centos7 升级openssh 到 8.5

1. yum升级到最新可用版本(openssh7.4p1)

yum update openssh

2. 安装telnet-server 以及 xinetd

yum install xinetd telnet-server -y

3. 配置telnet登录的终端类型，在/etc/securetty 文件末尾增加一些pts终端，如下

cat >> /etc/securetty <<EOF
pts/0
pts/1
pts/2
pts/3
EOF

4.启动telnet服务，并设置开机自动启动

systemctl enable xinetd 
systemctl enable telnet.socket
systemctl start telnet.socket
systemctl start xinetd

5.使用telnet 登陆,以后操作都是通过telnet

6.备份并移除老文件 ( 这些配置可能影响装完以后的登陆 所以备份)

mkdir /root/update
cd /root/update
cp /etc/ssh/sshd_config sshd_config
cp /etc/pam.d/sshd sshd

yum remove openssl-devel
rm -rf /etc/ssl

7.安装依赖包

yum install  -y gcc gcc-c++ glibc make autoconf pcre-devel  pam-devel
yum install  -y pam* zlib*

8.下载openssh包和openssl的包

# https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/
# https://ftp.openssl.org/source/
wget https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/openssh-8.5p1.tar.gz
wget https://ftp.openssl.org/source/openssl-1.1.1k.tar.gz

9.安装 openssl

tar xfz openssl-1.1.1k.tar.gz
openssl version
mv /usr/bin/openssl /usr/bin/openssl_bak
cd openssl-1.1.1k
./config  --prefix=/usr/local --openssldir=/usr/local/ssl
make && make install
./config shared --prefix=/usr/local --openssldir=/usr/local/ssl
make clean
make && make install
ln -s /usr/local/bin/openssl /usr/bin/openssl
ln -s /usr/local/include/openssl /usr/include/openssl
echo "/usr/local/lib" >> /etc/ld.so.conf
echo "/usr/local/lib64" >> /etc/ld.so.conf
/sbin/ldconfig
openssl version

10.安装openssh

rm -rf /etc/ssh
cd /root/update
tar xfz openssh-8.5p1.tar.gz
cd openssh-8.5p1
./configure --prefix=/usr/ --sysconfdir=/etc/ssh  --with-openssl-includes=/usr/local/ssl/include --with-ssl-dir=/usr/local/ssl   --with-zlib   --with-md5-passwords   --with-pam
make clean
make && make install
cp -af contrib/redhat/sshd.init /etc/init.d/sshd
cp -af contrib/redhat/sshd.pam /etc/pam.d/sshd.pam
chmod +x /etc/init.d/sshd

cat >> /etc/ssh/sshd_config <<EOF
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
KexAlgorithms +diffie-hellman-group1-sha1
EOF

chkconfig --add sshd
mv /usr/lib/systemd/system/sshd.service /root/update/sshd.service
chkconfig sshd on
systemctl enable sshd
systemctl restart sshd
ssh -V

11.检测ssh 可以正常登陆,使用ssh登陆,然后 停止telnet服务 并 移除

systemctl stop telnet.socket
systemctl stop xinetd
systemctl disable xinetd 
systemctl disable telnet.socket

 

遇到的坑：

mv /usr/lib/systemd/system/sshd.service /root/update/sshd.service 

这一步会导致sshd重启后无法自启动,解决办法先卸载openssh 

for  i   in  $(rpm  -qa  |grep  openssh);do  rpm  -e  $i  --nodeps ;done

再重新安装openssh 安装后后需要还原/etc/pam.d/sshd 文件，原文件卸载时会被删除
cat /etc/pam.d/sshd

#%PAM-1.0
auth       required    pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare