I was asked to upgrade the OpenSSH version because of CVE-2023-38408; this is my process:
yum groupinstall -y "Development Tools"
yum install -y zlib-devel openssl-devel wget
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
chmod 600 /etc/ssh/ssh_host_rsa_key
chmod 600 /etc/ssh/ssh_host_ecdsa_key
chmod 600 /etc/ssh/ssh_host_ed25519_key
cd /tmp
wget -c https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.3p2.tar.gz
tar -xzf openssh-9.3p2.tar.gz
cd openssh-9.3p2
yum install -y pam-devel libselinux-devel
./configure --with-pam --with-selinux --with-privsep-path=/var/lib/sshd/ --sysconfdir=/etc/ssh
make && make install
It compiled ssh and sshd 9.3p2 successfully on my OS, so I now have two versions of sshd:
- /usr/sbin/sshd OpenSSH_7.4p1
- /usr/local/sbin/sshd OpenSSH_9.3
Next I should change the execution path in /usr/lib/systemd/system/sshd.service to the new sshd.
[Unit]
Description=OpenSSH server daemon
Documentation=man:sshd(8) man:sshd_config(5)
After=network.target sshd-keygen.service
Wants=sshd-keygen.service
[Service]
Type=notify
EnvironmentFile=/etc/sysconfig/sshd
ExecStart=/usr/sbin/sshd -D $OPTIONS
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartSec=42s
[Install]
WantedBy=multi-user.target
I switched /usr/sbin/sshd to /usr/local/sbin/sshd, ran systemctl daemon-reload and service sshd restart, but it did not succeed; the message is:
Aug 25 07:37:57 localhost.localdomain systemd[1]: sshd.service start operation timed out. Terminating.
Aug 25 07:37:57 localhost.localdomain sshd[2276]: Received signal 15; terminating.
Aug 25 07:37:57 localhost.localdomain systemd[1]: Failed to start OpenSSH server daemon.
-- Subject: Unit sshd.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit sshd.service has failed.
--
-- The result is failed.
Aug 25 07:37:57 localhost.localdomain systemd[1]: Unit sshd.service entered failed state.
Aug 25 07:37:57 localhost.localdomain systemd[1]: sshd.service failed.
Aug 25 07:37:57 localhost.localdomain polkitd[365]: Unregistered Authentication Agent for unix-process:2259:84553 (system bus name :1.46, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale en_
Aug 25 07:38:39 localhost.localdomain systemd[1]: sshd.service holdoff time over, scheduling restart.
Aug 25 07:38:39 localhost.localdomain systemd[1]: Stopped OpenSSH server daemon.
-- Subject: Unit sshd.service has finished shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit sshd.service has finished shutting down.
Aug 25 07:38:39 localhost.localdomain systemd[1]: Starting OpenSSH server daemon...
-- Subject: Unit sshd.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit sshd.service has begun starting up.
Aug 25 07:38:39 localhost.localdomain sshd[2278]: Server listening on 0.0.0.0 port 22.
Aug 25 07:38:39 localhost.localdomain sshd[2278]: Server listening on :: port 22.
I don't know whether the problem is in the file or in the service configuration.
Answer 1
You set the systemd service type to notify, but that requires the daemon to be built with systemd support, and at least I don't see that in your ./configure line.
Apart from that, you shouldn't be doing this. You read somewhere that this vulnerability is bad and that you need to update your system, and you jumped right in and replaced an important part of it with something you have zero insight into. You may have broken a lot of things that depend on openssh and its libraries, so congratulations, you are now your system's worst vulnerability.
https://forums.centos.org/viewtopic.php?f=47&t=80334 That thing has already been patched upstream; a simple yum update would have done it. But now you have built the software (as root, which only makes things worse) and just randomly installed stuff.
So what you need to do is a make uninstall, hope your system keeps running at that point, then a yum update. Luckily, that should reinstall all the possibly affected parts of the openssh installation.
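A check for the mismatch the answer points out (Type=notify with an sshd that was never built to send READY=1 over sd_notify), as an added example that is not part of this thread: the unit text and the two "binary" byte strings are constructed for illustration, and treating the presence of the string "libsystemd" in the ELF as evidence of notify support is an assumption, not a systemd or OpenSSH rule.

```python
# Added example, not from this thread: flag a unit whose Type=notify cannot be
# satisfied by its ExecStart binary. Heuristic (assumption): an sshd able to
# send READY=1 links libsystemd, so its ELF contains the string "libsystemd".
import shlex

# Constructed unit mirroring the thread's, with ExecStart pointed at the new build.
SAMPLE_UNIT = """[Unit]
Description=OpenSSH server daemon
[Service]
Type=notify
ExecStart=/usr/local/sbin/sshd -D $OPTIONS
"""
# Constructed stand-ins for file contents; a real check would read the binary.
DISTRO_SSHD = b"\x7fELF..libsystemd.so.0..libcrypto.so.10.."
SELF_BUILT_SSHD = b"\x7fELF..libcrypto.so.1.1..libz.so.1.."


def parse_unit(text):
    """Return {section: {key: value}} for an INI-style unit; a repeated key keeps the last value."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def exec_start_binary(unit):
    """Path of the ExecStart program, minus systemd's -/@/+/:/! prefix characters."""
    exec_start = unit.get("Service", {}).get("ExecStart", "")
    if not exec_start:
        return None
    return shlex.split(exec_start)[0].lstrip("-@+:!")


def binary_supports_notify(blob):
    """Heuristic: a daemon that links libsystemd can call sd_notify()."""
    return b"libsystemd" in blob


def check_unit(unit_text, binary_blob):
    """Return findings; an empty list means Type= and the binary are consistent."""
    unit = parse_unit(unit_text)
    path = exec_start_binary(unit)
    if path is None:
        return ["no ExecStart in [Service]"]
    if unit["Service"].get("Type", "simple") == "notify" and not binary_supports_notify(binary_blob):
        return [f"Type=notify but {path} does not link libsystemd: systemd waits for READY=1 and times out"]
    return []
```

On a real host, feed `check_unit` the output of `systemctl cat sshd` and the bytes of the file named in ExecStart; a non-empty result explains the "start operation timed out" line in the journal above, because systemd never receives the readiness message it was told to expect.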