一、前期准备
- 关闭防火墙
# Turn off firewalld and SELinux for the duration of the upgrade.
# Reason given by this guide: if SELinux stays on, remote ssh sessions may be
# dropped immediately once the upgrade has finished.
# NOTE(review): both changes persist across reboots and nothing later in this
# guide reverts them. After the new sshd is verified, re-enable firewalld and
# plan the return of SELinux to enforcing (a filesystem relabel is needed once
# it has been fully disabled).
systemctl stop firewalld
systemctl disable firewalld
# Persistent setting, read at the next boot
sed -i -e 's|SELINUX=enforcing|SELINUX=disabled|' /etc/selinux/config
# Running system: switch to permissive right away
setenforce 0
- 上传包
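mkdir -p /opt/openssh && cd /opt/openssh
# Upload both source tarballs into this directory.
# These archives become the system's TLS library and its sshd, so check them
# before unpacking: compare each SHA-256 digest printed below with the value
# published by the upstream project (or verify the PGP signature), and stop
# if they differ.
sha256sum openssl-1.1.1k.tar.gz openssh-8.6p1.tar.gz
# Unpack
tar -zxvf openssl-1.1.1k.tar.gz
tar -zxvf openssh-8.6p1.tar.gz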
[root@localhost openssh]# ls
openssh-8.6p1 openssh-8.6p1.tar.gz openssl-1.1.1k openssl-1.1.1k.tar.gz
- 安装依赖(有备无患)
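# Build tool chain and development headers for OpenSSL and OpenSSH
yum install wget rpm-build zlib-devel openssl-devel gcc perl-devel pam-devel unzip gcc-c++ libXt-devel imake gtk2-devel -y
yum install -y gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel pam-devel
# The wildcards are quoted so that yum expands them against package names;
# unquoted, the shell would first try to match them against files in the
# current directory.
# NOTE(review): this installs every package whose name starts with pam or
# zlib. pam-devel and zlib-devel are already named above, so consider
# dropping this line to keep the installed package set small.
yum install -y 'pam*' 'zlib*'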
二、安装telnet连接,以备ssh服务异常无法连接
- 安装
# Install the telnet server as a temporary fallback login path.
# NOTE(review): telnet sends the login, the password and the whole session in
# clear text, and firewalld was disabled in the preparation step, so the
# service is reachable from every network that can reach this host. Keep it
# only for the duration of the upgrade.
yum install -y telnet telnet-server xinetd
# Enable both units at boot, then start them
systemctl enable xinetd.service telnet.socket \
  && systemctl start telnet.socket xinetd
- 创建用户
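# Create an account to log in with over telnet.
# NOTE(review): "test" is an easily guessed name and the account receives
# full sudo rights below; give it a strong password and delete it when the
# upgrade is finished.
useradd test
passwd test
# Grant sudo rights.
# visudo locks /etc/sudoers and syntax-checks it before saving, so a typo
# cannot leave sudo unusable, and the file's permissions never have to be
# loosened (the earlier chmod +w followed by a plain editor left it writable
# and unchecked).
visudo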
100行左右添加
test ALL=(ALL) ALL
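一定要先确认 telnet 可以正常登录,再继续后面的步骤。telnet 以明文传输账号和密码,只应作为升级期间的应急通道;升级完成并确认 ssh 登录正常后,应停用 telnet.socket 和 xinetd、卸载 telnet-server,并删除 test 用户及其 sudo 授权。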
三、安装openssl
- 备份
# Keep the distribution's openssl binary and header directory as .bak copies
# so they can be moved back if the self-built version has to be rolled back.
for path in /usr/bin/openssl /usr/include/openssl; do
  mv "$path" "$path.bak"
done
- 编译安装
# Relative path: run this from /opt/openssh, where the tarball was unpacked.
cd openssl-1.1.1k
# Configure the build to install under /usr/local/openssl, separate from
# the distribution's own OpenSSL files.
# NOTE(review): 1.1.1k dates from March 2021 (see the version output in this
# guide). Later 1.1.1 letter releases carry security fixes, and upstream has
# since ended public support for the 1.1.1 branch; build a currently
# supported release where possible.
./config --prefix=/usr/local/openssl
# Install only if the build succeeded
make && make install
- 链接
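# Put the new binary and headers where the old ones (now *.bak) used to be
ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
ln -s /usr/local/openssl/include/openssl /usr/include/openssl
# Add the new library directory to the dynamic linker's search path, but
# only if it is not listed yet, so re-running this step does not append
# duplicate lines.
# NOTE(review): this path applies to every program on the host, not only to
# sshd; any binary that resolves the same library name will load this
# self-built copy, which package updates will not patch.
grep -qxF "/usr/local/openssl/lib" /etc/ld.so.conf \
  || echo "/usr/local/openssl/lib" >> /etc/ld.so.conf
# Rebuild the linker cache (-v lists the directories and libraries found)
ldconfig -v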
- 验证
# Confirm that the openssl found on PATH is the newly built one; the
# version printed should match the source tree that was compiled above.
openssl version
[root@localhost openssh]# openssl version
OpenSSL 1.1.1k 25 Mar 2021
四、安装openssh
- 备份
# Move the current configuration directory and binaries aside as .bak copies.
# NOTE(review): /etc/ssh.bak now holds the existing host keys. The later
# chmod on /etc/ssh/ssh_host_*_key implies the install step creates fresh
# ones, so clients will see a changed-host-key warning. Either copy the old
# ssh_host_* keys back from /etc/ssh.bak after installing, or distribute the
# new fingerprints, so that users do not get used to ignoring that warning.
for old in /etc/ssh /usr/bin/ssh /usr/sbin/sshd; do
  mv "$old" "$old.bak"
done
# Keep a copy of the PAM service file as well (copied, not moved, so the
# original stays in place)
if mkdir /openssh.bak; then
  cp /etc/pam.d/sshd /openssh.bak
fi
- 编译安装
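# Relative path: run this from /opt/openssh, where the tarball was unpacked.
cd openssh-8.6p1
# Configure against the OpenSSL built under /usr/local/openssl.
# --without-hardening has been dropped: it switches off the compiler and
# linker hardening options that configure otherwise enables for a
# network-facing daemon. If the build fails with hardening on, fix the
# toolchain rather than disabling it.
# NOTE(review): as far as I know, TCP wrappers support was removed from
# OpenSSH well before this release, so --with-tcp-wrappers is only reported
# as an unrecognized option; /etc/hosts.allow and /etc/hosts.deny would then
# not restrict this sshd. Confirm in the configure output.
# NOTE(review): 8.6p1 is not a current release; check the upstream release
# notes for security fixes published since, and prefer the latest portable
# release where possible.
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-zlib --with-tcp-wrappers --with-ssl-dir=/usr/local/openssl
# Install only if the build succeeded
make && make install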
- 调整权限,复制配置文件并设置允许root用户远程登录
# Host private keys must be readable by root only; sshd refuses to use
# private keys with looser permissions.
chmod 600 /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_ecdsa_key /etc/ssh/ssh_host_ed25519_key
# Install the SysV init script shipped in the source tree
cp -a contrib/redhat/sshd.init /etc/init.d/sshd
# NOTE(review): this writes /etc/pam.d/sshd.pam, not /etc/pam.d/sshd. PAM
# selects its file by service name (presumably "sshd"), so this copy is
# probably never read and the existing /etc/pam.d/sshd, which the backup
# step only copied, stays in effect. Confirm which file is intended.
cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd.pam
chmod u+x /etc/init.d/sshd
# Move the packaged systemd unit aside; presumably so that the init script
# above is the one that starts sshd. Confirm.
mv /usr/lib/systemd/system/sshd.service /usr/lib/systemd/system/sshd.service.bak
- 调整ssh配置
vim /etc/ssh/sshd_config
# Set the following directives.
# NOTE(review): direct root login combined with password authentication
# exposes the root account to password guessing, and firewalld was disabled
# earlier in this guide. Treat these values as a way to get back in after
# the upgrade; once key-based login is confirmed, tighten them to
# "PermitRootLogin prohibit-password" (or "no") and
# "PasswordAuthentication no".
PermitRootLogin yes
PasswordAuthentication yes
UseDNS no
UsePAM yes
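# Register the init script and enable sshd at boot
chkconfig --add sshd
chkconfig sshd on
systemctl daemon-reload
# Check the configuration first and restart only when it passes, so a
# mistake in sshd_config does not take the running daemon down.
# Keep the current session open and confirm a fresh ssh login from a second
# terminal before closing it.
sshd -t && systemctl restart sshd
systemctl status sshd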
五、验证
[root@localhost ~]# ssh -V
OpenSSH_8.6p1, OpenSSL 1.1.1k 25 Mar 2021