OpenSSH 8.0 has known security issues, so it has to be upgraded to 8.1 or later. The steps below build OpenSSH 9.0p1 from source on CentOS 8.2 and keep a telnet session open as a fallback in case the new sshd does not come up.
1. Environment
Check the installed OpenSSH and OpenSSL versions (ssh -V prints its version on stderr):
[root@localhost ~]# openssl version
OpenSSL 1.1.1g
[root@localhost ~]# ssh -V
OpenSSH_8.0p1, OpenSSL 1.1.1g
[root@localhost ~]# lsb_release -a
LSB Version: :core-4.1-amd64:core-4.1-noarch
Distributor ID: CentOS
Description: CentOS Linux release 8.2.2004 (Core)
Release: 8.2.2004
Codename: Core
2. Install and configure telnet
If the SSH upgrade fails there is no way back onto the server over SSH, so telnet is set up first as a fallback. Telnet carries passwords in clear text: enable it only for the duration of the upgrade, only from a trusted management network, and remove it again once the new sshd is confirmed working (the last step of this guide). A second sshd listening on another port would be a less exposed fallback; this guide uses telnet.
2.1 Install telnet-server
[root@localhost ~]# yum -y install xinetd telnet-server
2.2 Configure telnet
On CentOS 8 telnet-server is started on demand by systemd's telnet.socket, which is what section 2.4 enables; xinetd only matters if you want it to manage telnet instead. First check whether an xinetd stanza for telnet already exists:
[root@localhost ~]# ll /etc/xinetd.d/telnet
ls: cannot access /etc/xinetd.d/telnet: No such file or directory
If it exists, make sure it says disable = yes, so that xinetd and telnet.socket do not both try to bind port 23 (use disable = no only if xinetd, and not telnet.socket, is to serve telnet). If it does not exist, create it as follows:
[root@localhost ~]# cat > /etc/xinetd.d/telnet <<EOF
service telnet
{
disable = yes
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
}
EOF
2.3 Allow root to log in on a pseudo-terminal
pam_securetty only lets root log in from a terminal listed in /etc/securetty, and a telnet session runs on a pseudo-terminal (pts/N), so those devices have to be added. Check whether the file exists before appending: if it does not, the command below creates it and root logins are from then on restricted to the terminals listed in it. The four entries also cover only the first four pseudo-terminals; if other sessions already occupy pts/0 to pts/3, a root telnet login lands on pts/4 and is refused. Logging in as an unprivileged user and switching with su - avoids editing this file at all.
[root@localhost ~]# cat >> /etc/securetty <<EOF
pts/0
pts/1
pts/2
pts/3
EOF
2.4 Start the telnet service
[root@localhost ~]# systemctl enable xinetd --now
[root@localhost ~]# systemctl enable telnet.socket --now
[root@localhost ~]# ss -lntp 'sport = :23'
Confirm that a listener is bound to TCP port 23. The ss filter matches the port exactly; netstat -nltp | grep 23 would also match port 2323, PIDs and addresses that happen to contain 23.
Then try a telnet login from another machine. If it is blocked by the firewall, open only port 23 for the time being rather than switching the firewall off. This runtime rule is not saved permanently and disappears at the next firewalld reload or reboot, which is what you want for a temporary fallback:
firewall-cmd --add-port=23/tcp
Stopping firewalld entirely (systemctl stop firewalld.service, then systemctl disable firewalld.service) would also let telnet through, but exposes every other port as well.
3. Switch to the telnet session
Everything from here on is done in the telnet session, so that stopping or breaking sshd cannot cut the connection. In the client, choose the telnet protocol and port 23.
Many guides compile OpenSSL from source as well. A self-built OpenSSL conflicts with the one CentOS ships and leads to hard-to-diagnose problems, so install it with yum instead; the openssl-devel package then also gives the OpenSSH build headers that match the library it links against.
4. Upgrade OpenSSH
4.1 Install the build dependencies
[root@localhost ~]# yum -y install gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel pam-devel zlib zlib-devel
Note: this also pulls the current openssl and zlib packages from the repositories (this system goes from OpenSSL 1.1.1g to 1.1.1k), so do not install those by hand; the only thing built from source here is OpenSSH. pcre-devel is not used by the OpenSSH build and can be left out.
4.2 Download OpenSSH 9.0
The mirror also serves a detached signature (openssh-9.0p1.tar.gz.asc) next to the tarball; fetch it too and check it with gpg --verify against the OpenSSH release signing key before unpacking, so that a tampered download is not built and installed as the system's sshd.
[root@localhost ~]# wget http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.0p1.tar.gz
[root@localhost ~]# tar zxvf openssh-9.0p1.tar.gz
4.3 Back up the existing ssh directory, build and install
[root@localhost ~]# mv /etc/ssh{,.bak}
This moves the host keys away as well. make install generates fresh ones, and every client that has connected before will then be shown a host-key-changed warning, which trains users to accept exactly the warning that would signal an interception. Copy the ssh_host_* files back from /etc/ssh.bak (private keys 0600, public keys 0644) before the new sshd is started for the first time so the server keeps its identity.
[root@localhost ~]# mkdir /usr/local/openssh
[root@localhost ~]# cd openssh-9.0p1/
[root@localhost openssh-9.0p1]# ./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-zlib --with-pam
--with-ssl-dir is only needed for an OpenSSL built from source; with the yum openssl-devel package installed, configure finds the headers and library by itself. --with-pam (pam-devel was installed above) lets UsePAM yes work, so the existing /etc/pam.d/sshd rules such as account lockouts keep applying to SSH logins.
If configure completes without errors, build:
[root@localhost openssh-9.0p1]# make
If make finishes without errors, install:
[root@localhost openssh-9.0p1]# make install
If sshd later refuses to start with an error such as "Permissions 0644 for '/etc/ssh/ssh_host_rsa_key' are too open", the private host keys are readable by other users; sshd only loads them when they are accessible by root alone (0600). Fix every private key that is present (the .pub files stay 0644):
chmod 600 /etc/ssh/ssh_host_*_key
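The chmod above treats a symptom; the wider point is that the files under /etc/ssh are the server's identity. Because mv /etc/ssh{,.bak} moved the host keys away, make install generated new ones, and every client that has connected before will now warn that the host key changed. The following functions are an added example, not code from the original guide: they copy the host keys back from the backup directory with the permissions sshd insists on, and check for the too-open condition the error message describes. Directories are passed as parameters; /etc/ssh.bak and /etc/ssh are the paths used in this guide, and the fingerprint printout assumes ssh-keygen is on PATH.

```sh
#!/bin/sh
# Added example, not from the original guide: keep the server's host keys
# across the upgrade and check the permission rule behind sshd's
# "Permissions 0644 for '/etc/ssh/ssh_host_rsa_key' are too open".

# restore_host_keys SRC DST
# Copies every ssh_host_*_key (and its .pub) from SRC into DST with the
# permissions sshd requires: 0600 on private keys, 0644 on public keys,
# owned by root when run as root. Run it before `make install` (which only
# generates keys that are missing) or at least before the new sshd starts
# for the first time, so clients see the host key they already know.
restore_host_keys() {
    src=$1
    dst=$2
    mkdir -p "$dst"
    for key in "$src"/ssh_host_*_key; do
        [ -f "$key" ] || continue              # glob matched nothing
        base=${key##*/}
        cp -p "$key" "$dst/$base"
        chmod 600 "$dst/$base"
        if [ "$(id -u)" = 0 ]; then
            chown root:root "$dst/$base"
        fi
        if [ -f "$key.pub" ]; then
            cp -p "$key.pub" "$dst/$base.pub"
            chmod 644 "$dst/$base.pub"
            if [ "$(id -u)" = 0 ]; then
                chown root:root "$dst/$base.pub"
            fi
        fi
    done
    # Print the fingerprints clients will be asked to trust, so they can be
    # compared with what is already in their known_hosts.
    if command -v ssh-keygen >/dev/null 2>&1; then
        for pub in "$dst"/ssh_host_*_key.pub; do
            [ -f "$pub" ] || continue
            ssh-keygen -lf "$pub" 2>/dev/null || echo "$pub: not a readable public key"
        done
    fi
}

# host_keys_private DIR
# Succeeds only if no private host key in DIR is readable or writable by
# group or others, which is the test sshd applies (0600 and 0400 both pass).
host_keys_private() {
    for key in "$1"/ssh_host_*_key; do
        [ -f "$key" ] || continue
        # characters 5-10 of `ls -l` output are the group and other bits
        case "$(ls -ld "$key" | cut -c5-10)" in
            ------) ;;
            *) echo "$key is accessible by group or others" >&2; return 1 ;;
        esac
    done
    return 0
}

# On the upgraded host:
#   restore_host_keys /etc/ssh.bak /etc/ssh && host_keys_private /etc/ssh
```

If host_keys_private fails after the copy, something other than this script touched the files (for example a umask-changing wrapper around cp); re-run the chmod above before starting sshd.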
4.4 Configuration
Add the settings you need to sshd_config. make install placed the stock OpenSSH sshd_config in /etc/ssh, in which all of the keywords below are commented out, which is why appending works here. Two rules from sshd_config(5) matter when appending: sshd uses the first value it reads for a keyword, and anything after a Match block belongs to that block, so check the effective result with /usr/local/openssh/sbin/sshd -T instead of reading the file. PermitRootLogin yes together with PasswordAuthentication yes leaves the root account open to online password guessing; once key-based access works, change them to PermitRootLogin prohibit-password and PasswordAuthentication no. If the build was configured with --with-pam, also add UsePAM yes so that /etc/pam.d/sshd is applied.
[root@localhost ~]# echo "UseDNS no" >> /etc/ssh/sshd_config
[root@localhost ~]# echo 'PermitRootLogin yes' >> /etc/ssh/sshd_config
[root@localhost ~]# echo 'PubkeyAuthentication yes' >> /etc/ssh/sshd_config
[root@localhost ~]# echo 'PasswordAuthentication yes' >> /etc/ssh/sshd_config
If you need X11 forwarding for graphical sessions, add the following. X11UseLocalhost no makes forwarded displays listen on all interfaces instead of loopback only; it is needed only for old X clients that cannot use the loopback display, otherwise leave it at the default yes:
[root@localhost ~]# echo "X11Forwarding yes" >> /etc/ssh/sshd_config
[root@localhost ~]# echo "X11UseLocalhost no" >> /etc/ssh/sshd_config
[root@localhost ~]# echo "XAuthLocation /usr/bin/xauth" >> /etc/ssh/sshd_config
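Appending with echo >> is fragile in two ways that sshd_config(5) documents: sshd uses the first value it reads for each keyword, so an appended line is silently ignored if the keyword is already set higher up, and anything after a Match block belongs to that block rather than to the global section. The effective configuration should therefore be read from sshd -T, not from the file. The script below is an added example and not part of the original guide: effective_value reproduces those two rules for a given file, and audit_sshd_config reads a sshd -T dump from stdin and flags the settings above that weaken the daemon (root with a password, password authentication, X11 displays bound to all interfaces, PAM bypassed). Keyword names follow sshd_config(5); the binary and config paths in the comments are the ones used in this guide.

```sh
#!/bin/sh
# Added example, not from the original guide: check what the new sshd
# will actually enforce rather than trusting lines appended to the file.

# effective_value FILE KEYWORD
# Prints the value sshd takes for KEYWORD from the global section of FILE,
# following two rules from sshd_config(5): the first occurrence of a
# keyword wins, and everything after the first Match line belongs to that
# Match block. Prints nothing when the keyword is not set globally (the
# built-in default then applies). Keywords are case-insensitive and the
# "Keyword=value" spelling is normalised to "Keyword value" first.
effective_value() {
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    sed 's/^[[:space:]]*//; s/=/ /' "$1" | awk -v want="$want" '
        /^(#|$)/               { next }           # comment or blank line
        tolower($1) == "match" { exit }           # global section ends here
        tolower($1) == want    { print $2; exit } # first occurrence wins
    '
}

# audit_sshd_config < dump
# Reads the output of `sshd -T` (one lowercase "keyword value" per line,
# with duplicates and Match blocks already resolved by sshd itself) and
# prints one line per setting that weakens the daemon. Always exits 0;
# callers count the output lines.
#
#   /usr/local/openssh/sbin/sshd -T -f /etc/ssh/sshd_config | audit_sshd_config
audit_sshd_config() {
    while read -r key value; do
        case "$key" in
            permitrootlogin)
                if [ "$value" = yes ]; then
                    echo "permitrootlogin yes: root may log in with a password; use prohibit-password (keys only) or no"
                fi ;;
            passwordauthentication)
                if [ "$value" = yes ]; then
                    echo "passwordauthentication yes: open to online password guessing; prefer public keys and set no"
                fi ;;
            permitemptypasswords)
                if [ "$value" = yes ]; then
                    echo "permitemptypasswords yes: accounts with an empty password can log in"
                fi ;;
            x11uselocalhost)
                if [ "$value" = no ]; then
                    echo "x11uselocalhost no: forwarded X11 displays listen on all interfaces instead of loopback only"
                fi ;;
            usepam)
                if [ "$value" = no ]; then
                    echo "usepam no: the account and session rules in /etc/pam.d/sshd (lockouts, nologin) are not applied"
                fi ;;
        esac
    done
}
```

Run the audit against the binary that will actually serve, not against the old /usr/sbin/sshd.bak; sshd -T needs to read the host keys, so it is run as root, and it also validates the syntax of the file, which is the same check sshd -t performs.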
Replace the old binaries with symlinks to the new build
Move the distribution's binaries aside and point the standard paths at the build under /usr/local/openssh:
[root@localhost ~]# mv /usr/sbin/sshd{,.bak}
[root@localhost ~]# mv /usr/bin/ssh{,.bak}
[root@localhost ~]# mv /usr/bin/ssh-keygen{,.bak}
[root@localhost ~]# ln -s /usr/local/openssh/bin/ssh /usr/bin/ssh
[root@localhost ~]# ln -s /usr/local/openssh/bin/ssh-keygen /usr/bin/ssh-keygen
[root@localhost ~]# ln -s /usr/local/openssh/sbin/sshd /usr/sbin/sshd
scp, sftp, ssh-agent, ssh-add and ssh-keyscan in /usr/bin are still the 8.0 versions from the RPM; link them from /usr/local/openssh/bin in the same way, or put /usr/local/openssh/bin first in PATH. A later yum update of the openssh packages would also overwrite these symlinks with the RPM binaries; add exclude=openssh* to the [main] section of /etc/yum.conf to prevent that.
The new version is now in place:
[root@localhost ~]# ssh -V
OpenSSH_9.0p1, OpenSSL 1.1.1k FIPS 25 Mar 2021
4.5 Create the startup service
The sshd.service unit shipped with the openssh-server package is written for the distribution's patched sshd: it uses Type=notify, which the unpatched 9.0p1 build does not implement, so the unit is set aside and the init script from the OpenSSH source tree is installed instead; systemd runs it through its SysV compatibility layer. (A native unit with Type=simple and ExecStart=/usr/local/openssh/sbin/sshd -D would do the same without the init script.)
[root@localhost ~]# systemctl disable sshd --now
[root@localhost ~]# mv /usr/lib/systemd/system/sshd.service{,.bak}
[root@localhost ~]# systemctl daemon-reload
[root@localhost ~]# cp -a ~/openssh-9.0p1/contrib/redhat/sshd.init /etc/init.d/sshd
[root@localhost ~]# chkconfig --add sshd
[root@localhost ~]# systemctl enable sshd --now
Now test an SSH login from another machine. If it works, the upgrade is complete and the fallback should be removed again: disable telnet, uninstall it (yum -y remove telnet-server), take the pts lines out of /etc/securetty again, and make sure port 23 is closed in the firewall (firewall-cmd --remove-port=23/tcp if the rule is still present):
[root@localhost ~]# systemctl disable xinetd.service --now
[root@localhost ~]# systemctl disable telnet.socket --now
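Before the two commands above take the fallback away, confirm that the daemon answering on port 22 is the new build and not a leftover 8.0 process. An SSH server sends its identification string, for this build SSH-2.0-OpenSSH_9.0, as soon as the TCP connection opens (RFC 4253, section 4.2), so the version can be read from any machine without keys or a login. The functions below are an added example and not from the original guide; fetch_ssh_banner relies on bash's /dev/tcp device, the host, port and minimum version are parameters, and 192.0.2.10 in the usage comment is a placeholder address.

```sh
#!/bin/bash
# Added example, not from the original guide: confirm which sshd answers
# on the network before the telnet fallback is removed. A server sends its
# identification string, e.g. "SSH-2.0-OpenSSH_9.0", as soon as the TCP
# connection opens (RFC 4253, section 4.2), so no key or login is needed.

# fetch_ssh_banner HOST [PORT]
# Prints the server's identification string. Uses bash's /dev/tcp device,
# so nothing beyond bash is required. The connection is dropped right after
# the banner, which sshd logs as "Did not receive identification string";
# that is expected and harmless.
fetch_ssh_banner() {
    host=$1
    port=${2:-22}
    banner=$(
        exec 3<>"/dev/tcp/$host/$port" &&
        IFS= read -r -t 5 line <&3 &&
        printf '%s' "$line"
    ) || return 1
    printf '%s\n' "$banner" | tr -d '\r'
}

# openssh_version STRING
# Extracts "major.minor" from a banner ("SSH-2.0-OpenSSH_9.0") or from the
# `ssh -V` line ("OpenSSH_8.0p1, OpenSSL 1.1.1g"). Prints nothing for a
# server that is not OpenSSH, so "unknown" stays distinguishable from "old".
openssh_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*OpenSSH_\([0-9]\{1,\}\)\.\([0-9]\{1,\}\).*/\1.\2/p'
}

# version_at_least HAVE NEED   (both as "major.minor"; an empty HAVE fails)
version_at_least() {
    have=$1
    need=$2
    [ -n "$have" ] || return 1
    have_major=${have%%.*}; have_minor=${have#*.}
    need_major=${need%%.*}; need_minor=${need#*.}
    if [ "$have_major" -gt "$need_major" ]; then return 0; fi
    if [ "$have_major" -eq "$need_major" ] && [ "$have_minor" -ge "$need_minor" ]; then
        return 0
    fi
    return 1
}

# check_ssh_server HOST [PORT] [MIN]
# 0: OpenSSH >= MIN (default 8.1, the floor this guide sets)
# 1: older than MIN, or not an OpenSSH banner
# 2: no banner received (nothing listening, firewall, or wrong port)
check_ssh_server() {
    host=$1
    port=${2:-22}
    min=${3:-8.1}
    banner=$(fetch_ssh_banner "$host" "$port") || {
        echo "no SSH banner from $host:$port"
        return 2
    }
    if version_at_least "$(openssh_version "$banner")" "$min"; then
        echo "OK: $host:$port runs $banner"
        return 0
    fi
    echo "NOT upgraded (or not OpenSSH): $host:$port runs $banner"
    return 1
}

# From another machine, against the upgraded server:
#   check_ssh_server 192.0.2.10 22 8.1
```

The banner only proves which binary is listening; it says nothing about the configuration it runs with, which is what the sshd -T audit in section 4.4 is for. Run this check from a host other than the server itself so that the firewall rules are exercised as well.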