Upgrading to the Latest OpenSSL and OpenSSH
Preface
Certain versions of OpenSSH and OpenSSL depend on each other: the release dates and version numbers of the two should not be too far apart, so it is recommended to upgrade them together. For example, the OpenSSH 7.5p1 release notes state which OpenSSL versions are supported (http://www.openssh.com/releasenotes.html):
* [Portable OpenSSH only] This version removes support for building against OpenSSL versions prior to 1.0.1. OpenSSL stopped supporting versions prior to 1.0.1 over 12 months ago (i.e. they no longer receive fixes for security bugs).
1. Environment
Test system: CentOS 7.3, minimal install
Upgrade targets: openssl-1.0.2n.tar.gz and openssh-7.6p1.tar.gz
Disable SELinux: edit /etc/sysconfig/selinux with vim and set SELINUX=disabled
Disable the firewall:
systemctl stop firewalld
systemctl disable firewalld
2. Install the Telnet service
Upgrading OpenSSL and OpenSSH carries some risk if a step goes wrong, so it is recommended to install a telnet service first as a fallback and remove it once the upgrade has been verified. If the firewall is enabled, open port 23, otherwise you will not be able to telnet in remotely.
[root@localhost ~]# yum -y install xinetd telnet-server
[root@localhost ~]# systemctl enable xinetd.service
[root@localhost ~]# systemctl enable telnet.socket
[root@localhost ~]# systemctl start telnet.socket
[root@localhost ~]# systemctl start xinetd
By default the system does not allow the root user to log in remotely over telnet. To log in directly as root, add the following:
[root@localhost ~]# echo 'pts/0' >>/etc/securetty
[root@localhost ~]# echo 'pts/1' >>/etc/securetty
[root@localhost ~]# service xinetd restart
3. Upgrade OpenSSL
OpenSSL download page: http://distfiles.macports.org/openssl/
Install the packages OpenSSL needs to build:
[root@localhost ~]# yum install gcc zlib zlib-devel -y
Check the current openssl version:
[root@localhost ~]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
[root@localhost ~]# rpm -qa |grep openssl
openssl-libs-1.0.1e-60.el7.x86_64
openssl-1.0.1e-60.el7.x86_64
openssl098e-0.9.8e-29.el7.centos.3.x86_64
Check the install path:
[root@localhost ~]# whereis openssl
openssl: /usr/bin/openssl /usr/lib64/openssl /usr/share/man/man1/openssl.1ssl.gz
Download and extract:
[root@localhost src]# wget http://distfiles.macports.org/openssl/openssl-1.0.2n.tar.gz
[root@localhost src]# tar -xzf openssl-1.0.2n.tar.gz
[root@localhost src]# cd openssl-1.0.2n
Compile:
[root@localhost openssl-1.0.2n]# ./config shared zlib-dynamic
[root@localhost openssl-1.0.2n]# make
Install:
[root@localhost openssl-1.0.2n]# make install
The install output shows that the new OpenSSL is installed under /usr/local/ssl. Add the newly built OpenSSL library directory to the system's dynamic linker search path:
[root@localhost openssl-1.0.2n]# echo /usr/local/ssl/lib >> /etc/ld.so.conf
[root@localhost openssl-1.0.2n]# ldconfig -v
Check that the newly installed OpenSSL is the latest version, 1.0.2n:
[root@localhost openssl-1.0.2n]# /usr/local/ssl/bin/openssl version
OpenSSL 1.0.2n 7 Dec 2017
The openssl currently in PATH is still 1.0.1e:
[root@localhost openssl-1.0.2n]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
Back up and remove the old OpenSSL:
[root@localhost openssl-1.0.2n]# mv /usr/bin/openssl /tmp/openssl_old
[root@localhost openssl-1.0.2n]# cp -r /usr/include/openssl/ /tmp/openssl_old_2
[root@localhost openssl-1.0.2n]# rm -rf /usr/include/openssl
Create symbolic links to the new OpenSSL:
[root@localhost openssl-1.0.2n]# ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
[root@localhost openssl-1.0.2n]# ln -s /usr/local/ssl/include/openssl/ /usr/include/openssl
Check the dynamic library dependencies of the new openssl binary:
[root@localhost openssl-1.0.2n]# ldd /usr/local/ssl/bin/openssl
	linux-vdso.so.1 => (0x00007ffc6e3c9000)
	libssl.so.1.0.0 => /usr/local/ssl/lib/libssl.so.1.0.0 (0x00007f2e8f8f9000)
	libcrypto.so.1.0.0 => /usr/local/ssl/lib/libcrypto.so.1.0.0 (0x00007f2e8f4a8000)
	libdl.so.2 => /lib64/libdl.so.2 (0x00007f2e8f29b000)
	libz.so.1 => /lib64/libz.so.1 (0x00007f2e8f085000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f2e8ecc3000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f2e8fb6c000)
Check the openssl version again:
[root@localhost openssl-1.0.2n]# openssl version
OpenSSL 1.0.2n 7 Dec 2017
The upgrade succeeded.
--------------------------------------------------------------------------------------------------------------------------------------
4. Upgrade OpenSSH
Download page: http://www.openssh.com/portable.html
Install the packages OpenSSH needs to build:
[root@localhost src]# yum install pam pam-devel -y
Back up this directory by renaming it, otherwise make install will run into permission problems:
[root@localhost src]# mv /etc/ssh /etc/ssh_bak_20171209
Download:
[root@localhost src]# wget https://fastly.cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.6p1.tar.gz
Remove the old OpenSSH:
[root@localhost src]# yum remove openssh -y
Extract:
[root@localhost src]# tar -zxvf openssh-7.6p1.tar.gz
[root@localhost src]# cd openssh-7.6p1
Compile:
[root@localhost openssh-7.6p1]# ./configure --prefix=/usr --sysconfdir=/etc/ssh --without-zlib-version-check --with-md5-passwords --with-pam
[root@localhost openssh-7.6p1]# make
Install:
[root@localhost openssh-7.6p1]# make install
Copy the startup script to /etc/init.d/ and name it sshd:
[root@localhost openssh-7.6p1]# cp ./contrib/redhat/sshd.init /etc/init.d/sshd
[root@localhost openssh-7.6p1]# chmod u+x /etc/init.d/sshd
Enable it at boot:
[root@localhost openssh-7.6p1]# chkconfig --add sshd
Copy the new configuration files:
[root@localhost openssh-7.6p1]# cp ssh_config /etc/ssh/ssh_config
[root@localhost openssh-7.6p1]# cp -p sshd_config /etc/ssh/sshd_config
[root@localhost openssh-7.6p1]# ssh -V
Edit the configuration file to allow root to log in directly: change "#PermitRootLogin prohibit-password" to "PermitRootLogin yes":
[root@localhost openssh-7.6p1]# vi /etc/ssh/sshd_config
Check the OpenSSH version:
[root@localhost openssh-7.6p1]# ssh -V
OpenSSH_7.6p1, OpenSSL 1.0.2n 7 Dec 2017
[root@localhost openssh-7.6p1]# systemctl restart sshd
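The steps above verify the upgrade by reading `openssl version`, `ssh -V` and `ldd` output by eye. The following script is an added example, not part of the original post, that automates the same three checks: it parses the OpenSSL version out of both banners, enforces the 1.0.1 minimum quoted from the OpenSSH release notes in the preface, confirms that ssh was built against the same OpenSSL the system `openssl` reports, and checks that libssl and libcrypto resolve under /usr/local/ssl/lib rather than the distribution's /lib64 copies. The sample banners and ldd lines embedded in the script are constructed from the output shown on this page; the `--live` mode, the /usr/sbin/sshd path (implied by --prefix=/usr) and all function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): post-upgrade consistency checks
# for the OpenSSL/OpenSSH upgrade described above.

# Minimum OpenSSL that portable OpenSSH 7.5p1 and later will build against
# (from the release-note quote in the preface).
MIN_OPENSSL=1.0.1
# Where the page's "make install" put the new OpenSSL libraries.
NEW_SSL_LIBDIR=/usr/local/ssl/lib

# Print the version token that follows the word "OpenSSL" in a banner.
# Handles both "OpenSSL 1.0.2n 7 Dec 2017" and
# "OpenSSH_7.6p1, OpenSSL 1.0.2n 7 Dec 2017"; prints nothing if absent.
openssl_version_from_banner() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i < NF; i++) if ($i == "OpenSSL") { print $(i + 1); exit }
    }'
}

# version_ge A B: succeed (exit 0) when OpenSSL version A >= B.
# Numeric dotted parts are compared first; the 1.0.x patch letter
# ("n" in 1.0.2n) is compared as a string only when the numbers tie.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        match(a, /^[0-9.]+/); an = substr(a, 1, RLENGTH); as = substr(a, RLENGTH + 1)
        match(b, /^[0-9.]+/); bn = substr(b, 1, RLENGTH); bs = substr(b, RLENGTH + 1)
        n = split(an, x, "."); m = split(bn, y, ".")
        k = (n > m) ? n : m
        for (i = 1; i <= k; i++) {
            p = x[i] + 0; q = y[i] + 0
            if (p > q) exit 0
            if (p < q) exit 1
        }
        if (as >= bs) exit 0
        exit 1
    }'
}

# ssl_libs_resolve_under LDD_OUTPUT DIR: succeed only when both libssl and
# libcrypto in the ldd output resolve to files under DIR, i.e. the binary is
# really linked against the new build and not the distro 1.0.1e libraries.
ssl_libs_resolve_under() {
    printf '%s\n' "$1" | awk -v dir="$2" '
        BEGIN { prefix = dir "/" }
        $1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" {
            seen++
            if (index($3, prefix) != 1) bad++
        }
        END { if (seen == 2 && bad == 0) exit 0; exit 1 }'
}

# check_upgrade OPENSSL_BANNER SSH_BANNER LDD_OUTPUT: run the three checks,
# print a verdict per check and succeed only when all of them pass.
check_upgrade() {
    ossl_ver=$(openssl_version_from_banner "$1")
    ssh_ossl_ver=$(openssl_version_from_banner "$2")
    ldd_out=$3
    rc=0
    if version_ge "$ossl_ver" "$MIN_OPENSSL"; then
        echo "ok   openssl $ossl_ver >= $MIN_OPENSSL"
    else
        echo "FAIL openssl '$ossl_ver' is below $MIN_OPENSSL"; rc=1
    fi
    if [ -n "$ssh_ossl_ver" ] && [ "$ssh_ossl_ver" = "$ossl_ver" ]; then
        echo "ok   ssh built against OpenSSL $ssh_ossl_ver"
    else
        echo "FAIL ssh reports OpenSSL '$ssh_ossl_ver', system openssl is '$ossl_ver'"; rc=1
    fi
    if ssl_libs_resolve_under "$ldd_out" "$NEW_SSL_LIBDIR"; then
        echo "ok   libssl/libcrypto resolve under $NEW_SSL_LIBDIR"
    else
        echo "FAIL libssl/libcrypto do not both resolve under $NEW_SSL_LIBDIR"; rc=1
    fi
    return $rc
}

# Constructed sample inputs, copied from the output shown on this page.
SAMPLE_OPENSSL_BANNER='OpenSSL 1.0.2n 7 Dec 2017'
SAMPLE_SSH_BANNER='OpenSSH_7.6p1, OpenSSL 1.0.2n 7 Dec 2017'
SAMPLE_LDD='    libssl.so.1.0.0 => /usr/local/ssl/lib/libssl.so.1.0.0 (0x00007f2e8f8f9000)
    libcrypto.so.1.0.0 => /usr/local/ssl/lib/libcrypto.so.1.0.0 (0x00007f2e8f4a8000)
    libz.so.1 => /lib64/libz.so.1 (0x00007f2e8f085000)'

if [ "${1:-}" = "--live" ]; then
    # Check the real host. ssh -V prints to stderr; the ldd target defaults to
    # the sshd that --prefix=/usr installs, since that is the binary that matters.
    check_upgrade "$(openssl version)" "$(ssh -V 2>&1)" "$(ldd "${2:-/usr/sbin/sshd}")"
else
    check_upgrade "$SAMPLE_OPENSSL_BANNER" "$SAMPLE_SSH_BANNER" "$SAMPLE_LDD"
fi
```

Run it without arguments to exercise the constructed samples, or as `sh check_upgrade.sh --live` on the upgraded host (optionally with a second argument naming another binary to pass to ldd). A non-zero exit means at least one check failed, which is the signal to keep the telnet fallback in place until the cause is found.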
Finally, once you have verified that the upgraded OpenSSL and OpenSSH work, stop the telnet service:
[root@localhost ~]# systemctl disable xinetd.service
[root@localhost ~]# systemctl disable telnet.socket
[root@localhost ~]# systemctl stop telnet.socket
[root@localhost ~]# systemctl stop xinetd
--with-ssl-dir=/usr/local/ssl
--------------------------------------------------------------------------------------------------------------------------------------
OpenSSL build parameter notes:
shared: without it, the OpenSSH build cannot find the newly installed OpenSSL library and fails with an error that the OpenSSL header and library versions do not match.
zlib-dynamic: zlib-devel is installed system-wide, so link zlib dynamically.
OpenSSH build parameter notes:
--prefix: installation directory
--sysconfdir: configuration file directory
--with-ssl-dir: the OpenSSL installation directory
--without-zlib-version-check: skip the zlib version check
--with-md5-passwords: support reading MD5-hashed passwords
--with-pam: enable the pam_chroot module for ssh to restrict users' remote logins. For a PAM reference, see: http://blog.51cto.com/jetyi/1651372