openssh升级到8.8

1.查看openssh、openssl版本

# Print the installed OpenSSL and OpenSSH versions before changing anything,
# so they can be compared with the output after the upgrade.
openssl version
ssh -V

2.安装配置telnet

2.1 安装telnet-server

# Install xinetd and the telnet server; telnet is used below as a temporary
# login path while sshd is being replaced.
yum -y install xinetd telnet-server

2.2 配置telnet

# First check whether a telnet file already exists under /etc/xinetd.d
[root@localhost ~]# ll /etc/xinetd.d/telnet
ls: cannot access /etc/xinetd.d/telnet: No such file or directory
# If it exists, change "disable = no" in that file to "disable = yes"
# If it does not exist, create it as follows
# NOTE(review): in xinetd, "disable = yes" switches the service off, so xinetd
# does not serve telnet with this file as written. The port-23 listener shown in
# step 2.4 belongs to systemd (pid=1), i.e. telnet.socket is what accepts logins.
# NOTE(review): "user = root" would run in.telnetd as root if this entry were enabled.
[root@localhost ~]# cat > /etc/xinetd.d/telnet <<EOF
service telnet
{
disable = yes
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
}
EOF

2.3 配置telnet登录的终端类型

# Append pseudo-terminal names to /etc/securetty. That file lists the terminals
# on which root may log in, so these lines permit root login over telnet sessions.
# NOTE(review): ">>" appends on every run, so repeating the step adds duplicate lines.
# NOTE(review): nothing later on the page removes these entries; delete them
# once the upgrade is finished and telnet is switched off.
[root@localhost ~]# cat >> /etc/securetty <<EOF
pts/0
pts/1
pts/2
pts/3
EOF

2.4 启动telnet服务

# Enable and start xinetd and the systemd telnet socket, then list listening TCP sockets.
# NOTE(review): "grep 23" matches any line containing "23" (PIDs, other ports);
# the line to look for is the one with ":23" in the local-address column.
[root@localhost ~]# systemctl enable xinetd --now
[root@localhost ~]# systemctl enable telnet.socket --now
[root@localhost ~]# ss -nltp | grep 23
LISTEN 0 128 :::23 :::* users:(("systemd",pid=1,fd=46))
# Port 23 is listening, which means the telnet service is running

2.5 切换登录方式为telnet

后面的操作都在telnet连接下进行,避免ssh中断导致升级失败。以telnet方式登录时注意选择协议和端口:协议为telnet,端口为23(需要开放23端口),使用 telnet ip 的方式登录。telnet以明文传输账号和密码,开放23端口时应只允许管理机的IP访问,升级完成后立即关闭。
如果登录报错,则执行 cat /var/log/secure 查看日志;然后执行 vi /etc/securetty,在末尾添加 pts/5 pts/6,保存即可。

3.更新openssl

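# Build and install OpenSSL 1.1.1l under /usr/local/openssl, then point the
# system paths at it.
#
# The download keeps TLS certificate verification on (no --no-check-certificate):
# this tarball becomes the crypto library sshd links against. If verification
# fails on an old host, update the CA bundle (yum -y update ca-certificates)
# instead of disabling the check.
wget https://www.openssl.org/source/openssl-1.1.1l.tar.gz

# <EXPECTED_SHA256> is a placeholder: replace it with the hex SHA-256 published
# by the OpenSSL project for this tarball. The chain below stops at the first
# failing step, so a bad download is never unpacked or built, and the existing
# openssl binary and headers are moved aside only after the new build installed.
printf '%s  %s\n' '<EXPECTED_SHA256>' openssl-1.1.1l.tar.gz | sha256sum -c - &&
  tar -zxvf openssl-1.1.1l.tar.gz &&
  cd openssl-1.1.1l/ &&
  ./config --prefix=/usr/local/openssl --shared &&
  make &&
  make install &&
  mv /usr/bin/openssl /usr/bin/openssl.old &&
  mv /usr/include/openssl /usr/include/openssl.old &&
  ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl &&
  ln -s /usr/local/openssl/include/openssl /usr/include/openssl &&
  { grep -qxF /usr/local/openssl/lib /etc/ld.so.conf ||
    echo "/usr/local/openssl/lib" >> /etc/ld.so.conf; } &&
  ldconfig -v

# Should now report 1.1.1l; if it still shows the old version, a step above failed.
openssl version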

4.安装openssh

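# Build and install OpenSSH 8.8p1 against the OpenSSL in /usr/local/openssl.
#
# The globs are quoted so that yum, not the shell, expands them; unquoted, a
# file in the current directory whose name starts with "pam" or "zlib" would
# change the package list.
yum install -y 'pam*' 'zlib*' openssl-devel

# sshd complains about private host keys that are readable by others; only the
# private key files need mode 600.
chmod 600 /etc/ssh/ssh_host_*_key

# TLS certificate verification stays on (no --no-check-certificate): this is the
# source of the daemon that will authenticate every login on the host.
wget -c https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/openssh-8.8p1.tar.gz

# <EXPECTED_SHA256> is a placeholder: replace it with the hex SHA-256 of the
# official openssh-8.8p1.tar.gz obtained from a trusted source. The chain stops
# at the first failure. The extracted directory is openssh-8.8p1 (not the
# .tar.gz name), and the running binaries and /etc/ssh are backed up only once
# the build has succeeded, immediately before "make install".
printf '%s  %s\n' '<EXPECTED_SHA256>' openssh-8.8p1.tar.gz | sha256sum -c - &&
  tar -zxvf openssh-8.8p1.tar.gz &&
  cd openssh-8.8p1 &&
  ./configure --prefix=/usr/ --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/openssl --with-zlib --with-md5-passwords --with-pam &&
  make &&
  cp /usr/bin/ssh /usr/bin/ssh.bak &&
  cp /usr/sbin/sshd /usr/sbin/sshd.bak &&
  mv /etc/ssh /etc/ssh.bak &&
  make install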

# Replace the startup script and the PAM file with the ones shipped in the
# OpenSSH source tree (run from inside the extracted source directory).
# The SysV init script takes over from the packaged systemd unit, which is
# renamed rather than deleted so it can be restored.
# NOTE(review): the PAM file is copied to /etc/pam.d/sshd.pam, while the next
# step edits /etc/pam.d/sshd; presumably the copy is only kept as a reference.
cp ./contrib/redhat/sshd.init /etc/init.d/sshd
cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd.pam
mv /usr/lib/systemd/system/sshd.service /usr/lib/systemd/system/sshd.service_bak


#编辑/etc/pam.d/sshd文件,删除原有,添加以下
#%PAM-1.0
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare


#编辑/etc/ssh/sshd_config,修改如下配置(允许root密码登录仅用于升级期间验证连通性;验证完成后建议将PermitRootLogin改为prohibit-password并改用密钥登录)
#PermitRootLogin yes
#PubkeyAuthentication yes
#PasswordAuthentication yes

# Reload unit definitions (the packaged sshd.service was renamed above), restart
# sshd with the new binary, and show its state.
# NOTE(review): running `sshd -t` before the restart checks sshd_config and the
# host keys without touching the running daemon; keep the telnet session open
# until a fresh ssh login has been confirmed.
systemctl daemon-reload
systemctl restart sshd
systemctl status sshd

5.还原ssh方式登录

5.1 开启sshd方式登录

# Edit the new sshd_config, then restart sshd and check that it is running.
vi /etc/ssh/sshd_config
# Set  PasswordAuthentication yes
systemctl daemon-reload
systemctl restart sshd
systemctl status sshd

5.2 关闭telnet服务

# Stop and disable both telnet entry points once ssh login works again.
# NOTE(review): these commands do not undo the pts/* lines appended to
# /etc/securetty in step 2.3 or close port 23 in the firewall; revert those as
# well and confirm with `ss -nlt` that nothing listens on :23.
[root@localhost ~]# systemctl disable xinetd.service --now
[root@localhost ~]# systemctl disable telnet.socket --now