1、准备工作(本次升级是虚拟机测试环境)
注意:如果是生产环境,建议先做好备份!!!同时建议保留一个已登录的 ssh 会话或控制台访问方式,以防 sshd 重启失败后无法再登录服务器。
首先一台虚拟机,我这边使用的是centos7的系统,openssh版本如下
[root@docker-client ~]# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
[root@docker-client ~]#
2、安装centos对应的依赖包和命令
[root@docker-client ~]# yum -y install wget gcc openssl-devel pam-devel rpm-build zlib-devel
3、官网下载openssl安装包:https://www.openssl.org/source/old/1.1.1/index.html
可以下载好上传到对应服务器,或者直接使用wget命令下载
[root@docker-client ~]# wget https://www.openssl.org/source/old/1.1.1/openssl-1.1.1t.tar.gz
[root@docker-client ~]# ls -l
total 490008
-rw-r--r-- 1 root root 491879424 Apr 2 11:01 centos7.tar
-rw-r--r-- 1 root root 9881866 Dec 4 22:38 openssl-1.1.1t.tar.gz
-rw-r--r-- 1 root root 56 Mar 29 15:41 test.txt
[root@docker-client ~]#
4、编译安装openssl
4.1 解压并移动到/usr/local/目录下
[root@docker-client ~]# tar xf openssl-1.1.1t.tar.gz
[root@docker-client ~]# mv openssl-1.1.1t /usr/local/
[root@docker-client local]# ls
bin etc games include lib lib64 libexec nginx openssl openssl-1.1.1t sbin share src
[root@docker-client local]# cd openssl-1.1.1t/
[root@docker-client openssl-1.1.1t]# ls
ACKNOWLEDGEMENTS config crypto FAQ libcrypto.pc libssl.so NOTES.ANDROID openssl.pc ssl
apps config.com demos fuzz libcrypto.so libssl.so.1.1 NOTES.DJGPP os-dep test
appveyor.yml configdata.pm doc include libcrypto.so.1.1 LICENSE NOTES.PERL pod2htmd.tmp tools
AUTHORS Configurations engines INSTALL libssl.a Makefile NOTES.UNIX README util
build.info Configure e_os.h libcrypto.a libssl.map ms NOTES.VMS README.ENGINE VMS
CHANGES CONTRIBUTING external libcrypto.map libssl.pc NEWS NOTES.WIN README.FIPS wycheproof
4.2 编译安装openssl
./config shared --prefix=/usr/local/openssl
- ./config:运行 OpenSSL 配置脚本的命令。配置脚本根据系统环境和需求生成相应的 Makefile,供后续编译使用。
- shared:告诉配置脚本生成共享库(Shared Library,即动态链接库),使 OpenSSL 库可以在不同程序之间共享。
- --prefix=/usr/local/openssl:指定安装目录,即把 OpenSSL 安装到 /usr/local/openssl 目录下。通常 --prefix 参数用于指定软件的安装目录;默认情况下软件会安装到 /usr/local 目录下。
make -j 4
- make:用于自动构建可执行程序和库的工具,通常与 Makefile 配合使用。它按照 Makefile 中的规则编译源代码,生成最终的可执行文件或库文件。
- -j 4:告诉 make 使用 4 个并行任务(jobs)来加速编译,可以同时处理多个文件。具体的并行任务数可以根据系统的 CPU 核心数量和可用内存来调整。
make install
- make install:将编译好的 OpenSSL 库文件以及相关的头文件、文档等安装到指定目录(即上一步通过 --prefix 参数指定的目录)。通常这个命令会把编译产物复制到系统的标准位置,以便其他程序可以使用 OpenSSL 库。
[root@docker-client openssl-1.1.1t]# ./config shared --prefix=/usr/local/openssl
[root@docker-client openssl-1.1.1t]# make -j 4
[root@docker-client openssl-1.1.1t]# make install
4.3 创建openssl软链接
# 将 /usr/local/openssl/lib/ 路径追加到 /etc/ld.so.conf 文件中
[root@docker-client openssl-1.1.1t]# echo "/usr/local/openssl/lib/" >> /etc/ld.so.conf
