
Upgrading OpenSSL and OpenSSH on Linux

9 participants | 2025-03-04 | Linux

OpenSSL and OpenSSH on Linux frequently have to be upgraded in response to published vulnerabilities.

This article uses Ubuntu 22.04 as the example system and upgrades OpenSSL first, then OpenSSH.

I. Upgrading OpenSSL

1. Download the latest OpenSSL from the official site

wget https://www.openssl.org/source/openssl-3.0.15.tar.gz

If the download stalls for network reasons, visit the official site directly and download the latest version:

https://www.openssl.org/source/

root@localhost:~# wget https://www.openssl.org/source/openssl-3.0.15.tar.gz
--2024-07-19 07:31:28--  https://www.openssl.org/source/openssl-3.0.15.tar.gz
resolving www.openssl.org (www.openssl.org)... 34.36.58.177, 2600:1901:0:1812::
connecting to www.openssl.org (www.openssl.org)|34.36.58.177|:443... connected.
http request sent, awaiting response... 301 moved permanently
location: https://github.com:443/openssl/openssl/releases/download/openssl-3.0.15/openssl-3.0.15.tar.gz [following]
--2024-07-19 07:31:29--  https://objects.githubusercontent.com/github-production-release-asset-2e65be/7634677/6ac36897-7f0a-4dc5-8d1c-3d8b0eab4f5d?x-amz-algorithm=aws4-hmac-sha256&x-amz-credential=releaseassetproduction%2f20240719%2fus-east-1%2fs3%2faws4_request&x-amz-date=20240719t073129z&x-amz-expires=300&x-amz-signature=658f52e12bd883cbda4f7abcbac2508a5642bccc70baf8d159b4e39a31623702&x-amz-signedheaders=host&actor_id=0&key_id=0&repo_id=7634677&response-content-disposition=attachment%3b%20filename%3dopenssl-3.0.15.tar.gz&response-content-type=application%2foctet-stream
resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.111.133, 185.199.108.133, 185.199.109.133
connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.111.133|:443... connected.
http request sent, awaiting response... 200 ok
length: 15305497 (15m) [application/octet-stream]
saving to: ‘openssl-3.0.15.tar.gz’

openssl-3.0.15.tar.gz                  100%[===========================================================================>]  14.60m  81.0kb/s    in 4m 17s  

2024-07-19 07:35:48 (58.1 kb/s) - ‘openssl-3.0.15.tar.gz’ saved [15305497/15305497]
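Before a downloaded tarball is unpacked and built as root, its checksum should be compared against the digest the project publishes alongside the release (OpenSSL ships a matching .sha256 file; fetch it over HTTPS from the official site, not from a third-party mirror). The following is an added example, not code from the original post; it assumes GNU coreutils (sha256sum) and wget, and the digest placeholder must be replaced with the real published value:

```shell
#!/bin/sh
# Added example (not from the original post): verify a downloaded source
# tarball against a SHA-256 digest before it is unpacked.
# Assumes GNU coreutils sha256sum; the expected digest comes from the
# project's own .sha256 file or release notes, never from a blog post.

# verify_sha256 FILE EXPECTED_HEX
# Returns 0 when FILE's SHA-256 equals EXPECTED_HEX (case-insensitive),
# 1 when the file is missing or the digest differs.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"
        return 0
    fi
    echo "MISMATCH: $file" >&2
    echo "  expected $expected" >&2
    echo "  actual   $actual" >&2
    return 1
}

# fetch_and_verify URL EXPECTED_HEX
# Downloads URL and deletes the file again on a digest mismatch, so a
# truncated or tampered archive never reaches the tar/configure/make steps.
fetch_and_verify() {
    url=$1
    expected=$2
    name=${url##*/}
    wget -q "$url" -O "$name" || return 1
    if ! verify_sha256 "$name" "$expected"; then
        rm -f "$name"
        return 1
    fi
}

# Usage for the tarball from this post (digest is a placeholder; take the real
# value from openssl-3.0.15.tar.gz.sha256 on the official site):
# fetch_and_verify https://www.openssl.org/source/openssl-3.0.15.tar.gz EXPECTED_SHA256_HERE
```

The same check applies to the OpenSSH tarball later in this post; OpenSSH publishes a detached .asc signature rather than a plain digest, so there the equivalent step is a signature check with the OpenSSH release key.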

2. Install the build toolchain

apt-get install -y build-essential
root@localhost:/opt/openssl-3.0.15# apt-get install -y build-essential
reading package lists... done
building dependency tree... done
reading state information... done
the following additional packages will be installed:
  bzip2 cpp cpp-11 dpkg-dev fakeroot fontconfig-config fonts-dejavu-core g++ g++-11 gcc gcc-11 gcc-11-base libalgorithm-diff-perl
  libalgorithm-diff-xs-perl libalgorithm-merge-perl libasan6 libatomic1 libc-dev-bin libc-devtools libc6-dev libcc1-0 libcrypt-dev libdeflate0
  libdpkg-perl libfakeroot libfile-fcntllock-perl libfontconfig1 libgcc-11-dev libgd3 libgomp1 libisl23 libitm1 libjbig0 libjpeg-turbo8 libjpeg8 liblsan0
  libmpc3 libnsl-dev libquadmath0 libstdc++-11-dev libtiff5 libtirpc-dev libtsan0 libubsan1 libwebp7 libxpm4 linux-libc-dev lto-disabled-list make
  manpages-dev rpcsvc-proto
suggested packages:
  bzip2-doc cpp-doc gcc-11-locales debian-keyring g++-multilib g++-11-multilib gcc-11-doc gcc-multilib autoconf automake libtool flex bison gdb gcc-doc
  gcc-11-multilib glibc-doc bzr libgd-tools libstdc++-11-doc make-doc

If the system is CentOS, run this instead:

yum install perl-ipc-cmd perl-data-dumper gcc gcc-c++ perl perl-devel -y

3. Unpack and build

tar -xf openssl-3.0.15.tar.gz -C /opt/

Change into the source directory:

cd /opt/openssl-3.0.15

Configure the build with the OpenSSL install prefix:

./config --prefix=/usr/local/openssl
root@localhost:~# tar -xf openssl-3.0.15.tar.gz -C /opt/
root@localhost:~# cd /opt/openssl-3.0.15/
root@localhost:/opt/openssl-3.0.15# ./config --prefix=/usr/local/openssl
configuring openssl version 3.0.15 for target linux-x86_64
using os-specific seed configuration
created configdata.pm
running configdata.pm
created makefile.in
created makefile
created include/openssl/configuration.h

**********************************************************************
***                                                                ***
***   openssl has been successfully configured                     ***
***                                                                ***
***   if you encounter a problem while building, please open an    ***
***   issue on github <https://github.com/openssl/openssl/issues>  ***
***   and include the output from the following command:           ***
***                                                                ***
***       perl configdata.pm --dump                                ***
***                                                                ***
***   (if you are new to openssl, you might want to consult the    ***
***   'troubleshooting' section in the install.md file first)      ***
***                                                                ***
**********************************************************************

Build and install:

make && make install
root@localhost:/opt/openssl-3.0.15# make && make install
/usr/bin/perl "-i." -mconfigdata "util/dofile.pl" "-omakefile" include/crypto/bn_conf.h.in > include/crypto/bn_conf.h
/usr/bin/perl "-i." -mconfigdata "util/dofile.pl" "-omakefile" include/crypto/dso_conf.h.in > include/crypto/dso_conf.h
/usr/bin/perl "-i." -mconfigdata "util/dofile.pl" "-omakefile" include/openssl/asn1.h.in > include/openssl/asn1.h
/usr/bin/perl "-i." -mconfigdata "util/dofile.pl" "-omakefile" include/openssl/asn1t.h.in > include/openssl/asn1t.h
/usr/bin/perl "-i." -mconfigdata "util/dofile.pl" "-omakefile" include/openssl/bio.h.in > include/openssl/bio.h
/usr/bin/perl "-i." -mconfigdata "util/dofile.pl" "-omakefile" include/openssl/cmp.h.in > include/openssl/cmp.h

4. Back up and replace openssl

Back up the existing openssl binary:

mv /usr/bin/openssl /usr/bin/openssl_bak

Copy the new openssl binary into /usr/bin/:

cp /usr/local/openssl/bin/openssl /usr/bin/

Register the new shared-library directory with the dynamic linker:

echo '/usr/local/openssl/lib64/' >> /etc/ld.so.conf

Refresh the dynamic linker cache:

ldconfig
root@localhost:/opt/openssl-3.0.15# mv /usr/bin/openssl /usr/bin/openssl_bak
root@localhost:/opt/openssl-3.0.15# cp /usr/local/openssl/bin/openssl  /usr/bin/
root@localhost:/opt/openssl-3.0.15# echo "/usr/local/openssl/lib64/" >> /etc/ld.so.conf
root@localhost:/opt/openssl-3.0.15# ldconfig

5. Verify

openssl version
root@localhost:/usr/local/openssl/lib64# openssl version
OpenSSL 3.0.15 3 Sep 2024 (Library: OpenSSL 3.0.15 3 Sep 2024)

If the following error appears instead:

root@localhost:/opt/openssl-3.0.15# openssl version
openssl: /lib/x86_64-linux-gnu/libcrypto.so.3: version `OPENSSL_3.0.9' not found (required by openssl)

the new binary is still resolving the distribution's older libcrypto.so.3. Back up that file, then copy lib64/libcrypto.so.3 from the install prefix to /lib/x86_64-linux-gnu/:

root@localhost:/opt/openssl-3.0.15# cd /usr/local/openssl/lib64/
root@localhost:/usr/local/openssl/lib64# ll
total 16636
drwxr-xr-x 5 root root    4096 jul 19 07:49 ./
drwxr-xr-x 7 root root    4096 jul 19 07:50 ../
drwxr-xr-x 2 root root    4096 jul 19 07:49 engines-3/
-rw-r--r-- 1 root root 9541222 jul 19 07:49 libcrypto.a
lrwxrwxrwx 1 root root      14 jul 19 07:49 libcrypto.so -> libcrypto.so.3*
-rwxr-xr-x 1 root root 5383824 jul 19 07:49 libcrypto.so.3*
-rw-r--r-- 1 root root 1268762 jul 19 07:49 libssl.a
lrwxrwxrwx 1 root root      11 jul 19 07:49 libssl.so -> libssl.so.3*
-rwxr-xr-x 1 root root  813928 jul 19 07:49 libssl.so.3*
drwxr-xr-x 2 root root    4096 jul 19 07:49 ossl-modules/
drwxr-xr-x 2 root root    4096 jul 19 07:49 pkgconfig/

root@localhost:/usr/local/openssl/lib64# mv /lib/x86_64-linux-gnu/libcrypto.so.3 /root/
root@localhost:/usr/local/openssl/lib64# cp libcrypto.so.3 /lib/x86_64-linux-gnu/
root@localhost:/usr/local/openssl/lib64# openssl version
OpenSSL 3.0.15 3 Sep 2024 (Library: OpenSSL 3.0.15 3 Sep 2024)
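The error above appears because the distribution's directories come first in the ld.so cache, so /usr/bin/openssl loads the packaged libcrypto.so.3 rather than the one under /usr/local/openssl. Overwriting the packaged file fixes the symptom but changes the library for every program on the host, and the next apt upgrade of the owning package (libssl3 on Ubuntu 22.04) puts the old file back. The following added example, not code from the original post, shows which libcrypto a binary really resolves and whether that file is package-managed, so the decision is made with the facts in front of you; it assumes glibc's ldd, GNU readlink, and dpkg where present:

```shell
#!/bin/sh
# Added example (not from the original post): report which libcrypto.so.3 a
# binary actually loads and whether that file belongs to a distro package.
# Assumes Linux with ldd (glibc) and GNU coreutils; dpkg is optional.

# resolved_lib_from_ldd LIBNAME  (ldd output on stdin)
# Prints the path ldd resolved LIBNAME to, "not found" when the loader
# cannot locate it, or nothing when the binary does not link it at all.
resolved_lib_from_ldd() {
    awk -v lib="$1" '
        $1 == lib && $2 == "=>" {
            if ($3 == "not") print "not found"; else print $3
            exit
        }'
}

# libcrypto_of BINARY: the libcrypto.so.3 BINARY loads under the current
# ld.so configuration (what "openssl version" runs against).
libcrypto_of() {
    ldd "$1" 2>/dev/null | resolved_lib_from_ldd libcrypto.so.3
}

# owning_package PATH: dpkg package shipping PATH, or "unpackaged".
owning_package() {
    real=$(readlink -f "$1" 2>/dev/null || printf '%s' "$1")
    if command -v dpkg >/dev/null 2>&1 && pkg=$(dpkg -S "$real" 2>/dev/null); then
        printf '%s\n' "${pkg%%:*}"
    else
        echo unpackaged
    fi
}

# report BINARY: one-line summary to read before touching a system library.
report() {
    lib=$(libcrypto_of "$1")
    case $lib in
        "") echo "$1: does not link libcrypto.so.3 (static, or not an ELF binary)" ;;
        "not found") echo "$1: libcrypto.so.3 not found; check /etc/ld.so.conf and run ldconfig" ;;
        /usr/local/openssl/*) echo "$1: uses the freshly built $lib" ;;
        *) echo "$1: uses $lib (owned by: $(owning_package "$lib"))" ;;
    esac
}

# Usage on the binaries this post replaces:
# report /usr/bin/openssl
# report /usr/sbin/sshd
```

If the report shows the packaged library, an alternative to overwriting it is to leave the system libcrypto alone and run the new binary with its own library directory first, for example via a wrapper that sets LD_LIBRARY_PATH=/usr/local/openssl/lib64; whichever route is taken, the report should be re-run after every apt upgrade of libssl3.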

II. Upgrading OpenSSH

1. Download the latest OpenSSH

wget https://cdn.openbsd.org/pub/openbsd/openssh/portable/openssh-9.9p1.tar.gz

If the download stalls for network reasons, browse to https://cdn.openbsd.org/pub/openbsd/openssh/portable directly and download the latest version.

2. Install the required dependencies

apt-get install -y zlib1g-dev libpam0g-dev
root@localhost:~#  apt-get install -y  zlib1g-dev libpam0g-dev
reading package lists... done
building dependency tree... done
reading state information... done
the following new packages will be installed:
  libpam0g-dev zlib1g-dev
0 upgraded, 2 newly installed, 0 to remove and 67 not upgraded.
need to get 281 kb of archives.
after this operation, 1,010 kb of additional disk space will be used.
get:1 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 libpam0g-dev amd64 1.4.0-11ubuntu2.4 [117 kb]
get:2 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 zlib1g-dev amd64 1:1.2.11.dfsg-2ubuntu9.2 [164 kb]
fetched 281 kb in 2s (142 kb/s)

If the system is CentOS, run this instead:

yum install zlib-devel pam-devel -y

3. Unpack and build

tar xf openssh-9.9p1.tar.gz -C /opt/
cd /opt/openssh-9.9p1

Configure the install prefix, pointing --with-ssl-dir at the OpenSSL just installed (check the end of configure's output for an "unrecognized options" warning before building, since configure ignores any --with flag this version does not know):

./configure --prefix=/usr/local/openssh \
  --with-ssl-dir=/usr/local/openssl --sysconfdir=/etc/ssh --with-pam --with-gssapi --with-rsa --with-rhosts-allowed --with-zlib --with-md5-passwords

Compile and install:

make && make install

4. Check the version of the newly installed binary

/usr/local/openssh/bin/ssh -v
root@localhost:/usr/local/openssh# ./bin/ssh -v
OpenSSH_9.9p1, OpenSSL 3.0.15 3 Sep 2024

5. Back up and replace the relevant files

mv /usr/sbin/sshd /usr/sbin/sshd_bak
mv /usr/bin/ssh /usr/bin/ssh_bak
mv /usr/bin/ssh-keygen /usr/bin/ssh-keygen_bak
cp -rf /usr/local/openssh/sbin/sshd /usr/sbin/sshd
cp -rf /usr/local/openssh/bin/ssh /usr/bin/ssh
cp -rf /usr/local/openssh/bin/ssh-keygen /usr/bin/ssh-keygen

6. Restart the SSH service

systemctl restart sshd
root@localhost:/usr/local/openssh# systemctl restart sshd.service 
root@localhost:/usr/local/openssh# ssh -v
OpenSSH_9.9p1, OpenSSL 3.0.15 3 Sep 2024

Query the service status:

systemctl status sshd.service

The status output shows that the host key file permissions are too permissive:

Permissions 0640 for '/etc/ssh/*****.key' are too open.

Run chmod -R 600 /etc/ssh to tighten the permissions, then restart the SSH service:

systemctl restart sshd
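A recursive chmod -R 600 /etc/ssh does more than sshd asked for: it also removes the execute bit from the /etc/ssh directory and read access from the public keys and ssh_config for non-root users, which breaks ordinary users' ssh clients. sshd only rejects private host keys that are group- or world-accessible. The following added example, not code from the original post, applies the fix only to the private host keys, checks the configuration with the new sshd binary before the restart, and leaves the running daemon untouched if that check fails; it assumes GNU stat/chmod, host keys named ssh_host_*_key under /etc/ssh, and sshd at /usr/sbin/sshd:

```shell
#!/bin/sh
# Added example (not from the original post): tighten only the private host
# keys, then validate sshd_config before restarting the daemon.
# Assumes GNU coreutils (stat -c), keys named ssh_host_*_key, and that the
# new sshd is already installed at /usr/sbin/sshd.

# too_open MODE: returns 0 if an octal mode grants any group/other access.
# This is the condition behind "Permissions 0640 ... are too open".
too_open() {
    case $1 in
        *[1-7][0-7]|*[0-7][1-7]) return 0 ;;
        *) return 1 ;;
    esac
}

# count_open_hostkeys DIR: prints how many private host keys are too open.
count_open_hostkeys() {
    dir=${1:-/etc/ssh}
    n=0
    for key in "$dir"/ssh_host_*_key; do
        [ -f "$key" ] || continue
        too_open "$(stat -c '%a' "$key")" && n=$((n + 1))
    done
    echo "$n"
}

# fix_hostkey_perms DIR: chmod 600 only the private keys that need it.
# Public keys, sshd_config and the directory itself are left readable.
fix_hostkey_perms() {
    dir=${1:-/etc/ssh}
    for key in "$dir"/ssh_host_*_key; do
        [ -f "$key" ] || continue
        mode=$(stat -c '%a' "$key")
        if too_open "$mode"; then
            chmod 600 "$key"
            echo "fixed $key ($mode -> 600)"
        fi
    done
    return 0
}

# safe_restart: fix key permissions, test the config with the new binary,
# and only then restart. Keep an existing SSH session open until a fresh
# login against the restarted daemon has succeeded.
safe_restart() {
    fix_hostkey_perms /etc/ssh
    if /usr/sbin/sshd -t -f /etc/ssh/sshd_config; then
        systemctl restart sshd
    else
        echo "sshd -t failed; the running sshd was left untouched" >&2
        return 1
    fi
}

# Usage: safe_restart
```

sshd -t parses the configuration and loads the host keys without binding to a port, so it reports both syntax errors and the too-open key error before the restart rather than after the old daemon has already stopped.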

Summary

The above is based on my own experience; I hope it serves as a useful reference, and I hope everyone continues to support 代码网.
