Red Hat linux环境openssh升级到openssh-10.0p1

由于外网服务器扫描出SSH高危漏洞，需要升级SSH版本。

一、新版本SSH下载：https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/ 解压、编译配置(注意正确配置openssl路径)、编译、安装：

tar -zxvf openssh-10.0p1.tar.gz

cd openssh-10.0p1

./configure --prefix=/usr/local/openssh --with-ssl-dir=/usr/local/openssl341 --sysconfdir=/etc/ssh --with-pam --with-gssapi --with-rsa --with-rhosts-allowed --with-zlib --with-md5-passwords

make && make install

在configure openssh时，有参数 --with-pam，会提示：
PAM is enabled. You may need to install a PAM control file for sshd, otherwise password authentication may fail. Example PAM control files can be found in the contrib/subdirectory
就是如果启用PAM，需要有一个控制文件，按照提示的路径找到redhat/sshd.pam，并复制到/etc/pam.d/sshd，在/etc/ssh/sshd_config中设置UsePAM yes。
/etc/pam.d/sshd中内容如下：

# 文件内容如下
#%PAM-1.0
auth	   required	pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare

/etc/ssh/sshd_config 中设置UsePAM yes

二、替换原openssh
1、备份替换相关文件

mv /usr/sbin/sshd /usr/sbin/sshd_bak
mv /usr/bin/ssh /usr/bin/ssh_bak
mv /usr/bin/ssh-keygen /usr/bin/ssh-keygen_bak

2、建立软连接

ln -s /usr/local/openssh/sbin/sshd /usr/sbin/sshd //建立软连接
ln -s /usr/local/openssh/bin/ssh /usr/bin/ssh //建立软连接
ln -s /usr/local/openssh/bin/ssh-keygen /usr/bin/ssh-keygen //建立软连接

或复制文件

cp -rf /usr/local/openssh/sbin/sshd /usr/sbin/sshd
cp -rf /usr/local/openssh/bin/ssh /usr/bin/ssh
cp -rf /usr/local/openssh/bin/ssh-keygen /usr/bin/ssh-keygen

三、修改配置：
解决root不能远程SSH登录问题(如果不需要root帐户登陆不用配置)

1、注释/etc/pam.d/password-auth或/etc/pam.d/password-auth-ac中
#auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success

2、设置/etc/ssh/sshd_config 中PermitRootLogin yes

四、重启ssh服务：
systemctl restart sshd
如果重启报错Permissions 0640 for’/etc/ssh/*****.key’ are too open.

为文件的权限设置过于宽松执行

chmod -R 600 /etc/ssh

限制权限后再重启ssh服务解决
查询服务状态:

systemctl status sshd.service

正常运行，升级成功！！！
备注帐户解锁:
sudo passwd -u root
参考资料：
解决Linux系统Root不能远程SSH登录_linux ssh无法远程登录-CSDN博客

解决 OpenSSH开启 PAM后 root用户无法远程登录问题_failed password for root from-CSDN博客

解决openssh，openssl升级出现的坑_pam is enabled. you may need to install a pam cont-CSDN博客

启用UsePAM后用户登录失败_pam is enabled. you may need to install a pam cont-CSDN博客

openssl升级后开启UsePAM登录失败 - 焦国峰的随笔日记 - 博客园

linux环境openssl、openssh升级_openssl升级-CSDN博客

[SSH] Permissions 0644 for ‘.ssh/id_rsa‘ are too open._permissions 0644 for are too open-CSDN博客

key are too open_百度知道

磐维数据库openSSH 8.0到openSSH 9.3 - 墨天轮

docker启动sshd报错Could not load host key: /etc/ssh/ssh_host_rsa_key和Permissions 0640 for ‘/etc/ssh/ssh__docker could not load host key-CSDN博客

Linux系统下SSH服务启动失败故障处理_unit sshd.service entered failed state-CSDN博客

RedHat Linux 下升级SSH服务_redhat4.8 ssh升级-CSDN博客