A vulnerability scan flagged OpenSSH on a server, so it had to be upgraded. The upgrade ran into a few snags; here is the record.
Install and configure a telnet service
OpenSSH is how we reach the server; if the upgrade fails and sshd will not start, there is no way back in, so install telnet-server as a fallback. Two caveats: telnet is cleartext (passwords cross the wire unencrypted), so expose it only to a trusted management network and remove it as soon as the new sshd is confirmed working; and keep the SSH session you are working in open throughout, since an established session survives the package removal even after the listener is gone, and only a new login needs a working sshd.
yum install telnet-server -y
Allow root to log in on the pseudo-terminals telnet hands out (root is refused on any pty that is not listed in /etc/securetty; note the list as written skips pts/4):
cat >> /etc/securetty <<EOF
pts/0
pts/1
pts/2
pts/3
pts/5
EOF
Enable it at boot:
systemctl enable telnet.socket
Start telnet:
systemctl start telnet.socket
Open the port in the firewall:
firewall-cmd --zone=public --add-port=23/tcp --permanent
firewall-cmd --reload
Install the build dependencies (the tarball needs a compiler plus the zlib, OpenSSL and PAM headers; --with-zlib below fails without zlib-devel):
yum install gcc make zlib-devel openssl-devel pam-devel -y
Download OpenSSH. The mirror carries a detached signature next to the tarball (openssh-9.1p1.tar.gz.asc) and the OpenSSH release key (RELEASE_KEY.asc) in the same directory; verify the signature before building anything from the archive:
cd /opt/
wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.1p1.tar.gz
Unpack:
tar -xvf openssh-9.1p1.tar.gz
Back up the existing configuration and host keys (the host keys are the important part: if the new install generates fresh ones, every client that already knows this server gets a "REMOTE HOST IDENTIFICATION HAS CHANGED" warning):
cp -r /etc/ssh/ /etc/ssh_old/
Remove the old OpenSSH packages (this also pulls in openssh-server and openssh-clients, and the package's removal script stops the sshd listener; the session you are in stays up) and clear the config directory. The host keys are wiped here too; copy them back from /etc/ssh_old/ after make install:
yum remove openssh -y
rm -rf /etc/ssh/*
Change into the source tree:
cd openssh-9.1p1
Configure, build and install (--prefix=/usr installs sshd to /usr/sbin/sshd and ssh to /usr/bin/ssh, the same paths the packages used; --sysconfdir=/etc/ssh keeps the config where the init script expects it):
./configure --prefix=/usr/ --sysconfdir=/etc/ssh --with-zlib --with-md5-passwords --with-pam && make && make install
If it goes through, the last two lines of output look like this (the first is make install running ssh-keygen -A to generate whichever host keys are missing):
ssh-keygen:……ECDSA ED25519
/usr/sbin/sshd……
With that in place, install the init script and PAM stack shipped in the tarball. The PAM file has to be named /etc/pam.d/sshd: with UsePAM yes, sshd asks PAM for the service called "sshd", and a file named sshd.pam is never read:
cp -a contrib/redhat/sshd.init /etc/init.d/sshd
cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd
chmod +x /etc/init.d/sshd
chkconfig --add sshd
chkconfig sshd on
Edit the config to allow root and password logins (these two settings govern password authentication; key and certificate logins work without them):
vi /etc/ssh/sshd_config
Uncomment PasswordAuthentication yes (the compiled-in default is already yes)
Set PermitRootLogin yes (the default is prohibit-password, which still lets root in with a key; prefer that unless root password logins are really required)
Check the config with /usr/sbin/sshd -t first (a syntax error discovered at restart means no sshd and no way in), restart, then confirm a fresh login from a second terminal before closing the session you are in:
service sshd restart
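The whole procedure above as one re-runnable script, added here as an example; it is not code from the original post. It wraps the same commands with the checks that keep the upgrade from locking you out: the host keys are preserved, the PAM file gets its correct name, the config is syntax-checked and audited for root password login before sshd is restarted, the installed version is confirmed, and the telnet fallback is torn down at the end. The variable names, function names and the --install/--restart switches are my own; the script assumes the openssh-9.1p1 tarball is already unpacked under /opt as in the post and that it runs as root on CentOS 7.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumed here: the variable and
# function names, the --install/--restart switches, and that openssh-9.1p1 is
# already unpacked under /opt as in the post. Run as root on CentOS 7 from an SSH
# session you keep open; test a NEW login from a second terminal before closing it.
set -eu

OPENSSH_VER="${OPENSSH_VER:-9.1p1}"
SRC_DIR="${SRC_DIR:-/opt/openssh-${OPENSSH_VER}}"
BACKUP_DIR="${BACKUP_DIR:-/etc/ssh_old}"

# "OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017" -> "7.4p1" (ssh -V prints to stderr).
ssh_version_from() {
  printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9.]*p*[0-9]*\).*/\1/p'
}

# version_ge A B: succeed when OpenSSH version A is at least B, comparing
# major.minor numerically ("8.10p1" is newer than "8.9p1"; a string compare says otherwise).
version_ge() {
  a=${1%%p*}; b=${2%%p*}
  [ "${a%%.*}" -gt "${b%%.*}" ] ||
    { [ "${a%%.*}" -eq "${b%%.*}" ] && [ "${a#*.}" -ge "${b#*.}" ]; }
}

# effective_setting FILE KEYWORD: the value sshd will actually use. sshd takes the
# FIRST occurrence of a keyword and ignores later ones, and everything after a
# Match line is conditional, so the scan stops there.
effective_setting() {
  awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^[[:space:]]*#/ || NF < 2 { next }
    tolower($1) == "match"    { exit }
    tolower($1) == k          { print $2; exit }
  ' "$1"
}

# Succeed when FILE does not let root log in with a password. The fallbacks are
# sshd's own defaults: PermitRootLogin prohibit-password, PasswordAuthentication yes.
root_password_login_blocked() {
  prl=$(effective_setting "$1" PermitRootLogin); prl=${prl:-prohibit-password}
  pa=$(effective_setting "$1" PasswordAuthentication); pa=${pa:-yes}
  case "$prl" in
    no|prohibit-password|without-password|forced-commands-only) return 0 ;;
  esac
  [ "$pa" = "no" ]
}

install_openssh() {
  # 1. Back up config AND host keys (mkdir refuses to clobber an earlier backup).
  #    Without the old keys every client that knows this server gets
  #    "REMOTE HOST IDENTIFICATION HAS CHANGED" after the upgrade.
  mkdir "$BACKUP_DIR" && cp -a /etc/ssh/. "$BACKUP_DIR"/
  # 2. Remove the packaged OpenSSH. The listener stops; the session you are in stays up.
  yum remove -y openssh
  rm -rf /etc/ssh/*
  # 3. Build and install over the package's paths (/usr/sbin/sshd, /usr/bin/ssh).
  cd "$SRC_DIR"
  ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-zlib --with-md5-passwords --with-pam
  make
  make install
  # 4. Put the old host keys back over the ones make install just generated.
  cp -a "$BACKUP_DIR"/ssh_host_*_key* /etc/ssh/
  # 5. Init script and PAM stack from the tarball. The PAM file must be
  #    /etc/pam.d/sshd: with UsePAM yes, sshd asks PAM for the service named "sshd".
  cp -a contrib/redhat/sshd.init /etc/init.d/sshd
  cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd
  chmod +x /etc/init.d/sshd
  chkconfig --add sshd
  chkconfig sshd on
  echo "Installed. Edit /etc/ssh/sshd_config if needed (the post sets PermitRootLogin yes), then run: $0 --restart"
}

restart_and_verify() {
  # 6. Warn (do not abort) if the config as edited lets root in with a password.
  root_password_login_blocked /etc/ssh/sshd_config ||
    echo "WARNING: sshd_config permits root login with a password" >&2
  # 7. Syntax-check the config before restarting; a typo found at restart locks you out.
  /usr/sbin/sshd -t
  service sshd restart
  # 8. Confirm the binary on PATH is the new one.
  v=$(ssh_version_from "$(ssh -V 2>&1)")
  version_ge "$v" "$OPENSSH_VER" || { echo "still running OpenSSH $v" >&2; return 1; }
  echo "OpenSSH $v running. Log in from a second terminal, then drop the telnet fallback:"
  echo "  systemctl disable --now telnet.socket; firewall-cmd --permanent --remove-port=23/tcp; firewall-cmd --reload; yum remove -y telnet-server"
}

# Sourcing the file only defines the functions; the procedure runs on a switch.
case "${1:-}" in
  --install) install_openssh ;;
  --restart) restart_and_verify ;;
esac
```

Save it as, say, upgrade-openssh.sh: `sh upgrade-openssh.sh --install` does the backup, build and install, then edit sshd_config as in the post, then `sh upgrade-openssh.sh --restart` audits, syntax-checks, restarts and verifies. Sourcing the file defines the functions only, so effective_setting and root_password_login_blocked can be pointed at any sshd_config to see what sshd will actually apply (first occurrence wins, later duplicates are silently ignored).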
That is the smooth path.
The rough path: configure may fail with: OpenSSH configure: error: OpenSSL library not found.
One thing to try is pointing configure at the directory holding the OpenSSL libraries and headers. The path below is only right if an OpenSSL is actually installed there; with the stock openssl-devel package the libraries live in /usr/lib64 and configure finds them on its own, so the error usually means openssl-devel is missing:
./configure --prefix=/usr/ --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/lib64/ --with-zlib --with-md5-passwords --with-pam --with-ssl-engine && make && make install
Alternatively, build OpenSSL from source. (1.1.1j is what was used here; the 1.1.1 series reached end of life in September 2023, so pick a currently supported release, or the scanner that started all this will flag the new OpenSSL next.)
wget https://www.openssl.org/source/openssl-1.1.1j.tar.gz
tar -xf openssl-1.1.1j.tar.gz
cd openssl-1.1.1j
./config --prefix=/usr/local/openssl shared
make
make install
OpenSSL is now installed under /usr/local/openssl.
Tell the dynamic linker where the new libraries are (a drop-in file under /etc/ld.so.conf.d/ does the same job and is easier to remove later):
vi /etc/ld.so.conf
add the line:
/usr/local/openssl/lib
save, then run:
ldconfig
Back in the OpenSSH source directory, build against the new OpenSSL:
./configure --prefix=/usr/ --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/openssl --with-zlib --with-md5-passwords --with-pam && make && make install
Once that succeeds, repeat the configuration steps above (from the cp -a lines onward). ssh -V reports both the OpenSSH version and the OpenSSL it was built against, and ldd /usr/sbin/sshd shows which libcrypto it actually loads at run time; check both before relying on the new daemon.
Original source: http://www.cnblogs.com/scotcn/p/OpenSSH-update-on-CentOS7.html