tar -xf openssh-8.8p1.tar.gz -C /tmp
cd /tmp/openssh-8.8p1
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-zlib --with-privsep-path=/var/lib/sshd --with-ssl-dir=/usr/local/openssl
make && make install
# sshd文件如果有的话先备份,没有的话直接写入一个
cp /etc/pam.d/postlogin /etc/pam.d/postlogin-bak-$(date +"%Y-%m-%d")
cp /etc/pam.d/sshd /etc/pam.d/sshd.bak-$(date +"%Y-%m-%d")
echo 'UsePAM yes' >> /etc/ssh/sshd_config # 开启pam认证
echo 'MaxStartups 1000' >> /etc/ssh/sshd_config # MaxStartups是用来限制并行认证ssh客户端数量
echo 'MaxSessions 1000' >> /etc/ssh/sshd_config # 每个TCP连接可以并行开启多少个会话(session),并不是指某个ip连接的数量
# 写入/etc/pam.d/sshd
echo '#%PAM-1.0
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare' > /etc/pam.d/sshd
# 写入/etc/pam.d/postlogin
echo '#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet
session [default=1] pam_lastlog.so nowtmp showfailed
session optional pam_lastlog.so silent noupdate showfailed' > /etc/pam.d/postlogin
# 修改权限
chmod 644 /etc/pam.d/postlogin
chmod 600 /etc/pam.d/sshd