This post is an archive and a shared record. Please do not trust it one hundred percent.
KISA advisory
https://knvd.krcert.or.kr/detailSecNo.do?IDX=5961
Affected versions: 5.5 ~ 9.3p1
Because there are a great many library dependencies, building this on an internet-connected host is recommended.
The specification of the test server used here and its SSH version are as follows.
CentOS 7.9, 1 vCore, 1 GB; SSH version 7.4p1, OpenSSL 1.0.2k-fips
First, remove openssh.
Once this package is removed, no new CLI (SSH) connection can be made after the current session ends, so proceed carefully.
rpm -e --nodeps openssh openssh-clients openssh-server
If something goes wrong and you need to roll back, reinstall the packages to restore them.
yum install -y openssh openssh-server openssh-clients
Removing the packages renames ssh/sshd_config and pam.d/sshd to *.rpmsave. (Important)
[root@test123 openssh-9.4p1]# rpm -e --nodeps openssh openssh-clients openssh-server
warning: /etc/ssh/sshd_config saved as /etc/ssh/sshd_config.rpmsave
warning: /etc/pam.d/sshd saved as /etc/pam.d/sshd.rpmsave
Required packages
yum update -y && yum upgrade -y
yum install -y gcc zlib-devel openssl-devel pam-devel
gcc : the compiler
*-devel : library (header) packages needed for compilation
Since --with-kerberos5 is passed to configure below, krb5-devel is also required if it is not already present on the host.
wget http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.3p2.tar.gz
If wget is not available, use an FTP program such as FileZilla to transfer the archive instead.
tar -xvf openssh-9.3p2.tar.gz
cd openssh-9.3p2
Then extract the archive and change into its directory.
Before compiling, the OpenSSL version and path need to be checked.
https://www.openssh.com/releasenotes.html
According to the release notes, OpenSSH 9.4 and later require OpenSSL 1.1.1, so the currently installed OpenSSL is used as-is (hence 9.3p2 as the target release).
For an OpenSSL upgrade, see the post linked below.
https://f0rest.tistory.com/entry/OpenSSL-%EC%97%85%EA%B7%B8%EB%A0%88%EC%9D%B4%EB%93%9C
The OpenSSL binary is /bin/openssl and the version is the stock CentOS 7 release, OpenSSL 1.0.2k-fips.
With all requirements met, proceed to compile.
./configure --prefix=<install directory> --with-ssl-dir=<OpenSSL install location> --with-pam --sysconfdir=<sshd configuration directory> --with-kerberos5
./configure --prefix=/opt/openssh --with-pam --sysconfdir=/etc/ssh --with-kerberos5
make && make install
# The --with-ssl-dir option is omitted here because OpenSSL was not built and installed separately.
If PAM occasionally does not work, adding the --with-md5-passwords option to configure can resolve it.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_rsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Unable to load host key "/etc/ssh/ssh_host_rsa_key": bad permissions
Unable to load host key: /etc/ssh/ssh_host_rsa_key
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_ecdsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Unable to load host key "/etc/ssh/ssh_host_ecdsa_key": bad permissions
Unable to load host key: /etc/ssh/ssh_host_ecdsa_key
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_ed25519_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Unable to load host key "/etc/ssh/ssh_host_ed25519_key": bad permissions
Unable to load host key: /etc/ssh/ssh_host_ed25519_key
sshd: no hostkeys available -- exiting.
After finishing the compile and install, sshd printed the error message shown above.
It is a permissions error on the host key files that were already present, so I fixed it separately.
chmod 400 /etc/ssh/ssh_*
Checking the version as follows confirms the installation succeeded.
/opt/openssh/bin/ssh -V
OpenSSH_9.3p2, OpenSSL 1.0.2k-fips 26 Jan 2017
Restore all the original configuration values that were renamed when openssh was removed at the beginning.
cp /etc/ssh/sshd_config.rpmsave /etc/ssh/sshd_config
cp /etc/pam.d/sshd.rpmsave /etc/pam.d/sshd
In case the originals have been lost, here are the configuration values I use.
- /etc/ssh/sshd_config
# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation sandbox
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
# override default of no subsystems
# sftp-server from the source build lives under the --prefix used above;
# the rpm's /usr/libexec/openssh/sftp-server is removed together with openssh-server
Subsystem sftp /opt/openssh/libexec/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
Match User root
Banner /etc/ssh/banner_centos
- /etc/pam.d/sshd
#%PAM-1.0
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare
Next, the sshd service was registered as follows.
cat <<'EOF' > /etc/systemd/system/sshd.service
[Unit]
Description=OpenSSH server 9.3p2
# sshd-keygen.service came from the removed rpm; systemd ignores a missing Wants= target
Wants=sshd-keygen.service

[Service]
# /bin/sshd is the symlink to /opt/openssh/sbin/sshd created in the final step
ExecStart=/bin/sshd -D
# the heredoc delimiter is quoted above so the shell leaves $MAINPID for systemd to expand
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartSec=42s

[Install]
WantedBy=multi-user.target
EOF
[root@test123 ~]# systemctl daemon-reload
[root@test123 ~]# systemctl restart sshd
[root@test123 ~]# systemctl status sshd
● sshd.service - OpenSSH server 9.3p2
Loaded: loaded (/etc/systemd/system/sshd.service; disabled; vendor preset: enabled)
Active: active (running) since Tue 2023-09-19 15:20:03 KST; 15min ago
Main PID: 24446 (sshd)
CGroup: /system.slice/sshd.service
└─24446 sshd: /bin/sshd -D [listener] 0 of 10-100 startups
Finally, create symbolic links so the new binaries can be run directly.
ln -s /opt/openssh/bin/ssh /bin/ssh
ln -s /opt/openssh/sbin/sshd /bin/sshd
ln -s /opt/openssh/bin/sftp /bin/sftp
ln -s /opt/openssh/bin/ssh-keygen /bin/ssh-keygen
ssh -V
OpenSSH_9.3p2, OpenSSL 1.0.2k-fips 26 Jan 2017
With all configuration complete, the last step is a remote login test.
Both key and password login work without problems, with PAM functioning, confirming that access is normal.
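As an added check (not part of the original post), the script below verifies the result of the procedure above: that the reported version is outside the advisory's 5.5 ~ 9.3p1 range, that the host keys carry the permissions sshd demanded in the error shown earlier, that the sftp-server path named in sshd_config still exists after the rpm removal, and that sshd -t accepts the configuration. It assumes the /opt/openssh prefix and /etc/ssh sysconfdir from the configure line, and the file name verify_sshd.sh is a placeholder.

```shell
#!/bin/sh
# Added post-upgrade verification for the steps above; not the author's script.
# Assumed layout: --prefix=/opt/openssh and --sysconfdir=/etc/ssh as in the configure line.

# Return 0 when an "ssh -V" string (e.g. "OpenSSH_7.4p1, OpenSSL ...") is within 5.5 ~ 9.3p1.
openssh_in_vuln_range() {
  v=${1#OpenSSH_}                  # drop the "OpenSSH_" prefix
  v=${v%%[, ]*}                    # keep "7.4p1" only
  major=${v%%.*}
  rest=${v#*.}
  minor=${rest%%p*}
  if [ "$rest" = "$minor" ]; then patch=0; else patch=${rest#*p}; fi
  key=$((major * 10000 + minor * 100 + patch))   # 9.3p1 -> 90301, 9.3p2 -> 90302
  [ "$key" -ge 50500 ] && [ "$key" -le 90301 ]
}

# Return 0 when a file has no group/other permission bits, as sshd requires for host keys.
hostkey_mode_ok() {
  bits=$(ls -ld "$1" | cut -c5-10)   # group and other rwx fields of the mode column
  [ "$bits" = "------" ]
}

# Return 0 when the binary named by "Subsystem sftp" in an sshd_config exists and is executable.
sftp_subsystem_ok() {
  path=$(awk '$1 == "Subsystem" && $2 == "sftp" { print $3 }' "$1")
  [ -n "$path" ] && [ -x "$path" ]
}

# Run all checks against a config directory and a version string; non-zero if any check fails.
verify_upgrade() {
  dir=$1; version=$2; status=0
  if openssh_in_vuln_range "$version"; then echo "FAIL: $version is inside 5.5 ~ 9.3p1"; status=1
  else echo "ok: $version is outside the advisory range"; fi
  # only the private keys are checked; the post's chmod 400 /etc/ssh/ssh_* also hit ssh_config and the .pub files
  for k in "$dir"/ssh_host_*_key; do
    [ -e "$k" ] || continue
    if hostkey_mode_ok "$k"; then echo "ok: $k mode"; else echo "FAIL: $k is group/other accessible"; status=1; fi
  done
  if sftp_subsystem_ok "$dir/sshd_config"; then echo "ok: sftp-server present"
  else echo "FAIL: sftp-server path in sshd_config is missing (the rpm's copy is gone after rpm -e)"; status=1; fi
  if /opt/openssh/sbin/sshd -t -f "$dir/sshd_config"; then echo "ok: sshd -t"; else echo "FAIL: sshd -t"; status=1; fi
  return $status
}

# Run as root: sh verify_sshd.sh --run
if [ "${1-}" = "--run" ]; then verify_upgrade /etc/ssh "$(ssh -V 2>&1)"; fi
```

The helper functions can also be sourced on their own, for example to check a fleet's "ssh -V" banners against the advisory range.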