澳门新萄京官方网站-www.8455.com-澳门新萄京赌场网址

本子晋级openssh,RedHat安装OpenSSH和配备sftp锁定目

2019-11-16 作者:澳门新萄京官方网站   |   浏览(189)

1.下载最新的openssh包

操作系统:
 [root@station28 ~]# cat /etc/issue.net
 Red Hat Enterprise Linux Server release 5.4 (Tikanga)
 Kernel r on an m
 [root@station28 ~]# uname -a
 Linux station28.example.com 2.6.18-164.el5 #1 SMP Tue Aug 18 15:51:48 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux
 
在配置sftp时,需要chroot特定的目录,则openssh的版本需不低于5.1,我这下载的是openssh 6.1版本的源码包,需要进行编译,
 则需要安装gcc,同时需要安装openssl-devel-0.9.8e-12.el5
 openssh-6.1p1下载地址:或者进入官网下载
 ftp://ftp.openbsd.org.ar/pub/OpenBSD/OpenSSH/portable/openssh-6.1p1.tar.gz
 若不安装openssl-devel,则报如下错误:
 [root@station28 openssh-6.1p1]#./configure --prefix=/usr/local/ssh --sysconfdir=/etc/ssh  --with-zlib --with-ssl-dir=/usr/local/ssl--with-md5-passwords --mandir=/usr/share/man
 checking for openssl/opensslv.h... no
 configure: error: *** OpenSSL headers missing - please install first or check config.log ***
 
1、配置yum,安装gcc,openssl-devel-0.9.8e-12.el5,和telnet(当ssh不能用的时候,用于连接服务器)
 [root@station28 ~]# cat /etc/yum.repos.d/base.repo
 [base]
 baseurl=file:///mnt/Server
 gpgcheck=0
 [root@station28 ~]# yum -y install "gcc*"
 [root@station28 ~]# yum -y install "openssl-devel-0.9.8e-12.el5"
 [root@station28 openssh-6.1p1]# yum -y install "telnet-server*"
 
卸载openssh,观察openssh的各个包包含的内容:
 [root@station28 ~]# cd /etc/ssh
 [root@station28 ssh]# mkdir /root/1114_ssh_bak
 [root@station28 ssh]# cp * /root/1114_ssh_bak/
 [root@station28 ssh]# rpm -qa | grep openssh //目前系统安装的是4.3版本的
 openssh-server-4.3p2-36.el5
 openssh-askpass-4.3p2-36.el5
 openssh-4.3p2-36.el5
 openssh-clients-4.3p2-36.el5
 [root@station28 ~]# ssh -V
 OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
 [root@station28 ssh]# rpm -ql openssh-server-4.3p2-36.el5 //查看安装包涉及的内容
 /etc/pam.d/sshd
 /etc/rc.d/init.d/sshd
 /etc/ssh
 /etc/ssh/sshd_config
 /usr/libexec/openssh/sftp-server
 /usr/sbin/.sshd.hmac
 /usr/sbin/sshd
 /usr/share/man/man5/sshd_config.5.gz
 /usr/share/man/man8/sftp-server.8.gz
 /usr/share/man/man8/sshd.8.gz
 /var/empty/sshd
 /var/empty/sshd/etc
 /var/empty/sshd/etc/localtime
 [root@station28 ssh]# rpm -ql openssh-askpass-4.3p2-36.el5
 /etc/profile.d/gnome-ssh-askpass.csh
 /etc/profile.d/gnome-ssh-askpass.sh
 /usr/libexec/openssh/gnome-ssh-askpass
 /usr/libexec/openssh/ssh-askpass
 [root@station28 ssh]# rpm -ql openssh-4.3p2-36.el5
 /etc/ssh
 /etc/ssh/moduli
 /usr/bin/ssh-keygen
 /usr/libexec/openssh
 /usr/libexec/openssh/ssh-keysign
 .....
 ....
 [root@station28 ssh]# rpm -ql openssh-clients-4.3p2-36.el5
 /etc/ssh/ssh_config
 /usr/bin/.ssh.hmac
 /usr/bin/scp
 /usr/bin/sftp
 /usr/bin/slogin
 /usr/bin/ssh
 /usr/bin/ssh-add
 /usr/bin/ssh-agent
 /usr/bin/ssh-copy-id
 /usr/bin/ssh-keyscan
 ......
 .....
 [root@station28 ssh]# rpm -qa | grep openssh //全部卸载
 openssh-server-4.3p2-36.el5
 openssh-askpass-4.3p2-36.el5
 openssh-4.3p2-36.el5
 openssh-clients-4.3p2-36.el5
 [root@station28 ssh]# rpm -e openssh-server-4.3p2-36.el5
 [root@station28 ssh]# rpm -e openssh-askpass-4.3p2-36.el5
 [root@station28 ssh]# rpm -e openssh-4.3p2-36.el5 //存在依赖关系,需要先卸载openssh-clients-4.3p2-36.el5.x86_64
 error: Failed dependencies:
        openssh = 4.3p2-36.el5 is needed by (installed) openssh-clients-4.3p2-36.el5.x86_64
 [root@station28 ssh]# rpm -e openssh-clients-4.3p2-36.el5
 [root@station28 ssh]# rpm -e openssh-4.3p2-36.el5
 [root@station28 ssh]# rpm -qa | grep openssh //全部卸载干净
 
