Upgrading to OpenSSH 9

Software versions
  openssl  3.0.11
  openssh  9.5p1

Node    IP           OS          Role      CPU      Memory  Disk
node1   10.80.10.1   centos7.9   openssl   4 cores  8GB     20GB

node1

Check the current OpenSSL version:

# openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017

Download and install OpenSSL:

Download page: https://www.openssl.org/source/

# yum install -y gcc gcc-c++ glibc openssl openssl-devel zlib zlib-devel automake autoconf perl-IPC-Cmd
# cd /usr/local/src/
# wget https://www.openssl.org/source/openssl-3.0.11.tar.gz --no-check-certificate
# tar -xzvf openssl-3.0.11.tar.gz
# cd openssl-3.0.11
# ./config shared zlib -fPIC --prefix=/usr/local/openssl
# make -j 4 && make -j 4 install

Back up the system OpenSSL binary and headers:

# mv /usr/bin/openssl /usr/bin/openssl.bak
# mv /usr/include/openssl /usr/include/openssl.bak

Create symlinks to the new OpenSSL:

# ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
# ln -s /usr/local/openssl/include/openssl/ /usr/include/openssl

Register the new library directory with the dynamic linker (the file contains the single line shown), then refresh the cache:

# vim /etc/ld.so.conf.d/openssl.conf
/usr/local/openssl/lib64/

# ldconfig

Verify the OpenSSL upgrade:

# openssl version
OpenSSL 3.0.11 19 Sep 2023 (Library: OpenSSL 3.0.11 19 Sep 2023)

Check the current SSH version:

# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017

Remove the old OpenSSH packages. Open several extra terminal sessions to the node first, so that an existing session survives if the new sshd fails to start:

# rpm -qa | grep openssh
openssh-clients-7.4p1-21.el7.x86_64
openssh-7.4p1-21.el7.x86_64
openssh-server-7.4p1-21.el7.x86_64
# rpm -e --nodeps openssh-clients-7.4p1-21.el7.x86_64
# rpm -e --nodeps openssh-7.4p1-21.el7.x86_64
# rpm -e --nodeps openssh-server-7.4p1-21.el7.x86_64
# mv /etc/ssh /etc/ssh.bak

Download and install OpenSSH:

Release notes: https://www.openssh.com/releasenotes.html

# yum install -y pcre pcre-devel perl perl-devel perl-Test-Simple pam pam-devel
# cd /usr/local/src/
# wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.5p1.tar.gz
# tar -xzvf openssh-9.5p1.tar.gz
# cd openssh-9.5p1
# ./configure --prefix=/usr/local/openssh --with-ssl-dir=/usr/local/openssl --sysconfdir=/etc/ssh --with-zlib --with-pam
# make -j 4 && make -j 4 install

Copy the init script and PAM configuration, and link the new binaries into the system paths:

# cp contrib/redhat/sshd.init /etc/init.d/sshd
# cp contrib/redhat/sshd.pam /etc/pam.d/
# ln -s /usr/local/openssh/sbin/sshd /usr/sbin/
# ln -s /usr/local/openssh/bin/* /usr/bin/

The new OpenSSH version forbids root login by default; edit the configuration file:

# vim /etc/ssh/sshd_config
# line 32: change the setting to
PermitRootLogin yes

Start sshd:

# systemctl daemon-reload
# systemctl restart sshd
# systemctl enable sshd
# systemctl status sshd

Verify the OpenSSH upgrade:

# ssh -V
OpenSSH_9.5p1, OpenSSL 3.0.11 19 Sep 2023
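Two checks a practitioner wants after the final `ssh -V`: that the reported releases really meet the 9.5p1 / 3.0.11 targets, and that the new sshd binary resolves libssl and libcrypto from /usr/local/openssl rather than the system 1.0.2k libraries that remain in /lib64. The script below is an added example, not part of the original post; the `ssh -V` and `ldd` outputs embedded in it are constructed samples standing in for the real commands, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): post-upgrade checks for OpenSSH/OpenSSL.
# The sample strings below are constructed stand-ins for real `ssh -V` and `ldd` output.
SAMPLE_NEW_SSH_V='OpenSSH_9.5p1, OpenSSL 3.0.11 19 Sep 2023'
SAMPLE_OLD_SSH_V='OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017'
SAMPLE_LDD_GOOD='    linux-vdso.so.1 =>  (0x00007ffc0000)
    libssl.so.3 => /usr/local/openssl/lib64/libssl.so.3 (0x00007f0001)
    libcrypto.so.3 => /usr/local/openssl/lib64/libcrypto.so.3 (0x00007f0002)
    libc.so.6 => /lib64/libc.so.6 (0x00007f0003)'
SAMPLE_LDD_BAD='    libssl.so.10 => /lib64/libssl.so.10 (0x00007f0001)
    libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f0002)'

# OpenSSH release from an `ssh -V` line, e.g. 9.5p1.
ssh_release() {
  printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9.]*p[0-9]*\).*/\1/p'
}

# OpenSSL release from an `ssh -V` or `openssl version` line, e.g. 3.0.11 or 1.0.2k.
openssl_release() {
  printf '%s\n' "$1" | sed -n 's/.*OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p'
}

# version_ge A B: true when release A is at least release B. Digit runs are compared
# numerically field by field, so 9.5p1 is read as 9 5 1 and 1.0.2k as 1 0 2.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, /[^0-9]+/); nb = split(b, y, /[^0-9]+/)
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      p = (i <= na) ? x[i] + 0 : 0
      q = (i <= nb) ? y[i] + 0 : 0
      if (p > q) exit 0
      if (p < q) exit 1
    }
    exit 0
  }'
}

# check_upgrade LINE [WANT_SSH] [WANT_SSL]: true when LINE reports at least the target releases.
check_upgrade() {
  have_ssh=$(ssh_release "$1"); have_ssl=$(openssl_release "$1")
  if [ -z "$have_ssh" ] || [ -z "$have_ssl" ]; then
    echo "cannot parse version line: $1" >&2
    return 2
  fi
  version_ge "$have_ssh" "${2:-9.5p1}" && version_ge "$have_ssl" "${3:-3.0.11}"
}

# linked_against_prefix LDD_OUTPUT PREFIX: true when every libssl/libcrypto the loader
# resolves lives under PREFIX (and at least one such library is present at all).
linked_against_prefix() {
  printf '%s\n' "$1" | awk -v p="$2" '
    $1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" { n++; if (index($3, p) != 1) bad++ }
    END { if (n > 0 && bad == 0) exit 0; exit 1 }'
}

# Stand-alone demonstration on the constructed samples.
for line in "$SAMPLE_NEW_SSH_V" "$SAMPLE_OLD_SSH_V"; do
  if check_upgrade "$line"; then echo "OK   $line"; else echo "OLD  $line"; fi
done
linked_against_prefix "$SAMPLE_LDD_GOOD" /usr/local/openssl && echo "sample sshd links the new OpenSSL"
linked_against_prefix "$SAMPLE_LDD_BAD" /usr/local/openssl || echo "sample sshd still links the system OpenSSL"
```

On the upgraded node the same functions run on live output: `check_upgrade "$(ssh -V 2>&1)"` (ssh prints its version to stderr, hence the redirect) and `linked_against_prefix "$(ldd /usr/local/openssh/sbin/sshd)" /usr/local/openssl`. A binary that still loads /lib64/libssl.so.10 means the ld.so.conf.d entry or the `--with-ssl-dir` step did not take effect.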

Enable the PAM module (optional):

# vim /etc/ssh/sshd_config
# line 82: change the setting to
UsePAM yes
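The two sshd_config edits above (PermitRootLogin at line 32, UsePAM at line 82) interact: with UsePAM yes, password logins can also arrive through keyboard-interactive authentication, so a `PasswordAuthentication no` on its own does not close the root password path. The script below is an added example, not part of the original post: it reads the effective global value of a keyword the way sshd does (the first uncommented occurrence wins, and settings after a Match line are conditional), applies sshd's documented defaults for absent keywords, and reports whether root could authenticate with a password. The weak and hardened configurations it checks are constructed samples written to temporary files; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original post): report the effective sshd_config values that
# decide whether root can authenticate with a password. Sample configs are constructed.

# sshd_effective FILE KEYWORD: print the effective global value (lower-cased) the way sshd
# reads it: the first uncommented occurrence wins, keywords are case-insensitive, and a
# Match line ends the global section, so the scan stops there. Prints nothing if absent.
sshd_effective() {
  awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    { line = $0; sub(/^[ \t]+/, "", line) }
    line ~ /^#/ || line ~ /^$/ { next }
    { split(line, f, /[ \t=]+/); key = tolower(f[1]) }
    key == "match" { exit }
    key == k { print tolower(f[2]); exit }
  ' "$1"
}

# effective_or FILE KEYWORD DEFAULT: as above, but fall back to sshd's documented default.
effective_or() {
  v=$(sshd_effective "$1" "$2")
  printf '%s\n' "${v:-$3}"
}

# root_password_login_possible FILE: true when root could log in with a password.
# Passwords are accepted either by PasswordAuthentication or, when UsePAM is on, through
# keyboard-interactive (KbdInteractiveAuthentication; older alias ChallengeResponseAuthentication).
root_password_login_possible() {
  prl=$(effective_or "$1" PermitRootLogin prohibit-password)   # sshd default
  pwa=$(effective_or "$1" PasswordAuthentication yes)          # sshd default
  pam=$(effective_or "$1" UsePAM no)                           # sshd default
  kbd=$(sshd_effective "$1" KbdInteractiveAuthentication)
  [ -n "$kbd" ] || kbd=$(effective_or "$1" ChallengeResponseAuthentication yes)
  [ "$prl" = yes ] || return 1
  [ "$pwa" = yes ] && return 0
  [ "$pam" = yes ] && [ "$kbd" = yes ] && return 0
  return 1
}

# Constructed sample configurations (temporary files, removed on exit).
WEAK_CFG=$(mktemp); HARD_CFG=$(mktemp)
trap 'rm -f "$WEAK_CFG" "$HARD_CFG"' EXIT
cat > "$WEAK_CFG" <<'EOF'
# Constructed: root allowed as in the post, PasswordAuthentication off, but UsePAM reopens the password path
PermitRootLogin yes
PasswordAuthentication no
UsePAM yes
Match User backup
    PermitRootLogin no
EOF
cat > "$HARD_CFG" <<'EOF'
# Constructed: root keeps key-based access only, and keyboard-interactive is closed as well
PermitRootLogin prohibit-password
PasswordAuthentication no
KbdInteractiveAuthentication no
UsePAM yes
EOF

for cfg in "$WEAK_CFG" "$HARD_CFG"; do
  printf 'PermitRootLogin=%s PasswordAuthentication=%s UsePAM=%s -> ' \
    "$(effective_or "$cfg" PermitRootLogin prohibit-password)" \
    "$(effective_or "$cfg" PasswordAuthentication yes)" \
    "$(effective_or "$cfg" UsePAM no)"
  if root_password_login_possible "$cfg"; then
    echo "root password login POSSIBLE"
  else
    echo "root password login blocked"
  fi
done
```

Run it against the live file with `root_password_login_possible /etc/ssh/sshd_config`. The hardened sample keeps root reachable with keys only (`prohibit-password`, which is the setting the post replaces with `yes`) while still leaving UsePAM on for the session modules in /etc/pam.d/sshd.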

Edit the PAM configuration:

# vim /etc/pam.d/sshd
#%PAM-1.0
auth required pam_sepermit.so
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth

Restart sshd and confirm it is running:

# systemctl restart sshd
# systemctl status sshd