
Quick guide to compiling and installing SSH/SSL from source

2020-06-16 17:32:35

Hardening requirement: a certain vendor's scanning system reported a series of SSL vulnerabilities on the host, and the customer required that they be fixed.
Solution: upgrade SSH/SSL to the latest version and remove the old SSL version (in practice the vendor's scan does not pass unless the old version is removed).
Current versions: OpenSSH_5.3p1, OpenSSL 1.0.1e-fips
Current latest versions: OpenSSH_7.3p1, OpenSSL 1.0.2h

  • 1. Check the current SSH/SSL versions
  • 2. Download the latest SSH/SSL
  • 3. Compile and install SSL from source
  • 4. Compile and install SSH from source
  • 5. Remove the old SSL version
  • 6. Closing notes

1. Check the current SSH/SSL versions

Check the current SSH/SSL versions:
ssh -V
openssl version

[root@test0823 ~]# ssh -V
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013

[root@test0823 ssh]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013

Back up the ssh configuration files:
tar zcvf /etc/ssh.tar.gz /etc/ssh/

[root@test0823 ~]# tar zcvf /etc/ssh.tar.gz /etc/ssh/  
ssh/  
ssh/ssh_host_dsa_key.pub  
ssh/ssh_host_rsa_key.pub  
ssh/ssh_host_rsa_key  
ssh/sshd_config  
ssh/ssh_config  
ssh/moduli  
ssh/ssh_host_dsa_key  
ssh/ssh_host_key.pub  
ssh/ssh_host_key  
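The archive created above contains the private host keys (ssh_host_rsa_key, ssh_host_dsa_key, ssh_host_key) and is written with whatever mode the current umask gives a new file. The script below is an added example of my own, not part of the original article: it wraps the same tar call so that the archive is root-only (0600) from the moment it is created, refuses to overwrite an earlier backup, and verifies the result. The function names are mine, the demo directory it builds is constructed, and the call that corresponds to the article's step would be backup_ssh_config /etc/ssh /etc/ssh.tar.gz.

```shell
#!/bin/sh
# Added example (not from the original article): back up an ssh config
# directory the way the article does, but with the archive created root-only.
# The article's real arguments would be: backup_ssh_config /etc/ssh /etc/ssh.tar.gz

# backup_ssh_config <source-dir> <archive-path>
# Returns 0 when the archive exists, is mode 0600 and lists back cleanly.
backup_ssh_config() {
    src="$1"
    dest="$2"

    [ -d "$src" ] || { echo "no such directory: $src" >&2; return 1; }
    # Never silently replace an earlier backup: it may be the only good copy.
    [ -e "$dest" ] && { echo "refusing to overwrite existing $dest" >&2; return 1; }

    # umask 077 in a subshell so the archive is never group/world readable,
    # not even between creation and chmod; private host keys are inside it.
    ( umask 077 && tar -C "$(dirname "$src")" -czf "$dest" "$(basename "$src")" ) || return 1
    chmod 600 "$dest" || return 1

    # Verify the permission bits and that the archive reads back.
    perms=$(ls -ld "$dest" | cut -c1-10)
    [ "$perms" = "-rw-------" ] || { echo "unexpected mode $perms on $dest" >&2; return 1; }
    tar -tzf "$dest" >/dev/null || return 1
    return 0
}

# private_keys_in_archive <archive-path>
# Counts members named like OpenSSH private host keys (*_key) so it is
# obvious at a glance that the archive is sensitive.
private_keys_in_archive() {
    tar -tzf "$1" | grep -c '_key$'
}

# Demo on a constructed throwaway directory (no real keys involved).
demo_dir=$(mktemp -d)
mkdir "$demo_dir/ssh"
printf 'constructed placeholder, not a real key\n' > "$demo_dir/ssh/ssh_host_rsa_key"
printf 'constructed placeholder\n' > "$demo_dir/ssh/ssh_host_rsa_key.pub"
printf 'PermitRootLogin no\n' > "$demo_dir/ssh/sshd_config"
if backup_ssh_config "$demo_dir/ssh" "$demo_dir/ssh.tar.gz"; then
    echo "backup ok: $(ls -l "$demo_dir/ssh.tar.gz")"
    echo "private keys inside: $(private_keys_in_archive "$demo_dir/ssh.tar.gz")"
fi
rm -rf "$demo_dir"
```

The member list the function produces is the same relative "ssh/..." layout the article's tar output shows, because tar is run from the parent directory with -C; only the file mode and the overwrite check differ from the original command.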

2. Download the latest SSH/SSL

Current latest versions:
OpenSSH_7.3p1, OpenSSL 1.0.2h
The installation media for this walkthrough were downloaded from the Linux公社 resource site:

------------------------------------------divider------------------------------------------

Free download address: http://linux.linuxidc.com/

Both the username and the password are www.linuxidc.com

The download directory is /2016年資料/9月/22日/SSH-SSL原始碼編譯安裝簡易操作說明/

See http://www.linuxidc.com/Linux/2013-07/87684.htm for download instructions

------------------------------------------divider------------------------------------------

SSH/SSL installation and configuration references:
SSL installation:
See http://www.linuxfromscratch.org/blfs/view/svn/postlfs/openssl.html
SSH installation:
See http://www.linuxfromscratch.org/blfs/view/svn/postlfs/openssh.html
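Both tarballs in this walkthrough come from a third-party mirror rather than from openssl.org or openssh.com, so the one check worth doing before extracting them is a digest comparison against the checksum the upstream project itself publishes. The script below is an added example of my own, not the article's or either project's code: verify_tarball and extract_verified are names I chose, the sums file uses the format sha256sum writes, and the digests in the demo belong to constructed sample files, not to any real release.

```shell
#!/bin/sh
# Added example (not from the original article): verify a downloaded source
# tarball against an upstream-published SHA-256 before unpacking it.
# The sums file uses the format `sha256sum` writes: "<hex digest>  <filename>".
# Real digests must be taken from the upstream project's release page, never
# from the same mirror the tarball came from.

# verify_tarball <tarball> <sums-file>
# Exit status: 0 digest matches, 1 digest differs, 2 no entry for the file.
verify_tarball() {
    tarball="$1"
    sums="$2"
    name=$(basename "$tarball")

    # Look the file up by its basename; "exit" keeps only the first entry.
    expected=$(awk -v n="$name" '$2 == n { print $1; exit }' "$sums")
    [ -n "$expected" ] || { echo "no digest listed for $name in $sums" >&2; return 2; }

    actual=$(sha256sum "$tarball" | awk '{ print $1 }')
    if [ "$actual" != "$expected" ]; then
        echo "DIGEST MISMATCH for $name" >&2
        echo "  expected: $expected" >&2
        echo "  actual:   $actual" >&2
        return 1
    fi
    return 0
}

# extract_verified <tarball> <sums-file> <dest-dir>
# Unpacks only when the digest check passes; propagates its status otherwise.
extract_verified() {
    verify_tarball "$1" "$2" || return $?
    tar -C "$3" -xzf "$1"
}

# Demo with constructed data: a plain text file whose SHA-256 is known
# (the digest of "hello\n"), plus a real gzipped tarball whose digest is
# recorded the way a release checksum file would record it.
demo=$(mktemp -d)
printf 'hello\n' > "$demo/hello.txt"
printf '5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03  hello.txt\n' > "$demo/SHA256SUMS"
verify_tarball "$demo/hello.txt" "$demo/SHA256SUMS" && echo "hello.txt: digest ok"

mkdir "$demo/src-1.0" "$demo/out"
printf 'placeholder source\n' > "$demo/src-1.0/README"
tar -C "$demo" -czf "$demo/src-1.0.tar.gz" src-1.0
( cd "$demo" && sha256sum src-1.0.tar.gz >> SHA256SUMS )
extract_verified "$demo/src-1.0.tar.gz" "$demo/SHA256SUMS" "$demo/out" && ls "$demo/out/src-1.0"

printf 'tampered\n' >> "$demo/hello.txt"
verify_tarball "$demo/hello.txt" "$demo/SHA256SUMS" || echo "tampered copy rejected (status $?)"
rm -rf "$demo"
```

For the article's packages the call would be extract_verified openssl-1.0.2h.tar.gz SHA256SUMS /root with a SHA256SUMS file you wrote yourself from the upstream release page; the distinct exit codes let a wrapper script tell "wrong file" (1) from "forgot to record the digest" (2).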

3. Compile and install SSL from source

In this test all source packages were uploaded to the server's /root directory.
SSL must be installed first, then SSH.

3.1 Extract the SSL source package

[root@test0823 ~]# tar -zxvf openssl-1.0.2h.tar.gz 
[root@test0823 ~]# cd openssl-1.0.2h

3.2 Configure and build

Copy and run the following commands:

./config --prefix=/usr         \
         --openssldir=/etc/ssl \
         --libdir=lib          \
         shared                \
         zlib-dynamic &&
make depend           &&
make

Session transcript:

[root@test0823 openssl-1.0.2h]# ./config --prefix=/usr         \
>          --openssldir=/etc/ssl \
>          --libdir=lib          \
>          shared                \
>          zlib-dynamic &&
> make depend           &&
> make

3.3 Install SSL

Copy and run the following commands:

make MANDIR=/usr/share/man MANSUFFIX=ssl install &&
install -dv -m755 /usr/share/doc/openssl-1.0.2h  &&
cp -vfr doc/*     /usr/share/doc/openssl-1.0.2h

Session transcript:

[root@test0823 openssl-1.0.2h]# make MANDIR=/usr/share/man MANSUFFIX=ssl install &&
> install -dv -m755 /usr/share/doc/openssl-1.0.2h  &&
> cp -vfr doc/*     /usr/share/doc/openssl-1.0.2h

3.4 Verify the SSL version

openssl version

Session transcript (note that ssh still links against the old OpenSSL at this point, which is why SSH is rebuilt next):

[root@test0823 openssl-1.0.2h]# openssl version
OpenSSL 1.0.2h  3 May 2016
[root@test0823 openssl-1.0.2h]# ssh -V
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013

4. Compile and install SSH from source

4.1 Extract the SSH source package

[root@test0823 ~]# tar -zxvf openssh-7.3p1.tar.gz 
[root@test0823 ~]# cd openssh-7.3p1

4.2 Configure

4.2.1 Preparation before configuring

Copy and run the following commands:

install  -v -m700 -d /var/lib/sshd &&
chown    -v root:sys /var/lib/sshd &&

groupadd -g 50 sshd        &&
useradd  -c 'sshd PrivSep' \
         -d /var/lib/sshd  \
         -g sshd           \
         -s /bin/false     \
         -u 50 sshd

Session transcript:

[root@test0823 openssh-7.3p1]# install  -v -m700 -d /var/lib/sshd &&
> chown    -v root:sys /var/lib/sshd &&
> 
> groupadd -g 50 sshd        &&
> useradd  -c 'sshd PrivSep' \
>          -d /var/lib/sshd  \
>          -g sshd           \
>          -s /bin/false     \
>          -u 50 sshd

4.2.2 Configure and build

Copy and run the following commands:

./configure --prefix=/usr                     \
            --sysconfdir=/etc/ssh             \
            --with-md5-passwords              \
            --with-privsep-path=/var/lib/sshd &&
make

Session transcript:

[root@test0823 openssh-7.3p1]# ./configure --prefix=/usr                     \
>             --sysconfdir=/etc/ssh             \
>             --with-md5-passwords              \
>             --with-privsep-path=/var/lib/sshd &&
> make

4.3 Install SSH

Copy and run the following commands:

make install &&
install -v -m755    contrib/ssh-copy-id /usr/bin     &&

install -v -m644    contrib/ssh-copy-id.1 \
                    /usr/share/man/man1              &&
install -v -m755 -d /usr/share/doc/openssh-7.3p1     &&
install -v -m644    INSTALL LICENCE OVERVIEW README* \
                    /usr/share/doc/openssh-7.3p1

Session transcript:

[root@test0823 openssh-7.3p1]# make install &&
> install -v -m755    contrib/ssh-copy-id /usr/bin     &&
> 
> install -v -m644    contrib/ssh-copy-id.1 \
>                     /usr/share/man/man1              &&
> install -v -m755 -d /usr/share/doc/openssh-7.3p1     &&
> install -v -m644    INSTALL LICENCE OVERVIEW README* \
>                     /usr/share/doc/openssh-7.3p1

4.4 Verify the SSH version

[root@test0823 openssh-7.3p1]# ssh -V
OpenSSH_7.3p1, OpenSSL 1.0.2h  3 May 2016

4.5 Restart the sshd service

Rename the previous sshd binary as a backup and create a symlink for sshd:

mv /usr/sbin/sshd /usr/sbin/sshd.OFF
ln -s /root/openssh-7.3p1/sshd /usr/sbin/sshd

Restart the service with service sshd restart:

[root@test0823 openssh-7.3p1]# service sshd restart
Stopping sshd: [  OK  ]
Starting sshd: /etc/ssh/sshd_config line 81: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 83: Unsupported option GSSAPICleanupCredentials
/etc/ssh/sshd_config line 97: Unsupported option UsePAM
[  OK  ]

The errors above do not stop sshd from starting normally; to keep the messages from appearing, comment out the configuration lines they refer to:
vi /etc/ssh/sshd_config
Comment out lines 81, 83 and 97.

Restart the sshd service again and those three error lines will no longer appear.

Allow the root user to log in via ssh (this may already be allowed by default; if not, append the following line to the end of the configuration file, or edit the file directly with vi):

echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
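The three "Unsupported option" messages come from keywords this build of sshd does not know (GSSAPIAuthentication and GSSAPICleanupCredentials without Kerberos support, UsePAM without --with-pam). The script below is an added example of my own, not part of the article: it disables those options by keyword rather than by line number, keeps a timestamped backup, and prints the value sshd will actually use for a keyword. That last function matters for the echo step above: sshd_config(5) takes the first active occurrence of each keyword, so a line appended at the end of the file only takes effect if no earlier active line already sets it. The function names are mine, the config in the demo is constructed, and GNU sed is assumed.

```shell
#!/bin/sh
# Added example (not from the original article). Disables the options that the
# new sshd rejected ("Unsupported option ...") by keyword rather than by line
# number, keeps a timestamped backup, and reports the value sshd will actually
# use for a keyword. Keywords in sshd_config are case-insensitive and sshd
# honours the FIRST active occurrence of each keyword.

# disable_unsupported_options <sshd_config> <keyword>...
# Comments out every active line beginning with one of the keywords and prints
# how many lines were changed. Requires GNU sed (-i, -E and the I flag).
disable_unsupported_options() {
    cfg="$1"; shift
    [ -f "$cfg" ] || { echo "missing $cfg" >&2; return 1; }
    cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)" || return 1

    # Turn the keyword list into an alternation: Kw1|Kw2|Kw3
    pattern=$(printf '%s|' "$@" | sed 's/|$//')
    changed=$(grep -E -i -c "^[[:space:]]*($pattern)[[:space:]=]" "$cfg") || true
    # Prefix matching active lines so they stay easy to find in the file later.
    sed -E -i "s/^([[:space:]]*($pattern)[[:space:]=].*)$/#unsupported: \1/I" "$cfg" || return 1
    echo "$changed"
}

# effective_value <sshd_config> <keyword>
# Prints the value of the first active occurrence (what sshd will use), or
# nothing if the keyword is never set. Handles "Keyword value"; the rarer
# "Keyword=value" spelling is not parsed here.
effective_value() {
    kw=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v kw="$kw" '
        /^[[:space:]]*#/ { next }
        NF >= 2 && tolower($1) == kw { print $2; exit }
    ' "$1"
}

# Demo on a constructed config that mimics the article's situation.
demo=$(mktemp -d)
cat > "$demo/sshd_config" <<'EOF'
Port 22
GSSAPIAuthentication yes
#GSSAPIAuthentication no
GSSAPICleanupCredentials yes
PermitRootLogin no
UsePAM yes
EOF
echo "lines disabled: $(disable_unsupported_options "$demo/sshd_config" GSSAPIAuthentication GSSAPICleanupCredentials UsePAM)"
# Appending at the end, as the article does, does not override an earlier line:
printf 'PermitRootLogin yes\n' >> "$demo/sshd_config"
echo "effective PermitRootLogin: $(effective_value "$demo/sshd_config" PermitRootLogin)"
rm -rf "$demo"
```

Before running service sshd restart, sshd -t -f /etc/ssh/sshd_config with the new binary reports any remaining unsupported option without stopping the daemon that is currently serving you, and sshd -T prints the configuration sshd will run with, which is the authoritative version of what effective_value approximates.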

5. Remove the old SSL version

I had not removed the old versions of SSL and SSH earlier because I did not understand the programs that depend on them,
but the final scan showed that if the old SSL version is not removed, the vendor's scanner still reports the series of SSL vulnerabilities.

List the openssl-related packages installed via rpm:

rpm -qa|grep openssl

Remove the old SSL version (here openssl-1.0.1e-42.el6.x86_64):
rpm -e openssl-1.0.1e-42.el6.x86_64
Trying to remove it directly reports the following library dependencies:

[root@test0823 ~]# rpm -e openssl-1.0.1e-42.el6.x86_64
error: Failed dependencies:
        libcrypto.so.10()(64bit) is needed by (installed) qt-1:4.6.2-28.el6_5.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) libarchive-2.8.3-4.el6_2.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) libssh2-1.4.2-1.el6_6.1.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) wget-1.12-5.el6_6.1.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) wpa_supplicant-1:0.7.3-6.el6.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) bind-libs-32:9.8.2-0.37.rc1.el6.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) bind-utils-32:9.8.2-0.37.rc1.el6.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) mysql-libs-5.1.73-5.el6_6.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) fipscheck-1.2.0-7.el6.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) httpd-tools-2.2.15-45.el6.CentOS.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) cyrus-sasl-md5-2.1.23-15.el6_6.2.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) gnome-vfs2-2.24.2-6.el6.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) ptlib-2.6.5-3.el6.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) opal-3.6.6-4.el6.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) Python-libs-2.6.6-64.el6.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) python-ldap-0:2.3.10-1.el6.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) pyOpenSSL-0.13.1-2.el6.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) net-snmp-libs-1:5.5-54.el6.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) evolution-data-server-2.32.3-23.el6.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) gstreamer-plugins-bad-free-0.10.19-3.el6_5.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) xorg-x11-server-Xorg-1.15.0-36.el6.centos.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) hplip-libs-3.14.6-3.el6.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) ntpdate-4.2.6p5-5.el6.centos.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) ntp-4.2.6p5-5.el6.centos.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) certmonger-0.77.5-1.el6.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) cyrus-sasl-2.1.23-15.el6_6.2.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) postfix-2:2.6.6-6.el6_5.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) hpijs-1:3.14.6-3.el6.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) ekiga-3.2.6-4.el6.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) gnome-vfs2-smb-2.24.2-6.el6.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) tcpdump-14:4.0.0-5.20090921gitdf3cb4.2.el6.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) vsftpd-2.2.2-14.el6.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) openssh-5.3p1-111.el6.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) openssh-server-5.3p1-111.el6.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) openssh-clients-5.3p1-111.el6.x86_64
        libcrypto.so.10(OPENSSL_1.0.1)(64bit) is needed by (installed) pyOpenSSL-0.13.1-2.el6.x86_64
        libcrypto.so.10(OPENSSL_1.0.1)(64bit) is needed by (installed) net-snmp-libs-1:5.5-54.el6.x86_64
        libcrypto.so.10(OPENSSL_1.0.1)(64bit) is needed by (installed) ntpdate-4.2.6p5-5.el6.centos.x86_64
        libcrypto.so.10(OPENSSL_1.0.1)(64bit) is needed by (installed) ntp-4.2.6p5-5.el6.centos.x86_64
        libcrypto.so.10(OPENSSL_1.0.1)(64bit) is needed by (installed) postfix-2:2.6.6-6.el6_5.x86_64
        libcrypto.so.10(OPENSSL_1.0.1)(64bit) is needed by (installed) openssh-5.3p1-111.el6.x86_64
        libcrypto.so.10(OPENSSL_1.0.1)(64bit) is needed by (installed) openssh-server-5.3p1-111.el6.x86_64
        libcrypto.so.10(OPENSSL_1.0.1)(64bit) is needed by (installed) openssh-clients-5.3p1-111.el6.x86_64
        libcrypto.so.10(OPENSSL_1.0.1_EC)(64bit) is needed by (installed) certmonger-0.77.5-1.el6.x86_64
        libcrypto.so.10(OPENSSL_1.0.1_EC)(64bit) is needed by (installed) postfix-2:2.6.6-6.el6_5.x86_64
        libcrypto.so.10(OPENSSL_1.0.1_EC)(64bit) is needed by (installed) openssh-5.3p1-111.el6.x86_64
        libcrypto.so.10(OPENSSL_1.0.1_EC)(64bit) is needed by (installed) openssh-server-5.3p1-111.el6.x86_64
        libcrypto.so.10(OPENSSL_1.0.1_EC)(64bit) is needed by (installed) openssh-clients-5.3p1-111.el6.x86_64
        libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) qt-1:4.6.2-28.el6_5.x86_64
        libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) libssh2-1.4.2-1.el6_6.1.x86_64
        libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) wget-1.12-5.el6_6.1.x86_64
        libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) wpa_supplicant-1:0.7.3-6.el6.x86_64
        libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) bind-libs-32:9.8.2-0.37.rc1.el6.x86_64
        libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) mysql-libs-5.1.73-5.el6_6.x86_64
        libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) httpd-tools-2.2.15-45.el6.centos.x86_64
        libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) cyrus-sasl-md5-2.1.23-15.el6_6.2.x86_64
        libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) python-libs-2.6.6-64.el6.x86_64
        libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) pyOpenSSL-0.13.1-2.el6.x86_64
        libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) net-snmp-libs-1:5.5-54.el6.x86_64
        libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) gstreamer-plugins-bad-free-0.10.19-3.el6_5.x86_64
        libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) xorg-x11-server-Xorg-1.15.0-36.el6.centos.x86_64
        libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) ntpdate-4.2.6p5-5.el6.centos.x86_64
        libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) ntp-4.2.6p5-5.el6.centos.x86_64
        libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) certmonger-0.77.5-1.el6.x86_64
        libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) cyrus-sasl-2.1.23-15.el6_6.2.x86_64
        libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) postfix-2:2.6.6-6.el6_5.x86_64
        libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) tcpdump-14:4.0.0-5.20090921gitdf3cb4.2.el6.x86_64
        libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) vsftpd-2.2.2-14.el6.x86_64
        libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) openssh-5.3p1-111.el6.x86_64
        libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) openssh-server-5.3p1-111.el6.x86_64
        libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) openssh-clients-5.3p1-111.el6.x86_64
        libssl.so.10()(64bit) is needed by (installed) qt-1:4.6.2-28.el6_5.x86_64
        libssl.so.10()(64bit) is needed by (installed) libssh2-1.4.2-1.el6_6.1.x86_64
        libssl.so.10()(64bit) is needed by (installed) wget-1.12-5.el6_6.1.x86_64
        libssl.so.10()(64bit) is needed by (installed) wpa_supplicant-1:0.7.3-6.el6.x86_64
        libssl.so.10()(64bit) is needed by (installed) mysql-libs-5.1.73-5.el6_6.x86_64
        libssl.so.10()(64bit) is needed by (installed) httpd-tools-2.2.15-45.el6.centos.x86_64
        libssl.so.10()(64bit) is needed by (installed) gnome-vfs2-2.24.2-6.el6.x86_64
        libssl.so.10()(64bit) is needed by (installed) ptlib-2.6.5-3.el6.x86_64
        libssl.so.10()(64bit) is needed by (installed) opal-3.6.6-4.el6.x86_64
        libssl.so.10()(64bit) is needed by (installed) python-libs-2.6.6-64.el6.x86_64
        libssl.so.10()(64bit) is needed by (installed) python-ldap-0:2.3.10-1.el6.x86_64
        libssl.so.10()(64bit) is needed by (installed) pyOpenSSL-0.13.1-2.el6.x86_64
        libssl.so.10()(64bit) is needed by (installed) evolution-data-server-2.32.3-23.el6.x86_64
        libssl.so.10()(64bit) is needed by (installed) gstreamer-plugins-bad-free-0.10.19-3.el6_5.x86_64
        libssl.so.10()(64bit) is needed by (installed) postfix-2:2.6.6-6.el6_5.x86_64
        libssl.so.10()(64bit) is needed by (installed) ekiga-3.2.6-4.el6.x86_64
        libssl.so.10()(64bit) is needed by (installed) gnome-vfs2-smb-2.24.2-6.el6.x86_64
        libssl.so.10()(64bit) is needed by (installed) vsftpd-2.2.2-14.el6.x86_64
        libssl.so.10(libssl.so.10)(64bit) is needed by (installed) qt-1:4.6.2-28.el6_5.x86_64
        libssl.so.10(libssl.so.10)(64bit) is needed by (installed) wget-1.12-5.el6_6.1.x86_64
        libssl.so.10(libssl.so.10)(64bit) is needed by (installed) wpa_supplicant-1:0.7.3-6.el6.x86_64
        libssl.so.10(libssl.so.10)(64bit) is needed by (installed) mysql-libs-5.1.73-5.el6_6.x86_64
        libssl.so.10(libssl.so.10)(64bit) is needed by (installed) httpd-tools-2.2.15-45.el6.centos.x86_64
        libssl.so.10(libssl.so.10)(64bit) is needed by (installed) python-libs-2.6.6-64.el6.x86_64
        libssl.so.10(libssl.so.10)(64bit) is needed by (installed) pyOpenSSL-0.13.1-2.el6.x86_64
        libssl.so.10(libssl.so.10)(64bit) is needed by (installed) postfix-2:2.6.6-6.el6_5.x86_64
        libssl.so.10(libssl.so.10)(64bit) is needed by (installed) vsftpd-2.2.2-14.el6.x86_64
        openssl is needed by (installed) postfix-2:2.6.6-6.el6_5.x86_64

Take note of the two library files that are depended on:

libcrypto.so.10
libssl.so.10

Then remove the package while ignoring dependencies:

rpm -e --nodeps openssl-1.0.1e-42.el6.x86_64

Create new symlink mappings:

[root@test0823 openssl-1.0.2h]# ln -s /root/openssl-1.0.2h/libssl.so.1.0.0 /usr/lib64/libssl.so.10
[root@test0823 openssl-1.0.2h]# ln -s /root/openssl-1.0.2h/libcrypto.so.1.0.0 /usr/lib64/libcrypto.so.10

If openssl was the last package removed, the openssl binary's symlink also needs attention, as follows:

[root@test0823 apps]# ln -s /root/openssl-1.0.2h/apps/openssl /usr/bin/openssl

A rescan then no longer reports any SSL-related vulnerabilities.
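The rpm error listing above is the complete inventory of what the --nodeps removal and the symlink swap affect, and it carries more than the two SONAMEs the article notes down: many entries ask for a specific ELF symbol version node (OPENSSL_1.0.1, OPENSSL_1.0.1_EC, libcrypto.so.10). The script below is an added example of my own, not the article's: it parses saved rpm output and reports which installed packages depend on each SONAME and which version nodes they request, so you know exactly what to exercise after the swap. The function names are mine, and the embedded sample is a shortened copy of the article's own listing.

```shell
#!/bin/sh
# Added example (not from the original article). Parses the "Failed
# dependencies:" output rpm printed for the old openssl package and reports
# (a) which installed packages depend on each SONAME and (b) which ELF symbol
# version nodes (OPENSSL_1.0.1, OPENSSL_1.0.1_EC, ...) they expect. Those are
# the packages to exercise after the --nodeps removal and the symlink swap.
# Intended input:  rpm -e openssl-1.0.1e-42.el6.x86_64 2>&1 | tee rpm-e.txt

# dependants_of <rpm-output-file> <soname>
# Prints the sorted, de-duplicated package names that need the given SONAME
# (versioned and unversioned references alike).
dependants_of() {
    awk -v so="$2" '
        index($1, so "(") == 1 && /is needed by \(installed\)/ { print $NF }
    ' "$1" | LC_ALL=C sort -u
}

# version_nodes <rpm-output-file>
# Prints the distinct version nodes requested inside the parentheses; plain
# "()" references carry no node and are skipped.
version_nodes() {
    sed -n -E 's/^[[:space:]]*lib(crypto|ssl)\.so\.10\(([^)]+)\).*/\2/p' "$1" | LC_ALL=C sort -u
}

# packages_needing_node <rpm-output-file> <node>
# Which packages ask for one specific version node, e.g. OPENSSL_1.0.1_EC.
packages_needing_node() {
    awk -v node="$2" '
        index($1, "(" node ")") > 0 { print $NF }
    ' "$1" | LC_ALL=C sort -u
}

# sample_rpm_output: a shortened copy of the article's own rpm error listing,
# used as constructed input for the demo below.
sample_rpm_output() {
    cat <<'EOF'
error: Failed dependencies:
        libcrypto.so.10()(64bit) is needed by (installed) wget-1.12-5.el6_6.1.x86_64
        libcrypto.so.10()(64bit) is needed by (installed) postfix-2:2.6.6-6.el6_5.x86_64
        libcrypto.so.10(OPENSSL_1.0.1)(64bit) is needed by (installed) postfix-2:2.6.6-6.el6_5.x86_64
        libcrypto.so.10(OPENSSL_1.0.1_EC)(64bit) is needed by (installed) postfix-2:2.6.6-6.el6_5.x86_64
        libcrypto.so.10(libcrypto.so.10)(64bit) is needed by (installed) wget-1.12-5.el6_6.1.x86_64
        libssl.so.10()(64bit) is needed by (installed) wget-1.12-5.el6_6.1.x86_64
        libssl.so.10(libssl.so.10)(64bit) is needed by (installed) vsftpd-2.2.2-14.el6.x86_64
        openssl is needed by (installed) postfix-2:2.6.6-6.el6_5.x86_64
EOF
}

demo=$(mktemp)
sample_rpm_output > "$demo"
echo "libcrypto.so.10 dependants:"; dependants_of "$demo" libcrypto.so.10
echo "libssl.so.10 dependants:";    dependants_of "$demo" libssl.so.10
echo "version nodes requested:";    version_nodes "$demo"
echo "need OPENSSL_1.0.1_EC:";      packages_needing_node "$demo" OPENSSL_1.0.1_EC
rm -f "$demo"
```

The version nodes are the part to check against the replacement library: readelf -V on the library the symlink points at lists the version definitions it actually provides. Upstream OpenSSL only began versioning its exported symbols in 1.1.0, so a plain 1.0.2h build defines none of these nodes, and the dynamic loader refuses to load a library that lacks a node the executable asks for; every package that packages_needing_node reports should therefore be started and tested (ldd plus a functional check) after the swap, and rebuilt against the new library or kept on the distribution package if it no longer loads.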

6. Closing notes

My specialty is not system administration and I do not know much about compiling and installing on Linux, so this hardening process may well contain omissions or mistakes; experts are welcome to point them out so that everyone can learn from them together.
Thanks also to netizen 遊蕩 for the ssh installation notes provided to me early on.
Thanks to www.linuxfromscratch.org for the SSH/SSL installation instructions.


Permanent link to this article: http://www.linuxidc.com/Linux/2016-09/135433.htm

