CentOS 7.x 升级 OpenSSH 10.1 与 OpenSSL 3.5.4版本(2025)
作者: ryan 发布于: 10/31/2025 更新于: 11/3/2025 字数: 0 字 阅读: 0 分钟
背景
OpenSSH(OpenBSD Secure Shell)是加拿大 OpenBSD 项目组开发的一套用于安全远程访问的连接工具。它是 SSH 协议的开源实现,通过加密所有传输数据,有效防止窃听、连接劫持及其他网络攻击。
相关安全漏洞
以下是需要通过升级 OpenSSH 和 OpenSSL 修复的已知安全漏洞:
- CVE-2023-28531:影响 OpenSSH 9.3p2 及更早版本,源于 ssh-agent 的 PKCS11 功能存在安全缺陷,攻击者可利用此漏洞执行远程代码。
- CVE-2023-38408:同上,涉及 ssh-agent 的 PKCS11 功能,存在远程代码执行风险。
- CVE-2023-48795:影响 OpenSSH 10.0 及更早版本,DisableForwarding 指令未正确禁用 X11 和代理转发,可能导致未授权访问。
- CVE-2023-51385:同上,涉及转发功能的配置缺陷。
- CVE-2025-26465 和 CVE-2025-32728:影响 OpenSSH 10.0 及更早版本,具体细节待披露,但建议尽早升级以确保安全。
修复方法
本文为修复上述漏洞,将 CentOS 7.x 系统的 OpenSSH 升级至 10.1,并将 OpenSSL 升级至 3.5.4。这些版本包含针对上述漏洞的修复补丁,可显著提升系统安全性。
一、前置准备
1.确认系统版本
bash
cat /etc/redhat-release
CentOS Linux release 7.8.2003 (Core)
openssl version
OpenSSL 1.1.1n 15 Mar 20222.以 root 身份操作
bash
sudo -i3.备份关键数据
bash
# 创建备份目录
BACKUP_TIME=$(date +%Y%m%d%H%M%S)
mkdir -p /root/backup_$BACKUP_TIME
# 备份 OpenSSL 相关
cp -r /usr/bin/openssl /root/backup_$BACKUP_TIME/
cp -r /usr/include/openssl /root/backup_$BACKUP_TIME/
# 备份 SSH 相关
cp -rp /etc/ssh /root/backup_$BACKUP_TIME/
cp -rp /usr/local/openssh /root/backup_$BACKUP_TIME/
cp -rp /usr/local/openssl /root/backup_$BACKUP_TIME/
cp /usr/sbin/sshd /root/backup_$BACKUP_TIME/sshd.old
cp /usr/bin/ssh /root/backup_$BACKUP_TIME/ssh.old4.更换阿里云 yum 源
bash
mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
sed -i -e '/mirrors.cloud.aliyuncs.com/d' -e '/mirrors.aliyuncs.com/d' /etc/yum.repos.d/CentOS-Base.repo
yum clean all
yum makecache安装 Telnet
bash
yum install -y epel-release
yum install -y telnet telnet-server xinetd配置 xinetd 中的 telnet 服务
bash
cat > /etc/xinetd.d/telnet << 'EOF'
service telnet
{
disable = no
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
}
EOF启动服务
bash
systemctl enable xinetd
systemctl restart xinetd开放防火墙
bash
if systemctl is-active --quiet firewalld; then
firewall-cmd --permanent --add-port=23/tcp
firewall-cmd --reload
fi创建临时用户
bash
useradd -m -s /bin/bash opi
echo 'opi:!QAZ@WSX' | chpasswd配置sudo
bash
# 允许 sudo(可选)
echo "opi ALL=(ALL:ALL) ALL" > /etc/sudoers.d/opi-perms
chmod 0440 /etc/sudoers.d/opi-perms注意:以下操作确认 Telnet 能登录后再继续!
