CentOS openssh升級到openssh-7.2版本
安全部門漏洞檢查,讓升級openssh版本,升級操作不復雜,但畢竟是線上環境,主要注意如果你是通過ssh遠端升級ssh版本,萬一失敗了,ssh不上去,是否可以到現場處理。(重要提示:當進行系統update的時候,會將sshd檔案和ssh檔案恢復到原來的版本,如果配置了支援jenkins相關的內容KexAlgorithms,會導致ssh無法啟動,解決方式參考文章最後,使用不同目錄安裝方式)
環境:
cat /etc/issueCentOS release 6.5 (Final)
ssh -VOpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
openssl version -aOpenSSL 1.0.1e-fips 11 Feb 2013
一、準備
備份ssh目錄(重要)
cp -rf /etc/ssh /etc/ssh.bak
【 可以現場處理的,不用設定
安裝telnet,避免ssh升級出現問題,導致無法遠端管理
yum install telnet-server
vi /etc/xinetd.d/telnet
service telnet
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
disable = no
}
預設不允許root登入
vi /etc/securetty
增加
pts/0
pts/1
pts/2
如果登入使用者較多,需要更多的pts/*
/etc/init.d/xinetd restart
這樣root可以telnet登入了
ssh升級後建議再修改回還原設定
】
二、安裝
升級需要幾個元件
yum install -y gcc openssl-devel pam-devel rpm-build
現在新版本,目前是openssh-7.3最新,但剛剛出來,為保險,我選用7.2版本
wget http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.3p1.tar.gz
wget http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.2p1.tar.gz
wget http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.1p1.tar.gz
解壓升級包,並安裝
tar -zxvf openssh-7.2p1.tar.gz
cd openssh-7.2p1
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-md5-passwords --with-tcp-wrappers
make && make install
安裝後提示:
/etc/ssh/ssh_config already exists, install will not overwrite
/etc/ssh/sshd_config already exists, install will not overwrite
/etc/ssh/moduli already exists, install will not overwrite
ssh-keygen: generating new host keys: ECDSA ED25519
/usr/sbin/sshd -t -f /etc/ssh/sshd_config
/etc/ssh/sshd_config line 81: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 83: Unsupported option GSSAPICleanupCredentials
修改配置檔案,允許root登入
vi /etc/ssh/sshd_config
#PermitRootLogin yes
修改為
PermitRootLogin yes
命令:
sed -i '/^#PermitRootLogin/s/#PermitRootLogin yes/PermitRootLogin yes/' /etc/ssh/sshd_config
重啟openSSH
service sshd restart
升級後版本
ssh -V
OpenSSH_7.2p1, OpenSSL 1.0.1e-fips 11 Feb 2013
【
如果之前你將原ssh目錄修改名字
mv /etc/ssh /etc/ssh_bak
需要修改下配置:
修改配置檔案,禁止root登入
sed -i '/^#PermitRootLogin/s/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
可以不操作,禁止dns解析
sed -i '/^#UseDNS yes/s/#UseDNS yes/UseDNS no/' /etc/ssh/sshd_config
可以不操作預設是22,修改ssh埠至6022
echo "Port 6022" >> /etc/ssh/sshd_config
】
注:在升級SSH時你的SSH是不會因為升級或重啟服務而斷掉的.
問題1:
[
Stopping sshd: [ OK ]
Starting sshd: /etc/ssh/sshd_config line 81: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 83: Unsupported option GSSAPICleanupCredentials [ OK ]
解決:
將/etc/ssh/sshd_config檔案中以上行數內容註釋下即可
sed -i '/^GSSAPICleanupCredentials/s/GSSAPICleanupCredentials yes/#GSSAPICleanupCredentials yes/' /etc/ssh/sshd_config
sed -i '/^GSSAPIAuthentication/s/GSSAPIAuthentication yes/#GSSAPIAuthentication yes/' /etc/ssh/sshd_config
sed -i '/^GSSAPIAuthentication/s/GSSAPIAuthentication no/#GSSAPIAuthentication no/' /etc/ssh/sshd_config
問題2:
更新後ssh有如下提示,但不影響使用:
[
/etc/ssh/ssh_config line 50: Unsupported option "gssapiauthentication"
解決:
可以註釋/etc/ssh/ssh_config的gssapiauthentication內容
------------------------------------------------------------------------------------------
CentOS7升級openssh參考這裡的內容
本次使用原始碼安裝(系統需要gcc),各軟體版本如下:
zlib-1.2.8
openssl-1.0.2h
openssh-7.3p1
安裝步驟如下:
1、安裝zlib
[[email protected]t ~]# cd zlib-1.2.8/
[[email protected] zlib-1.2.8]# ./configure
[[email protected] zlib-1.2.8]# make
[[email protected] zlib-1.2.8]# make install
2、安裝openssl
[[email protected] ~]# cd openssl-1.0.2h/
[[email protected] openssl-1.0.2h]# ./config --prefix=/usr/ --shared
[[email protected] openssl-1.0.2h]# make
[[email protected] openssl-1.0.2h]# make install
3、安裝openssh
[[email protected] ~]# cd openssh-7.3p1/
