问题描述

近期因 CentOS 6.x 默认自带的 OpenSSH(5.3p1)在漏洞扫描中被报出大量漏洞,基于安全考虑,需要将 openssh_5.3p1 升级为最新版。网上查了很多教程,发现 openssh 存在大量依赖,不解决依赖问题很难保证其他服务正常运行。

准备好与原环境版本相同的 openssh rpm 包,以便升级失败时回退。

操作步骤

wget http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.9p1.tar.gz

1、      确定操作系统版本

[root@update-ssh ~]# cat /etc/issue

CentOS release 6.10 (Final)

Kernel \r on an \m

[root@update-ssh ~]# ssh -V


2、    环境检查

[root@update-ssh ~]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
[root@update-ssh ~]# rpm -q zlib
zlib-1.2.3-29.el6.x86_64
[root@update-ssh ~]# rpm -q zlib-devel
zlib-devel-1.2.3-29.el6.x86_64
[root@update-ssh ~]# yum -y install gcc

         服务备份,暂时不需要卸载rpm

[root@update-ssh ~]# cp -R /etc/ssh/ /tmp/ssh.old
[root@update-ssh ~]# cp /etc/init.d/sshd /tmp/sshd_bak
[root@update-ssh ~]# cp /usr/sbin/sshd /tmp/sbin_sshd
[root@mode-01-0003 ~]# mv /etc/securetty /tmp/securetty.bak  ##允许telnet使用root用户登录(仅用于升级期间的回退通道,升级验证通过后应恢复该文件)


3、           开启telnet

[root@update-ssh ~]# yum -y install xinetd telnet-server
[root@update-ssh ~]# service xinetd restart
[root@update-ssh ~]# chkconfig --list


xinetd based services:
         chargen-dgram:  off
         chargen-stream: off
         daytime-dgram:  off
         daytime-stream: off
         discard-dgram:   off
         discard-stream:  off
         echo-dgram:             off
         echo-stream:    off
         rsync:          off
         tcpmux-server:   off
         telnet:         off
         time-dgram:             off
         time-stream:    off


[root@update-ssh ~]# chkconfig telnet on
[root@update-ssh ~]# chkconfig --list

xinetd based services:
         chargen-dgram:  off
         chargen-stream: off
         daytime-dgram:  off
         daytime-stream: off
         discard-dgram:   off
         discard-stream:  off
         echo-dgram:             off
         echo-stream:    off
         rsync:          off
         tcpmux-server:   off
         telnet:         on
         time-dgram:             off
         time-stream:    off


测试telnet是否能登录:

[root@update-ssh ~]# telnet localhost

Trying ::1...
Connected to localhost.
Escape character is '^]'.
CentOS release 6.10 (Final)
Kernel 2.6.32-754.6.3.el6.x86_64 on an x86_64
update-ssh login:root
Password:


4、           编译安装openssh

[root@update-ssh ~]# tar fx openssh-7.9p1.tar.gz
[root@update-ssh ~]# cd openssh-7.9p1

[root@update-ssh ~]# ./configure --prefix=/usr                     \
            --sysconfdir=/etc/ssh             \
            --with-md5-passwords              \
            --with-privsep-path=/var/lib/sshd &&
make
[root@update-ssh ~]# make install &&
install -v -m755    contrib/ssh-copy-id /usr/bin     &&
install -v -m644    contrib/ssh-copy-id.1 \
                    /usr/share/man/man1              &&
install -v -m755 -d /usr/share/doc/openssh-7.9p1     &&
install -v -m644    INSTALL LICENCE OVERVIEW README* \
                    /usr/share/doc/openssh-7.9p1

[root@update-ssh ~]# echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
[root@update-ssh ~]# ssh-keygen &&
ssh-copy-id -i ~/.ssh/id_rsa.pub REMOTE_USERNAME@REMOTE_HOSTNAME
[root@update-ssh ~]# echo "PasswordAuthentication yes" >> /etc/ssh/sshd_config &&
echo "ChallengeResponseAuthentication no" >> /etc/ssh/sshd_config
[root@update-ssh ~]# sed 's@d/login@d/sshd@g' /etc/pam.d/login > /etc/pam.d/sshd &&
chmod 644 /etc/pam.d/sshd &&
echo "UsePAM yes" >> /etc/ssh/sshd_config

5、           加入系统服务

[root@update-ssh openssh-7.9p1]# cp contrib/redhat/sshd.init /etc/init.d/sshd
[root@update-ssh ~]# chkconfig --add sshd
[root@update-ssh ~]# chkconfig sshd on
[root@update-ssh ~]# rpm -e `rpm -qa | grep openssh`
[root@update-ssh ~]# service sshd restart

6、           断连重试

使用 SSH 客户端工具或同网段的其他服务器通过 ssh 连接新版本的 sshd,能够正常登录即可。telnet 仅作为升级期间的回退通道,验证通过后应关闭 telnet 服务并恢复 /etc/securetty。