openssh升级

openssh升级

###获取安装包

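# Fetch the openssh/openssl/zlib tarballs into /root/.
# -P sets the download directory; the original trailing "/root/" was parsed by
# wget as a second URL, so the files landed in the current directory instead.
# The URL is quoted so that wget, not the local shell, expands the FTP glob.
# NOTE(review): FTP is plaintext and unauthenticated, so verify every tarball
# against the checksum or signature published by its upstream project before
# building, e.g. compare the output of: sha256sum /root/openssh-8.4p1.tar.gz
wget -q -P /root/ 'ftp://10.56.81.253/openssh/*'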

###7系统版本

先安装 telnet,并通过 telnet 连接另开一个窗口来执行升级,因为升级 ssh 时会停止 sshd 服务。注意 telnet 以明文传输账号和密码,只应在可信的管理网络内临时使用,升级完成后按后文步骤关闭。

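# Temporary fallback console: telnet is installed only so the host stays
# reachable while sshd is stopped and replaced.
# NOTE(review): telnet carries credentials in cleartext and this setup lets
# root log in over it. Keep port 23 reachable only from a trusted management
# network and remove the service as soon as the new sshd has been verified.
yum install xinetd telnet-server -y

# xinetd service definition for in.telnetd (quoted heredoc: written verbatim).
cat > /etc/xinetd.d/telnet <<'EOF'
service telnet
{
        disable = no
        flags       = REUSE
        socket_type = stream
        wait        = no
        user        = root
        server      = /usr/sbin/in.telnetd
        log_on_failure  += USERID
}
EOF

# Allow root logins on the first four pseudo-terminals. Each entry is appended
# only if missing, so re-running this step does not pile up duplicate lines.
for tty in pts/0 pts/1 pts/2 pts/3; do
  grep -qxF "$tty" /etc/securetty || echo "$tty" >> /etc/securetty
done

systemctl enable xinetd
systemctl enable telnet.socket
systemctl start telnet.socket
systemctl start xinetd

# Confirm there is a listener on TCP port 23. Matching ":23" followed by
# whitespace avoids false hits on other ports or PIDs that contain "23".
netstat -lntp | grep -E ':23[[:space:]]'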

###6系统版本

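# Temporary telnet fallback for the duration of the sshd upgrade.
# NOTE(review): telnet is cleartext; limit port 23 to a trusted management
# network and undo every change below once the new sshd is verified.
yum -y install xinetd telnet telnet-server

# Comment out pam_securetty so root may log in over telnet. The pattern is
# anchored at line start so a second run does not turn "#auth" into "##auth",
# which the later "uncomment" step would fail to restore.
sed -i "s/^auth       required     pam_securetty.so/#&/" /etc/pam.d/remote

# Enable the telnet service by flipping only its "disable = yes" line; the
# original replaced every "yes" in the file.
sed -i 's/^\([[:space:]]*disable[[:space:]]*=[[:space:]]*\)yes/\1no/' /etc/xinetd.d/telnet

service xinetd restart

# Confirm there is a listener on TCP port 23 (and nothing that merely contains "23").
netstat -lntp | grep -E ':23[[:space:]]'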

###安装依赖包

# Toolchain and kernel headers used to compile zlib, OpenSSL and OpenSSH below.
build_deps=(gcc gcc-c++ kernel-devel)
yum -y install "${build_deps[@]}"

###解压安装包

# Unpack the three source tarballs under /usr/local/src/ and hand the trees to
# root, since the archives may carry the packager's uid/gid.
# NOTE(review): these are pinned, older releases; check each upstream project
# for its current release, and verify the tarballs' checksums before unpacking.
for pkg in openssh-8.4p1 openssl-1.1.1i zlib-1.2.11; do
  tar -xf "/root/${pkg}.tar.gz" -C /usr/local/src/
done
chown -R root:root /usr/local/src/*

###编译安装zlib-1.2.11

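# Build zlib and install it under /usr/local/zlib.
# The steps are chained with && so that a failed cd, configure or make never
# falls through to "make install" (or runs in whatever directory the shell
# happened to be in).
cd /usr/local/src/zlib-1.2.11/ \
  && ./configure --prefix=/usr/local/zlib \
  && make -j 4 \
  && make install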

###编译安装openssl-1.1.1i

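# Build OpenSSL as shared libraries and install it under /usr/local/ssl.
# Steps are chained with && so a failed build is never installed.
# NOTE(review): the original passed "-d", which OpenSSL's config script takes
# as a request for a debug build; it is dropped here so the library that sshd
# links against is a normal optimized build. Re-add it only if a debug build
# is really wanted.
cd /usr/local/src/openssl-1.1.1i/ \
  && ./config --prefix=/usr/local/ssl shared \
  && make -j 4 \
  && make install

# Register the new library directory with the dynamic linker. The line is
# appended only if absent so repeated runs do not duplicate it.
grep -qxF '/usr/local/ssl/lib' /etc/ld.so.conf \
  || echo '/usr/local/ssl/lib' >> /etc/ld.so.conf
ldconfig -v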

###编译安装openssh-8.4p1

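# Build OpenSSH against the private OpenSSL/zlib and install it under
# /usr/local/openssh with its configuration in /etc/ssh.
yum install -y pam-devel

# /etc/ssh is moved aside only after the build has succeeded, so a failed
# configure/make does not leave the host without an sshd configuration.
# "make install" then writes a fresh sshd_config and host keys into /etc/ssh.
cd /usr/local/src/openssh-8.4p1/ \
  && ./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/ssl --with-zlib=/usr/local/zlib --with-pam \
  && make -j 4 \
  && mv /etc/ssh /etc/ssh.bak \
  && make install \
  && cp -a /etc/ssh.bak/ssh_host_*_key /etc/ssh.bak/ssh_host_*_key.pub /etc/ssh/ \
  && chmod 600 /etc/ssh/ssh_host_*_key
# The last two steps put the previous host keys back. Without them every
# client sees a changed host key after the upgrade, and users who click
# through that warning can no longer tell an upgrade from an interception.
# chmod 600 is needed because upstream sshd refuses private host keys that
# are readable by group or others.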

###sshd_config文件修改

# Append the site's settings to the freshly installed /etc/ssh/sshd_config.
# NOTE(review): sshd keeps the first value it reads for a keyword, so these
# appended lines only take effect if the keyword is not already set earlier
# in the file; check with: /usr/sbin/sshd -T
# NOTE(review): "PermitRootLogin yes" together with "PasswordAuthentication yes"
# exposes the root account to password guessing; if root must log in remotely,
# "PermitRootLogin prohibit-password" with keys is the narrower setting.
# "X11UseLocalhost no" binds the X11 forwarding listener to the wildcard
# address instead of loopback; confirm both choices are really required.
cat >> /etc/ssh/sshd_config <<'EOF'
X11Forwarding yes
X11UseLocalhost no
XAuthLocation /usr/bin/xauth
UseDNS no
PermitRootLogin yes
PubkeyAuthentication yes
PasswordAuthentication yes
UsePAM yes
EOF

###复制新文件

# Swap the distribution's sshd, ssh and ssh-keygen for the newly built ones,
# keeping each old binary next to it with a .bak suffix for rollback.
# NOTE(review): only these three binaries are replaced; other tools such as
# scp and sftp in /usr/bin keep whatever version was there. Confirm that is
# intended.
for rel in sbin/sshd bin/ssh bin/ssh-keygen; do
  mv "/usr/${rel}" "/usr/${rel}.bak"
  cp -rf "/usr/local/openssh/${rel}" "/usr/${rel}"
done

vim /etc/pam.d/sshd
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth
session    required     pam_limits.so
将以上内容添加到 /etc/pam.d/sshd 文件末尾

###重启sshd服务
7版本:

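# Switch sshd from the packaged systemd unit to the init script shipped in the
# OpenSSH source tree, then restart it.
# "sshd -t" checks the configuration file and host keys with the new binary
# before the running service is touched; a typo in sshd_config would otherwise
# leave the host reachable only through the temporary telnet session.
if /usr/sbin/sshd -t; then
  systemctl stop sshd
  # Keep the packaged unit as a .bak file (instead of deleting it) so the
  # change can be rolled back.
  mv -f /lib/systemd/system/sshd.service /lib/systemd/system/sshd.service.bak
  cp -rf /usr/local/src/openssh-8.4p1/contrib/redhat/sshd.init /etc/init.d/sshd
  systemctl daemon-reload
  /etc/init.d/sshd restart
  systemctl status sshd
else
  echo 'sshd -t reported errors; fix /etc/ssh/sshd_config before restarting sshd' >&2
fi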

6系统版本:

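# Replace the init script with the one shipped in the OpenSSH source tree and
# restart sshd.
# "sshd -t" checks the configuration file and host keys with the new binary
# before the running service is stopped, so a broken sshd_config is caught
# while SSH access still works.
# The original also removed /lib/systemd/system/sshd.service here; that path
# belongs to the systemd-based procedure, so the step is dropped for this
# "service"/init.d variant.
if /usr/sbin/sshd -t; then
  service sshd stop
  cp -rf /usr/local/src/openssh-8.4p1/contrib/redhat/sshd.init /etc/init.d/sshd
  /etc/init.d/sshd restart
  service sshd status
else
  echo 'sshd -t reported errors; fix /etc/ssh/sshd_config before restarting sshd' >&2
fi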

###添加开机启动

# Register the sshd init script for boot-time start, then print its runlevel
# table so the result can be checked by eye.
for action in --add --list; do
  chkconfig "$action" sshd
done

###关闭telnet服务
7版本系统

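# Tear down the temporary telnet fallback. Do this only after a fresh SSH
# login against the new sshd has succeeded from a second session.
systemctl disable xinetd.service
systemctl stop xinetd.service
systemctl disable telnet.socket
systemctl stop telnet.socket
yum remove telnet-server xinetd -y

# /etc/xinetd.d/telnet was written by hand earlier in this procedure, so
# package removal may leave it behind; delete it so a later xinetd install
# does not silently re-enable telnet.
rm -f /etc/xinetd.d/telnet

# Remove the pts/0-pts/3 entries that were appended to /etc/securetty to allow
# root logins over telnet.
# NOTE(review): if the site had these entries before the upgrade, re-add them.
sed -i '/^pts\/[0-3]$/d' /etc/securetty

# Verify nothing is listening on TCP port 23 any more (expect no output).
netstat -lnt | grep -E ':23[[:space:]]'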

6版本系统

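# Tear down the temporary telnet fallback. Do this only after a fresh SSH
# login against the new sshd has succeeded from a second session.
# Re-enable pam_securetty for remote logins (undoes the earlier comment-out).
sed -i "s/^#auth       required     pam_securetty.so/auth       required     pam_securetty.so/" /etc/pam.d/remote
# Show the line so it can be confirmed that it is active again (no leading "#").
grep -n 'pam_securetty' /etc/pam.d/remote

service xinetd stop
yum -y remove xinetd telnet telnet-server

# Verify nothing is listening on TCP port 23 any more (expect no output).
netstat -lnt | grep -E ':23[[:space:]]'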

###清理安装包

# Delete the downloaded source tarballs from /root/ now that the build is done.
for pkg in openssh-8.4p1 openssl-1.1.1i zlib-1.2.11; do
  rm -rf "/root/${pkg}.tar.gz"
done

###查看openssh版本

# Print the version of the ssh client found on PATH, together with the OpenSSL
# version it was built against, to confirm the replaced binary is in use.
# NOTE(review): this checks the client only; sshd is a separate binary.
ssh -V

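开启 SHA-1 密钥交换算法(可选,仅在必须兼容不支持新算法的旧客户端时使用;diffie-hellman-group1-sha1 和 diffie-hellman-group14-sha1 强度较弱,新版 OpenSSH 默认不再启用):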
KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1

posted @   谢科锋  阅读(41)  评论(0编辑  收藏  举报