1、安装并开启telnet服务(先安装 telnet 作为备用登录通道,防止更新 ssh 失败后无法远程登录)
先检查CentOS是否已经安装以下两个安装包:telnet-server、xinetd。
命令如下:
[root@localhost ~]# rpm -qa telnet-server
[root@localhost ~]# rpm -qa xinetd
默认系统没有安装
配置本地yum源
[root@localhost ~]# mkdir -p /mnt/cdrom
[root@localhost ~]# mount /dev/sr0 /mnt/cdrom
mount: /dev/sr0 写保护,将以只读方式挂载
[root@localhost ~]# mkdir -p /etc/yum.repos.d/bak
[root@localhost ~]# mv /etc/yum.repos.d/*.repo /etc/yum.repos.d/bak/
[root@localhost ~]# vi /etc/yum.repos.d/system-iso.repo
编辑yum配置文件,添加以下内容
[system-iso]
name=This is centos7.4 system iso repo
baseurl=file:///mnt/cdrom/
enabled=1
gpgcheck=0
[root@localhost ~]# yum clean all
[root@localhost ~]# yum list
安装命令:
# yum -y install telnet-server
# yum -y install xinetd
安装完成后,将xinetd服务加入开机自启动:
[root@localhost ~]# systemctl enable xinetd.service
将telnet服务加入开机自启动:
[root@localhost ~]# systemctl enable telnet.socket
最后,启动以上两个服务即可:
[root@localhost ~]# systemctl start telnet.socket
[root@localhost ~]# systemctl start xinetd.service
检查服务是否开启
[root@localhost ~]# systemctl status telnet.socket
[root@localhost ~]# systemctl status xinetd.service
开启root用户远程登陆,开启root在telnet登陆
mv /etc/securetty /etc/securetty.bak 这样root用户就可以用telnet登陆了!(该文件限制 root 可以登录的终端,移走后限制即失效;ssh 升级验证完成后应把它恢复回去)
SSH协议中root开启登陆的设置
编辑/etc/ssh/sshd_config,将 #PermitRootLogin yes 这一行开头的“#”去掉,
然后重启SSH服务
systemctl restart sshd
关闭selinux、关闭防火墙(临时排障措施,升级验证完成后应恢复)
[root@localhost ~]# setenforce 0
[root@localhost ~]# systemctl stop firewalld.service
若系统不允许关闭防火墙,则需要为Telnet放行23端口
CentOS 7 采用了 firewalld 防火墙,查询是否开启23端口
[root@localhost ~]# firewall-cmd --query-port=23/tcp
no
显示23端口没有开启使用下面命令开启23端口
[root@localhost ~]# firewall-cmd --zone=public --add-port=23/tcp --permanent
success
重新加载firewall-cmd
[root@localhost ~]# firewall-cmd --complete-reload
success
重新查询23端口是否开放
[root@localhost ~]# firewall-cmd --query-port=23/tcp
yes
查询结果为 yes 表示23端口已开放!现在可以用telnet命令远程登陆CentOS7.4系统了!
注:telnet使用的是明文密码,为安全建议使用SSH加密登陆!ssh升级验证通过后,应停止telnet.socket并重新关闭23端口。
2、查看现在的版本
[root@localhost ~]# rpm -qa|grep ssh
openssh-clients-7.4p1-11.el7.x86_64
openssh-7.4p1-11.el7.x86_64
openssh-server-7.4p1-11.el7.x86_64
libssh2-1.4.3-10.el7_2.1.x86_64
3、下载新版本的openssh
https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/
下载openssh-8.5p1.tar.gz(下载后建议先核对官方发布的签名或校验值,再继续后续步骤)
上传安装包至/root目录
或者
wget https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/openssh-8.5p1.tar.gz
4、使用本地yum源,安装依赖包
yum install rpm-build gcc make wget openssl-devel krb5-devel pam-devel libX11-devel xmkmf libXt-devel gtk2-devel
5.创建对应目录并修改openssh.spec文件
[root@localhost ~]# tar -xf openssh-8.5p1.tar.gz
[root@localhost ~]# mkdir -p /root/rpmbuild/{SOURCES,SPECS}
[root@localhost ~]# cp openssh-8.5p1/contrib/redhat/openssh.spec /root/rpmbuild/SPECS/
[root@localhost ~]# cp /root/openssh-8.5p1.tar.gz /root/rpmbuild/SOURCES/
[root@localhost ~]# cd /root/rpmbuild/SPECS/
修改openssh.spec文件
[root@localhost SPECS]# sed -i -e "s/%define no_gnome_askpass 0/%define no_gnome_askpass 1/g" openssh.spec
[root@localhost SPECS]# sed -i -e "s/%define no_x11_askpass 0/%define no_x11_askpass 1/g" openssh.spec
[root@localhost SPECS]# sed -i -e "s/BuildPreReq/BuildRequires/g" openssh.spec
6.rpmbuild创建openssh rpm包
[root@localhost SPECS]# rpmbuild -bb openssh.spec
--告警1处理方法:
[root@localhost SPECS]# rpmbuild -bb openssh.spec
错误:文件 /root/rpmbuild/SOURCES/x11-ssh-askpass-1.2.4.1.tar.gz:没有那个文件或目录
解决方法:下载x11-ssh-askpass-1.2.4.1.tar.gz包并上传至/root/rpmbuild/SOURCES/目录
--告警2处理方法:
[root@localhost SPECS]# rpmbuild -bb openssh.spec
错误:构建依赖失败:
openssl-devel < 1.1 被 openssh-8.5p1-1.el7.centos.x86_64 需要
构建依赖失败:openssl-devel < 1.1 被 openssh-8.3p1-1.el7.x86_64 需要
解决方法:
vi openssh.spec 注释掉 BuildRequires: openssl-devel < 1.1 这一行(openssh 8.5p1 仍支持系统自带的 openssl 1.0.2k,见后面 ssh -V 的输出)
........................
