CentOS 7.2离线升级openssh-8.0p1、openssl-1.1.1c

CentOS 7.2离线升级openssh-8.0p1、openssl-1.1.1c安装包下载:
1、openssl: https://www.openssl.org/source/openssl-1.1.1c.tar.gz
2、openssh:http://ftp5.usa.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.0p1.tar.gz
3、telnet: https://mirrors.aliyun.com/centos/7/os/x86_64/Packages/telnet-0.17-64.el7.x86_64.rpm
4、telnet-server: https://mirrors.aliyun.com/centos/7/os/x86_64/Packages/telnet-server-0.17-64.el7.x86_64.rpm
5、 xinetd:https://mirrors.aliyun.com/centos/7/os/x86_64/Packages/xinetd-2.3.15-13.el7.x86_64.rpm
6、pam-devel: http://rpm.pbone.net/index.php3?stat=26&dist=95&size=186740&name=pam-devel-1.1.8-12.el7_1.1.x86_64.rpm

一、准备工作:

1.1 整个过程不需要卸载原先的openssl包和openssh的rpm包

# Back up the sshd configuration directory. It also holds the host private keys,
# so keep -p (preserves their restrictive permissions) and do not leave the copy
# readable by other users.
$ cp -rp /etc/ssh{,.backup`date "+%Y%m%d"`}

# Check whether SELinux and iptables are currently active
$ getenforce
$ iptables -L
# NOTE(review): the three commands below permanently disable SELinux (the config
# change takes effect at next boot) and firewalld. That removes two defensive
# layers for the whole host, not just for the upgrade. If they have to be relaxed
# for the upgrade window, re-enable them afterwards (SELINUX=enforcing in
# /etc/selinux/config; systemctl enable firewalld && systemctl start firewalld)
# once the new sshd is confirmed working.
$ sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config
$ systemctl stop firewalld
$ systemctl disable firewalld

1.2 可以开启telnet服务,避免openssh服务因故障中断

# Telnet is a cleartext protocol: every password typed over it crosses the network
# unencrypted. Treat it strictly as a temporary fallback for the upgrade window,
# reachable only from the admin network, and remove it again afterwards (section 4).
# If a yum repository is reachable, install the packages directly
$ yum install telnet telnet-server xinetd -y
# Otherwise install the downloaded rpm packages. Check their signatures first
# (rpm -K <file>.rpm) since they were fetched out of band.
$ rpm -ivh telnet-server-0.17-64.el7.x86_64.rpm
$ rpm -ivh telnet-0.17-64.el7.x86_64.rpm 
$ rpm -ivh xinetd-2.3.15-13.el7.x86_64.rpm 

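# Start the fallback services and make them survive a reboot during the upgrade
$ systemctl start telnet.socket
$ systemctl start xinetd
$ systemctl enable telnet.socket
$ systemctl enable xinetd
# Confirm a listener on TCP port 23. Match ':23 ' (port number followed by the
# column separator) rather than a bare '23', which would also match unrelated
# ports such as 2375 or 8023 and give a false "telnet is up" reading.
$ netstat -lntp | grep ':23 '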

# Create a temporary account 'test' that can log in via telnet (password: Test@123)
# NOTE(review): this password is printed in the guide, so it is effectively public,
# and it will also travel in cleartext over telnet. Pick a different, strong one,
# and delete the account as soon as the ssh upgrade is verified (section 4).
$ useradd test
$ passwd test
配置/etc/sudoers里test账号的sudo权限
$ visudo
添加test  ALL=(ALL)  NOPASSWD: ALL

测试下通过其他服务器的telnet能否正常登录

二、升级openssh (以下升级操作前先用其他服务器telnet登录,以免openssh升级失败导致连接中断!!!)

2.1 安装依赖包

# If a yum repository is reachable, install the build dependencies directly
$ yum install gcc zlib zlib-devel openssl-devel pam-devel -y
# Otherwise install the downloaded rpm. This pam-devel comes from a mirror outside
# the official repositories (see the download list above), so verify its signature
# against the CentOS key before installing (rpm -K <file>.rpm).
$ rpm -ivh pam-devel-1.1.8-12.el7_1.1.x86_64.rpm

2.2 源码升级openssl

$ cd /usr/local/src
# Download the release. Verify the tarball against the published .asc signature
# (or at least the .sha256) before building; a successful download by itself says
# nothing about integrity.
$ wget https://www.openssl.org/source/openssl-1.1.1c.tar.gz
$ tar -zxf openssl-1.1.1c.tar.gz
$ cd openssl-1.1.1c
# Build into its own prefix so the distribution's openssl rpm stays untouched
$ ./config --prefix=/usr/local/ssl --shared
$ perl configdata.pm --dump #print the resolved configuration data
$ make
$ make test
$ make install

#*************************************************
#****************************************
【报错处理1】如果make的时候出现报错:
make: *** [configdata.pm] Error 1
问题原因为虚拟机时间与实际时间不对,虚拟机的时间是2018年,而该版本是2019年5月28号发布的,因此系统检测出时间异常,导致这个报错异常,将时间重新设置之后,问题解决,可以继续正常make下去。 
解决过程:
# Set the system clock by hand (the VM was years behind, which the note above
# identifies as the cause of the configdata.pm error), then write it to the
# hardware clock. On a long-lived host prefer chronyd/ntpd: a wrong clock also
# breaks TLS certificate validity checks.
[root@localhost ~]# date -s "2019-08-09 10:35:00"
[root@localhost ~]# hwclock -w
然后再运行make && make test && make install
#*****************************************
【报错处理2】
[root@localhost openssl-1.1.1c]# cd /usr/local/ssl/bin/
[root@localhost bin]# ./openssl version #fails here: the loader cannot find libssl.so.1.1
./openssl: error while loading shared libraries: libssl.so.1.1: cannot open shared object file: No such file or directory
[root@localhost bin]# ldd openssl  #list the shared libraries the new binary needs; the two 'not found' entries live under /usr/local/ssl/lib, which the loader does not search yet
	linux-vdso.so.1 =>  (0x00007ffe6e3ba000)
	libssl.so.1.1 => not found
	libcrypto.so.1.1 => not found
	libdl.so.2 => /lib64/libdl.so.2 (0x00007f76823de000)
	libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f76821c2000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f7681df4000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f76825ec000)
#*******************************************
#*************************************************

# Make the new library directory known to the dynamic loader. A drop-in file under
# /etc/ld.so.conf.d/ is the tidier way to do this, but appending works as well.
$ echo "/usr/local/ssl/lib" >> /etc/ld.so.conf
$ ldconfig
# Back to normal:
[root@localhost bin]# ldd openssl
	linux-vdso.so.1 =>  (0x00007ffce4de0000)
	libssl.so.1.1 => /usr/local/ssl/lib/libssl.so.1.1 (0x00007f241a417000)
	libcrypto.so.1.1 => /usr/local/ssl/lib/libcrypto.so.1.1 (0x00007f2419f30000)
	libdl.so.2 => /lib64/libdl.so.2 (0x00007f2419d2c000)
	libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f2419b10000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f2419743000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f241a6b2000)
# Check which openssl the PATH currently resolves to (still the rpm's 1.0.2k):
[root@localhost bin]# openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017
# Point the system-wide CLI and headers at the new build.
# NOTE(review): the distribution's 1.0.2 shared libraries are untouched (different
# soname), so yum, curl, httpd etc. keep using them; only the CLI and anything
# compiled from now on see 1.1.1c. Two consequences worth knowing: software built
# against the replaced /usr/include/openssl now compiles against the 1.1.1 API, and
# these rpm-owned paths are modified (rpm -V openssl will flag them), so a later
# yum update of openssl can silently replace the symlinks.
mv /usr/bin/openssl{,.old}
mv /usr/include/openssl{,.old}
ln -s /usr/local/ssl/include/openssl /usr/include/openssl
ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl

#*************************************************
#****************************************
【报错处理3】其他用户使用出现报错:
error while loading shared libraries: libcrypto.so.1.1: cannot open shared object file: No such file or directory
执行:
# Also expose the libraries through a default loader path. ldconfig above should
# already cover this; presumably the real cause of the per-user failure was the
# directory permissions fixed below -- verify before relying on the symlinks.
$ ln -s /usr/local/ssl/lib/libssl.so.1.1 /usr/lib/libssl.so.1.1      
$ ln -s /usr/local/ssl/lib/libcrypto.so.1.1 /usr/lib/libcrypto.so.1.1
# NOTE(review): -R applies o+rx to everything under /usr/local/ssl, including any
# private/ directory the install created for key material. Limit this to the
# bin/, lib/ and include/ trees rather than the whole prefix.
$ chmod -R o+rx /usr/local/ssl  #make sure other users can read and execute
$ openssl version
OpenSSL 1.1.1c  28 May 2019
#*************************************************
#************************************************************

三、源码升级openssh-8.0p1

# Build and install openssh from source
# NOTE(review): this moves the whole /etc/ssh away, host keys included. make install
# generates fresh host keys when none exist in --sysconfdir, so every client will see
# a changed host-key fingerprint on the next connection. Either copy ssh_host_*_key*
# back from /etc/ssh.old before restarting sshd, or announce the new fingerprints
# out of band so users do not learn to accept host-key warnings blindly.
[root@localhost ~]# mv /etc/ssh{,.old}
[root@localhost ~]# cd /usr/local/src 
# Plain-HTTP download: verify the tarball's .asc signature (or at least its checksum)
# before building -- the transport gives no integrity guarantee.
[root@localhost src]# wget http://ftp5.usa.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.0p1.tar.gz   
[root@localhost src]# tar zxvf openssh-8.0p1.tar.gz
[root@localhost src]# cd openssh-8.0p1
# --with-ssl-dir points at the 1.1.1c build above; --with-pam compiles in PAM
# support (sshd_config still needs UsePAM yes for it to be used, see the note below)
[root@localhost openssh-8.0p1]# ./configure --prefix=/usr/local --with-zlib --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/ssl --with-md5-passwords --with-pam
[root@localhost openssh-8.0p1]# make
[root@localhost openssh-8.0p1]# make install

# Adjust the configuration (dated backup first)
[root@localhost ~]# cp /etc/ssh/sshd_config{,.backup`date "+%Y%m%d"`}
# NOTE(review): the next two edits enable root login with a password and password
# authentication in general -- the widest exposure sshd offers, and the one that
# online password guessing targets. Keep PermitRootLogin at prohibit-password (or
# no) unless root password login is genuinely required, and prefer key-based
# authentication; the per-option meaning is explained in the note below.
[root@localhost ~]# sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin\ yes/g' /etc/ssh/sshd_config
[root@localhost ~]# sed -i 's/#PasswordAuthentication yes/PasswordAuthentication\ yes/g' /etc/ssh/sshd_config
# UseDNS no avoids a reverse-DNS delay on every login
[root@localhost ~]# sed -i 's/#UseDNS no/UseDNS no/g' /etc/ssh/sshd_config

**************************************************************
【说明】检查/etc/ssh/sshd_config
PermitRootLogin yes  (如果需要root ssh登录,配置为yes;否则配置为no)
PasswordAuthentication yes (如果需要密码登录,配置为yes;否则不用配置)
Port 22 (如果原来ssh是22端口,不用修改,否则修改为ssh的特定监听端口)
UseDNS no
如果公钥无法登录,添加UsePAM yes
如果sftp无法登录,修改/etc/ssh/sshd_config
#Subsystem      sftp    /usr/local/libexec/sftp-server
Subsystem sftp internal-sftp
********************************************************************

# Keep dated copies of the rpm-provided client and daemon, then overwrite them with
# the freshly built binaries (cp -p preserves mode and ownership)
[root@localhost ~]# cp -p /usr/bin/ssh /usr/bin/ssh.`date "+%Y%m%d"`
[root@localhost ~]# cp -p /usr/sbin/sshd /usr/sbin/sshd.`date "+%Y%m%d"`
# NOTE(review): only ssh and sshd are swapped. scp, sftp, ssh-keygen, ssh-agent and
# the sftp-server helper under /usr/bin and /usr/libexec remain the distribution's
# older builds; copy them from /usr/local/bin and /usr/local/libexec too if the
# upgrade is meant to cover the whole suite.
[root@localhost ~]# cp -p /usr/local/bin/ssh /usr/bin/ssh
[root@localhost ~]# cp -pf /usr/local/sbin/sshd /usr/sbin/sshd

# Register and restart the service. chkconfig is the SysV path; on this systemd host
# the rpm's sshd.service unit (which now starts the replaced /usr/sbin/sshd) is what
# actually runs, so the systemctl lines are the effective ones.
[root@localhost ~]# chkconfig --add sshd
[root@localhost ~]# chkconfig sshd on
[root@localhost ~]# systemctl daemon-reload
# Restarting sshd normally leaves established sessions alive, but keep the telnet
# fallback open until a brand-new ssh login has succeeded.
[root@localhost ~]# systemctl restart sshd.service
[root@localhost ~]# systemctl enable sshd
[root@localhost ~]# systemctl status sshd
# ssh -V reports the *client* binary. To confirm the running daemon as well, look at
# the "remote software version" line of a verbose connection (ssh -v localhost).
[root@localhost ~]# ssh -V  #upgrade succeeded
OpenSSH_8.0p1, OpenSSL 1.1.1c  28 May 2019

四、升级后相关处理

如果ssh升级后能够正常ssh远程登录,关闭telnet服务

# Telnet was only a cleartext fallback for the upgrade window; shut it down and
# stop it from coming back at boot now that ssh works again.
systemctl disable telnet.socket xinetd
systemctl stop telnet.socket xinetd

# Remove the fallback packages (same package names as installed in step 1.2) in a
# single transaction so rpm orders the removal itself.
rpm -e telnet-server-0.17-64.el7.x86_64 telnet-0.17-64.el7.x86_64 xinetd-2.3.15-13.el7.x86_64

删除临时账号test

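# Remove the temporary account; -r also deletes its home directory and mail spool so
# no leftover files (shell history, uploaded keys) survive the cleanup
[root@localhost ~]# userdel -r test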

删除/etc/sudoers里面关于test的配置:

# Edit sudoers through visudo (it syntax-checks before saving) and drop the rule
[root@localhost ~]# visudo
# delete the line: test  ALL=(ALL)  NOPASSWD: ALL
