CentOS7 更新 openssh 到 openssh-8.0p1版本

centos7.3和centos7.6更新完畢測試登入ssh以及重新開機後登入ssh均無問題。

前期請自行配置好yum源（如果不會請百度）

整個過程不需要解除安裝原先的openssl包和openssh的rpm包。不影響我們的操作

本文的環境都是系統自帶的openssh，沒有經曆過手動編譯安裝方式。如果之前有手動編譯安裝過openssh，請參照本文自行測試是否能成功。

如果嚴格參照本文操作，我保證你更新沒問題

centos7.6更新後的效果

1 2 3 4 5 6 7 8

[[email protected] ~] # ssh -V OpenSSH_8.0p1, OpenSSL 1.0.2r  26 Feb 2019 [[email protected] ~] # openssl version OpenSSL 1.0.2r  26 Feb 2019 [[email protected] ~] # cat /etc/redhat-release CentOS Linux release 7.6.1810 (Core) [[email protected] ~] #

　　

centos7.3更新後的效果

1 2 3 4 5 6 7

[[email protected] ~] # openssl version OpenSSL 1.0.2r  26 Feb 2019 [[email protected] ~] # ssh -V OpenSSH_8.0p1, OpenSSL 1.0.2r  26 Feb 2019 [[email protected] ~] # cat /etc/redhat-release CentOS Linux release 7.3.1611 (Core) [[email protected] ~] #

　　

如果ssh版本過低，最好先yum update openssh更新下到目前yum倉庫預設的openssh7.4p1版本

預設centos7.3的ssh是如下版本

1 2 3 4 5

[[email protected] ~] # cat /etc/redhat-release CentOS Linux release 7.3.1611 (Core) [[email protected] ~] # ssh -V OpenSSH_6.6.1p1, OpenSSL 1.0.1e-fips 11 Feb 2013 [[email protected] ~] #

　　

執行yum update  openssh先更新下（反正官方提供的這種更新是沒問題的。如果之前手動編譯操作過openssh的更新，變更了預設配置檔案路徑什麼的請自行測試。）

（這裡準備統一openssh版本為7.4p1之後再統一編譯安裝更新到openssh8.0p1）

1 2 3 4 5

[[email protected] ~] # yum update openssh -y [[email protected] ~] # ssh -V OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017 [[email protected] ~] #

　

安裝telnet-server以及xinetd

1 2 3 4 5 6 7 8 9 10 11

[[email protected] ~] # yum install xinetd telnet-server -y Loaded plugins: fastestmirror Loading mirror speeds from cached hostfile * base: mirrors.163.com * epel: mirrors.aliyun.com * extras: mirrors.cn99.com * updates: mirrors.cn99.com Package 2:xinetd-2.3.15-13.el7.x86_64 already installed and latest version Package 1:telnet-server-0.17-64.el7.x86_64 already installed and latest version Nothing to  do [[email protected] ~] #

　　

配置telnet

現在很多centos7版本安裝telnet-server以及xinetd之後沒有一個叫telnet的配置檔案了。

如果下面telnet檔案不存在的話，可以跳過這部分的更改

1 2	[[email protected] ~] # ll /etc/xinetd.d/telnet ls : cannot access  /etc/xinetd .d /telnet : No such  file or directory

　　

如果下面檔案存在，請更改配置telnet可以root登入，把disable = yes改成disable = no

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30

[[email protected] yum.repos.d] # cat /etc/xinetd.d/telnet # default: on # description: The telnet server serves telnet sessions; it uses \ #   unencrypted username/password pairs for authentication. service telnet { disable = no flags       = REUSE socket_type = stream        wait        = no user        = root server      =  /usr/sbin/in .telnetd log_on_failure  += USERID } [[email protected] yum.repos.d] # vim /etc/xinetd.d/telnet [[email protected] yum.repos.d] # cat /etc/xinetd.d/telnet # default: on # description: The telnet server serves telnet sessions; it uses \ #   unencrypted username/password pairs for authentication. service telnet { disable =  yes flags       = REUSE socket_type = stream        wait        = no user        = root server      =  /usr/sbin/in .telnetd log_on_failure  += USERID }

　　

配置telnet登入的終端類型，在/etc/securetty檔案末尾增加一些pts終端，如下

1 2 3 4

pts /0 pts /1 pts /2 pts /3

配置之後的顯示

1 2 3 4 5 6 7 8

[[email protected] ~] # vim /etc/securetty [[email protected] ~] # tail -5 /etc/securetty xvc0 pts /0 pts /1 pts /2 pts /3 [[email protected] ~] #

　　

