64
        libcrypto.so.10(OPENSSL_1.0.1_EC)(64bit) is needed by (installed) certmonger-0.77.5-1.el6.x86_64
        libcrypto.so.10(OPENSSL_1.0.1_EC)(64bit) is needed by (installed) postfix-2:2.6.6-6.el6_5.x86_64
        libcrypto.so.10(OPENSSL_1.0.1_EC)(64bit) is needed by (installed) openssh-5.3p1-111.el6.x86_64
        libcrypto.so.10(OPENSSL_1.0.1_EC)(64bit) is needed by (installed) openssh-server-5.3p1-111.el6.x86_64
        libcrypto.so.10(OPENSSL_1.0.1_EC)(64bit) is needed by (installed) openssh-clients-5.3p1-111.el6.x86_64
        libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) qt-1:4.6.2-28.el6_5.x86_64
        libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) libssh2-1.4.2-1.el6_6.1.x86_64
        libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) wget-1.12-5.el6_6.1.x86_64
        libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) wpa_supplicant-1:0.7.3-6.el6.x86_64
        libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) bind-libs-32:9.8.2-0.37.rc1.el6.x86_64
        libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) mysql-libs-5.1.73-5.el6_6.x86_64
        libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) httpd-tools-2.2.15-45.el6.centos.x86_64
        libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) cyrus-sasl-md5-2.1.23-15.el6_6.2.x86_64
        libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) python-libs-2.6.6-64.el6.x86_64
        libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) pyOpenSSL-0.13.1-2.el6.x86_64
        libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) net-snmp-libs-1:5.5-54.el6.x86_64
        libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) gstreamer-plugins-bad-free-0.10.19-3.el6_5.x86_64
        libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) xorg-x11-server-Xorg-1.15.0-36.el6.centos.x86_64
        libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) ntpdate-4.2.6p5-5.el6.centos.x86_64
        libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) ntp-4.2.6p5-5.el6.centos.x86_64
        libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) certmonger-0.77.5-1.el6.x86_64
        libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) cyrus-sasl-2.1.23-15.el6_6.2.x86_64
        libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) postfix-2:2.6.6-6.el6_5.x86_64
        libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) tcpdump-14:4.0.0-5.20090921gitdf3cb4.2.el6.x86_64
        libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) vsftpd-2.2.2-14.el6.x86_64
        libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) openssh-5.3p1-111.el6.x86_64
        libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) openssh-server-5.3p1-111.el6.x86_64
        libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) openssh-clients-5.3p1-111.el6.x86_64
        libssl.so.10()(64bit) is needed by (installed) qt-1:4.6.2-28.el6_5.x86_64
        libssl.so.10()(64bit) is needed by (installed) libssh2-1.4.2-1.el6_6.1.x86_64
        libssl.so.10()(64bit) is needed by (installed) wget-1.12-5.el6_6.1.x86_64
        libssl.so.10()(64bit) is needed by (installed) wpa_supplicant-1:0.7.3-6.el6.x86_64
        libssl.so.10()(64bit) is needed by (installed) mysql-libs-5.1.73-5.el6_6.x86_64
        libssl.so.10()(64bit) is needed by (installed) httpd-tools-2.2.15-45.el6.centos.x86_64
        libssl.so.10()(64bit) is needed by (installed) gnome-vfs2-2.24.2-6.el6.x86_64
        libssl.so.10()(64bit) is needed by (installed) ptlib-2.6.5-3.el6.x86_64
        libssl.so.10()(64bit) is needed by (installed) opal-3.6.6-4.el6.x86_64
        libssl.so.10()(64bit) is needed by (installed) python-libs-2.6.6-64.el6.x86_64
        libssl.so.10()(64bit) is needed by (installed) python-ldap-0:2.3.10-1.el6.x86_64
        libssl.so.10()(64bit) is needed by (installed) pyOpenSSL-0.13.1-2.el6.x86_64
        libssl.so.10()(64bit) is needed by (installed) evolution-data-server-2.32.3-23.el6.x86_64
        libssl.so.10()(64bit) is needed by (installed) gstreamer-plugins-bad-free-0.10.19-3.el6_5.x86_64
        libssl.so.10()(64bit) is needed by (installed) postfix-2:2.6.6-6.el6_5.x86_64
        libssl.so.10()(64bit) is needed by (installed) ekiga-3.2.6-4.el6.x86_64
        libssl.so.10()(64bit) is needed by (installed) gnome-vfs2-smb-2.24.2-6.el6.x86_64
        libssl.so.10()(64bit) is needed by (installed) vsftpd-2.2.2-14.el6.x86_64
        libssl.so.10(libssl.so.10)(64bit) is needed by (installed) qt-1:4.6.2-28.el6_5.x86_64
        libssl.so.10(libssl.so.10)(64bit) is needed by (installed) wget-1.12-5.el6_6.1.x86_64
        libssl.so.10(libssl.so.10)(64bit) is needed by (installed) wpa_supplicant-1:0.7.3-6.el6.x86_64
        libssl.so.10(libssl.so.10)(64bit) is needed by (installed) mysql-libs-5.1.73-5.el6_6.x86_64
        libssl.so.10(libssl.so.10)(64bit) is needed by (installed) httpd-tools-2.2.15-45.el6.centos.x86_64
        libssl.so.10(libssl.so.10)(64bit) is needed by (installed) python-libs-2.6.6-64.el6.x86_64
        libssl.so.10(libssl.so.10)(64bit) is needed by (installed) pyOpenSSL-0.13.1-2.el6.x86_64
        libssl.so.10(libssl.so.10)(64bit) is needed by (installed) postfix-2:2.6.6-6.el6_5.x86_64
        libssl.so.10(libssl.so.10)(64bit) is needed by (installed) vsftpd-2.2.2-14.el6.x86_64
        openssl is needed by (installed) postfix-2:2.6.6-6.el6_5.x86_64

Take note of the two library files that everything above depends on:

libcrypto.so.10
libssl.so.10
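
The two names above were picked out of a very long dependency list by eye. As an added example that is not part of the original post, the script below extracts them mechanically from the "Failed dependencies" text, together with the full set of installed packages that still need them, so the list of programs that must keep working after the --nodeps removal is written down before the package is gone. It runs on a constructed excerpt in the shape of the rpm output above rather than on the live output; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the original post: summarise the
# "Failed dependencies" output of `rpm -e` so that every shared object the
# old package provides, and every package that still needs it, is recorded
# before anything is removed with --nodeps.
# Assumes POSIX sh with awk, sort, wc and tr; function names are mine.

# Usage: needed_sonames < rpm-output
# Prints each distinct shared-object name once, sorted. The rpm capability
# "libcrypto.so.10(OPENSSL_1.0.1)(64bit)" is reduced to "libcrypto.so.10";
# plain package capabilities such as "openssl" are skipped.
needed_sonames() {
    awk '/ is needed by \(installed\) / {
             p = index($1, "(")
             name = (p > 0) ? substr($1, 1, p - 1) : $1
             if (name ~ /\.so/) print name
         }' | sort -u
}

# Usage: dependent_packages < rpm-output
# Prints each distinct installed package that depends on the package being removed.
dependent_packages() {
    awk '/ is needed by \(installed\) / { print $NF }' | sort -u
}

# Usage: dependent_count < rpm-output
# Prints the number of distinct dependent packages.
dependent_count() {
    dependent_packages | wc -l | tr -d ' '
}

# Constructed excerpt in the shape of the rpm output shown above (a few lines,
# not the full list from the post).
sample_rpm_output() {
    cat <<'EOF'
error: Failed dependencies:
        libcrypto.so.10()(64bit) is needed by (installed) wget-1.12-5.el6_6.1.x86_64
        libcrypto.so.10(OPENSSL_1.0.1)(64bit) is needed by (installed) postfix-2:2.6.6-6.el6_5.x86_64
        libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) openssh-server-5.3p1-111.el6.x86_64
        libssl.so.10()(64bit) is needed by (installed) wget-1.12-5.el6_6.1.x86_64
        libssl.so.10(libssl.so.10)(64bit) is needed by (installed) postfix-2:2.6.6-6.el6_5.x86_64
        openssl is needed by (installed) postfix-2:2.6.6-6.el6_5.x86_64
EOF
}

# Stand-alone run: print what must keep resolving once the old rpm is gone.
report() {
    echo "shared objects that must be re-mapped:"
    sample_rpm_output | needed_sonames
    echo "installed packages depending on them:"
    sample_rpm_output | dependent_packages
}
report
```

On the excerpt this yields libcrypto.so.10 and libssl.so.10 as the objects to re-map and three dependent packages. On the real host the live output can be captured with rpm -e openssl-1.0.1e-42.el6.x86_64 2>&1 and piped into the same functions, and after the symbolic links in the next steps are in place, ldd /usr/sbin/sshd shows which libssl and libcrypto files each rebuilt binary actually resolves to.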

Then remove the package, ignoring the dependencies:

rpm -e --nodeps openssl-1.0.1e-42.el6.x86_64

Create new symbolic links mapping the two library names to the newly built libraries:

[root@test0823 openssl-1.0.2h]# ln -s /root/openssl-1.0.2h/libssl.so.1.0.0 /usr/lib64/libssl.so.10
[root@test0823 openssl-1.0.2h]# ln -s /root/openssl-1.0.2h/libcrypto.so.1.0.0 /usr/lib64/libcrypto.so.10

If openssl was the last package removed, the openssl command itself also needs a symbolic link, as follows:

[root@test0823 apps]# ln -s /root/openssl-1.0.2h/apps/openssl /usr/bin/openssl

A subsequent scan no longer reported any SSL-related vulnerabilities.

6. Closing notes

My profession is not system administration and I do not know much about compiling and installing software on Linux, so there may well be omissions or mistakes in this hardening process; experts are welcome to point them out so that everyone can learn from them. I also thank the netizen 游荡 for the ssh installation notes provided early on, and www.linuxfromscratch.org for its SSH/SSL installation instructions.

Originally published: 2016-08-29
