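Upgrading to OpenSSH 9

| Software | Version |
| --- | --- |
| openssl | 3.0.11 |
| openssh | 9.5p1 |

| Node | IP | OS | Role | CPU | Memory | Disk |
| --- | --- | --- | --- | --- | --- | --- |
| node1 | 10.80.10.1 | centos7.9 | openssl | 4 cores | 8GB | 20GB |

node1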
Check the current openssl version:

```bash
# openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017
```
Download and install openssl:

Download address: https://www.openssl.org/source/

The tarball is fetched over verified TLS. If wget reports a certificate error on an older CentOS 7 image, update the ca-certificates package rather than passing --no-check-certificate.

```bash
# yum install -y gcc gcc-c++ glibc openssl openssl-devel zlib zlib-devel automake autoconf perl-IPC-Cmd
# cd /usr/local/src/
# wget https://www.openssl.org/source/openssl-3.0.11.tar.gz
# tar -xzvf openssl-3.0.11.tar.gz
# cd openssl-3.0.11
# ./config shared zlib -fPIC --prefix=/usr/local/openssl
# make -j 4 && make -j 4 install
```
Back up the existing openssl:

```bash
# mv /usr/bin/openssl /usr/bin/openssl.bak
# mv /usr/include/openssl /usr/include/openssl.bak
```
Create the openssl symlinks:

```bash
# ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
# ln -s /usr/local/openssl/include/openssl/ /usr/include/openssl
```
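Update the dynamic linker data (add the new library path to the file, then rebuild the linker cache):

```bash
# vim /etc/ld.so.conf.d/openssl.conf
/usr/local/openssl/lib64/
# ldconfig
```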
Verify the upgrade:

```bash
# openssl version
OpenSSL 3.0.11 19 Sep 2023 (Library: OpenSSL 3.0.11 19 Sep 2023)
```
Check the current ssh version:

```bash
# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
```
Uninstall the old openssh version. Open several extra terminal windows first, so that you still have a working session if the new sshd fails to start:

```bash
# rpm -qa | grep openssh
openssh-clients-7.4p1-21.el7.x86_64
openssh-7.4p1-21.el7.x86_64
openssh-server-7.4p1-21.el7.x86_64
# rpm -e --nodeps openssh-clients-7.4p1-21.el7.x86_64
# rpm -e --nodeps openssh-7.4p1-21.el7.x86_64
# rpm -e --nodeps openssh-server-7.4p1-21.el7.x86_64
# mv /etc/ssh /etc/ssh.bak
```
Download and install openssh:

Download address: https://www.openssh.com/releasenotes.html

```bash
# yum install -y pcre pcre-devel perl perl-devel perl-Test-Simple pam pam-devel
# cd /usr/local/src/
# wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.5p1.tar.gz
# tar -xzvf openssh-9.5p1.tar.gz
# cd openssh-9.5p1
# ./configure --prefix=/usr/local/openssh --with-ssl-dir=/usr/local/openssl --sysconfdir=/etc/ssh --with-zlib --with-pam
# make -j 4 && make -j 4 install
```
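Both tarballs in this guide are built and installed as root, so it is worth checking each one against its published SHA-256 digest before running `./config` or `./configure`. The following is an added example, not part of the original post: the function names are hypothetical, the `.sha256` file name is an assumption, and the digest values must be copied from the project's own release page. It generalizes slightly by accepting both hex digests and the base64 `SHA256 (file) = ...` form used in OpenSSH release notes.

```sh
#!/bin/sh
# Added example (not from the original post): check a downloaded tarball
# against a published SHA-256 digest before building it.

# normalize_sha256 TEXT: print the digest found in TEXT as lowercase hex.
# Accepts "<hex>", "<hex>  <file>", a bare base64 digest, or a BSD-style
# line "SHA256 (<file>) = <hex or base64>". Returns 1 for anything else.
normalize_sha256() {
    ns_digest=$(printf '%s\n' "$1" | awk 'NR == 1 { sub(/^.* = /, ""); print $1 }')
    if printf '%s\n' "$ns_digest" | grep -Eq '^[0-9A-Fa-f]{64}$'; then
        printf '%s\n' "$ns_digest" | tr 'A-F' 'a-f'
    elif printf '%s\n' "$ns_digest" | grep -Eq '^[A-Za-z0-9+/]{43}=$'; then
        # 32 raw bytes encode to 43 base64 characters plus one "="
        printf '%s' "$ns_digest" | base64 -d | od -An -v -tx1 | tr -d ' \n'
        echo
    else
        return 1
    fi
}

# verify_tarball FILE TEXT: 0 = digest matches, 1 = mismatch, 2 = bad input.
verify_tarball() {
    vt_file=$1
    [ -r "$vt_file" ] || { echo "cannot read $vt_file" >&2; return 2; }
    vt_expected=$(normalize_sha256 "$2") || {
        echo "unrecognised SHA-256 digest: $2" >&2; return 2; }
    vt_actual=$(sha256sum "$vt_file" | cut -d' ' -f1)
    if [ "$vt_actual" = "$vt_expected" ]; then
        echo "OK: $vt_file"
    else
        echo "MISMATCH: $vt_file" >&2
        echo "  expected $vt_expected" >&2
        echo "  actual   $vt_actual" >&2
        return 1
    fi
}

# Usage with the files from this guide (digest sources are assumptions):
#   verify_tarball openssl-3.0.11.tar.gz "$(cat openssl-3.0.11.tar.gz.sha256)"
#   verify_tarball openssh-9.5p1.tar.gz \
#       'SHA256 (openssh-9.5p1.tar.gz) = <base64 value from the release notes>'
```

Stop the procedure on any non-zero return value; a mismatch means the file is not the one the project published.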
Copy the init script and configuration files:

```bash
# cp contrib/redhat/sshd.init /etc/init.d/sshd
# cp contrib/redhat/sshd.pam /etc/pam.d/
# ln -s /usr/local/openssh/sbin/sshd /usr/sbin/
# ln -s /usr/local/openssh/bin/* /usr/bin/
```
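The new version of ssh does not allow root to log in with a password by default (PermitRootLogin defaults to prohibit-password), so edit the configuration file:

```bash
# vim /etc/ssh/sshd_config
# line 32: change the setting
PermitRootLogin yes
```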
Start sshd:

```bash
# systemctl daemon-reload
# systemctl restart sshd
# systemctl enable sshd
# systemctl status sshd
```
Verify the upgrade:

```bash
# ssh -V
OpenSSH_9.5p1, OpenSSL 3.0.11 19 Sep 2023
```
Enable the PAM module (optional):

```bash
# vim /etc/ssh/sshd_config
# line 82: change the setting
UsePAM yes
```
Edit the PAM configuration:

```bash
# vim /etc/pam.d/sshd
#%PAM-1.0
auth       required     pam_sepermit.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth
```

```bash
# systemctl restart sshd
# systemctl status sshd
```