CentOS openssh升级到openssh-7.2版本

最新推荐文章于 2024-08-01 15:12:48 发布
最新推荐文章于 2024-08-01 15:12:48 发布
阅读量3.6w 收藏 11
点赞数 2
分类专栏: LINUX
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/levy_cui/article/details/53100315
版权

安全部门漏洞检查,让升级openssh版本,升级操作不复杂,但毕竟是线上环境,主要注意如果你是通过ssh远程升级ssh版本,万一失败了,ssh不上去,是否可以到现场处理。(重要提示:当进行系统update的时候,会将sshd文件和ssh文件恢复到原来的版本,如果配置了支持jenkins相关的内容KexAlgorithms,会导致ssh无法启动,解决方式参考文章最后,使用不同目录安装方式)

环境:

cat /etc/issue

CentOS release 6.5 (Final)


ssh -V

OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013


openssl version -a
OpenSSL 1.0.1e-fips 11 Feb 2013

一、准备
备份ssh目录(重要)
cp -rf /etc/ssh /etc/ssh.bak

【 可以现场处理的,不用设置
安装telnet,避免ssh升级出现问题,导致无法远程管理
yum install telnet-server

vi /etc/xinetd.d/telnet
service telnet
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        disable         = no
}

默认不允许root登录

vi /etc/securetty
增加
pts/0
pts/1
pts/2
如果登录用户较多,需要更多的pts/*

/etc/init.d/xinetd restart
这样root可以telnet登录了

ssh升级后建议再修改回还原设置


二、安装
升级需要几个组件
yum install -y gcc openssl-devel pam-devel rpm-build

现在新版本,目前是openssh-7.3最新,但刚刚出来,为保险,我选用7.2版本
wget http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.3p1.tar.gz
wget http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.2p1.tar.gz
wget http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.1p1.tar.gz

解压升级包,并安装
tar -zxvf openssh-7.2p1.tar.gz
cd openssh-7.2p1
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-md5-passwords --with-tcp-wrappers
make && make install

安装后提示:
/etc/ssh/ssh_config already exists, install will not overwrite
/etc/ssh/sshd_config already exists, install will not overwrite
/etc/ssh/moduli already exists, install will not overwrite
ssh-keygen: generating new host keys: ECDSA ED25519
/usr/sbin/sshd -t -f /etc/ssh/sshd_config
/etc/ssh/sshd_config line 81: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 83: Unsupported option GSSAPICleanupCredentials


修改配置文件,允许root登录

vi /etc/ssh/sshd_config
#PermitRootLogin yes
修改为
PermitRootLogin yes

命令:
sed -i '/^#PermitRootLogin/s/#PermitRootLogin yes/PermitRootLogin yes/' /etc/ssh/sshd_config

重启openSSH
service sshd restart

升级后版本
ssh -V
OpenSSH_7.2p1, OpenSSL 1.0.1e-fips 11 Feb 2013


如果之前你将原ssh目录修改名字
mv /etc/ssh /etc/ssh_bak

需要修改下配置:
修改配置文件,禁止root登录
sed -i '/^#PermitRootLogin/s/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config

可以不操作,禁止dns解析
sed -i '/^#UseDNS yes/s/#UseDNS yes/UseDNS no/' /etc/ssh/sshd_config

可以不操作默认是22,修改ssh端口至6022
echo "Port 6022" >> /etc/ssh/sshd_config


注:在升级SSH时你的SSH是不会因为升级或重启服务而断掉的.


