Upgrading OpenSSL and OpenSSH

System: CentOS 6.4, 64-bit

First, a clarification: OpenSSL is not a protocol but an implementation of one; SSL/TLS is the protocol.

Upgrading OpenSSL:

wget http://www.openssl.org/source/openssl-1.0.1g.tar.gz

yum -y update zlib

./config --prefix=/usr --shared

(The --shared option is required; otherwise the header files and library files will not match.)

make && make install


Upgrading OpenSSH:

wget http://mirror.internode.on.net/pub/OpenBSD/OpenSSH/portable/openssh-6.6p1.tar.gz

Back up the original SSH configuration:

mv /etc/ssh /etc/ssh_bak

yum install pam-krb5 krb5-devel   krb5-libs pam-devel

./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-ssl-dir=/usr --with-md5-passwords --mandir=/usr/share/man --with-kerberos5=/usr/lib64/libkrb5.so

(The --with-kerberos5 option prevents the errors "Unsupported option GSSAPIAuthentication" and "Unsupported option GSSAPICleanupCredentials".)

make && make install

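Issues to watch for:

1. If you are told that libcrypto.so.1.0.0 cannot be loaded because permission is denied, run setenforce 0 (which switches SELinux to permissive mode) and then upgrade.


2. The message: PAM is enabled. You may need to install a PAM control file for sshd, otherwise password authentication may fail. Example PAM control files can be found in the contrib/ subdirectory
# That is, if PAM is enabled, a control file is needed; otherwise authentication fails.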


cp /etc/init.d/sshd /etc/init.d/sshd_old

cp /etc/pam.d/sshd /etc/pam.d/sshd_old

cd openssh-6.6p1/contrib/redhat

cp sshd.init /etc/init.d/sshd

cp sshd.pam /etc/pam.d/sshd

In /etc/ssh/sshd_config, set UsePAM yes


3. Logging in with a password gives "Access denied"; logging in with a key gives 'Server unexpectedly closed network connection'. The log then shows the following message:

sshd[15721]: PAM unable to dlopen(/lib/security/pam_stack.so): /lib/security/pam_stack.so: cannot open shared object file: No such file or directory

(This is a configuration file error; this .so is no longer used.)

In that case, change the /etc/pam.d/sshd file to the following:

#%PAM-1.0

auth       required     pam_sepermit.so

auth       include      password-auth

account    required     pam_nologin.so

account    include      password-auth

password   include      password-auth

# pam_selinux.so close should be the first session rule

session    required     pam_selinux.so close

session    required     pam_loginuid.so

# pam_selinux.so open should only be followed by sessions to be executed in the user context

session    required     pam_selinux.so open env_params

session    optional     pam_keyinit.so force revoke

session    include      password-auth
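
The failure in item 3 can be caught before sshd is restarted by checking that every module named in /etc/pam.d/sshd exists on disk. The shell function below is an added example, not part of the original post; the function name missing_pam_modules, the default module directories /lib64/security and /lib/security, and the sample service file are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): print every module named in a
# PAM service file that does not exist in the module directories.
# Usage: missing_pam_modules SERVICE_FILE [MODULE_DIR ...]
missing_pam_modules() {
    file=$1; shift
    # Assumed default search path for 64-bit CentOS 6.
    [ $# -gt 0 ] || set -- /lib64/security /lib/security
    # Drop comments, then extract the module field of each rule.
    sed -e 's/#.*//' "$file" | awk '
        NF < 3 { next }
        # include/substack name another service file, not a module
        $2 == "include" || $2 == "substack" { next }
        {
            i = 2
            # a bracketed control such as [success=1 default=ignore] spans fields
            if ($2 ~ /^\[/) while (i <= NF && $i !~ /\]$/) i++
            if (i + 1 <= NF) print $(i + 1)
        }' | sort -u | while read -r mod; do
        found=no
        case $mod in
            /*) if [ -e "$mod" ]; then found=yes; fi ;;
            *)  for d in "$@"; do
                    if [ -e "$d/$mod" ]; then found=yes; break; fi
                done ;;
        esac
        if [ "$found" = no ]; then echo "$mod"; fi
    done
}

# Constructed sample: a service file in the old pam_stack.so style, checked
# against a scratch module directory that only contains pam_nologin.so.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/security" && : > "$tmp/security/pam_nologin.so"
    printf '%s\n' '#%PAM-1.0' \
        'auth     required  pam_stack.so service=system-auth' \
        'account  required  pam_nologin.so' \
        'session  required  pam_stack.so service=system-auth' > "$tmp/sshd"
    missing_pam_modules "$tmp/sshd" "$tmp/security"
    rm -rf "$tmp"
}
demo
```

On the real system, run missing_pam_modules /etc/pam.d/sshd while an existing SSH session is still open; any output names a module the PAM stack cannot load.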


