CentOS7 升級 openssh 到 openssh-8.0p1版本

時間 2019-11-17

標籤 centos7 centos 升級 openssh 8.0p1 版本欄目 Tomcat 简体版

原文原文鏈接

centos7.3和centos7.6升級完畢測試登陸ssh以及重啓後登陸ssh均無問題。html

前期請自行配置好yum源（若是不會請百度）node

整個過程不須要卸載原先的openssl包和openssh的rpm包。不影響咱們的操做linux

本文的環境都是系統自帶的openssh，沒有經歷過手動編譯安裝方式。若是以前有手動編譯安裝過openssh，請參照本文自行測試是否能成功。c++

若是嚴格參照本文操做，我保證你升級沒問題vim

centos7.6升級後的效果centos

 
        [root@testssh ~] 
        # ssh -V 
       
        OpenSSH_8.0p1, OpenSSL 1.0.2r  26 Feb 2019 
       
        [root@testssh ~] 
        # openssl version 
       
        OpenSSL 1.0.2r  26 Feb 2019 
       
        [root@testssh ~] 
        # cat /etc/redhat-release 
       
        CentOS Linux release 7.6.1810 (Core) 
       
        [root@testssh ~] 
        #

centos7.3升級後的效果api

 
        [root@linux-node3 ~] 
        # openssl version 
       
        OpenSSL 1.0.2r  26 Feb 2019 
       
        [root@linux-node3 ~] 
        # ssh -V 
       
        OpenSSH_8.0p1, OpenSSL 1.0.2r  26 Feb 2019 
       
        [root@linux-node3 ~] 
        # cat /etc/redhat-release 
       
        CentOS Linux release 7.3.1611 (Core) 
       
        [root@linux-node3 ~] 
        #

若是ssh版本太低，最好先yum update openssh升級下到目前yum倉庫默認的openssh7.4p1版本數組

默認centos7.3的ssh是以下版本bash

 
        [root@linux-node3 ~] 
        # cat /etc/redhat-release 
       
        CentOS Linux release 7.3.1611 (Core) 
       
        [root@linux-node3 ~] 
        # ssh -V 
       
        OpenSSH_6.6.1p1, OpenSSL 1.0.1e-fips 11 Feb 2013 
       
        [root@linux-node3 ~] 
        #

執行yum update openssh先升級下（反正官方提供的這種升級是沒問題的。若是以前手動編譯操做過openssh的升級，變動了默認配置文件路徑什麼的請自行測試。）session

（這裏準備統一openssh版本爲7.4p1以後再統一編譯安裝升級到openssh8.0p1）

 
        [root@linux-node3 ~] 
        # yum update openssh -y 
       
        [root@linux-node3 ~] 
        # ssh -V 
       
        OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017 
       
        [root@linux-node3 ~] 
        #

安裝telnet-server以及xinetd

 
        [root@linux-node3 ~] 
        # yum install xinetd telnet-server -y 
       
        Loaded plugins: fastestmirror 
       
        Loading mirror speeds from cached hostfile 
       
        * base: mirrors.163.com 
       
        * epel: mirrors.aliyun.com 
       
        * extras: mirrors.cn99.com 
       
        * updates: mirrors.cn99.com 
       
        Package 2:xinetd-2.3.15-13.el7.x86_64 already installed and latest version 
       
        Package 1:telnet-server-0.17-64.el7.x86_64 already installed and latest version 
       
        Nothing to  
        do 
       
        [root@linux-node3 ~] 
        #

配置telnet

如今不少centos7版本安裝telnet-server以及xinetd以後沒有一個叫telnet的配置文件了。

若是下面telnet文件不存在的話，能夠跳過這部分的更改

 
        [root@linux-node3 ~] 
        # ll /etc/xinetd.d/telnet 
       
        ls 
        : cannot access  
        /etc/xinetd 
        .d 
        /telnet 
        : No such  
        file  
        or directory

