Upgrading OpenSSH to 8.9p1 on CentOS 7.6

1. Configure the yum repository
mkdir -p /media/cdrom
mount -o loop /tmp/CentOS-7-x86_64-DVD-1810.iso /media/cdrom

mv /etc/yum.repos.d /etc/yum.repos.d.bak
mkdir /etc/yum.repos.d
vi /etc/yum.repos.d/local.repo

[base-local]
name=CentOS-local
baseurl=file:///media/cdrom
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

2. Install telnet
yum -y install xinetd telnet-server
vi /etc/pam.d/login
Comment out this line so that it reads: #auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so

vi /etc/pam.d/remote
Comment out this line so that it reads: #auth required pam_securetty.so

Add the terminal devices from which the superuser may log in to /etc/securetty
cp /etc/securetty /etc/securetty.bak
echo "pts/0" >> /etc/securetty
echo "pts/1" >> /etc/securetty
echo "pts/2" >> /etc/securetty


Restart the telnet and xinetd services (the telnet service depends on xinetd)
systemctl restart telnet.socket && systemctl restart xinetd
systemctl enable telnet.socket
systemctl enable xinetd

3. Disable the firewall and SELinux
setenforce 0
sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config
cat /etc/selinux/config
systemctl stop firewalld.service
systemctl disable firewalld.service

Log out of SSH and log in as root over telnet
4. Upgrade SSH
Install the build dependencies
yum -y install gcc make perl zlib zlib-devel pam pam-devel
Stop the SSH service and back up its configuration
systemctl stop sshd
cp -r /etc/ssh /etc/ssh.old
List the openssh packages currently installed on the system
rpm -qa | grep openssh
openssh-7.4p1-16.el7.x86_64
openssh-clients-7.4p1-16.el7.x86_64
openssh-server-7.4p1-16.el7.x86_64
Remove the openssh packages
rpm -e --nodeps openssh-7.4p1-16.el7.x86_64
rpm -e --nodeps openssh-clients-7.4p1-16.el7.x86_64
rpm -e --nodeps openssh-server-7.4p1-16.el7.x86_64
Install zlib
Install its dependencies
yum install perl-Module-Load-Conditional perl-core gcc perl-CPAN perl-devel
tar -xvf zlib-1.2.11.tar.gz
cd zlib-1.2.11
./configure --prefix=/usr/local/zlib
make
make install

Verify that the zlib installation succeeded: /usr/local/zlib must contain the include, lib and share directories.
ll /usr/local/zlib
Configure zlib
echo '/usr/local/zlib/lib' >> /etc/ld.so.conf.d/zlib.conf
ldconfig -v

Install OpenSSL
yum remove openssl-devel
tar -xvf openssl-1.1.1m.tar.gz
cd openssl-1.1.1m
./config shared zlib
make         (takes a long time; do not interrupt it)
make test    (takes a long time; do not interrupt it)
A successful make test prints the following; if it does not, do not continue to make install:
All tests successful.
Files=158, Tests=2639, 94 wallclock secs ( 1.70 usr  0.27 sys + 64.77 cusr 39.75 csys = 106.49 CPU)
Result: PASS
make[1]: Leaving directory `/tmp/openssl-1.1.1m'
Otherwise find the cause (usually a missing dependency package), run make clean, then repeat make and make test.
make install     (takes a long time; do not interrupt it)

Configure OpenSSL
mv /usr/bin/openssl /usr/bin/openssl.bak
ln -s /usr/local/bin/openssl /usr/bin/openssl
ln -s /usr/local/include/openssl /usr/include/openssl
ln -s /usr/local/lib64/libssl.so.1.1 /usr/lib64/libssl.so.1.1
ln -s /usr/local/lib64/libcrypto.so.1.1 /usr/lib64/libcrypto.so.1.1
echo '/usr/local/ssl/lib' >> /etc/ld.so.conf.d/ssl.conf
echo '/usr/local/lib' >> /etc/ld.so.conf.d/ssl.conf
ldconfig -v
Check the OpenSSL version
openssl version -a
The version should now be:
OpenSSL 1.1.1m  14 Dec 2021

Upgrade SSH
tar -xvf openssh-8.9p1.tar.gz
cd openssh-8.9p1
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/ssl --with-zlib
make
chmod 600 /etc/ssh/ssh_host_rsa_key
chmod 600 /etc/ssh/ssh_host_ecdsa_key
chmod 600 /etc/ssh/ssh_host_ed25519_key
make install

Edit the configuration file to allow root to log in directly
echo "PasswordAuthentication yes"   >> /etc/ssh/sshd_config
echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
The SSH service must start automatically at boot, so a few settings are required
cp -p contrib/redhat/sshd.init /etc/init.d/sshd
chmod +x /etc/init.d/sshd
chkconfig --add sshd
chkconfig sshd on
systemctl restart sshd

Verify the SSH service and the SSH and SSL versions
systemctl status sshd
● sshd.service - SYSV: OpenSSH server daemon
   Loaded: loaded (/etc/rc.d/init.d/sshd; bad; vendor preset: enabled)
   Active: active (running) since Tue 2022-04-12 06:03:04 CST; 1min 5s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 69691 ExecStart=/etc/rc.d/init.d/sshd start (code=exited, status=0/SUCCESS)
 Main PID: 69701 (sshd)
    Tasks: 1
   CGroup: /system.slice/sshd.service
           └─69701 sshd: /usr/sbin/sshd [listener] 0 of 10-100 startups

Apr 12 06:03:04 centos7n2 systemd[1]: Starting SYSV: OpenSSH server daemon...
Apr 12 06:03:04 centos7n2 sshd[69701]: Server listening on 0.0.0.0 port 22.
Apr 12 06:03:04 centos7n2 sshd[69701]: Server listening on :: port 22.
Apr 12 06:03:04 centos7n2 sshd[69691]: Starting sshd:[  OK  ]
Apr 12 06:03:04 centos7n2 systemd[1]: Started SYSV: OpenSSH server daemon.

ssh -V
OpenSSH_8.9p1, OpenSSL 1.1.1m  14 Dec 2021
Logging in to the host over SSH now works normally.
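An added post-upgrade check script for the procedure above; it is not part of the original post. It takes the expected version strings from the ssh -V output shown above and assumes the default /etc/ssh directory and ssh_host_*_key file names; ssh, sshd and GNU stat are assumed to be available when the live checks run. The function names are this example's own.

```shell
#!/bin/bash
# Added example, not part of the original post: post-upgrade checks for the steps above.
# Expected version strings come from the post's own "ssh -V" output; /etc/ssh and the
# ssh_host_*_key file names are the defaults the post uses. Everything else is an assumption.

EXPECTED_SSH="OpenSSH_8.9p1"
EXPECTED_SSL="OpenSSL 1.1.1m"

# check_version_string "<output of ssh -V>"
# Returns 0 when the banner names both the expected OpenSSH release and the expected
# linked OpenSSL, 1 otherwise. ssh -V writes to stderr, so callers pass "$(ssh -V 2>&1)".
check_version_string() {
    case "$1" in
        "$EXPECTED_SSH, $EXPECTED_SSL"*) return 0 ;;
        *) return 1 ;;
    esac
}

# hostkey_perm_violations <dir>
# Lists private host keys under <dir> whose mode is not exactly 0600 (the rebuilt sshd
# refuses keys readable by group or others, which is why the post runs chmod 600).
# Returns the number of offending keys, so 0 means every key is fine.
hostkey_perm_violations() {
    dir=$1
    count=0
    for key in "$dir"/ssh_host_*_key; do
        [ -f "$key" ] || continue
        mode=$(stat -c '%a' "$key")      # GNU stat, as on CentOS
        if [ "$mode" != "600" ]; then
            echo "mode $mode (want 600): $key"
            count=$((count + 1))
        fi
    done
    return "$count"
}

# Run the checks against the live system when the tools are present.
if command -v ssh >/dev/null 2>&1; then
    banner=$(ssh -V 2>&1)
    if check_version_string "$banner"; then
        echo "version OK: $banner"
    else
        echo "unexpected version: $banner"
    fi
fi
if [ -d /etc/ssh ]; then
    if hostkey_perm_violations /etc/ssh; then
        echo "host key permissions OK"
    else
        echo "fix with: chmod 600 /etc/ssh/ssh_host_*_key"
    fi
fi
if command -v sshd >/dev/null 2>&1; then
    # sshd -t checks the configuration and keys without starting the daemon;
    # run it before "systemctl restart sshd" so a typo cannot lock you out.
    if sshd -t 2>/dev/null; then
        echo "sshd configuration OK"
    else
        echo "sshd -t reported a problem; do not restart sshd yet"
    fi
fi
```

Run it as root after make install and before systemctl restart sshd; keep the telnet session open until all three checks pass.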

Reboot the host; once the SSH service is confirmed to work normally, wait a week before removing the telnet service
systemctl stop telnet.socket && systemctl stop xinetd
systemctl disable telnet.socket && systemctl disable xinetd
yum remove xinetd telnet-server

vi /etc/pam.d/login
Uncomment the line (remove the leading #): auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so

vi /etc/pam.d/remote
Uncomment the line (remove the leading #): auth required pam_securetty.so

After upgrading to OpenSSH 8.9p1, some older versions of SecureCRT can no longer log in over SSH, because some host-key and key-exchange algorithms are no longer enabled by default. This can be handled by editing the configuration file.

vi /etc/ssh/sshd_config and add the following:

HostKeyAlgorithms=+ssh-rsa,ssh-dss
KexAlgorithms=+diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

Save, then restart the SSH service with systemctl restart sshd.
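An added audit helper, not part of the original post, that lists which legacy algorithms an sshd_config enables through the HostKeyAlgorithms and KexAlgorithms lines added above, so the exception made for old SecureCRT clients stays visible and can be reviewed and removed later. The sample configuration inside it is constructed; the function name legacy_algorithms and the SAMPLE_CONFIG variable are this example's own.

```shell
#!/bin/bash
# Added example, not part of the original post: audit an sshd_config for the legacy
# algorithms the post re-enables for old SecureCRT clients (ssh-rsa/ssh-dss host keys
# and SHA-1 key exchange), so the exception stays visible and can be reviewed later.
# The sample configuration below is constructed for this demonstration.

# legacy_algorithms <sshd_config>
# Prints one "Keyword algorithm" line per legacy algorithm found on HostKeyAlgorithms or
# KexAlgorithms lines; commented lines are ignored. Returns 0 if any were found, 1 if clean.
legacy_algorithms() {
    file=$1
    found=0
    while IFS= read -r line; do
        line=${line#"${line%%[![:space:]]*}"}        # trim leading whitespace
        case "$line" in
            \#*|'') continue ;;
        esac
        # sshd accepts "Keyword value" and "Keyword=value"; split on either separator
        keyword=${line%%[[:space:]=]*}
        value=${line#"$keyword"}
        value=${value#"${value%%[![:space:]=]*}"}    # drop the separator run
        case "$keyword" in
            HostKeyAlgorithms|KexAlgorithms) ;;
            *) continue ;;
        esac
        value=${value#[+^-]}       # strip the +/-/^ list operator
        old_ifs=$IFS
        IFS=,
        # ssh-rsa and ssh-dss sign with SHA-1; *-sha1 covers the SHA-1 DH groups
        for algo in $value; do
            case "$algo" in
                ssh-rsa|ssh-dss|*-sha1)
                    echo "$keyword $algo"
                    found=1 ;;
            esac
        done
        IFS=$old_ifs
    done < "$file"
    [ "$found" -eq 1 ]
}

# Constructed sample: the post's sshd_config additions on top of a default-looking file.
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
Port 22
PasswordAuthentication yes
PermitRootLogin yes
# HostKeyAlgorithms=+ssh-dss   (commented out, must not be reported)
HostKeyAlgorithms=+ssh-rsa,ssh-dss
KexAlgorithms=+diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
EOF

if legacy_algorithms "$SAMPLE_CONFIG"; then
    echo "legacy algorithms enabled in $SAMPLE_CONFIG (listed above)"
else
    echo "no legacy algorithms enabled"
fi
```

Run it as legacy_algorithms /etc/ssh/sshd_config on the real file; a zero exit status means at least one legacy algorithm is enabled, and the printed lines name which ones, so the entry can be dropped again once the old clients are upgraded.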
