升级OpenSSH和OpenSSL版本

重要提醒:升级OpenSSH和OpenSSL版本可能会导致无法通过SSH连接服务器,升级前请务必先开启telnet服务(或准备好控制台等其他带外登录方式),确保能通过telnet连接服务器;由于telnet以明文传输账号和密码,升级完成并确认SSH可以正常登录后应及时关闭telnet服务。
 
 
 
查看当前OpenSSH和OpenSSL版本
[root@localhost ~]# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
[root@localhost ~]#
 
 
 
安装依赖
[root@localhost ~]# yum install -y gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel pam-devel
[root@localhost ~]# yum install -y pam* zlib*
[root@localhost ~]# yum install -y perl-IPC-Cmd
 
 
 
下载新版OpenSSL和OpenSSH(下载后建议核对官网公布的校验和或签名,确认源码包未被篡改)
[root@localhost ~]# cd /src/
[root@localhost src]# wget https://ftp.openssl.org/source/openssl-3.0.4.tar.gz
[root@localhost src]# wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.0p1.tar.gz
 
 
 
备份旧版OpenSSL
[root@localhost src]# mv /usr/bin/openssl /usr/bin/openssl.bak
[root@localhost src]# mv /usr/include/openssl /usr/include/openssl.bak
 
 
 
安装新版OpenSSL
[root@localhost src]# tar -xf openssl-3.0.4.tar.gz
[root@localhost src]# cd openssl-3.0.4
[root@localhost openssl-3.0.4]# ./config --prefix=/program/openssl && make && make install
 
 
 
安装完OpenSSL后的一些收尾工作
[root@localhost ~]# cp -ar /program/openssl/bin/openssl /usr/bin/
[root@localhost ~]# cp -ar /program/openssl/include/openssl /usr/include
[root@localhost ~]# cp /etc/ld.so.conf /etc/ld.so.conf.default && cp /etc/ld.so.conf /etc/ld.so.conf.bak
[root@localhost ~]# echo "/program/openssl/lib64" >> /etc/ld.so.conf
[root@localhost ~]# ldconfig -v


 
设置PKG_CONFIG_PATH环境变量
[root@localhost ~]# vim /etc/profile
…………此处省略内容若干…………
export PKG_CONFIG_PATH=$PKG_CONFIG_PATH:/program/openssl/lib64/pkgconfig
[root@localhost ~]# source /etc/profile


 
查看OpenSSL版本
[root@localhost ~]# openssl version
OpenSSL 3.0.4 21 Jun 2022 (Library: OpenSSL 3.0.4 21 Jun 2022)
[root@localhost ~]#
 
 
 
备份旧版OpenSSH相关的文件
[root@localhost ~]# mv /etc/ssh /etc/ssh.bak
[root@localhost ~]# mv /usr/sbin/sshd /usr/sbin/sshd.bak
[root@localhost ~]# mv /etc/sysconfig/sshd /etc/sysconfig/sshd.bak
[root@localhost ~]# mv /usr/lib/systemd/system/sshd.service /usr/lib/systemd/system/sshd.service.bak
 
 
 
安装新版OpenSSH
[root@localhost ~]# cd /src/
[root@localhost src]# tar -xf openssh-9.0p1.tar.gz
[root@localhost src]# cd openssh-9.0p1
[root@localhost openssh-9.0p1]# ./configure --prefix=/program/openssh --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-tcp-wrappers --with-ssl-dir=/program/openssl --with-zlib=/usr/local/lib64 --without-hardening
[root@localhost openssh-9.0p1]# make
[root@localhost openssh-9.0p1]# make install
 
 
 
