OpenSSH 升级到 9.0p1
OpenSSH 升级
openssh和openssl下载地址
一、挂载本地yum或者网络yum安装依赖环境
[root@localhost ~]# cd /etc/yum.repos.d/ [root@localhost yum.repos.d]# vi yum.repo [yum] name=centos7 baseurl=file:///mnt/ enable=1 gpgcheck=0 [root@localhost yum.repos.d]# yum repolist all 已加载插件:fastestmirror Determining fastest mirrors yum | 3.6 kB 00:00:00 (1/2): yum/group_gz | 153 kB 00:00:00 (2/2): yum/primary_db | 3.3 MB 00:00:00 源标识 源名称 状态 yum centos7 启用: 4,070 repolist: 4,070 //安装依赖环境 # yum install -y zlib-devel openssl-devel pam-devel openssl gcc perl //备份依赖库 # cp /usr/lib64/libcrypto.so.10 /usr/lib64/libcrypto.so.10.old # cp /usr/lib64/libcrypto.so.1.0.2k /usr/lib64/libcrypto.so.1.0.2k.old # cp /usr/lib64/libssl.so.10 /usr/lib64/libssl.so.10.old # cp /usr/lib64/libssl.so.1.0.2k /usr/lib64/libssl.so.1.0.2k.old
二、升级openssl
# ls openssh-9.0p1.tar.gz openssl-1.1.1q.tar.gz
//先卸载老版本ssl [root@localhost openssh_update]# rpm -e --nodeps openssl [root@localhost openssh_update]# rm -rf /etc/ssl [root@localhost openssh_update]# tar -xvf openssl-1.1.1q.tar.gz [root@localhost openssh_update]# cd openssl-1.1.1q //编译 [root@localhost openssl-1.1.1q]# ./config shared --prefix=/usr/local/openssl-1.1.1q Operating system: x86_64-whatever-linux2 Configuring OpenSSL version 1.1.1q (0x1010111fL) for linux-x86_64 Using os-specific seed configuration Creating configdata.pm Creating Makefile ********************************************************************** *** *** *** OpenSSL has been successfully configured *** *** *** *** If you encounter a problem while building, please open an *** *** issue on GitHub <https://github.com/openssl/openssl/issues> *** *** and include the output from the following command: *** *** *** *** perl configdata.pm --dump *** *** *** *** (If you are new to OpenSSL, you might want to consult the *** *** 'Troubleshooting' section in the INSTALL file first) *** *** *** ********************************************************************** [root@localhost openssl-1.1.1q]# make && make install //写入配置文件和创建软连接 # echo "/usr/local/openssl-1.1.1q/lib">>/etc/ld.so.conf # ln -s /usr/local/openssl-1.1.1q/bin/openssl /usr/bin/openssl # ln -s /usr/local/openssl-1.1.1q/include/openssl/ /usr/include/openssl/ # echo "/usr/local/openssl-1.1.1q/lib" >/etc/ld.so.conf.d/openssl.conf # ldconfig # openssl version OpenSSL 1.1.1q 5 Jul 2022
三、升级openssh
//备份卸载低版本ssh [root@localhost openssl-1.1.1q]# rpm -qa|grep openssh openssh-clients-7.4p1-21.el7.x86_64 openssh-7.4p1-21.el7.x86_64 openssh-server-7.4p1-21.el7.x86_64 [root@localhost openssl-1.1.1q]# rpm -e --nodeps `rpm -qa | grep openssh` [root@localhost openssl-1.1.1q]# mkdir /data/openssh_update8.9p1/etc_OpenSSH_7.4p1_sshbk -p [root@localhost openssl-1.1.1q]# mv /etc/ssh/ /data/openssh_update8.9p1/etc_OpenSSH_7.4p1_sshbk //升级openssh到9.0p1 # ls openssh-9.0p1 openssh-9.0p1.tar.gz openssl-1.1.1q openssl-1.1.1q.tar.gz # tar -xvf openssh-9.0p1.tar.gz # cd openssh-9.0p1 # ./configure --prefix=/usr/ --sysconfdir=/etc/ssh --with-zlib --with-md5-passwords --with-pam -with-ssl-dir=/usr/local/openssl-1.1.1q # make && make install //配置文件（注意：KexAlgorithms +diffie-hellman-group1-sha1 会重新启用已被默认禁用的弱密钥交换算法，PermitRootLogin yes 允许 root 直接登录，两者都会降低 sshd 的安全性，只在确有需要时追加） [root@localhost openssh-9.0p1]# cp contrib/redhat/sshd.init /etc/init.d/sshd [root@localhost openssh-9.0p1]# cp contrib/redhat/sshd.pam /etc/pam.d/sshd.pam [root@localhost openssh-9.0p1]# echo "KexAlgorithms +diffie-hellman-group1-sha1">>/etc/ssh/sshd_config [root@localhost openssh-9.0p1]# echo "PermitRootLogin yes">>/etc/ssh/sshd_config [root@localhost openssh-9.0p1]# echo "PubkeyAuthentication yes">>/etc/ssh/sshd_config [root@localhost openssh-9.0p1]# chkconfig sshd on [root@localhost openssh-9.0p1]# mv /usr/lib64/libcrypto.so.10.old /usr/lib64/libcrypto.so.10 mv:是否覆盖"/usr/lib64/libcrypto.so.10"? y [root@localhost openssh-9.0p1]# mv /usr/lib64/libssl.so.10.old /usr/lib64/libssl.so.10 mv:是否覆盖"/usr/lib64/libssl.so.10"? y [root@localhost openssh-9.0p1]# /etc/init.d/sshd start Starting sshd (via systemctl): [ 确定 ] [root@localhost openssh-9.0p1]# ssh -V OpenSSH_9.0p1, OpenSSL 1.1.1q 5 Jul 2022
四、重启下机器连接验证
[root@localhost openssh-9.0p1]# reboot
重启后如果提示无 host key，是连接工具 Xshell 版本过低，升级到 6.0 及以上即可
Xshell 被拒绝连接的话，可以按下面的步骤关闭 SELinux 作为临时规避；但这会关闭整机的强制访问控制，通常更稳妥的做法是先用 restorecon 为新安装的 sshd 相关文件恢复 SELinux 上下文，确认无效后再考虑关闭
[root@localhost ~]# setenforce 0 [root@localhost ~]# cat /etc/selinux/config # This file controls the state of SELinux on the system. # SELINUX= can take one of these three values: # enforcing - SELinux security policy is enforced. # permissive - SELinux prints warnings instead of enforcing. # disabled - No SELinux policy is loaded. SELINUX=enforcing # SELINUXTYPE= can take one of three values: # targeted - Targeted processes are protected, # minimum - Modification of targeted policy. Only selected processes are protected. # mls - Multi Level Security protection. SELINUXTYPE=targeted [root@localhost ~]# sed -i s/SELINUX=enforcing/SELINUX=disabled/g /etc/selinux/config