centos7.6升级OpenSSH 9.0
业务需要需要将openssh升级到最新,来弥补部分漏洞,服务器环境不能连接外网。
参考博客 :这位大哥的博客借用一下。
(14条消息) Centos7.9 升级OpenSSH 9.0_xxp8811的博客-CSDN博客_centos7.9 升级openssh
查看系统版本
1 2 3 4 5 6 7 | [root@localhost ~]# cat /etc/redhat-release CentOS Linux release 7.6.1810 (Core) [root@localhost ~]# ssh -VOpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017[root@localhost ~]# uname -aLinux localhost.localdomain 3.10.0-957.el7.x86_64 #1 SMP Thu Nov 8 23:39:32 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux[root@localhost ~]# |
经测试升级中ssh不会断开,不退出session ,建议保险起见安装telnet远程登陆
升级包下载
https://www.zlib.net/zlib-1.2.12.tar.gz
https://www.openssl.org/source/openssl-1.1.1d.tar.gz
https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.0p1.tar.gz
备用链接:OpenSSH: Portable Release
下载后上传到需要升级的服务器上(我这里window 安装了ssh插件,可以使用sftp命令)
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 | C:\Users\wenxi>sftp root@192.168.10.112root@192.168.10.112's password:Connected to 192.168.10.112.sftp> lpwdLocal working directory: c:\users\wenxisftp> pwdRemote working directory: /rootsftp> lcd D:\openssh9\sftp> lls Volume in drive D is 新加卷 Volume Serial Number is D26A-B1FA Directory of D:\openssh92022-07-15 13:28 <DIR> .2022-07-15 13:28 <DIR> ..2022-07-15 09:25 1,822,183 openssh-9.0p1.tar.gz2022-07-15 09:24 8,845,861 openssl-1.1.1d.tar.gz2022-07-15 09:27 1,490,071 zlib-1.2.12.tar.gz 3 File(s) 12,158,115 bytes 2 Dir(s) 28,574,048,256 bytes freesftp> put *.gzUploading openssh-9.0p1.tar.gz to /root/openssh-9.0p1.tar.gzopenssh-9.0p1.tar.gz 100% 1779KB 66.2MB/s 00:00Uploading openssl-1.1.1d.tar.gz to /root/openssl-1.1.1d.tar.gzopenssl-1.1.1d.tar.gz 100% 8639KB 75.0MB/s 00:00Uploading zlib-1.2.12.tar.gz to /root/zlib-1.2.12.tar.gzzlib-1.2.12.tar.gz 100% 1455KB 99.3MB/s 00:00sftp> |
挂载光盘配置本地源用于安装telnet gcc 和相关依赖
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 | [root@localhost ~]# pwd/root[root@localhost ~]# lsopenssh-9.0p1.tar.gz openssl-1.1.1d.tar.gz zlib-1.2.12.tar.gz[root@localhost ~]# tar -zxf openssl-1.1.1d.tar.gz && tar -zxf openssh-9.0p1.tar.gz && tar -zxf zlib-1.2.12.tar.gz [root@localhost ~]# lsopenssh-9.0p1 openssh-9.0p1.tar.gz openssl-1.1.1d openssl-1.1.1d.tar.gz zlib-1.2.12 zlib-1.2.12.tar.gz[root@localhost ~]# vi /etc/yum.repos.d/CentOS-CR.repo [root@localhost ~]# cat /etc/yum.repos.d/CentOS-CR.repo [cr]name=CentOS-7.4baseurl=file:///mnt/gpgcheck=1gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7enabled=1[root@localhost ~]# mount /dev/cdrom /mntmount: /dev/sr0 is write-protected, mounting read-onlymount: /dev/sr0 is already mounted or /mnt busy /dev/sr0 is already mounted on /mnt[root@localhost ~]# ls /mntCentOS_BuildTag EFI EULA GPL images isolinux LiveOS Packages repodata RPM-GPG-KEY-CentOS-7 RPM-GPG-KEY-CentOS-Testing-7 TRANS.TBL[root@localhost ~]# [root@localhost ~]# yum install gcc make perl telnet-server xinetd -y Loaded plugins: fastestmirrorLoading mirror speeds from cached hostfilecr | 3.6 kB 00:00:00 Package gcc-4.8.5-36.el7.x86_64 already installed and latest versionPackage 1:make-3.82-23.el7.x86_64 already installed and latest versionPackage 4:perl-5.16.3-293.el7.x86_64 already installed and latest versionResolving Dependencies--> Running transaction check---> Package telnet-server.x86_64 1:0.17-64.el7 will be installed---> Package xinetd.x86_64 2:2.3.15-13.el7 will be installed--> Finished Dependency ResolutionDependencies Resolved================================================================================================================================================== Package Arch Version Repository Size==================================================================================================================================================Installing: telnet-server x86_64 1:0.17-64.el7 cr 