1. Upgrade ssh
a) Install the dependency packages
yum -y install gcc make perl zlib zlib-devel pam pam-devel
b) Stop the ssh service and back up its configuration
systemctl stop sshd
cp -r /etc/ssh /etc/ssh.old
c) Check which openssh packages the system already has
rpm -qa | grep openssh
openssh-7.4p1-16.el7.x86_64
openssh-clients-7.4p1-16.el7.x86_64
openssh-server-7.4p1-16.el7.x86_64
d) Remove the existing openssh packages
rpm -e --nodeps openssh-7.4p1-16.el7.x86_64
rpm -e --nodeps openssh-clients-7.4p1-16.el7.x86_64
rpm -e --nodeps openssh-server-7.4p1-16.el7.x86_64
e) Install zlib
Install the dependency packages
yum install perl-Module-Load-Conditional perl-core gcc perl-CPAN perl-devel
tar -xvf zlib-1.2.11.tar.gz
cd zlib-1.2.11
./configure --prefix=/usr/local/zlib
make
make install
Verify that zlib was installed successfully: /usr/local/zlib must contain the three directories include, lib and share.
ll /usr/local/zlib
Configure zlib so the dynamic loader can find it
echo '/usr/local/zlib/lib' >> /etc/ld.so.conf.d/zlib.conf
ldconfig -v
f) Install openssl
yum remove openssl-devel
tar -xvf openssl-1.1.1m.tar.gz
cd openssl-1.1.1m
./config shared zlib
make (this takes a long time; do not interrupt it)
make test (this takes a long time; do not interrupt it)
A successful make test prints the following; if it does not, do not continue to make install:
All tests successful.
Files=158, Tests=2639, 94 wallclock secs ( 1.70 usr 0.27 sys + 64.77 cusr 39.75 csys = 106.49 CPU)
Result: PASS
make[1]: Leaving directory `/tmp/openssl-1.1.1m'
Otherwise find the cause (usually a missing dependency package), then run make clean and repeat make and make test.
make install (this takes a long time; do not interrupt it)
g) Configure openssl
mv /usr/bin/openssl /usr/bin/openssl.bak
ln -s /usr/local/bin/openssl /usr/bin/openssl
ln -s /usr/local/include/openssl /usr/include/openssl
ln -s /usr/local/lib64/libssl.so.1.1 /usr/lib64/libssl.so.1.1
ln -s /usr/local/lib64/libcrypto.so.1.1 /usr/lib64/libcrypto.so.1.1
echo '/usr/local/ssl/lib' >> /etc/ld.so.conf.d/ssl.conf
echo '/usr/local/lib' >> /etc/ld.so.conf.d/ssl.conf
ldconfig -v
Check the openssl version
openssl version -a
The version should now be:
OpenSSL 1.1.1m 14 Dec 2021
h) Upgrade ssh
tar -xvf openssh-8.9p1.tar.gz
cd openssh-8.9p1
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/ssl --with-zlib --with-pam
make
Confirm in the configure summary that PAM support was enabled successfully (PAM support: yes, and -lpam linked for sshd):
OpenSSH has been configured with the following options:
User binaries: /usr/bin
System binaries: /usr/sbin
Configuration files: /etc/ssh
Askpass program: /usr/libexec/ssh-askpass
Manual pages: /usr/share/man/manX
PID file: /var/run
Privilege separation chroot path: /var/empty
sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin
Manpage format: doc
PAM support: yes
OSF SIA support: no
KerberosV support: no
SELinux support: no
libedit support: no
libldns support: no
Solaris process contract support: no
Solaris project support: no
Solaris privilege support: no
IP address in $DISPLAY hack: no
Translate v4 in v6 hack: yes
BSD Auth support: no
Random number source: OpenSSL internal ONLY
Privsep sandbox style: seccomp_filter
PKCS#11 support: yes
U2F/FIDO support: yes
Host: x86_64-pc-linux-gnu
Compiler: cc
Compiler flags: -g -O2 -pipe -Wall -Wextra -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-parameter -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE
Preprocessor flags: -I/usr/local/ssl -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE
Linker flags: -L/usr/local/ssl -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -pie
Libraries: -lcrypto -ldl -lutil -lz -lcrypt -lresolv
+for sshd: -lpam
PAM is enabled. You may need to install a PAM control file
for sshd, otherwise password authentication may fail.
Example PAM control files can be found in the contrib/
subdirectory
chmod 600 /etc/ssh/ssh_host_rsa_key
chmod 600 /etc/ssh/ssh_host_ecdsa_key
chmod 600 /etc/ssh/ssh_host_ed25519_key
i) Install openssh
make install
Edit the configuration file so that root can log in directly:
echo "PasswordAuthentication yes" >> /etc/ssh/sshd_config
echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
The ssh service must start automatically at boot, which needs a few extra settings:
cp -p contrib/redhat/sshd.init /etc/init.d/sshd
chmod +x /etc/init.d/sshd
chkconfig --add sshd
chkconfig sshd on
systemctl restart sshd
j) Verify the ssh service and the ssh and ssl versions
systemctl status sshd
●
Loaded: loaded (/etc/rc.d/init.d/sshd; bad; vendor preset: enabled)
Active: active (running) since Tue 2022-04-12 06:03:04 CST; 1min 5s ago
Docs: man:systemd-sysv-generator(8)
Process: 69691 ExecStart=/etc/rc.d/init.d/sshd start (code=exited, status=0/SUCCESS)
Main PID: 69701 (sshd)
Tasks: 1
CGroup: /system.slice/sshd.service
└─69701 sshd: /usr/sbin/sshd [listener] 0 of 10-100 startups
Apr 12 06:03:04 centos7n2 systemd[1]: Starting SYSV: OpenSSH server daemon...
Apr 12 06:03:04 centos7n2 sshd[69701]: Server listening on 0.0.0.0 port 22.
Apr 12 06:03:04 centos7n2 sshd[69701]: Server listening on :: port 22.
Apr 12 06:03:04 centos7n2 sshd[69691]: Starting sshd:[ OK ]
Apr 12 06:03:04 centos7n2 systemd[1]: Started SYSV: OpenSSH server daemon.
ssh -V
OpenSSH_8.9p1, OpenSSL 1.1.1m 14 Dec 2021
Logging in to the host over ssh works normally.
2. Troubleshooting
After upgrading to OpenSSH 8.9p1, some older versions of SecureCRT can no longer log in over ssh, because some host-key and key-exchange algorithms are no longer offered by default. This can be handled in the configuration file.
Edit /etc/ssh/sshd_config (vi /etc/ssh/sshd_config) and add the following:
HostKeyAlgorithms=+ssh-rsa,ssh-dss
KexAlgorithms=+diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
Save, then restart the ssh service with systemctl restart sshd.
openssh was configured with the --with-pam parameter, which enables PAM login authentication, so a /etc/pam.d/sshd control file must be provided.
1. Solution
Edit the configuration (/etc/ssh/sshd_config):
PermitRootLogin yes #allow the root account to log in remotely
PasswordAuthentication yes #enable password authentication
UsePAM yes #enable PAM for login
Add the PAM control file /etc/pam.d/sshd:
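Both the echo >> commands in step i and the three settings above rely on no earlier active line already setting the same keyword, because sshd honours only the first occurrence of a keyword in sshd_config. The helper below is an added example, not part of the original post: set_sshd_option and demo are names chosen here, and the sample file is constructed to resemble a stock CentOS 7 sshd_config.

```shell
#!/bin/sh
# Added example, not from the original post. sshd honours the FIRST occurrence of
# a keyword, so appending "PermitRootLogin yes" with >> does nothing if an active
# "PermitRootLogin no" already appears earlier in sshd_config.
set -eu

# set_sshd_option FILE KEYWORD VALUE
# Rewrites the first (commented or active) line for KEYWORD as "KEYWORD VALUE",
# drops later duplicates, and appends the line if the keyword is absent.
# Lines from the first "Match" block onward are left alone, because keywords
# inside a Match block apply only to that block.
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp="${file}.tmp.$$"
    awk -v key="$key" -v value="$value" '
        BEGIN { done = 0; inmatch = 0 }
        {
            line = $0
            sub("^[ \t]+", "", line)
            commented = (substr(line, 1, 1) == "#")
            sub("^#[ \t]*", "", line)
            split(line, f, "[ \t=]+")
            tok = tolower(f[1])
            if (!commented && tok == "match") {      # insert before Match blocks
                if (!done) { print key " " value; done = 1 }
                inmatch = 1
            }
            if (!inmatch && tok == tolower(key)) {
                if (!done) { print key " " value; done = 1 }
                next                                 # drop duplicate lines
            }
            print $0
        }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# Demo on a constructed sample resembling a stock CentOS 7 sshd_config.
demo() {
    cfg=$(mktemp)
    printf '%s\n' '#PermitRootLogin yes' 'PermitRootLogin no' \
        'PasswordAuthentication yes' 'Match User backup' \
        '    PasswordAuthentication no' > "$cfg"
    set_sshd_option "$cfg" PermitRootLogin yes
    set_sshd_option "$cfg" UsePAM yes
    cat "$cfg"          # PermitRootLogin yes appears once, before the Match block
    rm -f "$cfg"
}
demo
```

After editing the real file, sshd -t validates the syntax and sshd -T (run as root) prints the values sshd actually loaded, so you can confirm PermitRootLogin, PasswordAuthentication and UsePAM show what you intended.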
#%PAM-1.0
auth required pam_sepermit.so
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth