
Solution for the Portable OpenSSH GSSAPI Remote Code Execution Vulnerability (CVE-2006-5051)

2025-02-24 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

The vulnerabilities are the Portable OpenSSH GSSAPI remote code execution vulnerability (CVE-2006-5051) and the OpenSSH J-PAKE authorization problem vulnerability (CVE-2010-4478). The solution given by the vendor is very general. After searching various sources, the usual fix is to upgrade to a newer version of OpenSSH; the latest version is OpenSSH 6.7p1.

Download address: http://mirror.internode.on.net/pub/OpenBSD/OpenSSH/portable/

You can choose which version to download and upgrade to according to your needs. You do not have to upgrade to the very latest version; usually you choose a newer, stable release. This article uses the latest version, OpenSSH 6.7p1, as the example. Because the servers are in production and every operation should be safe, set up telnet beforehand, during a quiet period, so that if the ssh update goes wrong and you can no longer connect to the server remotely, you are not forced to go on site yourself.

Let's look at the update steps.

1. Install and enable the telnet service

yum install telnet-* -y
vi /etc/xinetd.d/telnet    # change "disable = yes" to "disable = no"
/etc/init.d/xinetd restart

Note 1: If you get the error "Unencrypted connection refused. Goodbye.", the "ekrb5-telnet" service may have been started. The fix: set disable = yes in /etc/xinetd.d/ekrb5-telnet, then restart the xinetd service with service xinetd restart.

Note 2: By default, telnet on Linux does not allow the root user to log in directly. Log in with an ordinary user account and then switch to root. You can also modify the configuration file to allow root logins, but the author does not recommend this, for security reasons.

2. Install and update OpenSSH

Download address: http://mirror.internode.on.net/pub/OpenBSD/OpenSSH/portable/

wget -S http://mirror.internode.on.net/pub/OpenBSD/OpenSSH/portable/openssh-6.7p1.tar.gz

Download the newer OpenSSH source package; the highest version at present is 6.7p1.

tar xvf openssh-6.7p1.tar.gz
cd openssh-6.7p1
./configure --prefix=/usr --sysconfdir=/etc/ssh

Note: When compiling from source, pay attention to the installation paths. Here OpenSSH is installed into the original paths, so after the installation completes you do not have to copy the sshd service script to /etc/init.d/ again.

make
mkdir -p /etc/sshbak    # make sure the backup directory exists
mv /etc/ssh/* /etc/sshbak/

Because the installation goes into the original path, the original configuration files must be moved out of the way first; otherwise make install may report an error.

make install
cp /etc/ssh/sshd_config /etc/ssh/sshd_config_bak
cp /etc/sshbak/sshd_config /etc/ssh/sshd_config
vim /etc/ssh/sshd_config    # set: Subsystem sftp /usr/local/libexec/sftp-server
                            # (the path must match where make install placed sftp-server)
/etc/init.d/sshd restart

Be careful here: if the earlier compile step reported an error and you force the installation anyway, the sshd service may not work.

chkconfig --add sshd
chkconfig sshd on

Use the ssh -V command to check the installed version:

ssh -V

OpenSSH_6.7p1, OpenSSL 1.0.1e-fips 11 Feb 2013

Successfully upgraded to version 6.7!
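To confirm the result on several hosts rather than by eye, the following added example (not part of the original article) parses an ssh -V banner and compares it numerically with a minimum release. The function names and sample banners are constructed for illustration, and the 6.7 default follows the target version used in this article.

```shell
#!/bin/sh
# Added example: check an OpenSSH version banner against a minimum release.

# Print "major.minor" from a banner such as
# "OpenSSH_6.7p1, OpenSSL 1.0.1e-fips 11 Feb 2013".
# Returns 1 and prints nothing if the banner is not in that form.
openssh_version() {
    v=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    [ -n "$v" ] || return 1
    printf '%s\n' "$v"
}

# Return 0 if the banner's version is >= the minimum "major.minor",
# 1 if it is older, 2 if the banner cannot be parsed.
# Fields are compared as integers, so 10.0 is newer than 6.7.
openssh_at_least() {
    have=$(openssh_version "$1") || return 2
    hmaj=${have%%.*}; hmin=${have#*.}
    mmaj=${2%%.*};    mmin=${2#*.}
    [ "$hmaj" -gt "$mmaj" ] && return 0
    [ "$hmaj" -eq "$mmaj" ] && [ "$hmin" -ge "$mmin" ] && return 0
    return 1
}

# Classify one banner; the second argument (minimum) defaults to 6.7.
check_banner() {
    if openssh_at_least "$1" "${2:-6.7}"; then
        echo "OK"
    else
        case $? in
            2) echo "UNKNOWN" ;;
            *) echo "OUTDATED" ;;
        esac
    fi
}

# Constructed sample banners (not captured from real hosts).
# On a live host, use: check_banner "$(ssh -V 2>&1)"
for b in "OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013" \
         "OpenSSH_6.7p1, OpenSSL 1.0.1e-fips 11 Feb 2013" \
         "OpenSSH_10.0p2" \
         "not a banner"; do
    printf '%-9s %s\n' "$(check_banner "$b")" "$b"
done
```

ssh -V writes its banner to standard error, which is why the live-host form redirects 2>&1 before passing it to check_banner.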
