Upgrading OpenSSH (built against OpenSSL)
OpenSSH is the premier connectivity tool for remote login with the SSH protocol. It encrypts all traffic to eliminate eavesdropping, connection hijacking, and other attacks. In addition, OpenSSH provides a large suite of secure tunneling capabilities, several authentication methods, and sophisticated configuration options.
The OpenSSH suite consists of the following tools:
- Remote operations are done using ssh, scp, and sftp.
- Key management with ssh-add, ssh-keysign, ssh-keyscan, and ssh-keygen.
- The service side consists of sshd, sftp-server, and ssh-agent.
01. Download
http://www.openssh.com/ ###official site
openssh-7.4p1.tar.gz: click to download
openssh-7.4p1.tar.gz: http://pan.baidu.com/s/1c1RUbeS
02. Preparation before installing OpenSSH
yum install -y zlib-devel gcc gcc-c++ openssl-devel #openssl has vulnerabilities too; upgrading openssl as well is recommended
03. Uninstall the old version of openssh
[root@lab-120 tmp]# rpm -qa |grep openssh
openssh-5.3p1-94.el6.x86_64
openssh-askpass-5.3p1-94.el6.x86_64
openssh-clients-5.3p1-94.el6.x86_64
openssh-server-5.3p1-94.el6.x86_64
Remove openssh
[root@lab-120 tmp]# rpm -e openssh-5.3p1-94.el6 openssh-askpass-5.3p1-94.el6 openssh-clients-5.3p1-94.el6 openssh-server-5.3p1-94.el6 --nodeps
warning: /etc/ssh/sshd_config saved as /etc/ssh/sshd_config.rpmsave
Delete the leftover files
rm -rf /etc/ssh/* #assumes there are no significant configuration changes; if there are, back them up first
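The rm above also deletes the server's host keys, so after the rebuild every client that already knows this server gets a changed-host-key warning. The following is an added example, not from the original post: it takes a verified copy of /etc/ssh before that step and restores the host keys after make install, before sshd is started. The function names and the /root/ssh-backup path are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): keep a verified copy of the SSH
# configuration directory before wiping it, then put the host keys back after
# the rebuild. Function names and the backup location are assumptions.

# backup_ssh_dir SRC DEST: copy SRC into a new directory DEST and verify it.
backup_ssh_dir() {
    src=$1; dest=$2
    if [ ! -d "$src" ]; then echo "missing directory: $src" >&2; return 1; fi
    if [ -e "$dest" ]; then echo "refusing to overwrite: $dest" >&2; return 1; fi
    mkdir -p "$dest" || return 1
    cp -a "$src"/. "$dest"/ || return 1    # -a keeps modes, owners, timestamps
    chmod 700 "$dest" || return 1          # the copy holds private host keys
    diff -r "$src" "$dest" >/dev/null      # non-zero status if the copy differs
}

# restore_host_keys BACKUP TARGET: copy ssh_host_*_key pairs back into TARGET,
# force safe modes, and print how many private keys were restored.
# The pattern does not match the old-format ssh_host_key file.
restore_host_keys() {
    backup=$1; target=$2; restored=0
    for key in "$backup"/ssh_host_*_key; do
        [ -f "$key" ] || continue          # glob matched nothing
        name=$(basename "$key")
        cp -p "$key" "$target/$name" || return 1
        chmod 600 "$target/$name" || return 1
        if [ -f "$key.pub" ]; then
            cp -p "$key.pub" "$target/$name.pub" || return 1
            chmod 644 "$target/$name.pub" || return 1
        fi
        restored=$((restored + 1))
    done
    echo "$restored"
    [ "$restored" -gt 0 ]                  # fail loudly if no key came back
}

# Typical use around the steps on this page (backup path is hypothetical):
#   backup_ssh_dir /etc/ssh /root/ssh-backup      # before: rm -rf /etc/ssh/*
#   restore_host_keys /root/ssh-backup /etc/ssh   # after: make install
```

The saved sshd_config stays in the backup directory for comparison against the new default file; only the key pairs are copied back.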
04. Compile and install
tar zxvf openssh-7.4p1.tar.gz
cd openssh-7.4p1
./configure --prefix=/usr --sysconfdir=/etc/ssh
make && make install
05. Edit the configuration and the init script
vim /etc/ssh/sshd_config
PermitRootLogin yes #enable remote root login authentication; it is not allowed by default
Edit the sshd init script
openssh-7.4p1/contrib/redhat/sshd.init #pick the script that matches your distribution
/etc/init.d/sshd
#!/bin/bash
#
# Init file for OpenSSH server daemon
#
# chkconfig: 2345 55 25
# description: OpenSSH server daemon
#
# processname: sshd
# config: /etc/ssh/ssh_host_key
# config: /etc/ssh/ssh_host_key.pub
# config: /etc/ssh/ssh_random_seed
# config: /etc/ssh/sshd_config
# pidfile: /var/run/sshd.pid
# source function library
. /etc/rc.d/init.d/functions
# pull in sysconfig settings
[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd
RETVAL=0
prog="sshd"
# Some functions to make the below more readable
SSHD=/usr/sbin/sshd #check that this path is correct
PID_FILE=/var/run/sshd.pid
do_restart_sanity_check()
{
    $SSHD -t
    RETVAL=$?
    if [ $RETVAL -ne 0 ]; then
        failure $"Configuration file or keys are invalid"
        echo
    fi
}
start()
{
    # Create keys if necessary
    /usr/bin/ssh-keygen -A #adjust to your environment
    if [ -x /sbin/restorecon ]; then
        /sbin/restorecon /etc/ssh/ssh_host_key.pub #adjust to your environment
        /sbin/restorecon /etc/ssh/ssh_host_rsa_key.pub
        /sbin/restorecon /etc/ssh/ssh_host_dsa_key.pub
        /sbin/restorecon /etc/ssh/ssh_host_ecdsa_key.pub
    fi
    echo -n $"Starting $prog:"
    $SSHD $OPTIONS && success || failure
    RETVAL=$?
    [ $RETVAL -eq 0 ] && touch /var/lock/subsys/sshd
    echo
}
stop()
{
    echo -n $"Stopping $prog:"
    killproc $SSHD -TERM
    RETVAL=$?
    [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/sshd
    echo
}
reload()
{
    echo -n $"Reloading $prog:"
    killproc $SSHD -HUP
    RETVAL=$?
    echo
}
case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        stop
        start
        ;;
    reload)
        reload
        ;;
    condrestart)
        if [ -f /var/lock/subsys/sshd ] ; then
            do_restart_sanity_check
            if [ $RETVAL -eq 0 ] ; then
                stop
                # avoid race
                sleep 3
                start
            fi
        fi
        ;;
    status)
        status $SSHD
        RETVAL=$?
        ;;
    *)
        echo $"Usage: $0 {start|stop|restart|reload|condrestart|status}"
        RETVAL=1
esac
exit $RETVAL
chmod +x /etc/init.d/sshd
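Restart the sshd service
service sshd restart #note: the SSH terminals that are currently connected may drop; just reconnect and it is fine
chkconfig sshd on #add it to the services started at boot
06. Troubleshooting errors
Fixes for error messages during installation: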
configure: error: in `/usr/src/openssh-7.4p1':
configure: error: no acceptable C compiler found in $PATH
Install the gcc compiler: yum install -y gcc
configure: error: *** zlib.h missing - please install first or check config.log ***
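Install the relevant dependency packages: yum -y install zlib-devel openssl openssl-devel #this is essentially compiling openssh without upgrading openssl
Check the OpenSSH version number: ssh -V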
OpenSSH_7.4p1, OpenSSL 1.0.1e-fips 11 Feb 2013
Differences in impact between OpenSSH versions: https://sanwen8.cn/p/1f38HVm.html
Commands for the OpenSSH version: http://www.cnblogs.com/xiaochina/p/6280368.html