[[email protected] openssh-7.3p1]# ./configure --prefix=/usr/local --sysconfdir=/etc/ssh --with-pam --with-zlib --with-md5-passwords --with-tcp-wrappers
[[email protected] openssh-7.3p1]# make
[[email protected] openssh-7.3p1]# make install
4、檢視版本是否已更新
[[email protected] openssh-7.3p1]# ssh -V
OpenSSH_7.3p1, OpenSSL 1.0.2h 3 May 2016
5、新介質替換原有內容
[[email protected] openssh-7.3p1]# mv /usr/bin/ssh /usr/bin/ssh_bak
[[email protected] openssh-7.3p1]# cp /usr/local/bin/ssh /usr/bin/ssh
[[email protected] openssh-7.3p1]# mv /usr/sbin/sshd /usr/sbin/sshd_bak
[[email protected] openssh-7.3p1]# cp /usr/local/sbin/sshd /usr/sbin/sshd
6-載入ssh配置重啟ssh服務
[[email protected] ~]# systemctl daemon-reload
[[email protected] ~]# systemctl restart sshd.service
7、遇到的問題解決
問題1:
安裝完成後,telnet 22埠不通,通過systemctl status sshd.service檢視發現有警告資訊
部分資訊如Permissions 0640 for '/etc/ssh/ssh_host_ecdsa_key' are too open
修正:
修改相關提示檔案的許可權為600,並重啟sshd服務(systemctl restart sshd.service)
檢視服務狀態(systemctl status sshd.service)
例:chmod 600 /etc/ssh/ssh_host_ecdsa_key
問題2:
安裝完成後,如需root直接登入
修正:
修改/etc/ssh/sshd_config檔案,將檔案中#PermitRootLogin yes改為PermitRootLogin yes
並重啟sshd服務
升級後驗證
問題3:
如果你使用了jenkins進行部署,升級後會影響jenkins部署,測試連線web端會報錯 Algorithm negotiation fail
修正:
在web端修改sshd_config檔案最後一行增加以下內容
KexAlgorithms diffie-hellman-group1-sha1,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
參考:http://stackoverflow.com/questions/32627998/algorithm-negotiation-fail-in-jenkins
--------------------------------------------------------------
【臨時修改版本號,執行很久的線上環境升級存在風險,如果可以的話只修改版本號吧(後期經過驗證,這種修改版本號的方法無效,ssh -v IP可以檢視版本)
查詢
ssh -V
sshd -V
備份
cp /usr/bin/ssh /usr/bin/ssh.bak.version_edit
cp /usr/sbin/sshd /usr/sbin/sshd.bak.version_edit
修改
sed -i 's#OpenSSH_5.3p1#OpenSSH_7.2p1#g' /usr/bin/ssh
sed -i 's#OpenSSH_5.3p1#OpenSSH_7.2p1#g' /usr/sbin/sshd
】
補充彙總下:
centos7.X主機升級ssh
cp /usr/bin/ssh /usr/bin/ssh.bak.20161124
cp /usr/sbin/sshd /usr/bin/sshd.bak.20161124
mv /etc/ssh /etc/ssh.bak
---下載包、安裝gcc 、編譯等中間步驟參上邊內容---
make && make install
/usr/sbin/sshd -t -f /etc/ssh/sshd_config
echo 'PermitRootLogin yes' >> /etc/ssh/sshd_config
cp /etc/ssh.bak/sshd_config /etc/ssh/sshd_config 將原來的檔案覆蓋下這個新生成的內容
/bin/systemctl restart sshd.service
centos6.X升級ssh
cp /usr/bin/ssh /usr/bin/ssh.bak.20161124
cp /usr/sbin/sshd /usr/bin/sshd.bak.20161124
cp -rf /etc/ssh /etc/ssh.bak
---下載包、安裝gcc 、編譯等中間步驟參上邊內容---
make && make install
sed -i '/^#PermitRootLogin/s/#PermitRootLogin yes/PermitRootLogin yes/' /etc/ssh/sshd_config
sed -i '/^GSSAPICleanupCredentials/s/GSSAPICleanupCredentials yes/#GSSAPICleanupCredentials yes/' /etc/ssh/sshd_config
sed -i '/^UsePAM/s/UsePAM yes/#UsePAM yes/' /etc/ssh/sshd_config
sed -i '/^GSSAPIAuthentication/s/GSSAPIAuthentication yes/#GSSAPIAuthentication yes/' /etc/ssh/sshd_config
sed -i '/^GSSAPIAuthentication/s/GSSAPIAuthentication no/#GSSAPIAuthentication no/' /etc/ssh/sshd_config
service sshd restart
附錄:
CentOS7 sshd_config配置內容
# $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# The default requires explicit activation of protocol 1
#Protocol 2
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
# Ciphers and keying
#RekeyLimit default none
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#RSAAuthentication yes
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation sandbox # Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
CentOS6 sshd_config配置內容
# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedKeysCommand none
#AuthorizedKeysCommandRunAs nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes
# GSSAPI options
#GSSAPICleanupCredentials yes
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM yes
