Upgrading OpenSSH to 9.6p1 on CentOS 7.6

2024-03-06 18:01  williamzheng

1. Environment before the upgrade

[root@sghhzrzyj-zhcsskdsjyypt-web-103-1-6 software]# cat /etc/redhat-release 
CentOS Linux release 7.6.1810 (Core) 
[root@sghhzrzyj-zhcsskdsjyypt-web-103-1-6 software]# uname -a
Linux sghhzrzyj-zhcsskdsjyypt-web-103-1-6 3.10.0-957.el7.x86_64 #1 SMP Thu Nov 8 23:39:32 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
[root@sghhzrzyj-zhcsskdsjyypt-web-103-1-6 software]# ssh -V
OpenSSH_7.5p1, OpenSSL 1.0.1e-fips 11 Feb 2013
[root@sghhzrzyj-zhcsskdsjyypt-web-103-1-6 software]# 

2. Upgrade OpenSSL

mkdir /software
cd /software
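# --no-check-certificate turns off TLS verification of the download server, so compare the
# tarball's SHA-256 with the value published by the OpenSSL project before building it
wget --no-check-certificate https://www.openssl.org/source/old/1.1.1/openssl-1.1.1w.tar.gz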
yum install -y gcc gcc-c++ glibc make automake autoconf zlib zlib-devel
tar -zxf openssl-1.1.1w.tar.gz
cd openssl-1.1.1w/
./config shared zlib -fPIC --prefix=/usr/local/openssl
make -j 4
make install
mv /usr/bin/openssl /usr/bin/openssl.bak
mv /usr/include/openssl /usr/include/openssl.bak
ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
ln -s /usr/local/openssl/include/openssl /usr/include/openssl
echo '/usr/local/openssl/lib' > /etc/ld.so.conf.d/openssl-x86_64.conf
ldconfig -v
openssl version -a

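3. Upgrade OpenSSH

3.1 Install telnet

Upgrading OpenSSH is a risky operation, especially when you are connected to the server remotely. If the SSH connection drops during the upgrade because of a poor network or for some other reason, you may well be unable to reach the server over SSH again. Before upgrading, set up a fallback remote access method; here we use telnet as the fallback connection. Telnet carries the login in cleartext, so it stays enabled only for the duration of the upgrade and is removed again at the end of section 3.2.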

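# Install telnet-server
yum -y install telnet-server
# Start it and enable it at boot
systemctl start telnet.socket && systemctl enable telnet.socket
# If a firewall is running, open port 23 (--permanent alone does not change the running rules, so reload)
firewall-cmd --zone=public --add-port=23/tcp --permanent
firewall-cmd --reload
# Add an ordinary user and set its password (replace 123456 with a strong password; telnet sends it in cleartext)
useradd huge
echo 123456 | passwd --stdin huge
# Grant the huge account sudo rights; /etc/sudoers is not writable by default, so add write permission first
# (visudo edits the file without a permission change and checks the syntax on save)
chmod u+w /etc/sudoers
vim /etc/sudoers
# Add this line to the file:
huge ALL=(ALL) ALL
# Once this is configured, test the connection with the telnet command from a terminal on Windows
telnet 192.168.0.10 23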

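3.2 Upgrade OpenSSH

# Download the source package and back up the existing files
cd /software
# --no-check-certificate turns off TLS verification of the download server, so compare the
# tarball's checksum with the one in the OpenSSH release announcement before building it
wget --no-check-certificate https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.6p1.tar.gz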
systemctl stop sshd
mv /etc/ssh /etc/ssh.bak
mv /usr/sbin/sshd /usr/sbin/sshd.bak
mv /usr/bin/ssh /usr/bin/ssh.bak

# Uninstall the existing OpenSSH packages
rpm -qa | grep openssh
rpm -e openssh-clients-7.5p1-1.x86_64 --nodeps
rpm -e openssh-server-7.5p1-1.x86_64
rpm -e openssh-7.5p1-1.x86_64
rpm -e openssh-debuginfo-7.5p1-1.x86_64
# (Alternatively, try removing the packages with yum: yum remove openssh)
rpm -qa | grep openssh

# Compile and install OpenSSH
yum install -y pcre-devel  perl perl-Test-Simple
tar -zxf openssh-9.6p1.tar.gz
cd openssh-9.6p1/
./configure --prefix=/usr/local/openssh --with-ssl-dir=/usr/local/openssl --with-zlib
make -j 4
make install

# Remove the old sshd startup units and set up the new sshd service
ls /usr/lib/systemd/system/ssh*
rm -f /usr/lib/systemd/system/ssh*
cp contrib/redhat/sshd.init /etc/init.d/sshd

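# Copy the sshd files to the new directory
mkdir /etc/ssh
vim /usr/local/openssh/etc/sshd_config
# Set the following in sshd_config (PermitRootLogin yes lets root log in with a password;
# prohibit-password limits root to key-based login):
PermitRootLogin yes
PubkeyAuthentication yes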
cp /usr/local/openssh/etc/sshd_config /etc/ssh/sshd_config
cp /usr/local/openssh/sbin/sshd /usr/sbin/sshd
cp /usr/local/openssh/bin/ssh /usr/bin/ssh
cp /usr/local/openssh/bin/ssh-keygen /usr/bin/ssh-keygen
cp /usr/local/openssh/etc/ssh_host_ecdsa_key.pub /etc/ssh/ssh_host_ecdsa_key.pub

# Start the sshd service and enable it at boot
systemctl daemon-reload
systemctl start sshd && systemctl enable sshd
ssh -V

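# Stop and uninstall telnet (if port 23 was opened in the firewall, remove that rule as well)
systemctl stop telnet.socket
systemctl disable telnet.socket
rpm -e telnet-server
# Delete the huge user and remove its sudo rights
userdel -r huge
# Remove the "huge ALL=(ALL) ALL" line, then restore the file mode with chmod u-w /etc/sudoers
vim /etc/sudoers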

4. Result after the upgrade

[root@sghhzrzyj-zhcsskdsjyypt-web-103-1-6 software]# ssh -V
OpenSSH_9.6p1, OpenSSL 1.1.1w  11 Sep 2023
[root@sghhzrzyj-zhcsskdsjyypt-web-103-1-6 software]#