记录日常工作关于系统运维,虚拟化云计算,数据库,网络安全等各方面问题。
 
0

Linux安装升级OpenSSH-8.0p1最新版应对BUG漏洞扫瞄
发表者:admin分类:Devops2019-04-25 20:39:49 阅读[2283]

OpenSSH-8.0p1

Introduction to OpenSSH

The OpenSSH package contains ssh clients and the sshd daemon. This is useful for encrypting authentication and subsequent traffic over a network. The ssh and scp commands are secure implementations of telnet and rcp respectively.

This package is known to build and work properly using an LFS-8.4 platform.

Package Information

OpenSSH Dependencies

Optional

GDB-8.2.1 (for tests), Linux-PAM-1.3.1, X Window System, MIT Kerberos V5-1.17, libedit, LibreSSL Portable, OpenSC, and libsectok

Optional Runtime (Used only to gather entropy)

OpenJDK-11.0.2, Net-tools-CVS_20101030, and Sysstat-12.1.4

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/OpenSSH

Installation of OpenSSH

OpenSSH runs as two processes when connecting to other computers. The first process is a privileged process and controls the issuance of privileges as necessary. The second process communicates with the network. Additional installation steps are necessary to set up the proper environment, which are performed by issuing the following commands as the root user: 

install  -v -m700 -d /var/lib/sshd &&
chown    -v root:sys /var/lib/sshd &&

groupadd -g 50 sshd        &&
useradd  -c 'sshd PrivSep' \
         -d /var/lib/sshd  \
         -g sshd           \
         -s /bin/false     \
         -u 50 sshd

Install OpenSSH by running the following commands: 

./configure --prefix=/usr                     \
            --sysconfdir=/etc/ssh             \
            --with-md5-passwords              \
            --with-privsep-path=/var/lib/sshd &&
make

The testsuite requires an installed copy of scp to complete the multiplexing tests. To run the test suite, first copy the scp program to /usr/bin, making sure that you backup any existing copy first.

To test the results, issue: make tests.

Now, as the root user: 

make install &&
install -v -m755    contrib/ssh-copy-id /usr/bin     &&

install -v -m644    contrib/ssh-copy-id.1 \
                    /usr/share/man/man1              &&
install -v -m755 -d /usr/share/doc/openssh-8.0p1     &&
install -v -m644    INSTALL LICENCE OVERVIEW README* \
                    /usr/share/doc/openssh-8.0p1

Command Explanations

--sysconfdir=/etc/ssh: This prevents the configuration files from being installed in /usr/etc.

--with-md5-passwords: This enables the use of MD5 passwords.

--with-pam: This parameter enables Linux-PAM support in the build.

--with-xauth=/usr/bin/xauth: Set the default location for the xauth binary for X authentication. Change the location if xauth will be installed to a different path. This can also be controlled from sshd_config with the XAuthLocation keyword. You can omit this switch if Xorg is already installed.

--with-kerberos5=/usr: This option is used to include Kerberos 5 support in the build.

--with-libedit: This option enables line editing and history features for sftp.

Configuring OpenSSH

Config Files

~/.ssh/*, /etc/ssh/ssh_config, and /etc/ssh/sshd_config

There are no required changes to any of these files. However, you may wish to view the /etc/ssh/ files and make any changes appropriate for the security of your system. One recommended change is that you disable root login via ssh. Execute the following command as the root user to disable root login via ssh: 

echo "PermitRootLogin no" >> /etc/ssh/sshd_config

If you want to be able to log in without typing in your password, first create ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub with ssh-keygen and then copy ~/.ssh/id_rsa.pub to ~/.ssh/authorized_keys on the remote computer that you want to log into. You'll need to change REMOTE_USERNAME and REMOTE_HOSTNAME for the username and hostname of the remote computer and you'll also need to enter your password for the ssh-copy-id command to succeed: 

ssh-keygen &&
ssh-copy-id -i ~/.ssh/id_rsa.pub REMOTE_USERNAME@REMOTE_HOSTNAME

Once you've got passwordless logins working it's actually more secure than logging in with a password (as the private key is much longer than most people's passwords). If you would like to now disable password logins, as the root user: 

echo "PasswordAuthentication no" >> /etc/ssh/sshd_config &&
echo "ChallengeResponseAuthentication no" >> /etc/ssh/sshd_config