若是下面文件存在，請更改配置telnet能夠root登陸，把disable = yes改爲disable = no

 
        [root@rhel yum.repos.d] 
        # cat /etc/xinetd.d/telnet 
       
        # default: on 
       
        # description: The telnet server serves telnet sessions; it uses \ 
       
        #   unencrypted username/password pairs for authentication. 
       
        service telnet 
       
        { 
       
        disable = no 
       
        flags       = REUSE 
       
        socket_type = stream        
       
        wait        = no 
       
        user        = root 
       
        server      =  
        /usr/sbin/in 
        .telnetd 
       
        log_on_failure  += USERID 
       
        } 
       
        [root@rhel yum.repos.d] 
        # vim /etc/xinetd.d/telnet 
       
        [root@rhel yum.repos.d] 
        # cat /etc/xinetd.d/telnet 
       
        # default: on 
       
        # description: The telnet server serves telnet sessions; it uses \ 
       
        #   unencrypted username/password pairs for authentication. 
       
        service telnet 
       
        { 
       
        disable =  
        yes 
       
        flags       = REUSE 
       
        socket_type = stream        
       
        wait        = no 
       
        user        = root 
       
        server      =  
        /usr/sbin/in 
        .telnetd 
       
        log_on_failure  += USERID 
       
        }

配置telnet登陸的終端類型，在/etc/securetty文件末尾增長一些pts終端，以下

配置以後的顯示

 
        [root@linux-node3 ~] 
        # vim /etc/securetty 
       
        [root@linux-node3 ~] 
        # tail -5 /etc/securetty 
       
        xvc0 
       
        pts 
        /0 
       
        pts 
        /1 
       
        pts 
        /2 
       
        pts 
        /3 
       
        [root@linux-node3 ~] 
        #

啓動telnet服務，並設置開機自動啓動

 
        [root@linux-node3 ~] 
        # systemctl enable xinetd 
       
        [root@linux-node3 ~] 
        # systemctl enable telnet.socket 
       
        Created  
        symlink  
        from  
        /etc/systemd/system/sockets 
        .target.wants 
        /telnet 
        .socket to  
        /usr/lib/systemd/system/telnet 
        .socket. 
       
        [root@linux-node3 ~] 
        # 
       
        [root@linux-node3 ~] 
        # systemctl start telnet.socket 
       
        [root@linux-node3 ~] 
        # systemctl start xinetd 
       
        [root@linux-node3 ~] 
        # netstat -lntp|grep 23 
       
        tcp6       0      0 :::23                   :::*                    LISTEN      1 
        /systemd           
       
        [root@linux-node3 ~] 
        #

切換到telnet方式登陸，之後的操做都在telnet終端下操做，防止ssh鏈接意外中斷形成升級失敗

telnet方式登陸

安裝依賴包

升級須要幾個組件，有些是和編譯相關的等

 
        [root@linux-node3 ~] 
        # yum install  -y gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel  pam-devel 
       
        Loaded plugins: fastestmirror 
       
        Loading mirror speeds from cached hostfile 
       
        * base: mirrors.163.com 
       
        * epel: mirrors.aliyun.com 
       
        * extras: mirrors.cn99.com 
       
        * updates: mirrors.cn99.com 
       
        Package  
        gcc 
        -4.8.5-36.el7_6.1.x86_64 already installed and latest version 
       
        Package  
        gcc 
        -c++-4.8.5-36.el7_6.1.x86_64 already installed and latest version 
       
        Package glibc-2.17-260.el7_6.4.x86_64 already installed and latest version 
       
        Package 1: 
        make 
        -3.82-23.el7.x86_64 already installed and latest version 
       
        Package autoconf-2.69-11.el7.noarch already installed and latest version 
       
        Package 1:openssl-1.0.2k-16.el7_6.1.x86_64 already installed and latest version 
       
        Package 1:openssl-devel-1.0.2k-16.el7_6.1.x86_64 already installed and latest version 
       
