Upgrading OpenSSH on CentOS 7

Check the current OpenSSH and OpenSSL versions

# ssh -V
# openssl version -a

I. Upgrade OpenSSL

1. Download the OpenSSL source packages

# wget https://ftp.openssl.org/source/openssl-1.0.2t.tar.gz -P /opt/software
# wget https://ftp.riken.jp/pub/OpenBSD/OpenSSH/portable/openssl-fips-2.0.16.tar.gz -P /opt/software

2. Install the build dependencies

# yum install -y gcc gcc-c++ glibc make autoconf perl perl-devel pcre-devel pam-devel zlib-devel

3. Back up the existing OpenSSL files

# mv /usr/bin/openssl /usr/bin/openssl-old
# mv /usr/include/openssl /usr/include/openssl-old   # if this reports mv: cannot stat ‘/usr/include/openssl’: No such file or directory, this step can be skipped

4. Compile and install openssl-fips

# cd /opt/software
# tar -zxvf openssl-fips-2.0.16.tar.gz
# cd openssl-fips-2.0.16
# ./config
# make && make install

5. Compile and install the new OpenSSL version

# cd /opt/software
# tar -xf openssl-1.0.2t.tar.gz
# cd openssl-1.0.2t
# ./config -fPIC --prefix=/usr/local/openssl/ --with-fipslibdir=/usr/local/ssl/fips-2.0/lib/ enable-shared
# make depend && make install
Note: run echo $? to check whether make install reported an error; 0 means there was no problem.

# mkdir -p /usr/local/ssl/lib
# cp lib* /usr/local/ssl/lib/

# ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
# ln -s /usr/local/openssl/include/openssl /usr/include/openssl

# echo '/usr/local/ssl/lib' >> /etc/ld.so.conf
# echo '/usr/local/openssl/lib' >> /etc/ld.so.conf
# ldconfig

# openssl version -a
OpenSSL 1.0.2t  10 Sep 2019
built on: reproducible build, date unspecified
platform: linux-x86_64
options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx) 
compiler: gcc -I. -I.. -I../include  -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -fPIC -Wa,--noexecstack -m64 -DL_ENDIAN -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
OPENSSLDIR: "/usr/local/openssl/ssl"

II. Install and configure the telnet service

# yum install -y telnet-server xinetd

# systemctl start telnet.socket
# systemctl start xinetd
# systemctl enable xinetd.service
# systemctl enable telnet.socket

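Allow the root user to log in directly over telnet
# echo -e 'pts/0\npts/1\npts/2'  >>/etc/securetty

Note: if a firewall is running, open port 23 and disable SELinux. Once the telnet service is up, log in over telnet so that a session stays available while sshd is stopped in Part III.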

III. Upgrade OpenSSH

1. Download the OpenSSH source package

# wget https://ftp.riken.jp/pub/OpenBSD/OpenSSH/portable/openssh-8.0p1.tar.gz -P /opt/software

2. Back up the SSH files and remove the existing OpenSSH packages

# systemctl stop sshd.service

# cp -r /etc/ssh /etc/ssh-old
# cp /etc/pam.d/sshd /etc/pam.d/sshd-old

# rpm -e --nodeps `rpm -qa |grep openssh`
# rm -rf /etc/ssh

3. Compile and install the new OpenSSH version

# cd /opt/software
# tar -zxvf openssh-8.0p1.tar.gz
# cd openssh-8.0p1
# ./configure --prefix=/usr/ --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/openssl --with-zlib --with-md5-passwords --with-pam --with-tcp-wrappers
# make && make install

# cp -a /opt/software/openssh-8.0p1/contrib/redhat/sshd.init /etc/init.d/sshd
# cp -a /opt/software/openssh-8.0p1/contrib/redhat/sshd.pam /etc/pam.d/sshd.pam
# chmod +x /etc/init.d/sshd
# chkconfig --add sshd
# chkconfig sshd on

4. Configure sshd_config

# vi /etc/ssh/sshd_config
Change the following settings:
  #Port 22
  Port 22

  #PermitRootLogin prohibit-password
  PermitRootLogin yes

  #UseDNS yes
  UseDNS no

5. Verify the configuration

# service sshd start
# ssh -V
OpenSSH_8.0p1, OpenSSL 1.0.2t  28 May 2019
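
Added example (not part of the original post): sshd applies the first value it reads for each keyword, so the lines edited in step 4 only take effect if the keyword is not already set higher in the file. The script below reports the effective global value of the three settings from step 4. The function names and the sample config are constructed for illustration, and the fallback defaults are those built into OpenSSH 8.0.

```bash
# Added example, not from the original post. sshd takes the FIRST value it
# sees for each keyword, so a line added lower in the file is ignored if the
# keyword was already set above it. Lines after "Match" are conditional.

sshd_effective() {  # usage: sshd_effective <keyword> <config-file>
    awk -v want="$1" '
        BEGIN { want = tolower(want) }
        /^[ \t]*(#|$)/ { next }          # skip comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = match(line, /[ \t=]+/)   # whitespace or an equals sign
            if (n == 0) next
            key = tolower(substr(line, 1, n - 1))
            val = substr(line, n + RLENGTH)
            sub(/[ \t]+$/, "", val)
            if (key == "match") exit     # end of the global section
            if (key == want) { print val; exit }
        }
    ' "$2"
}

# Print the effective value of the three settings changed in step 4,
# falling back to the OpenSSH 8.0 built-in default when a keyword is unset.
report_sshd_settings() {  # usage: report_sshd_settings <config-file>
    for pair in Port:22 PermitRootLogin:prohibit-password UseDNS:no; do
        key=${pair%%:*}; default=${pair#*:}
        val=$(sshd_effective "$key" "$1")
        echo "$key=${val:-$default}"
    done
}

# Constructed sample: the second PermitRootLogin line is never applied.
write_sample_config() {  # usage: write_sample_config <path>
    cat > "$1" <<'EOF'
#Port 22
Port 22
permitrootlogin prohibit-password
#UseDNS yes
PermitRootLogin yes
Match User backup
    UseDNS yes
EOF
}

sample=$(mktemp)
write_sample_config "$sample"
report_sshd_settings "$sample"
rm -f "$sample"
```

On the upgraded host, pass /etc/ssh/sshd_config to report_sshd_settings, or run sshd -T as root to print the configuration sshd itself resolved.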
