背景
前端时间暴露出ssh漏洞,需要将服务器ssh版本,目前ssh版本最新版为9.8,故在服务器测试,准备将所有服务器ssh版本升级。脚本在centos7.6上亲测可用。
#!/bin/bash
#Author Mr zhang
ECHO_GREEN()
{
echo -e "\033[32m $1...\033[0m"
}
ECHO_RED()
{
echo -e "\033[31m $1...\033[0m"
}
ECHO_PURPLE()
{
echo -e "\033[35m $1...\033[0m"
}
function InstallLib(){
yum -y install gcc wget zlib-devel pam-devel libselinux-devel
}
function InstallSsl(){
ECHO_GREEN "start to install ssl"
yum remove openssl -y
wget wget https://www.openssl.org/source/old/1.1.1/openssl-1.1.1w.tar.gz
tar axf openssl-1.1.1w.tar.gz
cd openssl-1.1.1w && ./config --prefix=/usr
make && make install
cd ..
SslVersion=$(openssl version)
ECHO_GREEN "ssl : ${SslVersion} install finished!"
}
function InstallSshd(){
mkdir /home/ssh
cp /etc/ssh/sshd_config /home/ssh/sshd_config.bak
cp /etc/pam.d/sshd /home/ssh/sshd.bak
wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.8p1.tar.gz
# remove origin sshd
rpm -e --nodeps `rpm -qa | grep openssh`
rpm -qa openssh
tar axf openssh-9.8p1.tar.gz
cd openssh-9.8p1
./configure --prefix=/usr/local/openssh9.8p1 --exec-prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-zlib --with-selinux --with-tcp-wrappers --with-ssl-dir=/usr/local/ssl --without-hardening
make && make install
chmod 600 /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_ecdsa_key /etc/ssh/ssh_host_ed25519_key
cd ..
cp -a ./openssh-9.8p1/contrib/redhat/sshd.init /etc/init.d/sshd
chmod u+x /etc/init.d/sshd
cp /home/ssh/sshd_config.bak /etc/ssh/sshd_config
cp /home/ssh/sshd.bak /etc/pam.d/sshd
chkconfig --add sshd
chkconfig sshd on
# 去掉注释
sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config
sed -i 's/#PermitRootLogin yes/PermitRootLogin yes/' /etc/ssh/sshd_config
sed -i 's/#UseDNS no/UseDNS no/' /etc/ssh/sshd_config
sed -i '$a\# 在行尾增加",ecdh-sha2-nistp521",以满足ecdsa公钥方式登录(密钥长度521)' /etc/ssh/sshd_config
sed -i '$a\KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1' /etc/ssh/sshd_config
sed -i '$a\# 增加",ssh-rsa",以满足RSA 登录' /etc/ssh/sshd_config
sed -i '$a\HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512,ssh-rsa' /etc/ssh/sshd_config
sed -i '$a\PubkeyAcceptedKeyTypes ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512,ssh-rsa' /etc/ssh/sshd_config
systemctl restart sshd
}
UpToVersion="OpenSSH_9.8p1"
#注意:升级前与一台服务器做好免密登陆
CurVersion=$(ssh -V 2>&1 | awk -F "," '{print $1}')
ECHO_GREEN "current ssh version is: ${CurVersion}"
if [[ ${CurVersion} != ${UpToVersion} ]];then
ECHO_GREEN "continue"
ECHO_GREEN " start to update ,please wait----"
InstallLib
InstallSsl
InstallSshd
ECHO_GREEN "sshd install success!"
else
ECHO_GREEN "no need to update"
ECHO_GREEN "skip"
fi
升级后影响
1.升级ssh过程中需要升级openssl,可能会导致nginx等服务不可用,升级需谨慎,慎重!!
2.可能会导致sftp不可用
解决方法
[root@localhost ~]# find / -name sftp-server
/usr/libexec/sftp-server
#将配置文件sshd Subsystem sftp 修改为上述结果 例如:
[root@localhost ~]# cat /etc/ssh/sshd_config | grep Subsystem
Subsystem sftp /usr/libexec/sftp-server
3.有可能会修改环境变量,导致 /usr/local/bin下的可执行文件不可用
解决方法
#修改/etc/profile 增加
[root@localhost ~]# cat /etc/profile| grep export
export PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
