centos7升级openssh9.3p1
制作rpm包
安装依赖包
yum install -y rpm-build gcc gcc-c++ glibc glibc-devel openssl-devel openssl pcre-devel zlib zlib-devel make wget krb5-devel pam-devel libX11-devel xmkmf libXt-devel initscripts libXt-devel imake gtk2-devel lrzsz
创建制作rpm相关目录
mkdir -pv /root/rpmbuild/{BUILD,BUILDROOT,RPMS,SOURCES,SPECS,SRPMS}
下载openssh和x11-ssh-askpass安装包
cd /root/rpmbuild/SOURCES/
wget https://mirrors.aliyun.com/pub/OpenBSD/OpenSSH/portable/openssh-9.3p1.tar.gz
tar -xf openssh-9.3p1.tar.gz
#下载x11-ssh-askpass-1.2.4.1.tar.gz
wget https://src.fedoraproject.org/repo/pkgs/openssh/x11-ssh-askpass-1.2.4.1.tar.gz
编辑编译配置文件
cp openssh-9.3p1/contrib/redhat/openssh.spec /root/rpmbuild/SPECS/
cd /root/rpmbuild/SPECS/
#不生产ask包
sed -i -e "s/%global no_gnome_askpass 0/%global no_gnome_askpass 1/g" openssh.spec
sed -i -e "s/%global no_x11_askpass 0/%global no_x11_askpass 1/g" openssh.spec
#修改openssl-devel的报错
sed -i '/openssl-devel < 1.1/s/^/#/' openssh.spec
#修改PreReq的报错
sed -i '/PreReq:/s/^/#/' openssh.spec
编译文件
rpmbuild -ba openssh.spec
#生产rpm文件
[root@localhost SPECS]# ls /root/rpmbuild/RPMS/x86_64/
openssh-9.3p1-1.el7.x86_64.rpm openssh-debuginfo-9.3p1-1.el7.x86_64.rpm
openssh-clients-9.3p1-1.el7.x86_64.rpm openssh-server-9.3p1-1.el7.x86_64.rpm
升级openssh
yum localinstall openssh-9.3p1-1.el7.x86_64.rpm openssh-clients-9.3p1-1.el7.x86_64.rpm openssh-server-9.3p1-1.el7.x86_64.rpm -y
验证openssh是否升级成功
#修改文件权限
chmod 600 /etc/ssh/ssh_host_rsa_key
chmod 600 /etc/ssh/ssh_host_ecdsa_key
chmod 600 /etc/ssh/ssh_host_ed25519_key
#检查是否有配置错误
sshd -t
#/etc/pam.d/sshd配置丢失,从其他机器拷贝一份配置过来
#注释掉/etc/pam.d/password-auth /etc/pam.d/system-auth中uid >= 1000的行,否则root不能登陆
sed -i '/uid < 1000/s/^/#/' /etc/pam.d/password-auth
sed -i '/uid < 1000/s/^/#/' /etc/pam.d/system-auth
#修改/etc/ssh/sshd_config
sed -i '/^#PermitRootLogin yes/s/^#//' /etc/ssh/sshd_config
#重启sshd服务
systemctl restart sshd
遇到的问题
读写权限不对
现象
[root@localhost x86_64]# sshd -t
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_rsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Unable to load host key "/etc/ssh/ssh_host_rsa_key": bad permissions
Unable to load host key: /etc/ssh/ssh_host_rsa_key
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_ecdsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Unable to load host key "/etc/ssh/ssh_host_ecdsa_key": bad permissions
Unable to load host key: /etc/ssh/ssh_host_ecdsa_key
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_ed25519_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Unable to load host key "/etc/ssh/ssh_host_ed25519_key": bad permissions
Unable to load host key: /etc/ssh/ssh_host_ed25519_key
sshd: no hostkeys available -- exiting.
解决方法
chmod 600 /etc/ssh/ssh_host_rsa_key
chmod 600 /etc/ssh/ssh_host_ecdsa_key
chmod 600 /etc/ssh/ssh_host_ed25519_key
重启后服务正常,但是无法正常登陆
现象
Mar 25 17:44:22 localhost sshd[56496]: PAM adding faulty module: /usr/lib64/security/pam_stack.so
[root@localhost x86_64]# tail -f /var/log/secure
Mar 25 17:44:10 localhost polkitd[584]: Registered Authentication Agent for unix-process:56480:1949117 (system bus name :1.71 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale zh_CN.UTF-8)
Mar 25 17:44:10 localhost sshd[56494]: Server listening on 0.0.0.0 port 22.
Mar 25 17:44:10 localhost sshd[56494]: Server listening on :: port 22.
Mar 25 17:44:10 localhost polkitd[584]: Unregistered Authentication Agent for unix-process:56480:1949117 (system bus name :1.71, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale zh_CN.UTF-8) (disconnected from bus)
Mar 25 17:44:22 localhost sshd[56496]: PAM unable to dlopen(/usr/lib64/security/pam_stack.so): /usr/lib64/security/pam_stack.so: cannot open shared object file: No such file or directory
Mar 25 17:44:22 localhost sshd[56496]: PAM adding faulty module: /usr/lib64/security/pam_stack.so
Mar 25 17:44:22 localhost sshd[56496]: Failed password for root from 192.168.184.1 port 2515 ssh2
Mar 25 17:44:25 localhost sshd[56496]: Failed password for root from 192.168.184.1 port 2515 ssh2
Mar 25 17:44:27 localhost sshd[56496]: Failed password for root from 192.168.184.1 port 2515 ssh2
Mar 25 17:44:27 localhost sshd[56496]: Connection closed by authenticating user root 192.168.184.1 port 2515 [preauth]
解决方法
[root@localhost pam.d]# grep pam_stack.so *
sshd:auth required pam_stack.so service=system-auth
sshd:account required pam_stack.so service=system-auth
sshd:password required pam_stack.so service=system-auth
sshd:session required pam_stack.so service=system-auth
#查找在那个配置文件中启用了改模块。注释改行配置
[root@localhost pam.d]# grep pam_stack.so * -l
sshd
标签:sshd,p1,openssh,centos7,etc,host,ssh,key,openssh9.3
From: https://www.cnblogs.com/cynriczgc/p/17255368.html