        Package pcre-devel-8.32-17.el7.x86_64 already installed and latest version 
       
        Package pam-devel-1.1.8-22.el7.x86_64 already installed and latest version 
       
        Nothing to  
        do 
       
        [root@linux-node3 ~] 
        #

安裝pam和zlib等（後面的升級操做可能沒用到pam，安裝上也沒啥影響，若是不想安裝pam請自行測試）

 
        [root@linux-node3 ~] 
        # yum install  -y pam* zlib* 
       
        Loaded plugins: fastestmirror 
       
        Loading mirror speeds from cached hostfile 
       
        * base: mirrors.163.com 
       
        * epel: mirrors.aliyun.com 
       
        * extras: mirrors.cn99.com 
       
        * updates: mirrors.cn99.com 
       
        Package pam_yubico-2.26-1.el7.x86_64 already installed and latest version 
       
        Package pam_script-1.1.8-1.el7.x86_64 already installed and latest version 
       
        Package pam_oath-2.4.1-9.el7.x86_64 already installed and latest version 
       
        Package pam_snapper-0.2.8-4.el7.x86_64 already installed and latest version 
       
        Package pam_ssh_agent_auth-0.10.3-2.16.el7.x86_64 already installed and latest version 
       
        Package pam_2fa-1.0-1.el7.x86_64 already installed and latest version 
       
        Package pam_mapi-0.3.4-1.el7.x86_64 already installed and latest version 
       
        Package pam_ssh_user_auth-1.0-1.el7.x86_64 already installed and latest version 
       
        Package pam_mount-2.16-5.el7.x86_64 already installed and latest version 
       
        Package pam_radius-1.4.0-3.el7.x86_64 already installed and latest version 
       
        Package pamtester-0.1.2-4.el7.x86_64 already installed and latest version 
       
        Package pam_afs_session-2.6-5.el7.x86_64 already installed and latest version 
       
        Package pam_pkcs11-0.6.2-30.el7.x86_64 already installed and latest version 
       
        Package pam-1.1.8-22.el7.x86_64 already installed and latest version 
       
        Package pam_ssh-2.3-1.el7.x86_64 already installed and latest version 
       
        Package 1:pam_url-0.3.3-4.el7.x86_64 already installed and latest version 
       
        Package pam_wrapper-1.0.7-2.el7.x86_64 already installed and latest version 
       
        Package pam-kwallet-5.5.2-1.el7.x86_64 already installed and latest version 
       
        Package pam-devel-1.1.8-22.el7.x86_64 already installed and latest version 
       
        Package pam_krb5-2.4.8-6.el7.x86_64 already installed and latest version 
       
        Package zlib-devel-1.2.7-18.el7.x86_64 already installed and latest version 
       
        Package zlib-static-1.2.7-18.el7.x86_64 already installed and latest version 
       
        Package zlib-1.2.7-18.el7.x86_64 already installed and latest version 
       
        Package zlib-ada-1.4-0.5.20120830CVS.el7.x86_64 already installed and latest version 
       
        Package zlib-ada-devel-1.4-0.5.20120830CVS.el7.x86_64 already installed and latest version 
       
        Nothing to  
        do 
       
        [root@linux-node3 ~] 
        #

下載openssh包和openssl的包

咱們都下載最新版本，下載箭頭指的包

https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/

https://ftp.openssl.org/source/

開始安裝openssl

 
         [root@linux-node3 ~] 
         # mkdir /data/tools -p 
        
         [root@linux-node3 ~] 
         # cd /data/tools/ 
        
         [root@linux-node3  
         /data/tools 
         ] 
         # rz -E 
        
         rz waiting to receive. 
        
