centos7.3和centos7.6升级完毕测试登录ssh以及重启后登录ssh均无问题。

前期请自行配置好yum源(如果不会请百度)

整个过程不需要卸载原先的openssl包和openssh的rpm包。不影响我们的操作

本文的环境都是系统自带的openssh,没有经历过手动编译安装方式。如果之前有手动编译安装过openssh,请参照本文自行测试是否能成功。

如果严格参照本文操作,我保证你升级没问题

centos7.6升级后的效果

[root@testssh ~]# ssh -V

OpenSSH_8.0p1, OpenSSL 1.0.2r   Feb

[root@testssh ~]# openssl version

OpenSSL 1.0.2r   Feb 

[root@testssh ~]# cat /etc/redhat-release

CentOS Linux release 7.6. (Core)

[root@testssh ~]#

 安装依赖包

升级需要几个组件,有些是和编译相关的等

[root@linux-node3 ~]# yum install  -y gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel  pam-devel

Loaded plugins: fastestmirror

Loading mirror speeds from cached hostfile

 * base: mirrors..com

 * epel: mirrors.aliyun.com

 * extras: mirrors.cn99.com

 * updates: mirrors.cn99.com

Package gcc-4.8.-.el7_6..x86_64 already installed and latest version

Package gcc-c++-4.8.-.el7_6..x86_64 already installed and latest version

Package glibc-2.17-.el7_6..x86_64 already installed and latest version

Package :make-3.82-.el7.x86_64 already installed and latest version

Package autoconf-2.69-.el7.noarch already installed and latest version

Package :openssl-1.0.2k-.el7_6..x86_64 already installed and latest version

Package :openssl-devel-1.0.2k-.el7_6..x86_64 already installed and latest version

Package pcre-devel-8.32-.el7.x86_64 already installed and latest version

Package pam-devel-1.1.-.el7.x86_64 already installed and latest version

Nothing to do

[root@linux-node3 ~]#

安装pam和zlib等(后面的升级操作可能没用到pam,安装上也没啥影响,如果不想安装pam请自行测试)

[root@linux-node3 ~]# yum install  -y pam* zlib*

Loaded plugins: fastestmirror

Loading mirror speeds from cached hostfile

 * base: mirrors..com

 * epel: mirrors.aliyun.com

 * extras: mirrors.cn99.com

 * updates: mirrors.cn99.com

Package pam_yubico-2.26-.el7.x86_64 already installed and latest version

Package pam_script-1.1.-.el7.x86_64 already installed and latest version

Package pam_oath-2.4.-.el7.x86_64 already installed and latest version

Package pam_snapper-0.2.-.el7.x86_64 already installed and latest version

Package pam_ssh_agent_auth-0.10.-2.16.el7.x86_64 already installed and latest version

Package pam_2fa-1.0-.el7.x86_64 already installed and latest version

Package pam_mapi-0.3.-.el7.x86_64 already installed and latest version

Package pam_ssh_user_auth-1.0-.el7.x86_64 already installed and latest version

Package pam_mount-2.16-.el7.x86_64 already installed and latest version

Package pam_radius-1.4.-.el7.x86_64 already installed and latest version

Package pamtester-0.1.-.el7.x86_64 already installed and latest version

Package pam_afs_session-2.6-.el7.x86_64 already installed and latest version

Package pam_pkcs11-0.6.-.el7.x86_64 already installed and latest version

Package pam-1.1.-.el7.x86_64 already installed and latest version

Package pam_ssh-2.3-.el7.x86_64 already installed and latest version

Package :pam_url-0.3.-.el7.x86_64 already installed and latest version

Package pam_wrapper-1.0.-.el7.x86_64 already installed and latest version

Package pam-kwallet-5.5.-.el7.x86_64 already installed and latest version

Package pam-devel-1.1.-.el7.x86_64 already installed and latest version

Package pam_krb5-2.4.-.el7.x86_64 already installed and latest version

Package zlib-devel-1.2.-.el7.x86_64 already installed and latest version

Package zlib-static-1.2.-.el7.x86_64 already installed and latest version

Package zlib-1.2.-.el7.x86_64 already installed and latest version

Package zlib-ada-1.4-0.5.20120830CVS.el7.x86_64 already installed and latest version

Package zlib-ada-devel-1.4-0.5.20120830CVS.el7.x86_64 already installed and latest version

Nothing to do

[root@linux-node3 ~]#

下载openssh包和openssl的包

我们都下载最新版本,下载箭头指的包

https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/

https://ftp.openssl.org/source

/

 开始安装openssl

个人习惯把安装包或者工具之类的放下面目录。根据个人喜好随便放,不影响安装

[root@linux-node3 ~]# mkdir /data/tools -p

[root@linux-node3 ~]# cd /data/tools/

[root@linux-node3 /data/tools]# rz -E

rz waiting to receive.

