Offline upgrade of OpenSSL and OpenSSH on CentOS 7



1. Original environment and versions


CentOS 7.2

[root@incloudos openssh-8.0p1]# uname -r
3.10.0-327.el7.x86_64
[root@incloudos openssh-8.0p1]# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)

openssl

[root@incloudos ~]# openssl version -a
OpenSSL 1.0.1e-fips 11 Feb 2013
built on: Mon Jun 29 12:45:07 UTC 2015
platform: linux-x86_64

openssh

[root@incloudos ~]# ssh -V
OpenSSH_6.6.1p1, OpenSSL 1.0.1e-fips 11 Feb 2013

httpd

[root@incloudos ~]# httpd -V
Server version: Apache/2.4.6 (CentOS)
Server built: Jul 18 2016 15:30:14
Server's Module Magic Number: 20120211:24
Server loaded: APR 1.4.8, APR-UTIL 1.5.2
Compiled using: APR 1.4.8, APR-UTIL 1.5.2
Architecture: 64-bit

2. Packages to prepare


Offline installation packages to download:

openssl-1.0.2s.tar.gz

openssh-8.0p1.tar.gz

pam-1.1.8-22.el7.x86_64.rpm

pam-devel-1.1.8-22.el7.x86_64.rpm

zlib-1.2.7-17.el7.x86_64.rpm

zlib-devel-1.2.7-17.el7.x86_64.rpm

telnet-0.17-64.el7.x86_64.rpm

telnet-server-0.17-64.el7.x86_64.rpm

openssl-1.0.2k-12.el7.x86_64.rpm

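The older openssl RPM is kept on hand because, if you cannot continue after uninstalling openssl later on, you can install openssl again from it, so the system is not left unusable.

You can search for and download these packages yourself, or fetch them with yumdownloader (yumdownloader is available once yum-utils is installed).

First install yum-utils on a machine with Internet access:

yum install yum-utils

For example, to download pam, run:

#yumdownloader pam

Alternatively, without installing yum-utils, the following command downloads the package and its dependencies:

#yum install --downloadonly --downloaddir=/root/ pam

Download the offline packages first, then copy them to the internal-network machine and get ready to upgrade.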
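Because the packages are downloaded on one machine and installed on another, it is worth confirming that what arrives is what was downloaded. The following is an added example, not part of the original article; the manifest name SHA256SUMS, the function names and the single staging directory are assumptions.

```shell
#!/bin/sh
# Added example: checksum manifest for the offline package set.
# SHA256SUMS, the function names and the one-directory layout are assumptions.

# On the Internet-connected machine: record a hash for every package.
make_manifest() (
    cd "$1" || exit 1
    for f in *.rpm *.tar.gz; do
        if [ -f "$f" ]; then sha256sum "$f"; fi
    done > SHA256SUMS
)

# On the internal machine, before any rpm -Uvh or tar step.
# Fails if a listed file is missing or altered, or if a package is present
# that the manifest does not list.
verify_manifest() (
    cd "$1" || exit 1
    [ -s SHA256SUMS ] || { echo "no manifest in $1" >&2; exit 1; }
    sha256sum -c SHA256SUMS || exit 1
    for f in *.rpm *.tar.gz; do
        [ -f "$f" ] || continue
        awk -v f="$f" '$2 == f { ok = 1 } END { exit !ok }' SHA256SUMS ||
            { echo "not in manifest: $f" >&2; exit 1; }
    done
)
```

A manifest only shows that the files arrived unchanged. The NOKEY warnings in the rpm output further down mean the package signatures were not checked; rpm -K checks them once the CentOS signing key has been imported with rpm --import.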

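Before upgrading OpenSSH, enable telnet and make sure you can log in over it. That way, if the OpenSSH upgrade goes wrong, you can still log in to the server over telnet and work on it.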

3. Install the dependency packages


pam, pam-devel, xinetd, zlib, zlib-devel, telnet, telnet-server

Install pam

First check whether pam is already installed:

#rpm -qa |grep pam

[root@incloudos ~]# rpm  -qa |grep pam
fprintd-pam-0.5.0-4.0.el7_0.x86_64
pam-1.1.8-12.el7_1.1.x86_64

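The pam package is already on the server.

Upgrade in place with rpm -U rather than removing packages with rpm -e --nodeps, which can cause problems (and really can, especially with the zlib package).

#rpm  -Uvh  pam-1.1.8-22.el7.x86_64.rpm

#rpm -Uvh  pam-devel-1.1.8-22.el7.x86_64.rpm
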
[root@incloudos 2pam]# rpm  -Uvh  pam-1.1.8-22.el7.x86_64.rpm
warning: pam-1.1.8-22.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY
Preparing...                          ################################# [100%]
Updating / installing...
   1:pam-1.1.8-22.el7                 ################################# [ 50%]
Cleaning up / removing...
   2:pam-1.1.8-12.el7_1.1             ################################# [100%]

[root@incloudos 3pam-devel]# rpm -Uvh  pam-devel-1.1.8-22.el7.x86_64.rpm
warning: pam-devel-1.1.8-22.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY
Preparing...                          ################################# [100%]
Updating / installing...
   1:pam-devel-1.1.8-22.el7           ################################# [100%]

Install xinetd

#rpm -Uvh xinetd-2.3.15-13.el7.x86_64.rpm

[root@incloudos 4xinted]# rpm  -Uvh  xinetd-2.3.15-13.el7.x86_64.rpm
warning: xinetd-2.3.15-13.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY
Preparing...                          ################################# [100%]
Updating / installing...
   1:xinetd-2:2.3.15-13.el7           ################################# [ 50%]
Cleaning up / removing...
   2:xinetd-2:2.3.15-12.el7           ################################# [100%]

Install zlib

#rpm -Uvh zlib-1.2.7-18.el7.x86_64.rpm

#rpm -Uvh zlib-devel-1.2.7-18.el7.x86_64.rpm

[root@incloudos 5zlib]# rpm -Uvh zlib-1.2.7-18.el7.x86_64.rpm
warning: zlib-1.2.7-18.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY
Preparing...                          ################################# [100%]
Updating / installing...
   1:zlib-1.2.7-18.el7                ################################# [ 50%]
Cleaning up / removing...
   2:zlib-1.2.7-15.el7                ################################# [100%]
[root@incloudos 5zlib]# rpm -Uvh zlib-devel-1.2.7-18.el7.x86_64.rpm
warning: zlib-devel-1.2.7-18.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY
error: Failed dependencies:
        zlib-devel(x86-32) is needed by (installed) openssl-devel-1:1.0.1e-42.el7.9.i686

I first ran createrepo, then created zlib-devel.repo and tried yum install zlib-devel, which reported:

[root@incloudos yum.repos.d]# yum install zlib-devel
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package zlib-devel.x86_64 0:1.2.7-15.el7 will be updated
---> Package zlib-devel.x86_64 0:1.2.7-18.el7 will be an update
--> Finished Dependency Resolution
Error:  Multilib version problems found. This often means that the root
       cause is something else and multilib version checking is just
       pointing out that there is a problem. Eg.:

         1. You have an upgrade for zlib-devel which is missing some
            dependency that another package requires. Yum is trying to
            solve this by installing an older version of zlib-devel of the
            different architecture. If you exclude the bad architecture
            yum will tell you what the root cause is (which package
            requires what). You can try redoing the upgrade with
            --exclude zlib-devel.otherarch ... this should give you an error
            message showing the root cause of the problem.

         2. You have multiple architectures of zlib-devel installed, but
            yum can only see an upgrade for one of those architectures.
            If you don't want/need both architectures anymore then you
            can remove the one with the missing update and everything
            will work.

         3. You have duplicate versions of zlib-devel installed already.
            You can use "yum check" to get yum show these errors.

       ...you can also use --setopt=protected_multilib=false to remove
       this checking, however this is almost never the correct thing to
       do as something else is very likely to go wrong (often causing
       much more problems).

       Protected multilib versions: zlib-devel-1.2.7-18.el7.x86_64 != zlib-devel-1.2.7-15.el7.i686

The zlib-devel upgrade did not succeed, because zlib-devel-1.2.7-15.el7.i686 was already in use.

Skip this for now…

Install telnet

#rpm -Uvh telnet-0.17-64.el7.x86_64.rpm

#rpm -Uvh telnet-server-0.17-64.el7.x86_64.rpm

[root@incloudos 6telnet]# rpm  -Uvh  telnet-0.17-64.el7.x86_64.rpm
warning: telnet-0.17-64.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY
Preparing...                          ################################# [100%]
Updating / installing...
   1:telnet-1:0.17-64.el7             ################################# [ 50%]
Cleaning up / removing...
   2:telnet-1:0.17-59.el7             ################################# [100%]
[root@incloudos 6telnet]# rpm  -Uvh  telnet-server-0.17-64.el7.x86_64.rpm
warning: telnet-server-0.17-64.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY
Preparing...                          ################################# [100%]
Updating / installing...
   1:telnet-server-1:0.17-64.el7      ################################# [100%]

Start xinetd

#systemctl start xinetd

Check its status:

#systemctl status xinetd

#systemctl enable xinetd

[root@incloudos openssl3]# systemctl  status  xinetd
● xinetd.service - Xinetd A Powerful Replacement For Inetd
   Loaded: loaded (/usr/lib/systemd/system/xinetd.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2019-06-04 10:50:10 CST; 27min ago
 Main PID: 10004 (xinetd)
   CGroup: /system.slice/xinetd.service
           └─10004 /usr/sbin/xinetd -stayalive -pidfile /var/run/xinetd.pid

Jun 04 10:50:10 incloudos xinetd[10004]: removing discard
Jun 04 10:50:10 incloudos xinetd[10004]: removing discard
Jun 04 10:50:10 incloudos xinetd[10004]: removing echo
Jun 04 10:50:10 incloudos xinetd[10004]: removing echo
Jun 04 10:50:10 incloudos xinetd[10004]: removing tcpmux
Jun 04 10:50:10 incloudos xinetd[10004]: removing time
Jun 04 10:50:10 incloudos xinetd[10004]: removing time
Jun 04 10:50:10 incloudos xinetd[10004]: xinetd Version 2.3.15 started with libwrap loadavg labeled-networking options compiled in.
Jun 04 10:50:10 incloudos xinetd[10004]: Started working: 1 available service
Jun 04 10:50:10 incloudos systemd[1]: Started Xinetd A Powerful Replacement For Inetd.
[root@incloudos openssl3]# systemctl  enable  xinetd

Start telnet

#systemctl start telnet.socket

#systemctl status telnet.socket

#systemctl enable telnet.socket

[root@incloudos openssl3]# systemctl start telnet.socket
[root@incloudos openssl3]# systemctl status telnet.socket
● telnet.socket - Telnet Server Activation Socket
   Loaded: loaded (/usr/lib/systemd/system/telnet.socket; disabled; vendor preset: disabled)
   Active: active (listening) since Tue 2019-06-04 11:19:15 CST; 4s ago
     Docs: man:telnetd(8)
   Listen: [::]:23 (Stream)
 Accepted: 0; Connected: 0

Jun 04 11:19:15 incloudos systemd[1]: Listening on Telnet Server Activation Socket.
Jun 04 11:19:15 incloudos systemd[1]: Starting Telnet Server Activation Socket.
[root@incloudos openssl3]# .
-bash: .: filename argument required
.: usage: . filename [arguments]
[root@incloudos openssl3]# systemctl enable telnet.socket
Created symlink from /etc/systemd/system/sockets.target.wants/telnet.socket to /usr/lib/systemd/system/telnet.socket.

By default, root is not allowed to log in over telnet.

Run:

#echo "pts/0" >> /etc/securetty

#echo "pts/1" >> /etc/securetty

Disable SELinux

#vim /etc/selinux/config

Set SELINUX to disabled (note down the value it had before the change):

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

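Stop the firewall

First check the firewall status (once the upgrade is finished, iptables must be put back in its original state):

#systemctl status iptables

Stop the firewall:

#systemctl stop iptables

Edit the PAM configuration file so that telnet allows root to log in.

#vim /etc/pam.d/login

Comment out the first line by putting # in front of: auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so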

#%PAM-1.0
#auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       substack     system-auth
auth       include      postlogin
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    include      postlogin
-session   optional     pam_ck_connector.so

Edit the configuration file:

#vim /etc/pam.d/remote

Comment out the first line by putting # in front of: auth required pam_securetty.so

#%PAM-1.0
#auth       required     pam_securetty.so
auth       substack     password-auth
auth       include      postlogin
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin

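Restart the xinetd and telnet services:

#systemctl restart xinetd

#systemctl restart telnet.socket

Then test a telnet login from another server (which must of course already have telnet installed):

#telnet ip

Enter the account name and password; the login succeeds.

Being able to log in over telnet in effect opens a second channel into the server, so that a failed ssh upgrade does not leave you unable to log in.

4. Upgrade OpenSSL

Make sure the build environment (gcc, gcc-c++) is present

First make sure gcc and gcc-c++ are on the server. These are the build tools.

#rpm -qa | grep gcc

If they are not installed, install them; here I had already downloaded the gcc and gcc-c++ packages.

Copy gcc.repo and gcc-c++.repo from the folder into /etc/yum.repos.d

#yum install gcc gcc-c++

After installation: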

[root@incloudos yum.repos.d]# rpm -qa | grep gcc
gcc-4.8.5-4.el7.x86_64
libgcc-4.8.5-4.el7.x86_64
gcc-c++-4.8.5-4.el7.x86_64
gcc-objc++-4.8.5-4.el7.x86_64
gcc-objc-4.8.5-4.el7.x86_64
[root@incloudos yum.repos.d]# gcc --version
gcc (GCC) 4.8.5 20150623 (Red Hat 4.8.5-4)
Copyright (C) 2015 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

[root@incloudos yum.repos.d]# g++ --version
g++ (GCC) 4.8.5 20150623 (Red Hat 4.8.5-4)
Copyright (C) 2015 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Remove the old openssl packages

List what is installed:

#rpm -qa | grep openssl

[root@incloudos 8gcc]# rpm  -qa | grep openssl
openssl-devel-1.0.1e-42.el7.9.x86_64
openssl-libs-1.0.1e-42.el7.9.x86_64
openssl-1.0.1e-42.el7.9.x86_64
openssl-devel-1.0.1e-42.el7.9.i686

Extract the openssl source package:

#tar zxvf openssl-1.0.2s.tar.gz

Remove these packages:

#for i in $(rpm -qa |grep openssl);do rpm -e $i --nodeps ;done

Change into the openssl-1.0.2s directory:

#cd openssl-1.0.2s

Install

Run:

#./config shared

make[1]: Leaving directory `/root/openssl-openssh/openssl3/openssl-1.0.2s/tools'
generating dummy tests (if needed)...
make[1]: Entering directory `/root/openssl-openssh/openssl3/openssl-1.0.2s/test'
md2test.c => dummytest.c
rc5test.c => dummytest.c
jpaketest.c => dummytest.c
make[1]: Leaving directory `/root/openssl-openssh/openssl3/openssl-1.0.2s/test'

Configured for linux-x86_64.
[root@incloudos openssl-1.0.2s]#

make

#make && make install

See any operating system documentation and manpages about shared
libraries for your version of UNIX.  The following manpages may be
helpful: ld(1), ld.so(1), ld.so.1(1) [Solaris], dld.sl(1) [HP],
ldd(1), crle(1) [Solaris], pldd(1) [Solaris], ldconfig(8) [Linux],
chatr(1) [HP].
cp libcrypto.pc /usr/local/ssl/lib/pkgconfig
chmod 644 /usr/local/ssl/lib/pkgconfig/libcrypto.pc
cp libssl.pc /usr/local/ssl/lib/pkgconfig
chmod 644 /usr/local/ssl/lib/pkgconfig/libssl.pc
cp openssl.pc /usr/local/ssl/lib/pkgconfig
chmod 644 /usr/local/ssl/lib/pkgconfig/openssl.pc

Installation is complete.

Run:

#echo "/usr/local/ssl/lib" >> /etc/ld.so.conf

#ldconfig

Configure the SSL libraries

#cp /usr/local/ssl/lib/libssl.so.1.0.0  /usr/lib64

#cp /usr/local/ssl/lib/libcrypto.so.1.0.0  /usr/lib64

#ln -s /usr/lib64/libcrypto.so.1.0.0  /usr/lib64/libcrypto.so.10

#ln -s /usr/lib64/libcrypto.so.1.0.0  /usr/lib64/libcrypto.so

#ln -s /usr/lib64/libssl.so.1.0.0  /usr/lib64/libssl.so.10

#ln -s /usr/lib64/libssl.so.1.0.0  /usr/lib64/libssl.so

#ln -s /usr/local/ssl/bin/openssl  /usr/bin/openssl

#ln -s /usr/local/ssl/include/openssl  /usr/include/openssl

Check the openssl version

#openssl version -a

The upgrade succeeded.

5. Upgrade OpenSSH


Uninstall

Extract the openssh source package:

#tar xvf openssh-8.0p1.tar.gz

#cd openssh-8.0p1

Remove the original openssh:

#rpm -qa | grep openssh

[root@incloudos openssl3]# rpm -qa | grep openssh
openssh-6.6.1p1-31.el7.x86_64
openssh-server-6.6.1p1-31.el7.x86_64
openssh-clients-6.6.1p1-31.el7.x86_64

Remove them:

#for i in $(rpm -qa |grep openssh);do rpm -e $i --nodeps ;done

Install

Run:

#./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-tcp-wrappers --with-ssl-dir=/usr/local/ssl --without-hardening

Host: x86_64-pc-linux-gnu
          Compiler: cc
    Compiler flags: -g -O2 -pipe -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -fno-builtin-memset -fstack-protector-strong
Preprocessor flags: -I/usr/local/ssl/include  -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE
      Linker flags: -L/usr/local/ssl/lib  -fstack-protector-strong
         Libraries: -lcrypto -ldl -lutil -lz  -lcrypt -lresolv
         +for sshd:  -lpam

PAM is enabled. You may need to install a PAM control file
for sshd, otherwise password authentication may fail.
Example PAM control files can be found in the contrib/
subdirectory

[root@incloudos openssh-8.0p1]#

Back up ssh

#cp -a /etc/ssh /root/ssh

Delete the original ssh configuration directory

#rm -rf /etc/ssh

make

#make && make install

/usr/bin/install -c -m 644 ssh.1.out /usr/share/man/man1/ssh.1
/usr/bin/install -c -m 644 scp.1.out /usr/share/man/man1/scp.1
/usr/bin/install -c -m 644 ssh-add.1.out /usr/share/man/man1/ssh-add.1
/usr/bin/install -c -m 644 ssh-agent.1.out /usr/share/man/man1/ssh-agent.1
/usr/bin/install -c -m 644 ssh-keygen.1.out /usr/share/man/man1/ssh-keygen.1
/usr/bin/install -c -m 644 ssh-keyscan.1.out /usr/share/man/man1/ssh-keyscan.1
/usr/bin/install -c -m 644 moduli.5.out /usr/share/man/man5/moduli.5
/usr/bin/install -c -m 644 sshd_config.5.out /usr/share/man/man5/sshd_config.5
/usr/bin/install -c -m 644 ssh_config.5.out /usr/share/man/man5/ssh_config.5
/usr/bin/install -c -m 644 sshd.8.out /usr/share/man/man8/sshd.8
/usr/bin/install -c -m 644 sftp.1.out /usr/share/man/man1/sftp.1
/usr/bin/install -c -m 644 sftp-server.8.out /usr/share/man/man8/sftp-server.8
/usr/bin/install -c -m 644 ssh-keysign.8.out /usr/share/man/man8/ssh-keysign.8
/usr/bin/install -c -m 644 ssh-pkcs11-helper.8.out /usr/share/man/man8/ssh-pkcs11-helper.8
/usr/bin/mkdir -p /etc/ssh
ssh-keygen: generating new host keys: RSA DSA ECDSA ED25519
/usr/sbin/sshd -t -f /etc/ssh/sshd_config
[root@incloudos openssh-8.0p1]#

Configure

With installation complete, set up the service:

#cp ./contrib/redhat/sshd.init /etc/init.d/sshd

#chkconfig --add sshd

#chkconfig sshd on

#chkconfig --list|grep sshd

[root@incloudos openssh-8.0p1]# chkconfig --list|grep sshd

Note: This output shows SysV services only and does not include native
      systemd services. SysV configuration data might be overridden by native
      systemd configuration.

      If you want to list systemd services use 'systemctl list-unit-files'.
      To see services enabled on particular target use
      'systemctl list-dependencies [target]'.

sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off
[root@incloudos openssh-8.0p1]#

Check the version

#ssh -V

[root@incloudos openssh-8.0p1]# ssh  -V
OpenSSH_8.0p1, OpenSSL 1.0.2s  28 May 2019

Run these commands (this step is also important):

#sed -i "32 aPermitRootLogin yes" /etc/ssh/sshd_config

#service sshd restart

[root@incloudos openssh-8.0p1]# sed -i "32 aPermitRootLogin yes" /etc/ssh/sshd_config
[root@incloudos openssh-8.0p1]#
[root@incloudos openssh-8.0p1]# service  sshd  restart
Restarting sshd (via systemctl):                           [  OK  ]
[root@incloudos openssh-8.0p1]#

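The upgrade is complete.

Logging in to the upgraded server over ssh from another server succeeds!

Note: do not casually uninstall the zlib package.

6. Disable telnet


Disable the telnet service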

#chkconfig telnet off

[root@incloudos openssh-8.0p1]# chkconfig telnet off
Note: Forwarding request to 'systemctl disable telnet.socket'.
Removed symlink /etc/systemd/system/sockets.target.wants/telnet.socket.

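Remove the entries that were added to /etc/securetty earlier:

#vim /etc/securetty

Delete pts/0 and pts/1.

Restore

Restore the SELinux config file:

#vim /etc/selinux/config

Set it back to whatever value it had originally:
SELINUX=disabled (one of enforcing, permissive or disabled)

Restore the iptables state
If it was running before, start it again:

#systemctl start iptables

Apply the configuration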

#systemctl restart xinetd

or

#/etc/init.d/xinetd restart

Remove (uninstall) the telnet-server package with the following command:

rpm -e telnet-server

[root@incloudos openssh-8.0p1]# rpm -e telnet-server
[root@incloudos openssh-8.0p1]#
[root@incloudos openssh-8.0p1]# rpm -qa | grep telnet
telnet-0.17-64.el7.x86_64

Comment out port 23

vim /etc/services

Connecting from another machine now fails:

[root@k8s1 telnet]# telnet 100.2.29.123
Trying 100.2.29.123...
telnet: connect to address 100.2.29.123: No route to host
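
The rollback can be checked mechanically. The following is an added example, not part of the original article. It tests the files touched for the telnet fallback, including the two PAM files edited earlier, which the restore steps in this section do not mention. The function name, the optional root prefix (so it can run against a copy of /etc) and the default original SELinux mode of enforcing are assumptions.

```shell
#!/bin/sh
# Added example: confirm the temporary telnet-fallback changes are reverted.
# Usage: audit_rollback [ROOT_PREFIX] [ORIGINAL_SELINUX_MODE]
# The function name, ROOT_PREFIX and the "enforcing" default are assumptions.
audit_rollback() (
    root=${1:-}; want=${2:-enforcing}; rc=0
    fail() { echo "FAIL: $*"; rc=1; }

    # pts/N lines were appended to securetty to let root in over telnet
    if grep -Eq '^pts/[0-9]+$' "$root/etc/securetty" 2>/dev/null; then
        fail "pts entries still present in /etc/securetty"
    fi

    # pam_securetty.so was commented out in these two PAM stacks
    for f in login remote; do
        if ! grep -Eq '^auth[[:space:]].*pam_securetty\.so' \
                "$root/etc/pam.d/$f" 2>/dev/null; then
            fail "pam_securetty.so is not active in /etc/pam.d/$f"
        fi
    done

    # SELINUX= must be back at the value noted before the upgrade
    mode=$(sed -n 's/^SELINUX=//p' "$root/etc/selinux/config" 2>/dev/null || true)
    [ "$mode" = "$want" ] || fail "SELINUX=$mode, expected $want"

    # 'systemctl enable telnet.socket' created this link; it must be gone
    link="$root/etc/systemd/system/sockets.target.wants/telnet.socket"
    if [ -L "$link" ] || [ -e "$link" ]; then
        fail "telnet.socket is still enabled"
    fi

    exit "$rc"
)
```

On the upgraded server, run audit_rollback with no arguments, or pass the SELinux mode noted before the change as the second argument with an empty first argument.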