SSH Upgrade
Check the SSH version
╭─root@zxw18 ~
╰─➤ ssh -V
OpenSSH_6.6.1p1, OpenSSL 1.0.1e-fips 11 Feb 2013
Mount the CD-ROM
╭─root@zxw18 ~
╰─➤ mount /dev/cdrom /mnt
mount: /dev/sr0 写保护,将以只读方式挂载
Install the required packages: gcc, telnet, xinetd, make, pam-devel, zlib, etc.
╭─root@zxw18 ~
╰─➤ yum -y install gcc telnet xinetd make pam-devel zlib vnc libcap-devel openssl-devel telnet-server
On CentOS 7 the telnet configuration file is /etc/xinetd.conf. Before CentOS 7 it is /etc/xinetd.d/telnet.
╭─root@zxw18 ~
╰─➤ vim /etc/xinetd.conf
disabled = no
Or
╭─root@zxw18 ~
╰─➤ echo -e "pts/0 \npts/1 \npts/2 \npts/3" >>/etc/securetty
Start xinetd and check port 23
╭─root@zxw18 ~
╰─➤ systemctl restart xinetd
╭─root@zxw18 ~
╰─➤ systemctl start telnet.socket
╭─root@zxw18 /usr/local/src/openssh-8.2p1
╰─➤ ss -tnl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:111 *:*
LISTEN 0 128 :::111 :::*
LISTEN 0 128 :::23
Create a remote user for telnet
╭─root@zxw18 ~
╰─➤ useradd user
╭─root@zxw18 ~
╰─➤ echo "123" |passwd --stdin user
更改用户 user 的密码 。
passwd:所有的身份验证令牌已经成功更新。
Stop the current SSH service and back up its configuration
╭─root@zxw18 ~
╰─➤ systemctl stop sshd
╭─root@zxw18 ~
╰─➤ mv /etc/ssh /etc/ssh.old
Query and uninstall the installed openssh packages
╭─root@zxw18 ~
╰─➤ rpm -qa |grep openssh
openssh-server-6.6.1p1-31.el7.x86_64
openssh-6.6.1p1-31.el7.x86_64
openssh-clients-6.6.1p1-31.el7.x86_64
╭─root@zxw18 ~
╰─➤ rpm -e --nodeps `rpm -qa |grep openssh`
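Download the OpenSSH source package
Official download page: http://www.openssh.com/portable.html#http
Upload the SSH package, extract it, and change into the source directory
╭─root@zxw18 ~
╰─➤ rz 127 ↵
rz waiting to receive.
zmodem trl+C ȡ
100% 1661 KB 1661 KB/s 00:00:01 0 Errors.
╭─root@zxw18 ~
╰─➤ tar -xzf openssh-8.2p1.tar.gz -C /usr/local/src
╭─root@zxw18 ~
╰─➤ cd /usr/local/src/openssh-8.2p1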
Compile and install
╭─root@zxw18 /usr/local/src/openssh-8.2p1
╰─➤ ./configure --prefix=/usr \
    --sysconfdir=/etc/ssh \
    --with-md5-passwords \
    --with-pam \
    --with-ssh1 \
    --with-zlib \
    --with-openssl-includes=/usr \
    --with-privsep-path=/var/lib/sshd
╭─root@zxw18 /usr/local/src/openssh-8.2p1
╰─➤ make && make install
Post-installation setup
╭─root@zxw18 /usr/local/src/openssh-8.2p1
╰─➤ cp /usr/local/src/openssh-8.2p1/contrib/redhat/sshd.init /etc/init.d/sshd
╭─root@zxw18 /usr/local/src/openssh-8.2p1
╰─➤ chmod +x /etc/init.d/sshd
╭─root@zxw18 /usr/local/src/openssh-8.2p1
╰─➤ chkconfig --add sshd
╭─root@zxw18 /usr/local/src/openssh-8.2p1
╰─➤ chkconfig --level 2345 sshd on
SELinux must be disabled, otherwise connections will fail
╭─root@zxw18 /usr/local/src/openssh-8.2p1
╰─➤ cat /etc/sysconfig/selinux
SELINUX=disabled
╭─root@zxw18 /usr/local/src/openssh-8.2p1
╰─➤ getenforce 0
Disabled
Start the SSH service and check the SSH port
╭─root@zxw18 /usr/local/src/openssh-8.2p1
╰─➤ systemctl start sshd
╭─root@zxw18 /usr/local/src/openssh-8.2p1
╰─➤ ss -tnl
State Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0 128 *:111 *:*
LISTEN 0 128 *:22 *:*
LISTEN 0 128 :::111 :::*
LISTEN 0 128 :::22 :::*
LISTEN 0 128 :::23 :::*
Verify that the upgrade succeeded
╭─root@zxw18 /usr/local/src/openssh-8.2p1
╰─➤ ssh -V
OpenSSH_8.2p1, OpenSSL 1.0.2k-fips 26 Jan 2017
After verification, stop the telnet service
╭─root@zxw18 /usr/local/src/openssh-8.2p1
╰─➤ systemctl stop telnet.socket
╭─root@zxw18 /usr/local/src/openssh-8.2p1
╰─➤ systemctl stop xinetd.service
Error
Key exchange failed.
No compatible key exchange method. The server supports these methods: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
Fix
╭─root@zxw18 ~
╰─➤ vim /etc/ssh/ssh_config
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc #uncomment this line
MACs hmac-md5,hmac-sha1,umac-64@openssh.com #uncomment this line
╭─root@zxw18 ~
╰─➤ vim /etc/ssh/sshd_config
#add as the last line
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
╭─root@zxw18 ~
╰─➤ systemctl restart sshd
Fix: root cannot log in and is repeatedly told the password is wrong
╭─root@zxw18 ~
╰─➤ vim /etc/ssh/sshd_config
PasswordAuthentication yes #uncomment this line
PermitRootLogin yes #add the line PermitRootLogin yes
╭─root@zxw18 ~
╰─➤ vim /etc/init.d/sshd
        echo -n $"Starting $prog:"
        OPTIONS="-f /etc/ssh/sshd_config" #add this line
        $SSHD $OPTIONS && success || failure
        RETVAL=$?
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/sshd
        echo
}
Before the line $SSHD $OPTIONS && success || failure, add the line: OPTIONS="-f /etc/ssh/sshd_config"
╭─root@zxw18 ~
╰─➤ systemctl restart sshd
Warning: sshd.service changed on disk. Run 'systemctl daemon-reload' to reload units.
╭─root@zxw18 ~
╰─➤ systemctl daemon-reload
╭─root@zxw18 ~
╰─➤ systemctl restart sshd
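Added example (not part of the original post): a shell function that reads an ssh_config or sshd_config file and lists the legacy settings that the key exchange fix and the root login fix above write into it, so they can be reviewed once old clients are retired. The reporting policy (SHA-1 key exchanges, CBC-mode ciphers, MD5-based MACs, PermitRootLogin yes) and the names audit_ssh_config and sample_config are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original page. The policy is this example's
# assumption: report SHA-1 key exchanges, CBC-mode ciphers, MD5-based MACs
# and "PermitRootLogin yes".

# audit_ssh_config FILE   (FILE may be "-" to read stdin)
# Expects "Keyword value" lines; the "Keyword=value" form is not handled.
audit_ssh_config() {
    awk '
    function report(kind, list, pattern,    n, i, a) {
        n = split(list, a, ",")
        for (i = 1; i <= n; i++)
            if (a[i] ~ pattern) print kind ": " a[i]
    }
    /^[ \t]*#/ { next }                  # ignore commented-out lines
    {
        key = tolower($1); val = $2
        if (val ~ /^-/) next             # "-list" removes algorithms
        sub(/^[+^]/, "", val)            # "+list" / "^list" add to defaults
        if (key == "kexalgorithms")      report("kex", val, "sha1$")
        else if (key == "ciphers")       report("cipher", val, "-cbc$")
        else if (key == "macs")          report("mac", val, "^hmac-md5")
        else if (key == "permitrootlogin" && tolower(val) == "yes")
            print "option: PermitRootLogin yes"
    }' "$1"
}

# Constructed sample: the values this page puts into ssh_config/sshd_config.
sample_config() {
    cat <<'EOF'
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
MACs hmac-md5,hmac-sha1,umac-64@openssh.com
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
#PermitRootLogin no
PasswordAuthentication yes
PermitRootLogin yes
EOF
}

sample_config | audit_ssh_config -
```

Run it as audit_ssh_config /etc/ssh/sshd_config, or pipe the effective server configuration into it with sshd -T | audit_ssh_config -.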