一、安装telnet服务,用于在ssh升级期间远程控制主机(有控制台的则不需要)。注意:telnet以明文传输账号和口令,只应在可信的管理网络内临时启用,升级完成后立即停用。
1.安装telnet服务
yum -y install telnet-server
2.启动telnet服务
systemctl start telnet.socket
3.检测防火墙状态
systemctl status firewalld
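4.开启防火墙23端口(升级完成后务必关闭23端口:firewall-cmd --permanent --remove-port=23/tcp --zone=public && firewall-cmd --reload,并执行 systemctl stop telnet.socket 停止telnet服务)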
firewall-cmd --permanent --add-port=23/tcp --zone=public
firewall-cmd --reload
5.默认情况下,linux不允许root用户以telnet方式登录主机,因此临时移走securetty文件(升级完成后务必还原:mv /etc/securettybak /etc/securetty)
mv /etc/securetty /etc/securettybak
二、openSSH升级
1.安装相关命令依赖
yum install -y pam* zlib*
2.备份原ssh配置
mv /etc/ssh /etc/ssh_bak
3.停止并卸载原有的OpenSSH
systemctl stop sshd
yum remove openssh*
4.安装升级OpenSSL(编译前请核对源码包的SHA256校验值或PGP签名,确认与官方发布的一致)
#mkdir ./sshupdate
#cd ./sshupdate
#wget https://www.openssl.org/source/openssl-1.1.1q.tar.gz
#tar -xzvf openssl-1.1.1q.tar.gz
#cd openssl-1.1.1q
#./config --prefix=/usr/ --openssldir=/usr/shared
#make && make install
如果提示 gcc:command not found 则安装gcc
yum install -y gcc
#查看升级后的openssl版本
openssl version
5.安装OpenSSH
#wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.3p1.tar.gz
#tar -xzvf openssh-9.3p1.tar.gz
#cd openssh-9.3p1
#./configure --with-zlib --with-ssl-dir --with-pam --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc/ssh
(有时报错需要加上--without-openssl-header-check;该选项会跳过OpenSSL头文件与库版本一致性的检查,报错通常说明系统中还残留旧版本的头文件或库,建议先排查再决定是否跳过)
#make && make install
#cp contrib/redhat/sshd.init /etc/init.d/sshd
#查看升级后的ssh版本
ssh -V
6.修改ssh配置文件
vi /etc/ssh/sshd_config
将#PermitRootLogin prohibit-password参数改成 PermitRootLogin yes 并取消注释,开启root权限登录。注意:这会允许root使用口令直接登录,容易遭受暴力破解;如无必要,建议保留prohibit-password并使用密钥登录。
7.重启OpenSSH并加入开机启动
nohup service sshd restart
nohup systemctl restart sshd
#添加到自启动
chkconfig --add sshd
-------------------------------------------------------------------
脚本
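#!/bin/bash
#
# Build OpenSSL and OpenSSH from upstream source tarballs and replace the
# distribution's OpenSSH packages with the freshly built binaries.
#
# Run as root from a console or another out-of-band session: sshd is stopped
# and its packages are removed midway through.
#
# Optional environment:
#   OPENSSL_VERSION    OpenSSL release to build (default 1.1.1q, the version
#                      used by the manual steps; this script used to pin the
#                      older 1.1.1g).
#   OPENSSH_VERSION    OpenSSH portable release to build (default 9.3p1).
#   OPENSSL_SHA256     Expected SHA-256 of the OpenSSL tarball.
#   OPENSSH_SHA256     Expected SHA-256 of the OpenSSH tarball.
#   PERMIT_ROOT_LOGIN  Value written for PermitRootLogin (default "yes").
#
# NOTE(review): both default versions are pinned from the original page and
# the OpenSSL 1.1.1 series is no longer supported upstream; check for a
# current release before using this on a production host.
#
# NOTE(review): the "yes" default is kept for compatibility but allows root to
# log in with a password. Set PERMIT_ROOT_LOGIN=prohibit-password to keep
# root on key-based authentication only.

set -euo pipefail

readonly WORK_DIR=/root/openssl-update
readonly OPENSSL_VERSION="${OPENSSL_VERSION:-1.1.1q}"
readonly OPENSSH_VERSION="${OPENSSH_VERSION:-9.3p1}"
readonly PERMIT_ROOT_LOGIN="${PERMIT_ROOT_LOGIN:-yes}"

# Print a message to stderr and abort.
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

#######################################
# Download a tarball into the current directory and check its integrity.
# Arguments: $1 - URL, $2 - expected SHA-256 (may be empty)
# Returns:   exits non-zero on download failure or checksum mismatch
#######################################
fetch() {
  local url=$1
  local expected_sha256=$2
  local archive=${url##*/}

  # TLS certificate validation stays enabled. If it fails on an old host,
  # update the ca-certificates package instead of disabling the check: this
  # code ends up running as root and guarding every login.
  wget -O "$archive" -- "$url" || die "download failed: $url"

  if [[ -n "$expected_sha256" ]]; then
    printf '%s  %s\n' "$expected_sha256" "$archive" | sha256sum -c - \
      || die "SHA-256 mismatch for $archive"
  else
    printf 'WARNING: no SHA-256 supplied for %s; integrity not verified\n' \
      "$archive" >&2
  fi
}

(( EUID == 0 )) || die "must be run as root"

# These values are interpolated into URLs, paths and a sed expression, so
# reject anything unexpected up front.
[[ "$OPENSSL_VERSION" =~ ^[0-9A-Za-z.]+$ ]] || die "bad OPENSSL_VERSION"
[[ "$OPENSSH_VERSION" =~ ^[0-9A-Za-z.]+$ ]] || die "bad OPENSSH_VERSION"
case "$PERMIT_ROOT_LOGIN" in
  yes | no | prohibit-password | forced-commands-only) ;;
  *) die "bad PERMIT_ROOT_LOGIN: $PERMIT_ROOT_LOGIN" ;;
esac

mkdir -p -- "$WORK_DIR"
cd -- "$WORK_DIR"

# Quoted so yum receives the patterns even if files in the current directory
# happen to match them.
yum install -y 'pam*' 'zlib*'
yum install -y gcc

fetch "https://www.openssl.org/source/openssl-${OPENSSL_VERSION}.tar.gz" \
  "${OPENSSL_SHA256:-}"
fetch "https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${OPENSSH_VERSION}.tar.gz" \
  "${OPENSSH_SHA256:-}"

# --- OpenSSL ---------------------------------------------------------------
tar -xzf "openssl-${OPENSSL_VERSION}.tar.gz"
cd -- "${WORK_DIR}/openssl-${OPENSSL_VERSION}"
./config --prefix=/usr/ --openssldir=/usr/shared
make
make install

# --- OpenSSH: compile first, while the packaged sshd is still installed ----
# If the build fails, the script aborts here and the host keeps a working
# SSH server.
cd -- "$WORK_DIR"
tar -xzf "openssh-${OPENSSH_VERSION}.tar.gz"
cd -- "${WORK_DIR}/openssh-${OPENSSH_VERSION}"
# NOTE(review): --with-ssl-dir is passed without a path; confirm whether
# --with-ssl-dir=/usr was intended.
# NOTE(review): --without-openssl-header-check hides a header/library version
# mismatch; prefer resolving the mismatch over skipping the check.
./configure --with-zlib --with-ssl-dir --with-pam --bindir=/usr/bin \
  --sbindir=/usr/sbin --sysconfdir=/etc/ssh --without-openssl-header-check
make

# --- Swap the packaged OpenSSH for the new build ----------------------------
if [[ -d /etc/ssh ]]; then
  backup=/etc/ssh_bak
  # Never move into an existing backup directory; that would nest /etc/ssh
  # inside it instead of replacing it.
  if [[ -e "$backup" ]]; then
    backup="/etc/ssh_bak.$(date +%Y%m%d%H%M%S)"
  fi
  mv -- /etc/ssh "$backup"
fi

# The unit may already be gone on a re-run, so a failed stop is not fatal.
systemctl stop sshd || printf 'warning: could not stop sshd\n' >&2
yum remove -y 'openssh*'

# NOTE(review): the install presumably generates fresh host keys in the new
# /etc/ssh, so clients will see a changed host key; the previous keys stay in
# the backup directory.
make install
cp contrib/redhat/sshd.init /etc/init.d/sshd
chmod 755 /etc/init.d/sshd

sed -i "s/#PermitRootLogin prohibit-password/PermitRootLogin ${PERMIT_ROOT_LOGIN}/" \
  /etc/ssh/sshd_config

# Validate the edited configuration before trying to start the daemon.
/usr/sbin/sshd -t || die "sshd_config failed validation"

# Reload first so systemd picks up the new init script, then start and enable.
systemctl daemon-reload
systemctl restart sshd
systemctl enable sshd
exit 0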