Openssh升级遇到的坑

升级参考文章：

https://www.cnblogs.com/nmap/p/10779658.html（centos7 升级openssh到openssh-8.0p1版本）

https://blog.csdn.net/qq_38000902/article/details/80969769（Linux Centos7 OpenSSH版本低导致的安全漏洞 升级OpenSSH和OpenSSl来修复漏洞）

https://jingyan.baidu.com/article/08b6a5916ecc5214a9092244.html（最全CentOS7升级OpenSSH方案）

https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/（ssh下载）

https://oomake.com/download/openssl （openssl下载）

http://www.zlib.net/fossils/ （zlib下载）

http://rpm.pbone.net/index.php3?stat=26&dist=77&size=167208&name=libcurl-7.19.7-35.el6.x86_64.rpm （pam可以从ios里面拿对应版本）

https://blog.csdn.net/weixin_34301307/article/details/89692821（记一次离线RHEL7，Openssh7.7p1的RPM方式升级）

https://www.cnblogs.com/xun0523/p/9804953.html（Centos 6.x 升级openssh版本）

自己碰到的问题：

1、缺少gcc

[root@credit_elsearch zlib-1.2.8]# gcc -v
bash: gcc: command not found...
[root@credit_elsearch zlib-1.2.8]# ./configure
Checking for gcc...
Compiler error reporting is too harsh for ./configure (perhaps remove -Werror).
** ./configure aborting.

安装参考：https://www.imooc.com/article/17780?block_id=tuijian_wz%20yum%20-y%20install%20gcc%20gcc-c++%20kernel-devel%20//

下载参考：http://rpmfind.net/linux/rpm2html/search.php?query=ntp

rpm -ivh mpfr-3.1.1-4.el7.x86_64.rpm
rpm -ivh libmpc-1.0.1-3.el7.x86_64.rpm
rpm -ivh kernel-headers-3.10.0-123.el7.x86_64.rpm
rpm -ivh glibc-headers-2.17-55.el7.x86_64.rpm
rpm -ivh glibc-devel-2.17-55.el7.x86_64.rpm
rpm -ivh cpp-4.8.2-16.el7.x86_64.rpm
rpm -ivh gcc-4.8.2-16.el7.x86_64.rpm

2、编译安装openssl报错：POD document had syntax errors at /usr/bin/pod2man line 69. make: *** [install_docs]

错误如下：

1 2 3 4 5 6 7

cms.pod around line 457: Expected text after =item, not a number cms.pod around line 461: Expected text after =item, not a number cms.pod around line 465: Expected text after =item, not a number cms.pod around line 470: Expected text after =item, not a number cms.pod around line 474: Expected text after =item, not a number POD document had syntax errors at /usr/bin/pod2man line 69. make: *** [install_docs] Error 1

解决方法： 

执行：

rm -f /usr/bin/pod2man 

重新编译安装即可。

3、openssh安装好默认是不执行sshd_config文件的

vim /etc/init.d/sshd
在 ‘$SSHD $OPTIONS && success || failure’这一行上面加上一行 ‘OPTIONS="-f /etc/ssh/sshd_config"’
保存退出

4、root用户无法登陆

解决：vim /etc/ssh/sshd_config

#PermitRootLogin prohibit-password改成PermitRootLogin yes

5、升级openssh后Xshell、SecureCRT等工具无法连接xftp和不能上传文件

解决：vim  /etc/ssh/sshd_config

# override default of no subsystems
#Subsystem      sftp    /usr/local/openssh/libexec/sftp-server改成下面那句
Subsystem      sftp    internal-sftp
6、PAM报错

Jul  1 13:11:19 credit_elsearch sshd[6027]: PAM unable to dlopen(/usr/lib64/security/pam_stack.so): /usr/lib64/security/pam_stack.so: cannot open shared object file: No such file or directory
Jul  1 13:11:19 credit_elsearch sshd[6027]: PAM adding faulty module: /usr/lib64/security/pam_stack.so
Jul  1 13:11:19 credit_elsearch sshd[6027]: Failed password for root from 10.23.181.28 port 60094 ssh2
 

经过排查发现是ssh rpm 升级后会修改/etc/pam.d/sshd 文件，如下：

#%PAM-1.0
auth       required     pam_stack.so service=system-auth
account    required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth

修改为之前的即可。修改后的文件如下：

 

 

#%PAM-1.0
auth       required     pam_sepermit.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth

7、编译和安装openssl时出错，POD document had syntax errors

installing man1/smime.1
　　smime.pod around line 272： Expected text after =item， not a number
　　smime.pod around line 276： Expected text after =item， not a number
　　smime.pod around line 280： Expected text after =item， not a number
　　smime.pod around line 285： Expected text after =item， not a number
　　smime.pod around line 289： Expected text after =item， not a number
　　POD document had syntax errors at /usr/bin/pod2man line 71.
　　make： *** ［install_docs］ 错误 255
　　原因分析：这是由于OpenSSL 1.0.1e 与 perl5.18 不兼容。
　　解决方法：
　　1、有人验证 安装perl 5.16 可以兼容，安排低版本perl 5.16可以解决问题。
　　2、删除 pod2man文件：
　　sudo rm /usr/bin/pod2man

8、升级Openssh高版本后，为了安全，默认不采用低等级的加密算法，低等级加密算法 pshell工具无法远程连接。（支持高等级加密算法的工具有xshell）。升级Openssh高版本后，为了安全，默认不采用低等级的加密算法，低等级加密算法 pshell工具无法远程连接。（支持高等级加密算法的工具有xshell）。

 解决方法：修改sshd的配置文件 /etc/ssh/sshd_config，在最后面添加以下三行内容：添加完后重启sshd服务则生效。

Ciphers aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc,arcfour128,arcfour256,arcfour,blowfish-cbc,cast128-cbc

 

MACs hmac-md5,hmac-sha1,[email protected],hmac-ripemd160,hmac-sha1-96,hmac-md5-96