OpenSSH 升级至 7.9p1


安装Zlib

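# Build and install zlib 1.2.11 from source (default prefix /usr/local).
# Fetch over HTTPS so the archive cannot be altered in transit, and compare it
# against the checksum published on the project site before building.
# NOTE: 1.2.11 has since been superseded by releases carrying security fixes;
# prefer the current release unless this version is pinned for a reason.
wget https://zlib.net/zlib-1.2.11.tar.gz
tar -zxvf zlib-1.2.11.tar.gz
cd zlib-1.2.11
# --shared builds libz.so, which the OpenSSH link step below expects.
./configure --shared
make -j 8
# Run the self-tests before installing over the system copy.
make test
make install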

安装OpenSSL

查看当前openssl版本:

[root@i-1E2B5395 ~]# which openssl
/usr/bin/openssl
[root@i-1E2B5395 ~]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013

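# Build OpenSSL 1.0.2r from source (default install prefix: /usr/local/ssl).
# NOTE: the 1.0.2 series is end-of-life and no longer receives security fixes;
# an sshd linked against it inherits every unpatched libcrypto issue. Treat this
# as a stop-gap and plan a move to a supported OpenSSL branch.
# "wegt" in the original was a typo; the command is wget. Verify the tarball
# against the signature/checksum published on openssl.org before unpacking.
wget https://www.openssl.org/source/openssl-1.0.2r.tar.gz
tar zxvf openssl-1.0.2r.tar.gz
cd openssl-1.0.2r
# "shared" produces libcrypto.so/libssl.so, needed so sshd can link dynamically.
./config shared
make -j 8
# Run the test suite before installing.
make test
make install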

备份旧的 openssl 二进制文件和头文件

# Move the distro-provided openssl binary and header directory aside (suffix
# .bak) so the symlinks to /usr/local/ssl can take their place.
for old_path in /usr/bin/openssl /usr/include/openssl; do
  mv -- "$old_path" "$old_path.bak"
done

创建指向新版本的符号链接

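# Point the system openssl binary and headers at the build in /usr/local/ssl.
# NOTE: once these are symlinks, yum/rpm no longer tracks the OpenSSL on this
# host; future security updates for it must be applied by hand.
ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
ln -s /usr/local/ssl/include/openssl /usr/include/openssl
# Make /usr/local/ssl/lib visible to the dynamic loader. Non-interactive,
# idempotent replacement for "vi /etc/ld.so.conf" (add the path on line 1):
# only insert the entry if it is not already present as a whole line.
grep -qxF /usr/local/ssl/lib /etc/ld.so.conf || sed -i '1i /usr/local/ssl/lib' /etc/ld.so.conf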

/usr/local/ssl/lib
include ld.so.conf.d/*.conf

让配置文件生效

[root@i-1E2B5395 openssl-1.0.2r]# ldconfig
[root@i-1E2B5395 openssl-1.0.2r]# openssl version -a
OpenSSL 1.0.2r  26 Feb 2019
built on: reproducible build, date unspecified
platform: linux-x86_64
options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -I. -I.. -I../include  -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -m64 -DL_ENDIAN -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
OPENSSLDIR: "/usr/local/ssl"

升级安装 OpenSSH

保险起见，升级前请开启 telnet 作为临时回退通道（telnet 为明文协议，验证 ssh 正常后务必关闭）

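# Temporary fallback login path in case the new sshd fails to start.
# telnet is cleartext: keep TCP/23 reachable only from the management network
# and turn it back off as soon as ssh is verified (see the xinetd stop at the end).
yum -y install telnet telnet-server
# Equivalent of editing /etc/xinetd.d/telnet and changing "disable = yes" to
# "disable = no". Assumes the stock file carries a "disable = yes" line.
sed -i 's/^\(\s*disable\s*=\s*\)yes/\1no/' /etc/xinetd.d/telnet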

把disable修改为 no

# default: on
# description: The telnet server serves telnet sessions; it uses \
#       unencrypted username/password pairs for authentication.
# NOTE: "disable = no" below exposes a cleartext login service on TCP/23. It is
#       only intended as a temporary fallback while sshd is being upgraded and
#       should be reverted to "disable = yes" once the new sshd is verified.
service telnet
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        disable         = no
}

启动服务
# Reload xinetd so the telnet fallback becomes active; confirm with lsof -i:23.
service xinetd restart
测试telnet 登录

[root@i-1E2B5395 openssh-7.9p1]# lsof -i:23
COMMAND   PID USER   FD   TYPE    DEVICE SIZE/OFF NODE NAME
xinetd  14283 root    5u  IPv6 114815438      0t0  TCP *:telnet (LISTEN)

查看当前版本:

[root@i-1E2B5395 ~]# which ssh
/usr/bin/ssh
[root@i-1E2B5395 ~]#  ssh -version
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
Bad escape character 'rsion'.

升级步骤:
卸载当前版本的ssh

[root@i-1E2B5395 ~]# rpm -e --nodeps `rpm -qa | grep openssh`
warning: /etc/ssh/sshd_config saved as /etc/ssh/sshd_config.rpmsave

安装:

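# Fetch OpenSSH portable 7.9p1 from an official mirror over HTTPS and verify the
# detached signature published next to the tarball before unpacking. The
# original used an unauthenticated third-party http mirror; this binary runs as
# root on every login, so its provenance matters.
# NOTE: 7.9p1 is an old release; prefer the current portable release unless
# this version is pinned for a reason.
wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.9p1.tar.gz
wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.9p1.tar.gz.asc
# Requires the OpenSSH release signing key in the local keyring.
gpg --verify openssh-7.9p1.tar.gz.asc openssh-7.9p1.tar.gz
tar zxvf openssh-7.9p1.tar.gz
cd openssh-7.9p1
# --with-ssl-dir must point at the OpenSSL *install prefix* produced above
# (/usr/local/ssl, containing include/ and lib/), not at a source tree.
# --with-md5-passwords is needed for MD5-hashed entries in /etc/shadow.
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/ssl --with-zlib --with-md5-passwords
make -j 8
make install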

替换新版本

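# Validate the config with the NEW binary before anything restarts; a bad
# sshd_config would otherwise take sshd down on restart with telnet as the
# only way back in. Note that rpm -e saved the previous config as
# /etc/ssh/sshd_config.rpmsave, so settings from it must be re-applied here.
if /usr/sbin/sshd -t -f /etc/ssh/sshd_config; then
  # Install the Red Hat init script shipped in the source tree.
  cp contrib/redhat/sshd.init /etc/init.d/sshd
else
  printf '%s\n' 'sshd_config failed validation; fix it before restarting sshd' >&2
fi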

修改配置文件 允许root远程,注释#AuthorizedKeysFile
# Edit the freshly installed config (re-run "sshd -t" after saving).
vim /etc/ssh/sshd_config

# Where sshd looks for per-user public keys (relative to the user's home).
AuthorizedKeysFile .ssh/authorized_keys

# Weakens the default: allows direct root logins, including with a password.
# Prefer "PermitRootLogin prohibit-password" (key-only root) or a non-root
# admin account plus sudo once the upgrade is verified.
PermitRootLogin yes
# Re-enables a key exchange that OpenSSH 7.0 disabled by default (1024-bit DH
# group with SHA-1). Only keep it for legacy clients that cannot negotiate
# anything newer, and remove it once they are upgraded.
KexAlgorithms=+diffie-hellman-group1-sha1

# Restart onto the new binary. Keep the current session open and confirm a
# fresh login from a second session before closing anything.
service sshd restart
验证成功后关闭telnet
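# Remove the temporary cleartext fallback once the new sshd is verified.
# Stopping xinetd alone is not persistent if it is enabled at boot, so also
# revert the telnet service entry to disabled.
sed -i 's/^\(\s*disable\s*=\s*\)no/\1yes/' /etc/xinetd.d/telnet
service xinetd stop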