问题1:
[root@testserver2 tmp]# service sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd: /etc/ssh/sshd_config line 81: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 83: Unsupported option GSSAPICleanupCredentials [  OK  ]

解决:
将/etc/ssh/sshd_config文件中以上行数内容注释下即可

sed -i '/^GSSAPICleanupCredentials/s/GSSAPICleanupCredentials yes/#GSSAPICleanupCredentials yes/' /etc/ssh/sshd_config
sed -i '/^GSSAPIAuthentication/s/GSSAPIAuthentication yes/#GSSAPIAuthentication yes/' /etc/ssh/sshd_config
sed -i '/^GSSAPIAuthentication/s/GSSAPIAuthentication no/#GSSAPIAuthentication no/' /etc/ssh/sshd_config

问题2:
更新后ssh有如下提示,但不影响使用:
[root@testserver2 tmp]# ssh 10.111.32.51
/etc/ssh/ssh_config line 50: Unsupported option "gssapiauthentication"                                           

解决:
可以注释/etc/ssh/ssh_config的gssapiauthentication内容


------------------------------------------------------------------------------------------

CentOS7升级openssh参考这里的内容

本次使用源码安装(系统需要gcc),各软件版本如下:

zlib-1.2.8
openssl-1.0.2h
openssh-7.3p1

安装步骤如下:

1、安装zlib
[root@CentOS7test ~]# cd zlib-1.2.8/
[root@CentOS7test zlib-1.2.8]# ./configure
[root@CentOS7test zlib-1.2.8]# make
[root@CentOS7test zlib-1.2.8]# make install

2、安装openssl
[root@CentOS7test ~]# cd openssl-1.0.2h/
[root@CentOS7test openssl-1.0.2h]# ./config --prefix=/usr/ --shared
[root@CentOS7test openssl-1.0.2h]# make
[root@CentOS7test openssl-1.0.2h]# make install

3、安装openssh
[root@CentOS7test ~]# cd openssh-7.3p1/
[root@CentOS7test openssh-7.3p1]# ./configure --prefix=/usr/local --sysconfdir=/etc/ssh --with-pam --with-zlib --with-md5-passwords --with-tcp-wrappers
[root@CentOS7test openssh-7.3p1]# make
[root@CentOS7test openssh-7.3p1]# make install

4、查看版本是否已更新
[root@CentOS7test openssh-7.3p1]# ssh -V
OpenSSH_7.3p1, OpenSSL 1.0.2h 3 May 2016

5、新介质替换原有内容
[root@CentOS7test openssh-7.3p1]# mv /usr/bin/ssh /usr/bin/ssh_bak
[root@CentOS7test openssh-7.3p1]# cp /usr/local/bin/ssh /usr/bin/ssh
[root@CentOS7test openssh-7.3p1]# mv /usr/sbin/sshd /usr/sbin/sshd_bak
[root@CentOS7test openssh-7.3p1]# cp /usr/local/sbin/sshd /usr/sbin/sshd

6-加载ssh配置重启ssh服务
[root@CentOS7test ~]# systemctl daemon-reload
[root@CentOS7test ~]# systemctl restart sshd.service

7、遇到的问题解决

问题1:
安装完成后,telnet 22端口不通,通过systemctl status sshd.service查看发现有警告信息
部分信息如Permissions 0640 for '/etc/ssh/ssh_host_ecdsa_key' are too open

修正:
修改相关提示文件的权限为600,并重启sshd服务(systemctl restart sshd.service)
查看服务状态(systemctl status sshd.service)
例:chmod 600 /etc/ssh/ssh_host_ecdsa_key

问题2:
安装完成后,如需root直接登录

修正:
修改/etc/ssh/sshd_config文件,将文件中#PermitRootLogin yes改为PermitRootLogin yes
并重启sshd服务
升级后验证


问题3:

如果你使用了jenkins进行部署,升级后会影响jenkins部署,测试连接web端会报错 Algorithm negotiation fail

修正:

在web端修改sshd_config文件最后一行增加以下内容

KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1

参考:http://stackoverflow.com/questions/32627998/algorithm-negotiation-fail-in-jenkins

--------------------------------------------------------------


临时修改版本号,运行很久的线上环境升级存在风险,如果可以的话只修改版本号吧(后期经过验证,这种修改版本号的方法无效,ssh -v IP可以查看版本)
查询
ssh -V
sshd -V

