Check the current version
# ssh -V
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
Use the telnet service to carry out the installation and upgrade
Check the status of the telnet service:
[root@localhost ~]# service xinetd status
/etc/sysconfig/network: line 3: hl-tyapp1: command not found
xinetd (pid 21601) is running...
Restart the telnet service
[root@localhost ~]# service xinetd restart
/etc/sysconfig/network: line 3: hl-tyapp1: command not found
Stopping xinetd: [ OK ]
Starting xinetd: [ OK ]
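By default the telnet service does not allow the root account to log in, so create an ordinary account first and switch to the root account during the upgrade. Create an account named test with the password 123 by running: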
[root@localhost ~]# useradd test
[root@localhost ~]# passwd test
Changing password for user test.
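New UNIX password: #enter the password for the test account
BAD PASSWORD: it is WAY too short
Retype new UNIX password: #enter the test account's password again
passwd: all authentication tokens updated successfully. #the test account is now set up
telnet uses TCP port 23 by default. Verify that the port works: if the connection succeeds, the configuration is correct; if it does not, the configuration has failed. For example:
# telnet 127.0.0.1 #if the local connection works but connections over the network do not, check whether the firewall allows telnet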
[root@localhost ~]# telnet 127.0.0.1
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
ONLY Authorized users only! All accesses logged
login: test
Password: #enter the password
Last login: Mon Dec 24 10:31:47 from VM000003114
ONLY Authorized users only! All accesses logged
-bash: /var/log/audit/audit.log: Permission denied
[test@localhost ~]$
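Switch to root
[test@localhost ~]$ su root
Password: #enter the password
[root@localhost test]# cd #return to root's home directory
[root@localhost ~]#
Next, upload the three packages needed for the upgrade to root's home directory.
Make backups before starting the upgrade
Back up the OpenSSH-related files:
# cp -r /etc/ssh/ /etc/ssh_bak #back up the configuration directory
# cp /etc/init.d/sshd /etc/init.d/sshd_bak #back up the init script
# cp /usr/sbin/sshd /usr/sbin/sshd_bak #back up the sshd daemon binary
The original version is not uninstalled here.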
Install OpenSSH
OpenSSH depends on zlib and OpenSSL, so install those first.
Build zlib from source
# tar -xvzf zlib-1.2.8.tar #extract
# cd zlib-1.2.8
[zlib-1.2.8]# ./configure --prefix=/usr/local/zlib #check the configuration
[zlib-1.2.8]# make #compile
[zlib-1.2.8]# make install #install
Build OpenSSL from source
# tar -xvzf openssl-1.0.1h.tar.gz #extract
# cd openssl-1.0.1h #enter the directory
[openssl-1.0.1h]# ./config --prefix=/usr/local/openssl #check the configuration
[openssl-1.0.1h]# make #compile
[openssl-1.0.1h]# make install #install
Build OpenSSH from source
# tar -xvzf openssh-6.5p1.tar.gz #extract
# cd openssh-6.5p1 #enter the directory
[openssh-6.5p1]# ./configure \
> --sysconfdir=/etc/ssh \
> --with-zlib=/usr/local/zlib/ \
> --with-ssl-dir=/usr/local/openssl #check the configuration
[openssh-6.5p1]# make #compile
[openssh-6.5p1]# make install #install
After installation, OpenSSH places its files as follows:
Category | Path | Examples |
Client commands | /usr/local/bin | ssh, ssh-add, ssh-agent, scp, etc. |
Server daemon | /usr/local/sbin | sshd |
Other helper commands | /usr/local/libexec | sftp-server, ssh-pkcs11-helper |
Configuration files and public keys | /etc/ssh | sshd_config, ssh_host_* |
Help documentation | /usr/local/openssh/share | share/{man1,man5,man8} |
Start OpenSSH
# /usr/local/sbin/sshd -d #debug OpenSSH
# /usr/local/sbin/sshd -f /etc/ssh/sshd_config
Manage OpenSSH at boot
# vi /etc/init.d/sshd
SSHD=/usr/local/sbin/sshd #default is SSHD=/usr/sbin/sshd
start()
{
# Create keys if necessary
/usr/local/bin/ssh-keygen -A #default is /usr/bin/ssh-keygen -A
# chkconfig sshd on #enable start at boot
# chkconfig --list sshd
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
# service sshd restart
Stopping sshd:[ OK ]
Starting sshd:[ OK ]
Verify the OpenSSH version
# /usr/local/bin/ssh -V
OpenSSH_6.5p1, OpenSSL 1.0.1e-fips 11 Feb 2013
Set up the OpenSSH service
# cp /usr/local/bin/ssh /usr/bin/ #the build above installed the client to /usr/local/bin
Verify the version after the upgrade
[root@localhost ~]# ssh -V
OpenSSH_6.5p1, OpenSSL 1.0.1e-fips 11 Feb 2013
Restart OpenSSH
[root@localhost ~]# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: /etc/ssh/sshd_config line 81: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 83: Unsupported option GSSAPICleanupCredentials
/etc/ssh/sshd_config line 97: Unsupported option UsePAM
[ OK ]
[root@localhost ~]#
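The "Unsupported option" lines above appear because the configure command used here enabled neither PAM nor GSSAPI support, so the new sshd ignores those directives. The shell functions below are an added example, not part of the original walkthrough: they extract the reported line numbers from the start-up messages and print a copy of the config with exactly those directives commented out. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example; function names and the sample data below are constructed.

# stdin: sshd start-up messages. $1: config path named in those messages.
# stdout: "LINE KEYWORD" for every "Unsupported option" complaint.
unsupported_options() {
    awk -v cfg="$1" '{
        for (i = 2; i + 4 <= NF; i++)
            if ($(i-1) == cfg && $i == "line" &&
                $(i+2) == "Unsupported" && $(i+3) == "option") {
                n = $(i+1); sub(/:$/, "", n); print n, $(i+4)
            }
    }'
}

# $1: sshd_config, $2: file of "LINE KEYWORD" pairs. Prints the config with the
# reported lines commented out, but only where the line really starts with the
# reported keyword (keywords are case-insensitive), so a stale line number
# cannot disable an unrelated directive.
comment_out_unsupported() {
    awk 'FILENAME == ARGV[1] { want[$1] = tolower($2); next }
         (FNR in want) && tolower($1) == want[FNR] { print "#" $0; next }
         { print }' "$2" "$1"
}

# Constructed sample: a 4-line config and restart messages that refer to it.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'PermitRootLogin yes' 'GSSAPIAuthentication yes' \
        'Subsystem sftp /usr/local/libexec/sftp-server' 'UsePAM yes' > "$d/cfg"
    printf '%s\n' \
        "Starting sshd: $d/cfg line 2: Unsupported option GSSAPIAuthentication" \
        "$d/cfg line 4: Unsupported option UsePAM" |
        unsupported_options "$d/cfg" > "$d/pairs"
    comment_out_unsupported "$d/cfg" "$d/pairs"
    rm -rf "$d"
}

demo
```

On the upgraded host the messages can be captured with /usr/local/sbin/sshd -t -f /etc/ssh/sshd_config 2>&1 (the -t flag only tests the configuration). Compare the printed copy against the backup in /etc/ssh_bak before replacing the live file.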
Allow root to log in remotely:
[root@localhost ~]# vim /etc/ssh/sshd_config
#LoginGraceTime 2m
# allow root login
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
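Problems encountered
Configuring OpenSSH reports a missing OpenSSL library
After OpenSSL has been configured:
# vi Makefile
Edit the options on the gcc line and add -fPIC
Then install OpenSSL as usual.
Before installing OpenSSH, do the following:
# setenforce 0
# vi /etc/selinux/config
Comment out SELINUX=enforcing
Add the line: SELINUX=disabled
Save and exit
After that, the installation proceeds normally.
Installing OpenSSH without building OpenSSL from source
When running
[openssh-6.5p1]# ./configure \
> --sysconfdir=/etc/ssh \
> --with-zlib=/usr/local/zlib/ \
> --with-ssl-dir=/usr/local/openssl #check the configuration
configure fails with the error
"OpenSSL headers missing - please install first or check config.log ***". This is caused by the missing openssl-devel package, and installing openssl-devel is all that is needed. Run: yum install openssl-devel
Installing openssl-devel with rpm or yum is enough to meet the requirements for installing OpenSSH.
# yum install openssl-devel
OpenSSH fails at make install
# make install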
./ssh-keygen: error while loading shared libraries: cannot restore segment prot after reloc: Permission denied
./ssh-keygen: error while loading shared libraries: cannot restore segment prot after reloc: Permission denied
./ssh-keygen: error while loading shared libraries: cannot restore segment prot after reloc: Permission denied
./ssh-keygen: error while loading shared libraries: cannot restore segment prot after reloc: Permission denied
./ssh-keygen: error while loading shared libraries: cannot restore segment prot after reloc: Permission denied
make: *** [host-key] Error 127
[root@localhost openssh-6.5p1]# /usr/sbin/setenforce 0
After that, the installation proceeds normally.