openssh9.8p1更新 修复漏洞(CVE-2024-6387)
2024 年 7 月,互联网公开披露了一个 OpenSSH 的远程代码执行漏洞(CVE-2024-6387)。鉴于该漏洞虽然利用较为困难但危害较大,建议所有使用受影响的企业尽快修复该漏洞。
centos7 为例
yum -y install gcc make openssl-devel zlib-devel
wget https://www.openssl.org/source/openssl-1.1.1k.tar.gz
tar -xzvf openssl-1.1.1k.tar.gz
cd openssl-1.1.1k/
./config --prefix=/usr/local/openssl --openssldir=/usr/local/openssl shared zlib
make -j4 && make install
mv /usr/bin/openssl /usr/bin/openssl.old
mv /usr/lib/openssl /usr/lib/openssl.old
ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
ln -s /usr/local/openssl/include/openssl /usr/include/openssl
echo “/usr/local/openssl/lib” >> /etc/ld.so.conf
ldconfig -v
验证
openssl version
wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.8p1.tar.gz
tar -xzvf openssh-9.8p1.tar.gz
cd openssh-9.8p1/
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-ssl-engine=openssl
如果报版本不对
checking OpenSSL library version… configure: error: OpenSSL >= 1.1.1 required (have “100020bf (OpenSSL 1.0.2k-fips 26 Jan 2017)”)
如果报找不到
checking OpenSSL library version… not found
configure: error: OpenSSL library not found.
那么添加环境变量
cat < /etc/profile.d/openssl.sh
export LDFLAGS=“-L/usr/local/openssl/lib”
export CPPFLAGS=“-I/usr/local/openssl/include”
EOF
source /etc/profile.d/openssl.sh
如果报错
configure: error: PAM headers not found
那么安装
yum -y install pam-devel
然后继续构建
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-ssl-engine=openssl
make -j4 && make install
如果又报错
WARNING: UNPROTECTED PRIVATE KEY FILE!
Permissions 0640 for ‘/etc/ssh/ssh_host_ed25519_key’ are too open.
sshd: no hostkeys available – exiting.
那么执行
chmod 0600 /etc/ssh/ssh_host_ed25519_key
开启 root 远程登录
sed -i ‘s/^#PermitRootLogin yes/PermitRootLogin yes/’ /etc/ssh/sshd_config
sed -i ‘s/^PermitRootLogin no/PermitRootLogin yes/’ /etc/ssh/sshd_config
systemctl restart sshd
systemctl enable sshd
ssh -V
OpenSSH_9.8p1, OpenSSL 1.1.1k 25 Mar 2021
