Upgrading OpenSSH_7.4p1 to OpenSSH_7.9p1 on CentOS 7.2

If you are worried the upgrade might fail, open a second way into the server before you start! (The original advice was to enable telnet; telnet sends credentials in cleartext, so prefer a console or other out-of-band session, or simply keep an existing ssh session open during the upgrade, and switch telnet off again as soon as the new sshd is verified.)
Upload the openssh-7.9p1.tar.gz package to /usr/local/src/ (verify the tarball against its .asc signature and the OpenSSH release key before building it).
Update the build dependencies

# yum install zlib zlib-devel gcc openssl-devel pam-devel rpm-build

Check the environment

# openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017
# rpm -q zlib
zlib-1.2.7-18.el7.x86_64
# rpm -q zlib-devel
zlib-devel-1.2.7-18.el7.x86_64


# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017

Back up the configuration files (note that /etc/ssh also holds the host keys, ssh_host_*_key; moving the directory away means the build will generate fresh ones, so keep this backup to restore them from)

# mv /etc/ssh /etc/ssh_bak
# cp /etc/pam.d/system-auth-ac /etc/pam.d/system-auth-ac.bak
# cp /etc/pam.d/sshd /etc/pam.d/sshd.bak

Remove the old openssh packages

# rpm -e `rpm -qa | grep openssh` --nodeps
# rpm -qa | grep openssh  

(the second command should print nothing once the packages are gone)

Configure

# cd /usr/local/src/
# tar zxf openssh-7.9p1.tar.gz  &&  cd openssh-7.9p1
# ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-md5-passwords --with-tcp-wrappers 

(tcp_wrappers support was removed from OpenSSH in 6.7, so configure reports --with-tcp-wrappers as an unrecognized option and the resulting sshd ignores /etc/hosts.allow and /etc/hosts.deny; restrict access with firewall rules or sshd's own AllowUsers/Match directives instead. --prefix=/usr places the new binaries where the removed rpm's were.)
make && make install

# make && make install

(make install writes a default sshd_config into /etc/ssh and, because the directory was emptied above, runs ssh-keygen to create new host keys; copy the old ssh_host_*_key files back from /etc/ssh_bak before starting the new sshd, otherwise every client will see a changed host key, then merge your previous settings into the new sshd_config.)
Edit the sshd_config configuration file
# vim /etc/ssh/sshd_config

(screenshot: the PermitRoot, Empty and UsePAM lines being changed in sshd_config; of these, UsePAM yes is required for PAM authentication to work with this build)
Add a line
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1

(The last three entries are SHA-1 based and diffie-hellman-group1-sha1 uses a 1024-bit group. OpenSSH 7.9 does not enable diffie-hellman-group-exchange-sha1 or diffie-hellman-group1-sha1 by default; include them only if you must support old clients, and drop them once those clients are gone.)

**Set up the service startup entry**
# cp contrib/redhat/sshd.init /etc/init.d/sshd
# chkconfig --add sshd
# chkconfig sshd on
# chkconfig --list sshd

(Removing the openssh-server package also removed its systemd unit file, so this SysV init script is what systemctl manages from now on; if systemctl cannot find sshd.service afterwards, run systemctl daemon-reload so the SysV generator picks the script up.)
Start the sshd service

# systemctl restart sshd.service
# systemctl status sshd.service 


# ssh -V
OpenSSH_7.9p1, OpenSSL 1.0.2k-fips  26 Jan 2017


At this point there should be no problems and you can log in to the server over ssh (sshd -t checks the new configuration for syntax errors before a restart).
If there are problems, it is likely one of the following:

1. Permission denied, please try again.

type=USER_AUTH msg=audit(1563447853.337:3879638): pid=38929 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=? acct="username" exe="/usr/sbin/sshd" hostname=xx.xx.xx.xx addr=xx.xx.xx.xx terminal=ssh res=failed'

The cause is on the PAM side: the openssh-server package owns /etc/pam.d/sshd, so the rpm -e above removed it, and with SELinux enabled on this host the replacement file also needs the pam_selinux session lines. Restore the two files from the backups taken earlier, or recreate them with the following contents:

# cd /etc/pam.d
# vim  system-auth-ac

auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth sufficient pam_smb_auth.so use_first_pass nolocal
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so

# vim sshd

auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session include system-auth
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke

2. Permission denied, please try again.

sshd[31254]: error: Could not get shadow information for <username>

The cause is that UsePAM is not enabled in the sshd configuration (the default sshd_config that make install writes leaves it commented out as #UsePAM no). Check /etc/ssh/sshd_config and set it explicitly:

#UsePAM no
UsePAM yes

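As an added example (this is not code from the original post), the post-upgrade checks discussed above, written as plain POSIX shell functions: parsing the ssh -V banner, auditing the KexAlgorithms line for SHA-1 and group1 entries and producing a hardened list, confirming UsePAM yes is set (troubleshooting item 2), and confirming /etc/pam.d/sshd still carries the directives shown in item 1. The functions operate on text, so the test values are the strings the post shows; the live checks at the bottom use the post's paths (/etc/ssh/sshd_config, /etc/pam.d/sshd) and are skipped when a file or command is absent.

```shell
#!/bin/sh
# Added example for this post, not the author's code. Pure functions over
# text so they can be run anywhere; nothing here modifies the system.

# "7.9p1" from an "ssh -V" banner (ssh -V prints to stderr, hence 2>&1 below).
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([^,]*\),.*$/\1/p'
}

# First KexAlgorithms value in an sshd_config text (keywords are case-insensitive).
kex_from_config() {
    printf '%s\n' "$1" | awk 'tolower($1) == "kexalgorithms" { print $2; exit }'
}

# Entries of a comma-separated KEX list that use SHA-1 or the 1024-bit
# "group1" modulus, one per line. Exit status is 0 when any were found.
weak_kex() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -E -e '-sha1$' -e 'group1-'
}

# The same list with those entries removed, comma-separated, ready to paste back.
harden_kex() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -E -v -e '-sha1$' -e 'group1-' \
        | tr '\n' ',' | sed 's/,$//'
}

# True when an uncommented "UsePAM yes" line is present.
use_pam_enabled() {
    printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*UsePAM[[:space:]]+yes([[:space:]]|$)'
}

# Directives from the post's /etc/pam.d/sshd that are missing from the given
# PAM file text, one per line; exit status 0 when none are missing.
pam_sshd_missing() {
    _missing=0
    for want in 'auth include system-auth' \
                'account required pam_nologin.so' \
                'session required pam_selinux.so close' \
                'session required pam_loginuid.so' \
                'session required pam_selinux.so open'; do
        # Escape dots and allow any whitespace between the words.
        pat=$(printf '%s' "$want" | sed 's/\./\\./g; s/ /[[:space:]]+/g')
        if ! printf '%s\n' "$1" | grep -Eq "^[[:space:]]*$pat"; then
            echo "$want"
            _missing=1
        fi
    done
    return $_missing
}

# Live checks on the upgraded host; each one is skipped if its input is absent.
if command -v ssh >/dev/null 2>&1; then
    echo "ssh version: $(openssh_version "$(ssh -V 2>&1)")"
fi
if [ -r /etc/ssh/sshd_config ]; then
    cfg=$(cat /etc/ssh/sshd_config)
    use_pam_enabled "$cfg" || echo "WARNING: UsePAM yes is not set in /etc/ssh/sshd_config"
    kex=$(kex_from_config "$cfg")
    if [ -n "$kex" ] && weak_kex "$kex" >/dev/null; then
        echo "WARNING: weak KEX enabled; suggested line: KexAlgorithms $(harden_kex "$kex")"
    fi
fi
if [ -r /etc/pam.d/sshd ]; then
    pam_sshd_missing "$(cat /etc/pam.d/sshd)" | sed 's|^|MISSING in /etc/pam.d/sshd: |'
fi
```

Run it as root after the restart; an empty run with only the version line means the three settings the post relies on are in place. weak_kex returns grep's exit status, so it doubles as a yes/no check in an if, and harden_kex only drops the SHA-1 and group1 entries, leaving the order of the remaining algorithms untouched.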
References:
SSH Server unexpectedly closed network connection:
https://linuxadmin.melberi.com/ssh/server-unexpectedly-closed-network
Upgrading OpenSSH 7.9:
https://segmentfault.com/a/1190000018629266?utm_source=tag-newest
vsftpd fails pam authentication:
https://unix.stackexchange.com/questions/37539/vsftpd-fails-pam-authentication
Understanding SELinux:
https://www.cnblogs.com/yaohong/p/7344343.html
