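Vulnerabilities addressed include, but are not limited to, the following:
1. OpenSSH < 9.1: multiple security vulnerabilities
2. OpenSSH resource management error vulnerability
OpenSSH command injection vulnerability
OpenSSH user enumeration vulnerability (CNVD-2018-20962) (CVE-2018-15919)
OpenSSH design flaw (CVE-2017-15906)
OpenSSH < 7.5
OpenSSH sshd denial-of-service vulnerability (CVE-2016-10708)
OpenSSH security vulnerability (CVE-2021-41617)
OpenSSH security vulnerability (CVE-2018-15473)
Upgrade tutorial
1. Check the system version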
cat /etc/redhat-release
2. Check the OpenSSH version
[root@localhost ~]# rpm -qa|grep openssh
openssh-server-7.4p1-11.el7.x86_64
openssh-7.4p1-11.el7.x86_64
openssh-clients-7.4p1-11.el7.x86_64
[root@localhost ~]# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
3. Download and extract x86_64_centos7, and place the following RPM packages on the server
openssh-9.4p1-.el7.centos.x86_64.rpm
openssh-clients-9.4p1-.el7.centos.x86_64.rpm
openssh-server-9.4p1-.el7.centos.x86_64.rpm
Link: https://pan.baidu.com/s/1rSOW-45XakkJ4sykAm_htw?pwd=l2eo
Extraction code: l2eo
OpenSSH 9.8 download
Link: https://pan.baidu.com/s/14jQEudvEWWHs3bEQKO6UPQ?pwd=hxzr
Extraction code: hxzr
4. Locate the RPM packages
[root@localhost ~]# cd x86_64_centos7/
[root@localhost x86_64_centos7]# ls
openssh-9.4p1-.el7.centos.x86_64.rpm
openssh-clients-9.4p1-.el7.centos.x86_64.rpm
openssh-server-9.4p1-.el7.centos.x86_64.rpm
4. Upgrade
[root@localhost x86_64_centos7]# rpm -Uvh openssh-*.rpm
准备中... ################################# [100%]
正在升级/安装...
1:openssh-9.4p1-.el7.centos ################################# [ 17%]
2:openssh-clients-9.4p1-.el7.centos################################# [ 33%]
3:openssh-server-9.4p1-.el7.centos ################################# [ 50%]
正在清理/删除...
4:openssh-server-7.4p1-11.el7 ################################# [ 67%]
5:openssh-clients-7.4p1-11.el7 ################################# [ 83%]
6:openssh-7.4p1-11.el7 ################################# [100%]
5. Set permissions on the host key files
[root@localhost x86_64_centos7]# chmod 0600 /etc/ssh/ssh_host_ecdsa_key
[root@localhost x86_64_centos7]# chmod 0600 /etc/ssh/ssh_host_ed25519_key
[root@localhost x86_64_centos7]# chmod 0600 /etc/ssh/ssh_host_rsa_key
6. Generate the authentication key
[root@localhost x86_64_centos7]# ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key
Generating public/private dsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /etc/ssh/ssh_host_dsa_key
Your public key has been saved in /etc/ssh/ssh_host_dsa_key.pub
The key fingerprint is:
SHA256:oTifK9SP39fklmbMZKpDTzmb9HJee7CrQ+NI35qsYlY root@localhost.localdomain
The key's randomart image is:
+---[DSA 1024]----+
| |
| |
| . |
| . . . |
| o.. S . |
| .o.. E B = |
| . oo + O ^ +.|
| . ..=.o.@.#.o|
| ..+..+==@oo.|
+----[SHA256]-----+
7. Restart ssh
systemctl restart sshd
8. Check the version
ssh -V
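Note: check whether the SSH configuration was replaced. I have run into a case where it was replaced and the root account could no longer log in, because the default configuration does not allow root to log in over SSH, so take a look.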
vi /etc/ssh/sshd_config
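The note above warns that the upgrade can replace sshd_config and leave root unable to log in. As an added example (not part of the original post), this script compares the effective global PermitRootLogin value of the file now in place with a saved copy, so the difference shows up before sshd is restarted. The script name, function names and the file paths passed to it are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: compare PermitRootLogin before and after the package upgrade.
# File paths are supplied by the caller; nothing here comes from the RPMs.

# Print the effective global PermitRootLogin value of an sshd_config file.
# sshd keeps the first occurrence of a keyword, and keywords are
# case-insensitive. Parsing stops at the first Match block because settings
# below it are conditional. If the keyword is absent, OpenSSH 7.0 and later
# default to prohibit-password.
effective_root_login() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
        { sub(/=/, " "); key = tolower($1) }     # accept "Keyword=value" too
        key == "match" { exit }
        key == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "prohibit-password" }
    ' "$1"
}

# Compare the file now in place with a saved copy (a backup taken before the
# upgrade, or the .rpmsave file rpm writes when it replaces a modified config).
# Returns 0 when the effective value is unchanged, 1 when it differs.
check_upgrade() {
    local current="$1" previous="$2" now before
    now=$(effective_root_login "$current")
    before=$(effective_root_login "$previous")
    if [ "$now" = "$before" ]; then
        echo "OK: PermitRootLogin unchanged ($now)"
        return 0
    fi
    echo "WARN: PermitRootLogin changed from '$before' to '$now'"
    [ "$now" = "yes" ] || echo "WARN: root password login over SSH will be refused"
    return 1
}

# Usage: ./check_root_login.sh /etc/ssh/sshd_config /path/to/saved/sshd_config
if [ "$#" -eq 2 ]; then
    check_upgrade "$1" "$2"
fi
```

On the server, `sshd -t` additionally validates the whole file, and keeping the current SSH session open until a new login succeeds avoids being locked out by the restart in step 7.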