centos7升级openssh9.3p1
centos7升级openssh9.3p1
制作rpm包
安装依赖包
yum install -y rpm-build gcc gcc-c++ glibc glibc-devel openssl-devel openssl pcre-devel zlib zlib-devel make wget krb5-devel pam-devel libX11-devel xmkmf libXt-devel initscripts libXt-devel imake gtk2-devel lrzsz
创建制作rpm相关目录
mkdir -pv /root/rpmbuild/{BUILD,BUILDROOT,RPMS,SOURCES,SPECS,SRPMS}
下载openssh和x11-ssh-askpass安装包
cd /root/rpmbuild/SOURCES/
wget https://mirrors.aliyun.com/pub/OpenBSD/OpenSSH/portable/openssh-9.3p1.tar.gz
tar -xf openssh-9.3p1.tar.gz
#下载x11-ssh-askpass-1.2.4.1.tar.gz
wget https://src.fedoraproject.org/repo/pkgs/openssh/x11-ssh-askpass-1.2.4.1.tar.gz
编辑编译配置文件
cp openssh-9.3p1/contrib/redhat/openssh.spec /root/rpmbuild/SPECS/
cd /root/rpmbuild/SPECS/
#不生产ask包
sed -i -e "s/%global no_gnome_askpass 0/%global no_gnome_askpass 1/g" openssh.spec
sed -i -e "s/%global no_x11_askpass 0/%global no_x11_askpass 1/g" openssh.spec
#修改openssl-devel的报错
sed -i '/openssl-devel < 1.1/s/^/#/' openssh.spec
#修改PreReq的报错
sed -i '/PreReq:/s/^/#/' openssh.spec
编译文件
rpmbuild -ba openssh.spec
#生产rpm文件
[root@localhost SPECS]# ls /root/rpmbuild/RPMS/x86_64/
openssh-9.3p1-1.el7.x86_64.rpm openssh-debuginfo-9.3p1-1.el7.x86_64.rpm
openssh-clients-9.3p1-1.el7.x86_64.rpm openssh-server-9.3p1-1.el7.x86_64.rpm
升级openssh
yum localinstall openssh-9.3p1-1.el7.x86_64.rpm openssh-clients-9.3p1-1.el7.x86_64.rpm openssh-server-9.3p1-1.el7.x86_64.rpm -y
验证openssh是否升级成功
#修改文件权限
chmod 600 /etc/ssh/ssh_host_rsa_key
chmod 600 /etc/ssh/ssh_host_ecdsa_key
chmod 600 /etc/ssh/ssh_host_ed25519_key
#检查是否有配置错误
sshd -t
#/etc/pam.d/sshd配置丢失,从其他机器拷贝一份配置过来
#注释掉/etc/pam.d/password-auth /etc/pam.d/system-auth中uid >= 1000的行,否则root不能登陆
sed -i '/uid < 1000/s/^/#/' /etc/pam.d/password-auth
sed -i '/uid < 1000/s/^/#/' /etc/pam.d/system-auth
#修改/etc/ssh/sshd_config
sed -i '/^#PermitRootLogin yes/s/^#//' /etc/ssh/sshd_config
#重启sshd服务
systemctl restart sshd
遇到的问题
读写权限不对
现象
[root@localhost x86_64]# sshd -t
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_rsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Unable to load host key "/etc/ssh/ssh_host_rsa_key": bad permissions
Unable to load host key: /etc/ssh/ssh_host_rsa_key
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_ecdsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Unable to load host key "/etc/ssh/ssh_host_ecdsa_key": bad permissions
Unable to load host key: /etc/ssh/ssh_host_ecdsa_key
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_ed25519_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Unable to load host key "/etc/ssh/ssh_host_ed25519_key": bad permissions
Unable to load host key: /etc/ssh/ssh_host_ed25519_key
sshd: no hostkeys available -- exiting.
解决方法
chmod 600 /etc/ssh/ssh_host_rsa_key
chmod 600 /etc/ssh/ssh_host_ecdsa_key
chmod 600 /etc/ssh/ssh_host_ed25519_key
重启后服务正常,但是无法正常登陆
现象
Mar 25 17:44:22 localhost sshd[56496]: PAM adding faulty module: /usr/lib64/security/pam_stack.so
[root@localhost x86_64]# tail -f /var/log/secure
Mar 25 17:44:10 localhost polkitd[584]: Registered Authentication Agent for unix-process:56480:1949117 (system bus name :1.71 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale zh_CN.UTF-8)
Mar 25 17:44:10 localhost sshd[56494]: Server listening on 0.0.0.0 port 22.
Mar 25 17:44:10 localhost sshd[56494]: Server listening on :: port 22.
Mar 25 17:44:10 localhost polkitd[584]: Unregistered Authentication Agent for unix-process:56480:1949117 (system bus name :1.71, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale zh_CN.UTF-8) (disconnected from bus)
Mar 25 17:44:22 localhost sshd[56496]: PAM unable to dlopen(/usr/lib64/security/pam_stack.so): /usr/lib64/security/pam_stack.so: cannot open shared object file: No such file or directory
Mar 25 17:44:22 localhost sshd[56496]: PAM adding faulty module: /usr/lib64/security/pam_stack.so
Mar 25 17:44:22 localhost sshd[56496]: Failed password for root from 192.168.184.1 port 2515 ssh2
Mar 25 17:44:25 localhost sshd[56496]: Failed password for root from 192.168.184.1 port 2515 ssh2
Mar 25 17:44:27 localhost sshd[56496]: Failed password for root from 192.168.184.1 port 2515 ssh2
Mar 25 17:44:27 localhost sshd[56496]: Connection closed by authenticating user root 192.168.184.1 port 2515 [preauth]
解决方法
[root@localhost pam.d]# grep pam_stack.so *
sshd:auth required pam_stack.so service=system-auth
sshd:account required pam_stack.so service=system-auth
sshd:password required pam_stack.so service=system-auth
sshd:session required pam_stack.so service=system-auth
#查找在那个配置文件中启用了改模块。注释改行配置
[root@localhost pam.d]# grep pam_stack.so * -l
sshd
【推荐】国内首个AI IDE,深度理解中文开发场景,立即下载体验Trae
【推荐】编程新体验,更懂你的AI,立即体验豆包MarsCode编程助手
【推荐】抖音旗下AI助手豆包,你的智能百科全书,全免费不限次数
【推荐】轻量又高性能的 SSH 工具 IShell:AI 加持,快人一步
· 分享4款.NET开源、免费、实用的商城系统
· 全程不用写代码,我用AI程序员写了一个飞机大战
· MongoDB 8.0这个新功能碉堡了,比商业数据库还牛
· 白话解读 Dapr 1.15:你的「微服务管家」又秀新绝活了
· 上周热点回顾(2.24-3.2)