作者:Heike07 版权所有
升级前准备
登陆SSH需要升级的机器
# 登陆ssh
λ ssh root@192.168.30.174
The authenticity of host '192.168.30.174 (192.168.30.174)' can't be established.
ECDSA key fingerprint is SHA256:Mw70Sv5uqPlHxhZbWb8JXcE8ckge4cMIw/CsHMZmAL4.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.30.174' (ECDSA) to the list of known hosts.
root@192.168.30.174's password:
Last login: Tue Nov 1 16:13:34 2022
[root@localhost ~]#
准备Telnet方式作为备用连接，防止SSH中断后无法操作
# 安装telnet xinetd
yum -y install telnet* xinetd*
[root@localhost ~]# cat /etc/securetty | grep pts
pts/1
pts/2
pts/3
pts/4
pts/5
[root@localhost ~]#
# 启动telnet
[root@localhost ~]# systemctl start telnet.socket
[root@localhost ~]# systemctl status telnet.socket
# 测试连接，作为SSH中断后的第二连接方式(非常重要)。注意telnet是明文传输口令，只应在升级期间的受信网络内临时启用，升级完成后务必停用(见下文"telnet服务停用")
S:\cmder
λ telnet 192.168.7.177
Kernel 3.10.0-1127.el7.x86_64 on an x86_64
localhost login: root
Password:
Last login: Fri Nov 4 10:20:51 from ::ffff:192.168.7.1
[root@localhost ~]#
升级中
准备编译环境
# 查看ssh版本
[root@localhost ~]# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
# 安装编译相关资源
[root@localhost openssh-9.0p1]# yum install wget tar make gcc openssl-devel zlib-devel
# 查看ssh相关rpm安装情况
[root@localhost ~]# rpm -qa | grep ssh
openssh-server-7.4p1-21.el7.x86_64
openssh-7.4p1-21.el7.x86_64
openssh-clients-7.4p1-21.el7.x86_64
libssh2-1.8.0-3.el7.x86_64
# 将原有配置目录进行备份(升级后若需沿用原主机密钥，可从 /etc/ssh.bak 恢复 ssh_host_* 文件，客户端就不会出现主机密钥变更告警)
[root@localhost ~]# mv /etc/ssh /etc/ssh.bak
# 删除ssh
[root@localhost ~]# yum remove openssh-7.4p1
# 查看删除结果
[root@localhost ~]# rpm -qa | grep ssh
libssh2-1.8.0-3.el7.x86_64
# 下载最新版本openssh 9.0p1(注意：--no-check-certificate 会跳过HTTPS证书校验，下载后应核对上游发布的签名/校验值再编译)
[root@localhost etc]# cd ~
[root@localhost ~]# wget https://mirrors.sonic.net/pub/OpenBSD/OpenSSH/portable/openssh-9.0p1.tar.gz --no-check-certificate
# 解压缩
[root@localhost ~]# tar xzf openssh-9.0p1.tar.gz
[root@localhost ~]# cd openssh-9.0p1
[root@localhost openssh-9.0p1]#
编译过程
# 运行configure进行配置并生成Makefile
[root@localhost openssh-9.0p1]# ./configure --sysconfdir=/etc/ssh
# 查看配置结果(注意下方 PAM support 为 no，新sshd不会经过PAM认证策略；如需PAM，configure时需加 --with-pam)
OpenSSH has been configured with the following options:
User binaries: /usr/local/bin
System binaries: /usr/local/sbin
Configuration files: /etc/ssh
Askpass program: /usr/local/libexec/ssh-askpass
Manual pages: /usr/local/share/man/manX
PID file: /var/run
Privilege separation chroot path: /var/empty
sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
Manpage format: doc
PAM support: no
OSF SIA support: no
KerberosV support: no
SELinux support: no
libedit support: no
libldns support: no
Solaris process contract support: no
Solaris project support: no
Solaris privilege support: no
IP address in $DISPLAY hack: no
Translate v4 in v6 hack: yes
BSD Auth support: no
Random number source: OpenSSL internal ONLY
Privsep sandbox style: seccomp_filter
PKCS#11 support: yes
U2F/FIDO support: yes
Host: x86_64-pc-linux-gnu
Compiler: cc
Compiler flags: -g -O2 -pipe -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE
Preprocessor flags: -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE
Linker flags: -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -pie
Libraries: -lcrypto -ldl -lutil -lz -lcrypt -lresolv
# 编译
make
# 安装
make install
# 查看安装结果
(cd openbsd-compat && make)
make[1]: Entering directory `/root/openssh-9.0p1/openbsd-compat'
make[1]: Nothing to be done for `all'.
