
CentOS 7: upgrading OpenSSL to OpenSSL 1.1.1i and OpenSSH to OpenSSH_8.3p1; 2. The OpenSSH upgrade reports PAM headers not found

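Environment

(Configure yum before starting.)

The whole process does not require uninstalling the original openssl and openssh RPM packages. They do not interfere with these steps.

The environments in this article all use the openssh that ships with the system and have never had openssh compiled and installed by hand. If you have previously compiled and installed openssh manually, follow this article and test for yourself whether it works.

Result after the upgrade on CentOS 7.6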


Install the dependency packages

The upgrade needs several components, some of them related to compiling.

[[email protected] app]#  yum install  -y gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel  pam-devel

Loaded plugins: fastestmirror

Loading mirror speeds from cached hostfile

 * base: mirrors.bfsu.edu.cn

 * epel: mirrors.bfsu.edu.cn

 * extras: mirrors.bfsu.edu.cn

 * updates: mirrors.bfsu.edu.cn

Package gcc-4.8.5-44.el7.x86_64 already installed and latest version

Package gcc-c++-4.8.5-44.el7.x86_64 already installed and latest version

Package glibc-2.17-317.el7.x86_64 already installed and latest version

Package 1:make-3.82-24.el7.x86_64 already installed and latest version

Package autoconf-2.69-11.el7.noarch already installed and latest version

Package 1:openssl-1.0.2k-19.el7.x86_64 already installed and latest version

Package 1:openssl-devel-1.0.2k-19.el7.x86_64 already installed and latest version

Package pcre-devel-8.32-17.el7.x86_64 already installed and latest version

Package pam-devel-1.1.8-23.el7.x86_64 already installed and latest version

Nothing to do

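Install pam, zlib and related packages (the later upgrade steps may not actually use pam, and installing it does no harm; if you do not want to install pam, test for yourself)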

 yum install  -y pam* zlib*

Download the openssh and openssl packages

https://ftp.openssl.org/source/


We download the latest version of each; download the packages the arrows point to.

https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/


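Start installing openssl

I usually keep installation packages and tools in the directory below. Put them wherever you prefer; it does not affect the installation.

Upload and extract, as follows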

[[email protected] app]# pwd

/opt/app

[[email protected] app]# ls -l
total 11268
drwxr-xr-x.  5 oracle oracle   12288 May 27  2020 openssh-8.3p1
-rw-r--r--.  1 root   root   1706358 Dec 14 16:52 openssh-8.3p1.tar.gz
drwxrwxr-x. 18 root   root      4096 Dec  8 21:20 openssl-1.1.1i
-rw-r--r--.  1 root   root   9808346 Dec 14 16:52 openssl-1.1.1i.tar.gz
This is currently the system default version; we will compare once the upgrade is finished.

[[email protected] app]# openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017
           

Back up the following 2 files or directories (run the commands if they exist)

[[email protected] ldf]# ll /usr/bin/openssl

-rwxr-xr-x. 1 root root 555288 Aug  9  2019 /usr/bin/openssl

[[email protected] ldf]# mv /usr/bin/openssl /usr/bin/openssl_bak

[[email protected] ldf]# ll /usr/include/openssl

[[email protected] ldf]# mv /usr/include/openssl /usr/include/openssl_bak

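Compile and install the new version of openssl

Run the three commands (configure, build, install) together

The && operator means the next command runs only if the previous one succeeded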

[[email protected] app]# cd /opt/app/openssl-1.1.1i

[[email protected] openssl-1.1.1i]# ./config shared && make && make install

[[email protected] openssl-1.1.1i]# ln -s /usr/local/bin/openssl    /usr/bin/openssl

[[email protected] openssl-1.1.1i]# ln -s /usr/local/include/openssl /usr/include/openssl

Run the following 2 commands on the command line to load the new configuration

echo "/usr/local/lib64" >> /etc/ld.so.conf

/sbin/ldconfig

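Install openssh

Upload the openssh tar package and extract it

The files may show a numeric uid and gid of 1000 by default, so reset the ownership here. Skipping this may not affect the installation either (test for yourself)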

[[email protected] openssh-8.3p1]# chown -R root.root /opt/app/openssh-8.3p1

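On the command line, delete the original ssh configuration files and directories

Then configure, build, and install

Note that the build-and-install command below is a single line. Remove the \ at the end of the first line, join everything into one line in a text editor, and then run it on the command line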

rm -rf /etc/ssh/*

./configure --prefix=/usr/ --sysconfdir=/etc/ssh  --with-openssl-includes=/usr/local/include/openssl --with-ssl-dir=/usr/local/bin   --with-zlib   --with-md5-passwords   --with-pam  && make && make install

Edit the configuration file so that it ends up with the following content; leave everything else untouched

[[email protected] openssh-8.3p1]# grep "^PermitRootLogin"  /etc/ssh/sshd_config

PermitRootLogin yes

[[email protected] openssh-8.3p1]# grep  "UseDNS"  /etc/ssh/sshd_config

#UseDNS no

UseDNS no

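Configure the algorithms used for connections from CRT or other tools such as PuTTY (without this, connections from those tools or ssh logins from other machines may fail)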


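Note: some bastion hosts may be set up to connect on port 10022, in which case the configuration must be changed

Add Port 10022 to /etc/ssh/sshd_config, otherwise the connection fails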
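A check for the sshd_config edits above, as an added example that is not part of the original article: sshd uses the first uncommented value it reads for options such as PermitRootLogin and UseDNS, so this script reports the value actually in effect, flags settings that appear more than once, and flags PermitRootLogin yes. The function names and the sample file are constructed for illustration; Match blocks and Include files are not evaluated.

```shell
#!/bin/sh
# Added example, not from the original article.
# sshd_config keywords are case-insensitive and, for single-valued options
# such as PermitRootLogin and UseDNS, the first uncommented value wins.
# Assumptions: global section only (stops at the first Match line) and
# no Include files.

# values KEYWORD FILE: every uncommented value, one per line, in file order
values() {
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        /^#/ || /^$/ { next }
        {
            n = match($0, /[ \t=]/)
            key = tolower(n ? substr($0, 1, n - 1) : $0)
            if (key == "match") exit
            if (key != want) next
            val = n ? substr($0, n) : ""
            sub(/^[ \t]*=?[ \t]*/, "", val)
            print val
        }' "$2"
}

# effective KEYWORD FILE: the value sshd would actually use
effective() { values "$1" "$2" | head -n 1; }

# audit FILE: prints findings; returns 1 if anything was flagged
audit() {
    rc=0
    for kw in PermitRootLogin UseDNS; do
        count=$(values "$kw" "$1" | wc -l)
        if [ "$count" -gt 1 ]; then
            echo "NOTE $kw is set $count times; only '$(effective "$kw" "$1")' applies"
            rc=1
        fi
    done
    if [ "$(effective PermitRootLogin "$1" | tr 'A-Z' 'a-z')" = "yes" ]; then
        echo "WARN PermitRootLogin yes: root may log in with any enabled method, passwords included"
        rc=1
    fi
    return "$rc"
}

# Constructed sample: the two settings from the article, plus a later
# PermitRootLogin line that sshd would ignore.
sample=$(mktemp)
printf '%s\n' 'PermitRootLogin yes' '#UseDNS no' 'UseDNS no' \
    'permitrootlogin prohibit-password' > "$sample"
audit "$sample" || true
```

On a host with the new sshd installed, sshd -t checks the file for syntax errors before a restart.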

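Copy some files from the extracted source package to their target locations (overwrite if the target already exists)

(The sshd.pam file below may not be used at all, because the sshd_config file does not seem to use it; test for yourself. I copied it anyway.)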

[[email protected] openssh-8.3p1]# cp -a contrib/redhat/sshd.init /etc/init.d/sshd

[[email protected] openssh-8.3p1]# cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd.pam

[[email protected] openssh-8.3p1]# chmod +x /etc/init.d/sshd

[[email protected] openssh-8.3p1]# chkconfig --add sshd

[[email protected] openssh-8.3p1]# systemctl enable sshd

[[email protected] openssh-8.3p1]# chkconfig

Note: This output shows SysV services only and does not include native

      systemd services. SysV configuration data might be overridden by native

      systemd configuration.

      If you want to list systemd services use 'systemctl list-unit-files'.

      To see services enabled on particular target use

      'systemctl list-dependencies [target]'.

netconsole      0:off   1:off   2:off   3:off   4:off   5:off   6:off

network         0:off   1:off   2:on    3:on    4:on    5:on    6:off

Delete or move away the original systemd-managed sshd unit file; if it is not moved, it interferes with restarting the sshd service

 mv  /usr/lib/systemd/system/sshd.service  /data/

Enable the sshd service at boot

[[email protected] openssh-8.3p1]# chkconfig sshd on

Note: Forwarding request to 'systemctl enable sshd.socket'.

Created symlink from /etc/systemd/system/sockets.target.wants/sshd.socket to /usr/lib/systemd/system/sshd.socket.

[[email protected] openssh-8.3p1]# chkconfig

Note: This output shows SysV services only and does not include native

      systemd services. SysV configuration data might be overridden by native

      systemd configuration.

      If you want to list systemd services use 'systemctl list-unit-files'.

      To see services enabled on particular target use

      'systemctl list-dependencies [target]'.

netconsole      0:off   1:off   2:off   3:off   4:off   5:off   6:off

network         0:off   1:off   2:on    3:on    4:on    5:on    6:off

sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off

Next, test stopping and starting the service. Everything works

From now on, manage sshd in the following ways

[[email protected] ~]# /etc/init.d/sshd restart

Restarting sshd (via systemctl):                           [  OK  ]

[[email protected] ~]#

Managing it with systemctl

[[email protected] ~]# systemctl stop sshd

[[email protected] ~]# netstat -lntp

Active Internet connections (only servers)

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name

tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      4669/sendmail: acce

[[email protected] ~]#

[[email protected] ~]#

[[email protected] ~]# systemctl start sshd

[[email protected]1 ~]# netstat -lntp

Active Internet connections (only servers)

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name

tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      9248/sshd: /usr/sbi

tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      4669/sendmail: acce

tcp6       0      0 :::22                   :::*                    LISTEN      9248/sshd: /usr/sbi

After a system reboot the sshd service starts automatically and the version numbers are correct

[[email protected] ~]# openssl version

OpenSSL 1.1.1i  8 Dec 2020

[[email protected] ~]# ssh -V

OpenSSH_8.3p1, OpenSSL 1.1.1i  8 Dec 2020

[[email protected] ~]#

Reference: https://www.cnblogs.com/nmap/p/10779658.html

Problems encountered

After installing openssl, running it reports that the library libssl.so.1.1 does not exist

Solution

echo "/usr/local/lib64" >> /etc/ld.so.conf

2. The openssh upgrade reports PAM headers not found

The following error appears when compiling openssh

./configure --prefix=/usr/ --sysconfdir=/etc/ssh  --with-openssl-includes=/usr/local/include/openssl --with-ssl-dir=/usr/local/bin   --with-zlib   --with-md5-passwords   --with-pam  && make && make install

configure: error: PAM headers not found

Solution

yum -y install pam-devel
