Home >Operation and Maintenance >Linux Operation and Maintenance >Detailed example of upgrading openssh

Detailed example of upgrading openssh

零下一度
零下一度Original
2017-06-27 10:09:038820browse

1. Download the latest openssh package


##2. Before upgrading openssh, you must first open the server telnet and log in to the server through telnet, because the upgrade process will cause ssh to be temporarily unavailable

Open the linux telnet service:

Check whether telnet has been installed:

rpm -qa|grep telnet

telnet-0.17-48.el6.x86_64

telnet-server-0.17-48.el6.x86_64

If it is not installed, install it through yum

[root@leotest ~]# yum install telnet

[root@leotest ~]# yum install telnet-server

Start the telnet service:

Edit the telnet file and change disable to no

[root@leotest xinetd.d]# vi /etc/xinetd.d/telnet

# default: on

# description: The telnet server serves telnet sessions; it uses \

# unencrypted username/password pairs for authentication.

service telnet

{

flags = REUSE

socket_type = stream

wait = no

user = root

server = /usr/sbin/in.telnetd

log_on_failure += USERID

##                                                                                                                                                                                                    disable    

no}

Restart the xinetd service:

service xinetd restart

or:

/etc/rc.d/init.d/xinetd restart

Connect to the server via telnet:

[c:\~]$ telnet 192.168.5.5

Connecting to 192.168.5.5:23...

Connection established.

To escape to local shell, press 'Ctrl+Alt+]'.

Red Hat Enterprise Linux Server release 6.8 (Santiago)

Kernel 2.6.32-642.el6. x86_64 on an x86_64

login: test

Password:

[test@leotest ~]$

due to defaulttelnet can only connect to ordinary users, so you need to log in as an ordinary user and jump to rootuser

3. Back up the original openssh related files: cp /usr/sbin/sshd /usr/ sbin/sshd.bak

cp /etc/ssh/ssh_config /etc/ssh/ssh_config.bak

cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

cp /etc/ssh/moduli /etc/ssh/moduli.bak

Note: Delete the following three files, otherwise an error will be reported during installation:

/etc/ssh/ssh_config already exists, install will not overwrite

/etc/ssh/sshd_config already exists, install will not overwrite

/etc/ssh /moduli already exists, install will not overwrite

rm /etc/ssh/ssh_config -fr

rm /etc/ssh/sshd_config -fr

rm /etc/ssh/moduli -fr

yum install pam-devel

yum install zlib-devel

yum install openssl-devel

4. Unzip and install openssh##[root@ leotest softs]# tar -zxvf openssh-7.4p1.tar.gz

[root@leotest softs]# ls

openssh-7.4p1 openssh-7.4p1.tar.gz openssh-7.4 p1-vs-openbsd.diff.gz

[root@leotest softs]# cd openssh-7.4p1

[root@leotest openssh-7.4p1]#./configure --prefix= /usr/local/openssh --sysconfdir=/etc/ssh --with-pam --with-md5-passwords --mandir=/usr/share/man

configure: error: * ** zlib.h missing – please install first or check config.log

#yum install zlib-devel

configure: error: *** Can't find recent OpenSSL libcrypto (see config.log for details) ***

#yum install openssl openssl-devel

Recompile:

Before recompiling Clean up the previous compilation information:

make clean

ldconfig

[root@leotest openssh-7.4p1]

#./configure --prefix= /usr/local/openssh --sysconfdir=/etc/ssh --with-pam --with-md5-passwords --mandir=/usr/share/man

OpenSSH has been configured with the following options :

                     User binaries: /usr/bin

                   System binaries: /usr/sbin

               Configuration files: /etc/ssh

                   Askpass program: /usr/libexec/ssh-askpass

                      Manual pages: /usr/share/man/manX

                          PID file: /var/run

  Privilege separation chroot path: /var/empty

            sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin

                    Manpage format: doc

                       PAM support: no

                   OSF SIA support: no

                 KerberosV support: no

                   SELinux support: no

                 Smartcard support:

                     S/KEY support: no

              MD5 password support: no

                   libedit support: no

  Solaris process contract support: no

           Solaris project support: no

         Solaris privilege support: no

       IP address in $DISPLAY hack: no

           Translate v4 in v6 hack: yes

                  BSD Auth support: no

              Random number source: OpenSSL internal ONLY

             Privsep sandbox style: rlimit

 

              Host: x86_64-pc-linux-gnu

          Compiler: gcc

    Compiler flags: -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wno-pointer-sign -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-all -fPIE

Preprocessor flags:

      Linker flags:  -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-all -pie

         Libraries: -lcrypto -lrt -ldl -lutil -lz  -lcrypt -lresolv

 

make && make install

/etc/init.d/sshd restart

 

