服务器安装openssh9.9p1
11.81.2.19更新 SSL
[*]备份原有设置
1.1 查看 openssl 版本
openssl version
OpenSSL 1.0.2k-fips26 Jan 2017
1.2 查看 openssl 路径
whereis openssl
openssl: /usr/bin/openssl /usr/lib64/openssl /usr/include/openssl /usr/share/man/man1/openssl.1ssl.gz
1.3 备份 openssl 文件
cp /usr/bin/openssl /usr/bin/openssl_old
cp -r /usr/include/openssl /usr/include/openssl_old
[*]下载新 openssl 文件
下载地点:https://openssl-library.org/source/index.html
选择的版本是 openssl-3.0.15.tar.gz,恒久支持版本,支持到 2026年 7月
上传到服务器: /data/soft
[*]升级 openssl
3.1 解压并进入
tar -zxvf openssl-3.0.15.tar.gz
cd openssl-3.0.15.tar.gz
3.2 设置 openssl 安装目录
./config --prefix=/usr/local/openssl
Can't locate IPC/Cmd.pm in @INC (@INC contains: /data/soft/openssl-3.0.15/util/perl /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 . /data/soft/openssl-3.0.15/external/perl/Text-Template-1.56/lib) at /data/soft/openssl-3.0.15/util/perl/OpenSSL/config.pm line 19.
BEGIN failed--compilation aborted at /data/soft/openssl-3.0.15/util/perl/OpenSSL/config.pm line 19.
Compilation failed in require at /data/soft/openssl-3.0.15/Configure line 23.
BEGIN failed--compilation aborted at /data/soft/openssl-3.0.15/Configure line 23.
报错解决方案:
方案一:利用 perl-CPAN 安装依靠【不保举】
1)安装perl-CPAN
yum install -y perl-CPAN
2)进入CPAN的shell模式
注意:首次进入需要设置shell,按照提示操作即可,我这里是一路回车,安装需要肯定时间
perl -MCPAN -e shell
【日志见附1】
3)在shell中安装缺少的模块
cpan> install IPC/Cmd.pm
【日志见附2,未完成,换yum直接安装方式】
方案二:利用 yum 安装依靠
或者yum下令安装perl-IPC/Cmd 【更快】:
yum -y install zlib* perl pam* gcc* perl-IPC-Cmd
【日志见附3】
安装成功后,再次编译OpenSSL就成功啦
./config --prefix=/usr/local/openssl
Configuring OpenSSL version 3.0.15 for target linux-x86_64
Using os-specific seed configuration
Created configdata.pm
Running configdata.pm
Created Makefile.in
Created Makefile
Created include/openssl/configuration.h
**********************************************************************
*** ***
*** OpenSSL has been successfully configured ***
*** ***
*** If you encounter a problem while building, please open an ***
*** issue on GitHub <https://github.com/openssl/openssl/issues>***
*** and include the output from the following command: ***
*** ***
*** perl configdata.pm --dump ***
*** ***
*** (If you are new to OpenSSL, you might want to consult the ***
*** 'Troubleshooting' section in the INSTALL.md file first) ***
*** ***
**********************************************************************
3.3 编译&&安装
make && make install
需要肯定的时间
3.4 创建软连接
说明:创建的软链接和之前没升级通过whereis openssl保持一致即可。
mv /usr/bin/openssl /usr/bin/openssl_bak
ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
mv /usr/include/openssl /usr/include/openssl_bak
ln -s /usr/local/openssl/include/openssl /usr/include/openssl
3.5 添加动态链接库数据
cat /etc/ld.so.conf
include ld.so.conf.d/*.conf
echo “/usr/local/openssl/lib64/” >> /etc/ld.so.conf
cat /etc/ld.so.conf
include ld.so.conf.d/*.conf
/usr/local/openssl/lib64/ 3.6 更新动态链接库
ldconfig -v
4 验证 openssl 版本
说明:-a参数能表现更完整的信息
openssl version -a
更新完成
升级 openSSH
[*]查抄版本
ssh -V
OpenSSH_8.0p1, OpenSSL 1.0.2k-fips 26 Jan 2017
[*] 下载新版本
下载地点:https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/
选择版本 openssh-9.9p1.tar.gz
上传到服务器: /data/soft
[*] 解压并进入
tar -zxvf openssh-9.9p1.tar.gz
cd openssh-9.9p1
[*]安装依靠
yum -y install gcc pam-devel zlib-devel openssl-devel net-tools
Package gcc-4.8.5-39.el7.ns7.01.x86_64 already installed and latest version
Package pam-devel-1.1.8-22.el7.x86_64 already installed and latest version
Package zlib-devel-1.2.7-18.el7.x86_64 already installed and latest version
Package 1:openssl-devel-1.0.2k-21.el7_9.ns7.01.x86_64 already installed and latest version