备份

cp /usr/bin/ssh /usr/bin/ssh.bak.version_edit
cp /usr/sbin/sshd /usr/sbin/sshd.bak.version_edit

修改

sed -i 's#OpenSSH_5.3p1#OpenSSH_7.2p1#g' /usr/bin/ssh
sed -i 's#OpenSSH_5.3p1#OpenSSH_7.2p1#g' /usr/sbin/sshd

补充汇总下:

centos7.X主机升级ssh
cp /usr/bin/ssh /usr/bin/ssh.bak.20161124
cp /usr/sbin/sshd /usr/bin/sshd.bak.20161124
mv /etc/ssh /etc/ssh.bak
---下载包、安装gcc 、编译等中间步骤参上边内容---
make && make install
/usr/sbin/sshd -t -f /etc/ssh/sshd_config
echo 'PermitRootLogin yes' >> /etc/ssh/sshd_config

cp /etc/ssh.bak/sshd_config /etc/ssh/sshd_config 将原来的文件覆盖下这个新生成的内容

/bin/systemctl restart  sshd.service


centos6.X升级ssh
cp /usr/bin/ssh /usr/bin/ssh.bak.20161124
cp /usr/sbin/sshd /usr/bin/sshd.bak.20161124
cp -rf /etc/ssh /etc/ssh.bak
---下载包、安装gcc 、编译等中间步骤参上边内容---
make && make install
sed -i '/^#PermitRootLogin/s/#PermitRootLogin yes/PermitRootLogin yes/' /etc/ssh/sshd_config
sed -i '/^GSSAPICleanupCredentials/s/GSSAPICleanupCredentials yes/#GSSAPICleanupCredentials yes/' /etc/ssh/sshd_config
sed -i '/^UsePAM/s/UsePAM yes/#UsePAM yes/' /etc/ssh/sshd_config
sed -i '/^GSSAPIAuthentication/s/GSSAPIAuthentication yes/#GSSAPIAuthentication yes/' /etc/ssh/sshd_config
sed -i '/^GSSAPIAuthentication/s/GSSAPIAuthentication no/#GSSAPIAuthentication no/' /etc/ssh/sshd_config
service sshd restart


附录:

CentOS7 sshd_config配置内容

#       $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
#Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Ciphers and keying
#RekeyLimit default none

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile      .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation sandbox          # Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

# override default of no subsystems
Subsystem       sftp    /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       PermitTTY no
#       ForceCommand cvs server

CentOS6 sshd_config配置内容 

#       $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile     .ssh/authorized_keys
#AuthorizedKeysCommand none
#AuthorizedKeysCommandRunAs nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
#GSSAPICleanupCredentials yes
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing, 
# and session processing. If this is enabled, PAM authentication will 
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM yes

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem       sftp    /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       ForceCommand cvs server
UseDNS no
#GSSAPIAuthentication no
#GSSAPIAuthentication yes


20161205补充:

实际使用中发现ansible和jenkins使用时有些问题,网上查询了下,需要在/etc/ssh/sshd_config文件中最后增加两行:

Ciphers aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc,arcfour128,arcfour256,arcfour,blowfish-cbc,cast128-cbc

KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
因为升级了openssh太新导致通信时加密算法出现问题,加上后重启就可以了。

20170428补充:

