跳至正文

Centos7 升级openssh8.3

参考

通过虚拟机下载提取安装包(有的机房禁止访问外网)

yum install --downloadonly --downloaddir=rpm gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel  pam-devel krb5-devel
cd rpm

rpm -ivh autoconf-2.69-11.el7.noarch.rpm cpp-4.8.5-39.el7.x86_64.rpm gcc-4.8.5-39.el7.x86_64.rpm gcc-c++-4.8.5-39.el7.x86_64.rpm glibc-devel-2.17-307.el7.1.x86_64.rpm glibc-headers-2.17-307.el7.1.x86_64.rpm kernel-headers-3.10.0-1127.18.2.el7.x86_64.rpm keyutils-libs-devel-1.5.8-3.el7.x86_64.rpm libcom_err-devel-1.42.9-17.el7.x86_64.rpm libkadm5-1.15.1-46.el7.x86_64.rpm libselinux-devel-2.5-15.el7.x86_64.rpm libsepol-devel-2.5-10.el7.x86_64.rpm libstdc++-devel-4.8.5-39.el7.x86_64.rpm libverto-devel-0.2.5-4.el7.x86_64.rpm m4-1.4.16-10.el7.x86_64.rpm openssl-devel-1.0.2k-19.el7.x86_64.rpm pam-devel-1.1.8-23.el7.x86_64.rpm pcre-devel-8.32-17.el7.x86_64.rpm zlib-devel-1.2.7-18.el7.x86_64.rpm krb5-devel-1.15.1-46.el7.x86_64.rpm

下载openssh8.3p1 和 openssl-1.1.9.tar.gz

wget -c https://ftp.openssl.org/source/openssl-1.1.1g.tar.gz

wget -c https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/openssh-8.3.tar.gz

解压并编译安装openssl

openssl version #查看当前版本,等升级完对比
OpenSSL 1.0.2k-fips  26 Jan 2017

mv /usr/bin/openssl /usr/bin/openssl_bak #备份
mv /usr/include/openssl /usr/include/openssl_bak #备份

tar -zxvf openssl-1.1.1g.tar.g
cd openssl-1.1.1g/
./config --prefix=/usr/local/ssl -d shared && make && make install

echo $?  #echo $?查看下最后的make install是否有报错,0表示没有问题
0

ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl  #生成软链接
ln -s /usr/local/ssl/include/openssl /usr/include/openssl  #生成软链接

ll /usr/bin/openssl #查看是否生成成功
/usr/bin/openssl -> /usr/local/ssl/bin/openssl

ll /usr/include/openssl -ld #查看是否生成成功
/usr/include/openssl -> /usr/local/ssl/include/openssl

#执行下面命令加载配置
echo "/usr/local/ssl/lib" >> /etc/ld.so.conf
/sbin/ldconfig

openssl version #查看确认版本

如果出现openssl: error while loading shared libraries: libssl.so.1.1: cannot open shared object file: No such file or directory

#查找libssl.so.1.1的目录 然后生成软链接
find / -name "libssl.so.1.1"
/usr/local/lib64/libssl.so.1.1

ln -s /usr/local/lib64/libssl.so.1.1 /usr/lib64/libssl.so.1.1
ln -s /usr/local/lib64/libcrypto.so.1.1  /usr/lib64/libcrypto.so.1.1

解压并安装openssh

ssh -V #查看ssh版本
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017

tar -zxvf openssh-8.3p1.tar.gz
cd openssh-8.3p1
chown -R root.root /root/openssh/openssh-8.3p1 #更改当前目录所属用户和用户组为root

rm -rf /etc/ssh/* #删除原先ssh的配置文件和目录
./configure --prefix=/usr/ --sysconfdir=/etc/ssh  --with-openssl-includes=/usr/local/ssl/include --with-ssl-dir=/usr/local/ssl   --with-zlib   --with-md5-passwords   --with-pam  && make && make install #配置编译安装

#如果遇到权限问题 permission 0640 for xxxx 将报权限问题的目录都设为600
chmod -R 0600 /etc/ssh/ssh_host_ecdsa_key

echo $? #同上
0

#修改sshd配置
vim /etc/sshd_config
PermitRootLogin yes
UseDNS no

#从安装目录cp文件到目标位置
cp -a contrib/redhat/sshd.init /etc/init.d/sshd
cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd.pam
#设置执行权限
chmod +x /etc/init.d/sshd

#添加启动项
chkconfig --add sshd
systemctl enable sshd
#把原先的systemd管理的sshd文件删除或者移走或者删除,不移走的话影响我们重启sshd服务
mv /usr/lib/systemd/system/sshd.service  /tmp/
#设置开机启动
chkconfig sshd on

#重启sshd
systemctl restart sshd.service

#查看sshd是否启动
netstat -lntp

#测试版本
ssh -V
OpenSSH_8.3p1, OpenSSL 1.1.1g  21 Apr 2020