此处以centos6.5为例进行升级
使用ssh -V查看当前版本,默认centos6.5的ssh版本为5.3
在附件中下载rpm包
# Install xinetd and the telnet server as a temporary fallback login path
# while the system sshd is removed and rebuilt.
# NOTE(review): the page does not say where the attached RPMs come from;
# check their signatures (e.g. `rpm -K <package>.rpm`) before installing.
rpm -ivh xinetd-2.3.14-39.el6_4.x86_64.rpm
rpm -ivh telnet-server-0.17-47.el6_3.1.x86_64.rpm
# Stops the iptables service and keeps it off across reboots until it is
# re-enabled near the end of this procedure. Host-level packet filtering is
# off for that whole window, so do this only on a trusted network.
service iptables stop
chkconfig iptables off
将其中disable字段的yes改为no以启用telnet服务
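# Enable the telnet service by flipping only the `disable = yes` directive.
# The pattern is anchored to the directive itself, so comment lines or other
# settings that merely contain the word "disable" are left alone and the
# file's existing indentation is kept.
# Telnet carries credentials in cleartext; it is only the fallback while sshd
# is being replaced and is switched off again at the end of the procedure.
sed -i 's/^\([[:space:]]*disable[[:space:]]*=[[:space:]]*\)yes/\1no/' /etc/xinetd.d/telnet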
允许root用户通过telnet登录
# Moving /etc/securetty aside removes the list of terminals root is allowed
# to log in on, which is what lets root in over telnet. The file is moved
# back at the end of the procedure.
mv /etc/securetty /etc/securetty.old
# Start xinetd (which serves telnet) now and enable it at boot.
service xinetd start
chkconfig xinetd on
检查环境
# Record the OpenSSL version currently installed, for comparison after the build.
openssl version
# Install or upgrade the compiler toolchain and the -devel packages needed to
# build OpenSSL and OpenSSH from source. The order matters: each rpm call
# relies on the packages installed by the calls before it.
# -ivh installs a new package; -Uvh upgrades one that is already present.
# NOTE(review): verify the signatures of these local RPMs (e.g. `rpm -K`)
# before installing; several of them (glibc, pam, krb5-libs, openssl) replace
# core system libraries.
rpm -ivh ppl-0.10.2-11.el6.x86_64.rpm
rpm -ivh cloog-ppl-0.15.7-1.2.el6.x86_64.rpm
rpm -ivh mpfr-2.4.1-6.el6.x86_64.rpm
rpm -ivh cpp-4.4.7-17.el6.x86_64.rpm
rpm -Uvh kernel-headers-2.6.32-642.el6.x86_64.rpm
rpm -Uvh tzdata-2016c-1.el6.noarch.rpm
rpm -Uvh glibc-devel-2.12-1.192.el6.x86_64.rpm glibc-2.12-1.192.el6.x86_64.rpm glibc-2.12-1.192.el6.i686.rpm glibc-headers-2.12-1.192.el6.x86_64.rpm glibc-common-2.12-1.192.el6.x86_64.rpm
rpm -Uvh libgcc-4.4.7-17.el6.x86_64.rpm
rpm -Uvh libgomp-4.4.7-17.el6.x86_64.rpm
rpm -ivh gcc-4.4.7-17.el6.x86_64.rpm
rpm -Uvh libstdc++-4.4.7-17.el6.x86_64.rpm
rpm -ivh libstdc++-devel-4.4.7-17.el6.x86_64.rpm
rpm -ivh gcc-c++-4.4.7-17.el6.x86_64.rpm
# Headers for the libraries OpenSSH is configured against below (zlib, PAM,
# Kerberos, SELinux, OpenSSL).
rpm -ivh zlib-devel-1.2.3-29.el6.x86_64.rpm
rpm -Uvh keyutils-1.4-5.el6.x86_64.rpm keyutils-libs-1.4-5.el6.x86_64.rpm keyutils-libs-devel-1.4-5.el6.x86_64.rpm
rpm -Uvh krb5-libs-1.10.3-57.el6.x86_64.rpm krb5-workstation-1.10.3-57.el6.x86_64.rpm
rpm -Uvh libselinux-2.0.94-7.el6.x86_64.rpm libselinux-utils-2.0.94-7.el6.x86_64.rpm libselinux-python-2.0.94-7.el6.x86_64.rpm
rpm -ivh libsepol-devel-2.0.41-4.el6.x86_64.rpm
rpm -ivh libselinux-devel-2.0.94-7.el6.x86_64.rpm
rpm -Uvh e2fsprogs-libs-1.41.12-22.el6.x86_64.rpm e2fsprogs-1.41.12-22.el6.x86_64.rpm libss-1.41.12-22.el6.x86_64.rpm libcom_err-1.41.12-22.el6.x86_64.rpm
rpm -ivh krb5-devel-1.10.3-57.el6.x86_64.rpm libcom_err-devel-1.41.12-22.el6.x86_64.rpm
rpm -Uvh openssl-devel-1.0.1e-48.el6.x86_64.rpm openssl-1.0.1e-48.el6.x86_64.rpm
rpm -Uvh pam-devel-1.1.1-22.el6.x86_64.rpm pam-1.1.1-22.el6.x86_64.rpm
# Build OpenSSL 1.0.2h from source into /usr/local/openssl with shared
# libraries (--shared), leaving the RPM-installed OpenSSL in place for now.
# NOTE(review): check the tarball against the checksum/signature published by
# the OpenSSL project before unpacking. 1.0.2h is an old release on a branch
# upstream no longer maintains publicly; check which release is currently
# supported before reusing these steps.
tar zxf openssl-1.0.2h.tar.gz
cd openssl-1.0.2h
./config --prefix=/usr/local/openssl --shared
make depend
make
# Run the bundled self-tests; only continue to `make install` if they pass.
make test
make install
备份当前openssl
# Keep the existing openssl binary and header directory under .bak names so
# they can be restored by moving them back.
# NOTE(review): these paths presumably belong to the openssl/openssl-devel
# RPMs, so a later package update may recreate them — confirm.
mv /usr/bin/openssl /usr/bin/openssl.bak
mv /usr/include/openssl /usr/include/openssl.bak
配置使用新版本
# Point the standard binary and header paths at the freshly built OpenSSL
# under /usr/local/openssl, so `openssl` on PATH and `#include <openssl/...>`
# resolve to the new version.
ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
ln -s /usr/local/openssl/include/openssl /usr/include/openssl
更新动态链接库数据
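# Register the new OpenSSL library directory with the dynamic linker.
# OpenSSL was configured with --prefix=/usr/local/openssl, so its shared
# libraries are installed in /usr/local/openssl/lib (not /usr/local/ssl/lib).
# The grep guard keeps the entry from being appended again on a re-run.
grep -qxF "/usr/local/openssl/lib" /etc/ld.so.conf \
  || echo "/usr/local/openssl/lib" >> /etc/ld.so.conf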
重新加载动态链接库
# Rebuild the dynamic linker cache so the directory added to /etc/ld.so.conf
# is searched; -v lists the directories and libraries as they are processed.
ldconfig -v
重新查看版本号
# Should now report 1.0.2h; an error about a missing shared library here
# means the linker cache does not include the new library directory.
openssl version
# List the installed openssh packages that the next step removes.
rpm -qa | grep openssh
删除低版本的openssh
# Remove every installed package whose name contains "openssh", ignoring
# dependency checks (--nodeps). From here until `make install` finishes and
# the new sshd is started, the telnet session enabled earlier is the
# fallback way in — keep it open.
rpm -e `rpm -qa | grep openssh` --nodeps
# Unpack and build OpenSSH 7.9p1; the tarball is expected in /usr/local/src.
# NOTE(review): verify the tarball against the checksum/signature published by
# the OpenSSH project before unpacking.
cd /usr/local/src/
tar zxvf openssh-7.9p1.tar.gz
cd openssh-7.9p1
# Installs under /usr with configuration in /etc/ssh, with PAM and zlib support.
# NOTE(review): no --with-ssl-dir is given, so configure uses whatever OpenSSL
# headers and libraries the default search paths provide; confirm in the
# configure output that it picked up the 1.0.2h build under /usr/local/openssl.
# NOTE(review): upstream appears to have dropped tcpwrappers support before
# 7.9, so --with-tcp-wrappers is likely ignored with a warning — confirm.
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-md5-passwords --with-tcp-wrappers
make
make install
手动将 PermitRootLogin no 修改为 PermitRootLogin yes,允许root远程登录
# Replaces the commented-out default `#PermitRootLogin prohibit-password` with
# `PermitRootLogin yes`. A config that already has an explicit PermitRootLogin
# line is left unchanged by this pattern.
# `yes` lets root log in over SSH with a password. `prohibit-password` (the
# default being replaced) still allows key-based root login and is the safer
# setting once keys are in place.
sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin\ yes/g' /etc/ssh/sshd_config
禁止空密码
# Uncomment the PermitEmptyPasswords line and set it to `no`, so accounts with
# an empty password cannot log in over SSH. Only the commented-out form is
# matched; an existing uncommented setting is left as it is.
sed -i 's/#PermitEmptyPasswords\(.*\)/PermitEmptyPasswords\ no/g' /etc/ssh/sshd_config
重点:禁用selinux,否则重启后会登录失败
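# Set SELINUX=disabled in /etc/selinux/config; the file is read at boot, so
# the change applies after the next reboot.
# The pattern matches only the `SELINUX=` line. A looser `^SELINUX.*` would
# also overwrite the `SELINUXTYPE=` line with `SELINUX=disabled`.
# NOTE(review): this turns off SELinux for the whole host to work around the
# post-reboot login failure. Presumably the failure comes from the self-built
# sshd files lacking the expected labels; if so, relabelling them (restorecon)
# or running permissive while diagnosing would keep SELinux available —
# confirm on a test host.
sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config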
# Install the init script shipped in the OpenSSH source tree. The path is
# relative, so this must run from inside the openssh-7.9p1 directory.
cp contrib/redhat/sshd.init /etc/init.d/sshd
# Register sshd with chkconfig and enable it at boot.
chkconfig --add sshd
chkconfig sshd on
# Start the new sshd, then restart it so it runs with the edited sshd_config.
service sshd start
service sshd restart
# Confirm the runlevels sshd is enabled for and the installed client version.
chkconfig --list sshd
ssh -V
关闭telnet
禁止root用户通过telnet登录
# Before running these, confirm from a NEW session that SSH login with the
# rebuilt sshd works; once telnet is closed there is no other remote way in.
# Restore the securetty list so root is again limited to the listed terminals.
mv /etc/securetty.old /etc/securetty
# Stop xinetd (and with it telnet) now and keep it off at boot.
service xinetd stop
chkconfig xinetd off
# Bring the firewall back up and re-enable it at boot.
service iptables start
chkconfig iptables on
将之前的disable字段的no改为yes
# Interactive edit: set `disable = yes` in the telnet service file so xinetd
# does not offer telnet even if xinetd is started again later.
vi /etc/xinetd.d/telnet
随后再修改iptables规则,将23端口关闭,并重启iptables服务
至此,可以再开ssh登录,用ssh -V查看版本号