redhat linux6.5升级openssh
1.下载最新的openssh包
http://www.openssh.com/portable.html#http
2.升级openssh之前要先打开服务器telnet,通过telnet登录服务器,因为升级过程中会导致ssh暂时不能用
打开linux telnet服务:
查看telnet是否已经安装:
rpm -qa|grep telnet
telnet-0.17-48.el6.x86_64
telnet-server-0.17-48.el6.x86_64
如果没有安装,通过yum安装
[root@leotest ~]# yum install telnet
[root@leotest ~]# yum install telnet-server
启动telnet服务:
编辑telnet文件,将disable改成no
[root@leotest xinetd.d]# vi /etc/xinetd.d/telnet
# default: on
# description: The telnet server serves telnet sessions; it uses \
# unencrypted username/password pairs for authentication.
service telnet
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
disable = no
}
重启xinetd服务:
service xinetd restart
or:
/etc/rc.d/init.d/xinetd restart
通过telnet连接服务器:
[c:\~]$ telnet 192.168.5.5
Connecting to 192.168.5.5:23...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
Red Hat Enterprise Linux Server release 6.8 (Santiago)
Kernel 2.6.32-642.el6.x86_64 on an x86_64
login: test
Password:
[test@leotest ~]$
由于默认telnet只能连接普通用户,所以需要登录普通用户之后跳转到root用户
3.备份原openssh相关文件:
cp /usr/sbin/sshd /usr/sbin/sshd.bak
cp /etc/ssh/ssh_config /etc/ssh/ssh_config.bak
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
cp /etc/ssh/moduli /etc/ssh/moduli.bak
Note:删除掉下面三个文件,否则安装的时候会报错:
/etc/ssh/ssh_config already exists, install will not overwrite
/etc/ssh/sshd_config already exists, install will not overwrite
/etc/ssh/moduli already exists, install will not overwrite
rm /etc/ssh/ssh_config -fr
rm /etc/ssh/sshd_config -fr
rm /etc/ssh/moduli -fr
yum install pam-devel
yum install zlib-devel
yum install openssl-devel
4.解压并安装openssh
[root@leotest softs]# tar -zxvf openssh-7.4p1.tar.gz
[root@leotest softs]# ls
openssh-7.4p1 openssh-7.4p1.tar.gz openssh-7.4p1-vs-openbsd.diff.gz
[root@leotest softs]# cd openssh-7.4p1
[root@leotest openssh-7.4p1]#./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-pam --with-md5-passwords --mandir=/usr/share/man
### configure: error: *** zlib.h missing – please install first or check config.log
#yum install zlib-devel
###configure: error: *** Can’t find recent OpenSSL libcrypto (see config.log for details) ***
#yum install openssl openssl-devel
重新编译:
重新编译前要先清理之前的编译信息:
make clean
ldconfig
[root@leotest openssh-7.4p1]# ./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-pam --with-md5-passwords --mandir=/usr/share/man
OpenSSH has been configured with the following options:
User binaries: /usr/bin
System binaries: /usr/sbin
Configuration files: /etc/ssh
Askpass program: /usr/libexec/ssh-askpass
Manual pages: /usr/share/man/manX
PID file: /var/run
Privilege separation chroot path: /var/empty
sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin
Manpage format: doc
PAM support: no
OSF SIA support: no
KerberosV support: no
SELinux support: no
Smartcard support:
S/KEY support: no
MD5 password support: no
libedit support: no
Solaris process contract support: no
Solaris project support: no
Solaris privilege support: no
IP address in $DISPLAY hack: no
Translate v4 in v6 hack: yes
BSD Auth support: no
Random number source: OpenSSL internal ONLY
Privsep sandbox style: rlimit
Host: x86_64-pc-linux-gnu
Compiler: gcc
Compiler flags: -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wno-pointer-sign -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-all -fPIE
Preprocessor flags:
Linker flags: -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-all -pie
Libraries: -lcrypto -lrt -ldl -lutil -lz -lcrypt -lresolv
