从一个全新的centos7虚拟机到手,走一个升级openssh&openssl的流程
更新一下:
yum update
安装gcc编译器:
yum install gcc
安装zlib依赖库:
yum install zlib-devel
安装openssl依赖库
yum install openssl-devel
ifconfig,如果输入“bash: ifconfig: 未找到命令”**
yum install -y net-tools.x86_64
Operating system: x86_64-whatever-linux2 You need Perl 5.
下载perl5链接:
https://www.cpan.org/src/5.0/perl-5.30.1.tar.gz
解压:
tar -xzf perl-5.30.1.tar.gz
预编译:
./Configure -des -Dprefix=$HOME/localperl
编译:
make
测试:
make test
安装:
make install
安装openssl
下载:
https://www.openssl.org/source/openssl-1.1.1c.tar.gz
解压:
tar -zxvf openssl-1.1.1c.tar.gz
预编译&配置:
./config --prefix=/usr/local/openssl \#如果报错,按照需要安装perl以及gcc包
编译&安装:
make && make install
备份:
mv /usr/bin/openssl /usr/bin/openssl.bak
建立软链接:
ln -sf /usr/local/openssl/bin/openssl /usr/bin/openssl
更新动态链接库数据:
echo "/usr/local/openssl/lib" >> /etc/ld.so.conf
设置生效:
ldconfig
查看版本:
openssl version
安装openssh8.2
下载:https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.2p1.tar.gz
解压:tar –zxvf openssh-8.2p1.tar.gz
修改源码:解压主目录下,找到sshd.c文件,vim sshd.c
找到:
server_accept_loop(&sock_in,&sock_out,
&newsock,config_s);c
修改为:
sd_notify(0, "READY=1");
server_accept_loop(&sock_in, &sock_out,
&newsock, config_s);
并加上引用头文件:
#include
预编译:
./configure --prefix=/usr/ --sysconfdir=/etc/ssh --with-openssl-includes=/usr/local/ssl/include --with-ssl-dir=/usr/local/ssl --with-zlib --with-md5-passwords --with-pam
修改Makefile文件:
原来是:
LIBS=-lcrypto -ldl -lutil -lz -lcrypt -lresolv
修改后:
LIBS=-lcrypto -ldl -lutil -lz -lcrypt -lresolv -lsystemd
configure: error: *** zlib.h missing - please install first or check config.log
yum -y install zlib-devel
configure: error: *** working libcrypto not found, check config.log
yum install -y openssl-devel
configure: error: PAM headers not found
yum-yinstallpam-devel
编译:make
sshd.c:44:31: 致命错误:systemd/sd-daemon.h:没有那个文件或目录
yum install systemd-devel
安装:
make install
检查:
sshd -t
/etc/ssh/sshd_config line 79: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 80: Unsupported option GSSAPICleanupCredentials
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_rsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Unable to load host key "/etc/ssh/ssh_host_rsa_key": bad permissions
Unable to load host key: /etc/ssh/ssh_host_rsa_key
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_ecdsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Unable to load host key "/etc/ssh/ssh_host_ecdsa_key": bad permissions
Unable to load host key: /etc/ssh/ssh_host_ecdsa_key
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_ed25519_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Unable to load host key "/etc/ssh/ssh_host_ed25519_key": bad permissions
Unable to load host key: /etc/ssh/ssh_host_ed25519_key
sshd: no hostkeys available -- exiting.
修改权限:
cd /etc/ssh/
chmod 600 ssh_host_ecdsa_key
chmod 600 ssh_host_rsa_key
chmod 600 ssh_host_ed25519_key
检查版本:
ssh -V
修改端口:
vim /etc/ssh/sshd_config
Port 2222 #修改端口为2222
PermitRootLogin yes #允许root远程登录
#GSSAPIAuthentication yes #只管禁掉
#GSSAPICleanupCredentials no #只管禁掉
重启服务:
service sshd restart
报错:
Job for sshd.service failed because the control process exited with error code. See "systemctl status sshd.service" and "journalctl -xe" for details.
查看日志:
journalctl -xe
报错日志:
5月 20 16:36:58 localhost.localdomain sshd[129668]: error: Bind to port 2222 on 0.0.0.0 failed: Permission denied.
5月 20 16:36:58 localhost.localdomain sshd[129668]: fatal: Cannot bind any address.
5月 20 16:36:58 localhost.localdomain systemd[1]: sshd.service: main process exited, code=exited, status=255/n/a
5月 20 16:36:58 localhost.localdomain systemd[1]: Failed to start OpenSSH server daemon.
关闭selinux:
setenforce 0
重启服务:
service sshd restart
永久关闭selinx:
vim /etc/sysconfig/selinux
将SELINUX=enforcing改为SELINUX=disabled
重启后生效
对了,千万不要在正式环境这么操作,因为这样很危险。
正确的步骤是先把服务器telnet打开,再远程连上telnet,使用telnet操作这一切,不然要是升级过程中出了问题,只能跑到机房去搞了。
于是便有了下面的telnet踩坑:
检查是不是安装了telnet:
rpm -qa | grep telnet # 安装了telnet和telnet-server
rpm -qa xinetd #是否安装了xinetd,telnet的自启动依赖它
安装:
yum install telnet-server
yum install telnet
yum install -y xinetd
启动:
systemctl start telnet.socket #启动telent服务
systemctl start xinetd.service #启动守护进程
远程连接telnet,输入正确账户密码报错:
Login incorrect
执行:
mv /etc/securetty /etc/securettyold
再次远程登录,成功。
最后插一句:一般来说,服务器的防火墙和selinux是不开的。因为遇到很多问题,找不到答案,最后发现是这两东西捣的鬼,真是气人。