Building an OpenSSH 7.4p1 rpm package on CentOS 7 and upgrading OpenSSH

post by rocdk890 / 2017-1-17 15:46 Tuesday Linux technology
  Recently I read online that OpenSSH has a serious security vulnerability, and when I checked the company's CentOS 7 machines they were still running OpenSSH 6.6.1p1. In OpenSSH versions below 7.4, ssh-agent does not validate the PKCS#11 modules it loads; this is an arbitrary code execution flaw in the implementation that allows an attacker to run arbitrary code in the context of the affected application. Well, yum had no OpenSSH update available, so I had to build it myself.
  System: CentOS 7 (64-bit)
1. Preparation
ssh -V
cd /etc/ssh/
cp sshd_config sshd_config.170117bak--
cd /etc/pam.d
cp sshd sshd.old--

yum install -y gcc gcc-c++ make pam-devel rpm-build rpmdevtools zlib-devel krb5-devel tcp_wrappers tcp_wrappers-devel tcp_wrappers-libs libX11-devel xmkmf libXt-devel wget openssl openssl-devel
mkdir -p ~/rpmbuild/{BUILD,BUILDROOT,RPMS,SOURCES,SPECS,SRPMS}
cd ~/rpmbuild/SOURCES
wget http://openbsd.hk/pub/OpenBSD/OpenSSH/portable/openssh-7.4p1.tar.gz
wget http://ftp.riken.jp/Linux/momonga/6/Everything/SOURCES/x11-ssh-askpass-1.2.4.1.tar.gz

2. Configure the spec file
cd ~/rpmbuild/SPECS/
tar zxf ../SOURCES/openssh-7.4p1.tar.gz openssh-7.4p1/contrib/redhat/openssh.spec
mv openssh-7.4p1/contrib/redhat/openssh.spec openssh-7.4p1.spec
rm -fr openssh-7.4p1
sed -i -e "s/%define no_gnome_askpass 0/%define no_gnome_askpass 1/g" openssh-7.4p1.spec
sed -i -e "s/%define no_x11_askpass 0/%define no_x11_askpass 1/g" openssh-7.4p1.spec
sed -i -e "s/BuildPreReq/BuildRequires/g" openssh-7.4p1.spec

3. Build the rpm packages
rpmbuild -bb openssh-7.4p1.spec
cd ~/rpmbuild/RPMS/x86_64
4. Install the rpm packages
yum localinstall openssh-7.4p1-1.x86_64.rpm openssh-server-7.4p1-1.x86_64.rpm openssh-clients-7.4p1-1.x86_64.rpm -y

5. Modify the configuration file
cd /etc/ssh/
\cp sshd_config.170117bak-- sshd_config
sed -i "37a\SyslogFacility AUTHPRIV" /etc/ssh/sshd_config
sed -i "44a\PermitRootLogin yes" /etc/ssh/sshd_config
sed -i "77a\ChallengeResponseAuthentication no" /etc/ssh/sshd_config
sed -i "88a\GSSAPICleanupCredentials no" /etc/ssh/sshd_config
sed -i "112a\UsePrivilegeSeparation sandbox" /etc/ssh/sshd_config

cd /etc/pam.d/
cat sshd
\cp sshd.old-- sshd

6. Fix the host key permissions
cd /etc/ssh/
chmod 600 ssh_host_*_key
systemctl restart sshd
ssh -V
Done; you can see that OpenSSH has been upgraded successfully.
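As an added example that is not part of the original post, here are a few POSIX sh checks to run after the upgrade: they parse the `ssh -V` banner and compare it against the 7.4 threshold, confirm that the directives re-added in step 5 are active in sshd_config, and confirm that the host keys have the 600 mode set in step 6. The function names and the use of GNU `stat -c` are my assumptions.

```shell
#!/bin/sh
# Post-upgrade checks for the OpenSSH 7.4p1 rpm build (added example, not from the original post).
# Assumptions: POSIX sh, GNU/busybox `stat -c`; the version banner and config path are passed in.

# Extract major.minor from `ssh -V` output, e.g. "OpenSSH_7.4p1, OpenSSL ..." -> "7.4"
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Return 0 if version $1 >= $2; compares numerically, so 7.10 is newer than 7.4
version_ge() {
    a_major=${1%%.*}; a_minor=${1#*.}
    b_major=${2%%.*}; b_minor=${2#*.}
    [ "$a_major" -gt "$b_major" ] || { [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -ge "$b_minor" ]; }
}

# Print the step-5 directives that are absent or commented out in config file $1.
# Returns 0 only when all of them are present as active (uncommented) lines.
missing_directives() {
    missing=""
    for d in SyslogFacility PermitRootLogin ChallengeResponseAuthentication \
             GSSAPICleanupCredentials UsePrivilegeSeparation; do
        grep -Eq "^[[:space:]]*$d[[:space:]]" "$1" || missing="$missing $d"
    done
    printf '%s\n' "${missing# }"
    [ -z "$missing" ]
}

# Return 0 if every $1/ssh_host_*_key private key is mode 0600 (step 6 of the post).
host_keys_private() {
    ok=0
    for f in "$1"/ssh_host_*_key; do
        [ -e "$f" ] || continue
        [ "$(stat -c '%a' "$f")" = "600" ] || { echo "bad mode on $f"; ok=1; }
    done
    return $ok
}

# Typical use on the upgraded host:
#   version_ge "$(openssh_version "$(ssh -V 2>&1)")" 7.4 && echo "version ok"
#   missing_directives /etc/ssh/sshd_config && host_keys_private /etc/ssh && echo "config ok"
```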
Original link: blog.slogra.com/post-682.html

Tags: centos ssh linux openssh rpm centos7 rpmbuild

  1. 2017-12-01 16:29
    @young: That is so that x11_askpass and gnome_askpass are not built, which improves ssh execution speed.
  1. young
    2017-11-30 22:23
    Hello,
    sed -i -e "s/%define no_gnome_askpass 0/%define no_gnome_askpass 1/g" openssh-7.4p1.spec
    sed -i -e "s/%define no_x11_askpass 0/%define no_x11_askpass 1/g" openssh-7.4p1.spec

    Could you explain why these are changed to 1?
