背景
前段時間暴露出ssh漏洞,需要升級服務器ssh版本。目前ssh最新版本為9.8,故先在服務器上測試,準備將所有服務器ssh版本升級。腳本在centos7.6上親測可用。
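#!/bin/bash
# Author Mr zhang
#
# Upgrades OpenSSH (and the OpenSSL it is built against) from source on
# CentOS 7. The ECHO_* helpers below each print one coloured status line.

#######################################
# Print a green status line.
# Arguments: $1 - message text
# Outputs:   writes " $1..." wrapped in ANSI green, plus newline, to stdout
#######################################
ECHO_GREEN() {
  # printf emits the message bytes verbatim; `echo -e` would additionally
  # expand backslash escapes contained in $1.
  printf '\033[32m %s...\033[0m\n' "$1"
}

#######################################
# Print a red status line (used for error reports).
# Arguments: $1 - message text
# Outputs:   writes " $1..." wrapped in ANSI red, plus newline, to stdout
#######################################
ECHO_RED() {
  printf '\033[31m %s...\033[0m\n' "$1"
}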
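#######################################
# Print a purple status line.
# Arguments: $1 - message text
# Outputs:   writes " $1..." wrapped in ANSI purple, plus newline, to stdout
#######################################
ECHO_PURPLE() {
  printf '\033[35m %s...\033[0m\n' "$1"
}

#######################################
# Install the toolchain and development headers the OpenSSL and OpenSSH
# source builds need (zlib, PAM, SELinux).
# Returns: 0 on success, 1 when yum fails, so the caller can stop before
#          any existing package is removed
#######################################
InstallLib() {
  # `make` and `perl` are invoked by the builds further down but were not in
  # the original package list; installing an already-present package is a
  # no-op for yum.
  yum -y install gcc make perl wget zlib-devel pam-devel libselinux-devel \
    || return 1
}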
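#######################################
# Build and install OpenSSL 1.1.1w from source into /usr after removing the
# distribution `openssl` package.
# Outputs:   progress lines on stdout
# Returns:   0 on success, 1 if package removal, download, unpack or build
#            fails (the caller must not continue to the sshd build then)
#######################################
InstallSsl() {
  local ssl_ver="openssl-1.1.1w"
  local ssl_url="https://www.openssl.org/source/old/1.1.1/${ssl_ver}.tar.gz"
  local ssl_version

  ECHO_GREEN "start to install ssl"
  # Removing the distro package can break other consumers (nginx etc.) —
  # see the "impact" notes that accompany this script.
  yum remove openssl -y || return 1
  # TODO(review): verify the tarball against the published checksum or
  # signature (<PLACEHOLDER: release .sha256/.asc>) before building it.
  wget -- "${ssl_url}" || return 1
  tar axf "${ssl_ver}.tar.gz" || return 1
  # Subshell: a failing step leaves the caller's working directory untouched.
  (
    cd "${ssl_ver}" || exit 1
    ./config --prefix=/usr && make && make install
  ) || return 1
  ssl_version=$(openssl version) || return 1
  ECHO_GREEN "ssl : ${ssl_version} install finished!"
}

#######################################
# Build and install OpenSSH 9.8p1 from source, replacing the openssh RPMs.
# sshd_config and the PAM file are backed up to /home/ssh and restored after
# the install. The RPMs are removed only after the new build has succeeded,
# and the restored config is validated with `sshd -t` before the restart,
# so a failed step does not leave the host without a usable sshd.
# Outputs:   progress lines on stdout
# Returns:   0 on success, 1 if any download/build/install/config step fails
#######################################
InstallSshd() {
  local ssh_ver="openssh-9.8p1"
  local ssh_url="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/${ssh_ver}.tar.gz"
  local backup_dir="/home/ssh"
  local cfg="/etc/ssh/sshd_config"
  local -a old_pkgs=()

  mkdir -p -- "${backup_dir}" || return 1
  cp -- "${cfg}" "${backup_dir}/sshd_config.bak" || return 1
  cp -- /etc/pam.d/sshd "${backup_dir}/sshd.bak" || return 1

  # TODO(review): verify the tarball against the OpenSSH release signature
  # (<PLACEHOLDER: .asc from the release page>) before building it.
  wget -- "${ssh_url}" || return 1
  tar axf "${ssh_ver}.tar.gz" || return 1

  # NOTE(review): OpenSSL above is installed with --prefix=/usr, so
  # /usr/local/ssl may not be where its headers and libraries end up —
  # confirm; configure fails if it cannot locate OpenSSL.
  # --with-tcp-wrappers is kept for parity with the original invocation;
  # current OpenSSH configure only warns about it.
  (
    cd "${ssh_ver}" || exit 1
    ./configure --prefix=/usr/local/openssh9.8p1 --exec-prefix=/usr \
      --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-zlib \
      --with-selinux --with-tcp-wrappers --with-ssl-dir=/usr/local/ssl \
      --without-hardening && make
  ) || return 1

  # remove origin sshd — only now that the new build has compiled.
  mapfile -t old_pkgs < <(rpm -qa | grep openssh)
  if (( ${#old_pkgs[@]} > 0 )); then
    rpm -e --nodeps "${old_pkgs[@]}" || return 1
  fi
  # Informational: should print nothing once the packages are gone.
  rpm -qa openssh

  ( cd "${ssh_ver}" && make install ) || return 1
  chmod 600 /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_ecdsa_key /etc/ssh/ssh_host_ed25519_key
  cp -a "./${ssh_ver}/contrib/redhat/sshd.init" /etc/init.d/sshd || return 1
  chmod u+x /etc/init.d/sshd
  cp -- "${backup_dir}/sshd_config.bak" "${cfg}" || return 1
  cp -- "${backup_dir}/sshd.bak" /etc/pam.d/sshd || return 1
  chkconfig --add sshd
  chkconfig sshd on

  # Un-comment / set the options the original script relies on.
  # NOTE(review): PermitRootLogin yes, plus re-enabling ssh-rsa (SHA-1
  # signatures) and diffie-hellman-group14-sha1 below, weaken the upgraded
  # sshd for the sake of older clients and keys; tighten once those are
  # migrated. The appended lines are added again on every run.
  sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/' "${cfg}"
  sed -i 's/#PermitRootLogin yes/PermitRootLogin yes/' "${cfg}"
  sed -i 's/#UseDNS no/UseDNS no/' "${cfg}"
  sed -i '$a\# 在行尾增加",ecdh-sha2-nistp521",以滿足ecdsa公鑰方式登錄(密鑰長度521)' "${cfg}"
  sed -i '$a\KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1' "${cfg}"
  sed -i '$a\# 增加",ssh-rsa",以滿足RSA 登錄' "${cfg}"
  sed -i '$a\HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512,ssh-rsa' "${cfg}"
  sed -i '$a\PubkeyAcceptedKeyTypes ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512,ssh-rsa' "${cfg}"

  # Validate the config with the newly installed binary (--exec-prefix=/usr
  # puts it in /usr/sbin) before restarting: a rejected sshd_config would
  # otherwise lock every remote operator out.
  /usr/sbin/sshd -t || return 1
  # The unit generated from the new init script is only visible to systemctl
  # after a daemon-reload.
  systemctl daemon-reload
  systemctl restart sshd
}

# Version string as reported by the first field of `ssh -V`; used by the
# entry point to decide whether the upgrade is needed.
UpToVersion="OpenSSH_9.8p1"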
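# NOTE: before upgrading, set up passwordless (key-based) login to another
# server, so a broken sshd on this host does not leave you without access.

#######################################
# Entry point: compare the running ssh version with UpToVersion and run the
# full upgrade chain (libs -> openssl -> sshd) when they differ.
# Globals:   UpToVersion (read)
# Outputs:   progress lines on stdout
# Returns:   0 when up to date or the upgrade succeeded, 1 on any failure
#######################################
main() {
  local cur_version
  # `ssh -V` prints e.g. "OpenSSH_7.4p1, OpenSSL 1.0.2k-fips ..." on stderr;
  # keep only the first comma-separated field.
  cur_version=$(ssh -V 2>&1 | awk -F "," '{print $1}')
  ECHO_GREEN "current ssh version is: ${cur_version}"

  if [[ "${cur_version}" == "${UpToVersion}" ]]; then
    ECHO_GREEN "no need to update"
    ECHO_GREEN "skip"
    return 0
  fi

  # Installing into /usr and removing RPMs needs root; fail before any
  # package is touched rather than half-way through.
  if (( EUID != 0 )); then
    ECHO_RED "this script must be run as root"
    return 1
  fi

  ECHO_GREEN "continue"
  ECHO_GREEN " start to update ,please wait----"
  InstallLib || { ECHO_RED "installing build dependencies failed"; return 1; }
  InstallSsl || { ECHO_RED "openssl install failed"; return 1; }
  InstallSshd || { ECHO_RED "sshd install failed"; return 1; }
  ECHO_GREEN "sshd install success!"
}

main "$@"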
升級后影響
1.升級ssh過程中需要升級openssl,可能會導致nginx等服務不可用,升級需謹慎,慎重!!
2.可能會導致sftp不可用
解決方法
[root@localhost ~]# find / -name sftp-server
/usr/libexec/sftp-server
#將sshd配置文件中 Subsystem sftp 的路徑修改為上述查找結果,例如:
[root@localhost ~]# cat /etc/ssh/sshd_config | grep Subsystem
Subsystem sftp /usr/libexec/sftp-server
3.有可能會修改環境變量,導致 /usr/local/bin下的可執行文件不可用
解決方法
#修改 /etc/profile,增加以下一行:
[root@localhost ~]# cat /etc/profile| grep export
export PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin