checking for linux/seccomp.h... yes checking for linux/filter.h... yes checking for linux/audit.h... yes checking for seccomp architecture... "AUDIT_ARCH_X86_64" checking compiler and flags for sanity... yes checking for setsockopt... yes checking for dirname... yes checking for libgen.h... yes checking for getspnam... yes checking for library containing basename... none required checking for zlib... yes checking for zlib.h... no configure: error: *** zlib.h missing - please install first or check config.log ***
checking if getpgrp accepts zero args... yes checking for openssl... /usr/bin/openssl configure: error: *** working libcrypto not found, check config.log
安装 OpenSSL
解决方案
1 2 3 4 5 6
wget https://mirrors.cloud.tencent.com/openssl/source/openssl-1.1.1w.tar.gz tar zxvf openssl-1.1.1w.tar.gz cd openssl-1.1.1w ./config --prefix=/usr --openssldir=/etc/ssl shared zlib make make install
注意不要用 3.x 的版本,尝试过了问题较多
到 openssh 目录再次尝试
1 2 3
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-ssl-dir=/usr --with-md5-passwords make make install
报错信息
1 2 3 4 5 6 7 8 9 10 11 12
/etc/ssh/ssh_config already exists, install will not overwrite /etc/ssh/sshd_config already exists, install will not overwrite /etc/ssh/moduli already exists, install will not overwrite /usr/sbin/sshd -t -f /etc/ssh/sshd_config /etc/ssh/sshd_config line 16: Deprecated option UsePrivilegeSeparation /etc/ssh/sshd_config line 19: Deprecated option KeyRegenerationInterval /etc/ssh/sshd_config line 20: Deprecated option ServerKeyBits /etc/ssh/sshd_config line 31: Deprecated option RSAAuthentication /etc/ssh/sshd_config line 38: Deprecated option RhostsRSAAuthentication /etc/ssh/sshd_config line 88: Unsupported option UsePAM Unable to load host key "/etc/ssh/ssh_host_dsa_key": invalid format Unable to load host key: /etc/ssh/ssh_host_dsa_key
# key exchange algorithms (kex) sntrup761x25519-sha512@openssh.com -- [info] available since OpenSSH 8.5 `- [info] default key exchange since OpenSSH 9.0 (kex) curve25519-sha256 -- [info] available since OpenSSH 7.4, Dropbear SSH 2018.76 `- [info] default key exchange from OpenSSH 7.4to8.9 (kex) curve25519-sha256@libssh.org -- [info] available since OpenSSH 6.4, Dropbear SSH 2013.62 `- [info] default key exchange from OpenSSH 6.5to7.3 (kex) ecdh-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 (kex) ecdh-sha2-nistp384 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 (kex) ecdh-sha2-nistp521 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 (kex) diffie-hellman-group-exchange-sha256 (3072-bit) -- [info] available since OpenSSH 4.4 `- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use3072. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477). (kex) diffie-hellman-group16-sha512 -- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73 (kex) diffie-hellman-group18-sha512 -- [info] available since OpenSSH 7.3 (kex) diffie-hellman-group14-sha256 -- [warn] 2048-bit modulus only provides 112-bits of symmetric strength `- [info] available since OpenSSH 7.3, Dropbear SSH 2016.73 (kex) ext-info-s -- [info] pseudo-algorithm that denotes the peer supports RFC8308 extensions (kex) kex-strict-s-v00@openssh.com -- [info] pseudo-algorithm that denotes the peer supports a stricter key exchange method as a counter-measure to the Terrapin attack (CVE-2023-48795)
# host-key algorithms (key) rsa-sha2-512 (3072-bit) -- [info] available since OpenSSH 7.2 (key) rsa-sha2-256 (3072-bit) -- [info] available since OpenSSH 7.2, Dropbear SSH 2020.79 (key) ecdsa-sha2-nistp256 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency `- [warn] using weak random number generator could reveal the key `- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62 (key) ssh-ed25519 -- [info] available since OpenSSH 6.5, Dropbear SSH 2020.79
# encryption algorithms (ciphers) (enc) chacha20-poly1305@openssh.com -- [info] available since OpenSSH 6.5, Dropbear SSH 2020.79 `- [info] default cipher since OpenSSH 6.9 (enc) aes128-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52 (enc) aes192-ctr -- [info] available since OpenSSH 3.7 (enc) aes256-ctr -- [info] available since OpenSSH 3.7, Dropbear SSH 0.52 (enc) aes128-gcm@openssh.com -- [info] available since OpenSSH 6.2 (enc) aes256-gcm@openssh.com -- [info] available since OpenSSH 6.2
# message authentication code algorithms (mac) umac-64-etm@openssh.com -- [warn] using small 64-bit tag size `- [info] available since OpenSSH 6.2 (mac) umac-128-etm@openssh.com -- [info] available since OpenSSH 6.2 (mac) hmac-sha2-256-etm@openssh.com -- [info] available since OpenSSH 6.2 (mac) hmac-sha2-512-etm@openssh.com -- [info] available since OpenSSH 6.2 (mac) hmac-sha1-etm@openssh.com -- [fail] using broken SHA-1 hash algorithm `- [info] available since OpenSSH 6.2 (mac) umac-64@openssh.com -- [warn] using encrypt-and-MAC mode `- [warn] using small 64-bit tag size `- [info] available since OpenSSH 4.7 (mac) umac-128@openssh.com -- [warn] using encrypt-and-MAC mode `- [info] available since OpenSSH 6.2 (mac) hmac-sha2-256-- [warn] using encrypt-and-MAC mode `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56 (mac) hmac-sha2-512-- [warn] using encrypt-and-MAC mode `- [info] available since OpenSSH 5.9, Dropbear SSH 2013.56 (mac) hmac-sha1 -- [fail] using broken SHA-1 hash algorithm `- [warn] using encrypt-and-MAC mode `- [info] available since OpenSSH 2.1.0, Dropbear SSH 0.28
# algorithm recommendations (for OpenSSH 9.8) (rec) -ecdh-sha2-nistp256 -- kex algorithm to remove (rec) -ecdh-sha2-nistp384 -- kex algorithm to remove (rec) -ecdh-sha2-nistp521 -- kex algorithm to remove (rec) -ecdsa-sha2-nistp256 -- key algorithm to remove (rec) -hmac-sha1 -- mac algorithm to remove (rec) -hmac-sha1-etm@openssh.com -- mac algorithm to remove (rec) -diffie-hellman-group14-sha256 -- kex algorithm to remove (rec) -hmac-sha2-256-- mac algorithm to remove (rec) -hmac-sha2-512-- mac algorithm to remove (rec) -umac-128@openssh.com -- mac algorithm to remove (rec) -umac-64-etm@openssh.com -- mac algorithm to remove (rec) -umac-64@openssh.com -- mac algorithm to remove
# additional info (nfo) For hardening guides on common OSes, please see: <https://www.ssh-audit.com/hardening_guides.html> (nfo) Be aware that, while this target properly supports the strict key exchange method (via the kex-strict-?-v00@openssh.com marker) needed to protect against the Terrapin vulnerability (CVE-2023-48795), all peers must also support this feature as well, otherwise the vulnerability will still be present. The following algorithms would allow an unpatched peer to create vulnerable SSH channels with this target: chacha20-poly1305@openssh.com. If any CBC ciphers are in this list, you may remove them while leaving the *-etm@openssh.com MACs in place; these MACs are fine while paired with non-CBC cipher types.
如果有问题,扫描结果中会出现漏洞列表
1 2 3 4 5 6 7 8 9 10 11 12 13
# security (cve) CVE-2021-41617 -- (CVSSv2: 7.0) privilege escalation via supplemental groups (cve) CVE-2020-15778 -- (CVSSv2: 7.8) command injection via anomalous argument transfers (cve) CVE-2018-15919 -- (CVSSv2: 5.3) username enumeration via GS2 (cve) CVE-2018-15473 -- (CVSSv2: 5.3) enumerate usernames due to timing discrepancies (cve) CVE-2016-20012 -- (CVSSv2: 5.3) enumerate usernames via challenge response (cve) CVE-2016-3115 -- (CVSSv2: 5.5) bypass command restrictions via crafted X11 forwarding data (cve) CVE-2016-1907 -- (CVSSv2: 5.0) cause DoS via crafted network traffic (out of bounds read) (cve) CVE-2015-8325 -- (CVSSv2: 7.2) privilege escalation via triggering crafted environment (cve) CVE-2015-6564 -- (CVSSv2: 6.9) privilege escalation via leveraging sshd uid (cve) CVE-2015-6563 -- (CVSSv2: 1.9) conduct impersonation attack