[root@linux-node3 /data/tools]# ll

total

-rw-r--r--  root root  Apr  : openssl-1.0.2r.tar.gz

解压文件

[root@linux-node3 /data/tools]# tar xfz openssl-1.0.2r.tar.gz

[root@linux-node3 /data/tools]# ll

total

drwxr-xr-x  root root     Apr  : openssl-1.0.2r

-rw-r--r--   root root  Apr  : openssl-1.0.2r.tar.gz

[root@linux-node3 /data/tools]# cd

[root@linux-node3 ~]#

现在是系统默认的版本,等会升级完毕对比下

[root@linux-node3 ~]# openssl version

OpenSSL 1.0.2k-fips   Jan

[root@linux-node3 ~]#

备份下面2个文件或目录(如果存在的话就执行)

[root@linux-node3 ~]# mv /usr/bin/openssl  /usr/bin/openssl_bak

[root@linux-node3 ~]# ll /usr/include/openssl

total

-rw-r--r--  root root    Mar  : aes.h

-rw-r--r--  root root   Mar  : asn1.h

-rw-r--r--  root root   Mar  : asn1_mac.h

-rw-r--r--  root root   Mar  : asn1t.h

-rw-r--r--  root root   Mar  : bio.h

-rw-r--r--  root root    Mar  : blowfish.h

......

[root@linux-node3 ~]# mv /usr/include/openssl /usr/include/openssl_bak

  

编译安装新版本的openssl

配置、编译、安装3个命令一起执行

&&符号表示前面的执行成功才会执行后面的

[root@linux-node3 ~]# cd /data/tools/openssl-1.0.2r/

[root@linux-node3 /data/tools/openssl-1.0.2r]# ./config shared && make && make install

下面2个文件或者目录做软链接 (刚才前面的步骤mv备份过原来的)

[root@linux-node3 ~]# ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl

[root@linux-node3 ~]# ln -s /usr/local/ssl/include/openssl /usr/include/openssl

[root@linux-node3 ~]# ll /usr/bin/openssl

lrwxrwxrwx  root root  Apr  : /usr/bin/openssl -> /usr/local/ssl/bin/openssl

[root@linux-node3 ~]# ll /usr/include/openssl -ld

lrwxrwxrwx  root root  Apr  : /usr/include/openssl -> /usr/local/ssl/include/openssl

[root@linux-node3 ~]#

命令行执行下面2个命令加载新配置

echo "/usr/local/ssl/lib" >> /etc/ld.so.conf

/sbin/ldconfig

查看确认版本。没问题

[root@testssh ~]# openssl version

OpenSSL 1.0.2s   May

 安装openssh 

上传openssh的tar包并解压

[root@testssh ~]# cd /data/tools/

[root@testssh tools]# ll

total

-rw-r--r--   root root  Apr  : openssh-.0p1.tar.gz

drwxr-xr-x  root root     Apr  : openssl-1.0.2r

-rw-r--r--   root root  Feb  : openssl-1.0.2r.tar.gz

-rwxr-xr-x   root root   Apr    sshd

[root@testssh tools]# tar xfz openssh-.0p1.tar.gz

[root@testssh tools]# cd openssh-.0p1

可能文件默认显示uid和gid数组都是1000,这里重新授权下。不授权可能也不影响安装(请自行测试)

[root@testssh tools]# chown -R root.root /data/tools/openssh-.0p1
 安全隐藏 SSH版本号:
telnet  172.16.230.21

Connecting to 172.16.230.21:...

Connection established.

To escape to local shell, press 'Ctrl+Alt+]'.

SSH-2.0-OpenSSH_7.4

修改

[root@node1 openssh-.0p1]# vim version.h

#define SSH_VERSION     "SenyintSSH"

#define SSH_PORTABLE    ""

#define SSH_RELEASE     SSH_VERSION SSH_PORTABLE

编译后,显示结果

telnet 172.16.230.21 

Connecting to 172.16.230.21:...

Connection established.

To escape to local shell, press 'Ctrl+Alt+]'.

