Openssh 升级到9.0P1

Openssh升级

 

openssh、openssl 下载地址(请从官方站点下载当前仍受支持的版本,并在解压前核对官方公布的 SHA256 校验值或 PGP 签名)

一、挂载本地yum或者网络yum安装依赖环境

[root@localhost ~]# cd /etc/yum.repos.d/
[root@localhost yum.repos.d]# vi yum.repo

[yum]
name=centos7
baseurl=file:///mnt/
enabled=1
gpgcheck=0
# 注:gpgcheck=0 会跳过 RPM 签名校验,仅适用于可信的本地挂载镜像;使用网络源时应设为 1 并配置 gpgkey

[root@localhost yum.repos.d]# yum repolist all
已加载插件:fastestmirror
Determining fastest mirrors
yum                                                                                                              | 3.6 kB  00:00:00     
(1/2): yum/group_gz                                                                                              | 153 kB  00:00:00     
(2/2): yum/primary_db                                                                                            | 3.3 MB  00:00:00     
源标识                                                        源名称                                                         状态
yum                                                           centos7                                                        启用: 4,070
repolist: 4,070

//安装依赖环境
# yum install  -y zlib-devel openssl-devel pam-devel openssl gcc perl

//备份依赖库
# cp /usr/lib64/libcrypto.so.10 /usr/lib64/libcrypto.so.10.old
# cp /usr/lib64/libcrypto.so.1.0.2k /usr/lib64/libcrypto.so.1.0.2k.old
# cp /usr/lib64/libssl.so.10  /usr/lib64/libssl.so.10.old
# cp /usr/lib64/libssl.so.1.0.2k /usr/lib64/libssl.so.1.0.2k.old

二、升级openssl

# ls
openssh-9.0p1.tar.gz  openssl-1.1.1q.tar.gz
//先卸载老版本ssl
[root@localhost openssh_update]# rpm -e --nodeps openssl
[root@localhost openssh_update]# rm -rf /etc/ssl
[root@localhost openssh_update]# tar -xvf openssl-1.1.1q.tar.gz
[root@localhost openssh_update]# cd openssl-1.1.1q
//编译
[root@localhost openssl-1.1.1q]# ./config shared --prefix=/usr/local/openssl-1.1.1q
Operating system: x86_64-whatever-linux2
Configuring OpenSSL version 1.1.1q (0x1010111fL) for linux-x86_64
Using os-specific seed configuration
Creating configdata.pm
Creating Makefile

**********************************************************************
***                                                                ***
***   OpenSSL has been successfully configured                     ***
***                                                                ***
***   If you encounter a problem while building, please open an    ***
***   issue on GitHub <https://github.com/openssl/openssl/issues>  ***
***   and include the output from the following command:           ***
***                                                                ***
***       perl configdata.pm --dump                                ***
***                                                                ***
***   (If you are new to OpenSSL, you might want to consult the    ***
***   'Troubleshooting' section in the INSTALL file first)         ***
***                                                                ***
**********************************************************************
[root@localhost openssl-1.1.1q]# make && make install
//写入配置文件和创建软连接
# echo "/usr/local/openssl-1.1.1q/lib">>/etc/ld.so.conf
# ln -s /usr/local/openssl-1.1.1q/bin/openssl /usr/bin/openssl
# ln -s /usr/local/openssl-1.1.1q/include/openssl/ /usr/include/openssl/
# echo "/usr/local/openssl-1.1.1q/lib" >/etc/ld.so.conf.d/openssl.conf
# ldconfig
# openssl version
OpenSSL 1.1.1q 5 Jul 2022

三、升级openssh

//备份卸载低版本ssh
[root@localhost openssl-1.1.1q]# rpm -qa|grep openssh
openssh-clients-7.4p1-21.el7.x86_64
openssh-7.4p1-21.el7.x86_64
openssh-server-7.4p1-21.el7.x86_64
[root@localhost openssl-1.1.1q]# rpm -e --nodeps `rpm -qa | grep openssh`
[root@localhost openssl-1.1.1q]# mkdir /data/openssh_update8.9p1/etc_OpenSSH_7.4p1_sshbk -p
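[root@localhost openssl-1.1.1q]# mv /etc/ssh/ /data/openssh_update8.9p1/etc_OpenSSH_7.4p1_sshbk
//注意:原主机密钥(ssh_host_*_key)也随 /etc/ssh 一起被移走,后面 make install 会重新生成主机密钥,客户端会看到主机密钥变更告警;如需保持主机身份不变,可在安装后把备份目录中的主机密钥文件拷回 /etc/ssh 并保持私钥权限为 600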

//升级openssh到9.0P

# ls
openssh-9.0p1  openssh-9.0p1.tar.gz  openssl-1.1.1q  openssl-1.1.1q.tar.gz
# tar -xvf openssh-9.0p1.tar.gz
# cd openssh-9.0p1
# ./configure --prefix=/usr/ --sysconfdir=/etc/ssh --with-zlib --with-md5-passwords --with-pam --with-ssl-dir=/usr/local/openssl-1.1.1q

# make && make install

//配置文件
[root@localhost openssh-9.0p1]# cp  contrib/redhat/sshd.init /etc/init.d/sshd
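[root@localhost openssh-9.0p1]# cp contrib/redhat/sshd.pam /etc/pam.d/sshd.pam
//注意:PAM 按服务名查找 /etc/pam.d/sshd,名为 sshd.pam 的文件不会被 sshd 使用;如需启用 PAM 认证,目标文件应为 /etc/pam.d/sshd,并在 sshd_config 中设置 UsePAM yes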
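[root@localhost openssh-9.0p1]# echo "KexAlgorithms +diffie-hellman-group1-sha1">>/etc/ssh/sshd_config
//注意:diffie-hellman-group1-sha1 使用 1024 位 DH 群和 SHA-1,属于 OpenSSH 默认已禁用的弱算法;仅在必须兼容旧客户端时才加这一行,客户端升级后应删除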
[root@localhost openssh-9.0p1]# echo "PermitRootLogin yes">>/etc/ssh/sshd_config
//注意:PermitRootLogin yes 允许 root 用密码直接登录;生产环境建议改为 prohibit-password 或 no,用普通用户登录后再 sudo
[root@localhost openssh-9.0p1]# echo "PubkeyAuthentication yes">>/etc/ssh/sshd_config
[root@localhost openssh-9.0p1]# chkconfig sshd on
[root@localhost openssh-9.0p1]# mv /usr/lib64/libcrypto.so.10.old  /usr/lib64/libcrypto.so.10
mv:是否覆盖"/usr/lib64/libcrypto.so.10"? y
[root@localhost openssh-9.0p1]# mv /usr/lib64/libssl.so.10.old   /usr/lib64/libssl.so.10
mv:是否覆盖"/usr/lib64/libssl.so.10"? y
[root@localhost openssh-9.0p1]# /etc/init.d/sshd start
Starting sshd (via systemctl):                             [  确定  ]
[root@localhost openssh-9.0p1]# ssh -V
OpenSSH_9.0p1, OpenSSL 1.1.1q  5 Jul 2022

四、重启下机器连接验证

[root@localhost openssh-9.0p1]# reboot

 

重启后提示无host key是连接工具xshell版本低了,升级到6.0之后就行

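xshell拒绝连接的话,关闭selinux即可。注意:关闭 SELinux 会去掉系统的强制访问控制,更稳妥的做法是先用 setenforce 0 临时切到 permissive,确认问题确实由 SELinux 引起,再查看 /var/log/audit/audit.log 中的 AVC 拒绝记录,用 restorecon 修复新安装文件(如 /etc/ssh、/usr/sbin/sshd)的安全上下文,然后恢复 enforcing,而不是永久设为 disabled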

[root@localhost ~]# setenforce 0
[root@localhost ~]# cat /etc/selinux/config 

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected. 
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted 


[root@localhost ~]# sed -i s/SELINUX=enforcing/SELINUX=disabled/g /etc/selinux/config

 

 

 

 

 

 

 

 

 

 

 

 

 