41 k xinetd x86_64 2:2.3.15-13.el7 cr 128 kTransaction Summary==================================================================================================================================================Install 2 PackagesTotal download size: 169 kInstalled size: 316 kDownloading packages:--------------------------------------------------------------------------------------------------------------------------------------------------Total 15 MB/s | 169 kB 00:00:00 Running transaction checkRunning transaction testTransaction test succeededRunning transaction Installing : 2:xinetd-2.3.15-13.el7.x86_64 1/2 Installing : 1:telnet-server-0.17-64.el7.x86_64 2/2 Verifying : 1:telnet-server-0.17-64.el7.x86_64 1/2 Verifying : 2:xinetd-2.3.15-13.el7.x86_64 2/2Installed: telnet-server.x86_64 1:0.17-64.el7 xinetd.x86_64 2:2.3.15-13.el7 Complete![root@localhost ~]# |
关闭防火墙和selinux
新建用户admin,用于telnet 登陆,默认root是禁止telnet登陆的
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 | [root@localhost ~]# vi /etc/selinux/config [root@localhost ~]# cat /etc/selinux/config # This file controls the state of SELinux on the system.# SELINUX= can take one of these three values:# enforcing - SELinux security policy is enforced.# permissive - SELinux prints warnings instead of enforcing.# disabled - No SELinux policy is loaded.SELINUX=disabled# SELINUXTYPE= can take one of three values:# targeted - Targeted processes are protected,# minimum - Modification of targeted policy. Only selected processes are protected. # mls - Multi Level Security protection.SELINUXTYPE=targeted [root@localhost ~]# systemctl disable firewall Failed to execute operation: No such file or directory[root@localhost ~]# systemctl disable firewalld Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.[root@localhost ~]# systemctl stop firewalld [root@localhost ~]# systemctl start xinetd[root@localhost ~]# systemctl start telnet Failed to start telnet.service: Unit not found.[root@localhost ~]# systemctl start telnet.socket[root@localhost ~]# netstat -tunlp-bash: netstat: command not found[root@localhost ~]# yum install net-tools -yLoaded plugins: fastestmirrorLoading mirror speeds from cached hostfileResolving Dependencies--> Running transaction check---> Package net-tools.x86_64 0:2.0-0.24.20131004git.el7 will be installed--> Finished Dependency ResolutionDependencies Resolved================================================================================================================================================== Package Arch Version Repository Size==================================================================================================================================================Installing: net-tools x86_64 2.0-0.24.20131004git.el7 cr 306 kTransaction Summary==================================================================================================================================================Install 1 PackageTotal download size: 306 kInstalled size: 918 kDownloading packages:Running transaction checkRunning transaction testTransaction test succeededRunning transaction Installing : net-tools-2.0-0.24.20131004git.el7.x86_64 1/1 Verifying : net-tools-2.0-0.24.20131004git.el7.x86_64 1/1Installed: net-tools.x86_64 0:2.0-0.24.20131004git.el7 Complete![root@localhost ~]# netstat -tunlp Active Internet connections (only servers)Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1/systemd tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 3115/sshd tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 3439/master tcp6 0 0 :::111 :::* LISTEN 1/systemd tcp6 0 0 :::22 :::* LISTEN 3115/sshd tcp6 0 0 :::23 :::* LISTEN 1/systemd tcp6 0 0 ::1:25 :::* LISTEN 3439/master udp 0 0 0.0.0.0:111 0.0.0.0:* 1/systemd udp 0 0 127.0.0.1:323 0.0.0.0:* 2701/chronyd udp6 0 0 :::111 :::* 1/systemd udp6 0 0 ::1:323 :::* 2701/chronyd [root@localhost ~]# useradd admin [root@localhost ~]# passwd adminChanging password for user admin.New password: BAD PASSWORD: The password is shorter than 8 charactersRetype new password: passwd: all authentication tokens updated successfully.[root@localhost ~]# |
