  • Upgrading OpenSSH on a Linux system

    I. Preparation before the upgrade

    Building OpenSSH from source needs gcc, zlib-devel, openssl-devel and other build dependencies. Installing these from rpm packages means resolving many dependencies by hand, so configure a local yum repository from the installation media to resolve them.

    1. Configure a local yum repository

    [root@localhost cdrom]# mount /dev/cdrom /mnt/cdrom/     # mount the installation CD
    [root@localhost ~]# cd /etc/yum.repos.d/
    [root@localhost yum.repos.d]# vi CentOS-Media.repo       # configure the yum repository
    [c6-media]
    name=CentOS-$releasever - Media
    baseurl=file:///mnt/cdrom                                # path to the mounted CD
    gpgcheck=1
    enabled=1
    gpgkey=file:///mnt/cdrom/RPM-GPG-KEY-CentOS-6
    

    2. Install the telnet service

    Install the telnet service so that, if the OpenSSH upgrade fails, you can still log in to the system remotely (installation steps omitted; it can be installed with rpm or yum).

    3. Upload openssh-7.5p1.tar.gz

     

    II. Upgrading OpenSSH

    1. Back up the current OpenSSH configuration before upgrading

    [root@localhost chu]# mv /etc/ssh /etc/ssh.old
    [root@localhost chu]# mv /etc/init.d/sshd /etc/init.d/sshd.old
    

    2. Remove the current OpenSSH

    [root@localhost chu]# rpm -qa |grep openssh
    openssh-5.3p1-117.el6.x86_64
    openssh-server-5.3p1-117.el6.x86_64
    [root@localhost chu]# rpm -e --nodeps openssh-5.3p1-117.el6.x86_64
    [root@localhost chu]# rpm -e --nodeps openssh-server-5.3p1-117.el6.x86_64
    error reading information on service sshd: No such file or directory
    error: %preun(openssh-server-5.3p1-117.el6.x86_64) scriptlet failed, exit status 1
    Removing openssh-server-5.3p1-117.el6.x86_64 fails: its %preun scriptlet tries to stop the sshd service, whose init script was moved to sshd.old in the previous step.
    Workaround:
    [root@localhost chu]# rpm -e --noscripts openssh-server-5.3p1-117.el6.x86_64
    

    3. Building from source

    Errors will come up several times while building from source; check the output to see which build dependency is missing, then install the corresponding package.

    1) First configure run

     [root@localhost openssh-7.5p1]# ./configure --prefix=/usr --sysconfdir=/etc/ssh 

    checking for gcc... no
    checking for cc... no
    checking for cl.exe... no
    configure: error: in `/home/packgates/ssh_pack/openssh-7.5p1':
    configure: error: no acceptable C compiler found in $PATH
    See `config.log' for more details
    Error: gcc is missing

    2) Install the gcc compiler

    [root@localhost openssh-7.5p1]# yum install gcc
    

    3) Second configure run

    [root@localhost openssh-7.5p1]# ./configure --prefix=/usr --sysconfdir=/etc/ssh

    checking for zlib.h... no
    configure: error: *** zlib.h missing - please install first or check config.log ***
    Error: zlib-devel is missing

    4) Install zlib-devel

    [root@localhost openssh-7.5p1]# yum install zlib-devel 

    5) Third configure run

     [root@localhost openssh-7.5p1]# ./configure --prefix=/usr --sysconfdir=/etc/ssh

    checking openssl/opensslv.h presence... no
    checking for openssl/opensslv.h... no
    configure: error: *** OpenSSL headers missing - please install first or check config.log ***
    Error: openssl-devel is missing
    

    6) Install openssl-devel

    [root@localhost openssh-7.5p1]# yum install openssl-devel

    7) Fourth configure run

    [root@localhost openssh-7.5p1]# ./configure --prefix=/usr --sysconfdir=/etc/ssh
    
    ......
    
    Host: x86_64-pc-linux-gnu
    Compiler: gcc
    Compiler flags: -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wno-pointer-sign -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-all -fPIE 
    Preprocessor flags: -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE
    Linker flags: -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-all -pie
    Libraries: -lcrypto -lrt -ldl -lutil -lz -lcrypt -lresolv
    No errors this time.

    8) Final step: make && make install

    [root@localhost openssh-7.5p1]# make && make install

     ......
    
    ssh-keygen: generating new host keys: RSA DSA ECDSA ED25519 
    /usr/sbin/sshd -t -f /etc/ssh/sshd_config
    

    Check the installation result:

    [root@localhost openssh-7.5p1]# ssh -V
    OpenSSH_7.5p1, OpenSSL 1.0.1e-fips 11 Feb 2013

    The installation succeeded.

    4. Configure the ssh service

    1. Copy the init script to /etc/init.d/ and name it sshd

    [root@localhost openssh-7.5p1]# cp contrib/redhat/sshd.init /etc/init.d/sshd
    

    2. Add sshd to the services started at boot

    [root@localhost openssh-7.5p1]# chkconfig --add sshd                # add sshd to the services started at boot
    [root@localhost openssh-7.5p1]# chkconfig --list sshd                 # check sshd's boot start status
    sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
    

    3. Allow root login over ssh

    [root@localhost openssh-7.5p1]# vi /etc/ssh/sshd_config
    Add a new line: PermitRootLogin yes
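OpenSSH 7.0 changed the default for PermitRootLogin from yes to prohibit-password, which is why this line has to be added after the upgrade; sshd also uses the first value it finds for a keyword, and any line placed after a Match line belongs to that block only, so where the line is added decides whether it takes effect. As an added example (not code from the post), the following audit parses an sshd_config with those rules and reports where root password login is actually enabled; the config text is constructed.

```python
"""Find where PermitRootLogin actually applies in an sshd_config (added example
with a constructed config; not the post's code). sshd keeps the FIRST value it
sees for a keyword, and lines after a 'Match' line belong to that block."""
import re

DEFAULT_PERMIT_ROOT_LOGIN = "prohibit-password"  # OpenSSH 7.0+ default
# Constructed sample: the 'PermitRootLogin yes' appended at the end of the file
# landed inside the Match block, so globally the default still applies.
SAMPLE_SSHD_CONFIG = """\
Port 22
#PermitRootLogin prohibit-password
PasswordAuthentication yes
Match User backup
    PasswordAuthentication no
PermitRootLogin yes
"""

def parse_sshd_config(text):
    """Return (global_settings, match_blocks); keywords are case-insensitive."""
    global_cfg, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # sshd only knows whole-line comments
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            current = {"criteria": value, "settings": {}}
            blocks.append(current)
            continue
        target = global_cfg if current is None else current["settings"]
        target.setdefault(key, value)  # first occurrence wins, later ones are ignored
    return global_cfg, blocks

def effective_root_login(text):
    """Global PermitRootLogin value sshd will enforce, lower-cased."""
    global_cfg, _ = parse_sshd_config(text)
    return global_cfg.get("permitrootlogin", DEFAULT_PERMIT_ROOT_LOGIN).lower()

def audit_root_login(text):
    """List where 'PermitRootLogin yes' is in force; an empty list means hardened."""
    _, blocks = parse_sshd_config(text)
    findings = []
    if effective_root_login(text) == "yes":
        findings.append("global: root password login allowed; prefer prohibit-password or no")
    for block in blocks:
        if block["settings"].get("permitrootlogin", "").lower() == "yes":
            findings.append("Match %s: PermitRootLogin yes applies only inside this block" % block["criteria"])
    return findings
```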
    

    4. Restart the ssh service

    [root@localhost openssh-7.5p1]# service sshd restart
    Stopping sshd:                                             [  OK  ]
    /sbin/restorecon:  lstat(/etc/ssh/ssh_host_key.pub) failed:  No such file or directory
    Starting sshd:                                             [  OK  ]
    

    Finally, test that you can log in to the system over ssh; the OpenSSH upgrade is then complete.

    Other notes

    Before installing OpenSSH I had intended to remove the old openssl first and install a new one, but after removing it yum no longer worked, so I had to reinstall openssl; the process is as follows.

    The pitfall I hit after removing openssl: yum install fails after the removal.

    [root@localhost ssh_pack]# rpm -e --nodeps openssl-1.0.1e-48.el6.x86

    [root@localhost ssh_pack]# yum install gcc
    There was a problem importing one of the Python modules
    required to run yum. The error leading to this problem was:
    
       libssl.so.10: cannot open shared object file: No such file or directory
    
    Please install a package which provides this module, or
    verify that the module is installed correctly.
    
    It's possible that the above module doesn't match the
    current version of Python, which is:
    2.6.6 (r266:84292, Jul 23 2015, 15:22:56) 
    [GCC 4.4.7 20120313 (Red Hat 4.4.7-11)]
    
    If you cannot solve this problem yourself, please go to 
    the yum faq at:
      http://yum.baseurl.org/wiki/Faq
    

    Mount the CD and reinstall openssl

    [root@localhost Packages]# rpm -ivh openssl-devel-1.0.1e-48.el6.x86_64.rpm openssl-1.0.1e-48.el6.x86_64.rpm --nodeps --force

    ssh login problems

    Problem 1: login from CRT fails (message: Password authentication faild. Please verify that the username and password are correct.)

    After restarting the sshd service CRT can log in, but the restart prints the following error.

    [root@localhost chu]# service sshd restart
    Stopping sshd: [ OK ]
    /sbin/restorecon: lstat(/etc/ssh/ssh_host_key.pub) failed: No such file or directory
    Starting sshd: [ OK ]

    Workaround:

    [root@localhost ssh]# vi /etc/init.d/sshd          <<------- the init script

    #               /sbin/restorecon /etc/ssh/ssh_host_key.pub

    According to the official release notes (http://www.openssh.com/txt/release-6.9), OpenSSH 7.0 and later no longer support protocol version 1, so the RSA1 key type is no longer supported either, and building OpenSSH from source no longer generates ssh_host_key.pub under /etc/ssh. Commenting out the /etc/ssh/ssh_host_key.pub line in the init script fixes the error.

    Problem 2: CRT cannot log in; restarting the ssh service restores CRT login, but after rebooting the operating system the ssh service has to be restarted again before ssh login works.

    Checking the boot configuration and the ssh service status, both look normal:

    [root@localhost ssh]# chkconfig --list sshd
    sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
    [root@localhost ssh]# service sshd status
    sshd (pid  1309) is running...
    [root@localhost ssh]# netstat -npl |grep 22
    tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1309/sshd           
    tcp        0      0 :::22                       :::*                        LISTEN      1309/sshd
    

    1. Running ssh root@127.0.0.1 locally reports an error about /root/.ssh/known_hosts; clearing the contents of known_hosts restores ssh login.

    2. Disable SELinux

    Summary: when you log in to a server with ssh, the client records the public key of each server it connects to in /root/.ssh/known_hosts, and on the next connection to the same server it checks that key. After the OpenSSH upgrade the old public key entry is still there and no longer matches at login, so the old key must be cleared and the new key recorded before login works again.
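The known_hosts error in point 1 above is a host key mismatch: /etc/ssh had been moved aside, so make install generated fresh host keys and the server's identity changed (restoring the ssh_host_* files from /etc/ssh.old before make install keeps it unchanged). The following is an added example, not the post's procedure: it removes only the entries for the upgraded host, plain or hashed, and keeps every other server's key, which wiping the file would throw away; the key blobs and known_hosts lines are constructed, not real keys.

```python
"""Drop only the stale known_hosts entries of an upgraded host instead of
wiping the file (added example, not the post's own procedure). Handles plain
and hashed (|1|salt|hash) host fields; every key and line here is constructed."""
import base64, hashlib, hmac, struct

def ssh_string(b):
    """OpenSSH wire-format string: 4-byte big-endian length + bytes."""
    return struct.pack(">I", len(b)) + b

def constructed_blob(seed):
    """Constructed ssh-ed25519 public key blob; NOT a real key pair."""
    return ssh_string(b"ssh-ed25519") + ssh_string(hashlib.sha256(seed).digest())

def fingerprint(blob):
    """SHA256 fingerprint as ssh-keygen -l prints it (unpadded base64)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def hashed_field(host, salt):
    """Host field as written with HashKnownHosts yes: |1|salt|hmac-sha1(host)."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(), base64.b64encode(mac).decode())

def host_matches(field, host):
    """True if a known_hosts host field (comma list or hashed) names `host`."""
    if field.startswith("|1|"):
        _, _, salt, _ = field.split("|")
        return field == hashed_field(host, base64.b64decode(salt))
    return host in field.split(",")

def prune_stale(known_hosts, host, current_blob):
    """Return (kept_text, dropped_lines): `host` lines whose key != current go."""
    kept, dropped = [], []
    for line in known_hosts.splitlines():
        parts = line.split()
        stale = (len(parts) >= 3 and not line.startswith("#")
                 and host_matches(parts[0], host)
                 and base64.b64decode(parts[2]) != current_blob)
        (dropped if stale else kept).append(line)
    return "\n".join(kept) + "\n", dropped

b64 = lambda blob: base64.b64encode(blob).decode()
# Constructed inputs: the pre-upgrade host key (still present in /etc/ssh.old),
# the key 'make install' generated, and an unrelated server that must survive.
OLD_BLOB, NEW_BLOB = constructed_blob(b"old host key"), constructed_blob(b"new host key")
SAMPLE_KNOWN_HOSTS = "\n".join([
    "127.0.0.1 ssh-ed25519 " + b64(OLD_BLOB),
    hashed_field("localhost", b"0123456789abcdefghij") + " ssh-ed25519 " + b64(OLD_BLOB),
    "10.0.0.5,10.0.0.6 ssh-ed25519 " + b64(constructed_blob(b"other server")),
]) + "\n"
```

Comparing fingerprint() of the key files in /etc/ssh.old and /etc/ssh tells you whether the server's identity actually changed before touching any client.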

  • Original article: https://www.cnblogs.com/joechu/p/8878609.html