OpenSSH upgrade plan

OpenSSH upgrade notes

1. Prerequisites

  • Files required for the upgrade: openssh-8.7p1.tar.gz (the bundle of 8.7p1 RPMs) and update_ssh_rpm.sh.
  • Check the current ssh version: ssh -V
  • Switch to the root user.
  • Open several login sessions in advance, so that you still have a way in if sshd stops accepting connections.

2. Upgrade preparation

2.1 Create the openssh directory

[root@VM-4-6-centos ~]# mkdir openssh

2.2 Upload the upgrade package

  • Upload openssh-8.7p1.tar.gz to the openssh directory created on the host to be upgraded.

  • Upload sshd_config to the openssh directory.

  • Upload the update_ssh_rpm.sh script to the openssh directory.

Make the update_ssh_rpm.sh script executable.

[root@VM-4-6-centos openssh]# chmod +x update_ssh_rpm.sh
[root@VM-4-14-centos openssh]# ll
total 4664
drwxr-xr-x 2 root root    4096 Nov 23 10:00 openssh
-rw-r--r-- 1 root root 4764070 Nov 23 09:59 openssh-8.7p1.tar.gz
-rwxr-xr-x 1 root root     987 Nov 23 09:59 update_ssh_rpm.sh

2.3 Review the upgrade script

#!/bin/bash
# Work from the directory that holds this script and the tarball.
# (The original line here was `$(cd "$(dirname "$0")";pwd)`, which tried to
# execute the directory path as a command and produced the
# "line 2: /root/openssh: Is a directory" message seen in the run below.)
cd "$(dirname "$0")" || exit 1
mkdir openssh && tar zxvf openssh-8.7p1.tar.gz -C openssh
# Back up the existing configuration, PAM file and binaries before changing anything.
cp -r /etc/ssh /etc/ssh.bak
cp /usr/sbin/sshd /usr/sbin/sshd.bak
cp /usr/bin/ssh /usr/bin/ssh.bak
cp -rf /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
cp -rf /etc/pam.d/sshd /etc/pam.d/sshd.bak
systemctl stop sshd
cd openssh || exit 1
rpm -Uvh *.rpm
# Put the original sshd_config and PAM file back over the ones the RPMs installed.
cp -rf /etc/ssh/sshd_config.bak /etc/ssh/sshd_config
cp -rf /etc/pam.d/sshd.bak /etc/pam.d/sshd
# Append the KexAlgorithms directive on a line of its own. The original used
# `echo ... >>`; when sshd_config has no trailing newline that glues the new
# directive onto the last existing line, which is exactly the failure shown below.
# This list re-enables legacy SHA-1 key-exchange methods (diffie-hellman-group1-sha1
# is listed twice) that current OpenSSH releases disable by default; trim it once
# the old clients that need them are gone.
printf '\nKexAlgorithms %s\n' "diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1,curve25519-sha256@libssh.org" >> /etc/ssh/sshd_config
# Note: this also makes the public key files and ssh_config root-only; sshd does not mind.
chmod 600 /etc/ssh/*
systemctl start sshd
status_a=$(systemctl is-active sshd)
if [ "$status_a" = "active" ]; then
	systemctl status sshd | grep Active
	ssh -V
else
	echo "#######openssh8.7p1 update failed########"
	systemctl status sshd
fi

3. Performing the upgrade

3.1 Run the upgrade script

[root@VM-4-6-centos openssh]# ./update_ssh_rpm.sh
[root@VM-4-14-centos openssh]# ./update_ssh_rpm.sh 
./update_ssh_rpm.sh: line 2: /root/openssh: Is a directory
openssh-8.7p1-1.el7.x86_64.rpm
openssh-clients-8.7p1-1.el7.x86_64.rpm
openssh-debuginfo-8.7p1-1.el7.x86_64.rpm
openssh-server-8.7p1-1.el7.x86_64.rpm
Preparing...                          ################################# [100%]
Updating / installing...
   1:openssh-8.7p1-1.el7              ################################# [ 14%]
   2:openssh-clients-8.7p1-1.el7      ################################# [ 29%]
   3:openssh-server-8.7p1-1.el7       warning: /etc/ssh/sshd_config created as /etc/ssh/sshd_config.rpmnew
################################# [ 43%]
   4:openssh-debuginfo-8.7p1-1.el7    ################################# [ 57%]
Cleaning up / removing...
   5:openssh-server-7.4p1-23.el7_9    ################################# [ 71%]
   6:openssh-clients-7.4p1-23.el7_9   ################################# [ 86%]
   7:openssh-7.4p1-23.el7_9           ################################# [100%]
Job for sshd.service failed because the control process exited with error code. See "systemctl status sshd.service" and "journalctl -xe" for details.
#######openssh8.7p1 update failed########
● sshd.service - SYSV: OpenSSH server daemon
   Loaded: loaded (/etc/rc.d/init.d/sshd; bad; vendor preset: enabled)
   Active: failed (Result: exit-code) since Thu 2023-11-23 10:00:25 CST; 10ms ago
     Docs: man:systemd-sysv-generator(8)
  Process: 21694 ExecStart=/etc/rc.d/init.d/sshd start (code=exited, status=255)
 Main PID: 1222 (code=exited, status=0/SUCCESS)

Nov 23 10:00:25 VM-4-14-centos systemd[1]: Starting SYSV: OpenSSH server daemon...
Nov 23 10:00:25 VM-4-14-centos sshd[21694]: Starting sshd:/etc/ssh/sshd_config line 140: Bad SSH2 cipher spec 'aes128-ctr,aes192-ctr,aes256-ctrKexAlgorithms'.
Nov 23 10:00:25 VM-4-14-centos sshd[21694]: [FAILED]
Nov 23 10:00:25 VM-4-14-centos systemd[1]: sshd.service: control process exited, code=exited status=255
Nov 23 10:00:25 VM-4-14-centos systemd[1]: Failed to start SYSV: OpenSSH server daemon.
Nov 23 10:00:25 VM-4-14-centos systemd[1]: Unit sshd.service entered failed state.
Nov 23 10:00:25 VM-4-14-centos systemd[1]: sshd.service failed.

3.2 Troubleshooting

The run above reported an error, so check the sshd status:

[root@VM-4-14-centos openssh]# systemctl status sshd
● sshd.service - SYSV: OpenSSH server daemon
   Loaded: loaded (/etc/rc.d/init.d/sshd; bad; vendor preset: enabled)
   Active: failed (Result: exit-code) since Thu 2023-11-23 10:00:25 CST; 1min 24s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 21694 ExecStart=/etc/rc.d/init.d/sshd start (code=exited, status=255)
 Main PID: 1222 (code=exited, status=0/SUCCESS)

Nov 23 10:00:25 VM-4-14-centos systemd[1]: Starting SYSV: OpenSSH server daemon...
Nov 23 10:00:25 VM-4-14-centos sshd[21694]: Starting sshd:/etc/ssh/sshd_config line 140: Bad SSH2 cipher spec 'aes128-ctr,ae...thms'.
Nov 23 10:00:25 VM-4-14-centos sshd[21694]: [FAILED]
Nov 23 10:00:25 VM-4-14-centos systemd[1]: sshd.service: control process exited, code=exited status=255
Nov 23 10:00:25 VM-4-14-centos systemd[1]: Failed to start SYSV: OpenSSH server daemon.
Nov 23 10:00:25 VM-4-14-centos systemd[1]: Unit sshd.service entered failed state.
Nov 23 10:00:25 VM-4-14-centos systemd[1]: sshd.service failed.
Hint: Some lines were ellipsized, use -l to show in full.

The messages above point at line 140. It looks like a punctuation or line-break problem (the log shows the Ciphers value and the KexAlgorithms keyword run together as one line), so we simply replace the configuration file. Upload /etc/ssh/sshd_config from a machine where the upgrade succeeded, backing up the existing file first.

# Back up the existing configuration file
[root@VM-4-14-centos ~]# cd /etc/ssh
[root@VM-4-14-centos ssh]# cp sshd_config sshd_config.bak20231123

Since the file was uploaded earlier, replace the configuration file directly:

[root@VM-4-14-centos openssh]# cp sshd_config /etc/ssh/

Contents of the configuration file:

#	$OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile	.ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation sandbox
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

# override default of no subsystems
Subsystem	sftp	/usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server
KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1,curve25519-sha256@libssh.org

Comparing the working configuration file with the failing one shows that line 140 differs:

[root@VM-4-14-centos ssh]# diff sshd_config sshd_config.bak20231123 
1c1
< #       $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
---
> #     $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
38c38
< PermitRootLogin yes
---
> #PermitRootLogin yes
47c47
< AuthorizedKeysFile      .ssh/authorized_keys
---
> AuthorizedKeysFile .ssh/authorized_keys
132c132
< Subsystem       sftp    /usr/libexec/openssh/sftp-server
---
> Subsystem sftp        /usr/libexec/openssh/sftp-server
136,140c136,140
< #       X11Forwarding no
< #       AllowTcpForwarding no
< #       PermitTTY no
< #       ForceCommand cvs server
< KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1,curve25519-sha256@libssh.org
---
> #     X11Forwarding no
> #     AllowTcpForwarding no
> #     PermitTTY no
> #     ForceCommand cvs server
> Ciphers aes128-ctr,aes192-ctr,aes256-ctrKexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1,curve25519-sha256@libssh.org
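The diff confirms the cause: the script's `echo ... >> sshd_config` appended to a file whose last line had no trailing newline, so KexAlgorithms was glued onto the Ciphers line. The following is an added example, not part of the original page or script, showing a safe way to set a directive, a check for the glued form, and validation with `sshd -t` when it is present; the helper names and the shortened KexAlgorithms value are constructed for the demo.

```shell
#!/bin/sh
# Return 0 if FILE is empty or ends with a newline, 1 otherwise.
ends_with_newline() {
  [ ! -s "$1" ] || [ "$(tail -c 1 "$1" | wc -l | tr -d ' ')" -eq 1 ]
}

# set_directive FILE KEY VALUE: replace an active "KEY ..." line in place,
# or append one on its own line. Assumes GNU sed -i (present on CentOS 7).
set_directive() {
  file=$1; key=$2; value=$3
  ends_with_newline "$file" || printf '\n' >> "$file"
  if grep -q "^${key}[[:space:]]" "$file"; then
    sed -i "s|^${key}[[:space:]].*|${key} ${value}|" "$file"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

# Return 0 if a keyword is glued to the preceding token (e.g. "aes256-ctrKexAlgorithms").
has_glued_directive() {
  grep -Eq '[^[:space:]](Ciphers|KexAlgorithms|MACs|HostKey)[[:space:]]' "$1"
}

# Validate before restarting: sshd -t parses the file (and loads host keys)
# without starting the daemon, so run it against the real /etc/ssh/sshd_config.
check_config() {
  if command -v sshd >/dev/null 2>&1; then sshd -t -f "$1"; else ! has_glued_directive "$1"; fi
}

# Reproduce the page's failure on a constructed file, then apply the safe version.
# Prints "<glued> <fixed> <count>": 1 if echo >> glued the line, 1 if the safe
# version is clean, and how many KexAlgorithms lines remain after two calls.
demo() {
  tmp=$(mktemp)
  kex='diffie-hellman-group14-sha256,curve25519-sha256@libssh.org'   # constructed
  # constructed config whose last line lacks a trailing newline, as on the failed host
  printf 'PermitRootLogin yes\nCiphers aes128-ctr,aes192-ctr,aes256-ctr' > "$tmp"
  echo "KexAlgorithms $kex" >> "$tmp"          # the original script's approach
  has_glued_directive "$tmp" && glued=1 || glued=0
  printf 'PermitRootLogin yes\nCiphers aes128-ctr,aes192-ctr,aes256-ctr' > "$tmp"
  set_directive "$tmp" KexAlgorithms "$kex"
  set_directive "$tmp" KexAlgorithms "$kex"    # second call must not duplicate
  has_glued_directive "$tmp" && fixed=0 || fixed=1
  n=$(grep -c '^KexAlgorithms ' "$tmp")
  rm -f "$tmp"
  echo "$glued $fixed $n"
}
```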

3.3 If the upgrade reports no error

If the upgrade completes without error, uncomment the PermitRootLogin yes line in /etc/ssh/sshd_config (the RPM ships it commented out, so root logins would otherwise be refused after the upgrade).

# Uncomment line 38
[root@VM-4-14-centos ssh]# vim sshd_config
...
 37 #LoginGraceTime 2m
 38 PermitRootLogin yes
 39 #StrictModes yes
 40 #MaxAuthTries 6
 ...

Restart the sshd service and check its status:

[root@VM-4-14-centos ssh]# systemctl restart sshd
[root@VM-4-14-centos ssh]# systemctl status sshd
● sshd.service - SYSV: OpenSSH server daemon
   Loaded: loaded (/etc/rc.d/init.d/sshd; bad; vendor preset: enabled)
   Active: active (running) since Thu 2023-11-23 10:16:25 CST; 2s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 25479 ExecStart=/etc/rc.d/init.d/sshd start (code=exited, status=0/SUCCESS)
 Main PID: 25487 (sshd)
   CGroup: /system.slice/sshd.service
           └─25487 sshd: /usr/sbin/sshd [listener] 0 of 10-100 startups

Nov 23 10:16:25 VM-4-14-centos systemd[1]: Starting SYSV: OpenSSH server daemon...
Nov 23 10:16:25 VM-4-14-centos sshd[25487]: Server listening on 0.0.0.0 port 22.
Nov 23 10:16:25 VM-4-14-centos sshd[25487]: Server listening on :: port 22.
Nov 23 10:16:25 VM-4-14-centos sshd[25479]: Starting sshd:[  OK  ]
Nov 23 10:16:25 VM-4-14-centos systemd[1]: Started SYSV: OpenSSH server daemon.

The service is running normally.

4. Check the ssh version

# The version has been upgraded
[root@VM-4-14-centos ssh]# ssh -V
OpenSSH_8.7p1, OpenSSL 1.0.2k-fips  26 Jan 2017

5. Test logging in

Open a new window and connect to the upgraded host. If you can log in normally, the upgrade is complete.
