2023年6月15日
升级OpenSSL OpenSSH
#查看openssh版本命令 ssh -V
#查看openssl版本命令 openssl version
当前版本
[root@node01 ~]# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
[root@node01 ~]# openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017
[root@node01 ~]# cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)
升级:
1.开启 telnet 服务,临时关闭防火墙
#安装telnet
yum install xinetd telnet-server telnet -y
#备份文件securetty
cp securetty securetty.bak
#配置telnet登录的终端类型,增加一些pts终端
pts=$'pts/0\npts/1\npts/2\npts/3' && echo "$pts" >> /etc/securetty
#开启服务
systemctl start telnet.socket
systemctl start xinetd.service
#关闭防火墙(或者开启23端口)
systemctl stop firewalld.service
systemctl disable firewalld.service
2.环境准备
yum install -y wget tar
#软件包准备
cd /opt
wget --no-check-certificate https://www.zlib.net/zlib-1.2.13.tar.gz
wget --no-check-certificate https://www.openssl.org/source/openssl-1.1.1u.tar.gz
wget --no-check-certificate https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.3p1.tar.gz
#解压软件包
tar -zxvf zlib-1.2.13.tar.gz
tar -zxvf openssl-1.1.1u.tar.gz
tar -zxvf openssh-9.3p1.tar.gz
#备份
mv /etc/ssh /etc/ssh.bak
cp /etc/pam.d/sshd /etc/pam.d/sshd.bak
cp /etc/init.d/sshd /etc/init.d/sshd.bak #开机启动脚本
cp /usr/bin/openssl /usr/bin/openssl.bak
##卸载原有的openssh
rpm -e --nodeps `rpm -qa | grep openssh`
###安装相关依赖包
yum install -y vim gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel pam-devel zlib-devel tcp_wrappers-devel tcp_wrappers
SSH安装
1.Zlib安装
#进入zlib解压目录
cd /opt/zlib-1.2.13
#编译安装
./configure --prefix=/usr/local/zlib
make && make test && make install
#
ldconfig -v
/sbin/ldconfig
2.OpenSSL安装
#进入openssl解压目录
cd /opt/openssl-1.1.1u
#编译安装
./config shared zlib --prefix=/usr/local/ssl
make clean && make && make install
#更新函数库
echo "/usr/lcoal/ssl/lib" >> /etc/ld.so.conf
ldconfig
mv /usr/bin/openssl /usr/bin/oldopenssl
ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
ln -s /usr/local/ssl/lib/libssl.so.1.1 /usr/lib64/libssl.so.1.1
ln -s /usr/local/ssl/lib/libcrypto.so.1.1 /usr/lib64/libcrypto.so.1.1
#检查是否升级成功
openssl version -a
3.OpenSSH安装
#进入openssh解压目录
cd /opt/openssh-9.3p1
#编译安装
./configure --prefix=/usr/local/ssh --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/ssl --with-zlib=/usr/local/zlib --with-pam
make && make install
#查看目录版本
/usr/local/ssh/bin/ssh -V
#复制新ssh文件
cp -rf /opt/openssh-9.3p1/contrib/redhat/sshd.init /etc/init.d/sshd
cp -rf /opt/openssh-9.3p1/contrib/redhat/sshd.pam /etc/pam.d/sshd #测试后使用原有pam.d/sshd配置文件可以正常使用,新安装包下的sshd.pam使用后root和普通用户都无法登陆
cp -rf /opt/openssh-9.3p1/sshd_config /etc/ssh/sshd_config
cp -rf /usr/local/ssh/sbin/sshd /usr/sbin/sshd
cp -rf /usr/local/ssh/bin/ssh /usr/bin/ssh
cp -rf /usr/local/ssh/bin/ssh-keygen /usr/bin/ssh-keygen
#开启sshd
chmod u+x /etc/init.d/sshd
chkconfig --add sshd ##自启动
chkconfig --list |grep sshd
chkconfig sshd on
#允许root登录
echo 'PermitRootLogin yes' >> /etc/ssh/sshd_config
#重启sshd服务
/etc/init.d/sshd restart
/etc/init.d/sshd status
#查看升级后ssh版本
ssh -V
关闭telnet服务
#关闭telnet服务
systemctl stop xinetd.service
systemctl stop telnet.socket
#卸载telnet服务
yum remove xinetd telnet-server telnet -y
#开启防火墙
systemctl start firewalld.service
systemctl enable firewalld.service