啟動telnet服務，并設定開機自動啟動

1 2 3 4 5 6 7 8 9 10 11

[[email protected] ~] # systemctl enable xinetd [[email protected] ~] # systemctl enable telnet.socket Created  symlink from  /etc/systemd/system/sockets .target.wants /telnet .socket to  /usr/lib/systemd/system/telnet .socket. [[email protected] ~] # [[email protected] ~] # systemctl start telnet.socket [[email protected] ~] # systemctl start xinetd [[email protected] ~] # netstat -lntp|grep 23 tcp6       0      0 :::23                   :::*                    LISTEN      1 /systemd [[email protected] ~] #

　　

切換到telnet方式登入，以後的操作都在telnet終端下操作，防止ssh連接配接意外中斷造成更新失敗

telnet方式登入 

 安裝依賴包

 更新需要幾個元件，有些是和編譯相關的等

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18

[[email protected] ~] # yum install  -y gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel  pam-devel Loaded plugins: fastestmirror Loading mirror speeds from cached hostfile * base: mirrors.163.com * epel: mirrors.aliyun.com * extras: mirrors.cn99.com * updates: mirrors.cn99.com Package  gcc -4.8.5-36.el7_6.1.x86_64 already installed and latest version Package  gcc -c++-4.8.5-36.el7_6.1.x86_64 already installed and latest version Package glibc-2.17-260.el7_6.4.x86_64 already installed and latest version Package 1: make -3.82-23.el7.x86_64 already installed and latest version Package autoconf-2.69-11.el7.noarch already installed and latest version Package 1:openssl-1.0.2k-16.el7_6.1.x86_64 already installed and latest version Package 1:openssl-devel-1.0.2k-16.el7_6.1.x86_64 already installed and latest version Package pcre-devel-8.32-17.el7.x86_64 already installed and latest version Package pam-devel-1.1.8-22.el7.x86_64 already installed and latest version Nothing to  do [[email protected] ~] #

　　

 安裝pam和zlib等（後面的更新操作可能沒用到pam，安裝上也沒啥影響，如果不想安裝pam請自行測試）

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34

[[email protected] ~] # yum install  -y pam* zlib* Loaded plugins: fastestmirror Loading mirror speeds from cached hostfile * base: mirrors.163.com * epel: mirrors.aliyun.com * extras: mirrors.cn99.com * updates: mirrors.cn99.com Package pam_yubico-2.26-1.el7.x86_64 already installed and latest version Package pam_script-1.1.8-1.el7.x86_64 already installed and latest version Package pam_oath-2.4.1-9.el7.x86_64 already installed and latest version Package pam_snapper-0.2.8-4.el7.x86_64 already installed and latest version Package pam_ssh_agent_auth-0.10.3-2.16.el7.x86_64 already installed and latest version Package pam_2fa-1.0-1.el7.x86_64 already installed and latest version Package pam_mapi-0.3.4-1.el7.x86_64 already installed and latest version Package pam_ssh_user_auth-1.0-1.el7.x86_64 already installed and latest version Package pam_mount-2.16-5.el7.x86_64 already installed and latest version Package pam_radius-1.4.0-3.el7.x86_64 already installed and latest version Package pamtester-0.1.2-4.el7.x86_64 already installed and latest version Package pam_afs_session-2.6-5.el7.x86_64 already installed and latest version Package pam_pkcs11-0.6.2-30.el7.x86_64 already installed and latest version Package pam-1.1.8-22.el7.x86_64 already installed and latest version Package pam_ssh-2.3-1.el7.x86_64 already installed and latest version Package 1:pam_url-0.3.3-4.el7.x86_64 already installed and latest version Package pam_wrapper-1.0.7-2.el7.x86_64 already installed and latest version Package pam-kwallet-5.5.2-1.el7.x86_64 already installed and latest version Package pam-devel-1.1.8-22.el7.x86_64 already installed and latest version Package pam_krb5-2.4.8-6.el7.x86_64 already installed and latest version Package zlib-devel-1.2.7-18.el7.x86_64 already installed and latest version Package zlib-static-1.2.7-18.el7.x86_64 already installed and latest version Package zlib-1.2.7-18.el7.x86_64 already installed and latest version Package zlib-ada-1.4-0.5.20120830CVS.el7.x86_64 already installed and latest version Package zlib-ada-devel-1.4-0.5.20120830CVS.el7.x86_64 already installed and latest version Nothing to  do [[email protected] ~] #

　　

