Environment
(Have yum configured before you start.)
The whole process does not require uninstalling the existing openssl and openssh RPM packages; they do not get in the way. Two consequences are worth knowing, though. First, OpenSSH is installed below with `--prefix=/usr`, so the new binaries overwrite files owned by the openssh RPMs: `rpm -V openssh-server` will report them as modified, and a later `yum update` of those packages would quietly put the RPM's older sshd back, so add `exclude=openssh*` to /etc/yum.conf (or use yum-versionlock) once you are done. Second, the RPM's OpenSSL libraries (libssl.so.10 and libcrypto.so.10 in /usr/lib64) stay in place and every other program on the box keeps using them; only the `openssl` command and the freshly built sshd move to 1.1.1, so do not exclude openssl from yum updates.
This article uses the OpenSSH that ships with the system; it has never been built from source before. If you have previously installed OpenSSH from source, use this article as a guide and test whether it works for you.
What it looks like on CentOS 7.6 after the upgrade
![](https://img.laitimes.com/img/9ZDMuAjOiMmIsIjOiQnIsIyZuBnL2YTOzMjN1YTM0EjMxAjMwIzLc52YucWbp5GZzNmLn9Gbi1yZtl2Lc9CX6MHc0RHaiojIsJye.png)
Install dependency packages
The upgrade needs a few components, some of them for compiling.
[[email protected] app]# yum install -y gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel pam-devel
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.bfsu.edu.cn
* epel: mirrors.bfsu.edu.cn
* extras: mirrors.bfsu.edu.cn
* updates: mirrors.bfsu.edu.cn
Package gcc-4.8.5-44.el7.x86_64 already installed and latest version
Package gcc-c++-4.8.5-44.el7.x86_64 already installed and latest version
Package glibc-2.17-317.el7.x86_64 already installed and latest version
Package 1:make-3.82-24.el7.x86_64 already installed and latest version
Package autoconf-2.69-11.el7.noarch already installed and latest version
Package 1:openssl-1.0.2k-19.el7.x86_64 already installed and latest version
Package 1:openssl-devel-1.0.2k-19.el7.x86_64 already installed and latest version
Package pcre-devel-8.32-17.el7.x86_64 already installed and latest version
Package pam-devel-1.1.8-23.el7.x86_64 already installed and latest version
Nothing to do
Install pam and zlib. (The `--with-pam` and `--with-zlib` options used to build OpenSSH below need the pam-devel and zlib-devel headers; the PAM error in the problems section at the end is what you get without pam-devel. pam-devel is already pulled in above, so this line mainly adds zlib-devel.)
yum install -y pam* zlib*
Download the openssh and openssl packages
https://ftp.openssl.org/source/
We download the latest version of each (the package the arrow points to). Fetch the signature files that sit next to the tarballs as well (`.asc` for OpenSSL and for OpenSSH portable; OpenSSL also publishes a `.sha256`) and verify them before building: these two tarballs become the complete code of the daemon that guards root on this machine, and openbsd.hk is a mirror, not the project.
https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/
Install openssl
I usually keep install packages and tools under the directory below. Put them wherever you like; it does not affect the install.
Upload and unpack as follows
[[email protected] app]# pwd
/opt/app
[[email protected] app]# ls -l
total 11268
drwxr-xr-x. 5 oracle oracle 12288 May 27 2020 openssh-8.3p1
-rw-r--r--. 1 root root 1706358 Dec 14 16:52 openssh-8.3p1.tar.gz
drwxrwxr-x. 18 root root 4096 Dec 8 21:20 openssl-1.1.1i
-rw-r--r--. 1 root root 9808346 Dec 14 16:52 openssl-1.1.1i.tar.gz
This is the version the system ships with; compare it after the upgrade.
[[email protected] app]# openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017
Back up the following two files/directories (run these only if they exist). Be aware of what replacing /usr/include/openssl does later on: anything compiled on this box afterwards sees 1.1.1 headers but, unless told otherwise, links the RPM's 1.0.2 libraries in /usr/lib64, which is a header/library mismatch waiting to happen for the next thing you build here.
[[email protected] ldf]# ll /usr/bin/openssl
-rwxr-xr-x. 1 root root 555288 Aug 9 2019 /usr/bin/openssl
[[email protected] ldf]# mv /usr/bin/openssl /usr/bin/openssl_bak
[[email protected] ldf]# ll /usr/include/openssl
[[email protected] ldf]# mv /usr/include/openssl /usr/include/openssl_bak
Build and install the new openssl
Run configure, compile and install as one command
`&&` means each command runs only if the one before it succeeded
[[email protected] app]# cd /opt/app/openssl-1.1.1i
[[email protected] openssl-1.1.1i]# ./config shared && make && make install
[[email protected] openssl-1.1.1i]# ln -s /usr/local/bin/openssl /usr/bin/openssl
[[email protected] openssl-1.1.1i]# ln -s /usr/local/include/openssl /usr/include/openssl
With `./config shared` and the default prefix, OpenSSL 1.1.1 puts its headers in /usr/local/include/openssl and its libraries in /usr/local/lib64; /usr/local/ssl is only the OPENSSLDIR (openssl.cnf, certs/, private/) and has no include/ directory, so the original link target /usr/local/ssl/include/openssl would have been dangling. Check both links with `ls -L /usr/include/openssl/ssl.h /usr/bin/openssl` before moving on.
Run the following two commands so the dynamic loader picks up the new library directory. Without them the new `openssl` binary fails with `libssl.so.1.1: cannot open shared object file` (the first item in the problems section at the end). Editing /etc/ld.so.conf works; the tidier convention is a one-line file in /etc/ld.so.conf.d/. The new libraries carry different sonames (libssl.so.1.1, libcrypto.so.1.1) from the RPM's libssl.so.10 and libcrypto.so.10, so adding the directory does not change which library existing programs load.
echo "/usr/local/lib64" >> /etc/ld.so.conf
/sbin/ldconfig
Install openssh
Upload the openssh tarball and unpack it.
The unpacked tree may show up owned by uid/gid 1000 (in the listing above it shows as oracle); hand it to root before building. You are about to run `make install` as root, and a build tree that another account can write to is a way for that account to put its own code into the binaries root installs. The build would most likely succeed without the chown, but there is no reason to skip it.
[[email protected] openssh-8.3p1]# chown -R root.root /opt/app/openssh-8.3p1
Delete the old ssh configuration files and directory contents, then configure, build and install.
Back up /etc/ssh before the `rm`: the wildcard also removes the host keys (ssh_host_*_key), so after the upgrade every client will see a changed host key and warn about a known_hosts mismatch, which is precisely the warning you want people to take seriously. `make install` regenerates missing host keys with `ssh-keygen -A` and only installs a fresh sshd_config when none exists, so if you want to keep the machine's identity either leave the ssh_host_* files in place and delete only the config files, or copy them back from the backup after `make install` and before starting sshd. Note any local settings in the old sshd_config (Port, AllowUsers, Match blocks); they are gone once the file is deleted.
Run the configure/make line as a single command line:
rm -rf /etc/ssh/*
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local --with-zlib --with-md5-passwords --with-pam && make && make install
Two of the original flags were wrong. `--with-ssl-dir=PATH` expects the OpenSSL installation prefix (the directory that holds include/ and lib64/), so /usr/local and not /usr/local/bin, which contains neither headers nor libraries; and `--with-openssl-includes` is not an OpenSSH configure option at all (configure reports it under "unrecognized options"). Whatever flags you end up with, confirm the result with `ldd /usr/sbin/sshd`: the libcrypto line must resolve to /usr/local/lib64/libcrypto.so.1.1 and not to the RPM's /lib64/libcrypto.so.10, otherwise the new sshd was linked against the old 1.0.2k library and the upgrade changed nothing that matters.
Edit the configuration file so that the settings below end up as shown; leave everything else alone.
`PermitRootLogin yes` lets root log in with a password, which is the weakest choice; upstream's default since OpenSSH 7.0 is `prohibit-password` (root with keys only), and `no` is better still where sudo is in place. Also set `UsePAM yes`: the upstream sshd_config that `make install` just wrote defaults to `UsePAM no`, whereas the CentOS config had it on, so without it sshd stops consulting /etc/pam.d/sshd and the PAM account and session policies (pam_faillock lockouts, pam_access, pam_limits, systemd sessions) no longer apply to SSH logins. Remember that sshd uses the first uncommented occurrence of a keyword and ignores later ones, so change the line the grep shows rather than appending a second one at the end.
[[email protected] openssh-8.3p1]# grep "^PermitRootLogin" /etc/ssh/sshd_config
PermitRootLogin yes
[[email protected] openssh-8.3p1]# grep "UseDNS" /etc/ssh/sshd_config
#UseDNS no
UseDNS no
Configure the connection algorithms for SecureCRT, PuTTY or whatever client you use (without this, the client may fail to connect, or ssh logins from other machines may fail). Connection failures after the upgrade usually mean an old client that does not support any of OpenSSH 8.3's default key exchange, cipher or host key algorithms. Fix that on the client side (update SecureCRT/PuTTY) rather than re-enabling legacy algorithms in sshd_config; the server's stricter defaults are a large part of why you are doing this upgrade.
Note: some bastion hosts are set up to connect on port 10022; if yours is, add `Port 10022` to /etc/ssh/sshd_config or the bastion will fail to connect.
On CentOS 7 a non-default port also needs SELinux permission (`semanage port -a -t ssh_port_t -p tcp 10022`) and an opening in firewalld (`firewall-cmd --permanent --add-port=10022/tcp && firewall-cmd --reload`); run `restorecon -v /usr/sbin/sshd` after `make install` as well so the freshly written binary carries the sshd_exec_t label the policy expects.
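The first-match rule is easy to get wrong when settings are appended to the end of the file, so here is a small checker, added by the editor and not part of the original article, that resolves the value sshd will actually use for a keyword and audits the settings this section touches. It treats the article's `PermitRootLogin yes` as a finding and shows a hardened counterpart beside it. The two configuration files are constructed for the example, the function names (`effective_setting`, `audit_config`) are my own, and on a live host `sshd -T` remains the authoritative way to see effective values.

```shell
#!/bin/sh
# Added example: resolve the value sshd will actually use for a keyword.
# sshd takes the FIRST uncommented occurrence of a keyword and ignores later
# duplicates, and keywords after a "Match" line apply only inside that block,
# so the scan stops at the first Match. "sshd -T" is the authoritative check
# on a live host; this function lets the rule be checked offline on any file.

# effective_setting FILE KEYWORD -> the effective value, or "<default>"
effective_setting() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        {
            line = $0; sub(/^[ \t]+/, "", line)          # strip indentation
            if (line == "" || line ~ /^#/) next          # blank or comment
            n = match(line, /[ \t=]/); if (n == 0) next  # "Key Value" or "Key=Value"
            k = tolower(substr(line, 1, n - 1))
            v = substr(line, n + 1); sub(/^[ \t=]+/, "", v); sub(/[ \t]+$/, "", v)
            if (k == "match") exit                       # global section ends here
            if (k == key) { print v; found = 1; exit }   # first match wins
        }
        END { if (!found) print "<default>" }' "$1"
}

# audit_config FILE -> prints the effective value of each setting this article
# touches and returns 1 if root password logins are allowed or PAM is off.
audit_config() {
    rc=0
    for key in PermitRootLogin PasswordAuthentication UsePAM UseDNS; do
        printf '%-23s %s\n' "$key" "$(effective_setting "$1" "$key")"
    done
    case "$(effective_setting "$1" PermitRootLogin)" in
        yes) echo "FAIL: PermitRootLogin yes lets root log in with a password"; rc=1 ;;
    esac
    if [ "$(effective_setting "$1" UsePAM)" != yes ]; then
        echo "FAIL: UsePAM is not yes, so the /etc/pam.d/sshd policies are bypassed"; rc=1
    fi
    return $rc
}

# Constructed sample 1: the article's settings, plus a "PermitRootLogin no"
# appended later in the hope of overriding the first line. It does not.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# comment lines and blank lines are skipped
PermitRootLogin yes
#UseDNS no
UseDNS no
#UsePAM no
PermitRootLogin no
EOF

# Constructed sample 2: the hardened counterpart. Root only with keys, PAM on,
# and the one password exception scoped to a Match block.
HARD_CFG=$(mktemp)
cat > "$HARD_CFG" <<'EOF'
PermitRootLogin prohibit-password
PasswordAuthentication no
UsePAM yes
UseDNS no
Match User backup
    PasswordAuthentication yes
EOF

echo "== article settings =="; audit_config "$WEAK_CFG" || echo "(expected: fails)"
echo "== hardened =="; audit_config "$HARD_CFG"
```

The `Match` block in the hardened sample is the correct way to carve out an exception: `PasswordAuthentication` stays `no` globally and the scanner, like sshd, does not let the line inside the block leak into the global value.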
Copy a few files from the unpacked source tree to their destinations (overwrite if the destination exists).
(The sshd.pam copy is indeed unused, as suspected: sshd asks PAM for the service name `sshd`, i.e. /etc/pam.d/sshd, and never reads /etc/pam.d/sshd.pam. `contrib/redhat/sshd.pam` is the file the Red Hat packaging installs as /etc/pam.d/sshd; the RPM's copy is still in place here and is what gets used once `UsePAM yes` is set. Either skip this copy or install it as /etc/pam.d/sshd deliberately.)
[[email protected] openssh-8.3p1]# cp -a contrib/redhat/sshd.init /etc/init.d/sshd
[[email protected] openssh-8.3p1]# cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd.pam
[[email protected] openssh-8.3p1]# chmod +x /etc/init.d/sshd
[[email protected] openssh-8.3p1]# chkconfig --add sshd
[[email protected] openssh-8.3p1]# systemctl enable sshd
[[email protected] openssh-8.3p1]# chkconfig
Note: This output shows SysV services only and does not include native
systemd services. SysV configuration data might be overridden by native
systemd configuration.
If you want to list systemd services use 'systemctl list-unit-files'.
To see services enabled on particular target use
'systemctl list-dependencies [target]'.
netconsole 0:off 1:off 2:off 3:off 4:off 5:off 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
Move the systemd-managed sshd unit file out of the way (or delete it); if it stays, it gets in the way of restarting the sshd service. The reason is worth knowing: the CentOS 7 unit is `Type=notify` and relies on Red Hat's readiness patch in the RPM's sshd, and an upstream-built sshd never sends that notification, so `systemctl start sshd` waits, times out and kills the daemon. Run `systemctl disable sshd` before moving the file (the `systemctl enable sshd` above created a symlink to it under multi-user.target.wants that would otherwise dangle) and `systemctl daemon-reload` afterwards. Once the unit is gone, systemd generates a replacement from /etc/init.d/sshd, which is what the start/stop commands below end up using.
mv /usr/lib/systemd/system/sshd.service /data/
Enable sshd at boot. Note the forwarding message in the output below: with sshd.service gone, chkconfig finds the RPM's sshd.socket unit and enables that instead. sshd.socket is socket activation (it starts `sshd -i` for each incoming connection through sshd@.service) and would compete with the init-script-started daemon for port 22 at the next boot, so disable it again with `systemctl disable sshd.socket` and let one mechanism be the only thing that starts sshd.
[[email protected] openssh-8.3p1]# chkconfig sshd on
Note: Forwarding request to 'systemctl enable sshd.socket'.
Created symlink from /etc/systemd/system/sockets.target.wants/sshd.socket to /usr/lib/systemd/system/sshd.socket.
[[email protected] openssh-8.3p1]# chkconfig
Note: This output shows SysV services only and does not include native
systemd services. SysV configuration data might be overridden by native
systemd configuration.
If you want to list systemd services use 'systemctl list-unit-files'.
To see services enabled on particular target use
'systemctl list-dependencies [target]'.
netconsole 0:off 1:off 2:off 3:off 4:off 5:off 6:off
network 0:off 1:off 2:on 3:on 4:on 5:on 6:off
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
Next, test stopping and starting the service; both work. Do this from a second session and keep the original SSH session open until a fresh login against the new sshd has succeeded, so that a bad config or a daemon that fails to start cannot lock you out.
From now on, manage sshd as follows
[[email protected] ~]# /etc/init.d/sshd restart
Restarting sshd (via systemctl): [ OK ]
[[email protected] ~]#
Managing with systemctl (this goes through the unit systemd generated from /etc/init.d/sshd)
[[email protected] ~]# systemctl stop sshd
[[email protected] ~]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 4669/sendmail: acce
[[email protected] ~]#
[[email protected] ~]#
[[email protected] ~]# systemctl start sshd
[[email protected] ~]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 9248/sshd: /usr/sbi
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 4669/sendmail: acce
tcp6 0 0 :::22 :::* LISTEN 9248/sshd: /usr/sbi
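The init script works, but the procedure leaves two different ways of starting sshd (the SysV script and the RPM's sshd.socket, which the forwarding message above shows being enabled) plus a unit file moved out of the tree. Below is an added alternative, written by the editor and not taken from the article or from the OpenSSH project: a plain `Type=simple` unit for the source-built daemon with `sshd -t` as a pre-start config check, and a helper that reads saved `systemctl list-unit-files` output and flags the socket/service double-enable. The unit contents, the `ExecStartPre` choice and the function names are my own assumptions, and the listing used as input is constructed, not captured from the author's host.

```shell
#!/bin/sh
# Added example: a native systemd unit for a source-built sshd, and a check
# for the socket/service double-enable this article runs into.

# write_sshd_unit DEST -> write a unit that needs no readiness notification.
# The CentOS 7 RPM unit is Type=notify, which an upstream sshd never
# satisfies; Type=simple with "sshd -D" (stay in the foreground) is enough.
# "sshd -t" before each start refuses to bring up a daemon with a broken
# config, which matters when you are editing sshd_config over SSH.
write_sshd_unit() {
    cat > "$1" <<'EOF'
[Unit]
Description=OpenSSH server daemon (built from source)
After=network.target

[Service]
Type=simple
ExecStartPre=/usr/sbin/sshd -t
ExecStart=/usr/sbin/sshd -D
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartSec=10s

[Install]
WantedBy=multi-user.target
EOF
}

# sshd_unit_state FILE -> given "systemctl list-unit-files" output saved in
# FILE, report the sshd units and return 1 when sshd.service and sshd.socket
# are both enabled: at boot both try to bind port 22, one of them fails, and
# which one wins is a race you do not want to depend on.
sshd_unit_state() {
    svc=$(awk '$1 == "sshd.service" { print $2 }' "$1")
    sock=$(awk '$1 == "sshd.socket" { print $2 }' "$1")
    echo "sshd.service=${svc:-absent} sshd.socket=${sock:-absent}"
    if [ "$svc" = enabled ] && [ "$sock" = enabled ]; then
        echo "FAIL: both enabled; run: systemctl disable sshd.socket"
        return 1
    fi
    return 0
}

# Constructed listing (not captured from the author's host) reproducing the
# article's end state: the socket was enabled by the chkconfig forwarding and
# a service unit is enabled as well.
LISTING=$(mktemp)
cat > "$LISTING" <<'EOF'
UNIT FILE                              STATE
sshd.service                           enabled
sshd.socket                            enabled
sshd@.service                          static
sshd-keygen.service                    static
EOF

sshd_unit_state "$LISTING" || echo "(expected: the article's state fails)"

# On the real host, after "systemctl disable sshd sshd.socket":
#   write_sshd_unit /etc/systemd/system/sshd.service
#   systemctl daemon-reload && systemctl enable sshd && systemctl restart sshd
UNIT=$(mktemp); write_sshd_unit "$UNIT"; cat "$UNIT"
```

A unit placed in /etc/systemd/system takes precedence over the RPM's copy in /usr/lib/systemd/system, so the RPM unit can stay where it is; nothing needs to be moved to /data/, and `yum` will not complain about a missing file later.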
After a reboot the sshd service starts automatically and the version numbers are right. Keep in mind that `ssh -V` describes the client binary and the OpenSSL it links; it says nothing about which sshd is answering on port 22. Check the daemon as well: `ldd /usr/sbin/sshd | grep libcrypto` must show /usr/local/lib64/libcrypto.so.1.1, and the banner the listening daemon sends (`ssh -v 127.0.0.1 2>&1 | grep 'remote software version'`) must say OpenSSH_8.3.
[[email protected] ~]# openssl version
OpenSSL 1.1.1i 8 Dec 2020
[[email protected] ~]# ssh -V
OpenSSH_8.3p1, OpenSSL 1.1.1i 8 Dec 2020
[[email protected] ~]#
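The following script, added by the editor and not part of the original article, pulls the facts that prove the upgrade took effect into one report: the OpenSSL version the ssh client links, the `openssl` CLI version, which libcrypto `/usr/sbin/sshd` really resolves (this is also the check for the configure step earlier: a libcrypto.so.10 here means sshd was linked against the RPM's 1.0.2k), and the version banner of the daemon that is actually answering. The helpers parse captured command output as text so they can run offline; the sample output below is constructed from the versions in this article, and the function names are my own. Run it with `--live` on the upgraded host to feed it real output (set SSHD_PORT if sshd is not on 22).

```shell
#!/bin/sh
# Added example: post-upgrade verification for the source-built OpenSSL/OpenSSH.
# The helpers take command output as text so they can be tested offline.

# openssl_from_ssh_v 'OpenSSH_8.3p1, OpenSSL 1.1.1i  8 Dec 2020' -> 1.1.1i
openssl_from_ssh_v() { printf '%s\n' "$1" | sed -n 's/.*OpenSSL \([^ ]*\).*/\1/p'; }

# openssh_from_ssh_v 'OpenSSH_8.3p1, ...' -> 8.3 (portable suffix dropped)
openssh_from_ssh_v() { printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9.]*\).*/\1/p'; }

# openssl_from_cli 'OpenSSL 1.1.1i  8 Dec 2020' -> 1.1.1i
openssl_from_cli() { printf '%s\n' "$1" | awk '{ print $2 }'; }

# openssh_from_banner 'SSH-2.0-OpenSSH_8.3' or 'OpenSSH_8.3' -> 8.3
openssh_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^\(SSH-2\.0-\)\{0,1\}OpenSSH_\([0-9.]*\).*/\2/p'
}

# crypto_lib_from_ldd LDD_OUTPUT -> resolved path of libcrypto. OpenSSH links
# only libcrypto, not libssl; the libssl.so.1.1 error in the problems section
# came from the openssl CLI, not from sshd.
crypto_lib_from_ldd() { printf '%s\n' "$1" | awk '$1 ~ /^libcrypto\.so/ { print $3 }'; }

# check_report SSH_V OPENSSL_V LDD_OUT BANNER -> 0 when every check passes
check_report() {
    rc=0
    client=$(openssh_from_ssh_v "$1"); client_ssl=$(openssl_from_ssh_v "$1")
    cli_ssl=$(openssl_from_cli "$2"); lib=$(crypto_lib_from_ldd "$3")
    daemon=$(openssh_from_banner "$4")
    if [ -n "$cli_ssl" ] && [ "$client_ssl" = "$cli_ssl" ]; then
        echo "ok   ssh client and openssl CLI both use OpenSSL $cli_ssl"
    else
        echo "FAIL ssh client uses OpenSSL ${client_ssl:-?}, openssl CLI is ${cli_ssl:-?}"; rc=1
    fi
    case "$lib" in
        /usr/local/lib64/libcrypto.so.1.1) echo "ok   sshd links $lib" ;;
        *) echo "FAIL sshd links ${lib:-nothing}; expected /usr/local/lib64/libcrypto.so.1.1"; rc=1 ;;
    esac
    if [ -n "$daemon" ] && [ "$daemon" = "$client" ]; then
        echo "ok   the daemon on the port is OpenSSH $daemon"
    else
        echo "FAIL daemon banner says OpenSSH ${daemon:-?}, client is $client: old sshd still running?"; rc=1
    fi
    return $rc
}

# Constructed sample output (not captured; values taken from this article).
SSH_V='OpenSSH_8.3p1, OpenSSL 1.1.1i  8 Dec 2020'
OPENSSL_V='OpenSSL 1.1.1i  8 Dec 2020'
LDD_NEW='    libcrypto.so.1.1 => /usr/local/lib64/libcrypto.so.1.1 (0x00007f0000000000)
    libz.so.1 => /lib64/libz.so.1 (0x00007f0000000000)
    libpam.so.0 => /lib64/libpam.so.0 (0x00007f0000000000)'
# What an sshd linked against the RPM's 1.0.2k library would show instead.
LDD_OLD='    libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f0000000000)'

check_report "$SSH_V" "$OPENSSL_V" "$LDD_NEW" 'SSH-2.0-OpenSSH_8.3' || true

if [ "${1:-}" = "--live" ]; then
    banner=$(ssh -v -p "${SSHD_PORT:-22}" -o BatchMode=yes -o StrictHostKeyChecking=no \
                 -o UserKnownHostsFile=/dev/null 127.0.0.1 true 2>&1 |
             sed -n 's/.*remote software version \([^ ]*\).*/\1/p' | head -n 1)
    check_report "$(ssh -V 2>&1)" "$(openssl version)" "$(ldd /usr/sbin/sshd)" "$banner"
fi
```

The banner check is the one that catches the most common silent failure: an old sshd process that survived the restart (or an sshd.socket that won the port at boot) keeps answering with its own version while `ssh -V` proudly reports 8.3p1.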
Reference: https://www.cnblogs.com/nmap/p/10779658.html
Problems encountered
1. After installing openssl, running it fails with libssl.so.1.1 not found
Fix (append the library directory, then rebuild the loader cache with /sbin/ldconfig)
echo "/usr/local/lib64" >> /etc/ld.so.conf
2. Upgrading openssh fails with PAM headers not found
The following error appears while running configure for openssh:
./configure --prefix=/usr/ --sysconfdir=/etc/ssh --with-openssl-includes=/usr/local/include/openssl --with-ssl-dir=/usr/local/bin --with-zlib --with-md5-passwords --with-pam && make && make install
configure: error: PAM headers not found
Fix
yum -y install pam-devel