OpenSSH 9.5 upgrade
1. Create a snapshot and a backup
Snapshot: create an ECS snapshot
Backup:
#!/bin/bash
# Archive the files of every installed openssh RPM so they can be restored by hand
mkdir -p /root/sshd_bak
cd /root/sshd_bak || exit 1
for i in $(rpm -qa | grep openssh); do
    echo "===>$i"
    name=$(echo "$i" | cut -d'.' -f1)   # e.g. openssh-server-8, enough to tell the packages apart
    files=$(rpm -ql "$i")
    # $files is left unquoted on purpose so that every path becomes its own tar argument
    tar zcvf "${name}.tar.gz" ${files}
done
Confirm that yum works, so that ssh can be reinstalled quickly if something goes wrong.
[root@tmp1 openssh]# ssh -V   # confirm the version before the upgrade
OpenSSH_8.0p1, OpenSSL 1.1.1k FIPS 25 Mar 2021
2. Install telnet and confirm it works
yum install telnet-server xinetd
cat >> /etc/xinetd.d/telnet << EOF
service telnet
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
disable = no
}
EOF
Change the port: edit the telnet port number in /etc/services with vim   # 22 is already in use
systemctl enable xinetd
chkconfig --list 2> /dev/null | grep telnet
systemctl start xinetd
systemctl status xinetd
netstat -tnlp | grep xin
telnet $ip $port   # test the connection; once it works, log in through telnet and keep that session open while sshd is replaced
4. Install
openssl:
yum install perl-IPC-Cmd perl-CPAN
wget --no-check-certificate https://www.openssl.org/source/openssl-3.2.0.tar.gz
tar zxf openssl-3.2.0.tar.gz && cd openssl-3.2.0
./config --prefix=/usr/local/openssl shared
make && make install
ln -s /usr/local/openssl/lib64/libssl.so.3 /usr/lib/
ln -s /usr/local/openssl/lib64/libcrypto.so.3 /usr/lib/
zlib:
yum install zlib-devel
wget --no-check-certificate http://www.zlib.net/zlib-1.3.1.tar.gz
tar zxf zlib-1.3.1.tar.gz && cd zlib-1.3.1
./configure --prefix=/usr/local/zlib
make && make install
openssh:
wget --no-check-certificate https://mirrors.aliyun.com/pub/OpenBSD/OpenSSH/portable/openssh-9.5p1.tar.gz
tar zxf openssh-9.5p1.tar.gz && cd openssh-9.5p1
killall sshd   # kill the running sshd processes (do this from the telnet session: it also ends any ssh login)
for i in $(rpm -qa | grep openssh); do rpm -e --nodeps "$i"; done   # remove the old packages
./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/openssl --with-zlib-dir=/usr/local/zlib --without-openssl-header-check
make -j4 && make install
chmod -R 755 /usr/local/   # note: recursive 755 marks every file under /usr/local executable and world-readable
echo 'export PATH=$PATH:/usr/local/openssh/bin:/usr/local/openssl/bin/' >> /etc/profile
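All three downloads above are fetched with --no-check-certificate (and the zlib URL is plain http), so nothing confirms that the tarball that arrived is the one the project published. As an added example that is not part of the original notes, the script below downloads a tarball with TLS verification left on and unpacks it only if its SHA-256 matches a pinned value. The URLs are the ones used above; the EXPECTED_* hashes are placeholders to be filled in from each project's release announcement, and sha256_of, verify_sha256 and fetch_verified are names chosen here.

```shell
#!/bin/sh
# Added example, not part of the original notes: verify a source tarball against a
# pinned SHA-256 before unpacking it. EXPECTED_* values are placeholders; take the
# real hashes from the upstream release announcement before running with --live.

# Print the SHA-256 of a file (coreutils sha256sum, or shasum where that is missing).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 only when the file's digest equals the expected one (hex case is ignored).
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file")
    [ "$actual" = "$expected" ]
}

# Download $1 with TLS verification on, check it against $2, unpack only on a match.
fetch_verified() {
    url=$1
    expected=$2
    tarball=${url##*/}
    wget -q "$url" -O "$tarball" || { echo "download failed: $url" >&2; return 1; }
    if verify_sha256 "$tarball" "$expected"; then
        echo "ok: $tarball matches the pinned SHA-256"
        tar zxf "$tarball"
    else
        echo "MISMATCH: $tarball (got $(sha256_of "$tarball")), not unpacking" >&2
        rm -f "$tarball"
        return 1
    fi
}

# Placeholders: replace with the hashes published for each release.
EXPECTED_OPENSSL='<sha256 of openssl-3.2.0.tar.gz from the release announcement>'
EXPECTED_ZLIB='<sha256 of zlib-1.3.1.tar.gz from the release announcement>'
EXPECTED_OPENSSH='<sha256 of openssh-9.5p1.tar.gz from the release announcement>'

# Run the real downloads only when asked to (sh fetch_verified.sh --live).
if [ "${1:-}" = "--live" ]; then
    fetch_verified https://www.openssl.org/source/openssl-3.2.0.tar.gz "$EXPECTED_OPENSSL" &&
    fetch_verified http://www.zlib.net/zlib-1.3.1.tar.gz "$EXPECTED_ZLIB" &&
    fetch_verified https://mirrors.aliyun.com/pub/OpenBSD/OpenSSH/portable/openssh-9.5p1.tar.gz "$EXPECTED_OPENSSH"
fi
```

A mismatch deletes the tarball and stops the chain, so the build steps that follow never see an unverified archive; the pinned hash, not the transport, is what ties the file to the release.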
Edit /etc/ssh/sshd_config:
PermitRootLogin yes
PasswordAuthentication yes
[root@tmp1 ~]# cat /usr/lib/systemd/system/sshd.service
[Unit]
Description=OpenSSH server daemon
Documentation=man:sshd(8) man:sshd_config(5)
#After=network.target sshd-keygen.target
#Wants=sshd-keygen.target
After=network.target
[Service]
Type=notify
#EnvironmentFile=-/etc/sysconfig/sshd
ExecStart=/usr/local/openssh/sbin/sshd -D $OPTIONS
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartSec=42s
[Install]
WantedBy=multi-user.target
5. Start the service
systemctl enable sshd
systemctl start sshd
systemctl status sshd
6. On hosts of the same type, pack the compiled result and reuse it directly
tar zcvf /root/openssh/9.5.tar.gz /usr/local/openssh /usr/local/openssl /usr/local/zlib /etc/ssh/sshd_config /usr/lib/systemd/system/sshd.service
After transferring it, extract into the same directories:
killall sshd   # kill the running sshd processes
for i in $(rpm -qa | grep openssh); do rpm -e --nodeps "$i"; done   # remove the old packages
ln -s /usr/local/openssl/lib64/libssl.so.3 /usr/lib/
ln -s /usr/local/openssl/lib64/libcrypto.so.3 /usr/lib/
chmod -R 755 /usr/local/
echo 'export PATH=$PATH:/usr/local/openssh/bin:/usr/local/openssl/bin/' >> /etc/profile
cp etc/ssh/sshd_config /etc/ssh/                                   # relative paths: run from the directory the archive was extracted into
cp usr/lib/systemd/system/sshd.service /usr/lib/systemd/system/
systemctl enable sshd
systemctl start sshd
systemctl status sshd
7. Checks
1) sshd -V   # confirm the installed version is the new one
OpenSSH_9.5p1, OpenSSL 1.1.1g FIPS 21 Apr 2020
2) Try logging in with a password and with a key; both should work normally
3) ps -ef | grep sshd   # confirm the running sshd is the new binary
4) If the ssh service reports an error about /usr/lib64/security/pam_tally2.so:
ln -sv /usr/lib64/security/pam_faillock.so /usr/lib64/security/pam_tally2.so
5) If systemctl start sshd.service hangs: commenting out Type=notify makes it work.
Cause: after starting, sshd sends no readiness message back to systemd, so systemd keeps waiting.
yum install systemd-devel   # the sd-daemon.h header is needed
vi sshd.c   # two changes, as follows:
#include <systemd/sd-daemon.h>            /* 1) add this with the other includes at the top */
sd_notify(0, "READY=1");                  /* 2) add this line immediately before the call below */
/* Accept a connection and return in a forked child */
server_accept_loop(&sock_in, &sock_out,   /* find this line; sd_notify(0, "READY=1"); goes right before it */
    &newsock, config_s);
vi Makefile
LIBS=-lcrypto -ldl -lutil -lz -lcrypt -lresolv -lsystemd   # append -lsystemd
# run make clean before rebuilding
6) If you see: libcrypto.so.3: cannot open shared object file
echo '/usr/local/openssl/lib64' >> /etc/ld.so.conf && ldconfig
7) Work through any remaining error messages shown by systemctl status sshd
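Checks 1, 3 and 6 above, together with the two sshd_config settings switched on during the install, can be run as one script instead of by hand. As an added example that is not part of the original notes, the script below does that: the helpers ssh_version_of, version_ge, config_value and unit_exec_start (names chosen here) work on plain strings and files, and --live runs them against the host, assuming the paths used above (/usr/local/openssh/sbin/sshd and /usr/lib/systemd/system/sshd.service). The running-process check reads /proc/<pid>/exe rather than relying on ps | grep output, and the config values come from sshd -T, i.e. the configuration as sshd itself parses it.

```shell
#!/bin/sh
# Added example, not part of the original notes: post-upgrade checks for a
# self-built sshd. Paths assume the layout used in the notes above.

SSHD=/usr/local/openssh/sbin/sshd
UNIT=/usr/lib/systemd/system/sshd.service
WANT_VERSION=9.5p1

# "OpenSSH_9.5p1, OpenSSL 3.2.0 ..." -> "9.5p1"
ssh_version_of() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([^, ]*\).*/\1/p'
}

# 0 when version $1 >= $2; "9.5p1" is compared as 9.5.1 so patch levels sort numerically.
version_ge() {
    a=$(printf '%s' "$1" | tr 'p' '.')
    b=$(printf '%s' "$2" | tr 'p' '.')
    top=$(printf '%s\n%s\n' "$a" "$b" | sort -t. -k1,1n -k2,2n -k3,3n | tail -n 1)
    [ "$top" = "$a" ]
}

# Value of an sshd keyword from "sshd -T" output or an sshd_config file.
# Comment lines are skipped; the first occurrence wins, as in sshd_config(5).
config_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || NF < 2 { next }
        tolower($1) == key { print $2; exit }
    ' "$1"
}

# Binary a unit file starts: "ExecStart=/usr/local/openssh/sbin/sshd -D $OPTIONS" -> the path
unit_exec_start() {
    sed -n 's/^ExecStart=[-@+!]*\([^ ]*\).*/\1/p' "$1" | head -n 1
}

live_checks() {
    rc=0
    ver=$(ssh_version_of "$("$SSHD" -V 2>&1 | head -n 1)")
    if version_ge "$ver" "$WANT_VERSION"; then echo "ok   sshd binary version $ver"
    else echo "FAIL sshd binary version is '$ver', wanted >= $WANT_VERSION"; rc=1; fi

    # the new binary must resolve libcrypto.so.3, not the distro's 1.1 library (check 6)
    if ldd "$SSHD" | grep -q 'libcrypto.so.3'; then echo "ok   links against libcrypto.so.3"
    else echo "FAIL libcrypto.so.3 not resolved: add /usr/local/openssl/lib64 to ld.so.conf and run ldconfig"; rc=1; fi

    # the unit must start the self-built sshd, not /usr/sbin/sshd
    exec_start=$(unit_exec_start "$UNIT")
    if [ "$exec_start" = "$SSHD" ]; then echo "ok   unit starts $exec_start"
    else echo "FAIL unit starts '$exec_start'"; rc=1; fi

    # the running listener must be the new binary (check 3), taken from /proc instead of ps | grep
    if pid=$(pgrep -o -x sshd) && [ "$(readlink -f "/proc/$pid/exe")" = "$SSHD" ]; then
        echo "ok   running sshd (pid $pid) is $SSHD"
    else
        echo "FAIL running sshd is not $SSHD"; rc=1
    fi

    # effective configuration as sshd parses it; prints the two settings opened up during the install
    tmp=$(mktemp)
    "$SSHD" -T > "$tmp" 2>/dev/null
    for k in permitrootlogin passwordauthentication; do
        echo "note $k = $(config_value "$tmp" "$k")"
    done
    rm -f "$tmp"
    return $rc
}

# Run against the host only when asked to (sh post_upgrade_check.sh --live).
if [ "${1:-}" = "--live" ]; then
    live_checks
fi
```

A non-zero exit from --live means at least one of the version, library, unit or process checks failed; the two "note" lines are informational so the settings enabled for the upgrade can be reviewed once both login paths have been confirmed.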
黑马腾空^_^