centos 6.5默认安装的openssl 和 openssh版本太久,之间暴露严重的漏洞,所以必须升级
下载
[root@local ~]# wget http://distfiles.macports.org/openssl/openssl-1.0.2n.tar.gz
[root@local ~]# wget http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.6p1.tar.gz
1. 查看环境
[root@local ~]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
[root@local ~]# rpm -q zlib
zlib-1.2.3-29.el6.x86_64
[root@local ~]# rpm -q zlib-devel
package zlib-devel is not installed
2. 安装依赖
[root@local ~]# yum install -y gcc zlib-devel pam-devel
3. 卸载原有ssl ssh
[root@local ~]# yum remove -y openssh
[root@local ~]# rpm -qa | grep openssl | xargs rpm -e --nodeps
4. 安装openssl,下载openssl要求 1.0.2版本,1.0.1版本有严重安全漏洞,1.1.x版本不支持最新的openssh
[root@local ~]# tar -zxvf openssl-1.0.2n.tar.gz
[root@local ~]# cd openssl-1.0.2n/
[root@local ~]# ./config --prefix=/usr --shared
[root@local ~]# make
[root@local ~]# make test
[root@local ~]# make install
5. 备份原有ssh配置文件
[root@local ~]# mv /etc/ssh/ /etc/ssh.bak
6. 安装openssh
[root@local ~]# tar -zxvf openssh-7.6p1.tar.gz
[root@local ~]# cd openssh-7.6p1/
[root@local ~]# ./configure --prefix=/usr --with-zlib --sysconfdir=/etc/ssh --with-ssl-dir=/usr --with-md5-passwords --with-pam
[root@local ~]# make
[root@local ~]# make install
7. 配置
[root@local ~]# cp contrib/redhat/sshd.init /etc/init.d/sshd
[root@local ~]# chkconfig --add sshd //加入开机启动
[root@local ~]# chkconfig sshd on
[root@local ~]# chkconfig sshd --list
8. 允许root登陆
[root@local ~]# vim /etc/ssh/sshd_config
PermitRootLogin yes 将这一句加入到配置中,则允许root登陆
9. 启动
[root@local ~]# /etc/init.d/sshd start
10. 其他
[root@local ~]# cd /usr/lib64/
[root@local ~]# ln -s /usr/lib64/libssl.so.1.0.0 libssl.so.10
[root@local ~]# ln -s /usr/lib64/libcrypto.so.1.0.0 libcrypto.so.10