[root@station28 ~]# pwd
 /root
 [root@station28 ~]# ls openssh-6.1p1.tar.gz
 openssh-6.1p1.tar.gz
 [root@station28 ~]# tar -zxpf openssh-6.1p1.tar.gz //解压openssh 6.1
 [root@station28 ~]# cd openssh-6.1p1 //执行以下命令进行编译
 [root@station28 openssh-6.1p1]# ./configure --prefix=/usr/local/ssh --sysconfdir=/etc/ssh  --with-zlib --with-ssl-dir=/usr/local/ssl --with-md5-passwords --mandir=/usr/share/man
 [root@station28 openssh-6.1p1]# make
 [root@station28 openssh-6.1p1]# make install //warn的报错忽略
 [root@station28 openssh-6.1p1]# cd /usr/local/ssh/bin //刚用--frefix参数指定的路径/usr/local/ssh,将其bin下的拷贝到/usr/bin下
 [root@station28 bin]# ls
 scp  sftp  slogin  ssh  ssh-add  ssh-agent  ssh-keygen  ssh-keyscan
 [root@station28 bin]# cp * /usr/bin/
 [root@station28 bin]# cd /usr/local/ssh/sbin
 [root@station28 sbin]# ls
 sshd
 [root@station28 sbin]# cp sshd /usr/sbin/sshd //同理
 [root@station28 sbin]# cd /root/openssh-6.1p1/contrib/RedHat/ //将sshd.init拷贝到/etc/init.d/下,名字为sshd(ssh的daemon名称)
 [root@station28 redhat]# ls
 gnome-ssh-askpass.csh  gnome-ssh-askpass.sh  openssh.spec  sshd.init  sshd.init.old  sshd.pam  sshd.pam.old
 [root@station28 redhat]# cp sshd.init /etc/init.d/sshd
 [root@station28 redhat]# ls -l /etc/init.d/sshd
 -rwxr-xr-x 1 root root 1768 Nov 14 23:21 /etc/init.d/sshd
 [root@station28 redhat]# chkconfig --add sshd
 [root@station28 redhat]# service sshd restart
 
[root@station28 ~]# service sshd restart //提示报错,只要touch该文件即可规避
 Stopping sshd:                                            [  OK  ]
 lstat(/etc/ssh/ssh_host_ecdsa_key.pub) failed: No such file or directory
 Starting sshd:                                            [  OK  ]
 [root@station28 ~]# touch /etc/ssh/ssh_host_ecdsa_key.pub
 [root@station28 ~]# service sshd restart
 Stopping sshd:                                            [  OK  ]
 Starting sshd:                                            [  OK  ]
 [root@station28 ~]# ssh -V //安装成功
 OpenSSH_6.1p1, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
 
