• CentOS 7 下升级 OpenSSL + OpenSSH【在线 yum 安装依赖】


    CentOS 7 下升级 OpenSSL + OpenSSH【在线 yum 安装依赖】

    当前版本查看

    OpenSSH
    [root@localhost ~]# ssh -V
    OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
    
    • 1
    • 2
    OpenSSL
    [root@localhost ~]# openssl version
    OpenSSL 1.0.2k-fips  26 Jan 2017
    
    • 1
    • 2

    安装 Telnet 防止 ssh 无法登录【yum 安装 && 配置】

    安装 telnet-server
    [root@localhost ~]# yum -y install telnet-server
    
    Installed:
      telnet-server.x86_64 1:0.17-66.el7                                                           
    Complete!
    
    • 1
    • 2
    • 3
    • 4
    • 5
    启动 telnet 服务
    [root@localhost ~]# systemctl start telnet.socket
    
    • 1
    配置 SELinux && Firewalld 服务
    • firewalld
    # 增加 23 端口通信
    [root@localhost ~]# firewall-cmd --permanent --add-port=23/tcp --zone=public
    
    # 更新 firewalld 策略
    [root@localhost ~]# firewall-cmd --reload
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • selinux
    [root@localhost ~]# setenforce 0
    
    • 1
    • 关闭 securetty
    # 默认情况下,linux 不允许 root 用户以 telnet 方式登录 linux 主机,移除 securetty 文件
    [root@localhost ~]# mv /etc/securetty{,.bak}
    
    • 1
    • 2
    测试 Telnet 登录
    [C:\~]$ telnet 192.168.68.129
    
    
    Connecting to 192.168.68.129:23...
    Connection established.
    To escape to local shell, press 'Ctrl+Alt+]'.
    
    Kernel 3.10.0-1127.el7.x86_64 on an x86_64
    localhost login: root
    Password: 
    Last login: Wed Nov  2 19:48:24 from 192.168.68.1
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    • 10
    • 11

    升级 OpenSSL

    卸载老版本安装包
    [root@localhost ~]# rpm -e openssh --nodeps && rpm -e openssh-clients --nodeps && rpm -e openssh-server --nodeps
    
    • 1
    安装编译依赖包
    [root@localhost ~]# yum install -y pam* zlib*
    
    Installed:
      pam-devel.x86_64 0:1.1.8-23.el7                     pam_krb5.x86_64 0:2.4.8-6.el7           
      pam_pkcs11.x86_64 0:0.6.2-30.el7                    pam_snapper.x86_64 0:0.2.8-4.el7        
      pam_ssh_agent_auth.x86_64 0:0.10.3-2.22.el7_9       zlib-devel.x86_64 0:1.2.7-20.el7_9      
      zlib-static.x86_64 0:1.2.7-20.el7_9                
    
    Dependency Installed:
      boost-serialization.x86_64 0:1.53.0-28.el7        pcsc-lite-libs.x86_64 0:1.8.8-8.el7       
      snapper.x86_64 0:0.2.8-4.el7                      snapper-libs.x86_64 0:0.2.8-4.el7         
    
    Updated:
      zlib.x86_64 0:1.2.7-20.el7_9                                                                 
    
    Complete!
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    • 10
    • 11
    • 12
    • 13
    • 14
    • 15
    • 16
    备份 ssh 目录
    [root@localhost ~]# mv /etc/ssh /etc/ssh_bak
    
    • 1
    下载 OpenSSL 新版本安装包
    # 官网 -- https://www.openssl.org -- 【根据需要下载指定版本】
    [root@localhost ~]# wget https://www.openssl.org/source/openssl-1.1.1s.tar.gz --no-check-certificate
    
    • 1
    • 2
    编译 && 安装 OpenSSL
    • 解压安装包
    [root@localhost ~]# tar zxf openssl-1.1.1s.tar.gz
    
    • 1
    • 预编译
    # 进入目录
    [root@localhost ~]# tar zxf openssl-1.1.1s.tar.gz
    
    # 预编译
    [root@localhost openssl-1.1.1s]# ./config --prefix=/usr/ --openssldir=/usr/ shared
    Operating system: x86_64-whatever-linux2
    Configuring OpenSSL version 1.1.1s (0x1010113fL) for linux-x86_64
    Using os-specific seed configuration
    Creating configdata.pm
    Creating Makefile
    
    **********************************************************************
    ***                                                                ***
    ***   OpenSSL has been successfully configured                     ***
    ***                                                                ***
    ***   If you encounter a problem while building, please open an    ***
    ***   issue on GitHub <https://github.com/openssl/openssl/issues>  ***
    ***   and include the output from the following command:           ***
    ***                                                                ***
    ***       perl configdata.pm --dump                                ***
    ***                                                                ***
    ***   (If you are new to OpenSSL, you might want to consult the    ***
    ***   'Troubleshooting' section in the INSTALL file first)         ***
    ***                                                                ***
    **********************************************************************
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    • 10
    • 11
    • 12
    • 13
    • 14
    • 15
    • 16
    • 17
    • 18
    • 19
    • 20
    • 21
    • 22
    • 23
    • 24
    • 25
    • 编译 && 安装
    [root@localhost openssl-1.1.1s]# make && make install
    
