I. When installing or upgrading on a production server, set up a backup remote access path first, so that a dropped connection during the OpenSSH upgrade cannot lock us out of the machine.
Local test environment: CentOS 7.2
1. Install telnet
[root@localhost ~]# yum install xinetd -y
[root@localhost xinetd.d]# yum install -y telnet-*
(telnet-* includes both the telnet client and the telnet server; they can also be installed separately by package name: yum install -y telnet telnet-server)
Note: if the server has no Internet access, mount the installation disc and install the xinetd and telnet RPM packages from it.
2. Edit the telnet configuration file
Open the file /etc/xinetd.d/telnet
[root@localhost /]# cd /etc/xinetd.d/
[root@localhost xinetd.d]# vim telnet
Change disable = yes to disable = no
Note: if there is no telnet file in the xinetd.d directory, create it manually and add the following:
service telnet
{
flags = REUSE
socket_type = stream
wait = no
user = root
server =/usr/sbin/in.telnetd
log_on_failure += USERID
disable = no
}
3. Start the telnet and xinetd services
[root@localhost xinetd.d]# /bin/systemctl start xinetd.service
[root@localhost xinetd.d]# ps -ef |grep xinetd (check that the service started)
root 28017 1 0 18:41 ? 00:00:00 /usr/sbin/xinetd -stayalive -pidfile /var/run/xinetd.pid
root 28273 27581 0 18:41 pts/1 00:00:00 grep --color=auto xinetd
Output like the above means the xinetd service started normally.
[root@localhost xinetd.d]# /bin/systemctl status telnet.socket (check the telnet service status)
If you see the following, the port is not open:
[root@localhost system]# /bin/systemctl status telnet.socket
● telnet.socket - Telnet Server Activation Socket
Loaded: loaded (/usr/lib/systemd/system/telnet.socket; disabled; vendor preset: disabled)
Active: failed (Result: resources)
Docs: man:telnetd(8)
Listen: [::]:23 (Stream)
Accepted: 0; Connected: 0
May 11 18:38:30 localhost.localdomain systemd[1]: Closed Telnet Server Activa...
May 11 18:43:27 localhost.localdomain systemd[1]: telnet.socket failed to lis...
May 11 18:43:27 localhost.localdomain systemd[1]: Failed to listen on Telnet ...
May 11 18:43:27 localhost.localdomain systemd[1]: Unit telnet.socket entered ...
May 11 18:43:27 localhost.localdomain systemd[1]: Starting Telnet Server Acti...
Hint: Some lines were ellipsized, use -l to show in full.
Solution:
Temporarily stop the firewall
[root@localhost system]# systemctl stop firewalld.service
4. Test the telnet connection:
Success!!
II. Upgrading and deploying OpenSSH
OpenSSH download address:
https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.6p1.tar.gz
Upgrade OpenSSH directly
[root@localhost ~]# yum install -y zlib openssl-devel pam-devel
(download the dependency packages)
[root@localhost src]# cd /usr/local/src/
[root@localhost src]#
wget https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.6p1.tar.gz
(download OpenSSH)
[root@localhost src]# tar -axvf openssh-8.6p1.tar.gz (extract OpenSSH)
[root@localhost src]# rpm -qa |grep openssh (check the installed openssh version and related packages)
openssh-6.6.1p1-22.el7.x86_64
openssh-server-6.6.1p1-22.el7.x86_64
openssh-clients-6.6.1p1-22.el7.x86_64
[root@localhost src]# rpm -e --nodeps openssh-7.4p1-21.el7.x86_64
[root@localhost src]# rpm -e --nodeps openssh-clients-7.4p1-21.el7.x86_64
[root@localhost src]# rpm -e --nodeps openssh-server-7.4p1-21.el7.x86_64
(remove the old version)
The following commands are run inside the extracted openssh directory:
[root@localhost src]# cd openssh-8.6p1
[root@localhost openssh-8.6p1]# mkdir /usr/local/openssh
[root@localhost openssh-8.6p1]# ./configure --prefix=/usr/local/openssh/ --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-zlib --with-openssl-includes=/usr --with-privsep-path=/var/lib/sshd
[root@localhost openssh-8.6p1]# make && make install
[root@localhost openssh-8.6p1]# cp -p contrib/redhat/sshd.init /etc/init.d/sshd
[root@localhost openssh-8.6p1]# chmod +x /etc/init.d/sshd
[root@localhost openssh-8.6p1]# chkconfig --add sshd
[root@localhost openssh-8.6p1]# cp sshd_config /etc/ssh/sshd_config
[root@localhost openssh-8.6p1]# cp /usr/local/openssh/sbin/sshd /usr/sbin/sshd
[root@localhost openssh-8.6p1]# cp ssh-keygen /usr/bin/
[root@localhost openssh-8.6p1]# vim /etc/init.d/sshd
Change lines 25, 41 and 50 as follows (/usr/local/openssh/ is the OpenSSH install directory):
SSHD=/usr/sbin/sshd  to  SSHD=/usr/local/openssh/sbin/sshd
/usr/sbin/ssh-keygen -A  to  /usr/local/openssh/bin/ssh-keygen -A
Above the line $SSHD $OPTIONS && success || failure, add OPTIONS="-f /etc/ssh/sshd_config" (there must be no space after "=", otherwise ssh will not start)
[root@localhost ~]# vim /etc/ssh/sshd_config
Append PermitRootLogin yes at the end of the file
Change Subsystem sftp /usr/libexec/sftp-server to
Subsystem sftp /usr/local/openssh/libexec/sftp-server
# This change is required if you want to upload files with WinSCP; otherwise the client cannot connect to the server
[root@localhost openssh-8.6p1]# systemctl daemon-reload
[root@localhost Desktop]# ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key
[root@localhost Desktop]# ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key
(when asked whether to overwrite, press "y", then just press Enter for the remaining prompts)
[root@localhost Desktop]# chmod 600 /etc/ssh/ssh_host_ecdsa_key
[root@localhost Desktop]# chmod 600 /etc/ssh/ssh_host_rsa_key
(fix the file permissions)
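As an added example (not part of the original post), the following script runs, before the restart in the next step and while the telnet fallback is still open, the checks that catch the mistakes this procedure most often produces: a badly formed OPTIONS= line in /etc/init.d/sshd, an sftp Subsystem that points at a missing binary, host keys that are not mode 600, and a configuration the new sshd rejects (sshd -t). The function names, the --run flag and the environment-variable overrides are my own assumptions; the default paths are the ones used above.

```shell
#!/bin/sh
# Added pre-restart checks (not part of the original post). Run them after
# the edits above and before "systemctl restart sshd", while the telnet
# fallback is still reachable. Paths default to the ones used in this guide.
SSHD_BIN=${SSHD_BIN:-/usr/local/openssh/sbin/sshd}
SSHD_CONFIG=${SSHD_CONFIG:-/etc/ssh/sshd_config}
INIT_SCRIPT=${INIT_SCRIPT:-/etc/init.d/sshd}
KEY_DIR=${KEY_DIR:-/etc/ssh}

# 1. OPTIONS="-f ..." in the init script must have no whitespace around "=",
#    otherwise the shell treats OPTIONS as a command and sshd never starts.
check_init_options() {      # $1 = path of the init script
    grep -q '^OPTIONS="-f [^"]*"$' "$1"
}

# 2. The sftp Subsystem must name an existing executable (the new
#    /usr/local/openssh/libexec/sftp-server), or sftp/WinSCP sessions fail.
check_sftp_subsystem() {    # $1 = path of sshd_config
    path=$(awk '$1 == "Subsystem" && $2 == "sftp" { print $3 }' "$1")
    [ -n "$path" ] && [ -x "$path" ]
}

# 3. Every ssh_host_*_key must be mode 600; sshd refuses group/world-readable keys.
check_hostkey_perms() {     # $1 = directory holding the host keys
    for key in "$1"/ssh_host_*_key; do
        [ -f "$key" ] || continue
        [ "$(stat -c %a "$key")" = "600" ] || return 1
    done
}

# 4. Syntax-check the config with the NEW binary (sshd -t). If the binary is
#    not installed yet this check is skipped so the others still run.
check_config_syntax() {
    [ -x "$SSHD_BIN" ] || { echo "skip: $SSHD_BIN not found"; return 0; }
    "$SSHD_BIN" -t -f "$SSHD_CONFIG"
}

# Run all checks; return non-zero if any fails so the restart can be aborted.
preflight() {
    rc=0
    check_init_options "$INIT_SCRIPT"   && echo "ok: init OPTIONS"   || { echo "FAIL: OPTIONS line in $INIT_SCRIPT"; rc=1; }
    check_sftp_subsystem "$SSHD_CONFIG" && echo "ok: sftp subsystem" || { echo "FAIL: sftp-server path in $SSHD_CONFIG"; rc=1; }
    check_hostkey_perms "$KEY_DIR"      && echo "ok: host key perms" || { echo "FAIL: a host key in $KEY_DIR is not mode 600"; rc=1; }
    check_config_syntax                 && echo "ok: sshd -t (or skipped)" || { echo "FAIL: sshd -t rejected $SSHD_CONFIG"; rc=1; }
    # PermitRootLogin yes is added above for the upgrade; flag it for cleanup.
    grep -q '^PermitRootLogin yes' "$SSHD_CONFIG" 2>/dev/null && echo "note: PermitRootLogin yes is set; tighten it once key-based login is verified"
    return $rc
}
if [ "${1:-}" = "--run" ]; then preflight; fi
```

Save it as preflight.sh and run sh preflight.sh --run as root; fix anything marked FAIL before running systemctl restart sshd.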
[root@localhost openssh-8.6p1]# systemctl restart sshd
(restart the ssh service)
Test the SSH connection:
Connects normally.
Check the openssh version:
[root@localhost ~]# ssh -V
OpenSSH_8.6p1, OpenSSL 1.0.2k-fips 26 Jan 2017
III. Re-enable the firewall and shut down the telnet service
systemctl start firewalld (start the firewall)
systemctl stop xinetd (stop the service)
systemctl disable xinetd (do not start it at boot)