Contents
  1. Check the current versions
    1. View installed RPM packages (optional, for reference only)
  2. Install dependencies
    1. Install Perl (optional, for reference only)
  3. Install OpenSSL
    1. 3.1 Remove the existing version (for reference only; removal is not needed)
    2. 3.2 Install OpenSSL
    3. 3.3 Replace the old OpenSSL
  4. Install OpenSSH
    1. 4.1 Remove the old OpenSSH
    2. 4.2 Install OpenSSH
    3. 4.3 Replace the old OpenSSH
    4. 4.4 Start on boot (method 1, not recommended)
    5. 4.5 Start on boot (systemd, recommended)
      1. 4.5.1 Method 1: the sshd.socket unit
      2. 4.5.2 Method 2: the sshd.service unit
  5. Install Telnet (optional, for reference only)

Upgrading OpenSSL and OpenSSH on CentOS

1. Check the current versions

ssh -V
#OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017 (7.4.1708)

openssl version
#OpenSSL 1.0.2k-fips  26 Jan 2017 (7.4.1708)

View installed RPM packages (optional, for reference only)

rpm -qa | grep openssl
#openssl-libs-1.0.2k-16.el7.x86_64
#openssl-1.0.2k-16.el7.x86_64
#openssl-devel-1.0.2k-16.el7.x86_64

rpm -qa | grep openssh
#openssh-7.4p1-16.el7.x86_64
#openssh-server-7.4p1-16.el7.x86_64
#openssh-clients-7.4p1-16.el7.x86_64

2. Install dependencies

yum install -y wget curl gcc gcc-c++ make zlib-devel pam-devel tcp_wrappers tcp_wrappers-devel

Install Perl (optional, for reference only)

via http://www.cpan.org/src/

wget https://www.cpan.org/src/5.0/perl-5.28.1.tar.gz && \
tar -xzf perl-5.28.1.tar.gz && \
cd perl-5.28.1 && \
./Configure -des -Dprefix=/usr/local/perl && \
make && \
make install
perl -v

3. Install OpenSSL

OpenSSL installs to /usr/local/ssl by default, which does not conflict with the old version. It is recommended not to uninstall the old version: a lot of software depends on the old SSL libraries, and removing them means spending much more time dealing with the resulting errors.

3.1 Remove the existing version (for reference only; removal is not needed)

rpm -e `rpm -qa | grep openssh`
rpm -e `rpm -qa | grep openssl` --nodeps

If you removed it by mistake, copy the following files back into /usr/lib64/

libcrypto.so.10 libcrypto.so.1.0.1e libssl.so.10 libssl.so.1.0.1e

3.2 Install OpenSSL

Note: the newer openssl-1.1.x series is not compatible with openssh here; use the latest 1.0.x release instead.

wget https://www.openssl.org/source/openssl-1.0.2q.tar.gz && \
tar -zxf openssl-1.0.2q.tar.gz && \
cd openssl-1.0.2q && \
./config shared zlib && \
make depend && \
make && \
make install

3.3 Replace the old OpenSSL

mv /usr/bin/openssl /usr/bin/openssl.backup && \
mv /usr/include/openssl /usr/include/openssl.backup

ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl && \
ln -s /usr/local/ssl/include/openssl/ /usr/include/openssl

echo '/usr/local/ssl/lib' >> /etc/ld.so.conf && ldconfig && \
/sbin/restorecon -v /usr/local/ssl/lib/libcrypto.so.1.0.0

4. Install OpenSSH

4.1 Remove the old OpenSSH

For OpenSSH it is recommended to remove the old version; you can back it up before removing it.

# Back up
cp -r /usr/bin/ssh /usr/bin/ssh.bak && \
cp -r /usr/sbin/sshd /usr/sbin/sshd.bak && \
cp -r /usr/libexec/openssh/sftp-server /usr/libexec/openssh/sftp-server.bak && \
cp -r /etc/ssh /etc/ssh.bak

# Remove
# yum remove -y openssh openssh-server openssh-clients
rpm -e `rpm -qa | grep openssh` --nodeps

4.2 Install OpenSSH

# Note: openssh-7.9p1 no longer accepts --with-tcp-wrappers (libwrap support was
# removed in OpenSSH 6.7), so that flag is omitted; --with-zlib takes no value
# when zlib is installed in the system paths.
wget http://ftp.eu.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.9p1.tar.gz && \
tar -zxf openssh-7.9p1.tar.gz && \
cd openssh-7.9p1 && \
./configure --prefix=/usr/local/ssh \
            --sysconfdir=/etc/ssh \
            --with-ssl-dir=/usr/local/ssl \
            --with-pam \
            --with-md5-passwords \
            --with-zlib && \
make && make install

echo "/usr/local/ssl/lib/" >> /etc/ld.so.conf.d/openssl.conf
ldconfig

If configure stops with "Your OpenSSL headers do not match your library.",
set the following three variables so that they point at the new OpenSSL library files, then run the configure step again:

DEFAULT_LIBPATH=/usr/local/ssl/include/openssl:/usr/local/ssl/lib/ && \
LIBPATH=${LIBPATH:=$DEFAULT_LIBPATH}  && \
LD_LIBRARY_PATH=${LD_LIBRARY_PATH:=$DEFAULT_LIBPATH} && \
LIBRARY_PATH=${LIBRARY_PATH:=$DEFAULT_LIBPATH} && \
export LIBPATH LD_LIBRARY_PATH LIBRARY_PATH

Update the locate database (optional)

yum -y install mlocate
updatedb

4.3 Replace the old OpenSSH

ln -s /usr/local/ssh/bin/ssh /usr/bin/ssh && \
ln -s /usr/local/ssh/sbin/sshd /usr/sbin/sshd && \
mkdir -p /usr/libexec/openssh/ && \
ln -s /usr/local/ssh/libexec/sftp-server /usr/libexec/openssh/sftp-server
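Once the symlinks and ld.so.conf entries are in place, it is worth confirming that the binaries actually in use are the new ones: that /usr/bin/ssh, /usr/sbin/sshd and /usr/bin/openssl resolve into /usr/local, and that sshd loads libssl and libcrypto from /usr/local/ssl/lib rather than the distribution copies in /lib64 (a wrong linker search order silently keeps the old 1.0.2k in use even though `openssl version` looks right). The script below is an added example written for this page, not the author's; it parses the output formats of `ssh -V` and `ldd`, exercised here on constructed sample text, and with `--live` runs the same checks on the current host. The /usr/local/ssh and /usr/local/ssl prefixes are the ones used in this write-up.

```shell
#!/bin/sh
# Post-upgrade verification helpers (added example, not from the original post).
# The parsers take text as arguments so they can be run on constructed samples;
# verify_live applies them to the real binaries of this host.

# "OpenSSH_7.9p1, OpenSSL 1.0.2q  20 Nov 2018" -> "7.9p1"
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([^, ]*\).*/\1/p'
}

# Same line -> "1.0.2q": the OpenSSL the ssh binary was compiled against, which is
# what matters after the replacement, not what `openssl version` alone reports.
openssl_version() {
    printf '%s\n' "$1" | sed -n 's/.*OpenSSL \([^ ]*\).*/\1/p'
}

# From ldd output, return the path the dynamic linker chose for library NAME
# (libssl, libcrypto, ...). ldd lines look like:
#   libssl.so.1.0.0 => /usr/local/ssl/lib/libssl.so.1.0.0 (0x00007f...)
linked_lib_path() {
    printf '%s\n' "$1" | awk -v lib="$2" '$1 ~ ("^" lib "\\.so") && $2 == "=>" { print $3; exit }'
}

# 0 when NAME resolves to a file under PREFIX, 1 when it resolves elsewhere or not at all.
lib_under_prefix() {
    path=$(linked_lib_path "$1" "$2")
    case "$path" in "$3"/*) return 0 ;; *) return 1 ;; esac
}

# 0 when LINK exists and, following every symlink, ends up under PREFIX.
resolves_under() {
    [ -e "$1" ] || return 1
    target=$(readlink -f "$1" 2>/dev/null) || return 1
    case "$target" in "$2"/*) return 0 ;; *) return 1 ;; esac
}

# Run the checks against this host; prints findings and returns 1 on any mismatch.
verify_live() {
    rc=0
    v=$(ssh -V 2>&1)   # ssh -V writes its banner to stderr
    echo "ssh: OpenSSH $(openssh_version "$v"), built against OpenSSL $(openssl_version "$v")"
    for link in /usr/bin/ssh /usr/sbin/sshd /usr/bin/openssl; do
        resolves_under "$link" /usr/local || { echo "WARNING: $link does not resolve under /usr/local"; rc=1; }
    done
    for lib in libssl libcrypto; do
        lib_under_prefix "$(ldd /usr/sbin/sshd)" "$lib" /usr/local/ssl \
            || { echo "WARNING: sshd loads $lib from $(linked_lib_path "$(ldd /usr/sbin/sshd)" "$lib")"; rc=1; }
    done
    return $rc
}

# Constructed samples: the banner before and after the upgrade, and ldd output
# for an sshd linked against the new and the old libraries.
OLD_BANNER='OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017'
NEW_BANNER='OpenSSH_7.9p1, OpenSSL 1.0.2q  20 Nov 2018'
NEW_LDD='	linux-vdso.so.1 =>  (0x00007ffd1c3f0000)
	libssl.so.1.0.0 => /usr/local/ssl/lib/libssl.so.1.0.0 (0x00007f1a2c000000)
	libcrypto.so.1.0.0 => /usr/local/ssl/lib/libcrypto.so.1.0.0 (0x00007f1a2bc00000)
	libz.so.1 => /lib64/libz.so.1 (0x00007f1a2b800000)'
OLD_LDD='	libssl.so.10 => /lib64/libssl.so.10 (0x00007f3b9e200000)
	libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f3b9de00000)'

if [ "${1:-}" = "--live" ]; then verify_live; fi
```

Run it as `sh verify.sh --live` after section 4.3; any WARNING line means the symlink or library path steps above did not take effect for that component.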

4.4 Start on boot (method 1, not recommended)

cp contrib/redhat/sshd.init /etc/init.d/sshd
sed -i 's/usr\/sbin/usr\/local\/ssh\/sbin/g' /etc/init.d/sshd
sed -i 's/usr\/bin/usr\/local\/ssh\/bin/g' /etc/init.d/sshd
chmod +x /etc/init.d/sshd
chkconfig --add sshd

# let systemd generate a unit for the new init script before enabling it
systemctl daemon-reload
systemctl enable sshd
systemctl restart sshd.service

4.5 Start on boot (systemd, recommended)

4.5.1 Method 1: the sshd.socket unit

/usr/lib/systemd/system/sshd.socket

[Unit]
Description=OpenSSH Server Socket
Documentation=man:sshd(8) man:sshd_config(5)
Conflicts=sshd.service
Wants=sshd-keygen.service

[Socket]
ListenStream=0.0.0.0:22
Accept=yes

[Install]
WantedBy=sockets.target

/usr/lib/systemd/system/sshd-keygen.service

[Unit]
Description=OpenSSH Server Key Generation
ConditionFileNotEmpty=|!/etc/ssh/ssh_host_rsa_key
ConditionFileNotEmpty=|!/etc/ssh/ssh_host_ecdsa_key
ConditionFileNotEmpty=|!/etc/ssh/ssh_host_ed25519_key
PartOf=sshd.service sshd.socket

[Service]
ExecStart=/usr/local/ssh/bin/ssh-keygen -A
Type=oneshot
RemainAfterExit=yes

/usr/lib/systemd/system/sshd@.service

Template unit that defines how each per-connection instance is started

[Unit]
Description=OpenSSH per-connection server daemon
Documentation=man:sshd(8) man:sshd_config(5)

[Service]
EnvironmentFile=-/etc/sysconfig/sshd
ExecStart=-/usr/local/ssh/sbin/sshd -i $OPTIONS
StandardInput=socket

/etc/sysconfig/sshd

# Configuration file for the sshd service.

# The server keys are automatically generated if they are missing.
# To change the automatic creation uncomment and change the appropriate
# line. Accepted key types are: DSA RSA ECDSA ED25519.
# The default is "RSA ECDSA ED25519"

# AUTOCREATE_SERVER_KEYS=""
# AUTOCREATE_SERVER_KEYS="RSA ECDSA ED25519"

# Do not change this option unless you have hardware random
# generator and you REALLY know what you are doing

# SSH_USE_STRONG_RNG=0
# SSH_USE_STRONG_RNG=1

Switch to starting via sshd.socket

systemctl stop sshd.service
systemctl disable sshd.service

#systemctl daemon-reload
#cat /etc/systemd/system/sockets.target.wants/sshd.socket
systemctl enable sshd.socket
systemctl start sshd.socket

4.5.2 Method 2: the sshd.service unit

/usr/lib/systemd/system/sshd.service

A stand-alone service runs one long-lived sshd that listens on port 22 itself, so it is started with -D (stay in the foreground) rather than the -i / StandardInput=socket pair used by the per-connection template.

[Unit]
Description=OpenSSH server daemon
Documentation=man:sshd(8) man:sshd_config(5)
After=network.target sshd-keygen.service
Wants=sshd-keygen.service

[Service]
EnvironmentFile=-/etc/sysconfig/sshd
ExecStart=/usr/local/ssh/sbin/sshd -D $OPTIONS
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartSec=42s

[Install]
WantedBy=multi-user.target

Switch over

systemctl mask --now sshd.socket
systemctl daemon-reload
systemctl enable sshd.service
systemctl restart sshd.service
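The two systemd methods differ in how sshd is launched: with sshd.socket plus the sshd@.service template, systemd accepts each TCP connection itself (Accept=yes) and starts one sshd -i per connection with the socket on standard input, whereas a stand-alone sshd.service must run sshd -D as a long-lived process that does its own listening. Copying the per-connection command line into sshd.service is an easy mistake, and systemd-analyze verify only checks syntax, not this. The checker below is an added example, not part of the original post: it reads unit text and flags the combinations that do not fit the requested mode. The sample units are constructed from the files in this section.

```shell
#!/bin/sh
# Sanity checks for the two ways of running the self-built sshd under systemd
# (added example, not from the original post). "per-connection" is the
# sshd@.service template spawned by sshd.socket; "daemon" is a stand-alone
# sshd.service.

# Value of KEY in unit TEXT. The last assignment wins, as in systemd; the optional
# "-" prefix (ExecStart=-/path, ignore a non-zero exit status) is stripped.
unit_value() {
    printf '%s\n' "$1" | sed -n "s/^$2=-\{0,1\}//p" | tail -n 1
}

# True when the command line in $1 contains the single-letter flag $2.
has_flag() {
    case " $1 " in *" $2 "*) return 0 ;; *) return 1 ;; esac
}

# Prints each problem found in unit TEXT for MODE; returns 1 if there were any.
check_sshd_unit() {
    text=$1 mode=$2 rc=0
    exec_start=$(unit_value "$text" ExecStart)
    stdin=$(unit_value "$text" StandardInput)
    case "$mode" in
    per-connection)
        has_flag "$exec_start" -i || { echo "per-connection: sshd must run with -i (inetd mode)"; rc=1; }
        [ "$stdin" = socket ] || { echo "per-connection: needs StandardInput=socket"; rc=1; }
        ;;
    daemon)
        has_flag "$exec_start" -i && { echo "daemon: -i makes sshd serve one connection on stdin and exit"; rc=1; }
        has_flag "$exec_start" -D || { echo "daemon: use -D so sshd stays in the foreground for systemd"; rc=1; }
        [ "$stdin" != socket ] || { echo "daemon: StandardInput=socket only belongs in a socket-activated unit"; rc=1; }
        [ -n "$(unit_value "$text" WantedBy)" ] || { echo "daemon: [Install] WantedBy= missing, systemctl enable will do nothing"; rc=1; }
        ;;
    *) echo "unknown mode: $mode"; rc=2 ;;
    esac
    return $rc
}

# A socket unit paired with sshd@.service must hand every accepted connection to
# a new instance (Accept=yes) and keep the daemon unit from binding port 22 too.
check_sshd_socket() {
    rc=0
    [ "$(unit_value "$1" Accept)" = yes ] || { echo "socket: Accept=yes required for per-connection instances"; rc=1; }
    case " $(unit_value "$1" Conflicts) " in *" sshd.service "*) ;; *) echo "socket: add Conflicts=sshd.service"; rc=1 ;; esac
    return $rc
}

# Constructed samples: the socket unit, the per-connection template (correct for
# sshd@.service, wrong if reused as sshd.service) and a stand-alone daemon unit.
SOCKET_UNIT='[Unit]
Description=OpenSSH Server Socket
Conflicts=sshd.service
Wants=sshd-keygen.service

[Socket]
ListenStream=0.0.0.0:22
Accept=yes

[Install]
WantedBy=sockets.target'

TEMPLATE_UNIT='[Unit]
Description=OpenSSH per-connection server daemon

[Service]
EnvironmentFile=-/etc/sysconfig/sshd
ExecStart=-/usr/local/ssh/sbin/sshd -i $OPTIONS
StandardInput=socket'

DAEMON_UNIT='[Unit]
Description=OpenSSH server daemon
After=network.target sshd-keygen.service
Wants=sshd-keygen.service

[Service]
EnvironmentFile=-/etc/sysconfig/sshd
ExecStart=/usr/local/ssh/sbin/sshd -D $OPTIONS
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure

[Install]
WantedBy=multi-user.target'

# Check the installed files on this host (paths from this write-up).
if [ "${1:-}" = "--live" ]; then
    rc=0
    check_sshd_socket "$(cat /usr/lib/systemd/system/sshd.socket)" || rc=1
    check_sshd_unit "$(cat /usr/lib/systemd/system/sshd@.service)" per-connection || rc=1
    check_sshd_unit "$(cat /usr/lib/systemd/system/sshd.service)" daemon || rc=1
    exit $rc
fi
```

Feeding the template text to the daemon check reports all four problems (-i present, -D missing, StandardInput=socket, no WantedBy=), which is exactly the case where `systemctl restart sshd.service` appears to succeed but nothing listens on port 22.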


5. Install Telnet (optional, for reference only)

yum -y install xinetd telnet telnet-server

Configuration (add the following lines)

vi /etc/securetty
pts/0
pts/1

Disable SELinux

vim /etc/selinux/config
SELINUX=disabled

Firewall

# The default zone is public; run firewall-cmd --get-default-zone to check it
firewall-cmd --permanent --zone=public --add-port=23/tcp
firewall-cmd --reload

Start on boot

systemctl enable telnet.socket && \
systemctl start telnet.socket && \
systemctl enable xinetd && \
systemctl start xinetd
# telnet takes the login name with -l, not in user@host form
telnet -l dmfy 192.168.10.251

Last updated: 2019.02.13
