堂-DayDayUP VIM Linux Life
堂-DayDayUP
VIM Linux Life

openssh 升级

已发表 
1. yum升级到最新可用版本(openssh7.4p1)
yum update openssh

2. 安装telnet-server 以及 xinetd
yum install xinetd telnet-server -y

3. 配置telnet登录的终端类型,在/etc/securetty 文件末尾增加一些pts终端,如下
cp /etc/securetty /etc/securetty.bak
cat >> /etc/securetty <<EOF
pts/0
pts/1
pts/2
pts/3
EOF
4.启动telnet服务,并设置开机自动启动
systemctl enable xinetd 
systemctl enable telnet.socket
systemctl start telnet.socket
systemctl start xinetd

5.使用telnet 登陆,以后操作都是通过telnet

6.备份并移除老文件 ( 这些配置可能影响装完以后的登陆 所以备份)
mkdir /usr/local/src/sshupdate
cd /usr/local/src/sshupdate
cp /etc/ssh/sshd_config sshd_config
cp /etc/pam.d/sshd sshd
yum remove openssl-devel
cp -r /etc/ssl /etc/ssl.bak
rm -rf /etc/ssl

7.安装依赖包
yum install  -y gcc gcc-c++ glibc make autoconf pcre-devel  pam-devel pam* zlib*
yum install  -y pam* zlib*

8.下载openssh包和openssl的包
# https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/
# https://ftp.openssl.org/source/
wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.9p1.tar.gz
wget https://ftp.openssl.org/source/openssl-1.1.1v.tar.gz

9.安装 openssl
tar xfz openssl-1.1.1v.tar.gz
openssl version
mv /usr/bin/openssl /usr/bin/openssl_bak
cd openssl-1.1.1v
./config  --prefix=/usr/local --openssldir=/usr/local/ssl
make && make install
./config shared --prefix=/usr/local --openssldir=/usr/local/ssl
make clean
make && make install
ln -s /usr/local/bin/openssl /usr/bin/openssl
ln -s /usr/local/include/openssl /usr/include/openssl
echo "/usr/local/lib" >> /etc/ld.so.conf
echo "/usr/local/lib64" >> /etc/ld.so.conf
/sbin/ldconfig
openssl version

10.安装openssh
cp -r /etc/ssh /etc/ssh.bak
rm -rf /etc/ssh
cd /usr/local/src/sshupdate
tar xfz openssh-8.9p1.tar.gz
cd openssh-8.9p1
./configure --prefix=/usr/ --sysconfdir=/etc/ssh  --with-openssl-includes=/usr/local/ssl/include --with-ssl-dir=/usr/local/ssl   --with-zlib   --with-md5-passwords   --with-pam
make clean
make && make install
cp -af contrib/redhat/sshd.init /etc/init.d/sshd
cp -af contrib/redhat/sshd.pam /etc/pam.d/sshd.pam
chmod +x /etc/init.d/sshd

cat >> /etc/ssh/sshd_config <<EOF
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
KexAlgorithms +diffie-hellman-group1-sha1
PubkeyAcceptedKeyTypes +ssh-rsa
EOF

chkconfig --add sshd
mv /usr/lib/systemd/system/sshd.service /usr/local/src/sshupdate/sshd.service
chkconfig sshd on
systemctl enable sshd
systemctl restart sshd
ssh -V

11.检测ssh 可以正常登陆,使用ssh登陆,然后 停止telnet服务 并 移除
systemctl stop telnet.socket
systemctl stop xinetd
systemctl disable xinetd 
systemctl disable telnet.socket

遇到的坑:
mv /usr/lib/systemd/system/sshd.service /usr/local/src/sshupdate/sshd.service 
这一步会导致sshd重启后无法自启动,解决办法先卸载openssh 
for  i   in  $(rpm  -qa  |grep  openssh);do  rpm  -e  $i  --nodeps ;done
再重新安装openssh 安装后后需要还原/etc/pam.d/sshd 文件,原文件卸载时会被删除
cat /etc/pam.d/sshd

#%PAM-1.0
auth       required    pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare