目录

安装telnet

编译安装openssl

解压并编译安装OpenSSH

修改配置允许root用户远程登录

测试没问题后开启防火墙关闭telnet

回滚办法(如果没有备份的话)

安装telnet

为了防止升级安装失败,无法使用ssh做远程连接,因此安装telnet预防

环境

#查看当前版本

ssh -V

#关闭防火墙

systemctl stop firewalld

setenforce 0

安装

yum install telnet-server -y

yum install telnet -y

启动telnet服务

systemctl enable telnet.socket

systemctl start telnet.socket

安全文件关闭或者修改(否则root无法telnet登录) 默认情况下,系统是不允许root用户telnet远程登陆的,如果要使用root用户直接登录

echo 'pts/0' >>/etc/securetty

echo 'pts/1' >>/etc/securetty

编译安装openssl

官网下载安装包:openssl官网

https://www.openssl.org/source/old/

依赖

yum install wget gcc openssl-devel pam-devel rpm-build zlib-devel -y

下载

wget https://www.openssl.org/source/old/1.1.1/openssl-1.1.1t.tar.gz

解压

tar xf openssl-1.1.1t.tar.gz -C /usr/local

进入openssl目录

cd /usr/local/openssl-1.1.1t

编译

./config shared --prefix=/usr/local/openssl

make -j 4

make install

为openssl做软连接

echo "/usr/local/openssl/lib/" >> /etc/ld.so.conf

加载配置文件

ldconfig

备份以前的openssl

mv /usr/bin/openssl /usr/bin/openssl.old

ln -sv /usr/local/openssl/bin/openssl /usr/bin/openssl

ln -s /usr/local/openssl/lib/libssl.so.1.1 /usr/lib64/libssl.so.1.1

ln -s /usr/local/openssl/lib/libcrypto.so.1.1 /usr/lib64/libcrypto.so.1.1

查看当前OpenSSH版本(Centos7 默认使用OpenSSH_7.4p1)

ssh -V

OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017

备份现有的SSH

mv /etc/ssh/ /etc/ssh.bak

mv /usr/bin/ssh /usr/bin/ssh.bak

mv /usr/sbin/sshd /usr/sbin/sshd.bak

如果你是第一次升级,备份/etc/init.d/sshd时会不存在,不影响后续操作

mv /etc/init.d/sshd /etc/init.d/sshd.bak

mv: 无法获取'/etc/init.d/sshd' 的文件状态(stat): No such file or directory

卸载现有OpenSSH

rpm -e --nodeps $(rpm -qa |grep openssh)

确保已经卸载成功(没有返回则卸载成功)

rpm -qa | grep openssh

解压并编译安装OpenSSH

下载OpenSSH官方二进制包

https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/

安装

wget http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.5p1.tar.gz

cd /usr/local/

#解压

tar -zxvf openssh-9.5p1.tar.gz

#编译安装

cd openssh-9.5p1

CCFLAGS="-I/usr/local/include" \

LDFLAGS="-L/usr/local/lib64" \

./configure \

--sysconfdir=/etc/ssh \

--with-zlib \

--with-ssl-dir=/usr/local/openssl

make -j 4

make install

#授权

chmod 600 /etc/ssh/*

复制配置文件

cp -rf /usr/local/sbin/sshd /usr/sbin/sshd

cp -rf /usr/local/bin/ssh /usr/bin/ssh

cp -rf /usr/local/bin/ssh-keygen /usr/bin/ssh-keygen

cp -ar /usr/local/openssh-9.5p1/contrib/redhat/sshd.init /etc/init.d/sshd

cp -ar /usr/local/openssh-9.5p1/contrib/redhat/sshd.pam /etc/pam.d/sshd.pam

修改配置允许root用户远程登录

修改配置允许root用户远程登录(允许使用密码登录,允许root远程登录,开启端口,赋予/etc/init.d/sshd权限)

cat >>/etc/ssh/sshd_config<

PermitRootLogin yes

X11Forwarding yes

PasswordAuthentication yes

KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1,curve25519-sha256@libssh.org

EOF

sed -i "s/^#Port/Port/g" /etc/ssh/sshd_config

chmod 755 /etc/init.d/sshd

启用sshd,生成服务配置文件,并重启服务

# 启用sshd,生成服务配置文件

systemctl enable sshd

sshd.service is not a native service, redirecting to /sbin/chkconfig.

Executing /sbin/chkconfig sshd on

# 重启服务

systemctl restart sshd

# 查看服务状态

systemctl status sshd

验证升级是否成功

ssh -V

OpenSSH_9.5p1, OpenSSL 1.1.1t 7 Feb 2023

测试没问题后开启防火墙关闭telnet

vim /etc/securetty

systemctl start firewalld

systemctl stop telnet.socket

setenforce 1

systemctl status firewalld

systemctl status telnet.socket

 回滚办法(如果没有备份的话)

先回滚openssh到yum最新版本

yum remove -y openssh && yum install -y openssh openssh-clients openssh-server

然后再删除开头的那些公私钥

rm -rf /etc/ssh/ssh_host

最后重新生成这些应该就可以恢复sshd服务

service sshd restart

精彩链接

评论可见,请评论后查看内容,谢谢!!!
 您阅读本篇文章共花了: