redhat linux6.5升级openssh
1.下载最新的openssh包
http://www.openssh.com/portable.html#http
2.升级openssh之前要先打开服务器telnet,通过telnet登录服务器,因为升级过程中会导致ssh暂时不能用
打开linux telnet服务:
查看telnet是否已经安装:
rpm -qa|grep telnet
telnet-0.17-48.el6.x86_64
telnet-server-0.17-48.el6.x86_64
如果没有安装,通过yum安装
[root@leotest ~]# yum install telnet
[root@leotest ~]# yum install telnet-server
启动telnet服务:
编辑telnet文件,将disable改成no
[root@leotest xinetd.d]# vi /etc/xinetd.d/telnet
# default: on
# description: The telnet server serves telnet sessions; it uses \
# unencrypted username/password pairs for authentication.
service telnet
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
disable = no
}
重启xinetd服务:
service xinetd restart
or:
/etc/rc.d/init.d/xinetd restart
通过telnet连接服务器:
[c:\~]$ telnet 192.168.5.5
Connecting to 192.168.5.5:23...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
Red Hat Enterprise Linux Server release 6.8 (Santiago)
Kernel 2.6.32-642.el6.x86_64 on an x86_64
login: test
Password:
[test@leotest ~]$
由于默认telnet只能连接普通用户,所以需要登录普通用户之后跳转到root用户
3.备份原openssh相关文件:
cp /usr/sbin/sshd /usr/sbin/sshd.bak
cp /etc/ssh/ssh_config /etc/ssh/ssh_config.bak
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
cp /etc/ssh/moduli /etc/ssh/moduli.bak
Note:删除掉下面三个文件,否则安装的时候会报错:
/etc/ssh/ssh_config already exists, install will not overwrite
/etc/ssh/sshd_config already exists, install will not overwrite
/etc/ssh/moduli already exists, install will not overwrite
rm /etc/ssh/ssh_config -fr
rm /etc/ssh/sshd_config -fr
rm /etc/ssh/moduli -fr
yum install pam-devel
yum install zlib-devel
yum install openssl-devel
4.解压并安装openssh
[root@leotest softs]# tar -zxvf openssh-7.4p1.tar.gz
[root@leotest softs]# ls
openssh-7.4p1 openssh-7.4p1.tar.gz openssh-7.4p1-vs-openbsd.diff.gz
[root@leotest softs]# cd openssh-7.4p1
[root@leotest openssh-7.4p1]#./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-pam --with-md5-passwords --mandir=/usr/share/man
### configure: error: *** zlib.h missing – please install first or check config.log
#yum install zlib-devel
###configure: error: *** Can’t find recent OpenSSL libcrypto (see config.log for details) ***
#yum install openssl openssl-devel
重新编译:
重新编译前要先清理之前的编译信息:
make clean
ldconfig
[root@leotest openssh-7.4p1]# ./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-pam --with-md5-passwords --mandir=/usr/share/man
OpenSSH has been configured with the following options:
User binaries: /usr/bin
System binaries: /usr/sbin
Configuration files: /etc/ssh
Askpass program: /usr/libexec/ssh-askpass
Manual pages: /usr/share/man/manX
PID file: /var/run
Privilege separation chroot path: /var/empty
sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin
Manpage format: doc
PAM support: no
OSF SIA support: no
KerberosV support: no
SELinux support: no
Smartcard support:
S/KEY support: no
MD5 password support: no
libedit support: no
Solaris process contract support: no
Solaris project support: no
Solaris privilege support: no
IP address in $DISPLAY hack: no
Translate v4 in v6 hack: yes
BSD Auth support: no
Random number source: OpenSSL internal ONLY
Privsep sandbox style: rlimit
Host: x86_64-pc-linux-gnu
Compiler: gcc
Compiler flags: -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wno-pointer-sign -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-all -fPIE
Preprocessor flags:
Linker flags: -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-all -pie
Libraries: -lcrypto -lrt -ldl -lutil -lz -lcrypt -lresolv
