文章目录

  • 1.版本查看
  • 2.配置备份
  • 3.软件包openssh9.0下载
  • 4.升级openssh9.0版本
  • 5.配置备份恢复
  • 6.服务器启动验证及问题排查


1.版本查看

#系统版本
[root@HZLOPENSSHTEST ~]# cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)

#openssh版本
[root@HZLOPENSSHTEST ~]# rpm -qa |egrep "openssh|openssl"
openssh-clients-7.4p1-21.el7.x86_64
openssl-libs-1.0.2k-19.el7.x86_64
openssl-1.0.2k-19.el7.x86_64
openssh-7.4p1-21.el7.x86_64
openssh-server-7.4p1-21.el7.x86_64
[root@HZLOPENSSHTEST ~]# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017

2.配置备份

#备份sshd主配置文件&PAM认证配置文件
#建议同时整目录备份 /etc/ssh(含主机私钥 ssh_host_*_key):升级或启动脚本可能重新生成主机密钥,
#密钥一变,客户端会报 host key 变更告警,而且运维方再也无法把"真实的密钥变更"和中间人攻击区分开来。
#例如: cp -a /etc/ssh /root/ssh.bak.$(date +%F)
[root@HZLOPENSSHTEST ~]# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
[root@HZLOPENSSHTEST ~]# cp /etc/pam.d/login /etc/pam.d/login.bak
[root@HZLOPENSSHTEST ~]# cp /etc/pam.d/system-auth /etc/pam.d/system-auth.bak
[root@HZLOPENSSHTEST ~]# cp /etc/pam.d/sshd /etc/pam.d/sshd.bak

#查看备份文件(模式要加引号,否则 *.bak 会先在当前目录被 shell 展开,而不是作为正则传给 grep)
[root@HZLOPENSSHTEST ~]# ls /etc/pam.d/ | grep '\.bak$'
login.bak
sshd.bak
system-auth.bak

3.软件包openssh9.0下载

#下载升级的安装包,文件里是封装的rpm软件包
#注意: 9.0p1-1.el7 不是 CentOS 官方仓库的包(发行版维护的是 7.4p1-21.el7),属于第三方/自行构建的 rpm。
#下载后必须与发布方公布的校验值/签名比对;并且此后 openssh 的安全更新不再由发行版 yum 提供,需要自行跟踪上游:
#  sha256sum openssh-9.0p1.tar.gz    # 与发布方公布的 sha256 比对
[root@HZLOPENSSHTEST ~]# wget openssh-9.0p1.tar.gz
#tar 的 -f 后面必须紧跟归档文件名,写成 -xvfz 会把 "z" 当成文件名,应为 -xzvf
[root@HZLOPENSSHTEST ~]# tar -xzvf openssh-9.0p1.tar.gz
[root@HZLOPENSSHTEST ~]# ls openssh-9.0p1
openssh-9.0p1-1.el7.x86_64.rpm  openssh-clients-9.0p1-1.el7.x86_64.rpm  openssh-debuginfo-9.0p1-1.el7.x86_64.rpm  openssh-server-9.0p1-1.el7.x86_64.rpm

4.升级openssh9.0版本

#端口检查&服务查看
#注意: stop sshd 之后已建立的会话不会断开,但无法再新建连接;升级前先确认有控制台/带外访问途径,
#并保持当前这个会话不要退出,以免升级失败后彻底失联
[root@HZLOPENSSHTEST ~]# ss -ant |grep "22"
LISTEN     0      128          *:22                       *:*
ESTAB      0      0      10.21.25.124:22                 10.21.1.70:51233
ESTAB      0      0      10.21.25.124:22                 10.21.1.70:61866
ESTAB      0      48     10.21.25.124:22                 10.21.1.70:61848
ESTAB      0      0      10.21.25.124:22                 10.21.1.70:61865
LISTEN     0      128       [::]:22                    [::]:*
[root@HZLOPENSSHTEST ~]# systemctl status sshd
● sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: active (running) since 二 2023-11-28 17:18:23 CST; 18h ago
     Docs: man:sshd(8)
           man:sshd_config(5)
 Main PID: 1123 (sshd)
   CGroup: /system.slice/sshd.service
           └─1123 /usr/sbin/sshd -D
[root@HZLOPENSSHTEST ~]# systemctl stop sshd



