概要
CentOS6的OpenSSH5.x很多漏洞,现直接打包rpm文件升级
升级后发现无法登录,原因是升级了
OpenSSH但是PAM的配置文件/etc/pam.d/sshd没有跟着升级,所以拷贝了一份CentOS7的配置文件,重启sshd后可以登录
安装依赖包
yum install pam-devel rpm-build zlib zlib-devel openssl openssl-devel -y
打包OpenSSH
mkdir -p ~/rpmbuild/SOURCES/
cd ~/rpmbuild/SOURCES/
wget http://ftp.riken.jp/Linux/momonga/6/Everything/SOURCES/x11-ssh-askpass-1.2.4.1.tar.gz
wget http://ftp.jaist.ac.jp/pub/OpenBSD/OpenSSH/portable/openssh-7.7p1.tar.gz
tar xf openssh-7.7p1.tar.gz
cp openssh-7.7p1/contrib/redhat/openssh.spec ~/rpmbuild/SOURCES/
sed -i 's@%define no_gnome_askpass 0@%define no_gnome_askpass 1@g' ~/rpmbuild/SOURCES/openssh.spec
sed -i 's@%define no_x11_askpass 0@%define no_x11_askpass 1@g' ~/rpmbuild/SOURCES/openssh.spec
rpmbuild -ba openssh.spec
升级OpenSSH
cd ~/rpmbuild/RPMS/x86_64/
rpm -Uvh *
修改pam的配置文件
/etc/pam.d/sshd
#%PAM-1.0
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare
/etc/pam.d/postlogin
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session [default=1] pam_lastlog.so nowtmp showfailed
session optional pam_lastlog.so silent noupdate showfailed
重启sshd
service sshd restart
网友评论