CentOS7.5升级OpenSSH

实验环境

  • OS:CentOS 7.5
  • 当前openssh版本:OpenSSH_7.4p1
  • 升级后的openssh版本:OpenSSH_8.0p1

开通telnet

为了防止升级过程中ssh断连,保险起见,先安装telnet并启动。

安装telnet-servertelnet服务

yum install -y telnet-server* telnet

安装xinetd服务

yum install -y xinetd

启动xinetdtelnet并做开机自启动

systemctl enable xinetd.service
systemctl enable telnet.socket
systemctl start telnet.socket
systemctl start xinetd.service

修改/etc/securetty文件

默认情况下,系统是不允许root用户telnet远程登录的。如果要使用root用户直接登录,需向/etc/securetty中追加pts/0等内容,执行命令如下:

echo 'pts/0' >>/etc/securetty
echo 'pts/1' >>/etc/securetty
echo 'pts/2' >>/etc/securetty

测试telnet能否登录

测试能否通过telnet正常登陆到主机,检查开机自启是否生效(!!!生产环境中不能随意重启主机!!!)。

升级OpenSSH

因为设备一般都是不能通过外网下载文件,并且yum下载的openssh版本都较落后,所以需要通过下载包来编译安装。

备份原先的ssh

cp -r /etc/ssh /etc/ssh.bak`date +%Y%m%d`

准备安装包

OpenSSH_8.0下载地址:https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.0p1.tar.gz

下载相关依赖包

yum install -y gcc zlib zlib-devel openssl-devel

解压安装

  • 将安装包上传到/usr/local/src
  • 解压
cd /usr/local/src
tar -zxvf openssh-8.0p1.tar.gz
  • 编译安装
cd openssh-8.0p1/
# 需要指定openssh的安装路径
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-zlib --without-openssl-header-check --with-ssl-dir=/usr/local/ssl --with-privsep-path=/var/lib/sshd
make
  • 卸载旧版本
    make完成后先不着急执行make install,先卸载旧版的openssh;注意:卸载后ssh不能登录,最好不要退出当前终端,否则只能通过telnet登录做配置了。
rpm -e --nodeps `rpm -qa | grep openssh`
  • 执行make install
make install
  • 报错或告警解决
    • 编译安装报依赖包错误
      如果在编译安装的过程中发现有关于依赖包的报错,就通过yum安装相关依赖包
    • 告警信息
[root@kvm /usr/local/src/openssh-8.0p1]# systemctl status sshd.service
● sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: activating (auto-restart) (Result: exit-code) since Tue 2019-05-21 00:05:31 CST; 6s ago
     Docs: man:sshd(8)
           man:sshd_config(5)
  Process: 12325 ExecStart=/usr/sbin/sshd -D $OPTIONS (code=exited, status=1/FAILURE)
 Main PID: 12325 (code=exited, status=1/FAILURE)

May 21 00:05:31 kvm systemd[1]: sshd.service: main process exited, code=exited, status=1/FAILURE
May 21 00:05:31 kvm systemd[1]: Failed to start OpenSSH server daemon.
May 21 00:05:31 kvm systemd[1]: Unit sshd.service entered failed state.
May 21 00:05:31 kvm systemd[1]: sshd.service failed.

[root@kvm /usr/local/src/openssh-8.0p1]# systemctl status sshd.service
● sshd.service - SYSV: OpenSSH server daemon
   Loaded: loaded (/etc/rc.d/init.d/sshd; bad; vendor preset: enabled)
   Active: failed (Result: exit-code) since Tue 2019-05-21 00:21:06 CST; 9s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 22813 ExecStart=/etc/rc.d/init.d/sshd start (code=exited, status=1/FAILURE)
 Main PID: 22560 (code=exited, status=1/FAILURE)

May 21 00:21:06 kvm sshd[22813]: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
May 21 00:21:06 kvm sshd[22813]: Permissions 0640 for '/etc/ssh/ssh_host_ed25519_key' are too open.
May 21 00:21:06 kvm sshd[22813]: It is required that your private key files are NOT accessible by others.
May 21 00:21:06 kvm sshd[22813]: This private key will be ignored.
May 21 00:21:06 kvm sshd[22813]: sshd: no hostkeys available -- exiting.
May 21 00:21:06 kvm systemd[1]: sshd.service: control process exited, code=exited status=1
May 21 00:21:06 kvm sshd[22813]: [FAILED]
May 21 00:21:06 kvm systemd[1]: Failed to start SYSV: OpenSSH server daemon.
May 21 00:21:06 kvm systemd[1]: Unit sshd.service entered failed state.
May 21 00:21:06 kvm systemd[1]: sshd.service failed.
[root@kvm /usr/local/src/openssh-8.0p1]# sshd -t
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_rsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_ecdsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_ed25519_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
sshd: no hostkeys available -- exiting.
[root@kvm /usr/local/src/openssh-8.0p1]#
  • 解决办法
    在执行完make install命令后可能就会有关于key文件的警告信息,这个时候需要将涉及到的key文件的权限改成600,如果没修改,则重启sshd服务时将报错。
chmod 600 /etc/ssh/ssh_host_rsa_key
chmod 600 /etc/ssh/ssh_host_ecdsa_key
chmod 600 /etc/ssh/ssh_host_ed25519_key
  • 配置sshd服务
# 复制启动文件到/etc/init.d/下并命名为sshd
cp -p /usr/local/src/openssh-8.0p1/contrib/redhat/sshd.init /etc/init.d/sshd
# 添加执行权限
chmod +x /etc/init.d/sshd
# 添加到开启自启服务中
systemctl enable sshd
/sbin/chkconfig sshd on
# 允许root远程登录
sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/g' /etc/ssh/sshd_config
# 配置selinux服务
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config 
sed -i 's/SELINUX=permissive/SELINUX=disabled/g' /etc/selinux/config 
setenforce 0
# 重启sshd服务
systemctl restart sshd
  • 查看当前ssh版本
[root@kvm ~]# ssh -V
OpenSSH_8.0p1, OpenSSL 1.0.2k-fips  26 Jan 2017
[root@kvm ~]# 

收尾工作

重启主机测试ssh是否可用

关闭并disable telnet服务

systemctl disable xinetd
systemctl disable telnet.socket
systemctl stop xinetd.service
systemctl stop telnet.socket 
posted @ 2019-05-21 00:42  长翅膀的蜗牛  阅读(9816)  评论(2编辑  收藏  举报