1. Upgrading OpenSSH_7.4p1 to OpenSSH_8.0p1 on CentOS 7.6

1) Check the current version and ciphers

ssh -V

OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017

sshd -T | grep ciphers

ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc

2) Set up a telnet service so the host stays reachable if the ssh upgrade fails

yum install xinetd telnet-server -y

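Configure the terminals allowed for telnet login (root logins are only accepted on terminals listed in /etc/securetty): append some pts terminals to the end of /etc/securetty, as follows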

pts/0

pts/1

pts/2

pts/3

3) Start the services

systemctl start xinetd

systemctl start telnet.socket

4) Test the telnet connection

5) Install the build dependencies

yum install  -y gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel pam* zlib*

6) Download the source packages

openssl

https://ftp.openssl.org/source/

openssh

https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/

mkdir /data/tools

cd /data/tools/

wget https://ftp.openssl.org/source/old/1.0.2/openssl-1.0.2r.tar.gz

wget https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/openssh-8.0p1.tar.gz

7) Upgrade OpenSSL

Back up the following two files or directories (run each command only if the path exists)

mv /usr/bin/openssl /usr/bin/openssl_bak

mv /usr/include/openssl /usr/include/openssl_bak

tar xf openssl-1.0.2r.tar.gz

cd openssl-1.0.2r

./config shared && make && make install

ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl

ln -s /usr/local/ssl/include/openssl /usr/include/openssl

echo "/usr/local/ssl/lib" >> /etc/ld.so.conf

/sbin/ldconfig

openssl version

8) Upgrade OpenSSH

mkdir /tmp/ssh

mv /etc/ssh/* /tmp/ssh/

tar xf openssh-8.0p1.tar.gz

cd openssh-8.0p1

./configure --prefix=/usr/ --sysconfdir=/etc/ssh --with-openssl-includes=/usr/local/ssl/include \
 --with-ssl-dir=/usr/local/ssl --with-zlib --with-md5-passwords --with-pam && make && make install

Edit the configuration file so that it ends up with the following settings; leave everything else unchanged

[root@linux-node3 ~]# grep "^PermitRootLogin"  /etc/ssh/sshd_config

PermitRootLogin yes

[root@linux-node3 ~]# grep  "UseDNS"  /etc/ssh/sshd_config

UseDNS no

cp -a contrib/redhat/sshd.init /etc/init.d/sshd

cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd.pam

chmod +x /etc/init.d/sshd

chkconfig --add sshd

systemctl enable sshd

chkconfig sshd on

mv /usr/lib/systemd/system/sshd.service /tmp/

/etc/init.d/sshd restart

9) Shut down telnet

systemctl stop xinetd.service

systemctl stop telnet.socket

10) Check the ciphers

sshd -T | grep ciphers

ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
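
The before/after comparison from steps 1 and 10, as an added example that is not part of the original post. The two ciphers lines are copied from the output above; the function names and the pattern for what counts as a legacy cipher are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post): diff two `sshd -T | grep ciphers` lines.

# Copied from the page: step 1 (OpenSSH 7.4p1) and step 10 (OpenSSH 8.0p1) output.
BEFORE='ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc'
AFTER='ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com'

# Split a "ciphers a,b,c" line into one cipher name per line.
cipher_list() {
    printf '%s\n' "$1" | sed 's/^ciphers[[:space:]]*//' | tr ',' '\n' | sed '/^$/d'
}

# Join stdin lines with commas (prints an empty line for empty input).
join_commas() {
    awk '{ out = out sep $0; sep = "," } END { print out }'
}

# Ciphers still offered that are CBC-mode or built on legacy primitives.
# The pattern is this example's assumption of what "legacy" means.
legacy_ciphers() {
    cipher_list "$1" | awk '/-cbc$|^3des|^blowfish|^cast128|^arcfour/' | join_commas
}

# Ciphers present in the first line but absent from the second.
removed_ciphers() {
    cipher_list "$1" | while read -r c; do
        cipher_list "$2" | grep -qxF -- "$c" || printf '%s\n' "$c"
    done | join_commas
}

# Exit status 0 only when no legacy cipher remains in the given line.
ciphers_clean() {
    [ -z "$(legacy_ciphers "$1")" ]
}

echo "legacy before: $(legacy_ciphers "$BEFORE")"
echo "legacy after:  $(legacy_ciphers "$AFTER")"
echo "removed:       $(removed_ciphers "$BEFORE" "$AFTER")"
if ciphers_clean "$AFTER"; then echo "OK: no legacy ciphers offered"; fi
```

On a live host, feed the real output in place of the samples, for example ciphers_clean "$(sshd -T | grep '^ciphers')".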