写道:/root/rpmbuild/RPMS/x86_64/openssh-8.5p1-1.el7.centos.x86_64.rpm
写道:/root/rpmbuild/RPMS/x86_64/openssh-clients-8.5p1-1.el7.centos.x86_64.rpm
写道:/root/rpmbuild/RPMS/x86_64/openssh-server-8.5p1-1.el7.centos.x86_64.rpm
写道:/root/rpmbuild/RPMS/x86_64/openssh-askpass-8.5p1-1.el7.centos.x86_64.rpm
写道:/root/rpmbuild/RPMS/x86_64/openssh-askpass-gnome-8.5p1-1.el7.centos.x86_64.rpm
写道:/root/rpmbuild/RPMS/x86_64/openssh-debuginfo-8.5p1-1.el7.centos.x86_64.rpm
执行(%clean): /bin/sh -e /var/tmp/rpm-tmp.qsk2AE
+ umask 022
+ cd /root/rpmbuild/BUILD
+ cd openssh-8.5p1
+ rm -rf /root/rpmbuild/BUILDROOT/openssh-8.5p1-1.el7.centos.x86_64
+ exit 0
7.查看生成的rpm
[root@localhost SPECS]# ls -l /root/rpmbuild/RPMS/x86_64/
总用量 4836
-rw-r--r--. 1 root root 663112 5月 10 06:03 openssh-8.5p1-1.el7.centos.x86_64.rpm
-rw-r--r--. 1 root root 44340 5月 10 06:03 openssh-askpass-8.5p1-1.el7.centos.x86_64.rpm
-rw-r--r--. 1 root root 25596 5月 10 06:03 openssh-askpass-gnome-8.5p1-1.el7.centos.x86_64.rpm
-rw-r--r--. 1 root root 632680 5月 10 06:03 openssh-clients-8.5p1-1.el7.centos.x86_64.rpm
-rw-r--r--. 1 root root 3113920 5月 10 06:03 openssh-debuginfo-8.5p1-1.el7.centos.x86_64.rpm
-rw-r--r--. 1 root root 459308 5月 10 06:03 openssh-server-8.5p1-1.el7.centos.x86_64.rpm
8.升级openssh
[root@localhost SPECS]# rpm -Uvh /root/rpmbuild/RPMS/x86_64/*.rpm
准备中... ################################# [100%]
正在升级/安装...
1:openssh-8.5p1-1.el7.centos ################################# [ 11%]
2:openssh-askpass-8.5p1-1.el7.cento################################# [ 22%]
3:openssh-askpass-gnome-8.5p1-1.el7################################# [ 33%]
4:openssh-clients-8.5p1-1.el7.cento################################# [ 44%]
5:openssh-server-8.5p1-1.el7.centos警告:/etc/ssh/sshd_config 已建立为 /etc/ssh/sshd_config.rpmnew
################################# [ 56%]
6:openssh-debuginfo-8.5p1-1.el7.cen################################# [ 67%]
正在清理/删除...
