Notes on upgrading OpenSSH to 9.0p1 on AnolisOS 8

The procedure below stops firewalld and disables SELinux. Neither is required by the build itself: the firewall only has to keep port 22 open, and SELinux matters only because a hand-installed /usr/sbin/sshd lacks the sshd_exec_t label the policy expects. Switching to permissive mode for the duration (setenforce 0) and relabelling afterwards is enough; permanently disabling SELinux leaves the host unconfined long after the upgrade is over.
The shared-library cache must be refreshed after each library install: ldconfig -v.
Build order: zlib -> libressl -> openssh.
Build dependencies: gcc, make, perl, zlib, zlib-devel, pam, pam-devel.

I. Package preparation

Software   Version   Download URL
openssh    9.0p1     https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.0p1.tar.gz
zlib       1.2.12    https://zlib.net/zlib-1.2.12.tar.gz
libressl   3.5.3     https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.5.3.tar.gz

Verify the tarballs before building: OpenSSH publishes a detached signature (openssh-9.0p1.tar.gz.asc) next to the tarball, and the LibreSSL directory carries SHA256 and SHA256.sig files. zlib.net removes superseded releases from its top-level directory (older tarballs move to fossils/), so if the 1.2.12 URL no longer resolves, take the current release instead; 1.2.13 in particular fixes CVE-2022-37434 in 1.2.12.

II. Pre-upgrade environment preparation

1. Upload the three downloaded files to the server. Any directory will do; pick something convenient.

zlib-1.2.12.tar.gz
libressl-3.5.3.tar.gz
openssh-9.0p1.tar.gz

2. Stop the system firewall (optional: nothing in the build needs it and port 22 stays open regardless; if you do stop it, start it again once the new sshd is confirmed working)
systemctl stop firewalld.service
3. Put SELinux out of the way

Check the current mode:
getenforce
If it reports Enforcing, switch to permissive:
setenforce 0
This only lasts until the next reboot. To make it permanent, edit the config file:

vi /etc/selinux/config
and set:
  SELINUX=disabled
then save and quit.
SELINUX=permissive is the less drastic permanent choice. If you want to keep enforcing on instead, relabel the new binary with restorecon after make install and watch /var/log/audit/audit.log for denials, since the upstream layout (/usr/etc, /var/empty) is not what the distro policy was written for.
4. Install the build dependencies
yum install -y wget gcc libselinux-devel openssl-devel make perl zlib zlib-devel pam pam-devel

openssl-devel is not actually used: the OpenSSH build is pointed at LibreSSL later. libselinux-devel is only needed if you pass --with-selinux to configure, and pam-devel only if you pass --with-pam (see the configure step below).

Afterwards confirm that everything is installed:

rpm -qa | egrep "gcc|make|perl|zlib|zlib-devel|pam|pam-devel"

III. Upgrade steps

1. Stop sshd and back up the SSH configuration
systemctl stop sshd
cp -a /etc/ssh /etc/ssh.old
(-a keeps modes, owners and timestamps; the copy contains the private host keys, so it must stay readable by root only.)

Record the contents of sshd.service. It is owned by the openssh-server RPM and disappears when that is removed. Note that Type=notify and the $CRYPTO_POLICY argument rely on AnolisOS patches (sd_notify support and the system-wide crypto policy) that upstream OpenSSH does not have, which is why the unit written later uses Type=simple and drops $CRYPTO_POLICY:

cat /usr/lib/systemd/system/sshd.service
[Unit]
Description=OpenSSH server daemon
Documentation=man:sshd(8) man:sshd_config(5)
After=network.target sshd-keygen.target
Wants=sshd-keygen.target

[Service]
Type=notify
EnvironmentFile=-/etc/crypto-policies/back-ends/opensshserver.config
EnvironmentFile=-/etc/sysconfig/sshd
ExecStart=/usr/sbin/sshd -D $OPTIONS $CRYPTO_POLICY
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartSec=42s

[Install]
WantedBy=multi-user.target

Record the crypto-policy back-end opensshserver.config. It is a symlink to the stock crypto-policies DEFAULT file, and the distro's sshd receives these options through $CRYPTO_POLICY on its command line. Note what it still permits (aes*-cbc ciphers, SHA-1 key exchange, ssh-rsa signatures) before re-applying it to the new sshd:

cat /etc/crypto-policies/back-ends/opensshserver.config
CRYPTO_POLICY='-oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc -oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 -oGSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa'

Back up the sshd environment file /etc/sysconfig/sshd:

cat /etc/sysconfig/sshd
# Configuration file for the sshd service.

# The server keys are automatically generated if they are missing.
# To change the automatic creation, adjust sshd.service options for
# example using  systemctl enable [email protected]  to allow creation
# of DSA key or  systemctl mask [email protected]  to disable RSA key
# creation.

# Do not change this option unless you have hardware random
# generator and you REALLY know what you are doing

SSH_USE_STRONG_RNG=0
# SSH_USE_STRONG_RNG=1

# System-wide crypto policy:
# To opt-out, uncomment the following line
# CRYPTO_POLICY=

Do not disconnect the current SSH session from here on. sshd is stopped and about to be uninstalled, so a dropped session cannot be re-established until the new server is up; keep this session open and, if you can, a second one or console access as a fallback.
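The backup above is done by hand with cp and cat. As an added example that is not part of the original notes, the script below takes the same snapshot in one step and additionally records hashes of the public host keys, so that after the upgrade you can prove the server's identity is unchanged. The paths follow the article; the backup destination, the fake-root layout used for offline testing, and the sample key contents are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the original write-up: snapshot what the upgrade
# will destroy or overwrite, then prove afterwards that the host identity
# survived. ROOT is "/" on the real host; the functions work on any directory
# laid out like a root filesystem, so they can be tested offline.
set -e

_sha256() {
    # coreutils sha256sum on AnolisOS; shasum is a fallback for other hosts
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

# backup_sshd_state ROOT DEST
#   Copies /etc/ssh (host keys and config), the two RPM-owned files that
#   disappear on rpm -e, and the resolved crypto-policy back-end into DEST,
#   and writes a manifest of the public host keys. Refuses to reuse DEST.
backup_sshd_state() {
    root=${1%/}; dest=$2
    if [ -e "$dest" ]; then echo "refusing to overwrite $dest" >&2; return 1; fi
    mkdir -p "$dest"
    chmod 700 "$dest"                         # the copy contains private host keys
    cp -a "$root/etc/ssh" "$dest/etc_ssh"
    for f in usr/lib/systemd/system/sshd.service etc/sysconfig/sshd; do
        if [ -f "$root/$f" ]; then cp -a "$root/$f" "$dest/$(basename "$f")"; fi
    done
    # opensshserver.config is a symlink into /usr/share/crypto-policies;
    # store the content, since the symlink target can change with updates
    pol=$root/etc/crypto-policies/back-ends/opensshserver.config
    if [ -e "$pol" ]; then cat "$pol" > "$dest/opensshserver.config"; fi
    # Public-key manifest: if these hashes still match after the upgrade,
    # clients will not see a "RE MOTE HOST IDENTIFICATION HAS CHANGED" warning.
    (cd "$root/etc/ssh" && _sha256 ssh_host_*_key.pub) > "$dest/hostkeys.sha256"
    # Package versions, so the exact RPMs can be re-fetched for a rollback.
    if command -v rpm >/dev/null 2>&1; then
        rpm -qa 'openssh*' > "$dest/openssh-rpms.txt" || true
    fi
    echo "$dest"
}

# verify_hostkeys ROOT MANIFEST -> 0 only if every public host key is unchanged
verify_hostkeys() {
    root=${1%/}
    manifest=$(cd "$(dirname "$2")" && pwd)/$(basename "$2")
    (cd "$root/etc/ssh" && _sha256 -c --quiet "$manifest")
}

# On the host, as root, while the old packages are still installed:
#   backup_sshd_state / /root/ssh-upgrade-backup
# and once the new sshd is running:
#   verify_hostkeys / /root/ssh-upgrade-backup/hostkeys.sha256
```

verify_hostkeys is the check to run before closing the original session: a hash mismatch means sshd was pointed at the keys make install generated in /usr/etc rather than the ones kept in /etc/ssh, and every client's known_hosts entry would start failing.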

2. List the OpenSSH packages currently installed
rpm -qa | grep openssh
openssh-8.0p1-5.an8.x86_64
openssh-server-8.0p1-5.an8.x86_64
openssh-clients-8.0p1-5.an8.x86_64
Remove the packages found above (normally these three). --nodeps skips the dependency check, since other installed packages may require openssh-clients. Bear in mind that from now on dnf will no longer deliver OpenSSH security fixes to this host: future updates mean another manual rebuild, and a rollback means reinstalling these exact RPMs, so keep copies of them or at least the version strings.
rpm -e --nodeps <package>
rpm -e --nodeps openssh-8.0p1-5.an8.x86_64
rpm -e --nodeps openssh-server-8.0p1-5.an8.x86_64
rpm -e --nodeps openssh-clients-8.0p1-5.an8.x86_64
Check again; the command should print nothing:
rpm -qa | grep openssh

After removing openssh-8.0p1, sshd.service and /etc/sysconfig/sshd are gone (they belonged to the RPMs). The crypto-policy symlink is still there because it belongs to the crypto-policies package.

systemctl status sshd
Unit sshd.service could not be found.
[root@anolis8 ~]# ll /usr/lib/systemd/system/sshd.service
ls: cannot access '/usr/lib/systemd/system/sshd.service': No such file or directory
[root@anolis8 ~]# ll /etc/sysconfig/sshd
ls: cannot access '/etc/sysconfig/sshd': No such file or directory
[root@anolis8 ~]# ll /etc/crypto-policies/back-ends/opensshserver.config
lrwxrwxrwx. 1 root root 52 Sep 26 17:54 /etc/crypto-policies/back-ends/opensshserver.config -> /usr/share/crypto-policies/DEFAULT/opensshserver.txt
[root@anolis8 ~]# ll /usr/share/crypto-policies/DEFAULT/opensshserver.txt
-rw-r--r--. 2 root root 1663 Jun 24 2021 /usr/share/crypto-policies/DEFAULT/opensshserver.txt
[root@anolis8 ~]# cat /usr/share/crypto-policies/DEFAULT/opensshserver.txt
(the same CRYPTO_POLICY line as recorded above)
3. Build and install zlib
tar xzvf zlib-1.2.12.tar.gz
cd zlib-1.2.12/
./configure --prefix=/usr/local/zlib
make
make install

Verify the install: the prefix must contain the include, lib and share directories.

# ll /usr/local/zlib/
total 0
drwxr-xr-x 2 root root 35 Sep 26 15:05 include
drwxr-xr-x 3 root root 91 Sep 26 15:05 lib
drwxr-xr-x 3 root root 17 Sep 26 15:05 share
Create a loader configuration file:
vi /etc/ld.so.conf.d/zlib.conf
containing this single line, then save and quit:
/usr/local/zlib/lib
Refresh the shared-library cache so the freshly built zlib is found:
ldconfig -v
Be aware of the side effect: /usr/local/zlib/lib provides libz.so.1, the same soname as the distro's /usr/lib64/libz.so.1, and directories listed under /etc/ld.so.conf.d are searched before the default /lib64 and /usr/lib64. After this ldconfig every dynamically linked program on the host, not only sshd, resolves libz.so.1 to the new copy, so a bug in the hand-built zlib is a host-wide problem.
4. Build and install libressl
tar xzvf libressl-3.5.3.tar.gz
cd libressl-3.5.3/
./configure --prefix=/usr/local/libressl
make
make install
echo '/usr/local/libressl/lib' > /etc/ld.so.conf.d/libressl.conf
ldconfig -v

The libressl libraries can now be resolved by the loader (their sonames, libssl.so.52 and libcrypto.so.49, do not collide with the distro's OpenSSL libraries):

# ldconfig -p|grep /usr/local/libressl
    libtls.so.25 (libc6,x86-64) => /usr/local/libressl/lib/libtls.so.25
    libtls.so (libc6,x86-64) => /usr/local/libressl/lib/libtls.so
    libssl.so.52 (libc6,x86-64) => /usr/local/libressl/lib/libssl.so.52
    libssl.so (libc6,x86-64) => /usr/local/libressl/lib/libssl.so
    libcrypto.so.49 (libc6,x86-64) => /usr/local/libressl/lib/libcrypto.so.49
    libcrypto.so (libc6,x86-64) => /usr/local/libressl/lib/libcrypto.so

Move the existing openssl binary aside
mv /usr/bin/openssl /usr/bin/openssl.bak
and point the command at LibreSSL's:
ln -s /usr/local/libressl/bin/openssl /usr/bin/openssl
This swaps only the command-line tool; the distro's libssl/libcrypto stay in place and every other program keeps using them.
Two further steps that are often listed at this point are unnecessary here and best skipped: symlinking the headers (ln -s /usr/local/libressl/include/openssl /usr/include/openssl) and adding /usr/local/ssl/lib to /etc/ld.so.conf.d/ssl.conf followed by another ldconfig -v. The OpenSSH build is pointed at LibreSSL explicitly with --with-ssl-dir below, nothing was installed under /usr/local/ssl (the loader entry created above already covers /usr/local/libressl/lib), and with openssl-devel installed /usr/include/openssl already exists as a directory, so ln -s would only drop a stray link inside it.
Check the openssl version; it should now report LibreSSL 3.5.3:
openssl version -a
5. Build and install openssh
tar xzvf openssh-9.0p1.tar.gz
cd openssh-9.0p1
./configure --prefix=/usr --with-zlib=/usr/local/zlib --with-ssl-dir=/usr/local/libressl
make
Two consequences of this configure line matter later. With --prefix=/usr and no --sysconfdir, the configuration directory becomes /usr/etc (which is why /usr/etc/sshd_config is edited below); passing --sysconfdir=/etc/ssh would keep the conventional location and reuse the existing files. And without --with-pam the resulting sshd has no PAM support at all: /etc/pam.d/sshd, pam_faillock lockouts, limits and access.conf are never consulted, and password logins are checked directly against /etc/shadow. Add --with-pam (pam-devel is already installed) if any of that matters, and --with-selinux if SELinux stays on.
Fix the host key permissions. The distro installs the private host keys as 0640 root:ssh_keys and relies on a vendor patch to accept that; upstream sshd refuses any private key with group or other permission bits set ("UNPROTECTED PRIVATE KEY FILE ... This private key will be ignored"), and with no loadable host key the new server will not start.
ll /etc/ssh
total 24
-rw-r-----. 1 root ssh_keys  480 Jun 20 17:38 ssh_host_ecdsa_key
-rw-r--r--. 1 root root      162 Jun 20 17:38 ssh_host_ecdsa_key.pub
-rw-r-----. 1 root ssh_keys  387 Jun 20 17:38 ssh_host_ed25519_key
-rw-r--r--. 1 root root       82 Jun 20 17:38 ssh_host_ed25519_key.pub
-rw-r-----. 1 root ssh_keys 2578 Jun 20 17:38 ssh_host_rsa_key
-rw-r--r--. 1 root root      554 Jun 20 17:38 ssh_host_rsa_key.pub

chmod 600 /etc/ssh/ssh_host_rsa_key
chmod 600 /etc/ssh/ssh_host_ecdsa_key
chmod 600 /etc/ssh/ssh_host_ed25519_key

ll /etc/ssh
total 24
-rw-------. 1 root ssh_keys  480 Jun 20 17:38 ssh_host_ecdsa_key
-rw-r--r--. 1 root root      162 Jun 20 17:38 ssh_host_ecdsa_key.pub
-rw-------. 1 root ssh_keys  387 Jun 20 17:38 ssh_host_ed25519_key
-rw-r--r--. 1 root root       82 Jun 20 17:38 ssh_host_ed25519_key.pub
-rw-------. 1 root ssh_keys 2578 Jun 20 17:38 ssh_host_rsa_key
-rw-r--r--. 1 root root      554 Jun 20 17:38 ssh_host_rsa_key.pub

make install

.......
/usr/bin/install -c -m 644 scp.1.out /usr/share/man/man1/scp.1
/usr/bin/install -c -m 644 ssh-add.1.out /usr/share/man/man1/ssh-add.1
/usr/bin/install -c -m 644 ssh-agent.1.out /usr/share/man/man1/ssh-agent.1
/usr/bin/install -c -m 644 ssh-keygen.1.out /usr/share/man/man1/ssh-keygen.1
/usr/bin/install -c -m 644 ssh-keyscan.1.out /usr/share/man/man1/ssh-keyscan.1
/usr/bin/install -c -m 644 moduli.5.out /usr/share/man/man5/moduli.5
/usr/bin/install -c -m 644 sshd_config.5.out /usr/share/man/man5/sshd_config.5
/usr/bin/install -c -m 644 ssh_config.5.out /usr/share/man/man5/ssh_config.5
/usr/bin/install -c -m 644 sshd.8.out /usr/share/man/man8/sshd.8
/usr/bin/install -c -m 644 sftp.1.out /usr/share/man/man1/sftp.1
/usr/bin/install -c -m 644 sftp-server.8.out /usr/share/man/man8/sftp-server.8
/usr/bin/install -c -m 644 ssh-keysign.8.out /usr/share/man/man8/ssh-keysign.8
/usr/bin/install -c -m 644 ssh-pkcs11-helper.8.out /usr/share/man/man8/ssh-pkcs11-helper.8
/usr/bin/install -c -m 644 ssh-sk-helper.8.out /usr/share/man/man8/ssh-sk-helper.8
/usr/bin/mkdir -p /usr/etc
ssh-keygen: generating new host keys: RSA DSA ECDSA ED25519 
/usr/sbin/sshd -t -f /usr/etc/sshd_config


Edit /usr/etc/sshd_config, the configuration this build reads (the install output above shows the sshd -t check against it). sshd uses the first occurrence of a keyword, so change the existing lines rather than appending new ones at the end.
The port: uncommenting Port 22 changes nothing (22 is the default) but makes the listener explicit
#Port 22
Port 22

Root login: the original notes set
PermitRootLogin yes
which also permits password logins as root. prohibit-password (the upstream default) keeps root reachable with keys only and is the safer setting if root login is needed at all.

Host keys: point at the keys kept in /etc/ssh rather than the ones make install just generated in /usr/etc, so the server keeps its identity and clients do not get a "REMOTE HOST IDENTIFICATION HAS CHANGED" warning
#HostKey /etc/ssh_host_rsa_key
#HostKey /etc/ssh_host_ecdsa_key
#HostKey /etc/ssh_host_ed25519_key
become
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
Save and quit.
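The chmod on the host keys and the hand edits to sshd_config are the two steps in this procedure that most often go wrong: a directive appended to the end of sshd_config does nothing if the keyword already appears earlier in the file, and a single host key left at 0640 is silently ignored by upstream sshd. The shell functions below are an added example, not code from the original notes. They make both edits idempotently against whatever config path they are given and verify the key modes; the config layout they handle (comments, optional "=" separators, Match blocks) is OpenSSH's, while the sample file in the usage comments is constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original write-up: edit sshd_config the way
# sshd actually reads it, and check the host-key modes that upstream sshd
# enforces. Every function takes the config file or key directory as an
# argument, so it can be tried on a copy before touching /usr/etc/sshd_config.

# sshd_effective CONFIG KEYWORD
#   Prints the global value sshd will use for KEYWORD: the first uncommented
#   occurrence, or every occurrence for HostKey. Returns 1 when the keyword is
#   not set, i.e. the compiled-in default applies. Keywords are matched
#   case-insensitively, values may follow whitespace or "=", and scanning
#   stops at the first Match block because those settings are conditional.
sshd_effective() {
    kw=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    awk -v kw="$kw" '
        {
            t = $0; sub(/^[ \t]*/, "", t)
            if (t == "" || substr(t, 1, 1) == "#") next
            split(t, p, /[ \t=]+/); tok = tolower(p[1])
            if (tok == "match") exit
            if (tok == kw) {
                sub(/^[^ \t=]+[ \t=]+/, "", t); sub(/[ \t]+$/, "", t)
                print t; found = 1
                if (kw != "hostkey") exit
            }
        }
        END { exit found ? 0 : 1 }' "$1"
}

# sshd_set CONFIG KEYWORD VALUE...
#   Replaces every global-section line for KEYWORD, commented or not, with
#   "KEYWORD VALUE" (one line per VALUE, for list keywords such as HostKey)
#   at the position of the first one. If none exists the lines are inserted
#   in front of the first Match block, or appended. The previous file is kept
#   as CONFIG.bak.
sshd_set() {
    cfg=$1; key=$2; shift 2
    vals=$(printf '%s\t' "$@")
    kw=$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]')
    tmp=$(mktemp)
    awk -v kw="$kw" -v key="$key" -v vals="$vals" '
        function emit(   i) { for (i = 1; i <= n; i++) print key " " v[i]; done = 1 }
        BEGIN { n = split(vals, v, "\t"); if (v[n] == "") n-- }
        {
            if (!inmatch) {
                t = $0; sub(/^[ \t]*/, "", t)
                c = (substr(t, 1, 1) == "#")
                if (c) { t = substr(t, 2); sub(/^[ \t]*/, "", t) }
                split(t, p, /[ \t=]+/); tok = tolower(p[1])
                if (!c && tok == "match") { if (!done) emit(); inmatch = 1 }
                else if (tok == kw) { if (!done) emit(); next }
            }
            print
        }
        END { if (!done) emit() }' "$cfg" > "$tmp"
    cp -p "$cfg" "$cfg.bak"
    cat "$tmp" > "$cfg"       # overwrite in place to keep mode and ownership
    rm -f "$tmp"
}

# check_hostkey_perms KEYDIR
#   Upstream sshd (sshkey_perm_ok) ignores a private key owned by the running
#   user if any group or other bit is set; the distro's 0640/ssh_keys layout
#   only works with its vendor patch. Columns 5-10 of ls -l are exactly those
#   bits. Returns 1 and names each offending key.
check_hostkey_perms() {
    rc=0
    for k in "$1"/ssh_host_*_key; do
        [ -f "$k" ] || continue
        case $(ls -ld "$k" | cut -c5-10) in
            ------) ;;
            *) echo "too open: $k ($(ls -ld "$k" | cut -c1-10))" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Applied to this upgrade (paths as in the notes above):
#   sshd_set /usr/etc/sshd_config HostKey /etc/ssh/ssh_host_rsa_key \
#       /etc/ssh/ssh_host_ecdsa_key /etc/ssh/ssh_host_ed25519_key
#   sshd_set /usr/etc/sshd_config PermitRootLogin prohibit-password
#   check_hostkey_perms /etc/ssh && /usr/sbin/sshd -t -f /usr/etc/sshd_config
```

Always finish with sshd -t -f against the edited file: it parses the config exactly as the daemon will, which is the only reliable way to catch a typo before the service fails to start while your old session is the last way in.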

sshd must start at boot, so a unit file is needed.
On CentOS 7 the old unit still exists and has to be moved aside first:
mv /usr/lib/systemd/system/sshd.service /usr/lib/systemd/system/sshd.serviceold
On AnolisOS 8 the RPM removal already deleted it, so the files can be created directly.
Create the environment file /etc/sysconfig/sshd

vim /etc/sysconfig/sshd
with the following contents (the AUTOCREATE_SERVER_KEYS comments refer to the distro's sshd-keygen helper, which no longer exists; host keys were generated by make install, and the ones actually used live in /etc/ssh)

# Configuration file for the sshd service.

# The server keys are automatically generated if they are missing.
# To change the automatic creation uncomment and change the appropriate
# line. Accepted key types are: DSA RSA ECDSA ED25519.
# The default is "RSA ECDSA ED25519"

# AUTOCREATE_SERVER_KEYS=""
# AUTOCREATE_SERVER_KEYS="RSA ECDSA ED25519"

# Do not change this option unless you have hardware random
# generator and you REALLY know what you are doing

SSH_USE_STRONG_RNG=0
# SSH_USE_STRONG_RNG=1

Save and quit.

Create sshd.service. Type=simple rather than notify, because upstream sshd does not call sd_notify; $CRYPTO_POLICY is dropped, so the new server uses OpenSSH's own defaults for ciphers, MACs and key exchange instead of the distro policy recorded earlier. The sshd-keygen.service references are harmless but inert: that unit was removed together with openssh-server, and systemd ignores a Wants= on a unit that does not exist.

vim /usr/lib/systemd/system/sshd.service
[Unit]
Description=OpenSSH 9 server daemon
Documentation=man:sshd(8) man:sshd_config(5)
After=network.target sshd-keygen.service
Wants=sshd-keygen.service
 
[Service]
Type=simple
EnvironmentFile=/etc/sysconfig/sshd
ExecStart=/usr/sbin/sshd -D $OPTIONS
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartSec=42s
 
[Install]
WantedBy=multi-user.target 
systemctl daemon-reload
Start sshd
systemctl start sshd
Enable it at boot
systemctl enable sshd.service
Check the service status
systemctl status sshd -l



● sshd.service - OpenSSH 9 server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; disabled; vendor preset: enabled)
   Active: active (running) since Mon 2022-09-26 16:34:09 CST; 4s ago
     Docs: man:sshd(8)
           man:sshd_config(5)
 Main PID: 68932 (sshd)
    Tasks: 1 (limit: 23576)
   Memory: 764.0K
   CGroup: /system.slice/sshd.service
           └─68932 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups

Sep 26 16:34:09 anolis systemd[1]: Started OpenSSH 9 server daemon.
Sep 26 16:34:09 anolis sshd[68932]: Server listening on 0.0.0.0 port 22.
Sep 26 16:34:09 anolis sshd[68932]: Server listening on :: port 22.

Verify the build
ssh -V
The output should read OpenSSH_9.0p1, LibreSSL 3.5.3; the library named after the comma confirms the binaries were linked against the new LibreSSL rather than the distro's OpenSSL. Finally, before closing the original session, open a fresh SSH connection to the host and confirm that you can log in.
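ssh -V only proves that the client binary is new. As an added example that is not part of the original notes, the functions below check what a practitioner wants to know after this upgrade: that the binaries were built against LibreSSL, that sshd links the libcrypto from /usr/local/libressl/lib, and that the effective server configuration (sshd -T) does not carry the weaknesses the steps above can introduce, such as PermitRootLogin yes or HostKey lines pointing at the freshly generated files in /usr/etc. The sshd -T dumps used for testing are constructed, and the cipher and signature policy encoded in audit_sshd_T is this example's choice, not an OpenSSH default.

```shell
#!/bin/sh
# Added example, not part of the original write-up: checks to run once the new
# sshd is active. check_build and audit_sshd_T take captured command output so
# they can be exercised offline; verify_live feeds them the real thing.
# Paths (/usr/sbin/sshd, /usr/local/libressl/lib, /etc/ssh) follow the notes.

# check_build VERSION_LINE WANT_RELEASE WANT_LIB
#   VERSION_LINE is the output of `ssh -V 2>&1`, e.g. "OpenSSH_9.0p1, LibreSSL 3.5.3".
#   The part after the comma names the crypto library the binaries were built
#   against, so this is the quickest way to see whether configure picked up
#   /usr/local/libressl or fell back to the distro's OpenSSL headers.
check_build() {
    case $1 in
        "$2, $3 "*) return 0 ;;
        *) echo "FAIL: built as '$1', want $2 with $3" >&2; return 1 ;;
    esac
}

# audit_sshd_T DUMP [PORT] [KEYDIR]
#   DUMP is the output of `sshd -T`: the effective configuration after defaults
#   are applied, one lower-cased keyword per line. Prints each policy violation
#   and returns their count (0 = clean):
#     - root may not log in with a password (PermitRootLogin yes)
#     - empty passwords rejected, expected listening port
#     - every HostKey lives under KEYDIR (the kept /etc/ssh keys, not the
#       freshly generated ones in /usr/etc)
#     - no CBC ciphers, no SHA-1 key exchange, no SHA-1 RSA signatures
#       (ssh-rsa); the distro's DEFAULT crypto policy still allows all three
audit_sshd_T() {
    awk -v port="${2:-22}" -v keydir="${3:-/etc/ssh}" '
        function anyelem(list, re,   a, n, i) {
            n = split(list, a, ",")
            for (i = 1; i <= n; i++) if (a[i] ~ re) return 1
            return 0
        }
        function bad(msg) { print "FAIL: " msg; f++ }
        {
            k = $1; v = $0; sub(/^[^ ]+ ?/, "", v)
            if (k == "hostkey") {
                nkeys++
                if (index(v, keydir "/") != 1) bad("hostkey " v " is outside " keydir)
            } else cfg[k] = v
        }
        END {
            r = cfg["permitrootlogin"]
            if (r != "no" && r != "prohibit-password" && r != "without-password")
                bad("permitrootlogin=" r)
            if (cfg["permitemptypasswords"] != "no") bad("permitemptypasswords=" cfg["permitemptypasswords"])
            if (cfg["port"] != port) bad("port=" cfg["port"] ", want " port)
            if (!nkeys) bad("no hostkey configured")
            if (anyelem(cfg["ciphers"], "-cbc$")) bad("CBC cipher offered: " cfg["ciphers"])
            if (anyelem(cfg["kexalgorithms"], "sha1$")) bad("SHA-1 key exchange offered: " cfg["kexalgorithms"])
            rsa1 = "^ssh-rsa(-cert-v01@openssh\\.com)?$"
            if (anyelem(cfg["hostkeyalgorithms"], rsa1)) bad("ssh-rsa (SHA-1) host key signatures accepted")
            if (anyelem(cfg["pubkeyacceptedalgorithms"], rsa1)) bad("ssh-rsa (SHA-1) user key signatures accepted")
            if (cfg["usepam"] != "yes") print "WARN: usepam=" cfg["usepam"] " (no PAM: faillock, limits and access.conf do not apply)"
            exit f
        }' "$1"
}

# verify_live [SSHD] [LIBDIR]: the same checks against the running host (as root).
verify_live() {
    sshd=${1:-/usr/sbin/sshd}; libdir=${2:-/usr/local/libressl/lib}; rc=0
    check_build "$(ssh -V 2>&1)" OpenSSH_9.0p1 LibreSSL || rc=1
    # The dynamic linker must resolve libcrypto.so.49 from the LibreSSL prefix;
    # without the /etc/ld.so.conf.d/libressl.conf entry sshd cannot start.
    if command -v ldd >/dev/null 2>&1; then
        ldd "$sshd" | grep -q "libcrypto.*$libdir/" || { echo "FAIL: $sshd does not link $libdir/libcrypto" >&2; rc=1; }
    fi
    "$sshd" -t || rc=1                       # syntax check of the config sshd really loads
    dump=$(mktemp)
    if "$sshd" -T > "$dump"; then audit_sshd_T "$dump" || rc=1; else rc=1; fi
    rm -f "$dump"
    return $rc
}
```

sshd -T is the authoritative view because it prints the configuration after defaults have been applied, so it catches both a directive you forgot and a directive sshd silently ignored because an earlier line in the file already set it.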
