Home > Article > Operation and Maintenance > Detailed example of upgrading openssh
1. Download the latest openssh package
##2. Before upgrading openssh, you must first open the server telnet and log in to the server through telnet, because the upgrade process will cause ssh to be temporarily unavailable
Open the linux telnet service: Check whether telnet has been installed: rpm -qa|grep telnettelnet-0.17-48.el6.x86_64telnet-server-0.17-48.el6.x86_64 If it is not installed, install it through yum[root@leotest ~]# yum install telnet[root@leotest ~]# yum install telnet-server Start the telnet service: Edit the telnet file and change disable to no[root@leotest xinetd.d]# vi /etc/xinetd.d/telnet# default: on# description: The telnet server serves telnet sessions; it uses \ # unencrypted username/password pairs for authentication.service telnet{ flags = REUSE socket_type = stream wait = no user = root server = /usr/sbin/in.telnetd log_on_failure += USERID
## disable
no}
Restart the xinetd service:
service xinetd restart
or:
/etc/rc.d/init.d/xinetd restart
Connect to the server via telnet:
[c:\~]$ telnet 192.168.5.5
Connecting to 192.168.5.5:23...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
Red Hat Enterprise Linux Server release 6.8 (Santiago)
Kernel 2.6.32-642.el6. x86_64 on an x86_64
login: test
Password:
[test@leotest ~]$
due to defaulttelnet can only connect to ordinary users, so you need to log in as an ordinary user and jump to rootuser
3. Back up the original openssh related files: cp /usr/sbin/sshd /usr/ sbin/sshd.bak
cp /etc/ssh/ssh_config /etc/ssh/ssh_config.bak
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
cp /etc/ssh/moduli /etc/ssh/moduli.bak
Note: Delete the following three files, otherwise an error will be reported during installation:
/etc/ssh/ssh_config already exists, install will not overwrite
/etc/ssh/sshd_config already exists, install will not overwrite
/etc/ssh /moduli already exists, install will not overwrite
rm /etc/ssh/ssh_config -fr
rm /etc/ssh/sshd_config -fr
rm /etc/ssh/moduli -fr
yum install pam-devel
yum install zlib-devel
yum install openssl-devel
4. Unzip and install openssh##[root@ leotest softs]# tar -zxvf openssh-7.4p1.tar.gz
[root@leotest softs]# lsopenssh-7.4p1 openssh-7.4p1.tar.gz openssh-7.4 p1-vs-openbsd.diff.gz[root@leotest softs]# cd openssh-7.4p1[root@leotest openssh-7.4p1]#./configure --prefix= /usr/local/openssh --sysconfdir=/etc/ssh --with-pam --with-md5-passwords --mandir=/usr/share/manconfigure: error: * ** zlib.h missing – please install first or check config.log
#yum install zlib-devel
configure: error: *** Can't find recent OpenSSL libcrypto (see config.log for details) ***#yum install openssl openssl-devel Recompile:Before recompiling Clean up the previous compilation information: make cleanldconfig[root@leotest openssh-7.4p1]#./configure --prefix= /usr/local/openssh --sysconfdir=/etc/ssh --with-pam --with-md5-passwords --mandir=/usr/share/man
OpenSSH has been configured with the following options :User binaries: /usr/bin
System binaries: /usr/sbin
Configuration files: /etc/ssh
Askpass program: /usr/libexec/ssh-askpass
Manual pages: /usr/share/man/manX
PID file: /var/run
Privilege separation chroot path: /var/empty
sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin
Manpage format: doc
PAM support: no
OSF SIA support: no
KerberosV support: no
SELinux support: no
Smartcard support:
S/KEY support: no
MD5 password support: no
libedit support: no
Solaris process contract support: no
Solaris project support: no
Solaris privilege support: no
IP address in $DISPLAY hack: no
Translate v4 in v6 hack: yes
BSD Auth support: no
Random number source: OpenSSL internal ONLY
Privsep sandbox style: rlimit
Host: x86_64-pc-linux-gnu
Compiler: gcc
Compiler flags: -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wno-pointer-sign -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-all -fPIE
Preprocessor flags:
Linker flags: -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-all -pie
Libraries: -lcrypto -lrt -ldl -lutil -lz -lcrypt -lresolv
make && make install
/etc/init.d/sshd restart
5.覆盖旧的文件
cp -p /softs/openssh-7.4p1/contrib/redhat/sshd.init /etc/init.d/sshd
chmod u+x /etc/init.d/sshd
chkconfig --add sshd
cp /usr/local/openssh/sbin/sshd /usr/sbin/sshd
[root@pttlstydb openssh-7.4p1]# cp /usr/local/openssh/sbin/sshd /usr/sbin/sshd
cp: overwrite `/usr/sbin/sshd'? y
cp: cannot create regular file `/usr/sbin/sshd': Text file busy
文件正在被使用
[root@pttlstydb openssh-7.4p1]# ps -ef|grep sshd
root 14111 1 0 10:05 ? 00:00:00 sshd: root@pts/0
root 14865 1 0 10:22 ? 00:00:00 sshd: root@notty
root 24182 14779 0 10:30 pts/1 00:00:00 grep sshd
[root@pttlstydb openssh-7.4p1]# kill -9 14865
[root@pttlstydb openssh-7.4p1]# ps -ef|grep sshd
root 24227 14779 0 10:31 pts/1 00:00:00 grep sshd
重新覆盖:
cp /usr/local/openssh/bin/ssh /usr/bin/ssh
[root@leotest openssh-7.4p1]# service sshd restart
Stopping sshd: [ OK ]
ssh-keygen: illegal option -- A
usage: ssh-keygen [options]
Options:
cat /etc/init.d/sshd
start()
{
# Create keys if necessary
/usr/bin/ssh-keygen -A
if [ -x /sbin/restorecon ]; then
/sbin/restorecon /etc/ssh/ssh_host_key.pub
/sbin/restorecon /etc/ssh/ssh_host_rsa_key.pub
/sbin/restorecon /etc/ssh/ssh_host_dsa_key.pub
/sbin/restorecon /etc/ssh/ssh_host_ecdsa_key.pub
fi
echo -n $"Starting $prog:"
$SSHD $OPTIONS && success || failure
RETVAL=$?
[ $RETVAL -eq 0 ] && touch /var/lock/subsys/sshd
echo
}
因为默认低版本的ssh-keygen没有-A参数
解决方法:
cp /usr/local/openssh/bin/ssh-keygen /usr/bin/ssh-keygen
重启sshd服务:
[root@leotest ssh]# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
Starting sshd:/etc/ssh/sshd_config line 81: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 83: Unsupported option GSSAPICleanupCredentials
原因:新版本的openssh不支持以上参数,需要修改sshd的配置文件
[root@leotest openssh-7.4p1]# vi /etc/ssh/sshd_config
##去掉前面的注释,允许root通过ssh登录
PermitRootLogin yes
##注释掉下面三个参数
#GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
#UsePAM yes
##在文件末尾加上如下信息,否则还是无法通过ssh登录linux:
导致此问题的原因是ssh升级后,为了安全,默认不再采用原来一些加密算法,我们手工添加进去即可。
Ciphers aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc,arcfour128,arcfour256,arcfour,blowfish-cbc,cast128-cbc
MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1,curve25519-sha256@libssh.org
6.重启sshd服务,测试ssh连接服务器
service sshd restart
[c:\~]$ ssh 192.168.5.5
Connecting to 192.168.5.5:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
Last login: Tue Dec 27 00:22:10 2016 from 192.168.5.2
[root@leotest ~]# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.1e-fips 11 Feb 2013
7.禁用telnet
[root@leotest ~]# vi /etc/xinetd.d/telnet
# default: on
# description: The telnet server serves telnet sessions; it uses \
# unencrypted username/password pairs for authentication.
service telnet
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
disable = yes
}
StopxinetdService:
[root@leotest ~]# service xinetd stop
Stopping xinetd:
stop Stopping and starting. :off --list xinetd
xinetd 0:off 1:off 2:off3:off 4:off 5:off
6:off## After the upgrade, the problem is solved:
An error is reported when logging into Linux through winscp. The solution is as follows:
[root@leotest ~]# vi /etc/ssh/sshd_config
# override default of no subsystems#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftpComment out the original and change it to the following internal-sftp
Restart the sshd service:
service sshd restart
The above is the detailed content of Detailed example of upgrading openssh. For more information, please follow other related articles on the PHP Chinese website!