Upgrading openssh to openssh-7.2 on CentOS


The security team's vulnerability scan asked for the openssh version to be upgraded. The upgrade itself is not complicated, but this is a production environment, so the main thing to keep in mind is: if you upgrade ssh over an ssh session and it fails so that you can no longer ssh in, can someone get to the machine on site?

Environment:

cat /etc/issue

CentOS release 6.5 (Final)


ssh -V
OpenSSH_5.3p1,OpenSSL 1.0.1e-fips 11 Feb 2013

openssl version -a
OpenSSL 1.0.1e-fips 11 Feb 2013

1. Preparation
Back up the ssh directory (important):
cp -rf /etc/ssh /etc/ssh.bak
[ Not needed if someone can handle the machine on site.
Install telnet so that a failed ssh upgrade does not leave the box without remote management:
yum install telnet-server
vi /etc/xinetd.d/telnet
service telnet
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
disable = no
}
By default root is not allowed to log in over telnet:
vi /etc/securetty
Add:
pts/0
pts/1
pts/2
If many users log in at the same time, add more pts/* entries.
/etc/init.d/xinetd restart
Now root can log in over telnet.
After the ssh upgrade it is recommended to revert these settings. ]

2. Installation
The upgrade needs a few packages:
yum install -y gcc openssl-devel pam-devel rpm-build
The newest version at the moment is openssh-7.3, but it has only just been released, so to be safe I chose 7.2:
wget http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.3p1.tar.gz
wget http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.2p1.tar.gz
wget http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.1p1.tar.gz
Unpack the upgrade package and install:
tar -zxvf openssh-7.2p1.tar.gz
cd openssh-7.2p1
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-md5-passwords --with-tcp-wrappers
make && make install
After installation it prints:
/etc/ssh/ssh_config already exists, install will not overwrite
/etc/ssh/sshd_config already exists, install will not overwrite
/etc/ssh/moduli already exists, install will not overwrite
ssh-keygen: generating new host keys: ECDSA ED25519
/usr/sbin/sshd -t -f /etc/ssh/sshd_config
/etc/ssh/sshd_config line 81: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 83: Unsupported option GSSAPICleanupCredentials
Edit the config file to allow root login:
vi /etc/ssh/sshd_config
#PermitRootLogin yes
change to
PermitRootLogin yes
Or as a command:
sed -i '/^#PermitRootLogin/s/#PermitRootLogin yes/PermitRootLogin yes/' /etc/ssh/sshd_config
Restart openSSH:
service sshd restart
Version after the upgrade:
OpenSSH_7.2p1,OpenSSL 1.0.1e-fips 11 Feb 2013

If you renamed the original ssh directory earlier:
mv /etc/ssh /etc/ssh_bak
then the newly generated config needs a few adjustments:
Disallow root login:
sed -i '/^#PermitRootLogin/s/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
Optional: disable DNS resolution:
sed -i '/^#UseDNS yes/s/#UseDNS yes/UseDNS no/' /etc/ssh/sshd_config
Optional (the default is 22): change the ssh port to 6022:
echo "Port 6022" >> /etc/ssh/sshd_config
Note: during the SSH upgrade your existing SSH session is not dropped, neither by the upgrade nor by restarting the service.

Problem 1:
[root@testserver2 tmp]# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: /etc/ssh/sshd_config line 81: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 83: Unsupported option GSSAPICleanupCredentials [ OK ]

Fix:
Comment out the lines reported above in /etc/ssh/sshd_config. (The sshd built from source was configured without Kerberos/GSSAPI support, so it no longer recognises these options; the distribution package was built with it.)

sed -i '/^GSSAPICleanupCredentials/s/GSSAPICleanupCredentials yes/#GSSAPICleanupCredentials yes/' /etc/ssh/sshd_config
sed -i '/^GSSAPIAuthentication/s/GSSAPIAuthentication yes/#GSSAPIAuthentication yes/' /etc/ssh/sshd_config
sed -i '/^GSSAPIAuthentication/s/GSSAPIAuthentication no/#GSSAPIAuthentication no/' /etc/ssh/sshd_config
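The three sed commands above fix exactly the two options reported here; the script below, an added example rather than part of the original post, generalises that into a pre-restart check: it runs the new sshd's own config test, comments out whatever it reports as unsupported, and restarts only once the test is clean. SSHD, CONF and the service command are assumptions; adjust them for your host.

```shell
#!/bin/sh
# Added example, not from the original post. Generalises the three sed one-liners
# above: run the new sshd's own config test, comment out every option it reports
# as "Unsupported option", re-test, and only then restart. SSHD, CONF and the
# restart command are assumptions; adjust them for your host (systemctl on CentOS 7).
SSHD="${SSHD:-/usr/sbin/sshd}"
CONF="${CONF:-/etc/ssh/sshd_config}"

# Print the line numbers that the test output flagged, one per line, ascending.
# Input lines look like: "/etc/ssh/sshd_config line 81: Unsupported option GSSAPIAuthentication"
unsupported_lines() {
    printf '%s\n' "$1" \
        | sed -n 's/^.* line \([0-9][0-9]*\): Unsupported option .*$/\1/p' \
        | sort -un
}

# Comment out the given line numbers in config file $1. Lines that are already
# comments (or blank) are left alone, so running it twice is harmless.
# Prints the number of lines actually changed.
comment_lines() {
    conf="$1"; shift
    changed=0
    for n in "$@"; do
        if sed -n "${n}p" "$conf" | grep -q '^[[:space:]]*[^#[:space:]]'; then
            sed -i "${n}s/^/#/" "$conf"
            changed=$((changed + 1))
        fi
    done
    echo "$changed"
}

# Back up, test, comment out rejected options, re-test, restart only when clean.
# "sshd -t" prints nothing and exits 0 when it is happy; unsupported options are
# only warnings (still exit 0), which is why the output is checked, not just the status.
safe_restart() {
    cp -p "$CONF" "$CONF.bak.$(date +%Y%m%d%H%M%S)"
    out=$("$SSHD" -t -f "$CONF" 2>&1) || true
    # unquoted on purpose: one argument per line number
    comment_lines "$CONF" $(unsupported_lines "$out") >/dev/null
    if out=$("$SSHD" -t -f "$CONF" 2>&1) && [ -z "$out" ]; then
        service sshd restart
    else
        printf 'sshd_config still rejected by %s, not restarting:\n%s\n' "$SSHD" "$out" >&2
        return 1
    fi
}

# Usage: sh safe_sshd_restart.sh run
case "${1:-}" in run) safe_restart ;; esac
```

Because the original sshd_config is backed up next to the file, a failed re-test leaves the previous sshd running on the previous config.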

Problem 2:
After the update, ssh prints the following warning; it does not affect use:
[root@testserver2 tmp]# ssh 10.111.32.51
/etc/ssh/ssh_config line 50: Unsupported option "gssapiauthentication"

Fix:
Comment out the gssapiauthentication line in /etc/ssh/ssh_config.

------------------------------------------------------------------------------------------

For upgrading openssh on CentOS 7, refer to the following.

This time a source install is used (the system needs gcc); the software versions are:

zlib-1.2.8
openssl-1.0.2h
openssh-7.3p1

Installation steps:

1. Install zlib
[root@CentOS7test ~]# cd zlib-1.2.8/
[root@CentOS7test zlib-1.2.8]# ./configure
[root@CentOS7test zlib-1.2.8]# make
[root@CentOS7test zlib-1.2.8]# make install

2. Install openssl
[root@CentOS7test ~]# cd openssl-1.0.2h/
[root@CentOS7test openssl-1.0.2h]# ./config --prefix=/usr/ --shared
[root@CentOS7test openssl-1.0.2h]# make
[root@CentOS7test openssl-1.0.2h]# make install

3. Install openssh
[root@CentOS7test ~]# cd openssh-7.3p1/
[root@CentOS7test openssh-7.3p1]# ./configure --prefix=/usr/local --sysconfdir=/etc/ssh --with-pam --with-zlib --with-md5-passwords --with-tcp-wrappers
[root@CentOS7test openssh-7.3p1]# make
[root@CentOS7test openssh-7.3p1]# make install

4. Check that the version has been updated
[root@CentOS7test openssh-7.3p1]# ssh -V
OpenSSH_7.3p1,OpenSSL 1.0.2h 3 May 2016

5. Replace the original binaries with the newly built ones
[root@CentOS7test openssh-7.3p1]# mv /usr/bin/ssh /usr/bin/ssh_bak
[root@CentOS7test openssh-7.3p1]# cp /usr/local/bin/ssh /usr/bin/ssh
[root@CentOS7test openssh-7.3p1]# mv /usr/sbin/sshd /usr/sbin/sshd_bak
[root@CentOS7test openssh-7.3p1]# cp /usr/local/sbin/sshd /usr/sbin/sshd

6. Reload the ssh configuration and restart the ssh service
[root@CentOS7test ~]# systemctl daemon-reload
[root@CentOS7test ~]# systemctl restart sshd.service

7. Problems encountered and their fixes

Problem 1:
After installation, telnet to port 22 fails. Checking with systemctl status sshd.service shows warnings such as:
Permissions 0640 for '/etc/ssh/ssh_host_ecdsa_key' are too open

Fix:
Change the permissions of the files named in the warnings to 600 and restart sshd (systemctl restart sshd.service),
then check the service status (systemctl status sshd.service).
Example: chmod 600 /etc/ssh/ssh_host_ecdsa_key

Problem 2:
After installation, root needs to be able to log in directly.

Fix:
Edit /etc/ssh/sshd_config and change #PermitRootLogin yes to PermitRootLogin yes,
then restart sshd.
Verify after the upgrade.

Problem 3:

If you deploy with jenkins, the upgrade breaks jenkins deployment; testing the connection to the web host fails with Algorithm negotiation fail.

Fix:

On the web host, append the following line to the end of sshd_config:

KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1

Reference: http://stackoverflow.com/questions/32627998/algorithm-negotiation-fail-in-jenkins

--------------------------------------------------------------

Temporarily changing the version string: upgrading a production environment that has been running for a long time carries risk, so if possible just change the version number. (Verified later: this method of editing the version string does not work; ssh -v IP still shows the real version.)
Check:
ssh -V
sshd -V

Back up:

cp /usr/bin/ssh /usr/bin/ssh.bak.version_edit
cp /usr/sbin/sshd /usr/sbin/sshd.bak.version_edit

Edit:

sed -i 's#OpenSSH_5.3p1#OpenSSH_7.2p1#g' /usr/bin/ssh
sed -i 's#OpenSSH_5.3p1#OpenSSH_7.2p1#g' /usr/sbin/sshd

Summary:

Upgrading ssh on CentOS 7.x hosts
cp /usr/bin/ssh /usr/bin/ssh.bak.20161124
cp /usr/sbin/sshd /usr/bin/sshd.bak.20161124
mv /etc/ssh /etc/ssh.bak
--- Download the package, install gcc, compile, etc.: see the steps above ---
make && make install
/usr/sbin/sshd -t -f /etc/ssh/sshd_config
echo 'PermitRootLogin yes' >> /etc/ssh/sshd_config

cp /etc/ssh.bak/sshd_config /etc/ssh/sshd_config    # overwrite the newly generated file with the original one

/bin/systemctl restart sshd.service


Upgrading ssh on CentOS 6.x
cp /usr/bin/ssh /usr/bin/ssh.bak.20161124
cp /usr/sbin/sshd /usr/bin/sshd.bak.20161124
cp -rf /etc/ssh /etc/ssh.bak
--- Download the package, install gcc, compile, etc.: see the steps above ---
make && make install
sed -i '/^#PermitRootLogin/s/#PermitRootLogin yes/PermitRootLogin yes/' /etc/ssh/sshd_config
sed -i '/^GSSAPICleanupCredentials/s/GSSAPICleanupCredentials yes/#GSSAPICleanupCredentials yes/' /etc/ssh/sshd_config
sed -i '/^UsePAM/s/UsePAM yes/#UsePAM yes/' /etc/ssh/sshd_config
sed -i '/^GSSAPIAuthentication/s/GSSAPIAuthentication yes/#GSSAPIAuthentication yes/' /etc/ssh/sshd_config
sed -i '/^GSSAPIAuthentication/s/GSSAPIAuthentication no/#GSSAPIAuthentication no/' /etc/ssh/sshd_config
service sshd restart

Appendix:

CentOS 7 sshd_config contents

#	$OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $
# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.
# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# The default requires explicit activation of protocol 1
#Protocol 2
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
# Ciphers and keying
#RekeyLimit default none
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#RSAAuthentication yes
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile	.ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation sandbox		# Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
# override default of no subsystems
Subsystem	sftp	/usr/libexec/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server

CentOS 6 sshd_config contents

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2
#HostKey /etc/ssh/ssh_host_rsa_key
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile	.ssh/authorized_keys
#AuthorizedKeysCommand none
#AuthorizedKeysCommandRunAs nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes
# GSSAPI options
#GSSAPICleanupCredentials yes
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#UsePAM no
UsePAM yes
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UseLogin no
#UsePrivilegeSeparation yes
#MaxStartups 10
# no default banner path
#Banner none
# override default of no subsystems
Subsystem	sftp	/usr/libexec/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
#	AllowTcpForwarding no
#	ForceCommand cvs server
UseDNS no
#GSSAPIAuthentication no
#GSSAPIAuthentication yes

Addendum, 2016-12-05:

In practice ansible and jenkins ran into problems after the upgrade. After some searching, two lines have to be appended to the end of /etc/ssh/sshd_config:

Ciphers aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc,arcfour128,arcfour256,arcfour,blowfish-cbc,cast128-cbc
KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1

The upgraded openssh is so new that the encryption algorithms no longer matched during negotiation; after adding these lines and restarting, it works.
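Those two lines re-enable algorithms that OpenSSH 6.7 and 7.0 deliberately dropped from their defaults (CBC ciphers, arcfour, diffie-hellman-group1-sha1). The script below is an added example, not part of the original post: it audits an sshd_config for such entries so they can be tracked and removed once the jenkins/ansible side is updated. The pattern list and output format are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Lists every Ciphers/KexAlgorithms entry
# in an sshd_config that OpenSSH 6.7/7.0 dropped from their defaults (CBC ciphers,
# arcfour, diffie-hellman-group1-sha1), so compatibility lines like the two above
# can be reviewed and removed once jenkins/ansible clients are updated.
# The pattern list and the report format are assumptions; extend them for your policy.

# Extended regex matched against each individual algorithm name.
LEGACY_PATTERNS='arcfour|-cbc$|^3des|^blowfish|^cast128|^diffie-hellman-group1-sha1$'

# Print "Keyword algorithm" for every legacy entry in config file $1.
# Comment lines are skipped; the comma-separated list is split per algorithm.
legacy_algos() {
    awk -v pat="$LEGACY_PATTERNS" '
        /^[[:space:]]*#/ { next }
        tolower($1) == "ciphers" || tolower($1) == "kexalgorithms" {
            n = split($2, algs, ",")
            for (i = 1; i <= n; i++)
                if (algs[i] ~ pat) print $1, algs[i]
        }' "$1"
}

# Number of legacy entries found (0 means nothing left to clean up).
legacy_count() {
    legacy_algos "$1" | wc -l | tr -d ' '
}

# Usage: sh audit_sshd_algos.sh /etc/ssh/sshd_config
if [ -n "${1:-}" ]; then
    legacy_algos "$1"
    printf '%s legacy algorithm(s) enabled in %s\n' "$(legacy_count "$1")" "$1"
fi
```

Run against the sshd_config above it reports ten entries: the nine CBC/arcfour/3des/blowfish/cast128 ciphers and diffie-hellman-group1-sha1; diffie-hellman-group14-sha1 and the CTR ciphers are still in the OpenSSH 7.x defaults and are not flagged.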