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none
# no default banner path
#Banner none
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server
UseDNS no
#GSSAPIAuthentication no
#GSSAPIAuthentication yes
20161205補充:
實際使用中發現ansible和jenkins使用時有些問題,網上查詢了下,需要在/etc/ssh/sshd_config檔案中最後增加兩行:
Ciphers aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc,arcfour128,arcfour256,arcfour,blowfish-cbc,cast128-cbc
KexAlgorithms diffie-hellman-group1-sha1,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
因為升級了openssh太新導致通訊時加密演算法出現問題,加上後重啟就可以了。20170428補充:
升級openssh版本指令碼
cp /usr/bin/ssh /usr/bin/ssh.bak.20161124
cp /usr/sbin/sshd /usr/bin/sshd.bak.20161124
cp -rf /etc/ssh /etc/ssh.bak
yum install -y gcc openssl-devel pam-devel rpm-build
wget http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.2p1.tar.gz
tar -zxvf openssh-7.2p1.tar.gz && cd openssh-7.2p1 && ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-md5-passwords --with-tcp-wrappers && make && make install
sed -i '/^#PermitRootLogin/s/#PermitRootLogin yes/PermitRootLogin yes/' /etc/ssh/sshd_config
sed -i 's/GSSAPIAuthentication yes/#GSSAPIAuthentication yes/' /etc/ssh/ssh_config
sed -i '/^GSSAPICleanupCredentials/s/GSSAPICleanupCredentials yes/#GSSAPICleanupCredentials yes/' /etc/ssh/sshd_config
sed -i '/^GSSAPIAuthentication/s/GSSAPIAuthentication yes/#GSSAPIAuthentication yes/' /etc/ssh/sshd_config
sed -i '/^GSSAPIAuthentication/s/GSSAPIAuthentication no/#GSSAPIAuthentication no/' /etc/ssh/sshd_config
#sed -i '/^#UsePAM/s/#UsePAM yes/UsePAM yes/' /etc/ssh/sshd_config 如果內網使用ldap需要設定這項
echo "
#ansible support" >>/etc/ssh/sshd_config
echo "Ciphers aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc,arcfour128,arcfour256,arcfour,blowfish-cbc,cast128-cbc" >>/etc/ssh/sshd_config
echo "
service sshd restart
重要提示:最近發現,在升級完ssh版本後,如果你進行了系統update或者升級用到ssh包的相關軟體包,會導致ssh的版本回退到原來的版本。
20170504補充:
對於linux執行update,會導致升級後的ssh恢復到之前版本問題,處理方式(新版本ssh安裝到不用的目錄中,系統啟動使用新目錄的ssh)
一、備份檔案
cp /usr/bin/ssh /usr/bin/ssh.bak.20171124
cp /usr/sbin/sshd /usr/bin/sshd.bak.20171124
cp -rf /etc/ssh /etc/ssh.bak.20171124
二、安裝(/usr/local/ssh7為新目錄,/usr/local/ssh7/ssh放置配置檔案)
yum install -y gcc openssl-devel pam-devel rpm-build
wget http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.2p1.tar.gz
tar -zxvf openssh-7.2p1.tar.gz && cd openssh-7.2p1 && ./configure --prefix=/usr/local/ssh7 --sysconfdir=/usr/local/ssh7/ssh --with-pam --with-zlib --with-md5-passwords
--with-tcp-wrappers && make && make install
三、修改sshd_config內容
vi /usr/local/ssh7/ssh/sshd_config檔案內容:
Port 22
Protocol 2
PermitRootLogin yes
AuthorizedKeysFile .ssh/authorized_keys
ChallengeResponseAuthentication no
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
X11Forwarding yes
Subsystem sftp /usr/local/ssh7/libexec/sftp-server
UseDNS no
#ansible支援加入
Ciphers aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc,arcfour128,arcfour256,arcfour,blowfish-cbc,cast128-cbc
#jenkins支援加入
KexAlgorithms diffie-hellman-group1-sha1,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-
sha256,diffie-hellman-group14-sha1
四、修改啟動檔案
cp /etc/init.d/sshd /etc/init.d/sshd7
mv /etc/init.d/sshd /etc/init.d/sshd.bak.20171124
vi /etc/init.d/sshd7
修改:
#SSHD=/usr/sbin/sshd 為
SSHD=/usr/local/ssh7/sbin/sshd
修改:
#[ -f /etc/ssh/sshd_config ] || exit 6 為
[ -f /usr/local/ssh7/ssh/sshd_config ] || exit 6
五、root下修改環境變數
# vi /etc/profile.d/ssh7.sh
export SSH_7=/usr/local/ssh7
export PATH=${SSH_7}/bin:${SSH_7}/sbin:$PATH
六、重啟ssh
service sshd7 restart
以後需要這樣重啟ssh服務
參考:
http://blog.c1gstudio.com/archives/1474
https://www.douban.com/note/306958442/
http://www.cnblogs.com/elisun/p/5523696.html