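  • OpenSSH 7.9 upgrade package for CentOS with a detailed step-by-step document; following the steps fixes the OpenSSH vulnerabilities
  • The SSH server running on the remote host is too old and is affected by multiple vulnerabilities. Security requirements now call for an upgrade to OpenSSH 6.9 or later. Material collected from the web, with an offline installation package put together.
  • OpenSSH upgrade ansible-playbook
  • Upload the script and the archive to any directory on the CentOS system, make the script executable and run it to complete the upgrade; requires mounting... Once openssh is uninstalled, new ssh connections cannot be established, while existing connections keep working. This method suits offline upgrades of servers that cannot reach the internet
  • OpenSSH upgrade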

    2018-11-29 10:59:52
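    Updating the system time on Linux
  • Quick OpenSSH version upgrade; simple and fast with rpm packages
  • Installing with Linux-PAM support enabled. Problems encountered. Problem 1: sshd fails to start. Error: Job for sshd.service failed because a timeout was exceeded. See "systemctl status sshd.service" and "journalctl -xe" for details. ...
  • Detailed commands and concrete methods for upgrading the OpenSSH version on Linux; highly practical.
  • OpenSSH upgrade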

    2021-07-22 14:34:36

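    OpenSSH is a free, open-source implementation of the SSH protocol, and security vulnerabilities are disclosed in it regularly. The OpenSSH version that ships with CentOS 7 (OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017) is too old, so OpenSSH on new servers needs to be upgraded. OpenSSL must be upgraded before OpenSSH.
    This upgrade tutorial applies to CentOS 7 only.

    Preparation: prevent the connection from dropping during the upgrade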

    #Install the telnet service
    yum -y install telnet-server
    #Start the telnet service
    systemctl start telnet.socket
    #Open port 23 in the firewall
    firewall-cmd --permanent --add-port=23/tcp --zone=public
    firewall-cmd --reload
    #On Windows, open a cmd window and telnet to log in to the server
    telnet [server ip]
    #By default Linux does not allow root to log in to the host over telnet; move the securetty file away
    mv /etc/securetty{,.bak}
    #After this, root can log in
    

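    Because telnet transmits in cleartext and is insecure, the service must be stopped once the upgrade is complete.
    Stop the service and uninstall the existing OpenSSH
    Warning: keep two ssh windows open at the same time and run top in one of them, so that a dropped session during the upgrade does not leave the server unreachable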

    systemctl stop sshd
    #List the ssh packages installed via rpm
    rpm -qa | grep openssh
    #Uninstall the ssh packages installed via rpm
    rpm -e openssh --nodeps && rpm -e openssh-clients --nodeps && rpm -e openssh-server --nodeps
    #Check that the rpm-installed ssh packages are gone
    rpm -qa | grep openssh         
    

    Pre-steps

    #Install the dependencies
    yum install -y pam* zlib*
    #Back up the original ssh configuration
    mv /etc/ssh /etc/ssh_bak
    

    Install OpenSSL (1.1.1g)

    mkdir ./sshupdate
    cd ./sshupdate
    wget https://www.openssl.org/source/openssl-1.1.1g.tar.gz
    tar -xzvf openssl-1.1.1g.tar.gz
    cd openssl-1.1.1g
    ./config --prefix=/usr/ --openssldir=/usr/ shared
    make && make install
    #When finished, check the openssl version
    openssl version
    OpenSSL 1.1.1g  21 Apr 2020
    

    Install OpenSSH (8.3p1)

    wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.3p1.tar.gz
    tar -xzvf openssh-8.3p1.tar.gz
    cd openssh-8.3p1
    ./configure --with-zlib --with-ssl-dir --with-pam --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc/ssh
    make && make install
    cp contrib/redhat/sshd.init /etc/init.d/sshd
    #When finished, check the ssh version
    ssh -V
    OpenSSH_8.3p1, OpenSSL 1.1.1g  21 Apr 2020
    

    Edit the configuration file

    
    vim /etc/ssh/sshd_config
    Find #PermitRootLogin prohibit-password, change it to PermitRootLogin yes and uncomment it
    If the port is not 22, also change it to the port in use
    
    #Disable SELinux
    sed -i.bak 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/sysconfig/selinux
    setenforce 0
    

    Restart OpenSSH

    nohup service sshd restart
    nohup systemctl restart sshd
    #Add to startup
    chkconfig --add sshd
    

    Test

    Open a new window and connect to the server. If logging in through an ssh jump fails, clearing the files under /root/.ssh/ fixes it.
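
An added example (not part of the original tutorial): a shell check for what the temporary telnet access and the configuration edits above leave behind once the upgrade is done. It takes a path prefix so it can run against a copy of the system; the firewalld zone file path, the extra look at /etc/selinux/config and the sample tree are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example: report what the upgrade's temporary changes left behind.
# audit_leftovers ROOT -> one "ID: detail" line per finding, status 1 if any.
# ROOT is a path prefix ("" = live system) so a copy or test tree can be checked.

audit_leftovers() {
    root="${1:-}"; root="${root%/}"
    rc=0

    # "systemctl enable telnet.socket" creates this symlink.
    unit="$root/etc/systemd/system/sockets.target.wants/telnet.socket"
    if [ -e "$unit" ] || [ -L "$unit" ]; then
        echo "TELNET_ENABLED: telnet.socket is still enabled at boot"; rc=1
    fi

    # "mv /etc/securetty{,.bak}" or appended pts/N lines allow root over telnet.
    if [ ! -e "$root/etc/securetty" ] && [ -e "$root/etc/securetty.bak" ]; then
        echo "SECURETTY_MOVED: /etc/securetty was not restored from securetty.bak"; rc=1
    elif grep -q '^pts/' "$root/etc/securetty" 2>/dev/null; then
        echo "SECURETTY_PTS: /etc/securetty still lists pts terminals"; rc=1
    fi

    # "firewall-cmd --permanent --add-port=23/tcp" is saved in the zone file
    # (assumption: firewalld's default path for the public zone).
    zone="$root/etc/firewalld/zones/public.xml"
    if [ -f "$zone" ] && grep '<port ' "$zone" | grep -q 'port="23"'; then
        echo "FIREWALL_23: port 23 is still open in the public zone"; rc=1
    fi

    # The sed edit targets /etc/sysconfig/selinux; /etc/selinux/config is checked too.
    for f in "$root/etc/sysconfig/selinux" "$root/etc/selinux/config"; do
        if grep -q '^SELINUX=disabled' "$f" 2>/dev/null; then
            echo "SELINUX_DISABLED: ${f#"$root"} sets SELINUX=disabled"; rc=1
        fi
    done

    # First PermitRootLogin in the global section wins (sshd uses the first value).
    cfg="$root/etc/ssh/sshd_config"
    if [ -f "$cfg" ]; then
        prl=$(awk 'tolower($1) == "match" { exit }
                   tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$cfg")
        if [ "$prl" = "yes" ]; then
            echo "ROOT_LOGIN: sshd_config has PermitRootLogin yes"; rc=1
        fi
    fi
    return "$rc"
}

# Constructed sample tree: the state the steps on this page leave behind.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/etc/ssh" "$t/etc/sysconfig" "$t/etc/firewalld/zones" \
             "$t/etc/systemd/system/sockets.target.wants"
    : > "$t/etc/securetty.bak"
    printf '%s\n' '#Port 22' 'PermitRootLogin yes' > "$t/etc/ssh/sshd_config"
    printf '%s\n' 'SELINUX=disabled' 'SELINUXTYPE=targeted' > "$t/etc/sysconfig/selinux"
    printf '%s\n' '<zone>' '  <service name="ssh"/>' \
        '  <port protocol="tcp" port="23"/>' '</zone>' > "$t/etc/firewalld/zones/public.xml"
    ln -s /usr/lib/systemd/system/telnet.socket \
        "$t/etc/systemd/system/sockets.target.wants/telnet.socket"
    echo "$t"
}

# Demo on the constructed tree. On a real host: audit_leftovers ""
demo=$(make_sample_tree) && { audit_leftovers "$demo" || true; rm -rf "$demo"; }
```
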

  • OpenSSH upgrade package and dependency packages

    2018-08-20 09:35:50
    OpenSSH_7.7p1 depends on ZLIB and OpenSSL; ZLIB is the latest version, 1.2.11, and the openssl version is openssl-1.0.2o.
  • OpenSSH upgrade

    2020-05-13 11:21:29

    ---------------------------------Upgrading openssh on CentOS 8---------------------------------

    The upgrade requires gcc, make, perl, zlib, zlib-devel, pam and pam-devel;

    https://blog.csdn.net/Smile_Body/article/details/114962963

    http://www.linuxfromscratch.org/blfs/view/svn/postlfs/openssh.html

    If you cannot log in after upgrading SSH, the firewall port may be closed or SELinux may be enabled

    ---------------------------------20210420---------------------------------

    Environment:

    [root@localhost /]# cat /etc/redhat-release
    CentOS Linux release 7.7.1908 (Core)

    [root@localhost /]# ssh -V
    OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017

     

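    The whole process does not require uninstalling the original openssl package or the openssh rpm packages. They do not affect our steps.

    Preparation:

    1. Install telnet-server and xinetd, so that a failed upgrade does not leave the remote server unreachable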

     yum install xinetd telnet-server -y

    2. Configure telnet

    Configure the terminal types allowed for telnet login by appending some pts terminals to the end of /etc/securetty

    pts/0
    pts/1
    pts/2
    pts/3

    tail -5 /etc/securetty

     xvc0
    pts/0
    pts/1
    pts/2
    pts/3

    3. Start the telnet service, enable it at boot, then test whether you can connect remotely over telnet

    systemctl enable xinetd

    systemctl enable telnet.socket

    systemctl start telnet.socket

    systemctl start xinetd

    4. Install the dependency packages; the upgrade needs several components, some of them for compiling

    yum install  -y gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel  pam-devel zlib

    Download the openssh and openssl packages

    https://ftp.openssl.org/source/

    https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/

    Look up which openssh and openssl versions match yourself

    Option 1: install openssl first, then install openssh

    Check the current openssl

    [root@localhost openssh-update]# openssl version
    OpenSSL 1.0.2r  26 Feb 2019

    1. Extract the archive: tar xfz openssl-1.0.2r.tar.gz

    2. Back up the following two files or directories (run these if they exist)

    [root@linux-node3 ~]# ll /usr/bin/openssl

    -rwxr-xr-x 1 root root 555248 Mar 12 18:12 /usr/bin/openssl

    [root@linux-node3 ~]# mv /usr/bin/openssl /usr/bin/openssl_bak

     

    [root@linux-node3 ~]# ll /usr/include/openssl

    total 1864

    -rw-r--r-- 1 root root   6146 Mar 12 18:12 aes.h

    -rw-r--r-- 1 root root  63204 Mar 12 18:12 asn1.h

    -rw-r--r-- 1 root root  24435 Mar 12 18:12 asn1_mac.h

    -rw-r--r-- 1 root root  34475 Mar 12 18:12 asn1t.h

    -rw-r--r-- 1 root root  38742 Mar 12 18:12 bio.h

    -rw-r--r-- 1 root root   5351 Mar 12 18:12 blowfish.h

    ......

    [root@linux-node3 ~]# mv /usr/include/openssl /usr/include/openssl_bak

    [root@linux-node3 ~]#

    3. Compile and install the new openssl version

    cd openssl-1.0.2r

     ./config shared && make && make install

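    After the commands above finish, run echo $? to check whether the final make install reported an error; 0 means no problem

    4. Create symbolic links

    That is, point openssl at the newly compiled and installed files

     Create symbolic links for the following two files or directories (the originals were renamed with mv in the earlier step)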

     ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl

     ln -s /usr/local/ssl/include/openssl /usr/include/openssl

    If this fails and the link cannot be created, check whether a link already exists; if so, delete it and create the link again

    Check:

    [root@localhost openssh-update]# ll /usr/bin/openssl
    lrwxrwxrwx. 1 root root 26 May 11 06:32 /usr/bin/openssl -> /usr/local/ssl/bin/openssl

    [root@localhost openssh-update]# ll /usr/include/openssl/openssl
    lrwxrwxrwx. 1 root root 30 May 11 06:32 /usr/include/openssl/openssl -> /usr/local/ssl/include/openssl

     

    5. Run the following two commands on the command line to load the new configuration

    echo "/usr/local/ssl/lib" >> /etc/ld.so.conf

    /sbin/ldconfig

    6. Check the version:

    [root@localhost openssh-update]# openssl version
    OpenSSL 1.0.2r  26 Feb 2019
     

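    To install openssh, continue with Option 2.

    Option 2: if the openssl version is not too old, openssh can also be installed directly, without going through Option 1

    1. Upload the openssh tarball and extract it: tar xfz openssh-8.2p1.tar.gz

    2. cd openssh-8.2p1

    3. The files show uid and gid 1000 by default, so ownership is reset here. Skipping this may not affect the installation (test it yourself)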

    [root@testssh tools]# chown -R root.root /data/tools/openssh-8.2p1

     Delete the original ssh configuration files and directory from the command line, then configure, compile and install

    rm -rf /etc/ssh/*

    If you ran Option 1, note: with-openssl-includes is the path to ssl/include and with-ssl-dir is the path to ssl; confirm both, then run the following command:

    ./configure --prefix=/usr/ --sysconfdir=/etc/ssh  --with-openssl-includes=/usr/local/ssl/include --with-ssl-dir=/usr/local/ssl   --with-zlib   --with-md5-passwords   --with-pam  && make && make install
    If you did not run Option 1, run the following command:

    ./configure --prefix=/usr/ --sysconfdir=/etc/ssh    --with-zlib   --with-md5-passwords   --with-pam  && make && make install
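    Two parameters are dropped; since we did not touch openssl, it is found automatically.

    After the commands above finish, run echo $? to check whether the final make install reported an error; 0 means no problem

     Change the following settings in /etc/ssh/sshd_config: remove the leading # and leave everything else alone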

    PermitRootLogin yes

    UseDNS no

    Copy some files from the extracted package to their target locations (overwrite if the target already exists)

    cp -a contrib/redhat/sshd.init /etc/init.d/sshd

    cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd.pam

    chmod +x /etc/init.d/sshd

     Delete or move away the original systemd-managed sshd unit file; if it stays, it interferes with restarting the sshd service

    mv  /usr/lib/systemd/system/sshd.service  ./

    Enable at boot: systemctl enable sshd

    Start sshd: systemctl restart sshd

     Test the version. Everything works

    [root@localhost openssh-8.2p1]# ssh -V
    OpenSSH_8.2p1, OpenSSL 1.0.2r  26 Feb 2019
     

    Once testing shows no problems, the telnet service can be shut down

    systemctl disable xinetd

    systemctl stop xinetd

    systemctl disable telnet

    systemctl stop telnet

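    Reference: https://www.cnblogs.com/nmap/p/10779658.html

    Other: after the upgrade, SecureCRT 7.x cannot connect to the server and reports that key exchange failed; upgrade SecureCRT

    FlashFXP reports an SSH error: failed to negotiate the key exchange algorithm

    After the openssh upgrade, some old encryption algorithms were removed, which left some ssh clients unable to log in. Following what other users shared, I added these algorithms to sshd_config and then restarted sshd.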

    debian:~# cat << EOF >>/etc/ssh/sshd_config
    # there are old encryption algorithms
    Ciphers aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc,arcfour128,arcfour256,arcfour,blowfish-cbc,cast128-cbc
    MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
    KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdg
    EOF
    debian:~# systemctl restart ssh.service

    OpenSSH network security analysis     https://www.jianshu.com/p/9552559624f9

     

     

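  • Latest 7.8p1 build as of August 2018; just run rpm -Uvh openssh-*.rpm to upgrade. Remember: you may be unable to log in after upgrading, so do not drop the ssh connection; you need to adjust settings such as the allowed login methods in /etc/ssh/sshd_config, and disconnect only after confirming that you can log in.
  • Recently the SSH brute-force enumeration vulnerability has been giving me a headache, and the last CentOS 7 release is 7.7 (which only ships openssh 7.4; I want to upgrade to openssh 8.0). Upgrading ssh with yum is hopeless, and then there are the rpm dependencies (wiping sweat)... so I had to learn to compile and install; the first time compiling and installing...
  • openssh upgrade.zip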

    2020-06-11 10:27:20
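    The customer ran a vulnerability scan for server security reasons and it flagged openssh problems, so I investigated and fixed them. Usually one simply upgrades to the latest version of the software, but this has to be judged against the actual situation; generally there is no problem
  • openssh-7.9p1.tar.gz: ssh installation package; update.sh: installation script. Running the script step by step is recommended; adjust some paths to the actual server environment. Notes: after the upgrade, xshell must be upgraded to version 4 or later; if navicat uses an ssh jump, it must be upgraded to version 11.2 or later
  • OpenSSH 8.3 upgrade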

    2020-09-28 14:24:32
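    Procedure for upgrading openssh to 8.3p, covering centos and redhat systems; this document has been carried out successfully. The resource packages it needs can be found by searching online.
  • OpenSSH upgrade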

    2019-01-08 19:47:52
    Contains 2 files: openssh-7.9p1.tar.gz and openssl-1.0.2h.tar.gz
  • centos 6 openssh upgrade procedure, best practice; I tested the upgrade successfully myself.
  • OpenSSH upgrade and installation manual

    2018-12-10 16:34:46
    OpenSSH upgrade and installation manual
  • Upgrading OpenSSH to 8.8

    1,000+ views 2021-10-12 19:35:27

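    Upgrade openssl first; back up every file you are going to modify!!!

    Install telnet first, so that a failed sshd upgrade does not leave the server unreachable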

    yum install -y telnet-server* telnet xinetd
    systemctl enable xinetd.service
    systemctl enable telnet.socket
    systemctl start telnet.socket
    systemctl start xinetd.service
    echo 'pts/0' >> /etc/securetty 
    echo 'pts/1' >> /etc/securetty 
    echo 'pts/2' >> /etc/securetty 
    echo 'pts/3' >> /etc/securetty
    
    systemctl start firewalld
    firewall-cmd --add-port=23/tcp --permanent
    firewall-cmd  --reload

    Install the required tool packages

    yum install  -y gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel  pam-devel
    yum install  -y pam* zlib*

    Go to your own software directory, then download, compile and install

    cd soft/
    wget https://www.openssl.org/source/openssl-1.1.1l.tar.gz --no-check-certificate
    mv /usr/bin/openssl  /usr/bin/openssl.old
    mv /usr/include/openssl /usr/include/openssl.old
    tar -zxvf openssl-1.1.1l.tar.gz 
    cd openssl-1.1.1l/
    ./config --prefix=/usr/local/openssl
    make
    make install
    ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
    ln -s /usr/local/openssl/include/openssl /usr/include/openssl
    echo "/usr/local/openssl/lib" >> /etc/ld.so.conf
    ldconfig -v
    openssl version

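    If the output looks like the figure below, the installation succeeded

    Before installing openssh (environment: certificate login, openssh 7.4)

    Edit /etc/ssh/ssh_config 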

    Host *
    	ForwardX11Trusted yes
    	SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
    	SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
    	SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
    	SendEnv XMODIFIERS

    Edit /etc/ssh/sshd_config

    Port 32222
    HostKey /etc/ssh/ssh_host_rsa_key
    HostKey /etc/ssh/ssh_host_ecdsa_key
    HostKey /etc/ssh/ssh_host_ed25519_key
    StrictModes no
    PubkeyAuthentication yes
    AuthorizedKeysFile	.ssh/authorized_keys
    ChallengeResponseAuthentication no
    UsePAM yes
    X11Forwarding yes
    ClientAliveInterval 600
    ClientAliveCountMax 2
    AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
    AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
    AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
    AcceptEnv XMODIFIERS
    Subsystem	sftp	/usr/libexec/openssh/sftp-server
    UseDNS no
    AddressFamily inet
    PermitRootLogin yes
    SyslogFacility AUTHPRIV
    PasswordAuthentication no
    
    #Used by version 7.4; commented out
    #RSAAuthentication yes  
    
    #ssh-rsa is disabled after openssh 8.2
    PubkeyAcceptedAlgorithms +ssh-rsa 
    PubkeyAcceptedKeyTypes +ssh-rsa
    HostkeyAlgorithms +ssh-rsa
    KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1,curve25519-sha256@libssh.org
    

    Add or edit the /root/.ssh/config file (git for code.aliyun.com)

    Host code.aliyun.com
    	HostName code.aliyun.com
    	HostkeyAlgorithms +ssh-rsa
    	PubkeyAcceptedAlgorithms +ssh-rsa
    chmod 600 /etc/ssh/* #Permissions must be changed to 600, otherwise a warning is raised
    wget -c https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/openssh-8.8p1.tar.gz --no-check-certificate
    tar -zxvf openssh-8.8p1.tar.gz
    cd openssh-8.8p1
    ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-tcp-wrappers --with-ssl-dir=/usr/local/openssl --with-zlib=/usr/local/lib64 --without-hardening
    make
    make install
    cp -a contrib/redhat/sshd.init /etc/init.d/sshd
    chmod +x /etc/init.d/sshd
    chkconfig --add sshd
    systemctl enable sshd
    chkconfig sshd on
    mv /usr/lib/systemd/system/sshd.service  /home/
    systemctl daemon-reload
    /etc/init.d/sshd restart
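
An added example (not from the original posts): the heredoc appended to sshd_config earlier on this page and the sshd_config listing above both put legacy ciphers, MACs, key-exchange methods and ssh-rsa back into the server configuration, and this shell function lists which entries of such a file are the legacy ones. The sample file is constructed from shortened versions of those lists, and the classification rules are this example's own.

```shell
#!/bin/sh
# Added example: list the legacy algorithms an sshd_config explicitly enables.
# weak_ssh_algorithms FILE -> "Keyword<TAB>algorithm<TAB>reason", one per line.
# Only the global section is read, and only the first occurrence of each keyword,
# because sshd keeps the first value it sees: a block appended to the end of the
# file has no effect if the keyword was already set further up.

weak_ssh_algorithms() {
    awk '
    function reason(alg) {
        if (alg ~ /^arcfour/)                     return "RC4 stream cipher"
        if (alg ~ /^(3des|blowfish|cast128)-/)    return "64-bit block cipher"
        if (alg ~ /-cbc$/)                        return "CBC mode"
        if (alg ~ /md5/)                          return "MD5-based MAC"
        if (alg ~ /-96$/)                         return "MAC truncated to 96 bits"
        if (alg ~ /ripemd160/)                    return "RIPEMD-160 MAC"
        if (alg == "diffie-hellman-group1-sha1")  return "1024-bit DH group, SHA-1"
        if (alg ~ /^diffie-hellman-.*-sha1$/)     return "SHA-1 key exchange"
        if (alg == "ssh-rsa")                     return "RSA signature with SHA-1"
        return ""
    }
    BEGIN {
        n = split("ciphers macs kexalgorithms hostkeyalgorithms " \
                  "pubkeyacceptedalgorithms pubkeyacceptedkeytypes", k, " ")
        for (i = 1; i <= n; i++) audited[k[i]] = 1
    }
    tolower($1) == "match" { exit }          # global section only
    {
        kw = tolower($1)
        if (!(kw in audited) || (kw in seen)) next
        seen[kw] = 1
        list = $2
        if (list ~ /^-/) next                # "-" removes algorithms from the defaults
        sub(/^[+^]/, "", list)               # "+" appends, "^" moves to the front
        m = split(list, alg, ",")
        for (j = 1; j <= m; j++) {
            r = reason(alg[j])
            if (r != "" && !((kw, alg[j]) in done)) {
                done[kw, alg[j]] = 1
                printf "%s\t%s\t%s\n", $1, alg[j], r
            }
        }
    }' "$1"
}

# Constructed sample: shortened versions of the lists quoted on this page.
make_sample_config() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
Port 22
#Ciphers aes256-ctr
Ciphers aes128-cbc,aes256-ctr,3des-cbc,arcfour
MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha1-96
KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,ecdh-sha2-nistp256,diffie-hellman-group1-sha1
HostkeyAlgorithms +ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
Ciphers blowfish-cbc
EOF
    echo "$f"
}

# Demo on the constructed file; the trailing Ciphers line is ignored (first one wins).
demo=$(make_sample_config) && { weak_ssh_algorithms "$demo"; rm -f "$demo"; }
```

On a live host, `sshd -T` prints the effective configuration, which also covers the compiled-in defaults that a file-based check cannot see.
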

    The output shown in the figure below during compilation can be ignored

  • CentOS 8: upgrading OpenSSH to OpenSSH-8.5p1

    1,000+ views 2021-03-18 09:15:37
    CentOS 8: upgrading OpenSSH to OpenSSH-8.5p1

    1. Before the upgrade

    1.1 OpenSSH upgrade package

    Download the latest upgrade package from the official site: OpenSSH-8.5p1


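    1.2 System release image download

    This upgrade targets CentOS 8.0.1905; the image has already been prepared and uploaded to the system.

    If you do not have this image, download it. Download link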

    huaweicloud

    2. Pre-upgrade steps

    2.1 YUM configuration

    Mount the image

    [root@host-192-168-10-10 ~]# mount -t iso9660 /home/centos.iso /media    #mount the image
    [root@host-192-168-10-10 ~]# mount -o loop /home/centos.iso /media		#mount the image
    

    Edit the configuration file

    [root@host-192-168-10-10 ~]# cd /etc/yum.repos.d/
    [root@host-192-168-10-10 yum.repos.d]# ls
    CentOS-AppStream.repo  CentOS-centosplus.repo  CentOS-Debuginfo.repo  CentOS-fasttrack.repo  CentOS-PowerTools.repo  CentOS-Vault.repo
    CentOS-Base.repo       CentOS-CR.repo          CentOS-Extras.repo     CentOS-Media.repo      CentOS-Sources.repo
    [root@host-192-168-10-10 yum.repos.d]# mkdir bak
    [root@host-192-168-10-10 yum.repos.d]# mv CentOS-* bak
    [root@host-192-168-10-10 yum.repos.d]# vi system.repo
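    # From 8.0 on the packages are split across two directories, so write it as follows
    [BaseOS]
    name=system
    baseurl=file:///media/BaseOS #image mount path; fill in according to your setup
    enabled=1
    gpgcheck=0  #0 means no check
    
    [AppStream]
    name=system
    baseurl=file:///media/AppStream #image mount path; fill in according to your setup
    enabled=1
    gpgcheck=0  #0 means no check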
    
    [root@host-192-168-10-10 yum.repos.d]# cd /media/
    [root@host-192-168-10-10 media]# ls
    AppStream  BaseOS  EFI  images  isolinux  media.repo  TRANS.TBL
    [root@host-192-168-10-10 media]# yum clean all
    0 files removed
    [root@host-192-168-10-10 media]# yum makecache 
    system                                                                                                                                                        67 MB/s | 5.2 MB     00:00    
    system                                                                                                                                                        78 MB/s | 2.2 MB     00:00    
    Metadata cache created.
    [root@host-192-168-10-10 media]#
    

    2.2 Install telnet

    [root@host-192-168-10-10 system]# yum install -y telnet-server
    Last metadata expiration check: 0:15:16 ago on Wed 17 Mar 2021 10:50:09 AM CST.
    Dependencies resolved.
    =============================================================================================================================================================================================
     Package                                         Arch                                     Version                                          Repository                                   Size
    =============================================================================================================================================================================================
    Installing:
     telnet-server                                   x86_64                                   1:0.17-73.el8                                    AppStream                                    48 k
    
    Transaction Summary
    =============================================================================================================================================================================================
    Install  1 Package
    
    Total size: 48 k
    Installed size: 60 k
    Downloading Packages:
    Running transaction check
    Transaction check succeeded.
    Running transaction test
    Transaction test succeeded.
    Running transaction
      Preparing        :                                       1/1 
      Installing       : telnet-server-1:0.17-73.el8.x86_64    1/1 
      Running scriptlet: telnet-server-1:0.17-73.el8.x86_64    1/1 
      Verifying        : telnet-server-1:0.17-73.el8.x86_64    1/1 
    
    Installed:
      telnet-server-1:0.17-73.el8.x86_64                          
    Complete!
    [root@host-10-209-30-81 system]# yum install -y xinetd
    Last metadata expiration check: 0:13:50 ago on Wed 17 Mar 2021 10:50:09 AM CST.
    Dependencies resolved.
    =============================================================================================================================================================================================
     Package                                   Arch                                      Version                                              Repository                                    Size
    =============================================================================================================================================================================================
    Installing:
     xinetd                                    x86_64                                    2:2.3.15-23.el8                                      AppStream                                    135 k
    
    Transaction Summary
    =============================================================================================================================================================================================
    Install  1 Package
    
    Total size: 135 k
    Installed size: 284 k
    Downloading Packages:
    Running transaction check
    Transaction check succeeded.
    Running transaction test
    Transaction test succeeded.
    Running transaction
      Preparing        :                                        1/1 
      Installing       : xinetd-2:2.3.15-23.el8.x86_64          1/1 
      Running scriptlet: xinetd-2:2.3.15-23.el8.x86_64          1/1 
      Verifying        : xinetd-2:2.3.15-23.el8.x86_64          1/1 
    
    Installed:
      xinetd-2:2.3.15-23.el8.x86_64                            
    Complete!
    [root@host-192-168-10-10 system]# systemctl enable xinetd
    [root@host-192-168-10-10 system]# systemctl enable telnet.socket
    Created symlink /etc/systemd/system/sockets.target.wants/telnet.socket → /usr/lib/systemd/system/telnet.socket.
    [root@host-192-168-10-10 system]# systemctl start telnet.socket
    [root@host-192-168-10-10 system]# systemctl start xinetd
    
    

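    By default the system does not allow root to log in remotely over telnet. To log in directly as root, set the following:

    echo 'pts/0' >>/etc/securetty

    echo 'pts/1' >>/etc/securetty

    2.2.1 Telnet login test

    After logging in successfully over telnet, query the system; the output is as follows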

    [root@host-192-168-10-10 ~]# who 
    root     pts/0        2021-03-17 11:10 (::ffff:172.25.246.218)
    root     pts/1        2021-03-17 11:10 (172.25.246.218)
    

    2.3 Install dependency packages

    [root@host-192-168-10-10 xinetd.d]# yum install -y gcc
    Last metadata expiration check: 0:19:07 ago on Wed 17 Mar 2021 10:50:09 AM CST.
    Package gcc-8.2.1-3.5.el8.x86_64 is already installed.
    Dependencies resolved.
    Nothing to do.
    Complete!
    [root@host-192-168-10-10 xinetd.d]# yum install openssl openssl-devel -y
    Last metadata expiration check: 0:19:22 ago on Wed 17 Mar 2021 10:50:09 AM CST.
    Package openssl-1:1.1.1-8.el8.x86_64 is already installed.
    Dependencies resolved.
    =============================================================================================================================================================================================
     Package                                              Arch                                    Version                                          Repository                               Size
    =============================================================================================================================================================================================
    Installing:
     openssl-devel                                        x86_64                                  1:1.1.1-8.el8                                    BaseOS                                  2.3 M
    Installing dependencies:
     keyutils-libs-devel                                  x86_64                                  1.5.10-6.el8                                     BaseOS                                   48 k
     krb5-devel                                           x86_64                                  1.16.1-22.el8                                    BaseOS                                  546 k
     libcom_err-devel                                     x86_64                                  1.44.3-2.el8                                     BaseOS                                   37 k
     libkadm5                                             x86_64                                  1.16.1-22.el8                                    BaseOS                                  184 k
     libselinux-devel                                     x86_64                                  2.8-6.el8                                        BaseOS                                  199 k
     libsepol-devel                                       x86_64                                  2.8-2.el8                                        BaseOS                                   85 k
     libverto-devel                                       x86_64                                  0.3.0-5.el8                                      BaseOS                                   18 k
     pcre2-devel                                          x86_64                                  10.32-1.el8                                      BaseOS                                  605 k
     pcre2-utf16                                          x86_64                                  10.32-1.el8                                      BaseOS                                  228 k
     pcre2-utf32                                          x86_64                                  10.32-1.el8                                      BaseOS                                  220 k
     zlib-devel                                           x86_64                                  1.2.11-10.el8                                    BaseOS                                   56 k
    
    Transaction Summary
    =============================================================================================================================================================================================
    Install  12 Packages
    
    Total size: 4.4 M
    Installed size: 8.1 M
    Downloading Packages:
    Running transaction check
    Transaction check succeeded.
    Running transaction test
    Transaction test succeeded.
    Running transaction
      Preparing        :                                                                                                                                                                     1/1 
      Installing       : zlib-devel-1.2.11-10.el8.x86_64                                                                                                                                    1/12 
      Installing       : pcre2-utf32-10.32-1.el8.x86_64                                                                                                                                     2/12 
      Installing       : pcre2-utf16-10.32-1.el8.x86_64                                                                                                                                     3/12 
      Installing       : pcre2-devel-10.32-1.el8.x86_64                                                                                                                                     4/12 
      Installing       : libverto-devel-0.3.0-5.el8.x86_64                                                                                                                                  5/12 
      Installing       : libsepol-devel-2.8-2.el8.x86_64                                                                                                                                    6/12 
      Installing       : libselinux-devel-2.8-6.el8.x86_64                                                                                                                                  7/12 
      Installing       : libkadm5-1.16.1-22.el8.x86_64                                                                                                                                      8/12 
      Installing       : libcom_err-devel-1.44.3-2.el8.x86_64                                                                                                                               9/12 
      Installing       : keyutils-libs-devel-1.5.10-6.el8.x86_64                                                                                                                           10/12 
      Installing       : krb5-devel-1.16.1-22.el8.x86_64                                                                                                                                   11/12 
      Installing       : openssl-devel-1:1.1.1-8.el8.x86_64                                                                                                                                12/12 
      Running scriptlet: openssl-devel-1:1.1.1-8.el8.x86_64                                                                                                                                12/12 
      Verifying        : keyutils-libs-devel-1.5.10-6.el8.x86_64                                                                                                                            1/12 
      Verifying        : krb5-devel-1.16.1-22.el8.x86_64                                                                                                                                    2/12 
      Verifying        : libcom_err-devel-1.44.3-2.el8.x86_64                                                                                                                               3/12 
      Verifying        : libkadm5-1.16.1-22.el8.x86_64                                                                                                                                      4/12 
      Verifying        : libselinux-devel-2.8-6.el8.x86_64                                                                                                                                  5/12 
      Verifying        : libsepol-devel-2.8-2.el8.x86_64                                                                                                                                    6/12 
      Verifying        : libverto-devel-0.3.0-5.el8.x86_64                                                                                                                                  7/12 
      Verifying        : openssl-devel-1:1.1.1-8.el8.x86_64                                                                                                                                 8/12 
      Verifying        : pcre2-devel-10.32-1.el8.x86_64                                                                                                                                     9/12 
      Verifying        : pcre2-utf16-10.32-1.el8.x86_64                                                                                                                                    10/12 
      Verifying        : pcre2-utf32-10.32-1.el8.x86_64                                                                                                                                    11/12 
      Verifying        : zlib-devel-1.2.11-10.el8.x86_64                                                                                                                                   12/12 
    
    Installed:
      openssl-devel-1:1.1.1-8.el8.x86_64   keyutils-libs-devel-1.5.10-6.el8.x86_64   krb5-devel-1.16.1-22.el8.x86_64     libcom_err-devel-1.44.3-2.el8.x86_64   libkadm5-1.16.1-22.el8.x86_64   
      libselinux-devel-2.8-6.el8.x86_64    libsepol-devel-2.8-2.el8.x86_64           libverto-devel-0.3.0-5.el8.x86_64   pcre2-devel-10.32-1.el8.x86_64         pcre2-utf16-10.32-1.el8.x86_64  
      pcre2-utf32-10.32-1.el8.x86_64       zlib-devel-1.2.11-10.el8.x86_64          
    
    Complete!
    [root@host-192-168-10-10 xinetd.d]#  echo "PasswordAuthentication yes" >> /etc/ssh/sshd_config   #avoids the error: Permission denied (publickey,keyboard-interactive)
    [root@host-192-168-10-10 xinetd.d]# 
    

    3. Start upgrading openssh

    3.1 Upload the downloaded upgrade package

    [root@host-192-168-10-10 user01]# ls
    openssh-8.5p1.tar.gz  vmtools  vmtools-3.0.0.002.tar.bz2
    [root@host-192-168-10-10 user01]
    

    3.2 Uninstall the old openssh version

    [root@host-192-168-10-10 ~]#  rpm -qa|grep openssh
    openssh-7.8p1-4.el8.x86_64
    openssh-server-7.8p1-4.el8.x86_64
    openssh-clients-7.8p1-4.el8.x86_64
    [root@host-192-168-10-10 ~]# 
    [root@host-192-168-10-10 ~]# 
    [root@host-192-168-10-10 ~]# 
    [root@host-192-168-10-10 ~]# 
    [root@host-192-168-10-10 ~]# rpm -e --nodeps openssh-7.8p1-4.el8.x86_64
    [root@host-192-168-10-10 ~]# rpm -e --nodeps openssh-server-7.8p1-4.el8.x86_64
    warning: /etc/ssh/sshd_config saved as /etc/ssh/sshd_config.rpmsave
    [root@host-192-168-10-10 ~]# rpm -e --nodeps openssh-clients-7.8p1-4.el8.x86_64
    [root@host-192-168-10-10 ~]# 
    [root@host-192-168-10-10 ~]# 
    [root@host-192-168-10-10 ~]# 
    [root@host-192-168-10-10 ~]# 
    [root@host-192-168-10-10 ~]# rpm -qa | grep openssh 
    [root@host-192-168-10-10 ~]#
    

    3.3 Extract openssh and install it

    [root@host-192-168-10-10 user01]# 
    [root@host-192-168-10-10 user01]# tar -zxvf openssh-8.5p1.tar.gz 
    openssh-8.5p1
    openssh-8.5p1/.depend
    openssh-8.5p1/.github
    openssh-8.5p1/.github/configs
    openssh-8.5p1/.github/configure.sh
    ... ... ...
    ... ... ...
    ... ... ...
    openssh-8.5p1/sshd_config.0
    openssh-8.5p1/ssh_config.0
    openssh-8.5p1/aclocal.m4
    openssh-8.5p1/configure
    openssh-8.5p1/config.h.in
    [root@host-192-168-10-10 user01]#
    [root@host-192-168-10-10 openssh-8.5p1]# install  -v -m700 -d /var/lib/sshd &&
    > chown    -v root:sys /var/lib/sshd &&
    > groupadd -g 50 sshd        &&
    > useradd  -c 'sshd PrivSep' \
    > -d /var/lib/sshd  \
    > -g sshd           \
    > -s /bin/false     \
    > -u 50 sshd
    install: creating directory '/var/lib/sshd'
    changed ownership of '/var/lib/sshd' from root:root to root:sys
    groupadd: group 'sshd' already exists
    [root@host-192-168-10-10 openssh-8.5p1]# ./configure --prefix=/usr                     \
    > --sysconfdir=/etc/ssh             \
    > --with-md5-passwords              \
    > --with-privsep-path=/var/lib/sshd &&
    > make
    configure: loading site script /usr/share/config.site
    checking for cc... cc
    checking whether the C compiler works... yes
    checking for C compiler default output file name... a.out
    checking for suffix of executables... 
    checking whether we are cross compiling... no
    checking for suffix of object files... o
    checking whether we are using the GNU C compiler... yes
    checking whether cc accepts -g... yes
    ... ... ...
    ... ... ...
    ... ... ...
    [root@host-192-168-10-10 openssh-8.5p1]# make install
    (cd openbsd-compat && make)
    make[1]: Entering directory '/home/user01/openssh-8.5p1/openbsd-compat'
    make[1]: Nothing to be done for 'all'.
    make[1]: Leaving directory '/home/user01/openssh-8.5p1/openbsd-compat'
    /usr/bin/mkdir -p /usr/bin
    /usr/bin/mkdir -p /usr/sbin
    /usr/bin/mkdir -p /usr/share/man/man1
    /usr/bin/mkdir -p /usr/share/man/man5
    /usr/bin/mkdir -p /usr/share/man/man8
    ... ... ...
    ... ... ...
    ... ... ...
    /usr/sbin/sshd -t -f /etc/ssh/sshd_config 
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    Permissions 0640 for '/etc/ssh/ssh_host_rsa_key' are too open.
    It is required that your private key files are NOT accessible by others.
    This private key will be ignored.
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    Permissions 0640 for '/etc/ssh/ssh_host_ecdsa_key' are too open.
    It is required that your private key files are NOT accessible by others.
    This private key will be ignored.
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    Permissions 0640 for '/etc/ssh/ssh_host_ed25519_key' are too open.
    It is required that your private key files are NOT accessible by others.
    This private key will be ignored.
    sshd: no hostkeys available -- exiting.
    make: [Makefile:374: check-config] Error 1 (ignored)
    [root@host-192-168-10-10 openssh-8.5p1]# chmod 600 /etc/ssh/ssh_host_rsa_key
    [root@host-192-168-10-10 openssh-8.5p1]# chmod 600 /etc/ssh/ssh_host_ecdsa_key
    [root@host-192-168-10-10 openssh-8.5p1]# chmod 600 /etc/ssh/ssh_host_ed25519_key
    [root@host-192-168-10-10 openssh-8.5p1]# 
    [root@host-192-168-10-10 openssh-8.5p1]# make install 
    (cd openbsd-compat && make)
    make[1]: Entering directory '/home/user01/openssh-8.5p1/openbsd-compat'
    make[1]: Nothing to be done for 'all'.
    make[1]: Leaving directory '/home/user01/openssh-8.5p1/openbsd-compat'
    /usr/bin/mkdir -p /usr/bin
    /usr/bin/mkdir -p /usr/sbin
    /usr/bin/mkdir -p /usr/share/man/man1
    ... ... ...
    ... ... ...
    ... ... ...
    /usr/bin/install -c -m 644 sftp.1.out /usr/share/man/man1/sftp.1
    /usr/bin/install -c -m 644 sftp-server.8.out /usr/share/man/man8/sftp-server.8
    /usr/bin/install -c -m 644 ssh-keysign.8.out /usr/share/man/man8/ssh-keysign.8
    /usr/bin/install -c -m 644 ssh-pkcs11-helper.8.out /usr/share/man/man8/ssh-pkcs11-helper.8
    /usr/bin/install -c -m 644 ssh-sk-helper.8.out /usr/share/man/man8/ssh-sk-helper.8
    /usr/bin/mkdir -p /etc/ssh
    /etc/ssh/ssh_config already exists, install will not overwrite
    /etc/ssh/sshd_config already exists, install will not overwrite
    /etc/ssh/moduli already exists, install will not overwrite
    /usr/sbin/sshd -t -f /etc/ssh/sshd_config
    [root@host-192-168-10-10 openssh-8.5p1]# ssh -V   # check the version number
    OpenSSH_8.5p1, OpenSSL 1.1.1 FIPS  11 Sep 2018
    [root@host-192-168-10-10 openssh-8.5p1]# install -v -m755    contrib/ssh-copy-id /usr/bin     &&
    > install -v -m644    contrib/ssh-copy-id.1 \
    > /usr/share/man/man1              &&
    > install -v -m755 -d /usr/share/doc/openssh-8.5p1     &&
    > install -v -m644    INSTALL LICENCE OVERVIEW README* \
    > /usr/share/doc/openssh-8.5p1
    'contrib/ssh-copy-id' -> '/usr/bin/ssh-copy-id'
    'contrib/ssh-copy-id.1' -> '/usr/share/man/man1/ssh-copy-id.1'
    install: creating directory '/usr/share/doc/openssh-8.5p1'
    'INSTALL' -> '/usr/share/doc/openssh-8.5p1/INSTALL'
    'LICENCE' -> '/usr/share/doc/openssh-8.5p1/LICENCE'
    'OVERVIEW' -> '/usr/share/doc/openssh-8.5p1/OVERVIEW'
    'README' -> '/usr/share/doc/openssh-8.5p1/README'
    'README.dns' -> '/usr/share/doc/openssh-8.5p1/README.dns'
    'README.md' -> '/usr/share/doc/openssh-8.5p1/README.md'
    'README.platform' -> '/usr/share/doc/openssh-8.5p1/README.platform'
    'README.privsep' -> '/usr/share/doc/openssh-8.5p1/README.privsep'
    'README.tun' -> '/usr/share/doc/openssh-8.5p1/README.tun'
    [root@host-192-168-10-10 openssh-8.5p1]# 
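
The first `make install` above fails its `sshd -t` check because the existing host private keys are mode 0640, and the session fixes each one by hand with `chmod 600`. The check below is an added example, not part of the original article: it finds every `ssh_host_*_key` file that group or others can access and tightens it. The function names and the scratch directory standing in for `/etc/ssh` are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: find sshd host private keys that group or others can access.

# list_open_hostkeys DIR
# Prints each ssh_host_*_key file in DIR that has any group/other permission
# bit set (the condition behind "UNPROTECTED PRIVATE KEY FILE").
# The pattern does not match the *.pub files, which are meant to be readable.
list_open_hostkeys() {
    find "$1" -maxdepth 1 -type f -name 'ssh_host_*_key' \
        \( -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \) | sort
}

# fix_open_hostkeys DIR
# Sets mode 0600 on every key reported above; fails if any are still open.
fix_open_hostkeys() {
    list_open_hostkeys "$1" | while IFS= read -r key; do
        chmod 600 "$key"
    done
    [ -z "$(list_open_hostkeys "$1")" ]
}

# Constructed demo: a scratch directory standing in for /etc/ssh, with three
# private keys at 0640 (as in the session above) and their public halves.
demo_hostkey_check() {
    d=$(mktemp -d) || return 1
    for t in rsa ecdsa ed25519; do
        : > "$d/ssh_host_${t}_key";     chmod 640 "$d/ssh_host_${t}_key"
        : > "$d/ssh_host_${t}_key.pub"; chmod 644 "$d/ssh_host_${t}_key.pub"
    done
    before=$(list_open_hostkeys "$d" | wc -l | tr -d ' ')
    fix_open_hostkeys "$d"
    after=$(list_open_hostkeys "$d" | wc -l | tr -d ' ')
    rm -rf "$d"
    echo "$before $after"
}
```

Running `list_open_hostkeys /etc/ssh` before `make install` shows which keys the `check-config` step would reject.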
    

    3.4 Root user access

    [root@host-192-168-10-10 ssh]# echo "PermitRootLogin no" >> /etc/ssh/sshd_config
    [root@host-192-168-10-10 ssh]# echo 'X11Forwarding yes' >> /etc/ssh/sshd_config
    [root@host-192-168-10-10 ssh]# echo "PasswordAuthentication yes" >> /etc/ssh/sshd_config
    [root@host-192-168-10-10 ssh]#
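
The three `echo ... >> /etc/ssh/sshd_config` commands above only take effect if no earlier uncommented line already sets the same keyword, because sshd uses the first value it obtains for each keyword. The check below is an added example, not part of the original article; the function names and the sample configuration are constructed for illustration, and the parser assumes plain whitespace-separated `Keyword value` lines, no `Include` files, and stops at the first `Match` block.

```shell
#!/bin/sh
# Added example: which value does sshd use when a keyword appears twice?

# first_value FILE KEYWORD
# Prints the first uncommented value of KEYWORD in the global section of FILE.
# Keywords are matched case-insensitively, as sshd does.
first_value() {
    awk -v kw="$2" '
        BEGIN { kw = tolower(kw) }
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        tolower($1) == "match" { exit }      # global section ends here
        tolower($1) == kw { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# check_append FILE KEYWORD WANTED
# Prints "ok" if WANTED is the effective value, else what shadows it.
check_append() {
    got=$(first_value "$1" "$2")
    if [ "$got" = "$3" ]; then echo ok; else echo "shadowed by $got"; fi
}

demo_append_check() {
    f=$(mktemp) || return 1
    # Constructed sample: an existing config that already sets one keyword.
    cat > "$f" <<'EOF'
# constructed sample sshd_config
Port 22
PermitRootLogin yes
#PasswordAuthentication no
EOF
    # The three appends from step 3.4.
    echo "PermitRootLogin no" >> "$f"
    echo 'X11Forwarding yes' >> "$f"
    echo "PasswordAuthentication yes" >> "$f"
    r1=$(check_append "$f" PermitRootLogin no)
    r2=$(check_append "$f" X11Forwarding yes)
    r3=$(check_append "$f" PasswordAuthentication yes)
    rm -f "$f"
    echo "$r1|$r2|$r3"
}
```

On the live host, `sshd -T` prints the effective configuration after all files are parsed, which is the authoritative check before restarting the service.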
    

    4. System service handling

    [root@host-192-168-10-10 ssh]# cd /home/user01/openssh-8.5p1/
    [root@host-192-168-10-10 openssh-8.5p1]# cp -p contrib/redhat/sshd.init /etc/init.d/sshd 
    [root@host-192-168-10-10 openssh-8.5p1]# chmod +x /etc/init.d/sshd 
    [root@host-192-168-10-10 openssh-8.5p1]# chkconfig  --add  sshd 
    [root@host-192-168-10-10 openssh-8.5p1]# chkconfig  sshd  on 
    [root@host-192-168-10-10 openssh-8.5p1]# chkconfig  --list  sshd
    
    Note: This output shows SysV services only and does not include native
          systemd services. SysV configuration data might be overridden by native
          systemd configuration.
    
          If you want to list systemd services use 'systemctl list-unit-files'.
          To see services enabled on particular target use
          'systemctl list-dependencies [target]'.
    
    sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
    [root@host-192-168-10-10 openssh-8.5p1]# 
    [root@host-192-168-10-10 openssh-8.5p1]# systemctl restart sshd
    [root@host-192-168-10-10 openssh-8.5p1]# systemctl status sshd
    ● sshd.service - SYSV: OpenSSH server daemon
       Loaded: loaded (/etc/rc.d/init.d/sshd; generated)
       Active: active (running) since Wed 2021-03-17 11:28:26 CST; 5s ago
         Docs: man:systemd-sysv-generator(8)
      Process: 16347 ExecStart=/etc/rc.d/init.d/sshd start (code=exited, status=0/SUCCESS)
     Main PID: 16357 (sshd)
        Tasks: 1 (limit: 11512)
       Memory: 1.2M
       CGroup: /system.slice/sshd.service
               └─16357 sshd: /usr/sbin/sshd [listener] 0 of 10-100 startups
    
    Mar 17 11:28:26 host-192-168-10-10 systemd[1]: Starting SYSV: OpenSSH server daemon...
    Mar 17 11:28:26 host-192-168-10-10 sshd[16357]: Server listening on 0.0.0.0 port 22.
    Mar 17 11:28:26 host-192-168-10-10 sshd[16357]: Server listening on :: port 22.
    Mar 17 11:28:26 host-192-168-10-10 sshd[16347]: [27B blob data]
    Mar 17 11:28:26 host-192-168-10-10 systemd[1]: Started SYSV: OpenSSH server daemon.
    [root@host-192-168-10-10 openssh-8.5p1]# 
    [root@host-192-168-10-10 openssh-8.5p1]# ssh -V
    OpenSSH_8.5p1, OpenSSL 1.1.1 FIPS  11 Sep 2018
    [root@host-192-168-10-10 openssh-8.5p1]# vi /etc/selinux/config
    ......
    ......
    #SELINUX=enforcing
    SELINUX=disabled 
    ......
    ......
    [root@host-192-168-10-10 openssh-8.5p1]#
    [root@host-192-168-10-10 openssh-8.5p1]# reboot 
    
    Connection closed by foreign host.
    

    5. References

    OpenSSH-8.5p1: http://www.linuxfromscratch.org/blfs/view/svn/postlfs/openssh.html

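  • openssh 8.4 upgrade

    2020-10-21 15:15:30
    openssh 8.4p1 upgrade steps and installation packages ## telnet installation ### centos 7 yum install telnet-server.x86_64 yum install telnet.x86_64 yum install xinetd.x86_64 systemctl start telnet.socket systemctl start xinetd ### ...
  • Upgrading openssh to 8.6

    1,000+ reads 2021-05-13 17:17:48
    Solution: upgrade openssh to openssh-8.6p1. 2. Environment information Operating system: Centos7.6.1810 openssh: OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017 openssl: OpenSSL 1.0.2k-fips 26 Jan 2017 3. Notes 1. Check the firewall...
  • Upgrading openssh on ubuntu

    1,000+ reads 2020-08-21 10:25:10
    Upgrading openssh on ubuntu. OpenSSH (OpenBSD Secure Shell) is a suite of connectivity tools maintained by the OpenBSD project for securely accessing remote computers. It is an open-source implementation of the SSH protocol that supports encrypting all traffic and can effectively prevent eavesdropping, connection hijacking and...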
