I. Install telnet-server and xinetd so the server stays reachable if the OpenSSH upgrade fails
yum install xinetd telnet-server telnet -y
Telnet sends usernames and passwords in clear text, so treat it as a short-lived fallback only: allow port 23 from the management network (or use the console/IPMI instead where one exists) and switch it off again in step 6 as soon as the new sshd is verified. On CentOS 7 the telnet-server package ships its own systemd units (telnet.socket and telnet@.service), so xinetd is not actually required for it; installing it does no harm.
Configure the terminal types allowed for telnet logins by appending pseudo-terminals to the end of /etc/securetty. pam_securetty consults this file, and listing pts/N is exactly what allows root to log in over telnet; remove these lines again once the fallback is no longer needed.
vi /etc/securetty
pts/0
pts/1
pts/2
pts/3
Start the telnet service and connect to the server with telnet
systemctl start telnet.socket
systemctl start xinetd
telnet 127.0.0.1
Enter the server username and password. Because the point of this step is a remote fallback, also log in once from the administrator's workstation before touching OpenSSH, and keep that telnet session open until step 6.
II. Environment preparation: check that the operating system is the following version
cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)
After confirming the OS version, install all of the following dependency packages
yum install gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel pam-devel zlib-devel tcp_wrappers-devel tcp_wrappers
tcp_wrappers and tcp_wrappers-devel are leftovers from older guides: libwrap support was removed from OpenSSH in 6.7, so 8.2p1 does not use them (and the --with-tcp-wrappers configure option is ignored). pam-devel is what --with-pam needs later on.
III. Upgrade and installation steps:
1. Upload the OpenSSH upgrade packages to /tmp and unpack them
cd /tmp
tar -xf openssh-8.2p1.tar.gz
tar -xf openssl-1.1.1g.tar.gz
tar -xf zlib-1.2.11.tar.gz
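The tarballs arrive by hand (uploaded to /tmp, possibly via the offline route described under "Common problems"), so they should be checked before anything is unpacked. The following is an added example, not part of the original article: it compares the SHA-256 of each archive with the value published for the release (OpenSSH publishes .asc signatures, OpenSSL publishes .sha256 and .asc files; the expected hashes are deliberately not embedded here and must be supplied by the operator from the official release page), and only extracts when they match. The function names verify_sha256, extract_verified and verify_gpg_sig are this example's own.

```shell
#!/bin/sh
# Added example (not from the original article): verify a source tarball
# before unpacking it. EXPECTED_HEX comes from the project's release page or
# announcement; it is an input here, never a value baked into the script.

# verify_sha256 FILE EXPECTED_HEX -> 0 if the file's SHA-256 matches, 1 otherwise
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # accept upper- or lower-case hex
    [ -f "$file" ] || { echo "missing: $file" >&2; return 1; }
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK   $file"
        return 0
    fi
    echo "FAIL $file: expected $expected, got $actual" >&2
    return 1
}

# extract_verified FILE EXPECTED_HEX DESTDIR -> unpack only after the hash matched
extract_verified() {
    verify_sha256 "$1" "$2" || return 1
    tar -xf "$1" -C "$3"
}

# verify_gpg_sig FILE SIGFILE -> check a detached signature (.asc). The release
# signing key must already be in the local gpg keyring, imported from a source
# you trust independently of the download.
verify_gpg_sig() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg is not installed" >&2; return 1; }
    gpg --verify "$2" "$1"
}

# Usage on the upgrade host (hash values to be filled in by the operator):
#   extract_verified /tmp/openssh-8.2p1.tar.gz <sha256 from the release page> /tmp
#   verify_gpg_sig   /tmp/openssh-8.2p1.tar.gz /tmp/openssh-8.2p1.tar.gz.asc
```

A wrong hash prints the expected and actual values and returns 1, so the function can gate the rest of the procedure with `extract_verified ... || exit 1`.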
2. Compile and install zlib (this goes to /usr/local/lib and leaves the distribution's /usr/lib64/libz.so.1 untouched)
cd zlib-1.2.11
./configure
make
make install
ll /usr/local/lib
3. Compile and install openssl-1.1.1g
cd openssl-1.1.1g
Check the environment
./config shared zlib --prefix=/usr/local/ssl
./config -t
(./config -t only prints the configuration that would be used and changes nothing; the first command is the one that actually writes the Makefile.)
Compile and install
make -j 4 && make install
Run echo $? immediately afterwards; a return value of 0 means the installation succeeded
echo $?
Find the path of the currently installed openssl binary
which openssl
Back up the original binary (use the actual path from the previous command)
mv /usr/bin/openssl /usr/bin/openssl.BAK
Update the dynamic linker cache
echo "/usr/local/ssl/lib" >> /etc/ld.so.conf
ldconfig
ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
ln -s /usr/local/ssl/lib/libssl.so.1.1 /usr/lib64/libssl.so.1.1
ln -s /usr/local/ssl/lib/libcrypto.so.1.1 /usr/lib64/libcrypto.so.1.1
The two library symlinks are redundant once ldconfig knows /usr/local/ssl/lib, but harmless. The distribution's own OpenSSL 1.0.2 (libssl.so.10, libcrypto.so.10) stays in place and keeps serving every other package; the new 1.1 libraries are simply added beside it. A later yum update of the openssl package will overwrite the /usr/bin/openssl symlink with the packaged binary, so repeat that ln -s afterwards.
Check that the upgrade succeeded
openssl version -a
If the version query prints the following, the installation worked:
OpenSSL 1.1.1g 21 Apr 2020
built on: Mon May 25 02:31:46 2020 UTC
platform: linux-x86_64
options: bn(64,64) rc4(16x,int) des(int) idea(int) blowfish(ptr)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DNDEBUG
OPENSSLDIR: "/usr/local/ssl"
ENGINESDIR: "/usr/local/lib64/engines-1.1"
Seeding source: os-specific
4. Compile and install OpenSSH
cd openssh-8.2p1
Back up the existing ssh directory
mv /etc/ssh/ /etc/ssh_bak
/etc/ssh also holds the server's host keys. make install below generates a fresh set when none exist, so after the upgrade every client that already has this server in known_hosts will refuse to connect with a "REMOTE HOST IDENTIFICATION HAS CHANGED" warning. Unless a key rotation is intended, copy the ssh_host_*_key and ssh_host_*_key.pub files back from /etc/ssh_bak into /etc/ssh (private keys mode 0600) after the install and before the first remote test.
Check the environment
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-tcp-wrappers --with-ssl-dir=/usr/local/ssl --without-hardening
Two of these options deserve a second look. --with-tcp-wrappers does nothing: libwrap support was removed in OpenSSH 6.7 and configure only warns about the unrecognized option. --without-hardening switches off the compiler and linker hardening the build enables by default (stack protector, PIE, RELRO and related flags); drop it unless the build actually fails with hardening on, because it is cheap protection for a network-facing daemon that runs as root.
Normally a successful configure run ends with its summary of the build options (the original post showed a screenshot at this point). If it stops with an error instead, the cause is almost always a wrong OpenSSL location (--with-ssl-dir) or a missing -devel package.
If the environment check reports no errors, compile:
make -j 4
Install
make install
install -v -m755 contrib/ssh-copy-id /usr/bin
install -v -m644 contrib/ssh-copy-id.1 /usr/share/man/man1
install -v -m755 -d /usr/share/doc/openssh-8.2p1
install -v -m644 INSTALL LICENCE OVERVIEW README* /usr/share/doc/openssh-8.2p1
cp ./contrib/redhat/sshd.init /etc/init.d/sshd
cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd
chmod u+x /etc/init.d/sshd
PAM looks the service file up under the daemon's name, so it has to be /etc/pam.d/sshd; the original copied it to /etc/pam.d/sshd.pam, where nothing reads it. The /etc/pam.d/sshd installed by the CentOS openssh-server package, if it is still present, does the same job and can simply be kept.
Back up the original systemd unit
mv /usr/lib/systemd/system/sshd.service /usr/lib/systemd/system/sshd.service_bak
systemctl daemon-reload
Add the init script to the boot sequence (systemd generates a unit from it, so systemctl keeps working)
chkconfig --add sshd
chkconfig sshd on
Allow root login
sed -i "32a PermitRootLogin yes" /etc/ssh/sshd_config
This appends the directive after line 32 of the file, which is only right for the sshd_config that make install just wrote; confirm with grep -n PermitRootLogin /etc/ssh/sshd_config that exactly one uncommented line came out of it. PermitRootLogin yes also accepts root password logins from the network; prohibit-password, the upstream default, still allows key-based root logins and is the better choice wherever a root login is needed at all.
Restart and verify that the sshd service works (the two commands below are equivalent once the unit has been generated from the init script; one is enough)
/etc/init.d/sshd restart
systemctl restart sshd
Keep the existing session open and log in again from a second terminal; do not close the telnet fallback until that new SSH login has succeeded.
5. Check the sshd service status
systemctl status sshd
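Before relying on the new daemon, and before step 6 removes the fallback, the checks a practitioner wants can be run in one place. The following script is an added example, not part of the original article: it compares the host keys that make install generated in /etc/ssh with the backup in /etc/ssh_bak (the "host key changed" problem described in step 4), restores the old keys when they differ, parses the new sshd_config with sshd -t, and confirms that something is listening on port 22. The directory paths default to the article's /etc/ssh and /etc/ssh_bak, ss (from iproute) is assumed to be present, and hostkeys_differ, restore_hostkeys and post_upgrade_check are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original article). After "mv /etc/ssh /etc/ssh_bak",
# "make install" writes a fresh set of host keys, so every client that already
# knows this server gets a "REMOTE HOST IDENTIFICATION HAS CHANGED" refusal.
# Compare the generated keys with the backup and put the old ones back.

# hostkeys_differ OLD_DIR NEW_DIR -> 0 if any backed-up host key is missing from
# or different in NEW_DIR, 1 if every backed-up key is unchanged
hostkeys_differ() {
    old=$1; new=$2; changed=0
    for pub in "$old"/ssh_host_*_key.pub; do
        [ -f "$pub" ] || continue            # no keys in the backup at all
        name=$(basename "$pub")
        if [ ! -f "$new/$name" ] || ! cmp -s "$pub" "$new/$name"; then
            echo "host key changed: $name" >&2
            changed=1
        fi
    done
    [ "$changed" -eq 1 ]
}

# restore_hostkeys OLD_DIR NEW_DIR -> copy each backed-up key pair over the
# generated one, keeping private keys 0600 and public keys 0644
restore_hostkeys() {
    old=$1; new=$2
    for pub in "$old"/ssh_host_*_key.pub; do
        [ -f "$pub" ] || continue
        priv=${pub%.pub}
        [ -f "$priv" ] || { echo "private key missing for $pub" >&2; return 1; }
        cp -p "$priv" "$new/" && chmod 600 "$new/$(basename "$priv")" || return 1
        cp -p "$pub"  "$new/" && chmod 644 "$new/$(basename "$pub")"  || return 1
    done
    echo "host keys restored from $old"
}

# post_upgrade_check [OLD_DIR] [NEW_DIR]: the verification the article does by
# hand, in one place. sshd -t only parses the config; it restarts nothing.
post_upgrade_check() {
    old=${1:-/etc/ssh_bak}; new=${2:-/etc/ssh}
    ssh -V 2>&1
    openssl version
    sshd -t -f "$new/sshd_config" || return 1
    if hostkeys_differ "$old" "$new"; then
        restore_hostkeys "$old" "$new" || return 1
        systemctl restart sshd
    fi
    ss -lnt | grep -q ':22 ' || { echo "sshd is not listening on port 22" >&2; return 1; }
    echo "post-upgrade checks passed; now log in once more from another terminal"
}

if [ "${1:-}" = "--run" ]; then
    post_upgrade_check "$2" "$3"
fi
```

Run it as `sh post_upgrade_check.sh --run` on the upgraded host; the final manual login from a second terminal is still the real test, because it exercises PAM and the host key exactly as a client would.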
6. Once the tests pass, the telnet service can be switched off
systemctl disable xinetd.service
systemctl stop xinetd.service
systemctl disable telnet.socket
systemctl stop telnet.socket
Also take the pts/N lines added in section I back out of /etc/securetty, so the original restriction on root logins over pseudo-terminals is restored.
Common problems:
1. The server has no internet access, so how are the dependencies installed? Take another machine that does have internet access and runs the same OS version as the server to be upgraded, and run the following command to download the rpms into /tmp/openssh:
yum install --downloadonly --downloaddir=/tmp/openssh gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel pam-devel zlib-devel tcp_wrappers-devel tcp_wrappers
After the download-only run the rpms are in /tmp/openssh; pack that directory, copy it to the internal server and run yum localinstall *.rpm there. Because these files travel by hand, check their signatures on the target before installing (rpm -K *.rpm, with the CentOS GPG key imported) instead of trusting the transfer.
2. After the OpenSSH upgrade, ulimit -n reports an open-file limit that has been reset to 1024, which is too small
As shown in the screenshot:
The cause is that the sshd_config written by make install defaults to UsePAM no, so sessions skip PAM, pam_limits never applies /etc/security/limits.conf, and the kernel default of 1024 is what remains. Enable PAM authentication
sed -i "83a UsePAM yes" /etc/ssh/sshd_config
(This appends after line 83 of the file; confirm afterwards with grep -n UsePAM /etc/ssh/sshd_config that there is exactly one active UsePAM line.)
Edit /etc/pam.d/sshd and make sure it contains the following; the session line with pam_limits.so is the one that restores the limits:
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
session required pam_limits.so
Restart sshd, then reconnect to the server
systemctl restart sshd
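Both step 4 (PermitRootLogin yes) and this FAQ item (UsePAM yes) insert a directive after a fixed line number with sed, which only fits the exact sshd_config that make install wrote and otherwise leaves the commented default in place next to a second, possibly shadowed, copy. The following is an added example rather than the article's own code: it edits sshd_config by keyword, replacing an active directive (and dropping duplicates), otherwise rewriting the commented default in place, otherwise adding the directive before the first Match block, since global directives placed after a Match line would belong to that block. Running it twice changes nothing. set_sshd_option, get_sshd_option and apply_article_settings are this example's names; the config path is a parameter so the edit can be tried on a copy first.

```shell
#!/bin/sh
# Added example (not from the original article): keyword-based sshd_config edits
# instead of 'sed -i "32a ..."' / 'sed -i "83a ..."'. sshd honours the first
# occurrence of a keyword, keywords are case-insensitive, and anything after a
# Match line is scoped to that Match block.

# set_sshd_option FILE KEY VALUE
set_sshd_option() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp) || return 1
    awk -v k="$key" -v v="$value" '
        BEGIN { done = 0; inmatch = 0 }
        # global directives must precede Match blocks: insert before the first one
        tolower($1) == "match" && !done { print k " " v; done = 1 }
        tolower($1) == "match"          { inmatch = 1 }
        inmatch                         { print; next }
        # active directive: keep a single copy carrying the new value
        tolower($1) == tolower(k)       { if (!done) { print k " " v; done = 1 }; next }
        # commented default such as "#UsePAM no": replace it in place
        !done && $0 ~ ("^[ \t]*#[ \t]*" k "[ \t]") { print k " " v; done = 1; next }
        { print }
        END { if (!done) print k " " v }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"    # cat keeps the file owner and mode
    rc=$?
    rm -f "$tmp"
    return $rc
}

# get_sshd_option FILE KEY -> the effective global value (first active directive
# before any Match block); prints nothing if sshd would use its built-in default
get_sshd_option() {
    awk -v k="$2" '
        tolower($1) == "match"    { exit }
        tolower($1) == tolower(k) { print $2; exit }
    ' "$1"
}

# apply_article_settings [FILE]: the two changes the article makes, then a syntax
# check when the sshd binary is on this host (sshd -t parses and exits; it does
# not restart or signal the running daemon)
apply_article_settings() {
    cfg=${1:-/etc/ssh/sshd_config}
    cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)" || return 1
    # The article sets "yes". The upstream default "prohibit-password" still allows
    # key-based root logins but refuses password guessing against root; prefer it
    # unless password root logins are a hard requirement.
    set_sshd_option "$cfg" PermitRootLogin yes || return 1
    set_sshd_option "$cfg" UsePAM yes || return 1     # needed for pam_limits (FAQ item 2)
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$cfg" || return 1
    fi
    echo "PermitRootLogin=$(get_sshd_option "$cfg" PermitRootLogin) UsePAM=$(get_sshd_option "$cfg" UsePAM)"
}

if [ "${1:-}" = "--apply" ]; then
    apply_article_settings "$2" && systemctl restart sshd
fi
```

After `sh set_sshd_option.sh --apply` the restart only happens when sshd -t accepted the file, so a typo cannot leave the host without a working daemon while the telnet fallback is already gone.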
Attached: an OpenSSH upgrade script, for reference only; adapt it to the actual environment. Note that the script targets openssh-8.3p1 whereas the manual steps above use 8.2p1, and that it expects both source tarballs in /tmp.
#!/bin/bash
oldversion=$(ssh -V 2>&1)
echo "Starting the OpenSSH upgrade script"
echo -e "Current ssh version:\033[36m $oldversion \033[0m"
# Install telnet-server and telnet as the fallback login path
echo "Checking whether the telnet service is installed..."
if [ "$(rpm -qa | grep -c telnet)" -eq 2 ]
then
    echo -e "\033[36mtelnet-server and telnet are already installed!\033[0m"
else
    yum install xinetd telnet-server telnet -y >> install_telnet.log
    if [ $? -eq 0 ]
    then
        echo -e "\033[36mtelnet-server and telnet installed successfully!\033[0m"
    fi
fi
# Configure telnet-server: allow logins on pseudo-terminals (this also lets root log in over telnet)
if [ "$(grep -c pts /etc/securetty)" -lt 4 ]
then
cat >> /etc/securetty <<EOF
pts/0
pts/1
pts/2
pts/3
EOF
else
    echo -e "/etc/securetty already contains \033[36mpts/0,pts/1,pts/2,pts/3\033[0m"
fi
echo "Starting the telnet service..."
systemctl start telnet.socket
systemctl start xinetd
# ss is part of iproute, which is always present on CentOS 7, so net-tools is not needed
if ss -lnt | grep -q ':23 '
then
    echo -e "\033[36mtelnet-server is listening on port 23!\033[0m"
else
    echo "telnet-server is not listening on port 23; fix the fallback before upgrading"
    exit 1
fi
#echo "Installing dependencies..."
#echo -e "\033[36mgcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel pam-devel\033[0m"
#yum install -y gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel pam-devel >> install_lib.log
#echo -e "\033[36mpam* zlib*\033[0m"
#yum install -y pam* zlib* >> install_lib.log
echo "Preparing to install openssl"
echo "Checking for the /tmp directory and the source packages"
if [ -d "/tmp/" ]
then
    echo "Directory exists, checking for the source packages"
    if [ -e "/tmp/openssl-1.1.1g.tar.gz" -a -e "/tmp/openssh-8.3p1.tar.gz" ]
    then
        echo "Source packages found... starting the installation..."
    else
        echo "Please upload the source packages to /tmp/"
        exit 1
    fi
else
    mkdir -p /tmp
    echo "Please upload the source packages to /tmp/"
    exit 1
fi
if [ "$(openssl version | grep -c "1.1.1g")" -eq 1 ]
then
    echo -e "\033[36mThe required openssl version is already installed\033[0m"
else
    echo -e "\033[36mInstalling openssl!\033[0m"
    cd /tmp
    tar xfz openssl-1.1.1g.tar.gz
    if [ -e "/usr/bin/openssl" -a -d "/usr/include/openssl" ]
    then
        mv /usr/bin/openssl /usr/bin/openssl_bak
        mv /usr/include/openssl /usr/include/openssl_bak
        if [ -e "/usr/bin/openssl_bak" -a -d "/usr/include/openssl_bak" ]
        then
            echo "Backup complete!"
        fi
    fi
    echo -e "\033[36mConfigure, compile, install!\033[0m"
    cd /tmp/openssl-1.1.1g/
    ./config shared zlib --prefix=/usr/local/ssl && make -j 2 && make install >> install_openssl.log
    if [ $? -eq 0 ]
    then
        ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
        ln -s /usr/local/ssl/include/openssl /usr/include/openssl
        echo "/usr/local/ssl/lib" >> /etc/ld.so.conf
        /usr/sbin/ldconfig
        if [ -e "/usr/bin/openssl" -a -d "/usr/include/openssl" ]
        then
            version_ssl=$(openssl version)
            echo -e "\033[36mopenssl installed successfully! Current version: $version_ssl\033[0m"
        fi
    else
        echo "openssl build failed, check install_openssl.log and re-run the installation"
        exit 1
    fi
fi
echo "Preparing to install openssh......"
# the /tmp check above already confirmed that openssh-8.3p1.tar.gz is present
sshversion=$(ssh -V 2>&1)
# compare by prefix: the full "ssh -V" string also carries the OpenSSL build date
case "$sshversion" in
    OpenSSH_8.3p1*)
        echo -e "\033[36mopenssh is already at version 8.3p1\033[0m"
        ;;
    *)
        echo -e "\033[36mInstalling openssh!\033[0m"
        cd /tmp/
        tar xfz openssh-8.3p1.tar.gz
        cd /tmp/openssh-8.3p1
        mv /etc/ssh/ /etc/ssh_bak
        # --with-tcp-wrappers is omitted: libwrap support left OpenSSH in 6.7 and configure ignores it
        ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-ssl-dir=/usr/local/ssl --without-hardening \
            && make -j 4 && make install \
            && install -v -m755 contrib/ssh-copy-id /usr/bin \
            && install -v -m644 contrib/ssh-copy-id.1 /usr/share/man/man1 \
            && install -v -m755 -d /usr/share/doc/openssh-8.3p1 \
            && install -v -m644 INSTALL LICENCE OVERVIEW README* /usr/share/doc/openssh-8.3p1
        if [ $? -eq 0 ]
        then
            # edit by keyword rather than by line number (the original used "sed 32a" / "sed 83a")
            sed -i 's/^#\?PermitRootLogin .*/PermitRootLogin yes/' /etc/ssh/sshd_config
            sed -i 's/^#\?UsePAM .*/UsePAM yes/' /etc/ssh/sshd_config
            # put the backed-up host keys back so clients do not see a changed host key
            cp -p /etc/ssh_bak/ssh_host_*_key /etc/ssh_bak/ssh_host_*_key.pub /etc/ssh/
            \cp -a ./contrib/redhat/sshd.init /etc/init.d/sshd
            \cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd
            chmod u+x /etc/init.d/sshd
            mv /usr/lib/systemd/system/sshd.service /usr/lib/systemd/system/sshd.service_bak
            systemctl daemon-reload
            chkconfig --add sshd
            chkconfig sshd on
            /etc/init.d/sshd restart
            sleep 2s
            newversion=$(ssh -V 2>&1)
            echo -e "Installation complete, current SSH version: \033[32m $newversion \033[0m"
        else
            echo "openssh build failed; /etc/ssh_bak still holds the previous configuration"
            exit 1
        fi
        ;;
esac
echo -e "\033[36mStop or remove telnet-server?\033[0m"
echo "1. Stop telnet-server"
echo "2. Remove telnet-server"
echo "3. Skip and exit"
read -p "Enter an option: " choice
case $choice in
1)
    systemctl disable xinetd.service
    systemctl stop xinetd.service
    systemctl disable telnet.socket
    systemctl stop telnet.socket
    echo -e "\033[36mtelnet-server stopped\033[0m"
    ;;
2)
    rpm -qa | grep telnet
    rpm -e telnet-server
    if [ "$(rpm -qa | grep -c telnet-server)" -eq 0 ]
    then
        echo -e "\033[36mtelnet-server removed\033[0m"
    fi
    ;;
*)
    exit;;
esac