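Recently, some Linux systems at a customer site were found to be running an older SSH with version-specific vulnerabilities. After looking into it briefly, I found that installing the latest version of OpenSSH allows a smooth upgrade.
Log in over SSH to the server to be upgraded and check the current version: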
[[email protected] ~]# ssh -V
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
Create a /tools directory under / and upload the installation files to it with an FTP tool (the files can be downloaded from the official sites).
mkdir /tools
[[email protected] tools]# ls -ltrh
total 9.2M
-rw-r--r--. 1 root root 1.5M Jun 28 09:14 openssh-7.2p2.tar.gz
-rw-r--r--. 1 root root 5.1M Jun 28 09:14 openssl-1.0.2h.tar.gz
-rw-r--r--. 1 root root 2.7M Jun 28 09:14 zlib-1.2.8.tar.gz
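-----------------------------------------Configure YUM---------------------------------------------------------
Insert the system installation disc and configure the yum repository. (Alternatively, upload the ISO to the server and run mount -o loop <ISO file path> /mnt)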
[[email protected] ~]# mount /dev/cdrom1 /mnt/
mount: block device /dev/sr0 is write-protected, mounting read-only
[[email protected] ~]# cd /etc/yum.repos.d/
[[email protected] yum.repos.d]# ls
CentOS-Base.repo CentOS-Debuginfo.repo CentOS-Media.repo CentOS-Vault.repo
[[email protected] yum.repos.d]# rm -rf *
[[email protected] yum.repos.d]# touch local.repo
[[email protected] yum.repos.d]# vi local.repo
[[email protected] yum.repos.d]# cat local.repo
[local]
name=centos
gpgcheck=0
enabled=1
baseurl=file:///mnt
[[email protected] yum.repos.d]# yum makecache
Loaded plugins: fastestmirror, refresh-packagekit, security
local | 4.0 kB 00:00 ...
local/group_gz | 220 kB 00:00 ...
local/filelists_db | 5.8 MB 00:00 ...
local/primary_db | 4.4 MB 00:00 ...
local/other_db | 2.7 MB 00:00 ...
Metadata Cache Created
-------------------Install a Telnet server before upgrading, in case SSH login fails after the restart------------------
Install the Telnet service with yum:
yum install telnet-server
Go to /etc/xinetd.d and, in the telnet file, set disable=no (the original value is yes).
[[email protected] xinetd.d]# cat telnet
# default: on
# description: The telnet server serves telnet sessions; it uses \
# unencrypted username/password pairs for authentication.
service telnet
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
disable = no
}
Allow the root user to log in remotely, then restart the service:
[[email protected] xinetd.d]# echo 'pts/0' >>/etc/securetty
[[email protected] xinetd.d]# echo 'pts/1' >>/etc/securetty
[[email protected] xinetd.d]# service xinetd restart
Stopping xinetd: [FAILED]
Starting xinetd: [ OK ]
-----------------------Log in to the system via telnet---------------------------------------------------------------------
Log in via telnet as root to carry out the OpenSSH changes.
-----------------------Remove openssh with yum-----------------------------------------------------------------
yum remove openssh
------------------------Install zlib-----------------------------------------------------------------------------------
cd /tools
tar -xvf zlib-1.2.8.tar.gz
cd zlib-1.2.8
./configure --prefix=/usr/local/zlib && make && make install
-------------------------Install openssl----------------------------------------------------------------------------
cd /tools
tar -xvf openssl-1.0.2h.tar.gz
cd openssl-1.0.2h
./config --prefix=/usr/local/openssl
make depend
make
make install
-----------------------Install openssh-----------------------------------------------------------------------------
cd /tools
tar -xvf openssh-7.2p2.tar.gz
cd openssh-7.2p2
./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/openssl --with-zlib=/usr/local/zlib --with-md5-passwords --without-hardening && make && make install
-------------------------Copy the SSHD service file-----------------------------------------------------------------
cp contrib/redhat/sshd.init /etc/init.d/sshd
chmod +x /etc/init.d/sshd
--------------------------Modify the SSHD service file----------------------------------------------------------------
Edit the sshd file:
vi /etc/init.d/sshd
Change the following:
SSHD=/usr/sbin/sshd to SSHD=/usr/local/openssh/sbin/sshd
/usr/bin/ssh-keygen -A to /usr/local/openssh/bin/ssh-keygen -A
Save and exit.
Add it to the system services:
[[email protected] openssh-7.2p2]# chkconfig --add sshd
Check that the entry has been added to the boot-time services:
[[email protected] openssh-7.2p2]# chkconfig --list |grep sshd
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
Restart the SSHD service.
service sshd start
---------------------------Modify /etc/profile------------------------------------------------------------------------
Edit /etc/profile and add the following line at the end:
export PATH=$PATH:/usr/local/openssh/bin
Then exit to log out; the change takes effect after logging in again. Run ssh -V again to check the installed OpenSSH version:
[[email protected] ~]# ssh -V
OpenSSH_7.2p2, OpenSSL 1.0.2h 3 May 2016
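After upgrading to the new version, remote login as root is not allowed by default.
Once the upgrade is complete, remove the Telnet service.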
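The last step is easy to leave half done: the Telnet fallback also changed /etc/xinetd.d/telnet and /etc/securetty. The script below is an added example, not part of the original post, that audits the `ssh -V` banner and both files; the function names and the constructed sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit that the upgrade took
# effect and that the temporary Telnet fallback has been rolled back.

# Print the OpenSSH version (e.g. 7.2p2) from an `ssh -V` banner.
ssh_banner_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9.]*p[0-9]*\).*/\1/p'
}

# Succeed if the xinetd service file leaves Telnet enabled.
# A missing file counts as removed; otherwise this check treats the
# service as enabled unless the file says "disable = yes".
telnet_enabled() {
    [ -f "$1" ] || return 1
    val=$(sed 's/#.*//' "$1" |
        awk -F= '$1 ~ /^[ \t]*disable[ \t]*$/ {gsub(/[ \t]/, "", $2); v = $2} END {print v}')
    [ "$val" != "yes" ]
}

# Print the pts/N lines left in a securetty file; these let root log in
# on network pseudo-terminals, which is what the Telnet step relied on.
securetty_pts() {
    [ -f "$1" ] || return 0
    grep -E '^pts/[0-9]+[[:space:]]*$' "$1" || true
}

# audit <ssh -V banner> <expected version> <xinetd telnet file> <securetty file>
audit() {
    rc=0
    v=$(ssh_banner_version "$1")
    [ "$v" = "$2" ] || { echo "FAIL: ssh reports '$v', expected $2"; rc=1; }
    if telnet_enabled "$3"; then echo "FAIL: Telnet still enabled in $3"; rc=1; fi
    left=$(securetty_pts "$4")
    [ -z "$left" ] || { echo "FAIL: root pts entries remain in $4:" $left; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: new OpenSSH active, Telnet fallback removed"
    return "$rc"
}

# Constructed sample: the state right after the upgrade, before cleanup.
tmp=$(mktemp -d)
printf 'service telnet\n{\n\tdisable = no\n}\n' > "$tmp/telnet"
printf 'console\ntty1\npts/0\npts/1\n' > "$tmp/securetty"
audit 'OpenSSH_7.2p2, OpenSSL 1.0.2h 3 May 2016' 7.2p2 "$tmp/telnet" "$tmp/securetty" || true
rm -rf "$tmp"
# On the real host: audit "$(ssh -V 2>&1)" 7.2p2 /etc/xinetd.d/telnet /etc/securetty
```

On the constructed sample the audit reports two failures (Telnet still enabled, pts/0 and pts/1 still in securetty); it passes once `disable = yes` is restored or the file is removed and the pts lines are deleted.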