Package net-tools-2.0-0.24.20131004git.el7.ns7.01.x86_64 already installed and latest version
Nothing to do
[*]备份原始文件
cp -r -a /etc/ssh/ /etc/ssh.bak
cp -r -a /etc/pam.d/ /etc/pam.d.bak
cp -r -a /usr/sbin/sshd /usr/sbin/sshd.bak
cp -r -a /usr/bin/ssh /usr/bin/ssh.bak
cp -r -a /usr/bin/ssh-keygen /usr/bin/ssh-keygen.bak
[*]卸载原体系的openssh包
rpm -e --nodeps rpm -qa | grep openssh
[*]编译安装openssh【注意,此步调之后不能断开连接,直到设置完成才气建立新连接】
注意修改 ssl 目录为先前设置的目录
./configure --prefix=/usr/local/openssh-9.9p1 --sysconfdir=/etc/ssh --with-pam --with-ssl-dir=/usr/local/openssl --with-md5-passwords --with-zlib
make && make install
cc -std=gnu11 -o ssh-sk-helper ssh-sk-helper.o ssh-sk.o sk-usbhid.o -L. -Lopenbsd-compat/ -L/usr/local/openssl/lib64-Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -pie-lssh -lopenbsd-compat -lssh -lopenbsd-compat -ldl -lutil-lresolv-lcrypto-lz
/usr/bin/mkdir -p /usr/local/openssh-9.9p1/bin
/usr/bin/mkdir -p /usr/local/openssh-9.9p1/sbin
/usr/bin/mkdir -p /usr/local/openssh-9.9p1/share/man/man1
/usr/bin/mkdir -p /usr/local/openssh-9.9p1/share/man/man5
/usr/bin/mkdir -p /usr/local/openssh-9.9p1/share/man/man8
/usr/bin/mkdir -p /usr/local/openssh-9.9p1/libexec
/usr/bin/mkdir -p -m 0755 /var/empty
/usr/bin/install -c -m 0755 -s ssh /usr/local/openssh-9.9p1/bin/ssh
/usr/bin/install -c -m 0755 -s scp /usr/local/openssh-9.9p1/bin/scp
/usr/bin/install -c -m 0755 -s ssh-add /usr/local/openssh-9.9p1/bin/ssh-add
/usr/bin/install -c -m 0755 -s ssh-agent /usr/local/openssh-9.9p1/bin/ssh-agent
/usr/bin/install -c -m 0755 -s ssh-keygen /usr/local/openssh-9.9p1/bin/ssh-keygen
/usr/bin/install -c -m 0755 -s ssh-keyscan /usr/local/openssh-9.9p1/bin/ssh-keyscan
/usr/bin/install -c -m 0755 -s sshd /usr/local/openssh-9.9p1/sbin/sshd
/usr/bin/install -c -m 0755 -s sshd-session /usr/local/openssh-9.9p1/libexec/sshd-session
/usr/bin/install -c -m 4711 -s ssh-keysign /usr/local/openssh-9.9p1/libexec/ssh-keysign
/usr/bin/install -c -m 0755 -s ssh-pkcs11-helper /usr/local/openssh-9.9p1/libexec/ssh-pkcs11-helper
/usr/bin/install -c -m 0755 -s ssh-sk-helper /usr/local/openssh-9.9p1/libexec/ssh-sk-helper
/usr/bin/install -c -m 0755 -s sftp /usr/local/openssh-9.9p1/bin/sftp
/usr/bin/install -c -m 0755 -s sftp-server /usr/local/openssh-9.9p1/libexec/sftp-server
/usr/bin/install -c -m 644 ssh.1.out /usr/local/openssh-9.9p1/share/man/man1/ssh.1
/usr/bin/install -c -m 644 scp.1.out /usr/local/openssh-9.9p1/share/man/man1/scp.1
/usr/bin/install -c -m 644 ssh-add.1.out /usr/local/openssh-9.9p1/share/man/man1/ssh-add.1
/usr/bin/install -c -m 644 ssh-agent.1.out /usr/local/openssh-9.9p1/share/man/man1/ssh-agent.1
/usr/bin/install -c -m 644 ssh-keygen.1.out /usr/local/openssh-9.9p1/share/man/man1/ssh-keygen.1
/usr/bin/install -c -m 644 ssh-keyscan.1.out /usr/local/openssh-9.9p1/share/man/man1/ssh-keyscan.1
/usr/bin/install -c -m 644 moduli.5.out /usr/local/openssh-9.9p1/share/man/man5/moduli.5
/usr/bin/install -c -m 644 sshd_config.5.out /usr/local/openssh-9.9p1/share/man/man5/sshd_config.5
/usr/bin/install -c -m 644 ssh_config.5.out /usr/local/openssh-9.9p1/share/man/man5/ssh_config.5
/usr/bin/install -c -m 644 sshd.8.out /usr/local/openssh-9.9p1/share/man/man8/sshd.8
/usr/bin/install -c -m 644 sftp.1.out /usr/local/openssh-9.9p1/share/man/man1/sftp.1
/usr/bin/install -c -m 644 sftp-server.8.out /usr/local/openssh-9.9p1/share/man/man8/sftp-server.8
/usr/bin/install -c -m 644 ssh-keysign.8.out /usr/local/openssh-9.9p1/share/man/man8/ssh-keysign.8
/usr/bin/install -c -m 644 ssh-pkcs11-helper.8.out /usr/local/openssh-9.9p1/share/man/man8/ssh-pkcs11-helper.8
