Upgrading OpenSSH to 8.4p1 and OpenSSL to 1.1.1h


Check the current OpenSSH/OpenSSL versions
ssh -V

Configure the yum repository
vi /etc/yum.conf
[centosdvd]
name=centosdvd
baseurl=file:///mnt
enabled=1
gpgcheck=0

Mount the system installation image
mount -o loop /soft/rhel-server-7.7-x86_64-dvd.iso /mnt/

Install and enable the telnet service
Upgrading OpenSSH requires uninstalling the existing OpenSSH packages. To keep remote access to the server available while that happens, the telnet service is enabled as a temporary substitute; if the upgrade goes wrong, you can also log in over telnet to roll back.
Install the telnet daemon, xinetd, at the same time.
Install and configure the telnet service
yum install -y telnet-*
yum install -y xinetd

systemctl enable xinetd.service

systemctl enable telnet.socket

systemctl restart telnet.socket
systemctl restart xinetd

Allow root to log in over telnet
Method 1:
By default, root cannot log in over telnet on Linux. Either append pts/1, pts/2, pts/3 (and so on) to the end of /etc/securetty, or rename the securetty file.
echo 'pts/0' >> /etc/securetty
echo 'pts/1' >> /etc/securetty
echo 'pts/2' >> /etc/securetty
echo 'pts/3' >> /etc/securetty
cat /etc/securetty

Method 2:
mv /etc/securetty /etc/securetty.bak    # root can then log in as root

Verify telnet
telnet 192.168.174.141    or    telnet 192.168.174.141 23
If the connection fails, reboot the system.

Disable SELinux
sed -e 's/^SELINUX=enforcing$/SELINUX=disabled/' -i /etc/selinux/config
cat /etc/selinux/config

Install the toolchain and packages needed to build OpenSSH/OpenSSL
mount -o loop /soft/rhel-server-7.7-x86_64-dvd.iso /mnt/
yum -y install gcc pam-devel zlib-devel unzip perl
yum -y install perl-Module-Load-Conditional perl-core perl-CPAN perl-devel

Install zlib
Extract the zlib 1.2.11 source, run configure, build the library and install it
cd /soft
tar -xvzf zlib-1.2.11.tar.gz
cd zlib-1.2.11
./configure --prefix=/usr
make && make install

Uninstall the current zlib
Note: run this step only after the zlib installation step above (step A) has completed. If the old zlib is removed first, the zlib library files under /lib64/ are deleted and the zlib build in step A fails. (Remedy: copy the four files libcrypto.so.10, libssl.so.10, libz.so.1 and libz.so.1.2.3 from the /lib64, /usr/lib and /usr/lib64 directories of another server running the same system into the corresponding directories; whereis, locate or find will show where they live.)
rpm -qa|grep zlib
rpm -e --nodeps zlib
rpm -qa|grep zlib

Register the shared libraries
After zlib is installed, its library files are generated in /usr/lib; these shared libraries must be registered with the system loader.
echo '/usr/lib' >> /etc/ld.so.conf
cat /etc/ld.so.conf
ll /usr/lib/libz.so.1
ll /usr/lib/libz.so
ldconfig

Upgrade OpenSSL
Official upgrade documentation
OpenSSL download: http://distfiles.macports.org/openssl/
OpenSSL website: https://www.openssl.org/
Back up the current OpenSSL, then uninstall it
mv /usr/lib64/openssl /usr/lib64/openssl.old
mv /usr/bin/openssl /usr/bin/openssl.old
mv /etc/pki/ca-trust/extracted/openssl /etc/pki/ca-trust/extracted/openssl.old
cp /usr/lib64/libcrypto.so.10 /usr/lib64/libcrypto.so.10.old
cp /usr/lib64/libssl.so.10 /usr/lib64/libssl.so.10.old
rpm -qa|grep openssl |xargs
rpm -qa|grep openssl|xargs -i rpm -e --nodeps {}
rpm -qa|grep openssl |xargs

OpenSSL upgrade
Extract the OpenSSL source, build it, run the test suite, install it, then verify that the upgrade succeeded
cd /soft/
tar -xvzf openssl-1.1.1h.tar.gz
cd openssl-1.1.1h
./config --prefix=/usr --openssldir=/etc/ssl --shared zlib    # --shared is required; without it the build cannot find the newly installed OpenSSL libraries and fails
make && make test    # to be sure the upgrade is safe, the test run must report PASS before continuing

make install
openssl version

Restore the shared libraries
OpenSSL 1.1.1 does not provide the libcrypto.so.10 and libssl.so.10 libraries, but yum, wget and other system tools depend on them, so the two copies backed up earlier must be restored; restore the other backups as needed. Tools that load these restored libraries keep running the old OpenSSL code; only programs built against the new libssl/libcrypto (such as the OpenSSH built below) benefit from the upgrade.
mv /usr/lib64/libcrypto.so.10.old /usr/lib64/libcrypto.so.10    # answer y at the overwrite prompt
mv /usr/lib64/libssl.so.10.old /usr/lib64/libssl.so.10          # answer y at the overwrite prompt

Upgrade OpenSSH
Official upgrade documentation
OpenSSH website: http://www.openssh.com/
OpenSSH downloads: https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/
Back up the current OpenSSH, then uninstall it
mv /etc/ssh /etc/ssh.old

rpm -qa|grep openssh
rpm -qa |grep openssh|xargs -i rpm -e --nodeps {}

Pre-upgrade environment setup for OpenSSH
install -v -m700 -d /var/lib/sshd
chown -v root:sys /var/lib/sshd
groupadd -g 50 sshd
useradd -c 'sshd PrivSep' -d /var/lib/sshd -g sshd -s /bin/false -u 50 sshd

OpenSSH upgrade
Extract the openssh-8.4p1.tar.gz source, configure, build and install OpenSSH
cd /soft
tar -xvzf openssh-8.4p1.tar.gz
cd openssh-8.4p1
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-zlib --with-openssl-includes=/usr --with-privsep-path=/var/lib/sshd
make && make install

Post-install setup and verification of OpenSSH
Run the following commands in the OpenSSH build directory
install -v -m755 contrib/ssh-copy-id /usr/bin
install -v -m644 contrib/ssh-copy-id.1 /usr/share/man/man1
install -v -m755 -d /usr/share/doc/openssh-8.4p1
install -v -m644 INSTALL LICENCE OVERVIEW README* /usr/share/doc/openssh-8.4p1
ssh -V

Legacy key-exchange algorithm configuration
Note: OpenSSH 8.2 to 8.4 tightened the default set of key-exchange algorithms, so to keep using older SSH client tools a KexAlgorithms line must be appended to the end of /etc/ssh/sshd_config; otherwise a client that only supports the older algorithms fails at login with:
Key exchange failed.
No compatible key exchange method. The server supports these methods: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256

Add only the entries your legacy clients actually need: the SHA-1 methods and the 1024-bit diffie-hellman-group1-sha1 in the list below weaken the server and should be removed again once those clients are updated.
vi /etc/ssh/sshd_config
KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,curve25519-sha256@libssh.org

Allow root to log in over SSH
echo 'X11Forwarding yes' >> /etc/ssh/sshd_config
echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
cat /etc/ssh/sshd_config
PermitRootLogin yes is used here because the whole procedure is carried out as root; tighten it again once the upgrade has been verified.

Enable the OpenSSH service
cp -p contrib/redhat/sshd.init /etc/init.d/sshd
chmod +x /etc/init.d/sshd
chkconfig --add sshd
chkconfig sshd on
chkconfig --list sshd

Check, restart and enable sshd with systemctl
systemctl status sshd
systemctl restart sshd
systemctl enable sshd
systemctl status sshd
reboot

Check the OpenSSH and OpenSSL upgrade results
ssh -V
OpenSSH_8.4p1, OpenSSL 1.1.1g 21 Apr 2020
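As an added example (not from the original post), a POSIX shell check that parses the output of ssh -V and compares it with the versions the upgrade was meant to deliver. ssh -V reports the version of the libcrypto it actually loaded, so the output shown above, which says 1.1.1g rather than the 1.1.1h just built, is exactly the condition this check flags; the function name and the expected-version arguments are assumptions.

```shell
#!/bin/sh
# Added example: verify what the rebuilt ssh really reports.

# check_ssh_versions "OUTPUT_OF_ssh_-V" WANT_SSH WANT_SSL
# Returns 0 when both versions match, 1 otherwise (reason printed on stdout).
check_ssh_versions() {
    out=$1; want_ssh=$2; want_ssl=$3; status=0
    # "OpenSSH_8.4p1, OpenSSL 1.1.1h  22 Sep 2020" -> "8.4p1"
    got_ssh=$(printf '%s\n' "$out" | sed -n 's/^OpenSSH_\([^,]*\),.*/\1/p')
    # ... -> "1.1.1h" (the runtime libcrypto version, not the build headers)
    got_ssl=$(printf '%s\n' "$out" | sed -n 's/.*OpenSSL \([0-9][0-9a-z.]*\).*/\1/p')
    if [ "$got_ssh" != "$want_ssh" ]; then
        printf 'OpenSSH mismatch: got %s, want %s\n' "${got_ssh:-?}" "$want_ssh"
        status=1
    fi
    if [ "$got_ssl" != "$want_ssl" ]; then
        printf 'OpenSSL mismatch: got %s, want %s (check ldd output)\n' "${got_ssl:-?}" "$want_ssl"
        status=1
    fi
    return $status
}

# Output line copied from the post: OpenSSL is 1.1.1g, not the 1.1.1h just built,
# so the binary is still loading an older libcrypto and the check fails.
SAMPLE_FROM_POST='OpenSSH_8.4p1, OpenSSL 1.1.1g 21 Apr 2020'
check_ssh_versions "$SAMPLE_FROM_POST" 8.4p1 1.1.1h || echo 'sample from the post: upgrade not fully effective'

# On the real host (ssh -V writes to stderr), then see which libraries sshd loads:
#   check_ssh_versions "$(ssh -V 2>&1)" 8.4p1 1.1.1h
#   ldd "$(command -v sshd)" | grep -E 'libssl|libcrypto'
```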

Uninstall telnet
Remove it or keep it according to your needs; telnet sends credentials in cleartext, so there is no reason to keep it once sshd is confirmed to be working.
mount -o loop /soft/rhel-server-7.7-x86_64-dvd.iso /mnt/
yum remove telnet* -y
reboot
