CentOS7 升级 OpenSSH9.8 和 OpenSSL3.3.1

2024-08-07 13:42:42 浏览数 (3)

确认系统版本

# Record the installed versions before changing anything, so the result of the
# upgrade can be compared against them afterwards.
openssl version
ssh -V

升级openssl

OpenSSL官方下载地址

下载最新版openssl,编译安装

# Before unpacking, check the tarball against the SHA-256 digest or PGP signature
# published next to it on the download site: a source build gets none of the
# signature checking that yum performs on packages.
# NOTE(review): the page title names OpenSSL 3.3.1; confirm the archive name
# below matches the file actually downloaded.
tar xf openssl-3.3.1g.tar.gz
 
cd openssl-3.3.1g
 
# Installs into a private prefix (/usr/local/openssl), so the distribution's own
# OpenSSL libraries are not overwritten by this build.
# "shared" builds libssl/libcrypto as shared objects; "zlib" enables zlib support.
./config shared zlib --prefix=/usr/local/openssl --openssldir=/usr/local/openssl
 
# "make install" runs only when the build itself succeeded.
make && make install

替换旧版的openssl

# Back up the old openssl binary.
# From here on this OpenSSL is not tracked by yum: later OpenSSL security fixes
# have to be rebuilt and reinstalled by hand.
mv /usr/bin/openssl /usr/bin/openssl.old
# mv /usr/include/openssl /usr/include/openssl.old


# Create links to the new version.
# ln -s without -f fails if the link name already exists, so a rerun does not
# silently replace an existing file.
ln -s /usr/local/openssl/bin/openssl /usr/bin/

ln -s /usr/local/openssl/lib64/libssl.so.3 /usr/lib64/

ln -s /usr/local/openssl/lib64/libcrypto.so.3 /usr/lib64/

# ln -s /usr/local/openssl/include/openssl /usr/include/openssl

# Add the new library directory to the dynamic linker search path.
# ">>" appends, so running this step again leaves a duplicate line in ssl.conf.
echo "/usr/local/openssl/lib64" >> /etc/ld.so.conf.d/ssl.conf

# Rebuild the linker cache; -v prints each directory and library as it is processed.
ldconfig -v

查看openssl版本

# Should now report the newly built release. An error about libssl.so.3 or
# libcrypto.so.3 not being found means the links or the ldconfig step above did not take effect.
openssl version

升级openssh

OpenSSH官方下载地址

安装依赖包

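# Build dependencies for compiling OpenSSH from source.
# The C++ compiler package is "gcc-c++"; the "++" had been lost from the listing,
# leaving "gcc-c", which is not a package name.
# NOTE(review): the tcp_wrappers packages are only relevant if the OpenSSH build
# still supports TCP wrappers; confirm before relying on them.
yum -y install pam-devel tcp_wrappers tcp-wrappers-devel gcc gcc-c++ glibc make autoconf openssl-devel zlib-devel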

卸载旧的软件包

# Removes the packaged OpenSSH. When working over SSH, keep the current session
# open (or have console access) until the new sshd is confirmed to accept logins.
# No -y is given, so yum shows the transaction and asks for confirmation.
# NOTE(review): dependent packages are presumably removed as well; check the
# transaction summary before confirming.
yum remove openssh

备份配置文件

# Moves the whole directory aside, which includes sshd_config and the existing host keys.
# NOTE(review): if the new install generates fresh host keys, clients will see a
# changed host key; copy the old ssh_host_* key files back from /etc/ssh.old if
# the host identity should be kept. /etc/ssh.old holds private keys, so it
# should stay readable by root only.
mv /etc/ssh /etc/ssh.old

编译安装openssh

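# Check the tarball against the published checksum or signature before unpacking.
tar xf openssh-9.8p1.tar.gz
 
cd openssh-9.8p1
 
# Create a root-only (mode 0700) directory for sshd.
# NOTE(review): configure below is not given --with-privsep-path, so confirm
# that this directory is the one the built sshd actually uses.
install -v -m 700 -d /var/lib/sshd
 
# "owner:group" is the documented separator; "root.sys" is a legacy spelling.
chown -v root:sys /var/lib/sshd
 
# --with-ssl-dir points the build at the OpenSSL installed under /usr/local/openssl.
# --without-hardening has been dropped: it switches off the compiler and linker
# hardening flags that configure enables by default, which is the wrong trade-off
# for a network-facing daemon. If the build fails with the defaults, find the
# flag that fails instead of disabling all of them.
# NOTE(review): upstream removed tcp_wrappers support in OpenSSH 6.7, so
# --with-tcp-wrappers should have no effect and /etc/hosts.allow / hosts.deny
# rules will not restrict this sshd; enforce source restrictions in the firewall
# or in sshd_config instead. --with-md5-passwords looks like a legacy option as
# well; check the configure output for "unrecognized options".
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-tcp-wrappers --with-ssl-dir=/usr/local/openssl/ --with-zlib
 
# "make install" runs only when the build itself succeeded.
make && make install
 
# Install the ssh-copy-id helper and its man page from the contrib directory.
install -v -m 755 contrib/ssh-copy-id /usr/bin/
 
install -v -m 644 contrib/ssh-copy-id.1 /usr/share/man/man1
 
# Install the documentation files.
install -v -m 755 -d /usr/share/doc/openssh-9.8p1
 
install -v -m 644 INSTALL LICENCE OVERVIEW README* /usr/share/doc/openssh-9.8p1/
 
#sed 's@d/login@d/sshd@g' /etc/pam.d/login > /etc/pam.d/sshd
 
#chmod 644 /etc/pam.d/sshd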

创建启动脚本

# Install the SysV init script shipped in the source tree (the relative path
# means this is run from inside the openssh-9.8p1 directory).
# NOTE(review): cp carries over the source file's mode; confirm that
# /etc/init.d/sshd ends up executable and writable by root only.
cp contrib/redhat/sshd.init /etc/init.d/sshd

# Keep a copy of the current PAM service file before writing the new one.
# NOTE(review): this fails if the earlier package removal already deleted /etc/pam.d/sshd.
mv /etc/pam.d/sshd /etc/pam.d/sshd.bak

配置 PAM 模块

vim /etc/pam.d/sshd

#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare

启动服务

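# Register the init script and enable the service at boot.
chkconfig --add sshd
 
chkconfig sshd on
 
systemctl enable sshd
 
# Validate the configuration file and host keys first (-t is sshd's test mode)
# and restart only if that check passes, so a broken configuration cannot cut
# off remote access. Keep the current session open and confirm a new login
# works before closing it. The binary is under /usr/sbin because of --prefix=/usr.
/usr/sbin/sshd -t && systemctl restart sshd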

查看版本

# Prints the version of the ssh client binary and of the OpenSSL library it uses.
# This does not show which binary the running daemon is; recent releases also
# accept "sshd -V" to report the server binary's version.
ssh -V

修改配置文件,启用root登录

vim /etc/ssh/sshd_config

# Changes in this file take effect only after sshd is restarted or reloaded.
# "yes" lets root log in directly, including with a password.
# "prohibit-password" restricts root to key-based login; "no" requires logging
# in as a regular user and escalating afterwards.
PermitRootLogin yes
# Password logins are exposed to guessing; once public keys are deployed this
# can be set to "no".
PasswordAuthentication yes
# Hands authentication, account and session handling to the PAM stack defined
# in /etc/pam.d/sshd.
UsePAM yes