配置telnet并登陆验证。
使用新建的admin用户登陆成功
安装zlib
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 | [root@localhost zlib-1.2.12]# ./configure --prefix=/usr/local/zlib Checking for gcc...Checking for shared library support...Building shared library libz.so.1.2.12 with gcc.Checking for size_t... Yes.Checking for off64_t... Yes.Checking for fseeko... Yes.Checking for strerror... Yes.Checking for unistd.h... Yes.Checking for stdarg.h... Yes.Checking whether to use vs[n]printf() or s[n]printf()... using vs[n]printf().Checking for vsnprintf() in stdio.h... Yes.Checking for return value of vsnprintf()... Yes.Checking for attribute(visibility) support... Yes.[root@localhost zlib-1.2.12]# make && make install gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -I. -c -o example.o test/example.cgcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o adler32.o adler32.cgcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o crc32.o crc32.cgcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o deflate.o deflate.cgcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o infback.o infback.c...............................................................................................输出部分省略........................................[root@localhost zlib-1.2.12]# |
安装openssl
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 | [root@localhost openssl-1.1.1d]# ./config --prefix=/usr/local/ssl -d sharedOperating system: x86_64-whatever-linux2Configuring OpenSSL version 1.1.1d (0x1010104fL) for linux-x86_64Using os-specific seed configurationCreating configdata.pmCreating Makefile************************************************************************* ****** OpenSSL has been successfully configured ****** ****** If you encounter a problem while building, please open an ****** issue on GitHub <https://github.com/openssl/openssl/issues> ****** and include the output from the following command: ****** ****** perl configdata.pm --dump ****** ****** (If you are new to OpenSSL, you might want to consult the ****** 'Troubleshooting' section in the INSTALL file first) ****** *************************************************************************[root@localhost openssl-1.1.1d]#make && make install省略部分代码.........................................................................................................../usr/local/ssl/share/doc/openssl/html/man7/SM2.html/usr/local/ssl/share/doc/openssl/html/man7/X25519.html/usr/local/ssl/share/doc/openssl/html/man7/X448.html -> /usr/local/ssl/share/doc/openssl/html/man7/X25519.html/usr/local/ssl/share/doc/openssl/html/man7/bio.html/usr/local/ssl/share/doc/openssl/html/man7/crypto.html/usr/local/ssl/share/doc/openssl/html/man7/ct.html/usr/local/ssl/share/doc/openssl/html/man7/des_modes.html/usr/local/ssl/share/doc/openssl/html/man7/evp.html/usr/local/ssl/share/doc/openssl/html/man7/ossl_store-file.html/usr/local/ssl/share/doc/openssl/html/man7/ossl_store.html/usr/local/ssl/share/doc/openssl/html/man7/passphrase-encoding.html/usr/local/ssl/share/doc/openssl/html/man7/scrypt.html/usr/local/ssl/share/doc/openssl/html/man7/ssl.html/usr/local/ssl/share/doc/openssl/html/man7/x509.html[root@localhost openssl-1.1.1d]#[root@localhost openssl-1.1.1d]# echo '/usr/local/ssl/lib' >> /etc/ld.so.conf[root@localhost openssl-1.1.1d]# ldconfig -vldconfig: Path `/usr/local/ssl/lib' given more than onceldconfig: Can't stat /libx32: No such file or