OpenSSH Upgrade - RedHat
Check the current version
# ssh -V
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
Perform the upgrade over the telnet service
Check the status of the telnet service:
# service xinetd status
/etc/sysconfig/network: line 3: hl-tyapp1: command not found
xinetd (pid 21601) is running...
Restart the telnet service:
# service xinetd restart
/etc/sysconfig/network: line 3: hl-tyapp1: command not found
Stopping xinetd: [ OK ]
Starting xinetd: [ OK ]
By default the telnet service does not allow the root account to log in, so create an ordinary account first and switch to root during the upgrade. Create an account named test with password 123 by running:
# useradd test
# passwd test
Changing password for user test.
New UNIX password: #enter the password for the test account
BAD PASSWORD: it is WAY too short
Retype new UNIX password: #enter the test account password again
passwd: all authentication tokens updated successfully. #the test account is now set up
telnet uses TCP port 23 by default. Check that the port works: if the connection succeeds the configuration is good, otherwise it has failed. For example:
# telnet 127.0.0.1 #if the local connection works but connections over the network fail, check whether the firewall allows telnet
# telnet 127.0.0.1
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
ONLY Authorized users only! All accesses logged
login: test
Password: (enter the password)
Last login: Mon Dec 24 10:31:47 from VM000003114
ONLY Authorized users only! All accesses logged
-bash: /var/log/audit/audit.log: Permission denied
$
Switch to root privileges
$ su root
Password: (enter the password)
# cd #return to root's home directory
#
Next, upload the three installation packages needed for the upgrade to root's home directory.
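Make backups before starting the upgrade
Back up the OpenSSH-related files:
# cp -r /etc/ssh/ /etc/ssh_bak #back up the configuration directory
# cp /etc/init.d/sshd /etc/init.d/sshd_bak #back up the init script
# cp /usr/sbin/sshd /usr/sbin/sshd_bak #back up the sshd binary that the init script starts
We do not uninstall the original version here.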
Install OpenSSH
Installing OpenSSH requires first installing zlib and OpenSSL, which it depends on.
Build zlib from source
# tar -xvzf zlib-1.2.8.tar #extract
# cd zlib-1.2.8
[zlib-1.2.8]# ./configure --prefix=/usr/local/zlib #configure the build
[zlib-1.2.8]# make #compile
[zlib-1.2.8]# make install #install
Build OpenSSL from source
# tar -xvzf openssl-1.0.1h.tar.gz #extract
# cd openssl-1.0.1h #enter the directory
[openssl-1.0.1h]# ./config --prefix=/usr/local/openssl #configure the build
[openssl-1.0.1h]# make #compile
[openssl-1.0.1h]# make install #install
Build OpenSSH from source
# tar -xvzf openssh-6.5p1.tar.gz #extract
# cd openssh-6.5p1 #enter the directory
[openssh-6.5p1]# ./configure \
> --sysconfdir=/etc/ssh \
> --with-zlib=/usr/local/zlib/ \
> --with-ssl-dir=/usr/local/openssl #configure the build
[openssh-6.5p1]# make #compile
[openssh-6.5p1]# make install #install
After installation, the files installed by OpenSSH are laid out as follows:
Category | Path | Examples
Client commands | /usr/local/bin | ssh, ssh-add, ssh-agent, scp, etc.
Server daemon | /usr/local/sbin | sshd
Other helper commands | /usr/local/libexec | sftp-server, ssh-pkcs11-helper
Configuration files and public keys | /etc/ssh | sshd_config, ssh_host_*
Help documentation | /usr/local/openssh/share | share/{man1,man5,man8}
Start openssh
# /usr/local/sbin/sshd -d #run OpenSSH in debug mode
# /usr/local/sbin/sshd -f /etc/ssh/sshd_config
Manage OpenSSH at boot
# vi /etc/init.d/sshd
SSHD=/usr/local/sbin/sshd #default is SSHD=/usr/sbin/sshd
start()
{
# Create keys if necessary
/usr/local/bin/ssh-keygen -A #default is /usr/bin/ssh-keygen -A
# chkconfig sshd on #enable start at boot
# chkconfig --list sshd
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
# service sshd restart
Stopping sshd:[ OK ]
Starting sshd:[ OK ]
Verify the OpenSSH version
# /usr/local/bin/ssh -V
OpenSSH_6.5p1, OpenSSL 1.0.1e-fips 11 Feb 2013
Set up the openssh service
# cp /usr/local/bin/ssh /usr/bin/ #the configure step above installs the client into /usr/local/bin
Verify the version after the upgrade
# ssh -V
OpenSSH_6.5p1, OpenSSL 1.0.1e-fips 11 Feb 2013
Restart openssh
# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: /etc/ssh/sshd_config line 81: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 83: Unsupported option GSSAPICleanupCredentials
/etc/ssh/sshd_config line 97: Unsupported option UsePAM
[ OK ]
#
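The "Unsupported option" messages above come from directives in the old sshd_config that this build was not compiled to support. As an added example (not part of the original post), the shell functions below pull the reported line numbers out of sshd's diagnostics and print a copy of the config with those lines commented out; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Function names and sample data
# are constructed for illustration.

# Read sshd diagnostics on stdin; print the config line number of every
# "Unsupported option" message, one per line.
unsupported_lines() {
    sed -n 's/^.*line \([0-9][0-9]*\): Unsupported option .*$/\1/p'
}

# comment_out FILE "N1 N2 ...": print FILE with the listed lines prefixed by
# '#'. Lines that are already comments are left alone; FILE is not modified.
comment_out() {
    awk -v nums="$2" '
        BEGIN { n = split(nums, a, " "); for (i = 1; i <= n; i++) skip[a[i]] = 1 }
        (FNR in skip) && $0 !~ /^[ \t]*#/ { print "#" $0; next }
        { print }
    ' "$1"
}

# Demo on a constructed four-line config and constructed diagnostics in the
# same format as the restart output shown above.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' 'Port 22' 'GSSAPIAuthentication yes' \
        'PermitRootLogin yes' 'UsePAM yes' > "$tmp/sshd_config"
    diag='Starting sshd: /etc/ssh/sshd_config line 2: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 4: Unsupported option UsePAM'
    nums=$(printf '%s\n' "$diag" | unsupported_lines | tr '\n' ' ')
    comment_out "$tmp/sshd_config" "$nums"
    rm -rf "$tmp"
}

demo
```

On the real host the diagnostics would come from /usr/local/sbin/sshd -t -f /etc/ssh/sshd_config 2>&1, run before restarting the service so that a broken config is caught while the existing session is still open.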
Allow root to log in remotely:
# vim /etc/ssh/sshd_config
#LoginGraceTime 2m
# allow root login
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
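Problems encountered
Configuring OpenSSH reports a missing OpenSSL library
After configuring OpenSSL:
# vi Makefile
Edit the parameters under gcc and add -fPIC
Then install OpenSSL as normal
Before installing OpenSSH, do the following:
# setenforce 0
# vi /etc/selinux/config
Comment out SELINUX=enforcing
Add the line: SELINUX=disabled
Save and exit
Then install as normal.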
Installing OpenSSH without building OpenSSL from source
Running the configure step
[openssh-6.5p1]# ./configure \
> --sysconfdir=/etc/ssh \
> --with-zlib=/usr/local/zlib/ \
> --with-ssl-dir=/usr/local/openssl
fails with the error
"OpenSSL headers missing - please install first or check config.log ***". This is caused by the missing openssl-devel package; installing openssl-devel fixes it. Run: yum install openssl-devel
Installing openssl-devel with rpm or yum is enough to satisfy the requirements for building OpenSSH
# yum install openssl-devel
OpenSSH make install fails
# make install
./ssh-keygen: error while loading shared libraries: cannot restore segment prot after reloc: Permission denied
./ssh-keygen: error while loading shared libraries: cannot restore segment prot after reloc: Permission denied
./ssh-keygen: error while loading shared libraries: cannot restore segment prot after reloc: Permission denied
./ssh-keygen: error while loading shared libraries: cannot restore segment prot after reloc: Permission denied
./ssh-keygen: error while loading shared libraries: cannot restore segment prot after reloc: Permission denied
make: *** [host-key] Error 127
[openssh-6.5p1]# /usr/sbin/setenforce 0
Then install as normal