If you added Linux-PAM support and you want ssh to use it then you will need to add a configuration file for sshd and enable use of LinuxPAM. Note, ssh only uses PAM to check passwords, if you've disabled password logins these commands are not needed. If you want to use PAM, issue the following commands as the root user: 

sed 's@d/login@d/sshd@g' /etc/pam.d/login > /etc/pam.d/sshd &&
chmod 644 /etc/pam.d/sshd &&
echo "UsePAM yes" >> /etc/ssh/sshd_config

Additional configuration information can be found in the man pages for sshd, ssh and ssh-agent.

Boot Script

To start the SSH server at system boot, install the /etc/rc.d/init.d/sshd init script included in the blfs-bootscripts-20190313 package. 

make install-sshd

Contents

Installed Programs: scp, sftp, slogin (symlink to ssh), ssh, ssh-add, ssh-agent, ssh-copy-id, ssh-keygen, ssh-keyscan, and sshd
Installed Libraries: None
Installed Directories: /etc/ssh, /usr/share/doc/openssh-8.0p1, and /var/lib/sshd

Short Descriptions

scp

is a file copy program that acts like rcp except it uses an encrypted protocol.

sftp

is an FTP-like program that works over the SSH1 and SSH2 protocols.

slogin

is a symlink to ssh.

ssh

is an rlogin/rsh-like client program except it uses an encrypted protocol.

sshd

is a daemon that listens for ssh login requests.

ssh-add

is a tool which adds keys to the ssh-agent.

ssh-agent

is an authentication agent that can store private keys.

ssh-copy-id

is a script that enables logins on remote machine using local keys.

ssh-keygen

is a key generation tool.

ssh-keyscan

is a utility for gathering public host keys from a number of hosts.

Last updated on 2019-04-21 10:18:51 -0500



Centos6.10 删旧软件,再安装新版本软件。

rpm -e `rpm -qa | grep openssh` --nodeps

 119  tar zxvf openssh-8.0p1.tar.gz
  120  cd openssh-8.0p1
  121  install  -v -m700 -d /var/lib/sshd && chown   -v root:sys /var/lib/sshd && groupadd -g 50 sshd    && useradd  -c 'sshd PrivSep'     -d /var/lib/sshd      -g sshd     -s /bin/false    -u 50 sshd
  122  ./configure --prefix=/usr   --sysconfdir=/etc/ssh  --with-md5-passwords   --with-pam --with-privsep-path=/var/lib/sshd
  123  make
  125  make install && install -v -m755   contrib/ssh-copy-id /usr/bin   && install -v -m644    contrib/ssh-copy-id.1    /usr/share/man/man1   && install -v -m755 -d /usr/share/doc/openssh-8.0p1   && install -v -m644    INSTALL LICENCE OVERVIEW README*     /usr/share/doc/openssh-8.0p1
  126  cp contrib/redhat/sshd.init /etc/init.d/sshd
  127  chmod o+x /etc/init.d/sshd
  128  cp contrib/redhat/sshd.pam /etc/pam.d/sshd
  129  chmod 644 /etc/pam.d/sshd

修改SSH配置文件,打开PAM功能。

  130  vi /etc/ssh/sshd_config
  131  chkconfig sshd on
  132  service sshd start
  133  service sshd restart

注意配置好后,重启系统。

如果远程ssh无法登陆账号,那么使用以下的sshd 相关PAM配置信息:

[root@lnmp ~]# cat /etc/pam.d/sshd
#%PAM-1.0
auth       required     pam_sepermit.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth



转载请标明出处【Linux安装升级OpenSSH-8.0p1最新版应对BUG漏洞扫瞄】。

《www.micoder.cc》 虚拟化云计算,系统运维,安全技术服务.

Tags: [阅读全文...]
网站已经关闭评论