SSH-2.0-SenyintSSH

  

命令行删除原先ssh的配置文件和目录

然后配置、编译、安装

注意下面编译安装的命令是一行,请把第一行末尾的 \ 去掉,然后在文本里弄成一行之后放命令行执行

rm -rf /etc/ssh/*

./configure --prefix=/usr/ --sysconfdir=/etc/ssh  --with-openssl-includes=/usr/local/ssl/include \

 --with-ssl-dir=/usr/local/ssl   --with-zlib   --with-md5-passwords   --with-pam  && make && make install

参考下我的截图

修改配置文件最终为如下内容,其他的不要动

[root@linux-node3 ~]# grep "^PermitRootLogin"  /etc/ssh/sshd_config

PermitRootLogin yes

[root@linux-node3 ~]# grep  "UseDNS"  /etc/ssh/sshd_config

UseDNS no

[root@linux-node3 ~]#

从原先的解压的包中拷贝一些文件到目标位置(如果目标目录存在就覆盖)

(可能下面的ssh.pam文件都没用到,因为sshd_config配置文件貌似没使用它,请自行测试。我这边是拷贝了)

[root@linux-node3 /data/tools/openssh-.0p1]# cp -a contrib/redhat/sshd.init /etc/init.d/sshd

[root@linux-node3 /data/tools/openssh-.0p1]# cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd.pam

[root@linux-node3 /data/tools/openssh-.0p1]# chmod +x /etc/init.d/sshd

[root@linux-node3 /data/tools/openssh-.0p1]# chkconfig --add sshd

[root@linux-node3 /data/tools/openssh-.0p1]# systemctl enable sshd

[root@linux-node3 /data/tools/openssh-.0p1]#

 把原先的systemd管理的sshd文件删除或者移走或者删除,不移走的话影响我们重启sshd服务

[root@linux-node3 ~]# mv  /usr/lib/systemd/system/sshd.service  /data/

设置sshd服务开机启动

[root@linux-node3 ~]# chkconfig sshd on

Note: Forwarding request to 'systemctl enable sshd.socket'.

Created symlink from /etc/systemd/system/sockets.target.wants/sshd.socket to /usr/lib/systemd/system/sshd.socket.

接下来测试启停服务。都正常

以后管理sshd通过下面方式了

[root@linux-node3 ~]# /etc/init.d/sshd restart

Restarting sshd (via systemctl):                           [  OK  ]

[root@linux-node3 ~]#

[root@linux-node3 ~]#

[root@linux-node3 ~]# netstat -lntp

Active Internet connections (only servers)

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name

tcp               0.0.0.0:              0.0.0.0:*               LISTEN      /sshd

tcp6              :::                   :::*                    LISTEN      /sshd

tcp6              :::                   :::*                    LISTEN      /systemd

[root@linux-node3 ~]# /etc/init.d/sshd stop

Stopping sshd (via systemctl):                             [  OK  ]

[root@linux-node3 ~]# netstat -lntp

Active Internet connections (only servers)

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name

tcp6              :::                   :::*                    LISTEN      /systemd

[root@linux-node3 ~]# /etc/init.d/sshd start

Starting sshd (via systemctl):                            [  OK  ]

[root@linux-node3 ~]#

[root@linux-node3 ~]#

使用systemd方式也行

[root@linux-node3 ~]# systemctl stop sshd

[root@linux-node3 ~]# netstat -lntp

Active Internet connections (only servers)

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name

tcp6              :::                   :::*                    LISTEN      /systemd

[root@linux-node3 ~]# systemctl start sshd

[root@linux-node3 ~]# netstat -lntp

Active Internet connections (only servers)

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name

tcp               0.0.0.0:              0.0.0.0:*               LISTEN      /sshd

tcp6              :::                   :::*                    LISTEN      /sshd

tcp6              :::                   :::*                    LISTEN      /systemd

[root@linux-node3 ~]# systemctl restart sshd

[root@linux-node3 ~]# netstat -lntp

Active Internet connections (only servers)

Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name

tcp               0.0.0.0:              0.0.0.0:*               LISTEN      /sshd

tcp6              :::                   :::*                    LISTEN      /sshd

tcp6              :::                   :::*                    LISTEN      /systemd

[root@linux-node3 ~]#

测试版本。都正常

[root@linux-node3 ~]# ssh -V

OpenSSH_8.0p1, OpenSSL 1.0.2r   Feb

[root@linux-node3 ~]#

[root@linux-node3 ~]# telnet 127.0.0.1

Trying 127.0.0.1...

Connected to 127.0.0.1.

Escape character is '^]'.

SSH-2.0-OpenSSH_8.

