1、更新yum仓库默认的openssh版本
yum update openssh -y
2、安装telnet-server以及xinetd
yum install xinetd telnet-server -y
离线情况
telnet:telnet-0.17-64.el7.x86_64
telnet-server:telnet-server-0.17-64.el7.x86_64
xinetd:xinetd-2.3.15-13.el7.x86_64
1.先检测是否这些软件包是否已经安装
安装顺序:xinetd–>telnet–>telnet-server
rpm -qa | grep telnet
rpm -qa | grep telnet-server
rpm -qa | grep xinetd
卸载rpm包
rpm -e telnet-0.17-64.el7.x86_64
rpm -e telnet-server-0.17-64.el7.x86_64
rpm -e xinetd-2.3.15-13.el7.x86_64
2.安装rpm包
rpm -ivh xinetd-2.3.15-13.el7.x86_64.rpm
rpm -ivh telnet-0.17-64.el7.x86_64.rpm
rpm -ivh telnet-server-0.17-64.el7.x86_64.rpm
3.配置telnet
#如果下面telnet文件不存在的话,可以跳过这部分的更改
ll /etc/xinetd.d/telnet
#文件存在,请更改配置telnet可以root登录,把disable = no改成disable = yes
cat /etc/xinetd.d/telnet
# default: on
# description: The telnet server serves telnet sessions; it uses \
# unencrypted username/password pairs for authentication.
service telnet
{
disable = no
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
}
[root@rhel yum.repos.d]# vim /etc/xinetd.d/telnet
[root@rhel yum.repos.d]# cat /etc/xinetd.d/telnet
# default: on
# description: The telnet server serves telnet sessions; it uses \
# unencrypted username/password pairs for authentication.
service telnet
{
disable = yes
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
}
#配置telnet登录的终端类型,在/etc/securetty文件末尾增加一些pts终端,如下
pts/0
pts/1
pts/2
pts/3
#配置之后的显示
[root@linux-node3 ~]# vim /etc/securetty
[root@linux-node3 ~]# tail -5 /etc/securetty
xvc0
pts/0
pts/1
pts/2
pts/3
#启动telnet服务,并设置开机自动启动
[root@linux-node3 ~]# systemctl enable xinetd
[root@linux-node3 ~]# systemctl enable telnet.socket
Created symlink from /etc/systemd/system/sockets.target.wants/telnet.socket to /usr/lib/systemd/system/telnet.socket.
[root@linux-node3 ~]#
[root@linux-node3 ~]# systemctl start telnet.socket
[root@linux-node3 ~]# systemctl start xinetd
[root@linux-node3 ~]# netstat -lntp|grep 23
tcp6 0 0 :::23 :::* LISTEN 1/systemd
#切换到telnet方式登录,以后的操作都在telnet终端下操作,防止ssh连接意外中断造成升级失败
4、安装依赖包
yum install -y gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel pam-devel
yum install -y pam* zlib*
5、下载openssh包和openssl的包
wget https://www.openssl.org/source/openssl-1.1.1g.tar.gz
http://www.openssh.com/portable.html#http
选择一个下载地址后再wget,例如选择香港的节点
wget https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/openssh-8.3p1.tar.gz
如果上述地址下载不了,可以从官网进中国区镜像找
官网: http://www.openssh.com/portable.html
中国区阿里云镜像: https://mirrors.aliyun.com/pub/OpenBSD/OpenSSH/portable/
日区镜像:
https://ftp.jaist.ac.jp/pub/OpenBSD/OpenSSH/portable/
5、开始安装openssl
mkdir /opt/tools/
cd /opt/tools/
#将下载包放到此目录
tar -xvf openssl-1.1.1g.tar.gz
#现在是系统默认的版本,等会升级完毕对比下
[root@linux-node3 ~]# openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017
#备份下面2个文件或目录(如果存在的话就执行)
ll /usr/bin/openssl
mv /usr/bin/openssl /usr/bin/openssl_bak
ll /usr/include/openssl
mv /usr/include/openssl /usr/include/openssl_bak
#编译安装新版本的openssl
# 配置参数
cd /opt/tools/openssl-1.1.1g
./config shared --openssldir=/usr/local/openssl --prefix=/usr/local/openssl
#编译和安装
make && make install
#以上命令执行完毕,echo $?查看下最后的make install是否有报错,0表示没有问题
echo $?
# 下面2个文件或者目录做软链接 (刚才前面的步骤mv备份过原来的)
ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
ln -s /usr/local/openssl/include/openssl /usr/include/openssl
ll /usr/bin/openssl
ll /usr/include/openssl -ld
#命令行执行下面2个命令加载新配置
echo "/usr/local/openssl/lib" >> /etc/ld.so.conf
/sbin/ldconfig
# 查看确认版本。没问题
> openssl version
OpenSSL 1.1.1g 21 Apr 2020
6、安装openssh
#上传openssh的tar包并解压
tar -xvf openssh-8.3p1.tar.gz
cd /opt/tools/openssh-8.3p1
#配置权限
chown -R root.root /opt/tools/openssh-8.3p1
#删除原先ssh的配置文件和目录
rm -rf /etc/ssh/*
#修改版本号(安全扫描低危漏洞)
vi version.h
#找到此行#define SSH_VERSION "OpenSSH_8.3",将OpenSSH_8.3修改为自定义的
> sed -i 's/OpenSSH_8.3/welcome back/g' version.h
> cat version.h
#配置、编译、安装
./configure --prefix=/usr/ --sysconfdir=/etc/ssh --with-openssl-includes=/usr/local/openssl/include --with-ssl-dir=/usr/local/openssl --with-zlib --with-md5-passwords --with-pam && make && make install
#以上命令执行完毕,echo $?查看下最后的make install是否有报错,0表示没有问题
echo $?
# 修改配置文件最终为如下内容,其他的不要动
> grep "^PermitRootLogin" /etc/ssh/sshd_config
PermitRootLogin yes
> grep "UseDNS" /etc/ssh/sshd_config
UseDNS no
> sed -i 's/#UseDNS no/UseDNS no/g' /etc/ssh/sshd_config
> grep "UseDNS" /etc/ssh/sshd_config
#从原先的解压的包中拷贝一些文件到目标位置(如果目标目录存在就覆盖)
cd /opt/tools/openssh-8.3p1
cp -a contrib/redhat/sshd.init /etc/init.d/sshd
cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd.pam
chmod +x /etc/init.d/sshd
chkconfig --add sshd
systemctl enable sshd
# 把原先的systemd管理的sshd文件删除或者移走或者删除,不移走的话影响我们重启sshd服务
mkdir /opt/tools/bak
mv /usr/lib/systemd/system/sshd.service /opt/tools/bak/
#设置sshd服务开机启动
> chkconfig sshd on
Created symlink from /etc/systemd/system/sockets.target.wants/sshd.socket to /usr/lib/systemd/system/sshd.socket
# 接下来测试启停服务。都正常、以后管理sshd通过下面方式了
/etc/init.d/sshd restart
#查看22端口
netstat -lntp
/etc/init.d/sshd stop
#查看22端口
netstat -lntp
/etc/init.d/sshd start
#也可以使用systemd方式也行
systemctl stop sshd
systemctl start sshd
systemctl restart sshd
#测试版本。都正常
> ssh -V
welcome backp1, OpenSSL 1.1.1g 21 Apr 2020
> telnet 127.0.0.1 22
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
SSH-2.0-welcome back
# 注意SSH-2.0-后面是自定义的版本号
369
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
