源码下载地址
下载主页
https://www.openssh.com/portable.html
https://mirrors.aliyun.com/pub/OpenBSD/OpenSSH/portable/
或者
https://ftp.fr.openbsd.org/pub/OpenBSD/OpenSSH/portable/
或者
https://ftp.jaist.ac.jp/pub/OpenBSD/OpenSSH/portable/
或者
https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/
创建变量,当前日期
currdate=$(date +%Y%m%d%H%M)
确认下是否创建成功
echo $currdate
删除初始rpm包
rpm -e `rpm -qa |grep openssh` --nodeps
注:此步骤在CentOS7.X中首次升级openssh时必须,否则重启sshd会失败
备份之前安装
mv /usr/local/openssh /usr/local/openssh_$currdate
解压openssh软件包
tar vxf openssh-XXXXXX.tar.gz
进入openssh目录
cd openssh-XXXXXX
编译配置
openssh
将会安装在/usr/local/openssh
,配置文件安装到/etc/ssh/
目录,安装前需要先备份
./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-md5-passwords --with-zlib --with-pam --with-openssl-includes=/usr/local/openssl/include --with-ssl-dir=/usr/local/openssl --without-hardening
./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-md5-passwords --with-zlib --without-openssl-header-check --with-ssl-dir=/usr/local/openssl --without-hardening
编译
make
备份相关配置文件(此部分必须要在make install前做,否则新文件将不会覆盖老文件)
mv /etc/sysconfig/sshd /etc/sysconfig/sshd_$currdate
mv /etc/init.d/sshd /etc/init.d/sshd_$currdate
mv /etc/pam.d/sshd /etc/pam.d/sshd_$currdate
mv /etc/pam.d/sshd.pam /etc/pam.d/sshd.pam_$currdate
mv /etc/ssh /etc/ssh_$currdate
安装
make install
备份openssh相关命令,首先查看/usr/local/openssh/bin/目录下有那些命令,然后备份/usr/bin/目录下对应的命令
mv /usr/bin/scp /usr/bin/scp_$currdate
mv /usr/bin/sftp /usr/bin/sftp_$currdate
mv /usr/bin/ssh /usr/bin/ssh_$currdate
mv /usr/bin/ssh-add /usr/bin/ssh-add_$currdate
mv /usr/bin/ssh-agent /usr/bin/ssh-agent_$currdate
mv /usr/bin/ssh-keygen /usr/bin/ssh-keygen_$currdate
mv /usr/bin/ssh-keyscan /usr/bin/ssh-keyscan_$currdate
mv /usr/sbin/sshd /usr/sbin/sshd_$currdate
mv /usr/libexec/sftp-server /usr/libexec/sftp-server_$currdate
mv /usr/libexec/ssh-keysign /usr/libexec/ssh-keysign_$currdate
mv /usr/libexec/ssh-pkcs11-helper /usr/libexec/ssh-pkcs11-helper_$currdate
mv /usr/libexec/ssh-sk-helper /usr/libexec/ssh-sk-helper_$currdate
#mv /usr/libexec/openssh/sftp-server /usr/libexec/openssh/sftp-server_$currdate
#mv /usr/libexec/openssh/ssh-keysign /usr/libexec/openssh/ssh-keysign_$currdate
#mv /usr/libexec/openssh/ssh-pkcs11-helper /usr/libexec/openssh/ssh-pkcs11-helper_$currdate
#mv /usr/libexec/openssh/ssh-sk-helper /usr/libexec/openssh/ssh-sk-helper_$currdate
此处可能还有其他,具体可以看make install的时候
拷贝新版本相关命令到对应目录
cp -rfvp /usr/local/openssh/bin/* /usr/bin/
cp -rfvp /usr/local/openssh/sbin/sshd /usr/sbin/sshd
cp -rfvp /usr/local/openssh/libexec/* /usr/libexec/
#cp -rfvp /usr/local/openssh/libexec/* /usr/libexec/openssh/
cp -rfvp contrib/redhat/sshd.init /etc/init.d/sshd
chmod a+x /etc/init.d/sshd
cp -rfvp contrib/redhat/sshd.pam /etc/pam.d/sshd.pam
更改/etc/ssh/ssh_host_*文件权限
chmod 600 /etc/ssh/ssh_host_*
注:此步骤在CentOS7.X某些openssh版本中必须,如果服务启动不了,可以执行次步骤
配置文件修改/etc/ssh/sshd_config
开启root登录(系统只有root用户时此处非常重要,否则登录不了)
PermitRootLogin yes
关闭验证模块(验证模块优先级高于其他,如果验证不过去,则即使密码正确也会登录不了)
注释掉下面
#UsePAM yes
注释所有GSSAPI options
相关项(此处非必须,如果不做处理,启动sshd服务会报不持支的参数警告,但可以正常启动)
修改sftp-server目录
Subsystem sftp /usr/libexec/sftp-server
#Subsystem sftp /usr/libexec/openssh/sftp-server
重启sshd服务
service sshd restart
此处需要注意,跨版本升级重启会自动退出ssh登录,且启动不成功,需要做好其他登录方式进行重启(telnet、vnc...)
