Compiling and upgrading OpenSSH (OpenSSH 8.5 upgrade)
OpenSSH download link:
https://mirrors.aliyun.com/pub/OpenBSD/OpenSSH/portable/openssh-9.7p1.tar.gz
1. Back up the existing sshd file under pam.d
mv /etc/pam.d/sshd /etc/pam.d/sshd-bak && ls -l /etc/pam.d/sshd* && cp -r /etc/ssh /etc/ssh-bak
If the sshd file is not present in pam.d when you try to back it up, copy one over from another server, or run vi /etc/pam.d/sshd and enter the following content:
cat <<EOF> /etc/pam.d/sshd
#%PAM-1.0
auth substack password-auth
auth include postlogin
account required pam_sepermit.so
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session optional pam_motd.so
session include password-auth
session include postlogin
EOF
2. Resolve dependencies
Linux7.x
yum -y install wget gcc zlib-devel openssl-devel pam-devel libselinux-devel tar net-tools telnet \
telnet-server xinetd make cmake
Linux8.x
dnf -y install wget gcc zlib-devel openssl-devel pam-devel libselinux-devel tar net-tools telnet \
telnet-server xinetd make cmake
Linux9.x
dnf -y install wget gcc zlib-devel openssl-devel pam-devel libselinux-devel tar net-tools telnet \
telnet-server make cmake
3. Configure telnet to start at boot, so that the server stays reachable if the connection is interrupted while the old SSH is being uninstalled
On Linux 9.x, you need to download the xinetd package from Linux 7.0 or Linux 8.x and install it:
wget https://dl.rockylinux.org/pub/rocky/8/AppStream/x86_64/os/Packages/x/xinetd-2.3.15-25.el8.x86_64.rpm && \
dnf -y localinstall xinetd-2.3.15-25.el8.x86_64.rpm
Edit the xinetd configuration file
touch /etc/xinetd.d/telnet && \
cat <<EOF> /etc/xinetd.d/telnet
service telnet
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
disable = no
}
EOF
Enable xinetd at boot and start the telnet service
systemctl daemon-reload && systemctl enable xinetd && systemctl start xinetd
4. Uninstall the existing OpenSSH
rpm -e --nodeps `rpm -qa | grep openssh`
5. Fix the "permissions are too open" error reported during compilation
chmod 600 /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_ecdsa_key /etc/ssh/ssh_host_ed25519_key
6. Download and extract the latest OpenSSH
cd /tmp && wget https://mirrors.aliyun.com/pub/OpenBSD/OpenSSH/portable/openssh-9.7p1.tar.gz && \
tar xf openssh-9.7p1.tar.gz && \
cd openssh-9.7p1 && \
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam \
--with-tcp-wrappers --with-ssl-dir=/usr/local/ssl --with-zlib=/usr/local/zlib \
--without-hardening && make && make install
7. Copy the configuration files and allow root to log in remotely
On Linux 7.x or Linux 8.x, add the following:
cd /tmp/openssh-9.7p1 && \
cp -a contrib/redhat/sshd.init /etc/init.d/sshd && \
cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd.pam && \
chown -R root:root /etc/init.d/sshd && \
chmod u+x /etc/init.d/sshd
On Linux 9.x, add the following. The heredoc delimiter is quoted so that $OPTIONS and $MAINPID are written into the unit file literally instead of being expanded (to empty strings) by the shell, and Type=simple matches sshd -D, which keeps sshd in the foreground:
cat <<'EOF' >/usr/lib/systemd/system/sshd.service
[Unit]
Description=OpenSSH server daemon
After=network.target
[Service]
Type=simple
EnvironmentFile=-/etc/sysconfig/sshd
ExecStart=/usr/sbin/sshd -D $OPTIONS
ExecStop=/bin/kill -s QUIT $MAINPID
ExecReload=/usr/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartSec=42s
[Install]
WantedBy=multi-user.target
EOF
8. Edit the configuration file /etc/ssh/sshd_config
#1. Find the line "#PermitRootLogin prohibit-password", remove the leading # and change prohibit-password to yes, so that it reads "PermitRootLogin yes"
#2. Uncomment "#PasswordAuthentication yes" so that it reads "PasswordAuthentication yes"
sed -i "s/#PermitRootLogin prohibit-password/PermitRootLogin yes/g" /etc/ssh/sshd_config && \
sed -i "s/#PasswordAuthentication yes/PasswordAuthentication yes/g" /etc/ssh/sshd_config
9. Add the sshd service to the boot startup items
Linux7.x or Linux8.x
chkconfig --add sshd && chkconfig sshd on
Linux9.x
systemctl daemon-reload && systemctl enable sshd && systemctl restart sshd
10. Verify the result
ssh -V
If sshd fails to start after the restart, as shown in the screenshot below:
Solution:
This is caused by SELinux being enabled; disable SELinux and restart sshd.
# Disable temporarily
setenforce 0
# To disable permanently, edit /etc/selinux/config and change SELINUX=enforcing or SELINUX=permissive to the following
SELINUX=disabled
systemctl restart sshd
On Linux 9.x, be sure to disable SELinux; otherwise, after entering the username you will repeatedly be told that the password is wrong.
11. Reboot the server
reboot
12. Uninstall telnet
dnf -y remove telnet telnet-server xinetd
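The following post-upgrade audit is an added example and not part of the original post; it checks the two results of steps 8 and 10 that are worth confirming after the reboot: the installed version (parsed from the "ssh -V" banner) and the effective values of the sshd_config options the sed commands changed. The config reader applies sshd's own rules (first occurrence of a keyword wins, keywords are case-insensitive, settings after a Match line are conditional); not following Include directives is an assumed simplification, and the sample config and banner are constructed here.

```shell
#!/usr/bin/env bash
# Added post-upgrade audit for the procedure above (example code, not from the original post).
# sshd_config is read the way sshd reads it: '#' lines are comments, keywords are
# case-insensitive, the FIRST occurrence of a keyword wins, and anything after a
# Match line is conditional. Include directives are not followed (assumed limitation).

# sshd_option CONFIG KEY DEFAULT -> effective global value of KEY, or DEFAULT if unset.
sshd_option() {
    awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" -v def="$3" '
        /^[[:space:]]*#/ || NF == 0 { next }              # comment or blank line
        tolower($1) == "match"     { exit }               # later values are conditional
        tolower($1) == key         { print $2; found = 1; exit }
        END { if (!found) print def }' "$1"
}

# ssh_version BANNER -> version from "ssh -V" output (which goes to stderr), e.g. 9.7p1.
ssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9.]*p[0-9]*\).*/\1/p'
}

# permissive_count CONFIG -> how many of the two settings changed in step 8 are in
# their permissive state (root login allowed, password authentication on): 0, 1 or 2.
permissive_count() {
    local n=0
    if [ "$(sshd_option "$1" PermitRootLogin prohibit-password)" = yes ]; then n=$((n + 1)); fi
    if [ "$(sshd_option "$1" PasswordAuthentication yes)" = yes ]; then n=$((n + 1)); fi
    echo "$n"
}

# Constructed sample: a stock sshd_config after the two sed commands of step 8,
# plus a Match block that must not change the global answer.
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat >"$SAMPLE_CFG" <<'EOF'
#Port 22
PermitRootLogin yes
#PubkeyAuthentication yes
PasswordAuthentication yes
Match User backup
    PasswordAuthentication no
EOF

# Constructed banner; on the upgraded host use: ssh_version "$(ssh -V 2>&1)"
printf 'OpenSSH version: %s\n' "$(ssh_version 'OpenSSH_9.7p1, OpenSSL 3.0.7 1 Nov 2022')"
for key in PermitRootLogin PasswordAuthentication Port; do
    printf '%s=%s\n' "$key" "$(sshd_option "$SAMPLE_CFG" "$key" '(sshd default)')"
done
printf 'permissive settings: %s of 2\n' "$(permissive_count "$SAMPLE_CFG")"
```

On a real host, point the functions at /etc/ssh/sshd_config instead of the sample file.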