Offline OpenSSH update on CentOS 7

### Background

The customer's network security department required OpenSSH to be upgraded and weak encryption methods to be disabled by configuration. I did the upgrade today and am recording the steps here.

#### Part 1: Upgrading OpenSSH

###### 1. Download the openssl, openssh, telnet, xinetd and pam packages and upload them to /usr/local/src

Note: I did not confirm whether this OpenSSH version actually requires a newer OpenSSL; I updated both together, following the method found online. telnet and xinetd are installed so that a telnet login remains available in case ssh stops working during the update. I obtained the required rpm packages in advance by running yum install on another CentOS machine with the local package cache enabled, then copied them over.

###### 2. Install telnet and xinetd with rpm

```
rpm -ivh xinetd-2.3.15-14.el7.x86_64.rpm
rpm -ivh telnet-server-0.17-66.el7.x86_64.rpm
```

###### 3. Configure the terminal types allowed for telnet login by appending some pts terminals to the end of /etc/securetty, like this:

```
pts/0
pts/1
pts/2
pts/3
```

/etc/securetty controls where root may log in; listing pts entries here allows root to log in over the plaintext telnet session, so these entries and the telnet service are worth removing again once the new sshd has been verified.

###### 5. Open the telnet port in the firewall

This is the firewalld public zone definition (/etc/firewalld/zones/public.xml); only its header is reproduced here, the zone's `<service>` entries are not shown. The equivalent command-line change is `firewall-cmd --permanent --add-service=telnet` followed by `firewall-cmd --reload`.

```
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
</zone>
```

###### 6. Start xinetd and telnet, then log in over telnet

```
systemctl enable xinetd
systemctl start xinetd
systemctl enable telnet.socket
systemctl start telnet.socket
```

###### 7. Install the pam packages (without them the OpenSSH build reports an error)

```
rpm -ivh --replacefiles pam-1.1.8-23.el7.x86_64.rpm
rpm -ivh pam-devel-1.1.8-23.el7.x86_64.rpm
```

###### 8. Install OpenSSL

```
# Keep the distribution's binary and headers as a fallback
mv /usr/bin/openssl /usr/bin/openssl_bak
mv /usr/include/openssl /usr/include/openssl_bak
cd /usr/local/src/openssl-1.1.1k
./config shared --prefix=/usr/local/ssl && make && make install
ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
ln -s /usr/local/ssl/include/openssl /usr/include/openssl
# If "openssl version" cannot find libssl.so.1.1 / libcrypto.so.1.1, the
# shared libraries in /usr/local/ssl/lib are not on the loader path yet:
# add that directory in a file under /etc/ld.so.conf.d/ and run ldconfig
```

###### 9. If the previous step completed without errors, continue with OpenSSH; if it reports a missing dependency, download the corresponding package

```
# The new install generates fresh host keys under /etc/ssh; clients will see a
# changed-host-key warning unless the old ssh_host_* keys are copied back
mv /etc/ssh /etc/ssh.bak
cd /usr/local/src/openssh-8.0p1
./configure --prefix=/usr/ --sysconfdir=/etc/ssh --with-openssl-includes=/usr/local/ssl/include --with-ssl-dir=/usr/local/ssl --with-zlib --with-md5-passwords --with-pam && make && make install
cp -a contrib/redhat/sshd.init /etc/init.d/sshd
# sshd authenticates through the PAM service "sshd", so the file must be
# /etc/pam.d/sshd (a file named sshd.pam is never consulted)
cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd
chmod +x /etc/init.d/sshd
```

###### 10. Add the startup entry and start the service

```
# Set the old systemd unit aside so the SysV init script from step 9 is used
mv /usr/lib/systemd/system/sshd.service /usr/lib/systemd/system/sshd.service.bak
chkconfig sshd on
systemctl restart sshd
```

Check the installed version with `ssh -V`.

#### Part 2: Disabling weak cipher algorithms

Edit /etc/ssh/sshd_config with `vi` and add:

```
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
```
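Before restarting sshd it is worth checking what the edited Ciphers line actually allows. The script below is an added example and not part of the original post: it extracts the first Ciphers line from sshd_config text (the first occurrence is the one sshd honours) and reports entries in CBC mode, 3DES, arcfour, blowfish or cast128, which vulnerability scanners normally still flag; run against the line added above it reports aes128-cbc and 3des-cbc. The sample config text is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): audit the Ciphers line of an
# sshd_config for algorithms that vulnerability scanners commonly flag.

# Constructed sample, mirroring the Ciphers line added in Part 2.
SAMPLE_CONFIG='Port 22
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
PermitRootLogin no'

# Print the value of the first Ciphers keyword in the config text given as $1
# (sshd uses the first occurrence of a keyword; keywords are case-insensitive).
ciphers_of() {
    printf '%s\n' "$1" | awk 'tolower($1) == "ciphers" { print $2; exit }'
}

# Given a comma-separated cipher list in $1, print each weak entry on its own
# line and return 1; return 0 (printing nothing) when the list is clean.
# Flagged: any CBC-mode cipher, 3DES, arcfour/RC4, blowfish and cast128.
weak_ciphers() {
    found=$(printf '%s\n' "$1" | tr ',' '\n' \
        | grep -Ei -- '-cbc(@|$)|^3des|arcfour|blowfish|cast128' || true)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Audit a config text: 0 = clean, 1 = weak entries present, 2 = no Ciphers
# line. For the effective server config on a host run: audit_config "$(sshd -T)"
audit_config() {
    list=$(ciphers_of "$1")
    if [ -z "$list" ]; then
        echo "no Ciphers line: sshd will use its built-in default list"
        return 2
    fi
    if weak=$(weak_ciphers "$list"); then
        echo "OK: $list"
    else
        echo "WEAK entries present: $(printf '%s' "$weak" | tr '\n' ' ')"
        return 1
    fi
}

if audit_config "$SAMPLE_CONFIG"; then
    echo "config passes"
else
    echo "config needs attention (status $?)"
fi
```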