以下步骤为搭建sftp步骤
 [root@station28 ssh]# mkdir /home/sftpserver
 [root@station28 ssh]# useradd -d /home/sftpserver -s /bin/false test01 //创建用户,指定shell为/bin/false
 useradd: warning: the home directory already exists.
 Not copying any file from skel directory into it.
 [root@station28 ssh]# passwd test01
 Changing password for user test01.
 New UNIX password:
 BAD PASSWORD: it is based on a dictionary word
 Retype new UNIX password:
 passwd: all authentication tokens updated successfully.
 
[root@station28 ssh]# pwd
 /etc/ssh
 [root@station28 ssh]# cp sshd_config  sshd_config_1114.bak
 sshd_config配置如下
 # Authentication: //在Authentication下加入如下两行,指定可以登入的网段
 AllowUsers *@192.168.*.*
 AllowUsers *@127.0.0.1
 # override default of no subsystems
 #Subsystem      sftp    /usr/local/ssh/libexec/sftp-server //将这行注释,使用internal-sftp,添加如下行
 Subsystem      sftp    internal-sftp
 
# Example of overriding settings on a per-user basis
 #Match User anoncvs
 #      X11Forwarding no
 #      AllowTcpForwarding no
 #      ForceCommand cvs server
 //在最下面添加如下行,对test01这个用户chroot到/home/sftpserver目录下
 Match User test01
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp
        ChrootDirectory /home/sftpserver
 [root@station28 ssh]# sftp test01@192.168.14.28 //chroot成功
 test01@192.168.14.28's password:
 Connected to 192.168.14.28.
 sftp> pwd
 Remote working directory: /
 
可参考如下rhel下的sftp配置链接: http://www.linuxidc.com/Linux/2012-07/64871.htm澳门新萄京官方网站 1

一、问题描述(默认Linux安装的SSHD服务存在一些漏洞,特此升级)

在曾经手动升级sshd服务后发现了三个后遗症:

澳门新萄京官方网站 2

  1. selinux开启的状态下,重启机器sshd不启动(原因:库文件“libcrypto.so.1.0.0”的selinux标记不正确,导致sshd无法调用访问该文件,使用setroubleshoot工具找到原因)

  2. hosts.allow,hosts.deny对sshd不起作用(原因:编译时未加上--with-tcp-wrappers)

  3. sftp无法使用(原因:源码安装后配置文件未找到sftp-server工具)

  4.  为了方便以后安装,再加上修补以上遗留问题,特写成脚本。(脚本测试在CentOS6.5、RHEL6.4、CentOS5.10测试通过)

澳门新萄京官方网站 3

注意事项:为了降低风险,运行脚本之前,需以telnet登陆系统取得root权限(telnet默认不允许root登陆,可以设置允许root或者以普通用户切换)

澳门新萄京官方网站 4

二、安装

 

  1.  工具包:openssh-6.6p1.tar.gz     openssl-1.0.1g.tar.gz

2.升级openssh之前要先打开服务器telnet,通过telnet登录服务器,因为升级过程中会导致ssh暂时不能用

openssh:  http://mirror.internode.on.net/pub/OpenBSD/OpenSSH/portable/     

打开linux telnet服务:

openssl:   ftp://ftp.openssl.org/source/old/1.0.1/

查看telnet是否已经安装:

 

rpm -qa|grep telnet

  1. 安装时将脚本和两个包放在相同路径下,解决依赖请配置好YUM仓库 

  2. 脚本:updatesshd.sh

    #!/bin/bash #-------------------------------------| #"WARING"!!! Please use telnet-server.| #"WARING"!!! Please use telnet-server.| #"WARING"!!! Please use telnet-server.| #-------------------------------------| ssh_update() { #Backup the old files SSL_VER=openssl-1.0.1g SSH_VER=openssh-6.6p1 CUR_DIR=$(pwd) SSH_DIR=/usr/local/openssh cd /etc/ssh/ mkdir old mv ssh* moduli old mv /etc/init.d/sshd /etc/init.d/sshd.old

