Upgrading OpenSSH on CentOS
2018-10-29
LordDeSies
OpenSSH download address
CentOS 6.x
Install telnet
Before upgrading OpenSSH, install telnet-server and enable its service as a fallback in case the new sshd refuses to start. Two cautions: telnet sends usernames and passwords in cleartext, so only allow it from a trusted management network and remove it as soon as the upgrade is verified; and keep your current SSH session open for the whole procedure, since the running sshd keeps serving it until it is stopped, while a second, fresh login is the real test that the upgrade worked.
yum install xinetd # on CentOS 6 telnet-server runs under xinetd
yum install telnet-server
Edit the xinetd service file /etc/xinetd.d/telnet and change disable = yes to disable = no. The disable attribute defaults to yes, which keeps the service switched off; only disable = no enables it.
# default: on
# description: The telnet server serves telnet sessions; it uses \
# unencrypted username/password pairs for authentication.
service telnet
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
disable = no
}
Restart xinetd, then make sure the firewall (iptables on CentOS 6) accepts TCP port 23, and confirm from another host that a telnet login actually works before going any further.
service xinetd restart
Install the build environment and dependencies
Update openssl
yum update openssl
Install gcc, openssl-devel, pam-devel, zlib-devel and rpm-build (pam-devel and zlib-devel are required by the --with-pam and --with-zlib configure options used below)
yum install -y gcc openssl-devel pam-devel zlib-devel rpm-build
Install OpenSSH
Back up the ssh directory (cp -a keeps the modes and ownership of the host keys)
cp -a /etc/ssh /etc/ssh.bak
If you want to remove the old OpenSSH packages first
rpm -qa | grep openssh # list the installed openssh packages
rpm -e `rpm -qa | grep openssh` --nodeps # remove them; --nodeps skips the dependency check
Removing the packages takes the init script and /etc/pam.d/sshd with them (the source tree carries a replacement PAM file at contrib/redhat/sshd.pam). The sshd process that is already running is not touched, so your current session survives, but nothing accepts new logins once it stops until the new sshd is installed and started.
Unpack and build OpenSSH
tar -zxvf openssh-7.8p1.tar.gz
cd openssh-7.8p1
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-md5-passwords
make && make install
With --prefix=/usr the new binaries land at /usr/sbin/sshd and /usr/bin/ssh, the same paths as the packaged ones, so they replace them rather than sit beside them.
Copy the init script into /etc/init.d (the directory in the source tree is lowercase redhat)
cd openssh-7.8p1
cp contrib/redhat/sshd.init /etc/init.d/sshd
Add the init script to the boot sequence
chkconfig --add sshd # register with chkconfig
chkconfig sshd on # start at boot
chkconfig --list sshd # confirm the runlevels
Start sshd
Run sshd -t first: it parses the configuration and loads the host keys without listening, and reports anything that would stop the daemon from starting.
service sshd start # use start (or reload if the old sshd is still running); restart stops the running daemon first, and if the new binary then fails to start you are left with no sshd at all
Check the ssh version
ssh -V
Remove telnet
telnet is insecure; once the SSH upgrade is verified with a fresh login, remove telnet-server and close port 23 again.
CentOS 7.x
Install telnet
Install and start
yum -y install xinetd telnet-server # install xinetd and telnet-server
systemctl enable xinetd.service # start xinetd at boot
systemctl enable telnet.socket # start telnet at boot
systemctl start telnet.socket # start telnet
systemctl start xinetd # start xinetd
On CentOS 7 telnet-server is socket-activated by systemd (telnet.socket), so xinetd is not actually needed for it; enabling it does no harm, but it is the socket unit that matters.
Open port 23 in the firewall
firewall-cmd --state # is firewalld running?
firewall-cmd --list-all # what is already open
firewall-cmd --permanent --add-service=telnet # permanently allow the telnet service
firewall-cmd --permanent --add-port=23/tcp # the same thing by port number; one of the two is enough
firewall-cmd --reload # reload the firewall configuration
Both forms open port 23 to every source. For a cleartext login service a rich rule limited to your management subnet is the safer choice.
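The telnet fallback described above for CentOS 6 (the xinetd edit) and for CentOS 7 (telnet.socket plus firewalld) opens a cleartext login to every source. The script below is an added example, not part of the original post: it sets xinetd's disable attribute the right way round and adds an only_from restriction, on CentOS 7 opens port 23 only for a management subnet through a firewalld rich rule, and removes the fallback again afterwards. ADMIN_NET (192.0.2.0/24) is an assumed value; the file, service and command names are the ones used in the steps above.

```shell
#!/bin/sh
# Added example, not part of the original post: enable the telnet fallback
# for the upgrade window without exposing a cleartext login to everyone.
# ADMIN_NET is an assumed management subnet; replace it with yours.
ADMIN_NET="${ADMIN_NET:-192.0.2.0/24}"

# --- CentOS 6: xinetd -----------------------------------------------------
# Report whether an xinetd service file currently enables the service,
# reading its "disable =" attribute ("disable = yes" means OFF).
xinetd_telnet_state() {
    awk -F= '/^[[:space:]]*disable[[:space:]]*=/ {
        v = $2; sub(/#.*/, "", v); gsub(/[[:space:]]/, "", v)
        r = (v == "no") ? "enabled" : "disabled"
        print r; exit
    }' "$1"
}

# Set "disable = no" and add "only_from = <net>" before the closing brace
# (once), so xinetd itself refuses telnet from any other source.
# Arguments: path to the xinetd service file, allowed network.
enable_xinetd_telnet() {
    conf="$1"; net="$2"; tmp="$conf.tmp.$$"
    awk -v net="$net" '
        /^[[:space:]]*disable[[:space:]]*=/   { print "\tdisable\t\t= no"; next }
        /^[[:space:]]*only_from[[:space:]]*=/ { seen = 1 }
        /^}/ && !seen                         { print "\tonly_from\t= " net }
        { print }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# --- CentOS 7: systemd socket + firewalld ---------------------------------
# telnet-server on CentOS 7 is socket-activated by systemd (telnet.socket);
# xinetd is not needed. A rich rule opens port 23 for one network only,
# unlike --add-service=telnet, which opens it to every source.
firewalld_telnet_rule() {
    printf 'rule family="ipv4" source address="%s" service name="telnet" accept' "$1"
}

centos6_enable() {
    enable_xinetd_telnet /etc/xinetd.d/telnet "$ADMIN_NET"
    service xinetd restart
    echo "telnet is $(xinetd_telnet_state /etc/xinetd.d/telnet) for $ADMIN_NET; allow 23/tcp in iptables if it is filtered"
}
centos7_enable() {
    systemctl enable telnet.socket && systemctl start telnet.socket
    firewall-cmd --permanent --add-rich-rule="$(firewalld_telnet_rule "$ADMIN_NET")"
    firewall-cmd --reload
}
# Run these once a fresh SSH login against the new sshd has succeeded.
centos6_remove() {
    chkconfig telnet off && service xinetd restart   # chkconfig writes disable = yes
    yum -y remove telnet-server
}
centos7_remove() {
    systemctl disable telnet.socket && systemctl stop telnet.socket
    firewall-cmd --permanent --remove-rich-rule="$(firewalld_telnet_rule "$ADMIN_NET")"
    firewall-cmd --reload
    yum -y remove telnet-server
}

case "${1:-}" in
    enable6) centos6_enable ;;
    enable7) centos7_enable ;;
    remove6) centos6_remove ;;
    remove7) centos7_remove ;;
    *) echo "usage: $0 enable6|remove6|enable7|remove7 (run as root)" ;;
esac
```

Run it as root with enable6 or enable7 before the upgrade and with remove6 or remove7 after a fresh login over the new sshd has succeeded. The file-editing helper takes the config path as an argument, so it can be tried on a copy of /etc/xinetd.d/telnet first; only_from is enforced by xinetd, so it works even where iptables is wide open.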
Install the build environment and dependencies
Update openssl
yum update openssl
Install the build environment (pam-devel and zlib-devel are needed for the --with-pam and --with-zlib configure options used below)
yum -y install gcc openssl-devel pam-devel zlib-devel
Install OpenSSH
Back up the old ssh directory (cp -a keeps the modes and ownership of the host keys)
cp -a /etc/ssh /etc/ssh.bak
If you want to remove the old OpenSSH packages first
rpm -qa | grep openssh # list the installed openssh packages
rpm -e `rpm -qa | grep openssh` --nodeps # remove them; --nodeps skips the dependency check
The same caveat as on CentOS 6 applies: the running sshd survives the removal, but the package's service unit and /etc/pam.d/sshd are gone. The host keys in /etc/ssh are not package files, so they stay behind with the 0640 root:ssh_keys permissions that the upstream build rejects (see the error below).
Unpack and build OpenSSH
tar -zxvf openssh-7.8p1.tar.gz
cd openssh-7.8p1
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-md5-passwords
make && make install
The following error may appear. The install target runs sshd -t against the new configuration, and the packaged CentOS 7 sshd is patched to accept host keys owned by root:ssh_keys with mode 0640, while the upstream sshd refuses any private key readable by group or others:
ssh-keygen: generating new host keys: DSA
/usr/sbin/sshd -t -f /etc/ssh/sshd_config
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_rsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
key_load_private: bad permissions
Could not load host key: /etc/ssh/ssh_host_rsa_key
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_ecdsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
key_load_private: bad permissions
Could not load host key: /etc/ssh/ssh_host_ecdsa_key
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_ed25519_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
key_load_private: bad permissions
Could not load host key: /etc/ssh/ssh_host_ed25519_key
First reset the permissions on these files and run make install again:
chmod 600 /etc/ssh/ssh_host_rsa_key
chmod 600 /etc/ssh/ssh_host_ecdsa_key
chmod 600 /etc/ssh/ssh_host_ed25519_key
If that does not help, regenerate the keys, but only as a last resort: a new host key changes the server's fingerprint, and every client that has the old key in known_hosts will refuse to connect with a REMOTE HOST IDENTIFICATION HAS CHANGED warning until that entry is replaced (the originals are still in /etc/ssh.bak). To regenerate, first
cd /etc/ssh
then delete the files with the ssh_host prefix (both the private keys and their .pub files) and run make install again; its install target runs ssh-keygen -A, which creates every missing host key type. If you would rather generate them by hand, use the matching key type for each file and an empty passphrase, then rerun make install:
ssh-keygen -t rsa -N '' -f /etc/ssh/ssh_host_rsa_key
ssh-keygen -t ecdsa -N '' -f /etc/ssh/ssh_host_ecdsa_key
ssh-keygen -t ed25519 -N '' -f /etc/ssh/ssh_host_ed25519_key
Copy the init script into /etc/init.d (the directory in the source tree is lowercase redhat)
cd openssh-7.8p1
cp contrib/redhat/sshd.init /etc/init.d/sshd
On CentOS 7 systemd generates a unit from this SysV script (at boot, or after systemctl daemon-reload), so both service and systemctl can manage it afterwards.
Add the init script to the boot sequence (on CentOS 7 chkconfig forwards these calls to systemctl)
chkconfig --add sshd # register with chkconfig
chkconfig sshd on # start at boot
chkconfig --list sshd # confirm the runlevels
Start sshd
Run sshd -t first: it parses the configuration and loads the host keys without listening, and reports anything that would stop the daemon from starting.
service sshd start # use start (or reload if the old sshd is still running); restart stops the running daemon first, and if the new binary then fails to start you are left with no sshd at all
Check the ssh version
ssh -V
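Before service sshd start, a practitioner would confirm that the new sshd can actually start, because otherwise the only session on the box is handed over blindly. The script below is an added example, not part of the original post, and covers both the CentOS 6 and CentOS 7 procedures above: it tightens the host-key permissions that produce the UNPROTECTED PRIVATE KEY FILE error quoted earlier (without regenerating keys), runs sshd -t, and checks that ssh -V now reports the built version. /etc/ssh and /usr/sbin/sshd are the paths the post uses; WANT_MAJOR and WANT_MINOR match the 7.8p1 tarball.

```shell
#!/bin/sh
# Added example, not part of the original post: checks to run after
# "make install" and before "service sshd start". SSH_DIR and SSHD are the
# paths used in the post; WANT_* is the version the post builds (7.8p1).
SSH_DIR="${SSH_DIR:-/etc/ssh}"
SSHD="${SSHD:-/usr/sbin/sshd}"
WANT_MAJOR=7
WANT_MINOR=8

# List private host keys whose mode is not exactly 0600. The upstream sshd
# ignores any private key readable by group or others (the 0640
# root:ssh_keys layout that CentOS 7's packaged sshd is patched to accept).
open_host_keys() {
    find "$1" -maxdepth 1 -type f -name 'ssh_host_*_key' ! -perm 0600
}

# Tighten modes in place and succeed only if nothing is left open.
# Never regenerate keys here: a new key changes the host fingerprint and
# every client that knows the old one will refuse to connect.
fix_host_key_perms() {
    find "$1" -maxdepth 1 -type f -name 'ssh_host_*_key' -exec chmod 0600 {} +
    find "$1" -maxdepth 1 -type f -name 'ssh_host_*_key.pub' -exec chmod 0644 {} +
    [ -z "$(open_host_keys "$1")" ]
}

# Given the output of "ssh -V" (e.g. "OpenSSH_7.8p1, OpenSSL 1.0.2k-fips ..."),
# succeed if the reported version is at least WANT_MAJOR.WANT_MINOR.
# A stale result here usually means the old binary is still first in PATH.
openssh_version_ok() {
    v=$(printf '%s' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$v" ] || return 1
    set -- $v
    [ "$1" -gt "$WANT_MAJOR" ] || { [ "$1" -eq "$WANT_MAJOR" ] && [ "$2" -ge "$WANT_MINOR" ]; }
}

# sshd -t parses the config and loads the host keys without listening; it
# exits non-zero and prints the reason (including the UNPROTECTED PRIVATE
# KEY banner quoted in the post) whenever it would refuse to start.
sshd_config_ok() {
    "$SSHD" -t -f "$1"
}

preflight() {
    fix_host_key_perms "$SSH_DIR" || { echo "host key permissions still wrong:"; open_host_keys "$SSH_DIR"; return 1; }
    sshd_config_ok "$SSH_DIR/sshd_config" || { echo "sshd -t failed; do not start the new sshd yet"; return 1; }
    openssh_version_ok "$(ssh -V 2>&1)" || { echo "ssh -V does not report >= $WANT_MAJOR.$WANT_MINOR; check PATH"; return 1; }
    echo "preflight ok: start (or reload) sshd, then open a NEW login to confirm before closing this session"
}

# Usage: sh preflight.sh run   (as root, after make install)
if [ "${1:-}" = "run" ]; then
    preflight
fi
```

If the old packages were removed, also check that /etc/pam.d/sshd still exists before starting: the build is --with-pam, and the source tree ships a replacement at contrib/redhat/sshd.pam. The helpers take their directory and version string as arguments, so they can be exercised on a scratch copy of /etc/ssh before touching the real one.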
Other problems
After the install, logins may fail even though sshd is running. One workaround is to switch SELinux off; check the mode first:
getenforce # current SELinux mode: Enforcing - policy enforced; Permissive - policy loaded, violations only logged; Disabled - no policy loaded
setenforce 0 # switch to permissive until the next reboot (setenforce 1 switches back to enforcing)
If logins work in permissive mode, SELinux was blocking them. After a source install the usual cause is that the new /usr/sbin/sshd, and any regenerated host keys, do not carry the labels the policy expects; restorecon fixes that without leaving SELinux off. To change the mode permanently, edit /etc/selinux/config:
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of three two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
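Rather than leaving SELinux in permissive mode as above, the script below checks the labels of the files the source install wrote and restores them. It is an added example, not from the original post: the expected types (sshd_exec_t for /usr/sbin/sshd, sshd_key_t for the host keys) are those of the targeted policy on CentOS 6 and 7, and the parsing helpers are separated from the system calls so they can be exercised on sample ls -Z lines.

```shell
#!/bin/sh
# Added example, not part of the original post. A hand-installed
# /usr/sbin/sshd (and regenerated host keys) often carry the wrong SELinux
# type, so the daemon never enters the sshd_t domain; relabelling fixes
# that and lets SELinux stay enforcing. Expected types are the ones the
# targeted policy assigns to these paths.

# From one line of "ls -Z" output, print "<selinux type> <path>".
# Handles the CentOS 6/7 long form ("-rwx... root root u:r:t:s0 path")
# and the newer short form ("u:r:t:s0 path").
label_and_path() {
    printf '%s\n' "$1" | awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^[A-Za-z0-9_]+:[A-Za-z0-9_]+:[A-Za-z0-9_]+:/) {
                split($i, c, ":"); print c[3], $NF; exit
            }
    }'
}

# Compare the type in an ls -Z line with the expected one; on mismatch
# print "<path>: have <type> want <type>" and fail.
check_label_line() {
    want="$2"
    set -- $(label_and_path "$1")
    [ "$#" -eq 2 ] || { echo "unparseable ls -Z line"; return 1; }
    [ "$1" = "$want" ] && return 0
    echo "$2: have $1 want $want"
    return 1
}
check_label() {
    check_label_line "$(ls -Z "$1")" "$2"
}

audit_sshd_labels() {
    rc=0
    check_label /usr/sbin/sshd sshd_exec_t || rc=1
    for k in /etc/ssh/ssh_host_*_key; do
        [ -e "$k" ] && { check_label "$k" sshd_key_t || rc=1; }
    done
    return $rc
}

# restorecon resets labels from the policy's file contexts (-v lists changes).
relabel_sshd() {
    restorecon -Rv /usr/sbin/sshd /etc/ssh
}

# If logins still fail with SELinux enforcing, read the denials instead of
# disabling it; -ts recent covers the last ten minutes.
recent_sshd_denials() {
    ausearch -m avc -ts recent 2>/dev/null | grep -i sshd
}

case "${1:-}" in
    audit)   audit_sshd_labels ;;
    fix)     relabel_sshd && audit_sshd_labels ;;
    denials) recent_sshd_denials ;;
    *) echo "usage: $0 audit|fix|denials (run as root after make install)" ;;
esac
```

Run it with audit right after make install; a report such as "/usr/sbin/sshd: have bin_t want sshd_exec_t" means the daemon would start unconfined or be blocked, and fix applies restorecon and re-checks. Only if the labels are correct and denials still shows AVC records for sshd is a policy change (rather than a relabel) needed.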
Remove telnet
telnet is insecure; once the SSH upgrade is verified with a fresh login, stop and disable telnet.socket, remove the firewall rule for port 23 and remove telnet-server.
sshd configuration file
Path
/etc/ssh/sshd_config
Contents
To allow direct root login, change #PermitRootLogin prohibit-password to PermitRootLogin yes. Note that prohibit-password (the 7.8 default) already lets root in with a key listed in /root/.ssh/authorized_keys; PermitRootLogin yes additionally accepts the root password from any address, so pair it with PasswordAuthentication no, or confine it to your admin network with a Match Address block. sshd uses the first uncommented occurrence of each keyword, so put the line where the commented default is rather than at the end of the file.
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
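The file above is the stock 7.8 sshd_config. Before editing PermitRootLogin as described, it helps to see which values sshd will actually use; the script below is an added example, not part of the original post or of OpenSSH. It reads the effective value of each keyword (first match wins, Match blocks excluded), flags the risky combinations, and prints the directives to use instead of a bare PermitRootLogin yes. 192.0.2.0/24 is an assumed admin subnet, and the defaults are OpenSSH 7.8's.

```shell
#!/bin/sh
# Added example, not part of the original post: print the values sshd will
# actually use from a sshd_config and flag the risky ones before enabling
# root login as described. Defaults given are OpenSSH 7.8's.

# Effective value of a keyword: sshd_config(5) uses the FIRST uncommented
# occurrence, so a line appended at the end of the file does nothing if
# the keyword is already set above it. Parsing stops at the first Match
# block, whose values apply only to matching connections. Case-insensitive.
sshd_effective() {
    conf="$1"; key="$2"; def="$3"
    v=$(awk -v key="$key" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/                 { next }
        /^[[:space:]]*[Mm][Aa][Tt][Cc][Hh]([[:space:]]|$)/   { exit }
        tolower($1) == tolower(key) {
            sub(/^[[:space:]]*[^[:space:]]+[[:space:]]+/, ""); print; exit
        }' "$conf")
    printf '%s\n' "${v:-$def}"
}

# One finding per line; fails if any HIGH finding is present.
audit_sshd_config() {
    conf="$1"; rc=0
    root=$(sshd_effective "$conf" PermitRootLogin prohibit-password)
    pw=$(sshd_effective "$conf" PasswordAuthentication yes)
    empty=$(sshd_effective "$conf" PermitEmptyPasswords no)
    pam=$(sshd_effective "$conf" UsePAM no)
    cra=$(sshd_effective "$conf" ChallengeResponseAuthentication yes)
    if [ "$root" = yes ]; then
        echo "HIGH PermitRootLogin=yes: root password accepted from any source; prefer prohibit-password plus /root/.ssh/authorized_keys"
        rc=1
    fi
    if [ "$pw" = yes ]; then
        echo "MED  PasswordAuthentication=yes: online guessing possible; set no once keys are deployed"
    fi
    if [ "$pw" = no ] && [ "$pam" = yes ] && [ "$cra" = yes ]; then
        echo "MED  ChallengeResponseAuthentication=yes with UsePAM yes: passwords still accepted via keyboard-interactive"
    fi
    if [ "$empty" = yes ]; then
        echo "HIGH PermitEmptyPasswords=yes"
        rc=1
    fi
    if [ "$pam" = no ]; then
        echo "INFO UsePAM=no: built --with-pam, but the /etc/pam.d/sshd account and session rules are not consulted"
    fi
    return $rc
}

# What to put near the top of sshd_config (before any Match block) instead
# of a bare "PermitRootLogin yes". 192.0.2.0/24 is an assumed admin subnet.
hardened_root_access() {
    cat <<'EOF'
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
# If a root password login is unavoidable, confine it to the admin network;
# keywords inside a Match block override the global values for matching clients.
Match Address 192.0.2.0/24
    PermitRootLogin yes
    PasswordAuthentication yes
EOF
}

# Usage: sh sshd_audit.sh /etc/ssh/sshd_config
if [ -n "${1:-}" ]; then
    audit_sshd_config "$1"
fi
```

Run it against /etc/ssh/sshd_config after every edit; because it honours first-match semantics, it reports what sshd will do rather than what the last line says. The hardened snippet keeps root reachable by key from anywhere and by password only from the admin subnet, which is what most upgrades that "need" PermitRootLogin yes actually require.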
End