centos升級openssl方法及步驟

1.下載要升級到的openssl包
https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.4p1.tar.gz

2.升級openssh前開通telnet
1)查看telnet包
rpm -qa|grep telnet
--如未安裝，則yum安裝
# yum install telnet
# yum install telnet-server

2)啓動telnet
--編輯telnet文件,將disable改爲no
# vi /etc/xinetd.d/telnet
# default: on
# description: The telnet server serves telnet sessions; it uses \
# unencrypted username/password pairs for authentication.
service telnet
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
disable = no
}

--重啓xinetd服務
service xinetd restart
or
/etc/rc.d/init.d/xinetd restart

--經過telnet鏈接服務器

c:\> telnet 192.168.5.5
--默認telnet只能鏈接普通用戶,而後,跳轉到root用戶

3.備份原openssh相關文件
# cp /usr/sbin/sshd /usr/sbin/sshd.bak
# cp /etc/ssh/ssh_config /etc/ssh/ssh_config.bak
# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
# cp /etc/ssh/moduli /etc/ssh/moduli.bak
--刪除掉下面三個文件,不然安裝的時候會報錯.
rm -rf /etc/ssh/ssh_config
rm -rf /etc/ssh/sshd_config
rm -rf /etc/ssh/moduli
--安裝編譯所需包
yum install gcc
yum install pam-devel
yum install zlib-devel
yum install openssl-devel

4.解壓並安裝新版本openssh
# tar -zxvf openssh-7.4p1.tar.gz
# cd openssh-7.4p1
#./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-pam --with-md5-passwords --mandir=/usr/share/man
--configure報錯終止,從新編譯前先清理以前的編譯信息.
# make clean
# ldconfig
# ./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-pam --with-md5-passwords --mandir=/usr/share/man
# make && make install

# /etc/init.d/sshd restart

5.覆蓋舊的文件
# cp -p /softs/openssh-7.4p1/contrib/redhat/sshd.init /etc/init.d/sshd
# hmod u+x /etc/init.d/sshd
# chkconfig --add sshd
# cp /usr/local/openssh/sbin/sshd /usr/sbin/sshd

# cp /usr/local/openssh/sbin/sshd /usr/sbin/sshd
cp: overwrite `/usr/sbin/sshd'? y
cp: cannot create regular file `/usr/sbin/sshd': Text file busy
文件正在被使用
# ps -ef|grep sshd

# kill -9 77777
# ps -ef|grep sshd

--從新覆蓋：
# cp /usr/local/openssh/bin/ssh /usr/bin/ssh
# service sshd restart

Stopping sshd: [ OK ]
ssh-keygen: illegal option -- A
usage: ssh-keygen [options]
Options:
...

# cat /etc/init.d/sshd
start()
{
# Create keys if necessary
/usr/bin/ssh-keygen -A
if [ -x /sbin/restorecon ]; then
/sbin/restorecon /etc/ssh/ssh_host_key.pub
/sbin/restorecon /etc/ssh/ssh_host_rsa_key.pub
/sbin/restorecon /etc/ssh/ssh_host_dsa_key.pub
/sbin/restorecon /etc/ssh/ssh_host_ecdsa_key.pub
fi

echo -n $"Starting $prog:"
$SSHD $OPTIONS && success || failure
RETVAL=$?
[ $RETVAL -eq 0 ] && touch /var/lock/subsys/sshd
echo
}
--因低版本的ssh-keygen沒有-A參數,所以，以下解決。
# cp /usr/local/openssh/bin/ssh-keygen /usr/bin/ssh-keygen

--重啓sshd服務：
# service sshd restart

# vi /etc/ssh/sshd_config

--去掉以下條目註釋,容許root經過ssh登陸
PermitRootLogin yes

--註釋掉下面三個參數
#GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
#UsePAM yes

6.重啓sshd服務,並經過ssh鏈接服務器
# service sshd restart
c:\> ssh 192.168.5.5

# ssh -V

7.禁用telnet
# vi /etc/xinetd.d/telnet

# default: on
# description: The telnet server serves telnet sessions; it uses \
# unencrypted username/password pairs for authentication.
service telnet
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
disable = yes
}

--中止xinetd服務
# service xinetd stop
# chkconfig --list xinetd
# chkconfig xinetd off
# chkconfig --list xinetd

--如winscp登陸linux報錯,可以下解決
# vi /etc/ssh/sshd_config
--註釋掉以下條目
#Subsystem sftp /usr/libexec/openssh/sftp-server
--添加以下條目
Subsystem sftp internal-sftp

--重啓sshd服務：# service sshd restart