directoryldconfig: Path `/usr/lib' given more than onceldconfig: Path `/usr/lib64' given more than onceldconfig: Can't stat /usr/libx32: No such file or directory/usr/lib64/iscsi: libiscsi.so.2 -> libiscsi.so.2.0.10900/usr/lib64/mysql: libmysqlclient.so.18 -> libmysqlclient.so.18.0.0/usr/local/ssl/lib: libssl.so.1.1 -> libssl.so.1.1 libcrypto.so.1.1 -> libcrypto.so.1.1/lib:/lib64: libini_config.so.3 -> libini_config.so.3.2.1 libpath_utils.so.1 -> libpath_utils.so.1.0.1 libpulse.so.0 -> libpulse.so.0.20.1 libpulse-simple.so.0 -> libpulse-simple.so.0.1.0 libsndfile.so.1 -> libsndfile.so.1.0.25 libgsm.so.1 -> libgsm.so.1.0.12 libXtst.so.6 -> libXtst.so.6.1.0 libnfsidmap.so.0 -> libnfsidmap.so.0.3.0 libxcb-screensaver.so.0 -> libxcb-screensaver.so.0.0.0 libXi.so.6 -> libXi.so.6.1.0......................................................................................................... libfreeblpriv3.so -> libfreeblpriv3.so libmenu.so.5 -> libmenu.so.5.9 libfreebl3.so -> libfreebl3.so libformw.so.5 -> libformw.so.5.9 libform.so.5 -> libform.so.5.9 libgcc_s.so.1 -> libgcc_s-4.8.5-20150702.so.1 libutil.so.1 -> libutil-2.17.so/lib/sse2: (hwcap: 0x0000000004000000)/lib64/sse2: (hwcap: 0x0000000004000000)/lib64/tls: (hwcap: 0x8000000000000000)[root@localhost openssl-1.1.1d]# |
安装openssh
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 | [root@localhost openssh-9.0p1]# ./configure --prefix=/usr/local/openssh --with-zlib=/usr/local/zlib --with-ssl-dir=/usr/local/sslchecking for cc... ccchecking whether the C compiler works... yeschecking for C compiler default output file name... a.outchecking for suffix of executables... checking whether we are cross compiling... nochecking for suffix of object files... ochecking whether we are using the GNU C compiler... yeschecking whether cc accepts -g... yeschecking for cc option to accept ISO C89... none neededchecking if cc supports C99-style variadic macros... yeschecking build system type... x86_64-pc-linux-gnuchecking host system type... x86_64-pc-linux-gnuchecking how to run the C preprocessor... cc -Echecking for grep that handles long lines and -e... /usr/bin/grep..............................................................................................................config.status: creating Makefileconfig.status: creating buildpkg.shconfig.status: creating opensshd.initconfig.status: creating openssh.xmlconfig.status: creating openbsd-compat/Makefileconfig.status: creating openbsd-compat/regress/Makefileconfig.status: creating survey.shconfig.status: creating config.hOpenSSH has been configured with the following options: User binaries: /usr/local/openssh/bin System binaries: /usr/local/openssh/sbin Configuration files: /usr/local/openssh/etc Askpass program: /usr/local/openssh/libexec/ssh-askpass Manual pages: /usr/local/openssh/share/man/manX PID file: /var/run Privilege separation chroot path: /var/empty sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/openssh/bin Manpage format: doc PAM support: no OSF SIA support: no KerberosV support: no SELinux support: no libedit support: no libldns support: no Solaris process contract support: no Solaris project support: no Solaris privilege support: no IP address in $DISPLAY hack: no Translate v4 in v6 hack: yes BSD Auth support: no Random number source: OpenSSL internal ONLY Privsep sandbox style: seccomp_filter PKCS#11 support: yes U2F/FIDO support: yes Host: x86_64-pc-linux-gnu Compiler: cc Compiler flags: -g -O2 -pipe -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE Preprocessor flags: -I/usr/local/ssl/include -I/usr/local/zlib/include -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE Linker flags: -L/usr/local/ssl/lib -L/usr/local/zlib/lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -pie Libraries: -lcrypto -ldl -lutil -lz -lcrypt -lresolv[root@localhost openssh-9.0p1]# [root@localhost openssh-9.0p1]# make && make installconffile=`echo sshd_config.out | sed 's/.out$//'`; \/usr/bin/sed -e 's|/etc/ssh/ssh_config|/usr/local/openssh/etc/ssh_config|g' -e 's|/etc/ssh/ssh_known_hosts|/usr/local/openssh/etc/ssh_known_hosts|g' -e 's|/etc/ssh/sshd_config|/usr/local/openssh/etc/sshd_config|g' -e ......................................................................................................./