openssh-升级

系统: centos7
openssh升级版本 openssh8.0 p1


准备工作

  • 关闭防火墙
# Stop the host firewall now and keep it from starting at boot.
# NOTE(review): nothing later on this page turns firewalld back on, so the
# host stays unfiltered while telnet with root login is enabled below.
# If only the temporary telnet port has to be reachable, a runtime-only rule
# (`firewall-cmd --add-service=telnet`, without --permanent) is a narrower choice.
systemctl stop firewalld
systemctl disable firewalld
  • 关闭selinux
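# Put SELinux into permissive mode for the running system, then persist
# "disabled" in the config file for later boots.
# The pattern is anchored on "SELINUX=" so that the SELINUXTYPE= line in the
# same file is left intact (a bare ^SELINUX.* would rewrite that line too).
# NOTE(review): the persistent setting outlives the upgrade and the page never
# reverts it; confirm the rebuilt sshd really needs SELinux off, otherwise
# `setenforce 0` alone covers the maintenance window.
setenforce 0
sed -i 's/^SELINUX=.*$/SELINUX=disabled/g' /etc/selinux/config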
  • 安装telnet服务端
# Install the telnet client, the telnet server and xinetd; telnet is the
# fallback login path while the stock openssh packages are removed below.
# NOTE(review): telnet sends credentials in clear text, so treat it as a
# short-lived maintenance channel on a trusted network segment only.
yum -y install telnet telnet-server xinetd
  • 配置telnet-server(使其可远程登录)
# Allow root to log in over telnet:
 
vi /etc/pam.d/login
# Edit /etc/pam.d/login and comment out the line shown below.
# NOTE(review): pam_securetty is the check that limits root logins to the
# terminals listed in /etc/securetty; uncomment the line again once the
# upgrade is finished.
 
#auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
# Register pts/1 .. pts/11 as terminals on which root may log in.

# Keep a copy of the original list so it can be put back afterwards.
cp /etc/securetty /etc/securetty.bak

# Append one "pts/N" entry per line, N = 1..11.
# NOTE(review): these entries stay in place after the upgrade unless
# /etc/securetty is restored from the .bak copy; the page has no such step.
for n in 1 2 3 4 5 6 7 8 9 10 11; do
  echo "pts/$n" >> /etc/securetty
done
# Enable remote root login:
 
vi /etc/pam.d/remote
# Edit /etc/pam.d/remote and comment out the line shown below.
# NOTE(review): this is the same pam_securetty check as in /etc/pam.d/login;
# uncomment it again once the upgrade is finished.
 
#auth required pam_securetty.so
  • 启动telnet-server并设置开机启动
# Start the telnet socket and xinetd now, and enable both at boot.
# NOTE(review): with `enable`, telnet with root login survives reboots. The
# page never switches it off again; once an SSH login against the new sshd
# has been verified, stop and disable telnet.socket and xinetd.service.
systemctl start telnet.socket xinetd.service
systemctl enable xinetd.service telnet.socket
  • 下载程序包
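# Sources used below: openssl-1.0.2r / zlib-1.2.11 / openssh-8.0p1
# All three are fetched over HTTPS (the zlib URL used plain http), because the
# tarballs are compiled and installed into system paths and end up in sshd.
# NOTE(review): HTTPS alone does not prove the files are the published
# releases; compare each tarball with the digest or signature the project
# publishes before unpacking, e.g.
#   echo "<EXPECTED_SHA256>  /setup/openssh/openssh-8.0p1.tar.gz" | sha256sum -c -
mkdir -p /setup/openssh
wget https://www.openssl.org/source/openssl-1.0.2r.tar.gz -P /setup/openssh/
wget https://www.zlib.net/zlib-1.2.11.tar.gz -P /setup/openssh/
wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.0p1.tar.gz -P /setup/openssh/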
  • 安装依赖包
# Install the compiler toolchain plus the zlib and PAM development headers
# needed by the source builds below.
yum -y install gcc make perl zlib zlib-devel pam pam-devel

升级openssh

升级顺序 zlib库-> openssl -> openssh
用telnet远程登录服务器(下面会停止并卸载旧版openssh,升级期间只能靠telnet保持远程连接;telnet为明文传输,升级完成后应立即关闭)

  • 停止openssh
# Stop the running sshd; the telnet session opened above is what keeps
# remote access available until the new daemon is started.
systemctl stop sshd.service
  • 卸载原有openssh
# Set the existing configuration aside under a .bak name.
# NOTE(review): /etc/ssh also holds the host keys, so the rebuilt sshd will
# presumably present new ones and clients will see a host-key-changed
# warning; copy the ssh_host_* files back from /etc/ssh.bak if the old
# host identity should be kept — confirm against your setup.
for path in /etc/ssh /etc/pam.d/sshd /etc/pam.d/ssh-keycat; do
  mv "$path" "$path.bak"
done

# Remove every installed package whose name contains "openssh", ignoring
# dependencies. The substitution is left unquoted on purpose: each package
# name must reach rpm as a separate argument.
rpm -e --nodeps $(rpm -qa | grep openssh)
  • 编译安装zlib
# Unpack and build zlib 1.2.11 into its own prefix, /usr/local/zlib.
cd /setup/openssh/
tar zxvf zlib-1.2.11.tar.gz
cd zlib-1.2.11/
./configure --prefix=/usr/local/zlib
make && make install
 
# Tell the dynamic linker about the new library directory and rebuild its cache.
echo '/usr/local/zlib/lib' >> /etc/ld.so.conf.d/zlib.conf
ldconfig -v
  • 编译安装openssl
# Unpack and build OpenSSL 1.0.2r as shared libraries with zlib support.
# NOTE(review): the OpenSSL 1.0.2 series stopped receiving public fixes at
# the end of 2019, and a hand-built copy is not updated by yum; plan how this
# library will be patched before relying on it for sshd.
cd /setup/openssh/
tar zxvf openssl-1.0.2r.tar.gz
cd openssl-1.0.2r/
./config shared zlib
make && make install
 
# Keep the old binary as openssl.old, then point /usr/bin/openssl and
# /usr/include/openssl at the build under /usr/local/ssl.
# NOTE(review): this changes the `openssl` command and headers seen by
# everything else on the host, not only by the sshd build.
mv /usr/bin/openssl /usr/bin/openssl.old
ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
ln -s /usr/local/ssl/include/openssl /usr/include/openssl
echo '/usr/local/ssl/lib' >> /etc/ld.so.conf.d/ssl.conf
ldconfig -v
# Check the OpenSSL version
openssl version -a
 
OpenSSL 1.0.2r
  • 编译安装openssh
# Unpack and build OpenSSH 8.0p1 against the zlib and OpenSSL built above,
# with PAM support and /etc/ssh as the configuration directory.
# NOTE(review): --with-md5-passwords enables MD5 password support; confirm
# it is still needed, since the config written further down sets UsePAM yes.
cd /setup/openssh/
tar zxvf openssh-8.0p1.tar.gz
cd openssh-8.0p1/
./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/ssl --mandir=/usr/share/man --with-zlib=/usr/local/zlib --with-pam --with-md5-passwords
make && make install
 
# Copy the freshly built client and server binaries into the system paths.
# NOTE(review): the openssh rpms were removed above, so these files are not
# tracked by the package manager and will not be updated by yum; later
# security fixes need a manual rebuild.
cp /usr/local/openssh/bin/* /usr/bin/
cp /usr/local/openssh/sbin/* /usr/sbin/
 
# Install the PAM file and SysV init script shipped in contrib/redhat, make
# the script executable and register the service with chkconfig.
cp /setup/openssh/openssh-8.0p1/contrib/redhat/sshd.pam /etc/pam.d/sshd
cp /setup/openssh/openssh-8.0p1/contrib/redhat/sshd.init /etc/init.d/sshd
chmod u+x /etc/init.d/sshd
chkconfig --add sshd
# Keep the sshd_config found in /etc/ssh (presumably the one `make install`
# wrote) as .bak, then open a new file for editing.
mv /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
vim /etc/ssh/sshd_config
# Write the configuration file
 
# NOTE(review) on the settings written below:
#  - PermitRootLogin yes together with PasswordAuthentication yes exposes the
#    root account to password guessing; `PermitRootLogin prohibit-password`
#    with key-based login is the tighter setting once keys are in place.
#  - UseLogin was removed from sshd in OpenSSH 7.4, so that line is no longer
#    honoured by 8.0p1 and can be dropped.
#  - X11Forwarding yes is only worth keeping if X11 forwarding is really used.
echo 'HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
SyslogFacility AUTH
AuthorizedKeysFile      .ssh/authorized_keys
PasswordAuthentication yes
PermitRootLogin yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
UsePAM yes
X11Forwarding yes
UseLogin yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem       sftp    /usr/local/openssh/libexec/sftp-server
UseDNS=no' > /etc/ssh/sshd_config
# Write /etc/pam.d/sshd; this overwrites the contrib/redhat/sshd.pam copy
# that was installed to the same path earlier.
echo '#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare' > /etc/pam.d/sshd
  • 启动并设置开机启动
# Start the new sshd and enable it at boot.
# NOTE(review): the page stops here. Before closing the telnet session,
# verify an SSH login from a second terminal, then undo the temporary access:
#   systemctl stop telnet.socket xinetd.service
#   systemctl disable telnet.socket xinetd.service
#   cp /etc/securetty.bak /etc/securetty
#   uncomment the pam_securetty.so lines in /etc/pam.d/login and /etc/pam.d/remote
#   systemctl start firewalld; systemctl enable firewalld
service sshd start
chkconfig sshd on


转载自www.cnblogs.com/taoyuxuan/p/12157522.html