    #Update ssl yum -y install gcc gcc-c zlib-devel pam-devel tcp_wrappers* cd $CUR_DIR tar zxf $SSL_VER.tar.gz cd $SSL_VER ./config shared zlib make && make install mv /usr/bin/openssl /usr/bin/openssl.old mv /usr/include/openssl /usr/include/openssl.old ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl ln -s /usr/local/ssl/include/openssl/ /usr/include/openssl echo "/usr/local/ssl/lib" >> /etc/ld.so.conf ldconfig /sbin/restorecon -v /usr/local/ssl/lib/libcrypto.so.1.0.0 cd ..

    #Update sshd rpm -e rpm -qa | grep openssh --nodeps tar zvxf $SSH_VER.tar.gz cd $SSH_VER/ ./configure --prefix=$SSH_DIR --sysconfdir=/etc/ssh --with-pam --with-tcp-wrappers --with-ssl-dir=/usr/local/ssl --with-md5-passwords --with-zlib=zlib make && make install cp contrib/redhat/sshd.init /etc/init.d/sshd chmod u x /etc/init.d/sshd chkconfig --add sshd chkconfig sshd on cp -rf sshd_config /etc/ssh/sshd_config cd $SSH_DIR cp -rf sbin/sshd /usr/sbin/sshd cp -rf bin/* /usr/bin/ sed -i 's#/usr/libexec/sftp-server#/usr/local/openssh/libexec/sftp-server#' /etc/ssh/sshd_config service sshd restart }

    read -p "Are you using telnet[YES/NO]?" ANSWER case $ANSWER in YES)

    echo "Fine,continue!!!"
    ssh_update 2>&1 | tee -a /tmp/update.log ;;
    

    NO)

    echo "It is dangerous,bye!!!";;
    

    *)

    echo "Error choice";;
    

    esac

telnet-0.17-48.el6.x86_64

  

telnet-server-0.17-48.el6.x86_64

  1. 结果验证:

 

[root@localhost src]# ssh  -V

如果没有安装,通过yum安装

SSH, OpenSSL 1.0.1g 7 Apr 2014

[root@leotest ~]# yum install telnet

[root@leotest ~]# yum install telnet-server

 

启动telnet服务:

编辑telnet文件,将disable改成no

[root@leotest xinetd.d]# vi /etc/xinetd.d/telnet

# default: on

# description: The telnet server serves telnet sessions; it uses

#       unencrypted username/password pairs for authentication.

service telnet

{

        flags           = REUSE

本子晋级openssh,RedHat安装OpenSSH和配备sftp锁定目录。        socket_type     = stream

        wait            = no

        user            = root

        server          = /usr/sbin/in.telnetd

本子晋级openssh,RedHat安装OpenSSH和配备sftp锁定目录。        log_on_failure  = USERID

        disable         = no

}

 

 

重启xinetd服务:

service xinetd restart

or:

/etc/rc.d/init.d/xinetd restart

 

通过telnet连接服务器:

[c:~]$ telnet 192.168.5.5

 

 

Connecting to 192.168.5.5:23...

Connection established.

To escape to local shell, press 'Ctrl Alt ]'.

Red Hat Enterprise Linux Server release 6.8 (Santiago)

Kernel 2.6.32-642.el6.x86_64 on an x86_64

login: test

Password:

[test@leotest ~]$

由于默认telnet只能连接普通用户,所以需要登录普通用户之后跳转到root用户

 

3.备份原openssh相关文件:

cp /usr/sbin/sshd /usr/sbin/sshd.bak

cp /etc/ssh/ssh_config /etc/ssh/ssh_config.bak

cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

cp /etc/ssh/moduli /etc/ssh/moduli.bak

 

Note:删除掉下面三个文件,否则安装的时候会报错:

