CentOS操作系统下SSH升级到8.0及OpenSSL升级

一.先安装telnet服务,以防卸载openssh后连接不到服务器

yum install -y telnet-server
yum install -y xinetd 
systemctl enable xinetd.service && systemctl enable telnet.socket && systemctl start telnet.socket && systemctl start xinetd

默认情况下，系统是不允许root用户telnet远程登录的。如果要使用root用户直接登录，需设置如下内容:

echo  'pts/0'  >>/etc/securetty
echo 'pts/1' >>/etc/securetty
echo 'pts/2' >>/etc/securetty
echo 'pts/3' >>/etc/securetty
systemctl restart xinetd.service

然后在本地测试telnet能否连接到服务器 , 如果一直报密码无效要注意selinux和防火墙
连接到的话就是如下显示.输入root密码即可登录

localhost login: root
Password:

[root@localhost ~]#
二.升级开始:(注意 : 关闭SELinux)
1.升级openssl
1)查看当前ssl版本，以备后续对比
[root@instance-7d3ea75c ~]# openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017
2)备份openssl相关文件
[root@instance-7d3ea75c ~]# whereis openssl
openssl: /usr/lib64/openssl /usr/include/openssl /usr/share/man/man1/openssl.1ssl.gz
[root@instance-7d3ea75c ~]# mv /usr/bin/openssl /usr/bin/openssl_20190711bak
[root@instance-7d3ea75c ~]# mv /usr/include/openssl /usr/include/openssl_20190711bak
3)编译安装新版本的openssl

下载OpenSSL
[root@instance-7d3ea75c ~]# wget https://ftp.openssl.org/source/openssl-1.1.1c.tar.gz
[root@instance-7d3ea75c ~]# tar -zxvf openssl-1.1.1c.tar.gz
[root@instance-7d3ea75c ~]# cd openssl-1.1.1c
配置、编译、安装3个命令一起执行
[root@instance-7d3ea75c openssl-1.1.1c]# ./config --prefix=/usr shared && make && make install
以上命令执行完毕，echo $?查看下最后的make install是否有报错，0表示没有问题
4)查看确认版本
[root@instance-7d3ea75c ~]# openssl version
OpenSSL 1.1.1c  28 May 2019

#加载动态链接库
/sbin/ldconfig

wget https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/openssh-8.0p1.tar.gz
先把openssh-8.0p1.tar.gz传到服务器上 , 在进行升级的一系列操作.

1.yum安装依赖（我这里是SSH升级，已经安装过这些依赖，情况一样这个步骤可以忽略）
yum install -y gcc openssl openssl-devel pam-devel rpm-build pam-devel

2.卸载openssh

[root@localhost src]# rpm -qa | grep openssh
[root@localhost src]# rpm -e `rpm -qa | grep openssh` --nodeps
[root@localhost src]# rpm -qa | grep openssh
3.安装openssh8.0
1)执行如下命令,设置适当的环境
install -v -m700 -d /var/lib/sshd && chown -v root:sys /var/lib/sshd && groupadd -g 50 sshd && useradd -c 'sshd PrivSep' -d /var/lib/sshd -g sshd -s /bin/false -u 50 sshd
2)解压

tar -zxvf openssh-8.0p1.tar.gz 
cd openssh-8.0p1
3)安装
备份ssh相关目录
mv /etc/ssh /etc/ssh_20190711
[root@instance-7d3ea75c openssh-8.0p1]# ./configure --prefix=/usr/ --sysconfdir=/etc/ssh  -with-ssl-dir=/usr/local/ssl   --with-zlib   --with-md5-passwords   --with-pam  --with-4in6

[root@instance-7d3ea75c openssh-8.0p1]# make && make install

linux openssh升级到8.0

4)执行如下命令
mv /usr/share/doc/openssh-7.9p1 /usr/share/doc/openssh-7.9p1_20190711bak
mv /usr/bin/ssh-copy-id /usr/bin/ssh-copy-id_20190711bak
mv /usr/share/man/man1/ssh-copy-id.1 /usr/share/man/man1/ssh-copy-id.1_20190711bak
[root@instance-7d3ea75c openssh-8.0p1]# install -v -m755 contrib/ssh-copy-id /usr/bin && install -v -m644 contrib/ssh-copy-id.1 /usr/share/man/man1 && install -v -m755 -d /usr/share/doc/openssh-8.0p1 && install -v -m644 INSTALL LICENCE OVERVIEW README* /usr/share/doc/openssh-8.0p1

[root@instance-7d3ea75c openssh-8.0p1]# ssh -V
OpenSSH_8.0p1, OpenSSL 1.1.1c  28 May 2019

5)修改配置文件 PermitRootLogin yes 允许root远程登录 , 开机自启
mv /etc/init.d/sshd /etc/init.d/sshd_20190711bak
echo "PermitRootLogin yes" >> /etc/ssh/sshd_config && cp -a /root/openssh-8.0p1/contrib/redhat/sshd.init /etc/init.d/sshd

chkconfig --add sshd
chkconfig sshd on
[root@instance-7d3ea75c ~]# service sshd restart
Restarting sshd (via systemctl):  [  OK  ]

4.把telnet关掉

[root@instance-7d3ea75c ~]# rpm -qa telnet-server
telnet-server-0.17-64.el7.x86_64
[root@instance-7d3ea75c ~]#  systemctl stop telnet.socket 
[root@instance-7d3ea75c ~]#  systemctl stop xinetd
[root@instance-7d3ea75c ~]#  systemctl disable xinetd.service   
Removed symlink /etc/systemd/system/multi-user.target.wants/xinetd.service.
[root@instance-7d3ea75c ~]#  systemctl disable telnet.socket
Removed symlink /etc/systemd/system/sockets.target.wants/telnet.socket.