
OpenSSH漏洞通用升级方案

1、获取openssh-rpms软件包。

https://github.com/boypt/openssh-rpms

https://github.com/boypt/openssh-deb

2、接着执行如下操作:

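# Build dependencies for the openssh-rpms tree (run as root; "#" is the root prompt).
# Fixed from the original listing: the stray quote inside "Development 'Tools"
# and the missing space in "libXt-devellibX11-devel", both of which make yum fail.
# yum install perl perl-IPC-Cmd
# yum groupinstall -y "Development Tools"
# yum install -y imake rpm-build pam-devel krb5-devel zlib-devel libXt-devel libX11-devel gtk2-devel initscripts chkconfig perl-Time-Piece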

3、下载编译 openssh 所需的软件包，主要是 openssl 和 openssh。
openssl:https://openssl-library.org/source/

openssh:https://mirrors.aliyun.com/pub/OpenBSD/OpenSSH/portable/

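# Enter the unpacked openssh-rpms checkout (root prompt, same convention as the other steps).
# cd openssh-rpms-main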

# cat version.env
# Source tarballs consumed by compile.sh. Each *VER value is derived from the
# matching *SRC file name by dropping the ".tar.gz" suffix and the name prefix.
# OPENSSLSRC=openssl-3.0.14.tar.gz   # 3.0.x entry, commented out by the author
OPENSSLSRC=openssl-1.1.1v.tar.gz     # author changed this to the 1.1.1 branch
# NOTE(review): the OpenSSL 1.1.1 branch is end-of-life and receives no further
# security fixes, so building sshd against it leaves the crypto library
# unsupported; confirm this trade-off is acceptable before rolling it out.
OPENSSHSRC=openssh-9.8p1.tar.gz
ASKPASSSRC=x11-ssh-askpass-1.2.4.1.tar.gz
PERLSRC=perl-5.38.2.tar.gz
PKGREL=1

# The patterns contain no glob characters, so the shortest-match forms "%" and
# "#" give exactly the same result as "%%" / "##".
OPENSSHVER=${OPENSSHSRC%.tar.gz}; OPENSSHVER=${OPENSSHVER#openssh-}
OPENSSLVER=${OPENSSLSRC%.tar.gz}; OPENSSLVER=${OPENSSLVER#openssl-}
PERLVER=${PERLSRC%.tar.gz};       PERLVER=${PERLVER#perl-}

4、执行 ./compile.sh 命令进行编译。

5、执行以下命令进行安装。

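#!/bin/bash
# Install the rebuilt OpenSSH RPMs and re-apply the local sshd settings.
# Run as root from the directory that holds the freshly built *.rpm files.
# Backups: /etc/pam.d/sshd.before and /etc/ssh/sshd_config.before, taken
# BEFORE the upgrade so the pre-upgrade files can be restored.
set -eu

# Back up both files before rpm -Uvh replaces them. The original script copied
# pam.d/sshd a second time after the upgrade, which overwrote the backup with
# the new file; the sshd_config copy was also missing the space between paths.
cp /etc/pam.d/sshd /etc/pam.d/sshd.before
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.before

rpm -Uvh ./*.rpm

cd /etc/ssh/
chmod 400 ssh_host_ecdsa_key ssh_host_ed25519_key ssh_host_rsa_key

# NOTE(review): sshd uses the FIRST value it finds for a keyword, so a line
# appended at the end is ignored whenever the keyword is already set earlier in
# sshd_config, and it lands inside any trailing Match block. Editing the
# existing directive (or a drop-in under sshd_config.d) is more reliable.
# NOTE(review): PermitRootLogin yes weakens the host; the upstream default is
# prohibit-password. Kept only because the original procedure sets it.
echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
sed -i -e "s/#UsePAM no/UsePAM yes/g" /etc/ssh/sshd_config

# Drop any existing KexAlgorithms / GSSAPIKexAlgorithms lines before appending
# ours (the original "sed -t ..." line was mangled). The first pattern already
# matches the GSSAPI variant; the second is kept to mirror the author's intent.
sed -i -e '/KexAlgorithms/d' -e '/GSSAPIKexAlgorithms/d' /etc/ssh/sshd_config

# The original KexAlgorithms line was unreadable in the listing; the list below
# is reconstructed from its legible fragments — TODO confirm against the source.
# diffie-hellman-group1-sha1, diffie-hellman-group-exchange-sha1 and
# diffie-hellman-group14-sha1 are legacy SHA-1 / 1024-bit methods; enable them
# only for clients that genuinely need them.
echo "KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1" >> /etc/ssh/sshd_config

# "+ssh-rsa" re-adds the SHA-1 RSA host-key signature scheme (dropped from the
# OpenSSH defaults) for legacy clients. The original line read
# "HostKeyAlgorithm+ssh-rsa", which sshd rejects as an unknown keyword.
echo "HostKeyAlgorithms +ssh-rsa" >> /etc/ssh/sshd_config

# Validate the configuration before restarting so a bad directive cannot lock
# us out of the host; under set -e a failure here stops before the restart.
sshd -t
systemctl restart sshd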