
A Full Record of the Application Connection Failure Caused by an SSH Upgrade, and How It Was Fixed


Preface

As part of a security remediation on the production network, the old versions of OpenSSH and OpenSSL carry known security risks, so both had to be upgraded to improve the security and stability of the servers.

This article records in detail the application connection failure that appeared after the upgrade, and the full process of diagnosing and resolving it.

Installation Notes

Installation Environment

                  Virtual machine environment   OpenSSH version   OpenSSL version
Before upgrade    Linux CentOS                  OpenSSH_7.4p1     OpenSSL 1.0.2k
After upgrade     Linux CentOS                  OpenSSH_9.7p1     OpenSSL 3.0.14

Download addresses

  • openssl: https://openssl-library.org/source/old/3.0/index.html
  • openssh: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/

Precautions

  • Before upgrading, make sure the virtual machine has a snapshot or backup.
  • Note: do not close the Xshell window at any point during the upgrade!!! Once it is closed you will not be able to log in over SSH again.
  • Note: upload the openssh and openssl packages to the virtual machine in advance!!! After ssh is uninstalled nothing can be uploaded.
  • Note: after upgrading openssh, check the server's ulimit value!!!

Installing OpenSSL

Check the current version, then upload the OpenSSH and OpenSSL packages


Install the build environment:

yum -y install perl-IPC-Cmd perl-Data-Dumper gcc gcc-c++ perl perl-devel zlib zlib-devel pam pam-devel

Back up the original openssl:

whereis openssl
openssl: /usr/bin/openssl /usr/lib64/openssl /usr/share/man/man1/openssl.1ssl.gz

# Back up the /usr/bin/openssl binary
cp /usr/bin/openssl /usr/bin/openssl.bak

# Back up the /usr/lib64/openssl directory (-r is required, it is a directory, not a file)
cp -r /usr/lib64/openssl /usr/lib64/openssl.bak

Extract and install openssl:

tar -zxvf openssl-3.0.14.tar.gz  # extract the package
mkdir -p /usr/local/openssl      # create the install directory

Build:

cd /opt/ssh/openssl-3.0.14
./config --prefix=/usr/local/openssl --shared
make && make install


Switch to the new openssl:

# Create a symlink that replaces the original openssl (-f is needed because the old binary,
# backed up above, still occupies /usr/bin/openssl; plain ln -s would fail with "File exists")
ln -sf /usr/local/openssl/bin/openssl /usr/bin/openssl

# Check that the symlink was created
ls -al /usr/bin/openssl
lrwxrwxrwx. 1 root root 30 4月  10 13:31 /usr/bin/openssl -> /usr/local/openssl/bin/openssl

# Register the new shared library directory
echo "/usr/local/openssl/lib64" >> /etc/ld.so.conf
# Refresh the dynamic linker cache
ldconfig

Check the version:

[root@localhost openssl]# openssl version -a
OpenSSL 3.0.14 4 Jun 2024 (Library: OpenSSL 3.0.14 4 Jun 2024)
built on: Thu Apr 10 05:23:47 2025 UTC
platform: linux-x86_64
options:  bn(64,64)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DNDEBUG
OPENSSLDIR: "/usr/local/openssl/ssl"
ENGINESDIR: "/usr/local/openssl/lib64/engines-3"
MODULESDIR: "/usr/local/openssl/lib64/ossl-modules"
Seeding source: os-specific
CPUINFO: OPENSSL_ia32cap=0xfffa3203478bffff:0xd11e4fb9

Installing OpenSSH

Back up the existing ssh

# Find where the ssh client and its configuration live
whereis ssh
ssh: /usr/bin/ssh /etc/ssh /usr/share/man/man1/ssh.1.gz

# Back up the /etc/ssh/ directory (-r is required, it is a directory)
cp -r /etc/ssh/ /etc/ssh.bak

# Back up the /usr/bin/ssh binary
cp /usr/bin/ssh /usr/bin/ssh.bak

whereis sshd
sshd: /usr/sbin/sshd /usr/share/man/man8/sshd.8.gz

# Back up the /usr/sbin/sshd file
cp /usr/sbin/sshd /usr/sbin/sshd.bak

# Back up the /etc/init.d/sshd file
cp /etc/init.d/sshd /etc/init.d/sshd.bak
# Note: if /etc/init.d/sshd does not exist there is nothing to back up

# Back up the /etc/pam.d/sshd file
cp /etc/pam.d/sshd /etc/pam.d/sshd.bak
# Note: if /etc/pam.d/sshd does not exist there is nothing to back up

Remove the existing packages:
rpm -e --nodeps `rpm -qa | grep openssh`

Extract and install openssh:

tar -zxvf openssh-9.7p1.tar.gz
cd openssh-9.7p1

# Use the openssl from the default install location
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-privsep-path=/var/lib/sshd --without-hardening

# Use the openssl from the custom install location (this is the one used here)
# Note: --with-tcp-wrappers is no longer recognised by OpenSSH 9.x (support was removed in 6.7); configure only warns and ignores it
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-tcp-wrappers --with-ssl-dir=/usr/local/openssl --with-privsep-path=/var/lib/sshd --without-hardening

# Use openssl and zlib from custom install locations
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-tcp-wrappers --with-ssl-dir=/usr/local/openssl --with-zlib=/usr/local/zlib --with-privsep-path=/var/lib/sshd --without-hardening

# Build and install
make && make install


Configuration:

# Restore the backed-up PAM configuration for sshd
mv /etc/pam.d/sshd.bak /etc/pam.d/sshd

# Fix the permissions on the SSH host key files
chmod 600 /etc/ssh/ssh_host_rsa_key
chmod 600 /etc/ssh/ssh_host_ecdsa_key
chmod 600 /etc/ssh/ssh_host_ed25519_key

# Allow remote login
# Edit the configuration file so that root can log in directly
echo "PasswordAuthentication yes" >> /etc/ssh/sshd_config
echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
echo "UsePAM yes" >> /etc/ssh/sshd_config

# Start on boot
cp -p /opt/ssh/openssh-9.7p1/contrib/redhat/sshd.init /etc/init.d/sshd
chmod +x /etc/init.d/sshd
chkconfig --add sshd
chkconfig sshd on
systemctl restart sshd
systemctl status sshd

Verify the OpenSSH service:

ssh -V
OpenSSH_9.7p1, OpenSSL 3.0.14 4 Jun 2024

The application connection failure appears

After the upgrade, the ch.ethz.ssh2 client started reporting this error:

java.io.IOException: There was a problem while connecting to 172.18.2.76:22
 at ch.ethz.ssh2.Connection.connect(Connection.java:699)
 at ch.ethz.ssh2.Connection.connect(Connection.java:490)
 at org.example.ssh.SSH2Util.openConnection(SSH2Util.java:30)
 at org.example.ssh.SSH2Util.main(SSH2Util.java:221)
Caused by: java.io.IOException: Key exchange was not finished, connection is closed.
 at ch.ethz.ssh2.transport.KexManager.getOrWaitForConnectionInfo(KexManager.java:91)
 at ch.ethz.ssh2.transport.TransportManager.getConnectionInfo(TransportManager.java:229)
 at ch.ethz.ssh2.Connection.connect(Connection.java:655)
 ... 3 more
Caused by: java.io.IOException: Cannot negotiate, proposals do not match.
 at ch.ethz.ssh2.transport.KexManager.handleMessage(KexManager.java:412)
 at ch.ethz.ssh2.transport.TransportManager.receiveLoop(TransportManager.java:753)
 at ch.ethz.ssh2.transport.TransportManager$1.run(TransportManager.java:468)
 at java.lang.Thread.run(Thread.java:748)

The error message shows that the problem is in the key exchange phase: the client's and server's proposals do not match. Looking at the class ch.ethz.ssh2.transport.KexManager, it has a method mergeKexParameters, which is the generic algorithm that matches the parameters offered by the two sides; underneath it calls getFirstMatch to find the first algorithm the two sides have in common.


  • kex_algo is matched against the values of the KexAlgorithms parameter
  • server_host_key_algorithms is matched against the values of the HostKeyAlgorithms parameter
  • mac_algorithms_client_to_server is matched against the values of the MACs parameter

The class ch.ethz.ssh2.crypto.CryptoWishList shows which algorithms the client supports by default, i.e. its values for KexAlgorithms, HostKeyAlgorithms, MACs and so on. That default algorithm list turns out to be incompatible with the upgraded OpenSSH and OpenSSL.

The supported algorithms:


public static final String[] getDefaultKexAlgorithmList() {
    return new String[]{"diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"};
}

public static final String[] getDefaultServerHostkeyAlgorithmList() {
    return new String[]{"ssh-rsa", "ssh-dss"};
}

public static final String[] getMacList() {
    return new String[]{"hmac-sha1-96", "hmac-sha1", "hmac-md5-96", "hmac-md5"};
}

Add a more complete algorithm configuration by appending the following to the relevant configuration file (/etc/ssh/sshd_config):

KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,curve25519-sha256@libssh.org
HostbasedAcceptedKeytypes ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512
CASignatureAlgorithms ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256
HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512,ssh-rsa,ssh-dss
PubkeyAcceptedKeyTypes ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512,ssh-rsa
MACs hmac-sha2-512,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-256-etm@openssh.com,hmac-sha1-96

After adding these lines and restarting the SSH service, the application's connection problem is resolved.
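The negotiation described above (mergeKexParameters calling getFirstMatch for each category) and the sshd_config fix, replayed as an added example that is not the library's or the page's own code: it reproduces the "proposals do not match" failure against a constructed approximation of a stock OpenSSH 9.x offer, and shows that this client only needs one SHA-1 kex method and the ssh-rsa host key algorithm re-enabled, not the whole legacy list.

```python
# Added example, not the library's or the page's own code: a Python re-implementation of the
# first-match negotiation that ch.ethz.ssh2's KexManager applies per category (getFirstMatch,
# driven by mergeKexParameters), plus a helper that reports what a server would have to
# re-enable for this client. All lists below are constructed test data.

# Client: the Ganymed defaults shown in CryptoWishList.
CLIENT = {
    "kex": ["diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1",
            "diffie-hellman-group1-sha1"],
    "hostkey": ["ssh-rsa", "ssh-dss"],
    "mac": ["hmac-sha1-96", "hmac-sha1", "hmac-md5-96", "hmac-md5"],
}
# Server: constructed approximation of a stock OpenSSH 9.x offer (no SHA-1 kex, no ssh-rsa
# host key signature, hmac-sha1 still present); confirm the real values with `sshd -T`.
SERVER_STOCK = {
    "kex": ["sntrup761x25519-sha512@openssh.com", "curve25519-sha256", "ecdh-sha2-nistp256",
            "diffie-hellman-group-exchange-sha256", "diffie-hellman-group14-sha256"],
    "hostkey": ["ssh-ed25519", "ecdsa-sha2-nistp256", "rsa-sha2-512", "rsa-sha2-256"],
    "mac": ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1"],
}

def get_first_match(client, server):
    """The library's rule: the first client proposal that the server also lists."""
    for algo in client:
        if algo in server:
            return algo
    raise ValueError("Cannot negotiate, proposals do not match.")

def merge_kex_parameters(client, server):
    """Negotiate every category; raises on the first category with no common algorithm."""
    return {name: get_first_match(client[name], server[name]) for name in client}

def needed_additions(client, server):
    """For each category that cannot negotiate, the client's proposals (in its preference
    order); enabling any one of them on the server fixes that category."""
    return {name: list(props) for name, props in client.items()
            if not any(p in server[name] for p in props)}

def with_additions(server, additions):
    """Copy of the server offer with extra algorithms appended per category."""
    return {name: algos + additions.get(name, []) for name, algos in server.items()}

if __name__ == "__main__":
    print("stock server lacks:", needed_additions(CLIENT, SERVER_STOCK))
    # Re-enabling only one algorithm per failing category is enough for this client:
    patched = with_additions(SERVER_STOCK, {"kex": ["diffie-hellman-group14-sha1"],
                                            "hostkey": ["ssh-rsa"]})
    print("negotiated:", merge_kex_parameters(CLIENT, patched))
```

The MAC category already negotiates on hmac-sha1, which is why only KexAlgorithms and HostKeyAlgorithms had to change on the server.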

Finally, the SSH utility class:

import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;

import ch.ethz.ssh2.Connection;
import ch.ethz.ssh2.SCPClient;
import ch.ethz.ssh2.Session;
import ch.ethz.ssh2.StreamGobbler;

public class SSH2Util {

    private static final String DEFAULT_CHARSET = "UTF-8";
    private Connection connection;
    private final String hostname;
    private final int port;
    private final String username;
    private final String password;

    public SSH2Util(String hostname, int port, String username, String password) {
        this.hostname = hostname;
        this.port = port;
        this.username = username;
        this.password = password;
    }

    /**
     * Connect to the SSH server.
     * @return whether the connection and password authentication succeeded
     * @throws IOException I/O error during connection (this is where "Cannot negotiate, proposals do not match" surfaces)
     */
    public boolean connect() throws IOException {
        connection = new Connection(hostname, port);
        connection.connect();
        return connection.authenticateWithPassword(username, password);
    }

    private void requireAuthenticated() {
        if (connection == null || !connection.isAuthenticationComplete()) {
            throw new IllegalStateException("Not connected to the SSH server");
        }
    }

    /**
     * Execute a command over SSH.
     * @param command the command to run
     * @return the command's standard output
     * @throws IOException I/O error while running the command
     */
    public String executeCommand(String command) throws IOException {
        requireAuthenticated();
        Session session = connection.openSession();
        try {
            session.execCommand(command);
            // StreamGobbler drains stdout in a background thread so the remote process cannot block on a full pipe
            InputStream stdout = new StreamGobbler(session.getStdout());
            BufferedReader reader = new BufferedReader(new InputStreamReader(stdout, DEFAULT_CHARSET));
            StringBuilder result = new StringBuilder();
            String line;
            while ((line = reader.readLine()) != null) {
                result.append(line).append("\n");
            }
            return result.toString();
        } finally {
            session.close();
        }
    }

    /**
     * Upload a file to the SSH server over SCP.
     * @param localFilePath local file path
     * @param remoteTargetDirectory remote directory the file is copied into (SCPClient.put takes a directory, not a file name)
     * @throws IOException I/O error during the upload
     */
    public void uploadFile(String localFilePath, String remoteTargetDirectory) throws IOException {
        requireAuthenticated();
        SCPClient scpClient = connection.createSCPClient();
        scpClient.put(localFilePath, remoteTargetDirectory);
    }

    /**
     * Download a file from the SSH server over SCP.
     * @param remoteFilePath remote file path
     * @param localTargetDirectory local directory the file is copied into
     * @throws IOException I/O error during the download
     */
    public void downloadFile(String remoteFilePath, String localTargetDirectory) throws IOException {
        requireAuthenticated();
        SCPClient scpClient = connection.createSCPClient();
        scpClient.get(remoteFilePath, localTargetDirectory);
    }

    /**
     * Close the SSH connection.
     */
    public void close() {
        if (connection != null) {
            connection.close();
        }
    }

    public static void main(String[] args) throws IOException {
        SSH2Util sshUtil = new SSH2Util("your_hostname", 22, "your_username", "your_password");
        try {
            if (sshUtil.connect()) {
                System.out.println("Connected");
                String result = sshUtil.executeCommand("ls -l");
                System.out.println("Command output:\n" + result);
                sshUtil.uploadFile("local_file_path", "remote_target_directory");
                sshUtil.downloadFile("remote_file_path", "local_target_directory");
            } else {
                System.out.println("Connection failed");
            }
        } catch (IOException e) {
            e.printStackTrace();
        } finally {
            sshUtil.close();
        }
    }
}


Editor in charge: 武曉燕   Source: 一安未來