升级openssh版本脚本

cp /usr/bin/ssh /usr/bin/ssh.bak.20161124
cp /usr/sbin/sshd /usr/bin/sshd.bak.20161124
cp -rf /etc/ssh /etc/ssh.bak
yum install -y gcc openssl-devel pam-devel rpm-build
wget http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.2p1.tar.gz
tar -zxvf openssh-7.2p1.tar.gz && cd openssh-7.2p1 && ./configure --prefix=/usr --sysconfdir=/etc/ssh  --with-pam --with-zlib --with-md5-passwords --with-tcp-wrappers && make && make install
sed -i '/^#PermitRootLogin/s/#PermitRootLogin yes/PermitRootLogin yes/' /etc/ssh/sshd_config
sed -i 's/GSSAPIAuthentication yes/#GSSAPIAuthentication yes/' /etc/ssh/ssh_config
sed -i '/^GSSAPICleanupCredentials/s/GSSAPICleanupCredentials yes/#GSSAPICleanupCredentials yes/' /etc/ssh/sshd_config
sed -i '/^GSSAPIAuthentication/s/GSSAPIAuthentication yes/#GSSAPIAuthentication yes/' /etc/ssh/sshd_config
sed -i '/^GSSAPIAuthentication/s/GSSAPIAuthentication no/#GSSAPIAuthentication no/' /etc/ssh/sshd_config
#sed -i '/^#UsePAM/s/#UsePAM yes/UsePAM yes/' /etc/ssh/sshd_config 如果内网使用ldap需要设置这项

echo "
#ansible support" >>/etc/ssh/sshd_config
echo "Ciphers aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc,arcfour128,arcfour256,arcfour,blowfish-cbc,cast128-cbc" >>/etc/ssh/sshd_config
echo "

service sshd restart

重要提示:最近发现,在升级完ssh版本后,如果你进行了系统update或者升级用到ssh包的相关软件包,会导致ssh的版本回退到原来的版本。


20170504补充:


对于linux执行update,会导致升级后的ssh恢复到之前版本问题,处理方式(新版本ssh安装到不用的目录中,系统启动使用新目录的ssh)

一、备份文件
cp /usr/bin/ssh /usr/bin/ssh.bak.20171124
cp /usr/sbin/sshd /usr/bin/sshd.bak.20171124
cp -rf /etc/ssh /etc/ssh.bak.20171124

二、安装(/usr/local/ssh7为新目录,/usr/local/ssh7/ssh放置配置文件)
yum install -y gcc openssl-devel pam-devel rpm-build
wget http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.2p1.tar.gz
tar -zxvf openssh-7.2p1.tar.gz && cd openssh-7.2p1 && ./configure --prefix=/usr/local/ssh7 --sysconfdir=/usr/local/ssh7/ssh  --with-pam --with-zlib --with-md5-passwords

--with-tcp-wrappers && make && make install


三、修改sshd_config内容
vi /usr/local/ssh7/ssh/sshd_config文件内容:

Port 22
Protocol 2
PermitRootLogin yes
AuthorizedKeysFile      .ssh/authorized_keys
ChallengeResponseAuthentication no
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
X11Forwarding yes
Subsystem       sftp    /usr/local/ssh7/libexec/sftp-server
UseDNS no
#ansible支持加入
Ciphers aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc,arcfour128,arcfour256,arcfour,blowfish-cbc,cast128-cbc
#jenkins支持加入
KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-

sha256,diffie-hellman-group14-sha1


四、修改启动文件
cp /etc/init.d/sshd /etc/init.d/sshd7
mv /etc/init.d/sshd /etc/init.d/sshd.bak.20171124

vi /etc/init.d/sshd7
修改:
#SSHD=/usr/sbin/sshd 为
SSHD=/usr/local/ssh7/sbin/sshd

修改:
#[ -f /etc/ssh/sshd_config ] || exit 6 为
[ -f /usr/local/ssh7/ssh/sshd_config ] || exit 6

五、root下修改环境变量
# vi /etc/profile.d/ssh7.sh
export SSH_7=/usr/local/ssh7
export PATH=${SSH_7}/bin:${SSH_7}/sbin:$PATH

