
Upgrading OpenSSH 7.4p1 to OpenSSH 8.5p1 on CentOS 7.4

Author: Internet


1. Install and start the telnet service (a fallback login path in case the SSH upgrade fails)

First check whether the two packages telnet-server and xinetd are already installed on CentOS.

Commands:

[root@localhost ~]# rpm -qa telnet-server

[root@localhost ~]#  rpm -qa xinetd

Neither is installed by default.

Configure a local yum repository

[root@localhost ~]# mkdir -p /mnt/cdrom

[root@localhost ~]# mount /dev/sr0 /mnt/cdrom

mount: /dev/sr0 写保护,将以只读方式挂载

[root@localhost ~]# mkdir -p /etc/yum.repos.d/bak

[root@localhost ~]# mv /etc/yum.repos.d/*.repo /etc/yum.repos.d/bak/


[root@localhost ~]# vi /etc/yum.repos.d/system-iso.repo

Edit the yum configuration file and add the following content:

[system-iso]

name=This is centos7.4 system iso repo

baseurl=file:///mnt/cdrom/

enabled=1

gpgcheck=0


[root@localhost ~]# yum clean all

[root@localhost ~]# yum list


Install commands:

# yum -y install telnet-server

# yum -y install xinetd

After installation, enable the xinetd service at boot:


[root@localhost ~]# systemctl enable xinetd.service

Enable the telnet service at boot:

[root@localhost ~]# systemctl enable telnet.socket

Finally, start both services:

[root@localhost ~]# systemctl start telnet.socket

[root@localhost ~]# systemctl start xinetd.service


Check that the services are running

[root@localhost ~]# systemctl status telnet.socket

[root@localhost ~]# systemctl status xinetd.service


Allow root to log in remotely, including over telnet

mv /etc/securetty /etc/securetty.bak

With /etc/securetty moved aside, root can log in over telnet!


Setting to allow root login over SSH

Edit /etc/ssh/sshd_config and remove the leading "#" from the line #PermitRootLogin yes,

then restart the SSH service

systemctl restart sshd

Disable SELinux and stop the firewall

[root@localhost ~]# setenforce 0

[root@localhost ~]# systemctl stop firewalld.service



If the firewall cannot be stopped on your system, open the telnet port instead

CentOS 7 uses firewalld; check whether port 23 is open

[root@localhost ~]# firewall-cmd --query-port=23/tcp

no

This shows port 23 is not open; open it with the following command

[root@localhost ~]# firewall-cmd --zone=public --add-port=23/tcp --permanent

success


Reload firewalld

[root@localhost ~]# firewall-cmd --complete-reload

success


Query port 23 again

[root@localhost ~]#  firewall-cmd --query-port=23/tcp

yes


"success" means the port is open! The CentOS 7.4 system can now be reached remotely with the telnet command!

Note: telnet transmits passwords in plaintext; for security, use encrypted SSH logins!



2. Check the current version

[root@localhost ~]# rpm -qa|grep ssh

openssh-clients-7.4p1-11.el7.x86_64

openssh-7.4p1-11.el7.x86_64

openssh-server-7.4p1-11.el7.x86_64

libssh2-1.4.3-10.el7_2.1.x86_64



3. Download the new OpenSSH release

https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/

Download openssh-8.5p1.tar.gz

Upload the package to the /root directory


or

wget https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/openssh-8.5p1.tar.gz


4. Install the build dependencies from the local yum repository

yum install rpm-build gcc make wget openssl-devel krb5-devel pam-devel libX11-devel xmkmf libXt-devel  gtk2-devel


5. Create the required directories and modify the openssh.spec file

[root@localhost ~]# tar -xf openssh-8.5p1.tar.gz

[root@localhost ~]# mkdir -p /root/rpmbuild/{SOURCES,SPECS}

[root@localhost ~]# cp openssh-8.5p1/contrib/redhat/openssh.spec /root/rpmbuild/SPECS/

[root@localhost ~]# cp /root/openssh-8.5p1.tar.gz /root/rpmbuild/SOURCES/

[root@localhost ~]# cd /root/rpmbuild/SPECS/


Modify openssh.spec

[root@localhost SPECS]# sed -i -e "s/%define no_gnome_askpass 0/%define no_gnome_askpass 1/g" openssh.spec

[root@localhost SPECS]# sed -i -e "s/%define no_x11_askpass 0/%define no_x11_askpass 1/g" openssh.spec

[root@localhost SPECS]# sed -i -e "s/BuildPreReq/BuildRequires/g" openssh.spec


6. Build the OpenSSH rpm packages with rpmbuild

[root@localhost SPECS]# rpmbuild -bb openssh.spec


-- Handling error 1:

[root@localhost SPECS]# rpmbuild -bb openssh.spec

错误:文件 /root/rpmbuild/SOURCES/x11-ssh-askpass-1.2.4.1.tar.gz:没有那个文件或目录


Fix: download x11-ssh-askpass-1.2.4.1.tar.gz and upload it to the /root/rpmbuild/SOURCES/ directory


-- Handling error 2:

[root@localhost SPECS]# rpmbuild -bb openssh.spec

错误:构建依赖失败:

        openssl-devel < 1.1 被 openssh-8.5p1-1.el7.centos.x86_64 需要


Fix for "构建依赖失败:openssl-devel < 1.1 被 openssh-8.3p1-1.el7.x86_64 需要":

vi openssh.spec and comment out the line BuildRequires: openssl-devel < 1.1

........................

写道:/root/rpmbuild/RPMS/x86_64/openssh-8.5p1-1.el7.centos.x86_64.rpm

写道:/root/rpmbuild/RPMS/x86_64/openssh-clients-8.5p1-1.el7.centos.x86_64.rpm

写道:/root/rpmbuild/RPMS/x86_64/openssh-server-8.5p1-1.el7.centos.x86_64.rpm

写道:/root/rpmbuild/RPMS/x86_64/openssh-askpass-8.5p1-1.el7.centos.x86_64.rpm

写道:/root/rpmbuild/RPMS/x86_64/openssh-askpass-gnome-8.5p1-1.el7.centos.x86_64.rpm

写道:/root/rpmbuild/RPMS/x86_64/openssh-debuginfo-8.5p1-1.el7.centos.x86_64.rpm

执行(%clean): /bin/sh -e /var/tmp/rpm-tmp.qsk2AE

+ umask 022

+ cd /root/rpmbuild/BUILD

+ cd openssh-8.5p1

+ rm -rf /root/rpmbuild/BUILDROOT/openssh-8.5p1-1.el7.centos.x86_64

+ exit 0
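
The spec edits from steps 5 and 6 plus the error-2 fix, collected into one verified function. This is an added example, not code from the original post or from the OpenSSH project; it assumes the argument is a copy of contrib/redhat/openssh.spec from the openssh-8.5p1 tarball (for instance /root/rpmbuild/SPECS/openssh.spec), and it checks each edit actually landed instead of trusting the sed run.

```shell
#!/bin/sh
# Added example (not from the original post): apply the openssh.spec edits
# from steps 5 and 6 in one function and verify each one took effect.
# Assumption: "$1" is contrib/redhat/openssh.spec from the 8.5p1 tarball.

patch_openssh_spec() {
    spec="$1"
    [ -f "$spec" ] || { echo "spec file not found: $spec" >&2; return 1; }
    tmp="$spec.tmp"

    # 1) Do not build the X11/GNOME askpass sub-packages; this avoids the
    #    "x11-ssh-askpass-1.2.4.1.tar.gz: 没有那个文件或目录" source error.
    # 2) BuildPreReq is the obsolete spelling of BuildRequires.
    # 3) Comment out the "openssl-devel < 1.1" ceiling: CentOS 7.4 only has
    #    openssl-devel 1.0.2k, and this constraint is what rpmbuild rejects.
    #    The expressions run in order, so the rename happens before 3).
    sed -e 's/^%define no_gnome_askpass 0/%define no_gnome_askpass 1/' \
        -e 's/^%define no_x11_askpass 0/%define no_x11_askpass 1/' \
        -e 's/BuildPreReq/BuildRequires/g' \
        -e 's/^\(BuildRequires:[[:space:]]*openssl-devel[[:space:]]*<[[:space:]]*1\.1\)/# \1/' \
        "$spec" > "$tmp" && mv "$tmp" "$spec"

    # Verify the result rather than assuming the patterns matched.
    grep -q '^%define no_gnome_askpass 1' "$spec" || { echo "gnome askpass still enabled" >&2; return 1; }
    grep -q '^%define no_x11_askpass 1' "$spec"   || { echo "x11 askpass still enabled" >&2; return 1; }
    if grep -q 'BuildPreReq' "$spec"; then
        echo "BuildPreReq still present" >&2; return 1
    fi
    if grep -q '^BuildRequires:[[:space:]]*openssl-devel[[:space:]]*<' "$spec"; then
        echo "openssl-devel version ceiling still active" >&2; return 1
    fi
    echo "openssh.spec patched and verified"
}

# On the build host: patch_openssh_spec /root/rpmbuild/SPECS/openssh.spec
```

Run it once before rpmbuild -bb; a non-zero exit means one of the edits did not apply, which is better found here than as an rpmbuild failure several minutes later.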


7. Inspect the generated rpms


[root@localhost SPECS]# ls -l /root/rpmbuild/RPMS/x86_64/

总用量 4836

-rw-r--r--. 1 root root  663112 5月  10 06:03 openssh-8.5p1-1.el7.centos.x86_64.rpm

-rw-r--r--. 1 root root   44340 5月  10 06:03 openssh-askpass-8.5p1-1.el7.centos.x86_64.rpm

-rw-r--r--. 1 root root   25596 5月  10 06:03 openssh-askpass-gnome-8.5p1-1.el7.centos.x86_64.rpm

-rw-r--r--. 1 root root  632680 5月  10 06:03 openssh-clients-8.5p1-1.el7.centos.x86_64.rpm

-rw-r--r--. 1 root root 3113920 5月  10 06:03 openssh-debuginfo-8.5p1-1.el7.centos.x86_64.rpm

-rw-r--r--. 1 root root  459308 5月  10 06:03 openssh-server-8.5p1-1.el7.centos.x86_64.rpm


8. Upgrade OpenSSH

[root@localhost SPECS]# rpm -Uvh /root/rpmbuild/RPMS/x86_64/*.rpm

准备中...                          ################################# [100%]

正在升级/安装...

   1:openssh-8.5p1-1.el7.centos       ################################# [ 11%]

   2:openssh-askpass-8.5p1-1.el7.cento################################# [ 22%]

   3:openssh-askpass-gnome-8.5p1-1.el7################################# [ 33%]

   4:openssh-clients-8.5p1-1.el7.cento################################# [ 44%]

   5:openssh-server-8.5p1-1.el7.centos警告:/etc/ssh/sshd_config 已建立为 /etc/ssh/sshd_config.rpmnew

################################# [ 56%]

   6:openssh-debuginfo-8.5p1-1.el7.cen################################# [ 67%]

正在清理/删除...

   7:openssh-server-7.4p1-11.el7      ################################# [ 78%]

   8:openssh-clients-7.4p1-11.el7     ################################# [ 89%]

   9:openssh-7.4p1-11.el7             ################################# [100%]

[root@localhost SPECS]#


9. Check the OpenSSH version after the upgrade

[root@localhost SPECS]# ssh -V

OpenSSH_8.5p1, OpenSSL 1.0.2k-fips  26 Jan 2017


[root@localhost SPECS]# rpm -qa|grep ssh

openssh-8.5p1-1.el7.centos.x86_64

openssh-debuginfo-8.5p1-1.el7.centos.x86_64

openssh-askpass-gnome-8.5p1-1.el7.centos.x86_64

openssh-clients-8.5p1-1.el7.centos.x86_64

openssh-server-8.5p1-1.el7.centos.x86_64

libssh2-1.4.3-10.el7_2.1.x86_64

openssh-askpass-8.5p1-1.el7.centos.x86_64



10. Adjust the sshd configuration parameters and test SSH login

In /etc/ssh/sshd_config, set the PermitRootLogin option to yes

Check that the PasswordAuthentication value in /etc/ssh/sshd_config is set to yes

Append the following line at the end of the file

KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1,curve25519-sha256@libssh.org


-- After setting the parameters, handling error 1 when restarting sshd:

[root@localhost SPECS]# systemctl restart sshd

Job for sshd.service failed because the control process exited with error code. See "systemctl status sshd.service" and "journalctl -xe" for details.


[root@localhost SPECS]# journalctl -xe

5月 10 06:12:07 localhost.localdomain sshd[56090]: It is required that your private key files are NOT accessible by others.

5月 10 06:12:07 localhost.localdomain sshd[56090]: This private key will be ignored.

5月 10 06:12:07 localhost.localdomain sshd[56090]: Unable to load host key "/etc/ssh/ssh_host_ecdsa_key": bad permissions

5月 10 06:12:07 localhost.localdomain sshd[56090]: Unable to load host key: /etc/ssh/ssh_host_ecdsa_key

5月 10 06:12:07 localhost.localdomain sshd[56090]: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

5月 10 06:12:07 localhost.localdomain sshd[56090]: @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @

5月 10 06:12:07 localhost.localdomain sshd[56090]: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

5月 10 06:12:07 localhost.localdomain sshd[56090]: Permissions 0640 for '/etc/ssh/ssh_host_ed25519_key' are too open.

5月 10 06:12:07 localhost.localdomain sshd[56090]: It is required that your private key files are NOT accessible by others.

5月 10 06:12:07 localhost.localdomain sshd[56090]: This private key will be ignored.

5月 10 06:12:07 localhost.localdomain sshd[56090]: Unable to load host key "/etc/ssh/ssh_host_ed25519_key": bad permissions

5月 10 06:12:07 localhost.localdomain sshd[56090]: Unable to load host key: /etc/ssh/ssh_host_ed25519_key

5月 10 06:12:07 localhost.localdomain sshd[56090]: sshd: no hostkeys available -- exiting.

5月 10 06:12:07 localhost.localdomain sshd[56090]: [失败]


The messages show that the permissions on /etc/ssh/ssh_host_ecdsa_key and /etc/ssh/ssh_host_ed25519_key are wrong


Fix the file permissions

[root@localhost SPECS]# chmod 600 /etc/ssh/ssh_host_ecdsa_key

[root@localhost SPECS]# chmod 600 /etc/ssh/ssh_host_ed25519_key

[root@localhost SPECS]# chmod 600 /etc/ssh/ssh_host_rsa_key


Restart sshd

[root@localhost SPECS]# systemctl restart sshd


Test SSH login; fixes for when login fails.

(Pitfall 1):

Edit /etc/selinux/config and set SELINUX=disabled, or disable SELinux temporarily with setenforce 0

In the end /etc/selinux/config was changed from SELINUX=enforcing to SELINUX=disabled


(Pitfall 2):

The same settings as step 10: in /etc/ssh/sshd_config set PermitRootLogin to yes and PasswordAuthentication to yes, and append the KexAlgorithms line from step 10 at the end of the file.
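
A pre-restart check that covers the two things that went wrong above: host keys sshd refuses to load because of their mode (the journalctl output after step 10), and the KexAlgorithms line appended in step 10. This is an added example, not code from the original post or from OpenSSH. It assumes the standard CentOS paths /etc/ssh/sshd_config and /etc/ssh/ssh_host_*_key, but both functions take paths as arguments so they can be run against copies. The audit flags SHA-1 key-exchange methods and duplicate entries: OpenSSH 8.5 leaves the SHA-1 Diffie-Hellman methods out of its defaults, so naming them in sshd_config re-enables them for old clients, which is worth knowing before the restart rather than after.

```shell
#!/bin/sh
# Added example, not from the original post: checks to run before
# "systemctl restart sshd" so it does not fail with "bad permissions" /
# "no hostkeys available". Assumes standard /etc/ssh paths (see below).

# Host private keys must not be group- or other-readable, or sshd ignores
# them (the post fixes this with chmod 600). Names each offender on stderr
# and returns 1 if any listed key has a bad mode.
check_hostkey_perms() {
    bad=0
    for key in "$@"; do
        [ -f "$key" ] || continue
        mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
        case "$mode" in
            *00) ;;   # 600 or 400: owner-only, acceptable
            *) echo "Permissions 0$mode for '$key' are too open (need 0600)" >&2; bad=1 ;;
        esac
    done
    return $bad
}

# Inspect the effective KexAlgorithms line (last one wins in sshd_config).
# Prints the number of findings (duplicates and SHA-1 entries) on stdout
# and the details on stderr; a config with no such line yields 0.
audit_kex() {
    cfg="$1"
    line=$(grep -i '^kexalgorithms[[:space:]]' "$cfg" | tail -n 1 | sed 's/^[^[:space:]]*[[:space:]]*//')
    findings=0
    seen=" "
    for algo in $(printf '%s' "$line" | tr ',' ' '); do
        case "$seen" in
            *" $algo "*) echo "duplicate entry: $algo" >&2; findings=$((findings + 1)) ;;
        esac
        seen="$seen$algo "
        case "$algo" in
            diffie-hellman-group1-sha1) echo "legacy: $algo (SHA-1 over a 1024-bit group)" >&2; findings=$((findings + 1)) ;;
            *-sha1) echo "legacy: $algo (SHA-1)" >&2; findings=$((findings + 1)) ;;
        esac
    done
    echo "$findings"
}

# On the real host, as root: fix modes, audit, validate the config, restart.
if [ "${1:-}" = "--run" ]; then
    chmod 600 /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_ecdsa_key /etc/ssh/ssh_host_ed25519_key
    check_hostkey_perms /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_ecdsa_key /etc/ssh/ssh_host_ed25519_key || exit 1
    n=$(audit_kex /etc/ssh/sshd_config)
    [ "$n" -eq 0 ] || echo "$n KexAlgorithms findings: keep them only if legacy clients really need them" >&2
    /usr/sbin/sshd -t && systemctl restart sshd   # -t validates the config without starting
fi
```

Against the exact KexAlgorithms line from step 10 the audit reports five findings: three SHA-1 methods, plus diffie-hellman-group1-sha1 listed a second time (counted once as a duplicate and once as legacy). sshd -t is the same syntax check sshd runs at startup, so a failure here is the failure journalctl -xe would have shown after the restart.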


(Pitfall 3):

# Without this file, login fails even though the password is correct.
# The original post's heredoc was truncated ("cat <"); the target path below is
# an assumption based on the contents, which are the standard sshd PAM stack
# /etc/pam.d/sshd on CentOS 7.
cat > /etc/pam.d/sshd <<'EOF'
#%PAM-1.0
auth       required     pam_sepermit.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth
EOF


# Restart the service

systemctl restart sshd


SSH login now works normally!
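
Once SSH login works again, the telnet fallback from step 1 should be closed rather than left running: it is a plaintext root login path that the post itself advises against. The script below is an added example, not code from the original post; it confirms the running ssh is the rebuilt 8.5p1 (parsing the ssh -V output shown in step 9) and that sshd_config validates, and only then undoes the step-1 changes. It assumes the same names the post used: /etc/securetty.bak, the firewalld zone "public" and port 23/tcp.

```shell
#!/bin/sh
# Added example, not from the original post: verify the upgrade, then close
# the telnet fallback opened in step 1. Assumes the post's paths and names.

# Pull "8.5p1" out of an "ssh -V" line such as
# "OpenSSH_8.5p1, OpenSSL 1.0.2k-fips  26 Jan 2017". Prints nothing when the
# line does not look like OpenSSH output.
parse_ssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9.]*p[0-9][0-9]*\).*/\1/p'
}

# Returns 0 if the installed ssh reports the expected version, 1 otherwise.
# "ssh -V" writes to stderr, hence the 2>&1.
ssh_version_is() {
    expected="$1"
    actual=$(parse_ssh_version "$(ssh -V 2>&1)")
    [ "$actual" = "$expected" ]
}

# Undo step 1: stop and disable telnet/xinetd, restore /etc/securetty so
# pam_securetty again limits root to the consoles listed there, and drop
# the 23/tcp rule if firewalld is running.
teardown_telnet_fallback() {
    systemctl stop telnet.socket xinetd.service
    systemctl disable telnet.socket xinetd.service
    if [ -f /etc/securetty.bak ]; then
        mv /etc/securetty.bak /etc/securetty
    fi
    if systemctl is-active --quiet firewalld.service; then
        firewall-cmd --zone=public --remove-port=23/tcp --permanent && firewall-cmd --reload
    fi
}

# On the real host, as root: refuse to tear down until the new sshd is proven.
if [ "${1:-}" = "--run" ]; then
    ssh_version_is "8.5p1" || { echo "ssh -V does not report 8.5p1; keeping the fallback" >&2; exit 1; }
    /usr/sbin/sshd -t     || { echo "sshd_config fails validation; keeping the fallback" >&2; exit 1; }
    teardown_telnet_fallback
fi
```

Run it from a second SSH session on the upgraded daemon, not from the telnet session it is about to close. Whether firewalld and SELinux, which step 1 turned off, go back on is a local policy decision; the pitfall notes above show why SELinux in particular needs the PAM file from pitfall 3 in place first.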


Tags: p1,centos7.4,openssh7.4,openssh,root,el7,localhost,ssh
Source: https://blog.51cto.com/cherryqi/2764235