         [root@linux-node3  
         /data/tools 
         ] 
         # ll 
        
         total 5224 
        
         -rw-r--r-- 1 root root 5348369 Apr 27 12:19 openssl-1.0.2r. 
         tar 
         .gz 
        
         解壓文件 
        
         [root@linux-node3  
         /data/tools 
         ] 
         # tar xfz openssl-1.0.2r.tar.gz 
        
         [root@linux-node3  
         /data/tools 
         ] 
         # ll 
        
         total 5228 
        
         drwxr-xr-x 20 root root    4096 Apr 27 12:20 openssl-1.0.2r 
        
         -rw-r--r--  1 root root 5348369 Apr 27 12:19 openssl-1.0.2r. 
         tar 
         .gz 
        
         [root@linux-node3  
         /data/tools 
         ] 
         # cd 
        
         [root@linux-node3 ~] 
         # 
        
         如今是系統默認的版本，等會升級完畢對比下 
        
         [root@linux-node3 ~] 
         # openssl version 
        
         OpenSSL 1.0.2k-fips  26 Jan 2017 
        
         [root@linux-node3 ~] 
         #

備份下面2個文件或目錄（若是存在的話就執行）

 
         [root@linux-node3 ~] 
         # ll /usr/bin/openssl 
        
         -rwxr-xr-x 1 root root 555248 Mar 12 18:12  
         /usr/bin/openssl 
        
         [root@linux-node3 ~] 
         # mv /usr/bin/openssl /usr/bin/openssl_bak 
        
         [root@linux-node3 ~] 
         # ll /usr/include/openssl 
        
         total 1864 
        
         -rw-r--r-- 1 root root   6146 Mar 12 18:12 aes.h 
        
         -rw-r--r-- 1 root root  63204 Mar 12 18:12 asn1.h 
        
         -rw-r--r-- 1 root root  24435 Mar 12 18:12 asn1_mac.h 
        
         -rw-r--r-- 1 root root  34475 Mar 12 18:12 asn1t.h 
        
         -rw-r--r-- 1 root root  38742 Mar 12 18:12 bio.h 
        
         -rw-r--r-- 1 root root   5351 Mar 12 18:12 blowfish.h 
        
         ...... 
        
         [root@linux-node3 ~] 
         # mv /usr/include/openssl /usr/include/openssl_bak 
        
         [root@linux-node3 ~] 
         #

編譯安裝新版本的openssl

配置、編譯、安裝3個命令一塊兒執行

&&符號表示前面的執行成功纔會執行後面的

 
        [root@linux-node3 ~] 
        # cd /data/tools/openssl-1.0.2r/ 
       
        [root@linux-node3  
        /data/tools/openssl-1 
        .0.2r] 
        # ./config shared && make && make install

以上命令執行完畢，echo $?查看下最後的make install是否有報錯，0表示沒有問題

下面2個文件或者目錄作軟連接（剛纔前面的步驟mv備份過原來的）

 
        [root@linux-node3 ~] 
        # ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl 
       
        [root@linux-node3 ~] 
        # ln -s /usr/local/ssl/include/openssl /usr/include/openssl 
       
        [root@linux-node3 ~] 
        # ll /usr/bin/openssl 
       
        lrwxrwxrwx 1 root root 26 Apr 27 12:31  
        /usr/bin/openssl  
        ->  
        /usr/local/ssl/bin/openssl 
       
        [root@linux-node3 ~] 
        # ll /usr/include/openssl -ld 
       
        lrwxrwxrwx 1 root root 30 Apr 27 12:31  
        /usr/include/openssl  
        ->  
        /usr/local/ssl/include/openssl 
       
        [root@linux-node3 ~] 
        #

命令行執行下面2個命令加載新配置

 
        echo  
        "/usr/local/ssl/lib"  
        >>  
        /etc/ld 
        .so.conf 
       
