CentOS 7.6: Procedure for upgrading OpenSSL and OpenSSH
1、Upload the installation packages to the server
●Environment preparation
1.Upload the packages to the /root/soft directory
2.Enable outbound internet access on the server; it is needed to install the dependency packages
2、Install dependency packages
2.1.Install the new perl package
●Check the server's current perl version
perl -v
●Install perl 5.40.0
cd /root/soft
tar zxvf perl-5.40.0.tar.gz
cd perl-5.40.0/
./Configure -des -Dprefix=/usr/local/perl -Dusethreads -Uversiononly
make && make install
●Replace the old perl command
cd /usr/bin
mv perl perl.old #rename the original perl to perl.old and stop using it
ln -s /usr/local/perl/bin/perl /usr/bin/perl #create a symlink so the new perl is used
●Verify the installation
perl -v
2.2.Install the other dependency packages
●Configure the yum repository
cd /etc/yum.repos.d/
mkdir bk
mv *.repo bk
sudo curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
●Install the dependency packages
yum -y install pam-devel tcp_wrappers tcp-wrappers-devel gcc gcc-c++ glibc make autoconf openssl-devel zlib-devel
3、Upgrade OpenSSL to 3.3.2
●Check the server's current openssl version
openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017
●Find the paths of the current openssl files
whereis openssl
●Back up the current openssl files
mv /usr/bin/openssl /usr/bin/openssl.old
mv /usr/include/openssl /usr/include/openssl.old
●Remove the current openssl
yum remove openssl
●Build and install openssl 3.3.2
cd /root/soft
tar zxvf openssl-3.3.2.tar.gz
cd openssl-3.3.2/
./config shared zlib --prefix=/usr/local/openssl --openssldir=/usr/local/openssl
make
make install
●Create links to the new version
ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
ln -s /usr/local/openssl/lib64/libssl.so.3 /usr/lib64/
ln -s /usr/local/openssl/lib64/libcrypto.so.3 /usr/lib64/
ln -s /usr/local/openssl/include/openssl /usr/include/openssl
●Register the new library directory and refresh the linker cache
echo "/usr/local/openssl/lib64" >> /etc/ld.so.conf.d/ssl.conf
ldconfig -v
●Verify the openssl version
openssl version
OpenSSL 3.3.2 3 Sep 2024 (Library: OpenSSL 3.3.2 3 Sep 2024)
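The version string alone does not prove that the new library is the one actually loaded: the binary in /usr/bin may still resolve libssl from a stale path, or the symlinks in /usr/lib64 may be missing. The following script is an added example, not part of the original document; it parses the output of `openssl version` and `ldd` and confirms that both libssl.so.3 and libcrypto.so.3 resolve under the /usr/local/openssl prefix used in the steps above, and that the ld.so.conf.d entry is present. The function names are this example's own, and the `--check` entry point is an assumption about how it is invoked.

```shell
#!/bin/sh
# Added example (not from the original document): post-upgrade checks for the
# OpenSSL 3.3.2 install described above. Assumes the prefix /usr/local/openssl
# and the ld.so.conf.d/ssl.conf entry created in the steps above.

OPENSSL_PREFIX=/usr/local/openssl

# Extract "major.minor.patch" from an `openssl version` line, e.g.
# "OpenSSL 3.3.2 3 Sep 2024 (Library: OpenSSL 3.3.2 3 Sep 2024)" -> "3.3.2"
openssl_version_string() {
    printf '%s\n' "$1" | awk '{print $2}'
}

# Return 0 if the major version in an `openssl version` line is >= $2.
# "1.0.2k-fips" yields major 1, so the old build fails a check against 3.
openssl_major_at_least() {
    _ver=$(openssl_version_string "$1")
    _major=${_ver%%.*}
    case "$_major" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$_major" -ge "$2" ]
}

# Given captured ldd output and a library soname, print the path the loader
# resolved it to. A "not found" entry prints "not", which never matches a prefix.
ldd_resolved_path() {
    printf '%s\n' "$1" | awk -v lib="$2" '$1 == lib && $2 == "=>" {print $3; exit}'
}

# Return 0 only if both libssl.so.3 and libcrypto.so.3 resolve under prefix $2.
ldd_links_to_prefix() {
    _ssl=$(ldd_resolved_path "$1" libssl.so.3)
    _crypto=$(ldd_resolved_path "$1" libcrypto.so.3)
    case "$_ssl" in "$2"/*) ;; *) return 1 ;; esac
    case "$_crypto" in "$2"/*) ;; *) return 1 ;; esac
    return 0
}

# Live check against the real system; run as: sh verify_openssl.sh --check
verify_openssl_install() {
    _out=$(openssl version 2>&1) || { echo "openssl not runnable: $_out"; return 1; }
    openssl_major_at_least "$_out" 3 || { echo "unexpected version: $_out"; return 1; }
    _ldd=$(ldd "$(command -v openssl)")
    ldd_links_to_prefix "$_ldd" "$OPENSSL_PREFIX/lib64" || {
        echo "openssl does not load libssl/libcrypto from $OPENSSL_PREFIX/lib64:"
        printf '%s\n' "$_ldd" | grep -E 'libssl|libcrypto'
        return 1
    }
    grep -qx "$OPENSSL_PREFIX/lib64" /etc/ld.so.conf.d/ssl.conf 2>/dev/null \
        || { echo "/etc/ld.so.conf.d/ssl.conf is missing $OPENSSL_PREFIX/lib64"; return 1; }
    echo "OK: $_out"
}

if [ "${1:-}" = "--check" ]; then
    verify_openssl_install
fi
```

Run it after the `ldconfig -v` step. The ldd check is the part worth keeping: the system openssl-libs package (libssl.so.10) stays installed for yum, curl and other tools, and that is fine, but the new `openssl` binary must pick up libssl.so.3 from the new prefix rather than report "not found", which is exactly what happens if the lib64 symlinks or the ld.so.conf.d entry were skipped.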
4、Upgrade OpenSSH to 9.8p1
4.1.Install the telnet tool
●Install telnet
yum install telnet* -y
systemctl start telnet.socket
systemctl enable telnet.socket
●Temporarily disable the secure-tty login restriction, otherwise remote telnet login is not possible; restore it once the upgrade is complete
mv /etc/securetty /etc/securetty.bak
●If a firewall is running, remember to stop it, and also disable SELinux
firewall-cmd --state
systemctl stop firewalld.service
●Test remote telnet login
telnet 192.168.101.198
4.2.Log in via telnet and upgrade openssh
##Logging in remotely via telnet guards against losing remote access to the server if the sshd upgrade fails
telnet <IP address>
●Check the server's current openssh version
ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
●Find the paths of the current openssh files
whereis ssh sshd
●Back up the openssh configuration files
mv /etc/ssh /etc/ssh.bak
mv /usr/bin/ssh /usr/bin/ssh.bak
mv /usr/sbin/sshd /usr/sbin/sshd.bak
●Back up the pam authentication file
mv /etc/pam.d/sshd /etc/pam.d/sshd.old
●Remove the old openssh package
yum remove openssh
4.3.Build and install openssh 9.8p1
●Build and install
cd /root/soft
tar zxvf openssh-9.8p1.tar.gz
cd openssh-9.8p1/
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-tcp-wrappers --with-ssl-dir=/usr/local/openssl/ --without-hardening --with-zlib
make && make install
●Create the startup script
cp contrib/redhat/sshd.init /etc/init.d/sshd
●Configure the PAM module
vi /etc/pam.d/sshd
#%PAM-1.0
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare
●Restore and re-enable the secure-tty login restriction
mv /etc/securetty.bak /etc/securetty
●Restart the ssh service
chkconfig --add sshd
chkconfig sshd on
systemctl enable sshd
systemctl restart sshd
●Check the version
ssh -V
OpenSSH_9.8p1, OpenSSL 3.3.2 3 Sep 2024
5、Test
●Edit the configuration file to allow root login
vi /etc/ssh/sshd_config
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
●Restart the ssh service
systemctl restart sshd
●Test ssh
ssh <IP address>
●Stop the telnet service
systemctl stop telnet.socket
systemctl disable telnet.socket
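Two things are easy to get wrong in the test step above. First, sshd honours only the first occurrence of each keyword in sshd_config and ignores everything after a Match line for global settings, so a `PermitRootLogin yes` appended at the end of the file does nothing if an earlier line already sets it. Second, restarting sshd with a broken config leaves only the cleartext telnet session as a way in, so the config should be validated with `sshd -t` before the restart and telnet stopped only afterwards. The script below is an added example, not part of the original document; it assumes the paths used above (/etc/ssh/sshd_config and /usr/sbin/sshd), the function names are its own, and the stated defaults are the OpenSSH 9.8p1 built-in values (PermitRootLogin prohibit-password, PasswordAuthentication yes, UsePAM no).

```shell
#!/bin/sh
# Added example (not from the original document): report the effective login
# settings in sshd_config and validate the config before restarting sshd, so the
# telnet fallback session is closed only once the new sshd is known to start.
# Assumes /etc/ssh/sshd_config and /usr/sbin/sshd as installed in the steps above.

SSHD_CONFIG=/etc/ssh/sshd_config

# sshd uses the FIRST occurrence of a keyword; later duplicates are ignored, and
# keywords after a Match line are conditional rather than global. This prints the
# effective global value (keyword match is case-insensitive) or $3 when unset.
sshd_effective_option() {
    _file=$1; _key=$2; _default=$3
    _val=$(awk -v key="$_key" '
        /^[[:space:]]*#/ { next }                      # comment lines
        tolower($1) == "match" { exit }                # conditional block begins; stop
        tolower($1) == tolower(key) { print $2; exit } # first occurrence wins
    ' "$_file")
    printf '%s\n' "${_val:-$_default}"
}

# Print the three settings the login test above depends on, one KEY=VALUE per
# line, filling in the OpenSSH 9.8p1 built-in default where the file is silent.
sshd_report_login_settings() {
    for _k in PermitRootLogin PasswordAuthentication UsePAM; do
        case $_k in
            PermitRootLogin)        _d=prohibit-password ;;
            PasswordAuthentication) _d=yes ;;
            UsePAM)                 _d=no ;;
        esac
        printf '%s=%s\n' "$_k" "$(sshd_effective_option "$1" "$_k" "$_d")"
    done
}

# Validate syntax and host keys with sshd -t; restart only if that passes, and
# leave the running daemon (and the telnet session) untouched otherwise.
safe_restart_sshd() {
    /usr/sbin/sshd -t -f "$SSHD_CONFIG" || {
        echo "sshd -t failed; not restarting sshd, keep the telnet session open"
        return 1
    }
    systemctl restart sshd && systemctl is-active sshd
}

# Run from the telnet session as: sh check_sshd.sh --check
if [ "${1:-}" = "--check" ]; then
    sshd_report_login_settings "$SSHD_CONFIG"
    safe_restart_sshd
fi
```

Run it from the telnet session right after editing sshd_config and before the `systemctl restart sshd` step; proceed to `ssh <IP address>` and the final `systemctl stop telnet.socket` only when the report shows the values you edited in and `systemctl is-active sshd` prints active. Once the login test has passed, the same report is a convenient way to confirm that PermitRootLogin and PasswordAuthentication have been set back to whatever the server's normal policy requires.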