usr/local/openssh/share/man/man8/ssh-pkcs11-helper.8/usr/bin/install -c -m 644 ssh-sk-helper.8.out /usr/local/openssh/share/man/man8/ssh-sk-helper.8/usr/bin/mkdir -p /usr/local/openssh/etcssh-keygen: generating new host keys: RSA DSA ECDSA ED25519 /usr/local/openssh/sbin/sshd -t -f /usr/local/openssh/etc/sshd_config[root@localhost openssh-9.0p1]# |
用yum 卸载原有旧的openssh
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 | [root@localhost openssh-9.0p1]# yum remove openssh -yLoaded plugins: fastestmirrorResolving Dependencies--> Running transaction check---> Package openssh.x86_64 0:7.4p1-16.el7 will be erased--> Processing Dependency: openssh = 7.4p1-16.el7 for package: openssh-server-7.4p1-16.el7.x86_64--> Processing Dependency: openssh = 7.4p1-16.el7 for package: openssh-clients-7.4p1-16.el7.x86_64--> Running transaction check---> Package openssh-clients.x86_64 0:7.4p1-16.el7 will be erased---> Package openssh-server.x86_64 0:7.4p1-16.el7 will be erased--> Finished Dependency ResolutionDependencies Resolved================================================================================================================================================== Package Arch Version Repository Size==================================================================================================================================================Removing: openssh x86_64 7.4p1-16.el7 @anaconda 1.9 MRemoving for dependencies: openssh-clients x86_64 7.4p1-16.el7 @anaconda 2.5 M openssh-server x86_64 7.4p1-16.el7 @anaconda 971 kTransaction Summary==================================================================================================================================================Remove 1 Package (+2 Dependent packages)Installed size: 5.4 MDownloading packages:Running transaction checkRunning transaction testTransaction test succeededRunning transaction Erasing : openssh-server-7.4p1-16.el7.x86_64 1/3 Erasing : openssh-clients-7.4p1-16.el7.x86_64 2/3 Erasing : openssh-7.4p1-16.el7.x86_64 3/3 Verifying : openssh-clients-7.4p1-16.el7.x86_64 1/3 Verifying : openssh-7.4p1-16.el7.x86_64 2/3 Verifying : openssh-server-7.4p1-16.el7.x86_64 3/3Removed: openssh.x86_64 0:7.4p1-16.el7 Dependency Removed: openssh-clients.x86_64 0:7.4p1-16.el7 openssh-server.x86_64 0:7.4p1-16.el7 Complete![root@localhost openssh-9.0p1]# [root@localhost openssh-9.0p1]# ps aux | grep ssh root 3347 0.0 0.5 158752 5620 ? Ss 05:08 0:00 sshd: root@pts/0root 31409 0.0 0.0 112708 976 pts/0 R+ 05:38 0:00 grep --color=auto ssh[root@localhost openssh-9.0p1]# netstat -tunlpActive Internet connections (only servers)Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1/systemd tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 3439/master tcp6 0 0 :::111 :::* LISTEN 1/systemd tcp6 0 0 :::23 :::* LISTEN 1/systemd tcp6 0 0 ::1:25 :::* LISTEN 3439/master udp 0 0 0.0.0.0:111 0.0.0.0:* 1/systemd udp 0 0 127.0.0.1:323 0.0.0.0:* 2701/chronyd udp6 0 0 :::111 :::* 1/systemd udp6 0 0 ::1:323 :::* 2701/chronyd [root@localhost openssh-9.0p1]# |
此时已经没有22端口在监听状态,但是远程此时还没断开,配置新的ssh 并设置自启动
