QQ空间迁移_【OPENSSH升级后不能登录的问题】

OPENSSH升级后不能登录的问题

2016-03-10 14:47:04

Redhat 6.4 升级OPENSSH 遇到头疼的问题

Openssh 爆出很多安全漏洞，客户那边搞安全检查，扫描结果出来了，漏洞基本都是在openssh上面 于是打算升级

升级过程很顺利

具体情况这里http://pkgs.org/centos-6/ghettoforge-testing-x86_64/openssh-6.6.1p1-4.gf.el6.x86_64.rpm.html

备份原有源

cd /etc/yum.repos.d/

mv rhel-source.repo rhel-source.repo.bak

mv packagekit-media.repo packagekit-media.repo.bak

配置源

vi CentOS-Base.repo

[base]

name=CentOS-$releasever - Base - mirrors.aliyun.com

failovermethod=priority

baseurl=http://mirrors.aliyun.com/centos/6.7/os/$basearch/

http://mirrors.aliyuncs.com/centos/6.7/os/$basearch/

#mirrorlist=http://mirrorlist.centos.org/?release=KaTeX parse error: Expected 'EOF', got '&' at position 11: releasever&̲arch=basearch&repo=os

gpgcheck=1

gpgkey=http://mirrors.aliyun.com/centos/RPM-GPG-KEY-CentOS-6

#released updates

[updates]

name=CentOS-$releasever - Updates - mirrors.aliyun.com

failovermethod=priority

baseurl=http://mirrors.aliyun.com/centos/6.7/updates/$basearch/

http://mirrors.aliyuncs.com/centos/6.7/updates/$basearch/

#mirrorlist=http://mirrorlist.centos.org/?release=KaTeX parse error: Expected 'EOF', got '&' at position 11: releasever&̲arch=basearch&repo=updates

gpgcheck=1

gpgkey=http://mirrors.aliyun.com/centos/RPM-GPG-KEY-CentOS-6

#additional packages that may be useful

[extras]

name=CentOS-$releasever - Extras - mirrors.aliyun.com

failovermethod=priority

baseurl=http://mirrors.aliyun.com/centos/6.7/extras/$basearch/

http://mirrors.aliyuncs.com/centos/$releasever/extras/$basearch/

#mirrorlist=http://mirrorlist.centos.org/?release=KaTeX parse error: Expected 'EOF', got '&' at position 11: releasever&̲arch=basearch&repo=extras

gpgcheck=1

gpgkey=http://mirrors.aliyun.com/centos/RPM-GPG-KEY-CentOS-6

#additional packages that extend functionality of existing packages

[centosplus]

name=CentOS-$releasever - Plus - mirrors.aliyun.com

failovermethod=priority

baseurl=http://mirrors.aliyun.com/centos/6.7/centosplus/$basearch/

http://mirrors.aliyuncs.com/centos/6.7/centosplus/$basearch/

#mirrorlist=http://mirrorlist.centos.org/?release=KaTeX parse error: Expected 'EOF', got '&' at position 11: releasever&̲arch=basearch&repo=centosplus

gpgcheck=1

enabled=0

gpgkey=http://mirrors.aliyun.com/centos/RPM-GPG-KEY-CentOS-6

#contrib - packages by Centos Users

[contrib]

name=CentOS-$releasever - Contrib - mirrors.aliyun.com

failovermethod=priority

baseurl=http://mirrors.aliyun.com/centos/6.7/contrib/$basearch/

http://mirrors.aliyuncs.com/centos/6.7/contrib/$basearch/

#mirrorlist=http://mirrorlist.centos.org/?release=KaTeX parse error: Expected 'EOF', got '&' at position 11: releasever&̲arch=basearch&repo=contrib

gpgcheck=1

enabled=0

gpgkey=http://mirrors.aliyun.com/centos/RPM-GPG-KEY-CentOS-6

[gf-test]

baseurl=http://mirror.symnds.com/distributions/gf/el/6/testing/x86_64/

gpgcheck=0

enabled=1

更新缓存

yum clean

yum makecache

先安装telnet 以防止更新openssh的时候 终端断开。

yum install telnet

详细配置请看

http://jingyan.baidu.com/article/9f63fb91ac7ebcc8400f0e94.html

配置完成后 使用telnet 登录到服务器

开始更新openssh

yum update openssl

yum update openssh

重启服务

service sshd restart

使用ssh –V 查看更新成功没有

接下来就是噩梦的开始

升级好了之后，使用客户端怎么都登录不上去

一开始以为是配置文件的问题，把另外一台没升级过的配置文件sshd_config拷贝到本机，不行

寄出百度 http://bbs.51cto.com/thread-1098820-1.html

按照这个说法

修改配置文件后，发现还是不行，于是重启服务器，居然报错，起不来

妹的一个问题没有解决又来一个问题

按照http://jingyan.baidu.com/article/e9fb46e19c73167521f76681.html

所说的方法照做，进去后把参数修改回来，重启正常了，SSH 无法登陆的问题还是没有解决

又有说是算法的问题

http://bbs.51cto.com/thread-1176918-1.html

照做还是不行， 于是陷入了无休止的找资料之中

回过头来在来看

http://pkgs.org/centos-6/ghettoforge-testing-x86_64/openssh-6.6.1p1-4.gf.el6.x86_64.rpm.html

发现有关于pam的包，会不会是和这个有问题，果断安装，结果还是不行。

似乎陷入死循环了。

就在要暴走的情况下找到了这篇文章

http://bbs.csdn.net/topics/391893954?page=1

修改 UserPAM no 重启服务登录成功，但是服务端会有个警告报错

看来问题就是处在PAM上面

对比两台机器的/etc/pam.d/sshd文件 果真发现问题，修改成一样，UserPAM 改回成yes

重启服务器 问题搞定。

问题还有后续，发现另外一台机器升级之后，安装上面的方法root用户可以登录，普通用户不能登录。回想起来，把原始OPENSSH5.3的配置文件覆盖到本机的配置文件  sshd_config  .   覆盖完成，登录正常

以下是配置文件的内容，以免忘记，先拷贝出来吧

#       $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
#Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Ciphers and keying
#RekeyLimit default none

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
#AuthorizedKeysFile     .ssh/authorized_keys
AuthorizedKeysFile /etc/ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don’t trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don’t read the user’s ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok no

# GSSAPI options

#GSSAPIAuthentication yes
#GSSAPICleanupCredentials no

#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to ‘yes’ to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of “PermitRootLogin without-password”.
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to ‘no’.
# WARNING: ‘UsePAM no’ is not supported in Fedora and may cause several
# problems.

# UsePAM no

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
“/etc/ssh/sshd_config” 166L, 4493C written

评论(0)