【转载自CNBLOG】centos7 升级openssh版本

时间 2020-12-22 标签 Linux运维

搬运自nmap的cnblog：http://www.noobyard.com/article/p-aopcrfef-v.html

测试后有效，修正和补充了一些地方（红字部分）

centos7.3和centos7.6升级完毕测试登录ssh以及重启后登录ssh均无问题。

前期请自行配置好yum源（如果不会请百度）

整个过程不需要卸载原先的openssl包和openssh的rpm包。不影响我们的操作

本文的环境都是系统自带的openssh，没有经历过手动编译安装方式。如果之前有手动编译安装过openssh，请参照本文自行测试是否能成功。

如果严格参照本文操作，我保证你升级没问题

centos7.6升级后的效果

[[email protected] ~]# ssh -V

OpenSSH_8.0p1, OpenSSL 1.0.2r 26 Feb 2019

[[email protected] ~]# openssl version

OpenSSL 1.0.2r 26 Feb 2019

[[email protected] ~]# cat /etc/redhat-release

CentOS Linux release 7.6.1810 (Core)

[[email protected] ~]#

centos7.3升级后的效果

[[email protected] ~]# openssl version

OpenSSL 1.0.2r 26 Feb 2019

[[email protected] ~]# ssh -V

OpenSSH_8.0p1, OpenSSL 1.0.2r 26 Feb 2019

[[email protected] ~]# cat /etc/redhat-release

CentOS Linux release 7.3.1611 (Core)

[[email protected] ~]#

如果ssh版本过低，最好先yum update openssh升级下到目前yum仓库默认的openssh7.4p1版本

默认centos7.3的ssh是如下版本

[[email protected] ~]# cat /etc/redhat-release

CentOS Linux release 7.3.1611 (Core)

[[email protected] ~]# ssh -V

OpenSSH_6.6.1p1, OpenSSL 1.0.1e-fips 11 Feb 2013

[[email protected] ~]#

执行yum update openssh先升级下（反正官方提供的这种升级是没问题的。如果之前手动编译操作过openssh的升级，变更了默认配置文件路径什么的请自行测试。）

（这里准备统一openssh版本为7.4p1之后再统一编译安装升级到openssh8.0p1）

[[email protected] ~]# yum update openssh -y

[[email protected] ~]# ssh -V

OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017

[[email protected] ~]#

安装telnet-server以及xinetd

[[email protected] ~]# yum install xinetd telnet-server -y

Loaded plugins: fastestmirror

Loading mirror speeds from cached hostfile

* base: mirrors.163.com

* epel: mirrors.aliyun.com

* extras: mirrors.cn99.com

* updates: mirrors.cn99.com

Package 2:xinetd-2.3.15-13.el7.x86_64 already installed and latest version

Package 1:telnet-server-0.17-64.el7.x86_64 already installed and latest version

Nothing to do

[[email protected] ~]#

配置telnet

现在很多centos7版本安装telnet-server以及xinetd之后没有一个叫telnet的配置文件了。

如果下面telnet文件不存在的话，可以跳过这部分的更改

1 2	`[[email protected] ~]# ll /etc/xinetd.d/telnet` `ls: cannot access` `/etc/xinetd.d/telnet: No such` `file` `or directory`

如果下面文件存在，请更改配置telnet可以root登录，把disable = no改成disable = yes

[[email protected] yum.repos.d]# cat /etc/xinetd.d/telnet

# default: on

# description: The telnet server serves telnet sessions; it uses \

# unencrypted username/password pairs for authentication.

service telnet

{

disable = no

flags = REUSE

socket_type = stream

wait = no

user = root

server = /usr/sbin/in.telnetd

log_on_failure += USERID

}

[[email protected] yum.repos.d]# vim /etc/xinetd.d/telnet

[[email protected] yum.repos.d]# cat /etc/xinetd.d/telnet

# default: on

# description: The telnet server serves telnet sessions; it uses \

# unencrypted username/password pairs for authentication.

service telnet

{

disable = yes

flags = REUSE

socket_type = stream

wait = no

user = root

server = /usr/sbin/in.telnetd

log_on_failure += USERID

}

配置telnet登录的终端类型，在/etc/securetty文件末尾增加一些pts终端，如下

pts/0

pts/1

pts/2

pts/3

配置之后的显示

[[email protected] ~]# vim /etc/securetty

[[email protected] ~]# tail -5 /etc/securetty

xvc0

pts/0

pts/1

pts/2

pts/3

[[email protected] ~]#

启动telnet服务，并设置开机自动启动

[[email protected] ~]# systemctl enable xinetd

[[email protected] ~]# systemctl enable telnet.socket

Created symlink from /etc/systemd/system/sockets.target.wants/telnet.socket to /usr/lib/systemd/system/telnet.socket.

