前提
系统环境为:CentOS 6.8 ,
OpenSSH版本为:OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
目标:升级OpenSSH 到最新版本OpenSSH_7.7p1 (2018-04)
原因:因老版存在很多漏洞,因此需要升级到最新版本。
网络环境:服务器所在区域无法上网,需要离线安装所有软件和依赖包
相关资源:
CentOS 6.8 软件资源:http://vault.centos.org/6.8/os/x86_64/Packages/
OpenSSH 软件资源:https://cloudflare.cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/
安装简化步骤:
1. 安装telnet-server (防止ssh更新时网络断开无法连接)
rpm -ivh telnet-server-0.17-48.el6.x86_64.rpm
2. 安装xinetd
rpm -ivh xinetd-2.3.14-40.el6.x86_64.rpm
将telnet在xinetd的配置中启用
vi /etc/xinetd.d/telnet
disable = no # 启用telnet
service xinetd start # 启动telnet
测试telnet是否可用。
3. 备份原始ssh配置cp -rf /etc/ssh /etc/ssh.bak
4. 安装vsftpd (防止sftp 无法使用时,使用ftp传文件)
rpm -ivh vsftpd-2.2.2-21.el6.x86_64.rpmvsftp的相关配置省略。
5. 安装ftp-client
rpm -ivh ftp-0.17-54.el6.x86_64.rpm
6. 安装openssh相关依赖包和编译环境
顺序安装gcc, libstdc++-devel,gcc-c++,zlib-devel,keyutils-libs-devel,libcom_err-devel,libsepol-devel,pkgconfig(libsepol),libselinux-devel,krb5-devel,openssl-devel
gcc-4.4.7-17.el6.x86_64.rpm
libstdc++-devel-4.4.7-17.el6.x86_64.rpm
zlib-devel-1.2.3-29.el6.x86_64.rpm
keyutils-libs-devel-1.4-5.el6.x86_64.rpm
libcom_err-devel-1.41.12-22.el6.x86_64.rpm
libsepol-devel-2.0.41-4.el6.x86_64.rpm
pkgconfig-0.23-9.1.el6.x86_64.rpm
libselinux-devel-2.0.94-7.el6.x86_64.rpm
krb5-devel-1.10.3-57.el6.x86_64.rpm
openssl-devel-1.0.1e-48.el6.x86_64.rpm
7. 卸载旧版sshyum remove openssh -y
8. 安装新版ssh
tar -zxvf openssh-7.7p1.tar.gz
cd openssh-7.7p1
./configure
make
make install
如果openssh不设置安装路径,默认安装路径为:
User binaries: /usr/local/bin
System binaries: /usr/local/sbin
Configuration files: /usr/local/etc
Askpass program: /usr/local/libexec/ssh-askpass
Manual pages: /usr/local/share/man/manX
PID file: /var/run
Privilege separation chroot path: /var/empty
sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
9. 设置ssh开机启动将安装源程序目录下的/openssh-7.7p1/contrib/redhat/sshd.init 复制到 /etc/init.d/sshd
vi /etc/init.d/sshd #修改sshd文件
SSHD=/usr/local/sbin/sshd
/usr/local/bin/ssh-keygen -A
/sbin/restorecon /usr/local/etc/ssh_host_rsa_key.pub
/sbin/restorecon /usr/local/etc/ssh_host_dsa_key.pub
/sbin/restorecon /usr/local/etc/ssh_host_ecdsa_key.pub
将sshd添加到服务
chkconfig --add sshd
允许root远程登录
vim /usr/local/etc/sshd_config #配置sshd_config文件
PermitRootLogin yes #允许root登录
启动sshd服务
service sshd restart
查看ssh的版本
ssh -V
OpenSSH_7.7p1, OpenSSL 1.0.1e-fips 11 Feb 2013