Upgrading OpenSSH to 9.0 on CentOS 7.6
Business requirements call for upgrading OpenSSH to the latest release to close several known vulnerabilities; the server environment has no Internet access, so everything is built offline.
Reference blog (this post borrows from it): "Centos7.9 升级OpenSSH 9.0" (CentOS 7.9 upgrade to OpenSSH 9.0), xxp8811's blog on CSDN.
Check the system version
[root@localhost ~]# cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)
[root@localhost ~]# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
[root@localhost ~]# uname -a
Linux localhost.localdomain 3.10.0-957.el7.x86_64 #1 SMP Thu Nov 8 23:39:32 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
[root@localhost ~]#
Testing showed that the existing SSH session is not dropped during the upgrade, as long as you do not exit it; to be safe, install telnet as a fallback for remote login.
Download the upgrade packages
https://www.zlib.net/zlib-1.2.12.tar.gz
https://www.openssl.org/source/openssl-1.1.1d.tar.gz
https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.0p1.tar.gz
Backup link: OpenSSH: Portable Release
After downloading, upload the files to the server being upgraded (here the Windows client has the OpenSSH feature installed, so the sftp command is available)
C:\Users\wenxi>sftp root@192.168.10.112
root@192.168.10.112's password:
Connected to 192.168.10.112.
sftp> lpwd
Local working directory: c:\users\wenxi
sftp> pwd
Remote working directory: /root
sftp> lcd D:\openssh9\
sftp> lls
Volume in drive D is 新加卷
Volume Serial Number is D26A-B1FA
Directory of D:\openssh9
2022-07-15 13:28 <DIR> .
2022-07-15 13:28 <DIR> ..
2022-07-15 09:25 1,822,183 openssh-9.0p1.tar.gz
2022-07-15 09:24 8,845,861 openssl-1.1.1d.tar.gz
2022-07-15 09:27 1,490,071 zlib-1.2.12.tar.gz
3 File(s) 12,158,115 bytes
2 Dir(s) 28,574,048,256 bytes free
sftp> put *.gz
Uploading openssh-9.0p1.tar.gz to /root/openssh-9.0p1.tar.gz
openssh-9.0p1.tar.gz 100% 1779KB 66.2MB/s 00:00
Uploading openssl-1.1.1d.tar.gz to /root/openssl-1.1.1d.tar.gz
openssl-1.1.1d.tar.gz 100% 8639KB 75.0MB/s 00:00
Uploading zlib-1.2.12.tar.gz to /root/zlib-1.2.12.tar.gz
zlib-1.2.12.tar.gz 100% 1455KB 99.3MB/s 00:00
sftp>
Mount the installation disc and configure a local yum repository, used to install telnet, gcc and related dependencies
[root@localhost ~]# pwd
/root
[root@localhost ~]# ls
openssh-9.0p1.tar.gz openssl-1.1.1d.tar.gz zlib-1.2.12.tar.gz
[root@localhost ~]# tar -zxf openssl-1.1.1d.tar.gz && tar -zxf openssh-9.0p1.tar.gz && tar -zxf zlib-1.2.12.tar.gz
[root@localhost ~]# ls
openssh-9.0p1 openssh-9.0p1.tar.gz openssl-1.1.1d openssl-1.1.1d.tar.gz zlib-1.2.12 zlib-1.2.12.tar.gz
[root@localhost ~]# vi /etc/yum.repos.d/CentOS-CR.repo
[root@localhost ~]# cat /etc/yum.repos.d/CentOS-CR.repo
[cr]
name=CentOS-7.4
baseurl=file:///mnt/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
enabled=1
[root@localhost ~]# mount /dev/cdrom /mnt
mount: /dev/sr0 is write-protected, mounting read-only
mount: /dev/sr0 is already mounted or /mnt busy
/dev/sr0 is already mounted on /mnt
[root@localhost ~]# ls /mnt
CentOS_BuildTag EFI EULA GPL images isolinux LiveOS Packages repodata RPM-GPG-KEY-CentOS-7 RPM-GPG-KEY-CentOS-Testing-7 TRANS.TBL
[root@localhost ~]#
[root@localhost ~]# yum install gcc make perl telnet-server xinetd -y
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
cr | 3.6 kB 00:00:00
Package gcc-4.8.5-36.el7.x86_64 already installed and latest version
Package 1:make-3.82-23.el7.x86_64 already installed and latest version
Package 4:perl-5.16.3-293.el7.x86_64 already installed and latest version
Resolving Dependencies
--> Running transaction check
---> Package telnet-server.x86_64 1:0.17-64.el7 will be installed
---> Package xinetd.x86_64 2:2.3.15-13.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
==================================================================================================================================================
Package Arch Version Repository Size
==================================================================================================================================================
Installing:
telnet-server x86_64 1:0.17-64.el7 cr 41 k
xinetd x86_64 2:2.3.15-13.el7 cr 128 k
Transaction Summary
==================================================================================================================================================
Install 2 Packages
Total download size: 169 k
Installed size: 316 k
Downloading packages:
--------------------------------------------------------------------------------------------------------------------------------------------------
Total 15 MB/s | 169 kB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : 2:xinetd-2.3.15-13.el7.x86_64 1/2
Installing : 1:telnet-server-0.17-64.el7.x86_64 2/2
Verifying : 1:telnet-server-0.17-64.el7.x86_64 1/2
Verifying : 2:xinetd-2.3.15-13.el7.x86_64 2/2
Installed:
telnet-server.x86_64 1:0.17-64.el7 xinetd.x86_64 2:2.3.15-13.el7
Complete!
[root@localhost ~]#
Disable the firewall and SELinux
Create a new user admin for telnet login; root is not allowed to log in over telnet by default
[root@localhost ~]# vi /etc/selinux/config
[root@localhost ~]# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected.
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted
[root@localhost ~]# systemctl disable firewall
Failed to execute operation: No such file or directory
[root@localhost ~]# systemctl disable firewalld
Removed symlink /etc/systemd/system/multi-user.target.wants/firewalld.service.
Removed symlink /etc/systemd/system/dbus-org.fedoraproject.FirewallD1.service.
[root@localhost ~]# systemctl stop firewalld
[root@localhost ~]# systemctl start xinetd
[root@localhost ~]# systemctl start telnet
Failed to start telnet.service: Unit not found.
[root@localhost ~]# systemctl start telnet.socket
[root@localhost ~]# netstat -tunlp
-bash: netstat: command not found
[root@localhost ~]# yum install net-tools -y
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package net-tools.x86_64 0:2.0-0.24.20131004git.el7 will be installed
--> Finished Dependency Resolution
Dependencies Resolved
==================================================================================================================================================
Package Arch Version Repository Size
==================================================================================================================================================
Installing:
net-tools x86_64 2.0-0.24.20131004git.el7 cr 306 k
Transaction Summary
==================================================================================================================================================
Install 1 Package
Total download size: 306 k
Installed size: 918 k
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : net-tools-2.0-0.24.20131004git.el7.x86_64 1/1
Verifying : net-tools-2.0-0.24.20131004git.el7.x86_64 1/1
Installed:
net-tools.x86_64 0:2.0-0.24.20131004git.el7
Complete!
[root@localhost ~]# netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1/systemd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 3115/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 3439/master
tcp6 0 0 :::111 :::* LISTEN 1/systemd
tcp6 0 0 :::22 :::* LISTEN 3115/sshd
tcp6 0 0 :::23 :::* LISTEN 1/systemd
tcp6 0 0 ::1:25 :::* LISTEN 3439/master
udp 0 0 0.0.0.0:111 0.0.0.0:* 1/systemd
udp 0 0 127.0.0.1:323 0.0.0.0:* 2701/chronyd
udp6 0 0 :::111 :::* 1/systemd
udp6 0 0 ::1:323 :::* 2701/chronyd
[root@localhost ~]# useradd admin
[root@localhost ~]# passwd admin
Changing password for user admin.
New password:
BAD PASSWORD: The password is shorter than 8 characters
Retype new password:
passwd: all authentication tokens updated successfully.
[root@localhost ~]#
Configure telnet and verify the login.
Logging in with the newly created admin user succeeds

Install zlib
[root@localhost zlib-1.2.12]# ./configure --prefix=/usr/local/zlib
Checking for gcc...
Checking for shared library support...
Building shared library libz.so.1.2.12 with gcc.
Checking for size_t... Yes.
Checking for off64_t... Yes.
Checking for fseeko... Yes.
Checking for strerror... Yes.
Checking for unistd.h... Yes.
Checking for stdarg.h... Yes.
Checking whether to use vs[n]printf() or s[n]printf()... using vs[n]printf().
Checking for vsnprintf() in stdio.h... Yes.
Checking for return value of vsnprintf()... Yes.
Checking for attribute(visibility) support... Yes.
[root@localhost zlib-1.2.12]# make && make install
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -I. -c -o example.o test/example.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o adler32.o adler32.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o crc32.o crc32.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o deflate.o deflate.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o infback.o infback.c
............................................... (part of the output omitted) ........................................
[root@localhost zlib-1.2.12]#
Install openssl
[root@localhost openssl-1.1.1d]# ./config --prefix=/usr/local/ssl -d shared
Operating system: x86_64-whatever-linux2
Configuring OpenSSL version 1.1.1d (0x1010104fL) for linux-x86_64
Using os-specific seed configuration
Creating configdata.pm
Creating Makefile
**********************************************************************
*** ***
*** OpenSSL has been successfully configured ***
*** ***
*** If you encounter a problem while building, please open an ***
*** issue on GitHub <https://github.com/openssl/openssl/issues> ***
*** and include the output from the following command: ***
*** ***
*** perl configdata.pm --dump ***
*** ***
*** (If you are new to OpenSSL, you might want to consult the ***
*** 'Troubleshooting' section in the INSTALL file first) ***
*** ***
**********************************************************************
[root@localhost openssl-1.1.1d]#make && make install
(part of the output omitted)
...........................................................................................................
/usr/local/ssl/share/doc/openssl/html/man7/SM2.html
/usr/local/ssl/share/doc/openssl/html/man7/X25519.html
/usr/local/ssl/share/doc/openssl/html/man7/X448.html -> /usr/local/ssl/share/doc/openssl/html/man7/X25519.html
/usr/local/ssl/share/doc/openssl/html/man7/bio.html
/usr/local/ssl/share/doc/openssl/html/man7/crypto.html
/usr/local/ssl/share/doc/openssl/html/man7/ct.html
/usr/local/ssl/share/doc/openssl/html/man7/des_modes.html
/usr/local/ssl/share/doc/openssl/html/man7/evp.html
/usr/local/ssl/share/doc/openssl/html/man7/ossl_store-file.html
/usr/local/ssl/share/doc/openssl/html/man7/ossl_store.html
/usr/local/ssl/share/doc/openssl/html/man7/passphrase-encoding.html
/usr/local/ssl/share/doc/openssl/html/man7/scrypt.html
/usr/local/ssl/share/doc/openssl/html/man7/ssl.html
/usr/local/ssl/share/doc/openssl/html/man7/x509.html
[root@localhost openssl-1.1.1d]#
[root@localhost openssl-1.1.1d]# echo '/usr/local/ssl/lib' >> /etc/ld.so.conf
[root@localhost openssl-1.1.1d]# ldconfig -v
ldconfig: Path `/usr/local/ssl/lib' given more than once
ldconfig: Can't stat /libx32: No such file or directory
ldconfig: Path `/usr/lib' given more than once
ldconfig: Path `/usr/lib64' given more than once
ldconfig: Can't stat /usr/libx32: No such file or directory
/usr/lib64/iscsi:
libiscsi.so.2 -> libiscsi.so.2.0.10900
/usr/lib64/mysql:
libmysqlclient.so.18 -> libmysqlclient.so.18.0.0
/usr/local/ssl/lib:
libssl.so.1.1 -> libssl.so.1.1
libcrypto.so.1.1 -> libcrypto.so.1.1
/lib:
/lib64:
libini_config.so.3 -> libini_config.so.3.2.1
libpath_utils.so.1 -> libpath_utils.so.1.0.1
libpulse.so.0 -> libpulse.so.0.20.1
libpulse-simple.so.0 -> libpulse-simple.so.0.1.0
libsndfile.so.1 -> libsndfile.so.1.0.25
libgsm.so.1 -> libgsm.so.1.0.12
libXtst.so.6 -> libXtst.so.6.1.0
libnfsidmap.so.0 -> libnfsidmap.so.0.3.0
libxcb-screensaver.so.0 -> libxcb-screensaver.so.0.0.0
libXi.so.6 -> libXi.so.6.1.0
.........................................................................................................
libfreeblpriv3.so -> libfreeblpriv3.so
libmenu.so.5 -> libmenu.so.5.9
libfreebl3.so -> libfreebl3.so
libformw.so.5 -> libformw.so.5.9
libform.so.5 -> libform.so.5.9
libgcc_s.so.1 -> libgcc_s-4.8.5-20150702.so.1
libutil.so.1 -> libutil-2.17.so
/lib/sse2: (hwcap: 0x0000000004000000)
/lib64/sse2: (hwcap: 0x0000000004000000)
/lib64/tls: (hwcap: 0x8000000000000000)
[root@localhost openssl-1.1.1d]#
Install openssh
[root@localhost openssh-9.0p1]# ./configure --prefix=/usr/local/openssh --with-zlib=/usr/local/zlib --with-ssl-dir=/usr/local/ssl
checking for cc... cc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether cc accepts -g... yes
checking for cc option to accept ISO C89... none needed
checking if cc supports C99-style variadic macros... yes
checking build system type... x86_64-pc-linux-gnu
checking host system type... x86_64-pc-linux-gnu
checking how to run the C preprocessor... cc -E
checking for grep that handles long lines and -e... /usr/bin/grep
..............................................................................................................
config.status: creating Makefile
config.status: creating buildpkg.sh
config.status: creating opensshd.init
config.status: creating openssh.xml
config.status: creating openbsd-compat/Makefile
config.status: creating openbsd-compat/regress/Makefile
config.status: creating survey.sh
config.status: creating config.h
OpenSSH has been configured with the following options:
User binaries: /usr/local/openssh/bin
System binaries: /usr/local/openssh/sbin
Configuration files: /usr/local/openssh/etc
Askpass program: /usr/local/openssh/libexec/ssh-askpass
Manual pages: /usr/local/openssh/share/man/manX
PID file: /var/run
Privilege separation chroot path: /var/empty
sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/openssh/bin
Manpage format: doc
PAM support: no
OSF SIA support: no
KerberosV support: no
SELinux support: no
libedit support: no
libldns support: no
Solaris process contract support: no
Solaris project support: no
Solaris privilege support: no
IP address in $DISPLAY hack: no
Translate v4 in v6 hack: yes
BSD Auth support: no
Random number source: OpenSSL internal ONLY
Privsep sandbox style: seccomp_filter
PKCS#11 support: yes
U2F/FIDO support: yes
Host: x86_64-pc-linux-gnu
Compiler: cc
Compiler flags: -g -O2 -pipe -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE
Preprocessor flags: -I/usr/local/ssl/include -I/usr/local/zlib/include -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE
Linker flags: -L/usr/local/ssl/lib -L/usr/local/zlib/lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -pie
Libraries: -lcrypto -ldl -lutil -lz -lcrypt -lresolv
[root@localhost openssh-9.0p1]#
[root@localhost openssh-9.0p1]# make && make install
conffile=`echo sshd_config.out | sed 's/.out$//'`; \
/usr/bin/sed -e 's|/etc/ssh/ssh_config|/usr/local/openssh/etc/ssh_config|g' -e 's|/etc/ssh/ssh_known_hosts|/usr/local/openssh/etc/ssh_known_hosts|g' -e 's|/etc/ssh/sshd_config|/usr/local/openssh/etc/sshd_config|g' -e
.......................................................................................................
/usr/local/openssh/share/man/man8/ssh-pkcs11-helper.8
/usr/bin/install -c -m 644 ssh-sk-helper.8.out /usr/local/openssh/share/man/man8/ssh-sk-helper.8
/usr/bin/mkdir -p /usr/local/openssh/etc
ssh-keygen: generating new host keys: RSA DSA ECDSA ED25519
/usr/local/openssh/sbin/sshd -t -f /usr/local/openssh/etc/sshd_config
[root@localhost openssh-9.0p1]#
Use yum to remove the old openssh
[root@localhost openssh-9.0p1]# yum remove openssh -y
Loaded plugins: fastestmirror
Resolving Dependencies
--> Running transaction check
---> Package openssh.x86_64 0:7.4p1-16.el7 will be erased
--> Processing Dependency: openssh = 7.4p1-16.el7 for package: openssh-server-7.4p1-16.el7.x86_64
--> Processing Dependency: openssh = 7.4p1-16.el7 for package: openssh-clients-7.4p1-16.el7.x86_64
--> Running transaction check
---> Package openssh-clients.x86_64 0:7.4p1-16.el7 will be erased
---> Package openssh-server.x86_64 0:7.4p1-16.el7 will be erased
--> Finished Dependency Resolution
Dependencies Resolved
==================================================================================================================================================
Package Arch Version Repository Size
==================================================================================================================================================
Removing:
openssh x86_64 7.4p1-16.el7 @anaconda 1.9 M
Removing for dependencies:
openssh-clients x86_64 7.4p1-16.el7 @anaconda 2.5 M
openssh-server x86_64 7.4p1-16.el7 @anaconda 971 k
Transaction Summary
==================================================================================================================================================
Remove 1 Package (+2 Dependent packages)
Installed size: 5.4 M
Downloading packages:
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Erasing : openssh-server-7.4p1-16.el7.x86_64 1/3
Erasing : openssh-clients-7.4p1-16.el7.x86_64 2/3
Erasing : openssh-7.4p1-16.el7.x86_64 3/3
Verifying : openssh-clients-7.4p1-16.el7.x86_64 1/3
Verifying : openssh-7.4p1-16.el7.x86_64 2/3
Verifying : openssh-server-7.4p1-16.el7.x86_64 3/3
Removed:
openssh.x86_64 0:7.4p1-16.el7
Dependency Removed:
openssh-clients.x86_64 0:7.4p1-16.el7 openssh-server.x86_64 0:7.4p1-16.el7
Complete!
[root@localhost openssh-9.0p1]#
[root@localhost openssh-9.0p1]# ps aux | grep ssh
root 3347 0.0 0.5 158752 5620 ? Ss 05:08 0:00 sshd: root@pts/0
root 31409 0.0 0.0 112708 976 pts/0 R+ 05:38 0:00 grep --color=auto ssh
[root@localhost openssh-9.0p1]# netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1/systemd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 3439/master
tcp6 0 0 :::111 :::* LISTEN 1/systemd
tcp6 0 0 :::23 :::* LISTEN 1/systemd
tcp6 0 0 ::1:25 :::* LISTEN 3439/master
udp 0 0 0.0.0.0:111 0.0.0.0:* 1/systemd
udp 0 0 127.0.0.1:323 0.0.0.0:* 2701/chronyd
udp6 0 0 :::111 :::* 1/systemd
udp6 0 0 ::1:323 :::* 2701/chronyd
[root@localhost openssh-9.0p1]#
At this point nothing is listening on port 22 any more, but the remote session has not been dropped yet. Now configure the new ssh and set it to start on boot.
[root@localhost openssh-9.0p1]#
[root@localhost openssh-9.0p1]# ssh
-bash: /usr/bin/ssh: No such file or directory
[root@localhost openssh-9.0p1]# sftp
-bash: sftp: command not found
[root@localhost openssh-9.0p1]# ssh -^C
[root@localhost openssh-9.0p1]#
[root@localhost openssh-9.0p1]#
[root@localhost openssh-9.0p1]# ssh -V
-bash: /usr/bin/ssh: No such file or directory
[root@localhost openssh-9.0p1]# sftp
-bash: sftp: command not found
[root@localhost openssh-9.0p1]# cp /usr/local/openss
openssh/ openssl/
[root@localhost openssh-9.0p1]# cp /usr/local/openssh/
bin/ etc/ libexec/ sbin/ share/
[root@localhost openssh-9.0p1]# cp /usr/local/openssh/bin/ssh
ssh ssh-add ssh-agent ssh-keygen ssh-keyscan
[root@localhost openssh-9.0p1]# cp /usr/local/openssh/bin/ssh
ssh ssh-add ssh-agent ssh-keygen ssh-keyscan
[root@localhost openssh-9.0p1]# cp /usr/local/openssh/bin/ssh* /usr/bin/
[root@localhost openssh-9.0p1]# cp contrib/redhat/sshd.init /etc/init.d/sshd
[root@localhost openssh-9.0p1]# cp /usr/local/openssh/sbin/sshd /usr/sbin/sshd
[root@localhost openssh-9.0p1]#
[root@localhost openssh-9.0p1]# systemctl start sshd
Failed to start sshd.service: Unit not found.
[root@localhost openssh-9.0p1]# systemctl start sshd.service
Failed to start sshd.service: Unit not found.
[root@localhost openssh-9.0p1]# chkconfig --add sshd
[root@localhost openssh-9.0p1]# systemctl start sshd.service
[root@localhost openssh-9.0p1]# systemctl start sshd
[root@localhost openssh-9.0p1]# systemctl status sshd
● sshd.service - SYSV: OpenSSH server daemon
Loaded: loaded (/etc/rc.d/init.d/sshd; bad; vendor preset: enabled)
Active: active (running) since Thu 2022-07-07 05:49:57 EDT; 15s ago
Docs: man:systemd-sysv-generator(8)
Process: 32048 ExecStart=/etc/rc.d/init.d/sshd start (code=exited, status=0/SUCCESS)
Main PID: 32056 (sshd)
Tasks: 1
CGroup: /system.slice/sshd.service
└─32056 sshd: /usr/sbin/sshd [listener] 0 of 10-100 startups
Jul 07 05:49:57 localhost.localdomain systemd[1]: Starting SYSV: OpenSSH server daemon...
Jul 07 05:49:57 localhost.localdomain sshd[32048]: /sbin/restorecon: lstat(/etc/ssh/ssh_host_dsa_key.pub) failed: No such file or directory
Jul 07 05:49:57 localhost.localdomain sshd[32048]: Starting sshd:[ OK ]
Jul 07 05:49:57 localhost.localdomain systemd[1]: PID file /var/run/sshd.pid not readable (yet?) after start.
Jul 07 05:49:57 localhost.localdomain sshd[32056]: Server listening on 0.0.0.0 port 22.
Jul 07 05:49:57 localhost.localdomain sshd[32056]: Server listening on :: port 22.
Jul 07 05:49:57 localhost.localdomain systemd[1]: Started SYSV: OpenSSH server daemon.
[root@localhost openssh-9.0p1]#
[root@localhost openssh-9.0p1]# netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1/systemd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 32056/sshd: /usr/sb
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 3439/master
tcp6 0 0 :::111 :::* LISTEN 1/systemd
tcp6 0 0 :::22 :::* LISTEN 32056/sshd: /usr/sb
tcp6 0 0 :::23 :::* LISTEN 1/systemd
tcp6 0 0 ::1:25 :::* LISTEN 3439/master
udp 0 0 0.0.0.0:111 0.0.0.0:* 1/systemd
udp 0 0 127.0.0.1:323 0.0.0.0:* 2701/chronyd
udp6 0 0 :::111 :::* 1/systemd
udp6 0 0 ::1:323 :::* 2701/chronyd
[root@localhost openssh-9.0p1]#
Verify the upgraded version from the client


Use the ssh command in cmd to connect and verify
C:\Users\wenxi>ssh root@192.168.10.112
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ED25519 key sent by the remote host is
SHA256:7TZnXWtjXRFK1AyCoa6hIO/7Gma9zcxYN/mnoywKww0.
Please contact your system administrator.
Add correct host key in C:\\Users\\wenxi/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in C:\\Users\\wenxi/.ssh/known_hosts:5
Host key for 192.168.10.112 has changed and you have requested strict checking.
Host key verification failed.
C:\Users\wenxi>echo "" > .ssh\known_hosts
C:\Users\wenxi>ssh root@192.168.10.112
The authenticity of host '192.168.10.112 (192.168.10.112)' can't be established.
ED25519 key fingerprint is SHA256:7TZnXWtjXRFK1AyCoa6hIO/7Gma9zcxYN/mnoywKww0.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.10.112' (ED25519) to the list of known hosts.
root@192.168.10.112's password:
Permission denied, please try again.
root@192.168.10.112's password:
C:\Users\wenxi>
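The warning above is expected here: make install generated fresh host keys (the "ssh-keygen: generating new host keys" line earlier), so the key really did change. What a defender should do is compare the fingerprint in the warning with the server's own key and remove only the stale known_hosts entry, instead of emptying the whole file as above, which also discards every other host's trust anchor. The script below is an added example, not code from the post; it uses the fingerprint shown above, a constructed ssh-keygen -lf line and a constructed known_hosts sample, and its remove_known_host mirrors what ssh-keygen -R does for unhashed entries (on the real client, ssh-keygen -R 192.168.10.112 is the one-liner, on Windows as well).

```shell
#!/bin/sh
# Handling "REMOTE HOST IDENTIFICATION HAS CHANGED" after a host-key change.
# Added example, not part of the original post.
set -u

# fingerprint_from_warning TEXT -> the SHA256 fingerprint quoted in the client warning
fingerprint_from_warning() {
    printf '%s\n' "$1" | sed -n 's|.*\(SHA256:[A-Za-z0-9+/]*\).*|\1|p' | head -n 1
}

# On the server (over the still-open session or the console) the reference value is
#   ssh-keygen -lf /usr/local/openssh/etc/ssh_host_ed25519_key.pub
# which prints "256 SHA256:... comment (ED25519)"; this pulls out field 2.
fingerprint_from_keygen() {
    printf '%s\n' "$1" | awk '{ print $2 }'
}

# fingerprints_match EXPECTED_FROM_SERVER SEEN_IN_WARNING -> 0 only on an exact match
fingerprints_match() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# remove_known_host FILE HOST: same effect as "ssh-keygen -R HOST" for plain
# (unhashed) entries. A line naming several hosts keeps the others, a line naming
# only HOST (or "[HOST]:port") is dropped, hashed "|1|" and "@" marker lines stay.
remove_known_host() {
    tmp="$1.tmp.$$"
    awk -v host="$2" '
        /^[[:space:]]*(#|$)/ { print; next }                       # comment or blank
        substr($1, 1, 3) == "|1|" || substr($1, 1, 1) == "@" { print; next }
        {
            n = split($1, names, ","); keep = ""
            for (i = 1; i <= n; i++)
                if (names[i] != host && index(names[i], "[" host "]:") != 1)
                    keep = keep (keep == "" ? "" : ",") names[i]
            if (keep == "") next                                   # only HOST here: drop
            $1 = keep; print
        }' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Constructed sample known_hosts; the key blobs are placeholders, not real keys.
SAMPLE_KNOWN_HOSTS='# constructed sample
10.0.0.5 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYAAAAAAAAAAAAAAAAAAAAAAAAAAAA
192.168.10.112 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIPLACEHOLDER
192.168.10.112,gw.example.internal ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABPLACEHOLDERKEY
[10.0.0.9]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYBBBBBBBBBBBBBBBBBBBBBBBB
|1|c2FsdHNhbHRzYWx0c2FsdHNhbHQ=|aGFzaGVkaG9zdGhhc2hlZGhvc3Q= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYCCCC'

# Walk through the page's scenario on a temporary copy of the sample file.
demo() {
    warning='The fingerprint for the ED25519 key sent by the remote host is SHA256:7TZnXWtjXRFK1AyCoa6hIO/7Gma9zcxYN/mnoywKww0.'
    # constructed ssh-keygen -lf output carrying the same fingerprint
    server='256 SHA256:7TZnXWtjXRFK1AyCoa6hIO/7Gma9zcxYN/mnoywKww0 root@localhost.localdomain (ED25519)'
    seen=$(fingerprint_from_warning "$warning"); expected=$(fingerprint_from_keygen "$server")
    if fingerprints_match "$expected" "$seen"; then
        echo "fingerprint $seen matches the server's key: safe to replace the old entry"
        tmp=$(mktemp); printf '%s\n' "$SAMPLE_KNOWN_HOSTS" > "$tmp"
        remove_known_host "$tmp" 192.168.10.112
        echo "known_hosts after removal:"; cat "$tmp"; rm -f "$tmp"
    else
        echo "fingerprint mismatch ($seen vs $expected): do not connect, investigate first"
    fi
}
demo
```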
Remote root login was restricted; edit sshd_config and restart the sshd service.
[root@localhost openssh-9.0p1]# vi /usr/local/openssh/etc/sshd_config
[root@localhost openssh-9.0p1]# grep root /usr/local/openssh/etc/sshd_config
#ChrootDirectory none
[root@localhost openssh-9.0p1]# grep -i Root /usr/local/openssh/etc/sshd_config
PermitRootLogin yes
# the setting of "PermitRootLogin without-password".
#ChrootDirectory none
[root@localhost openssh-9.0p1]#
[root@localhost openssh-9.0p1]# systemctl restart sshd
[root@localhost openssh-9.0p1]# systemctl status sshd
● sshd.service - SYSV: OpenSSH server daemon
Loaded: loaded (/etc/rc.d/init.d/sshd; bad; vendor preset: enabled)
Active: active (running) since Thu 2022-07-07 06:13:51 EDT; 4s ago
Docs: man:systemd-sysv-generator(8)
Process: 899 ExecStop=/etc/rc.d/init.d/sshd stop (code=exited, status=0/SUCCESS)
Process: 905 ExecStart=/etc/rc.d/init.d/sshd start (code=exited, status=0/SUCCESS)
Main PID: 913 (sshd)
Tasks: 1
CGroup: /system.slice/sshd.service
└─913 sshd: /usr/sbin/sshd [listener] 0 of 10-100 startups
Jul 07 06:13:51 localhost.localdomain systemd[1]: Stopped SYSV: OpenSSH server daemon.
Jul 07 06:13:51 localhost.localdomain systemd[1]: Starting SYSV: OpenSSH server daemon...
Jul 07 06:13:51 localhost.localdomain sshd[905]: /sbin/restorecon: lstat(/etc/ssh/ssh_host_dsa_key.pub) failed: No such file or directory
Jul 07 06:13:51 localhost.localdomain sshd[905]: Starting sshd:[ OK ]
Jul 07 06:13:51 localhost.localdomain systemd[1]: PID file /var/run/sshd.pid not readable (yet?) after start.
Jul 07 06:13:51 localhost.localdomain sshd[913]: Server listening on 0.0.0.0 port 22.
Jul 07 06:13:51 localhost.localdomain sshd[913]: Server listening on :: port 22.
Jul 07 06:13:51 localhost.localdomain systemd[1]: Started SYSV: OpenSSH server daemon.
[root@localhost openssh-9.0p1]#
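The grep above only shows lines that contain "root"; what sshd actually applies is the first uncommented occurrence of each keyword before any Match block, and the commented lines merely document defaults. The following script is an added example, not code from the post: it reports those effective values for a config file and flags the weak combination the post ends up with, using two constructed sample configs (one mirroring the grep output above, one hardened); defaults follow sshd_config(5) for OpenSSH 9.0.

```shell
#!/bin/sh
# Report the effective value of key sshd_config directives and flag weak settings.
# Added example, not part of the original post.
set -u

# effective_value FILE KEYWORD DEFAULT -> the global value sshd will actually use.
# Keywords are case-insensitive, "#" lines are comments, the "Keyword=value"
# spelling is not handled, and the global section ends at the first "Match".
effective_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        /^[[:space:]]*(#|$)/ { next }            # comment or blank line
        tolower($1) == "match" { exit }          # conditional block: global part ends
        tolower($1) == key { print $2; found = 1; exit }
        END { if (!found) print def }' "$1"
}

# audit_sshd_config FILE -> one summary line plus warnings; exit 1 on weak settings
audit_sshd_config() {
    f=$1 rc=0
    root=$(effective_value "$f" PermitRootLogin prohibit-password)
    pass=$(effective_value "$f" PasswordAuthentication yes)
    pubkey=$(effective_value "$f" PubkeyAuthentication yes)
    port=$(effective_value "$f" Port 22)
    echo "Port=$port PermitRootLogin=$root PasswordAuthentication=$pass PubkeyAuthentication=$pubkey"
    if [ "$root" = yes ]; then
        echo "WARN PermitRootLogin yes: root may log in with a password"; rc=1
    fi
    if [ "$root" = yes ] && [ "$pass" = yes ]; then
        echo "WARN root password guessing is possible; prefer 'PermitRootLogin prohibit-password' with key auth"
        rc=1
    fi
    [ "$pubkey" = yes ] || { echo "WARN PubkeyAuthentication is off"; rc=1; }
    return $rc
}

# Constructed samples: the first mirrors the post's grep output (plus a Match block
# to show it is ignored for the global value), the second is a hardened variant.
AS_IN_POST='PermitRootLogin yes
# the setting of "PermitRootLogin without-password".
#ChrootDirectory none
Match User backup
    PermitRootLogin no'

HARDENED='#PermitRootLogin prohibit-password
PasswordAuthentication no
PubkeyAuthentication yes
Match Address 192.168.10.0/24
    PasswordAuthentication yes'

demo() {
    tmp=$(mktemp)
    for sample in "$AS_IN_POST" "$HARDENED"; do
        printf '%s\n' "$sample" > "$tmp"
        audit_sshd_config "$tmp" && echo "result: no findings" || echo "result: findings"
    done
    rm -f "$tmp"
}
demo
```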
Log in again and root now succeeds. Then remove or disable telnet.
[root@localhost openssh-9.0p1]# systemctl stop xinetd
[root@localhost openssh-9.0p1]# systemctl stop telnet.socket
[root@localhost openssh-9.0p1]# systemctl stop telnet
Failed to stop telnet.service: Unit telnet.service not loaded.
[root@localhost openssh-9.0p1]# userdel -r admin
[root@localhost openssh-9.0p1]# cd
[root@localhost ~]# netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1/systemd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 913/sshd: /usr/sbin
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 3439/master
tcp6 0 0 :::111 :::* LISTEN 1/systemd
tcp6 0 0 :::22 :::* LISTEN 913/sshd: /usr/sbin
tcp6 0 0 ::1:25 :::* LISTEN 3439/master
udp 0 0 0.0.0.0:111 0.0.0.0:* 1/systemd
udp 0 0 127.0.0.1:323 0.0.0.0:* 2701/chronyd
udp6 0 0 :::111 :::* 1/systemd
udp6 0 0 ::1:323 :::* 2701/chronyd
[root@localhost ~]#
The upgrade is now complete.
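As a final check after the cleanup, here is an added post-upgrade verification script (not part of the original post). It assumes the paths this post installs into (/usr/bin/ssh, /usr/sbin/sshd, /usr/local/openssh/etc/sshd_config, /usr/local/ssl/lib) and the CentOS 7 ss and systemctl tools; the version helpers are pure string functions, while the live checks (binary versions, library resolution after the ld.so.conf step, sshd -t, the port 22 listener, and that the telnet fallback and its admin account are gone) run only with --run.

```shell
#!/bin/sh
# Post-upgrade verification for the OpenSSH 9.0p1 build described above.
# Added example, not part of the original post; adjust the paths if you install elsewhere.
set -u

WANT_VERSION="9.0p1"
SSH_BIN=/usr/bin/ssh
SSHD_BIN=/usr/sbin/sshd
SSHD_CONFIG=/usr/local/openssh/etc/sshd_config
SSL_LIBDIR=/usr/local/ssl/lib

# parse_openssh_version TEXT -> "9.0p1" from a line such as
# "OpenSSH_9.0p1, OpenSSL 1.1.1d  10 Sep 2019" (first matching line wins, empty if none)
parse_openssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*p\{0,1\}[0-9]*\).*/\1/p' | head -n 1
}

# version_ge A B -> exit 0 when A >= B; major, minor and the pN suffix are compared
# numerically and a missing suffix counts as 0
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "[.p]"); split(b, y, "[.p]")
        for (i = 1; i <= 3; i++)
            if (x[i] + 0 != y[i] + 0) exit (x[i] + 0 > y[i] + 0 ? 0 : 1)
        exit 0 }'
}

# binary_version PATH -> version the binary reports. "ssh -V" writes to stderr;
# sshd prints its version as the first line of its usage text.
binary_version() {
    parse_openssh_version "$("$1" -V 2>&1 || true)"
}

check_versions() {
    rc=0
    for bin in "$SSH_BIN" "$SSHD_BIN"; do
        v=$(binary_version "$bin")
        if [ -n "$v" ] && version_ge "$v" "$WANT_VERSION"; then
            echo "OK   $bin is OpenSSH $v"
        else
            echo "FAIL $bin reports '${v:-nothing}', want >= $WANT_VERSION"; rc=1
        fi
    done
    return $rc
}

# The post appends /usr/local/ssl/lib to /etc/ld.so.conf and runs ldconfig; if that
# step was skipped sshd cannot load libcrypto.so.1.1 and will not start at all.
check_libs() {
    if ldd "$SSHD_BIN" | grep -q 'not found'; then
        echo "FAIL $SSHD_BIN has unresolved libraries (ld.so.conf / ldconfig step?)"; return 1
    fi
    if ldd "$SSHD_BIN" | grep libcrypto | grep -q "$SSL_LIBDIR"; then
        echo "OK   sshd links libcrypto from $SSL_LIBDIR"
    else
        echo "WARN sshd links libcrypto from outside $SSL_LIBDIR:"; ldd "$SSHD_BIN" | grep libcrypto
    fi
}

check_service() {
    rc=0
    "$SSHD_BIN" -t -f "$SSHD_CONFIG" && echo "OK   $SSHD_CONFIG passes sshd -t" || rc=1
    if ss -lnt | grep -qE '[:*]22[[:space:]]'; then echo "OK   a listener is bound to tcp/22"
    else echo "FAIL nothing is listening on tcp/22"; rc=1; fi
    # the telnet fallback and its throwaway account must be gone again
    if systemctl is-active --quiet telnet.socket; then echo "WARN telnet.socket is still active"; rc=1; fi
    if id admin >/dev/null 2>&1; then echo "WARN fallback user 'admin' still exists"; rc=1; fi
    return $rc
}

main() {
    check_versions; a=$?
    check_libs; b=$?
    check_service; c=$?
    [ $((a + b + c)) -eq 0 ]
}

# live checks only on request, so the helper functions can be sourced and tested
if [ "${1:-}" = "--run" ]; then main; fi
```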