六、重启ssh
service sshd7 restart
以后需要这样重启ssh服务

参考:
http://blog.c1gstudio.com/archives/1474

https://www.douban.com/note/306958442/

http://www.cnblogs.com/elisun/p/5523696.html

TURING.DT
关注
专栏目录
CentOS7.2本地升级openSSH7.9
菜鸡笔录
04-19 1141
一、背景: 因老版存在很多漏洞,因此需要升级到最新版本,服务器所在区域无法上网,需要离线安装所有软件和依赖包; 相关资源: https://download.csdn.net/download/gz_jax/11128971 (里面缺少gcc-c++包,自行下载添加) 二、升级openssh7.9 所有的依赖包上传服务器(我是放在/home/soft目录下) 1、先安装telnet-server ...
CentOS7.2升级openSSH7.9资源包
04-19
本资源包针对的是CentOS 7.2系统中的OpenSSH服务,它提供了一个升级方案,将OpenSSH从旧版本升级到7.9版本,以应对可能存在的安全漏洞。 CentOS 7.2是基于RHEL(Red Hat Enterprise Linux)的一个社区支持的发行版...
Openssh升级
weixin_34187822的博客
01-12 100
Openssh升级一、实验环境操作系统:预装Red Hat EL6.4 64位桌面服务器IP:192.168.0.104二、前期准备①准备安装openssh-6.7p1.tar.gzopenssl-1.0.1j.tar.gz②利用dropbear进行备用,可参考dropbear的安装篇主要是利用dropbear进行ssh远程,因升级openssh过程中原s...
Linux(Centos7)OpenSSH漏洞修复,升级最新openssh-9.7p1
dontYouWorry的博客
06-17 2292
Linux(Centos7)OpenSSH漏洞修复,升级最新openssh-9.7p1
Centos7,升级OpenSSH(亲测有效适用于小白)
最新发布
weixin_61753702的博客
08-01 3122
该漏洞影响 Linux、macOS、BSD 以及其他操作系统上 OpenSSH 客户端和服务器实现的所有用户。由于 OpenSSH 是使用最广泛的 SSH 实现之一,因此影响相当广泛。如果成功利用,该缺陷可能会被用来绕过身份验证并获得对运行易受攻击的 OpenSSH 版本的系统的未经授权的远程访问。如是个人学习升级openssh,建议升级前拍摄快照。安装所需软件包,以及用于编译和安装从源代码构建的软件。如出现一下内容为以及将所需软件包安装完成,无需再安装。服务器,确保在SSH服务器升级异常时,可以通过。
openssh升级7.2版本
weixin_30411239的博客
07-14 478
环境:RHEL 6.1_x86_64 准备相关的包openssh下载地址:http://mirror.internode.on.net/pub/OpenBSD/OpenSSH/portable/openssl相关包下载:http://www.openssl.org/source/pam相关包下载:http://pkgs.org/centos-6/centos-x86_64/zlib包下载: ht...
openssh升级7.2p1过程
weixin_33817333的博客
01-09 228
一、升级和卸载均需要使用root用户来执行(哪怕是考文件),以免在安装的过程中,出现权限的问题。在升级openssh之前,要先安装telnet server,以解决在卸载了openssh之后,登录不上服务器。安装telnet server之前,需要依赖xinetd,所以在安装telnet server 将 xinetd这个包安装上。rpm -ivhxinetd-2.3.1...
CentOS7.2配置SSH
weibin_6388的专栏
08-23 1433
这篇文章写SSH配置思路很清楚,虽然还没有试,但是还是被这清晰的思路震惊了。 自己问了自己介个问题,记录一下答案。 1,为什么新建用户? ssh为了安全期间不建议使用Root用户,所以使用root用户就比较麻烦。 2,为什么要修改配置文件? 修改的意思是打开SSH的公钥认证。 3,为什么要修改用户名? 因为在集群中同样的服务器用户名大都会相同,登陆到不同的机器效果就不太容易区分。
CentOS7.2离线安装openssh8.6p1软件包-步骤及依赖.rar
06-03
CentOS7.2上,我们可能需要升级OpenSSH到更安全的版本,例如8.6p1,以获得最新的安全修复和特性。在没有网络连接的环境下,离线安装是唯一的选择。以下是一个详细的步骤指南,教你如何在CentOS7.2上离线安装...