重启后查看是否升级成功
ssh -V
添加开机自启动
chkconfig --add sshd
chkconfig sshd on
停止telnet服务
service xinetd stop
退出后重新登录
重新登录会提示报错登录不了
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:1Qyq43VXRxRvxzKDo+yM64c1pzcAVZ8AAi+lNL79jEo.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /root/.ssh/known_hosts:3
ECDSA host key for nk6 has changed and you have requested strict checking.
Host key verification failed.
删除/root/.ssh/known_hosts
中对应主机的key
信息重新登录即可
回退
rm -rf /etc/sysconfig/sshd
rm -rf /etc/init.d/sshd
rm -rf /etc/pam.d/sshd
rm -rf /etc/pam.d/sshd.pam
rm -rf /etc/ssh
mv /etc/sysconfig/sshd_$currdate /etc/sysconfig/sshd
mv /etc/init.d/sshd_$currdate /etc/init.d/sshd
mv /etc/pam.d/sshd_$currdate /etc/pam.d/sshd
mv /etc/pam.d/sshd.pam_$currdate /etc/pam.d/sshd.pam
mv /etc/ssh_$currdate /etc/ssh
rm -rf /usr/bin/scp
rm -rf /usr/bin/sftp
rm -rf /usr/bin/ssh
rm -rf /usr/bin/ssh-add
rm -rf /usr/bin/ssh-agent
rm -rf /usr/bin/ssh-keygen
rm -rf /usr/bin/ssh-keyscan
rm -rf /usr/sbin/sshd
rm -rf /usr/sbin/sshd-keygen
mv /usr/bin/scp_$currdate /usr/bin/scp
mv /usr/bin/sftp_$currdate /usr/bin/sftp
mv /usr/bin/ssh_$currdate /usr/bin/ssh
mv /usr/bin/ssh-add_$currdate /usr/bin/ssh-add
mv /usr/bin/ssh-agent_$currdate /usr/bin/ssh-agent
mv /usr/bin/ssh-keygen_$currdate /usr/bin/ssh-keygen
mv /usr/bin/ssh-keyscan_$currdate /usr/bin/ssh-keyscan
mv /usr/sbin/sshd_$currdate /usr/sbin/sshd
mv /usr/sbin/sshd-keygen_$currdate /usr/sbin/sshd-keygen
rm -rf /usr/libexec/sftp-server
rm -rf /usr/libexec/ssh-keysign
rm -rf /usr/libexec/ssh-pkcs11-helper
rm -rf /usr/libexec/ssh-sk-helper
mv /usr/libexec/sftp-server_$currdate /usr/libexec/sftp-server
mv /usr/libexec/ssh-keysign_$currdate /usr/libexec/ssh-keysign
mv /usr/libexec/ssh-pkcs11-helper_$currdate /usr/libexec/ssh-pkcs11-helper
mv /usr/libexec/ssh-sk-helper_$currdate /usr/libexec/ssh-sk-helper
标签:bin,sshd,OpenSSH,升级,mv,currdate,usr,ssh
From: https://www.cnblogs.com/snowsolf/p/18533937