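Packages: openssh-7.8p1.tar.gz (upgrading from 7.4 to 7.8), openssl-1.0.1l.tar.gz, zlib-1.2.13.tar.gz
Download link for the 7.8 packages:
https://download.csdn.net/download/qq_29431123/87815016
Download link for the 8.4 packages:
https://download.csdn.net/download/qq_29431123/87815020
To avoid losing remote access to the server if the SSH upgrade fails, install telnet first. The telnet RPM packages on the operating system installation image can be used and installed with yum.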
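1. Install the RPM packages
yum install -y telnet* xinetd
2. Start the services
systemctl restart xinetd
systemctl restart telnet.socket
3. Adjust the firewall policy
The default telnet port is 23. If a firewall is running, open port 23 in advance.
firewalld:
firewall-cmd --zone=public --add-port=23/tcp --permanent
Reload so that the configuration takes effect:
firewall-cmd --reload
4. Test the connection
telnet -l test 192.168.18.66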
1. Extract the packages
tar -zxf zlib-1.2.13.tar.gz
tar -zxf openssh-7.8p1.tar.gz
tar -zxf openssl-1.0.2l.tar.gz
2. Build and install zlib
cd zlib-1.2.13/
./configure --prefix=/usr/local/zlib
make && make install
3. Build and install openssl
cd openssl-1.0.2l/
./config --prefix=/usr/local/ssl -d shared
make && make install
# Register the OpenSSL lib directory with the system library path
echo '/usr/local/ssl/lib' >> /etc/ld.so.conf
ldconfig -v
4. Build and install openssh
cd openssh-7.8p1/
./configure --prefix=/usr/local/openssh7.8p1 --with-zlib=/usr/local/zlib --with-ssl-dir=/usr/local/ssl
make && make install
5. Modify and replace the configuration files
Modify the configuration file:
echo 'PermitRootLogin yes' >>/usr/local/openssh7.8p1/etc/sshd_config
echo 'PubkeyAuthentication yes' >>/usr/local/openssh7.8p1/etc/sshd_config
echo 'PasswordAuthentication yes' >>/usr/local/openssh7.8p1/etc/sshd_config
Replace the files:
mv /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
cp /usr/local/openssh7.8p1/etc/sshd_config /etc/ssh/sshd_config
mv /usr/sbin/sshd /usr/sbin/sshd.bak
cp /usr/local/openssh7.8p1/sbin/sshd /usr/sbin/sshd
mv /usr/bin/ssh /usr/bin/ssh.bak
cp /usr/local/openssh7.8p1/bin/ssh /usr/bin/ssh
mv /usr/bin/ssh-keygen /usr/bin/ssh-keygen.bak
cp /usr/local/openssh7.8p1/bin/ssh-keygen /usr/bin/ssh-keygen
mv /etc/ssh/ssh_host_ecdsa_key.pub /etc/ssh/ssh_host_ecdsa_key.pub.bak
cp /usr/local/openssh7.8p1/etc/ssh_host_ecdsa_key.pub /etc/ssh/ssh_host_ecdsa_key.pub
mv /bin/openssl /bin/opensslold
cp /usr/local/ssl/bin/openssl /bin/openssl
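6. System service and autostart configuration
After the previous step the SSH upgrade itself is complete. However, because the operating system still has the old systemd service installed, managing sshd with systemctl after the upgrade hangs and reports errors. The following steps fix this.
Replace the sshd system service:
systemctl stop sshd.service
mv /lib/systemd/system/sshd.service /lib/systemd/system/sshd.service.bak
systemctl daemon-reload
cp /opt/openssh-7.8p1/contrib/redhat/sshd.init /etc/init.d/sshd
/etc/init.d/sshd restart
systemctl daemon-reload
Add sshd to the autostart configuration:
chkconfig --add sshd
chkconfig --list sshd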
7. Stop and uninstall telnet
systemctl stop xinetd
systemctl stop telnet.socket
yum remove xinetd telnet*
1. SecureCRT reports a Key exchange error when connecting
This happens because the OpenSSH version is too new and SecureCRT supports none of the key exchange algorithms it offers.
Solution:
In /etc/ssh/ssh_config, uncomment these two lines:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
In /etc/ssh/sshd_config, add this line:
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
If the SecureCRT version is too old and the OpenSSH version is very new, SecureCRT has to be replaced with a newer version.
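The login settings appended in step 5 and the algorithm lists above can be checked once the files are in place. The script below is an added example, not part of the original article: it reports the value OpenSSH will actually use for a keyword (the first uncommented occurrence wins) and flags explicit root or password login and legacy algorithms. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. Assumes "Keyword value" lines.

# Print the effective global value of keyword $2 in config file $1.
# OpenSSH keeps the FIRST value it reads for a keyword, so a line appended
# with `echo ... >>` is ignored when an earlier uncommented line exists.
effective() {
    awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[ \t]*#/ { next }                 # skip comment lines
        tolower($1) == "match" { exit }     # stop at the first Match block
        tolower($1) == want { $1 = ""; sub(/^[ \t]+/, ""); print; exit }
    ' "$1"
}

# Print one finding per line. Only explicit settings are reported; unset
# keywords fall back to the built-in defaults.
audit() {
    f=$1
    for kw in PermitRootLogin PasswordAuthentication; do
        v=$(effective "$f" "$kw" | tr '[:upper:]' '[:lower:]')
        if [ "$v" = yes ]; then echo "$kw is set to yes"; fi
    done
    for kw in Ciphers MACs; do
        effective "$f" "$kw" | tr ',' '\n' | while read -r alg; do
            case $alg in
                arcfour*|3des-cbc|hmac-md5*) echo "$kw: legacy algorithm $alg" ;;
            esac
        done
    done
    return 0
}

# Constructed sample input modelled on the settings used in this article.
demo() {
    tmp=$(mktemp) || return 1
    cat > "$tmp" <<'EOF'
#PermitRootLogin prohibit-password
PasswordAuthentication no
Ciphers aes128-ctr,aes256-ctr,arcfour256,3des-cbc
MACs hmac-md5,hmac-sha1
PermitRootLogin yes
PasswordAuthentication yes
EOF
    audit "$tmp"
    rm -f "$tmp"
}
demo
```

On a live host, `sshd -t` validates the server configuration before a restart and `sshd -T` prints the effective settings.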
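2. Restarting the sshd service with systemctl hangs and reports errors
Apr 13 17:38:02 node1 systemd[1]: Unit sshd.service entered failed state.
Apr 13 17:38:02 node1 systemd[1]: sshd.service failed.
Apr 13 17:38:02 node1 polkitd[2859]: Unregistered Authentication Agent for unix-process:29278:23942011 (system bus name :1.1508, object path /or
This happens because the old systemd service is invoking the new version of the sshd binary. It can be solved by modifying the source code or by replacing sshd.service; see the steps in chapter 3, section 6 above.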