升级 OpenSSL
安装编译依赖
bash
yum install -y gcc gcc-c++ make perl perl-devel perl-IPC-Cmd perl-Data-Dumper perl-Time-Piece perl-CPAN zlib-devel perl-Test-Simple下载源码包
bash
cd /tmp
sudo wget https://github.com/openssl/openssl/releases/download/openssl-3.5.4/openssl-3.5.4.tar.gz
# 内网环境
#sudo wget http://10.1.0.67/softs/openssl-3.5.4.tar.gz
tar -zxvf openssl-3.5.4.tar.gz
cd openssl-3.5.4编译配置
bash
./Configure --prefix=/usr/local/openssl shared zlib编译
bash
make -j$(nproc)安装
bash
make test
make install创建系统链接
bash
# 备份旧版
mv /usr/bin/openssl /usr/bin/openssl.bak_$(date +%Y%m%d) 2>/dev/null || true
# 创建新链接
ln -sf /usr/local/openssl/bin/openssl /usr/bin/openssl
ln -sf /usr/local/openssl/include/openssl /usr/include/openssl
# 配置动态库
echo "/usr/local/openssl/lib64" > /etc/ld.so.conf.d/openssl.conf
ldconfigbash
[root@localhost openssh-10.2p1]# ls -ls /usr/local/openssl
总用量 32
0 drwxr-xr-x 2 root root 37 11月 3 10:53 bin
0 drwxr-xr-x 2 root root 6 4月 9 2021 certs
4 -rw-r--r-- 1 root root 412 4月 9 2021 ct_log_list.cnf
4 -rw-r--r-- 1 root root 412 3月 18 2022 ct_log_list.cnf.dist
0 drwxr-xr-x 3 root root 21 4月 9 2021 include
0 drwxr-xr-x 4 root root 159 3月 18 2022 lib
0 drwxr-xr-x 6 root root 186 11月 3 10:53 lib64
0 drwxr-xr-x 2 root root 48 3月 18 2022 misc
12 -rw-r--r-- 1 root root 10909 4月 9 2021 openssl.cnf
12 -rw-r--r-- 1 root root 10909 3月 18 2022 openssl.cnf.dist
0 drwxr-xr-x 2 root root 6 4月 9 2021 private
0 drwxr-xr-x 4 root root 28 4月 9 2021 share
0 drwxr-xr-x 5 root root 140 11月 3 10:53 ssl
[root@localhost openssl-3.5.4]# ls /usr/local/openssl/ -ls
总用量 0
0 drwxr-xr-x 2 root root 37 11月 3 13:44 bin
0 drwxr-xr-x 3 root root 21 11月 3 13:44 include
0 drwxr-xr-x 6 root root 186 11月 3 13:44 lib64
0 drwxr-xr-x 4 root root 28 11月 3 13:44 share
0 drwxr-xr-x 5 root root 140 11月 3 13:44 ssl验证 OpenSSL 版本
bash
openssl version
# 应输出: OpenSSL 3.5.4 ...升级 OpenSSH
停止 SSH 服务
注意:此步骤请在保证telnet 可登录情况下执行(重要)
bash
systemctl stop sshd
pkill sshd卸载旧版 OpenSSH
bash
rpm -qa | grep openssh
yum remove -y openssh openssh-server openssh-clients
# 强制清除残留(如果还有)
rpm -e --nodeps $(rpm -qa | grep openssh) 2>/dev/null || true安装编译依赖
bash
yum install -y pcre-devel pam-devel zlib-devel下载 OpenSSH
bash
cd /tmp
mkdir ssh_install && cd ssh_install
sudo wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-10.2p1.tar.gz
## 内网环境
## sudo wget http://10.1.0.67/softs/openssh-10.2p1.tar.gz
tar -zxf openssh-10.2p1.tar.gz
cd openssh-10.2p1清理旧版目录
bash
rm /usr/local/openssh/ -rf配置编译
bash
#关键:指定 OpenSSL 路径
./configure \
--prefix=/usr/local/openssh \
--with-ssl-dir=/usr/local/openssl \
--with-zlib \
--with-pam \
--sysconfdir=/etc/sshbash
## 出现以下内容表示正常
PAM is enabled. You may need to install a PAM control file
for sshd, otherwise password authentication may fail.
