- 升级openssl
1.备份
[root@localhost tmp]# whereis openssl
openssl: /usr/bin/openssl /usr/lib64/openssl /usr/include/openssl /usr/share/man/man1/openssl.1ssl.gz
[root@localhost tmp]# whereis ssl
ssl: /etc/ssl /usr/share/man/man3/ssl.3ssl.gz
[root@localhost /]# find / -name openssl
/etc/pki/ca-trust/extracted/openssl
/usr/lib64/openssl
/usr/include/openssl
/usr/bin/openssl
[root@localhost tmp]# cp -a /usr/bin/openssl /usr/bin/openssl.bak
[root@localhost tmp]# cp -a /usr/lib64/openssl /usr/lib64/openssl.bak
[root@localhost tmp]# cp -a /usr/include/openssl /usr/include/openssl.bak
[root@localhost tmp]# cp -a /etc/ssl /etc/ssl.bak
[root@localhost tmp]# cp -a /etc/pki/ca-trust/extracted/openssl /etc/pki/ca-trust/extracted/openssl.bak
[root@localhost tmp]# cp /usr/lib64/libcrypto.so.10 /usr/lib64/libcrypto.so.10.bak
[root@localhost tmp]# cp /usr/lib64/libssl.so.10 /usr/lib64/libssl.so.10.bak
注意:/usr/lib64/libcrypto.so.10、/usr/lib64/libssl.so.10 这两个文件一定要备份。系统内部分工具(如 yum、wget 等)依赖这两个库,而第 2 步卸载系统 openssl 包时它们会被一并删除,新编译安装的 openssl 也不一定包含这两个库文件;若卸载后这些工具报缺少库,可用备份文件恢复。
2.卸载
[root@localhost tmp]# rpm -qa | grep openssl
openssl-devel-1.0.1e-42.el6.x86_64
openssl-1.0.1e-42.el6.x86_64
[root@localhost tmp]# rpm -e --nodeps openssl-devel-1.0.1e-42.el6.x86_64
[root@localhost tmp]# rpm -e --nodeps openssl-1.0.1e-42.el6.x86_64
3.编译安装(解压前先核对 openssl-1.0.2p.tar.gz 的 SHA256 校验值或 PGP 签名,确认与官方发布的一致)
[root@localhost tmp]# tar -zxvf openssl-1.0.2p.tar.gz
...省略...
[root@localhost tmp]# cd openssl-1.0.2p
[root@localhost openssl-1.0.2p]# ./config --prefix=/usr --openssldir=/etc/ssl --shared zlib #zlib选项会编译进TLS压缩支持(压缩与CRIME类攻击有关),如无明确需要可去掉该选项
...省略...
[root@localhost openssl-1.0.2p]# make
...省略...
[root@localhost openssl-1.0.2p]# make test #最后结果出现pass且无error信息证明编译成功
.......
PASS
make[1]: Leaving directory `/tmp/openssl-1.0.2p/test'
OPENSSL_CONF=apps/openssl.cnf util/opensslwrap.sh version -a
OpenSSL 1.0.2p 14 Aug 2018
built on: reproducible build, date unspecified
platform: linux-x86_64
options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -m64 -DL_ENDIAN -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
OPENSSLDIR: "/etc/ssl"
[root@localhost openssl-1.0.2p]# make install
...省略...
4.查看版本是否安装成功
[root@localhost openssl-1.0.2p]# openssl version
OpenSSL 1.0.2p 14 Aug 2018
- 升级openssh(升级完后重启)
1.备份
[root@localhost openssl-1.0.2p]# whereis openssh
openssh: /usr/libexec/openssh
[root@localhost openssl-1.0.2p]# find / -name openssh
/usr/libexec/openssh
[root@localhost openssl-1.0.2p]# find / -name ssh
/etc/ssh
/usr/bin/ssh
[root@localhost openssl-1.0.2p]# whereis ssh
ssh: /usr/bin/ssh /etc/ssh /usr/share/man/man1/ssh.1.gz
[root@localhost openssl-1.0.2p]# cp -a /usr/libexec/openssh /usr/libexec/openssh.bak
[root@localhost openssl-1.0.2p]# cp -ar /etc/ssh /etc/ssh.bak
[root@localhost openssl-1.0.2p]# cp -a /usr/bin/ssh /usr/bin/ssh.bak
2.卸载(远程操作时先准备好备用登录通道,并保持当前会话不退出,直到新sshd验证可以登录)
[root@localhost openssl-1.0.2p]# rpm -qa | grep openssh
openssh-askpass-5.3p1-123.el6_9.x86_64
openssh-server-5.3p1-123.el6_9.x86_64
openssh-5.3p1-123.el6_9.x86_64
openssh-clients-5.3p1-123.el6_9.x86_64
[root@localhost openssl-1.0.2p]# rpm -e --nodeps openssh-askpass-5.3p1-123.el6_9.x86_64
[root@localhost openssl-1.0.2p]# rpm -e --nodeps openssh-server-5.3p1-123.el6_9.x86_64
[root@localhost openssl-1.0.2p]# rpm -e --nodeps openssh-5.3p1-123.el6_9.x86_64
[root@localhost openssl-1.0.2p]# rpm -e --nodeps openssh-clients-5.3p1-123.el6_9.x86_64
3.编译安装前配置openssh
[root@localhost openssl-1.0.2p]# install -v -m700 -d /var/lib/sshd
install: creating directory `/var/lib/sshd'
[root@localhost openssl-1.0.2p]# chown -v root:sys /var/lib/sshd
changed ownership of `/var/lib/sshd' to root:sys
[root@localhost openssl-1.0.2p]# groupadd -g 50 sshd
groupadd: group 'sshd' already exists
[root@localhost openssl-1.0.2p]# useradd -c 'sshd PrivSep' -d /var/lib/sshd -g sshd -s /bin/false -u 50 sshd
useradd: user 'sshd' already exists #用户已存在,可忽略
4.解压编译安装(解压前同样先核对 openssh-7.8p1.tar.gz 的校验值或 PGP 签名)
[root@localhost tmp]# tar -zxvf openssh-7.8p1.tar.gz
[root@localhost tmp]# cd openssh-7.8p1
[root@localhost openssh-7.8p1]# ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-zlib --with-openssl-includes=/usr --with-privsep-path=/var/lib/sshd
.......
configure: error: PAM headers not found #编译报错,缺少PAM库文件,需安装pam-devel
[root@localhost openssh-7.8p1]# yum install -y pam-devel
........
Dependency Updated:
pam.x86_64 0:1.1.1-24.el6
Complete! #继续上次的编译
[root@localhost openssh-7.8p1]# ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-zlib --with-openssl-includes=/usr --with-privsep-path=/var/lib/sshd
........ #无error信息,openssh可以继续make、make install;下面的提示不影响编译,可在安装后配置(若在sshd_config中启用UsePAM,需确认/etc/pam.d/sshd存在,否则密码认证可能失败)。
PAM is enabled. You may need to install a PAM control file
for sshd, otherwise password authentication may fail.
Example PAM control files can be found in the contrib/
subdirectory
[root@localhost openssh-7.8p1]# make
.....
[root@localhost openssh-7.8p1]# make test
make: *** No rule to make target `test'. Stop. #Makefile中没有名为test的目标,可忽略(OpenSSH的回归测试目标是tests,如需测试可执行make tests)
[root@localhost openssh-7.8p1]# make install
......
/bin/mkdir -p /etc/ssh
ssh-keygen: generating new host keys: ECDSA ED25519
/usr/sbin/sshd -t -f /etc/ssh/sshd_config
5.安装后配置
[root@localhost ~]# echo 'X11Forwarding yes' >> /etc/ssh/sshd_config #允许SSH的X11转发;不需要远程图形界面时建议保持默认的no
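[root@localhost ~]# echo "PermitRootLogin yes" >> /etc/ssh/sshd_config #允许root用户通过ssh登录(含密码登录,root会直接暴露于口令猜测);生产环境建议改用prohibit-password或no,以普通用户登录后再提权。注意sshd对每个配置项只取第一次出现的值,追加前先确认文件前面没有未注释的同名配置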
[root@localhost ~]# cp -p contrib/redhat/sshd.init /etc/init.d/sshd #把源码中的contrib/redhat/sshd.init复制为/etc/init.d/sshd(contrib是相对路径,需在openssh-7.8p1源码目录下执行),为下面的开机自启做准备
[root@localhost ~]# chkconfig --add sshd #添加sshd服务
[root@localhost ~]# chkconfig sshd on #开机自启
[root@localhost ~]# chkconfig --list sshd
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
[root@localhost ~]# service sshd restart
[root@localhost ~]# service sshd restart
Stopping sshd: [ OK ] #此处远程连接可能会断开,因此远程操作尽量先开启telnet作为备用通道;telnet为明文传输,只应临时使用,确认新sshd可以登录后立即关闭,有条件时优先使用控制台或带外管理。
Starting sshd: [ OK ]
[root@localhost ~]# ssh -V
OpenSSH_7.8p1, OpenSSL 1.0.2p 14 Aug 2018 #安装成功