一、升级原因
官网发布了7.4以下openssh版本存在严重漏洞例如:
1.OpenSSH 远程权限提升漏洞(CVE-2016-10010)  
2.OpenSSH J-PAKE授权问题漏洞(CVE-2010-4478)  
3.Openssh MaxAuthTries限制绕过漏洞(CVE-2015-5600)  
OpenSSL>=1.0.1可以不用升级OpenSSL,可直接升级openssh。

二、安装telnet服务(防止突然断网,导致无法远程)

实验环境rhel 6.5(版本过低可能会出现RSA算法文件无法找到报错。这个问题可以修改/etc/init.d/sshd ,在if找到找到相应的路劲进行注释,问题可以解决。)
1.安装软件
# yum -y install telnet-server* telnet(服务器可上网情况下可用,若不能需要挂载ISO镜像,或者搭建本地源进行RPM安装)
本地源搭建:
# mkdir /mnt/cdrom
# mount /dev/cdrom /mnt/cdrom/
# cp -p rhel-source.repo rhel-source.repo.bak        #将多余的.repo文件进行mv 使其不生效留一个就好
# vim rhel-source.repo
[Server]


name=RHELServer

baseurl=file:///mnt/cdrom/Server

enabled=1

gpgcheck=0

[ResilientStorage]

name=RHELResilientStorage

baseurl=file:///mnt/cdrom/ResilientStorage

enabled=1

gpgcheck=0

[ScalableFileSystem]

name=RHELScalableFileSystem

baseurl=file:///mnt/cdrom/ScalableFileSystem

enabled=1

gpgcheck=0

[HighAvailability]

name=RHELHighAvailability

baseurl=file:///mnt/cdrom/HighAvailability

enabled=1

gpgcheck=0

[LoadBalancer]

name=RHELLoadBalancer

baseurl=file:///mnt/cdrom/LoadBalancer

enabled=1

gpgcheck=0
# yum clean all(清理yum缓存)

# yum lsit(检测yum配置是否成功,出现以下信息说明配置成功)

sblim-cmpi-samba.i686                  1.0-1.el6                        Server         

sblim-cmpi-samba.x86_64                1.0-1.el6                        Server         

sblim-cmpi-sysfs.i686                  1.2.0-1.el6                      Server         

sblim-cmpi-sysfs.x86_64                1.2.0-1.el6                      Server         

sblim-cmpi-syslog.i686                 0.8.0-1.el6                      Server         

sblim-cmpi-syslog.x86_64               0.8.0-1.el6                      Server         

sblim-gather.i686                      2.2.3-3.el6                      Server         

sblim-gather.x86_64                    2.2.3-3.el6                      Server         

sblim-gather-provider.x86_64           2.2.3-3.el6                      Server         

sblim-indication_helper.i686           0.5.0-1.el6                      Server         

sblim-indication_helper.x86_64         0.5.0-1.el6                      Server         

sblim-sfcb.x86_64                      1.3.11-2.el6                     Server         

# yum -y install telnet-* (安装telnet服务)

2.启用telnet服务
# vi /etc/xinetd.d/telnet 
将其中disable字段的yes改为no以启用telnet服务 
# mv /etc/securetty /etc/securetty.old    #允许root用户通过telnet登录 
# service xinetd start                    #启动telnet服务 
# chkconfig xinetd on                    #使telnet服务开机启动,避免升级过程中服务器意外重启后无法远程登录系统

3.测试telnet能否正常登入系统
#telnet x.x.x.x
三、升级OpenSSH
1.备份当前openssh
mv /etc/ssh /etc/ssh.old 
mv /etc/init.d/sshd /etc/init.d/sshd.old

