2024年7月1日,openssh 9.8版本发布,主要修复了CVE-2024-6387安全漏洞。
由于centos 7的生命周期在6月30日终止,因此需要逐步替换到Rocky Linux,后续会有更多分享关于Rocky Linux的文章。
环境说明
1. 操作系统版本
cat /etc/os-release
NAME="Rocky Linux"
VERSION="9.4 (Blue Onyx)"
ID="rocky"
ID_LIKE="rhel centos fedora"
VERSION_ID="9.4"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Rocky Linux 9.4 (Blue Onyx)"
ANSI_COLOR="0;32"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:rocky:rocky:9::baseos"
HOME_URL="https://rockylinux.org/"
BUG_REPORT_URL="https://bugs.rockylinux.org/"
SUPPORT_END="2032-05-31"
ROCKY_SUPPORT_PRODUCT="Rocky-Linux-9"
ROCKY_SUPPORT_PRODUCT_VERSION="9.4"
REDHAT_SUPPORT_PRODUCT="Rocky Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.4"
2. 内核版本和CPU架构
uname -r
5.14.0-427.16.1.el9_4.x86_64
arch
x86_64
3. openssl版本
openssl version
OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)
准备工作
1. 安装编译工具和依赖包
dnf install rpm-build zlib-devel openssl-devel gcc perl-devel pam-devel libXt-devel gtk2-devel make perl krb5-devel -y
2. 下载所需要的源码
# openssh源码包
wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.8p1.tar.gz
# imake rpm包
wget http://rpmfind.net/linux/epel/9/Everything/x86_64/Packages/i/imake-1.0.8-6.el9.x86_64.rpm
# x11源码包
wget https://src.fedoraproject.org/repo/pkgs/openssh/x11-ssh-askpass-1.2.4.1.tar.gz/8f2e41f3f7eaa8543a2440454637f3c3/x11-ssh-askpass-1.2.4.1.tar.gz
3. 创建所需目录和安装imake包
# 创建制作rpm包的目录结构
mkdir -p rpmbuild/{SPECS,SOURCES}
# 安装imake rpm包
rpm -ivh imake-1.0.8-6.el9.x86_64.rpm
# 将源码拷贝到对应的目录
cp openssh-9.8p1.tar.gz rpmbuild/SOURCES/
cp x11-ssh-askpass-1.2.4.1.tar.gz rpmbuild/SOURCES/
4. 修改spec文件
tar -zxvf openssh-9.8p1.tar.gz
cp openssh-9.8p1/contrib/redhat/openssh.spec rpmbuild/SPECS/
cd rpmbuild/SPECS/
修改openssh.spec文件,主要添加ssh-copy-id命令,启用openssl版本显示
编译制作rpm二进制包
# 制作二进制rpm包和src源码包
rpmbuild -ba openssh.spec
# 二进制rpm包
ls -lh RPMS/x86_64/
total 5.8M
-rw-r--r-- 1 root root 524K Jul 2 13:00 openssh-9.8p1-1.el9.x86_64.rpm
-rw-r--r-- 1 root root 32K Jul 2 13:00 openssh-askpass-9.8p1-1.el9.x86_64.rpm
-rw-r--r-- 1 root root 43K Jul 2 13:00 openssh-askpass-debuginfo-9.8p1-1.el9.x86_64.rpm
-rw-r--r-- 1 root root 16K Jul 2 13:00 openssh-askpass-gnome-9.8p1-1.el9.x86_64.rpm
-rw-r--r-- 1 root root 27K Jul 2 13:00 openssh-askpass-gnome-debuginfo-9.8p1-1.el9.x86_64.rpm
-rw-r--r-- 1 root root 609K Jul 2 13:00 openssh-clients-9.8p1-1.el9.x86_64.rpm
-rw-r--r-- 1 root root 1.4M Jul 2 13:00 openssh-clients-debuginfo-9.8p1-1.el9.x86_64.rpm
-rw-r--r-- 1 root root 1001K Jul 2 13:00 openssh-debuginfo-9.8p1-1.el9.x86_64.rpm
-rw-r--r-- 1 root root 678K Jul 2 13:00 openssh-debugsource-9.8p1-1.el9.x86_64.rpm
-rw-r--r-- 1 root root 496K Jul 2 13:00 openssh-server-9.8p1-1.el9.x86_64.rpm
-rw-r--r-- 1 root root 1.1M Jul 2 13:00 openssh-server-debuginfo-9.8p1-1.el9.x86_64.rpm
# src源码rpm包
ls -lh SRPMS/
total 1.9M
-rw-r--r-- 1 root root 1.9M Jul 2 13:00 openssh-9.8p1-1.el9.src.rpm
检查验证
对rpm包在干净的环境上安装检查验证,主要验证用户权限、登陆测试等方面。
# 安装依赖包
dnf install chkconfig initscripts
# 安装openssh 9.8p1版本
yum localinstall openssh-*.rpm
# 设置权限
chmod 600 /etc/ssh/ssh_host*
#授权
mv /etc/ssh/sshd_config /etc/ssh/sshd_config_bak
echo "PermitRootLogin yes" >> /etc/ssh/sshd_config #允许root远程登录
#配置认证
mv /etc/pam.d/sshd /etc/pam.d/sshd-bak
cat > /etc/pam.d/sshd <<EOF
#%PAM-1.0
auth required pam_sepermit.so
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
## pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
## pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth
EOF
# 重启服务
systemctl restart sshd