Example PAM control files can be found in the contrib/
subdirectory编译安装
bash
make -j$(nproc)
make install配置新 SSH 服务
复制二进制文件
bash
cp /usr/local/openssh/sbin/sshd /usr/sbin/sshd
cp /usr/local/openssh/bin/ssh /usr/bin/ssh
cp /usr/local/openssh/bin/ssh-keygen /usr/bin/ssh-keygen还原配置文件
bash
[root@localhost openssh-10.2p1]# cp /root/backup_20251031160930/ssh/sshd_config /etc/ssh/sshd_config
cp:是否覆盖"/etc/ssh/sshd_config"? y启动 SSH 服务
bash
systemctl daemon-reload
systemctl start sshd
systemctl enable sshd验证版本
bash
ssh -V
OpenSSH_10.2p1, OpenSSL 3.5.4 30 Sep 2025验证升级结果
bash
echo "=== OpenSSL 版本 ==="
openssl version
echo "=== OpenSSH 版本 ==="
ssh -V
echo "=== 服务状态 ==="
systemctl is-active sshd
echo "=== 监听端口 ==="
ss -ltn | grep ':22'清理与收尾
清理软件包
bash
rm -rf /tmp/openssl-3.5.4 /tmp/ssh_install卸载telnet 服务
bash
# 停止 xinetd(Telnet 依赖它运行)
systemctl stop xinetd
# 禁用开机启动
systemctl disable xinetd卸载 Telnet 软件包
bash
yum remove -y telnet-server xinetd telnet删除 Telnet 配置文件
bash
rm -f /etc/xinetd.d/telnet关闭防火墙 23 端口
bash
if systemctl is-active --quiet firewalld; then
firewall-cmd --permanent --remove-port=23/tcp
firewall-cmd --reload
echo "防火墙已关闭 23 端口"
else
echo "firewalld 未运行,跳过防火墙配置"
fi清理临时账号
bash
# 删除用户及其家目录
userdel -r opi
# 删除 sudo 权限文件
rm -f /etc/sudoers.d/opi-perms-r 会同时删除 /home/opi 目录
检查
bash
echo "=== 检查是否还有 telnet 相关进程 ==="
ps aux | grep -E "(telnet|xinetd)" | grep -v grep || echo "无残留进程"
echo "=== 检查软件包是否卸载 ==="
rpm -q telnet-server xinetd telnet || echo "已全部卸载"
echo "=== 检查用户是否删除 ==="
id opi && echo "用户仍存在!" || echo "用户已删除"
echo "=== 检查 23 端口是否关闭 ==="
ss -ltn | grep ':23' || echo "23 端口已关闭"
echo "=== 检查防火墙规则 ==="
firewall-cmd --list-ports | grep 23 || echo "防火墙无 23 端口规则"回滚
使用 Telnet + opi 用户 登录
bash
# 恢复旧版 OpenSSL
mv /usr/bin/openssl.bak_* /usr/bin/openssl
ldconfig
# 恢复旧版 SSH
cp /root/backup_*/sshd.old /usr/sbin/sshd
cp /root/backup_*/ssh.old /usr/bin/ssh
cp -r /root/backup_*/etc/ssh /etc/ssh
systemctl start sshd常见问题
缺失Perl模块
Can't locate Test/More.pm in @INC (@INC contains: /tmp/openssl-3.5.4/util/perl ...)
这个问题是由于系统缺失Perl模块Test::More(属于Test-Simple套件),该模块是OpenSSL测试套件必需的依赖项
解决方法
bash
# RedHat/CentOS 系列:
yum install -y perl-Test-Simple
# Debian/Ubuntu 系列:
apt-get install -y libtest-simple-perl安装后重新运行测试:make test
OpenSSL头文件版本不匹配
在编译Openssh时出现configure: error: OpenSSL version test program failed.
