Upgrading OpenSSH on CentOS 7

Check the current OpenSSH and OpenSSL versions

# ssh -V
# openssl version -a

I. Upgrade OpenSSL

1. Download the OpenSSL source tarballs

# wget https://ftp.openssl.org/source/openssl-1.0.2t.tar.gz -P /opt/software
# wget https://ftp.riken.jp/pub/OpenBSD/OpenSSH/portable/openssl-fips-2.0.16.tar.gz -P /opt/software

2. Install the build dependencies

# yum install -y gcc gcc-c++ glibc make autoconf perl perl-devel pcre-devel pam-devel zlib-devel

3. Back up the existing OpenSSL files

# mv /usr/bin/openssl /usr/bin/openssl-old
# mv /usr/include/openssl /usr/include/openssl-old
Note: if the second command reports mv: cannot stat ‘/usr/include/openssl’: No such file or directory, the error can be ignored.

4. Compile and install openssl-fips

# cd /opt/software
# tar -zxvf openssl-fips-2.0.16.tar.gz
# cd openssl-fips-2.0.16
# ./config
# make && make install

5. Compile and install the new OpenSSL

# cd /opt/software
# tar -xf openssl-1.0.2t.tar.gz
# cd openssl-1.0.2t
# ./config -fPIC --prefix=/usr/local/openssl/ --with-fipslibdir=/usr/local/ssl/fips-2.0/lib/ enable-shared
# make depend && make install
Note: run echo $? to check whether make install reported an error; 0 means it completed without problems.

# mkdir -p /usr/local/ssl/lib
# cp lib* /usr/local/ssl/lib/

# ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
# ln -s /usr/local/openssl/include/openssl /usr/include/openssl

# echo '/usr/local/ssl/lib' >> /etc/ld.so.conf
# echo '/usr/local/openssl/lib' >> /etc/ld.so.conf
# ldconfig

# openssl version -a
OpenSSL 1.0.2t  10 Sep 2019
built on: reproducible build, date unspecified
platform: linux-x86_64
options:  bn(64,64) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx) 
compiler: gcc -I. -I.. -I../include  -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -fPIC -Wa,--noexecstack -m64 -DL_ENDIAN -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
OPENSSLDIR: "/usr/local/openssl/ssl"

II. Install and configure the telnet service

# yum install -y telnet-server xinetd

# systemctl start telnet.socket
# systemctl start xinetd
# systemctl enable xinetd.service
# systemctl enable telnet.socket

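Allow the root user to log in directly over telnet
# echo -e 'pts/0\npts/1\npts/2'  >>/etc/securetty

Note: if a firewall is running, open port 23 and disable SELinux. Once the telnet service is up, log in over telnet.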

III. Upgrade OpenSSH

1. Download the OpenSSH source tarball

# wget https://ftp.riken.jp/pub/OpenBSD/OpenSSH/portable/openssh-8.0p1.tar.gz -P /opt/software

2. Back up the SSH files and remove the original OpenSSH packages

# systemctl stop sshd.service

# cp -r /etc/ssh /etc/ssh-old
# cp /etc/pam.d/sshd /etc/pam.d/sshd-old

# rpm -e --nodeps `rpm -qa |grep openssh`
# rm -rf /etc/ssh

3. Compile and install the new OpenSSH

# cd /opt/software
# tar -zxvf openssh-8.0p1.tar.gz
# cd openssh-8.0p1
# ./configure --prefix=/usr/ --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/openssl --with-zlib --with-md5-passwords --with-pam --with-tcp-wrappers
# make && make install

# cp -a /opt/software/openssh-8.0p1/contrib/redhat/sshd.init /etc/init.d/sshd
# cp -a /opt/software/openssh-8.0p1/contrib/redhat/sshd.pam /etc/pam.d/sshd.pam
# chmod +x /etc/init.d/sshd
# chkconfig --add sshd
# chkconfig sshd on

4. Edit the sshd_config file

# vi /etc/ssh/sshd_config
Change the following settings:
  #Port 22
  Port 22

  #PermitRootLogin prohibit-password
  PermitRootLogin yes

  #UseDNS yes
  UseDNS no

5. Verify the configuration

# service sshd start
# ssh -V
OpenSSH_8.0p1, OpenSSL 1.0.2t  28 May 2019
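
An added check for the step 4 edits (not part of the original post): it reports which value sshd takes for Port, PermitRootLogin and UseDNS, and returns non-zero when root password login is enabled. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example: show which value sshd takes for the keywords edited in step 4.
# For most keywords sshd keeps the FIRST uncommented occurrence, so a stricter
# line added further down the file is silently ignored.

# effective_value FILE KEYWORD -> first global (pre-Match) value, or empty
effective_value() {
    awk -v want="$2" -F'[ \t=]+' '
        { sub(/^[ \t]+/, "") }                  # strip indentation, re-split
        /^(#|$)/ { next }                       # comment or blank line
        tolower($1) == "match" { exit }         # global section ends here
        tolower($1) == tolower(want) {
            sub(/^[^ \t=]+[ \t=]+/, "")         # drop keyword and separator
            sub(/[ \t]+$/, "")                  # drop trailing whitespace
            print; exit
        }
    ' "$1"
}

# Constructed sample: the step 4 edits plus a later, ineffective "no".
sample_config() {
    cat <<'EOF'
#Port 22
Port 22
#PermitRootLogin prohibit-password
PermitRootLogin yes
#UseDNS yes
UseDNS no
PermitRootLogin no
Match User backup
    PermitRootLogin forced-commands-only
EOF
}

# audit_sshd_config FILE -> prints the three values; returns 1 if root can
# log in with a password (PermitRootLogin yes), 0 otherwise.
audit_sshd_config() {
    rc=0
    for kw in Port PermitRootLogin UseDNS; do
        val=$(effective_value "$1" "$kw")
        echo "$kw = ${val:-<unset, built-in default applies>}"
        case "$kw:$val" in
            PermitRootLogin:[Yy][Ee][Ss])
                echo "  note: root password login is enabled" >&2; rc=1 ;;
        esac
    done
    return $rc
}
```

Source the file and run audit_sshd_config /etc/ssh/sshd_config; on a live host, sshd -T prints the full effective configuration, including built-in defaults.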