        /sbin/ldconfig

查看確認版本。沒問題

 
        [root@testssh ~] 
        # openssl version 
       
        OpenSSL 1.0.2r  26 Feb 2019

安裝openssh

上傳openssh的tar包並解壓

 
        [root@testssh ~] 
        # cd /data/tools/ 
       
        [root@testssh tools] 
        # ll 
       
        total 7628 
       
        -rw-r--r--  1 root root 1597697 Apr 18 07:02 openssh-8.0p1. 
        tar 
        .gz 
       
        drwxr-xr-x 20 root root    4096 Apr 23 23:12 openssl-1.0.2r 
       
        -rw-r--r--  1 root root 5348369 Feb 26 22:34 openssl-1.0.2r. 
        tar 
        .gz 
       
        -rwxr-xr-x  1 root root  853040 Apr 11  2018 sshd 
       
        [root@testssh tools] 
        # tar xfz openssh-8.0p1.tar.gz 
       
        [root@testssh tools] 
        # cd openssh-8.0p1 
       
        可能文件默認顯示uid和gid數組都是1000，這裏從新受權下。不受權可能也不影響安裝（請自行測試） 
       
        [root@testssh tools] 
        # chown -R root.root /data/tools/openssh-8.0p1

命令行刪除原先ssh的配置文件和目錄

而後配置、編譯、安裝

注意下面編譯安裝的命令是一行，請把第一行末尾的 \ 去掉，而後在文本里弄成一行以後放命令行執行

 
         rm  
         -rf  
         /etc/ssh/ 
         * 
        
         . 
         /configure  
         --prefix= 
         /usr/  
         --sysconfdir= 
         /etc/ssh   
         --with-openssl-includes= 
         /usr/local/ssl/include  
         \ 
        
         --with-ssl- 
         dir 
         = 
         /usr/local/ssl    
         --with-zlib   --with-md5-passwords   --with-pam  &&  
         make  
         &&  
         make  
         install

參考下個人截圖

安裝完畢檢查下結果

修改配置文件最終爲以下內容，其餘的不要動

 
        [root@linux-node3 ~] 
        # grep "^PermitRootLogin"  /etc/ssh/sshd_config 
       
        PermitRootLogin  
        yes 
       
        [root@linux-node3 ~] 
        # grep  "UseDNS"  /etc/ssh/sshd_config 
       
        UseDNS no 
       
        [root@linux-node3 ~] 
        #

從原先的解壓的包中拷貝一些文件到目標位置（若是目標目錄存在就覆蓋）

(可能下面的ssh.pam文件都沒用到，由於sshd_config配置文件貌似沒使用它，請自行測試。我這邊是拷貝了)

 
        [root@linux-node3  
        /data/tools/openssh-8 
        .0p1] 
        # cp -a contrib/redhat/sshd.init /etc/init.d/sshd 
       
        [root@linux-node3  
        /data/tools/openssh-8 
        .0p1] 
        # cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd.pam 
       
        [root@linux-node3  
        /data/tools/openssh-8 
        .0p1] 
        # chmod +x /etc/init.d/sshd 
       
        [root@linux-node3  
        /data/tools/openssh-8 
        .0p1] 
        # chkconfig --add sshd 
       
        [root@linux-node3  
        /data/tools/openssh-8 
        .0p1] 
        # systemctl enable sshd 
       
        [root@linux-node3  
        /data/tools/openssh-8 
        .0p1] 
        #

把原先的systemd管理的sshd文件刪除或者移走或者刪除，不移走的話影響咱們重啓sshd服務

 
        [root@linux-node3 ~] 
        # mv  /usr/lib/systemd/system/sshd.service  /data1 
       
        [root@linux-node3 ~] 
        # mv  /usr/lib/systemd/system/sshd.socket  /data2

設置sshd服務開機啓動

 
        [root@linux-node3 ~] 
        # chkconfig sshd on 
       
        Note: Forwarding request to  
        'systemctl enable sshd.socket' 
        . 
       
        Created  
        symlink  
        from  
        /etc/systemd/system/sockets 
        .target.wants 
        /sshd 
        .socket to  
        /usr/lib/systemd/system/sshd 
        .socket.

