1. Preparation
- Required packages
- system-tools.tar.gz (installed in step 3)
- telnet.tar.gz
- openssh-9.0p1.tar.gz
- openssl102k.tar.gz
- openssl-3.0.5.tar.gz
- dependencies-7.6.tar.gz
2. Check the current version first
- ssh -V
3. Upload and extract the packages
- The steps assume you log in as an unprivileged user and escalate with su; every yum, rpm and systemctl command below runs as root.
- Install the tools
tar zxvf system-tools.tar.gz
cd system-tools/
su
yum -y localinstall *.rpm
cd ..
- Upload the required archives and extract them
tar -zxvf telnet.tar.gz
tar -zxvf openssh-9.0p1.tar.gz
tar -zxvf openssl102k.tar.gz
tar -zxvf openssl-3.0.5.tar.gz
- Upload the 7.6 dependency package, extract and install it
tar zxvf dependencies-7.6.tar.gz
cd dependencies-7.6/
su
yum -y localinstall *.rpm
cd ..
4. Temporarily disable the firewall and SELinux so they cannot interfere
- If Docker is running, leave firewalld alone: stopping or restarting firewalld removes the iptables rules Docker set up and breaks container networking until Docker is restarted.
- Both changes are runtime-only and do not survive a reboot. Re-enable SELinux and firewalld (the reverse of the two commands below) once the new sshd login has been confirmed at the end of this procedure.
su
setenforce 0
systemctl stop firewalld
5. Update OpenSSL
- Record the current state before changing anything
ssh -V
openssl version -a
rpm -qa | grep openssl
6. Update the OpenSSL 1.0.2k patch RPMs
- This keeps the distribution's 1.0.2k packages patched; the system openssl binary and everything else on the host that links libcrypto.so.10 stays on them. The rpm --nodeps --force line is a fallback for when yum refuses the install: it bypasses dependency checks, so only use it if the yum step fails and you have confirmed what it will replace.
cd openssl102k
yum -y localinstall *.rpm
rpm -Uvh *.rpm --nodeps --force
7. Build and install OpenSSL 3.0.5 from source
- It goes into its own prefix so it does not overwrite the distribution's 1.0.2k. On a 64-bit host OpenSSL 3 installs its libraries under lib64 of that prefix, which is the path used in the next step.
cd ..
cd openssl-3.0.5/
mkdir -p /usr/local/openssl3
./config --prefix=/usr/local/openssl3
make && make install
8. Make the shared libraries resolvable
- The symlink gives you an openssl3 command next to the untouched system openssl. Adding the lib64 directory to ld.so.conf is what lets a binary built against OpenSSL 3 find libcrypto.so.3 at run time; its SONAME differs from the system's libcrypto.so.10, so the two libraries do not clash.
ln -s /usr/local/openssl3/bin/openssl /usr/bin/openssl3
echo "/usr/local/openssl3/lib64" >> /etc/ld.so.conf
ldconfig -v
9. Check both versions
- The first command should still report 1.0.2k, the second 3.0.5.
openssl version -a
openssl3 version -a
10. Back up the ssh components
- cp -a keeps ownership, modes and timestamps, which matters if you have to restore the host keys or configuration later.
cp -a /etc/ssh /etc/ssh.bak-`date -I`
cp -a /etc/pam.d /etc/pam.d.bak-`date -I`
11. Install telnet
- So that a broken sshd cannot lock you out, install a temporary telnet server first. Install the telnet server and xinetd RPMs from the extracted telnet.tar.gz the same way as in step 3 (yum -y localinstall *.rpm inside that directory), then start telnet.socket, the unit that is stopped again at the end.
- Telnet carries the login and everything else in plaintext; only do this on a network you trust, and remove it as soon as the new sshd works.
12. Test telnet
- ss -lnt | grep ':23 '
- From your own machine, open cmd and connect to the server with telnet
- C:\>telnet $IP
- On RHEL/CentOS 7 pam_securetty refuses direct root logins over telnet by default, so log in as a regular user and use su, as the steps below do.
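The telnet bring-up and listener check as a script, added here as an example and not part of the original guide. It assumes telnet.tar.gz was extracted into ./telnet/ and contains the telnet-server and xinetd RPMs, and that the service is systemd's telnet.socket (the unit the final step stops); the --run flag and function names are this example's own. The parser compares the port as a whole field, so unlike `grep 23` it does not match 2323 or an address that happens to contain 23.

```bash
#!/usr/bin/env bash
# Added example, not from the original guide: bring up the telnet fallback
# and prove something is listening on tcp/23 before sshd is stopped.
# Assumptions: telnet.tar.gz extracted into ./telnet/ with the telnet-server
# and xinetd RPMs; the service is systemd's telnet.socket. Run as root
# with --run; without it only the functions are defined.
set -u

# Succeed only if a LISTEN socket in `ss -lnt` output (stdin) is bound to
# PORT on any address (*, 0.0.0.0, [::], ...). State is checked too, so an
# established connection to :23 does not count as a listener.
listening_on_port() {
    awk -v p="$1" '
        $1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == p) found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Install the RPMs from DIR (same pattern as step 3) and activate the socket.
install_telnet_fallback() {
    local dir="${1:-telnet}"
    ( cd "$dir" && yum -y localinstall *.rpm ) || return 1
    systemctl start telnet.socket || return 1
    systemctl is-active --quiet telnet.socket
}

# Gate for the next step: refuse to go on if the fallback is not up.
check_telnet_listener() {
    if ss -lnt | listening_on_port 23; then
        echo "ok: telnet is listening on tcp/23; test a login from another host before stopping sshd"
    else
        echo "FAIL: nothing listens on tcp/23; do not stop sshd yet" >&2
        return 1
    fi
}

if [ "${1:-}" = "--run" ]; then
    install_telnet_fallback "${2:-telnet}" && check_telnet_listener
fi
```

Run it as root with `--run` (optionally followed by the RPM directory); a non-zero exit means the fallback is not in place and sshd must not be touched yet.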
13. Close the ssh connection and upgrade the ssh service from the telnet terminal
- Work in the telnet session from here on: stopping sshd and killing the remaining sshd processes also terminates every ssh session still open. Removing /etc/ssh relies on the backup from step 10. The new install generates fresh host keys, so clients will warn about a changed host key on their first reconnect; if you want them to keep trusting the host, copy the old host keys back from the backup before starting the new sshd.
ssh -V
su
systemctl stop sshd
rm -rf /etc/ssh
ss -antp | grep sshd
killall sshd
ss -antp | grep sshd
14. Build and install OpenSSH
- --prefix=/usr/ puts the new binaries where the distribution's were (/usr/bin/ssh, /usr/sbin/sshd), so they replace them in place; --with-ssl-dir points the build at the OpenSSL 3 prefix. make install also generates host keys in /etc/ssh and runs sshd -t against the default config it installs. --with-pam together with UsePAM yes needs /etc/pam.d/sshd, and privilege separation needs the sshd user; both come from the distribution's openssh-server package, which stays installed.
cd ../openssh-9.0p1/
./configure --prefix=/usr/ --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/openssl3 --with-zlib --with-pam
make && make install
15. Write the sshd_config
- Notes on these settings: Protocol is obsolete in OpenSSH 9.0 (only protocol 2 exists) and is ignored with a deprecation warning. PermitRootLogin yes is weaker than the default prohibit-password and is not needed when you log in as a user and su, so tighten it once key-based login is confirmed. HostKey names only the ed25519 key, so clients that cannot verify ed25519 host keys will not connect. X11Forwarding yes can be turned off on a server without graphical clients. Validate the file with sshd -t before starting the daemon.
cat >/etc/ssh/sshd_config<<-EOF
Protocol 2
UsePAM yes
MaxAuthTries 6
MaxSessions 10
ClientAliveInterval 300
ClientAliveCountMax 3
PermitRootLogin yes
IgnoreRhosts yes
IgnoreUserKnownHosts no
HostbasedAuthentication no
PubkeyAuthentication yes
PasswordAuthentication yes
PrintMotd no
PrintLastLog no
X11Forwarding yes
StrictModes yes
TCPKeepAlive yes
PermitEmptyPasswords no
Compression yes
UseDNS no
Banner none
LogLevel INFO
SyslogFacility AUTHPRIV
AuthorizedKeysFile .ssh/authorized_keys
HostKey /etc/ssh/ssh_host_ed25519_key
EOF
16. Start sshd
- The daemon is started with the init script shipped in contrib/redhat; the distribution's unit file is set aside and replaced by the unit that systemd's sysv-generator produced for that init script. If /run/systemd/generator.late/sshd.init.service does not exist yet, run systemctl daemon-reload first so the generator creates it, then continue.
- Still in openssh-9.0p1/ from the previous step; the contrib path below is relative to it.
\cp -r contrib/redhat/sshd.init /etc/init.d/
chmod +x /etc/init.d/sshd.init
/etc/init.d/sshd.init start
mv /usr/lib/systemd/system/sshd.service /usr/lib/systemd/system/sshd.service.bak
\cp -r /run/systemd/generator.late/sshd.init.service /usr/lib/systemd/system/sshd.service
systemctl daemon-reload
systemctl restart sshd
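Before trusting the rebuilt daemon and closing telnet, verify it in the telnet session. The script below is an added example, not code from the original guide. It assumes the paths used above (OpenSSL 3 in /usr/local/openssl3, sshd installed by --prefix=/usr to /usr/sbin/sshd, config in /etc/ssh/sshd_config); the function names and the --run flag are this example's own. It checks the one fact a build log does not prove, that sshd resolves libcrypto.so.3 from the OpenSSL 3 prefix at run time (OpenSSH links libcrypto only, there is no libssl to check), runs sshd -t, and reads the config the way sshd does: the first occurrence of a keyword wins, and lines after a Match header are conditional.

```bash
#!/usr/bin/env bash
# Added example, not from the original guide: checks to run in the telnet
# session before trusting the rebuilt sshd. Assumed paths follow the steps
# above. The helpers are pure text parsers; the live checks run as root
# with --run.
set -u

SSL_PREFIX=/usr/local/openssl3
SSHD_BIN=/usr/sbin/sshd
SSHD_CFG=/etc/ssh/sshd_config

# "OpenSSH_9.0p1, OpenSSL 3.0.5 5 Jul 2022" -> "3.0.5". ssh -V names the
# OpenSSL library it actually loaded, so this is a run-time check.
ssl_version_from_banner() {
    sed -n 's/.*OpenSSL \([0-9][0-9.a-z]*\).*/\1/p'
}

# From `ldd <binary>` output on stdin, print the absolute path the loader
# resolved for library NAME (libcrypto, libpam, ...). Prints nothing for
# "=> not found".
resolved_lib() {
    awk -v n="$1" '$1 ~ ("^" n "\\.so") && $2 == "=>" && $3 ~ /^\// { print $3 }'
}

# Effective value of KEY in sshd_config FILE: first occurrence wins, and
# everything after a Match header is conditional, so stop there. Assumes
# the "Keyword value" form used in the config above.
sshd_effective() {
    local key
    key=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    awk -v k="$key" '
        /^[[:space:]]*(#|$)/   { next }
        tolower($1) == "match" { exit }
        tolower($1) == k       { print $2; exit }' "$2"
}

# Print how many baseline checks FILE fails; an absent keyword takes sshd's
# built-in default. PermitRootLogin yes is only a warning, as in the guide.
check_sshd_config() {
    local f="$1" failures=0 key want dflt v
    while IFS=: read -r key want dflt; do
        v=$(sshd_effective "$key" "$f")
        v=${v:-$dflt}
        if [ "$v" != "$want" ]; then
            echo "FAIL: $key is '$v', want '$want'" >&2
            failures=$((failures + 1))
        fi
    done <<'EOF'
PermitEmptyPasswords:no:no
HostbasedAuthentication:no:no
IgnoreRhosts:yes:yes
PubkeyAuthentication:yes:yes
EOF
    case "$(sshd_effective PermitRootLogin "$f")" in
        yes) echo "WARN: PermitRootLogin yes; prefer prohibit-password once key login works" >&2 ;;
    esac
    echo "$failures"
}

main() {
    local banner lib
    banner=$(ssh -V 2>&1)
    echo "ssh -V: $banner (OpenSSL $(printf '%s\n' "$banner" | ssl_version_from_banner))"

    # 1. libcrypto must come from the OpenSSL 3 prefix; anything else means
    #    the ld.so.conf entry or ldconfig from step 8 did not take effect.
    lib=$(ldd "$SSHD_BIN" | resolved_lib libcrypto)
    case "$lib" in
        "$SSL_PREFIX"/*) echo "ok: libcrypto -> $lib" ;;
        *) echo "FAIL: libcrypto resolved to '${lib:-not found}', expected under $SSL_PREFIX" >&2; return 1 ;;
    esac

    # 2. Syntax, host keys and privilege-separation user, without starting anything.
    "$SSHD_BIN" -t -f "$SSHD_CFG" || { echo "FAIL: sshd -t rejected $SSHD_CFG" >&2; return 1; }

    # 3. Baseline settings, then the unit and the listener.
    [ "$(check_sshd_config "$SSHD_CFG")" -eq 0 ] || return 1
    systemctl is-active --quiet sshd || { echo "FAIL: sshd unit not active" >&2; return 1; }
    ss -lnt | awk '$1 == "LISTEN" { n = split($4, a, ":"); if (a[n] == "22") f = 1 } END { exit (f ? 0 : 1) }' \
        || { echo "FAIL: nothing listening on tcp/22" >&2; return 1; }
    echo "all checks passed; now log in over ssh from another terminal before closing telnet"
}

if [ "${1:-}" = "--run" ]; then
    main
fi
```

If the libcrypto check fails with "not found", the ld.so.conf entry from step 8 is missing or ldconfig was not run; if it resolves to a path outside /usr/local/openssl3, some other libcrypto.so.3 is shadowing the one you built.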
17. Log in over ssh; do not close telnet yet!
- Make absolutely sure the ssh login succeeds before closing telnet!!!
- If you were using MobaXterm before, use a different client; otherwise failed password attempts can easily lock the account.
ssh -V
su
systemctl enable sshd
systemctl status sshd
- Once ssh works, stop telnet and uninstall it. This is also the point to turn SELinux and firewalld back on, which were disabled in step 4.
su
systemctl stop telnet.socket
systemctl stop xinetd
rpm -e --nodeps `rpm -qa | grep -E "telnet|xinetd"`