5.覆盖旧的文件

cp -p /softs/openssh-7.4p1/contrib/redhat/sshd.init /etc/init.d/sshd

chmod u+x /etc/init.d/sshd

chkconfig --add sshd

cp /usr/local/openssh/sbin/sshd /usr/sbin/sshd

[root@pttlstydb openssh-7.4p1]# cp /usr/local/openssh/sbin/sshd /usr/sbin/sshd

cp: overwrite `/usr/sbin/sshd'? y

cp: cannot create regular file `/usr/sbin/sshd': Text file busy

文件正在被使用

[root@pttlstydb openssh-7.4p1]# ps -ef|grep sshd

root     14111     1  0 10:05 ?        00:00:00 sshd: root@pts/0

root     14865     1  0 10:22 ?        00:00:00 sshd: root@notty

root     24182 14779  0 10:30 pts/1    00:00:00 grep sshd

[root@pttlstydb openssh-7.4p1]# kill -9 14865

[root@pttlstydb openssh-7.4p1]# ps -ef|grep sshd

root     24227 14779  0 10:31 pts/1    00:00:00 grep sshd

 

重新覆盖:

cp /usr/local/openssh/bin/ssh /usr/bin/ssh

 

[root@leotest openssh-7.4p1]# service sshd restart

Stopping sshd:                                             [  OK  ]

ssh-keygen: illegal option -- A

usage: ssh-keygen [options]

Options:

 

cat /etc/init.d/sshd

start()

{

# Create keys if necessary

/usr/bin/ssh-keygen -A

if [ -x /sbin/restorecon ]; then

/sbin/restorecon /etc/ssh/ssh_host_key.pub

/sbin/restorecon /etc/ssh/ssh_host_rsa_key.pub

/sbin/restorecon /etc/ssh/ssh_host_dsa_key.pub

/sbin/restorecon /etc/ssh/ssh_host_ecdsa_key.pub

fi

 

echo -n $"Starting $prog:"

$SSHD $OPTIONS && success || failure

RETVAL=$?

[ $RETVAL -eq 0 ] && touch /var/lock/subsys/sshd

echo

}

 

因为默认低版本的ssh-keygen没有-A参数

解决方法:

cp /usr/local/openssh/bin/ssh-keygen /usr/bin/ssh-keygen

 

 

重启sshd服务:

[root@leotest ssh]# service sshd restart

Stopping sshd:                                             [  OK  ]

Starting sshd:                                             [  OK  ]

Starting sshd:/etc/ssh/sshd_config line 81: Unsupported option GSSAPIAuthentication

/etc/ssh/sshd_config line 83: Unsupported option GSSAPICleanupCredentials

 

原因:新版本的openssh不支持以上参数,需要修改sshd的配置文件

 

[root@leotest openssh-7.4p1]# vi /etc/ssh/sshd_config

##去掉前面的注释,允许root通过ssh登录

PermitRootLogin yes

 

##注释掉下面三个参数

#GSSAPIAuthentication yes

#GSSAPICleanupCredentials yes

#UsePAM yes

 

 

##在文件末尾加上如下信息,否则还是无法通过ssh登录linux:

导致此问题的原因是ssh升级后,为了安全,默认不再采用原来一些加密算法,我们手工添加进去即可。

Ciphers aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc,arcfour128,arcfour256,arcfour,blowfish-cbc,cast128-cbc

MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-sha1-96,hmac-md5-96

KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1,curve25519-sha256@libssh.org

 

 

6.重启sshd服务,测试ssh连接服务器

service sshd restart

[c:\~]$ ssh 192.168.5.5

 

Connecting to 192.168.5.5:22...

Connection established.

To escape to local shell, press 'Ctrl+Alt+]'.

 

Last login: Tue Dec 27 00:22:10 2016 from 192.168.5.2

[root@leotest ~]# ssh -V

OpenSSH_7.4p1, OpenSSL 1.0.1e-fips 11 Feb 2013

 

 

7.禁用telnet

[root@leotest ~]# vi /etc/xinetd.d/telnet

 

# default: on

# description: The telnet server serves telnet sessions; it uses \

#       unencrypted username/password pairs for authentication.

service telnet

{

flags = REUSE

socket_type = stream

wait = no

user = root

server = /usr/sbin/in.telnetd

log_on_failure += USERID

disable = yes

}

StopxinetdService:

[root@leotest ~]# service xinetd stop

Stopping xinetd:                                                             

stop Stopping and starting. :off --list xinetd

xinetd 0:off 1:off 2:off

3:off 4:off 5:off

6:off

## After the upgrade, the problem is solved:

An error is reported when logging into Linux through winscp. The solution is as follows:

[root@leotest ~]# vi /etc/ssh/sshd_config

# override default of no subsystems#Subsystem sftp /usr/libexec/openssh/sftp-server

Subsystem sftp internal-sftp

Comment out the original and change it to the following internal-sftp

Restart the sshd service:

service sshd restart

The above is the detailed content of Detailed example of upgrading openssh. For more information, please follow other related articles on the PHP Chinese website!

Statement:
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn