I. Upgrading OpenSSH on CentOS 6.x
1. Check the environment:
[root@localhost ~]# lsb_release -a
LSB Version: :base-4.0-amd64:base-4.0-noarch:core-4.0-amd64:core-4.0-noarch:graphics-4.0-amd64:graphics-4.0-noarch:printing-4.0-amd64:printing-4.0-noarch
Distributor ID: CentOS
Description: CentOS release 6.6 (Final)
Release: 6.6
Codename: Final
[root@localhost ~]# ssh -V
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
[root@localhost ~]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
2. Back up the ssh directory (important) and install telnet (so the host can still be managed remotely if the ssh upgrade goes wrong)
[root@localhost ~]# cp -rf /etc/ssh /etc/ssh.bak
Install and configure telnet
[root@localhost ~]# yum -y install telnet telnet-server
[root@localhost ~]# vi /etc/xinetd.d/telnet
# default: on
# description: The telnet server serves telnet sessions; it uses \
# unencrypted username/password pairs for authentication.
service telnet
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
disable = yes
}
Change disable = yes to no. Root login is not allowed by default, so also edit /etc/securetty:
[root@localhost ~]# vi /etc/securetty
# Add the following entries; if many users log in, more pts/* entries are needed
pts/0
pts/1
pts/2
Once configured, start the telnet service
[root@localhost ~]# service xinetd start
[root@localhost ~]# service xinetd status
xinetd (pid 28430) is running...
Note: after the ssh upgrade, it is recommended to change these settings back and restore the original configuration.
3. Install OpenSSH
3.1 Install the dependency packages
[root@localhost ~]# yum install -y gcc openssl-devel pam-devel rpm-build
3.2 Download the source package
[root@localhost Downloads]# wget http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.8p1.tar.gz
3.3 Extract, build and install
[root@localhost Downloads]# tar -zxvf openssh-7.8p1.tar.gz
[root@localhost Downloads]# cd openssh-7.8p1
[root@localhost openssh-7.8p1]# ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-md5-passwords --with-tcp-wrappers
[root@localhost openssh-7.8p1]# make && make install
3.4 Configure OpenSSH
[root@localhost openssh-7.8p1]# vi /etc/ssh/sshd_config
# Change "#PermitRootLogin yes" to "PermitRootLogin yes"
# Or run the following command instead
[root@localhost openssh-7.8p1]# sed -i '/^#PermitRootLogin/s/#PermitRootLogin yes/PermitRootLogin yes/' /etc/ssh/sshd_config
3.5 Restart the sshd service
[root@localhost openssh-7.8p1]# service sshd restart
[root@localhost openssh-7.8p1]# service sshd status
openssh-daemon (pid 28331) is running...
[root@localhost openssh-7.8p1]# ssh -V
OpenSSH_7.8p1, OpenSSL 1.0.1e-fips 11 Feb 2013
II. Upgrading OpenSSH on CentOS 7.x
1. Check the environment:
[root@localhost ~]# lsb_release -a
LSB Version: :core-4.1-amd64:core-4.1-noarch:cxx-4.1-amd64:cxx-4.1-noarch:desktop-4.1-amd64:desktop-4.1-noarch:languages-4.1-amd64:languages-4.1-noarch:printing-4.1-amd64:printing-4.1-noarch
Distributor ID: CentOS
Description: CentOS Linux release 7.2.1511 (Core)
Release: 7.2.1511
Codename: Core
[root@localhost ~]# ssh -V
OpenSSH_6.6.1p1, OpenSSL 1.0.1e-fips 11 Feb 2013
[root@localhost ~]# openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017
2. As above, back up the ssh directory (important) and install telnet (so the host can still be managed remotely if the ssh upgrade goes wrong)
[root@localhost ~]# cp -rf /etc/ssh /etc/ssh.bak
Install and configure telnet
[root@localhost ~]# yum -y install telnet telnet-server xinetd
[root@localhost ~]# vi /etc/xinetd.d/telnet
#default:yes
## description: The telnet server serves telnet sessions; it uses \
## unencrypted username/password pairs for authentication.
service telnet
{
flags = REUSE
socket_type = stream
wait = no
user = root
server =/usr/sbin/in.telnetd
log_on_failure += USERID
disable = yes
}
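Change disable = yes to no. Root login is not allowed by default, so also edit /etc/securetty:
[root@localhost ~]# vi /etc/securetty
# Add the following entries; if many users log in, more pts/* entries are needed
pts/0
pts/1
pts/2
Once configured, start the telnet service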
[root@localhost ~]# systemctl start telnet.socket
[root@localhost ~]# systemctl start xinetd
[root@localhost ~]# systemctl status xinetd
● xinetd.service - Xinetd A Powerful Replacement For Inetd
   Loaded: loaded (/usr/lib/systemd/system/xinetd.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2018-12-17 10:45:35 CST; 23h ago
   Main PID: 4217 (xinetd)
   CGroup: /system.slice/xinetd.service
           └─4217 /usr/sbin/xinetd -stayalive -pidfile /var/run/xinetd.pid
Note: after the ssh upgrade, it is recommended to change these settings back and restore the original configuration.
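The rollback that this note (and the same note in the CentOS 6.x part) asks for, as an added shell example that is not part of the original post: it sets disable = yes again, removes the pts/N lines from /etc/securetty and checks precisely for a listener on port 23. It assumes /etc/securetty held no pts/N entries before they were added here; the function names and the .pre-revert backup suffix are illustrative.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumption: /etc/securetty held no pts/N entries before they were added above.

# Apply a sed script ($1) to a file ($2), keeping its owner, mode and SELinux label.
rewrite_in_place() {
    tmp=$(mktemp) || return 1
    sed -E "$1" "$2" > "$tmp" && cat "$tmp" > "$2"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# revert_telnet_files XINETD_TELNET_FILE SECURETTY_FILE
# Saves *.pre-revert copies, sets "disable = yes" and drops the pts/N lines.
revert_telnet_files() {
    cp -p "$1" "$1.pre-revert" || return 1
    cp -p "$2" "$2.pre-revert" || return 1
    rewrite_in_place 's/^([[:space:]]*disable[[:space:]]*=[[:space:]]*).*/\1yes/' "$1" &&
        rewrite_in_place '/^pts\/[0-9]+$/d' "$2"
}

# telnet_disabled FILE: succeeds only when the stanza says disable = yes.
telnet_disabled() {
    grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes[[:space:]]*$' "$1"
}

# root_pts_allowed FILE: succeeds while any pts/N entry remains in securetty.
root_pts_allowed() {
    grep -Eq '^pts/[0-9]+$' "$1"
}

# port23_listening: reads "netstat -an" text on stdin and succeeds only if a
# TCP socket listens on port 23 exactly (a plain "grep 23" also matches 2323).
port23_listening() {
    awk '$1 ~ /^tcp/ && $4 ~ /:23$/ && $6 == "LISTEN" {hit=1} END {exit !hit}'
}

# On the host, as root, once a fresh ssh login has been confirmed:
#   revert_telnet_files /etc/xinetd.d/telnet /etc/securetty
#   service xinetd stop                      # CentOS 6
#   systemctl stop telnet.socket xinetd      # CentOS 7
#   netstat -an | port23_listening && echo "port 23 is still open"
```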
3. Install OpenSSH
3.1 Install the dependency packages
[root@localhost ~]# yum install -y gcc openssl-devel pam-devel rpm-build
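3.2 Download the source packages
OpenSSH depends on zlib and OpenSSL, so the source packages for all three need to be downloaded from their official sites. Source download locations for the three: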
http://www.zlib.net/
Download openssh-7.6p1.tar.gz, openssl-1.0.2m.tar.gz and zlib-1.2.11.tar.gz:
[root@localhost Downloads]# wget http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.6p1.tar.gz
[root@localhost Downloads]# wget https://www.openssl.org/source/old/1.0.2/openssl-1.0.2m.tar.gz
[root@localhost Downloads]# wget http://www.zlib.net/zlib-1.2.11.tar.gz
[root@localhost Downloads]# ll
total 7300
-rw-r--r--. 1 root root 1548026 Aug 24 07:53 openssh-7.6p1.tar.gz
-rw-r--r--. 1 root root 5373776 Nov 2 2017 openssl-1.0.2m.tar.gz
-rw-r--r--. 1 root root 607698 Jan 16 2017 zlib-1.2.11.tar.gz
3.3 Build, install and configure zlib and openssl
# Build and install zlib
[root@localhost Downloads]# tar -zxvf zlib-1.2.11.tar.gz
[root@localhost Downloads]# cd zlib-1.2.11/
[root@localhost zlib-1.2.11]# ./configure --prefix=/usr/local/zlib-1.2.11 -share
[root@localhost zlib-1.2.11]# make && make install
[root@localhost zlib-1.2.11]# vi /etc/ld.so.conf
# Configure the library search path; append this line at the end:
/usr/local/zlib-1.2.11/lib
[root@localhost zlib-1.2.11]# ldconfig -v   # Refresh the cache file /etc/ld.so.cache
[root@localhost zlib-1.2.11]# ln -s /usr/local/zlib-1.2.11 /usr/local/zlib
[root@localhost zlib-1.2.11]# cd /root/Downloads/
# Build and install openssl
[root@localhost Downloads]# tar -zxvf openssl-1.0.2m.tar.gz
[root@localhost Downloads]# cd openssl-1.0.2m/
[root@localhost openssl-1.0.2m]# ./config --prefix=/usr/local/openssl-1.0.2m --with-zlib-lib=/usr/local/zlib-1.2.11/lib --with-zlib-include=/usr/local/zlib-1.2.11/include
[root@localhost openssl-1.0.2m]# make && make install
[root@localhost openssl-1.0.2m]# vi /etc/ld.so.conf
# Configure the library search path; append this line at the end:
/usr/local/openssl-1.0.2m/lib
[root@localhost openssl-1.0.2m]# ldconfig -v   # Refresh the cache file /etc/ld.so.cache
[root@localhost openssl-1.0.2m]# ln -s /usr/local/openssl-1.0.2m /usr/local/openssl
[root@localhost openssl-1.0.2m]# vi /etc/profile
# Configure the environment variable; append these two lines at the end:
PATH=/usr/local/openssl/bin:$PATH
export PATH
[root@localhost openssl-1.0.2m]# source /etc/profile   # Apply the change
[root@localhost openssl-1.0.2m]# openssl version -a   # Check the openssl version to verify the installation
OpenSSL 1.0.2m 14 Aug 2018
built on: reproducible build, date unspecified
platform: linux-x86_64
options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -I. -I.. -I../include -I/usr/local/zlib-1.2.11/include -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -m64 -DL_ENDIAN -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
OPENSSLDIR: "/usr/local/openssl-1.0.2m/ssl"
3.4 Remove the original OpenSSH
[root@localhost Downloads]# rpm -qa |grep openssh
openssh-clients-6.6.1p1-22.el7.x86_64
openssh-6.6.1p1-22.el7.x86_64
openssh-server-6.6.1p1-22.el7.x86_64
[root@localhost Downloads]# for i in $(rpm -qa |grep openssh);do rpm -e $i --nodeps;done
3.5 Build, install and configure OpenSSH
[root@localhost Downloads]# tar -zxvf openssh-7.6p1.tar.gz
[root@localhost Downloads]# cd openssh-7.6p1/
[root@localhost openssh-7.6p1]# ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-ssl-dir=/usr/local/openssl --with-md5-passwords --mandir=/usr/share/man --with-zlib=/usr/local/zlib --without-hardening --with-tcp-wrappers
[root@localhost openssh-7.6p1]# rm -rf /etc/ssh
[root@localhost openssh-7.6p1]# make && make install
[root@localhost openssh-7.6p1]# cp contrib/redhat/sshd.init /etc/init.d/sshd
[root@localhost openssh-7.6p1]# chkconfig --add sshd
[root@localhost openssh-7.6p1]# chkconfig sshd on
[root@localhost openssh-7.6p1]# chkconfig --list|grep sshd
[root@localhost openssh-7.6p1]# sed -i "32a PermitRootLogin yes" /etc/ssh/sshd_config
3.6 Restart the sshd service
[root@localhost openssh-7.6p1]# systemctl restart sshd
[root@localhost openssh-7.6p1]# systemctl status sshd
● sshd.service - SYSV: OpenSSH server daemon
   Loaded: loaded (/etc/rc.d/init.d/sshd)
   Active: active (running) since Tue 2018-12-18 14:45:59 CST; 11s ago
   Docs: man:systemd-sysv-generator(8)
   Process: 16931 ExecStart=/etc/rc.d/init.d/sshd start (code=exited, status=0/SUCCESS)
   Main PID: 16939 (sshd)
   CGroup: /system.slice/sshd.service
           └─16939 /usr/sbin/sshd
Dec 18 14:45:59 localhost.localdomain systemd[1]: Starting SYSV: OpenSSH server daemon...
Dec 18 14:45:59 localhost.localdomain sshd[16939]: Server listening on 0.0.0.0 port 22.
Dec 18 14:45:59 localhost.localdomain sshd[16939]: Server listening on :: port 22.
Dec 18 14:45:59 localhost.localdomain sshd[16931]: Starting sshd:[ OK ]
Dec 18 14:45:59 localhost.localdomain systemd[1]: Started SYSV: OpenSSH server daemon.
[root@localhost openssh-7.6p1]# ssh -V
OpenSSH_7.6p1, OpenSSL 1.0.2k-fips 26 Jan 2017
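The ssh -V banner above reports OpenSSL 1.0.2k-fips, the system library's version from step 1, while openssl version -a in 3.3 reports 1.0.2m, so this ssh binary is not using the OpenSSL built under /usr/local/openssl. The following added check (not part of the original post; the function names and the sample ldd line are constructed for illustration) compares the two versions and inspects which libcrypto sshd loads.

```shell
#!/bin/sh
# Added example, not from the original post.

# OpenSSL version token from an "ssh -V" banner read on stdin.
banner_openssl() {
    sed -n 's/^OpenSSH_[^,]*, *OpenSSL \([^ ]*\).*/\1/p'
}

# OpenSSL version token from the first line of "openssl version" on stdin.
cli_openssl() {
    sed -n '1s/^OpenSSL \([^ ]*\).*/\1/p'
}

# libcrypto path from "ldd /usr/sbin/sshd" output on stdin
# (prints nothing when libcrypto was linked statically).
sshd_libcrypto() {
    awk '$1 ~ /^libcrypto\.so/ && $2 == "=>" {print $3}'
}

# linkage_verdict BANNER CLI_LINE LDD_TEXT PREFIX
# Prints match, mismatch:<banner>!=<cli>, system-lib:<path> or unparsed.
linkage_verdict() {
    b=$(printf '%s\n' "$1" | banner_openssl)
    c=$(printf '%s\n' "$2" | cli_openssl)
    lib=$(printf '%s\n' "$3" | sshd_libcrypto)
    if [ -z "$b" ] || [ -z "$c" ]; then echo unparsed; return 2; fi
    if [ "$b" != "$c" ]; then echo "mismatch:$b!=$c"; return 1; fi
    case "$lib" in
        ""|"$4"/*) echo match; return 0 ;;
        *) echo "system-lib:$lib"; return 1 ;;
    esac
}

# Banner and CLI line as printed on this page (after 3.6 and in 3.3).
PAGE_BANNER='OpenSSH_7.6p1, OpenSSL 1.0.2k-fips 26 Jan 2017'
PAGE_CLI='OpenSSL 1.0.2m 14 Aug 2018'
# Constructed ldd line; the page shows no ldd output.
SAMPLE_LDD='libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f0000000000)'

linkage_verdict "$PAGE_BANNER" "$PAGE_CLI" "$SAMPLE_LDD" /usr/local/openssl || true

# On the host:
#   linkage_verdict "$(ssh -V 2>&1)" "$(openssl version)" \
#       "$(ldd /usr/sbin/sshd)" /usr/local/openssl
```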
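Pitfalls:
The following shows how to use the Linux commands for opening a port.
nc -lp 23 & (open port 23, i.e. telnet)
netstat -an | grep 23 (check whether port 23 is open)
Use nmap to check whether a port is open
nmap X.X.X.X -p <port number>
Reference link: http://bbs.51cto.com/thread-1547903-1.html
Reference link: https://blog.csdn.net/levy_cui/article/details/53100315
Reference link: https://www.cnblogs.com/liangjingfu/p/9635657.html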