卸载旧版OpenSSH
[root@localhost openssh-9.0p1]# for i in $(rpm -qa |grep openssh);do rpm -e $i --nodeps ;done
警告:/etc/ssh/ssh_config 已另存为 /etc/ssh/ssh_config.rpmsave
警告:文件 /usr/sbin/sshd: 移除失败: 没有那个文件或目录
警告:文件 /usr/lib/systemd/system/sshd.service: 移除失败: 没有那个文件或目录
警告:文件 /etc/sysconfig/sshd: 移除失败: 没有那个文件或目录
警告:/etc/ssh/sshd_config 已另存为 /etc/ssh/sshd_config.rpmsave
警告:/etc/ssh/moduli 已另存为 /etc/ssh/moduli.rpmsave
[root@localhost openssh-9.0p1]#
 
 
 
配置文件处理(沿用旧版的配置,这样就不用重复配置;但旧配置中的个别选项或算法可能已不被新版本支持,复制后建议先执行 sshd -t 检查配置能否被新版sshd接受,避免重启后sshd无法启动)
[root@localhost openssh-9.0p1]# cp -a /etc/ssh.bak/sshd_config /etc/ssh/sshd_config
[root@localhost openssh-9.0p1]# mv /etc/ssh/ssh_config.rpmsave /etc/ssh/ssh_config
[root@localhost openssh-9.0p1]# mv /etc/ssh/moduli.rpmsave /etc/ssh/moduli
 
 
 
把新版的客户端程序复制到/usr/bin目录,把sshd复制到/usr/sbin目录
[root@localhost openssh-9.0p1]# cp -arf /program/openssh/bin/* /usr/bin/
[root@localhost openssh-9.0p1]# cp -arf /program/openssh/sbin/sshd /usr/sbin/sshd
 
 
 
由于安装新版OpenSSH时使用了--with-pam参数启用PAM登录认证,需要为其创建一个配置文件,否则无法登录(密码正确也会提示密码错误)
[root@localhost ~]# vim /etc/pam.d/sshd
#%PAM-1.0
auth       required     pam_sepermit.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth
[root@localhost ~]#
 
 
 
创建开机启动脚本
[root@localhost openssh-9.0p1]# cp -a contrib/redhat/sshd.init /etc/init.d/sshd
[root@localhost openssh-9.0p1]# cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd.pam
[root@localhost openssh-9.0p1]# chmod +x /etc/init.d/sshd
[root@localhost openssh-9.0p1]# systemctl daemon-reload
[root@localhost openssh-9.0p1]# chkconfig --add sshd && chkconfig sshd on
 
 
 
重启sshd并查看版本号(重启后请不要断开当前会话,先另开一个终端确认能正常SSH登录,再关闭旧会话)
[root@localhost openssh-9.0p1]# systemctl restart sshd
[root@localhost openssh-9.0p1]# ssh -V
OpenSSH_9.0p1, OpenSSL 3.0.4 21 Jun 2022
[root@localhost openssh-9.0p1]#
 
 
 
解决登录后出现“/bin/bash: Permission denied”的问题(通常是SELinux拒绝了自行编译的sshd;audit2allow会把审计日志中所有被拒绝的操作都生成为放行规则,安装 my-sshd.pp 之前建议先查看生成的策略内容,确认其中只包含sshd所需的规则)
[root@localhost ~]# ausearch -c 'sshd' --raw | audit2allow -M my-sshd
******************** IMPORTANT ***********************
To make this policy package active, execute:
 
semodule -i my-sshd.pp
 
[root@localhost ~]# semodule -i my-sshd.pp
[root@localhost ~]#



如果服务器上搭建了Git服务器还需要修改SSH配置文件
[root@localhost ~]# vim /etc/ssh/sshd_config
………………(此处省略内容若干)………………
 
# OpenSSH 8.8 起默认禁用了基于SHA-1的 ssh-rsa 签名算法,升级后使用旧客户端或旧RSA密钥的Git用户可能无法连接Git服务器;如需兼容可增加如下算法,但这会降低安全性,长期应改用 rsa-sha2-256/512 或 ed25519 密钥
HostKeyAlgorithms +ssh-rsa
PubkeyAcceptedKeyTypes +ssh-rsa
[root@localhost ~]# systemctl restart sshd