    • 1
    验证安装结果
    [root@localhost ~]# openssl version
    OpenSSL 1.1.1s  1 Nov 2022
    
    • 1
    • 2

    升级 OpenSSH

    下载 OpenSSH 新版本安装包
    # https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable 【根据需要下载指定版本】
    [root@localhost ~]# wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.1p1.tar.gz --no-check-certificate
    
    • 1
    • 2
    解压安装包
    [root@localhost ~]# tar zxf openssh-9.1p1.tar.gz
    
    • 1
    编译 && 安装 OpenSSH
    • 进入目录
    [root@localhost ~]# cd openssh-9.1p1
    
    • 1
    • 预编译
    [root@localhost openssh-9.1p1]# ./configure --with-zlib --with-ssl-dir --with-pam --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc/ssh
    
    • 1
    • 编译 && 安装
    [root@localhost openssh-9.1p1]# make && make install
    
    /bin/mkdir -p /etc/ssh
    ssh-keygen: generating new host keys: RSA ECDSA ED25519 
    /usr/sbin/sshd -t -f /etc/ssh/sshd_config
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 分发 sshd 程序包
    [root@localhost openssh-9.1p1]# cp contrib/redhat/sshd.init /etc/init.d/sshd
    
    • 1
    验证安装结果
    [root@localhost ~]# ssh -V
    OpenSSH_9.1p1, OpenSSL 1.1.1s  1 Nov 2022
    
    • 1
    • 2

    启动 && 验证 ssh 服务

    启动服务
    [root@localhost ~]# service sshd start
    Reloading systemd:                                         [  OK  ]
    Starting sshd (via systemctl):                             [  OK  ]
    
    • 1
    • 2
    • 3
    配置开机启动
    [root@localhost ~]# chkconfig sshd on
    # 或者
    [root@localhost ~]# chkconfig --add sshd
    
    • 1
    • 2
    • 3
    验证 sshd 开机启动
    # chkconfig --list sshd
    [root@localhost ~]# chkconfig --list sshd
    
    Note: This output shows SysV services only and does not include native
          systemd services. SysV configuration data might be overridden by native
          systemd configuration.
    
          If you want to list systemd services use 'systemctl list-unit-files'.
          To see services enabled on particular target use
          'systemctl list-dependencies [target]'.
    
    sshd           	0:off	1:off	2:on	3:on	4:on	5:on	6:off
    
    • 1
    • 2
    • 3
    • 4
    • 5
    • 6
    • 7
    • 8
    • 9
    • 10
    • 11
    • 12
    配置 ssh 允许 root 远程登录
    • 修改 sshd_config 配置文件
    [root@localhost ~]# grep -E "^PermitRootLogin|^PubkeyAuthentication|^PasswordAuthentication" /etc/ssh/sshd_config 
    PermitRootLogin yes
    PubkeyAuthentication yes
    PasswordAuthentication yes
    
    • 1
    • 2
    • 3
    • 4
    • 重启 sshd 服务
    [root@localhost ~]# systemctl restart sshd
    
    • 1

    遇到问题

    未关闭 SELinux 导致 ssh 无法登录
    • messages 日志
    Nov  2 23:22:45 localhost sshd[1895]: error: Could not get shadow information for root
    Nov  2 23:22:45 localhost sshd[1895]: Failed password for root from 192.168.68.1 port 53566 ssh2
    Nov  2 23:22:46 localhost sshd[1895]: error: Received disconnect from 192.168.68.1 port 53566:0:  [preauth]
    Nov  2 23:22:46 localhost sshd[1895]: Disconnected from authenticating user root 192.168.68.1 port 53566 [preauth]
    
    • 1
    • 2
    • 3
    • 4
    • 解决办法
    # 关闭 SELinux
    [root@localhost ~]# setenforce 0
    
    • 1
    • 2

    参考

  • 相关阅读:
    python subprocess 起来的进程怎么查看是否正在运行
    Spring如何使用环境变量控制配置文件加载呢?
    Tomcat的安装配置及相关问题解决
    位运算理解与常用场景
    LeetCode·每日一题·654.最大二叉树·递归·单调栈
    spring异步线程任务Async,自定义配置线程池,Java
    Java的接口以及接口与抽象类区别
    局域网上IP多播与IP单播关于MAC地址的区别
    wireshark测试tcp三次握手与四次挥手
    基于Java+SpringBoot+Vue+协同过滤算法的电影推荐系统(亮点:智能推荐、协同过滤算法、在线支付、视频观看)
  • 原文地址:https://blog.csdn.net/u010766726/article/details/127652511