#本地升级openssh(先 cd 进目录,openssh-* 由 shell 展开为当前目录下的本地 rpm 文件)
#第三方 rpm 的 pre/post 脚本会以 root 身份执行,安装前先核对签名并过一遍脚本内容,不要为了省事加 --nogpgcheck:
#  rpm -K openssh-server-9.0p1-1.el7.x86_64.rpm
#  rpm -qp --scripts openssh-server-9.0p1-1.el7.x86_64.rpm
[root@HZLOPENSSHTEST ~]# cd openssh-9.0p1
[root@HZLOPENSSHTEST openssh-9.0p1]# yum upgrade openssh-*
更新安装包:
openssh.x86_64 0:9.0p1-1.el7                      openssh-clients.x86_64 0:9.0p1-1.el7                      openssh-server.x86_64 0:9.0p1-1.el7

#检查升级的openssh安装包
[root@HZLOPENSSHTEST openssh-9.0p1]# rpm -qa |grep openssh
openssh-server-9.0p1-1.el7.x86_64
openssh-9.0p1-1.el7.x86_64
openssh-clients-9.0p1-1.el7.x86_64
[root@HZLOPENSSHTEST pam.d]# ssh -V
OpenSSH_9.0p1, OpenSSL 1.0.2k-fips  26 Jan 2017

5.配置备份恢复

#备份openssh9.0的配置,恢复之前的ssh配置文件
#注意: 用 7.4 时期的配置覆盖 9.0 自带配置之前,先 diff 两份文件,确认旧配置里没有 9.0 已移除/改名的选项;
#配置和 PAM 改完、重启服务之前先做语法检查,避免 sshd 起不来导致失联:
#  diff /etc/ssh/sshd_config.bak /etc/ssh/sshd_config_1129.bak
#  sshd -t
[root@HZLOPENSSHTEST openssh-9.0p1]# cd /etc/ssh/
[root@HZLOPENSSHTEST ssh]# mv sshd_config sshd_config_1129.bak
[root@HZLOPENSSHTEST ssh]# cp sshd_config.bak sshd_config
[root@HZLOPENSSHTEST ssh]# cd /etc/pam.d/
[root@HZLOPENSSHTEST pam.d]# mv sshd sshd_1129.bak
[root@HZLOPENSSHTEST pam.d]# cp sshd.bak sshd

6.服务器启动验证及问题排查

#服务启动失败,如下所示(根据系统提示日志,可确认为密钥文件权限问题,修改文件权限)
#原因: 发行版的 7.4 允许主机私钥为 640 root:ssh_keys,而上游 9.0 要求私钥对 group/other 不可读,
#不满足的密钥会被忽略,所有密钥都被忽略时就报 "no hostkeys available" 退出。
#另外注意 status 里服务名变成了 "SYSV: OpenSSH server daemon",Loaded 为 /etc/rc.d/init.d/sshd (bad):
#从输出看这个第三方 rpm 用 SysV 启动脚本替换了原来的 systemd unit,原 unit 里的配置不再生效,需要另行评估。
[root@HZLOPENSSHTEST ~]# systemctl status  sshd
● sshd.service - SYSV: OpenSSH server daemon
   Loaded: loaded (/etc/rc.d/init.d/sshd; bad; vendor preset: enabled)
   Active: failed (Result: exit-code) since 三 2023-11-29 11:46:02 CST; 11s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 16106 ExecStart=/etc/rc.d/init.d/sshd start (code=exited, status=1/FAILURE)
 Main PID: 11868 (code=exited, status=0/SUCCESS)