OpenSSL头文件(opensslv.h)中的版本号与实际的库文件版本(libssl.so)不一致,导致配置脚本检测失败
编译参数如下:
bash
#关键:指定 OpenSSL 路径
./configure \
--prefix=/usr/local/openssh \
--with-ssl-dir=/usr/local/openssl \
--with-zlib \
--with-pam \
--sysconfdir=/etc/ssh解决方法
bash
# 检查头文件版本
grep OPENSSL_VERSION_TEXT /usr/local/openssl/include/openssl/opensslv.h
# 检查库文件版本
openssl version通过验证两个OpenSSL版本都是一致的,
bash
## 删除 /usr/local/openssl 目录
mv /usr/local/openssl/ /tmp/openssl.bak
cd openssl-3.5.4/
./Configure --prefix=/usr/local/openssl shared zlib
## 重新编译并安装OpenSSL
make -j$(nproc)
make install重新编译OpenSSH
bash
root@localhost openssh-10.2p1]# ./configure \
> --prefix=/usr/local/openssh \
> --with-ssl-dir=/usr/local/openssl \
> --with-zlib \
> --with-pam \
> --sysconfdir=/etc/sshbash
make -j$(nproc)
make install过程记录
bash
[root@localhost openssh-10.2p1]# make install
(cd openbsd-compat && make)
make[1]: 进入目录“/tmp/ssh_install/openssh-10.2p1/openbsd-compat”
make[1]: 对“all”无需做任何事。
make[1]: 离开目录“/tmp/ssh_install/openssh-10.2p1/openbsd-compat”
/bin/mkdir -p /usr/local/openssh/bin
/bin/mkdir -p /usr/local/openssh/sbin
/bin/mkdir -p /usr/local/openssh/share/man/man1
/bin/mkdir -p /usr/local/openssh/share/man/man5
/bin/mkdir -p /usr/local/openssh/share/man/man8
/bin/mkdir -p /usr/local/openssh/libexec
/bin/mkdir -p -m 0755 /var/empty
/bin/install -c -m 0755 -s ssh /usr/local/openssh/bin/ssh
/bin/install -c -m 0755 -s scp /usr/local/openssh/bin/scp
/bin/install -c -m 0755 -s ssh-add /usr/local/openssh/bin/ssh-add
/bin/install -c -m 0755 -s ssh-agent /usr/local/openssh/bin/ssh-agent
/bin/install -c -m 0755 -s ssh-keygen /usr/local/openssh/bin/ssh-keygen
/bin/install -c -m 0755 -s ssh-keyscan /usr/local/openssh/bin/ssh-keyscan
/bin/install -c -m 0755 -s sshd /usr/local/openssh/sbin/sshd
/bin/install -c -m 0755 -s sshd-session /usr/local/openssh/libexec/sshd-session
/bin/install -c -m 0755 -s sshd-auth /usr/local/openssh/libexec/sshd-auth
/bin/install -c -m 4711 -s ssh-keysign /usr/local/openssh/libexec/ssh-keysign
/bin/install -c -m 0755 -s ssh-pkcs11-helper /usr/local/openssh/libexec/ssh-pkcs11-helper
/bin/install -c -m 0755 -s ssh-sk-helper /usr/local/openssh/libexec/ssh-sk-helper
/bin/install -c -m 0755 -s sftp /usr/local/openssh/bin/sftp
/bin/install -c -m 0755 -s sftp-server /usr/local/openssh/libexec/sftp-server
/bin/install -c -m 644 ssh.1.out /usr/local/openssh/share/man/man1/ssh.1
/bin/install -c -m 644 scp.1.out /usr/local/openssh/share/man/man1/scp.1
/bin/install -c -m 644 ssh-add.1.out /usr/local/openssh/share/man/man1/ssh-add.1
/bin/install -c -m 644 ssh-agent.1.out /usr/local/openssh/share/man/man1/ssh-agent.1
/bin/install -c -m 644 ssh-keygen.1.out /usr/local/openssh/share/man/man1/ssh-keygen.1
/bin/install -c -m 644 ssh-keyscan.1.out /usr/local/openssh/share/man/man1/ssh-keyscan.1
/bin/install -c -m 644 moduli.5.out /usr/local/openssh/share/man/man5/moduli.5
/bin/install -c -m 644 sshd_config.5.out /usr/local/openssh/share/man/man5/sshd_config.5
/bin/install -c -m 644 ssh_config.5.out /usr/local/openssh/share/man/man5/ssh_config.5
/bin/install -c -m 644 sshd.8.out /usr/local/openssh/share/man/man8/sshd.8
/bin/install -c -m 644 sftp.1.out /usr/local/openssh/share/man/man1/sftp.1
/bin/install -c -m 644 sftp-server.8.out /usr/local/openssh/share/man/man8/sftp-server.8
/bin/install -c -m 644 ssh-keysign.8.out /usr/local/openssh/share/man/man8/ssh-keysign.8
/bin/install -c -m 644 ssh-pkcs11-helper.8.out /usr/local/openssh/share/man/man8/ssh-pkcs11-helper.8
/bin/install -c -m 644 ssh-sk-helper.8.out /usr/local/openssh/share/man/man8/ssh-sk-helper.8
/bin/mkdir -p /etc/ssh
/etc/ssh/sshd_config already exists, install will not overwrite
/usr/local/openssh/sbin/sshd -t -f /etc/ssh/sshd_config