Openss*较低版本;随时会带来安全隐患;及时更新做好安全防护。
1. 下载Openssl软件包
# wget https://ftp.openssl.org/source/openssl-1.1.1m.tar.gz
2. 提前安装所需要的依赖包
# yum install -y gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel pam-devel pam* zlib*
# mv /usr/bin/openssl /usr/bin/openssl.bak
# tar xf openssl-1.1.1m.tar.gz
# cd ./openssl-1.1.1m
# ./config --prefix=/usr/local/openssl && make && make install
# ln -sf /usr/local/openssl/bin/openssl /usr/bin/openssl
# echo "/usr/local/openssl/lib" >> /etc/ld.so.conf
# ldconfig -v ##设置生效
# openssl version ##查看版本是否生效 OpenSSL 1.1.1m 14 Dec 2021
# wget https://mirrors.aliyun.com/pub/OpenBSD/OpenSSH/portable/openssh-8.6p1.tar.gz
# mv /etc/ssh /etc/ssh.20220308bak
3. 解压、编译、配置。
# tar xf openssh-8.6p1.tar.gz
# chown -R root.root openssh-8.6p1
# cd ./openssh-8.6p1
# vim version.h ##可以隐藏Openssh版本号
/* $OpenBSD: version.h,v 1.90 2021/04/16 03:42:00 djm Exp $ */
#define SSH_VERSION "Leave now" ##自定义
#define SSH_PORTABLE "! ! !" ##自定义
#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
# ./configure --prefix=/usr/ --sysconfdir=/etc/ssh/ -with-openssl-includes=/usr/include/openssl --with-ssl-dir=/usr/local/openssl/ --with-zlib --with-md5-passwords --with-pam
# make && make install
# cp -a contrib/redhat/sshd.init /etc/init.d/sshd
# vim /etc/ssh/sshd_config
PermitRootLogin yes ##使能root远程登录
PasswordAuthentication yes ##使能密码验证
UsePam yes ##开启认证模块
# cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd
# vim /etc/pam.d/sshd
#%PAM-1.0
auth required pam_sepermit.so
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth
# chmod +x /etc/init.d/sshd # chkconfig --add sshd # chkconfig sshd on
# mv /usr/lib/systemd/system/sshd.service /tmp ##升级版本后的sshd归sysv管理;systemd管理不了,(我是这么理解的);如果不移走;会出现sshd在无限重启。记得看日志。 # systemctl enable sshd ## 命令输人后,会反馈一下情况;对照理解。就需要将原先归systemd管理的sshd服务;交给sysv来管理。
sshd.service is not a native service, redirecting to /sbin/chkconfig.
Executing /sbin/chkconfig sshd on
Note: Forwarding request to 'systemctl enable sshd.socket'.
Created symlink from /etc/systemd/system/sockets.target.wants/sshd.socket to /usr/lib/systemd/system/sshd.socket.
# systemctl restart sshd # ssh -V ##查看版本, Leave now! ! !, OpenSSL 1.1.1m 14 Dec 2021
感谢以下这几位的文章:
https://developpaper.com/upgrade-centos7-openssh-to-the-latest-version/
https://programmer.group/ssh-upgrade-version-8.2p1.html
https://blog.csdn.net/tladagio/article/details/117083270