Centos7.2 7.4 7.6 7.8升级openssh9.6方法和详解(脚本一键升级
01-18
rpm -Uvh openssh-*.rpm chmod 0600 /etc/ssh/ssh_host_*_key sed -i "s/#UsePAM no/UsePAM yes/g" /etc/ssh/sshd_config sed -i "s/#PermitRootLogin prohibit-password/PermitRootLogin yes/g" /etc/ssh/sshd_...
更新openssh的一些报错
weixin_43110668的博客
01-21 4216
升级openSSH之后,所有主机使用root无法ssh登陆 /etc/ssh/ssh_config line 50: Unsupported option"gssapiauthentication" 于是,便猜想ssh升级后,为了安全,默认不再采用原来一些加密算法。 最后,解决办法为,注释sshd_config的以下参数: #GSSAPIAuthentication yes #GSSAPICleanupCredentials yes #UsePAM yes 允许root ssh登陆 Permit...
Linux:启动sshd服务的时候提示错误Unsupported option UsePAM
hhd1988的专栏
07-27 6459
Linux:启动sshd服务的时候提示错误Unsupported option UsePAM
scp失败
林鹤霄
03-29 2280
/etc/crypto-policies/back-ends/openssh.config: line 3: Bad configuration option: gssapikexalgorithms /etc/crypto-policies/back-ends/openssh.config: terminating, 1 bad configuration options lost connection
sshd_config 限制
weixin_33698043的博客
09-04 1201
1、只允许某个IP登录,拒绝其他所有IP在 /etc/hosts.allow 写:sshd: 1.2.3.4在 /etc/hosts.deny 写:sshd: ALL 用 iptables 也行:iptables -A INPUT -p tcp --dport 22 -j DROPiptables -A INPUT -p tcp --dport 22 -s 1.2.3....
Centos7.9配置SSH无秘钥链接ssh-copy-id报错/usr/bin/ssh-copy-id: ERROR: ssh: 的解决方法
m0_70800810的博客
05-28 7095
查看自己的主机名是否有误,和我们所要创建的(ssh ‘controller’ )无秘钥名称是否一致。第三句报错内容翻译出来是:无法解析主机名控制器:名称或服务未知。进入这个文件把里面创建的所有内容都删除。再运行一次,问题就可以解决了。
openssh与linux对应版本,linux更新openssh
weixin_31677427的博客
04-30 436
回 1楼(jeanjia) 的帖子楼主您好,请问您使用的系统是CentOS吗?运行以下命令时,返回到的系统版本是什么呢?cat /etc/redhat-release-------------------------回 3楼(jeanjia) 的帖子您好,我为您在测试机里安装了CentOS 7.2的公共镜像,显示的输出信息和您差不多,但我在FileZilla FTP里使用sftp协议,能正常登录。...
OpenSSH&OpenSSL至最新版本
qq_49081692的博客
03-27 5742
openssh&openssl升级
解决OpenSSH升级后root用户无法登录的问题
热门推荐
卧龙居
01-06 1万+
由于系统内置的OpenSSH版本过低,存在一些用户名枚举信息泄露之类的问题。所以做了一次加固,将OpenSSH版本升级到了最新版,即OpenSSH_8.1p1, OpenSSL 1.0.2k-fips 。 但是升级之后,root用户就不能登录了。用另一个具有sudo权限的用户登录后,查看/var/log/secure日志发现里面有这样一条记录: reprocess config line 93:...
centos7.2升级openssh7.9p1
08-19
现在您的CentOS 7.2系统应该已经升级OpenSSH 7.9p1版本了。 请注意,升级操作可能会有风险,请确保在操作前备份重要数据,并确保您对系统有足够的了解和熟悉以及足够的权限来执行这些操作。
评论 18
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值