make[1]: Leaving directory `/root/openssh-9.0p1/openbsd-compat'
/usr/bin/mkdir -p /usr/local/bin
/usr/bin/mkdir -p /usr/local/sbin
/usr/bin/mkdir -p /usr/local/share/man/man1
/usr/bin/mkdir -p /usr/local/share/man/man5
/usr/bin/mkdir -p /usr/local/share/man/man8
/usr/bin/mkdir -p /usr/local/libexec
/usr/bin/mkdir -p -m 0755 /var/empty
/usr/bin/install -c -m 0755 -s ssh /usr/local/bin/ssh
/usr/bin/install -c -m 0755 -s scp /usr/local/bin/scp
/usr/bin/install -c -m 0755 -s ssh-add /usr/local/bin/ssh-add
/usr/bin/install -c -m 0755 -s ssh-agent /usr/local/bin/ssh-agent
/usr/bin/install -c -m 0755 -s ssh-keygen /usr/local/bin/ssh-keygen
/usr/bin/install -c -m 0755 -s ssh-keyscan /usr/local/bin/ssh-keyscan
/usr/bin/install -c -m 0755 -s sshd /usr/local/sbin/sshd
/usr/bin/install -c -m 4711 -s ssh-keysign /usr/local/libexec/ssh-keysign
/usr/bin/install -c -m 0755 -s ssh-pkcs11-helper /usr/local/libexec/ssh-pkcs11-helper
/usr/bin/install -c -m 0755 -s ssh-sk-helper /usr/local/libexec/ssh-sk-helper
/usr/bin/install -c -m 0755 -s sftp /usr/local/bin/sftp
/usr/bin/install -c -m 0755 -s sftp-server /usr/local/libexec/sftp-server
/usr/bin/install -c -m 644 ssh.1.out /usr/local/share/man/man1/ssh.1
/usr/bin/install -c -m 644 scp.1.out /usr/local/share/man/man1/scp.1
/usr/bin/install -c -m 644 ssh-add.1.out /usr/local/share/man/man1/ssh-add.1
/usr/bin/install -c -m 644 ssh-agent.1.out /usr/local/share/man/man1/ssh-agent.1
/usr/bin/install -c -m 644 ssh-keygen.1.out /usr/local/share/man/man1/ssh-keygen.1
/usr/bin/install -c -m 644 ssh-keyscan.1.out /usr/local/share/man/man1/ssh-keyscan.1
/usr/bin/install -c -m 644 moduli.5.out /usr/local/share/man/man5/moduli.5
/usr/bin/install -c -m 644 sshd_config.5.out /usr/local/share/man/man5/sshd_config.5
/usr/bin/install -c -m 644 ssh_config.5.out /usr/local/share/man/man5/ssh_config.5
/usr/bin/install -c -m 644 sshd.8.out /usr/local/share/man/man8/sshd.8
/usr/bin/install -c -m 644 sftp.1.out /usr/local/share/man/man1/sftp.1
/usr/bin/install -c -m 644 sftp-server.8.out /usr/local/share/man/man8/sftp-server.8
/usr/bin/install -c -m 644 ssh-keysign.8.out /usr/local/share/man/man8/ssh-keysign.8
/usr/bin/install -c -m 644 ssh-pkcs11-helper.8.out /usr/local/share/man/man8/ssh-pkcs11-helper.8
/usr/bin/install -c -m 644 ssh-sk-helper.8.out /usr/local/share/man/man8/ssh-sk-helper.8
/usr/bin/mkdir -p /etc/ssh
ssh-keygen: generating new host keys: RSA DSA ECDSA ED25519
/usr/local/sbin/sshd -t -f /etc/ssh/sshd_config
[root@localhost openssh-9.0p1]#
操作相关文件参数调整
# 复制生成SSHD服务文件
[root@localhost openssh-9.0p1]# cp -a contrib/redhat/sshd.init /etc/init.d/sshd
# 复制生成ssh-keygen到/usr/bin下
[root@localhost openssh-9.0p1]# cp -a /usr/local/bin/ssh-keygen /usr/bin/ssh-keygen
# 查看安装结果
[root@localhost openssh-9.0p1]# ll /usr/local/sbin/sshd
-rwxr-xr-x 1 root root 904160 Nov 4 10:32 /usr/local/sbin/sshd
[root@localhost openssh-9.0p1]#
