Overview
Upgrading OpenSSH to 8.4 on CentOS 7
- Environment
- Pre-upgrade preparation
  - Test the SSH remote login
  - Test PAM protection
  - Back up files
  - Install the build tools
  - Install dependencies
    - pam and pam-devel
    - zlib and zlib-devel
    - openssl and openssl-devel
    - perl and pcre-devel
- Upgrade to OpenSSH 8.4
  - Remove the distribution SSH packages
  - Install OpenSSH 8.4
  - Test the SSH remote login
  - Test PAM protection
Environment
- System image: CentOS-7-x86_64-DVD-1804.iso (the installed system has since been updated to 7.9)
- OS release:
[ft@bogon /]$ cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)
- Kernel:
[ft@bogon ~]$ uname -a
Linux bogon 3.10.0-1160.15.2.el7.x86_64 #1 SMP Wed Feb 3 15:06:38 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
- OpenSSL:
[ft@bogon ~]$ openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017
- OpenSSH:
[ft@bogon ~]$ ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
[ft@bogon ~]$ rpm -qa | grep openssh
openssh-clients-7.4p1-21.el7.x86_64
openssh-server-7.4p1-21.el7.x86_64
openssh-7.4p1-21.el7.x86_64
Pre-upgrade preparation
Before changing anything, make sure you can reach the machine without sshd (a VM or IPMI console, or at least a second SSH session that stays open until the new daemon has been verified). The procedure below removes the packaged sshd before the replacement is built, so a failed build or a broken sshd_config would otherwise lock you out.
Test the SSH remote login
First confirm that the current OpenSSH works normally:
C:\Users\Sunny>ssh ft@192.168.16.22
ft@192.168.16.22's password:
Last login: Wed Feb 24 22:19:47 2021 from 192.168.16.70
Last login: Wed Feb 24 22:19:47 2021 from 192.168.16.70
[ft@bogon ~]$ uname -a
Linux bogon 3.10.0-1160.15.2.el7.x86_64 #1 SMP Wed Feb 3 15:06:38 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
[ft@bogon ~]$ exit
logout
Connection to 192.168.16.22 closed.
Test result: OpenSSH works normally.
Test PAM protection
Install the custom PAM module, then add it at the top of the auth stack in /etc/pam.d/sshd (pam_otp.so is the author's own module; the stock lines below it are left unchanged):
#%PAM-1.0
# custom PAM module pam_otp.so
auth required pam_otp.so
# ---------------------------------------------------------------
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare
SSH login test:
C:\Users\Sunny>ssh ft@192.168.16.22
Password:
PassCode:
Last login: Wed Feb 24 22:22:19 2021 from 192.168.16.70
Last login: Wed Feb 24 22:22:19 2021 from 192.168.16.70
[ft@bogon ~]$ uname -a
Linux bogon 3.10.0-1160.15.2.el7.x86_64 #1 SMP Wed Feb 3 15:06:38 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
[ft@bogon ~]$ exit
logout
Connection to 192.168.16.22 closed.
Test result: the OpenSSH PAM stack works. Note the prompts: the extra PassCode: question can only be asked over keyboard-interactive authentication (sshd's plain password method hands PAM a single secret and cannot answer a second prompt), so this test needs UsePAM yes together with ChallengeResponseAuthentication yes in sshd_config. The CentOS-shipped sshd_config sets the latter to no; the upstream 8.4 default is yes.
Back up files
Back up /etc/pam.d/sshd:
[root@bogon ~]# mv /etc/pam.d/sshd /etc/pam.d/sshd-bak
[root@bogon ~]# ls -l /etc/pam.d/sshd*
-rw-r--r--. 1 root root 939 Feb 24 22:29 /etc/pam.d/sshd-bak
Back up /etc/ssh as well, and do it now: the install step later in this guide deletes that directory, which takes the host keys (ssh_host_*_key) with it. Without them the new sshd generates fresh keys, and every client that has the old key in known_hosts will refuse to connect (this is the "REMOTE HOST IDENTIFICATION HAS CHANGED" warning that appears in the post-upgrade test). A copy of the directory lets you put the original keys back after make install, so no client has to change anything.
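The following is an added example, not part of the original post, that snapshots both things the upgrade touches (the sshd PAM stack and all of /etc/ssh, host keys included) into one archive with a digest. It takes the filesystem root as an argument so it can be exercised against a scratch tree; on the real host it would be called as backup_ssh_state / /root. The function names, the archive layout and the sample tree it builds are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Snapshot what the upgrade overwrites or deletes: the PAM stack for sshd and
# /etc/ssh (sshd_config, moduli and, above all, the host keys).

backup_ssh_state() {
    # $1 = filesystem root ("/" on the real host, a scratch tree when testing)
    # $2 = directory that receives the archive; prints the archive path
    root="$1"
    dest="$2"
    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$dest/ssh-backup-$stamp.tar"
    mkdir -p "$dest" || return 1
    # paths are stored relative to $root so that "tar -C / -xf" restores them
    tar -C "$root" -cf "$archive" etc/ssh etc/pam.d/sshd || return 1
    # keep a digest so a restore can detect a truncated or tampered archive
    ( cd "$dest" && f=$(basename "$archive") && sha256sum "$f" > "$f.sha256" ) || return 1
    printf '%s\n' "$archive"
}

backup_has() {
    # $1 = archive, $2 = path inside it (e.g. etc/ssh/ssh_host_ed25519_key)
    tar -tf "$1" | grep -qx "$2"
}

backup_verify() {
    # re-check the digest written by backup_ssh_state; exit 0 when intact
    ( cd "$(dirname "$1")" && sha256sum -c "$(basename "$1").sha256" >/dev/null )
}

make_sample_root() {
    # constructed stand-in for a CentOS 7 host, used only for the demonstration
    mkdir -p "$1/etc/ssh" "$1/etc/pam.d"
    printf 'PermitRootLogin no\nUsePAM yes\n' > "$1/etc/ssh/sshd_config"
    printf 'not-a-real-key\n' > "$1/etc/ssh/ssh_host_ed25519_key"
    chmod 600 "$1/etc/ssh/ssh_host_ed25519_key"
    printf '#%%PAM-1.0\nauth substack password-auth\n' > "$1/etc/pam.d/sshd"
}

# Demonstration against a scratch tree (on the real host: backup_ssh_state / /root)
SAMPLE_ROOT=$(mktemp -d)
make_sample_root "$SAMPLE_ROOT"
ARCHIVE=$(backup_ssh_state "$SAMPLE_ROOT" "$SAMPLE_ROOT/backup")
backup_verify "$ARCHIVE" && echo "backup intact: $ARCHIVE"
# After "make install" has replaced /etc/ssh, the original host keys come back with:
#   tar -C / -xf "$ARCHIVE" 'etc/ssh/ssh_host_*'
```

Restoring only the ssh_host_* files (rather than the whole directory) keeps the new 8.4 sshd_config while preserving the identity clients already trust.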
Install the build tools
gcc, gcc-c++ and make are required (skip this step if they are already installed):
# install gcc
[root@bogon ~]# yum -y install gcc
...
...
...
[root@bogon ~]# gcc --version
gcc (GCC) 4.8.5 20150623 (Red Hat 4.8.5-44)
Copyright (C) 2015 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
# install gcc-c++
[root@bogon ~]# yum -y install gcc-c++
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
...
...
...
Installed:
gcc-c++.x86_64 0:4.8.5-44.el7
Dependency Installed:
libstdc++-devel.x86_64 0:4.8.5-44.el7
Complete!
[root@bogon ~]# g++ --version
g++ (GCC) 4.8.5 20150623 (Red Hat 4.8.5-44)
Copyright (C) 2015 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
# install make
[root@bogon ~]# yum -y install make
...
...
...
[root@bogon ~]# make -v
GNU Make 3.82
Built for x86_64-redhat-linux-gnu
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Install dependencies
The output of the following installs varies from system to system; all that matters is that each package ends up installed.
pam and pam-devel
[root@bogon ~]# yum -y install pam pam-devel
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
* base: mirrors.tuna.tsinghua.edu.cn
* extras: mirrors.tuna.tsinghua.edu.cn
* updates: mirrors.163.com
Package pam-1.1.8-23.el7.x86_64 already installed and latest version
Resolving Dependencies
--> Running transaction check
---> Package pam-devel.x86_64 0:1.1.8-23.el7 will be installed
--> Finished Dependency Resolution
...
...
...
Running transaction
Installing : pam-devel-1.1.8-23.el7.x86_64 1/1
Verifying : pam-devel-1.1.8-23.el7.x86_64 1/1
Installed:
pam-devel.x86_64 0:1.1.8-23.el7
Complete!
zlib and zlib-devel
[root@bogon ~]# yum -y install zlib zlib-devel
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
* base: mirrors.tuna.tsinghua.edu.cn
* extras: mirrors.tuna.tsinghua.edu.cn
* updates: mirrors.163.com
Package zlib-1.2.7-19.el7_9.x86_64 already installed and latest version
Resolving Dependencies
--> Running transaction check
---> Package zlib-devel.x86_64 0:1.2.7-19.el7_9 will be installed
--> Finished Dependency Resolution
...
...
...
Running transaction
Installing : zlib-devel-1.2.7-19.el7_9.x86_64 1/1
Verifying : zlib-devel-1.2.7-19.el7_9.x86_64 1/1
Installed:
zlib-devel.x86_64 0:1.2.7-19.el7_9
Complete!
openssl and openssl-devel
[root@bogon ~]# yum -y install openssl openssl-devel
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
* base: mirrors.tuna.tsinghua.edu.cn
* extras: mirrors.tuna.tsinghua.edu.cn
* updates: mirrors.163.com
Package 1:openssl-1.0.2k-21.el7_9.x86_64 already installed and latest version
Resolving Dependencies
...
...
...
Installed:
openssl-devel.x86_64 1:1.0.2k-21.el7_9
Dependency Installed:
keyutils-libs-devel.x86_64 0:1.5.8-3.el7 krb5-devel.x86_64 0:1.15.1-50.el7
libcom_err-devel.x86_64 0:1.42.9-19.el7 libselinux-devel.x86_64 0:2.5-15.el7
libsepol-devel.x86_64 0:2.5-10.el7 libverto-devel.x86_64 0:0.2.5-4.el7
pcre-devel.x86_64 0:8.32-17.el7
Complete!
perl and pcre-devel
[root@bogon ~]# yum -y install perl pcre-devel
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
* base: mirrors.tuna.tsinghua.edu.cn
* extras: mirrors.tuna.tsinghua.edu.cn
* updates: mirrors.163.com
Package 4:perl-5.16.3-299.el7_9.x86_64 already installed and latest version
Package pcre-devel-8.32-17.el7.x86_64 already installed and latest version
Nothing to do
Upgrade to OpenSSH 8.4
Remove the distribution SSH packages
From this point until the new sshd is started, nothing can log in over SSH. Stopping the service does not kill sessions that are already open, so keep your existing session (or console) until the post-upgrade tests pass.
# list the openssh packages currently installed
[root@bogon ~]# rpm -qa | grep openssh
openssh-clients-7.4p1-21.el7.x86_64
openssh-server-7.4p1-21.el7.x86_64
openssh-7.4p1-21.el7.x86_64
# stop the sshd service
[root@bogon ~]# systemctl stop sshd
...
# remove the packages; --nodeps skips the dependency check, so anything that
# requires openssh-clients stays installed and keeps working once the new
# binaries are in /usr/bin
[root@bogon ~]# rpm -e `rpm -qa | grep openssh` --nodeps
...
# list again; empty output means the removal succeeded
[root@bogon ~]# rpm -qa | grep openssh
Because the replacement is installed outside RPM, a later yum update can pull the 7.4 packages back in as a dependency and overwrite /usr/bin/ssh and /usr/sbin/sshd; adding exclude=openssh* to /etc/yum.conf prevents that.
Install OpenSSH 8.4
- Download the source archive openssh-8.4p1.tar.gz
[root@bogon ~]# mkdir -p /home/workspace/openssh
[root@bogon ~]# cd /home/workspace/openssh/
[root@bogon openssh]# wget http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.4p1.tar.gz
...
...
...
[root@bogon openssh]# ls
openssh-8.4p1.tar.gz
The download is plain HTTP, so verify the tarball before building it: fetch the matching openssh-8.4p1.tar.gz.asc from the same directory and check it with gpg against the OpenSSH release-signing key, obtained from a source you trust rather than from the same mirror. An unverified tarball means an attacker-supplied sshd on the host.
- Unpack openssh-8.4p1.tar.gz
[root@bogon openssh]# tar -zxvf openssh-8.4p1.tar.gz
...
...
...
[root@bogon openssh]# ls
openssh-8.4p1  openssh-8.4p1.tar.gz
- Build and install
The original procedure starts by deleting /etc/ssh. That removes the host keys together with the old configuration, and make install then generates new ones (visible in its output below), which is what later triggers the host-key warning on every client. If you keep this step, make sure /etc/ssh has been backed up first and restore the ssh_host_*_key files afterwards; renaming the directory (for example to /etc/ssh.old) instead of deleting it achieves the same thing.
[root@bogon openssh]# rm -rf /etc/ssh
[root@bogon openssh]# cd openssh-8.4p1/
[root@bogon openssh-8.4p1]# ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-zlib --with-pam
...
PAM is enabled. You may need to install a PAM control file
for sshd, otherwise password authentication may fail.
Example PAM control files can be found in the contrib/
subdirectory
[root@bogon openssh-8.4p1]# make
...
[root@bogon openssh-8.4p1]# make install
(cd openbsd-compat && make)
make[1]: Entering directory `/home/workspace/openssh/openssh-8.4p1/openbsd-compat'
make[1]: Nothing to be done for `all'.
make[1]: Leaving directory `/home/workspace/openssh/openssh-8.4p1/openbsd-compat'
/usr/bin/mkdir -p /usr/bin
/usr/bin/mkdir -p /usr/sbin
/usr/bin/mkdir -p /usr/share/man/man1
/usr/bin/mkdir -p /usr/share/man/man5
/usr/bin/mkdir -p /usr/share/man/man8
/usr/bin/mkdir -p /usr/libexec
/usr/bin/mkdir -p -m 0755 /var/empty
/usr/bin/install -c -m 0755 -s ssh /usr/bin/ssh
/usr/bin/install -c -m 0755 -s scp /usr/bin/scp
/usr/bin/install -c -m 0755 -s ssh-add /usr/bin/ssh-add
/usr/bin/install -c -m 0755 -s ssh-agent /usr/bin/ssh-agent
/usr/bin/install -c -m 0755 -s ssh-keygen /usr/bin/ssh-keygen
/usr/bin/install -c -m 0755 -s ssh-keyscan /usr/bin/ssh-keyscan
/usr/bin/install -c -m 0755 -s sshd /usr/sbin/sshd
/usr/bin/install -c -m 4711 -s ssh-keysign /usr/libexec/ssh-keysign
/usr/bin/install -c -m 0755 -s ssh-pkcs11-helper /usr/libexec/ssh-pkcs11-helper
/usr/bin/install -c -m 0755 -s ssh-sk-helper /usr/libexec/ssh-sk-helper
/usr/bin/install -c -m 0755 -s sftp /usr/bin/sftp
/usr/bin/install -c -m 0755 -s sftp-server /usr/libexec/sftp-server
/usr/bin/install -c -m 644 ssh.1.out /usr/share/man/man1/ssh.1
/usr/bin/install -c -m 644 scp.1.out /usr/share/man/man1/scp.1
/usr/bin/install -c -m 644 ssh-add.1.out /usr/share/man/man1/ssh-add.1
/usr/bin/install -c -m 644 ssh-agent.1.out /usr/share/man/man1/ssh-agent.1
/usr/bin/install -c -m 644 ssh-keygen.1.out /usr/share/man/man1/ssh-keygen.1
/usr/bin/install -c -m 644 ssh-keyscan.1.out /usr/share/man/man1/ssh-keyscan.1
/usr/bin/install -c -m 644 moduli.5.out /usr/share/man/man5/moduli.5
/usr/bin/install -c -m 644 sshd_config.5.out /usr/share/man/man5/sshd_config.5
/usr/bin/install -c -m 644 ssh_config.5.out /usr/share/man/man5/ssh_config.5
/usr/bin/install -c -m 644 sshd.8.out /usr/share/man/man8/sshd.8
/usr/bin/install -c -m 644 sftp.1.out /usr/share/man/man1/sftp.1
/usr/bin/install -c -m 644 sftp-server.8.out /usr/share/man/man8/sftp-server.8
/usr/bin/install -c -m 644 ssh-keysign.8.out /usr/share/man/man8/ssh-keysign.8
/usr/bin/install -c -m 644 ssh-pkcs11-helper.8.out /usr/share/man/man8/ssh-pkcs11-helper.8
/usr/bin/install -c -m 644 ssh-sk-helper.8.out /usr/share/man/man8/ssh-sk-helper.8
/usr/bin/mkdir -p /etc/ssh
ssh-keygen: generating new host keys: RSA DSA ECDSA ED25519
/usr/sbin/sshd -t -f /etc/ssh/sshd_config
The last line is make install running a syntax check of the freshly installed sshd_config; silence means it passed.
- Configure
[root@bogon openssh-8.4p1]# cp ./contrib/redhat/sshd.init /etc/init.d/sshd
[root@bogon openssh-8.4p1]# chmod a+x /etc/init.d/sshd
[root@bogon openssh-8.4p1]# cp /etc/pam.d/sshd-bak /etc/pam.d/sshd
[root@bogon openssh-8.4p1]# cd /etc/ssh/
[root@bogon ssh]# chmod 600 ssh_host_*
[root@bogon ssh]# chkconfig --add sshd
[root@bogon ssh]# chkconfig sshd on
The chmod also hits the ssh_host_*_key.pub files; that does not break sshd (it reads them as root), but only the private halves need to be 0600 and the public halves are conventionally 0644, so restricting ssh_host_*_key alone is cleaner. The RPM's systemd unit went away with the package; the SysV script from contrib/redhat is picked up by systemd-sysv-generator, which is why systemctl reports the service as "SYSV: OpenSSH server daemon" below.
Once those steps are done, set the following options in /etc/ssh/sshd_config:
PasswordAuthentication yes
PermitRootLogin yes
UsePAM yes
UsePAM yes is what makes sshd consult /etc/pam.d/sshd at all; without it the pam_otp.so test below cannot pass. PermitRootLogin yes, on the other hand, is not needed for either test and exposes the root account to password guessing from the network; on anything but a throwaway lab host leave it at the default (prohibit-password) or set it to no. Remember that sshd takes the first occurrence of a keyword and silently ignores later duplicates, so place these lines before any conflicting entry, and run sshd -t after editing.
- Start the service
[root@bogon ~]# systemctl restart sshd
[root@bogon ~]# systemctl status sshd
● sshd.service - SYSV: OpenSSH server daemon
   Loaded: loaded (/etc/rc.d/init.d/sshd; bad; vendor preset: enabled)
   Active: active (running) since Thu 2021-02-25 01:00:47 PST; 8s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 17843 ExecStop=/etc/rc.d/init.d/sshd stop (code=exited, status=0/SUCCESS)
  Process: 17851 ExecStart=/etc/rc.d/init.d/sshd start (code=exited, status=0/SUCCESS)
 Main PID: 17860 (sshd)
    Tasks: 1
   CGroup: /system.slice/sshd.service
           └─17860 sshd: /usr/sbin/sshd [listener] 0 of 10-100 startups

Feb 25 01:00:47 bogon systemd[1]: Starting SYSV: OpenSSH server daemon...
Feb 25 01:00:47 bogon sshd[17860]: Server listening on 0.0.0.0 port 22.
Feb 25 01:00:47 bogon sshd[17860]: Server listening on :: port 22.
Feb 25 01:00:47 bogon sshd[17851]: Starting sshd:[  OK  ]
Feb 25 01:00:47 bogon systemd[1]: Started SYSV: OpenSSH server daemon.
[root@bogon ~]# ssh -V
OpenSSH_8.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
ssh -V reports the client binary. To confirm the daemon is the new one as well, connect with ssh -v and look for "remote software version OpenSSH_8.4" in the debug output.
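Because sshd honours only the first occurrence of a keyword (later duplicates do not override it, and commented lines count for nothing), hand edits like the ones above are easy to get subtly wrong. The following is an added example, not part of the original post: it reports the effective global value of a keyword the way sshd resolves it, and flags the two settings this procedure touches, warning when PermitRootLogin is yes and when UsePAM is not yes. The sample config it runs against is constructed for the demonstration, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Report the effective value of a sshd_config keyword the way sshd resolves it:
# keywords are case-insensitive, the FIRST occurrence in the global section wins,
# and anything after a "Match" line applies only to matching connections.

sshd_effective() {
    # $1 = sshd_config path, $2 = keyword; prints the value ("" if unset)
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        { sub(/#.*/, ""); sub(/^[ \t]+/, "") }   # drop comments and indentation
        $0 == "" { next }
        tolower($1) == "match" { in_match = 1; next }
        in_match { next }                          # conditional block, not global
        tolower($1) == key { print $2; exit }      # first hit wins, like sshd
    ' "$1"
}

sshd_audit() {
    # $1 = sshd_config path; prints findings to stderr and the count to stdout
    problems=0
    v=$(sshd_effective "$1" PermitRootLogin)
    if [ "$v" = "yes" ]; then
        echo "PermitRootLogin yes: root is reachable with a password; use no or prohibit-password" >&2
        problems=$((problems + 1))
    fi
    # the compiled-in default of a source build is "UsePAM no", so a missing
    # line means /etc/pam.d/sshd (and pam_otp.so) is never consulted
    v=$(sshd_effective "$1" UsePAM)
    if [ "${v:-no}" != "yes" ]; then
        echo "UsePAM is not yes: sshd will not run the PAM stack" >&2
        problems=$((problems + 1))
    fi
    echo "$problems"
}

make_sample_config() {
    # constructed sshd_config for the demonstration, not a real host's file
    cat > "$1" <<'EOF'
# Port 2222            <- commented out, so the default (22) applies
Port 22
PermitRootLogin yes
PermitRootLogin no     # ignored: sshd already took the first occurrence
UsePAM yes
Match User backup
    PasswordAuthentication no
EOF
}

SAMPLE_CONFIG=$(mktemp)
make_sample_config "$SAMPLE_CONFIG"
echo "PermitRootLogin -> $(sshd_effective "$SAMPLE_CONFIG" PermitRootLogin)"
echo "problems found: $(sshd_audit "$SAMPLE_CONFIG")"
```

On the real host, run it as sshd_audit /etc/ssh/sshd_config before restarting the service; a non-zero count means the file does not say what you think it says.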
Test the SSH remote login
If /etc/pam.d/sshd was modified, first restore the stock configuration:
#%PAM-1.0
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare
Login test:
C:\Users\Sunny>ssh ft@192.168.16.22
Password:
Last login: Thu Feb 25 01:21:06 2021 from 192.168.16.70
[ft@bogon ~]$ cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)
[ft@bogon ~]$ exit
logout
Connection to 192.168.16.22 closed.
Note:
After the upgrade, the first ssh login to the host may fail like this:
C:\Users\Synny>ssh ft@192.168.16.22
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:BZvRUJ93rpzzXtGp8PlKhbIG48KEcjN9dWsLAzEQlfM.
Please contact your system administrator.
Add correct host key in C:\Users\Synny/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in C:\Users\Synny/.ssh/known_hosts:5
ECDSA host key for 192.168.16.22 has changed and you have requested strict checking.
Host key verification failed.
Here the cause is known: deleting /etc/ssh removed the host keys and make install generated new ones, so the ECDSA key that 192.168.16.22 now presents no longer matches the one stored on line 5 of known_hosts. The client cannot tell this apart from a man-in-the-middle, which is exactly why it refuses, so do not delete the entry blindly. Either restore the original ssh_host_*_key files from a backup of /etc/ssh taken before the install (the warning then disappears and no client needs to change anything), or verify the new key out of band: on the server console run ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub and check that it prints the same SHA256:... fingerprint as the warning. Only then remove the stale entry on the client and reconnect:
C:\Users\Sunny>ssh-keygen -R 192.168.16.22
# Host 192.168.16.22 found: line 5
C:\Users\Sunny/.ssh/known_hosts updated.
Original contents retained as C:\Users\Sunny/.ssh/known_hosts.old
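The out-of-band check above compares two fingerprints by eye. The following is an added example, not part of the original post, that does the comparison in plain shell and shows what the fingerprint actually is: SHA-256 over the base64-decoded key blob, encoded as base64 with the trailing "=" padding removed, exactly as OpenSSH prints it. The key line and expected fingerprint are constructed for the demonstration (the blob decodes to the three bytes "abc", not a real key, so the result is the well-known digest of "abc"); the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post.
# OpenSSH's SHA256 fingerprint is base64(sha256(decoded key blob)) with the
# trailing "=" padding removed. This reproduces it with coreutils only, so the
# SHA256:... line in a client's warning can be checked against the server's
# /etc/ssh/ssh_host_*_key.pub read on the console.

hex_to_base64() {
    # $1 = hex digest; prints standard base64 of the raw bytes
    for pair in $(printf '%s' "$1" | sed 's/../& /g'); do
        # emit one byte through an octal escape (portable, unlike \x in %b)
        printf "\\$(printf '%03o' "0x$pair")"
    done | base64 | tr -d '\n'
}

ssh_fingerprint_sha256() {
    # $1 = one line of an OpenSSH public key file: "type base64-blob [comment]"
    blob=$(printf '%s\n' "$1" | awk '{ print $2 }')
    hex=$(printf '%s' "$blob" | base64 -d | sha256sum | cut -d' ' -f1)
    printf 'SHA256:%s\n' "$(hex_to_base64 "$hex" | tr -d '=')"
}

hostkey_matches() {
    # $1 = fingerprint quoted in the client warning
    # $2 = public key line read from the server's /etc/ssh/ssh_host_*_key.pub
    [ "$1" = "$(ssh_fingerprint_sha256 "$2")" ]
}

# Constructed test vector: the blob is base64("abc"), not a real key, so the
# fingerprint is the standard SHA-256 digest of "abc" in OpenSSH's encoding.
SAMPLE_KEY='ssh-ed25519 YWJj constructed@example'
SAMPLE_FP='SHA256:ungWv48Bz+pBQUDeXa4iI7ADYaOWF3qctBD/YfIAFa0'

if hostkey_matches "$SAMPLE_FP" "$SAMPLE_KEY"; then
    echo "fingerprint matches the server key: safe to run ssh-keygen -R and reconnect"
else
    echo "MISMATCH: do not accept the new key; investigate first"
fi
```

In practice the second argument comes from the server console (cat /etc/ssh/ssh_host_ecdsa_key.pub, read over a channel that does not depend on the key being verified) and the first from the warning on the client; ssh-keygen -lf gives the same SHA256 value, this script just makes the derivation visible.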
Test PAM protection
Install the custom PAM module again and put it back at the top of /etc/pam.d/sshd, exactly as in the pre-upgrade test:
#%PAM-1.0
# custom PAM module pam_otp.so
auth required pam_otp.so
# ---------------------------------------------------------------
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare
SSH login test:
C:\Users\Sunny>ssh ft@192.168.16.22
Password:
PassCode:
Last failed login: Thu Feb 25 01:30:00 PST 2021 from 192.168.16.70 on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Thu Feb 25 01:29:01 2021
[ft@bogon ~]$ cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)
[ft@bogon ~]$ exit
logout
Connection to 192.168.16.22 closed.