Environment
Before the upgrade:
Linux version: Centos 7.0.2009
OpenSSH and related versions:
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
After the upgrade:
Linux version: Centos 7.0.2009
OpenSSH and related versions:
OpenSSH_8.8p1, OpenSSL 1.1.1h 22 Sep 2020
I. Commands for checking the system configuration; record the pre-upgrade settings first
--check the CentOS version
[root@mysql /]# cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)
--check the openssl version
[root@mysql /]# openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017
--check the ssh version
[root@mysql /]# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
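As an added example (not part of the original post), the POSIX shell functions below parse the ssh -V banner shown above and compare it against a minimum version, so the pre-upgrade check can be scripted and re-run after the upgrade instead of being read by eye. The threshold MIN_OPENSSH=8.8 is an assumption taken from the target version of this post; the post itself only says the scanner flagged 7.4 as too old.

```sh
#!/bin/sh
# Added example: parse "ssh -V" output and compare it with a minimum
# version. Not code from the original post. MIN_OPENSSH is assumed.
MIN_OPENSSH="8.8"

# Extract "major.minor" from a banner such as
# "OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017"  ->  7.4
openssh_version_of() {      # $1 = banner text
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Extract the OpenSSL version from the same banner  ->  1.0.2k
openssl_version_of() {      # $1 = banner text
    printf '%s\n' "$1" | sed -n 's/.*OpenSSL \([0-9][0-9a-z.]*\).*/\1/p'
}

# True (exit 0) when major.minor $1 >= major.minor $2, compared as
# numbers rather than strings, so 10.0 >= 9.9 comes out right.
version_ge() {              # $1 = version, $2 = minimum
    a_major=${1%%.*}; a_minor=${1#*.}; a_minor=${a_minor%%.*}
    b_major=${2%%.*}; b_minor=${2#*.}; b_minor=${b_minor%%.*}
    if [ "$a_major" -ne "$b_major" ]; then
        [ "$a_major" -gt "$b_major" ]
    else
        [ "$a_minor" -ge "$b_minor" ]
    fi
}

# Print a verdict for a banner; exit 0 when it meets MIN_OPENSSH,
# 1 when an upgrade is needed, 2 when the banner is not recognised.
check_banner() {            # $1 = banner text
    v=$(openssh_version_of "$1")
    if [ -z "$v" ]; then
        echo "unrecognised banner: $1"
        return 2
    fi
    if version_ge "$v" "$MIN_OPENSSH"; then
        echo "OpenSSH $v (OpenSSL $(openssl_version_of "$1")) >= $MIN_OPENSSH: OK"
    else
        echo "OpenSSH $v (OpenSSL $(openssl_version_of "$1")) < $MIN_OPENSSH: upgrade needed"
        return 1
    fi
}

# ssh -V prints its banner on stderr, hence the 2>&1.
main() {
    check_banner "$(ssh -V 2>&1)"
}
case "${1:-}" in check) main ;; esac
```

Run it as "sh sshver.sh check" on the host; the exit status (0, 1 or 2) makes it usable from a cron job or inventory script as well as interactively.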
II. Installation steps
1. Prepare the packages
openssh-8.8p1.tar.gz
openssl-1.1.1h.tar.gz
zlib-1.2.11.tar.gz
2. In case the install fails and the server can no longer be reached over ssh, first install telnet-server and xinetd
(1) Run the telnet install command
[root@mysql ~]# yum install xinetd telnet-server -y
已加载插件:fastestmirror, langpacks
Repository base is listed more than once in the configuration
Repository updates is listed more than once in the configuration
Repository extras is listed more than once in the configuration
Repository centosplus is listed more than once in the configuration
Repository contrib is listed more than once in the configuration
Loading mirror speeds from cached hostfile
epel/x86_64/metalink | 6.7 kB 00:00:00
* base: mirrors.aliyun.com
* epel: my.mirrors.thegigabit.com
* extras: mirrors.aliyun.com
* updates: mirrors.aliyun.com
(2) Configure telnet
On many current CentOS 7 installs there is no config file named telnet after installing telnet-server and xinetd.
If the telnet file below does not exist, skip this part.
[root@mysql ~]# ll /etc/xinetd.d/telnet
ls: 无法访问/etc/xinetd.d/telnet: 没有那个文件或目录
If it does exist, adjust it so that root can log in over telnet: change disable = no to disable = yes
[root@rhel yum.repos.d]# cat /etc/xinetd.d/telnet
# default: on
# description: The telnet server serves telnet sessions; it uses \
# unencrypted username/password pairs for authentication.
service telnet
{
disable = no
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
}
[root@rhel yum.repos.d]# vim /etc/xinetd.d/telnet
[root@rhel yum.repos.d]# cat /etc/xinetd.d/telnet
# default: on
# description: The telnet server serves telnet sessions; it uses \
# unencrypted username/password pairs for authentication.
service telnet
{
disable = yes
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
}
Configure the terminal types allowed for telnet logins by adding some pts terminals at the end of /etc/securetty, as follows
pts/0
pts/1
pts/2
pts/3
After the change it looks like this
[root@linux-node3 ~]# vim /etc/securetty
[root@linux-node3 ~]# tail -5 /etc/securetty
xvc0
pts/0
pts/1
pts/2
pts/3
[root@linux-node3 ~]#
Start the telnet service and enable it at boot
[root@linux-node3 ~]# systemctl enable xinetd
[root@linux-node3 ~]# systemctl enable telnet.socket
Created symlink from /etc/systemd/system/sockets.target.wants/telnet.socket to /usr/lib/systemd/system/telnet.socket.
[root@linux-node3 ~]# systemctl start telnet.socket
[root@linux-node3 ~]# systemctl start xinetd
[root@linux-node3 ~]# netstat -lntp|grep 23
tcp6 0 0 :::23 :::* LISTEN 1/systemd
--if a telnet connection fails, check the error with this command
[root@VM-0-14-centos wonxfey]# tail /var/log/secure
3. Upgrade the build dependencies
[root@mysql ~]# yum install -y gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel pam-devel
已加载插件:fastestmirror, langpacks
Repository base is listed more than once in the configuration
Repository updates is listed more than once in the configuration
Repository extras is listed more than once in the configuration
Repository centosplus is listed more than once in the configuration
Repository contrib is listed more than once in the configuration
Loading mirror speeds from cached hostfile
* base: mirrors.aliyun.com
* epel: my.mirrors.thegigabit.com
* extras: mirrors.aliyun.com
* updates: mirrors.aliyun.com
软件包 gcc-4.8.5-44.el7.x86_64 已安装并且是最新版本
软件包 gcc-c++-4.8.5-44.el7.x86_64 已安装并且是最新版本
软件包 glibc-2.17-325.el7_9.x86_64 已安装并且是最新版本
软件包 1:make-3.82-24.el7.x86_64 已安装并且是最新版本
软件包 autoconf-2.69-11.el7.noarch 已安装并且是最新版本
软件包 1:openssl-1.0.2k-24.el7_9.x86_64 已安装并且是最新版本
软件包 1:openssl-devel-1.0.2k-24.el7_9.x86_64 已安装并且是最新版本
软件包 pcre-devel-8.32-17.el7.x86_64 已安装并且是最新版本
软件包 pam-devel-1.1.8-23.el7.x86_64 已安装并且是最新版本
无须任何处理
[root@mysql ~]# yum install -y pam* zlib*
已加载插件:fastestmirror, langpacks
Repository base is listed more than once in the configuration
Repository updates is listed more than once in the configuration
Repository extras is listed more than once in the configuration
Repository centosplus is listed more than once in the configuration
Repository contrib is listed more than once in the configuration
Loading mirror speeds from cached hostfile
* base: mirrors.aliyun.com
* epel: my.mirrors.thegigabit.com
* extras: mirrors.aliyun.com
* updates: mirrors.aliyun.com
软件包 pam_yubico-2.26-1.el7.x86_64 已安装并且是最新版本
软件包 pam_script-1.1.8-1.el7.x86_64 已安装并且是最新版本
软件包 pam_oath-2.6.2-1.el7.x86_64 已安装并且是最新版本
软件包 pam_snapper-0.2.8-4.el7.x86_64 已安装并且是最新版本
软件包 pam_ssh_agent_auth-0.10.3-2.22.el7_9.x86_64 已安装并且是最新版本
软件包 pam_2fa-1.0-1.el7.x86_64 已安装并且是最新版本
软件包 pam_mapi-0.3.5-1.el7.x86_64 已安装并且是最新版本
软件包 pam_ssh_user_auth-1.0-1.el7.x86_64 已安装并且是最新版本
软件包 pam_mount-2.18-3.el7.x86_64 已安装并且是最新版本
软件包 pam_radius-1.4.0-4.el7.x86_64 已安装并且是最新版本
软件包 pamtester-0.1.2-4.el7.x86_64 已安装并且是最新版本
软件包 pam_afs_session-2.6-5.el7.x86_64 已安装并且是最新版本
软件包 pam_pkcs11-0.6.2-30.el7.x86_64 已安装并且是最新版本
软件包 pam-1.1.8-23.el7.x86_64 已安装并且是最新版本
软件包 pam_ssh-2.3-2.el7.x86_64 已安装并且是最新版本
软件包 1:pam_url-0.3.3-4.el7.x86_64 已安装并且是最新版本
软件包 pam_wrapper-1.1.3-1.el7.x86_64 已安装并且是最新版本
软件包 pam-kwallet-5.5.2-1.el7.x86_64 已安装并且是最新版本
软件包 pam-devel-1.1.8-23.el7.x86_64 已安装并且是最新版本
软件包 pam_krb5-2.4.8-6.el7.x86_64 已安装并且是最新版本
软件包 zlib-devel-1.2.7-19.el7_9.x86_64 已安装并且是最新版本
软件包 zlib-static-1.2.7-19.el7_9.x86_64 已安装并且是最新版本
软件包 zlib-1.2.7-19.el7_9.x86_64 已安装并且是最新版本
软件包 zlib-ada-1.4-0.5.20120830CVS.el7.x86_64 已安装并且是最新版本
软件包 zlib-ada-devel-1.4-0.5.20120830CVS.el7.x86_64 已安装并且是最新版本
4. Install openssl
Put the tarballs in /usr/local/src (personal preference; any location will do)
(1) Back up the existing openssl before installing
[root@mysql openssl-1.1.1h]# ll /usr/bin/openssl
-rwxr-xr-x 1 root root 555280 1月 18 21:56 /usr/bin/openssl
[root@mysql openssl-1.1.1h]# mv /usr/bin/openssl /usr/bin/openssl_bak
[root@mysql openssl-1.1.1h]# ll /usr/include/openssl
[root@mysql openssl-1.1.1h]# mv /usr/include/openssl /usr/include/openssl_bak
(2) Run the openssl install command
[root@mysql openssl-1.1.1h]# ./config --prefix=/usr/local/ssl -d shared && make && make install
Operating system: x86_64-whatever-linux2
Configuring OpenSSL version 1.1.1h (0x1010108fL) for linux-x86_64
Using os-specific seed configuration
Creating configdata.pm
Creating Makefile
**********************************************************************
*** ***
*** OpenSSL has been successfully configured ***
*** ***
*** If you encounter a problem while building, please open an ***
*** issue on GitHub <https://github.com/openssl/openssl/issues> ***
*** and include the output from the following command: ***
*** ***
*** perl configdata.pm --dump ***
*** ***
*** (If you are new to OpenSSL, you might want to consult the ***
*** 'Troubleshooting' section in the INSTALL file first) ***
*** ***
**********************************************************************
(output omitted)
--check whether the install reported an error
[root@mysql openssl-1.1.1h]# echo $?
0 ---0 means no error
(3) Once that is done, add the symlinks and check the version; it shows the upgrade succeeded
[root@VM-0-14-centos openssl-1.1.1h]# ln -sf /usr/local/ssl/bin/openssl /usr/bin/openssl
[root@VM-0-14-centos openssl-1.1.1h]# ln -sf /usr/local/ssl/include/openssl /usr/include/openssl
[root@VM-0-14-centos openssl-1.1.1h]# ll /usr/bin/openssl
lrwxrwxrwx 1 root root 26 Jan 23 11:56 /usr/bin/openssl -> /usr/local/ssl/bin/openssl
[root@VM-0-14-centos openssl-1.1.1h]# ll /usr/include/openssl -ld
lrwxrwxrwx 1 root root 30 Jan 23 11:50 /usr/include/openssl -> /usr/local/ssl/include/openssl
[root@VM-0-14-centos openssl-1.1.1h]# echo "/usr/local/ssl/lib" >> /etc/ld.so.conf
[root@VM-0-14-centos openssl-1.1.1h]# /sbin/ldconfig
[root@VM-0-14-centos openssl-1.1.1h]# openssl version
OpenSSL 1.1.1h 22 Sep 2020
[root@VM-0-14-centos openssl-1.1.1h]#
5. Install openssh
(1) Back up the ssh files first
[root@VM-0-14-centos openssh-8.8p1]# mv /etc/ssh /etc/ssh_bak
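Added example, not code from the original post: a small move-aside backup and restore helper for the paths that sections 4 and 5 rename (/usr/bin/openssl, /usr/include/openssl, /etc/ssh). It keeps the post's _bak naming, but refuses to overwrite an existing backup if the procedure is run twice (a second mv /etc/ssh /etc/ssh_bak would otherwise drop the only copy of the original config into the backup directory or fail half-way), and restore_backup moves whatever the upgrade installed to <path>_new for inspection instead of deleting it. UPGRADE_PATHS is assumed from the commands on this page; binaries that make install overwrote in place under /usr (ssh, sshd and friends) are not covered by this and would need the distribution package reinstalled.

```sh
#!/bin/sh
# Added example: move-aside backup and restore for the paths the upgrade
# replaces. Not from the original post. UPGRADE_PATHS is taken from the
# commands in sections 4 and 5 of the post; adjust for your own layout.
BACKUP_SUFFIX="_bak"
UPGRADE_PATHS="/usr/bin/openssl /usr/include/openssl /etc/ssh"

# True if PATH exists as a file, a directory, or a (possibly dangling)
# symlink. -e alone would miss a dangling link such as the one left
# behind when a symlink target is removed.
path_present() {            # $1 = path
    [ -e "$1" ] || [ -L "$1" ]
}

# Move PATH to PATH_bak. Refuses when PATH_bak already exists so that
# running the procedure twice cannot destroy the original; returns 1 in
# that case and 2 when there is nothing to back up.
backup_once() {             # $1 = path
    src=$1; dst="$1$BACKUP_SUFFIX"
    if path_present "$dst"; then
        echo "backup already exists, not overwriting: $dst" >&2
        return 1
    fi
    if ! path_present "$src"; then
        echo "nothing to back up: $src" >&2
        return 2
    fi
    mv "$src" "$dst" && echo "backed up $src -> $dst"
}

# Put PATH_bak back at PATH. Whatever the upgrade left at PATH (a file,
# directory or the symlink added in step 4(3)) is moved to PATH_new
# rather than deleted. Returns 2 when there is no backup and 1 when
# PATH_new is already in the way.
restore_backup() {          # $1 = path
    dst=$1; src="$1$BACKUP_SUFFIX"; aside="${1}_new"
    if ! path_present "$src"; then
        echo "no backup to restore: $src" >&2
        return 2
    fi
    if path_present "$dst"; then
        if path_present "$aside"; then
            echo "cannot move $dst aside, $aside already exists" >&2
            return 1
        fi
        mv "$dst" "$aside"
    fi
    mv "$src" "$dst" && echo "restored $dst from $src"
}

# Apply to every path in UPGRADE_PATHS; the exit status is the number
# of paths that failed, so 0 means everything was handled.
backup_all() {
    n=0
    for p in $UPGRADE_PATHS; do backup_once "$p" || n=$((n + 1)); done
    return $n
}
restore_all() {
    n=0
    for p in $UPGRADE_PATHS; do restore_backup "$p" || n=$((n + 1)); done
    return $n
}

case "${1:-}" in
    backup)  backup_all ;;
    restore) restore_all ;;
esac
```

Usage is "sh sshbak.sh backup" before section 4 and "sh sshbak.sh restore" from the telnet session if the new sshd refuses to start; after a restore, re-run ldconfig and restart sshd because the page's ld.so.conf entry and symlinks are not touched by this script.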
(2) Compile openssh and adjust the configuration
[root@VM-0-14-centos openssh-8.8p1]# ./configure --prefix=/usr/ --sysconfdir=/etc/ssh --with-openssl-includes=/usr/local/ssl/include --with-ssl-dir=/usr/local/ssl --with-zlib --with-md5-passwords --with-pam && make && make install
--check whether the build reported an error
[root@VM-0-14-centos openssh-8.8p1]# echo $?
0
--edit the configuration (this first attempt did not take; see step (5) for the fix, otherwise root will not be able to connect to the server)
[root@VM-0-14-centos openssh-8.8p1]# grep "PermitRootLogin" /etc/ssh/sshd_config
#PermitRootLogin prohibit-password
# the setting of "PermitRootLogin without-password".
[root@VM-0-14-centos openssh-8.8p1]# grep "UseDNS" /etc/ssh/sshd_config
#UseDNS no
(3) Copy some files from the extracted package to the target directories, overwriting any that exist
[root@VM-0-14-centos openssh-8.8p1]# cp -a contrib/redhat/sshd.init /etc/init.d/sshd
[root@VM-0-14-centos openssh-8.8p1]# cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd.pam
[root@VM-0-14-centos openssh-8.8p1]# chmod +x /etc/init.d/sshd
[root@VM-0-14-centos openssh-8.8p1]# chkconfig --add sshd
[root@VM-0-14-centos openssh-8.8p1]# systemctl enable sshd
(4) Move the old sshd unit file out of the way, otherwise it interferes with the restart, then restart the ssh service
[root@VM-0-14-centos data]# mv /usr/lib/systemd/system/sshd.service /data/
[root@VM-0-14-centos data]# chkconfig sshd on
Note: Forwarding request to 'systemctl enable sshd.socket'.
Created symlink from /etc/systemd/system/sockets.target.wants/sshd.socket to /usr/lib/systemd/system/sshd.socket.
[root@VM-0-14-centos data]# systemctl start sshd
[root@VM-0-14-centos data]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 7907/sshd: /usr/sbi
tcp6 0 0 :::22 :::* LISTEN 7907/sshd: /usr/sbi
tcp6 0 0 :::23 :::* LISTEN 1/systemd
--stop the service
[root@VM-0-14-centos data]# systemctl stop sshd
--restart the service
[root@VM-0-14-centos data]# systemctl restart sshd
--check the version
[root@VM-0-14-centos data]# ssh -V
OpenSSH_8.8p1, OpenSSL 1.1.1h 22 Sep 2020
(5) Once the ssh service is started, root login is refused with a password-rejected prompt; at that point connect over telnet and fix the configuration (this is because the config change in step (2) did not take effect)
[root@VM-0-14-centos ~]# vi /etc/ssh/sshd_config
PermitRootLogin yes
[root@VM-0-14-centos ~]# systemctl restart sshd
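Added example (not code from the original post): a post-upgrade check for the two things that surfaced in steps (2), (4) and (5). In step (2) grep "PermitRootLogin" matched only commented lines, so the active value was still sshd's built-in default prohibit-password and root's password was refused. sshd_effective_value reads the file the way sshd does (comments skipped, Key value and Key=value both accepted, the first active occurrence wins, nothing after a Match line counted as global; Include'd files are not followed). listening_ports parses netstat -lnt output; the sample lines in the test are constructed from the output shown in step (4), where port 23 is still listening after the upgrade, and telnet_still_open flags that fallback so it can be switched off once ssh is confirmed working.

```sh
#!/bin/sh
# Added example: verify sshd configuration and listening ports after the
# upgrade. Not from the original post.

# Print the effective global value of KEYWORD from an sshd_config file.
# Mirrors how sshd reads it: comment and blank lines are ignored, the
# keyword is case-insensitive, "Key value" and "Key=value" both work
# (first "=" only), the FIRST active occurrence wins, and everything
# after a Match line is conditional so it is not reported. Include'd
# files are not followed. Prints nothing when the keyword appears only
# in comments, which is exactly the trap in step (2).
sshd_effective_value() {    # $1 = config file, $2 = keyword
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }                  # comment line
        NF == 0 { next }                           # blank line
        { sub(/[[:space:]]*=[[:space:]]*/, " "); $0 = $0 }
        tolower($1) == "match" { exit }            # rest is conditional
        tolower($1) == key { print $2; exit }      # first active match
    ' "$1"
}

# Effective PermitRootLogin, falling back to sshd's built-in default
# (prohibit-password, the default since OpenSSH 7.0) when nothing
# active is set.
root_login_policy() {       # $1 = config file
    v=$(sshd_effective_value "$1" PermitRootLogin)
    echo "${v:-prohibit-password (default)}"
}

# Read "netstat -lnt" (or -lntp) output on stdin and print the listening
# TCP port numbers, one per line, sorted and de-duplicated. The port is
# the last ":"-separated piece of the local address, which handles both
# 0.0.0.0:22 and :::22.
listening_ports() {
    awk '$6 == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -un
}

# True (exit 0) when port 23 is still listening in the netstat output
# on stdin, i.e. the telnet fallback from step 2 is still enabled.
telnet_still_open() {
    listening_ports | grep -qx 23
}

main() {
    cfg=${SSHD_CONFIG:-/etc/ssh/sshd_config}
    echo "ssh version     : $(ssh -V 2>&1)"
    echo "PermitRootLogin : $(root_login_policy "$cfg")"
    echo "listening ports : $(netstat -lnt | listening_ports | tr '\n' ' ')"
    if netstat -lnt | telnet_still_open; then
        echo "port 23 still open: stop telnet.socket and xinetd once ssh is confirmed"
    fi
}
case "${1:-}" in check) main ;; esac
```

Run "sh sshcheck.sh check" after step (5); SSHD_CONFIG can point at another file to inspect a config before it is installed. Once the value printed for PermitRootLogin is the intended one and ssh logins work, the telnet.socket and xinetd units enabled in step 2 can be stopped and disabled again.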
Summary
The install succeeded. This guide exists to resolve security scans flagging the ssh version as too old; it is for reference only.