To avoid being locked out if the SSH service becomes unreachable partway through the OpenSSH upgrade, install a telnet service first; if the ssh connection is lost, you can still reach the server over telnet. Telnet carries credentials in cleartext, so enable it only for the maintenance window, reach it only from a trusted network, and remove it again afterwards (section III).
I. Install the telnet service
yum install xinetd           # dependency (telnet-server runs under xinetd)
yum install telnet           # client
yum install telnet-server    # server
vim /etc/xinetd.d/telnet
service telnet
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
#disable = yes    [comment out the disable = yes line with #, as here, or change yes to no]
}
Telnet login settings
1. Log in to the system over ssh (or by another means) and edit the PAM configuration for login. The change below comments out the pam_securetty.so line, which is what restricts root logins to the terminals listed in /etc/securetty. With it commented out, root can log in from any pseudo-terminal and the /etc/securetty edit in step 2 has no effect; if you would rather keep that safeguard, leave the line active and rely on step 2 alone. Either way, restore the original file when telnet is removed (section III).
Run: vim /etc/pam.d/login
vim /etc/pam.d/login
#%PAM-1.0
#auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include system-auth
-session optional pam_ck_connector.so
2. securetty settings
Edit securetty: vim /etc/securetty
vim /etc/securetty
console
vc/1
vc/2
vc/3
vc/4
tty1
tty2
tty3
pts/0
pts/1
Add pts/0 (and pts/1 if you want a second concurrent session) to the securetty file, save and exit, then restart the telnet service. If you intend to put the original file back later, copy it to /etc/securetty.bak before editing; the teardown in section III expects that backup. If iptables is running, 23/tcp must also be allowed through, or telnet will not be reachable.
Restart the telnet service (it runs under xinetd): /etc/init.d/xinetd restart
/etc/init.d/xinetd restart
3. Run tail -f /var/log/secure and watch the login log while you test a telnet login:
tail -f /var/log/secure
Jun 29 16:22:15 localhost login: FAILED LOGIN 1 FROM 77.241.193.14 FOR root, Authentication failure
Jun 29 16:22:16 localhost login: pam_unix(remote:auth): check pass; user unknown
Jun 29 16:22:16 localhost login: pam_unix(remote:auth): authentication failure; logname= uid=0 euid=0 tty=pts/3 ruser= rhost=77.241.193.14
If the log shows Authentication failure, go back to step 2 and confirm that the terminal (pts/N) is listed in /etc/securetty and that xinetd was actually restarted.
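The steps above edit two files by hand and the teardown later assumes a backup that was never made. The following helpers, written for this edit and not part of the original post, apply the same two changes idempotently (pts/N entries in securetty, disable = no in the xinetd service file), keep a one-time pristine copy as FILE.bak, and restore it for the teardown. File paths are parameters so the functions can be exercised against temporary copies; the defaults are the real files from the post.

```shell
#!/bin/bash
# Added example (not from the original post): idempotent telnet-fallback
# setup and teardown helpers for steps 1-2 above.

# Keep one pristine copy of FILE as FILE.bak; never overwrite an existing backup.
backup_once() {
    local file="$1"
    [ -f "$file.bak" ] || cp -p "$file" "$file.bak"
}

# enable_securetty_pts [FILE] [COUNT]
# Ensure pts/0 .. pts/COUNT-1 are listed, so pam_securetty lets root log in
# on that many concurrent telnet sessions. Re-running adds nothing.
enable_securetty_pts() {
    local file="${1:-/etc/securetty}" count="${2:-2}" i
    backup_once "$file"
    for i in $(seq 0 $((count - 1))); do
        grep -qx "pts/$i" "$file" || printf 'pts/%d\n' "$i" >> "$file"
    done
}

# enable_xinetd_service [FILE]
# Set "disable = no" inside the service block, whether the stock line reads
# "disable = yes", is commented out (as in the post), or is missing entirely.
enable_xinetd_service() {
    local file="${1:-/etc/xinetd.d/telnet}"
    backup_once "$file"
    if grep -Eq '^[[:space:]]*#?[[:space:]]*disable[[:space:]]*=' "$file"; then
        sed -i -E 's/^[[:space:]]*#?[[:space:]]*disable[[:space:]]*=.*/        disable         = no/' "$file"
    else
        # No disable line at all: add one just before the closing brace.
        sed -i 's/^}/        disable         = no\n}/' "$file"
    fi
}

# xinetd_service_enabled FILE -> exit 0 if the block has a live "disable = no"
xinetd_service_enabled() {
    grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*no[[:space:]]*$' "$1"
}

# restore_backup FILE -> put the pristine copy back (section III teardown);
# exit 1 if there is no backup to restore.
restore_backup() {
    local file="$1"
    if [ -f "$file.bak" ]; then mv -f "$file.bak" "$file"; else return 1; fi
}

# Typical use on the real host, as root, then restart xinetd and check port 23:
#   enable_securetty_pts /etc/securetty 2
#   enable_xinetd_service /etc/xinetd.d/telnet
#   /etc/init.d/xinetd restart && ss -ltn | grep -q ':23 ' && echo "telnet listening"
# Teardown:
#   restore_backup /etc/securetty; restore_backup /etc/xinetd.d/telnet
```

The backup_once guard matters: if you run the setup twice, the second run must not clobber the pristine copy with an already-edited file, or the teardown restores the wrong thing.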
II. OpenSSH upgrade
Check the system environment
The bundled openssl meets the build requirement (OpenSSH 8.0p1 needs OpenSSL 1.0.1 or later) and the bundled zlib satisfies that dependency. If your versions are older, upgrade them first, then upgrade openssh.
[root@localhost ~]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
[root@localhost ~]# rpm -q zlib
zlib-1.2.3-29.el6.x86_64
[root@localhost ~]# rpm -q zlib-devel
zlib-devel-1.2.3-29.el6.x86_64
Install the required components
Install build dependencies
yum install -y gcc gcc-c++ glibc make autoconf openssl-devel pcre-devel pam-devel rpm-build
Upgrade the openssh version
1. Download the package: wget -P /usr/local/src https://cikeblog.com/e/openssh-8.0p1.tar.gz
   Note that this URL is a third-party mirror, not openssh.com. Before building, verify the tarball against the checksum and PGP signature published with the official release (or fetch it from an official mirror); a tampered sshd is a backdoor into the whole server.
wget -P /usr/local/src https://cikeblog.com/e/openssh-8.0p1.tar.gz
--2020-06-29 16:30:25-- https://cikeblog.com/e/openssh-8.0p1.tar.gz
Resolving cikeblog.com... 159.138.1.106
Connecting to cikeblog.com|159.138.1.106|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1597697 (1.5M) [application/octet-stream]
Saving to: “/usr/local/src/openssh-8.0p1.tar.gz”
100%[==================================================================================>] 1,597,697 522K/s in 3.0s
2020-06-29 16:30:29 (522 KB/s) - “/usr/local/src/openssh-8.0p1.tar.gz” saved [1597697/1597697]
2. Remove the system's own openssh packages. Back up /etc/ssh first (sshd_config and the host keys): rpm -e keeps only modified config files, as .rpmsave. Keep your current ssh session open throughout; it is your way back if the new sshd fails to start, apart from telnet.
rpm -qa | grep openssh
rpm -e `rpm -qa|grep openssh` --nodeps
3. Unpack the openssh package
cd /usr/local/src && tar -zxf openssh-8.0p1.tar.gz && cd openssh-8.0p1
4. Build and install. --with-tcp-wrappers is a leftover from older guides: libwrap support was removed in OpenSSH 6.7, so configure only prints an "unrecognized options" warning and /etc/hosts.allow no longer gates sshd. --with-md5-passwords and --with-pam are still valid.
./configure --prefix=/usr/ --sysconfdir=/etc/ssh --with-zlib --with-md5-passwords --with-pam --with-tcp-wrappers
make -j4 && make install
5. Edit the configuration file. The first sed turns on PermitRootLogin yes, which is weaker than the 8.0 default (prohibit-password: root may log in with a key but never a password); keep the default unless root password logins are genuinely required. make install also leaves UsePAM commented out (so PAM is off); if you want the system PAM stack to apply, set UsePAM yes and copy contrib/redhat/sshd.pam to /etc/pam.d/sshd, since rpm -e removed the packaged one.
sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin\ yes/g' /etc/ssh/sshd_config
sed -i 's/#PermitEmptyPasswords\(.*\)/PermitEmptyPasswords\ no/g' /etc/ssh/sshd_config
cp contrib/redhat/sshd.init /etc/init.d/sshd
chkconfig --add sshd
chkconfig sshd on
6. Restart. Validate the configuration first with /usr/sbin/sshd -t (it prints nothing when the config is accepted), then start the service; the restart is a no-op if start already succeeded.
service sshd start
service sshd restart
ssh -V
After the upgrade, open a new ssh session and confirm you can log in before closing the existing one; ssh -V should report OpenSSH_8.0p1.
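The download, the sed edits and the restart in steps 1, 5 and 6 are the three places where this procedure can go wrong silently: an unverified tarball, a sed that matches nothing (or appends after a Match block), and a restart that kills the only working sshd. The helpers below were written for this edit and are not from the original post; they assume the page's CentOS 6 layout (/usr/sbin/sshd, /etc/ssh/sshd_config, the service command). No checksum is hard-coded: the expected hash must come from the official OpenSSH release announcement, not from the mirror the tarball was fetched from.

```shell
#!/bin/bash
# Added example (not from the original post): guard rails around steps 1, 5 and 6.
#   verify_sha256 FILE HASH         refuse to build a tarball with the wrong digest
#   set_sshd_option FILE KEY VALUE  idempotent sshd_config edit; works whether the
#                                   key is commented out, already set, or absent
#   sshd_option FILE KEY            effective (first live) value of a directive
#   harden_sshd_config FILE         the settings to apply instead of PermitRootLogin yes
#   safe_sshd_restart [CONFIG]      restart only after "sshd -t" accepts the config

verify_sha256() {
    local file="$1" expected="$2" actual
    actual=$(sha256sum "$file" | awk '{print $1}') || return 2
    if [ "$actual" != "$expected" ]; then
        echo "sha256 mismatch for $file: got $actual, expected $expected" >&2
        return 1
    fi
}

set_sshd_option() {
    local file="$1" key="$2" value="$3"
    local re="^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|$)"
    if grep -Eq "$re" "$file"; then
        # Rewrite the first occurrence in place (commented or live) so the
        # directive keeps its position; sshd honours the first value it sees.
        sed -i -E "0,/${re}/s/${re}.*/${key} ${value}/" "$file"
    else
        # Prepend rather than append: a line added after a "Match" block
        # would only apply inside that block.
        { printf '%s %s\n' "$key" "$value"; cat "$file"; } > "$file.tmp"
        cat "$file.tmp" > "$file" && rm -f "$file.tmp"   # keeps mode and owner
    fi
}

# First uncommented value of KEY (keys are case-insensitive); ignores Match scoping.
sshd_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

harden_sshd_config() {
    local file="$1"
    set_sshd_option "$file" PermitRootLogin prohibit-password   # root by key only
    set_sshd_option "$file" PermitEmptyPasswords no
    # make install ships "#UsePAM no"; with UsePAM yes, /etc/pam.d/sshd must
    # exist (copy contrib/redhat/sshd.pam there) or every login is denied.
    set_sshd_option "$file" UsePAM yes
}

safe_sshd_restart() {
    local cfg="${1:-/etc/ssh/sshd_config}"
    if ! /usr/sbin/sshd -t -f "$cfg"; then
        echo "sshd rejected $cfg; leaving the running daemon alone" >&2
        return 1
    fi
    service sshd restart
}

# On the real host, as root:
#   verify_sha256 /usr/local/src/openssh-8.0p1.tar.gz "<hash from the release announcement>"
#   harden_sshd_config /etc/ssh/sshd_config
#   safe_sshd_restart && ssh -V
```

The page's own setting is still one call away (set_sshd_option /etc/ssh/sshd_config PermitRootLogin yes); the point of harden_sshd_config is that the safer value is the default one, so it should be the deliberate choice rather than the accidental one.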
III. Remove the telnet service
Restore the original securetty (the backup made in section I, step 2) and re-enable the pam_securetty line in /etc/pam.d/login, stop and disable xinetd, turn iptables back on if it was stopped to let telnet through, and remove the packages.
mv /etc/securetty.bak /etc/securetty
service xinetd stop
chkconfig xinetd off
service iptables start
chkconfig iptables on
yum remove telnet-server xinetd