Upgrading OpenSSL and OpenSSH on Ubuntu 18.04.6
Contents
- Background
- Download the required packages
- Install zlib
- Create directories
- Unpack the archive
- Install build prerequisites
- Install the dependencies offline
- Build and install zlib
- Install OpenSSL
- Check the current version
- Create the install directory
- Download and unpack OpenSSL
- Configure and install
- Verify the installation
- Fix the shared-library dependency problem
- Make the environment variables permanent
- Common OpenSSL installation errors
- Installing a Telnet server offline
- 1. Download the packages on a networked machine
- 2. Install xinetd and telnetd
- 3. Check the xinetd service status
- 4. Configure the Telnet service
- 5. Restart the service and verify
- 6. Change the default port (optional)
- Back up and remove the old OpenSSH
- 1. Back up the SSH configuration files
- 2. Back up the SSH executables
- 3. Stop the SSH service
- 4. List and remove the installed OpenSSH packages
- 5. Remove the packages
- 6. Verify the removal
- Upgrade OpenSSH
- Auto-start configuration for a source install
- Service unit file
- Create the symbolic link
- Create the system user
- Reload the systemd configuration
- Change the SSH port
- Edit the configuration file
- Sync the configuration file
- Verify the connection
- Example configuration file
Background
SSL/TLS protocol information disclosure vulnerability (CVE-2016-2183)
Source: Karthik Bhargavan, Gaetan Leurent
Link: https://www.openssl.org/news/secadv/20160922.txt
This is the SWEET32 birthday attack against 64-bit block ciphers such as 3DES. The remediation taken here is to rebuild OpenSSL from current sources and then rebuild OpenSSH against it, since the stock OpenSSH 7.6p1 on this host is linked against OpenSSL 1.0.2n.
Operating system: Ubuntu 18.04.6
cat /etc/os-release
NAME="Ubuntu"
VERSION="18.04.6 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.6 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic
ssh -V
OpenSSH_7.6p1 Ubuntu-4ubuntu0.7, OpenSSL 1.0.2n 7 Dec 2017
Download the required packages
cd /usr/local/src/
wget http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.8p1.tar.gz
wget https://www.openssl.org/source/openssl-3.2.2.tar.gz
wget https://www.zlib.net/fossils/zlib-1.3.1.tar.gz
Install zlib
Create directories
mkdir -p /usr/local/zlib
cd /usr/local/src/
Unpack the archive
tar -zxvf zlib-1.3.1.tar.gz
cd zlib-1.3.1
Install build prerequisites
On a machine with network access, download only the required packages:
sudo apt-get install --download-only gcc g++ make libc6-dev -y
This downloads only the .deb packages for gcc, g++, make and libc6-dev and their dependencies, without installing them, which is what an offline deployment needs. The files land in /var/cache/apt/archives/; copy them into a directory and pack it as gcc-offline.tar.gz for transfer (the listing below is from /opt/gcc-offline on the target machine):
root@ubuntu-virtual-machine:/opt/gcc-offline# ls
g++_4%3a7.4.0-1ubuntu2.3_amd64.deb libatomic1_8.4.0-1ubuntu1~18.04_amd64.deb libcilkrts5_7.5.0-3ubuntu1~18.04_amd64.deb libquadmath0_8.4.0-1ubuntu1~18.04_amd64.deb make_4.1-9.1ubuntu1_amd64.deb
g++-7_7.5.0-3ubuntu1~18.04_amd64.deb libc6_2.27-3ubuntu1.6_amd64.deb libgcc-7-dev_7.5.0-3ubuntu1~18.04_amd64.deb libstdc++-7-dev_7.5.0-3ubuntu1~18.04_amd64.deb manpages-dev_4.15-1_all.deb
gcc_4%3a7.4.0-1ubuntu2.3_amd64.deb libc6-dbg_2.27-3ubuntu1.6_amd64.deb libitm1_8.4.0-1ubuntu1~18.04_amd64.deb libtsan0_8.4.0-1ubuntu1~18.04_amd64.deb
gcc-7_7.5.0-3ubuntu1~18.04_amd64.deb libc6-dev_2.27-3ubuntu1.6_amd64.deb liblsan0_8.4.0-1ubuntu1~18.04_amd64.deb libubsan0_7.5.0-3ubuntu1~18.04_amd64.deb
libasan4_7.5.0-3ubuntu1~18.04_amd64.deb libc-dev-bin_2.27-3ubuntu1.6_amd64.deb libmpx2_8.4.0-1ubuntu1~18.04_amd64.deb linux-libc-dev_4.15.0-213.224_amd64.deb
Install the dependencies offline
tar -xzvf gcc-offline.tar.gz
cd gcc-offline
sudo dpkg -i *.deb
Build and install zlib
./configure --prefix=/usr/local/zlib
root@ubuntu-virtual-machine:/opt/zlib-1.3.1# ./configure --prefix=/usr/local/zlib
Checking for gcc...
Checking for shared library support...
Building shared library libz.so.1.3.1 with gcc.
Checking for size_t... Yes.
Checking for off64_t... Yes.
Checking for fseeko... Yes.
Checking for strerror... Yes.
Checking for unistd.h... Yes.
Checking for stdarg.h... Yes.
Checking whether to use vs[n]printf() or s[n]printf()... using vs[n]printf().
Checking for vsnprintf() in stdio.h... Yes.
Checking for return value of vsnprintf()... Yes.
Checking for attribute(visibility) support... Yes.
make && make install
root@ubuntu-virtual-machine:/opt/zlib-1.3.1# make && make install
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -I. -c -o example.o test/example.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o adler32.o adler32.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o crc32.o crc32.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o deflate.o deflate.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o infback.o infback.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o inffast.o inffast.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o inflate.o inflate.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o inftrees.o inftrees.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o trees.o trees.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o zutil.o zutil.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o compress.o compress.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o uncompr.o uncompr.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o gzclose.o gzclose.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o gzlib.o gzlib.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o gzread.o gzread.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o gzwrite.o gzwrite.c
ar rc libz.a adler32.o crc32.o deflate.o infback.o inffast.o inflate.o inftrees.o trees.o zutil.o compress.o uncompr.o gzclose.o gzlib.o gzread.o gzwrite.o
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -o example example.o -L. libz.a
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -I. -c -o minigzip.o test/minigzip.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -o minigzip minigzip.o -L. libz.a
gcc -O3 -fPIC -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -DPIC -c -o objs/adler32.o adler32.c
gcc -O3 -fPIC -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -DPIC -c -o objs/crc32.o crc32.c
gcc -O3 -fPIC -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -DPIC -c -o objs/deflate.o deflate.c
gcc -O3 -fPIC -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -DPIC -c -o objs/infback.o infback.c
gcc -O3 -fPIC -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -DPIC -c -o objs/inffast.o inffast.c
gcc -O3 -fPIC -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -DPIC -c -o objs/inflate.o inflate.c
gcc -O3 -fPIC -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -DPIC -c -o objs/inftrees.o inftrees.c
gcc -O3 -fPIC -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -DPIC -c -o objs/trees.o trees.c
gcc -O3 -fPIC -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -DPIC -c -o objs/zutil.o zutil.c
gcc -O3 -fPIC -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -DPIC -c -o objs/compress.o compress.c
gcc -O3 -fPIC -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -DPIC -c -o objs/uncompr.o uncompr.c
gcc -O3 -fPIC -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -DPIC -c -o objs/gzclose.o gzclose.c
gcc -O3 -fPIC -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -DPIC -c -o objs/gzlib.o gzlib.c
gcc -O3 -fPIC -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -DPIC -c -o objs/gzread.o gzread.c
gcc -O3 -fPIC -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -DPIC -c -o objs/gzwrite.o gzwrite.c
gcc -shared -Wl,-soname,libz.so.1,--version-script,zlib.map -O3 -fPIC -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -o libz.so.1.3.1 adler32.lo crc32.lo deflate.lo infback.lo inffast.lo inflate.lo inftrees.lo trees.lo zutil.lo compress.lo uncompr.lo gzclose.lo gzlib.lo gzread.lo gzwrite.lo -lc
rm -f libz.so libz.so.1
ln -s libz.so.1.3.1 libz.so
ln -s libz.so.1.3.1 libz.so.1
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -o examplesh example.o -L. libz.so.1.3.1
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -o minigzipsh minigzip.o -L. libz.so.1.3.1
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -I. -D_FILE_OFFSET_BITS=64 -c -o example64.o test/example.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -o example64 example64.o -L. libz.a
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -I. -D_FILE_OFFSET_BITS=64 -c -o minigzip64.o test/minigzip.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -o minigzip64 minigzip64.o -L. libz.a
rm -f /usr/local/zlib/lib/libz.a
cp libz.a /usr/local/zlib/lib
chmod 644 /usr/local/zlib/lib/libz.a
cp libz.so.1.3.1 /usr/local/zlib/lib
chmod 755 /usr/local/zlib/lib/libz.so.1.3.1
rm -f /usr/local/zlib/share/man/man3/zlib.3
cp zlib.3 /usr/local/zlib/share/man/man3
chmod 644 /usr/local/zlib/share/man/man3/zlib.3
rm -f /usr/local/zlib/lib/pkgconfig/zlib.pc
cp zlib.pc /usr/local/zlib/lib/pkgconfig
chmod 644 /usr/local/zlib/lib/pkgconfig/zlib.pc
rm -f /usr/local/zlib/include/zlib.h /usr/local/zlib/include/zconf.h
cp zlib.h zconf.h /usr/local/zlib/include
chmod 644 /usr/local/zlib/include/zlib.h /usr/local/zlib/include/zconf.h
Install OpenSSL
Check the current version
openssl version
# Output: OpenSSL 1.1.1 11 Sep 2018
Create the install directory
mkdir -p /usr/local/ssl
Download and unpack OpenSSL
cd /usr/local/src
tar zxvf openssl-3.2.2.tar.gz
cd openssl-3.2.2
Configure and install
./config --prefix=/usr/local/ssl --shared
make && make install
# The build and install take about 30 minutes
Verify the installation
openssl version
# Still reports the old version: PATH resolves "openssl" to the distribution's /usr/bin/openssl
Fix the shared-library dependency problem
/usr/local/ssl/bin/openssl version
# Error: ./openssl: error while loading shared libraries: libssl.so.3: cannot open shared object file: No such file or directory
# Fix: register the new library directory with the dynamic linker (on this x86_64 build OpenSSL 3 installs its libraries under lib64)
echo '/usr/local/ssl/lib64' >> /etc/ld.so.conf
ldconfig
# Verify again
/usr/local/ssl/bin/openssl version
# Output: OpenSSL 3.2.2 4 Jun 2024 (Library: OpenSSL 3.2.2 4 Jun 2024)
Make the environment variables permanent
- Confirm the installation
ls /usr/local/ssl/bin/ # confirm the new openssl executable is present
- Update the environment variables
Edit ~/.bashrc (or ~/.bash_profile):
nano ~/.bashrc
Append at the end of the file:
export PATH=/usr/local/ssl/bin:$PATH
export LD_LIBRARY_PATH=/usr/local/ssl/lib64:$LD_LIBRARY_PATH
The library directory is /usr/local/ssl/lib64, the same path that was added to /etc/ld.so.conf above; /usr/local/ssl/lib does not exist on this build. Because ldconfig already knows that path, the LD_LIBRARY_PATH line is optional, and note that it only affects interactive shells, not services started by systemd.
Save and apply the change:
source ~/.bashrc
- Refresh the shared-library cache
sudo ldconfig
- Verify the OpenSSL version
openssl version # Output: OpenSSL 3.2.2 4 Jun 2024 (Library: OpenSSL 3.2.2 4 Jun 2024)
Common OpenSSL installation errors
Running ./config --prefix=/usr/local/ssl --shared reports "Setting locale failed":
root@dwork:/usr/local/src/openssl-3.2.2# ./config --prefix=/usr/local/ssl --shared
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
	LANGUAGE = "”en_US:en”",
	LC_ALL = (unset),
	LANG = "”en_US.UTF-8″"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
Configuring OpenSSL version 3.2.2 for target linux-x86_64
Using os-specific seed configuration
Created configdata.pm
Running configdata.pm
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
	LANGUAGE = "”en_US:en”",
	LC_ALL = (unset),
	LANG = "”en_US.UTF-8″"
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
Created Makefile.in
Created Makefile
Created include/openssl/configuration.h

**********************************************************************
***                                                                ***
***   OpenSSL has been successfully configured                     ***
***                                                                ***
***   If you encounter a problem while building, please open an    ***
***   issue on GitHub <https://github.com/openssl/openssl/issues>  ***
***   and include the output from the following command:           ***
***                                                                ***
***       perl configdata.pm --dump                                ***
***                                                                ***
***   (If you are new to OpenSSL, you might want to consult the    ***
***   'Troubleshooting' section in the INSTALL.md file first)      ***
***                                                                ***
**********************************************************************
Solution
The values perl prints contain curly quotes (”en_US.UTF-8″) inside the variables, so the locale name itself was malformed, not merely missing. Set the variables again with plain ASCII quotes and export them, then make sure the locale is actually generated:
# Open the shell profile in an editor
sudo nano ~/.bashrc
# Add the following
export LANGUAGE="en_US:en"
export LANG="en_US.UTF-8"
# Apply the change
source ~/.bashrc
# 1. Install the locales package (if not already installed)
sudo apt-get update && sudo apt-get install -y locales
# 2. Generate the en_US.UTF-8 locale
sudo locale-gen en_US.UTF-8
# 3. Verify that the locale was generated
locale -a | grep en_US.UTF-8
Installing a Telnet server offline
Telnet serves here only as a temporary fallback way into the host while sshd is removed and rebuilt. It carries credentials and the whole session in cleartext, so restrict it to the management address with xinetd's only_from attribute, and set disable = yes and remove telnetd again as soon as the new SSH service has been verified.
1. Download the packages on a networked machine
sudo apt-get install --download-only telnetd xinetd -y
2. Install xinetd and telnetd
dpkg -i xinetd_1%3a2.3.15.3-1_amd64.deb
dpkg -i telnetd_0.17-41_amd64.deb
3. Check the xinetd service status
systemctl status xinetd
Example output:
● xinetd.service - LSB: Starts or stops the xinetd daemon.
   Loaded: loaded (/etc/init.d/xinetd; generated)
   Active: active (running) since Wed 2025-05-07 15:52:38 CST; 4 days ago
     Docs: man:systemd-sysv-generator(8)
  Process: 27492 ExecStop=/etc/init.d/xinetd stop (code=exited, status=0/SUCCESS)
  Process: 27499 ExecStart=/etc/init.d/xinetd start (code=exited, status=0/SUCCESS)
    Tasks: 3 (limit: 4915)
   CGroup: /system.slice/xinetd.service
           ├─20505 in.telnetd: 10.252.248.10
           ├─27527 /usr/sbin/xinetd -pidfile /run/xinetd.pid -stayalive -inetd_compat -inetd_ipv6
           └─27680 in.telnetd: 10.252.248.20
4. Configure the Telnet service
sudo nano /etc/xinetd.d/telnet
Configuration file contents:
service telnet
{
    disable         = no
    socket_type     = stream
    protocol        = tcp
    wait            = no
    user            = root
    server          = /usr/sbin/in.telnetd
    port            = 23
    log_on_failure  += USERID
}
5. Restart the service and verify
sudo systemctl restart xinetd
sudo systemctl status xinetd
lsof -i :23
6. Change the default port (optional)
To move the Telnet service to another port (the example here uses 123; note that /etc/services already assigns 123/tcp to ntp, so in practice pick a port that is not listed there):
- Edit /etc/services:
telnet 123/tcp # custom Telnet service port
- Edit /etc/xinetd.d/telnet:
service telnet
{
    disable         = no
    socket_type     = stream
    protocol        = tcp
    wait            = no
    user            = root
    server          = /usr/sbin/in.telnetd
    port            = 123
    log_on_failure  += USERID
}
- Restart the service and test:
sudo systemctl restart xinetd
telnet <server IP> 123
Back up and remove the old OpenSSH
1. Back up the SSH configuration files
cp -r /etc/ssh /etc/ssh.old
2. Back up the SSH executables
cp -p /usr/sbin/sshd /usr/sbin/sshd.bak
cp -p /usr/bin/ssh /usr/bin/ssh.bak
cp -p /usr/bin/ssh-keygen /usr/bin/ssh-keygen.bak
3. Stop the SSH service
systemctl status sshd
systemctl stop sshd
Note: do not close the remote session you are working in. Once sshd is stopped, no new SSH logins are possible until the new service is running; the existing session stays open.
4. List and remove the installed OpenSSH packages
dpkg -l | grep openssh
Example output:
ii openssh-client 1:7.6p1-4ubuntu0.7 amd64 secure shell (SSH) client, for secure access to remote machines
ii openssh-server 1:7.6p1-4ubuntu0.7 amd64 secure shell (SSH) server, for secure access from remote machines
ii openssh-sftp-server 1:7.6p1-4ubuntu0.7 amd64 secure shell (SSH) sftp server module, for SFTP access from remote machines
5. Remove the packages
apt purge openssh-server openssh-client openssh-sftp-server
The removal failed with a missing-dependency error.
Download the missing packages on a networked machine: sudo apt-get install --download-only curl libcurl4 -y
As with the build prerequisites, --download-only only fetches the .deb files into /var/cache/apt/archives/; install them on the target with dpkg -i, then repeat the purge.
6. Verify the removal
dpkg -l | grep openssh
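Steps 1 and 2 above copy the configuration directory and binaries by hand. The script below is an added example (not part of the original post) that does the same backup into a timestamped directory and writes a SHA-256 manifest, so the copy can be verified before sshd is stopped and again before any rollback. All paths are parameters; the destination root /root/ssh-backups used in the guarded call at the end is an assumption, and the test exercises the functions in a scratch directory.

```shell
#!/bin/sh
# Added example: timestamped backup of the SSH configuration directory and the
# binaries the upgrade overwrites, with a SHA-256 manifest for verification.
# Paths are parameters; nothing runs against the real host unless DO_SSH_BACKUP=1.

# backup_ssh CONFIG_DIR DEST_ROOT [BINARY ...]
# Copies CONFIG_DIR to DEST_ROOT/ssh-backup-<timestamp>/etc-ssh (modes and
# timestamps preserved), each BINARY to .../bin/, writes SHA256SUMS and prints
# the backup directory path on stdout.
backup_ssh() {
    cfg=$1; root=$2; shift 2
    [ -d "$cfg" ] || { printf 'not a directory: %s\n' "$cfg" >&2; return 1; }
    dest="$root/ssh-backup-$(date +%Y%m%d-%H%M%S)"
    [ -e "$dest" ] && { printf 'backup already exists: %s\n' "$dest" >&2; return 1; }
    mkdir -p "$dest/bin" || return 1
    cp -pR "$cfg" "$dest/etc-ssh" || return 1
    for b in "$@"; do
        cp -p "$b" "$dest/bin/" || return 1
    done
    # Manifest over every regular file, relative to the backup root.
    (cd "$dest" && find . -type f ! -name SHA256SUMS -exec sha256sum {} + | sort -k2 > SHA256SUMS) || return 1
    # The copy contains private host keys; keep the whole tree root-only.
    chmod 700 "$dest" || return 1
    printf '%s\n' "$dest"
}

# verify_backup BACKUP_DIR: succeeds only if every file still matches the manifest.
verify_backup() {
    [ -f "$1/SHA256SUMS" ] || return 1
    (cd "$1" && sha256sum -c --status SHA256SUMS)
}

# backup_file_count BACKUP_DIR: number of files recorded in the manifest.
backup_file_count() {
    wc -l < "$1/SHA256SUMS" | tr -d ' '
}

# Real run, guarded so that sourcing this file has no side effects.
if [ "${DO_SSH_BACKUP:-0}" = 1 ]; then
    dest=$(backup_ssh /etc/ssh /root/ssh-backups /usr/sbin/sshd /usr/bin/ssh /usr/bin/ssh-keygen) \
        && verify_backup "$dest" \
        && echo "backup verified: $dest ($(backup_file_count "$dest") files)"
fi
```

Run it as root with DO_SSH_BACKUP=1 before step 3; a later verify_backup on the printed directory tells you whether the copy you are about to restore from is still intact.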
Upgrade OpenSSH
First, create the OpenSSH install directory:
mkdir -p /usr/local/openssh
Change to /usr/local/src and download the OpenSSH source archive:
cd /usr/local/src
wget http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.8p1.tar.gz
Unpack the archive:
tar zxvf openssh-9.8p1.tar.gz
Enter the unpacked directory:
cd openssh-9.8p1
Configure the build, giving the install prefix and the locations of the zlib and OpenSSL builds from the earlier steps:
./configure --prefix=/usr/local/openssh --with-zlib=/usr/local/zlib --with-ssl-dir=/usr/local/ssl
On success the output looks like this:
root@ubuntu-virtual-machine:/opt/openssh-9.8p1# ./configure --prefix=/usr/local/openssh --with-zlib=/usr/local/zlib --with-ssl-dir=/usr/local/ssl
checking for cc... cc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether the compiler supports GNU C... yes
checking whether cc accepts -g... yes
checking for cc option to enable C11 features... none needed
checking if cc supports C99-style variadic macros... yes
checking build system type... x86_64-pc-linux-gnu
checking host system type... x86_64-pc-linux-gnu
checking for stdio.h... yes
checking for stdlib.h... yes
checking for string.h... yes
……
checking for dropbearconvert... no
configure: creating ./config.status
config.status: creating Makefile
config.status: creating buildpkg.sh
config.status: creating opensshd.init
config.status: creating openssh.xml
config.status: creating openbsd-compat/Makefile
config.status: creating openbsd-compat/regress/Makefile
config.status: creating survey.sh
config.status: creating config.h

OpenSSH has been configured with the following options:
                     User binaries: /usr/local/openssh/bin
                   System binaries: /usr/local/openssh/sbin
               Configuration files: /usr/local/openssh/etc
                   Askpass program: /usr/local/openssh/libexec/ssh-askpass
                      Manual pages: /usr/local/openssh/share/man/manX
                          PID file: /var/run
  Privilege separation chroot path: /var/empty
            sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/openssh/bin
                    Manpage format: doc
                       PAM support: no
                   OSF SIA support: no
                 KerberosV support: no
                   SELinux support: no
                   libedit support: no
                   libldns support: no
  Solaris process contract support: no
           Solaris project support: no
         Solaris privilege support: no
       IP address in $DISPLAY hack: no
           Translate v4 in v6 hack: yes
                  BSD Auth support: no
              Random number source: OpenSSL internal ONLY
             Privsep sandbox style: seccomp_filter
                   PKCS#11 support: yes
                  U2F/FIDO support: yes

              Host: x86_64-pc-linux-gnu
          Compiler: cc
    Compiler flags: -g -O2 -pipe -Wno-error=format-truncation -Wall -Wextra -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-parameter -Wno-unused-result -Wimplicit-fallthrough -Wmisleading-indentation -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE
Preprocessor flags: -I/usr/local/ssl/include -I/usr/local/zlib/include -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -D_GNU_SOURCE -DOPENSSL_API_COMPAT=0x10100000L
      Linker flags: -L/usr/local/ssl/lib64 -L/usr/local/zlib/lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -pie
         Libraries: -ldl -lutil -lresolv
         +for channels: -lcrypto -lz
         +for sshd: -lcrypt

root@ubuntu-virtual-machine:/opt/openssh-9.8p1# systemctl status sshd
Unit sshd.service could not be found.
Two lines in this summary matter later. "PAM support: no" means the build was configured without --with-pam, so, unlike the distribution package, PAM-based login policies (account lockout, password aging, pam_env) will not apply to SSH logins; add --with-pam (and libpam0g-dev) to the configure line if they are needed. "Configuration files: /usr/local/openssh/etc" is the compiled-in sysconfdir: this sshd reads /usr/local/openssh/etc/sshd_config and its host keys from that directory unless started with -f, which is why the port change at the end of this guide edits that file.
After make && make install, the installer prints:
/usr/bin/install -c -m 644 sshd.8.out /usr/local/openssh/share/man/man8/sshd.8
/usr/bin/install -c -m 644 sftp.1.out /usr/local/openssh/share/man/man1/sftp.1
/usr/bin/install -c -m 644 sftp-server.8.out /usr/local/openssh/share/man/man8/sftp-server.8
/usr/bin/install -c -m 644 ssh-keysign.8.out /usr/local/openssh/share/man/man8/ssh-keysign.8
/usr/bin/install -c -m 644 ssh-pkcs11-helper.8.out /usr/local/openssh/share/man/man8/ssh-pkcs11-helper.8
/usr/bin/install -c -m 644 ssh-sk-helper.8.out /usr/local/openssh/share/man/man8/ssh-sk-helper.8
/bin/mkdir -p /usr/local/openssh/etc
ssh-keygen: generating new host keys: RSA ECDSA ED25519
/usr/local/openssh/sbin/sshd -t -f /usr/local/openssh/etc/sshd_config
Privilege separation user sshd does not exist
Makefile:396: recipe for target 'check-config' failed
make: [check-config] Error 255 (ignored)
The check-config error at the end is only the post-install sshd -t run failing because the privilege-separation user does not exist yet; make marks it as ignored, and the user is created in the "Create the system user" step below. Because sshd disallows root login by default (the compiled-in PermitRootLogin default is prohibit-password, so only key-based root login is accepted), the default configuration is kept unchanged here.
Next, copy the newly generated configuration file and binaries over the system defaults:
mkdir -p /etc/ssh/
cp /usr/local/openssh/etc/sshd_config /etc/ssh/sshd_config
cp /usr/sbin/sshd /usr/sbin/sshd
cp /usr/local/openssh/bin/ssh /usr/bin/ssh
cp /usr/local/openssh/bin/ssh-keygen /usr/bin/ssh-keygen
cp /usr/local/openssh/etc/ssh_host_ecdsa_key.pub /etc/ssh/ssh_host_ecdsa_key.pub
Note that the copied /usr/sbin/sshd still uses its compiled-in directory /usr/local/openssh/etc, so the copy into /etc/ssh is a convenience for administrators, not what the service reads. make install also generated a fresh set of host keys in /usr/local/openssh/etc; clients that already have this host in known_hosts will therefore see a host-key-changed warning. To keep the previous identity, copy the ssh_host_*_key files (and their .pub files) from /etc/ssh.old into /usr/local/openssh/etc before starting the new service.
Verify that the SSH version has been upgraded:
ssh -V
OpenSSH_9.8p1, OpenSSL 3.2.2 4 Jun 2024
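The version banner is the first thing to check, but not the only one: the new sshd must actually be loading libcrypto from /usr/local/ssl/lib64 rather than the distribution's library, and the effective server configuration must not offer a 64-bit block cipher, which is the CVE-2016-2183 class the upgrade was started for. The script below is an added example, not part of the original post. Its parsers take tool output as strings so they can be tested offline; the SAMPLE_* banners, sshd -T excerpts and ldd excerpt are constructed, and the live checks run only when SSH_CHECK_LIVE=1 and ssh, ldd and sshd are present.

```shell
#!/bin/sh
# Added example: post-upgrade checks for the OpenSSH/OpenSSL rebuild described above.
# All SAMPLE_* values are constructed, not captured from the author's host.

SAMPLE_OLD_BANNER='OpenSSH_7.6p1 Ubuntu-4ubuntu0.7, OpenSSL 1.0.2n 7 Dec 2017'
SAMPLE_NEW_BANNER='OpenSSH_9.8p1, OpenSSL 3.2.2 4 Jun 2024'
# Constructed `sshd -T` excerpts: a host still configured with 3des-cbc, and the 9.8 defaults.
SAMPLE_OLD_SSHD_T='port 22
ciphers 3des-cbc,aes128-ctr,aes256-ctr'
SAMPLE_NEW_SSHD_T='port 5000
ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com'
# Constructed `ldd /usr/sbin/sshd` excerpt (sshd links libcrypto, not libssl).
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffd0c5f2000)
    libcrypto.so.3 => /usr/local/ssl/lib64/libcrypto.so.3 (0x00007f1a2c000000)
    libz.so.1 => /usr/local/zlib/lib/libz.so.1 (0x00007f1a2c400000)'

# Release number ("9.8") from an `ssh -V` banner.
ssh_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# OpenSSL version ("1.0.2n", "3.2.2") from an `ssh -V` or `openssl version` banner.
openssl_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/.*OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p'
}

# version_ge A B: succeeds when dotted version A >= B; a letter suffix ("2n") is ignored.
version_ge() {
    v1=$1; v2=$2
    while [ -n "$v1" ] || [ -n "$v2" ]; do
        p1=${v1%%.*}; p2=${v2%%.*}
        case $v1 in *.*) v1=${v1#*.};; *) v1=;; esac
        case $v2 in *.*) v2=${v2#*.};; *) v2=;; esac
        p1=${p1%%[!0-9]*}; p2=${p2%%[!0-9]*}
        if [ "${p1:-0}" -gt "${p2:-0}" ]; then return 0; fi
        if [ "${p1:-0}" -lt "${p2:-0}" ]; then return 1; fi
    done
    return 0
}

# upgrade_ok BANNER MIN_SSH MIN_SSL: both components at or above the expected releases.
upgrade_ok() {
    version_ge "$(ssh_version_from_banner "$1")" "$2" &&
        version_ge "$(openssl_version_from_banner "$1")" "$3"
}

# Path of libcrypto as resolved by the dynamic linker, from `ldd` output text.
libcrypto_from_ldd() {
    printf '%s\n' "$1" | awk '$1 ~ /^libcrypto\.so/ { print $3 }'
}

# Configured ciphers with a 64-bit block (the SWEET32 class) in `sshd -T` output.
weak_ciphers_in_sshd_t() {
    printf '%s\n' "$1" | awk '$1 == "ciphers" { print $2 }' | tr ',' '\n' \
        | grep -E '^(3des|blowfish|cast128)' || true
}

# Live mode: the same checks against this host (needs ssh, ldd and root for sshd -T).
run_live_checks() {
    banner=$(ssh -V 2>&1)
    if upgrade_ok "$banner" 9.8 3.2.2; then echo "ok: $banner"; else echo "STALE: $banner"; fi
    echo "sshd libcrypto: $(libcrypto_from_ldd "$(ldd /usr/sbin/sshd)")"
    weak=$(weak_ciphers_in_sshd_t "$(/usr/sbin/sshd -T 2>/dev/null)")
    if [ -z "$weak" ]; then echo "no 64-bit block ciphers configured"; else echo "WEAK ciphers: $weak"; fi
}
if [ "${SSH_CHECK_LIVE:-0}" = 1 ]; then run_live_checks; fi
```

The libcrypto path is the check that catches a forgotten ldconfig step: if it resolves to /usr/lib/x86_64-linux-gnu instead of /usr/local/ssl/lib64, the new sshd is running on the distribution's library and the rebuild bought nothing.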
Auto-start configuration for a source install
Service unit file
Path: /lib/systemd/system/ssh.service
[Unit]
Description=OpenBSD Secure Shell server
After=network.target auditd.service
ConditionPathExists=!/etc/ssh/sshd_not_to_be_run

[Service]
EnvironmentFile=-/etc/default/ssh
ExecStartPre=/usr/sbin/sshd -t
ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
ExecReload=/usr/sbin/sshd -t
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartPreventExitStatus=255
Type=notify
RuntimeDirectory=sshd
RuntimeDirectoryMode=0755

[Install]
WantedBy=multi-user.target
Alias=sshd.service
The ExecStartPre line runs sshd -t, so a broken configuration fails the unit at start instead of leaving a half-started daemon; since ExecStart gives no -f, the file being validated and used is the compiled-in /usr/local/openssh/etc/sshd_config.
Create the symbolic link
sudo ln -s /lib/systemd/system/ssh.service /etc/systemd/system/sshd.service
Create the system user
This is the privilege-separation user that the make install check-config step complained about:
sudo useradd -r -u 122 -g 65534 -d /run/sshd -s /usr/sbin/nologin sshd
Reload the systemd configuration
sudo systemctl daemon-reload
sudo systemctl status ssh
sudo systemctl enable ssh
sudo journalctl -xe | grep sshd
Change the SSH port
Edit the configuration file
Path: /usr/local/openssh/etc/sshd_config
Port 5000
#PermitRootLogin yes
Leaving PermitRootLogin commented keeps the compiled-in default (prohibit-password).
Sync the configuration file
cp /usr/local/openssh/etc/sshd_config /etc/ssh/sshd_config
sudo systemctl daemon-reload
sudo systemctl restart ssh
Verify the connection
Test from a second terminal while the current session stays open; ssh takes the port with lowercase -p (-P belongs to scp and sftp):
ssh -p 5000 <server IP>
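Changing the port is the step most likely to lock an administrator out, so it is worth a validation gate. The script below is an added example, not part of the original post: it rewrites the Port directive in place, reads the effective port back, and in apply_port_change runs the same sshd -t -f check that the unit's ExecStartPre uses before restarting, then confirms the listener from the still-open session. It targets /usr/local/openssh/etc/sshd_config because that is the compiled-in path the new sshd reads. The ss tool from iproute2 is assumed available; the NEW_SSH_PORT and DO_SSHD_PORT_CHANGE variable names are this example's own, and the test runs on a constructed sshd_config.

```shell
#!/bin/sh
# Added example: change the sshd listening port behind a validation gate, so a
# bad edit never leaves the host without a working SSH listener. Nothing touches
# the real service unless DO_SSHD_PORT_CHANGE=1.

# set_sshd_port CONFIG PORT: replace the first "Port" line (commented or not)
# with "Port PORT", or append one if the file has none. Rejects non-numeric or
# out-of-range ports. The file is rewritten through cat so mode and owner are kept.
set_sshd_port() {
    cfg=$1; port=$2
    case $port in ''|*[!0-9]*) printf 'invalid port: %s\n' "$port" >&2; return 1;; esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        printf 'port out of range: %s\n' "$port" >&2; return 1
    fi
    [ -f "$cfg" ] || { printf 'no such file: %s\n' "$cfg" >&2; return 1; }
    scratch=$(mktemp) || return 1
    awk -v p="$port" '
        !done && $0 ~ /^[ \t]*#?[ \t]*Port[ \t]+/ { print "Port " p; done = 1; next }
        { print }
        END { if (!done) print "Port " p }
    ' "$cfg" > "$scratch" && cat "$scratch" > "$cfg"
    rc=$?
    rm -f "$scratch"
    return $rc
}

# sshd_port_from_config CONFIG: the port sshd will use (first Port line wins; default 22).
sshd_port_from_config() {
    awk '$1 == "Port" && !seen { p = $2; seen = 1 } END { print (seen ? p : 22) }' "$1"
}

# apply_port_change SSHD_BIN CONFIG PORT: edit, validate with `sshd -t -f`,
# restart only if validation passes, then confirm that something listens there.
apply_port_change() {
    bin=$1; cfg=$2; port=$3
    set_sshd_port "$cfg" "$port" || return 1
    if ! "$bin" -t -f "$cfg"; then
        printf 'sshd rejected %s; service not restarted\n' "$cfg" >&2
        return 1
    fi
    systemctl restart ssh || return 1
    sleep 1
    # `ss` from iproute2; the filter selects TCP listeners on the new port.
    ss -ltn "sport = :$port" | grep -q LISTEN
}

if [ "${DO_SSHD_PORT_CHANGE:-0}" = 1 ]; then
    apply_port_change /usr/sbin/sshd /usr/local/openssh/etc/sshd_config "${NEW_SSH_PORT:-5000}" \
        && echo "sshd now listening on port $(sshd_port_from_config /usr/local/openssh/etc/sshd_config)"
fi
```

If the final ss check fails, the old session is still open: revert the Port line with set_sshd_port back to the previous value and restart again before logging out.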
Example configuration file
root@dwork:/etc/ssh# cat /etc/ssh.old/sshd_config
#	$OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

Port 5000
#PermitRootLogin yes
……
With that, the OpenSSH upgrade is complete. Suggestions and corrections are welcome.