實驗環境
- OS:CentOS 7.5
- 當前openssh版本:OpenSSH_7.4p1
- 升級后的openssh版本:OpenSSH_8.0p1
開通telnet
為了防止升級過程中ssh斷連,保險起見,先安裝telnet並啟動。
安裝telnet-server及telnet服務
yum install -y telnet-server* telnet
安裝xinetd服務
yum install -y xinetd
啟動xinetd及telnet並做開機自啟動
systemctl enable xinetd.service
systemctl enable telnet.socket
systemctl start telnet.socket
systemctl start xinetd.service
修改/etc/securetty文件
默認情況下,系統是不允許root用戶telnet遠程登錄的。如果要使用root用戶直接登錄,需向/etc/securetty中追加pts/0等內容,執行命令如下:
echo 'pts/0' >>/etc/securetty
echo 'pts/1' >>/etc/securetty
echo 'pts/2' >>/etc/securetty
測試telnet能否登錄
測試能否通過telnet正常登陸到主機,檢查開機自啟是否生效(!!!生產環境中不能隨意重啟主機!!!)。
升級OpenSSH
因為設備一般都是不能通過外網下載文件,並且yum下載的openssh版本都較落后,所以需要通過下載包來編譯安裝。
備份原先的ssh
cp -r /etc/ssh /etc/ssh.bak`date +%Y%m%d`
准備安裝包
OpenSSH_8.0下載地址:https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.0p1.tar.gz
下載相關依賴包
yum install -y gcc zlib zlib-devel openssl-devel
解壓安裝
- 將安裝包上傳到/usr/local/src下
- 解壓
cd /usr/local/src
tar -zxvf openssh-8.0p1.tar.gz
- 編譯安裝
cd openssh-8.0p1/
# 需要指定openssh的安裝路徑
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-zlib --without-openssl-header-check --with-ssl-dir=/usr/local/ssl --with-privsep-path=/var/lib/sshd
make
- 卸載舊版本
make完成后先不着急執行make install,先卸載舊版的openssh;注意:卸載后ssh不能登錄,最好不要退出當前終端,否則只能通過telnet登錄做配置了。
rpm -e --nodeps `rpm -qa | grep openssh`
- 執行
make install
make install
- 報錯或告警解決
- 編譯安裝報依賴包錯誤
如果在編譯安裝的過程中發現有關於依賴包的報錯,就通過yum安裝相關依賴包 - 告警信息
- 編譯安裝報依賴包錯誤
[root@kvm /usr/local/src/openssh-8.0p1]# systemctl status sshd.service
● sshd.service - OpenSSH server daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
Active: activating (auto-restart) (Result: exit-code) since Tue 2019-05-21 00:05:31 CST; 6s ago
Docs: man:sshd(8)
man:sshd_config(5)
Process: 12325 ExecStart=/usr/sbin/sshd -D $OPTIONS (code=exited, status=1/FAILURE)
Main PID: 12325 (code=exited, status=1/FAILURE)
May 21 00:05:31 kvm systemd[1]: sshd.service: main process exited, code=exited, status=1/FAILURE
May 21 00:05:31 kvm systemd[1]: Failed to start OpenSSH server daemon.
May 21 00:05:31 kvm systemd[1]: Unit sshd.service entered failed state.
May 21 00:05:31 kvm systemd[1]: sshd.service failed.
[root@kvm /usr/local/src/openssh-8.0p1]# systemctl status sshd.service
● sshd.service - SYSV: OpenSSH server daemon
Loaded: loaded (/etc/rc.d/init.d/sshd; bad; vendor preset: enabled)
Active: failed (Result: exit-code) since Tue 2019-05-21 00:21:06 CST; 9s ago
Docs: man:systemd-sysv-generator(8)
Process: 22813 ExecStart=/etc/rc.d/init.d/sshd start (code=exited, status=1/FAILURE)
Main PID: 22560 (code=exited, status=1/FAILURE)
May 21 00:21:06 kvm sshd[22813]: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
May 21 00:21:06 kvm sshd[22813]: Permissions 0640 for '/etc/ssh/ssh_host_ed25519_key' are too open.
May 21 00:21:06 kvm sshd[22813]: It is required that your private key files are NOT accessible by others.
May 21 00:21:06 kvm sshd[22813]: This private key will be ignored.
May 21 00:21:06 kvm sshd[22813]: sshd: no hostkeys available -- exiting.
May 21 00:21:06 kvm systemd[1]: sshd.service: control process exited, code=exited status=1
May 21 00:21:06 kvm sshd[22813]: [FAILED]
May 21 00:21:06 kvm systemd[1]: Failed to start SYSV: OpenSSH server daemon.
May 21 00:21:06 kvm systemd[1]: Unit sshd.service entered failed state.
May 21 00:21:06 kvm systemd[1]: sshd.service failed.
[root@kvm /usr/local/src/openssh-8.0p1]# sshd -t
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_rsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_ecdsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_ed25519_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
sshd: no hostkeys available -- exiting.
[root@kvm /usr/local/src/openssh-8.0p1]#
- 解決辦法
在執行完make install命令后可能就會有關於key文件的警告信息,這個時候需要將涉及到的key文件的權限改成600,如果沒修改,則重啟sshd服務時將報錯。
chmod 600 /etc/ssh/ssh_host_rsa_key
chmod 600 /etc/ssh/ssh_host_ecdsa_key
chmod 600 /etc/ssh/ssh_host_ed25519_key
- 配置sshd服務
# 復制啟動文件到/etc/init.d/下並命名為sshd
cp -p /usr/local/src/openssh-8.0p1/contrib/redhat/sshd.init /etc/init.d/sshd
# 添加執行權限
chmod +x /etc/init.d/sshd
# 添加到開啟自啟服務中
systemctl enable sshd
/sbin/chkconfig sshd on
# 允許root遠程登錄
sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/g' /etc/ssh/sshd_config
# 配置selinux服務
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
sed -i 's/SELINUX=permissive/SELINUX=disabled/g' /etc/selinux/config
setenforce 0
# 重啟sshd服務
systemctl restart sshd
- 查看當前ssh版本
[root@kvm ~]# ssh -V
OpenSSH_8.0p1, OpenSSL 1.0.2k-fips 26 Jan 2017
[root@kvm ~]#
收尾工作
重啟主機測試ssh是否可用
關閉並disable telnet服務
systemctl disable xinetd
systemctl disable telnet.socket
systemctl stop xinetd.service
systemctl stop telnet.socket