OpenSSH upgrade notes
1. Prerequisites
- Files needed for the upgrade: openssh-8.7p1.tar.gz and update_ssh_rpm.sh (the tarball is a bundle of locally rebuilt RPMs, openssh-8.7p1-1.el7, not the upstream source; see the script in 2.3).
- Because these are locally built packages rather than distribution packages, check their provenance before installing: `rpm -K` if they are signed, otherwise compare their checksums with the build host.
- Check the current version: ssh -V
- Switch to the root user.
- Log in from several windows beforehand so you are not locked out if sshd fails to come back. Established sessions survive a stop or restart of sshd; only new connections are affected, so keep the spare sessions open until the final login test passes.
2. Preparation
2.1 Create the openssh directory
[root@VM-4-6-centos ~]# mkdir openssh
2.2 Upload the upgrade package
- Upload openssh-8.7p1.tar.gz to the openssh directory created on the host to be upgraded.
- Upload a known-good sshd_config to the openssh directory (it is used in 3.2 if the upgraded sshd refuses to start).
- Upload the update_ssh_rpm.sh script to the openssh directory and make it executable.
[root@VM-4-6-centos openssh]# chmod +x update_ssh_rpm.sh
[root@VM-4-14-centos openssh]# ll
total 4664
drwxr-xr-x 2 root root 4096 Nov 23 10:00 openssh
-rw-r--r-- 1 root root 4764070 Nov 23 09:59 openssh-8.7p1.tar.gz
-rwxr-xr-x 1 root root 987 Nov 23 09:59 update_ssh_rpm.sh
2.3 Contents of the upgrade script
#!/bin/bash
# Change into the directory holding the tarball. The original line wrapped this in
# $( ... ), which made the shell execute the directory path as a command and produced
# the "Is a directory" message seen in 3.1.
cd "$(dirname "$0")" || exit 1
mkdir -p openssh && tar zxvf openssh-8.7p1.tar.gz -C openssh
# Back up configuration and binaries so the upgrade can be rolled back
cp -r /etc/ssh /etc/ssh.bak
cp /usr/sbin/sshd /usr/sbin/sshd.bak
cp /usr/bin/ssh /usr/bin/ssh.bak
cp -rf /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
cp -rf /etc/pam.d/sshd /etc/pam.d/sshd.bak
# Existing sessions survive the stop; only new logins are refused until sshd is back
systemctl stop sshd
cd openssh
rpm -Uvh *.rpm
# Keep the pre-upgrade configuration (rpm leaves its own copy as sshd_config.rpmnew)
cp -rf /etc/ssh/sshd_config.bak /etc/ssh/sshd_config
cp -rf /etc/pam.d/sshd.bak /etc/pam.d/sshd
# Make sure the file ends with a newline before appending: if it does not, the new
# directive is glued onto the last line and sshd refuses to start (see 3.2).
[ -n "$(tail -c1 /etc/ssh/sshd_config)" ] && echo >> /etc/ssh/sshd_config
# The SHA-1 methods and the 1024-bit group1 exchange are not in OpenSSH 8.7's default
# list; they are re-enabled here only for legacy clients and should be removed once
# those clients are gone. (The duplicate group1-sha1 entry of the original list is dropped.)
echo "KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,curve25519-sha256@libssh.org" >> /etc/ssh/sshd_config
# Only the private host keys require 0600; *.pub and ssh_config are normally 0644
chmod 600 /etc/ssh/*
# Check the configuration with sshd itself before starting the service
if ! /usr/sbin/sshd -t; then
    echo "sshd_config failed the syntax check, restoring the backup"
    cp -rf /etc/ssh/sshd_config.bak /etc/ssh/sshd_config
fi
systemctl start sshd
status_a=$(systemctl is-active sshd)
if [ "$status_a" = "active" ]; then
    systemctl status sshd | grep Active
    ssh -V
else
    echo "#######openssh8.7p1 update failed########"
    systemctl status sshd
fi
3. Upgrade
3.1 Run the upgrade script
[root@VM-4-6-centos openssh]# ./update_ssh_rpm.sh
[root@VM-4-14-centos openssh]# ./update_ssh_rpm.sh
./update_ssh_rpm.sh: line 2: /root/openssh: Is a directory
openssh-8.7p1-1.el7.x86_64.rpm
openssh-clients-8.7p1-1.el7.x86_64.rpm
openssh-debuginfo-8.7p1-1.el7.x86_64.rpm
openssh-server-8.7p1-1.el7.x86_64.rpm
Preparing... ################################# [100%]
Updating / installing...
1:openssh-8.7p1-1.el7 ################################# [ 14%]
2:openssh-clients-8.7p1-1.el7 ################################# [ 29%]
3:openssh-server-8.7p1-1.el7 warning: /etc/ssh/sshd_config created as /etc/ssh/sshd_config.rpmnew
################################# [ 43%]
4:openssh-debuginfo-8.7p1-1.el7 ################################# [ 57%]
Cleaning up / removing...
5:openssh-server-7.4p1-23.el7_9 ################################# [ 71%]
6:openssh-clients-7.4p1-23.el7_9 ################################# [ 86%]
7:openssh-7.4p1-23.el7_9 ################################# [100%]
Job for sshd.service failed because the control process exited with error code. See "systemctl status sshd.service" and "journalctl -xe" for details.
#######openssh8.7p1 update failed########
● sshd.service - SYSV: OpenSSH server daemon
Loaded: loaded (/etc/rc.d/init.d/sshd; bad; vendor preset: enabled)
Active: failed (Result: exit-code) since Thu 2023-11-23 10:00:25 CST; 10ms ago
Docs: man:systemd-sysv-generator(8)
Process: 21694 ExecStart=/etc/rc.d/init.d/sshd start (code=exited, status=255)
Main PID: 1222 (code=exited, status=0/SUCCESS)
Nov 23 10:00:25 VM-4-14-centos systemd[1]: Starting SYSV: OpenSSH server daemon...
Nov 23 10:00:25 VM-4-14-centos sshd[21694]: Starting sshd:/etc/ssh/sshd_config line 140: Bad SSH2 cipher spec 'aes128-ctr,aes192-ctr,aes256-ctrKexAlgorithms'.
Nov 23 10:00:25 VM-4-14-centos sshd[21694]: [FAILED]
Nov 23 10:00:25 VM-4-14-centos systemd[1]: sshd.service: control process exited, code=exited status=255
Nov 23 10:00:25 VM-4-14-centos systemd[1]: Failed to start SYSV: OpenSSH server daemon.
Nov 23 10:00:25 VM-4-14-centos systemd[1]: Unit sshd.service entered failed state.
Nov 23 10:00:25 VM-4-14-centos systemd[1]: sshd.service failed.
3.2 Troubleshooting
The run above shows two problems. The message `./update_ssh_rpm.sh: line 2: /root/openssh: Is a directory` is harmless: the script's second line wrapped the directory path in `$( ... )`, so the shell tried to execute the path instead of changing into it (it should be a plain `cd "$(dirname "$0")"`). The real failure is that sshd refused to start. Check the service status:
[root@VM-4-14-centos openssh]# systemctl status sshd
● sshd.service - SYSV: OpenSSH server daemon
Loaded: loaded (/etc/rc.d/init.d/sshd; bad; vendor preset: enabled)
Active: failed (Result: exit-code) since Thu 2023-11-23 10:00:25 CST; 1min 24s ago
Docs: man:systemd-sysv-generator(8)
Process: 21694 ExecStart=/etc/rc.d/init.d/sshd start (code=exited, status=255)
Main PID: 1222 (code=exited, status=0/SUCCESS)
Nov 23 10:00:25 VM-4-14-centos systemd[1]: Starting SYSV: OpenSSH server daemon...
Nov 23 10:00:25 VM-4-14-centos sshd[21694]: Starting sshd:/etc/ssh/sshd_config line 140: Bad SSH2 cipher spec 'aes128-ctr,ae...thms'.
Nov 23 10:00:25 VM-4-14-centos sshd[21694]: [FAILED]
Nov 23 10:00:25 VM-4-14-centos systemd[1]: sshd.service: control process exited, code=exited status=255
Nov 23 10:00:25 VM-4-14-centos systemd[1]: Failed to start SYSV: OpenSSH server daemon.
Nov 23 10:00:25 VM-4-14-centos systemd[1]: Unit sshd.service entered failed state.
Nov 23 10:00:25 VM-4-14-centos systemd[1]: sshd.service failed.
Hint: Some lines were ellipsized, use -l to show in full.
The status output points at line 140 of /etc/ssh/sshd_config and quotes the offending value: `aes128-ctr,aes192-ctr,aes256-ctrKexAlgorithms`. That is the pre-upgrade file's last line, `Ciphers aes128-ctr,aes192-ctr,aes256-ctr`, with the script's appended `KexAlgorithms ...` glued onto it. The file had no trailing newline, so `echo ... >>` continued the existing line instead of starting a new one, and sshd parsed the result as a single cipher spec (the diff further down shows exactly this). It is not a punctuation problem. The quickest repair on this host is to replace the file with the sshd_config from a host where the upgrade succeeded; back up the current file first.
# Back up the current configuration file
[root@VM-4-14-centos ~]# cd /etc/ssh
[root@VM-4-14-centos ssh]# cp sshd_config sshd_config.bak20231123
The known-good sshd_config was uploaded to the openssh directory in 2.2, so copy it straight into place:
[root@VM-4-14-centos openssh]# cp sshd_config /etc/ssh/
Contents of the replacement configuration file (note that it sets `PermitRootLogin yes` and `PasswordAuthentication yes`; where root password logins are not required, prefer `PermitRootLogin prohibit-password` with key-based authentication):
# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation sandbox
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1,curve25519-sha256@libssh.org
Comparing the working configuration with the failing one confirms that line 140 is the difference (lines 1, 47 and 132 are also reported as changed but look identical here; they differ only in characters the listing does not show, such as whitespace):
[root@VM-4-14-centos ssh]# diff sshd_config sshd_config.bak20231123
1c1
< # $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
---
> # $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
38c38
< PermitRootLogin yes
---
> #PermitRootLogin yes
47c47
< AuthorizedKeysFile .ssh/authorized_keys
---
> AuthorizedKeysFile .ssh/authorized_keys
132c132
< Subsystem sftp /usr/libexec/openssh/sftp-server
---
> Subsystem sftp /usr/libexec/openssh/sftp-server
136,140c136,140
< # X11Forwarding no
< # AllowTcpForwarding no
< # PermitTTY no
< # ForceCommand cvs server
< KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1,curve25519-sha256@libssh.org
---
> # X11Forwarding no
> # AllowTcpForwarding no
> # PermitTTY no
> # ForceCommand cvs server
> Ciphers aes128-ctr,aes192-ctr,aes256-ctrKexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1,curve25519-sha256@libssh.org
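The failure above comes from appending to a file that does not end with a newline. The following is an added example, not part of the original notes or of update_ssh_rpm.sh: a small POSIX sh library that reproduces the broken append on a constructed sshd_config and shows two fixes. `ensure_trailing_newline` is the one-line change the script needs before its `echo >>`; `set_sshd_option` goes further and replaces an existing directive, drops duplicates (sshd honours the first active occurrence) and inserts a missing directive above any `Match` block, since a line appended after a `Match` line would apply to that block only and KexAlgorithms is not permitted there. `check_sshd_config` parses the candidate file with `sshd -t -f` when sshd is installed. The KEX list used in the block is an assumption (a SHA-1-free list, not the one from the notes), and all function names and sample configuration content are this example's own.

```sh
#!/bin/sh
# Added example (not from the original notes): safe handling of the sshd_config
# append that broke the upgrade above. All config content below is constructed.

# Append a newline if FILE does not end with one. $(tail -c1) strips a trailing
# newline, so a non-empty result means the last byte is not a newline.
ensure_trailing_newline() {
    f=$1
    if [ -s "$f" ] && [ -n "$(tail -c1 "$f")" ]; then
        printf '\n' >> "$f"
    fi
}

# The original mistake: blind append. If FILE lacks a final newline the new
# directive is glued onto the last line ("...aes256-ctrKexAlgorithms ...").
naive_append() {
    printf '%s\n' "$2" >> "$1"
}

# Set KEY to VALUE in FILE. sshd uses the first active occurrence, so that one
# is replaced and later duplicates are dropped. A missing directive is inserted
# before the first Match line (or appended when there is none): anything after
# a Match line belongs to that block, and KexAlgorithms is not allowed there.
# Only the "Keyword value" form is matched; commented lines are left alone.
set_sshd_option() {
    f=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    awk -v k="$key" -v v="$value" '
        BEGIN { set = 0; inmatch = 0 }
        !inmatch && tolower($1) == tolower(k) {
            if (!set) { print k " " v; set = 1 }
            next
        }
        tolower($1) == "match" {
            if (!set) { print k " " v; set = 1 }
            inmatch = 1
        }
        { print }
        END { if (!set) print k " " v }
    ' "$f" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$f"   # rewrite in place: keeps inode, owner and mode
    rm -f "$tmp"
}

# Number of active global (pre-Match) lines for KEY in FILE.
count_active() {
    awk -v k="$2" 'tolower($1) == "match" { exit }
                   tolower($1) == tolower(k) { n++ }
                   END { print n + 0 }' "$1"
}

# Parse the candidate file with sshd itself before restarting the service; the
# "Bad SSH2 cipher spec" above would surface here instead of at service start.
check_sshd_config() {
    sshd_bin=$(command -v sshd || command -v /usr/sbin/sshd) || {
        echo "sshd not installed; syntax check skipped" >&2
        return 0
    }
    "$sshd_bin" -t -f "$1"
}

# Assumed key-exchange list without SHA-1 (the notes keep SHA-1 methods for
# legacy clients; substitute their list if those clients still exist).
KEX='curve25519-sha256@libssh.org,ecdh-sha2-nistp256,diffie-hellman-group14-sha256'

# Demo 1: reproduce the failure on a file whose last line has no newline.
cfg=$(mktemp)
printf 'PermitRootLogin no\nCiphers aes128-ctr,aes192-ctr,aes256-ctr' > "$cfg"
naive_append "$cfg" "KexAlgorithms $KEX"
echo "--- naive append: the last line is now one glued directive ---"
tail -n 1 "$cfg"

# Demo 2: the minimal fix for the script: ensure the newline, then append.
printf 'PermitRootLogin no\nCiphers aes128-ctr,aes192-ctr,aes256-ctr' > "$cfg"
ensure_trailing_newline "$cfg"
naive_append "$cfg" "KexAlgorithms $KEX"
echo "--- newline ensured, then appended ---"
cat "$cfg"

# Demo 3: robust edit: replace duplicates and stay above the Match block.
printf 'KexAlgorithms diffie-hellman-group1-sha1\nKexAlgorithms diffie-hellman-group14-sha1\nMatch User backup\n    PasswordAuthentication no\n' > "$cfg"
set_sshd_option "$cfg" KexAlgorithms "$KEX"
echo "--- set_sshd_option ---"
cat "$cfg"
check_sshd_config "$cfg" || echo "sshd rejected the candidate config" >&2
rm -f "$cfg"
```

Run it as a normal user to see the three cases; on a host with sshd installed, `check_sshd_config` also exercises `sshd -t -f` against the temporary file, which is the check to run on the real /etc/ssh/sshd_config before `systemctl start sshd`.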
3.3 If the upgrade did not report an error
If the script ran cleanly, still make sure that `PermitRootLogin yes` in /etc/ssh/sshd_config is uncommented (the full keyword is PermitRootLogin, not RootLogin). OpenSSH's built-in default is prohibit-password, so with the directive commented out root can no longer log in with a password after the upgrade. Allowing root password logins is the weakest option: where the host does not need it, keep the default, use keys, and restrict who may log in with AllowUsers or a Match block.
# Uncomment line 38
[root@VM-4-14-centos ssh]# vim sshd_config
...
37 #LoginGraceTime 2m
38 PermitRootLogin yes
39 #StrictModes yes
40 #MaxAuthTries 6
...
Restart sshd and check its status:
[root@VM-4-14-centos ssh]# systemctl restart sshd
[root@VM-4-14-centos ssh]# systemctl status sshd
● sshd.service - SYSV: OpenSSH server daemon
Loaded: loaded (/etc/rc.d/init.d/sshd; bad; vendor preset: enabled)
Active: active (running) since Thu 2023-11-23 10:16:25 CST; 2s ago
Docs: man:systemd-sysv-generator(8)
Process: 25479 ExecStart=/etc/rc.d/init.d/sshd start (code=exited, status=0/SUCCESS)
Main PID: 25487 (sshd)
CGroup: /system.slice/sshd.service
└─25487 sshd: /usr/sbin/sshd [listener] 0 of 10-100 startups
Nov 23 10:16:25 VM-4-14-centos systemd[1]: Starting SYSV: OpenSSH server daemon...
Nov 23 10:16:25 VM-4-14-centos sshd[25487]: Server listening on 0.0.0.0 port 22.
Nov 23 10:16:25 VM-4-14-centos sshd[25487]: Server listening on :: port 22.
Nov 23 10:16:25 VM-4-14-centos sshd[25479]: Starting sshd:[ OK ]
Nov 23 10:16:25 VM-4-14-centos systemd[1]: Started SYSV: OpenSSH server daemon.
The service is running. Note the `SYSV: OpenSSH server daemon` unit loaded from /etc/rc.d/init.d/sshd: the rebuilt package ships a SysV init script, which systemd wraps, rather than the distribution's native sshd.service unit. Keep that in mind when managing the service later.
4. Check the ssh version
# The version has been upgraded
[root@VM-4-14-centos ssh]# ssh -V
OpenSSH_8.7p1, OpenSSL 1.0.2k-fips 26 Jan 2017
5. Test logging in
Open a new window and connect to the upgraded host. If the login works, the upgrade is complete; keep the older sessions open until this check passes. `ssh -V` in the previous step reports the client version, so also confirm the server from another machine with `ssh -v user@host`, whose debug output includes the line `remote software version OpenSSH_8.7`.