
CentOS 7 升级 OpenSSH

更换yum源为阿里源

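# Switch the yum repositories to the Aliyun mirror.
# The first three commands are chained with && so that a failed cd does not
# let the mv run against whatever directory the shell happened to be in.
cd /etc/yum.repos.d/ \
  && mkdir -p repo_bak \
  && mv -- *.repo repo_bak/
# The mirror's repo definition is fetched over HTTPS. Before building the
# cache, read the downloaded file and confirm it keeps gpgcheck=1 with a
# gpgkey entry, so package signatures are still verified after the switch.
wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.repo
grep -n 'gpgcheck' /etc/yum.repos.d/CentOS-Base.repo
yum makecache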

查看ssh版本

# Record which OpenSSH packages are installed and which client version is in
# use before anything is removed; useful for comparison after the upgrade.
rpm -qa | grep -- openssh
ssh -V

升级ssh依赖库

# Build dependencies for the OpenSSL and OpenSSH source builds below:
# compiler, zlib, OpenSSL headers, PAM and SELinux development files.
yum -y install \
  gcc gcc-c++ \
  zlib zlib-devel \
  openssl openssl-devel \
  pam-devel \
  libselinux-devel

将 openssh-9.1p1.tar.gz、openssl-1.1.1q.tar.gz 上传到 /data/tools/

备份原来ssh的配置,备用

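# Back up the sshd sysconfig file and the systemd units owned by the
# openssh-server rpm; removing the rpm below deletes them, and they are moved
# back after the source build (same path plus a .bak suffix).
for unit in /etc/sysconfig/sshd \
            /usr/lib/systemd/system/sshd.service \
            /usr/lib/systemd/system/sshd.socket \
            /usr/lib/systemd/system/sshd@.service \
            /usr/lib/systemd/system/sshd-keygen.service; do
  cp -r -- "$unit" "$unit.bak"
done
# /etc/ssh holds sshd_config and the host private keys. Keep this copy so the
# host keys can be put back after the new install; otherwise every client
# sees a changed host key and has to clean its known_hosts.
cp -r /etc/ssh /etc/ssh.bak
# Remove the distribution openssh packages: list, remove, list again.
# Run this from a console or keep the current session open: once the rpm is
# gone there is no distribution sshd to accept new logins until the new
# build is installed and linked. The package names come from rpm instead of
# being hard-coded, so a different 7.x package build does not break the step.
rpm -qa | grep openssh
rpm -qa | grep openssh | xargs -r rpm -e --nodeps
rpm -qa | grep openssh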

安装openssl

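# Build OpenSSL 1.1.1q from source into /usr/local/openssl.
# This step is optional: do it only if the OpenSSH configure below reports
# that no usable OpenSSL was found, then rerun that configure.
#
# The tarball was uploaded by hand, so nothing has checked it yet. Compare the
# digest with the value published by the OpenSSL project before extracting;
# a tampered or truncated archive must not become the system's crypto library.
# Note also that the 1.1.1 branch is no longer maintained upstream and this
# build is outside rpm, so yum will never update it — track it manually.
sha256sum /data/tools/openssl-1.1.1q.tar.gz   # compare with the upstream value
cd /data/tools/ \
  && tar -zxvf openssl-1.1.1q.tar.gz \
  && cd openssl-1.1.1q \
  && mkdir -p /usr/local/openssl \
  && ./config --prefix=/usr/local/openssl/ \
  && make \
  && make install

# At this point the new binary cannot find its own shared libraries:
/usr/local/openssl/bin/openssl version
# /usr/local/openssl/bin/openssl: error while loading shared libraries: libcrypto.so.1.1: cannot open shared object file: No such file or directory

# Make libssl/libcrypto 1.1 visible to the dynamic loader. ln -s fails rather
# than overwrite when /usr/lib64 already has a file of that name, so a failure
# here means another libssl.so.1.1 is installed and must be looked at first.
# (A file in /etc/ld.so.conf.d/ plus ldconfig is the alternative that leaves
# /usr/lib64 untouched.)
sudo ln -s /usr/local/openssl/lib/libssl.so.1.1 /usr/lib64/
sudo ln -s /usr/local/openssl/lib/libcrypto.so.1.1 /usr/lib64/

# Put the new openssl binary on PATH, parking the old one in /root/.
# /usr/bin/openssl belongs to the openssl rpm installed above: from now on
# `rpm -V openssl` reports it, and a later `yum update openssl` may put the
# rpm's binary back, so recheck this after package updates.
mv /usr/bin/openssl /root/
ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl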

安装openssh

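# Install OpenSSH 9.1p1 from source into /usr/local/openssh.
# /etc/ssh is emptied so make install lays down fresh default config files;
# /opt/sshbak keeps the old sshd_config and host keys for the restore below.
mkdir -p /opt/sshbak && mv /etc/ssh/* /opt/sshbak/

# Privilege-separation directory. sshd refuses to start unless it is owned by
# root and neither group- nor world-writable, so set that explicitly.
mkdir -p /usr/local/sshd && chown root:root /usr/local/sshd && chmod 0755 /usr/local/sshd

# The tarball was uploaded by hand; compare the digest with the upstream
# published value / signature before building it.
sha256sum /data/tools/openssh-9.1p1.tar.gz   # compare with the upstream value
# Absolute path: the original relied on the shell still being in /data/tools,
# which is not the case after the optional OpenSSL build (it cd's into its
# own source directory).
tar xf /data/tools/openssh-9.1p1.tar.gz -C /usr/local/src/ && cd /usr/local/src/openssh-9.1p1/

# --without-openssl-header-check disables configure's check that the OpenSSL
# headers and library versions agree. With the self-built OpenSSL above the
# cleaner route is to point configure at it (--with-ssl-dir) and keep the
# check. --with-pam only has an effect if sshd_config sets UsePAM yes (the
# upstream default is no), and the removed openssh-server rpm also owned
# /etc/pam.d/sshd — check that file exists if PAM is wanted (the source tree
# ships contrib/redhat/sshd.pam).
configure_opts=(
  --prefix=/usr/local/openssh
  --without-openssl-header-check
  --with-md5-passwords
  --with-pam
  --with-privsep-path=/usr/local/sshd/
  --sysconfdir=/etc/ssh
)
./configure "${configure_opts[@]}" && make -j4 && make install

# If configure stops with "OpenSSL library not found", point it at the
# self-built OpenSSL and rerun:
./configure "${configure_opts[@]}" --with-ssl-dir=/usr/local/openssl && make -j4 && make install

# Expose the new binaries on the paths the removed rpms used. ln -s does not
# overwrite, so a failure here means an old file is still in place.
# Only these five are linked; scp, sftp and ssh-agent from the removed
# openssh-clients rpm are not, and live under /usr/local/openssh/bin.
ln -s /usr/local/openssh/sbin/sshd /sbin/sshd
ln -s /usr/local/openssh/bin/ssh /usr/bin/ssh
ln -s /usr/local/openssh/bin/ssh-add /usr/bin/ssh-add
ln -s /usr/local/openssh/bin/ssh-keygen /usr/bin/ssh-keygen
ln -s /usr/local/openssh/bin/ssh-keyscan /usr/bin/ssh-keyscan

# Put the old host keys back so clients keep matching their known_hosts
# entries (make install generated a new set because /etc/ssh was empty).
# -p keeps the 0600 mode and ownership of the private keys.
cp -p /opt/sshbak/ssh_host_*_key /opt/sshbak/ssh_host_*_key.pub /etc/ssh/
# Reuse the old sshd_config only if it carried site settings (ports,
# AllowUsers, ...) and only after reviewing it: options the 7.4 release
# accepted may be rejected by 9.1.
# cp -p /opt/sshbak/sshd_config /etc/ssh/

# Restore the rpm's unit files and sysconfig saved earlier.
for unit in /etc/sysconfig/sshd \
            /usr/lib/systemd/system/sshd.service \
            /usr/lib/systemd/system/sshd.socket \
            /usr/lib/systemd/system/sshd@.service \
            /usr/lib/systemd/system/sshd-keygen.service; do
  mv -- "$unit.bak" "$unit"
done
# The rpm's unit may declare Type=notify; a source-built sshd does not send
# the readiness notification that implies, which matches the start timeout
# described later on this page. If Type= says notify, Type=simple (sshd is
# started with -D there) is a smaller change than the SysV script workaround.
# ExecStart's path must also resolve to the newly linked /sbin/sshd.
grep -n -e '^Type=' -e '^ExecStart=' /usr/lib/systemd/system/sshd.service

# Check the installed version.
ssh -V

# Edit the default config. Upstream ships PermitRootLogin prohibit-password,
# which already lets root log in with a key; switching it to yes only adds
# root password logins and exposes the root account to password guessing,
# so keep the default unless root password logins are really required.
vi /etc/ssh/sshd_config
# (original step: change "#PermitRootLogin prohibit-password" to "PermitRootLogin yes")
# Syntax-check the config and keys before (re)starting the service.
/sbin/sshd -t

# Enable at boot. On CentOS 7 chkconfig forwards native units to systemctl,
# so the systemctl line alone would do; both are kept as in the original.
chkconfig sshd on
systemctl enable sshd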

遇到的问题

使用 systemctl start sshd 命令启动 sshd 服务时会卡住,过一会显示启动超时,查询状态发现 sshd 服务启动失败。但是,通过源码包自带的 sshd.init 脚本可以正常地管理 sshd 服务的启停。

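# Workaround for the systemd start timeout: let systemd drive the SysV script
# shipped in the OpenSSH source tree instead of starting sshd directly.
# Before adopting it, check the restored unit for Type=notify — a source-built
# sshd does not send the readiness notification that implies, and switching
# that line to Type=simple is the smaller fix.
#
# The script is referenced by the path used in the extraction step above; the
# relative form depended on the shell still being in the source directory.
cp /usr/local/src/openssh-9.1p1/opensshd.init /etc/init.d/sshd.init
chmod +x /etc/init.d/sshd.init
# The unit below points at /etc/rc.d/init.d; on CentOS 7 /etc/init.d is a
# symlink to that directory. Confirm before relying on it:
readlink -f /etc/init.d

# Replace the unit wholesale (same effect as clearing the file in vim and
# pasting the content). KillMode=process stops only the listener, so existing
# sessions — including the one running these commands — survive the restart.
cat > /usr/lib/systemd/system/sshd.service <<'EOF'
[Unit]
Documentation=man:systemd-sysv-generator(8)
SourcePath=/etc/rc.d/init.d/sshd.init
Description=SYSV: OpenSSH server daemon

[Service]
Type=forking
Restart=no
TimeoutSec=5min
IgnoreSIGPIPE=no
KillMode=process
GuessMainPID=no
RemainAfterExit=no
PIDFile=/var/run/sshd.pid
ExecStart=/etc/rc.d/init.d/sshd.init start
ExecStop=/etc/rc.d/init.d/sshd.init stop
ExecReload=/etc/rc.d/init.d/sshd.init reload
EOF

systemctl daemon-reload
systemctl enable sshd
systemctl restart sshd
systemctl status sshd -l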

升级 openssh 时编译报错“configure: error: *** working libcrypto not found, check config.log”

# This error comes from a missing openssl-devel package or an unusable
# libcrypto. openssl-devel was already part of the dependency install near the
# top of this page; if the error persists with it installed, the library path
# is the likelier cause (see the --with-ssl-dir variant of configure).
yum -y install openssl-devel

更新 ssh 后会造成原先的免密登录失效(通常是因为服务端主机密钥发生了变化,客户端 known_hosts 中的旧记录不再匹配)

# Run on the client: drop the stale known_hosts entry for the server.
# The next connection presents the server's new host key — check its
# fingerprint out of band (ssh-keygen -lf /etc/ssh/ssh_host_*_key.pub on the
# server) before accepting it instead of answering yes blindly. Restoring the
# old host keys on the server makes this step unnecessary.
ssh-keygen -R 'lyricn.com'