Upgrading OpenSSH to 10.2p1 on CentOS 6.5

# Background

CentOS release 6.5 is an old system version, and its OpenSSH has vulnerabilities, so it needs to be upgraded.
# 1. Install dependencies
```
# Download the source tarballs:
#   https://github.com/openssl/openssl/releases/download/openssl-3.0.18/openssl-3.0.18.tar.gz
#   https://www.cpan.org/authors/id/B/BI/BINGOS/IPC-Cmd-1.04.tar.gz
#   http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-10.2p1.tar.gz

yum -y install gcc make perl    # plus zlib zlib-devel if missing (the zlib build options below need them)
yum install -y gcc openssl-devel pam-devel rpm-build
yum install -y telnet-server telnet xinetd
yum install -y perl-CPAN perl-ExtUtils-MakeMaker

# Install the core Perl development tools
yum install -y perl-CPAN perl-Module-Build perl-ExtUtils-CBuilder
# Option 1: install directly via yum (recommended)
yum install -y perl-Params-Check
yum install -y perl-core
yum install -y perl-ExtUtils-Embed perl-devel
yum install -y perl-Module-Load-Conditional

# Verify that the module loads
perl -MModule::Load::Conditional -e 'print "Module ready\n"'
# Expected output: Module ready

#### Offline install: download the RPMs, then install them locally
# (on CentOS 6, --downloadonly is provided by the yum-plugin-downloadonly package)
yum -y install PACKAGE --downloadonly --downloaddir=./    # PACKAGE = the package to fetch
yum -y localinstall *.rpm
```

# 2. Install telnet

Telnet provides a fallback login while the existing OpenSSH packages are removed in step 4.

```
# Edit the telnet configuration file
vi /etc/xinetd.d/telnet

service telnet
{
    flags           = REUSE
    socket_type     = stream
    wait            = no
    user            = root
    server          = /usr/sbin/in.telnetd
    log_on_failure  += USERID
    # Key setting: enable the service
    disable         = no
}

# Reload the xinetd configuration
service xinetd reload
# Or do a full restart
service xinetd restart

# Check that port 23 is listening
netstat -antp | grep :23
# Example of the expected output:
# tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN 1234/xinetd

# If login fails, check the allowed terminal types
# (look in /var/log/secure to see which pts device is missing)
cat /etc/securetty

# Typical problem: pts devices are missing (telnet uses virtual terminals)
for i in $(seq 0 11); do
    echo "pts/$i" >> /etc/securetty
done
```

# 3. Install openssl 3.0.18
```
# Install IPC-Cmd first, otherwise the OpenSSL build complains that IPC modules are missing
tar xf IPC-Cmd-1.04.tar.gz
cd IPC-Cmd-1.04
ls
perl Makefile.PL
make && make install
cd ..    # back to the directory holding the tarballs

tar xf openssl-3.0.18.tar.gz
cd openssl-3.0.18
./config --prefix=/usr/local/openssl --openssldir=/usr/local/openssl/ssl shared zlib
make && make install
echo "/usr/local/openssl/lib64/" >> /etc/ld.so.conf
ldconfig
mv /usr/bin/openssl /usr/bin/openssl.old    # back up the old version
ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
```

# 4. Install openssh 10.2
```
# Remove the packaged OpenSSH
for i in $(rpm -qa | grep openssh); do rpm -e "$i" --nodeps; done
mv /etc/ssh /etc/ssh.old

cd ..    # back to the directory holding the tarballs
tar xf openssh-10.2p1.tar.gz
cd openssh-10.2p1
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/openssl --with-zlib --with-pam --with-md5-passwords
make && make install
cp contrib/redhat/sshd.init /etc/init.d/sshd
chkconfig --add sshd
chkconfig sshd on
chkconfig --list | grep sshd
# Insert "PermitRootLogin yes" after line 32 of the new sshd_config
sed -i "32a PermitRootLogin yes" /etc/ssh/sshd_config

# Restart sshd
/etc/init.d/sshd stop && /etc/init.d/sshd start

# Check that the upgrade succeeded
[root@localhost ~]# ssh -V
OpenSSH_10.2p1, OpenSSL 3.0.18 30 Sep 2025
```
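
Steps 2 and 4 leave telnet enabled in xinetd, pts entries in /etc/securetty, and `PermitRootLogin yes` in the new sshd_config. The script below is an added example, not part of the original post, that reports which of those settings are still in effect once the upgrade has been verified; the function name `audit_fallback` and its optional root-directory argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Constructed helper: the name
# audit_fallback and the optional ROOT argument (to audit a copy of /etc) are
# assumptions. Prints one line per setting from steps 2 and 4 still in effect;
# returns 0 only when none remain.
audit_fallback() {
    root="${1:-}"
    findings=0

    # Step 2: telnet enabled in xinetd ("disable = no")
    f="$root/etc/xinetd.d/telnet"
    if [ -f "$f" ] &&
       grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*no[[:space:]]*$' "$f"; then
        echo "TELNET_ENABLED $f"
        findings=$((findings + 1))
    fi

    # Step 2: pts/N lines in securetty (root allowed on virtual terminals)
    f="$root/etc/securetty"
    if [ -f "$f" ]; then
        n=$(grep -Ec '^pts/[0-9]+[[:space:]]*$' "$f" || true)
        if [ "$n" -gt 0 ]; then
            echo "SECURETTY_PTS $n"
            findings=$((findings + 1))
        fi
    fi

    # Step 4: sshd honours the first PermitRootLogin it reads; comments skipped
    f="$root/etc/ssh/sshd_config"
    if [ -f "$f" ]; then
        v=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$f")
        if [ "$v" = "yes" ]; then
            echo "ROOT_LOGIN_YES $f"
            findings=$((findings + 1))
        fi
    fi

    [ "$findings" -eq 0 ]
}
```

Call `audit_fallback` with no argument to check the live `/etc`, or pass a directory that contains a copy of it.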

  

posted @ 2025-11-13 14:57  随心朝阳