11月 29 11:46:02 HZLOPENSSHTEST sshd[16106]: It is required that your private key files are NOT accessible by others.
11月 29 11:46:02 HZLOPENSSHTEST sshd[16106]: This private key will be ignored.
11月 29 11:46:02 HZLOPENSSHTEST sshd[16106]: Unable to load host key "/etc/ssh/ssh_host_ed25519_key": bad permissions
11月 29 11:46:02 HZLOPENSSHTEST sshd[16106]: Unable to load host key: /etc/ssh/ssh_host_ed25519_key
11月 29 11:46:02 HZLOPENSSHTEST sshd[16106]: sshd: no hostkeys available -- exiting.
11月 29 11:46:02 HZLOPENSSHTEST sshd[16106]: [失败]
11月 29 11:46:02 HZLOPENSSHTEST systemd[1]: sshd.service: control process exited, code=exited status=1
11月 29 11:46:02 HZLOPENSSHTEST systemd[1]: Failed to start SYSV: OpenSSH server daemon.
11月 29 11:46:02 HZLOPENSSHTEST systemd[1]: Unit sshd.service entered failed state.
11月 29 11:46:02 HZLOPENSSHTEST systemd[1]: sshd.service failed.


#查看密钥文件权限
#下面的 chmod 600 /etc/ssh/ssh_host_* 把 .pub 公钥也改成了 600:对 sshd 无害(它以 root 读取),
#但更精确的做法是只收紧私钥、公钥保持 644: chmod 600 /etc/ssh/ssh_host_*_key
#另外 ssh_host_dsa_key 的时间戳是 11月29 11:46(与启动失败同一时刻),看起来是启动脚本新生成的;
#DSA 主机密钥在新版 OpenSSH 中默认已不启用,若 sshd_config 里仍有 HostKey /etc/ssh/ssh_host_dsa_key,建议删掉该行并移除 dsa 密钥
[root@HZLOPENSSHTEST ~]# ll /etc/ssh/ssh_host_*
-rw-------. 1 root root     1393 11月 29 11:46 /etc/ssh/ssh_host_dsa_key
-rw-r--r--. 1 root root      609 11月 29 11:46 /etc/ssh/ssh_host_dsa_key.pub
-rw-r-----. 1 root ssh_keys  227 11月 28 17:18 /etc/ssh/ssh_host_ecdsa_key
-rw-r--r--. 1 root root      162 11月 28 17:18 /etc/ssh/ssh_host_ecdsa_key.pub
-rw-r-----. 1 root ssh_keys  387 11月 28 17:18 /etc/ssh/ssh_host_ed25519_key
-rw-r--r--. 1 root root       82 11月 28 17:18 /etc/ssh/ssh_host_ed25519_key.pub
-rw-r-----. 1 root ssh_keys 1675 11月 28 17:18 /etc/ssh/ssh_host_rsa_key
-rw-r--r--. 1 root root      382 11月 28 17:18 /etc/ssh/ssh_host_rsa_key.pub
[root@HZLOPENSSHTEST ~]#  chmod 600 /etc/ssh/ssh_host_*
[root@HZLOPENSSHTEST ~]# ll /etc/ssh/ssh_host_*
-rw-------. 1 root root     1393 11月 29 11:46 /etc/ssh/ssh_host_dsa_key
-rw-------. 1 root root      609 11月 29 11:46 /etc/ssh/ssh_host_dsa_key.pub
-rw-------. 1 root ssh_keys  227 11月 28 17:18 /etc/ssh/ssh_host_ecdsa_key
-rw-------. 1 root root      162 11月 28 17:18 /etc/ssh/ssh_host_ecdsa_key.pub
-rw-------. 1 root ssh_keys  387 11月 28 17:18 /etc/ssh/ssh_host_ed25519_key
-rw-------. 1 root root       82 11月 28 17:18 /etc/ssh/ssh_host_ed25519_key.pub
-rw-------. 1 root ssh_keys 1675 11月 28 17:18 /etc/ssh/ssh_host_rsa_key
-rw-------. 1 root root      382 11月 28 17:18 /etc/ssh/ssh_host_rsa_key.pub

#重启后服务正常
[root@HZLOPENSSHTEST ~]# systemctl restart sshd


#测试登录验证(验证登录时拒绝,拒绝使用root用户直接登录,查看服务日志状态)
[root@HZLOPENSSHTEST ~]# ssh 10.21.25.124
root@10.21.25.124's password:
Permission denied, please try again.
[root@HZLOPENSSHTEST ~]# systemctl status sshd
● sshd.service - SYSV: OpenSSH server daemon
   Loaded: loaded (/etc/rc.d/init.d/sshd; bad; vendor preset: enabled)
   Active: active (running) since 三 2023-11-29 11:50:36 CST; 1min 58s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 17740 ExecStart=/etc/rc.d/init.d/sshd start (code=exited, status=0/SUCCESS)
 Main PID: 17748 (sshd)
   CGroup: /system.slice/sshd.service
           ├─17748 sshd: /usr/sbin/sshd [listener] 1 of 10-100 startups
           ├─18377 sshd: root [priv]
           └─18378 sshd: root [net]

11月 29 11:50:36 HZLOPENSSHTEST sshd[17748]: Server listening on :: port 22.
11月 29 11:50:36 HZLOPENSSHTEST systemd[1]: Started SYSV: OpenSSH server daemon.
11月 29 11:52:23 HZLOPENSSHTEST sshd[18374]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.21.1.70  user=root
11月 29 11:52:23 HZLOPENSSHTEST sshd[18374]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
11月 29 11:52:25 HZLOPENSSHTEST sshd[18374]: Failed password for root from 10.21.1.70 port 62880 ssh2
11月 29 11:52:25 HZLOPENSSHTEST sshd[18374]: Connection closed by authenticating user root 10.21.1.70 port 62880 [preauth]
11月 29 11:52:26 HZLOPENSSHTEST unix_chkpwd[18379]: password check failed for user (root)
11月 29 11:52:26 HZLOPENSSHTEST sshd[18377]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.21.1.70  user=root
11月 29 11:52:26 HZLOPENSSHTEST sshd[18377]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
11月 29 11:52:28 HZLOPENSSHTEST sshd[18377]: Failed password for root from 10.21.1.70 port 62881 ssh2

#问题
“pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"”
由上可见,认证是在 PAM 这一层被拒绝的:pam_succeed_if 规则要求 uid >= 1000,root(uid 0)不满足,于是 sshd 的 auth 阶段失败。
这条规则不是 openssh 9.0 的默认配置(本次只恢复了 /etc/pam.d/sshd,并没有动 system-auth),而是 PAM 层面的加固规则,
所有 include 了 system-auth 的服务(login、su 等)都受它约束,不只是 sshd。
排查时先确认 /etc/pam.d/sshd 实际 include 的是哪个文件(system-auth 还是 password-auth),只改真正生效的那一处;
同时检查 sshd_config 中的 PermitRootLogin 设置(恢复的旧配置里为 yes)。

#检查排查相关配置;
#安全提示: 注释掉 uid >= 1000 的规则 + PermitRootLogin yes,等于同时放开 PAM 和 sshd 两层对 root 口令登录的限制,
#root 将直接暴露在口令暴力破解之下。更稳妥的做法:
#  - 用普通用户登录 + sudo 提权,保留 PAM 规则;或
#  - sshd_config 设为 PermitRootLogin prohibit-password,root 只允许密钥登录,并配合 PasswordAuthentication no
#如确需恢复 root 口令登录,应作为有记录的例外处理,而不是升级后的默认操作。
[root@HZLOPENSSHTEST ~]# vim /etc/pam.d/system-auth
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success   #权限限制,注释或删除(注意该文件对所有使用 system-auth 的服务生效)
[root@HZLOPENSSHTEST ~]# vim /etc/ssh/sshd_config
PermitRootLogin yes    #允许root登录配置(建议改为 prohibit-password);改完执行 sshd -t 检查语法再重启




#重启sshd后,手动验证,登录正常
#验证时顺带确认主机密钥指纹与升级前一致(客户端不应出现 host key 变更告警):
#  ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub
[root@HZLOPENSSHTEST ~]# systemctl restart sshd
[root@HZLOPENSSHTEST ~]# ssh 10.21.25.124
root@10.21.25.124's password:
Last failed login: Wed Nov 29 11:53:23 CST 2023 from 10.21.25.124 on ssh:notty
There were 4 failed login attempts since the last successful login.
Last login: Wed Nov 29 11:17:50 2023 from 10.21.1.70