记一次centos7的ssh升级到8.1p

1、升级脚本命令

请注意:升级 openssh 之后,线上会话的 `ulimit -n`(打开文件数限制)可能发生变化,这可能与 sshd 的启动方式(systemd 单元改为 SysV init 脚本)或 PAM 中 pam_limits 的配置有关。升级前先记录 `ulimit -n` 的值,升级完成后在新开的会话中再次执行并比对;如有差异,检查 /etc/security/limits.conf、/etc/security/limits.d/ 以及 /etc/pam.d/sshd 中 pam_limits 的设置。小伙伴们要注意。

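# Everything below writes under /usr and /etc, so run it as root.
sudo -s
# or: sudo su

# Record the open-file limit BEFORE the upgrade; the same command is run again
# in a fresh session afterwards and the two values must be compared (see the
# warning at the top of this page).
ulimit -n

# Versions in use before the upgrade (for the before/after comparison).
openssl version
ssh -V

# Work directory for sources, backups and the moved-aside unit files.
mkdir -p /app/ssh
cd /app/ssh

## Build dependencies.
# Update the packaged openssh first: if anything below goes wrong, the RPM
# binaries are the fallback and should at least carry the current errata.
yum update openssh -y
yum install -y gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel pam-devel
yum install -y pam* zlib*
# NOTE(review): this leaves a compiler toolchain on a production host; building
# on a separate build host and shipping the artifacts is preferable.

## Download the sources and verify them BEFORE unpacking.
# The OpenSSH tarball comes from a third-party mirror, so the detached PGP
# signature (.asc) must be checked against the OpenSSH release-signing key.
# Import that key first and compare its fingerprint with the one published on
# https://www.openssh.com/portable.html (never trust a fingerprint served by
# the mirror itself):
#   gpg --recv-keys <FINGERPRINT-FROM-OPENSSH.COM>
wget -c https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/openssh-8.1p1.tar.gz
wget -c https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/openssh-8.1p1.tar.gz.asc
gpg --verify openssh-8.1p1.tar.gz.asc openssh-8.1p1.tar.gz \
  || echo "STOP: OpenSSH tarball signature did NOT verify" >&2

# NOTE(review): the OpenSSL 1.0.2 branch is end-of-life (end of 2019) and 1.0.2r
# was not even its final release; choose the latest release of a branch that is
# still supported and that this OpenSSH version accepts (see INSTALL in the
# OpenSSH tarball for the supported range). The published checksum at least
# catches a corrupt or partially resumed download (`wget -c` resumes); the
# .asc signature from openssl.org gives stronger assurance.
wget -c https://ftp.openssl.org/source/openssl-1.0.2r.tar.gz
wget -c https://ftp.openssl.org/source/openssl-1.0.2r.tar.gz.sha256
echo "$(cat openssl-1.0.2r.tar.gz.sha256)  openssl-1.0.2r.tar.gz" | sha256sum -c - \
  || echo "STOP: OpenSSL tarball checksum did NOT match" >&2

ls -l

## Unpack only once both checks passed.
tar xfz openssh-8.1p1.tar.gz
tar xfz openssl-1.0.2r.tar.gz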

ll
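## Ownership of the unpacked OpenSSH tree (the recursive chown happens before
## configure).
chown root:root openssh-8.1p1
ls -l /usr/bin/openssl
ls -ld /usr/include/openssl

## Build and install the new OpenSSL under its own prefix (/usr/local/ssl).
# NOTE(review): the original procedure moved the RPM-owned /usr/bin/openssl and
# /usr/include/openssl aside and symlinked them to this build. That is not
# needed for OpenSSH (configure is pointed at /usr/local/ssl explicitly) and it
# breaks the openssl/openssl-devel packages: anything else built against the
# system headers would now see a different library, and the next
# `yum update openssl` silently overwrites the symlinks. The new build is
# therefore kept side-by-side and the system OpenSSL is left untouched.
cd openssl-1.0.2r/
ls
./config shared
echo $?

make -j4
echo $?

# Recommended before installing: make test

make install
echo $?

ls -l /usr/local/ssl/bin/openssl
ls -ld /usr/local/ssl/include/openssl

## Make the new shared libraries resolvable at runtime (ssh/sshd will be linked
## against them). On CentOS 7 the packaged library should carry a different
## SONAME (libssl.so.10 vs. libssl.so.1.0.0 here), so this should not shadow
## the system libraries — confirm with `ldconfig -p | grep libssl` afterwards.
cat /etc/ld.so.conf
grep -qx '/usr/local/ssl/lib' /etc/ld.so.conf || echo "/usr/local/ssl/lib" >> /etc/ld.so.conf
cat /etc/ld.so.conf
/sbin/ldconfig
ldconfig -p | grep libssl

## Both builds stay available: the new one under /usr/local/ssl, the packaged
## one on PATH. The system version is expected to be unchanged here.
/usr/local/ssl/bin/openssl version
openssl version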
 
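ls -l /etc/ssh
ls -ld /etc/ssh

## Back up the current sshd configuration AND the host keys.
# NOTE(review): the original copied /etc/ssh to /tmp — a world-accessible
# directory — which is no place for host private keys. Keep the extra copy
# under a root-only path; /etc/ssh_bak below is the working backup.
cp -a /etc/ssh "/app/ssh/etc_ssh_bak_$(date +%Y%m%d)"
mv /etc/ssh /etc/ssh_bak

cd ../openssh-8.1p1/
ls
ls -ld .

## Build and install the new OpenSSH.
chown -R root:root /app/ssh/openssh-8.1p1
ls -l

# NOTE(review): build with SELinux support instead of disabling SELinux after
# the upgrade (section 2.1 below); libselinux-devel provides the headers.
yum install -y libselinux-devel

./configure --prefix=/usr --sysconfdir=/etc/ssh \
  --with-openssl-includes=/usr/local/ssl/include --with-ssl-dir=/usr/local/ssl \
  --with-zlib --with-md5-passwords --with-pam --with-selinux
echo $?

make -j4
echo $?

# `make install` writes ssh/sshd/... under /usr (over the RPM-owned files) and,
# because /etc/ssh no longer exists at this point, generates a brand-new set of
# host keys.
make install
echo $?
ls -l /etc/ssh

# Restore the previous host keys so clients do not see a "host key changed"
# warning — teaching users to click through that warning is exactly what a
# man-in-the-middle relies on. Skip this only for a deliberate, announced rotation.
cp -a /etc/ssh_bak/ssh_host_*_key /etc/ssh_bak/ssh_host_*_key.pub /etc/ssh/

# Files created by `make install` may not carry the labels the SELinux policy
# expects for sshd (sshd_exec_t etc.); relabel them so sshd runs in its proper
# domain with SELinux left enforcing.
restorecon -Rv /usr/sbin/sshd /usr/bin/ssh* /usr/libexec/sftp-server /etc/ssh

ls -l /etc/ssh_bak
## Compare the effective (non-comment) settings of the old and new config.
grep -v '^[[:space:]]*#' /etc/ssh_bak/sshd_config | grep -v '^$'
grep -v '^[[:space:]]*#' /etc/ssh/sshd_config | grep -v '^$'

## Carry the previous settings over into the new config.
# sshd uses the first value it finds for each keyword; the stock 8.1p1 file
# ships the keywords below commented out, so appending them makes them
# effective. (The original did this interactively with vi.)
cat >> /etc/ssh/sshd_config <<'EOF'
##begin
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
SyslogFacility AUTHPRIV
#AuthorizedKeysFile	.ssh/authorized_keys
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
# In 8.1p1 a CountMax of 0 ends the session at the first keepalive, i.e. after
# ~600 s without traffic. NOTE: OpenSSH 8.2 changed the meaning of 0 to
# "never disconnect"; re-check these two lines before reusing this file on a
# newer release.
ClientAliveInterval 600
ClientAliveCountMax 0
Banner /etc/issue
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
# The stock file already points Subsystem at /usr/libexec/sftp-server.
#Subsystem	sftp	/usr/libexec/openssh/sftp-server
# The original list also enabled aes128-cbc,aes192-cbc,aes256-cbc. CBC modes
# are excluded from the OpenSSH defaults because of a known plaintext-recovery
# weakness; re-add one only for a specific legacy client that cannot do CTR.
Ciphers aes128-ctr,aes192-ctr,aes256-ctr
PermitRootLogin no
UseDNS no
##end
EOF

grep "^PermitRootLogin" /etc/ssh/sshd_config
grep -v '^[[:space:]]*#' /etc/ssh/sshd_config | grep -v '^$'

## Check the new configuration before the running service is touched.
/usr/sbin/sshd -t && echo "sshd config OK"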
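systemctl status sshd

## PAM configuration.
# NOTE(review): PAM reads /etc/pam.d/<service>, i.e. /etc/pam.d/sshd. The
# original copied the contrib file to /etc/pam.d/sshd.pam, a path PAM never
# consults, so the packaged /etc/pam.d/sshd (from the openssh-server RPM,
# maintained by the distro) remained in effect anyway. Keep it; only fall
# back to the contrib file if the packaged one is missing.
ls -l /etc/pam.d/sshd
[ -e /etc/pam.d/sshd ] || cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd

## Init script.
# The packaged sshd.service on CentOS 7 presumably expects the distro's
# systemd-aware sshd (Type=notify); the upstream build lacks that, which is why
# the procedure switches to the SysV script shipped with the source.
ls -l /etc/init.d/sshd
[ -e /etc/init.d/sshd ] && mv /etc/init.d/sshd /etc/init.d/sshd_bak
cp -a contrib/redhat/sshd.init /etc/init.d/sshd
chmod +x /etc/init.d/sshd
ls -l /etc/pam.d/sshd /etc/init.d/sshd

## Move the packaged unit files aside (not deleted, so this can be reverted) so
## systemd generates a unit from the init script instead.
ls -l /usr/lib/systemd/system/sshd.service /usr/lib/systemd/system/sshd.socket
systemctl disable sshd
[ -e /usr/lib/systemd/system/sshd.service ] && mv /usr/lib/systemd/system/sshd.service /app/ssh
[ -e /usr/lib/systemd/system/sshd.socket ] && mv /usr/lib/systemd/system/sshd.socket /app/ssh
systemctl daemon-reload

## Enable at boot through the SysV script.
chkconfig --add sshd
chkconfig sshd on

# NOTE(review): /usr/sbin/sshd, /usr/bin/ssh and the unit file are owned by the
# openssh RPMs; a later `yum update openssh*` would overwrite the hand-built
# binaries (silently reverting this upgrade) and restore the unit. Pin them,
# e.g. `exclude=openssh*` in /etc/yum.conf, and track upstream releases by hand.

## Restart sshd. Keep THIS session open and test a new login from a second
## terminal before closing it, so a broken sshd cannot lock you out.
/usr/sbin/sshd -t && echo "sshd config OK"
service sshd status
service sshd restart
service sshd status
/usr/local/ssl/bin/openssl version
ssh -V

# In the NEW session: compare with the value recorded before the upgrade.
ulimit -n

## Restrict SSH logins to the bastion host.
# The original line was mangled by the page's e-mail obfuscation; the syntax is
# AllowUsers USER@HOST (HOST may be an address, CIDR range or pattern), e.g.:
#   AllowUsers opsuser@192.0.2.10
# Connections from other sources are still accepted up to the authentication
# stage and then refused, so pair this with a host-firewall rule on port 22.
vi /etc/ssh/sshd_config

## Validate, then restart sshd for the new parameter — from a session that is
## itself covered by the AllowUsers line, or you lock yourself out.
/usr/sbin/sshd -t && service sshd restart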

	

2、遇到的问题

2.1、升级ssh后无法登录,SSH远程服务器时报错 /bin/bash : Permission denied

解决办法:

不建议直接关闭 SELinux——它是整机的强制访问控制层,关闭后失去的不只是对 sshd 的约束。更可能的根因是源码安装的 sshd 二进制没有按策略打上标签,或者编译时缺少 `--with-selinux`(发行版的 openssh 包通常带该选项编译)。优先按以下顺序处理:

1. 重新打标签:`restorecon -Rv /usr/sbin/sshd /usr/bin/ssh* /etc/ssh`;
2. 用 `ausearch -m avc -ts recent` 查看具体被拒绝的操作;
3. 安装 libselinux-devel 后在 configure 中加上 `--with-selinux`,重新 make / make install。

只有在上述步骤都无效时,才用下面的命令把 SELinux 临时切到 permissive 作为排查手段(确认问题确实出在 SELinux),不要把"关闭 SELinux"当作最终方案。原文给出的命令如下:


-----------------------------------------------------------------------------------
#####----------------------------
临时关闭:

[root@localhost ~]# getenforce
Enforcing

[root@localhost ~]# setenforce 0
[root@localhost ~]# getenforce
Permissive

永久关闭(不推荐):

[root@localhost ~]# vi /etc/sysconfig/selinux

SELINUX=enforcing 改为 SELINUX=disabled

注意:如确需长期放宽,优先使用 `SELINUX=permissive` 而不是 `disabled`——permissive 仍会记录拒绝日志,便于后续修复;而从 disabled 改回 enforcing 时整机需要重新打标签(relabel),重启耗时很长。修改后需重启生效:reboot

##########-------------------------------

参考网址:https://www.liangzl.com/get-article-detail-137917.html
