Because upgrading OpenSSH touches a security-critical service, it is safest to install the telnet service as a fallback before the upgrade and to stop telnet again once the upgrade has succeeded.
I. Download links for the source packages used in the OpenSSH upgrade:
zlib: http://www.zlib.net/zlib-1.2.11.tar.gz
Other zlib versions: http://www.zlib.net/fossils/
openssl-fips: https://www.openssl.org/source/old/fips/openssl-fips-2.0.12.tar.gz
OpenSSL: https://www.openssl.org/source/openssl-1.0.2k.tar.gz
OpenSSH: http://openbsd.hk/pub/OpenBSD/OpenSSH/portable/openssh-7.4p1.tar.gz
II. Configure a yum repository on RHEL7
1. Create a directory for the ISO
#mkdir /iso
Use WinSCP to upload rhel-server-7.1-x86_64-dvd.iso into the /iso directory.
2. Create the mount point /yum for the ISO
#mkdir /yum
3. With rhel-server-7.1-x86_64-dvd.iso in /iso, loop-mount it on /yum
#mount -o loop /iso/rhel-server-7.1-x86_64-dvd.iso /yum
4. Create a file named <name>.repo in the directory /etc/yum.repos.d/
5. Configure the local yum repository
#cd /etc/yum.repos.d/    # enter the yum configuration directory
#touch rhel7.repo        # create the repository file
#vi rhel7.repo           # edit the file and add the following:
[media]
name=RHEL7.1
baseurl=file:///yum
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
:wq!    # save and quit
Explanation of the fields:
[media]
name=rhel7    # arbitrary repository name
baseurl=file:///mnt    # path where the local DVD is mounted
enabled=1    # whether this repository is used: 0 = disabled, 1 = enabled
gpgcheck=0    # whether package GPG signatures are verified: 0 = no check, 1 = check
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
With gpgcheck=0 packages are installed without any signature verification; the rhel7.repo created above keeps gpgcheck=1, which is the setting to use (the key import during the telnet-server install below shows it working).
#yum clean all
Loaded plugins: product-id, refresh-packagekit, security, subscription-manager
Updating certificate-based repositories.
Unable to read consumer identity
Cleaning repos: rhel-source
Cleaning up Everything
#yum update
Loaded plugins: product-id, refresh-packagekit, security, subscription-manager
Updating certificate-based repositories.
Unable to read consumer identity
rhel-source | 4.0 kB 00:00 ...
rhel-source/primary_db | 3.1 MB 00:00 ...
Setting up Update Process
No Packages marked for Update
#yum makecache
Loaded plugins: product-id, refresh-packagekit, security, subscription-manager
Updating certificate-based repositories.
Unable to read consumer identity
rhel-source | 4.0 kB 00:00 ...
rhel-source/filelists_db | 3.7 MB 00:00 ...
rhel-source/other_db | 1.6 MB 00:00 ...
rhel-source/group_gz | 204 kB 00:00 ...
Metadata Cache Created
III. Install the telnet service
First check whether the two packages telnet-server and xinetd are already installed on RHEL7:
#rpm -qa telnet-server
#rpm -qa xinetd
If they are not installed, install them first:
1. Install telnet with yum
#yum list |grep telnet
telnet-server.x86_64 1:0.17-59.el7 @media
telnet.x86_64 1:0.17-59.el7 media
#yum install telnet-server.x86_64
#yum install telnet.x86_64
or
#yum -y install telnet-server
Loaded plugins: langpacks, product-id, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Resolving Dependencies
--> Running transaction check
---> Package telnet-server.x86_64 1:0.17-59.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
==================================================================================
Package Arch Version Repository Size
==================================================================================
Installing:
telnet-server x86_64 1:0.17-59.el7 media 40 k
Transaction Summary
==================================================================================
Install 1 Package
Total download size: 40 k
Installed size: 55 k
Downloading packages:
warning: /yum/Packages/telnet-server-0.17-59.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY
Public key for telnet-server-0.17-59.el7.x86_64.rpm is not installed
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Importing GPG key 0xFD431D51:
Userid : "Red Hat, Inc. (release key 2)
Fingerprint: 567e 347a d004 4ade 55ba 8a5f 199e 2f91 fd43 1d51
Package : redhat-release-server-7.1-1.el7.x86_64 (@anaconda/7.1)
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Importing GPG key 0x2FA658E0:
Userid : "Red Hat, Inc. (auxiliary key)
Fingerprint: 43a6 e49c 4a38 f4be 9abf 2a53 4568 9c88 2fa6 58e0
Package : redhat-release-server-7.1-1.el7.x86_64 (@anaconda/7.1)
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : 1:telnet-server-0.17-59.el7.x86_64 1/1
Verifying : 1:telnet-server-0.17-59.el7.x86_64 1/1
Installed:
telnet-server.x86_64 1:0.17-59.el7
2. Install xinetd with yum
#yum list |grep xinetd
xinetd.x86_64 2:2.3.15-12.el7 @media
#yum install xinetd.x86_64
or
#yum install xinetd
Loaded plugins: langpacks, product-id, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Resolving Dependencies
--> Running transaction check
---> Package xinetd.x86_64 2:2.3.15-12.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
==================================================================================
Package Arch Version Repository Size
==================================================================================
Installing:
xinetd x86_64 2:2.3.15-12.el7 media 128 k
Transaction Summary
==================================================================================
Install 1 Package
Total download size: 128 k
Installed size: 261 k
Is this ok [y/d/N]: y
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : 2:xinetd-2.3.15-12.el7.x86_64 1/1
Verifying : 2:xinetd-2.3.15-12.el7.x86_64 1/1
Installed:
xinetd.x86_64 2:2.3.15-12.el7
Complete!
3. Start the telnet service
After installation, enable xinetd at boot:
#systemctl enable xinetd.service
# Enable the telnet socket at boot:
#systemctl enable telnet.socket
Finally, start both services:
#systemctl start telnet.socket
#systemctl status telnet.socket
telnet.socket - Telnet Server Activation Socket
Loaded: loaded (/usr/lib/systemd/system/telnet.socket; enabled)
Active: active (listening) since Sun 2017-04-09 01:52:57 PDT; 1min 38s ago
Docs: man:telnetd(8)
Listen: [::]:23 (Stream)
Accepted: 0; Connected: 0
#systemctl start xinetd    (or: service xinetd start)
#systemctl status xinetd.service
xinetd.service - Xinetd A Powerful Replacement For Inetd
Loaded: loaded (/usr/lib/systemd/system/xinetd.service; enabled)
Active: active (running) since Sun 2017-04-09 01:53:37 PDT; 4min 5s ago
Process: 3296 ExecStart=/usr/sbin/xinetd -stayalive -pidfile /var/run/xinetd.pid $EXTRAOPTIONS (code=exited, status=0/SUCCESS)
Main PID: 3297 (xinetd)
CGroup: /system.slice/xinetd.service
└─3297 /usr/sbin/xinetd -stayalive -pidfile /var/run/xinetd.pid
Apr 09 01:53:37 localhost.localdomain xinetd[3297]: removing discard
Apr 09 01:53:37 localhost.localdomain xinetd[3297]: removing discard
Apr 09 01:53:37 localhost.localdomain xinetd[3297]: removing echo
Apr 09 01:53:37 localhost.localdomain xinetd[3297]: removing echo
Apr 09 01:53:37 localhost.localdomain xinetd[3297]: removing tcpmux
Apr 09 01:53:37 localhost.localdomain xinetd[3297]: removing time
Apr 09 01:53:37 localhost.localdomain xinetd[3297]: removing time
Apr 09 01:53:37 localhost.localdomain xinetd[3297]: xinetd Version 2.3.15 start...
Apr 09 01:53:37 localhost.localdomain xinetd[3297]: Started working: 0 availabl...
Apr 09 01:53:37 localhost.localdomain systemd[1]: Started Xinetd A Powerful Re....
Hint: Some lines were ellipsized, use -l to show in full.
# Check the firewall state
#systemctl status firewalld
# Add a firewall rule that allows telnet (port 23)
$ sudo firewall-cmd --zone=public --add-port=23/tcp --permanent
success
$ sudo firewall-cmd --reload
success
Without the "--permanent" flag the rule is lost after a reboot.
V. Install the build dependencies
#yum -y install gcc pam-devel zlib-devel openssl-devel
Loaded plugins: product-id, refresh-packagekit, security, subscription-manager
Updating certificate-based repositories.
Unable to read consumer identity
Setting up Install Process
Package gcc-4.4.6-4.el6.x86_64 already installed and latest version
Resolving Dependencies
--> Running transaction check
---> Package openssl-devel.x86_64 0:1.0.0-20.el6_2.5 will be installed
--> Processing Dependency: krb5-devel for package: openssl-devel-1.0.0-20.el6_2.5.x86_64
---> Package pam-devel.x86_64 0:1.1.1-10.el6_2.1 will be installed
---> Package zlib-devel.x86_64 0:1.2.3-27.el6 will be installed
--> Running transaction check
---> Package krb5-devel.x86_64 0:1.9-33.el6 will be installed
--> Processing Dependency: libselinux-devel for package: krb5-devel-1.9-33.el6.x86_64
--> Processing Dependency: libcom_err-devel for package: krb5-devel-1.9-33.el6.x86_64
--> Processing Dependency: keyutils-libs-devel for package: krb5-devel-1.9-33.el6.x86_64
--> Running transaction check
---> Package keyutils-libs-devel.x86_64 0:1.4-4.el6 will be installed
---> Package libcom_err-devel.x86_64 0:1.41.12-12.el6 will be installed
---> Package libselinux-devel.x86_64 0:2.0.94-5.3.el6 will be installed
--> Processing Dependency: libsepol-devel >= 2.0.32-1 for package: libselinux-devel-2.0.94-5.3.el6.x86_64
--> Processing Dependency: pkgconfig(libsepol) for package: libselinux-devel-2.0.94-5.3.el6.x86_64
--> Running transaction check
---> Package libsepol-devel.x86_64 0:2.0.41-4.el6 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
openssl-devel x86_64 1.0.0-20.el6_2.5 rhel-source 1.1 M
pam-devel x86_64 1.1.1-10.el6_2.1 rhel-source 204 k
zlib-devel x86_64 1.2.3-27.el6 rhel-source 44 k
Installing for dependencies:
keyutils-libs-devel x86_64 1.4-4.el6 rhel-source 28 k
krb5-devel x86_64 1.9-33.el6 rhel-source 1.2 M
libcom_err-devel x86_64 1.41.12-12.el6 rhel-source 31 k
libselinux-devel x86_64 2.0.94-5.3.el6 rhel-source 136 k
libsepol-devel x86_64 2.0.41-4.el6 rhel-source 64 k
Transaction Summary
================================================================================
Install 8 Package(s)
Total download size: 2.8 M
Installed size: 6.1 M
Downloading Packages:
--------------------------------------------------------------------------------
Total 23 MB/s | 2.8 MB 00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : libsepol-devel-2.0.41-4.el6.x86_64 1/8
Installing : libselinux-devel-2.0.94-5.3.el6.x86_64 2/8
Installing : libcom_err-devel-1.41.12-12.el6.x86_64 3/8
Installing : zlib-devel-1.2.3-27.el6.x86_64 4/8
Installing : keyutils-libs-devel-1.4-4.el6.x86_64 5/8
Installing : krb5-devel-1.9-33.el6.x86_64 6/8
Installing : openssl-devel-1.0.0-20.el6_2.5.x86_64 7/8
Installing : pam-devel-1.1.1-10.el6_2.1.x86_64 8/8
Installed products updated.
Verifying : openssl-devel-1.0.0-20.el6_2.5.x86_64 1/8
Verifying : keyutils-libs-devel-1.4-4.el6.x86_64 2/8
Verifying : zlib-devel-1.2.3-27.el6.x86_64 3/8
Verifying : libselinux-devel-2.0.94-5.3.el6.x86_64 4/8
Verifying : libcom_err-devel-1.41.12-12.el6.x86_64 5/8
Verifying : libsepol-devel-2.0.41-4.el6.x86_64 6/8
Verifying : krb5-devel-1.9-33.el6.x86_64 7/8
Verifying : pam-devel-1.1.1-10.el6_2.1.x86_64 8/8
Installed:
openssl-devel.x86_64 0:1.0.0-20.el6_2.5 pam-devel.x86_64 0:1.1.1-10.el6_2.1
zlib-devel.x86_64 0:1.2.3-27.el6
Dependency Installed:
keyutils-libs-devel.x86_64 0:1.4-4.el6
krb5-devel.x86_64 0:1.9-33.el6
libcom_err-devel.x86_64 0:1.41.12-12.el6
libselinux-devel.x86_64 0:2.0.94-5.3.el6
libsepol-devel.x86_64 0:2.0.41-4.el6
Complete!
Start a service: systemctl start postfix.service
Stop a service: systemctl stop postfix.service
Restart a service: systemctl restart postfix.service
Show a service's status: systemctl status postfix.service
Enable a service at boot: systemctl enable postfix.service
Disable a service at boot: systemctl disable postfix.service
Check whether a service starts at boot: systemctl is-enabled postfix.service
List enabled units: systemctl list-unit-files|grep enabled
List units that failed to start: systemctl --failed
PS: systemctl is-enabled postfix.service returns enabled, disabled or static; static means the unit file has no [Install] section, so the unit cannot be configured to start at boot.
Note: enabling a service creates, in the wants directory of the current "runlevel" (target), /etc/systemd/system/multi-user.target.wants/, a symlink to the corresponding unit file under /usr/lib/systemd/system; disabling a service removes that symlink.
# systemctl enable telnet.socket
ln -s '/usr/lib/systemd/system/telnet.socket' '/etc/systemd/system/sockets.target.wants/telnet.socket'
VI. Install zlib
1. Extract
#tar -xvf zlib-1.2.11.tar.gz
#cd zlib-1.2.11
2. Configure
#./configure
3. Build and install
#make
#make install
4. Verify
#ll /usr/local/lib
total 240
-rw-r--r--. 1 root root 135146 Apr 8 07:59 libz.a
lrwxrwxrwx. 1 root root 14 Apr 8 07:59 libz.so -> libz.so.1.2.11
lrwxrwxrwx. 1 root root 14 Apr 8 07:59 libz.so.1 -> libz.so.1.2.11
-rwxr-xr-x. 1 root root 106088 Apr 8 07:59 libz.so.1.2.11
drwxr-xr-x. 2 root root 4096 Apr 8 07:59 pkgconfig
VII. Install openssl-fips-2.0.14
1. Extract
#tar -xzvf openssl-fips-2.0.14.tar.gz
#cd openssl-fips-2.0.14
2. Configure
#./config
3. Build and install
#make
#make install
VIII. Install openssl-1.0.2k
1. Extract
#tar -xzvf openssl-1.0.2k.tar.gz
#cd openssl-1.0.2k
2. Configure
#./config
3. Build and install
#make
#make test
#make install
4. Create the symlink
#ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl    # create the symlink; if it reports that the link already exists, nothing more needs to be done
ln: creating symbolic link `/usr/bin/openssl': File exists
5. Check the newly installed openssl version
#openssl version -a
OpenSSL 1.0.0-fips 29 Mar 2010
Note that this output still reports the system's original 1.0.0-fips build: because /usr/bin/openssl already existed, the symlink was not created and the binary in /usr/bin is unchanged. The freshly built library can be queried directly with /usr/local/ssl/bin/openssl version.
IX. Install openssh-7.4p1
1. Extract
#tar -xzvf openssh-7.4p1.tar.gz
#cd openssh-7.4p1
2. Configure
#./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-tcp-wrappers --with-ssl-dir=/usr/local/ssl --without-hardening
3. Build and install
#make
#make install
!!! WARNING: after upgrading to openssh-7.4p1, do not disconnect the current session before the permissions below have been fixed; otherwise you will not be able to log in over ssh again and will be in trouble.
#cd /etc/ssh    # the host keys live in the sysconfdir passed to configure
#chown :root ssh_host_rsa_key
#chmod 600 ssh_host_rsa_key
#systemctl status sshd.service
#chown :root ssh_host_ecdsa_key
#chmod 600 ssh_host_ecdsa_key
#systemctl status sshd.service
#chown :root ssh_host_ed25519_key
#chmod 600 ssh_host_ed25519_key
#systemctl status sshd.service
# Start the service:
#systemctl start sshd.service
# Check the service status
#systemctl status sshd.service
# Enable at boot
#systemctl enable sshd.service
enable
# Verify that it is enabled at boot
#systemctl is-enabled sshd.service
enabled
# Verify that the OpenSSH version was upgraded
#ssh -V
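As an added example (not part of the original post), the checks above collected into a script to run in the session that did make install, before disconnecting. It assumes the sysconfdir /etc/ssh from the configure line and the port 23 firewall rule added for telnet; the group checked defaults to root, matching chown :root.

```shell
#!/bin/sh
# Added example, not part of the original post. Run this in the session that did
# 'make install', before disconnecting: it checks the host-key permissions the
# post's warning refers to, that the new sshd accepts its config, and then retires
# the telnet fallback. Assumes the sysconfdir from the configure line (/etc/ssh).

# key_perm_ok FILE [GROUP]: 0 if FILE is mode 0600 and group-owned by GROUP
# (default root, matching the post's 'chown :root'), otherwise 1.
key_perm_ok() {
    f="$1"; want="${2:-root}"
    [ -f "$f" ] || return 1
    set -- $(stat -c '%a %G' "$f")
    [ "$1" = "600" ] && [ "$2" = "$want" ]
}

# check_host_keys DIR [GROUP]: report every ssh_host_*_key in DIR; the return
# value is the number of keys that are not 0600/GROUP (0 means all are fine).
check_host_keys() {
    dir="$1"; group="${2:-root}"; bad=0
    for key in "$dir"/ssh_host_*_key; do
        [ -e "$key" ] || continue        # pattern matched nothing
        if key_perm_ok "$key" "$group"; then
            echo "ok   $key"
        else
            echo "BAD  $key ($(stat -c '%a %U:%G' "$key")) -> chown :$group; chmod 600"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# preflight [DIR]: the checks that must pass before closing the current session.
preflight() {
    dir="${1:-/etc/ssh}"
    check_host_keys "$dir" || return 1
    /usr/sbin/sshd -t -f "$dir/sshd_config" || return 1   # config parses
    ssh -V                                 # expect OpenSSH_7.4p1
    systemctl is-active sshd.service
}

# retire_telnet: once a fresh ssh login has been confirmed, remove the fallback
# the post set up (telnet.socket, xinetd, port 23) and confirm nothing listens on 23.
retire_telnet() {
    systemctl stop telnet.socket xinetd.service
    systemctl disable telnet.socket xinetd.service
    firewall-cmd --zone=public --remove-port=23/tcp --permanent && firewall-cmd --reload
    ! ss -lnt | grep -q ':23 '
}
```

Run preflight first; call retire_telnet only after a second ssh session has logged in successfully.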
List all running services
#systemctl list-units --type=service