/usr/bin/install -c -m 644 ssh-sk-helper.8.out /usr/local/openssh-9.9p1/share/man/man8/ssh-sk-helper.8
/usr/bin/mkdir -p /etc/ssh
/etc/ssh/ssh_config already exists, install will not overwrite
/etc/ssh/sshd_config already exists, install will not overwrite
/etc/ssh/moduli already exists, install will not overwrite
/usr/local/openssh-9.9p1/sbin/sshd -t -f /etc/ssh/sshd_config
/etc/ssh/sshd_config line 79: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 80: Unsupported option GSSAPICleanupCredentials
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_rsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Unable to load host key "/etc/ssh/ssh_host_rsa_key": bad permissions
Unable to load host key: /etc/ssh/ssh_host_rsa_key
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_ecdsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Unable to load host key "/etc/ssh/ssh_host_ecdsa_key": bad permissions
Unable to load host key: /etc/ssh/ssh_host_ecdsa_key
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Unable to load host key "/etc/ssh/ssh_host_key": bad permissions
Unable to load host key: /etc/ssh/ssh_host_key
sshd: no hostkeys available -- exiting.
make: Error 1 (ignored)
make: warning:Clock skew detected.Your build may be incomplete.
[*]复制新设置到原来的目录
cp /usr/local/openssh-9.9p1/sbin/sshd /usr/sbin/sshd
会报 cp: cannot create regular file ‘/usr/sbin/sshd’: Text file busy
可以先 > mv /usr/sbin/sshd /usr/sbin/sshd.bak 然后再实行
cp /usr/local/openssh-9.9p1/bin/ssh /usr/bin/ssh
cp /usr/local/openssh-9.9p1/bin/ssh-keygen /usr/bin/ssh-keygen
cp -p contrib/redhat/sshd.init /etc/init.d/sshd
我装完这个已经在里面了,假如没有则复制一下
cp /usr/local/openssh-9.9p1/etc/sshd_config /etc/ssh/sshd_config
[*]修改设置(重要)
chmod +x /etc/init.d/sshd
vim /etc/ssh/sshd_config
将设置文件中这几个改为yes:
[*]PermitRootLogin yes
[*]PubkeyAuthentication yes
[*]PasswordAuthentication yes
说明:
PermitRootLogin yes:答应root用户通过SSH登录到体系(最最最重要这个肯定要设置,否则你重启sshd服务之后就不能远程连接了)
PubkeyAuthentication yes:启用公钥身份验证
PasswordAuthentication yes:启用暗码身份验证
[*]开机自启
systemctl enable sshd
[*]重启 sshd
systemctl restart sshd
报错
Job for sshd.service failed because the control process exited with error code. See "systemctl status sshd.service" and "journalctl -xe" for details.
查看错误
systemctl status sshd.service
● sshd.service - OpenSSH server daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
Active: activating (auto-restart) (Result: exit-code) since Fri 2024-09-20 03:49:26 CST; 16s ago
Docs: man:sshd(8)
man:sshd_config(5)
Process: 83036 ExecStart=/usr/sbin/sshd -D $OPTIONS (code=exited, status=1/FAILURE)
Main PID: 83036 (code=exited, status=1/FAILURE)
Sep 20 03:49:26sshd: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Sep 20 03:49:26sshd: Permissions 0640 for '/etc/ssh/ssh_host_key' are too open.
Sep 20 03:49:26sshd: It is required that your private key files are NOT accessible by others.
Sep 20 03:49:26sshd: This private key will be ignored.
Sep 20 03:49:26sshd: Unable to load host key "/etc/ssh/ssh_host_key": bad permissions
Sep 20 03:49:26sshd: Unable to load host key: /etc/ssh/ssh_host_key
Sep 20 03:49:26sshd: sshd: no hostkeys available -- exiting.
Sep 20 03:49:26systemd: Failed to start OpenSSH server daemon.
Sep 20 03:49:26systemd: Unit sshd.service entered failed state.
Sep 20 03:49:26systemd: sshd.service failed.
解决方案
修改目录权限
chmod -R 600 /etc/ssh
再次重启服务
systemctl restart sshd
[*]查抄版本
sshd -V
另建立一个新会话,查看连接是否正常。
免责声明:如果侵犯了您的权益,请联系站长,我们会及时删除侵权内容,谢谢合作!更多信息从访问主页:qidao123.com:ToB企服之家,中国第一个企服评测及商务社交产业平台。
页:
[1]