1. 关闭selinux
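# Switch SELinux off for the upgrade.
# - The sed rewrites SELINUX=enforcing to SELINUX=disabled in
#   /etc/sysconfig/selinux, which takes effect at the next boot.
# - setenforce 0 puts the running system into permissive mode immediately.
# The original test was true for any getenforce output, so on a host that was
# already "Disabled" setenforce 0 ran and failed; that state is skipped here.
# NOTE(review): nothing on this page shows that the build or the new sshd
# needs SELinux off. Disabling it permanently removes the confinement that
# applies to sshd - confirm it is required before keeping this step.
# NOTE(review): on stock CentOS /etc/sysconfig/selinux is usually a symlink to
# /etc/selinux/config, and GNU sed -i replaces a symlink with a regular file
# instead of editing its target - check with `ls -l` which file was changed.
selinux_state=$(getenforce 2>/dev/null)
if [[ -n "$selinux_state" && "$selinux_state" != "Disabled" ]]; then
  sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/sysconfig/selinux && setenforce 0
fi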
2. 备份旧版ssh配置
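# Back up the current SSH configuration directory before touching it.
# cp -a (instead of -rf) keeps modes, ownership and timestamps, so any private
# host keys in the copy stay as restricted as the originals.
# If /etc/ssh.bak already exists, cp would nest a second copy inside it
# (/etc/ssh.bak/ssh), so an existing backup is left untouched.
if [[ -e /etc/ssh.bak ]]; then
  echo "/etc/ssh.bak already exists; keeping the existing backup" >&2
else
  cp -a /etc/ssh /etc/ssh.bak
fi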
3. 安装配置新版本openssh
3.1: 安装编译依赖
# Build prerequisites: compiler plus the OpenSSL and PAM headers that the
# configure step (--with-pam) needs. rpm-build is installed as in the
# original even though the steps on this page build from the tarball.
yum install -y \
  gcc \
  openssl-devel \
  pam-devel \
  rpm-build
3.2: 编译安装openssh8.1
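# Stage directory for the source tarball; copy openssh-8.1p1.tar.gz into it
# before continuing. (In the original this note sat on the mkdir line itself,
# where the shell would have treated it as a second directory name.)
mkdir -pv /data/pkgs/
pkg=/data/pkgs/openssh-8.1p1.tar.gz

if [[ ! -f "$pkg" ]]; then
  echo "Not 8.1 install packages"
else
  # Integrity check: set OPENSSH_SHA256 to the digest published with the
  # OpenSSH release (not given on this page). Without it the digest is only
  # printed so it can be compared by hand.
  if [[ -n "${OPENSSH_SHA256:-}" ]]; then
    printf '%s  %s\n' "$OPENSSH_SHA256" "$pkg" | sha256sum -c - || pkg=
  else
    echo "OPENSSH_SHA256 not set; tarball digest (compare with the published value):" >&2
    sha256sum "$pkg" >&2
  fi

  # Each step runs only if the previous one succeeded, so a failed extract or
  # cd can no longer lead to configure/make running in the wrong directory.
  # NOTE(review): tcp-wrappers support was removed upstream in OpenSSH 6.7, so
  # --with-tcp-wrappers is ignored by this configure. Any sshd rules in
  # /etc/hosts.allow or /etc/hosts.deny stop applying after the upgrade and
  # need an equivalent firewall or sshd_config restriction.
  [[ -n "$pkg" ]] &&
    tar zxf "$pkg" -C /usr/local/src/ &&
    cd /usr/local/src/openssh-8.1p1/ &&
    ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-md5-passwords --with-tcp-wrappers &&
    make -j 4 &&
    make install
fi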
包下载地址: wget https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/openssh-8.1p1.tar.gz (需要在3.2解压之前下载并放到 /data/pkgs/ 下;解压编译前先用 sha256sum 与OpenSSH官方发布的校验值或签名核对)
3.3: 用户登录设置
# Uncomment "PermitRootLogin yes" in the sshd configuration, then print every
# RootLogin line so the result can be checked by eye.
# The sed only touches a line that is exactly the commented-out
# "#PermitRootLogin yes"; a line with any other value is left as it is.
# NOTE(review): this allows root to log in over SSH with a password. Step 6 on
# this page logs in as a normal user and then uses sudo, which does not depend
# on this setting.
sshd_config=/etc/ssh/sshd_config
sed -i -e '/^#PermitRootLogin/s/#PermitRootLogin yes/PermitRootLogin yes/' "$sshd_config"
grep RootLogin "$sshd_config"
4. 重启ssh
[root@nock-test openssh-8.1p1]# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: /etc/ssh/sshd_config line 81: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 83: Unsupported option GSSAPICleanupCredentials
[ OK ]
报错解决方法: 这次编译没有启用Kerberos支持,所以GSSAPI相关选项不被识别,只需把提示错误的行(上面提示的第81、83行)加#号注释掉即可
[root@nock-test openssh-8.1p1]# vim /etc/ssh/sshd_config
[root@nock-test openssh-8.1p1]# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
5. 查看SSH服务版本
[root@nock-test openssh-8.1p1]# ssh -V
OpenSSH_8.1p1, OpenSSL 1.0.1e-fips 11 Feb 2013
在升级SSH时,你当前已经建立的SSH会话不会因为升级或重启服务而断掉(重启的只是监听进程);在第6步确认能从新终端登录之前,不要关闭当前这个会话
注意 :
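OpenSSH升级后,如果仍然需要root用户用密码直接ssh登录,一定要把/etc/ssh/sshd_config里的 PermitRootLogin no 改为 PermitRootLogin yes(被注释掉的 #PermitRootLogin yes 也要去掉#号),然后再重启OpenSSH服务
否则,再另开一个终端窗口,使用root用户ssh登录该机器就会失败了,因为OpenSSH从7.0起 PermitRootLogin 的默认值是 prohibit-password,root用户的密码登录会被拒绝;像第6步那样用普通用户登录后再sudo则不受影响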
6. 另开终端登录测试
nock:work nock$ ssh nock@42.159.88.51
Password:
Last login: Wed Dec 4 10:48:37 2019 from 219.148.158.41
[nock@nock-test ~]$ sudo su
[sudo] password for nock:
[root@nock-test nock]# ssh -V
OpenSSH_8.1p1, OpenSSL 1.0.1e-fips 11 Feb 2013
到这里OpenSSH版本升级成功, 参考:https://www.cnblogs.com/bigdevilking/p/9532664.html
一键安装脚本参考:
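#!/bin/bash
# One-shot OpenSSH 8.1p1 source upgrade for a yum-based host that uses SysV
# init scripts (/etc/init.d/*, `service`).
#
# Changes compared with the original listing:
#   * every critical step is checked, so a failed download, cd or build no
#     longer falls through to editing sshd_config and restarting sshd;
#   * the build happens first and the temporary telnet fallback is opened only
#     just before `make install`, keeping the exposure window short;
#   * the fallback is really closed afterwards (telnet disabled again,
#     /etc/securetty restored, firewall restarted if it had been running);
#     the original only moved /etc/securetty back and left telnet enabled
#     with iptables stopped.
#
# Optional environment:
#   OPENSSH_SHA256  expected SHA-256 of the tarball, taken from the OpenSSH
#                   release announcement (not given on the source page).
#                   When unset the download is used unverified and a warning
#                   is printed.

set -u

readonly SRC_DIR=/usr/local/src
readonly TARBALL=openssh-8.1p1.tar.gz
readonly TARBALL_URL="https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/${TARBALL}"
readonly SSHD_CONFIG=/etc/ssh/sshd_config
readonly TELNET_XINETD=/etc/xinetd.d/telnet

iptables_was_running=0

# Print an error to stderr and stop the script.
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

# Print a warning to stderr and carry on.
warn() {
  printf 'WARNING: %s\n' "$*" >&2
}

# Temporarily allow telnet logins (root included) in case sshd does not come
# back after the upgrade. Anything typed over telnet, passwords included,
# crosses the network unencrypted, so this stays open only until sshd has
# been restarted.
open_fallback() {
  /usr/bin/yum install -y telnet-server || die "cannot install telnet-server"
  # Flip only the "disable" line; the original pattern 's/= yes/= no/g'
  # rewrote every "= yes" in the file.
  /bin/sed -i 's/^\([[:space:]]*disable[[:space:]]*=[[:space:]]*\)yes/\1no/' "$TELNET_XINETD"
  /etc/init.d/xinetd restart
  # Moving /etc/securetty away is the original's way of letting root log in
  # on the telnet pseudo-terminals.
  if [[ -e /etc/securetty ]]; then
    mv /etc/securetty /etc/securetty.bak
  fi
  # Remember whether the firewall was up so it can be put back afterwards.
  # NOTE(review): relies on the init script's `status` exit code - confirm on
  # the target release.
  if /etc/init.d/iptables status >/dev/null 2>&1; then
    iptables_was_running=1
  fi
  /etc/init.d/iptables stop
}

# Undo everything open_fallback changed.
close_fallback() {
  /bin/sed -i 's/^\([[:space:]]*disable[[:space:]]*=[[:space:]]*\)no/\1yes/' "$TELNET_XINETD"
  /etc/init.d/xinetd restart
  if [[ -e /etc/securetty.bak ]]; then
    mv /etc/securetty.bak /etc/securetty
  fi
  if ((iptables_was_running)); then
    /etc/init.d/iptables start
  fi
}

# --- 1. Fetch, verify and build (the running sshd is not touched yet) -------
/usr/bin/yum install -y gcc openssl-devel pam-devel rpm-build ||
  die "cannot install build dependencies"
cd "$SRC_DIR" || die "cannot cd to $SRC_DIR"
# -O overwrites a stale copy instead of saving the new file as *.tar.gz.1.
/usr/bin/wget -O "$TARBALL" "$TARBALL_URL" || die "download failed"

if [[ -n "${OPENSSH_SHA256:-}" ]]; then
  printf '%s  %s\n' "$OPENSSH_SHA256" "$TARBALL" | sha256sum -c - ||
    die "checksum mismatch for $TARBALL"
else
  warn "OPENSSH_SHA256 not set; $TARBALL is being built without verification"
fi

/bin/tar -xf "$TARBALL" || die "cannot extract $TARBALL"
cd "${SRC_DIR}/openssh-8.1p1" || die "source directory missing"
# NOTE(review): tcp-wrappers support was removed upstream in OpenSSH 6.7, so
# --with-tcp-wrappers is ignored here. sshd rules in /etc/hosts.allow and
# /etc/hosts.deny stop applying after the upgrade.
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-md5-passwords --with-tcp-wrappers ||
  die "configure failed"
make -j 4 || die "build failed"

# --- 2. Prepare the switch-over ----------------------------------------------
# NOTE(review): SELinux is disabled as in the original; the page does not show
# why the upgrade needs this. It removes the confinement applied to sshd.
/bin/sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/sysconfig/selinux
/usr/sbin/setenforce 0 || warn "setenforce 0 failed (SELinux may already be disabled)"

# Back up the old configuration; -a keeps modes and ownership. An existing
# backup is kept, because cp would otherwise nest a copy inside it.
if [[ -e /etc/ssh.bak ]]; then
  warn "/etc/ssh.bak already exists; keeping the existing backup"
else
  cp -a /etc/ssh /etc/ssh.bak || die "cannot back up /etc/ssh"
fi

open_fallback

# --- 3. Install and reconfigure ----------------------------------------------
make install || die "make install failed; telnet fallback is still OPEN"

# NOTE(review): this re-enables password login for root over SSH, as the
# original did. Logging in as a normal user and using sudo works without it.
/bin/sed -i 's_#PermitRootLogin yes_PermitRootLogin yes_g' "$SSHD_CONFIG"
# This build has no GSSAPI support, so these options would be reported as
# unsupported when sshd starts; comment them out whatever their value.
/bin/sed -i \
  -e 's/^GSSAPIAuthentication /#&/' \
  -e 's/^GSSAPICleanupCredentials /#&/' \
  "$SSHD_CONFIG"

# Validate the configuration before restarting the listener.
/usr/sbin/sshd -t || die "sshd_config rejected; telnet fallback is still OPEN"
service sshd restart || die "sshd restart failed; telnet fallback is still OPEN"
/usr/bin/ssh -V

# --- 4. Close the telnet fallback --------------------------------------------
# A clean restart does not prove that logins work; keep the current session
# open and test a fresh SSH login from a second terminal.
close_fallback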

本文由 fsb 创作,采用 知识共享署名4.0 国际许可协议进行许可
本站文章除注明转载/出处外,均为本站原创或翻译,转载前请务必署名
最后编辑时间为: Dec 4, 2019 at 12:30 pm