OpenSSH升级后不能登录的问题

来源:个人博客     2016-03-30 10:10:11    人气:     我有话说( 0 人参与)

清泛网(www.tsingfun.com):升级OPENSSH 遇到头疼的问题Openssh 爆出很多安全漏洞,客户那边搞安全检查,扫描结果出来了,漏洞基本都是在openssh上面于是打算升级升...

升级OPENSSH 遇到头疼的问题

Openssh 爆出很多安全漏洞客户那边搞安全检查扫描结果出来了漏洞基本都是在openssh上面 于是打算升级

升级过程很顺利

具体情况这里http://pkgs.org/centos-6/ghettoforge-testing-x86_64/openssh-6.6.1p1-4.gf.el6.x86_64.rpm.html

备份原有源

cd /etc/yum.repos.d/

mv rhel-source.repo rhel-source.repo.bak

mv packagekit-media.repo packagekit-media.repo.bak

 

配置源

vi CentOS-Base.repo

[base]

name=CentOS-$releasever - Base - mirrors.aliyun.com

failovermethod=priority

baseurl=http://mirrors.aliyun.com/centos/6.7/os/$basearch/

        http://mirrors.aliyuncs.com/centos/6.7/os/$basearch/

#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os

gpgcheck=1

gpgkey=http://mirrors.aliyun.com/centos/RPM-GPG-KEY-CentOS-6

 

#released updates

[updates]

name=CentOS-$releasever - Updates - mirrors.aliyun.com

failovermethod=priority

baseurl=http://mirrors.aliyun.com/centos/6.7/updates/$basearch/

        http://mirrors.aliyuncs.com/centos/6.7/updates/$basearch/

#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates

gpgcheck=1

gpgkey=http://mirrors.aliyun.com/centos/RPM-GPG-KEY-CentOS-6

 

#additional packages that may be useful

[extras]

name=CentOS-$releasever - Extras - mirrors.aliyun.com

failovermethod=priority

baseurl=http://mirrors.aliyun.com/centos/6.7/extras/$basearch/

        http://mirrors.aliyuncs.com/centos/$releasever/extras/$basearch/

#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=extras

gpgcheck=1

gpgkey=http://mirrors.aliyun.com/centos/RPM-GPG-KEY-CentOS-6

 

#additional packages that extend functionality of existing packages

[centosplus]

name=CentOS-$releasever - Plus - mirrors.aliyun.com

failovermethod=priority

baseurl=http://mirrors.aliyun.com/centos/6.7/centosplus/$basearch/

        http://mirrors.aliyuncs.com/centos/6.7/centosplus/$basearch/

#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=centosplus

gpgcheck=1

enabled=0

gpgkey=http://mirrors.aliyun.com/centos/RPM-GPG-KEY-CentOS-6

 

#contrib - packages by Centos Users

[contrib]

name=CentOS-$releasever - Contrib - mirrors.aliyun.com

failovermethod=priority

baseurl=http://mirrors.aliyun.com/centos/6.7/contrib/$basearch/

        http://mirrors.aliyuncs.com/centos/6.7/contrib/$basearch/

#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=contrib

gpgcheck=1

enabled=0

gpgkey=http://mirrors.aliyun.com/centos/RPM-GPG-KEY-CentOS-6

 

 

[gf-test]

baseurl=http://mirror.symnds.com/distributions/gf/el/6/testing/x86_64/

gpgcheck=0

enabled=1

 

 

更新缓存

yum clean

yum makecache

 

 

先安装telnet 以防止更新openssh的时候 终端断开。

 

yum install telnet

 

详细配置请看

http://jingyan.baidu.com/article/9f63fb91ac7ebcc8400f0e94.html

 

配置完成后 使用telnet 登录到服务器

 

 

开始更新openssh

 

yum update openssl

yum update openssh

 

重启服务

 

service sshd restart

 

使用ssh –V 查看更新成功没有

 

接下来就是噩梦的开始

 

升级好了之后使用客户端怎么都登录不上去

 

一开始以为是配置文件的问题把另外一台没升级过的配置文件sshd_config拷贝到本机不行

 

寄出百度 http://bbs.51cto.com/thread-1098820-1.html

按照这个说法

 

修改配置文件后发现还是不行于是重启服务器居然报错起不来

 

妹的一个问题没有解决又来一个问题

按照http://jingyan.baidu.com/article/e9fb46e19c73167521f76681.html

所说的方法照做进去后把参数修改回来重启正常了,SSH 无法登陆的问题还是没有解决

 

又有说是算法的问题

http://bbs.51cto.com/thread-1176918-1.html

 

照做还是不行, 于是陷入了无休止的找资料之中

 

 

 

回过头来在来看

http://pkgs.org/centos-6/ghettoforge-testing-x86_64/openssh-6.6.1p1-4.gf.el6.x86_64.rpm.html

发现有关于pam的包会不会是和这个有问题果断安装结果还是不行

 

 

似乎陷入死循环了

 

就在要暴走的情况下找到了这篇文章

http://bbs.csdn.net/topics/391893954?page=1

 

 

修改 UserPAM no 重启服务登录成功但是服务端会有个警告报错

 

 

 

看来问题就是处在PAM上面

对比两台机器的/etc/pam.d/sshd文件  果真发现问题,修改成一样,UserPAM 改回成yes

重启服务器 问题搞定。

 



问题还有后续,发现另外一台机器升级之后,安装上面的方法root用户可以登录,普通用户不能登录。回想起来,把原始OPENSSH5.3的配置文件覆盖到本机的配置文件  sshd_config  .   覆盖完成,登录正常


以下是配置文件的内容,以免忘记,先拷贝出来吧

#       $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
#Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Ciphers and keying
#RekeyLimit default none

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
#AuthorizedKeysFile     .ssh/authorized_keys
AuthorizedKeysFile /etc/ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok no

# GSSAPI options

#GSSAPIAuthentication yes
#GSSAPICleanupCredentials no

#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
# problems.

# UsePAM no

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
"/etc/ssh/sshd_config" 166L, 4493C written

OpenSSH

本文源自互联网,采用知识共享署名-非商业性使用 4.0 国际许可协议进行许可,
版权归原作者,如有问题请联系service@tsingfun.com (编辑:admin)