接下來測試啓停服務。都正常

 
        之後管理sshd經過下面方式了 
       
        [root@linux-node3 ~] 
        # /etc/init.d/sshd restart 
       
        Restarting sshd (via systemctl):                           [  OK  ] 
       
        [root@linux-node3 ~] 
        # 
       
        [root@linux-node3 ~] 
        # 
       
        [root@linux-node3 ~] 
        # netstat -lntp 
       
        Active Internet connections (only servers) 
       
        Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID 
        /Program  
        name    
       
        tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      31800 
        /sshd          
       
        tcp6       0      0 :::22                   :::*                    LISTEN      31800 
        /sshd          
       
        tcp6       0      0 :::23                   :::*                    LISTEN      1 
        /systemd           
       
        [root@linux-node3 ~] 
        # /etc/init.d/sshd stop 
       
        Stopping sshd (via systemctl):                             [  OK  ] 
       
        [root@linux-node3 ~] 
        # netstat -lntp 
       
        Active Internet connections (only servers) 
       
        Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID 
        /Program  
        name    
       
        tcp6       0      0 :::23                   :::*                    LISTEN      1 
        /systemd           
       
        [root@linux-node3 ~] 
        # /etc/init.d/sshd start 
       
        Starting sshd (via systemctl):                            [  OK  ] 
       
        [root@linux-node3 ~] 
        # 
       
        [root@linux-node3 ~] 
        #

使用systemd方式也行

 
        [root@linux-node3 ~] 
        # systemctl stop sshd 
       
        [root@linux-node3 ~] 
        # netstat -lntp 
       
        Active Internet connections (only servers) 
       
        Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID 
        /Program  
        name    
       
        tcp6       0      0 :::23                   :::*                    LISTEN      1 
        /systemd           
       
        [root@linux-node3 ~] 
        # systemctl start sshd 
       
        [root@linux-node3 ~] 
        # netstat -lntp 
       
        Active Internet connections (only servers) 
       
        Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID 
        /Program  
        name    
       
        tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      31958 
        /sshd          
       
        tcp6       0      0 :::22                   :::*                    LISTEN      31958 
        /sshd          
       
        tcp6       0      0 :::23                   :::*                    LISTEN      1 
        /systemd           
       
        [root@linux-node3 ~] 
        # systemctl restart sshd 
       
        [root@linux-node3 ~] 
        # netstat -lntp 
       
        Active Internet connections (only servers) 
       
        Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID 
        /Program  
        name    
       
        tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      31999 
        /sshd          
       
        tcp6       0      0 :::22                   :::*                    LISTEN      31999 
        /sshd          
       
        tcp6       0      0 :::23                   :::*                    LISTEN      1 
        /systemd           
       
        [root@linux-node3 ~] 
        #

測試版本。都正常

 
        [root@linux-node3 ~] 
        # ssh -V 
       
        OpenSSH_8.0p1, OpenSSL 1.0.2r  26 Feb 2019 
       
        [root@linux-node3 ~] 
        # 
       
        [root@linux-node3 ~] 
        # telnet 127.0.0.1 22 
       
        Trying 127.0.0.1... 
       
        Connected to 127.0.0.1. 
       
        Escape character is  
        '^]' 
        . 
       
        SSH-2.0-OpenSSH_8.0

若是不是生產機器。能夠試着重啓機器測試下登陸sshd是否正常。我這邊測試都沒問題

測試沒問題後能夠把telnet服務關閉了

 
        [root@linux-node3 ~] 
        # systemctl disable xinetd.service 
       
        Removed  
        symlink  
        /etc/systemd/system/multi-user 
        .target.wants 
        /xinetd 
        .service. 
       
        [root@linux-node3 ~] 
        # systemctl stop xinetd.service 
       
        [root@linux-node3 ~] 
        # systemctl disable telnet.socket 
       
        [root@linux-node3 ~] 
        # systemctl stop telnet.socket 
       
        [root@linux-node3 ~] 
        # netstat -lntp