/etc/ssh/ssh_config already exists, install will not overwrite

/etc/ssh/sshd_config already exists, install will not overwrite

/etc/ssh/moduli already exists, install will not overwrite

 

rm /etc/ssh/ssh_config -fr

rm /etc/ssh/sshd_config -fr

rm /etc/ssh/moduli -fr

 

yum install pam-devel

yum install zlib-devel

yum install openssl-devel

 

 

4.解压并安装openssh

[root@leotest softs]# tar -zxvf openssh-7.4p1.tar.gz

[root@leotest softs]# ls

openssh-7.4p1  openssh-7.4p1.tar.gz  openssh-7.4p1-vs-openbsd.diff.gz

[root@leotest softs]# cd openssh-7.4p1

[root@leotest openssh-7.4p1]#./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-pam --with-md5-passwords --mandir=/usr/share/man

### configure: error: *** zlib.h missing – please install first or check config.log

#yum install zlib-devel

###configure: error: *** Can’t find recent OpenSSL libcrypto (see config.log for details) ***

#yum install openssl openssl-devel

 

重新编译:

重新编译前要先清理之前的编译信息:

make clean

ldconfig

[root@leotest openssh-7.4p1]#  ./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-pam --with-md5-passwords --mandir=/usr/share/man

OpenSSH has been configured with the following options:

                     User binaries: /usr/bin

                   System binaries: /usr/sbin

               Configuration files: /etc/ssh

                   Askpass program: /usr/libexec/ssh-askpass

                      Manual pages: /usr/share/man/manX

                          PID file: /var/run

  Privilege separation chroot path: /var/empty

            sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin

                    Manpage format: doc

                       PAM support: no

                   OSF SIA support: no

                 KerberosV support: no

                   SELinux support: no

                 Smartcard support:

                     S/KEY support: no

              MD5 password support: no

                   libedit support: no

  Solaris process contract support: no

           Solaris project support: no

         Solaris privilege support: no

       IP address in $DISPLAY hack: no

           Translate v4 in v6 hack: yes

                  BSD Auth support: no

              Random number source: OpenSSL internal ONLY

             Privsep sandbox style: rlimit

 

              Host: x86_64-pc-linux-gnu

          Compiler: gcc

    Compiler flags: -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wno-pointer-sign -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-all -fPIE

Preprocessor flags:

      Linker flags:  -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-all -pie

         Libraries: -lcrypto -lrt -ldl -lutil -lz  -lcrypt -lresolv

 

make && make install

/etc/init.d/sshd restart

 

5.覆盖旧的文件

cp -p /softs/openssh-7.4p1/contrib/redhat/sshd.init /etc/init.d/sshd

chmod u x /etc/init.d/sshd

chkconfig --add sshd

cp /usr/local/openssh/sbin/sshd /usr/sbin/sshd

[root@pttlstydb openssh-7.4p1]# cp /usr/local/openssh/sbin/sshd /usr/sbin/sshd

cp: overwrite `/usr/sbin/sshd'? y

cp: cannot create regular file `/usr/sbin/sshd': Text file busy

文件正在被使用

[root@pttlstydb openssh-7.4p1]# ps -ef|grep sshd

root     14111     1  0 10:05 ?        00:00:00 sshd: root@pts/0

root     14865     1  0 10:22 ?        00:00:00 sshd: root@notty

root     24182 14779  0 10:30 pts/1    00:00:00 grep sshd

[root@pttlstydb openssh-7.4p1]# kill -9 14865

[root@pttlstydb openssh-7.4p1]# ps -ef|grep sshd

root     24227 14779  0 10:31 pts/1    00:00:00 grep sshd

 

重新覆盖:

cp /usr/local/openssh/bin/ssh /usr/bin/ssh

 

[root@leotest openssh-7.4p1]# service sshd restart

Stopping sshd:                                             [  OK  ]

ssh-keygen: illegal option -- A

usage: ssh-keygen [options]

Options:

 

cat /etc/init.d/sshd

start()

{

# Create keys if necessary

/usr/bin/ssh-keygen -A

if [ -x /sbin/restorecon ]; then

/sbin/restorecon /etc/ssh/ssh_host_key.pub

/sbin/restorecon /etc/ssh/ssh_host_rsa_key.pub

/sbin/restorecon /etc/ssh/ssh_host_dsa_key.pub

/sbin/restorecon /etc/ssh/ssh_host_ecdsa_key.pub

fi

 

echo -n $"Starting $prog:"

$SSHD $OPTIONS && success || failure

RETVAL=$?