make && make install
/etc/init.d/sshd restart
5.覆盖旧的文件
cp -p /softs/openssh-7.4p1/contrib/redhat/sshd.init /etc/init.d/sshd
chmod u+x /etc/init.d/sshd
chkconfig --add sshd
cp /usr/local/openssh/sbin/sshd /usr/sbin/sshd
[root@pttlstydb openssh-7.4p1]# cp /usr/local/openssh/sbin/sshd /usr/sbin/sshd
cp: overwrite `/usr/sbin/sshd'? y
cp: cannot create regular file `/usr/sbin/sshd': Text file busy
文件正在被使用
[root@pttlstydb openssh-7.4p1]# ps -ef|grep sshd
root 14111 1 0 10:05 ? 00:00:00 sshd: root@pts/0
root 14865 1 0 10:22 ? 00:00:00 sshd: root@notty
root 24182 14779 0 10:30 pts/1 00:00:00 grep sshd
[root@pttlstydb openssh-7.4p1]# kill -9 14865
[root@pttlstydb openssh-7.4p1]# ps -ef|grep sshd
root 24227 14779 0 10:31 pts/1 00:00:00 grep sshd
重新覆盖:
cp /usr/local/openssh/bin/ssh /usr/bin/ssh
[root@leotest openssh-7.4p1]# service sshd restart
Stopping sshd: [ OK ]
ssh-keygen: illegal option -- A
usage: ssh-keygen [options]
Options:
cat /etc/init.d/sshd
start()
{
# Create keys if necessary
/usr/bin/ssh-keygen -A
if [ -x /sbin/restorecon ]; then
/sbin/restorecon /etc/ssh/ssh_host_key.pub
/sbin/restorecon /etc/ssh/ssh_host_rsa_key.pub
/sbin/restorecon /etc/ssh/ssh_host_dsa_key.pub
/sbin/restorecon /etc/ssh/ssh_host_ecdsa_key.pub
fi
echo -n $"Starting $prog:"
$SSHD $OPTIONS && success || failure
RETVAL=$?
[ $RETVAL -eq 0 ] && touch /var/lock/subsys/sshd
echo
}
因为默认低版本的ssh-keygen没有-A参数
解决方法:
cp /usr/local/openssh/bin/ssh-keygen /usr/bin/ssh-keygen
重启sshd服务:
[root@leotest ssh]# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
Starting sshd:/etc/ssh/sshd_config line 81: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 83: Unsupported option GSSAPICleanupCredentials
原因:新版本的openssh不支持以上参数,需要修改sshd的配置文件
[root@leotest openssh-7.4p1]# vi /etc/ssh/sshd_config
##去掉前面的注释,允许root通过ssh登录
PermitRootLogin yes
##注释掉下面三个参数
#GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
#UsePAM yes
##在文件末尾加上如下信息,否则还是无法通过ssh登录linux:
导致此问题的原因是ssh升级后,为了安全,默认不再采用原来一些加密算法,我们手工添加进去即可。
Ciphers aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc,arcfour128,arcfour256,arcfour,blowfish-cbc,cast128-cbc
MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1,curve25519-sha256@libssh.org
6.重启sshd服务,测试ssh连接服务器
service sshd restart
[c:\~]$ ssh 192.168.5.5
Connecting to 192.168.5.5:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
Last login: Tue Dec 27 00:22:10 2016 from 192.168.5.2
[root@leotest ~]# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.1e-fips 11 Feb 2013
7.禁用telnet
[root@leotest ~]# vi /etc/xinetd.d/telnet
# default: on
# description: The telnet server serves telnet sessions; it uses \
# unencrypted username/password pairs for authentication.
service telnet
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
disable = yes
}
停掉xinetd服务:
[root@leotest ~]# service xinetd stop
Stopping xinetd: [ OK ]
停掉开机自启动:
[root@leotest ~]# chkconfig --list xinetd
xinetd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
[root@leotest ~]# chkconfig xinetd off
[root@leotest ~]# chkconfig --list xinetd
xinetd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
升级后问题解决:
通过winscp登录linux报错,解决方法如下:
[root@leotest ~]# vi /etc/ssh/sshd_config
# override default of no subsystems
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
将原来的注释掉,改成下面的internal-sftp
重启sshd服务:
service sshd restart
redhat linux6.5升级openssh的更多相关文章
- redhat6.4升级openssh至6.7
1:简介 最近浙江电信对线上服务器进行漏洞扫描,暴露出原有的openssh有漏洞,建议升级openssh版本: 2:操作环境 Red Hat Enterprise Linux Server relea ...
