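How to Upgrade OpenSSH
Because OpenSSH vulnerabilities have a significant impact on cluster security, it is sometimes necessary to upgrade to the latest version of OpenSSH. This tutorial describes how to upgrade a SonmiHPC cluster to the latest OpenSSH, using the current 9.7p1 release as the example.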
- Back up the existing SSH configuration:
```shell
cp -r /etc/ssh ~/ssh_bak
```
- Install the components needed for compilation:
```shell
dnf install -y gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel pam-devel zlib-devel
```
- Use wget to download the latest source tarball and extract it:
```shell
wget https://mirrors.aliyun.com/pub/OpenBSD/OpenSSH/portable/openssh-9.7p1.tar.gz
```
Extract the source code and enter the source directory:
```shell
tar xvf openssh-9.7p1.tar.gz && cd openssh-9.7p1
```
- Run the following commands to configure, build and install:
```shell
./configure --prefix=/usr/ --sysconfdir=/etc/ssh --with-pam
make -j && make install
```
- Copy the pam file:
```shell
cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd.pam
```
- Restore the original settings and related files:
```shell
rm -rf /etc/ssh/*
cp -r ~/ssh_bak/. /etc/ssh/
```
- Edit the /etc/crypto-policies/back-ends/opensshserver.config file and delete the GSSAPIKexAlgorithms setting:
```shell
# Find and delete the following field
GSSAPIKexAlgorithms gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-
```
Edit /etc/ssh/sshd_config.d/50-redhat.conf and comment out the GSS-related settings below:
```shell
#GSSAPIAuthentication yes
#GSSAPICleanupCredentials no
```
- Fix the file permissions:
```shell
chmod 0600 /etc/ssh/ssh_host*_key
```
- Restart the sshd service:
```shell
systemctl restart sshd
```
- Check the version:
```shell
sshd -V
```
One-click script
For operational convenience, the following one-click script is provided:
```shell
#!/bin/bash
# Stop at the first failed step so a failed backup or build never reaches the rm -rf below
set -e
# Back up the existing SSH configuration
cp -r /etc/ssh ~/ssh_bak
# Install the build dependencies
dnf install -y gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel pam-devel zlib-devel
# Download and unpack the source
wget -P ~/ https://mirrors.aliyun.com/pub/OpenBSD/OpenSSH/portable/openssh-9.7p1.tar.gz
cd ~ && tar xvf openssh-9.7p1.tar.gz && cd openssh-9.7p1
# Configure, build and install
./configure --prefix=/usr/ --sysconfdir=/etc/ssh --with-pam
make -j && make install
cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd.pam
# Restore the original configuration and host keys from the backup
rm -rf /etc/ssh/*
cp -r ~/ssh_bak/. /etc/ssh/
# Remove or comment out the GSSAPI settings
sed -i '/^GSSAPIKexAlgorithms/d' /etc/crypto-policies/back-ends/opensshserver.config
sed -i 's/^GSSAPIAuthentication/#&/g' /etc/ssh/sshd_config.d/50-redhat.conf
sed -i 's/^GSSAPICleanupCredentials/#&/g' /etc/ssh/sshd_config.d/50-redhat.conf
# Host private keys must not be readable by other users
chmod 0600 /etc/ssh/ssh_host*_key
systemctl restart sshd
echo "OpenSSH Update Finished!"
```
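
Both the manual steps and the one-click script restart sshd without first checking that the GSSAPI edits and the host key permissions took effect. The following pre-restart check is an added example, not part of the original page; the function names and the optional root-prefix argument are assumptions made here so the checks can also run against a staging copy of the configuration.

```shell
#!/bin/bash
# Added example (not from the original page): pre-restart checks for the steps above.
# Each function takes an optional root prefix so it can run on a staging copy.

# Print active GSSAPI directives the steps above should have removed; return 1 if any remain.
check_gssapi() {
    local root="${1:-}" found=0 f
    for f in "$root/etc/crypto-policies/back-ends/opensshserver.config" \
             "$root/etc/ssh/sshd_config.d/50-redhat.conf"; do
        [ -f "$f" ] || continue
        if grep -HniE '^[[:space:]]*GSSAPI(KexAlgorithms|Authentication|CleanupCredentials)' "$f"; then
            found=1
        fi
    done
    return "$found"
}

# Return 1 if no host private key exists or any of them is not mode 0600.
check_hostkey_modes() {
    local root="${1:-}" bad=0 seen=0 key mode
    for key in "$root"/etc/ssh/ssh_host*_key; do
        [ -e "$key" ] || continue
        seen=1
        mode=$(stat -c '%a' "$key")
        if [ "$mode" != "600" ]; then
            echo "bad mode $mode: $key"
            bad=1
        fi
    done
    if [ "$seen" -eq 0 ]; then
        echo "no host keys under $root/etc/ssh"
        bad=1
    fi
    return "$bad"
}

# Run every check; on the live system (empty root) also have sshd parse its own config.
preflight() {
    local root="${1:-}" rc=0
    check_gssapi "$root" || rc=1
    check_hostkey_modes "$root" || rc=1
    if [ -z "$root" ]; then
        sshd -t || rc=1
    fi
    return "$rc"
}
```

On the live system, run `preflight && systemctl restart sshd` from a session that stays open, so a failed check leaves the running daemon and your access untouched.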