[[email protected] ~]#

[[email protected] ~]# systemctl start telnet.socket

[[email protected] ~]# systemctl start xinetd

[[email protected] ~]# netstat -lntp|grep 23

tcp6 0 0 :::23 :::* LISTEN 1/systemd

[[email protected] ~]#

切换到telnet方式登录，以后的操作都在telnet终端下操作，防止ssh连接意外中断造成升级失败

telnet方式登录

安装依赖包

升级需要几个组件，有些是和编译相关的等

[[email protected] ~]# yum install -y gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel pam-devel

Loaded plugins: fastestmirror

Loading mirror speeds from cached hostfile

* base: mirrors.163.com

* epel: mirrors.aliyun.com

* extras: mirrors.cn99.com

* updates: mirrors.cn99.com

Package gcc-4.8.5-36.el7_6.1.x86_64 already installed and latest version

Package gcc-c++-4.8.5-36.el7_6.1.x86_64 already installed and latest version

Package glibc-2.17-260.el7_6.4.x86_64 already installed and latest version

Package 1:make-3.82-23.el7.x86_64 already installed and latest version

Package autoconf-2.69-11.el7.noarch already installed and latest version

Package 1:openssl-1.0.2k-16.el7_6.1.x86_64 already installed and latest version

Package 1:openssl-devel-1.0.2k-16.el7_6.1.x86_64 already installed and latest version

Package pcre-devel-8.32-17.el7.x86_64 already installed and latest version

Package pam-devel-1.1.8-22.el7.x86_64 already installed and latest version

Nothing to do

[[email protected] ~]#

安装pam和zlib等（后面的升级操作可能没用到pam，安装上也没啥影响，如果不想安装pam请自行测试）

[[email protected] ~]# yum install -y pam* zlib*

Loaded plugins: fastestmirror

Loading mirror speeds from cached hostfile

* base: mirrors.163.com

* epel: mirrors.aliyun.com

* extras: mirrors.cn99.com

* updates: mirrors.cn99.com

Package pam_yubico-2.26-1.el7.x86_64 already installed and latest version

Package pam_script-1.1.8-1.el7.x86_64 already installed and latest version

Package pam_oath-2.4.1-9.el7.x86_64 already installed and latest version

Package pam_snapper-0.2.8-4.el7.x86_64 already installed and latest version

Package pam_ssh_agent_auth-0.10.3-2.16.el7.x86_64 already installed and latest version

Package pam_2fa-1.0-1.el7.x86_64 already installed and latest version

Package pam_mapi-0.3.4-1.el7.x86_64 already installed and latest version

Package pam_ssh_user_auth-1.0-1.el7.x86_64 already installed and latest version

Package pam_mount-2.16-5.el7.x86_64 already installed and latest version

Package pam_radius-1.4.0-3.el7.x86_64 already installed and latest version

Package pamtester-0.1.2-4.el7.x86_64 already installed and latest version

Package pam_afs_session-2.6-5.el7.x86_64 already installed and latest version

Package pam_pkcs11-0.6.2-30.el7.x86_64 already installed and latest version

Package pam-1.1.8-22.el7.x86_64 already installed and latest version

Package pam_ssh-2.3-1.el7.x86_64 already installed and latest version

Package 1:pam_url-0.3.3-4.el7.x86_64 already installed and latest version

Package pam_wrapper-1.0.7-2.el7.x86_64 already installed and latest version

Package pam-kwallet-5.5.2-1.el7.x86_64 already installed and latest version

Package pam-devel-1.1.8-22.el7.x86_64 already installed and latest version

Package pam_krb5-2.4.8-6.el7.x86_64 already installed and latest version

Package zlib-devel-1.2.7-18.el7.x86_64 already installed and latest version

Package zlib-static-1.2.7-18.el7.x86_64 already installed and latest version

Package zlib-1.2.7-18.el7.x86_64 already installed and latest version

Package zlib-ada-1.4-0.5.20120830CVS.el7.x86_64 already installed and latest version

Package zlib-ada-devel-1.4-0.5.20120830CVS.el7.x86_64 already installed and latest version

Nothing to do

[[email protected] ~]#

下载openssh包和openssl的包

我们都下载最新版本，下载箭头指的包

https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/

https://ftp.openssl.org/source/

开始安装openssl

PS:如果下载慢或者有问题，可以通过迅雷在windows下载好传过去

个人习惯把安装包或者工具之类的放下面目录。根据个人喜好随便放，不影响安装

[[email protected] ~]# mkdir /data/tools -p

[[email protected] ~]# cd /data/tools/

[[email protected] /data/tools]# rz -E

rz waiting to receive.

