Because of CVE-2023-38408, the OpenSSH version needs to be upgraded:
yum groupinstall -y "Development Tools"
yum install -y zlib-devel openssl-devel wget
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
chmod 600 /etc/ssh/ssh_host_rsa_key
chmod 600 /etc/ssh/ssh_host_ecdsa_key
chmod 600 /etc/ssh/ssh_host_ed25519_key
cd /tmp
wget -c https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.3p2.tar.gz
tar -xzf openssh-9.3p2.tar.gz
cd openssh-9.3p2
yum install -y pam-devel libselinux-devel
./configure --with-pam --with-selinux --with-privsep-path=/var/lib/sshd/ --sysconfdir=/etc/ssh
make && make install
ssh and sshd built successfully from 9.3p2, so I now have two versions of sshd:
/usr/sbin/sshd OpenSSH_7.4p1
/usr/local/sbin/sshd OpenSSH_9.3
Next, I should change the executable path in /usr/lib/systemd/system/sshd.service to point to the new version of sshd.
[Unit]
Description=OpenSSH server daemon
Documentation=man:sshd(8) man:sshd_config(5)
After=network.target sshd-keygen.service
Wants=sshd-keygen.service
[Service]
Type=notify
EnvironmentFile=/etc/sysconfig/sshd
ExecStart=/usr/sbin/sshd -D $OPTIONS
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartSec=42s
[Install]
WantedBy=multi-user.target
Change /usr/sbin/sshd to /usr/local/sbin/sshd, reload with systemctl daemon-reload, and restart with service sshd restart.
When running sshd -t, the following may appear:
/etc/ssh/sshd_config line 79: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 80: Unsupported option GSSAPICleanupCredentials
Comment out lines 79 and 80 in /etc/ssh/sshd_config.
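The unit-file switch and the GSSAPI clean-up above as one script, added here as an example and not part of the original post: it comments the unsupported options out by keyword instead of by line number and checks the config with the new binary before restarting. The function names and the `--apply` switch are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the original post); function names are hypothetical.

# Comment out each active line in config $1 that sets one of the keywords in
# the remaining arguments. Keywords are matched case-insensitively.
comment_unsupported() {
    local cfg=$1 tmp rc; shift
    tmp=$(mktemp) || return 1
    awk -v opts="$*" '
        BEGIN { n = split(tolower(opts), o, " "); for (i = 1; i <= n; i++) bad[o[i]] = 1 }
        { line = $0; sub(/^[ \t]+/, "", line); split(line, f, /[ \t=]+/)
          if (line != "" && (tolower(f[1]) in bad)) print "#" $0; else print }
    ' "$cfg" > "$tmp" && cat "$tmp" > "$cfg"   # cat keeps mode, owner and SELinux label
    rc=$?; rm -f "$tmp"; return $rc
}

# Point ExecStart in unit file $1 from binary $2 to binary $3, keeping its arguments.
switch_execstart() {
    local unit=$1 tmp rc
    tmp=$(mktemp) || return 1
    awk -v old="ExecStart=$2" -v new="ExecStart=$3" '
        index($0, old " ") == 1 || $0 == old { $0 = new substr($0, length(old) + 1) }
        { print }
    ' "$unit" > "$tmp" && cat "$tmp" > "$unit"
    rc=$?; rm -f "$tmp"; return $rc
}

# Real run (as root, after the sshd_config.bak backup above exists).
if [ "${1:-}" = "--apply" ]; then
    NEW=/usr/local/sbin/sshd
    comment_unsupported /etc/ssh/sshd_config GSSAPIAuthentication GSSAPICleanupCredentials
    # Validate with the new binary by full path; a bare "sshd -t" may run the old one.
    "$NEW" -t -f /etc/ssh/sshd_config || exit 1
    switch_execstart /usr/lib/systemd/system/sshd.service /usr/sbin/sshd "$NEW"
    systemctl daemon-reload && systemctl restart sshd
fi
```

An unpatched upstream 9.3p2 build does not send the systemd readiness notification that Type=notify waits for, so a start that hangs and then times out points at that setting rather than at sshd_config.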