一、安装telnet-server以及xinetd,防止openssh升级失败导致无法远程连接服务器
yum install xinetd telnet-server telnet -y
配置telnet登录的终端类型,在/etc/securetty文件末尾增加一些pts终端,如下
vi /etc/securetty
pts/0
pts/1
pts/2
pts/3
启动telnet服务,并使用telnet连接至服务器
systemctl start telnet.socket
systemctl start xinetd
telnet 127.0.0.1 
输入服务器用户名和密码
二、环境准备:检查操作系统版本是否为以下版本
cat /etc/redhat-release 
CentOS Linux release 7.6.1810 (Core)
核实操作系统版本无误,执行安装以下所有依赖包
yum install gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel pam-devel zlib-devel tcp_wrappers-devel tcp_wrappers
三、开始进行升级安装步骤:
1、上传openssh升級包至/tmp目录下,并执行解压
cd /tmp
tar -xf openssh-8.2p1.tar.gz
tar -xf openssl-1.1.1g.tar.gz
tar -xf zlib-1.2.11.tar.gz
2、编译安装zlib
cd zlib-1.2.11
./configure
make
make install
ll /usr/local/lib
3、编译安装openssl-1.1.1g
cd openssl-1.1.1g
检查环境
./config shared zlib  --prefix=/usr/local/ssl
./config -t
编译安装
make -j 4 && make install
执行echo $?返回0说明安装正常
echo $?
查看openssl默认安装路径
which openssl
备份原来的文件,以实际路径为准
mv /usr/bin/openssl /usr/bin/openssl.BAK
更新函数库
echo "/usr/local/ssl/lib" >> /etc/ld.so.conf
ldconfig
ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
ln -s /usr/local/ssl/lib/libssl.so.1.1 /usr/lib64/libssl.so.1.1
ln -s /usr/local/ssl/lib/libcrypto.so.1.1 /usr/lib64/libcrypto.so.1.1
检查是否升级成功
openssl version -a

centos 8 stream 升级openssl centos7.6升级openssh_bc

查询openssl版本输出信息如下表示安装成功:
OpenSSL 1.1.1g  21 Apr 2020
built on: Mon May 25 02:31:46 2020 UTC
platform: linux-x86_64
options:  bn(64,64) rc4(16x,int) des(int) idea(int) blowfish(ptr) 
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DNDEBUG
OPENSSLDIR: "/usr/local/ssl"
ENGINESDIR: "/usr/local/lib64/engines-1.1"
Seeding source: os-specific
4、编译安装openssh
cd openssh-8.2p1
备份原来的ssh目录
mv /etc/ssh/ /etc/ssh_bak
检查环境
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-tcp-wrappers  --with-ssl-dir=/usr/local/ssl --without-hardening
正常情况下,初始化成功最后可以看到如下内容输出,如果输出为其他报错信息,一般情况是openssl配置不正确导致

centos 8 stream 升级openssl centos7.6升级openssh_bc_02

检查环境若无报错提示,则执行以下步骤进行编译
make -j 4
安装
make install
install -v -m755    contrib/ssh-copy-id /usr/bin
install -v -m644 contrib/ssh-copy-id.1 /usr/share/man/man1
install -v -m755 -d /usr/share/doc/openssh-8.2p1
install -v -m644 INSTALL LICENCE OVERVIEW README* /usr/share/doc/openssh-8.2p1
cp ./contrib/redhat/sshd.init /etc/init.d/sshd
cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd.pam
chmod u+x /etc/init.d/sshd
备份原来的启动脚本
mv /usr/lib/systemd/system/sshd.service /usr/lib/systemd/system/sshd.service_bak
加入开机启动项
chkconfig --add sshd
chkconfig sshd on
允许root登录
sed -i "32a PermitRootLogin yes" /etc/ssh/sshd_config
重启验证sshd服务是否正常
/etc/init.d/sshd restart
systemctl restart sshd
5、检查sshd服务状态
systemctl status sshd
6、测试没问题后可以把telnet服务关闭了
systemctl disable xinetd.service
systemctl stop xinetd.service
systemctl disable telnet.socket
systemctl stop telnet.socket

centos 8 stream 升级openssl centos7.6升级openssh_服务器_03

常见问题:
1.服务器不能访问外网怎么安装依赖包,找一台可以访问外网的服务器,要求和需要升级的服务器操作系统版本一致,执行下以下命令,将rpm下载到/tmp/openssh目录下

yum install --downloadonly --downloaddir=/tmp/openssh gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel pam-devel zlib-devel tcp_wrappers-devel tcp_wrappers
执行仅下载不安装命令后可以在/tmp/openssh目录下看到下载的rpm,将openssh目录打包上传到内网服务器上执行yum localinstall *.rpm命令即可

