Upgrading OpenSSH on Rocky Linux 8

About OpenSSH

  OpenSSH (OpenBSD Secure Shell) is the OpenBSD project's suite of tools for securely accessing remote machines. It is the open-source implementation of the SSH protocol: all traffic is encrypted, which defeats eavesdropping, connection hijacking and other network-level attacks.
  In OpenSSH 8.3p1 and earlier, scp (scp.c) is affected by an OS command injection vulnerability. The remote command is built from externally supplied input, and special characters such as backticks in the destination argument are not filtered, so an attacker who can influence that argument gets arbitrary shell commands executed on the remote host, with the privileges of the account scp logs in as.

For details see the China National Vulnerability Database of Information Security (CNNVD) entry for CVE-2020-15778.

  Rocky Linux 8.3 RC1 currently ships OpenSSH_8.0p1, so upgrading OpenSSH is the suggested fix. OpenSSH releases before 8.5 have further known issues, so the recommendation is to go straight to the newest release, OpenSSH_8.6p1 at the time of writing. Two caveats before doing so: a distribution RPM's version string does not reflect backported fixes (Rocky rebuilds the RHEL openssh-8.0p1 package, which carries vendor patches that the upstream version number does not show), so check rpm -q --changelog openssh and the vendor's advisory for the CVE before concluding that a source build is necessary; and a source build is no longer tracked by dnf, so every future OpenSSH fix has to be applied by hand.
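Deciding whether a host is affected starts with the release reported by ssh -V. The POSIX shell helpers below are an added example, not part of the original post: they extract the release from a banner such as the one shown in the next section, convert it to a numeric key so that 8.10p1 sorts after 8.4p1 (a plain string compare gets that wrong), and report whether it is older than a chosen fixed release, here 8.5p1. The function names are mine, and the sample banner is constructed from the post's own ssh -V output.

```shell
#!/bin/sh
# Added example, not from the original post: compare the OpenSSH release
# reported by "ssh -V" against a fixed release. Function names are my own.
set -eu

# Extract the release (e.g. "8.0p1") from a banner such as
# "OpenSSH_8.0p1, OpenSSL 1.1.1g FIPS  21 Apr 2020". Returns 1 if the
# string is not an OpenSSH banner.
openssh_release() {
    rel=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\(p[0-9][0-9]*\)\{0,1\}\).*/\1/p')
    [ -n "$rel" ] || return 1
    printf '%s\n' "$rel"
}

# Turn "MAJOR.MINORpN" into a zero-padded integer so that 8.10p1 sorts after
# 8.4p1 (a plain string compare would get that wrong). A missing "pN"
# (OpenBSD's native ssh prints e.g. "OpenSSH_8.6") counts as p0.
release_key() {
    rel=$1
    mm=${rel%%p*}                 # "8.0"
    patch=${rel#"$mm"}            # "p1" or ""
    patch=${patch#p}
    printf '%d%03d%03d\n' "${mm%%.*}" "${mm#*.}" "${patch:-0}"
}

# Exit 0 when release $1 is older than release $2.
version_lt() {
    [ "$(release_key "$1")" -lt "$(release_key "$2")" ]
}

# Exit 0 when the banner's release is older than the fixed release in $2,
# 1 when it is not, 2 when the banner cannot be parsed.
openssh_needs_upgrade() {
    rel=$(openssh_release "$1") || return 2
    version_lt "$rel" "$2"
}

# Demo on the banner the post shows for the stock Rocky 8.3 package
# (constructed sample input, not read from this host).
fixed=8.5p1
banner='OpenSSH_8.0p1, OpenSSL 1.1.1g FIPS  21 Apr 2020'
if openssh_needs_upgrade "$banner" "$fixed"; then
    echo "$(openssh_release "$banner") is older than $fixed: upgrade"
else
    echo "$(openssh_release "$banner") is $fixed or newer"
fi

# Live check on this host, if ssh is installed (ssh -V writes to stderr).
if command -v ssh >/dev/null 2>&1; then
    live=$(ssh -V 2>&1)
    if live_rel=$(openssh_release "$live"); then
        if version_lt "$live_rel" "$fixed"; then
            echo "installed $live_rel is below $fixed by version string"
        else
            echo "installed $live_rel is not below $fixed by version string"
        fi
    else
        echo "could not parse banner: $live"
    fi
fi
```

This compares upstream release numbers only. For a distribution RPM it answers "is the upstream release old", not "is the CVE unpatched": vendor backports leave the string at 8.0p1, so pair it with rpm -q --changelog openssh | grep -i CVE-2020-15778 and the vendor advisory before deciding.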

Upgrading OpenSSH

[root@devops-rocky83-privatecloud-shanghai-area0 ~]# ssh -V
OpenSSH_8.0p1, OpenSSL 1.1.1g FIPS  21 Apr 2020

[root@devops-rocky83-privatecloud-shanghai-area0 ~]# systemctl start telnet.socket # fallback access in case sshd does not come back (needs telnet-server installed). Telnet is unencrypted: prefer a console or other out-of-band path, keep the current SSH session open throughout, and disable telnet.socket again once the new sshd is verified

[root@devops-rocky83-privatecloud-shanghai-area0 ~]# mv /etc/ssh/ /etc/ssh.bak # back up the existing SSH configuration, including the host keys
[root@devops-rocky83-privatecloud-shanghai-area0 ~]# mv /usr/bin/ssh /usr/bin/ssh.bak
[root@devops-rocky83-privatecloud-shanghai-area0 ~]# mv /usr/sbin/sshd /usr/sbin/sshd.bak # the running sshd keeps serving sessions that are already established
[root@devops-rocky83-privatecloud-shanghai-area0 ~]# mv /etc/init.d/sshd /etc/init.d/sshd.bak # on a first upgrade this file does not exist yet; the resulting error is harmless
[root@devops-rocky83-privatecloud-shanghai-area0 ~]# rpm -e --nodeps $(rpm -qa | grep openssh) # remove the distro OpenSSH packages (server, clients, askpass); --nodeps because other packages depend on openssh-clients

[root@devops-rocky83-privatecloud-shanghai-area0 ~]# dnf install wget gcc openssl-devel zlib-devel pam-devel rpm-build make -y # build dependencies (zlib-devel for --with-zlib)
[root@devops-rocky83-privatecloud-shanghai-area0 ~]# cd packages/
[root@devops-rocky83-privatecloud-shanghai-area0 packages]# wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.6p1.tar.gz # download the OpenSSH source tarball (source, not a binary package)
[root@devops-rocky83-privatecloud-shanghai-area0 packages]# wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.6p1.tar.gz.asc # detached signature; after importing the OpenSSH release signing key, check it with: gpg --verify openssh-8.6p1.tar.gz.asc openssh-8.6p1.tar.gz
[root@devops-rocky83-privatecloud-shanghai-area0 packages]# tar xzf openssh-8.6p1.tar.gz # extract the source
[root@devops-rocky83-privatecloud-shanghai-area0 packages]# cd openssh-8.6p1/
[root@devops-rocky83-privatecloud-shanghai-area0 openssh-8.6p1]# ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-zlib # configure; the distro openssl-devel is found under /usr, so no --with-ssl-dir is needed. Do not pass --without-hardening: it disables the stack protector, PIE and RELRO for sshd
[root@devops-rocky83-privatecloud-shanghai-area0 openssh-8.6p1]#  make
[root@devops-rocky83-privatecloud-shanghai-area0 openssh-8.6p1]#  make install # installs under /usr and generates new host keys in /etc/ssh. With SELinux enforcing, run restorecon -Rv /usr/sbin/sshd /usr/bin/ssh* /etc/ssh afterwards so the new files get the labels the policy expects
[root@devops-rocky83-privatecloud-shanghai-area0 openssh-8.6p1]# chmod 600 /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_ecdsa_key /etc/ssh/ssh_host_ed25519_key # private host keys must not be group- or world-readable. These keys were just generated, so clients will warn about a changed host key; to keep the old identity, copy /etc/ssh.bak/ssh_host_*_key and the matching .pub files back into /etc/ssh/ instead
[root@devops-rocky83-privatecloud-shanghai-area0 openssh-8.6p1]# cp -a contrib/redhat/sshd.init /etc/init.d/sshd # SysV init script shipped with OpenSSH; systemd wraps it via systemd-sysv-install
[root@devops-rocky83-privatecloud-shanghai-area0 openssh-8.6p1]# cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd # PAM looks up /etc/pam.d/<service> and the service name is sshd, so the file must be named sshd, not sshd.pam

[root@devops-rocky83-privatecloud-shanghai-area0 openssh-8.6p1]# echo "UsePAM yes" >> /etc/ssh/sshd_config # upstream's default is UsePAM no; without this the PAM file copied above is never consulted
[root@devops-rocky83-privatecloud-shanghai-area0 openssh-8.6p1]# echo "PasswordAuthentication yes" >> /etc/ssh/sshd_config # allow password logins. Appending works here only because the freshly installed upstream sshd_config has every keyword commented out: sshd uses the first occurrence of a keyword, and anything below a Match line belongs to that block
[root@devops-rocky83-privatecloud-shanghai-area0 openssh-8.6p1]# echo "PermitRootLogin yes" >> /etc/ssh/sshd_config # allow root to log in with a password. Upstream's default prohibit-password (key-based root login only) is the safer choice unless root password logins are really required
[root@devops-rocky83-privatecloud-shanghai-area0 openssh-8.6p1]# sed -i "s/^#Port/Port/g" /etc/ssh/sshd_config # uncomment "Port 22"; no functional change, it just makes the listening port explicit
[root@devops-rocky83-privatecloud-shanghai-area0 openssh-8.6p1]# chmod 755 /etc/init.d/sshd

[root@devops-rocky83-privatecloud-shanghai-area0 openssh-8.6p1]# systemctl enable sshd # enable sshd; systemd generates a wrapper unit for the SysV script
sshd.service is not a native service, redirecting to systemd-sysv-install.
Executing: /usr/lib/systemd/systemd-sysv-install enable sshd
[root@devops-rocky83-privatecloud-shanghai-area0 openssh-8.6p1]# /usr/sbin/sshd -t # syntax-check the new configuration before restarting; a typo here locks you out
[root@devops-rocky83-privatecloud-shanghai-area0 openssh-8.6p1]# systemctl restart sshd
[root@devops-rocky83-privatecloud-shanghai-area0 openssh-8.6p1]# systemctl status sshd # confirm it came up, then log in from a new session before closing the current one
[root@devops-rocky83-privatecloud-shanghai-area0 openssh-8.6p1]# ssh -V
OpenSSH_8.6p1, OpenSSL 1.1.1g FIPS  21 Apr 2020
[root@devops-rocky83-privatecloud-shanghai-area0 openssh-8.6p1]# systemctl disable --now telnet.socket # remove the unencrypted fallback once the new sshd is verified
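The configuration step above appends directives with echo >>, which only works because the freshly installed upstream sshd_config has every keyword commented out. sshd uses the first occurrence of a keyword and treats everything below a Match line as part of that block, so on a file that already sets the keyword, or that ends in a Match block, appended lines are silently ignored. The POSIX shell example below is added here and is not from the original post; the function names and the sample configuration fragment are mine. It replaces a directive idempotently, writes it at the top of the file, and reads back the value sshd would actually use.

```shell
#!/bin/sh
# Added example, not from the original post: set sshd_config directives
# idempotently instead of appending them with "echo >>". Function names are
# my own. Two sshd_config rules make blind appending unreliable:
#   1. for each keyword the FIRST value wins, so an appended line is ignored
#      when the keyword is already set earlier in the file;
#   2. every line after a "Match" line belongs to that Match block, so a line
#      appended at the end may never apply to ordinary connections.
set -eu

# Print the globally effective value of KEY ($2) in FILE ($1) the way sshd
# resolves it: first active occurrence, stopping at the first Match block.
# Keywords are case-insensitive; "Key value" and "Key=value" both work.
effective_sshd_option() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line == "" || line ~ /^#/) next
            split(line, f, /[ \t=]+/)
            k = tolower(f[1])
            if (k == "match") exit
            if (k == key) { print f[2]; exit }
        }' "$1"
}

# Remove every active or commented-out line for KEY that precedes the first
# Match block, then write exactly one active "KEY VALUE" line at the top of
# the file, where it wins over anything below and cannot fall into a Match
# block. Lines inside Match blocks are left alone.
set_sshd_option() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp)
    awk -v key="$(printf '%s' "$key" | tr 'A-Z' 'a-z')" '
        BEGIN { in_match = 0 }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            commented = (line ~ /^#/)
            sub(/^#+[ \t]*/, "", line)
            split(line, f, /[ \t=]+/)
            k = tolower(f[1])
            if (!commented && k == "match") in_match = 1
            if (!in_match && k == key) next
            print
        }' "$file" > "$tmp"
    { printf '%s %s\n' "$key" "$value"; cat "$tmp"; } > "$file"
    rm -f "$tmp"
}

# Demo on a constructed sshd_config fragment: PermitRootLogin is already
# set, and a Match block ends the file, so the "echo >>" approach from the
# procedure above changes nothing for ordinary logins.
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
Port 22
PermitRootLogin no
#PasswordAuthentication yes
Match User backup
    PasswordAuthentication no
EOF
echo "PermitRootLogin yes" >> "$cfg"   # lands inside "Match User backup"
echo "after echo >>: PermitRootLogin -> $(effective_sshd_option "$cfg" PermitRootLogin)"   # no

set_sshd_option "$cfg" PermitRootLogin prohibit-password   # upstream default: keys only for root
set_sshd_option "$cfg" PasswordAuthentication yes
set_sshd_option "$cfg" UsePAM yes
echo "after set:     PermitRootLogin -> $(effective_sshd_option "$cfg" PermitRootLogin)"   # prohibit-password
echo "after set:     PasswordAuthentication -> $(effective_sshd_option "$cfg" PasswordAuthentication)"   # yes
rm -f "$cfg"
```

On the real host the same calls apply to /etc/ssh/sshd_config, for example set_sshd_option /etc/ssh/sshd_config PermitRootLogin prohibit-password, followed by sshd -t and a read-back with effective_sshd_option before restarting. Values containing spaces or quotes are not handled.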