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 | [root@localhost openssh-9.0p1]# [root@localhost openssh-9.0p1]# ssh -bash: /usr/bin/ssh: No such file or directory[root@localhost openssh-9.0p1]# sftp-bash: sftp: command not found[root@localhost openssh-9.0p1]# ssh -^C[root@localhost openssh-9.0p1]# [root@localhost openssh-9.0p1]# [root@localhost openssh-9.0p1]# ssh -V -bash: /usr/bin/ssh: No such file or directory[root@localhost openssh-9.0p1]# sftp-bash: sftp: command not found[root@localhost openssh-9.0p1]# cp /usr/local/openssopenssh/ openssl/ [root@localhost openssh-9.0p1]# cp /usr/local/openssh/bin/ etc/ libexec/ sbin/ share/ [root@localhost openssh-9.0p1]# cp /usr/local/openssh/bin/sshssh ssh-add ssh-agent ssh-keygen ssh-keyscan [root@localhost openssh-9.0p1]# cp /usr/local/openssh/bin/sshssh ssh-add ssh-agent ssh-keygen ssh-keyscan [root@localhost openssh-9.0p1]# cp /usr/local/openssh/bin/ssh* /usr/bin/[root@localhost openssh-9.0p1]# cp contrib/redhat/sshd.init /etc/init.d/sshd [root@localhost openssh-9.0p1]# cp /usr/local/openssh/sbin/sshd /usr/sbin/sshd[root@localhost openssh-9.0p1]# [root@localhost openssh-9.0p1]# systemctl start sshd Failed to start sshd.service: Unit not found.[root@localhost openssh-9.0p1]# systemctl start sshd.serviceFailed to start sshd.service: Unit not found.[root@localhost openssh-9.0p1]# chkconfig --add sshd[root@localhost openssh-9.0p1]# systemctl start sshd.service[root@localhost openssh-9.0p1]# systemctl start sshd[root@localhost openssh-9.0p1]# systemctl status sshd ● sshd.service - SYSV: OpenSSH server daemon Loaded: loaded (/etc/rc.d/init.d/sshd; bad; vendor preset: enabled) Active: active (running) since Thu 2022-07-07 05:49:57 EDT; 15s ago Docs: man:systemd-sysv-generator(8) Process: 32048 ExecStart=/etc/rc.d/init.d/sshd start (code=exited, status=0/SUCCESS) Main PID: 32056 (sshd) Tasks: 1 CGroup: /system.slice/sshd.service └─32056 sshd: /usr/sbin/sshd [listener] 0 of 10-100 startupsJul 07 05:49:57 localhost.localdomain systemd[1]: Starting SYSV: OpenSSH server daemon...Jul 07 05:49:57 localhost.localdomain sshd[32048]: /sbin/restorecon: lstat(/etc/ssh/ssh_host_dsa_key.pub) failed: No such file or directoryJul 07 05:49:57 localhost.localdomain sshd[32048]: Starting sshd:[ OK ]Jul 07 05:49:57 localhost.localdomain systemd[1]: PID file /var/run/sshd.pid not readable (yet?) after start.Jul 07 05:49:57 localhost.localdomain sshd[32056]: Server listening on 0.0.0.0 port 22.Jul 07 05:49:57 localhost.localdomain sshd[32056]: Server listening on :: port 22.Jul 07 05:49:57 localhost.localdomain systemd[1]: Started SYSV: OpenSSH server daemon.[root@localhost openssh-9.0p1]# [root@localhost openssh-9.0p1]# netstat -tunlp Active Internet connections (only servers)Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1/systemd tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 32056/sshd: /usr/sbtcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 3439/master tcp6 0 0 :::111 :::* LISTEN 1/systemd tcp6 0 0 :::22 :::* LISTEN 32056/sshd: /usr/sbtcp6 0 0 :::23 :::* LISTEN 1/systemd tcp6 0 0 ::1:25 :::* LISTEN 3439/master udp 0 0 0.0.0.0:111 0.0.0.0:* 1/systemd udp 0 0 127.0.0.1:323 0.0.0.0:* 2701/chronyd udp6 0 0 :::111 :::* 1/systemd udp6 0 0 ::1:323 :::* 2701/chronyd [root@localhost openssh-9.0p1]# |
客户端验证升级后的版本
cmd中使用ssh 命令连接验证
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 | C:\Users\wenxi>ssh root@192.168.10.112@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!Someone could be eavesdropping on you right now (man-in-the-middle attack)!It is also possible that a host key has just been changed.The fingerprint for the ED25519 key sent by the remote host isSHA256:7TZnXWtjXRFK1AyCoa6hIO/7Gma9zcxYN/mnoywKww0.Please contact your system administrator.Add correct host key in C:\\Users\\wenxi/.ssh/known_hosts to get rid of this message.Offending ECDSA key in C:\\Users\\wenxi/.ssh/known_hosts:5Host