make && make install
/etc/init.d/sshd restart
5.覆盖旧的文件
cp -p /softs/openssh-7.4p1/contrib/redhat/sshd.init /etc/init.d/sshd
chmod u+x /etc/init.d/sshd
chkconfig --add sshd
cp /usr/local/openssh/sbin/sshd /usr/sbin/sshd
[root@pttlstydb openssh-7.4p1]# cp /usr/local/openssh/sbin/sshd /usr/sbin/sshd
cp: overwrite `/usr/sbin/sshd'? y
cp: cannot create regular file `/usr/sbin/sshd': Text file busy
文件正在被使用
[root@pttlstydb openssh-7.4p1]# ps -ef|grep sshd
root 14111 1 0 10:05 ? 00:00:00 sshd: root@pts/0
root 14865 1 0 10:22 ? 00:00:00 sshd: root@notty
root 24182 14779 0 10:30 pts/1 00:00:00 grep sshd
[root@pttlstydb openssh-7.4p1]# kill -9 14865
[root@pttlstydb openssh-7.4p1]# ps -ef|grep sshd
root 24227 14779 0 10:31 pts/1 00:00:00 grep sshd
重新覆盖:
cp /usr/local/openssh/bin/ssh /usr/bin/ssh
[root@leotest openssh-7.4p1]# service sshd restart
Stopping sshd: [ OK ]
ssh-keygen: illegal option -- A
usage: ssh-keygen [options]
Options:
cat /etc/init.d/sshd
start()
{
# Create keys if necessary
/usr/bin/ssh-keygen -A
if [ -x /sbin/restorecon ]; then
/sbin/restorecon /etc/ssh/ssh_host_key.pub
/sbin/restorecon /etc/ssh/ssh_host_rsa_key.pub
/sbin/restorecon /etc/ssh/ssh_host_dsa_key.pub
/sbin/restorecon /etc/ssh/ssh_host_ecdsa_key.pub
fi
echo -n $"Starting $prog:"
$SSHD $OPTIONS && success || failure
RETVAL=$?
[ $RETVAL -eq 0 ] && touch /var/lock/subsys/sshd
echo
}
因为默认低版本的ssh-keygen没有-A参数
解决方法:
cp /usr/local/openssh/bin/ssh-keygen /usr/bin/ssh-keygen
重启sshd服务:
[root@leotest ssh]# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
Starting sshd:/etc/ssh/sshd_config line 81: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 83: Unsupported option GSSAPICleanupCredentials
原因:新版本的openssh不支持以上参数,需要修改sshd的配置文件
[root@leotest openssh-7.4p1]# vi /etc/ssh/sshd_config
##去掉前面的注释,允许root通过ssh登录
PermitRootLogin yes
##注释掉下面三个参数
#GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
#UsePAM yes
##在文件末尾加上如下信息,否则还是无法通过ssh登录linux:
导致此问题的原因是ssh升级后,为了安全,默认不再采用原来一些加密算法,我们手工添加进去即可。
Ciphers aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc,arcfour128,arcfour256,arcfour,blowfish-cbc,cast128-cbc
MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1,curve25519-sha256@libssh.org
6.重启sshd服务,测试ssh连接服务器
service sshd restart
[c:\~]$ ssh 192.168.5.5
Connecting to 192.168.5.5:22...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
Last login: Tue Dec 27 00:22:10 2016 from 192.168.5.2
[root@leotest ~]# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.1e-fips 11 Feb 2013
7.禁用telnet
[root@leotest ~]# vi /etc/xinetd.d/telnet
# default: on
# description: The telnet server serves telnet sessions; it uses \
# unencrypted username/password pairs for authentication.
service telnet
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
disable = yes
}
停掉xinetd服务:
[root@leotest ~]# service xinetd stop
Stopping xinetd: [ OK ]
停掉开机自启动:
[root@leotest ~]# chkconfig --list xinetd
xinetd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
[root@leotest ~]# chkconfig xinetd off
[root@leotest ~]# chkconfig --list xinetd
xinetd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
升级后问题解决:
通过winscp登录linux报错,解决方法如下:
[root@leotest ~]# vi /etc/ssh/sshd_config
# override default of no subsystems
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
将原来的注释掉,改成下面的internal-sftp
重启sshd服务:
service sshd restart
redhat linux6.5升级openssh的更多相关文章
- redhat6.4升级openssh至6.7
1:简介 最近浙江电信对线上服务器进行漏洞扫描,暴露出原有的openssh有漏洞,建议升级openssh版本: 2:操作环境 Red Hat Enterprise Linux Server relea ...
