Centos7 升级 openssh 和openssl

@[TOC]Centos7 升级 openssh 和openssl

centos7.6升级后的效果
[root@testssh ~]``# ssh -V``OpenSSH_8.0p1, OpenSSL 1.0.2r 26 Feb 2019``
[root@testssh ~]``# openssl version``OpenSSL 1.0.2r 26 Feb 2019` `
[root@testssh ~]``# cat /etc/redhat-release``CentOS Linux release 7.6.1810 (Core)``
[root@testssh ~]``#

安装过程中SSH会中断,为防止无法连接,先安装telent服务,待升级完成后删除telnet服务。

1. 安装telnet-server以及xinetd
[root@testssh ~]``# yum install xinetd telnet-server -y

2. 配置telnet

现在很多centos7版本安装telnet-server以及xinetd之后没有一个叫telnet的配置文件了。

如果下面telnet文件不存在的话,可以跳过这部分的更改

如果下面文件存在,请更改配置telnet可以root登录,把disable = no改成disable = yes

[root@testssh]# cat /etc/xinetd.d/telnet
# default: on
# description: The telnet server serves telnet sessions; it uses \
#   unencrypted username/password pairs for authentication.
service telnet
{
    disable = no
    flags       = REUSE
    socket_type = stream       
    wait        = no
    user        = root
    server      = /usr/sbin/in.telnetd
    log_on_failure  += USERID
}
 
[root@testssh]# vim /etc/xinetd.d/telnet
[root@testssh]# cat /etc/xinetd.d/telnet
# default: on
# description: The telnet server serves telnet sessions; it uses \
#   unencrypted username/password pairs for authentication.
service telnet
{
    disable = yes
    flags       = REUSE
    socket_type = stream       
    wait        = no
    user        = root
    server      = /usr/sbin/in.telnetd
    log_on_failure  += USERID
}

配置telnet登录的终端类型,在/etc/securetty文件末尾增加一些pts终端,如下

pts/0
pts/1
pts/2
pts/3

启动telnet服务,并设置开机自动启动

[root@testssh ~]# systemctl enable xinetd
  
[root@testssh ~]# systemctl enable telnet.socket
Created symlink from /etc/systemd/system/sockets.target.wants/telnet.socket to /usr/lib/systemd/system/telnet.socket.
[root@testssh ~]#
 
[root@testssh ~]# systemctl start telnet.socket
[root@testssh ~]# systemctl start xinetd
[root@testssh ~]# netstat -lntp|grep 23
tcp6       0      0 :::23                   :::*                    LISTEN      1/systemd          
[root@testssh ~]#

3. 安装依赖包


升级需要几个组件,有些是和编译相关的等

[root@testssh ~]# yum install  -y gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel  pam-devel
[root@testssh ~]# yum install  -y pam* zlib*

下载openssh包和openssl的包


我们都下载最新版本,下载箭头指的包

https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/

https://ftp.openssl.org/source/

开始安装openssl


备份下面2个文件或目录(如果存在的话就执行)

[root@testssh ~]# mv /usr/bin/openssl /usr/bin/openssl_bak
[root@testssh ~]# mv /usr/include/openssl /usr/include/openssl_bak

编译安装新版本的openssl

./config --prefix=/usr/local/ssl --openssldir=/usr/local/ssl shared
make
make install

下面2个文件或者目录做软链接
# ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
# ln -s /usr/local/ssl/include/openssl /usr/include/openssl

命令行执行下面2个命令加载新配置
# echo "/usr/local/ssl/lib" >> /etc/ld.so.conf
# /sbin/ldconfig

查看确认版本。没问题
# openssl version
OpenSSL 1.1.1l  24 Aug 2021

安装openssh


删除低版本OpenSSH的的rpm包

# rpm -e --nodeps `rpm -qa| grep openssh`

解压,并进入目录,执行配置命令

./configure --prefix=/usr/ --sysconfdir=/etc/ssh  --with-openssl-includes=/usr/local/ssl/include --with-ssl-dir=/usr/local/ssl   --with-zlib   --with-md5-passwords   --with-pam
make
make install

复制配置文件并设置允许root用户远程登录

# cp -a contrib/redhat/sshd.init /etc/init.d/sshd
# chmod +x /etc/init.d/sshd
# chkconfig --add sshd
# systemctl enable sshd

把原先的systemd管理的sshd文件删除或者移走或者删除,不移走的话影响我们重启sshd服务

# mv  /usr/lib/systemd/system/sshd.service  /data/
设置sshd服务开机启动
# chkconfig sshd on
接下来测试启停服务。都正常
# /etc/init.d/sshd restart
# netstat -lntp

测试版本。都正常

# ssh -V
OpenSSH_8.6p1, OpenSSL 1.1.1l  24 Aug 2021

网上的把contrib/redhat/sshd.pam文件拷贝到/etc/pam.d目录下发现无法ssh登陆,把相同机器的sshd.pam拷过来就正常了。

# cd /etc/pam.d/
# cat sshd
#%PAM-1.0
auth       required     pam_sepermit.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth

测试没问题后可以把telnet服务关闭了

[root@testssh ~]# systemctl disable xinetd.service
Removed symlink /etc/systemd/system/multi-user.target.wants/xinetd.service.
[root@testssh ~]# systemctl stop xinetd.service
[root@testssh ~]# systemctl disable telnet.socket
[root@testssh ~]# systemctl stop telnet.socket
[root@testssh ~]# netstat -lntp
上一篇:openssl交叉编译


下一篇:生成ssl 证书