Because an OpenSSH upgrade replaces the only remote-access path on most servers, install the telnet service as a fallback before upgrading and stop it again once the new OpenSSH is confirmed working. Two caveats a practitioner should keep in mind: telnet carries passwords in cleartext, so prefer an out-of-band console (iLO/iDRAC/KVM or the hypervisor console) where one exists, and if telnet really is needed, restrict TCP port 23 to the admin host instead of disabling the firewall. Also keep the SSH session you are working from open for the whole procedure; restarting sshd does not drop established sessions, so a broken configuration can still be repaired from that session.
I. Download addresses for the source packages used in the upgrade:
zlib http://www.zlib.net/zlib-1.2.11.tar.gz
other zlib versions http://www.zlib.net/fossils/
openssl-fips https://www.openssl.org/source/old/fips/openssl-fips-2.0.12.tar.gz
OpenSSL https://www.openssl.org/source/openssl-1.0.2k.tar.gz
OpenSSH http://openbsd.hk/pub/OpenBSD/OpenSSH/portable/ openssh-7.4p1.tar.gz
Note that the openssl-fips link is for 2.0.12 while section VII builds 2.0.14; download and build one and the same version. None of these links carry a checksum or signature, so verify each tarball against the publisher's checksum or detached signature before unpacking and building it as root.
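As an added example (not part of the original page), here is a small shell helper for that verification step. It assumes the tarball's SHA-256 is copied from the project's release announcement and, for OpenSSH, that the detached signature (openssh-7.4p1.tar.gz.asc) and the release key fingerprint are at hand; the hash values exercised in the test are computed from constructed files, not from any real release.

```shell
#!/bin/sh
# verify_download.sh: integrity checks for source tarballs before they are
# built as root. Added example; the EXPECTED values are placeholders that
# you copy from the project's own release announcement (assumption).

# Print the SHA-256 of a file using whichever tool is present.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 "$1" | awk '{print $NF}'
    fi
}

# verify_sha256 FILE EXPECTED_HEX -> 0 if the digest matches, 1 otherwise.
# The comparison is case-insensitive because published hashes vary in case.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -r "$file" ] || { echo "FAIL $file: not readable" >&2; return 1; }
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file"
        return 0
    fi
    echo "FAIL $file: got $actual expected $expected" >&2
    return 1
}

# verify_gpg FILE SIGNATURE FINGERPRINT -> 0 only if gpg reports a VALIDSIG
# involving the pinned key. A plain "gpg --verify" exit status of 0 is not
# enough: it accepts any key in the keyring, so the fingerprint is pinned.
# VALIDSIG lists the signing (sub)key first and the primary key last, so
# either fingerprint may be pinned.
verify_gpg() {
    file=$1; sig=$2; fpr=$3
    gpg --status-fd 1 --verify "$sig" "$file" 2>/dev/null \
        | grep -q "^\[GNUPG:\] VALIDSIG .*$fpr"
}

# Usage (placeholders; fill in from the release announcement):
#   verify_sha256 openssh-7.4p1.tar.gz "<sha256 from release notes>" &&
#   verify_gpg openssh-7.4p1.tar.gz openssh-7.4p1.tar.gz.asc "<release key fingerprint>" &&
#   tar -xf openssh-7.4p1.tar.gz
```

Run the checks on every tarball in section I, not only OpenSSH; a compromised zlib or OpenSSL ends up linked into the new sshd just the same.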
II. Configure the yum repository
1. Create the mount point /yum for the installation DVD
mkdir /yum
2. Upload the ISO to the machine and mount it on /yum
mount -o loop rhel-server-6.3-x86_64-dvd.iso /yum
3. Create the local repo file
#cd /etc/yum.repos.d/ #to keep other repo files from interfering, rename or delete them first
#vi rhel-source.repo
Enter the following:
[Redhat6.5]
name=rhel6.5
baseurl=file:///yum
enabled=1
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
Two things to check in this stanza. The section id and name say 6.5 while the mounted ISO is 6.3; pick an id that matches the media (the yum output below reports the repository as rhel-source, so the file that actually produced that output used that id). More importantly, gpgcheck=0 turns off RPM signature verification, so nothing confirms that the packages on the mounted image are the ones Red Hat signed; the key referenced by gpgkey= is already present on a RHEL 6 system, so set gpgcheck=1 and keep the gpgkey line.
#########################################################
#yum clean all
Loaded plugins: product-id, refresh-packagekit, security, subscription-manager
Updating certificate-based repositories.
Unable to read consumer identity
Cleaning repos: rhel-source
Cleaning up Everything
#yum update
Loaded plugins: product-id, refresh-packagekit, security, subscription-manager
Updating certificate-based repositories.
Unable to read consumer identity
rhel-source | 4.0 kB 00:00 ...
rhel-source/primary_db | 3.1 MB 00:00 ...
Setting up Update Process
No Packages marked for Update
#yum makecache
Loaded plugins: product-id, refresh-packagekit, security, subscription-manager
Updating certificate-based repositories.
Unable to read consumer identity
rhel-source | 4.0 kB 00:00 ...
rhel-source/filelists_db | 3.7 MB 00:00 ...
rhel-source/other_db | 1.6 MB 00:00 ...
rhel-source/group_gz | 204 kB 00:00 ...
Metadata Cache Created
III. Install the telnet service
1. Install telnet with yum
#yum -y install telnet-server*
2. Enable telnet in xinetd
Open /etc/xinetd.d/telnet with vi and change the disable field to no
3. Start the xinetd service (either of the two commands is enough)
#/etc/init.d/xinetd start
#service xinetd start
Starting xinetd: [ OK ]
4. Check that telnet is listening
#netstat -tnlp | grep :23
tcp 0 0 :::23 :::* LISTEN 5013/xinetd
5. Firewall and boot settings
The original procedure stops iptables altogether so that telnet becomes reachable:
#service iptables stop #stop the firewall
#chkconfig iptables off #do not start the firewall at boot
#chkconfig xinetd on #start the telnet service at boot
Stopping the firewall exposes every listening service, not just telnet, for the whole duration of the upgrade. The safer course is to leave iptables running and insert a single rule accepting TCP port 23 from the admin host only; the telnet listener is cleartext, so the rule should be as narrow as possible and removed in section X together with the service.
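An added example (not from the original page) of that narrower alternative: a shell helper that validates the admin host or network in CIDR form and prints the iptables commands for review before they are piped to sh. It assumes the stock RHEL 6 INPUT chain, which ends in a REJECT rule, so only an ACCEPT for the admin source and a LOG rule for everyone else are inserted; if your INPUT policy is ACCEPT with no closing REJECT, add a DROP after the LOG. The address 10.0.0.5/32 is a placeholder.

```shell
#!/bin/sh
# telnet_fw.sh: scope the temporary telnet fallback to one admin source
# instead of stopping iptables. Added example; 10.0.0.5/32 in the usage
# line is a placeholder for your admin host (assumption).

# valid_cidr A.B.C.D[/N] -> 0 if it is a well-formed IPv4 address or prefix
# with 1 <= N <= 32. /0 is rejected on purpose: it would open the cleartext
# telnet port to every source, which is exactly what we are avoiding.
valid_cidr() {
    case "$1" in
        */*) ip=${1%/*}; bits=${1#*/} ;;
        *)   ip=$1; bits=32 ;;
    esac
    case "$bits" in ''|*[!0-9]*) return 1 ;; esac
    [ "$bits" -ge 1 ] && [ "$bits" -le 32 ] || return 1
    # Split on dots with globbing off so "10.0.0.*" cannot expand to files.
    oldifs=$IFS; IFS=.; set -f; set -- $ip; set +f; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# telnet_rules CIDR -> prints the iptables commands to apply, so they can be
# reviewed (and kept for rollback) before running:  telnet_rules 10.0.0.5/32 | sh
telnet_rules() {
    cidr=$1
    valid_cidr "$cidr" || { echo "telnet_rules: bad admin CIDR '$cidr'" >&2; return 1; }
    # Inserted at the head of INPUT so it precedes the distribution's REJECT.
    echo "iptables -I INPUT 1 -p tcp --dport 23 -s $cidr -j ACCEPT"
    # Log other connection attempts to port 23 while the fallback exists; the
    # stock RHEL 6 chain rejects them further down (assumption).
    echo "iptables -I INPUT 2 -p tcp --dport 23 -m state --state NEW -j LOG --log-prefix \"telnet-denied: \""
}

# telnet_rules_undo CIDR -> the matching deletions for section X.
telnet_rules_undo() {
    cidr=$1
    valid_cidr "$cidr" || return 1
    echo "iptables -D INPUT -p tcp --dport 23 -m state --state NEW -j LOG --log-prefix \"telnet-denied: \""
    echo "iptables -D INPUT -p tcp --dport 23 -s $cidr -j ACCEPT"
}
```

The rules are not persistent: run service iptables save only if the fallback must survive the reboot in section IX, and remember that the saved rule set then also needs the undo commands applied and saved in section X.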
IV. Check the current SELinux state
#getenforce #show the SELinux mode
#setenforce 0 #switch SELinux to permissive until the next boot (this does not turn SELinux off: violations are logged, not blocked)
To keep the upgraded sshd from being blocked for remote logins, the original procedure disables SELinux permanently:
#vi /etc/selinux/config
Change SELINUX=enforcing to SELINUX=disabled
The underlying problem is that files written by make install do not carry the labels the targeted policy expects for sshd and its configuration. Relabelling the newly installed files with restorecon -Rv /usr/sbin/sshd /usr/bin/ssh /etc/ssh and checking /var/log/audit/audit.log for AVC denials addresses that cause without giving up enforcement; if you do drop to permissive for the cutover, return to enforcing once the new sshd is verified.
V. Install the build dependencies
#yum -y install gcc pam-devel zlib-devel openssl-devel
Loaded plugins: product-id, refresh-packagekit, security, subscription-manager
Updating certificate-based repositories.
Unable to read consumer identity
Setting up Install Process
Package gcc-4.4.6-4.el6.x86_64 already installed and latest version
Resolving Dependencies
--> Running transaction check
---> Package openssl-devel.x86_64 0:1.0.0-20.el6_2.5 will be installed
--> Processing Dependency: krb5-devel for package: openssl-devel-1.0.0-20.el6_2.5.x86_64
---> Package pam-devel.x86_64 0:1.1.1-10.el6_2.1 will be installed
---> Package zlib-devel.x86_64 0:1.2.3-27.el6 will be installed
--> Running transaction check
---> Package krb5-devel.x86_64 0:1.9-33.el6 will be installed
--> Processing Dependency: libselinux-devel for package: krb5-devel-1.9-33.el6.x86_64
--> Processing Dependency: libcom_err-devel for package: krb5-devel-1.9-33.el6.x86_64
--> Processing Dependency: keyutils-libs-devel for package: krb5-devel-1.9-33.el6.x86_64
--> Running transaction check
---> Package keyutils-libs-devel.x86_64 0:1.4-4.el6 will be installed
---> Package libcom_err-devel.x86_64 0:1.41.12-12.el6 will be installed
---> Package libselinux-devel.x86_64 0:2.0.94-5.3.el6 will be installed
--> Processing Dependency: libsepol-devel >= 2.0.32-1 for package: libselinux-devel-2.0.94-5.3.el6.x86_64
--> Processing Dependency: pkgconfig(libsepol) for package: libselinux-devel-2.0.94-5.3.el6.x86_64
--> Running transaction check
---> Package libsepol-devel.x86_64 0:2.0.41-4.el6 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
openssl-devel x86_64 1.0.0-20.el6_2.5 rhel-source 1.1 M
pam-devel x86_64 1.1.1-10.el6_2.1 rhel-source 204 k
zlib-devel x86_64 1.2.3-27.el6 rhel-source 44 k
Installing for dependencies:
keyutils-libs-devel x86_64 1.4-4.el6 rhel-source 28 k
krb5-devel x86_64 1.9-33.el6 rhel-source 1.2 M
libcom_err-devel x86_64 1.41.12-12.el6 rhel-source 31 k
libselinux-devel x86_64 2.0.94-5.3.el6 rhel-source 136 k
libsepol-devel x86_64 2.0.41-4.el6 rhel-source 64 k
Transaction Summary
================================================================================
Install 8 Package(s)
Total download size: 2.8 M
Installed size: 6.1 M
Downloading Packages:
--------------------------------------------------------------------------------
Total 23 MB/s | 2.8 MB 00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : libsepol-devel-2.0.41-4.el6.x86_64 1/8
Installing : libselinux-devel-2.0.94-5.3.el6.x86_64 2/8
Installing : libcom_err-devel-1.41.12-12.el6.x86_64 3/8
Installing : zlib-devel-1.2.3-27.el6.x86_64 4/8
Installing : keyutils-libs-devel-1.4-4.el6.x86_64 5/8
Installing : krb5-devel-1.9-33.el6.x86_64 6/8
Installing : openssl-devel-1.0.0-20.el6_2.5.x86_64 7/8
Installing : pam-devel-1.1.1-10.el6_2.1.x86_64 8/8
Installed products updated.
Verifying : openssl-devel-1.0.0-20.el6_2.5.x86_64 1/8
Verifying : keyutils-libs-devel-1.4-4.el6.x86_64 2/8
Verifying : zlib-devel-1.2.3-27.el6.x86_64 3/8
Verifying : libselinux-devel-2.0.94-5.3.el6.x86_64 4/8
Verifying : libcom_err-devel-1.41.12-12.el6.x86_64 5/8
Verifying : libsepol-devel-2.0.41-4.el6.x86_64 6/8
Verifying : krb5-devel-1.9-33.el6.x86_64 7/8
Verifying : pam-devel-1.1.1-10.el6_2.1.x86_64 8/8
Installed:
openssl-devel.x86_64 0:1.0.0-20.el6_2.5 pam-devel.x86_64 0:1.1.1-10.el6_2.1
zlib-devel.x86_64 0:1.2.3-27.el6
Dependency Installed:
keyutils-libs-devel.x86_64 0:1.4-4.el6
krb5-devel.x86_64 0:1.9-33.el6
libcom_err-devel.x86_64 0:1.41.12-12.el6
libselinux-devel.x86_64 0:2.0.94-5.3.el6
libsepol-devel.x86_64 0:2.0.41-4.el6
Complete!
VI. Install zlib
1. Unpack
#tar -xvf zlib-1.2.11.tar.gz
#cd zlib-1.2.11
2. Configure
#./configure
3. Build and install (installs under /usr/local by default, leaving the distribution's zlib in /lib64 untouched)
#make
#make install
4. Check
#ll /usr/local/lib
total 240
-rw-r--r--. 1 root root 135146 Apr 8 07:59 libz.a
lrwxrwxrwx. 1 root root 14 Apr 8 07:59 libz.so -> libz.so.1.2.11
lrwxrwxrwx. 1 root root 14 Apr 8 07:59 libz.so.1 -> libz.so.1.2.11
-rwxr-xr-x. 1 root root 106088 Apr 8 07:59 libz.so.1.2.11
drwxr-xr-x. 2 root root 4096 Apr 8 07:59 pkgconfig
VII. Install openssl-fips-2.0.14
1. Unpack
#tar -xf openssl-fips-2.0.14.tar.gz
#cd openssl-fips-2.0.14
2. Configure
#./config
3. Build and install (the FIPS object module lands under /usr/local/ssl/fips-2.0)
#make
#make install
This step only has an effect if the OpenSSL build in section VIII is configured with the fips option so that it links the module; with a plain ./config the result is an ordinary non-FIPS OpenSSL and this section can be skipped. If FIPS mode is genuinely required, the module also has to be built exactly as its security policy specifies (unmodified source, the documented build commands), otherwise the validation does not apply.
VIII. Install openssl-1.0.2k
1. Unpack
#tar -xf openssl-1.0.2k.tar.gz
#cd openssl-1.0.2k
2. Configure (installs under /usr/local/ssl; add the fips option here if the module from section VII is to be used)
#./config
3. Build, test and install
#make
#make test
#make install
4. Symlink
#ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
ln: creating symbolic link `/usr/bin/openssl': File exists
5. Check the installed OpenSSL version
#openssl version -a
OpenSSL 1.0.0-fips 29 Mar 2010
The "File exists" error means the symlink was not created: /usr/bin/openssl is the distribution's own binary from the openssl RPM, and the version output confirms that the PATH still resolves to that old 1.0.0 build, not to 1.0.2k. The original advice that nothing needs to be done when the link already exists is therefore wrong as a verification step. Either check the new build directly by running /usr/local/ssl/bin/openssl version -a, or, if the system command really must point at the new build, move the RPM-owned file aside first (and expect a later yum update of the openssl package to put it back). For this procedure the symlink is not actually required, because section IX points OpenSSH at /usr/local/ssl explicitly with --with-ssl-dir.
IX. Install openssh-7.4p1
1. Unpack
#tar -xf openssh-7.4p1.tar.gz
#cd openssh-7.4p1
2. Configure
#./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-tcp-wrappers --with-ssl-dir=/usr/local/ssl --without-hardening
Three of these options deserve a second look. --without-hardening drops the stack-protector, PIE and RELRO flags that OpenSSH enables by default; add it only if the build actually fails with them, since they are exactly what you want on a network-facing daemon. --with-tcp-wrappers no longer does anything: libwrap support was removed from OpenSSH in 6.7, so configure ignores the option and /etc/hosts.allow and /etc/hosts.deny do not restrict the new sshd. --with-pam must be paired with UsePAM yes in sshd_config (step 4) for the RHEL password and account policies to apply.
3. Build and install
#make
#make install
4. Update the configuration files
(1) Back up the init script under the name sshd_20170409_old
#mv /etc/init.d/sshd /etc/init.d/sshd_20170409_old
(2) Copy the new init script, make it executable and register it at boot
#cd /root/openssh-7.4p1/contrib/redhat #the source tree unpacked in step 1
#cp sshd.init /etc/init.d/sshd
#chmod u+x /etc/init.d/sshd
#chkconfig --add sshd
#chkconfig sshd on
#back up the original configuration files
#mv /etc/ssh/ssh_config /etc/ssh/ssh_config_20170409_old
#mv /etc/ssh/sshd_config /etc/ssh/sshd_config_20170409_old
#cd /root/openssh-7.4p1
#cp ssh_config /etc/ssh/ssh_config #answer y if cp asks to overwrite (it will not ask if the originals were renamed as above)
#cp -p sshd_config /etc/ssh/sshd_config #same
Before going further, diff sshd_config_20170409_old against the new file: the stock RHEL file carries settings the upstream sample does not (UsePAM yes, any local hardening) and its sftp Subsystem line points at the RPM's /usr/libexec/openssh/sftp-server, whereas the new build installs /usr/libexec/sftp-server. Leave the existing host keys in /etc/ssh in place so clients do not get a changed-host-key warning after the upgrade.
(3) Check the installed OpenSSH version
#ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k 26 Jan 2017
The OpenSSL part of this banner is the check that the new binaries were linked against the 1.0.2k build from section VIII rather than the system's 1.0.0.
(4) Root login
The original step sets PermitRootLogin to yes in /etc/ssh/sshd_config on the grounds that root is disabled after the upgrade. The actual 7.4 default is prohibit-password: root can still log in with a key, only password logins for root are refused. Prefer leaving that default (or PermitRootLogin no) and logging in as an unprivileged user with sudo; set yes only if root password login is an operational requirement, and then confine it with AllowUsers or a Match block.
(5) Restart SSH
Run sshd -t first so the new binary parses the configuration; a syntax error found here costs nothing, while the same error found by the init script leaves you with no sshd. Then:
#service sshd restart
and, from a new terminal, confirm a fresh login works while the current session stays open.
(6) Reboot the machine
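As an added example (not from the original page), the following shell script bundles the checks worth running right before the restart in step (5) and again from a new session afterwards: it validates the configuration with sshd -t, confirms the ssh in PATH is the 7.4 build linked against the new OpenSSL, and reads the settings that decide who can log in. The config reader follows sshd's rule that the first occurrence of a keyword wins and stops at the first Match block. The paths /usr/sbin/sshd and /etc/ssh/sshd_config are assumptions matching the --prefix and --sysconfdir used above; the live checks only run with --run, so the parsing functions can be exercised against a constructed file.

```shell
#!/bin/sh
# sshd_preflight.sh: checks to run before and after "service sshd restart".
# Added example; the paths below are assumptions that match the configure
# options used in section IX.
SSHD_BIN=${SSHD_BIN:-/usr/sbin/sshd}
SSHD_CFG=${SSHD_CFG:-/etc/ssh/sshd_config}

# cfg_get KEY FILE DEFAULT -> the effective value of KEY. sshd(8) takes the
# FIRST occurrence of a keyword and matches the keyword case-insensitively;
# settings after a Match block are conditional, so parsing stops there.
cfg_get() {
    awk -v k="$1" -v d="$3" '
        /^[[:space:]]*(#|$)/        { next }
        tolower($1) == "match"       { exit }
        tolower($1) == tolower(k)    { print $2; found = 1; exit }
        END                          { if (!found) print d }
    ' "$2"
}

# banner_openssh "OpenSSH_7.4p1, OpenSSL 1.0.2k ..." -> "7 4" (major minor).
banner_openssh() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p'
}

# banner_openssl BANNER -> the OpenSSL token, e.g. "1.0.2k". This is how to
# tell that the new sshd was linked against /usr/local/ssl and not the
# distribution's 1.0.0 library.
banner_openssl() {
    printf '%s\n' "$1" | sed -n 's/.*OpenSSL \([^ ]*\).*/\1/p'
}

# ssh_version_ge BANNER MAJOR.MINOR -> 0 if BANNER is at least that version.
ssh_version_ge() {
    have=$(banner_openssh "$1")
    tmaj=${2%%.*}; tmin=${2#*.}
    [ -n "$have" ] || return 1
    set -- $have
    [ "$1" -gt "$tmaj" ] && return 0
    [ "$1" -eq "$tmaj" ] && [ "$2" -ge "$tmin" ] && return 0
    return 1
}

# audit_config FILE -> prints each risky setting to stderr and the number of
# findings to stdout. Defaults are those of OpenSSH 7.4 when a key is absent.
audit_config() {
    n=0
    if [ "$(cfg_get PermitRootLogin "$1" prohibit-password)" = yes ]; then
        echo "FINDING: PermitRootLogin yes permits root password logins; prefer prohibit-password or no" >&2
        n=$((n + 1))
    fi
    if [ "$(cfg_get UsePAM "$1" no)" != yes ]; then
        echo "FINDING: UsePAM is not yes; RHEL password quality, lockout and access rules are bypassed" >&2
        n=$((n + 1))
    fi
    if [ "$(cfg_get PermitEmptyPasswords "$1" no)" = yes ]; then
        echo "FINDING: PermitEmptyPasswords yes" >&2
        n=$((n + 1))
    fi
    if [ "$(cfg_get PasswordAuthentication "$1" yes)" = yes ] &&
       [ "$(cfg_get PubkeyAuthentication "$1" yes)" != yes ]; then
        echo "FINDING: password-only authentication; enable PubkeyAuthentication" >&2
        n=$((n + 1))
    fi
    echo "$n"
}

# Live checks; run as root with:  sh sshd_preflight.sh --run
if [ "${1:-}" = "--run" ]; then
    "$SSHD_BIN" -t -f "$SSHD_CFG" || { echo "$SSHD_CFG rejected by $SSHD_BIN -t; do not restart" >&2; exit 1; }
    banner=$(ssh -V 2>&1)
    ssh_version_ge "$banner" 7.4 || { echo "ssh in PATH is not 7.4: $banner" >&2; exit 1; }
    echo "ssh: $banner"
    echo "linked OpenSSL: $(banner_openssl "$banner")"
    findings=$(audit_config "$SSHD_CFG")
    echo "sshd_config findings: $findings"
    # After "service sshd restart": log in from a NEW terminal before closing
    # this one, and only then disable the telnet fallback (section X).
fi
```

A non-zero findings count is a prompt to look, not a hard failure: a host that genuinely needs root password login will report it, but the report makes the decision explicit instead of inherited from the upstream sample file.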
X. Stop the telnet service
Once the upgraded OpenSSH has been confirmed working from a fresh session, remove the fallback:
1. Edit the configuration
In /etc/xinetd.d/telnet change disable = no back to disable = yes
2. Do not start xinetd at boot (this disables every xinetd service, which is fine if telnet was the only one in use)
#chkconfig xinetd off
3. Stop the service
#/etc/init.d/xinetd stop
4. Start the firewall again and enable it at boot
#service iptables start
#chkconfig iptables on
If the firewall was left running with a port-23 rule instead of being stopped, delete that rule here, and consider removing the telnet-server package altogether so the fallback cannot be re-enabled by accident. Finally, if SELinux was switched to permissive or disabled in section IV, restore enforcing mode now that the new sshd is known to work.