OpenSSH Upgrade

Source download locations

Download page

https://www.openssh.com/portable.html

Mirrors (any one of them):

https://mirrors.aliyun.com/pub/OpenBSD/OpenSSH/portable/
https://ftp.fr.openbsd.org/pub/OpenBSD/OpenSSH/portable/
https://ftp.jaist.ac.jp/pub/OpenBSD/OpenSSH/portable/
https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/

Each tarball has a detached .asc signature next to it. Verify it with gpg against the OpenSSH release key (RELEASE_KEY.asc one directory up on the same mirrors) before building: a mirror, not openssh.com, is what you are trusting here.

Create a variable holding the current timestamp; it is the suffix for every backup made below, so do the whole procedure in the same shell session (or re-set it if you switch)

currdate=$(date +%Y%m%d%H%M)

Confirm it was set

echo $currdate

Remove the distribution rpm packages

rpm -e --nodeps $(rpm -qa | grep openssh)

Note: this step is required the first time you upgrade OpenSSH on CentOS 7.x; otherwise restarting sshd fails. Removing openssh-server also stops the running sshd and deletes its systemd unit. The session you are working in survives (the per-connection sshd process is separate from the listener), but nobody can log in again until the new sshd is started, so run the whole procedure from this one session and have console access ready in case it drops.

Back up a previous source install, if there is one (on the first upgrade /usr/local/openssh does not exist yet and this mv simply reports that)

mv /usr/local/openssh /usr/local/openssh_$currdate

Unpack the OpenSSH tarball (XXXXXX in the names below stands for the version you downloaded)

tar vxf openssh-XXXXXX.tar.gz

Enter the source directory

cd openssh-XXXXXX

Configure the build

OpenSSH will be installed under /usr/local/openssh, with its config files in /etc/ssh/; back those up before installing. Two configure lines were used; pick one. The first builds PAM support in and points at a custom OpenSSL under /usr/local/openssl:

./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-md5-passwords --with-zlib --with-pam --with-openssl-includes=/usr/local/openssl/include --with-ssl-dir=/usr/local/openssl --without-hardening

The second skips the OpenSSL header-version check (for when the headers under /usr/local/openssl/include and the library found at link time disagree) and builds without PAM, which is why UsePAM has to be disabled in sshd_config later:

./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-md5-passwords --with-zlib --without-openssl-header-check --with-ssl-dir=/usr/local/openssl --without-hardening

Two things to know about these flags. --without-hardening turns off the toolchain hardening the default build enables (stack protector, FORTIFY_SOURCE, PIE, RELRO); drop it unless the build actually fails with hardening on. And if /usr/local/openssl is a shared-library build, its lib directory must be resolvable by the dynamic loader (ld.so.conf.d or an rpath), or the new sshd will fail to start at the restart step with a missing libssl/libcrypto, at which point new logins are already failing.

Compile

make

Back up the related config files. This has to happen before make install: the install only writes sshd_config and ssh_config when none exists and only generates host keys that are missing, so with the old files in place the new ones would never land. The flip side is that, with /etc/ssh moved away, make install creates a brand-new set of ssh_host_* keys, and every client that knows this host will warn about a changed host key on its next login; if you want to keep the host's identity, copy the old ssh_host_* files back from /etc/ssh_$currdate before restarting sshd.

mv /etc/sysconfig/sshd /etc/sysconfig/sshd_$currdate
mv /etc/init.d/sshd /etc/init.d/sshd_$currdate
mv /etc/pam.d/sshd /etc/pam.d/sshd_$currdate
mv /etc/pam.d/sshd.pam /etc/pam.d/sshd.pam_$currdate
mv /etc/ssh /etc/ssh_$currdate

Install

make install

Back up the OpenSSH commands already on the system. First list what /usr/local/openssh/bin/ (and sbin/, libexec/) contains, then back up the matching files under /usr/bin/, /usr/sbin/ and /usr/libexec/. On the first upgrade these were already removed together with the rpm, so the mv lines just report "No such file"; they matter on later upgrades, when the files come from the previous source build.

mv /usr/bin/scp /usr/bin/scp_$currdate
mv /usr/bin/sftp /usr/bin/sftp_$currdate
mv /usr/bin/ssh /usr/bin/ssh_$currdate
mv /usr/bin/ssh-add /usr/bin/ssh-add_$currdate
mv /usr/bin/ssh-agent /usr/bin/ssh-agent_$currdate
mv /usr/bin/ssh-keygen /usr/bin/ssh-keygen_$currdate
mv /usr/bin/ssh-keyscan /usr/bin/ssh-keyscan_$currdate
mv /usr/sbin/sshd /usr/sbin/sshd_$currdate
mv /usr/libexec/sftp-server /usr/libexec/sftp-server_$currdate
mv /usr/libexec/ssh-keysign /usr/libexec/ssh-keysign_$currdate
mv /usr/libexec/ssh-pkcs11-helper /usr/libexec/ssh-pkcs11-helper_$currdate
mv /usr/libexec/ssh-sk-helper /usr/libexec/ssh-sk-helper_$currdate

The rpm layout keeps the helpers under /usr/libexec/openssh/ instead; use these lines if that is where yours are:

#mv /usr/libexec/openssh/sftp-server /usr/libexec/openssh/sftp-server_$currdate
#mv /usr/libexec/openssh/ssh-keysign /usr/libexec/openssh/ssh-keysign_$currdate
#mv /usr/libexec/openssh/ssh-pkcs11-helper /usr/libexec/openssh/ssh-pkcs11-helper_$currdate
#mv /usr/libexec/openssh/ssh-sk-helper /usr/libexec/openssh/ssh-sk-helper_$currdate

There may be others; check the output of make install.

Copy the new version's commands into place

cp -rfvp /usr/local/openssh/bin/* /usr/bin/
cp -rfvp /usr/local/openssh/sbin/sshd /usr/sbin/sshd
cp -rfvp /usr/local/openssh/libexec/* /usr/libexec/

#cp -rfvp /usr/local/openssh/libexec/* /usr/libexec/openssh/

Install the SysV init script from the source tree (on CentOS 7, service and chkconfig hand it to systemd's SysV compatibility layer)

cp -rfvp contrib/redhat/sshd.init /etc/init.d/sshd
chmod a+x /etc/init.d/sshd

cp -rfvp contrib/redhat/sshd.pam /etc/pam.d/sshd.pam

Note: PAM looks the service up by name, i.e. /etc/pam.d/sshd, not sshd.pam (the rpm spec in contrib/redhat installs the file under that name). With UsePAM disabled below the file is never read, so the path does not matter; if you keep UsePAM yes with a --with-pam build, install it as /etc/pam.d/sshd instead.
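The backup and copy lists above are maintained by hand, which is how files get missed ("there may be others; check make install"). The following is an added example, not code from the original post: it derives the list from the build tree and records every move in a manifest (one "installed path<TAB>backup path" line per file) so a rollback can be driven from the record instead of a second hand-written list. Assumed: GNU/Linux coreutils, run as root; /usr/local/openssh as the build prefix and /usr as the destination root (giving /usr/bin, /usr/sbin and /usr/libexec, the post's layout); /root/openssh-upgrade.manifest is an assumed location. backup_path does the same for the config files and directories that have to be moved aside before make install. Nothing here touches the real system unless you call the functions with the real paths shown in the trailing comment.

```bash
#!/bin/sh
# Added example (not from the original post): derive the backup/copy list
# from the build tree and record every move in a manifest, so nothing is
# missed and the rollback is mechanical. Assumptions: GNU/Linux coreutils,
# run as root on the real host; build prefix /usr/local/openssh, destination
# root /usr (so bin/, sbin/, libexec/ map onto /usr/bin, /usr/sbin and
# /usr/libexec as in the post). The manifest path is the caller's choice.

# backup_path PATH STAMP MANIFEST
#   Move PATH aside as PATH_STAMP (the post's naming) and record the move.
#   Meant for the config files/dirs that must be out of the way before
#   `make install` (it only writes sshd_config and host keys that are absent).
backup_path() {
    local path=$1 stamp=$2 manifest=$3
    if [ -e "$path" ]; then
        mv -- "$path" "${path}_${stamp}"
        printf '%s\t%s\n' "$path" "${path}_${stamp}" >> "$manifest"
    fi
}

# stage_openssh NEWROOT DESTROOT STAMP MANIFEST
#   For every file in NEWROOT/{bin,sbin,libexec}: move the existing copy in
#   DESTROOT/<same dir> aside (if any), then copy the new one in with cp -p,
#   which keeps mode and owner (ssh-keysign is installed setuid root).
#   Manifest lines are "<installed path><TAB><backup path or empty>".
stage_openssh() {
    local newroot=$1 destroot=$2 stamp=$3 manifest=$4
    local sub src dest backup
    for sub in bin sbin libexec; do
        [ -d "$newroot/$sub" ] || continue
        mkdir -p "$destroot/$sub"
        for src in "$newroot/$sub"/*; do
            [ -f "$src" ] || continue
            dest="$destroot/$sub/$(basename "$src")"
            backup=""
            if [ -e "$dest" ]; then
                backup="${dest}_${stamp}"
                mv -- "$dest" "$backup"
            fi
            cp -p -- "$src" "$dest"
            printf '%s\t%s\n' "$dest" "$backup" >> "$manifest"
        done
    done
}

# On the real host (as root), with $currdate from the top of the post and an
# assumed manifest location of /root/openssh-upgrade.manifest:
#   before make install:
#     for p in /etc/sysconfig/sshd /etc/init.d/sshd /etc/pam.d/sshd /etc/ssh; do
#         backup_path "$p" "$currdate" /root/openssh-upgrade.manifest
#     done
#   after make install:
#     stage_openssh /usr/local/openssh /usr "$currdate" /root/openssh-upgrade.manifest
```

The manifest is the audit trail of the upgrade: it tells you exactly which files on the host are now the new build's, which backups exist, and (from the empty backup fields) which files had no predecessor and must simply be deleted on rollback.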

Fix the permissions on the /etc/ssh/ssh_host_* files

chmod 600 /etc/ssh/ssh_host_*

Note: required with some OpenSSH versions on CentOS 7.x. sshd refuses to load a host private key that is readable by group or others, so if the service will not start, run this step (the .pub files do not need to be 600, but making them so is harmless).

Edit the config file /etc/ssh/sshd_config

Allow root login (essential when root is the only account on the system; otherwise you cannot log in at all). Newer releases default to prohibit-password, which still lets root in with a key; use yes only if root must log in with a password, since that exposes the root password to online guessing.

PermitRootLogin yes

Disable PAM (PAM runs ahead of everything else; if its checks fail, login is refused even with the correct password). Comment out the line below:

#UsePAM yes

This is what makes login work when sshd was built without --with-pam or when /etc/pam.d/sshd is missing, but it also drops everything PAM does for ssh logins on this host (account lockout, password expiry, pam_access restrictions, session setup). If sshd was built with --with-pam, the better fix is to install contrib/redhat/sshd.pam as /etc/pam.d/sshd and keep UsePAM yes.

Comment out all the GSSAPI options (optional: a build without Kerberos does not support them, so sshd logs "Unsupported option" warnings at startup, but it still starts).

Change the sftp-server path to the new location

Subsystem       sftp    /usr/libexec/sftp-server

#Subsystem       sftp    /usr/libexec/openssh/sftp-server
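Before restarting, it is worth checking for the specific traps listed in this section, because several of them pass sshd's own syntax check and only show up as a failed start or as logins that are refused with the right password. The check below is an added example, not code from the original post. It assumes GNU coreutils (stat -c), a source build without --with-kerberos5 (so the GSSAPI* keywords are unsupported), and takes the config file, key directory and PAM directory as arguments so it can be run against constructed files as well as the real /etc/ssh.

```bash
#!/bin/sh
# Added example (not from the original post): a pre-restart check for the
# traps this post lists. It does not replace `sshd -t`, the authoritative
# syntax check; it catches things that pass `sshd -t` but still lock you out
# or weaken the host. Assumptions: GNU coreutils (stat -c), a source build
# without --with-kerberos5 (so GSSAPI* keywords are unsupported), and the
# config, key directory and PAM directory passed in as arguments so the
# function can be run against constructed files.

# check_sshd_setup SSHD_CONFIG SSHDIR PAMDIR
#   Prints one line per finding, prefixed FATAL: or WARN:, and returns
#   non-zero if there is at least one FATAL finding.
check_sshd_setup() {
    local config=$1 sshdir=$2 pamdir=$3 fatal=0
    local key mode sftp

    # 1. Host private keys must be 0600: sshd refuses to load a key that is
    #    group- or world-readable, and then fails to start.
    for key in "$sshdir"/ssh_host_*_key; do
        [ -f "$key" ] || continue
        mode=$(stat -c %a "$key")
        if [ "$mode" != 600 ]; then
            echo "FATAL: $key is mode $mode, expected 600"
            fatal=1
        fi
    done

    # 2. The sftp Subsystem path must exist. The rpm location
    #    /usr/libexec/openssh/sftp-server is gone once the rpm is removed,
    #    and `sshd -t` does not check the path, so sftp silently breaks.
    sftp=$(awk 'tolower($1)=="subsystem" && tolower($2)=="sftp" {print $3; exit}' "$config")
    if [ -n "$sftp" ] && [ ! -x "$sftp" ]; then
        echo "FATAL: Subsystem sftp points at missing or non-executable $sftp"
        fatal=1
    fi

    # 3. UsePAM yes with no /etc/pam.d/sshd: PAM falls back to the 'other'
    #    policy, which normally denies, so every login fails even with the
    #    right password (the failure mode the post works around).
    if grep -Eiq '^[[:space:]]*UsePAM[[:space:]]+yes' "$config" && [ ! -f "$pamdir/sshd" ]; then
        echo "FATAL: UsePAM yes but $pamdir/sshd is missing (install contrib/redhat/sshd.pam there, or set UsePAM no)"
        fatal=1
    fi

    # 4. GSSAPI* keywords are unsupported in a build without Kerberos:
    #    only start-up warnings, but worth removing.
    if grep -Eiq '^[[:space:]]*GSSAPI' "$config"; then
        echo "WARN: GSSAPI* options present; unsupported in this build, comment them out"
    fi

    # 5. PermitRootLogin yes exposes the root password to online guessing.
    if grep -Eiq '^[[:space:]]*PermitRootLogin[[:space:]]+yes' "$config"; then
        echo "WARN: PermitRootLogin yes; prefer prohibit-password plus an authorized key for root"
    fi

    return "$fatal"
}

# On the real host: check_sshd_setup /etc/ssh/sshd_config /etc/ssh /etc/pam.d
```

Run it alongside /usr/sbin/sshd -t. For a second safety net, start a throwaway daemon on another port with /usr/sbin/sshd -p 2222 -o PidFile=none, log in through it with the new binaries, and only then restart the real service: the extra daemon reads the same /etc/ssh/sshd_config, so it exercises exactly the configuration you are about to rely on, and PidFile=none keeps it from clobbering the pid file the init script uses.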

Restart sshd

service sshd restart

Be careful here: on a cross-version upgrade the restart drops your ssh session, and if the new sshd fails to start you are locked out, so have another way in (telnet, VNC, the console...) ready before you restart.

After the restart, check that the upgrade took effect

ssh -V

ssh -V reports the client binary; the daemon's version is what a client sees in the server banner (ssh -v prints it as "remote software version"), and the two should match.

Enable start at boot

chkconfig --add sshd
chkconfig sshd on

Stop the telnet service that served as the fallback (here it is managed by xinetd; stop whichever unit you enabled it with)

service xinetd stop

Log out and log back in

Logging in again fails with this error:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:1Qyq43VXRxRvxzKDo+yM64c1pzcAVZ8AAi+lNL79jEo.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /root/.ssh/known_hosts:3
ECDSA host key for nk6 has changed and you have requested strict checking.
Host key verification failed.

Remove the host's stale entry from /root/.ssh/known_hosts (line 3 in the message above) and reconnect. Do this only because you know the keys were just regenerated: the fingerprint in the message must match the fingerprint of /etc/ssh/ssh_host_ecdsa_key.pub on the server, checked from the console rather than over the connection that is being warned about. If you copied the old host keys back from /etc/ssh_$currdate before the restart, the warning does not appear at all.
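The warning appears because /etc/ssh was moved aside before make install, so the install generated a fresh set of host keys. The security-preserving fix is to put the previous keys back between make install and the restart, which keeps the host's identity and avoids training everyone who connects to delete known_hosts lines on sight. The function below is an added example, not code from the original post; it assumes GNU coreutils and, on the real host, /etc/ssh_$currdate as the backup directory and /etc/ssh as the live one. The inputs in the trailing usage comment are the post's paths; test inputs are constructed.

```bash
#!/bin/sh
# Added example (not from the original post): keep the host's identity
# across the upgrade. Because /etc/ssh is moved aside before `make install`,
# the install generates a fresh set of ssh_host_* keys, so every client that
# knew the old key sees "REMOTE HOST IDENTIFICATION HAS CHANGED". Putting the
# previous keys back before the restart avoids the warning and, more to the
# point, avoids training users to delete known_hosts lines on sight.
# Assumptions: GNU coreutils; run as root on the real host, where BACKUPDIR
# is /etc/ssh_$currdate and SSHDIR is /etc/ssh. Test inputs are constructed.

# restore_host_keys BACKUPDIR SSHDIR
#   For each ssh_host_*_key in BACKUPDIR that has its .pub beside it, replace
#   the freshly generated pair in SSHDIR, enforcing 0600 on the private key
#   and 0644 on the public key. Prints the file name of each restored key.
restore_host_keys() {
    local backupdir=$1 sshdir=$2 key pub name
    for key in "$backupdir"/ssh_host_*_key; do
        [ -f "$key" ] || continue
        pub="$key.pub"
        [ -f "$pub" ] || continue      # half a pair: leave the new key alone
        name=$(basename "$key")
        cp -p -- "$key" "$sshdir/$name"
        cp -p -- "$pub" "$sshdir/$name.pub"
        chmod 600 "$sshdir/$name"
        chmod 644 "$sshdir/$name.pub"
        echo "$name"
    done
}

# On the real host, between `make install` and `service sshd restart`:
#   restore_host_keys /etc/ssh_$currdate /etc/ssh
```

If you do let the keys change, verify before trusting: on the server console, ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub prints the SHA256 fingerprint, which must equal the one in the client's warning. Only then remove the stale line, preferably with ssh-keygen -R nk6 on the client, which also handles hashed known_hosts entries that a text editor cannot match by host name.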

Rollback

Restore the config files:

rm -rf /etc/sysconfig/sshd
rm -rf /etc/init.d/sshd
rm -rf /etc/pam.d/sshd
rm -rf /etc/pam.d/sshd.pam
rm -rf /etc/ssh

mv /etc/sysconfig/sshd_$currdate /etc/sysconfig/sshd
mv /etc/init.d/sshd_$currdate /etc/init.d/sshd
mv /etc/pam.d/sshd_$currdate /etc/pam.d/sshd
mv /etc/pam.d/sshd.pam_$currdate /etc/pam.d/sshd.pam
mv /etc/ssh_$currdate /etc/ssh



Restore the commands. Note: the sshd-keygen lines below refer to the rpm's helper, which was not in the backup list above; keep them only if you backed it up.

rm -rf /usr/bin/scp
rm -rf /usr/bin/sftp
rm -rf /usr/bin/ssh
rm -rf /usr/bin/ssh-add
rm -rf /usr/bin/ssh-agent
rm -rf /usr/bin/ssh-keygen
rm -rf /usr/bin/ssh-keyscan
rm -rf /usr/sbin/sshd
rm -rf /usr/sbin/sshd-keygen

mv /usr/bin/scp_$currdate /usr/bin/scp
mv /usr/bin/sftp_$currdate /usr/bin/sftp
mv /usr/bin/ssh_$currdate /usr/bin/ssh
mv /usr/bin/ssh-add_$currdate /usr/bin/ssh-add
mv /usr/bin/ssh-agent_$currdate /usr/bin/ssh-agent
mv /usr/bin/ssh-keygen_$currdate /usr/bin/ssh-keygen
mv /usr/bin/ssh-keyscan_$currdate /usr/bin/ssh-keyscan
mv /usr/sbin/sshd_$currdate /usr/sbin/sshd
mv /usr/sbin/sshd-keygen_$currdate /usr/sbin/sshd-keygen

rm -rf /usr/libexec/sftp-server
rm -rf /usr/libexec/ssh-keysign
rm -rf /usr/libexec/ssh-pkcs11-helper
rm -rf /usr/libexec/ssh-sk-helper

mv /usr/libexec/sftp-server_$currdate /usr/libexec/sftp-server
mv /usr/libexec/ssh-keysign_$currdate /usr/libexec/ssh-keysign
mv /usr/libexec/ssh-pkcs11-helper_$currdate /usr/libexec/ssh-pkcs11-helper
mv /usr/libexec/ssh-sk-helper_$currdate /usr/libexec/ssh-sk-helper
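The hand-written rollback above only works if its list matches what was actually backed up (the sshd-keygen lines are an example of drift). As an added example, not code from the original post, here is a rollback driven by a manifest of the form "installed path<TAB>backup path", with the backup field empty when nothing existed there before; this is the kind of record one printf after each mv during the upgrade produces. Assumptions: GNU/Linux coreutils, run as root on the real host; /root/openssh-upgrade.manifest in the trailing comment is an assumed location. Test inputs are constructed.

```bash
#!/bin/sh
# Added example (not from the original post): a rollback driven by a manifest
# instead of a hand-maintained list. The manifest has one line per path the
# upgrade touched, "<installed path><TAB><backup path>", with the backup
# field empty when nothing existed there before (the kind of record one
# printf after each mv produces). Assumptions: GNU/Linux coreutils, run as
# root on the real host; /root/openssh-upgrade.manifest below is an assumed
# location. Test inputs are constructed.

# rollback_openssh MANIFEST
#   For each entry: delete what the upgrade installed, then move the backup
#   (if there was one) back into place. Entries are independent paths, so
#   order does not matter. Prints the number of entries processed.
rollback_openssh() {
    local manifest=$1 n=0 dest backup tab
    tab=$(printf '\t')
    while IFS="$tab" read -r dest backup; do
        case $dest in
            ""|/) continue ;;           # never rm -rf an empty path or /
        esac
        rm -rf -- "$dest"
        if [ -n "$backup" ] && [ -e "$backup" ]; then
            mv -- "$backup" "$dest"
        fi
        n=$((n + 1))
    done < "$manifest"
    echo "$n"
}

# On the real host: rollback_openssh /root/openssh-upgrade.manifest
```

Because /etc/ssh is one of the recorded paths, the rollback also puts the previous host keys and sshd_config back, so clients that accepted the new key will see a changed-key warning once more; restart sshd afterwards from a session you already hold, exactly as during the upgrade.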
posted @ 2024-11-07 20:45  snowsolf