2、升级openssh后,执行ulimit -n查看到的打开文件数被重置为1024,过小

如图所示:

centos 8 stream 升级openssl centos7.6升级openssh_服务器_04

启用PAM验证
sed -i "83a UsePAM yes" /etc/ssh/sshd_config
编辑并添加vi /etc/pam.d/sshd配置信息
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so
session    required     pam_limits.so
重启sshd服务后,重新连接服务器即可
systemctl restart sshd

附上:openssh升级脚本,仅供参考.可以根据实际场景进行修改

#!/bin/bash

oldversion=`ssh -V 2>&1`
echo "开始执行 OpenSSH 版本升级脚本"
echo -e "现在的ssh版本是:\033[36m $oldversion \033[0m"


# 安装telnet-server和telnent
echo "检查是否已安装telnet 服务..."
if [ `rpm -qa|grep telnet|wc -l` == 2 ]
then
	echo -e "\033[36m已安装telnet-server和telnet服务!\033[0m"
else
	yum install xinetd telnet-server telnet -y>>install_telnet.log
	if [ `echo $?` == 0 ]
	then
		echo -e "\033[36mtelnet-server和telnet安装成功!\033[0m"
	fi
fi

# 配置telnet-server
if [ `grep pts /etc/securetty|wc -l` -lt 4 ]
then
cat>>/etc/securetty<<EOF
pts/0
pts/1
pts/2
pts/3
EOF
else
	echo -e "/etc/securetty已存在\033[36mpts/0,pts/1,pts/2,pts/3\033[0m"
fi

echo "正在启动telnet服务..."
systemctl start telnet.socket
systemctl start xinetd

if [ `rpm -qa|grep net-tools|wc -l` == 1 ]
then
	if [ `netstat -tuanp|grep -E ":::23"|wc -l` == 1 ]
	then
		echo -e "\033[36mtelnet-server服务已开启!\033[0m"
	fi
else
	yum -y install net-tools>>install_net-tools.log
	if [ `netstat -anp|grep 23|wc -l` == 1 ]
        then
                echo -e "\033[36mtelnet-server服务已开启!\033[0m"
        fi
fi	

#echo "安装依赖包..."
#echo -e "\033[36mgcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel  pam-devel\033[0m"
#yum install  -y gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel  pam-devel>>install_lib.log

#echo -e "\033[36mpam* zlib*\033[0m"
#yum install  -y pam* zlib*>>install_lib.log
echo "正在准备安装openssl"
echo "检查是否存在/tmp 目录,及软件安装包"
if [ -d "/tmp/" ]
then
	echo "目录已存在,检查是否在安装包"
	if [ -e "/tmp/openssl-1.1.1g.tar.gz" -a -e "/tmp/openssh-8.3p1.tar.gz" ]
	then
		echo "已存在安装包...开始安装..."
	else
		echo "请上传安装包到/tmp/目录"
		exit
	fi
else
	mkdir -p /tmp
	echo "请上传安装包到/tmp/目录"
	exit
fi

if [ `openssl version|grep "1.1.1g"|wc -l` -eq "1" ]
then
	echo -e "\033[36m已经安装所需版本的openssl\033[0m"
else
	echo -e "\033[36m开始安装openssl!\033[0m"
	cd /tmp
	tar xfz openssl-1.1.1g.tar.gz
	if [ -e "/usr/bin/openssl" -a -d "/usr/include/openssl" ]
	then
		mv /usr/bin/openssl /usr/bin/openssl_bak
		mv /usr/include/openssl /usr/include/openssl_bak
		if [ -e "/usr/bin/openssl_bak" -a -d "/usr/include/openssl_bak" ]
		then
			echo "备份完成!"
		fi
	fi
	echo -e "\033[36m配置、编译、安装!\033[0m"
	cd /tmp/openssl-1.1.1g/
	./config shared zlib --prefix=/usr/local/ssl && make -j 2 && make install>>install_openssl.log

