CentOS 7 OpenSSH upgrade plan

ZFIREH, 2020-07-09, 228 views

Notes

Dependencies required for the upgrade

gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel pam-devel pam* zlib*

OpenSSH upgrade steps

  1. Mount a yum repository (skip this step if the OpenSSH dependencies are already complete)
  2. Install telnet-server and xinetd
  3. If the firewall is enabled, open port 23; make sure you can log in to the server over telnet before performing any of the OpenSSH upgrade operations
  4. Upgrade OpenSSL
  5. Upgrade OpenSSH

Original environment information (before the upgrade)

1. System version

# command
cat /etc/redhat-release 
# version information
CentOS Linux release 7.5.1804 (Core)

2. Original OpenSSL version

# command
openssl version
# version information
OpenSSL 1.0.2k-fips  26 Jan 2017

3. Original OpenSSH version

# command
ssh -V 
# version information
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017

Mounting a yum repository

When the server has no internet access, mount a yum repository to resolve rpm dependencies. There are two ways to do this: mount a local yum repository, or mount a LAN yum repository (when several servers on the same network segment need one).

Mounting a local yum repository

  1. Upload the system ISO image to the server

    This article uses CentOS-7.5-x86_64-DVD-1804.iso as the example, uploaded to the /data directory

  2. Mount the image file

    # create the mount point
    mkdir -p /media/CentOS
    # mount the image file on it
    mount -o loop CentOS-7.5-x86_64-DVD-1804.iso /media/CentOS
    
  3. Modify the yum repo configuration

    cd /etc/yum.repos.d
    # create a backup directory
    mkdir backup
    # back up the existing repo files
    mv CentOS-* backup
    # create the repo file
    vi CentOS-Media.repo
    

    CentOS-Media.repo contents:

    [c7-media]
    name=CentOS-$releasever - Media
    baseurl=file:///media/CentOS
    gpgcheck=1
    enabled=1
    #gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
    
  4. Test yum

    # clear the cache
    yum clean all
    # install gcc as a test
    yum install gcc
    

Mounting a LAN yum repository

A LAN repository needs a web server; this article uses nginx as the example, installed on the server with IP 192.168.0.144.

If a LAN yum repository is already deployed, skip steps 1 to 4

  1. Upload the system ISO image to the server

    This article uses CentOS-7.5-x86_64-DVD-1804.iso as the example, uploaded to the /data directory

  2. Mount the image file

    # create the mount point
    mkdir -p /media/CentOS
    # mount the image file on it
    mount -o loop CentOS-7.5-x86_64-DVD-1804.iso /media/CentOS
    
  3. Install nginx

    (install nginx on your own)

  4. Configure nginx

    The relevant part of the nginx configuration:

    server {
        listen	8888;
        charset utf-8;
        location / {
            root   /media/CentOS;
            autoindex on;
        }
    }
    
  5. Configure the LAN yum repo on the clients

    cd /etc/yum.repos.d
    # create a backup directory
    mkdir backup
    # back up the existing repo files
    mv CentOS-* backup
    # create the repo file
    vi Nginx-yum.repo 
    

    Nginx-yum.repo contents:

    [Nginx-yum]
    name=Nginx-yum
    #mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os&infra=$infra
    baseurl=http://192.168.0.144:8888
    enabled=1
    gpgcheck=1
    gpgkey=http://192.168.0.144:8888/RPM-GPG-KEY-CentOS-7
    
  6. Test yum

    # clear the cache
    yum clean all
    # install gcc as a test
    yum install gcc
    

Installing telnet-server and xinetd

During the OpenSSH upgrade, a failed upgrade or a failed sshd restart would leave the server unreachable remotely, so we first install the telnet-server service as a way to connect and restore ssh if the ssh connection no longer works.

Installation

yum install xinetd telnet-server -y

Configuring telnet

On many current CentOS 7 builds there is no configuration file called telnet after installing telnet-server and xinetd.

If the telnet file below does not exist, this part of the changes can be skipped (it was not present when I tested).

ll /etc/xinetd.d/telnet
ls: 无法访问/etc/xinetd.d/telnet: 没有那个文件或目录

If the file exists, change the configuration so telnet allows root login: change disable = no to disable = yes

# set disable to yes
vi /etc/xinetd.d/telnet

1. Configure the terminal types allowed for telnet login

Append some pts terminals to the end of /etc/securetty, as follows

pts/0
pts/1
pts/2
pts/3

2. Start the telnet service and enable it at boot

# start
systemctl start telnet.socket
# enable at boot
systemctl enable telnet.socket
# check status
systemctl status  telnet.socket

3. Check the listening port and confirm telnet is working

# check listening ports; requires net-tools, install with: yum -y install net-tools
netstat -lntp | grep 23

4. Set the firewall policy

If the firewall is enabled, open port 23, or stop the firewall temporarily

# stop the firewall
systemctl stop firewalld
# disable the firewall at boot
systemctl disable firewalld
# if you choose not to stop the firewall, open port 23 instead
firewall-cmd --zone=public --add-port=23/tcp --permanent
# reload the firewall rules
firewall-cmd --reload

5. Test telnet connectivity

  • Connect with Xshell, protocol telnet, port 23

  • Connect from the command line

    telnet <IP address>
    

Installing the dependencies needed by OpenSSL and OpenSSH

yum install  -y gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel  pam-devel pam* zlib*

Downloading the OpenSSL and OpenSSH source tarballs

OpenSSL FTP site
OpenSSH FTP site

This article uses openssl-1.1.1g.tar.gz and openssh-8.0p1.tar.gz as the example

Installing OpenSSL

Perform the following operations logged in over TELNET. Perform the following operations logged in over TELNET. Perform the following operations logged in over TELNET.

1. Extract

tar -zxvf openssl-1.1.1g.tar.gz

2. Back up the original files

mv /usr/bin/openssl /usr/bin/openssl_bak
mv /usr/include/openssl /usr/include/openssl_bak

3. Compile and install

cd openssl-1.1.1g/
./config shared && make && make install

4. Follow-up configuration

Check the directory layout of the compiled OpenSSL; by default it is installed under /usr/local

5. Symlink the OpenSSL directories

ln -s /usr/local/bin/openssl /usr/bin/openssl
ln -s /usr/local/include/openssl/ /usr/include/openssl

6. Load the new library path

echo "/usr/local/lib64"   >> /etc/ld.so.conf
/sbin/ldconfig

7. Confirm the version

openssl version
# output:
# OpenSSL 1.1.1d  10 Sep 2019

8. Delete the backup files (optional)

Once OpenSSL is installed successfully, once OpenSSL is installed successfully, once OpenSSL is installed successfully; the earlier backup files can be deleted

rm -rf /usr/bin/openssl_bak
rm -rf /usr/include/openssl_bak

Installing OpenSSH

Perform the following operations logged in over TELNET. Perform the following operations logged in over TELNET. Perform the following operations logged in over TELNET.

1. Extract

tar -zxvf openssh-8.0p1.tar.gz

2. Back up the original files

mv /etc/ssh /etc/ssh_bak
mkdir /etc/ssh -p

3. Configure, compile, install

3.1. Review the configure options and choose as needed

Command

./configure -h

Output:

`configure' configures OpenSSH Portable to adapt to many kinds of systems.

Usage: ./configure [OPTION]... [VAR=VALUE]...

To assign environment variables (e.g., CC, CFLAGS...), specify them as
VAR=VALUE.  See below for descriptions of some of the useful variables.

Defaults for the options are specified in brackets.

Configuration:
  -h, --help              display this help and exit
      --help=short        display options specific to this package
      --help=recursive    display the short help of all the included packages
  -V, --version           display version information and exit
  -q, --quiet, --silent   do not print `checking ...' messages
      --cache-file=FILE   cache test results in FILE [disabled]
  -C, --config-cache      alias for `--cache-file=config.cache'
  -n, --no-create         do not create output files
      --srcdir=DIR        find the sources in DIR [configure dir or `..']

Installation directories:
  --prefix=PREFIX         install architecture-independent files in PREFIX
                          [/usr/local]
  --exec-prefix=EPREFIX   install architecture-dependent files in EPREFIX
                          [PREFIX]

By default, `make install' will install all the files in
`/usr/local/bin', `/usr/local/lib' etc.  You can specify
an installation prefix other than `/usr/local' using `--prefix',
for instance `--prefix=$HOME'.

For better control, use the options below.

Fine tuning of the installation directories:
  --bindir=DIR            user executables [EPREFIX/bin]
  --sbindir=DIR           system admin executables [EPREFIX/sbin]
  --libexecdir=DIR        program executables [EPREFIX/libexec]
  --sysconfdir=DIR        read-only single-machine data [PREFIX/etc]
  --sharedstatedir=DIR    modifiable architecture-independent data [PREFIX/com]
  --localstatedir=DIR     modifiable single-machine data [PREFIX/var]
  --libdir=DIR            object code libraries [EPREFIX/lib]
  --includedir=DIR        C header files [PREFIX/include]
  --oldincludedir=DIR     C header files for non-gcc [/usr/include]
  --datarootdir=DIR       read-only arch.-independent data root [PREFIX/share]
  --datadir=DIR           read-only architecture-independent data [DATAROOTDIR]
  --infodir=DIR           info documentation [DATAROOTDIR/info]
  --localedir=DIR         locale-dependent data [DATAROOTDIR/locale]
  --mandir=DIR            man documentation [DATAROOTDIR/man]
  --docdir=DIR            documentation root [DATAROOTDIR/doc/openssh]
  --htmldir=DIR           html documentation [DOCDIR]
  --dvidir=DIR            dvi documentation [DOCDIR]
  --pdfdir=DIR            pdf documentation [DOCDIR]
  --psdir=DIR             ps documentation [DOCDIR]

System types:
  --build=BUILD     configure for building on BUILD [guessed]
  --host=HOST       cross-compile to build programs to run on HOST [BUILD]

Optional Features:
  --disable-option-checking  ignore unrecognized --enable/--with options
  --disable-FEATURE       do not include FEATURE (same as --enable-FEATURE=no)
  --enable-FEATURE[=ARG]  include FEATURE [ARG=yes]
  --disable-largefile     omit support for large files
  --disable-pkcs11        disable PKCS#11 support code [no]
  --disable-strip         Disable calling strip(1) on install
  --disable-etc-default-login Disable using PATH from /etc/default/login no
  --disable-lastlog       disable use of lastlog even if detected no
  --disable-utmp          disable use of utmp even if detected no
  --disable-utmpx         disable use of utmpx even if detected no
  --disable-wtmp          disable use of wtmp even if detected no
  --disable-wtmpx         disable use of wtmpx even if detected no
  --disable-libutil       disable use of libutil (login() etc.) no
  --disable-pututline     disable use of pututline() etc. (uwtmp) no
  --disable-pututxline    disable use of pututxline() etc. (uwtmpx) no

Optional Packages:
  --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
  --without-PACKAGE       do not use PACKAGE (same as --with-PACKAGE=no)
  --without-openssl       Disable use of OpenSSL; use only limited internal crypto **EXPERIMENTAL**
  --without-stackprotect  Don't use compiler's stack protection
  --without-hardening     Don't use toolchain hardening flags
  --without-rpath         Disable auto-added -R linker paths
  --with-cflags           Specify additional flags to pass to compiler
  --with-cflags-after     Specify additional flags to pass to compiler after configure
  --with-cppflags         Specify additional flags to pass to preprocessor
  --with-ldflags          Specify additional flags to pass to linker
  --with-ldflags-after    Specify additional flags to pass to linker after configure
  --with-libs             Specify additional libraries to link with
  --with-Werror           Build main code with -Werror
  --with-solaris-contracts Enable Solaris process contracts (experimental)
  --with-solaris-projects Enable Solaris projects (experimental)
  --with-solaris-privs    Enable Solaris/Illumos privileges (experimental)
  --with-osfsia           Enable Digital Unix SIA
  --with-zlib=PATH        Use zlib in PATH
  --without-zlib-version-check Disable zlib version check
  --with-ldns[=PATH]      Use ldns for DNSSEC support (optionally in PATH)
  --with-libedit[=PATH]   Enable libedit support for sftp
  --with-audit=module     Enable audit support (modules=debug,bsm,linux)
  --with-pie              Build Position Independent Executables if possible
  --with-ssl-dir=PATH     Specify path to OpenSSL installation
  --without-openssl-header-check Disable OpenSSL version consistency check
  --with-ssl-engine       Enable OpenSSL (hardware) ENGINE support
  --with-prngd-port=PORT  read entropy from PRNGD/EGD TCP localhost:PORT
  --with-prngd-socket=FILE read entropy from PRNGD/EGD socket FILE (default=/var/run/egd-pool)
  --with-pam              Enable PAM support
  --with-pam-service=name Specify PAM service name
  --with-privsep-user=user Specify non-privileged user for privilege separation
  --with-sandbox=style    Specify privilege separation sandbox (no, capsicum, darwin, rlimit, seccomp_filter, systrace, pledge)
  --with-selinux          Enable SELinux support
  --with-kerberos5=PATH   Enable Kerberos 5 support
  --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)
  --with-xauth=PATH       Specify path to xauth program
  --with-maildir=/path/to/mail    Specify your system mail directory
  --with-mantype=man|cat|doc  Set man page type
  --with-md5-passwords    Enable use of MD5 passwords
  --without-shadow        Disable shadow password support
  --with-ipaddr-display   Use ip address instead of hostname in $DISPLAY
  --with-default-path=    Specify default $PATH environment for server
  --with-superuser-path=  Specify different path for super-user
  --with-4in6             Check for and convert IPv4 in IPv6 mapped addresses
  --with-bsd-auth         Enable BSD auth support
  --with-pid-dir=PATH     Specify location of sshd.pid file
  --with-lastlog=FILE|DIR specify lastlog location common locations

Some influential environment variables:
  CC          C compiler command
  CFLAGS      C compiler flags
  LDFLAGS     linker flags, e.g. -L<lib dir> if you have libraries in a
              nonstandard directory <lib dir>
  LIBS        libraries to pass to the linker, e.g. -l<library>
  CPPFLAGS    (Objective) C/C++ preprocessor flags, e.g. -I<include dir> if
              you have headers in a nonstandard directory <include dir>
  CPP         C preprocessor

Use these variables to override the choices made by `configure' or to help
it to find libraries and programs with nonstandard names/locations.

Report bugs to <openssh-unix-dev@mindrot.org>.

3.2. configure

cd openssh-8.0p1
# configure
./configure --prefix=/usr/ --sysconfdir=/etc/ssh  --with-ssl-dir=/usr/local/lib64 --with-zlib   --with-md5-passwords   --with-pam --with-ssl-engine --with-selinux --with-ipaddr-display

3.3. Install

make && make install

4. Configuration and verification (last)

4.1. Check the generated configuration files

ls /etc/ssh/
# output:
moduli  ssh_config  sshd_config  ssh_host_dsa_key  ssh_host_dsa_key.pub  ssh_host_ecdsa_key  ssh_host_ecdsa_key.pub  ssh_host_ed25519_key  ssh_host_ed25519_key.pub  ssh_host_rsa_key  ssh_host_rsa_key.pub

4.2. Edit the sshd configuration file

vi /etc/ssh/sshd_config

Set UsePAM to no

Set X11Forwarding to yes

Set PasswordAuthentication to yes to allow password login

Set PermitRootLogin to yes to allow root login
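A check for the edits in 4.2, added here as an example and not part of the original post: sshd uses the first active occurrence of each keyword, so a value appended at the end of sshd_config silently loses to an earlier line, and a still-commented line leaves the compiled-in default in force. The script reads the global section of a config file (the sample below is constructed) and reports which of the four requested settings do not actually hold.

```sh
#!/bin/sh
# Added example, not from the original post: report the value sshd will
# actually use for a keyword. sshd takes the FIRST active occurrence of each
# keyword, so a line appended at the bottom of sshd_config is ignored when an
# earlier uncommented line already sets it. Assumes the common "Keyword value"
# form and reads only the global section (stops at the first Match block).
sshd_effective_value() {
    # $1 = config file, $2 = keyword (sshd treats keywords case-insensitively)
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comment or blank line
        tolower($1) == "match" { exit }                  # per-connection section
        tolower($1) == key     { print $2; exit }        # first match wins
    ' "$1"
}

# Compare "Keyword expected" pairs read from stdin against the file. Prints
# one "Keyword expected actual" line per mismatch and returns 1 if any.
sshd_check_expected() {
    file="$1"; rc=0
    while read -r kw want; do
        [ -n "$kw" ] || continue
        got="$(sshd_effective_value "$file" "$kw")"
        [ -n "$got" ] || got="(default)"
        if [ "$got" != "$want" ]; then
            echo "$kw $want $got"; rc=1
        fi
    done
    return "$rc"
}

# Constructed sample showing the pitfall: "PermitRootLogin yes" was appended
# last, but the earlier "PermitRootLogin no" wins; PasswordAuthentication is
# still commented out, so the compiled-in default applies.
SAMPLE_CFG="$(mktemp)"
cat > "$SAMPLE_CFG" <<'EOF'
#PermitRootLogin prohibit-password
PermitRootLogin no
X11Forwarding yes
#PasswordAuthentication yes
usepam no
PermitRootLogin yes
EOF

# The four settings step 4.2 asks for; prints the two that do not hold.
check_step_42() {
    printf '%s\n' "UsePAM no" "X11Forwarding yes" \
        "PasswordAuthentication yes" "PermitRootLogin yes" \
        | sshd_check_expected "$SAMPLE_CFG" || true
}
```

After editing the real file, `sshd -t` reports syntax errors without touching the running daemon; run it before the restart in 4.5 so a typo never has to be repaired over the telnet fallback.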

4.3. Set up the init script

Copy a few files from the extracted source tree to their target locations (overwrite if the target already exists)

cp -a contrib/redhat/sshd.init /etc/init.d/sshd
cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd.pam
chmod +x /etc/init.d/sshd
 
chkconfig --add sshd
systemctl enable sshd

Delete or move aside the old systemd-managed sshd unit file; if it is left in place it interferes with restarting the sshd service

rm  /usr/lib/systemd/system/sshd.service

4.4. Enable start at boot

chkconfig sshd on

4.5. Start the ssh service

# restart the sshd service
/etc/init.d/sshd restart
# check the listening port
netstat -lntp | grep 22

# the commands below are supplementary (run as needed)
## stop the service
/etc/init.d/sshd stop
## start the service
/etc/init.d/sshd start
## check service status
systemctl status sshd

4.6. Disable SELinux

If rebooting the server is inconvenient, first edit the config file to disable SELinux, then run setenforce 0 to disable it temporarily

# check SELinux status
## if the SELinux status parameter is enabled, it is on
/usr/sbin/sestatus -v
# disable SELinux
## temporarily
setenforce 0
## permanently: change SELINUX=enforcing to SELINUX=disabled (requires a reboot)
vi /etc/selinux/config

5. Verify the version

ssh -V
# output:
OpenSSH_8.0p1, OpenSSL 1.1.1g  21 Apr 2020
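Added example, not from the original post: before the telnet fallback is removed, confirm that the upgrade really took effect. The client must report at least the target version, and the new sshd binary must resolve libssl/libcrypto from the /usr/local/lib64 directory added to ld.so.conf earlier rather than the distro copy under /usr/lib64 (or "not found"). The parsing functions take command output as strings so they can be tried on the constructed samples; verify_live() runs them on the host and assumes the sshd path /usr/sbin/sshd, which follows from --prefix=/usr but is not stated on the page.

```sh
#!/bin/sh
# Added example, not part of the original post: checks to run before the
# telnet fallback is removed. Parsing functions take command output as a
# string so they can be exercised on the constructed samples below;
# verify_live() runs them on the host (assumes /usr/sbin/sshd and the
# /usr/local/lib64 library directory used earlier on this page).

# Extract "major.minor" from an "ssh -V" line such as
# "OpenSSH_8.0p1, OpenSSL 1.1.1g  21 Apr 2020"; prints nothing if unparseable.
openssh_major_minor() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p'
}

# Return 0 if version $1 is at least $2 (both "major.minor"); an empty
# version (unparseable "ssh -V" output) counts as too old.
version_ge() {
    [ -n "$1" ] && [ -n "$2" ] || return 1
    a1=${1%%.*}; a2=${1#*.}; b1=${2%%.*}; b2=${2#*.}
    [ "$a1" -gt "$b1" ] || { [ "$a1" -eq "$b1" ] && [ "$a2" -ge "$b2" ]; }
}

# Given ldd output, return 0 only if every libssl/libcrypto line resolves
# to a file under directory $2. "not found" and the distro's copy under
# /usr/lib64 both fail: the binary would still be running old OpenSSL code.
crypto_libs_from() {
    printf '%s\n' "$1" | awk -v dir="$2" '
        BEGIN { bad = 0 }
        /libssl|libcrypto/ { if ($3 == "" || index($3, dir "/") != 1) bad++ }
        END { exit bad > 0 }'
}

# Constructed samples standing in for live command output.
SAMPLE_OLD_V='OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017'
SAMPLE_NEW_V='OpenSSH_8.0p1, OpenSSL 1.1.1g  21 Apr 2020'
SAMPLE_LDD_GOOD='  libssl.so.1.1 => /usr/local/lib64/libssl.so.1.1 (0x00007f1a)
  libcrypto.so.1.1 => /usr/local/lib64/libcrypto.so.1.1 (0x00007f1b)
  libz.so.1 => /lib64/libz.so.1 (0x00007f1c)'
SAMPLE_LDD_BAD='  libssl.so.10 => /usr/lib64/libssl.so.10 (0x00007f1a)
  libcrypto.so.1.1 => not found'

# Run on the upgraded host; a non-zero exit means do not remove telnet yet.
verify_live() {
    version_ge "$(openssh_major_minor "$(ssh -V 2>&1)")" 8.0 &&
        crypto_libs_from "$(ldd /usr/sbin/sshd)" /usr/local/lib64
}
```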

6. SSH connection test

ssh <username>@<IP address>

7. Server reboot test (optional; decide based on your situation whether to reboot)

Decide based on your situation whether to reboot, decide based on your situation whether to reboot, decide based on your situation whether to reboot; important things are said three times

reboot now

8. Delete the backup files (optional)

rm -rf /etc/ssh_bak

Uninstalling telnet-server and xinetd

Once the OpenSSH upgrade has succeeded, remote connections work normally and start at boot is enabled; once the OpenSSH upgrade has succeeded, remote connections work normally and start at boot is enabled; once the OpenSSH upgrade has succeeded, remote connections work normally and start at boot is enabled; then telnet-server and xinetd can be uninstalled, and the firewall enabled or port 23 removed from the firewall allow list

## stop xinetd
systemctl stop xinetd.service
## remove from boot autostart
systemctl disable xinetd.service
## uninstall telnet
yum remove telnet-server xinetd -y
## remove the open port 23
firewall-cmd --zone=public --remove-port=23/tcp --permanent
## reload the firewall policy
firewall-cmd --reload