# 确认服务文件中的主程序位置(SSHD= 指向新安装的路径)
[root@localhost openssh-9.0p1]# cat /etc/init.d/sshd | grep SSHD=
SSHD=/usr/local/sbin/sshd
[root@localhost openssh-9.0p1]#
# 设置开机启动
[root@localhost openssh-9.0p1]# chkconfig --add sshd
[root@localhost openssh-9.0p1]# chkconfig sshd on
[root@localhost openssh-9.0p1]# systemctl daemon-reload
[root@localhost openssh-9.0p1]# systemctl restart sshd
[root@localhost openssh-9.0p1]# systemctl status sshd
# 设置root可以远程登陆(注意：允许root口令登录会扩大攻击面，生产环境建议改为 prohibit-password 并使用密钥登录)
[root@localhost openssh-9.0p1]# cat /etc/ssh/sshd_config | grep PermitRootLogin
PermitRootLogin yes
# 重启sshd服务
[root@localhost openssh-9.0p1]# systemctl restart sshd
[root@localhost openssh-9.0p1]# systemctl status sshd
升级后处理
测试SSH
# 测试ssh连接情况
λ ssh root@192.168.30.174
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:jK6UYZCyzit0vG6RWF3Bta9pPRabEdc3zdDDtnmp3Pk.
Please contact your system administrator.
Add correct host key in C:\\Users\\ASUS/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in C:\\Users\\ASUS/.ssh/known_hosts:48
ECDSA host key for 192.168.30.174 has changed and you have requested strict checking.
Host key verification failed.
# 删除客户端 known_hosts 中原有的主机公钥记录(删除方式见"常见错误")
S:\cmder
λ vim C:\\Users\\ASUS/.ssh/known_hosts
# 测试登陆(必须测试,有问题看常见错误)
S:\cmder
λ ssh root@192.168.30.174
The authenticity of host '192.168.30.174 (192.168.30.174)' can't be established.
ECDSA key fingerprint is SHA256:jK6UYZCyzit0vG6RWF3Bta9pPRabEdc3zdDDtnmp3Pk.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.30.174' (ECDSA) to the list of known hosts.
root@192.168.30.174's password:
Last login: Fri Nov 4 10:21:34 2022 from ::ffff:192.168.7.1
[root@localhost ~]# ssh -V
OpenSSH_9.0p1, OpenSSL 1.0.2k-fips 26 Jan 2017
[root@localhost ~]#
telnet服务停用(便于其他情况处理)
# telnet服务停用
[root@localhost openssh-9.0p1]# systemctl status telnet.socket
[root@localhost openssh-9.0p1]# systemctl stop telnet.socket
[root@localhost openssh-9.0p1]# systemctl status telnet.socket
# 测试telnet
S:\cmder
λ telnet 192.168.7.177
Connecting To 192.168.7.177...Could not open connection to the host, on port 23: Connect failed
常见错误
WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!
登陆时如果出现这个提示，是因为升级时备份了 /etc/ssh 并重新生成了主机密钥，服务端现在的主机密钥与客户端 known_hosts 中记录的不一致。这个告警本身是防中间人攻击的机制：先对比提示中的指纹，确认变更确实是本次升级导致的，再删除客户端记录的旧公钥即可重新连接。
# 删除相关IP地址一整行的公钥记录即可
λ vim C:\\Users\\ASUS/.ssh/known_hosts
192.168.30.174 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBB5qEg9PfFt8/5WFUHIrjDPJJLptw9oFZrUfl4ommrzbjFESVQhdAvAmhJcDd5mRKv5GZcTFU4Sd72TRck6ngdQ=
密码正确但是登陆不上
查看编译时是否添加了 --sysconfdir=/etc/ssh 参数，并查看服务文件中的定义，可以看到当前为 /etc/ssh
# 查看服务文件指定配置文件位置
[root@localhost openssh-9.0p1]# cat /etc/init.d/sshd | grep restorecon
if [ -x /sbin/restorecon ]; then
/sbin/restorecon /etc/ssh/ssh_host_rsa_key.pub
/sbin/restorecon /etc/ssh/ssh_host_dsa_key.pub
/sbin/restorecon /etc/ssh/ssh_host_ecdsa_key.pub
[root@localhost openssh-9.0p1]#
作者:Heike07 版权所有