一、安装telnet-server以及xinetd,作为临时的远程登录通道,防止openssh升级失败导致无法远程连接服务器;升级验证完成后按第六步关闭telnet
yum install xinetd telnet-server telnet -y
配置telnet登录的终端类型:/etc/securetty列出允许root登录的终端,在该文件末尾增加以下pts终端
vi /etc/securetty
pts/0
pts/1
pts/2
pts/3
启动telnet服务,并使用telnet连接至服务器
systemctl start telnet.socket
systemctl start xinetd
telnet 127.0.0.1
输入服务器用户名和密码
二、环境准备:检查操作系统版本是否为以下版本
cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)
核实操作系统版本无误后,安装以下所有依赖包
yum install gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel pam-devel zlib-devel tcp_wrappers-devel tcp_wrappers
三、开始进行升级安装步骤:
1、上传openssh、openssl、zlib升级包至/tmp目录下,并执行解压
cd /tmp
tar -xf openssh-8.2p1.tar.gz
tar -xf openssl-1.1.1g.tar.gz
tar -xf zlib-1.2.11.tar.gz
2、编译安装zlib
cd zlib-1.2.11
./configure
make
make install
ll /usr/local/lib
3、编译安装openssl-1.1.1g
cd openssl-1.1.1g
检查环境
./config shared zlib --prefix=/usr/local/ssl
./config -t
编译安装
make -j 4 && make install
执行echo $?,返回0说明上一步安装正常
echo $?
查看openssl默认安装路径
which openssl
备份原来的文件,以实际路径为准
mv /usr/bin/openssl /usr/bin/openssl.BAK
更新动态库搜索路径并刷新缓存
echo "/usr/local/ssl/lib" >> /etc/ld.so.conf
ldconfig
ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
ln -s /usr/local/ssl/lib/libssl.so.1.1 /usr/lib64/libssl.so.1.1
ln -s /usr/local/ssl/lib/libcrypto.so.1.1 /usr/lib64/libcrypto.so.1.1
检查是否升级成功
openssl version -a
查询openssl版本输出信息如下表示安装成功:
OpenSSL 1.1.1g 21 Apr 2020
built on: Mon May 25 02:31:46 2020 UTC
platform: linux-x86_64
options: bn(64,64) rc4(16x,int) des(int) idea(int) blowfish(ptr)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DNDEBUG
OPENSSLDIR: "/usr/local/ssl"
ENGINESDIR: "/usr/local/lib64/engines-1.1"
Seeding source: os-specific
4、编译安装openssh
cd openssh-8.2p1
备份原来的ssh配置目录(原主机密钥随之移入/etc/ssh_bak,如需保持主机密钥不变,安装后可从中拷回)
mv /etc/ssh/ /etc/ssh_bak
检查环境
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-tcp-wrappers --with-ssl-dir=/usr/local/ssl --without-hardening
正常情况下,configure成功后最后可以看到配置摘要输出(此处略);如果输出为其他报错信息,一般是openssl配置不正确导致
检查环境若无报错提示,则执行以下步骤进行编译
make -j 4
安装
make install
install -v -m755 contrib/ssh-copy-id /usr/bin
install -v -m644 contrib/ssh-copy-id.1 /usr/share/man/man1
install -v -m755 -d /usr/share/doc/openssh-8.2p1
install -v -m644 INSTALL LICENCE OVERVIEW README* /usr/share/doc/openssh-8.2p1
cp ./contrib/redhat/sshd.init /etc/init.d/sshd
cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd.pam
chmod u+x /etc/init.d/sshd
备份原来的启动脚本
mv /usr/lib/systemd/system/sshd.service /usr/lib/systemd/system/sshd.service_bak
加入开机启动项
chkconfig --add sshd
chkconfig sshd on
允许root登录(下面以行号32插入,需以实际sshd_config的内容为准)
sed -i "32a PermitRootLogin yes" /etc/ssh/sshd_config
重启验证sshd服务是否正常
/etc/init.d/sshd restart
systemctl restart sshd
5、检查sshd服务状态
systemctl status sshd
6、测试没问题后可以把telnet服务关闭了
systemctl disable xinetd.service
systemctl stop xinetd.service
systemctl disable telnet.socket
systemctl stop telnet.socket
常见问题:
1.服务器不能访问外网时如何安装依赖包:找一台可以访问外网、且操作系统版本与待升级服务器一致的服务器,执行以下命令,将rpm下载到/tmp/openssh目录下
yum install --downloadonly --downloaddir=/tmp/openssh gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel pam-devel zlib-devel tcp_wrappers-devel tcp_wrappers
执行仅下载不安装的命令后,可在/tmp/openssh目录下看到下载的rpm;将该目录打包上传到内网服务器,执行yum localinstall *.rpm即可
2、升级openssh后,执行ulimit -n看到的打开文件数被重置为1024,过小(新编译的sshd默认未启用PAM,pam_limits.so未生效)
如图所示(图略):
启用PAM验证(同样以行号83插入,需以实际sshd_config的内容为准)
sed -i "83a UsePAM yes" /etc/ssh/sshd_config
编辑/etc/pam.d/sshd(vi /etc/pam.d/sshd),添加以下配置
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
session required pam_limits.so
重启sshd服务后,重新连接服务器即可
systemctl restart sshd
附:openssh升级脚本,仅供参考,可根据实际场景修改(注意脚本中使用的openssh版本为8.3p1,与上文步骤中的8.2p1不同,需按实际安装包调整)
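#!/bin/bash
#
# OpenSSH upgrade helper for CentOS 7, restructured from the flat script.
#
# Flow (same as the original):
#   1. install telnet-server/telnet/xinetd if missing, allow pts/0-3 in
#      /etc/securetty and start telnet as a temporary fallback channel
#   2. build openssl-$OPENSSL_VER into /usr/local/ssl (skipped when
#      `openssl version` already reports that version)
#   3. build openssh-$OPENSSH_VER against it, install over /usr, switch sshd
#      to the contrib/redhat SysV script, restart and print the new version
#   4. offer to stop or remove telnet-server again
#
# Build dependencies (gcc, openssl-devel, pam-devel, zlib-devel, ...) are
# expected to be installed beforehand; the original's yum line for them was
# commented out and is not repeated here.
#
# Must run as root. Tunables (environment; defaults match the original):
#   SRC_DIR            directory holding the tarballs             (/tmp)
#   OPENSSL_VER        openssl version to build                    (1.1.1g)
#   OPENSSH_VER        openssh version to build                    (8.3p1)
#   OPENSSL_SHA256     optional expected sha256 of the openssl tarball
#   OPENSSH_SHA256     optional expected sha256 of the openssh tarball
#   PERMIT_ROOT_LOGIN  value written for PermitRootLogin           (yes)
#   KEEP_HOST_KEYS     reuse the existing host keys after the move (yes)
#   MAKE_JOBS          make parallelism                            (4)
#   LOG_DIR            where install_*.log files go                ($PWD)
set -euo pipefail

readonly SRC_DIR=${SRC_DIR:-/tmp}
readonly OPENSSL_VER=${OPENSSL_VER:-1.1.1g}
readonly OPENSSH_VER=${OPENSSH_VER:-8.3p1}
readonly OPENSSL_SHA256=${OPENSSL_SHA256:-}
readonly OPENSSH_SHA256=${OPENSSH_SHA256:-}
readonly PERMIT_ROOT_LOGIN=${PERMIT_ROOT_LOGIN:-yes}
readonly KEEP_HOST_KEYS=${KEEP_HOST_KEYS:-yes}
readonly MAKE_JOBS=${MAKE_JOBS:-4}
readonly LOG_DIR=${LOG_DIR:-$PWD}
readonly SSL_PREFIX=/usr/local/ssl
readonly SSHD_CONFIG=/etc/ssh/sshd_config

# Print a message in cyan (the highlight colour the original used).
cyan() { printf '\033[36m%s\033[0m\n' "$*"; }

# Print a message to stderr and abort with status 1 (the original exited 0
# on every failure path, which hid errors from callers).
die() { printf '%s\n' "$*" >&2; exit 1; }

# Verify file $1 against expected sha256 $2; an empty $2 skips the check.
verify_sha256() {
  local file=$1 expected=$2
  [[ -n "$expected" ]] || return 0
  printf '%s  %s\n' "$expected" "$file" | sha256sum -c --status \
    || die "sha256校验失败: $file"
}

# Abort unless SRC_DIR exists and holds every tarball named in "$@".
require_tarballs() {
  local f
  if [[ ! -d "$SRC_DIR" ]]; then
    mkdir -p -- "$SRC_DIR"
    die "请上传安装包到${SRC_DIR}/目录"
  fi
  echo "目录已存在,检查是否在安装包"
  for f in "$@"; do
    [[ -e "$SRC_DIR/$f" ]] || die "请上传安装包到${SRC_DIR}/目录 (缺少 $f)"
  done
  echo "已存在安装包...开始安装..."
}

# Append line $2 to file $1 unless it is already present as a whole line.
append_line_once() {
  local file=$1 line=$2
  grep -qxF -- "$line" "$file" 2>/dev/null || printf '%s\n' "$line" >> "$file"
}

# Set "key value" in sshd_config: rewrite the first (possibly commented-out)
# occurrence of the directive, or append it when absent. Replaces the
# original line-number inserts (`sed -i "32a ..."`, `"83a ..."`), which land
# in the wrong place whenever the shipped sshd_config differs.
set_sshd_option() {
  local key=$1 value=$2
  if grep -Eq "^[#[:space:]]*${key}[[:space:]]" "$SSHD_CONFIG"; then
    sed -i -E "0,/^[#[:space:]]*${key}[[:space:]].*/s//${key} ${value}/" "$SSHD_CONFIG"
  else
    printf '%s %s\n' "$key" "$value" >> "$SSHD_CONFIG"
  fi
}

# Install telnet-server/telnet/xinetd unless all three are already present.
ensure_telnet_installed() {
  echo "检查是否已安装telnet 服务..."
  if rpm -q telnet-server telnet xinetd >/dev/null 2>&1; then
    cyan "已安装telnet-server和telnet服务!"
    return
  fi
  yum install xinetd telnet-server telnet -y >> "$LOG_DIR/install_telnet.log"
  cyan "telnet-server和telnet安装成功!"
}

# Allow root logins on pts/0-3 (telnet sessions get a pts); idempotent, so a
# re-run does not append duplicate entries.
configure_securetty() {
  local t added=0
  for t in pts/0 pts/1 pts/2 pts/3; do
    if ! grep -qxF -- "$t" /etc/securetty 2>/dev/null; then
      printf '%s\n' "$t" >> /etc/securetty
      added=1
    fi
  done
  (( added )) || printf '/etc/securetty已存在\033[36mpts/0,pts/1,pts/2,pts/3\033[0m\n'
}

# Start telnet.socket + xinetd and confirm something listens on tcp/23.
# Aborting here matters: sshd is about to be replaced, so the fallback must
# be known-good first.
start_telnet() {
  echo "正在启动telnet服务..."
  systemctl start telnet.socket
  systemctl start xinetd
  # ss ships with iproute in the base install; no need to pull net-tools.
  if ss -ltn | grep -Eq ':23[[:space:]]'; then
    cyan "telnet-server服务已开启!"
  else
    die "telnet-server未监听23端口,请检查后重试"
  fi
}

# Build openssl-$OPENSSL_VER into $SSL_PREFIX and point /usr/bin/openssl,
# /usr/include/openssl and the dynamic loader at it.
install_openssl() {
  local tarball=openssl-${OPENSSL_VER}.tar.gz
  echo "正在准备安装openssl"
  if openssl version 2>/dev/null | grep -qF -- "$OPENSSL_VER"; then
    cyan "已经安装所需版本的openssl"
    return
  fi
  cyan "开始安装openssl!"
  cd -- "$SRC_DIR"
  tar xfz "$tarball"
  # Keep the distro binary/headers reachable under *_bak. On a re-run the
  # originals are already moved and /usr/bin/openssl is our symlink, so do
  # not overwrite the backup with it.
  if [[ -e /usr/bin/openssl && ! -e /usr/bin/openssl_bak ]]; then
    mv /usr/bin/openssl /usr/bin/openssl_bak
  fi
  if [[ -d /usr/include/openssl && ! -e /usr/include/openssl_bak ]]; then
    mv /usr/include/openssl /usr/include/openssl_bak
  fi
  echo "备份完成!"
  cyan "配置、编译、安装!"
  cd -- "$SRC_DIR/openssl-${OPENSSL_VER}/"
  if ! { ./config shared zlib --prefix="$SSL_PREFIX" \
         && make -j "$MAKE_JOBS" && make install; } \
       >> "$LOG_DIR/install_openssl.log" 2>&1; then
    die "openssl环境检查失败,请重新检查安装 (详见 $LOG_DIR/install_openssl.log)"
  fi
  # -sfn: replace leftovers from an earlier run instead of failing on them.
  ln -sfn "$SSL_PREFIX/bin/openssl" /usr/bin/openssl
  ln -sfn "$SSL_PREFIX/include/openssl" /usr/include/openssl
  append_line_once /etc/ld.so.conf "$SSL_PREFIX/lib"
  /usr/sbin/ldconfig
  cyan "openssl安装成功!当前版本为:$(openssl version)"
}

# Build openssh-$OPENSSH_VER against $SSL_PREFIX, install it over /usr and
# switch sshd to the contrib/redhat SysV init script (the original replaces
# the systemd unit this way).
install_openssh() {
  local tarball=openssh-${OPENSSH_VER}.tar.gz
  local src=$SRC_DIR/openssh-${OPENSSH_VER}
  local ssh_bak=/etc/ssh_bak
  echo "正在准备安装openssh......"
  if ssh -V 2>&1 | grep -qF -- "OpenSSH_${OPENSSH_VER}"; then
    cyan "openssh已是${OPENSSH_VER}版本"
    return
  fi
  cyan "开始安装openssh!"
  cd -- "$SRC_DIR"
  tar xfz "$tarball"
  if [[ -d /etc/ssh ]]; then
    # A plain `mv` would nest /etc/ssh inside an existing /etc/ssh_bak on a
    # second run; use a timestamped name instead and keep the first backup.
    [[ -e "$ssh_bak" ]] && ssh_bak="${ssh_bak}.$(date +%Y%m%d%H%M%S)"
    mv /etc/ssh "$ssh_bak"
    if [[ "$KEEP_HOST_KEYS" == yes ]]; then
      # Reuse the host keys so clients do not see a changed host key after
      # the upgrade; `make install` only generates keys that are missing.
      mkdir -p /etc/ssh
      cp -p -- "$ssh_bak"/ssh_host_*_key "$ssh_bak"/ssh_host_*_key.pub /etc/ssh/ 2>/dev/null || true
    fi
  fi
  cd -- "$src"
  # --without-hardening turns off the toolchain hardening flags (PIE,
  # stack protector); kept for parity with the original build line.
  # --with-tcp-wrappers is no longer recognised by OpenSSH 8.x configure (it
  # only warns); also kept for parity.
  if ! { ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords \
           --with-pam --with-tcp-wrappers --with-ssl-dir="$SSL_PREFIX" \
           --without-hardening \
         && make -j "$MAKE_JOBS" && make install \
         && install -v -m755 contrib/ssh-copy-id /usr/bin \
         && install -v -m644 contrib/ssh-copy-id.1 /usr/share/man/man1 \
         && install -v -m755 -d "/usr/share/doc/openssh-${OPENSSH_VER}" \
         && install -v -m644 INSTALL LICENCE OVERVIEW README* \
              "/usr/share/doc/openssh-${OPENSSH_VER}"; } \
       >> "$LOG_DIR/install_openssh.log" 2>&1; then
    # The original's `[ `echo $?`==0 ]` had no spaces around == and was
    # therefore always true, so the post-install steps ran on a failed build.
    die "openssh编译安装失败,请检查 $LOG_DIR/install_openssh.log"
  fi
  set_sshd_option PermitRootLogin "$PERMIT_ROOT_LOGIN"
  set_sshd_option UsePAM yes
  cp -a ./contrib/redhat/sshd.init /etc/init.d/sshd
  chmod u+x /etc/init.d/sshd
  # PAM looks up /etc/pam.d/sshd (the service name); the original's copy to
  # /etc/pam.d/sshd.pam was never consulted. Install the redhat stack only
  # when no sshd PAM file exists yet, so a distro-provided one is kept.
  [[ -e /etc/pam.d/sshd ]] || cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd
  if [[ -e /usr/lib/systemd/system/sshd.service ]]; then
    mv /usr/lib/systemd/system/sshd.service /usr/lib/systemd/system/sshd.service_bak
  fi
  systemctl daemon-reload
  chkconfig --add sshd
  chkconfig sshd on
  /etc/init.d/sshd restart
  sleep 2
  printf '安装完成,当前SSH版本为: \033[32m %s \033[0m\n' "$(ssh -V 2>&1)"
}

# Offer to stop or remove telnet-server now that the new sshd is up.
telnet_menu() {
  local choice
  cyan "是否关闭或卸载telnet-server?"
  echo "1. 关闭telnet-server"
  echo "2. 卸载telnet-server"
  echo "3. 跳过并退出"
  read -r -p "请输入选项:" choice || choice=3
  case "$choice" in
    1)
      systemctl disable xinetd.service
      systemctl stop xinetd.service
      systemctl disable telnet.socket
      systemctl stop telnet.socket
      cyan "telnet-server已关闭"
      ;;
    2)
      # Stop the listener first, then remove by package name instead of the
      # hard-coded NVR of one particular build.
      systemctl stop telnet.socket
      rpm -e telnet-server
      rpm -q telnet-server >/dev/null 2>&1 || cyan "telnet-server已卸载"
      ;;
    *)
      exit 0
      ;;
  esac
}

main() {
  (( EUID == 0 )) || die "请以root身份运行本脚本"
  local oldversion
  oldversion=$(ssh -V 2>&1 || true)
  echo "开始执行 OpenSSH 版本升级脚本"
  printf '现在的ssh版本是:\033[36m %s \033[0m\n' "$oldversion"
  ensure_telnet_installed
  configure_securetty
  start_telnet
  echo "检查是否存在${SRC_DIR} 目录,及软件安装包"
  require_tarballs "openssl-${OPENSSL_VER}.tar.gz" "openssh-${OPENSSH_VER}.tar.gz"
  verify_sha256 "$SRC_DIR/openssl-${OPENSSL_VER}.tar.gz" "$OPENSSL_SHA256"
  verify_sha256 "$SRC_DIR/openssh-${OPENSSH_VER}.tar.gz" "$OPENSSH_SHA256"
  install_openssl
  install_openssh
  telnet_menu
}

main "$@"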