Upgrading OpenSSH 7 to OpenSSH 9 - vulnerability: CVE-2024-6387

Alibaba Cloud vulnerability description: https://avd.aliyun.com/detail?id=CVE-2024-6387
Remediation advice:
1. Upgrade OpenSSH to a fixed version, 9.8 or later, or to your distribution's security-patched build.
2. If you cannot upgrade yet, use security group rules so that the OpenSSH port is open only to trusted addresses.
3. The vulnerability scanner can only read the OpenSSH version string itself; if you have confirmed that you are running your distribution's security-patched build, this finding can be ignored.
# Setting up the base environment
# Installing the dependency packages
- Install the build tools
```bash
yum install gcc gcc-c++ make -y
yum install -y perl-CPAN perl-ExtUtils-CBuilder perl-ExtUtils-MakeMaker
```
- Install the openssh dependency libraries
```bash
cd /usr/local/src
test -f zlib-1.3.1.tar.gz || wget https://www.zlib.net/fossils/zlib-1.3.1.tar.gz
tar xf zlib-1.3.1.tar.gz
cd zlib-1.3.1
./configure --prefix=/usr/local/zlib
make -j $(nproc)
make install
echo $?
cd /usr/local/src
test -f openssl-3.2.2.tar.gz || wget https://www.openssl.org/source/openssl-3.2.2.tar.gz
tar xf openssl-3.2.2.tar.gz
cd openssl-3.2.2
# OpenSSL's build script is ./config (the tarball has no ./configure); --shared builds the .so files sshd links against
./config --prefix=/usr/local/ssl --shared
make -j $(nproc)
make install
echo $?
# Register the new library directory with the dynamic loader; ldconfig rebuilds the cache so sshd can find libcrypto.so.3 at runtime
echo '/usr/local/ssl/lib64' >> /etc/ld.so.conf
ldconfig
```
# Removing the old openssh service
- The old openssh service has to be removed, otherwise configure will not get through; install the telnet-server service in advance so you keep a way to connect
Removal is risky, so proceed carefully: once it is removed the ssh port no longer accepts new connections (sessions that are already connected are not dropped). Install the telnet service beforehand to guard against the ssh session dropping; I skip that step here.
```bash
cp -a /etc/ssh /etc/ssh_bak
yum remove openssh.x86_64
```
- configure will not pass until the old openssh is removed; the output recorded when configure succeeded is below
```text
checking for plink... no
checking for puttygen... no
checking for conch... no
checking for dropbear... no
checking for dbclient... no
checking for dropbearkey... no
checking for dropbearconvert... no
configure: creating ./config.status
config.status: creating Makefile
config.status: creating buildpkg.sh
config.status: creating opensshd.init
config.status: creating openssh.xml
config.status: creating openbsd-compat/Makefile
config.status: creating openbsd-compat/regress/Makefile
config.status: creating survey.sh
config.status: creating config.h
OpenSSH has been configured with the following options:
User binaries: /usr/local/openssh/bin
System binaries: /usr/local/openssh/sbin
Configuration files: /usr/local/openssh/etc
Askpass program: /usr/local/openssh/libexec/ssh-askpass
Manual pages: /usr/local/openssh/share/man/manX
PID file: /var/run
Privilege separation chroot path: /var/empty
sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/openssh/bin
Manpage format: doc
PAM support: no
OSF SIA support: no
KerberosV support: no
SELinux support: no
libedit support: no
libldns support: no
Solaris process contract support: no
Solaris project support: no
Solaris privilege support: no
IP address in $DISPLAY hack: no
Translate v4 in v6 hack: yes
BSD Auth support: no
Random number source: OpenSSL internal ONLY
Privsep sandbox style: seccomp_filter
PKCS#11 support: yes
U2F/FIDO support: yes
Host: x86_64-pc-linux-gnu
Compiler: cc -std=gnu11
Compiler flags: -g -O2 -pipe -Wall -Wextra -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-parameter -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE
Preprocessor flags: -I/usr/local/ssl/include -I/usr/local/zlib/include -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -D_GNU_SOURCE -DOPENSSL_API_COMPAT=0x10100000L
Linker flags: -L/usr/local/ssl/lib64 -L/usr/local/zlib/lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -pie
Libraries: -ldl -lutil -lresolv
+for channels: -lcrypto -lz
+for sshd: -lcrypt
[root@basic2 openssh-9.8p1]# echo $?
0
```
# Configuring and building the openssh service
```bash
# Download and extract the source
cd /usr/local/src
test -f openssh-9.8p1.tar.gz || wget http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.8p1.tar.gz
tar xf openssh-9.8p1.tar.gz
cd openssh-9.8p1
# Build
./configure --prefix=/usr/local/openssh --with-zlib=/usr/local/zlib --with-ssl-dir=/usr/local/ssl
echo $?
make -j $(nproc)
make install
echo $?
# Configure sshd_config (the new sshd was built with its configuration directory at /usr/local/openssh/etc, so this is the file it reads)
echo 'PermitRootLogin yes' >>/usr/local/openssh/etc/sshd_config   # as in the original; prohibit-password is the safer setting on an exposed host
echo 'PubkeyAuthentication yes' >>/usr/local/openssh/etc/sshd_config
echo 'PasswordAuthentication yes' >>/usr/local/openssh/etc/sshd_config
# Copy the newly built config file and binaries to the original paths (the old /etc/ssh was backed up to /etc/ssh_bak above)
\cp /usr/local/openssh/etc/sshd_config /etc/ssh/sshd_config
\cp /usr/local/openssh/sbin/sshd /usr/sbin/sshd
\cp /usr/local/openssh/bin/ssh /usr/bin/ssh
\cp /usr/local/openssh/bin/ssh-keygen /usr/bin/ssh-keygen
\cp /usr/local/openssh/etc/ssh_host_ecdsa_key.pub /etc/ssh/ssh_host_ecdsa_key.pub
# Still inside the openssh-9.8p1 source directory: install the Red Hat style init script
\cp -p contrib/redhat/sshd.init /etc/init.d/sshd
chmod +x /etc/init.d/sshd
# systemd only picks up a newly added SysV script after a daemon-reload
systemctl daemon-reload
systemctl enable sshd
systemctl restart sshd
```
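The post removes the distribution's openssh package before building and relies on telnet as a fallback. An added example (not from the original post) that avoids that window: after `make install`, set the three sshd_config options idempotently, have the new daemon validate the config, and run it on a trial port alongside the still-running old sshd until a fresh login succeeds. The prefix paths follow the post; `TEST_PORT`, the pid file path and the `RUN_TRIAL` switch are assumptions.

```bash
#!/bin/bash
# Added example, not from the original post: keep the old sshd serving port 22
# and verify the new build on a trial port first. Paths follow the post's
# --prefix; TEST_PORT, the pid file and RUN_TRIAL are assumptions.
NEW_SSHD=/usr/local/openssh/sbin/sshd
NEW_CONF=/usr/local/openssh/etc/sshd_config
TEST_PORT=${TEST_PORT:-2222}

# Set one sshd_config directive in place, replacing the first (possibly
# commented-out) occurrence, or append it; re-runs never duplicate directives.
set_sshd_option() {   # usage: set_sshd_option CONF KEY VALUE
    awk -v k="$2" -v v="$3" '
        !done && tolower($1) ~ ("^#?" tolower(k) "$") { print k, v; done = 1; next }
        { print }
        END { if (!done) print k, v }
    ' "$1" > "$1.tmp" && cat "$1.tmp" > "$1" && rm -f "$1.tmp"
}

# Effective value of KEY: sshd uses the first uncommented occurrence.
sshd_option() {       # usage: sshd_option CONF KEY
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

trial_run() {
    # The post appends these three lines; set them idempotently instead.
    set_sshd_option "$NEW_CONF" PubkeyAuthentication yes
    set_sshd_option "$NEW_CONF" PasswordAuthentication yes
    set_sshd_option "$NEW_CONF" PermitRootLogin yes   # as in the post
    # Refuse to start on a config the new daemon rejects.
    "$NEW_SSHD" -t -f "$NEW_CONF" || { echo "new sshd rejects $NEW_CONF" >&2; return 1; }
    # Second daemon on the trial port with its own pid file, while the
    # package sshd keeps serving port 22.
    "$NEW_SSHD" -f "$NEW_CONF" -p "$TEST_PORT" -o PidFile=/run/sshd-trial.pid || return 1
    echo "trial sshd listening on $TEST_PORT: open a NEW session with ssh -p $TEST_PORT"
    echo "only after that login works, replace the port-22 sshd; then: kill \$(cat /run/sshd-trial.pid)"
}

# Guarded so the helper functions can be sourced or tested without root.
if [ "${RUN_TRIAL:-0}" = 1 ]; then trial_run; fi
```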
```text
[root@basic2 ~]# ssh -V
OpenSSH_9.8p1, OpenSSL 3.2.2 4 Jun 2024
```
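`ssh -V` above reports the client binary; CVE-2024-6387 is in sshd. The following added script (not from the original post) reads the version banner the listening daemon itself announces and applies the post's 9.8-or-later criterion; the host and port arguments are assumptions, and a vendor backport (advice item 3 above) will still announce an older number.

```bash
#!/bin/bash
# Added example, not from the original post. Checks what the sshd on a port
# actually announces, since ssh -V only describes the client.

# Extract "MAJOR MINOR" from an OpenSSH version string, e.g. the ssh -V output
# "OpenSSH_9.8p1, OpenSSL 3.2.2 ..." or a banner "SSH-2.0-OpenSSH_9.8p1".
# Returns 1 (prints nothing) when the string is not an OpenSSH version.
openssh_version() {
    local v
    v=$(printf '%s' "$1" | sed -n 's/.*OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# 0 when the version is 9.8 or later, the release the post upgrades to.
# A vendor backport keeps an older number but is patched, so 1 here means
# "check the package changelog", not "definitely vulnerable".
is_fixed_version() {
    local v
    v=$(openssh_version "$1") || return 1
    set -- $v
    [ "$1" -gt 9 ] && return 0
    [ "$1" -eq 9 ] && [ "$2" -ge 8 ] && return 0
    return 1
}

# Read the banner line sshd sends on connect, without authenticating.
# Uses bash's /dev/tcp in a subshell so a refused connection just returns 1.
sshd_banner() {       # usage: sshd_banner HOST PORT
    (
        exec 3<>"/dev/tcp/$1/$2" || exit 1
        IFS= read -r -t 5 line <&3 || exit 1
        printf '%s\n' "${line%%[[:cntrl:]]*}"
    ) 2>/dev/null
}

check_host() {        # usage: check_host HOST PORT
    local banner
    banner=$(sshd_banner "$1" "$2") || { echo "cannot read banner from $1:$2" >&2; return 2; }
    if is_fixed_version "$banner"; then
        echo "$1:$2 announces '$banner' (OpenSSH 9.8 or later)"
    else
        echo "$1:$2 announces '$banner' (older than 9.8: upgrade, or confirm a vendor backport)"
        return 1
    fi
}

# Only probe the network when run directly with arguments, e.g. ./check.sh 127.0.0.1 22
if [ $# -ge 1 ]; then check_host "$1" "${2:-22}"; fi
```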
- configure errors
If you hit `openssh: configure: error: PAM headers not found`, install the pam-devel package:
```bash
yum -y install pam-devel.x86_64
```
```bash
# Download links on my own storage...
wget https://download.yfklife.cn/blog/ops/openssh/openssh-9.8p1.tar.gz
wget https://download.yfklife.cn/blog/ops/openssh/zlib-1.3.1.tar.gz
wget https://download.yfklife.cn/blog/ops/openssh/openssl-3.2.2.tar.gz
```
Last updated: 2024/09/27, 18:00:01