1. Download the OpenSSH 8.3p1 upgrade package
CentOS 7: https://download.csdn.net/download/ChongDanYiQieHuiYi/12570967
CentOS 6: https://download.csdn.net/download/ChongDanYiQieHuiYi/12507873
cp ssh.repo /etc/yum.repos.d/ssh.repo
mv x86_64 /tmp/
yum clean all
yum install -y openssh
[root@VM_0_11_centos RPMS]# sshd -v
unknown option -- v
OpenSSH_8.3p1, OpenSSL 1.0.2k-fips 26 Jan 2017
usage: sshd [-46DdeiqTt] [-C connection_spec] [-c host_cert_file]
[-E log_file] [-f config_file] [-g login_grace_time]
[-h host_key_file] [-o option] [-p port] [-u len]
2. Troubleshooting:
a. CRT 7.0.0: after the sshd upgrade, weak algorithms are no longer used
Key exchange failed.
No compatible key exchange method. The server supports these methods: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
No compatible hostkey. The server supports these methods: ssh-ed25519
Add this configuration:
cat >>/etc/ssh/sshd_config <<-EOF
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
EOF
systemctl restart sshd
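The KexAlgorithms line above adds three SHA-1 based methods that are absent from the server's default list shown in the error message. The following is an added example, not part of the original post, that lists the SHA-1 key exchange methods found in sshd_config text or `sshd -T` output; the function name weak_kex and the sample input are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: list SHA-1 based key exchange methods that an sshd
# configuration enables. weak_kex is a name chosen for this example.

# Reads sshd_config text or `sshd -T` output on stdin and prints one
# SHA-1 based method per line. Only the first KexAlgorithms line is used,
# because sshd keeps the first value it reads for each keyword.
weak_kex() {
  awk '
    tolower($1) == "kexalgorithms" && !seen {
      seen = 1
      list = $2
      # A leading "-" removes the listed methods from the defaults.
      if (substr(list, 1, 1) == "-") next
      # A leading "+" or "^" adds to the defaults; drop the prefix.
      sub(/^[+^]/, "", list)
      n = split(list, method, ",")
      for (i = 1; i <= n; i++)
        if (method[i] ~ /-sha1$/) print method[i]
    }'
}

# Constructed sample: the KexAlgorithms line this page appends.
sample='KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1'

printf '%s\n' "$sample" | weak_kex
```

Because sshd uses the first value it reads for a keyword, a KexAlgorithms line already present earlier in the file takes precedence over one appended with `cat >>`; running `sshd -T | weak_kex` as root shows what is actually in effect.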
3. Security scan compliance
4. 2020-7-2 bug fix
Login errors and systemctl management failures on CentOS 7.x-7.6
[root@192 ~]# tar -xf openssh8.3p1.tar
[root@192 ~]# ls
anaconda-ks.cfg openssh8.3p1.tar original-ks.cfg x86_64
[root@192 ~]# mv x86_64/ /tmp/
[root@192 ~]# mv /tmp/x86_64/ssh.repo /etc/yum.repos.d/
[root@192 ~]# yum install -y openssh
Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager
This system is not registered with an entitlement server. You can use subscription-manager to register.
ssh | 2.9 kB 00:00:00
ssh/primary_db | 6.2 kB 00:00:00
Resolving Dependencies
--> Running transaction check
---> Package openssh.x86_64 0:7.4p1-21.el7 will be updated
--> Processing Dependency: openssh = 7.4p1-21.el7 for package: openssh-clients-7.4p1-21.el7.x86_64
--> Processing Dependency: openssh = 7.4p1-21.el7 for package: openssh-server-7.4p1-21.el7.x86_64
---> Package openssh.x86_64 0:8.3p1-1.el7 will be an update
--> Running transaction check
---> Package openssh-clients.x86_64 0:7.4p1-21.el7 will be updated
---> Package openssh-clients.x86_64 0:8.3p1-1.el7 will be an update
---> Package openssh-server.x86_64 0:7.4p1-21.el7 will be updated
---> Package openssh-server.x86_64 0:8.3p1-1.el7 will be an update
--> Finished Dependency Resolution
Dependencies Resolved
====================================================================================================================================
Package Arch Version Repository Size
====================================================================================================================================
Updating:
openssh x86_64 8.3p1-1.el7 ssh 562 k
Updating for dependencies:
openssh-clients x86_64 8.3p1-1.el7 ssh 568 k
openssh-server x86_64 8.3p1-1.el7 ssh 411 k
Transaction Summary
====================================================================================================================================
Upgrade 1 Package (+2 Dependent packages)
Total download size: 1.5 M
Downloading packages:
------------------------------------------------------------------------------------------------------------------------------------
Total 177 MB/s | 1.5 MB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Updating : openssh-8.3p1-1.el7.x86_64 1/6
Updating : openssh-clients-8.3p1-1.el7.x86_64 2/6
Updating : openssh-server-8.3p1-1.el7.x86_64 3/6
Cleanup : openssh-server-7.4p1-21.el7.x86_64 4/6
Cleanup : openssh-clients-7.4p1-21.el7.x86_64 5/6
Cleanup : openssh-7.4p1-21.el7.x86_64 6/6
Verifying : openssh-clients-8.3p1-1.el7.x86_64 1/6
Verifying : openssh-8.3p1-1.el7.x86_64 2/6
Verifying : openssh-server-8.3p1-1.el7.x86_64 3/6
Verifying : openssh-clients-7.4p1-21.el7.x86_64 4/6
Verifying : openssh-7.4p1-21.el7.x86_64 5/6
Verifying : openssh-server-7.4p1-21.el7.x86_64 6/6
Updated:
openssh.x86_64 0:8.3p1-1.el7
Dependency Updated:
openssh-clients.x86_64 0:8.3p1-1.el7 openssh-server.x86_64 0:8.3p1-1.el7
Complete!
[root@192 ~]# systemctl status sshd
● sshd.service - SYSV: OpenSSH server daemon
Loaded: loaded (/etc/rc.d/init.d/sshd; bad; vendor preset: enabled)
Active: active (running) since Thu 2020-07-02 04:31:58 PDT; 25s ago
Docs: man:systemd-sysv-generator(8)
Process: 31010 ExecStop=/etc/rc.d/init.d/sshd stop (code=exited, status=0/SUCCESS)
Process: 31016 ExecStart=/etc/rc.d/init.d/sshd start (code=exited, status=0/SUCCESS)
Main PID: 1142 (code=exited, status=0/SUCCESS)
CGroup: /system.slice/sshd.service
└─31024 sshd: /usr/sbin/sshd [listener] 0 of 10-100 startups
Jul 02 04:31:58 192.168.1.15 systemd[1]: Stopped SYSV: OpenSSH server daemon.
Jul 02 04:31:58 192.168.1.15 systemd[1]: Starting SYSV: OpenSSH server daemon...
Jul 02 04:31:58 192.168.1.15 sshd[31016]: ssh-keygen: generating new host keys: DSA
Jul 02 04:31:58 192.168.1.15 sshd[31016]: Starting sshd:[ OK ]
Jul 02 04:31:58 192.168.1.15 systemd[1]: Can't open PID file /var/run/sshd.pid (yet?) after start: No such file or directory
Jul 02 04:31:58 192.168.1.15 systemd[1]: Started SYSV: OpenSSH server daemon.
Jul 02 04:31:59 192.168.1.15 sshd[31024]: Server listening on 0.0.0.0 port 22.
Jul 02 04:31:59 192.168.1.15 sshd[31024]: Server listening on :: port 22.
Jul 02 04:32:03 192.168.1.15 sshd[31026]: Accepted password for root from 192.168.1.6 port 11657 ssh2
6. If you installed the earlier version, just follow the steps below to repair it
/usr/bin/cat >/etc/pam.d/sshd<<EOF
#%PAM-1.0
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
EOF
[ -f /etc/ssh/ssh_host_rsa_key ] && /usr/bin/chmod 600 /etc/ssh/ssh_host_rsa_key
[ -f /etc/ssh/ssh_host_ecdsa_key ] && /usr/bin/chmod 600 /etc/ssh/ssh_host_ecdsa_key
[ -f /etc/ssh/ssh_host_ed25519_key ] && /usr/bin/chmod 600 /etc/ssh/ssh_host_ed25519_key
After copying, pasting and running the code above:
1. vim /etc/ssh/sshd_config
PermitRootLogin yes
UsePAM yes
2. Restart sshd
systemctl restart sshd
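Notes:
So far CentOS 7.2 through 7.7 have been tested without problems; if you hit an issue, send it to me promptly so I can fix the bug.
To use this on 7.0 or 7.1, first mount the 7.2 and ssh.repo mirror sources, then upgrade openssh.
1. The original configuration file /etc/ssh/sshd_config will be overwritten, so take care to save it.
2. By default root can log in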
vim /etc/ssh/sshd_config
# If this is commented out, you have to log in as a normal user and switch from there
#PermitRootLogin yes