- 升级OpenSSH详细步骤
由于系统扫描到OpenSSH版本太低,所以需要将其升级到高版本.网上搜罗数个文章,都多多少少有点疏漏.加上自己之前没升级过SSH,参考好几个文章查缺补漏才升级成功,着实废了不少劲儿.所以综合一下前辈们 ...
- 升级OPENSSH 和 OPENSSL
升级OPENSSH 和 OPENSSL 首先安装telnet服务,防止在操作过程中导致ssh远程中断 # 安装Telnetyum install telnet-server -y chkcon ...
- Centos6.5升级openssh至7.4版本
一,备份配置文件,以备升级失败进行回退 二,下载安装包 wget http://www.zlib.net/zlib-1.2.11.tar.gz wget https://openbsd.mirror. ...
- CentOS 升级 openSSH
openSSH作为linux远程连接工具,容易受到攻击,必须更新版本来解决,低版本有如下等漏洞: a. OpenSSH 远程代码执行漏洞(CVE-2016-10009) b. OpenSSH aut ...
- 升级openssh踩得坑
升级背景: 项目中使用的系统为CentOS6.8,经过漏洞扫描后发现openssh高危漏洞,具体描述如下:OpenSSH 7.2p2之前版本, sshd/ session.c/ do_setup_en ...
- centos6升级openssh至7.9
1.为了防止升级失败登陆不了,所以需要安装telnet mkdir /root/ssh_updateyum install -y telnet-serveryum install -y xinetd ...
- 升级openssh漏洞
升级openssl和openssh 最近接收到客户的漏洞提醒,openssl和openssh的漏洞,解决办法就只有升级. 升级前环境 ~]# ssh -V OpenSSH_5.3p1, OpenSSL ...
- centos7升级openssh
注意: openssl版本(openssl版本要大于1.0.1,zlib版本要大于1.1.4) 一.安装依赖包 yum -y install gcc make perl # zlib zlib-dev ...
随机推荐
- 长春理工大学第十四届程序设计竞赛(重现赛)M.Orx Zone
链接:https://ac.nowcoder.com/acm/contest/912/M 题意: Daenerys Stormborn, 风暴中出生的丹尼莉丝,the Unburnt, 烧不死的,Qu ...
- ReflectionUtil
import java.lang.reflect.Field; import java.lang.reflect.InvocationTargetException; import java.lang ...
- jdbc取出表名 名称
package com.dataconnect.test.util; import java.sql.Connection; import java.sql.DatabaseMetaData; imp ...
- python入门之paramiko模块
paramiko用于实现ssh远程连接服务器执行相关操作. paramiko与之依赖模块cryptography最好版本相同,不然可能执行程序会出错. 一.ssh连接服务器执行命令 import pa ...
- QQ的全国地址编码
D:\Program Files (x86)\Tencent\QQ\I18N\2052\LocList.xml
- Sqoop架构
Sqoop 架构 Sqoop 架构是非常简单的,它主要由三个部分组成:Sqoop client.HDFS/HBase/Hive.Database.下面我们来看一下 Sqoop 的架构图. 用户向 Sq ...
- Hadoop文件压缩
1. Hadoop的文件压缩需求 文件压缩对于大容量的分布式存储系统而言是必须的,它能带来两个好处: 1)减少了文件所需的存储空间: 2)加快了文件在网络上或磁盘间的传输速度. 2. Hadoop支持 ...
- Linux安装配置相关
1.常用汇总 useradd usertemp //添加用户 passwd usertemp //修改/设置密码 userdel usertemp //删除用户 2. profile/baserc等配 ...
- Linux下安装软件遇见的问题汇总
1.安装monodevelop 安装环境Linux Mint17.1 在软件在中心直接安装monodevelop,安装完成后直接启动界面“一闪而过”,解决办法: 软件中心安装 mono-complet ...
- 多个activity之间的数据共享
Activity之间的数据共享问题起初一看并没有那么纠结,原因在于两点,一来两个Activity之间可以通过回传的方式进行数据的共享,而哪怕是多个Activity之间,也可以通过静态类进行数据的共享. ...