| CVE ID | Affected versions |
| --- | --- |
| CVE-2023-38408 | OpenSSH < 9.3p2 |
| CVE-2024-6387 | 8.5p1 <= OpenSSH < 9.8p1 |

Because of the two vulnerabilities above, and the impact of CVE-2024-6387 in particular, OpenSSH on the server was upgraded to 9.8p1.

1. Install the required dependencies

```bash
sudo yum groupinstall "Development Tools"
sudo yum install zlib-devel openssl-devel pam-devel krb5-devel
```

2. Download and install the minimum required version of OpenSSL

```bash
# Download the OpenSSL source code
wget https://www.openssl.org/source/openssl-1.1.1u.tar.gz
tar -xzf openssl-1.1.1u.tar.gz
cd openssl-1.1.1u

# Build and install OpenSSL
./config --prefix=/usr/local/openssl --openssldir=/usr/local/openssl shared zlib
make
sudo make install
```

3. Set the environment variables and library path

```bash
# Update the library path
sudo sh -c "echo '/usr/local/openssl/lib' > /etc/ld.so.conf.d/openssl-1.1.1u.conf"
sudo ldconfig

# Set the environment variables
# Edit the .bashrc or .profile file:
vim ~/.bashrc

# Add the following lines:
export PATH=/usr/local/openssl/bin:$PATH
export LD_LIBRARY_PATH=/usr/local/openssl/lib:$LD_LIBRARY_PATH
export PKG_CONFIG_PATH=/usr/local/openssl/lib/pkgconfig:$PKG_CONFIG_PATH

# Apply the changes:
source ~/.bashrc
```

4. Download and extract the OpenSSH source code

```bash
wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.8p1.tar.gz
tar -xzf openssh-9.8p1.tar.gz
cd openssh-9.8p1
```

5. Configure, build and install OpenSSH

```bash
# Build against the OpenSSL installed under /usr/local/openssl in step 2
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-privsep-path=/var/lib/sshd --with-pam --with-ssl-dir=/usr/local/openssl --with-kerberos5

# If your OpenSSL version is newer than 1.1.1u, you can run this command instead of the one above:
# ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-privsep-path=/var/lib/sshd --with-pam --with-kerberos5

make
sudo make install
```

6. Restart the SSH service and verify the installation

```bash
# On yum-based systems the service unit is named sshd
sudo systemctl restart sshd
ssh -V
sshd -V
```
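
To confirm that the version reported in step 6 falls outside both ranges in the table at the top, the following added example (not part of the original post) parses an `ssh -V` / `sshd -V` banner and compares it with those two ranges. The function names `ssh_ver_key` and `ssh_cve_check` and the integer encoding are assumptions made for this illustration.

```bash
#!/bin/sh
# Added example: map an OpenSSH version banner to the two CVE ranges in the table.

# Convert "OpenSSH_9.8p1, OpenSSL ..." (or a bare "9.8p1") to a sortable integer:
# major*10000 + minor*100 + portable patch level. Returns 1 if it cannot be parsed.
ssh_ver_key() {
    v=${1#OpenSSH_}            # drop the banner prefix
    v=${v%%[, ]*}              # drop everything after the version token
    case $v in *.*) ;; *) return 1 ;; esac
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%p*}
    case $rest in *p*) patch=${rest#*p} ;; *) patch=0 ;; esac
    case "$major" in ''|*[!0-9]*) return 1 ;; esac
    case "$minor" in ''|*[!0-9]*) return 1 ;; esac
    case "$patch" in ''|*[!0-9]*) return 1 ;; esac
    echo $(( major * 10000 + minor * 100 + patch ))
}

# Print which of the two CVEs from the table cover the given version.
# Exit status: 0 = not affected, 1 = affected, 2 = banner could not be parsed.
ssh_cve_check() {
    k=$(ssh_ver_key "$1") || { echo "unparsed: $1"; return 2; }
    hits=""
    # CVE-2023-38408: OpenSSH < 9.3p2
    if [ "$k" -lt 90302 ]; then hits="$hits CVE-2023-38408"; fi
    # CVE-2024-6387: 8.5p1 <= OpenSSH < 9.8p1
    if [ "$k" -ge 80501 ] && [ "$k" -lt 90801 ]; then hits="$hits CVE-2024-6387"; fi
    if [ -n "$hits" ]; then echo "affected:$hits"; return 1; fi
    echo "not affected"
}

# Constructed sample banners (not captured from a real host).
ssh_cve_check "OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017" || true
ssh_cve_check "OpenSSH_9.8p1, OpenSSL 1.1.1u  30 May 2023" || true

# Check the local client when one is installed (ssh -V prints to stderr).
if command -v ssh >/dev/null 2>&1; then
    ssh_cve_check "$(ssh -V 2>&1)" || true
fi
```

The comparison uses the upstream version number only, which matches a source build like the one on this page; distribution packages that backport fixes keep an older version string and need to be checked against the vendor advisory instead.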