	if [ `echo $?` == 0 ]
	then
		ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
		ln -s /usr/local/ssl/include/openssl /usr/include/openssl
		echo "/usr/local/ssl/lib" >> /etc/ld.so.conf
		/usr/sbin/ldconfig
		if [ -e "/usr/bin/openssl" -a -d "/usr/include/openssl" ]
		then
			version_ssl=`openssl version`
			echo -e "\033[36mopenssl安装成功!当前版本为:$version_ssl\033[0m"
		fi
                else
                echo "openssl环境检查失败,请重新检查安装"
	fi
fi



echo "检查是否存在/tmp 目录,及软件安装包"
echo "正在准备安装openssh......"
if [ -d "/tmp/" ]
then
	echo "目录已存在,检查是否在安装包"
	if [ -e "/tmp/openssh-8.3p1.tar.gz" -a -e "/tmp/openssh-8.3p1.tar.gz" ]
	then
		echo "已存在安装包...开始安装..."
	else
		echo "请上传安装包到/tmp/目录"
		exit
	fi
else
	mkdir -p /tmp
	echo "请上传安装包到/tmp/目录"
	exit
fi

sshversion=`ssh -V 2>&1`
if [[ $sshversion = "OpenSSH_8.3p1, OpenSSL 1.1.1g  21 Apr 2020" ]]
then
        echo -e "\033[36mopenssh已是8.3p1版本\033[0m"
else

	echo -e "\033[36m开始安装openssh!\033[0m"
	cd /tmp/
	tar xfz openssh-8.3p1.tar.gz
	cd /tmp/openssh-8.3p1
	mv /etc/ssh/ /etc/ssh_bak
	cd /tmp/openssh-8.3p1
	./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-tcp-wrappers  --with-ssl-dir=/usr/local/ssl --without-hardenin
g && make -j 4 && make install && install -v -m755 contrib/ssh-copy-id /usr/bin && install -v -m644 contrib/ssh-copy-id.1 /usr/share/man/man1 && install -v -
m755 -d /usr/share/doc/openssh-8.3p1 && install -v -m644 INSTALL LICENCE OVERVIEW README* /usr/share/doc/openssh-8.3p1

	if [ `echo $?`==0 ]
	then
                        sed -i "32a PermitRootLogin yes" /etc/ssh/sshd_config
                        sed -i "83a UsePAM yes" /etc/ssh/sshd_config
			cd /tmp/openssh-8.3p1
			\cp -a ./contrib/redhat/sshd.init /etc/init.d/sshd
			\cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd.pam
			chmod u+x /etc/init.d/sshd
			mv /usr/lib/systemd/system/sshd.service /usr/lib/systemd/system/sshd.service_bak
	                chkconfig --add sshd
                        chkconfig sshd on
			/etc/init.d/sshd restart
                        sleep 2s
			newversion=`ssh -V 2>&1`
			echo -e "安装完成,当前SSH版本为: \033[32m $newversion \033[0m"
	fi
fi


echo -e "\033[36m是否关闭或卸载telnet-server?\033[0m"""
echo "1. 关闭telnet-server"
echo "2. 卸载telnet-server"
echo "3. 跳过并退出"
read -p "请输入选项:" choice
case $choice in
1)
command
systemctl disable xinetd.service
systemctl stop xinetd.service
systemctl disable telnet.socket
systemctl stop telnet.socket
echo -e "\033[36mtelnet-server已关闭\033[0m"""
;;
2)
rpm -qa|grep telnet
rpm -e telnet-server-0.17-64.el7.x86_64
if [ `rpm -qa|grep telnet|wc -l` == 1 ]
then
	echo -e "\033[36mtelnet-server已关闭\033[0m"""
fi
;;
*)
exit;;
esac