下載下傳openssh包和openssl的包

 我們都下載下傳最新版本，下載下傳箭頭指的包

https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/

https://ftp.openssl.org/source/

 開始安裝openssl

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24

[[email protected] ~] # mkdir /data/tools -p [[email protected] ~] # cd /data/tools/ [[email protected]  /data/tools ] # rz -E rz waiting to receive. [[email protected]  /data/tools ] # ll total 5224 -rw-r--r-- 1 root root 5348369 Apr 27 12:19 openssl-1.0.2r. tar .gz 解壓檔案 [[email protected]  /data/tools ] # tar xfz openssl-1.0.2r.tar.gz [[email protected]  /data/tools ] # ll total 5228 drwxr-xr-x 20 root root    4096 Apr 27 12:20 openssl-1.0.2r -rw-r--r--  1 root root 5348369 Apr 27 12:19 openssl-1.0.2r. tar .gz [[email protected]  /data/tools ] # cd [[email protected] ~] # 現在是系統預設的版本，等會更新完畢對比下 [[email protected] ~] # openssl version OpenSSL 1.0.2k-fips  26 Jan 2017 [[email protected] ~] #

　　

　　

 備份下面2個檔案或目錄（如果存在的話就執行）

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16

[[email protected] ~] # ll /usr/bin/openssl -rwxr-xr-x 1 root root 555248 Mar 12 18:12  /usr/bin/openssl [[email protected] ~] # mv /usr/bin/openssl /usr/bin/openssl_bak [[email protected] ~] # ll /usr/include/openssl total 1864 -rw-r--r-- 1 root root   6146 Mar 12 18:12 aes.h -rw-r--r-- 1 root root  63204 Mar 12 18:12 asn1.h -rw-r--r-- 1 root root  24435 Mar 12 18:12 asn1_mac.h -rw-r--r-- 1 root root  34475 Mar 12 18:12 asn1t.h -rw-r--r-- 1 root root  38742 Mar 12 18:12 bio.h -rw-r--r-- 1 root root   5351 Mar 12 18:12 blowfish.h ...... [[email protected] ~] # mv /usr/include/openssl /usr/include/openssl_bak [[email protected] ~] #

　　

　　

編譯安裝新版本的openssl

配置、編譯、安裝3個指令一起執行

&&符号表示前面的執行成功才會執行後面的

1 2 3

[[email protected] ~] # cd /data/tools/openssl-1.0.2r/ [[email protected]  /data/tools/openssl-1 .0.2r] # ./config shared && make && make install

　　

以上指令執行完畢，echo $?檢視下最後的make install是否有報錯，0表示沒有問題

 下面2個檔案或者目錄做軟連結 （剛才前面的步驟mv備份過原來的）

1 2 3 4 5 6 7

[[email protected] ~] # ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl [[email protected] ~] # ln -s /usr/local/ssl/include/openssl /usr/include/openssl [[email protected] ~] # ll /usr/bin/openssl lrwxrwxrwx 1 root root 26 Apr 27 12:31  /usr/bin/openssl ->  /usr/local/ssl/bin/openssl [[email protected] ~] # ll /usr/include/openssl -ld lrwxrwxrwx 1 root root 30 Apr 27 12:31  /usr/include/openssl ->  /usr/local/ssl/include/openssl [[email protected] ~] #

　　

指令行執行下面2個指令加載新配置

1 2 3

echo "/usr/local/ssl/lib" >>  /etc/ld .so.conf /sbin/ldconfig

　　

 檢視确認版本。沒問題

1 2	[[email protected] ~] # openssl version OpenSSL 1.0.2r  26 Feb 2019

　　

 安裝openssh 

上傳openssh的tar包并解壓

1 2 3 4 5 6 7 8 9 10 11 12 13

[[email protected] ~] # cd /data/tools/ [[email protected] tools] # ll total 7628 -rw-r--r--  1 root root 1597697 Apr 18 07:02 openssh-8.0p1. tar .gz drwxr-xr-x 20 root root    4096 Apr 23 23:12 openssl-1.0.2r -rw-r--r--  1 root root 5348369 Feb 26 22:34 openssl-1.0.2r. tar .gz -rwxr-xr-x  1 root root  853040 Apr 11  2018 sshd [[email protected] tools] # tar xfz openssh-8.0p1.tar.gz [[email protected] tools] # cd openssh-8.0p1 可能檔案預設顯示uid和gid數組都是1000，這裡重新授權下。不授權可能也不影響安裝（請自行測試） [[email protected] tools] # chown -R root.root /data/tools/openssh-8.0p1

　　

　　

 指令行删除原先ssh的配置檔案和目錄

然後配置、編譯、安裝

注意下面編譯安裝的指令是一行，請把第一行末尾的 \ 去掉，然後在文本裡弄成一行之後放指令行執行

1 2 3 4

rm -rf  /etc/ssh/ * . /configure --prefix= /usr/ --sysconfdir= /etc/ssh --with-openssl-includes= /usr/local/ssl/include \ --with-ssl- dir = /usr/local/ssl --with-zlib   --with-md5-passwords   --with-pam  &&  make &&  make install

　　