[[email protected] /data/tools]# ll

total 5224

-rw-r--r-- 1 root root 5348369 Apr 27 12:19 openssl-1.0.2r.tar.gz

解压文件

[[email protected] /data/tools]# tar xfz openssl-1.0.2r.tar.gz

[[email protected] /data/tools]# ll

total 5228

drwxr-xr-x 20 root root 4096 Apr 27 12:20 openssl-1.0.2r

-rw-r--r-- 1 root root 5348369 Apr 27 12:19 openssl-1.0.2r.tar.gz

[[email protected] /data/tools]# cd

[[email protected] ~]#

现在是系统默认的版本，等会升级完毕对比下

[[email protected] ~]# openssl version

OpenSSL 1.0.2k-fips 26 Jan 2017

[[email protected] ~]#

备份下面2个文件或目录（如果存在的话就执行）

[[email protected] ~]# ll /usr/bin/openssl

-rwxr-xr-x 1 root root 555248 Mar 12 18:12 /usr/bin/openssl

[[email protected] ~]# mv /usr/bin/openssl /usr/bin/openssl_bak

[[email protected] ~]# ll /usr/include/openssl

total 1864

-rw-r--r-- 1 root root 6146 Mar 12 18:12 aes.h

-rw-r--r-- 1 root root 63204 Mar 12 18:12 asn1.h

-rw-r--r-- 1 root root 24435 Mar 12 18:12 asn1_mac.h

-rw-r--r-- 1 root root 34475 Mar 12 18:12 asn1t.h

-rw-r--r-- 1 root root 38742 Mar 12 18:12 bio.h

-rw-r--r-- 1 root root 5351 Mar 12 18:12 blowfish.h

......

[[email protected] ~]# mv /usr/include/openssl /usr/include/openssl_bak

[[email protected] ~]#

编译安装新版本的openssl

配置、编译、安装3个命令一起执行

&&符号表示前面的执行成功才会执行后面的

[[email protected] ~]# cd /data/tools/openssl-1.0.2r/

[[email protected] /data/tools/openssl-1.0.2r]# ./config shared && make && make install

PS：这里安装的时候，最好带上安装路径的参数，以免找不到。例如以下：

./configure --prefix=/usr/local/openssl && make && make install

以上命令执行完毕，echo $?查看下最后的make install是否有报错，0表示没有问题

下面2个文件或者目录做软链接（刚才前面的步骤mv备份过原来的）

[[email protected] ~]# ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl

[[email protected] ~]# ln -s /usr/local/ssl/include/openssl /usr/include/openssl

[[email protected] ~]# ll /usr/bin/openssl

lrwxrwxrwx 1 root root 26 Apr 27 12:31 /usr/bin/openssl -> /usr/local/ssl/bin/openssl

[[email protected] ~]# ll /usr/include/openssl -ld

lrwxrwxrwx 1 root root 30 Apr 27 12:31 /usr/include/openssl -> /usr/local/ssl/include/openssl

[[email protected] ~]#

PS:这里注意路径，我的就不在/usr/local/ssl/，而是在/usr/local/openssl/

命令行执行下面2个命令加载新配置

echo "/usr/local/ssl/lib" >> /etc/ld.so.conf

/sbin/ldconfig

查看确认版本。没问题

1 2	`[[email protected] ~]# openssl version` `OpenSSL 1.0.2r 26 Feb 2019`

安装openssh

上传openssh的tar包并解压

[[email protected] ~]# cd /data/tools/

[[email protected] tools]# ll

total 7628

-rw-r--r-- 1 root root 1597697 Apr 18 07:02 openssh-8.0p1.tar.gz

drwxr-xr-x 20 root root 4096 Apr 23 23:12 openssl-1.0.2r

-rw-r--r-- 1 root root 5348369 Feb 26 22:34 openssl-1.0.2r.tar.gz

-rwxr-xr-x 1 root root 853040 Apr 11 2018 sshd

[[email protected] tools]# tar xfz openssh-8.0p1.tar.gz

[[email protected] tools]# cd openssh-8.0p1

可能文件默认显示uid和gid数组都是1000，这里重新授权下。不授权可能也不影响安装（请自行测试）

[[email protected] tools]# chown -R root.root /data/tools/openssh-8.0p1

命令行删除原先ssh的配置文件和目录

然后配置、编译、安装

注意下面编译安装命令是两个，1和3/4，然后在文本里弄成一行之后放命令行执行

rm -rf /etc/ssh/*

./configure --prefix=/usr/ --sysconfdir=/etc/ssh --with-openssl-includes=/usr/local/ssl/include

--with-ssl-dir=/usr/local/ssl --with-zlib --with-md5-passwords --with-pam && make && make install

PS：这里同样要注意路径问题：/usr/local/ssl/include 和 --with-ssl-dir=/usr/local/ssl

这里的etc/ssh，就是ssh的默认路径，参照1

参考下我的截图

安装完毕检查下结果

修改配置文件最终为如下内容，其他的不要动

[[email protected] ~]# grep "^PermitRootLogin" /etc/ssh/sshd_config

PermitRootLogin yes

[[email protected] ~]# grep "UseDNS" /etc/ssh/sshd_config

UseDNS no

[[email protected] ~]#

从原先的解压的包中拷贝一些文件到目标位置（如果目标目录存在就覆盖）

(可能下面的ssh.pam文件都没用到，因为sshd_config配置文件貌似没使用它，请自行测试。我这边是拷贝了)

[[email protected] /data/tools/openssh-8.0p1]# cp -a contrib/redhat/sshd.init /etc/init.d/sshd

[[email protected] /data/tools/openssh-8.0p1]# cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd.pam

[[email protected] /data/tools/openssh-8.0p1]# chmod +x /etc/init.d/sshd

[[email protected] /data/tools/openssh-8.0p1]# chkconfig --add sshd

[[email protected] /data/tools/openssh-8.0p1]# systemctl enable sshd

[[email protected] /data/tools/openssh-8.0p1]#

把原先的systemd管理的sshd文件删除或者移走或者删除，不移走的话影响我们重启sshd服务

1	`[[email protected] ~]# mv /usr/lib/systemd/system/sshd.service /data/`

设置sshd服务开机启动

[[email protected] ~]# chkconfig sshd on

Note: Forwarding request to 'systemctl enable sshd.socket'.

Created symlink from /etc/systemd/system/sockets.target.wants/sshd.socket to /usr/lib/systemd/system/sshd.socket.

接下来测试启停服务。都正常

以后管理sshd通过下面方式了

[[email protected] ~]# /etc/init.d/sshd restart

Restarting sshd (via systemctl): [ OK ]

[[email protected] ~]#

[[email protected] ~]# netstat -lntp

Active Internet connections (only servers)

Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name

tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 31800/sshd

tcp6 0 0 :::22 :::* LISTEN 31800/sshd

tcp6 0 0 :::23 :::* LISTEN 1/systemd

[[email protected] ~]# /etc/init.d/sshd stop

Stopping sshd (via systemctl): [ OK ]

[[email protected] ~]# netstat -lntp

Active Internet connections (only servers)

Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name

tcp6 0 0 :::23 :::* LISTEN 1/systemd

[[email protected] ~]# /etc/init.d/sshd start

Starting sshd (via systemctl): [ OK ]

[[email protected] ~]#

使用systemd方式也行

[[email protected] ~]# systemctl stop sshd

[[email protected] ~]# netstat -lntp

Active Internet connections (only servers)

Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name

tcp6 0 0 :::23 :::* LISTEN 1/systemd

[[email protected] ~]# systemctl start sshd

[[email protected] ~]# netstat -lntp

Active Internet connections (only servers)

Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name

tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 31958/sshd

tcp6 0 0 :::22 :::* LISTEN 31958/sshd

tcp6 0 0 :::23 :::* LISTEN 1/systemd

[[email protected] ~]# systemctl restart sshd

[[email protected] ~]# netstat -lntp

Active Internet connections (only servers)

Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name

tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 31999/sshd

tcp6 0 0 :::22 :::* LISTEN 31999/sshd

tcp6 0 0 :::23 :::* LISTEN 1/systemd

[[email protected] ~]#

测试版本。都正常

[[email protected] ~]# ssh -V

OpenSSH_8.0p1, OpenSSL 1.0.2r 26 Feb 2019

[[email protected] ~]#

[[email protected] ~]# telnet 127.0.0.1 22

Trying 127.0.0.1...

Connected to 127.0.0.1.

Escape character is '^]'.

SSH-2.0-OpenSSH_8.0

PS：最后，因为替换了ssh，以前做的ssh配置就都没有了，还要修改端口号等信息

如果不是生产机器。可以试着重启机器测试下登录sshd是否正常。我这边测试都没问题

测试没问题后可以把telnet服务关闭了

[[email protected] ~]# systemctl disable xinetd.service

Removed symlink /etc/systemd/system/multi-user.target.wants/xinetd.service.

[[email protected] ~]# systemctl stop xinetd.service

[[email protected] ~]# systemctl disable telnet.socket

[[email protected] ~]# systemctl stop telnet.socket

[[email protected] ~]# netstat -lntp