Offline OpenSSH upgrade on CentOS 7
### Background
#### At the request of the customer's network security department, openssh had to be upgraded and weak ciphers disabled. I did the upgrade today and am writing the steps down here.
##### I. Upgrade openssh
###### 1. Download the openssl, openssh, telnet, xinetd and pam packages and upload them to /usr/local/src
Notes: I did not confirm whether this openssh version actually requires the newer openssl; following the method found online, I updated both together.
telnet and xinetd are there so that there is still a way in if ssh stops working during the update: telnet is configured as the fallback connection.
I prepared the needed rpm packages in advance on another CentOS machine, letting yum install cache them locally, then copied them over.
###### 2. Install telnet and xinetd with rpm
```
rpm -ivh xinetd-2.3.15-14.el7.x86_64.rpm
rpm -ivh telnet-server-0.17-66.el7.x86_64.rpm
```
###### 3. Configure the terminal types allowed for telnet login: root may only log in on terminals listed in /etc/securetty, and telnet sessions arrive on pts/N, so append some pts entries to the end of the file, as follows:
```
pts/0
pts/1
pts/2
pts/3
```
###### 5. Open the telnet port in the firewall
The firewalld public zone file (/etc/firewalld/zones/public.xml) with the telnet service added (firewalld ships a service definition named telnet for 23/tcp; `firewall-cmd --permanent --add-service=telnet` produces the same entry), reloaded afterwards with `firewall-cmd --reload`:
```
<?xml version="1.0" encoding="utf-8"?>
<zone>
  <short>Public</short>
  <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
  <!-- stock entries of the public zone; keep ssh so the normal path stays open -->
  <service name="ssh"/>
  <service name="dhcpv6-client"/>
  <!-- added for this step: allow telnet (23/tcp) as the fallback -->
  <service name="telnet"/>
</zone>
```
###### 6. Start xinetd and telnet, then log in over telnet to confirm the fallback works before touching ssh
```
systemctl enable xinetd
systemctl start xinetd
systemctl enable telnet.socket
systemctl start telnet.socket
```
###### 7. Install the pam packages (without them the openssh build fails)
```
rpm -ivh --replacefiles pam-1.1.8-23.el7.x86_64.rpm
rpm -ivh pam-devel-1.1.8-23.el7.x86_64.rpm
```
###### 8. Install openssl
```
# move the distro openssl binary and headers aside instead of deleting them
mv /usr/bin/openssl /usr/bin/openssl_bak
mv /usr/include/openssl /usr/include/openssl_bak
# source tarball already extracted under /usr/local/src
cd /usr/local/src/openssl-1.1.1k
./config shared --prefix=/usr/local/ssl && make && make install
ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
ln -s /usr/local/ssl/include/openssl /usr/include/openssl
# the new libssl.so.1.1/libcrypto.so.1.1 live outside the default library path;
# register them, otherwise the new openssl binary fails to load its own libraries
echo "/usr/local/ssl/lib" > /etc/ld.so.conf.d/openssl-1.1.1k.conf
ldconfig
openssl version
```
###### 9. If that finished without errors, continue with openssh; if configure reports a missing dependency, download the corresponding package
```
# move the old config and host keys aside; make install generates fresh ones
mv /etc/ssh /etc/ssh.bak
cd /usr/local/src/openssh-8.0p1
./configure --prefix=/usr/ --sysconfdir=/etc/ssh --with-openssl-includes=/usr/local/ssl/include --with-ssl-dir=/usr/local/ssl --with-zlib --with-md5-passwords --with-pam && make && make install
cp -a contrib/redhat/sshd.init /etc/init.d/sshd
# PAM looks the service file up by the name "sshd", so it has to be /etc/pam.d/sshd
cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd
chmod +x /etc/init.d/sshd
```
The freshly generated /etc/ssh/sshd_config carries upstream defaults (UsePAM no, PermitRootLogin prohibit-password) rather than the CentOS package's settings, so compare it with /etc/ssh.bak/sshd_config before restarting; this is exactly the moment the telnet fallback is for.
###### 10. Add the startup entry and start the service
```
# retire the packaged unit so systemd generates one from /etc/init.d/sshd
mv /usr/lib/systemd/system/sshd.service /usr/lib/systemd/system/sshd.service.bak
systemctl daemon-reload
chkconfig sshd on
systemctl restart sshd
```
Check the version with `ssh -V`; the server side shows up in a new session's debug output (`ssh -v`) as `remote software version OpenSSH_8.0`.
#### II. Disable weak ciphers
Edit `/etc/ssh/sshd_config` with `vi` and add:
```
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
```
Then validate and restart: `sshd -t && systemctl restart sshd`. Note that aes128-cbc and 3des-cbc are themselves what most scanners report as weak (CBC mode, 3DES), so if the finding is about those, keep only the -ctr entries; 8.0p1 also offers aes256-gcm@openssh.com and chacha20-poly1305@openssh.com.
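To verify the result after the restart, here is an added shell example (not part of the original post) that reads the effective cipher list from `sshd -T` and flags the entries scanners usually still report, such as the two CBC ciphers in the line above. The weak-name patterns and the config path are my assumptions, and `sshd -T` has to run as root.

```shell
#!/bin/sh
# Added example, not from the original post: audit the sshd "Ciphers" setting.
# WEAK_PATTERNS is an assumption: the cipher names scanners usually flag
# (CBC mode, 3DES, RC4/arcfour, Blowfish, CAST).
WEAK_PATTERNS='cbc|3des|arcfour|blowfish|cast128'

# Print the weak entries of a comma-separated cipher list, one per line.
weak_ciphers() {
  printf '%s\n' "$1" | tr ',' '\n' | grep -E "$WEAK_PATTERNS" || true
}

# Print the list with the weak entries removed, comma-separated again.
harden_ciphers() {
  printf '%s\n' "$1" | tr ',' '\n' | grep -Ev "$WEAK_PATTERNS" | paste -sd, -
}

# Effective cipher list as sshd itself evaluates the config ("sshd -T" needs
# root because it loads the host keys); the default path is an assumption.
effective_ciphers() {
  /usr/sbin/sshd -T -f "${1:-/etc/ssh/sshd_config}" 2>/dev/null |
    awk '$1 == "ciphers" { print $2 }'
}

# Exit 1 with a suggested replacement line if anything weak is still enabled.
check_ciphers() {
  list=$(effective_ciphers "$1")
  [ -n "$list" ] || { echo "could not read ciphers from sshd -T" >&2; return 2; }
  weak=$(weak_ciphers "$list" | paste -sd, -)
  if [ -n "$weak" ]; then
    echo "weak ciphers enabled: $weak" >&2
    echo "suggested: Ciphers $(harden_ciphers "$list")" >&2
    return 1
  fi
  echo "ok: Ciphers $list"
}
```

Running `check_ciphers` against the line above reports aes128-cbc,3des-cbc and suggests `Ciphers aes128-ctr,aes192-ctr,aes256-ctr`.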