key for 192.168.10.112 has changed and you have requested strict checking.Host key verification failed.C:\Users\wenxi>echo "" > .ssh\known_hostsC:\Users\wenxi>ssh root@192.168.10.112The authenticity of host '192.168.10.112 (192.168.10.112)' can't be established.ED25519 key fingerprint is SHA256:7TZnXWtjXRFK1AyCoa6hIO/7Gma9zcxYN/mnoywKww0.This key is not known by any other namesAre you sure you want to continue connecting (yes/no/[fingerprint])? yesWarning: Permanently added '192.168.10.112' (ED25519) to the list of known hosts.root@192.168.10.112's password:Permission denied, please try again.root@192.168.10.112's password:C:\Users\wenxi> |
限制了root远程登陆,修改sshd_config ,重启sshd服务。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 | [root@localhost openssh-9.0p1]# vi /usr/local/openssh/etc/sshd_config [root@localhost openssh-9.0p1]# grep root /usr/local/openssh/etc/sshd_config #ChrootDirectory none[root@localhost openssh-9.0p1]# grep -i Root /usr/local/openssh/etc/sshd_config PermitRootLogin yes# the setting of "PermitRootLogin without-password".#ChrootDirectory none[root@localhost openssh-9.0p1]# [root@localhost openssh-9.0p1]# systemctl restart sshd [root@localhost openssh-9.0p1]# systemctl status sshd ● sshd.service - SYSV: OpenSSH server daemon Loaded: loaded (/etc/rc.d/init.d/sshd; bad; vendor preset: enabled) Active: active (running) since Thu 2022-07-07 06:13:51 EDT; 4s ago Docs: man:systemd-sysv-generator(8) Process: 899 ExecStop=/etc/rc.d/init.d/sshd stop (code=exited, status=0/SUCCESS) Process: 905 ExecStart=/etc/rc.d/init.d/sshd start (code=exited, status=0/SUCCESS) Main PID: 913 (sshd) Tasks: 1 CGroup: /system.slice/sshd.service └─913 sshd: /usr/sbin/sshd [listener] 0 of 10-100 startupsJul 07 06:13:51 localhost.localdomain systemd[1]: Stopped SYSV: OpenSSH server daemon.Jul 07 06:13:51 localhost.localdomain systemd[1]: Starting SYSV: OpenSSH server daemon...Jul 07 06:13:51 localhost.localdomain sshd[905]: /sbin/restorecon: lstat(/etc/ssh/ssh_host_dsa_key.pub) failed: No such file or directoryJul 07 06:13:51 localhost.localdomain sshd[905]: Starting sshd:[ OK ]Jul 07 06:13:51 localhost.localdomain systemd[1]: PID file /var/run/sshd.pid not readable (yet?) after start.Jul 07 06:13:51 localhost.localdomain sshd[913]: Server listening on 0.0.0.0 port 22.Jul 07 06:13:51 localhost.localdomain sshd[913]: Server listening on :: port 22.Jul 07 06:13:51 localhost.localdomain systemd[1]: Started SYSV: OpenSSH server daemon.[root@localhost openssh-9.0p1]# |
再次登录,则root登陆成功,删除telnnet 或者禁用
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 | [root@localhost openssh-9.0p1]# systemctl stop xinetd[root@localhost openssh-9.0p1]# systemctl stop telnet.socket[root@localhost openssh-9.0p1]# systemctl stop telnetFailed to stop telnet.service: Unit telnet.service not loaded.[root@localhost openssh-9.0p1]# userdel -r admin[root@localhost openssh-9.0p1]# cd[root@localhost ~]# netstat -tunlpActive Internet connections (only servers)Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1/systemd tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 913/sshd: /usr/sbintcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 3439/master tcp6 0 0 :::111 :::* LISTEN 1/systemd tcp6 0 0 :::22 :::* LISTEN 913/sshd: /usr/sbintcp6 0 0 ::1:25 :::* LISTEN 3439/master udp 0 0 0.0.0.0:111 0.0.0.0:* 1/systemd udp 0 0 127.0.0.1:323 0.0.0.0:* 2701/chronyd udp6 0 0 :::111 :::* 1/systemd udp6 0 0 ::1:323 :::* 2701/chronyd [root@localhost ~]# |
至此升级完毕。
【推荐】国内首个AI IDE,深度理解中文开发场景,立即下载体验Trae
【推荐】编程新体验,更懂你的AI,立即体验豆包MarsCode编程助手
【推荐】抖音旗下AI助手豆包,你的智能百科全书,全免费不限次数
【推荐】轻量又高性能的 SSH 工具 IShell:AI 加持,快人一步
· 分享4款.NET开源、免费、实用的商城系统
· 全程不用写代码,我用AI程序员写了一个飞机大战
· MongoDB 8.0这个新功能碉堡了,比商业数据库还牛
· 白话解读 Dapr 1.15:你的「微服务管家」又秀新绝活了
· 记一次.NET内存居高不下排查解决与启示