2.卸载当前openssh
[root@localhost ~]# rpm -qa |grep openssl       #检查openssl是否>=1.0.1如果不是需要重新安装openssl
openssl-1.0.1e-15.el6.x86_64
openssl-devel-1.0.1e-15.el6.x86_64
# rpm -qa | grep openssh 
openssh-clients-5.3p1-104.el6.x86_64 
openssh-server-5.3p1-104.el6.x86_64 
openssh-5.3p1-104.el6.x86_64 
openssh-askpass-5.3p1-104.el6.x86_64 
# rpm -e --nodeps openssh-5.3p1-104.el6.x86_64 
# rpm -e --nodeps openssh-clients-5.3p1-104.el6.x86_64 
# rpm -e --nodeps openssh-askpass-5.3p1-104.el6.x86_64 
# rpm -e --nodeps openssh-server-5.3p1-104.el6.x86_64 
(这样的卸载顺序不会出现卸载server时报错,顺序不对就会出现以下报错。) 
注意:卸载过程中如果出现以下错误 


# rpm -e --nodeps openssh-server-5.3p1-104.el6.x86_64  
error reading information on service sshd: No such file or directory 
error: %preun(openssh-server-5.3p1-104.el6.x86_64) scriptlet failed, exit status 1 
解决方法: 
# rpm -e --noscripts openssh-server-5.3p1-104.el6.x86_64


3.解压openssh_7.5p1源码并编译安装
# mkdir /usr/local/openssh (创建安装路径)
# tar -zxvf openssh-7.5p1.tar.gz 
# cd openssh-7.5p1 
[openssh-7.5p1]#./configure --prefix=
/usr/local/openssh/ --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-zlib --with-openssl-includes=/usr --with-privsep-path=/var/lib/sshd 
# make 
# make install

5.修改配置文件与启用OpenSSH服务
# 在openssh编译目录执行如下目录 
[root@localhost openssh-7.5p1]# cp -p contrib/redhat/sshd.init /etc/init.d/sshd
[root@localhost openssh-7.5p1]# chmod +x /etc/init.d/sshd
[root@localhost openssh-7.5p1]# chkconfig --add sshd
[root@localhost openssh-7.5p1]# cp sshd_config /etc/ssh/sshd_config
[root@localhost openssh-7.5p1]# cp /usr/local/openssh/sbin/sshd /usr/sbin/sshd
[root@localhost openssh-7.5p1]# cp ssh-keygen /usr/bin/
[root@localhost openssh-7.5p1]# vim /etc/init.d/sshd
修改第25、41和50行将(/usr/local/openssh/为openssh安装目录)
SSHD=/usr/sbin/sshd 为 SSHD=/usr/local/openssh/sbin/sshd
/usr/sbin/ssh-keygen -A 为 /usr/local/openssh/bin/ssh-keygen -A
$SSHD $OPTIONS && success || failure在上面加上OPTIONS="-f /etc/ssh/sshd_config"(“=”后面不能有空格否则ssh无法启动)
[root@localhost ~]# vim /etc/ssh/sshd_config
在最后添加PermitRootLogin yes
Subsystem       sftp    /usr/libexec/sftp-server修改为
Subsystem       sftp    /usr/local/openssh/libexec/sftp-server   #如果需要使用winSCP上传文件的话,必须修改要不然软件不能连接服务器
# service sshd restart
注意:如果升级操作一直是在ssh远程会话中进行的,上述sshd服务重启命令可能导致会话断开并无法使用ssh再行登入(即ssh未能成功重启),此时需要通过telnet登入再执行sshd服务重启命令。

 

 


注意:如果使用的SSH工具是F-Secure SSH那么需要在最后加入下面这段代码,才能正常连接。
Ciphers aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc,arcfour128,arcfour256,arcfour,blowfish-cbc,cast128-cbc

MACs hmac-md5,hmac-sha1,[email protected],hmac-ripemd160,hmac-sha1-96,hmac-md5-96

KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,diffie-hellman-group1-sha1,[email protected]

6.重启系统验证没问题后关闭telnet服务
# mv /etc/securetty.old /etc/securetty 
# chkconfig  xinetd off 
# service xinetd stop 
如需还原之前的ssh配置信息,可直接删除升级后的配置信息,恢复备份。 
# rm -rf /etc/ssh 
# mv /etc/ssh.old /etc/ssh