引用: https://www.cnblogs.com/nmap/p/10779658.html

centos7.6 升级openssh openssl的更多相关文章

  1. CentOS7.5升级OpenSSH

    实验环境 OS:CentOS 7.5 当前openssh版本:OpenSSH_7.4p1 升级后的openssh版本:OpenSSH_8.0p1 开通telnet 为了防止升级过程中ssh断连,保险起 ...

  2. centos7 升级openssh到openssh-8.0p1版本

    环境介绍 centos7.3和centos7.6升级完毕测试登录ssh以及重启后登录ssh均无问题. 前期请自行配置好yum源(如果不会请百度) 整个过程不需要卸载原先的openssl包和openss ...

  3. openssh/openssl升级到7.4和1.0.2j 源码方式

    #!/bin/bashtar -xvf openssh-7.4p1.tar.gztar -xvf openssl-1.0.2j.tar.gz 升级 openssl 到1.0.2jcd openssl- ...

  4. 升级openssh基于openssl

    OpenSSH is the premier connectivity tool for remote login with the SSH protocol. It encrypts all tra ...

  5. 升级OPENSSH 和 OPENSSL

    升级OPENSSH 和 OPENSSL   首先安装telnet服务,防止在操作过程中导致ssh远程中断   # 安装Telnetyum install telnet-server -y chkcon ...

  6. centos7升级openssh

    注意: openssl版本(openssl版本要大于1.0.1,zlib版本要大于1.1.4) 一.安装依赖包 yum -y install gcc make perl # zlib zlib-dev ...

  7. CentOS 6.9 升级OpenSSH版本 关闭ssh服务后门

    最近用低版本的OpenSSH(5.9p1版本) 的漏洞给系统留了个后门 , 可以劫持root密码或者给root开启后门密码 : 利用Openssh后门 劫持root密码 如果公司还在用CentOS6的 ...

  8. CentOS 升级 openSSH

    openSSH作为linux远程连接工具,容易受到攻击,必须更新版本来解决,低版本有如下等漏洞: a. OpenSSH 远程代码执行漏洞(CVE-2016-10009) b.  OpenSSH aut ...

  9. centos6升级openssh至7.9

    1.为了防止升级失败登陆不了,所以需要安装telnet mkdir /root/ssh_updateyum install -y telnet-serveryum install -y xinetd ...

随机推荐

  1. b/s实现大文件上传分片上传断点续传

    关键部分 前端用file.slice()分块 前端用FileReader获取每一分块的md5值 后端用MultipartFile接受分块文件 后端用FileOutputStream拼装分块文件 话不多 ...

  2. linux 安装gcc 和 g++

    以CentOS为例,安装后是没有C语言和C++编译环境的,需要手动安装,最简单的是用yum的方式安装,过程如下: 1.安装gcc yum install gcc 询问是否,按y键回车即可,或者 yum ...

  3. GSS3 C - Can you answer these queries III

    //在gss1的基础上加了修改操作,一样的做法,加一个modify函数就可以了 #include<iostream> #include<cstdio> #include< ...

  4. makefile通用模板(二)

    DIR_INC = ./include DIR_SRC = ./src DIR_OBJ = ./obj DIR_BIN = ./bin DIR_LIB = /home/exbot/lib LIBS = ...

  5. React.createElement 与 JSX

    DOM 向JSX的演进 网页由 DOM 元素构成.React DOM 并不是浏览器的 DOM,而React DOM 只是用来告诉浏览器如何创建 DOM 的方法.通常情况下,我们并不需要 React 就 ...

  6. Kestrel: System.Exception: Error -4092 EACCES permission denied

    字面理解:  权限问题.. 这种情况往往是因为运行的端口被占用.. 可能是iis上有些站点使用了这个端口.. 也可能是其他原因.. 但大部分是端口问题..

  7. 基于Redis的分布式锁到底安全吗(上)?

    基于Redis的分布式锁到底安全吗(上)?  2017-02-11 网上有关Redis分布式锁的文章可谓多如牛毛了,不信的话你可以拿关键词“Redis 分布式锁”随便到哪个搜索引擎上去搜索一下就知道了 ...

  8. Laravel中的Storage::disk

    Laravel中的Storage::disk 一.总结 一句话总结: Storage的disk的路径和file的路径都是一回事,都是config/filesystems.php配置文件中disks 比 ...

  9. JVM 初始化阶段例子 final常量

    1.创建FinalTest类,里面有一个final常量x class FinalTest{ public static final int x = 3; static { System.out.pri ...

  10. Tosca : 扩展dll动态语言 识别点击下拉, 识别成table

    放到这 配置 重启 tosca  command