centos升級openssh方法及步驟


1.下載要升級到的openssh包
https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.4p1.tar.gz
--下載後先用官方發布的簽名或校驗值核對壓縮包,確認無誤再編譯安裝;實際升級時請選用官方當前仍在維護的版本

2.升級openssh前開通telnet(作為升級期間sshd不可用時的備用登錄通道)
--telnet以明文傳輸用戶名和密碼,僅應在可信的管理網段內臨時開啟,升級完成後按第7步關閉
1)查看telnet包
rpm -qa|grep telnet
--如未安裝,則yum安裝
# yum install telnet
# yum install telnet-server

2)啟動telnet
--編輯telnet文件,將disable改成no
# vi /etc/xinetd.d/telnet
# default: on
# description: The telnet server serves telnet sessions; it uses \
# unencrypted username/password pairs for authentication.
service telnet
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
disable = no
}

--重啟xinetd服務
service xinetd restart
or
/etc/rc.d/init.d/xinetd restart

--通過telnet連接服務器

c:\> telnet 192.168.5.5
--默認telnet只能以普通用戶登錄,登錄後再切換到root用戶

3.備份原openssh相關文件
# cp /usr/sbin/sshd /usr/sbin/sshd.bak
# cp /etc/ssh/ssh_config /etc/ssh/ssh_config.bak
# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
# cp /etc/ssh/moduli /etc/ssh/moduli.bak
--刪除掉下面三個文件,否則安裝的時候會報錯.
rm -rf /etc/ssh/ssh_config
rm -rf /etc/ssh/sshd_config
rm -rf /etc/ssh/moduli
--安裝編譯所需包
yum install gcc
yum install pam-devel
yum install zlib-devel
yum install openssl-devel

4.解壓並安裝新版本openssh
# tar -zxvf openssh-7.4p1.tar.gz
# cd openssh-7.4p1
#./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-pam --with-md5-passwords --mandir=/usr/share/man
--configure報錯終止,重新編譯前先清理之前的編譯信息.
# make clean
# ldconfig
# ./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-pam --with-md5-passwords --mandir=/usr/share/man
# make && make install

# /etc/init.d/sshd restart

5.覆蓋舊的文件
# cp -p /softs/openssh-7.4p1/contrib/redhat/sshd.init /etc/init.d/sshd
# chmod u+x /etc/init.d/sshd
# chkconfig --add sshd
# cp /usr/local/openssh/sbin/sshd /usr/sbin/sshd

# cp /usr/local/openssh/sbin/sshd /usr/sbin/sshd
cp: overwrite `/usr/sbin/sshd'? y
cp: cannot create regular file `/usr/sbin/sshd': Text file busy
--文件正在被使用(sshd進程仍在運行),需先查出其進程號並結束;下面kill的進程號以ps實際查到的為準
# ps -ef|grep sshd

# kill -9 77777
# ps -ef|grep sshd

--重新覆蓋:
# cp /usr/local/openssh/bin/ssh /usr/bin/ssh
# service sshd restart

Stopping sshd: [ OK ]
ssh-keygen: illegal option -- A
usage: ssh-keygen [options]
Options:
...

# cat /etc/init.d/sshd
# start: excerpt of the sshd init script's start routine. It makes sure host
# keys exist, relabels the public host key files when restorecon is available,
# then launches the daemon and records a subsys lock file on success.
start()
{
# Create keys if necessary
# "-A" asks ssh-keygen to generate any missing host keys of the default types.
# The path is hard-coded to /usr/bin/ssh-keygen, so an older binary left at
# that path rejects the option ("illegal option -- A") and no keys are created.
/usr/bin/ssh-keygen -A
# Only when restorecon is present and executable: reset the SELinux labels on
# the four public host key files listed here.
if [ -x /sbin/restorecon ]; then
/sbin/restorecon /etc/ssh/ssh_host_key.pub
/sbin/restorecon /etc/ssh/ssh_host_rsa_key.pub
/sbin/restorecon /etc/ssh/ssh_host_dsa_key.pub
/sbin/restorecon /etc/ssh/ssh_host_ecdsa_key.pub
fi

echo -n $"Starting $prog:"
# SSHD, OPTIONS, success and failure are defined outside this excerpt
# (presumably earlier in the init script or in a sourced function library).
$SSHD $OPTIONS && success || failure
# $? here is the status of the last command that ran in the &&/|| list above.
RETVAL=$?
# Create the subsys lock file only when RETVAL is 0.
[ $RETVAL -eq 0 ] && touch /var/lock/subsys/sshd
echo
}
--因低版本的ssh-keygen沒有-A參數,因此,如下解決。
# cp /usr/local/openssh/bin/ssh-keygen /usr/bin/ssh-keygen

--重啟sshd服務:
# service sshd restart

# vi /etc/ssh/sshd_config

--去掉如下條目注釋,允許root通過ssh登錄(如非必需,建議改為 prohibit-password 只允許密鑰登錄,或設為 no 後以普通用戶登錄再提權)
PermitRootLogin yes

--注釋掉下面三個參數(注意:注釋掉UsePAM後,sshd不再經過PAM的認證、賬戶與會話檢查,依賴PAM的登錄限制將不再對ssh生效,修改前請確認沒有策略依賴它)
#GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
#UsePAM yes

6.重啟sshd服務,並通過ssh連接服務器
# service sshd restart
c:\> ssh 192.168.5.5

# ssh -V

7.確認ssh可正常登錄後,禁用telnet
# vi /etc/xinetd.d/telnet

# default: on
# description: The telnet server serves telnet sessions; it uses \
# unencrypted username/password pairs for authentication.
service telnet
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
disable = yes
}

--停止xinetd服務並取消開機自啟,完成後確認23端口已不再監聽
# service xinetd stop
# chkconfig --list xinetd
# chkconfig xinetd off
# chkconfig --list xinetd

--如winscp登錄linux報錯,可如下解決
# vi /etc/ssh/sshd_config
--注釋掉如下條目
#Subsystem sftp /usr/libexec/openssh/sftp-server
--添加如下條目
Subsystem sftp internal-sftp

--重啟sshd服務:
# service sshd restart