7:openssh-server-7.4p1-11.el7 ################################# [ 78%]
8:openssh-clients-7.4p1-11.el7 ################################# [ 89%]
9:openssh-7.4p1-11.el7 ################################# [100%]
[root@localhost SPECS]#
9.检查升级后openssh版本
[root@localhost SPECS]# ssh -V
OpenSSH_8.5p1, OpenSSL 1.0.2k-fips 26 Jan 2017
[root@localhost SPECS]# rpm -qa|grep ssh
openssh-8.5p1-1.el7.centos.x86_64
openssh-debuginfo-8.5p1-1.el7.centos.x86_64
openssh-askpass-gnome-8.5p1-1.el7.centos.x86_64
openssh-clients-8.5p1-1.el7.centos.x86_64
openssh-server-8.5p1-1.el7.centos.x86_64
libssh2-1.4.3-10.el7_2.1.x86_64
openssh-askpass-8.5p1-1.el7.centos.x86_64
10、修改ssh配置文件参数,测试ssh登录
检查/etc/ssh/sshd_config中的PermitRootLogin项,改为yes
检查/etc/ssh/sshd_config中的PasswordAuthentication项,改为yes
在文件最后添加(下面的列表为兼容旧客户端而启用了基于 SHA-1 的 DH 密钥交换算法,其中 diffie-hellman-group1-sha1 重复出现;若没有旧客户端兼容需求,不建议加入 sha1 算法)
KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1,curve25519-sha256@libssh.org
--设置参数后重启sshd服务,若出现以下告警,处理方法如下:
[root@localhost SPECS]# systemctl restart sshd
Job for sshd.service failed because the control process exited with error code. See "systemctl status sshd.service" and "journalctl -xe" for details.
[root@localhost SPECS]# journalctl -xe
5月 10 06:12:07 localhost.localdomain sshd[56090]: It is required that your private key files are NOT accessible by others.
5月 10 06:12:07 localhost.localdomain sshd[56090]: This private key will be ignored.
5月 10 06:12:07 localhost.localdomain sshd[56090]: Unable to load host key "/etc/ssh/ssh_host_ecdsa_key": bad permissions
5月 10 06:12:07 localhost.localdomain sshd[56090]: Unable to load host key: /etc/ssh/ssh_host_ecdsa_key
5月 10 06:12:07 localhost.localdomain sshd[56090]: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
5月 10 06:12:07 localhost.localdomain sshd[56090]: @ WARNING: UNPROTECTED PRIVATE KEY FILE! @
5月 10 06:12:07 localhost.localdomain sshd[56090]: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
5月 10 06:12:07 localhost.localdomain sshd[56090]: Permissions 0640 for '/etc/ssh/ssh_host_ed25519_key' are too open.
5月 10 06:12:07 localhost.localdomain sshd[56090]: It is required that your private key files are NOT accessible by others.
5月 10 06:12:07 localhost.localdomain sshd[56090]: This private key will be ignored.
5月 10 06:12:07 localhost.localdomain sshd[56090]: Unable to load host key "/etc/ssh/ssh_host_ed25519_key": bad permissions
5月 10 06:12:07 localhost.localdomain sshd[56090]: Unable to load host key: /etc/ssh/ssh_host_ed25519_key
5月 10 06:12:07 localhost.localdomain sshd[56090]: sshd: no hostkeys available -- exiting.
5月 10 06:12:07 localhost.localdomain sshd[56090]: [失败]
从告警信息看,提示/etc/ssh/ssh_host_ecdsa_key、/etc/ssh/ssh_host_ed25519_key 文件权限有问题
修改文件权限
[root@localhost SPECS]# chmod 600 /etc/ssh/ssh_host_ecdsa_key
[root@localhost SPECS]# chmod 600 /etc/ssh/ssh_host_ed25519_key
[root@localhost SPECS]# chmod 600 /etc/ssh/ssh_host_rsa_key
重启sshd服务
[root@localhost SPECS]# systemctl restart sshd
测试ssh登录;若无法登录,按以下几种情况处理。
(坑一):
vi /etc/selinux/config---SELINUX=disabled 或者临时关闭setenforce 0
最终是修改了/etc/selinux/config,将SELINUX=enforcing改为SELINUX=disabled(setenforce 0 只对当前运行临时生效;永久关闭 SELinux 会降低系统防护,建议只作为排查手段)
(坑二):
检查/etc/ssh/sshd_config中的PermitRootLogin项,改为yes
检查/etc/ssh/sshd_config中的PasswordAuthentication项,改为yes
在文件最后添加(下面的列表为兼容旧客户端而启用了基于 SHA-1 的 DH 密钥交换算法,其中 diffie-hellman-group1-sha1 重复出现;若没有旧客户端兼容需求,不建议加入 sha1 算法)
KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1,curve25519-sha256@libssh.org
(坑三):
# 不修改这个文件(sshd 的 PAM 配置,即 /etc/pam.d/sshd),会出现密码正确却无法登陆的情况;覆盖前建议先备份原文件。
# (原文此处的 cat 命令被截断,下面按 here-doc 写入该文件的形式补全)
cat <<'EOF' > /etc/pam.d/sshd
#%PAM-1.0
auth required pam_sepermit.so
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
## pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
## pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth
EOF
# 重启服务
systemctl restart sshd
ssh测试可以正常登录!