 參考下我的截圖

 安裝完畢 檢查下結果

 修改配置檔案最終為如下内容，其他的不要動

1 2 3 4 5

[[email protected] ~] # grep "^PermitRootLogin"  /etc/ssh/sshd_config PermitRootLogin  yes [[email protected] ~] # grep  "UseDNS"  /etc/ssh/sshd_config UseDNS no [[email protected] ~] #

　　

 從原先的解壓的包中拷貝一些檔案到目标位置（如果目标目錄存在就覆寫）

(可能下面的ssh.pam檔案都沒用到，因為sshd_config配置檔案貌似沒使用它，請自行測試。我這邊是拷貝了)

1 2 3 4 5 6 7

[[email protected]  /data/tools/openssh-8 .0p1] # cp -a contrib/redhat/sshd.init /etc/init.d/sshd [[email protected]  /data/tools/openssh-8 .0p1] # cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd.pam [[email protected]  /data/tools/openssh-8 .0p1] # chmod +x /etc/init.d/sshd [[email protected]  /data/tools/openssh-8 .0p1] # chkconfig --add sshd [[email protected]  /data/tools/openssh-8 .0p1] # systemctl enable sshd [[email protected]  /data/tools/openssh-8 .0p1] #

　　

 把原先的systemd管理的sshd檔案删除或者移走或者删除，不移走的話影響我們重新開機sshd服務

1 2	[[email protected] ~] # mv  /usr/lib/systemd/system/sshd.service  /data1 [[email protected] ~] # mv  /usr/lib/systemd/system/sshd.socket  /data2

　　

設定sshd服務開機啟動

1 2 3

[[email protected] ~] # chkconfig sshd on Note: Forwarding request to  'systemctl enable sshd.socket' . Created  symlink from  /etc/systemd/system/sockets .target.wants /sshd .socket to  /usr/lib/systemd/system/sshd .socket.

　　

 接下來測試啟停服務。都正常

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21

以後管理sshd通過下面方式了 [[email protected] ~] # /etc/init.d/sshd restart Restarting sshd (via systemctl):                           [  OK  ] [[email protected] ~] # [[email protected] ~] # [[email protected] ~] # netstat -lntp Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID /Program name    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      31800 /sshd tcp6       0      0 :::22                   :::*                    LISTEN      31800 /sshd tcp6       0      0 :::23                   :::*                    LISTEN      1 /systemd [[email protected] ~] # /etc/init.d/sshd stop Stopping sshd (via systemctl):                             [  OK  ] [[email protected] ~] # netstat -lntp Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID /Program name    tcp6       0      0 :::23                   :::*                    LISTEN      1 /systemd [[email protected] ~] # /etc/init.d/sshd start Starting sshd (via systemctl):                            [  OK  ] [[email protected] ~] # [[email protected] ~] #

　　

 使用systemd方式也行

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20

[[email protected] ~] # systemctl stop sshd [[email protected] ~] # netstat -lntp Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID /Program name    tcp6       0      0 :::23                   :::*                    LISTEN      1 /systemd [[email protected] ~] # systemctl start sshd [[email protected] ~] # netstat -lntp Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID /Program name    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      31958 /sshd tcp6       0      0 :::22                   :::*                    LISTEN      31958 /sshd tcp6       0      0 :::23                   :::*                    LISTEN      1 /systemd [[email protected] ~] # systemctl restart sshd [[email protected] ~] # netstat -lntp Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID /Program name    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      31999 /sshd tcp6       0      0 :::22                   :::*                    LISTEN      31999 /sshd tcp6       0      0 :::23                   :::*                    LISTEN      1 /systemd [[email protected] ~] #

　　

 測試版本。都正常

1 2 3 4 5 6 7 8 9

[[email protected] ~] # ssh -V OpenSSH_8.0p1, OpenSSL 1.0.2r  26 Feb 2019 [[email protected] ~] # [[email protected] ~] # telnet 127.0.0.1 22 Trying 127.0.0.1... Connected to 127.0.0.1. Escape character is  '^]' . SSH-2.0-OpenSSH_8.0

　　

 如果不是生産機器。可以試着重新開機機器測試下登入sshd是否正常。我這邊測試都沒問題

測試沒問題後可以把telnet服務關閉了

1 2 3 4 5 6

[[email protected] ~] # systemctl disable xinetd.service Removed  symlink /etc/systemd/system/multi-user .target.wants /xinetd .service. [[email protected] ~] # systemctl stop xinetd.service [[email protected] ~] # systemctl disable telnet.socket [[email protected] ~] # systemctl stop telnet.socket [[email protected] ~] # netstat -lntp

注：轉載請注明出處

本文轉載至：https://www.cnblogs.com/nmap/p/10779658.html ，并對其中錯誤進行了更正。

轉載于:https://www.cnblogs.com/Bluesky-bk/p/11330316.html