Upgrading OpenSSH 7.x to OpenSSH 9.6p1 (binary installation)

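This article describes in detail how to upgrade from openssh7.4p1 to openssh9.6p1 on the Linux host 192.168.20.113, including installing the dependency packages, compiling openssl 3.2.0 and zlib 1.3.1, and adjusting the SSH configuration to support encryption algorithms and root login.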


Upgrading OpenSSH 7.x to OpenSSH 9.6p1 (binary edition)

Kernel: Linux 192.168.20.11 3.10.0-862.el7.x86_64 #1 SMP Fri Apr 20 16:44:24 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

Operating system of the host being upgraded: CentOS 7

OpenSSH version before the upgrade: OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017

[Screenshot: OpenSSH version before the upgrade]

[Screenshot: OpenSSH version after the upgrade]

Before upgrading, upload soft.tar to the /root/ directory.

1. Install the dependency packages

yum -y install wget tar gcc make gcc-c++
yum -y install perl-IPC-Cmd 
yum install *Pod-Html -y
yum -y install pam-devel
yum install zlib-devel -y

2. Install telnet

# Install from the yum repository
]# yum -y install telnet xinetd telnet-server

# Offline install from rpm packages
]# cd /root/soft/telnet/centos7
]# rpm -Uvh *.rpm --nodeps --force

# Start telnet and xinetd
]# systemctl start telnet.socket
]# systemctl start xinetd

# Append the following entries to /etc/securetty
]# echo 'pts/0' >> /etc/securetty
]# echo 'pts/1' >> /etc/securetty

# Restart telnet
]# systemctl restart telnet.socket

# Enable at boot
]# systemctl enable telnet.socket
]# systemctl enable xinetd

# Verify that the installation is complete
]# rpm -qa | grep telnet
telnet-server-0.17-66.el7.x86_64
telnet-0.17-66.el7.x86_64
]# rpm -qa | grep xinetd
xinetd-2.3.15-14.el7.x86_64

# Test a remote login over telnet
]# telnet 192.168.10.128 23
Trying 192.168.10.128...
Connected to 192.168.10.128.
Escape character is '^]'.

Kernel 3.10.0-862.el7.x86_64 on an x86_64
192 login: root   # enter the account name
Password:      # enter the password (the input is not echoed)
Last login: Thu Feb 22 22:33:53 from 192.168.10.1
[root@192 ~]#

# If you see "Login incorrect", try the following steps
1. Edit /etc/pam.d/remote and comment out the line: auth       required     pam_securetty.so
2. Restart telnet and xinetd
Note: if the remote login succeeds at the first attempt, the second step can be skipped.
3. Compile and install zlib

Official download URL: https://zlib.net/zlib-1.3.1.tar.gz

]# cd /root/soft/zlib
]# tar -xf zlib-1.3.1.tar.gz
]# cd zlib-1.3.1
]# ./configure --prefix=/usr/local/zlib.1.3.1
]# make && make test && make install
]# ll /usr/local/zlib.1.3.1/
total 0
drwxr-xr-x 2 root root 35 Feb 22 23:09 include
drwxr-xr-x 3 root root 90 Feb 22 23:09 lib
drwxr-xr-x 3 root root 17 Feb 22 23:09 share
]# ldconfig -V
ldconfig (GNU libc) 2.17
Copyright (C) 2012 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Andreas Jaeger.
]# /sbin/ldconfig

4. Compile and install openssl

Official download URL: https://ftp.openssl.org/source/old/3.2/openssl-3.2.0.tar.gz

]# cd /root/soft/openssl
]# tar -xf openssl-3.2.0.tar.gz
]# cd openssl-3.2.0
]# ./config --prefix=/usr/local/openssl-3.2.0 --openssldir=/usr/shared
]# make clean && make -j 4 && make install

# Update the shared library cache (the libraries are installed under lib64, as the symlinks below show)
]# echo "/usr/local/openssl-3.2.0/lib64" >> /etc/ld.so.conf
]# ldconfig
]# mv /usr/bin/openssl{,.20240222.bak}
]# ln -s /usr/local/openssl-3.2.0/bin/openssl /usr/bin/openssl
]# ln -s /usr/local/openssl-3.2.0/lib64/libssl.so.3 /usr/lib64/libssl.so.3
]# ln -s /usr/local/openssl-3.2.0/lib64/libcrypto.so.3 /usr/lib64/libcrypto.so.3

# Check that the upgrade succeeded
]# openssl version -a 
OpenSSL 3.2.0 23 Nov 2023 (Library: OpenSSL 3.2.0 23 Nov 2023)
built on: Thu Feb 22 15:19:33 2024 UTC
platform: linux-x86_64
options:  bn(64,64)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DNDEBUG
OPENSSLDIR: "/usr/shared"
ENGINESDIR: "/usr/openssl-3.2.0/lib64/engines-3"
MODULESDIR: "/usr/openssl-3.2.0/lib64/ossl-modules"
Seeding source: os-specific
CPUINFO: OPENSSL_ia32cap=0xfefa32034f8bffff:0x9c27ab

5. Upgrade OpenSSH

Official download URL: https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.6p1.tar.gz

# Back up the configuration files
]# mkdir ~/ssh_20240222_bak
]# cp /etc/ssh/sshd_config ~/ssh_20240222_bak
]# cp /etc/pam.d/sshd ~/ssh_20240222_bak
# Remove the old OpenSSH version
]# rpm -e --nodeps `rpm -qa | grep openssh`
# Install OpenSSH
]# cd /root/soft/openssh
]# tar -xf openssh-9.6p1.tar.gz
]# cd openssh-9.6p1
]# ./configure --prefix=/usr/local/ssh --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/openssl-3.2.0 --with-zlib=/usr/local/zlib.1.3.1
]# chmod 0600 /etc/ssh/ssh_host_rsa_key
]# chmod 0600 /etc/ssh/ssh_host_ecdsa_key
]# chmod 0600 /etc/ssh/ssh_host_ed25519_key
]# make -j 4 && make install
]# /usr/local/ssh/bin/ssh -V
# Copy the new ssh files into place
]# cp -rf contrib/redhat/sshd.init /etc/init.d/sshd
]# cp -rf contrib/redhat/sshd.pam /etc/pam.d/sshd.pam
]# \cp -rf sshd_config /etc/ssh/sshd_config
]# cp -rf /usr/local/ssh/sbin/sshd /usr/sbin/sshd
]# \cp -rf /usr/local/ssh/bin/* /usr/bin/

# Enable sshd
]# \cp -rf /usr/local/ssh/sbin/sshd /usr/sbin/sshd
]# \cp -rf /usr/local/ssh/bin/ssh /usr/bin/ssh
]# \cp -rf /usr/local/ssh/bin/ssh-keygen /usr/bin/ssh-keygen
]# cp /root/soft/openssh/openssh-9.6p1/contrib/ssh-copy-id /bin/
]# chmod 0755 /bin/ssh-copy-id
]# chmod u+x /etc/init.d/sshd 
]# chkconfig --add sshd
]# chkconfig --list | grep sshd

Note: This output shows SysV services only and does not include native
      systemd services. SysV configuration data might be overridden by native
      systemd configuration.

      If you want to list systemd services use 'systemctl list-unit-files'.
      To see services enabled on particular target use
      'systemctl list-dependencies [target]'.

sshd           	0:off	1:off	2:on	3:on	4:on	5:on	6:off
]# chkconfig sshd on

# Allow root login
]# echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
]# echo "Subsystem sftp /usr/local/ssh/libexec/sftp-server" >> /etc/ssh/sshd_config

# Add key exchange and host key algorithms
]# echo "KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1" >> /etc/ssh/sshd_config
]# echo "HostKeyAlgorithms +ssh-rsa" >> /etc/ssh/sshd_config

# Restart the sshd service
]# /etc/init.d/sshd restart
]# /etc/init.d/sshd status

# Check the ssh version after the upgrade
]# ssh -V
OpenSSH_9.6p1, OpenSSL 3.2.0 23 Nov 2023

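Fixes for related errors

After upgrading to openssh9.6p1, scp transfers fail with "scp: Connection closed". Fix:

1. Open /etc/ssh/sshd_config, find the "Subsystem sftp /usr/libexec/sftp-server" entry, comment it out or delete it, then restart sshd.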
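
The following is an added example, not part of the original post: a POSIX shell check for the sshd_config that step 5 produces. It reports the SHA-1 key exchange algorithms, the ssh-rsa host key algorithm and "PermitRootLogin yes" that the guide appends, plus duplicate or non-existent "Subsystem sftp" paths such as the one behind the scp error above. The function name and finding codes are made up for this example, and the sample config is constructed.

```shell
#!/bin/sh
# Added example: report risky or broken settings in an sshd_config.
# Finding codes (WEAK_KEX, ROOT_LOGIN, ...) are names invented for this example.
audit_sshd_config() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # skip comments and blank lines
        { key = tolower($1) }                # keywords are case-insensitive
        (key == "kexalgorithms" || key == "hostkeyalgorithms") && $2 !~ /^-/ {
            n = split($2, alg, ",")
            for (i = 1; i <= n; i++) {
                a = alg[i]; sub(/^[+^]/, "", a)   # drop the append/prepend prefix
                if (key == "kexalgorithms" && a ~ /-sha1$/) print "WEAK_KEX", a
                if (key == "hostkeyalgorithms" && a == "ssh-rsa") print "SHA1_HOSTKEY_SIG", a
            }
        }
        key == "permitrootlogin" && tolower($2) == "yes" { print "ROOT_LOGIN", "yes" }
        key == "subsystem" && tolower($2) == "sftp" { path[++count] = $3 }
        END {
            if (count > 1) print "DUP_SUBSYSTEM_SFTP", count
            for (i = 1; i <= count; i++) print "SFTP_PATH", path[i]
        }
    ' "$1" | while read -r code value; do
        if [ "$code" != SFTP_PATH ]; then
            echo "$code $value"
        elif [ "$value" != internal-sftp ] && [ ! -x "$value" ]; then
            echo "SFTP_SERVER_MISSING $value"   # sftp and scp sessions would fail
        fi
    done
}

# Constructed sample: the default Subsystem line plus the lines this guide appends.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Subsystem sftp /usr/libexec/sftp-server
PermitRootLogin yes
Subsystem sftp /usr/local/ssh/libexec/sftp-server
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
HostKeyAlgorithms +ssh-rsa
EOF
audit_sshd_config "$sample"
rm -f "$sample"
```

On a live host, sshd -T prints the effective configuration after sshd has resolved defaults and repeated keywords, which is the authoritative view to compare against.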
