Notes
Dependencies required for the upgrade
gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel pam-devel pam* zlib*
Steps to upgrade OpenSSH
- Mount a yum source (skip this step if the build dependencies for OpenSSH are already installed)
- Install telnet-server and xinetd
- If the firewall is enabled, open port 23; confirm that you can log in to the server over telnet before touching OpenSSH at all
- Upgrade OpenSSL
- Upgrade OpenSSH
Original environment (before the upgrade)
1. OS version
# command
cat /etc/redhat-release
# output
CentOS Linux release 7.5.1804 (Core)
2. Original OpenSSL version
# command
openssl version
# output
OpenSSL 1.0.2k-fips 26 Jan 2017
3. Original OpenSSH version
# command
ssh -V
# output
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
Mounting a yum source
When the server has no internet access, mount a yum source to resolve RPM dependencies. There are two ways: a local yum source (the ISO mounted on the server itself) and a LAN yum source (a mirror served over HTTP, for the case where several servers on the same network segment need one). In both cases the packages are only as trustworthy as the ISO they come from and the signature check yum performs on them, so verify the ISO's SHA-256 against the value published with the release before using it, and keep gpgcheck=1 in every repo file.
Mounting a local yum source
- Upload the system ISO to the server
This article uses CentOS-7.5-x86_64-DVD-1804.iso, uploaded to /data.
- Mount the ISO
# create the mount point
mkdir -p /media/CentOS
# loop-mount the ISO on it
mount -o loop /data/CentOS-7.5-x86_64-DVD-1804.iso /media/CentOS
- Edit the yum repo configuration
cd /etc/yum.repos.d
# create a backup directory
mkdir backup
# move the existing repo files aside (this includes the stock CentOS-Media.repo)
mv CentOS-* backup
# create the media repo file
vi CentOS-Media.repo
Contents of CentOS-Media.repo:
[c7-media]
name=CentOS-$releasever - Media
baseurl=file:///media/CentOS
gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
Leave the gpgkey line active. With it commented out, gpgcheck=1 only works if the CentOS signing key already happens to be imported into the RPM database; pointing at the key file shipped in /etc/pki/rpm-gpg makes the check explicit, and a local path is no reason to skip signature verification.
- Test yum
# clear the cache
yum clean all
# install gcc as a test
yum install gcc
Mounting a LAN yum source
A LAN yum source needs a web server; this article uses nginx, installed on the server with IP 192.168.0.144.
If a LAN yum source is already deployed, skip the first four items (upload, mount, install and configure nginx) and only add the repo file on each client.
- Upload the system ISO to the mirror server
This article uses CentOS-7.5-x86_64-DVD-1804.iso, uploaded to /data.
- Mount the ISO
# create the mount point
mkdir -p /media/CentOS
# loop-mount the ISO on it
mount -o loop /data/CentOS-7.5-x86_64-DVD-1804.iso /media/CentOS
- Install nginx
(install nginx yourself; not covered here)
- Configure nginx
The relevant part of the nginx configuration:
server {
    listen 8888;
    charset utf-8;
    location / {
        root /media/CentOS;
        autoindex on;
    }
}
- Configure the repo file on each client
cd /etc/yum.repos.d
# create a backup directory
mkdir backup
# move the existing repo files aside
mv CentOS-* backup
# create the repo file
vi Nginx-yum.repo
Contents of Nginx-yum.repo:
[Nginx-yum]
name=Nginx-yum
#mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os&infra=$infra
baseurl=http://192.168.0.144:8888
enabled=1
gpgcheck=1
gpgkey=http://192.168.0.144:8888/RPM-GPG-KEY-CentOS-7
Note that this fetches the GPG key over plain HTTP from the same mirror that serves the packages, so anyone who can impersonate 192.168.0.144 on the segment controls both the packages and the key they are checked against. If the clients were installed from the same media, prefer gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7, which uses the key already on the client.
- Test yum
# clear the cache
yum clean all
# install gcc as a test
yum install gcc
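Two checks a practitioner would run before trusting either kind of source, given here as an added example (this is not code from the original article): verify the ISO against the SHA-256 published with the release, and audit every enabled stanza of a .repo file for gpgcheck=1 plus an active gpgkey line. The checksum-file name and the sample repo contents in the demo are constructed.

```bash
#!/bin/bash
# Added example, not part of the original article: checks to run before
# trusting a local or LAN yum source. File names are illustrative.
set -u

# verify_iso_sha256 ISO CHECKSUM_FILE
# CHECKSUM_FILE is in sha256sum format, like the sha256sum.txt CentOS publishes
# next to its ISOs. Returns 0 only if the ISO's digest matches its own entry.
verify_iso_sha256() {
    local iso="$1" sums="$2" name expected actual
    name=$(basename "$iso")
    expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1; exit }' "$sums")
    [ -n "$expected" ] || { echo "no checksum entry for $name in $sums" >&2; return 2; }
    actual=$(sha256sum "$iso" | awk '{ print $1 }')
    [ "$actual" = "$expected" ] || { echo "SHA-256 mismatch for $name" >&2; return 1; }
}

# audit_repo_file REPOFILE
# Prints one line per [stanza]; exit status 1 if any enabled stanza lacks
# gpgcheck=1 or an active gpgkey= line. A commented-out "#gpgkey=" counts as
# missing: without a key source, yum can only verify signatures if the vendor
# key already happens to be imported into the RPM database.
audit_repo_file() {
    awk '
        function flush() {
            if (sec == "") return
            if (enabled != "0" && (gpgcheck != "1" || gpgkey == "")) {
                printf "FAIL %s: gpgcheck=%s gpgkey=%s\n", sec, gpgcheck, (gpgkey == "" ? "(none)" : gpgkey)
                bad = 1
            } else {
                printf "ok   %s\n", sec
            }
        }
        function val(line) { sub(/^[^=]*=[[:space:]]*/, "", line); sub(/[[:space:]]+$/, "", line); return line }
        BEGIN { bad = 0; sec = "" }
        /^[[:space:]]*#/ { next }            # comments, including a commented #gpgkey=
        /^\[.*\]/ { flush(); sec = $0; sub(/^\[/, "", sec); sub(/\].*$/, "", sec)
                    enabled = "1"; gpgcheck = ""; gpgkey = ""; next }
        /^[[:space:]]*enabled[[:space:]]*=/  { enabled  = val($0); next }
        /^[[:space:]]*gpgcheck[[:space:]]*=/ { gpgcheck = val($0); next }
        /^[[:space:]]*gpgkey[[:space:]]*=/   { gpgkey   = val($0); next }
        END { flush(); exit bad }
    ' "$1"
}

# Constructed sample: this article's CentOS-Media.repo with the gpgkey line
# still commented out, which audit_repo_file flags.
demo() {
    local d; d=$(mktemp -d)
    printf '[c7-media]\nname=CentOS-$releasever - Media\nbaseurl=file:///media/CentOS\ngpgcheck=1\nenabled=1\n#gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7\n' > "$d/CentOS-Media.repo"
    audit_repo_file "$d/CentOS-Media.repo" || echo "fix the repo file before running yum install"
    rm -rf "$d"
}
if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with --demo to see the failing stanza report, or source it and call verify_iso_sha256 /data/CentOS-7.5-x86_64-DVD-1804.iso /data/sha256sum.txt after downloading the checksum file from the same place as the ISO.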
Installing telnet-server and xinetd
If the OpenSSH upgrade fails, or sshd fails to restart, you lose remote access to the server. Install telnet-server first so that a second way in exists to repair sshd when ssh no longer answers. Telnet carries everything, including the passwords you type, in cleartext, so treat it as a maintenance-window tool only: open it right before the upgrade, restrict it to the admin workstation where the firewall allows, and remove it again afterwards (see the last section).
Install
yum install xinetd telnet-server -y
Configure telnet
On current CentOS 7 builds, installing telnet-server and xinetd no longer creates a configuration file called telnet under /etc/xinetd.d; the service is provided as a systemd socket unit (telnet.socket) instead.
If the file below does not exist, skip this part (it was absent on the system used for this article).
ll /etc/xinetd.d/telnet
ls: cannot access /etc/xinetd.d/telnet: No such file or directory
If the file does exist, xinetd manages telnet and ships it switched off: change disable = yes to disable = no to enable it.
# change disable to no
vi /etc/xinetd.d/telnet
1. Allow root to log in on telnet terminals
Root logins over telnet are governed by /etc/securetty; append some pts terminals at the end of the file, for example:
pts/0
pts/1
pts/2
pts/3
This is what permits root to log in over the cleartext fallback, so remove these lines again when the fallback is torn down. A less exposed alternative is to leave /etc/securetty alone, log in over telnet as an ordinary user and su to root.
2. Start the telnet service and enable it at boot
# start
systemctl start telnet.socket
# enable at boot
systemctl enable telnet.socket
# check status
systemctl status telnet.socket
3. Check the listening port to confirm telnet is up
# requires net-tools; install with: yum -y install net-tools
# match the port column exactly: a bare "grep 23" also matches 2323, 8023 and process IDs
netstat -lntp | grep ':23 '
4. Firewall policy
If the firewall is enabled, open port 23 (preferred) or stop the firewall for the duration of the upgrade. Opening one port is the smaller hole: stopping firewalld exposes every listening service on the host, not just telnet.
# stop the firewall
systemctl stop firewalld
# keep it from starting at boot (only if you really want it off after a reboot; otherwise skip this line)
systemctl disable firewalld
# if you keep the firewall running, open port 23 instead
firewall-cmd --zone=public --add-port=23/tcp --permanent
# reload the firewall rules
firewall-cmd --reload
5. Test telnet connectivity
- With Xshell: choose the telnet protocol, port 23
- From the command line:
telnet <ip-address>
Keep this telnet session open for the rest of the procedure; every step below that can break sshd is run from it.
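The check to run right before the first `make install`, as an added example (not from the original article): is the fallback actually usable, and is the shell you are about to type into really the telnet one? The port matcher is a pure function so it can be exercised offline on captured `ss -lnt` or `netstat -lnt` text; the sample output below is constructed. It assumes firewalld's public zone, as used above.

```bash
#!/bin/bash
# Added example, not part of the original article: prove the fallback path
# before anything touches sshd. listening_on_port is a pure helper that can be
# exercised offline on captured "ss -lnt" / "netstat -lnt" text;
# preflight_fallback is the wrapper to run on the server itself.
set -u

# listening_on_port PORT   (reads ss -lnt or netstat -lnt output on stdin)
# Both tools put the local "address:port" in column 4; match the port at the
# end of that column only, so 23 does not match 2323, 8023 or a PID the way a
# bare `grep 23` does.
listening_on_port() {
    awk -v p="$1" '
        BEGIN { found = 0 }
        ($1 == "LISTEN" || $6 == "LISTEN") && $4 ~ ("[:.]" p "$") { found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# preflight_fallback: exit 0 only when the telnet fallback is usable and this
# shell did not itself arrive over SSH.
preflight_fallback() {
    local rc=0
    systemctl is-active --quiet telnet.socket \
        || { echo "telnet.socket is not active" >&2; rc=1; }
    ss -lnt | listening_on_port 23 \
        || { echo "nothing is listening on tcp/23" >&2; rc=1; }
    if systemctl is-active --quiet firewalld; then
        firewall-cmd --zone=public --query-port=23/tcp >/dev/null \
            || { echo "firewalld is running but 23/tcp is not open in zone public" >&2; rc=1; }
    fi
    # sshd sets SSH_CONNECTION in every session it spawns; a telnet login has no such variable.
    [ -z "${SSH_CONNECTION:-}" ] \
        || { echo "this shell came in over SSH; switch to the telnet session before continuing" >&2; rc=1; }
    return "$rc"
}
if [ "${1:-}" = "--check" ]; then preflight_fallback && echo "fallback OK, safe to proceed"; fi
```

Run it with --check from the session you intend to do the upgrade in; any line on stderr means stop and fix the fallback first.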
Install the build dependencies for OpenSSL and OpenSSH
# libselinux-devel is needed because the OpenSSH build below uses --with-selinux
yum install -y gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel pam-devel pam* zlib* libselinux-devel
Download the OpenSSL and OpenSSH source tarballs
This article uses openssl-1.1.1g.tar.gz and openssh-8.0p1.tar.gz. Fetch them from the projects' official download sites and verify them before unpacking: OpenSSL publishes a SHA-256 sum and a PGP signature (.asc) next to each tarball, and OpenSSH publishes a PGP signature. Compiling an unverified tarball as root on a server is exactly the kind of supply-chain shortcut this upgrade is meant to close.
Installing OpenSSL
Run everything from here on in the TELNET session, not over SSH. This matters: if sshd breaks, an SSH session is gone and the telnet session is the only way back in.
1. Unpack
tar -zxvf openssl-1.1.1g.tar.gz
2. Back up the original files
mv /usr/bin/openssl /usr/bin/openssl_bak
mv /usr/include/openssl /usr/include/openssl_bak
Only the binary and the headers are moved aside. Do not touch the RPM's libraries in /usr/lib64 (libssl.so.10, libcrypto.so.10): yum, curl and the still-installed OpenSSH 7.4 link against them by soname, and the 1.1.1 libraries have a different soname (libssl.so.1.1), so the two coexist.
3. Configure, build and install
cd openssl-1.1.1g/
./config shared && make && make install
4. Where things went
Inspect the resulting tree; the default prefix is /usr/local, so the binary lands in /usr/local/bin, the headers in /usr/local/include/openssl and, on x86_64, the shared libraries in /usr/local/lib64.
5. Symlink the new openssl into place
ln -s /usr/local/bin/openssl /usr/bin/openssl
ln -s /usr/local/include/openssl/ /usr/include/openssl
6. Make the new libraries known to the dynamic linker
echo "/usr/local/lib64" >> /etc/ld.so.conf
/sbin/ldconfig
7. Confirm the version
openssl version
# expected output
# OpenSSL 1.1.1g  21 Apr 2020
8. Delete the backups (optional)
Only once the new openssl is confirmed working (the version check above passes) should the backups be removed:
rm -rf /usr/bin/openssl_bak
rm -rf /usr/include/openssl_bak
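A verification pass for step 7 that goes beyond `openssl version`, as an added example (not the article's code): it checks that the openssl on PATH reports the expected version, that it actually loads libssl.so.1.1 from /usr/local/lib64 (which is what the ld.so.conf entry and ldconfig are for), and that the RPM's /usr/lib64/libssl.so.10 is still in place for yum, curl and the not-yet-replaced sshd. The two parsing helpers take text as arguments so they can be checked on captured output; the ldd lines in the test are constructed.

```bash
#!/bin/bash
# Added example, not from the original article: after `make install` of OpenSSL,
# confirm that (a) the openssl on PATH is the new one, (b) it loads libssl
# from /usr/local/lib64 rather than the RPM's /usr/lib64/libssl.so.10, and
# (c) the system copy is still there, because yum, curl and sshd 7.4 need it.
set -u

# openssl_version_of "OpenSSL 1.1.1g  21 Apr 2020"  ->  1.1.1g
openssl_version_of() {
    printf '%s\n' "$1" | awk '$1 == "OpenSSL" { print $2; exit }'
}

# lib_resolved_under LDD_TEXT LIBNAME DIR
# 0 if the ldd line for LIBNAME resolves to a file inside DIR,
# 1 if it resolves elsewhere or is reported as "not found".
lib_resolved_under() {
    printf '%s\n' "$1" | awk -v lib="$2" -v dir="$3" '
        BEGIN { rc = 1 }
        $1 == lib && $2 == "=>" && index($3, dir "/") == 1 { rc = 0 }
        END { exit rc }'
}

# verify_openssl_upgrade EXPECTED_VERSION   (run on the host, e.g. 1.1.1g)
verify_openssl_upgrade() {
    local want="$1" bin got ldd_out rc=0
    bin=$(command -v openssl) || { echo "no openssl on PATH" >&2; return 1; }
    got=$(openssl_version_of "$(openssl version)")
    [ "$got" = "$want" ] \
        || { echo "openssl on PATH ($bin) is $got, expected $want" >&2; rc=1; }
    ldd_out=$(ldd "$bin")
    lib_resolved_under "$ldd_out" libssl.so.1.1 /usr/local/lib64 \
        || { echo "$bin does not load libssl.so.1.1 from /usr/local/lib64; check /etc/ld.so.conf and rerun ldconfig" >&2; rc=1; }
    # The RPM-managed 1.0.2 library must survive: python's _ssl module (yum),
    # curl and the still-installed OpenSSH 7.4 link against it by soname.
    [ -e /usr/lib64/libssl.so.10 ] \
        || { echo "/usr/lib64/libssl.so.10 is missing; yum and curl will break" >&2; rc=1; }
    return "$rc"
}
if [ "${1:-}" = "--check" ]; then verify_openssl_upgrade "${2:-1.1.1g}" && echo "OpenSSL upgrade looks consistent"; fi
```

Run it as `--check 1.1.1g` after step 7; the ldd check is the one that catches a forgotten ldconfig, where `openssl version` still prints 1.1.1g but other programs built against the new headers fail to start.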
Installing OpenSSH
Again: run everything from here on in the TELNET session, not over SSH.
1. Unpack
tar -zxvf openssh-8.0p1.tar.gz
2. Back up the original files
mv /etc/ssh /etc/ssh_bak
mkdir /etc/ssh -p
/etc/ssh_bak now holds the server's host keys (ssh_host_*_key) as well as the old configuration. Keep it until the upgrade is verified; the host keys are copied back in step 4.1.
3. Configure, build, install
3.1. List the configure options and pick what you need
# command (configure's help works from outside the source directory)
./openssh-8.0p1/configure -h
Output:
`configure' configures OpenSSH Portable to adapt to many kinds of systems.
Usage: ./configure [OPTION]... [VAR=VALUE]...
To assign environment variables (e.g., CC, CFLAGS...), specify them as
VAR=VALUE. See below for descriptions of some of the useful variables.
Defaults for the options are specified in brackets.
Configuration:
-h, --help display this help and exit
--help=short display options specific to this package
--help=recursive display the short help of all the included packages
-V, --version display version information and exit
-q, --quiet, --silent do not print `checking ...' messages
--cache-file=FILE cache test results in FILE [disabled]
-C, --config-cache alias for `--cache-file=config.cache'
-n, --no-create do not create output files
--srcdir=DIR find the sources in DIR [configure dir or `..']
Installation directories:
--prefix=PREFIX install architecture-independent files in PREFIX
[/usr/local]
--exec-prefix=EPREFIX install architecture-dependent files in EPREFIX
[PREFIX]
By default, `make install' will install all the files in
`/usr/local/bin', `/usr/local/lib' etc. You can specify
an installation prefix other than `/usr/local' using `--prefix',
for instance `--prefix=$HOME'.
For better control, use the options below.
Fine tuning of the installation directories:
--bindir=DIR user executables [EPREFIX/bin]
--sbindir=DIR system admin executables [EPREFIX/sbin]
--libexecdir=DIR program executables [EPREFIX/libexec]
--sysconfdir=DIR read-only single-machine data [PREFIX/etc]
--sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com]
--localstatedir=DIR modifiable single-machine data [PREFIX/var]
--libdir=DIR object code libraries [EPREFIX/lib]
--includedir=DIR C header files [PREFIX/include]
--oldincludedir=DIR C header files for non-gcc [/usr/include]
--datarootdir=DIR read-only arch.-independent data root [PREFIX/share]
--datadir=DIR read-only architecture-independent data [DATAROOTDIR]
--infodir=DIR info documentation [DATAROOTDIR/info]
--localedir=DIR locale-dependent data [DATAROOTDIR/locale]
--mandir=DIR man documentation [DATAROOTDIR/man]
--docdir=DIR documentation root [DATAROOTDIR/doc/openssh]
--htmldir=DIR html documentation [DOCDIR]
--dvidir=DIR dvi documentation [DOCDIR]
--pdfdir=DIR pdf documentation [DOCDIR]
--psdir=DIR ps documentation [DOCDIR]
System types:
--build=BUILD configure for building on BUILD [guessed]
--host=HOST cross-compile to build programs to run on HOST [BUILD]
Optional Features:
--disable-option-checking ignore unrecognized --enable/--with options
--disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no)
--enable-FEATURE[=ARG] include FEATURE [ARG=yes]
--disable-largefile omit support for large files
--disable-pkcs11 disable PKCS#11 support code [no]
--disable-strip Disable calling strip(1) on install
--disable-etc-default-login Disable using PATH from /etc/default/login no
--disable-lastlog disable use of lastlog even if detected no
--disable-utmp disable use of utmp even if detected no
--disable-utmpx disable use of utmpx even if detected no
--disable-wtmp disable use of wtmp even if detected no
--disable-wtmpx disable use of wtmpx even if detected no
--disable-libutil disable use of libutil (login() etc.) no
--disable-pututline disable use of pututline() etc. (uwtmp) no
--disable-pututxline disable use of pututxline() etc. (uwtmpx) no
Optional Packages:
--with-PACKAGE[=ARG] use PACKAGE [ARG=yes]
--without-PACKAGE do not use PACKAGE (same as --with-PACKAGE=no)
--without-openssl Disable use of OpenSSL; use only limited internal crypto **EXPERIMENTAL**
--without-stackprotect Don't use compiler's stack protection
--without-hardening Don't use toolchain hardening flags
--without-rpath Disable auto-added -R linker paths
--with-cflags Specify additional flags to pass to compiler
--with-cflags-after Specify additional flags to pass to compiler after configure
--with-cppflags Specify additional flags to pass to preprocessor
--with-ldflags Specify additional flags to pass to linker
--with-ldflags-after Specify additional flags to pass to linker after configure
--with-libs Specify additional libraries to link with
--with-Werror Build main code with -Werror
--with-solaris-contracts Enable Solaris process contracts (experimental)
--with-solaris-projects Enable Solaris projects (experimental)
--with-solaris-privs Enable Solaris/Illumos privileges (experimental)
--with-osfsia Enable Digital Unix SIA
--with-zlib=PATH Use zlib in PATH
--without-zlib-version-check Disable zlib version check
--with-ldns[=PATH] Use ldns for DNSSEC support (optionally in PATH)
--with-libedit[=PATH] Enable libedit support for sftp
--with-audit=module Enable audit support (modules=debug,bsm,linux)
--with-pie Build Position Independent Executables if possible
--with-ssl-dir=PATH Specify path to OpenSSL installation
--without-openssl-header-check Disable OpenSSL version consistency check
--with-ssl-engine Enable OpenSSL (hardware) ENGINE support
--with-prngd-port=PORT read entropy from PRNGD/EGD TCP localhost:PORT
--with-prngd-socket=FILE read entropy from PRNGD/EGD socket FILE (default=/var/run/egd-pool)
--with-pam Enable PAM support
--with-pam-service=name Specify PAM service name
--with-privsep-user=user Specify non-privileged user for privilege separation
--with-sandbox=style Specify privilege separation sandbox (no, capsicum, darwin, rlimit, seccomp_filter, systrace, pledge)
--with-selinux Enable SELinux support
--with-kerberos5=PATH Enable Kerberos 5 support
--with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)
--with-xauth=PATH Specify path to xauth program
--with-maildir=/path/to/mail Specify your system mail directory
--with-mantype=man|cat|doc Set man page type
--with-md5-passwords Enable use of MD5 passwords
--without-shadow Disable shadow password support
--with-ipaddr-display Use ip address instead of hostname in $DISPLAY
--with-default-path= Specify default $PATH environment for server
--with-superuser-path= Specify different path for super-user
--with-4in6 Check for and convert IPv4 in IPv6 mapped addresses
--with-bsd-auth Enable BSD auth support
--with-pid-dir=PATH Specify location of sshd.pid file
--with-lastlog=FILE|DIR specify lastlog location common locations
Some influential environment variables:
CC C compiler command
CFLAGS C compiler flags
LDFLAGS linker flags, e.g. -L<lib dir> if you have libraries in a
nonstandard directory <lib dir>
LIBS libraries to pass to the linker, e.g. -l<library>
CPPFLAGS (Objective) C/C++ preprocessor flags, e.g. -I<include dir> if
you have headers in a nonstandard directory <include dir>
CPP C preprocessor
Use these variables to override the choices made by `configure' or to help
it to find libraries and programs with nonstandard names/locations.
Report bugs to <openssh-unix-dev@mindrot.org>.
3.2. configure
cd openssh-8.0p1
# configure
# --prefix=/usr             install over the RPM's binaries (/usr/bin/ssh, /usr/sbin/sshd)
# --sysconfdir=/etc/ssh     keep the configuration where CentOS expects it
# --with-ssl-dir=/usr/local/lib64
#                           point the linker at the freshly built libssl. The value is the lib64
#                           directory on purpose: /usr/local/lib exists (empty) on CentOS x86_64,
#                           and --with-ssl-dir=/usr/local would make configure prefer it and fall
#                           back to the system OpenSSL 1.0.2. The headers are found through the
#                           /usr/include/openssl symlink created earlier.
# --with-selinux            needs libselinux-devel installed
./configure --prefix=/usr/ --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/lib64 --with-zlib --with-md5-passwords --with-pam --with-ssl-engine --with-selinux --with-ipaddr-display
In the configure output, the lines "checking OpenSSL header version" and "checking OpenSSL library version" must both report 1.1.1g; if the library line reports 1.0.2k, the linker picked up the system copy and the resulting sshd would not be using the OpenSSL you just built.
3.3. Build and install
make && make install
make install overwrites /usr/sbin/sshd and the client binaries in place; the running 7.4 sshd keeps serving until it is restarted. It also generates any host keys missing from /etc/ssh, which is why the next step finds fresh keys there.
4. Configuration and verification (last)
4.1. Look at the configuration files
ls /etc/ssh/
# output:
moduli ssh_config sshd_config ssh_host_dsa_key ssh_host_dsa_key.pub ssh_host_ecdsa_key ssh_host_ecdsa_key.pub ssh_host_ed25519_key ssh_host_ed25519_key.pub ssh_host_rsa_key ssh_host_rsa_key.pub
These host keys were generated by make install, so they differ from the ones in /etc/ssh_bak. Copy the old ssh_host_*_key and .pub files back over them (private keys mode 600) before starting the new sshd. Otherwise every client sees a "REMOTE HOST IDENTIFICATION HAS CHANGED" warning, and users who are taught to click through that warning will click through it for a real man-in-the-middle too.
4.2. Edit the sshd configuration
vi /etc/ssh/sshd_config
UsePAM set to no
X11Forwarding set to yes
PasswordAuthentication set to yes, allow password login
PermitRootLogin set to yes, allow root login
These are the permissive values that make the first login easy to test. Be aware of what they cost: UsePAM no switches off PAM account and session handling (password expiry, locked accounts, pam_faillock) even though the binary was built with --with-pam, and PermitRootLogin yes together with PasswordAuthentication yes exposes the root password to online guessing. Once a login over the new sshd is confirmed, set PermitRootLogin back to no, turn UsePAM back on (the PAM file is installed in 4.3), and disable PasswordAuthentication where keys are deployed. Before every restart, check the file with sshd -t; a syntax error found only by the restart is what the telnet session is there to recover from, but it is cheaper not to need it.
4.3. Set up the service files
Copy the Red Hat init script and PAM file from the unpacked source tree to their targets (overwrite them if they already exist):
cp -a contrib/redhat/sshd.init /etc/init.d/sshd
cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd
chmod +x /etc/init.d/sshd
The PAM file has to be named /etc/pam.d/sshd, which is the service name sshd asks PAM for; a file called sshd.pam is never consulted (the RPM's /etc/pam.d/sshd, still present, would silently be used instead).
Move the systemd unit that came with the RPM out of the way; otherwise systemd keeps managing the RPM's unit and /etc/init.d/sshd restart does not control the service you expect. Keep a copy rather than deleting it (rpm -V and any rollback will want it), then reload systemd (systemctl daemon-reload) so that its SysV generator picks up the init script, and register the script with chkconfig:
mv /usr/lib/systemd/system/sshd.service /usr/lib/systemd/system/sshd.service.bak
chkconfig --add sshd
4.4. Enable at boot
chkconfig sshd on
4.5. Start the ssh service
# restart sshd
/etc/init.d/sshd restart
# check the listening port (match the column exactly, as for port 23 above)
netstat -lntp | grep ':22 '
# supplementary commands (run as needed)
## stop the service
/etc/init.d/sshd stop
## start the service
/etc/init.d/sshd start
## check service status
systemctl status sshd
Leave the telnet session where it is and test from a new ssh connection; do not reuse or close the fallback until the new sshd has accepted a login.
4.6. Disable SELinux
If a reboot is inconvenient, edit the configuration file first and then run setenforce 0 to switch enforcement off immediately.
Before doing so, consider that disabling SELinux weakens every service on the host, not just sshd. The usual reason a hand-built sshd misbehaves under SELinux is that make install wrote /usr/sbin/sshd, /usr/libexec/sftp-server and /etc/ssh with the wrong file labels; relabelling them with restorecon and checking /var/log/audit/audit.log for AVC denials fixes most cases without turning enforcement off.
# check the SELinux state
## "SELinux status: enabled" means it is on
/usr/sbin/sestatus -v
# disable SELinux
## immediately, until the next reboot
setenforce 0
## permanently: change SELINUX=enforcing to SELINUX=disabled (takes effect after a reboot)
vi /etc/selinux/config
5. Verify the version
ssh -V
# expected output
OpenSSH_8.0p1, OpenSSL 1.1.1g  21 Apr 2020
Note that the RPM database still records openssh-7.4p1 (rpm -q openssh), because nothing was installed through yum. Two consequences: vulnerability scanners that read package versions will keep reporting 7.4p1, and a later yum update of openssh would overwrite the hand-built binaries. Add exclude=openssh* to /etc/yum.conf, and record the manual upgrade wherever package inventory is tracked.
6. SSH connection test
ssh <user>@<ip-address>
Test from a new terminal on the workstation, as a normal user and (while PermitRootLogin yes is still set) as root; the telnet session stays open until this succeeds.
7. Reboot test (optional, depending on circumstances)
Decide based on your situation whether a reboot is acceptable: it proves that sshd comes back on its own after a restart, but a failed boot on a remote host is a far bigger problem than the one you started with.
reboot
8. Delete the backup (optional)
rm -rf /etc/ssh_bak
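An added example, not part of the original article, covering steps 4.1 and 4.2 together: carry the old host keys from /etc/ssh_bak into /etc/ssh, set sshd_config options without leaving duplicate or stale commented lines behind (the article's permissive values in one function, the values to switch to afterwards in another), and validate the result with sshd -t. Directories and files are parameters so the functions can be exercised on temporary copies; the --apply branch uses the paths from this article, and the sshd_config fragment in the test is constructed.

```bash
#!/bin/bash
# Added example, not the article's own code: (1) carry the old host keys from
# /etc/ssh_bak into the new /etc/ssh so clients do not see a
# "REMOTE HOST IDENTIFICATION HAS CHANGED" warning after the upgrade, and
# (2) set sshd_config options idempotently, with the permissive values this
# article uses next to the tightened values to apply once login is proven.
set -u

# restore_host_keys BACKUP_DIR TARGET_DIR: copy ssh_host_*_key{,.pub} across
# (overwriting the freshly generated ones) and enforce 0600 / 0644.
restore_host_keys() {
    local src="$1" dst="$2" f n=0
    for f in "$src"/ssh_host_*_key; do
        [ -f "$f" ] || continue
        cp -p "$f" "$dst/" && chmod 600 "$dst/$(basename "$f")"
        [ -f "$f.pub" ] && cp -p "$f.pub" "$dst/" && chmod 644 "$dst/$(basename "$f").pub"
        n=$((n + 1))
    done
    [ "$n" -gt 0 ] || { echo "no host keys found in $src" >&2; return 1; }
    echo "restored $n host key(s) into $dst"
}

# set_sshd_option FILE KEY VALUE: replace every active or commented "Key value"
# line with the new setting (first occurrence), or append it if absent.
set_sshd_option() {
    local file="$1" key="$2" value="$3" tmp
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" '
        BEGIN { done = 0 }
        tolower($1) == tolower(k) || tolower($1) == ("#" tolower(k)) {
            if (!done) { print k " " v; done = 1 }
            next
        }
        { print }
        END { if (!done) print k " " v }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the file's inode and mode
    rm -f "$tmp"
}

# get_sshd_option FILE KEY -> effective value (first active line wins, as in sshd)
get_sshd_option() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# apply_upgrade_settings FILE: the values this article uses to get the first
# login working. "UsePAM no" also switches off PAM account checks (expired or
# locked accounts, pam_faillock), so treat these as temporary.
apply_upgrade_settings() {
    set_sshd_option "$1" UsePAM no
    set_sshd_option "$1" X11Forwarding yes
    set_sshd_option "$1" PasswordAuthentication yes
    set_sshd_option "$1" PermitRootLogin yes
}

# apply_hardened_settings FILE: what to switch to once key-based login as a
# normal user is confirmed over the new sshd (needs /etc/pam.d/sshd in place).
apply_hardened_settings() {
    set_sshd_option "$1" UsePAM yes
    set_sshd_option "$1" X11Forwarding no
    set_sshd_option "$1" PasswordAuthentication no
    set_sshd_option "$1" PermitRootLogin no
}

# validate_sshd_config FILE: sshd -t parses the file and checks the host keys
# without starting anything; run it before every restart made over telnet.
validate_sshd_config() {
    command -v sshd >/dev/null || { echo "sshd not on PATH, skipping -t" >&2; return 0; }
    sshd -t -f "$1"
}

if [ "${1:-}" = "--apply" ]; then    # on the host, from the telnet session
    restore_host_keys /etc/ssh_bak /etc/ssh
    apply_upgrade_settings /etc/ssh/sshd_config
    validate_sshd_config /etc/ssh/sshd_config && echo "sshd_config valid; safe to restart"
fi
```

After the first successful ssh login, call apply_hardened_settings /etc/ssh/sshd_config followed by validate_sshd_config and a restart; because every setter is idempotent, running either function twice leaves exactly one line per option.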
Removing telnet-server and xinetd
Only after the OpenSSH upgrade is confirmed, remote ssh login works and sshd is enabled at boot may telnet-server and xinetd be removed. Then re-enable the firewall (if it was stopped) or remove port 23 from its allow list, and take the pts/N lines added to /etc/securetty out again, since they keep root logins permitted on pseudo-terminals.
## stop the telnet socket and xinetd (it was telnet.socket, not xinetd, that was started above)
systemctl stop telnet.socket
systemctl stop xinetd.service
## remove them from boot
systemctl disable telnet.socket
systemctl disable xinetd.service
## uninstall telnet
yum remove telnet-server xinetd -y
## close port 23
firewall-cmd --zone=public --remove-port=23/tcp --permanent
## reload the firewall rules
firewall-cmd --reload
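The complete teardown as an added example (not the article's code): it runs the commands above, restores firewalld if the quick "stop the firewall" route was taken earlier, strips the pts/N lines from /etc/securetty, and finishes by confirming nothing listens on tcp/23 any more. The securetty editor takes the file as a parameter so it can be tested on a copy; the sample file in the test is constructed.

```bash
#!/bin/bash
# Added example, not part of the original article: tear the telnet fallback
# down completely. Beyond the commands above it also restores firewalld if it
# was stopped instead of opened, and removes the pts/N lines added to
# /etc/securetty, which otherwise keep root logins permitted on
# pseudo-terminals for any service that consults that file.
set -u

# remove_pts_from_securetty FILE: delete pts/N entries (only those) and print
# how many were removed.
remove_pts_from_securetty() {
    local file="$1" tmp n
    tmp=$(mktemp)
    n=$(grep -c '^pts/[0-9][0-9]*$' "$file" || true)      # grep -c exits 1 when the count is 0
    grep -v '^pts/[0-9][0-9]*$' "$file" > "$tmp" || true   # and grep -v exits 1 when nothing is left
    cat "$tmp" > "$file"                                    # keep the file's inode and mode
    rm -f "$tmp"
    echo "$n"
}

# teardown_telnet_fallback: run as root, only after an SSH login over the new
# sshd has been confirmed from a fresh connection.
teardown_telnet_fallback() {
    systemctl stop telnet.socket xinetd.service 2>/dev/null || true
    systemctl disable telnet.socket xinetd.service 2>/dev/null || true
    yum remove -y telnet-server xinetd
    if systemctl is-active --quiet firewalld; then
        firewall-cmd --zone=public --remove-port=23/tcp --permanent
        firewall-cmd --reload
    else
        # the quick alternative earlier was to stop firewalld; put it back
        systemctl enable firewalld
        systemctl start firewalld
    fi
    echo "removed $(remove_pts_from_securetty /etc/securetty) pts entries from /etc/securetty"
    # final check: nothing may still answer on tcp/23
    if ss -lnt | awk 'BEGIN { found = 0 } $4 ~ /[:.]23$/ { found = 1 } END { exit found ? 1 : 0 }'; then
        echo "telnet fallback removed"
    else
        echo "something still listens on tcp/23" >&2
        return 1
    fi
}
if [ "${1:-}" = "--teardown" ]; then teardown_telnet_fallback; fi
```

Run it with --teardown as root; if the final check fails, look for another service bound to port 23 before assuming the fallback is gone.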