CentOS通過yum升級Openssh8.x
制作 RPM 包#
安裝相關依賴
# Build prerequisites for the OpenSSH RPMs (run as root).
yum install -y \
  rpm-build gcc unzip \
  zlib-devel openssl-devel perl-devel pam-devel
創建所需目錄
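# Create the rpmbuild tree, then work from SOURCES.
# The two commands must be separate: fused on one line, "cd" and the second
# path are handed to mkdir as extra directory names.
mkdir -p /root/rpmbuild/{SOURCES,SPECS}
cd /root/rpmbuild/SOURCES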
下載源碼包#
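# Download locations:
#   http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/
#   https://src.fedoraproject.org/repo/pkgs/openssh/

# Fetch over HTTPS: this tarball is compiled and installed as the system sshd,
# so a copy altered in transit over plain HTTP would end up running as root.
wget https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.4p1.tar.gz
wget https://src.fedoraproject.org/repo/pkgs/openssh/x11-ssh-askpass-1.2.4.1.tar.gz/8f2e41f3f7eaa8543a2440454637f3c3/x11-ssh-askpass-1.2.4.1.tar.gz

# The 32-hex component of the askpass URL is the file's MD5 in the Fedora
# lookaside cache. Checking it catches a corrupted or swapped download; MD5 is
# not collision resistant, so treat it as a sanity check only.
echo "8f2e41f3f7eaa8543a2440454637f3c3  x11-ssh-askpass-1.2.4.1.tar.gz" | md5sum -c -

# Before unpacking, also verify openssh-8.4p1.tar.gz against the detached
# signature published next to it (openssh-8.4p1.tar.gz.asc) with
# `gpg --verify`, using the OpenSSH release key obtained from a trusted source.

tar -xvzf openssh-8.4p1.tar.gz
tar -xvzf x11-ssh-askpass-1.2.4.1.tar.gz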
修改配置文件#
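# Copy the Red Hat spec shipped with the source tree into SPECS.
cp openssh-8.4p1/contrib/redhat/openssh.spec /root/rpmbuild/SPECS/
cd /root/rpmbuild/SPECS/

# Flip both askpass switches in the spec from 0 to 1.
sed -i -e "s/%define no_x11_askpass 0/%define no_x11_askpass 1/g" openssh.spec
sed -i -e "s/%define no_gnome_askpass 0/%define no_gnome_askpass 1/g" openssh.spec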
構建rpmbuild#
rpmbuild -ba openssh.spec 構建成功結果如下: Wrote: /root/rpmbuild/SRPMS/openssh-8.4p1-1.el7.src.rpm Wrote: /root/rpmbuild/RPMS/x86_64/openssh-8.4p1-1.el7.x86_64.rpm Wrote: /root/rpmbuild/RPMS/x86_64/openssh-clients-8.4p1-1.el7.x86_64.rpm Wrote: /root/rpmbuild/RPMS/x86_64/openssh-server-8.4p1-1.el7.x86_64.rpm Wrote: /root/rpmbuild/RPMS/x86_64/openssh-askpass-8.4p1-1.el7.x86_64.rpm Wrote: /root/rpmbuild/RPMS/x86_64/openssh-askpass-gnome-8.4p1-1.el7.x86_64.rpm Wrote: /root/rpmbuild/RPMS/x86_64/openssh-debuginfo-8.4p1-1.el7.x86_64.rpm Executing(%clean): /bin/sh -e /var/tmp/rpm-tmp.pshj6r + umask 022 + cd /root/rpmbuild/BUILD + cd openssh-8.4p1 + rm -rf /root/rpmbuild/BUILDROOT/openssh-8.4p1-1.el7.x86_64 + exit 0
驗證軟件包#
ls /root/rpmbuild/RPMS/x86_64/ openssh-8.4p1-1.el7.x86_64.rpm openssh-clients-8.4p1-1.el7.x86_64.rpm openssh-askpass-8.4p1-1.el7.x86_64.rpm openssh-debuginfo-8.4p1-1.el7.x86_64.rpm openssh-askpass-gnome-8.4p1-1.el7.x86_64.rpm openssh-server-8.4p1-1.el7.x86_64.rpm
構建過程報錯解決#
錯誤1: error: Failed build dependencies: openssl-devel < 1.1 is needed by openssh-8.4p1-1.el7.x86_64 解決辦法: 注釋BuildRequires: openssl-devel < 1.1這一行 sed -i 's/BuildRequires: openssl-devel < 1.1/#&/' openssh.spec 錯誤2: error: Failed build dependencies: /usr/include/X11/Xlib.h is needed by openssh-8.4p1-1.el7.x86_64 解決辦法: 安裝libXt-devel imake gtk2-devel openssl-libs yum install libXt-devel imake gtk2-devel openssl-libs -y
開始升級#
備份配置文件
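# Run as root. Back up the PAM and sshd configuration before the upgrade.
# -p keeps mode, owner and timestamps, so the copy that is later moved back
# into place does not end up more readable than the original file.
cp -p /etc/pam.d/{sshd,sshd.bck}
cp -p /etc/ssh/{sshd_config,sshd_config.bck}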
安裝telnet
為避免 openssh 升級失敗后無法登陸,先安裝 telnet 作為臨時的備用登陸方式(同時開啟兩個窗口)
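# Run as root. Temporary fallback access for the duration of the upgrade only.
# telnet sends the account name and password in cleartext, so keep this to a
# trusted internal network and shut it down again once SSH is confirmed working.
yum install telnet-server xinetd -y
systemctl enable --now xinetd.service
systemctl enable --now telnet.socket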
配置 telnet
登陸
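# Run as root. Both changes below lift the restriction on where root may log
# in, so that root can use the temporary telnet session; they are meant to be
# reverted when telnet is switched off again.

# Comment out the line
#   auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
sed -i 's/^auth \[user_unknown=/#&/' /etc/pam.d/login

# Add two pseudo-terminals to the securetty list.
cat >> /etc/securetty <<EOF
pts/1
pts/2
EOF

# Test the login from a client (sample session):
#   [C:\~]$ telnet 192.168.3.179
#   Trying 192.168.3.179...
#   Connected to 192.168.3.179.
#   Escape character is '^]'.
#   Kernel 3.10.0-957.27.2.el7.x86_64 on an x86_64
#   localhost0 login: root
#   Password:
#   Last login: Thu Dec 31 15:28:23 from 192.168.3.144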
安裝新版本
更新
openssh
版本
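# Update to the freshly built packages. The absolute path matters: after the
# build the shell is still in /root/rpmbuild/SPECS, where ./openssh* would
# match openssh.spec instead of the RPMs. Adjust the path if the packages were
# copied to another host.
yum update -y /root/rpmbuild/RPMS/x86_64/openssh-*.rpm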
啟動ssh服務#
恢復備份的配置文件,並重啟sshd
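# Run as root. Put the backed-up configuration back in place
# (\mv bypasses any interactive alias on mv).
\mv /etc/ssh/sshd_config.bck /etc/ssh/sshd_config
\mv /etc/pam.d/sshd.bck /etc/pam.d/sshd

# Replace every PermitRootLogin / PasswordAuthentication line, commented ones
# included, with an explicit setting appended at the end of the file.
# NOTE(review): if sshd_config ends with a Match block, the appended lines
# apply only inside that block - check the tail of the file.
# NOTE(review): root login with a password is the weakest combination sshd
# offers. Once key-based login is confirmed, prefer
# "PermitRootLogin prohibit-password" and "PasswordAuthentication no".
sed -i '/.*PermitRootLogin.*/d' /etc/ssh/sshd_config
echo -e '\nPermitRootLogin yes' >> /etc/ssh/sshd_config
sed -i '/.*PasswordAuthentication.*/d' /etc/ssh/sshd_config
echo -e '\nPasswordAuthentication yes' >> /etc/ssh/sshd_config

# Tighten only the files that must be private. A blanket chmod 600 on
# /etc/ssh/* also hides ssh_config and the public host keys from non-root users.
chmod 600 /etc/ssh/sshd_config /etc/ssh/ssh_host_*_key

# Validate the configuration first, so a typo cannot take sshd down on restart.
sshd -t && systemctl restart sshd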
驗證登陸#
新開窗口連接登陸測試,沒有問題后再進行下面的關閉telnet
步驟。
注意:請勿關閉當前窗口,另外新開窗口連接沒問題,再關閉。
關閉 telnet#
注意:開啟 telnet 的 root 遠程登錄極度不安全,賬號密碼都是明文傳輸,尤其在公網,所以一般只限於在某些情況下內網中 ssh 無法使用時,臨時調測。使用完后,將相關配置(前面修改過的 /etc/pam.d/login 與 /etc/securetty)復原,徹底關閉 telnet 服務!
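# Run as root, and only after a fresh SSH login has been confirmed to work.
systemctl stop telnet.socket && systemctl disable telnet.socket
systemctl stop xinetd.service && systemctl disable xinetd.service

# Revert the login changes made for the telnet fallback; stopping the services
# alone leaves root login relaxed for any other login path that uses them.
# Re-enable the pam_securetty line that was commented out in /etc/pam.d/login.
sed -i 's/^#\(auth \[user_unknown=\)/\1/' /etc/pam.d/login
# Drop the two pts entries that were appended to /etc/securetty.
# NOTE(review): assumes the file had no pts/1 or pts/2 entries before - confirm.
sed -i -e '/^pts\/1$/d' -e '/^pts\/2$/d' /etc/securetty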
驗證當前版本#
# ssh -V OpenSSH_8.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
build腳本#
該腳本用於制作openssh rpm
包
使用方法:rpmbuild_openssh.sh 8.4
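#!/usr/bin/env bash
# @Date   :2021/1/1 15:13
# @Author :ives
# @Email  :381347268@qq.com
# @File   :rpmbuild_openssh.sh
# @Desc   :Build the OpenSSH RPM packages from the upstream source tarball.
#
# Usage: rpmbuild_openssh.sh <version>        e.g. rpmbuild_openssh.sh 8.4
# Env:   OPENSSH_SHA256 (optional) - expected hex SHA-256 of the OpenSSH
#        tarball, taken from a source you trust. When set, the download is
#        checked against it before anything is unpacked.
#
# NOTE(review): without OPENSSH_SHA256 the OpenSSH tarball is only protected
# by HTTPS. Verifying it against the detached signature published next to it
# (openssh-<version>p1.tar.gz.asc) is the stronger check.

openssh_version=$1

readonly SOURCES_DIR=/root/rpmbuild/SOURCES
readonly SPECS_DIR=/root/rpmbuild/SPECS
readonly ASKPASS_TARBALL=x11-ssh-askpass-1.2.4.1.tar.gz
# 32-hex component of the askpass download URL; the Fedora lookaside cache
# stores the file's MD5 there.
readonly ASKPASS_MD5=8f2e41f3f7eaa8543a2440454637f3c3

# The version ends up in a URL and in file paths, so accept only "N.N".
if [[ "${openssh_version}" =~ ^[0-9]+\.[0-9]+$ ]]; then
  echo -e "\033[41;37m當前build的openssh版本為: ${openssh_version}\033[0m"
else
  echo "常用版本有:8.0, 8.1, 8.2, 8.3, 8.4"
  echo
  echo -e " 請輸入需要build的openssh版本號 示例: \033[36;1m$0 8.4\033[0m"
  exit 1
fi

# Install the build dependencies; stop if yum fails, because every later step
# would otherwise fail with a less obvious error.
install_dependency() {
  if ! yum install -y wget rpm-build zlib-devel openssl-devel gcc perl-devel pam-devel unzip libXt-devel imake gtk2-devel openssl-libs >> /dev/null; then
    echo "依賴安裝失敗...請檢查yum源"
    exit 1
  fi
  sleep 3
}

# Download, check and unpack the source tarballs into SOURCES_DIR.
# Exits with status 2 on any download, checksum or unpack failure.
download_package() {
  local tarball="openssh-${openssh_version}p1.tar.gz"

  mkdir -p "${SOURCES_DIR}" "${SPECS_DIR}"
  cd "${SOURCES_DIR}" || exit 2

  echo -e "\033[34;1m開始下載軟件包:${tarball} \033[0m"
  # -O overwrites a stale copy from an earlier run instead of saving "<name>.1"
  # and silently building from the old file.
  if ! wget -O "${tarball}" "https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/${tarball}" >> /dev/null; then
    echo "${tarball}下載失敗...請檢查網絡環境或版本是否存在"
    exit 2
  fi
  echo "${tarball}下載成功..."

  # Optional integrity check against a caller-supplied digest.
  if [[ -n "${OPENSSH_SHA256:-}" ]]; then
    if ! echo "${OPENSSH_SHA256}  ${tarball}" | sha256sum -c - >> /dev/null; then
      echo "${tarball}校驗失敗...請勿使用該文件"
      exit 2
    fi
  fi

  echo -e "\033[34;1m開始下載軟件包:x11-ssh-askpass-1.2.4.1.tar.gz \033[0m"
  if ! wget -O "${ASKPASS_TARBALL}" "https://src.fedoraproject.org/repo/pkgs/openssh/${ASKPASS_TARBALL}/${ASKPASS_MD5}/${ASKPASS_TARBALL}" >> /dev/null; then
    echo "x11-ssh-askpass-1.2.4.1.tar.gz下載失敗...請檢查網絡環境是否正常"
    exit 2
  fi
  echo "x11-ssh-askpass-1.2.4.1.tar.gz下載成功..." && sleep 3

  # MD5 only guards against a corrupted or swapped file; it is not collision
  # resistant, so this is a sanity check rather than an authenticity check.
  if ! echo "${ASKPASS_MD5}  ${ASKPASS_TARBALL}" | md5sum -c - >> /dev/null; then
    echo "${ASKPASS_TARBALL}校驗失敗...請勿使用該文件"
    exit 2
  fi

  # Unpack the version that was requested, not a hard-coded 8.4.
  tar -xf "${tarball}" && tar -xf "${ASKPASS_TARBALL}" || exit 2
}

# Adjust the spec shipped with the source tree and run rpmbuild.
# Returns non-zero when the spec cannot be prepared or the build fails.
config_and_build() {
  local spec="${SPECS_DIR}/openssh.spec"

  cp "${SOURCES_DIR}/openssh-${openssh_version}p1/contrib/redhat/openssh.spec" "${SPECS_DIR}/" || return 1
  sed -i -e "s/%define no_x11_askpass 0/%define no_x11_askpass 1/g" "${spec}"
  sed -i -e "s/%define no_gnome_askpass 0/%define no_gnome_askpass 1/g" "${spec}"
  # Comment out the openssl-devel < 1.1 build requirement.
  sed -i 's/BuildRequires: openssl-devel < 1.1/#&/' "${spec}"

  cd "${SPECS_DIR}" || return 1
  echo -e "\033[34;1m開始制作 openssh${openssh_version} 相關rpm軟件包 \033[0m"
  if rpmbuild -ba openssh.spec; then
    echo -e "\033[34;1mopenssh${openssh_version} 相關rpm軟件包制作成功,生成的軟件包信息如下: \033[0m"
    echo
    echo -e "\033[33;1m軟件包存放路徑:/root/rpmbuild/RPMS/x86_64/ \033[0m" && ls /root/rpmbuild/RPMS/x86_64/
  else
    echo -e "\033[33;1mopenssh${openssh_version} 相關rpm軟件包制作失敗,請根據報錯信息進行解決,再重新進行編譯 \033[0m"
    # Report the failure to the caller instead of exiting 0.
    return 1
  fi
}

main() {
  install_dependency
  download_package
  config_and_build
}

main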
xshell連接時顯示“服務器發送了一個意外的數據包。received:3,expected:20“問題的解決方法
發現是新版的sshd可能與xshell存在兼容性問題。因為我在其他unix系統下通過ssh是可以正常連上的。
解決方法:在/etc/ssh/sshd_config最后增加以下一行
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1
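然后重啟sshd服務或者重載服務配置文件。注意:不帶 +/- 前綴的 KexAlgorithms 會整體替換 sshd 的默認密鑰交換算法列表;其中 diffie-hellman-group14-sha1 是基於 SHA-1 的舊算法,僅為兼容舊版 xshell 而加入。客戶端升級后應刪除此行,恢復默認列表。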
原文: https://www.cnblogs.com/yanjieli/p/14220914.html