Upgrading OpenSSH to 9.0

Upgrading OpenSSH to version 9.0p1

1. Environment
Check the OpenSSH and OpenSSL versions

[root@localhost ~]# openssl version

OpenSSL 1.1.1m 14 Dec 2021

[root@localhost ~]# ssh -V

OpenSSH_8.9p1, OpenSSL 1.1.1i-fips 26 Jan 2017

Check the Linux distribution and kernel

[root@localhost ~]# cat /etc/os-release
OpenSSH_9.0p1, OpenSSL 1.1.1m  14 Dec 2021
[root@mdmapptest01 openssh-9.0p1]# cat /etc/os-release
NAME="Red Hat Enterprise Linux Server"
VERSION="7.2 (Maipo)"
ID="rhel"
ID_LIKE="fedora"
VERSION_ID="7.2"
PRETTY_NAME="Red Hat Enterprise Linux Server 7.2 (Maipo)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:redhat:enterprise_linux:7.2:GA:server"
HOME_URL="https://www.redhat.com/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"

REDHAT_BUGZILLA_PRODUCT="Red Hat Enterprise Linux 7"
REDHAT_BUGZILLA_PRODUCT_VERSION=7.2
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="7.2"

[root@localhost ~]# uname -r
3.10.0-327.el7.x86_64

2. Install and configure telnet
2.1 Install telnet-server

[root@localhost ~]# yum -y install xinetd telnet-server

2.2 Configure telnet
First check whether a telnet file exists in the xinetd.d directory

[root@localhost ~]# ll /etc/xinetd.d/telnet
ls: cannot access /etc/xinetd.d/telnet: No such file or directory

If it exists, change disable = no to disable = yes in that file
If it does not exist, do the following

[root@localhost ~]# cat > /etc/xinetd.d/telnet <<EOF
service telnet
{
disable = yes
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
}
EOF

2.3 Configure the terminal types allowed for telnet login

[root@localhost ~]# cat >> /etc/securetty <<EOF
pts/0
pts/1
pts/2
pts/3
EOF

2.4 Start the telnet service

[root@localhost ~]# systemctl enable xinetd --now
[root@localhost ~]# systemctl enable telnet.socket --now
[root@localhost ~]# ss -nltp | grep 23
LISTEN 0 128 :::23 :::* users:(("systemd",pid=1,fd=46))

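Port 23 is listening, which means the telnet service is running normally

3. Switch the login method to telnet
All of the following steps are performed over the telnet connection, so that an interrupted ssh session cannot cause the upgrade to fail
When logging in over telnet, make sure to select the right protocol and port: the protocol is telnet and the port is 23

4. Upgrade OpenSSH
4.1 Install the dependencies required for the upgrade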

[root@localhost ~]# yum -y install gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel pam-devel

4.2 Download OpenSSL and OpenSSH

OpenSSL website: https://www.openssl.org/
OpenSSH website: http://www.openssh.com/

[root@localhost ~]# wget https://www.openssl.org/source/openssl-1.1.1m.tar.gz
[root@localhost ~]# wget http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.0p1.tar.gz
[root@localhost ~]# cd /data/openssh9.0
[root@localhost ~]# tar -xf openssl-1.1.1m.tar.gz
[root@localhost ~]# tar -xf openssh-9.0p1.tar.gz

4.3 Compile and install OpenSSL
Before starting, back up the existing OpenSSL files

[root@localhost ~]# mv /usr/bin/openssl{,.bak}
[root@localhost ~]# mv /usr/include/openssl{,.bak}
[root@localhost ~]# cd openssl-1.1.1m/
[root@localhost openssl-1.1.1m]# ./config shared && make && make install

After the build completes, the openssl binary and directory can be found under /usr/local

[root@localhost ~]# ll /usr/local/bin/openssl
-rwxr-xr-x 1 root root 749136 Jan 14 14:25 /usr/local/bin/openssl
[root@localhost ~]# ll -d /usr/local/include/openssl/
drwxr-xr-x 2 root root 4096 Jan 14 14:25 /usr/local/include/openssl/

Create the symbolic links

[root@localhost ~]# ln -s /usr/local/bin/openssl /usr/bin/openssl
[root@localhost ~]# ln -s /usr/local/include/openssl/ /usr/include/openssl
[root@localhost ~]# ll /usr/bin/openssl
lrwxrwxrwx 1 root root 22 Jan 14 14:32 /usr/bin/openssl -> /usr/local/bin/openssl
[root@localhost ~]# ll -d /usr/include/openssl
lrwxrwxrwx 1 root root 27 Jan 14 14:33 /usr/include/openssl -> /usr/local/include/openssl/

Reload the linker configuration and verify the OpenSSL version

[root@localhost ~]# echo "/usr/local/lib64" >> /etc/ld.so.conf
[root@localhost ~]# /sbin/ldconfig
[root@localhost ~]# openssl version
OpenSSL 1.1.1i 8 Dec 2020

4.3.1 Errors you may encounter and how to fix them

[root@localhost ~]# openssl version
openssl: error while loading shared libraries: libssl.so.1.1: cannot open shared object file: No such file or directory

This happens because the libssl.so.1.1 file cannot be found. Run find / -name 'libssl.so.1.1' and change the lib64 path in /etc/ld.so.conf to the path that find returns.

[root@localhost ~]# find / -name "openssl"

After compiling, you can use the find command above to check where openssl and include/openssl are located.

4.4 Compile and install OpenSSH
Back up the existing ssh directory

[root@localhost ~]# mv /etc/ssh{,.bak}
[root@localhost ~]# mkdir /usr/local/openssh
[root@localhost ~]# cd openssh-9.0p1/
[root@localhost openssh-9.0p1]# ./configure --prefix=/usr/local/openssh \
--sysconfdir=/etc/ssh \
--with-openssl-includes=/usr/local/include \
--with-ssl-dir=/usr/local/lib64 \
--with-zlib \
--with-md5-passwords \
--with-pam && \
make && \
make install

4.4.1 Configure the sshd_config file

[root@localhost ~]# echo "UseDNS no" >> /etc/ssh/sshd_config
[root@localhost ~]# echo 'PermitRootLogin yes' >> /etc/ssh/sshd_config
[root@localhost ~]# echo 'PubkeyAuthentication yes' >> /etc/ssh/sshd_config
[root@localhost ~]# echo 'PasswordAuthentication yes' >> /etc/ssh/sshd_config

If the host runs a graphical interface and X11 is needed, add the following settings

[root@localhost ~]# echo "X11Forwarding yes" >> /etc/ssh/sshd_config
[root@localhost ~]# echo "X11UseLocalhost no" >> /etc/ssh/sshd_config                
[root@localhost ~]# echo "XAuthLocation /usr/bin/xauth" >> /etc/ssh/sshd_config
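
Added example, not part of the original post: sshd keeps the first value it reads for each keyword, so the lines appended in 4.4.1 only take effect when the keyword is not already set higher up in the file. The script below reports the value that wins in the global section and flags the two settings from 4.4.1 that accept password logins, including for root; the function names and the sample file are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). sshd uses the FIRST value it
# reads for each keyword, so a line appended with `echo ... >> sshd_config`
# is silently ignored when the same keyword is already set higher up.

# effective_value FILE KEYWORD DEFAULT
# Prints the value of KEYWORD from the global section (before any Match
# block), lowercased, or DEFAULT when the keyword is not set there.
effective_value() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v dflt="$3" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
        { sub(/[ \t]*=[ \t]*/, " ")              # accept "Keyword=value" too
          key = tolower($1) }
        key == "match" { exit }                  # global section ends here
        key == want { print tolower($2); found = 1; exit }
        END { if (!found) print dflt }
    ' "$1"
}

# audit_sshd_config FILE
# Prints one line per setting that accepts password logins and returns the
# number of findings as the exit status (0 means nothing was flagged).
audit_sshd_config() {
    local file=$1 findings=0
    # Fallback values are the built-in defaults of OpenSSH 7.0 and later.
    if [ "$(effective_value "$file" PermitRootLogin prohibit-password)" = "yes" ]; then
        echo "PermitRootLogin yes: root may authenticate with a password"
        findings=$((findings + 1))
    fi
    if [ "$(effective_value "$file" PasswordAuthentication yes)" = "yes" ]; then
        echo "PasswordAuthentication yes: password logins are accepted"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample: an earlier "PermitRootLogin no" overrides the
# "PermitRootLogin yes" that section 4.4.1 appends at the end of the file.
sample=$(mktemp)
printf '%s\n' '#Port 22' 'PermitRootLogin no' 'UseDNS no' \
    'PermitRootLogin yes' 'PasswordAuthentication yes' > "$sample"
effective_value "$sample" PermitRootLogin prohibit-password   # prints: no
audit_sshd_config "$sample" || true
rm -f "$sample"
```

On the upgraded host, run audit_sshd_config /etc/ssh/sshd_config after editing the file and /usr/sbin/sshd -t to catch syntax errors before restarting the service.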

4.4.2 Put the new sshd binaries in place

[root@localhost ~]# mv /usr/sbin/sshd{,.bak}
[root@localhost ~]# mv /usr/bin/ssh{,.bak}
[root@localhost ~]# mv /usr/bin/ssh-keygen{,.bak}
[root@localhost ~]# ln -s /usr/local/openssh/bin/ssh /usr/bin/ssh
[root@localhost ~]# ln -s /usr/local/openssh/bin/ssh-keygen /usr/bin/ssh-keygen
[root@localhost ~]# ln -s /usr/local/openssh/sbin/sshd /usr/sbin/sshd

Check the current OpenSSH version

[root@localhost ~]# ssh -V
OpenSSH_8.4p1, OpenSSL 1.1.1m 8 Dec 2021

4.4.3 Restart the OpenSSH service

[root@localhost ~]# systemctl disable sshd --now
[root@localhost ~]# mv /usr/lib/systemd/system/sshd.service{,.bak}
[root@localhost ~]# systemctl daemon-reload
[root@localhost ~]# cp -a /data/openssh/openssh-9.0p1/contrib/redhat/sshd.init /etc/init.d/sshd
[root@localhost ~]# cp -a /data/openssh/openssh-9.0p1/contrib/redhat/sshd.pam /etc/pam.d/sshd.pam
[root@localhost ~]# chkconfig --add sshd
[root@localhost ~]# systemctl enable sshd --now

4.5 Steps after the ssh connection succeeds

[root@localhost ~]# ssh root@172.30.******

Once the connection succeeds, the telnet service can be shut down; of course, it can also be left running

[root@localhost ~]# systemctl disable xinetd.service --now
[root@localhost ~]# systemctl disable telnet.socket --now
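
Added example, not part of the original post: a check for what sections 2.3 and 2.4 leave behind once ssh works again, namely a listener on port 23 and the pts/N lines appended to /etc/securetty. It matches the port exactly, whereas the grep 23 in section 2.4 would also match port 2323 or a pid containing 23; the function names and sample input are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): detect telnet leftovers.

# port_listening PORT   (reads `ss -nlt` output on stdin)
# Succeeds only when a LISTEN socket's local address ends in :PORT.
# Assumes the column layout shown in section 2.4 (local address in column 4).
port_listening() {
    awk -v port="$1" '
        $1 == "LISTEN" { n = split($4, part, ":"); if (part[n] == port) hit = 1 }
        END { exit (hit ? 0 : 1) }
    '
}

# securetty_pts FILE
# Prints the pts/N entries, i.e. the lines that section 2.3 appended.
securetty_pts() {
    grep -E '^pts/[0-9]+$' "$1" || true
}

# telnet_leftovers SS_OUTPUT_FILE SECURETTY_FILE
# Prints one line per finding and returns the number of findings.
telnet_leftovers() {
    local findings=0 entries
    if port_listening 23 < "$1"; then
        echo "port 23 is still listening: telnet sends the root password in cleartext"
        findings=$((findings + 1))
    fi
    entries=$(securetty_pts "$2")
    if [ -n "$entries" ]; then
        echo "securetty still allows root logins on:" $entries
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Constructed sample input: port 2323 must not count, port 23 must.
ss_out=$(mktemp); tty=$(mktemp)
printf '%s\n' 'LISTEN 0 128 *:2323 *:*' 'LISTEN 0 128 :::23 :::*' > "$ss_out"
printf '%s\n' console tty1 pts/0 pts/1 > "$tty"
telnet_leftovers "$ss_out" "$tty" || true
rm -f "$ss_out" "$tty"
```

On the upgraded host, save the output of ss -nlt to a file and pass it together with /etc/securetty.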