[ $RETVAL -eq 0 ] && touch /var/lock/subsys/sshd

echo

}

 

*因为默认低版本的ssh-keygen没有-A参数***

解决方法:

cp /usr/local/openssh/bin/ssh-keygen /usr/bin/ssh-keygen

 

 

重启sshd服务:

[root@leotest ssh]# service sshd restart

Stopping sshd:                                             [  OK  ]

Starting sshd:                                             [  OK  ]

Starting sshd:/etc/ssh/sshd_config line 81: Unsupported option GSSAPIAuthentication

澳门新萄京官方网站,/etc/ssh/sshd_config line 83: Unsupported option GSSAPICleanupCredentials

 

原因:新版本的openssh不支持以上参数,需要修改sshd的配置文件

 

[root@leotest openssh-7.4p1]# vi /etc/ssh/sshd_config

##去掉前面的注释,允许root通过ssh登录

PermitRootLogin yes

 

##注释掉下面三个参数

#GSSAPIAuthentication yes

#GSSAPICleanupCredentials yes

#UsePAM yes

 

 

##在文件末尾加上如下信息,否则还是无法通过ssh登录linux:

导致此问题的原因是ssh升级后,为了安全,默认不再采用原来一些加密算法,我们手工添加进去即可。

Ciphers aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc,arcfour128,arcfour256,arcfour,blowfish-cbc,cast128-cbc

MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-sha1-96,hmac-md5-96

KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1,curve25519-sha256@libssh.org

 

 

6.重启sshd服务,测试ssh连接服务器

service sshd restart

[c:~]$ ssh 192.168.5.5

 

Connecting to 192.168.5.5:22...

Connection established.

To escape to local shell, press 'Ctrl Alt ]'.

 

Last login: Tue Dec 27 00:22:10 2016 from 192.168.5.2

[root@leotest ~]# ssh -V

OpenSSH_7.4p1, OpenSSL 1.0.1e-fips 11 Feb 2013

 

 

7.禁用telnet**
**

[root@leotest ~]# vi /etc/xinetd.d/telnet

 

# default: on

# description: The telnet server serves telnet sessions; it uses

#       unencrypted username/password pairs for authentication.

service telnet

{

        flags           = REUSE

        socket_type     = stream

        wait            = no

        user            = root

        server          = /usr/sbin/in.telnetd

        log_on_failure  = USERID

        disable         = yes

}

 

停掉xinetd服务:

[root@leotest ~]# service xinetd stop

Stopping xinetd:                                           [  OK  ]

停掉开机自启动:

[root@leotest ~]# chkconfig --list xinetd

xinetd                 0:off        1:off        2:off        3:on        4:on        5:on        6:off

[root@leotest ~]# chkconfig  xinetd off

[root@leotest ~]# chkconfig --list xinetd

xinetd                 0:off        1:off        2:off        3:off        4:off        5:off        6:off

 

 


 

 升级后问题解决:

通过winscp登录linux报错,解决方法如下:

[root@leotest ~]# vi /etc/ssh/sshd_config

 

# override default of no subsystems

#Subsystem      sftp    /usr/libexec/openssh/sftp-server

Subsystem       sftp    internal-sftp

将原来的注释掉,改成下面的internal-sftp

 

重启sshd服务:

service sshd restart

 

本文由澳门新萄京官方网站发布于澳门新萄京官方网站,转载请注明出处:本子晋级openssh,RedHat安装OpenSSH和配备sftp锁定目

关键词: