  • openssh-升级

    系统: centos7
    openssh升级版本 openssh8.0 p1


    准备工作

    • 关闭防火墙
    # Stop the host firewall now and keep it from starting at boot.
    # NOTE(review): from this point every listening port is reachable, including
    # the root-capable telnet service set up below. Nothing later on this page
    # turns firewalld back on, so start and enable it again once the upgrade has
    # been verified.
    systemctl stop firewalld
    systemctl disable firewalld
    
    • 关闭selinux
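    # Put SELinux into permissive mode for the running system.
    setenforce 0
    # Persist the setting across reboots. The pattern is anchored on "SELINUX="
    # so that only that key is rewritten; the broader "^SELINUX.*" would also
    # overwrite the SELINUXTYPE= line in the same file.
    # NOTE(review): this removes mandatory access control for every service on
    # the host, not just sshd. Set SELINUX back to enforcing (a relabel may be
    # required) once the upgrade has been verified.
    sed -i 's/^SELINUX=.*$/SELINUX=disabled/' /etc/selinux/config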
    
    • 安装telnet服务端
    # Install the telnet client, the telnet server and xinetd.
    # NOTE(review): telnet carries credentials and session data in cleartext; it
    # is used here only as a temporary fallback channel while sshd is replaced.
    yum -y install telnet telnet-server xinetd
    
    • 配置telnet-server(使其可远程登录)
    # Allow the root user to log in over telnet:
    # NOTE(review): no backup of /etc/pam.d/login is taken here; remember to
    # uncomment the line again after the upgrade, since pam_securetty is what
    # restricts root logins to the terminals listed in /etc/securetty.
     
    vi /etc/pam.d/login
    # Edit /etc/pam.d/login and comment out the line below
     
    #auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
    
    # Register additional pseudo-terminals as root login devices.
     
    # Keep a copy of the original /etc/securetty so it can be restored later
    cp /etc/securetty /etc/securetty.bak
     
    # Append pts/1 through pts/11 to /etc/securetty, one entry per line
    for tty_index in 1 2 3 4 5 6 7 8 9 10 11; do
      echo "pts/${tty_index}" >> /etc/securetty
    done
    
    # Enable remote login for the root user:
    # NOTE(review): like the /etc/pam.d/login change, this is not backed up and
    # should be reverted (line uncommented) once SSH access has been confirmed.
     
    vi /etc/pam.d/remote
    # Edit /etc/pam.d/remote and comment out the line below
     
    #auth required pam_securetty.so
    
    • 启动telnet-server并设置开机启动
    # Start the telnet socket and xinetd now, and enable both at boot.
    # NOTE(review): because they are enabled, the cleartext telnet listener
    # survives reboots until it is explicitly disabled again.
    systemctl start telnet.socket xinetd.service
    systemctl enable xinetd.service telnet.socket
    
    • 下载程序包
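    # openssl-1.0.2r / zlib-1.2.11 / openssh-8.0p1
    # NOTE(review): these are old releases; the OpenSSL 1.0.2 series reached end
    # of life at the end of 2019. Check each project's site for the currently
    # supported release before following these steps.
    mkdir -p /setup/openssh
    wget https://www.openssl.org/source/openssl-1.0.2r.tar.gz -P /setup/openssh/
    # Fetch zlib over HTTPS like the other two, so the tarball cannot be
    # altered in transit.
    wget https://www.zlib.net/zlib-1.2.11.tar.gz -P /setup/openssh/
    wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.0p1.tar.gz -P /setup/openssh/
    # Print the SHA-256 of each tarball and compare it with the checksum or
    # signature published by the respective project before building and
    # installing the code as root.
    sha256sum /setup/openssh/*.tar.gz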
    
    • 安装依赖包
    # Install the compiler toolchain plus the zlib and PAM development headers
    # used by the builds below.
    yum -y install gcc make perl zlib zlib-devel pam pam-devel
    

    升级openssh

    升级顺序:zlib库 -> openssl -> openssh
    用telnet远程登录服务器(升级过程中会停止并卸载sshd,因此需要一条备用的远程通道;telnet为明文传输,只应在可信网络中临时使用,升级验证完成后应立即关闭)

    • 停止openssh
    # Stop the packaged SSH daemon; from here on the telnet session is the
    # management channel until the new sshd is started.
    systemctl stop sshd.service
    
    • 卸载原有openssh
    # Preserve the existing SSH and PAM configuration under .bak names
    mv /etc/ssh /etc/ssh.bak
    mv /etc/pam.d/sshd /etc/pam.d/sshd.bak
    mv /etc/pam.d/ssh-keycat /etc/pam.d/ssh-keycat.bak
     
    # Erase every installed package whose name contains "openssh", without
    # dependency checks
    rpm -e --nodeps $(rpm -qa | grep openssh)
    
    • 编译安装zlib
    # Unpack and build zlib, installing it under /usr/local/zlib
    cd /setup/openssh/
    tar zxvf zlib-1.2.11.tar.gz
    cd zlib-1.2.11/
    ./configure --prefix=/usr/local/zlib
    make && make install
     
    # Add the new library directory to the dynamic linker search path and
    # rebuild the linker cache
    echo '/usr/local/zlib/lib' >> /etc/ld.so.conf.d/zlib.conf
    ldconfig -v
    
    • 编译安装openssl
    # Unpack and build OpenSSL with shared libraries and zlib support.
    # No prefix is passed to ./config; the lines below expect the result under
    # /usr/local/ssl.
    cd /setup/openssh/
    tar zxvf openssl-1.0.2r.tar.gz
    cd openssl-1.0.2r/
    ./config shared zlib
    make && make install
     
    # Move the existing openssl binary aside and point /usr/bin/openssl and the
    # header directory at the new build.
    # NOTE(review): this changes which openssl every user and script on the host
    # picks up from PATH, not only what OpenSSH links against.
    mv /usr/bin/openssl /usr/bin/openssl.old
    ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
    ln -s /usr/local/ssl/include/openssl /usr/include/openssl
    # Register the new library directory with the dynamic linker
    echo '/usr/local/ssl/lib' >> /etc/ld.so.conf.d/ssl.conf
    ldconfig -v
    
    # Check the OpenSSL version
    openssl version -a
     
    OpenSSL 1.0.2r
    
    • 编译安装openssh
    # Unpack and build OpenSSH against the zlib and OpenSSL built above, with
    # PAM support and configuration under /etc/ssh.
    # NOTE(review): --with-md5-passwords enables MD5-hashed password support;
    # confirm it is actually needed on this system before keeping it.
    cd /setup/openssh/
    tar zxvf openssh-8.0p1.tar.gz
    cd openssh-8.0p1/
    ./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/ssl --mandir=/usr/share/man --with-zlib=/usr/local/zlib --with-pam --with-md5-passwords
    make && make install
     
    # Copy the new client and server binaries over the system paths
    cp /usr/local/openssh/bin/* /usr/bin/
    cp /usr/local/openssh/sbin/* /usr/sbin/
     
    # Install the PAM file and init script shipped in contrib/redhat, then
    # register the init script with chkconfig
    cp /setup/openssh/openssh-8.0p1/contrib/redhat/sshd.pam /etc/pam.d/sshd
    cp /setup/openssh/openssh-8.0p1/contrib/redhat/sshd.init /etc/init.d/sshd
    chmod u+x /etc/init.d/sshd
    chkconfig --add sshd
    
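    # Keep the sshd_config currently in /etc/ssh as a backup
    mv /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
    vim /etc/ssh/sshd_config
    # Edit the configuration file (the echo below writes the same file in one step)
     
    # NOTE(review): "PermitRootLogin yes" together with "PasswordAuthentication yes"
    # exposes the root account to password guessing. Once key-based access for an
    # administrative account is in place, change them to
    # "PermitRootLogin prohibit-password" (or "no") and "PasswordAuthentication no".
    # X11Forwarding is kept as in the original; turn it off if it is not needed.
    # UseLogin has been dropped from the list: the option was removed in
    # OpenSSH 7.4 and has no effect on 8.0p1.
    echo 'HostKey /etc/ssh/ssh_host_rsa_key
    HostKey /etc/ssh/ssh_host_ecdsa_key
    HostKey /etc/ssh/ssh_host_ed25519_key
    SyslogFacility AUTH
    AuthorizedKeysFile      .ssh/authorized_keys
    PasswordAuthentication yes
    PermitRootLogin yes
    ChallengeResponseAuthentication no
    GSSAPIAuthentication yes
    GSSAPICleanupCredentials no
    UsePAM yes
    X11Forwarding yes
    AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
    AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
    AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
    AcceptEnv XMODIFIERS
    Subsystem       sftp    /usr/local/openssh/libexec/sftp-server
    UseDNS=no' > /etc/ssh/sshd_config
    # Only root needs to read or modify the daemon configuration
    chmod 600 /etc/ssh/sshd_config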
    
    # Overwrite /etc/pam.d/sshd (the contrib/redhat sshd.pam copied earlier) with
    # the PAM stack below. The previous system file was saved as
    # /etc/pam.d/sshd.bak before the old package was removed.
    echo '#%PAM-1.0
    auth       required     pam_sepermit.so
    auth       substack     password-auth
    auth       include      postlogin
    # Used with polkit to reauthorize users in remote sessions
    -auth      optional     pam_reauthorize.so prepare
    account    required     pam_nologin.so
    account    include      password-auth
    password   include      password-auth
    # pam_selinux.so close should be the first session rule
    session    required     pam_selinux.so close
    session    required     pam_loginuid.so
    # pam_selinux.so open should only be followed by sessions to be executed in the user context
    session    required     pam_selinux.so open env_params
    session    required     pam_namespace.so
    session    optional     pam_keyinit.so force revoke
    session    include      password-auth
    session    include      postlogin
    # Used with polkit to reauthorize users in remote sessions
    -session   optional     pam_reauthorize.so prepare' > /etc/pam.d/sshd
    
    • 启动并设置开机启动
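    # Check the configuration file and host keys before starting the daemon, so
    # a bad config is caught while the telnet session is still available
    /usr/sbin/sshd -t
    service sshd start
    chkconfig sshd on
    
    # Do NOT run the remaining lines until a fresh SSH login has been confirmed
    # from a second terminal. They undo the temporary access opened during
    # preparation.
    # Shut down and remove the cleartext telnet service (also stop and disable
    # xinetd if nothing else on the host depends on it)
    systemctl stop telnet.socket
    systemctl disable telnet.socket
    yum -y remove telnet-server
    # Restore the original list of root-capable terminals
    mv -f /etc/securetty.bak /etc/securetty
    # Uncomment the pam_securetty.so lines in /etc/pam.d/login and
    # /etc/pam.d/remote again by hand; no backup of those files was taken.
    # Bring the host firewall back
    systemctl enable firewalld
    systemctl start firewalld
    # SELinux was disabled in /etc/selinux/config; set SELINUX back to enforcing
    # there once the new sshd has been verified to work with it.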
    
  • 原文地址:https://www.cnblogs.com/taoyuxuan/p/12157522.html