Upgrading OpenSSL + OpenSSH on CentOS 7 (build dependencies installed online with yum)

    Checking the current versions

    OpenSSH
    [root@localhost ~]# ssh -V
    OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
    
    OpenSSL
    [root@localhost ~]# openssl version
    OpenSSL 1.0.2k-fips  26 Jan 2017
    

    Installing Telnet as a fallback in case ssh login stops working (yum install and configuration)

    Install telnet-server
    [root@localhost ~]# yum -y install telnet-server
    
    Installed:
      telnet-server.x86_64 1:0.17-66.el7                                                           
    Complete!
    
    Start the telnet service
    [root@localhost ~]# systemctl start telnet.socket
    
    Configure SELinux and firewalld
    • firewalld
    # open port 23
    [root@localhost ~]# firewall-cmd --permanent --add-port=23/tcp --zone=public
    
    # reload the firewalld policy
    [root@localhost ~]# firewall-cmd --reload
    
    • selinux
    [root@localhost ~]# setenforce 0
    
    • Disable securetty
    # By default Linux does not allow root to log in over telnet; move the securetty file out of the way
    [root@localhost ~]# mv /etc/securetty{,.bak}
    
    Test the Telnet login
    [C:\~]$ telnet 192.168.68.129
    
    
    Connecting to 192.168.68.129:23...
    Connection established.
    To escape to local shell, press 'Ctrl+Alt+]'.
    
    Kernel 3.10.0-1127.el7.x86_64 on an x86_64
    localhost login: root
    Password: 
    Last login: Wed Nov  2 19:48:24 from 192.168.68.1
    

    Upgrading OpenSSL

    Remove the old packages
    [root@localhost ~]# rpm -e openssh --nodeps && rpm -e openssh-clients --nodeps && rpm -e openssh-server --nodeps
    
    Install the build dependencies
    [root@localhost ~]# yum install -y pam* zlib*
    
    Installed:
      pam-devel.x86_64 0:1.1.8-23.el7                     pam_krb5.x86_64 0:2.4.8-6.el7           
      pam_pkcs11.x86_64 0:0.6.2-30.el7                    pam_snapper.x86_64 0:0.2.8-4.el7        
      pam_ssh_agent_auth.x86_64 0:0.10.3-2.22.el7_9       zlib-devel.x86_64 0:1.2.7-20.el7_9      
      zlib-static.x86_64 0:1.2.7-20.el7_9                
    
    Dependency Installed:
      boost-serialization.x86_64 0:1.53.0-28.el7        pcsc-lite-libs.x86_64 0:1.8.8-8.el7       
      snapper.x86_64 0:0.2.8-4.el7                      snapper-libs.x86_64 0:0.2.8-4.el7         
    
    Updated:
      zlib.x86_64 0:1.2.7-20.el7_9                                                                 
    
    Complete!
    
    Back up the ssh directory
    [root@localhost ~]# mv /etc/ssh /etc/ssh_bak
    
    Download the new OpenSSL source archive
    # Official site: https://www.openssl.org (download the version you need)
    [root@localhost ~]# wget https://www.openssl.org/source/openssl-1.1.1s.tar.gz --no-check-certificate
    
    Build and install OpenSSL
    • Extract the archive
    [root@localhost ~]# tar zxf openssl-1.1.1s.tar.gz
    
    • Configure
    # enter the source directory (the post repeated the tar command here; the prompt below shows the directory has been entered)
    [root@localhost ~]# cd openssl-1.1.1s
    
    # configure
    [root@localhost openssl-1.1.1s]# ./config --prefix=/usr/ --openssldir=/usr/ shared
    Operating system: x86_64-whatever-linux2
    Configuring OpenSSL version 1.1.1s (0x1010113fL) for linux-x86_64
    Using os-specific seed configuration
    Creating configdata.pm
    Creating Makefile
    
    **********************************************************************
    ***                                                                ***
    ***   OpenSSL has been successfully configured                     ***
    ***                                                                ***
    ***   If you encounter a problem while building, please open an    ***
    ***   issue on GitHub <https://github.com/openssl/openssl/issues>  ***
    ***   and include the output from the following command:           ***
    ***                                                                ***
    ***       perl configdata.pm --dump                                ***
    ***                                                                ***
    ***   (If you are new to OpenSSL, you might want to consult the    ***
    ***   'Troubleshooting' section in the INSTALL file first)         ***
    ***                                                                ***
    **********************************************************************
    
    • Build and install
    [root@localhost openssl-1.1.1s]# make && make install
    
    Verify the installation
    [root@localhost ~]# openssl version
    OpenSSL 1.1.1s  1 Nov 2022
    

    Upgrading OpenSSH

    Download the new OpenSSH source archive
    # https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable (download the version you need)
    [root@localhost ~]# wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.1p1.tar.gz --no-check-certificate
    
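Both wget commands above run with --no-check-certificate, so nothing yet confirms that the OpenSSL and OpenSSH archives are the ones the projects published. The script below is an added example, not part of the original post: it compares an archive's SHA-256 with a digest obtained separately over a channel you trust (the publisher's .sha256 file fetched with certificate checking on, or the value confirmed against the detached .asc signature with gpg) and only then extracts it. The digests in the usage comment are placeholders, not real release hashes.

```shell
#!/bin/sh
# Added example (not from the post): check a downloaded source archive against
# a SHA-256 obtained out of band before it is unpacked and built. Never take the
# expected digest from the same unverified download.

# verify_tarball FILE EXPECTED_SHA256
#   exit status: 0 digest matches, 1 mismatch, 2 file missing
verify_tarball() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ ! -f "$file" ]; then
        echo "missing: $file" >&2
        return 2
    fi
    actual=$(sha256sum "$file" | awk '{print $1}')
    if [ "$actual" != "$expected" ]; then
        echo "DIGEST MISMATCH: $file" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi
    echo "verified: $file"
}

# unpack_verified FILE EXPECTED_SHA256 [DEST_DIR]
#   extracts only after verify_tarball succeeds, so a tampered or truncated
#   download never reaches ./config or ./configure
unpack_verified() {
    dest=${3:-.}
    verify_tarball "$1" "$2" || return $?
    tar -xzf "$1" -C "$dest"
}

# Usage matching the post's downloads. The digests are PLACEHOLDERS to be
# replaced with the published values; they are not real release hashes.
#   unpack_verified openssl-1.1.1s.tar.gz "$(awk '{print $1}' openssl-1.1.1s.tar.gz.sha256)"
#   unpack_verified openssh-9.1p1.tar.gz  "<sha256 from the OpenSSH 9.1 release announcement>"
```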
    Extract the archive
    [root@localhost ~]# tar zxf openssh-9.1p1.tar.gz
    
    Build and install OpenSSH
    • Enter the source directory
    [root@localhost ~]# cd openssh-9.1p1
    
    • Configure
    # --with-ssl-dir points at the prefix OpenSSL was installed to above (/usr); the post left the option without a value
    [root@localhost openssh-9.1p1]# ./configure --with-zlib --with-ssl-dir=/usr --with-pam --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc/ssh
    
    • Build and install
    [root@localhost openssh-9.1p1]# make && make install
    
    /bin/mkdir -p /etc/ssh
    ssh-keygen: generating new host keys: RSA ECDSA ED25519 
    /usr/sbin/sshd -t -f /etc/ssh/sshd_config
    
    • Install the sshd init script
    [root@localhost openssh-9.1p1]# cp contrib/redhat/sshd.init /etc/init.d/sshd
    
    Verify the installation
    [root@localhost ~]# ssh -V
    OpenSSH_9.1p1, OpenSSL 1.1.1s  1 Nov 2022
    

    Starting and verifying the ssh service

    Start the service
    [root@localhost ~]# service sshd start
    Reloading systemd:                                         [  OK  ]
    Starting sshd (via systemctl):                             [  OK  ]
    
    Enable start at boot
    [root@localhost ~]# chkconfig sshd on
    # or
    [root@localhost ~]# chkconfig --add sshd
    
    Verify that sshd is enabled at boot
    [root@localhost ~]# chkconfig --list sshd
    
    Note: This output shows SysV services only and does not include native
          systemd services. SysV configuration data might be overridden by native
          systemd configuration.
    
          If you want to list systemd services use 'systemctl list-unit-files'.
          To see services enabled on particular target use
          'systemctl list-dependencies [target]'.
    
    sshd           	0:off	1:off	2:on	3:on	4:on	5:on	6:off
    
    Allow root to log in over ssh
    • Edit the sshd_config file
    [root@localhost ~]# grep -E "^PermitRootLogin|^PubkeyAuthentication|^PasswordAuthentication" /etc/ssh/sshd_config 
    PermitRootLogin yes
    PubkeyAuthentication yes
    PasswordAuthentication yes
    
    • Restart sshd
    [root@localhost ~]# systemctl restart sshd
    
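The grep above only lists lines that begin with those keywords, which is not quite how sshd reads the file: for each keyword sshd uses the first value it encounters, ignores commented defaults, compares keyword names case-insensitively, accepts "Key=value" as well as "Key value", and treats everything after the first Match line as conditional. The script below is an added example, not from the original post: it resolves a keyword the way sshd does and then audits the combination the post configures (PermitRootLogin yes with PasswordAuthentication yes), run over a constructed sshd_config. The compiled-in defaults it assumes for absent keywords are those of OpenSSH 9.x.

```shell
#!/bin/sh
# Added example (not from the post): resolve an sshd_config keyword the way
# sshd does and report whether root can authenticate with a password.

# sshd_config_value FILE KEYWORD
#   prints the effective global value; exit 1 if unset (compiled-in default applies)
sshd_config_value() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comment or blank line
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            sub(/[[:space:]]*=[[:space:]]*/, " ", line)  # "Key=value" -> "Key value"
            key = tolower(line); sub(/[[:space:]].*$/, "", key)
            if (key == "match") exit                     # end of the global section
            if (key == want) {                           # first occurrence wins
                sub(/^[^[:space:]]+[[:space:]]+/, "", line)
                print line; found = 1; exit
            }
        }
        END { exit found ? 0 : 1 }' "$1"
}

# audit_root_login FILE
#   prints "exposed" (exit 1) when root may log in with a password, which is the
#   combination the post configures, and "ok" otherwise. OpenSSH 9.x defaults
#   (PermitRootLogin prohibit-password, PasswordAuthentication yes) are assumed
#   for keywords that are absent.
audit_root_login() {
    prl=$(sshd_config_value "$1" PermitRootLogin || echo prohibit-password)
    pa=$(sshd_config_value "$1" PasswordAuthentication || echo yes)
    prl=$(printf '%s' "$prl" | tr 'A-Z' 'a-z')
    pa=$(printf '%s' "$pa" | tr 'A-Z' 'a-z')
    if [ "$prl" = yes ] && [ "$pa" = yes ]; then
        echo exposed
        return 1
    fi
    echo ok
}

# On a live host: audit_root_login /etc/ssh/sshd_config
# (sshd -T prints the fully resolved configuration for cross-checking)
```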

    Problems encountered

    ssh login fails because SELinux was not disabled
    • messages log
    Nov  2 23:22:45 localhost sshd[1895]: error: Could not get shadow information for root
    Nov  2 23:22:45 localhost sshd[1895]: Failed password for root from 192.168.68.1 port 53566 ssh2
    Nov  2 23:22:46 localhost sshd[1895]: error: Received disconnect from 192.168.68.1 port 53566:0:  [preauth]
    Nov  2 23:22:46 localhost sshd[1895]: Disconnected from authenticating user root 192.168.68.1 port 53566 [preauth]
    
    • Fix
    # disable SELinux
    [root@localhost ~]# setenforce 0
    
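The first line of that excerpt is the tell: "Could not get shadow information for root" means sshd never got as far as comparing a password, because it could not read /etc/shadow at all; on a host with SELinux enforcing that is what a denial against the freshly built sshd looks like from the messages log, and it is easy to mistake for an ordinary wrong password. The script below is an added example, not from the original post: it runs over a constructed copy of those log lines (plus two made-up ordinary failures for contrast) and separates the two cases per sshd process.

```shell
#!/bin/sh
# Added example (not from the post): classify sshd authentication failures in
# /var/log/messages so a shadow-lookup failure is not misread as a bad password.

# classify_sshd_log [FILE]   (reads stdin when FILE is omitted)
#   prints "<pid> <user> <source-ip> <verdict>" for every "Failed password" line;
#   verdict is shadow-denied when the same sshd process logged a shadow error
#   first, bad-password otherwise
classify_sshd_log() {
    awk '
        /sshd\[[0-9]+\]:/ { pid = $0; sub(/.*sshd\[/, "", pid); sub(/\].*/, "", pid) }
        /error: Could not get shadow information for/ { denied[pid] = $NF }
        /Failed password for/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "for") user = ($(i+1) == "invalid") ? $(i+3) : $(i+1)
                if ($i == "from") src = $(i+1)
            }
            verdict = (pid in denied) ? "shadow-denied" : "bad-password"
            print pid, user, src, verdict
        }' "${1:--}"
}

# count_shadow_denials [FILE] -> how many failures were really shadow lookups
count_shadow_denials() {
    classify_sshd_log "$@" | grep -c shadow-denied
}

# Constructed sample: the first four lines copy the post's excerpt, the last two
# are invented ordinary failures for contrast.
SAMPLE_LOG='Nov  2 23:22:45 localhost sshd[1895]: error: Could not get shadow information for root
Nov  2 23:22:45 localhost sshd[1895]: Failed password for root from 192.168.68.1 port 53566 ssh2
Nov  2 23:22:46 localhost sshd[1895]: error: Received disconnect from 192.168.68.1 port 53566:0:  [preauth]
Nov  2 23:22:46 localhost sshd[1895]: Disconnected from authenticating user root 192.168.68.1 port 53566 [preauth]
Nov  2 23:25:01 localhost sshd[1910]: Failed password for root from 192.168.68.1 port 53590 ssh2
Nov  2 23:26:10 localhost sshd[1922]: Failed password for invalid user admin from 192.168.68.7 port 40010 ssh2'

# Run on the sample; on a live host: classify_sshd_log /var/log/messages
printf '%s\n' "$SAMPLE_LOG" | classify_sshd_log
```

When the verdict is shadow-denied, `ausearch -m AVC -ts recent` shows the matching denial, which tells you whether relabelling the newly installed binary with restorecon is enough or whether you fall back to the post's setenforce 0.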

    References

  • Original article: https://blog.csdn.net/u010766726/article/details/127652511