- 升级OpenSSH详细步骤
由于系统扫描到OpenSSH版本太低,所以需要将其升级到高版本.网上搜罗数个文章,都多多少少有点疏漏.加上自己之前没升级过SSH,参考好几个文章查缺补漏才升级成功,着实废了不少劲儿.所以综合一下前辈们 ...
- 升级OPENSSH 和 OPENSSL
升级OPENSSH 和 OPENSSL 首先安装telnet服务,防止在操作过程中导致ssh远程中断 # 安装Telnetyum install telnet-server -y chkcon ...
- Centos6.5升级openssh至7.4版本
一,备份配置文件,以备升级失败进行回退 二,下载安装包 wget http://www.zlib.net/zlib-1.2.11.tar.gz wget https://openbsd.mirror. ...
- CentOS 升级 openSSH
openSSH作为linux远程连接工具,容易受到攻击,必须更新版本来解决,低版本有如下等漏洞: a. OpenSSH 远程代码执行漏洞(CVE-2016-10009) b. OpenSSH aut ...
- 升级openssh踩得坑
升级背景: 项目中使用的系统为CentOS6.8,经过漏洞扫描后发现openssh高危漏洞,具体描述如下:OpenSSH 7.2p2之前版本, sshd/ session.c/ do_setup_en ...
- centos6升级openssh至7.9
1.为了防止升级失败登陆不了,所以需要安装telnet mkdir /root/ssh_updateyum install -y telnet-serveryum install -y xinetd ...
- 升级openssh漏洞
升级openssl和openssh 最近接收到客户的漏洞提醒,openssl和openssh的漏洞,解决办法就只有升级. 升级前环境 ~]# ssh -V OpenSSH_5.3p1, OpenSSL ...
- centos7升级openssh
注意: openssl版本(openssl版本要大于1.0.1,zlib版本要大于1.1.4) 一.安装依赖包 yum -y install gcc make perl # zlib zlib-dev ...
随机推荐
- 项目 08 WebSocket
项目班 08 WebSocket app.py 更新 添加两个路由 handlers = [ ('/', main.IndexHandler), ('/explore', main.ExploreHa ...
- BZOJ 4892 [Tjoi2017]dna 哈希+二分
自己简直是傻死了...对于位置想错了... 二分出来的是LCP长度$+1$,即每一次二分出来的最后一个点都是失配的,而就算失配也会跳过这个点:所以当$k<=3$且模式串$s2$的指针$>l ...
- Helvetic Coding Contest 2016 online mirror C2
Description Further research on zombie thought processes yielded interesting results. As we know fro ...
- Siverlight5 3D 中文环境搭建
一.测试环境 vs2010旗舰版 win7 64位旗舰版 二.必备工具 1.vs2010 旗舰版 2.vs2010 sp1 补丁 3.silverlight5 tools 也可以去silverligh ...
- 023 Merge k Sorted Lists 合并K个有序链表
合并K个有序链表,并且作为一个有序链表的形式返回.分析并描述它的复杂度. 详见:https://leetcode.com/problems/merge-k-sorted-lists/descripti ...
- #define 只是字符替换
可以使用 #define MAX 100 int main (int argc, char *argv[]) { printf("MAX is %d\n", MAX); ; } g ...
- centos6安装lnmp
CentOS 6 默认仓库不包含nginx,我们可以手动添加nginx的仓库. 访问nginx官网获取repo文件 我们需要先访问nginx的官方网站,获取官方的仓库地址.点击这里访问nginx官方文 ...
- WPF动画的几种模式
最近在用WPF做简单动画,以下是几点经验总结: 1. 使用DispatcherTimer做动画 VB6的年代大家就用Timer做动画了,不用多解释,这个DispatcherTimer和本身的Timer ...
- win10+asp+access 父路径开启无效
如题: 在win10环境下,布署asp+access,发现在用到"../website/"时就出错,提示不能使用父路径 可是我在IIS 的asp中明明打开了父路径的 如下 但是偏偏 ...
- jQuery的parent和parents和closest区别
1.parent是指取得一个包含着所有匹配元素的唯一父元素的元素集合.2.parents则是取得一个包含着所有匹配元素的祖先元素的元素集合(不包含根元素).可以通过一个可选的表达式进行筛选.3.clo ...