RHEL 7: upgrading OpenSSH to 8.5p1, step by step

This article describes how to upgrade OpenSSH to 8.5p1 on Red Hat Enterprise Linux 7, including the OpenSSL upgrade it depends on.

Mount the yum repository

Edit the repo configuration file

#vim /etc/yum.repos.d/my.repo

Add the following:

[my-yum]
name=Red Hat Enterprise Linux 7.3
baseurl=file:///run/media/root/RHEL-7.3\ Server.x86_64/
enabled=1 
gpgcheck=1
gpgkey=file:///run/media/root/RHEL-7.3\ Server.x86_64/RPM-GPG-KEY-redhat-beta,file:///run/media/root/RHEL-7.3\ Server.x86_64/RPM-GPG-KEY-redhat-release

Save the file, then test the repository

#yum clean all
#yum makecache

Install telnet

Because SSH is the remote access service itself, unless you are at a console in the machine room or have out-of-band management you must first install a temporary alternative remote login tool, so that the server does not become unreachable if sshd stops working. Telnet sends credentials and the whole session in cleartext, so restrict it to a trusted management network and remove it (together with the securetty entries added below) as soon as the new sshd has been verified.

#yum search telnet

Install both telnet packages (server and client):

telnet.x86_64 : The client program for the Telnet remote login protocol
telnet-server.x86_64 : The server program for the Telnet remote login protocol

#yum install telnet-server.x86_64
#yum install telnet.x86_64

Log in over telnet

Confirm that the telnet service works, including starting at boot, so there is a fallback if anything goes wrong.

Start the telnet service

# systemctl enable telnet.socket
# systemctl start telnet.socket
# systemctl status telnet.socket

Add pts-type terminals to /etc/securetty

Note: /etc/securetty lists the TTY devices from which the root user may log in; the login program (normally /bin/login) reads it.

Its format: every tty device listed is permitted; any device that is commented out or absent from the file is not allowed for root login.

Comment out (put a # at the start of the line) every tty device on which you do not want root to log in.

tty is a broad term, short for Teletype.

If you mean /dev/tty, that refers to the current terminal.

pts is the pseudo-tty slave, the slave end of a pseudo-terminal. console refers to the current system console (the monitor): after Ctrl+Alt+Fx, echo "123" > /dev/console always shows 123 on the monitor.

vc is a virtual console, which you can think of as a virtual monitor; Ctrl+Alt+Fx switches to vc x. There is no device file directly corresponding to it under /dev, but if you try echo "123" > /dev/vcs1 you will also see it on the monitor once you switch to the matching vc.

vt is a virtual terminal; in my view it is the same thing as a virtual console.

Enable root login over telnet

Telnet sessions run on pseudo-terminals (pts devices), and the default /etc/securetty on RHEL 7 does not list any pts entries, so root is refused on them.

To allow root to log in over telnet, add active (not commented out) lines for pts/0 through pts/3 to /etc/securetty. A pts entry that is commented out or missing blocks root login on that pseudo-terminal.

If root login fails with the following error after the telnet service is started, adjust /etc/securetty as described above:

# telnet 192.168.56.123
Trying 192.168.56.123...
Connected to 192.168.56.123.
Escape character is '^]'.

Kernel 3.10.0-514.el7.x86_64 on an x86_64
localhost login: root
Password: 
Login incorrect

After the adjustment:

# telnet 192.168.56.123
localhost login: root
Password: 
(login succeeds)
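The securetty change above is temporary access for root over a cleartext protocol, so it should be applied idempotently and revoked once the new sshd is confirmed working. The following helper is an added example, not code from the original page; it takes the file path as an argument so it can be tried on a copy before touching /etc/securetty, and the default of four pts entries mirrors the pts/0 to pts/3 range used above.

```shell
#!/bin/sh
# Added example (not from the original page): manage root telnet access in
# /etc/securetty for the duration of the upgrade. The file path is a parameter
# so the functions can be exercised on a scratch copy first.

# allow_root_pts FILE [COUNT]: append pts/0 .. pts/COUNT-1 unless already present
allow_root_pts() {
    file=$1
    count=${2:-4}
    i=0
    while [ "$i" -lt "$count" ]; do
        # -x matches the whole line, so a commented-out "#pts/0" does not count
        if ! grep -qx "pts/$i" "$file"; then
            printf 'pts/%s\n' "$i" >> "$file"
        fi
        i=$((i + 1))
    done
}

# revoke_root_pts FILE: remove every active pts/N entry again (run after the
# new sshd has been verified and before telnet-server is removed)
revoke_root_pts() {
    file=$1
    tmp=$(mktemp)
    grep -v '^pts/[0-9][0-9]*$' "$file" > "$tmp" || true
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# count_pts FILE: number of active pts/N entries, for checking the result
count_pts() {
    grep -c '^pts/[0-9][0-9]*$' "$1" || true
}

# Usage on the real file (as root):
#   allow_root_pts /etc/securetty      # before the upgrade
#   revoke_root_pts /etc/securetty     # after sshd 8.5p1 is confirmed working
```

Running allow_root_pts twice leaves the file unchanged, and revoke_root_pts removes only the pts lines, so the console and tty entries RHEL ships stay intact.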

Check the OpenSSH and OpenSSL versions

# ssh -V
OpenSSH_6.6.1p1, OpenSSL 1.0.1e-fips 11 Feb 2013

# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013

Back up and remove the old files

Keep these copies until the new sshd has been verified with a fresh login; they are what you restore over the telnet session if it fails to start.

# mkdir -p /root/update
# cd /root/update
# cp -rp /etc/ssh/sshd_config sshd_config
# cp -rp /etc/pam.d/sshd sshd
# cp -rp /etc/ssl/ ./
# cp -rp /usr/bin/openssl openssl
# cp -rp /etc/ssh /root/update
# mv /usr/bin/openssl /usr/bin/openssl_bak

# yum remove openssl-devel
# rm -rf /etc/ssl
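The backup step above copies files one by one with no record of what was taken. As an added example (not part of the original page), the helper below snapshots a list of paths into a dated directory and writes a SHA-256 manifest, so that after a failed upgrade you can confirm over the telnet fallback that the copies you are about to restore are intact. The destination and path list are parameters; the real call would be something like backup_paths /root/update/backup-$(date +%F) /etc/ssh /etc/pam.d/sshd /etc/ssl /usr/bin/openssl.

```shell
#!/bin/sh
# Added example (not from the original page): snapshot the files the upgrade
# overwrites into DEST, preserving the directory tree, and record a SHA-256
# manifest so the backup can be verified before it is restored.

# backup_paths DEST PATH...: copy each PATH under DEST (missing paths are
# skipped with a warning), then write DEST/MANIFEST.sha256 for every file copied.
backup_paths() {
    dest=$1; shift
    mkdir -p "$dest"
    for p in "$@"; do
        [ -e "$p" ] || { echo "skip (missing): $p" >&2; continue; }
        mkdir -p "$dest$(dirname "$p")"
        cp -a "$p" "$dest$(dirname "$p")/"
    done
    # The redirection creates the manifest before find runs, so exclude it.
    ( cd "$dest" && find . -type f ! -name MANIFEST.sha256 -exec sha256sum {} + ) \
        > "$dest/MANIFEST.sha256"
}

# verify_backup DEST: exit 0 only if every file in the manifest still matches
verify_backup() {
    ( cd "$1" && sha256sum -c --quiet MANIFEST.sha256 )
}

# backup_count DEST: number of files recorded in the manifest
backup_count() {
    grep -c '' "$1/MANIFEST.sha256"
}

# Usage (as root, before "yum remove openssl-devel" and "rm -rf /etc/ssl"):
#   backup_paths /root/update/backup-$(date +%F) /etc/ssh /etc/pam.d/sshd /etc/ssl /usr/bin/openssl
#   verify_backup /root/update/backup-$(date +%F) && echo backup ok
```

verify_backup fails (non-zero exit) if any copied file has been modified or removed, which is the check to run before copying anything back over a half-installed sshd.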

Install the build dependencies

# yum install gcc
# yum install gcc-c++ 
# yum install glibc
# yum install make
# yum install autoconf
# yum install pcre-devel
# yum install pam-devel
# yum install zlib-devel.x86_64

Unpack and install OpenSSL

Unpack

# tar -xvf openssl-1.1.1j.tar.gz
# cd openssl-1.1.1j

Configure

Note that --prefix is where the binary, headers and libraries are installed (/usr/local/bin, /usr/local/include, /usr/local/lib64), while --openssldir only holds the configuration and certificate directory.

# ./config  --prefix=/usr/local --openssldir=/usr/local/ssl
Operating system: x86_64-whatever-linux2
Configuring OpenSSL version 1.1.1j (0x101010afL) for linux-x86_64
Using os-specific seed configuration
Creating configdata.pm
Creating Makefile

**********************************************************************
***                                                                ***
***   OpenSSL has been successfully configured                     ***
***                                                                ***
***   If you encounter a problem while building, please open an    ***
***   issue on GitHub <https://github.com/openssl/openssl/issues>  ***
***   and include the output from the following command:           ***
***                                                                ***
***       perl configdata.pm --dump                                ***
***                                                                ***
***   (If you are new to OpenSSL, you might want to consult the    ***
***   'Troubleshooting' section in the INSTALL file first)         ***
***                                                                ***
**********************************************************************
# echo $?   (0 means configure succeeded)

Compile and install

# make && make install
# echo $?   (0 means the build and install succeeded)

Follow-up

# ln -s /usr/local/bin/openssl /usr/bin/openssl
# ln -s /usr/local/include/openssl /usr/include/openssl

# cat /etc/ld.so.conf
include ld.so.conf.d/*.conf

# echo "/usr/local/lib" >> /etc/ld.so.conf
# echo "/usr/local/lib64" >> /etc/ld.so.conf
# cat /etc/ld.so.conf
include ld.so.conf.d/*.conf
/usr/local/lib
/usr/local/lib64

# /sbin/ldconfig
# openssl version
OpenSSL 1.1.1j  16 Feb 2021

Unpack and install OpenSSH

# rm -rf /etc/ssh
# cd /root/update

# tar -xvf openssh-8.5p1.tar.gz
# cd openssh-8.5p1

--with-ssl-dir must point at the OpenSSL install prefix (/usr/local above, which contains include/openssl and lib64), not at the --openssldir configuration directory.

# ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local --with-zlib --with-md5-passwords --with-pam
# echo $?   (0 means configure succeeded)

# make clean
# make && make install
# echo $?   (0 means the install succeeded)

PAM reads /etc/pam.d/<service name>, and sshd's service name is sshd, so the PAM file must be installed under exactly that name (the original was backed up to /root/update/sshd above):

# cp -af contrib/redhat/sshd.init /etc/init.d/sshd
# cp -af contrib/redhat/sshd.pam /etc/pam.d/sshd
# chmod +x /etc/init.d/sshd

These are deliberately permissive values so that the upgrade can be verified with a password login; tighten PermitRootLogin and PasswordAuthentication again once key-based access to the new sshd is confirmed.

# echo "HostKey /etc/ssh/ssh_host_rsa_key" >> /etc/ssh/sshd_config
# echo "HostKey /etc/ssh/ssh_host_ecdsa_key" >> /etc/ssh/sshd_config
# echo "HostKey /etc/ssh/ssh_host_ed25519_key" >> /etc/ssh/sshd_config
# echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
# echo "PasswordAuthentication yes" >> /etc/ssh/sshd_config
# echo "ChallengeResponseAuthentication no" >> /etc/ssh/sshd_config
# echo "UsePAM yes" >> /etc/ssh/sshd_config
# echo "X11Forwarding yes" >> /etc/ssh/sshd_config
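Appending with echo works only because /etc/ssh was wiped just before and the new sshd_config contains only commented defaults; sshd uses the first value it reads for a keyword, so on any other file a blind append is silently ignored. The helper below is an added example, not code from the original page: it sets single-valued directives in place (replacing a commented-out default where there is one), applies the settings listed above, and then shows the hardened values to switch to afterwards. It assumes the file has no Match blocks, and HostKey, which may legitimately appear several times, is appended rather than replaced.

```shell
#!/bin/sh
# Added example (not from the original page): idempotent sshd_config editing.
# Assumes a config without Match blocks; the file path is a parameter so the
# functions can be tried on a copy before /etc/ssh/sshd_config.

# set_sshd_option FILE KEY VALUE: replace the first occurrence of KEY (active or
# commented out), drop any later active duplicates, or append if KEY is absent.
set_sshd_option() {
    tmp=$(mktemp)
    awk -v k="$2" -v v="$3" '
        {
            line = $0
            commented = (line ~ /^[[:space:]]*#/)
            sub(/^[#[:space:]]+/, "", line)           # strip "#" and leading blanks
            split(line, f, /[[:space:]]+/)
            if (tolower(f[1]) == tolower(k)) {        # keywords are case-insensitive
                if (!done) { print k " " v; done = 1 }
                else if (commented) { print }         # keep later comments, drop active dups
                next
            }
            print
        }
        END { if (!done) print k " " v }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"
    rm -f "$tmp"
}

# get_sshd_option FILE KEY: the value sshd will actually use (first active line)
get_sshd_option() {
    awk -v k="$2" '
        /^[[:space:]]*#/ { next }
        tolower($1) == tolower(k) { print $2; exit }
    ' "$1"
}

# apply_page_settings FILE: the settings the procedure above appends with echo
apply_page_settings() {
    for key in ssh_host_rsa_key ssh_host_ecdsa_key ssh_host_ed25519_key; do
        grep -q "^HostKey /etc/ssh/$key\$" "$1" || printf 'HostKey /etc/ssh/%s\n' "$key" >> "$1"
    done
    set_sshd_option "$1" PermitRootLogin yes
    set_sshd_option "$1" PasswordAuthentication yes
    set_sshd_option "$1" ChallengeResponseAuthentication no
    set_sshd_option "$1" UsePAM yes
    set_sshd_option "$1" X11Forwarding yes
}

# harden FILE: once key-based login to the new sshd is confirmed, take the
# permissive values back
harden() {
    set_sshd_option "$1" PermitRootLogin prohibit-password
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" X11Forwarding no
}

# Usage (as root):  apply_page_settings /etc/ssh/sshd_config
#                   ... verify login ...
#                   harden /etc/ssh/sshd_config && sshd -t && systemctl restart sshd
```

Run sshd -t after any edit to have sshd parse the file before restarting; get_sshd_option is the quick check that the value in effect is the one you set, not an earlier line.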

# chkconfig --add sshd
# systemctl list-unit-files sshd.service
UNIT FILE    STATE  
sshd.service enabled

1 unit files listed.

Move the native systemd unit aside so that the init script installed above is used; systemctl then forwards the enable request to chkconfig:

# mv /usr/lib/systemd/system/sshd.service /root/update/sshd.service
# chkconfig sshd on
Note: Forwarding request to 'systemctl enable sshd.socket'.
Created symlink from /etc/systemd/system/sockets.target.wants/sshd.socket to /usr/lib/systemd/system/sshd.socket.

# systemctl enable sshd
sshd.service is not a native service, redirecting to /sbin/chkconfig.
Executing /sbin/chkconfig sshd on
Note: Forwarding request to 'systemctl enable sshd.socket'.

# systemctl start sshd
# ssh -V
OpenSSH_8.5p1, OpenSSL 1.1.1j  16 Feb 2021

Keeping SHA-1 (ssh-rsa) signatures available

If old clients still need the SHA-1-based ssh-rsa host key signature, add it to sshd_config. The leading + appends ssh-rsa to the default algorithm list; writing "HostKeyAlgorithms ssh-rsa" without the + would restrict sshd to ssh-rsa only. Treat this as a temporary compatibility measure and remove it once the clients are updated.

HostKeyAlgorithms +ssh-rsa