Cenos 7.2 升级OpenSSH 8.0

1.获取OpenSSH 8.0

wget https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/openssh-8.0p1.tar.gz

2.安装依赖并解压

yum install openssl-devel -y
tar xvf openssh-8.0p1.tar.gz

3.编译

#删除原先ssh的配置文件和目录
rm -rf /etc/ssh/*
cd openssh-8.0p1
./configure --prefix=/usr/ --sysconfdir=/etc/ssh --with-openssl-includes=/usr/local/ssl/include --with-ssl-dir=/usr/local/ssl --with-zlib --with-md5-passwords --with-pam && make && make install

4.处理报错

没有删除 /etc/ssh/*出现以下错误

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_rsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Unable to load host key "/etc/ssh/ssh_host_rsa_key": bad permissions
Unable to load host key: /etc/ssh/ssh_host_rsa_key
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_ecdsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Unable to load host key "/etc/ssh/ssh_host_ecdsa_key": bad permissions
Unable to load host key: /etc/ssh/ssh_host_ecdsa_key
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_ed25519_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Unable to load host key "/etc/ssh/ssh_host_ed25519_key": bad permissions
Unable to load host key: /etc/ssh/ssh_host_ed25519_key
sshd: no hostkeys available -- exiting.
make: [check-config] 错误 1 (忽略)

4.1 删除对应的KEY

rm -rf /etc/ssh/ssh_host_ed25519_key /etc/ssh/ssh_host_ed25519_key.pub /etc/ssh/ssh_host_ecdsa_key /etc/ssh/ssh_host_ecdsa_key.pub /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_rsa_key.pub

创建新的KEY

ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key
ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key
ssh-keygen -t dsa -f /etc/ssh/ssh_host_ed25519_key

重新编译

make install

修改配置文件最终为如下内容，其他的不要动

[root@localhost njyjy]# grep  "UseDNS"  /etc/ssh/sshd_config
UseDNS no
[root@localhost njyjy]# grep "^PermitRootLogin"  /etc/ssh/sshd_config
PermitRootLogin yes

若有错误可注释后重启

[root@localhost ~]# systemctl status sshd
.....
8月 13 16:21:50 localhost.localdomain sshd[19652]: Server listening on :: port 22.
8月 13 16:22:12 localhost.localdomain sshd[19653]: rexec line 96: Unsupported option UsePAM
8月 13 16:22:12 localhost.localdomain sshd[19653]: rexec line 109: Deprecated option UsePrivilegeSeparation
8月 13 16:22:12 localhost.localdomain sshd[19653]: Accepted publickey for root from 10.226.123.107 port 38918 ssh2: RSA SHA256:dIqLMZ11D3zLvkJS7LpnA8i60wProsbUTyvjWP7fU2I

注释掉UsePAM和UsePrivilegeSeparation重启

[root@localhost njyjy]# vim /etc/ssh/sshd_config
[root@localhost njyjy]# systemctl restart sshd

5.查看版本并启动服务

#查看ssh的版本
ssh -V

#开机启动sshd
systemctl enable sshd

#重启sshd刷新配置
systemctl restart sshd

启动失败查看日志

方法1
[root@localhost njyjy]# tail -n 100 /var/log/messages
方法2
[root@localhost njyjy]# tail -n 100 /var/log/secure
方法3
[root@localhost njyjy]# journalctl -xe

6.远程连接失败

[root@localhost ~]# ssh 192.168.10.17
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:a38bCmSrjtm49JHFZbPomEnAEUZ9UwgXOBAcF4vW8co.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /root/.ssh/known_hosts:1
ECDSA host key for 192.168.10.17 has changed and you have requested strict checking.
Host key verification failed.
[root@localhost ~]# vim /root/.ssh/known_hosts 

删除/root/.ssh/known_hosts 中192.168.10.17的信息即可

7.安装telnet并开起来，防止意外导致ssh无法连接

1、检测telnet-server的rpm包是否安装：

rpm -qa telnet-server 

如没有输出就要安装，安装命令：

yum install telnet-server

2、检测xinetd 的rpm包是否安装：

rpm -qa xinetd

如没有输出就要安装，安装命令：

yum install xinetd

安装完成后，将xinetd服务和telnet加入开机自启动:

systemctl enable xinetd.service
systemctl enable telnet.socket

由于telnet服务也是由xinetd守护的，所以安装完telnet-server，要启动telnet服务就必须重新启动xinetd

systemctl start telnet.socket
systemctl start xinetd

默认情况下，系统是不允许root用户telnet远程登录的。如果要使用root用户直接登录，需设置如下内容

echo  'pts/0'  >>/etc/securetty
echo 'pts/1' >>/etc/securetty

以上命令需要root权限才能执行，最后才重启服务

重启服务：service  xinetd  restart

而且还开通相对应的23端口,接下来在你计算机上打开telnet客户端：

然后测试打开cmd.exe看看能不能登录，telnet+IP,回车