[root@docker-client openssl-1.1.1t]# cat /etc/ld.so.conf
include ld.so.conf.d/*.conf
/usr/local/openssl/lib/
[root@docker-client openssl-1.1.1t]# cat /etc/ld.so.c
ld.so.cache ld.so.conf ld.so.conf.d/
# 加载配置文件
[root@docker-client openssl-1.1.1t]# ld
ld ldattach ld.bfd ldconfig ldd ld.gold
[root@docker-client openssl-1.1.1t]# ldconfig
# 备份之前版本的openssl
[root@docker-client openssl-1.1.1t]# mv /usr/bin/openssl /usr/bin/openssl.old
# 创建openssl软链接
[root@docker-client openssl-1.1.1t]# ln -sv /usr/local/openssl/bin/openssl /usr/bin/openssl
‘/usr/bin/openssl’ -> ‘/usr/local/openssl/bin/openssl’
[root@docker-client openssl-1.1.1t]# ln -s /usr/local/openssl/lib/libssl.so.1.1 /usr/lib64/libssl.so.1.1
[root@docker-client openssl-1.1.1t]# ln -s /usr/local/openssl/lib/libcrypto.so.1.1 /usr/lib64/libcrypto.so.1.1
4.4 查看openssl版本
[root@docker-client openssl-1.1.1t]# openssl version -a
OpenSSL 1.1.1t 7 Feb 2023
built on: Mon Apr 15 07:45:31 2024 UTC
platform: linux-x86_64
options: bn(64,64) rc4(16x,int) des(int) idea(int) blowfish(ptr)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DNDEBUG
OPENSSLDIR: "/usr/local/openssl/ssl"
ENGINESDIR: "/usr/local/openssl/lib/engines-1.1"
Seeding source: os-specific
[root@docker-client openssl-1.1.1t]#
5、卸载之前版本的openssh
检查之前的openssh安装包,并备份旧的openssh
[root@docker-client openssl-1.1.1t]# rpm -qa |grep openssh
openssh-clients-7.4p1-22.el7_9.x86_64
openssh-7.4p1-22.el7_9.x86_64
openssh-server-7.4p1-22.el7_9.x86_64
[root@docker-client openssl-1.1.1t]#
# 备份
[root@docker-client openssl-1.1.1t]# mv /etc/ssh/ /etc/ssh.bak
[root@docker-client openssl-1.1.1t]#
[root@docker-client openssl-1.1.1t]# mv /usr/bin/ssh /usr/bin/ssh.bak
[root@docker-client openssl-1.1.1t]#
[root@docker-client openssl-1.1.1t]# mv /usr/sbin/sshd /usr/sbin/sshd.bak
[root@docker-client openssl-1.1.1t]#
# 如果是第一次升级openssh,备份/etc/init.d/sshd时会报不存在文件或者目录,如下,忽略即可
[root@docker-client openssl-1.1.1t]# mv /etc/init.d/sshd /etc/init.d/sshd.bak
mv: cannot stat ‘/etc/init.d/sshd’: No such file or directory
# 卸载现在版本的openssh相关的包
[root@docker-client openssl-1.1.1t]# rpm -e --nodeps $(rpm -qa |grep openssh)
warning: file /usr/sbin/sshd: remove failed: No such file or directory
warning: file /etc/ssh/sshd_config: remove failed: No such file or directory
warning: file /usr/bin/ssh: remove failed: No such file or directory
warning: file /etc/ssh/ssh_config: remove failed: No such file or directory
warning: file /etc/ssh/moduli: remove failed: No such file or directory
warning: file /etc/ssh: remove failed: No such file or directory
# 卸载完成后再查一下是否卸载干净
[root@docker-client openssl-1.1.1t]# rpm -qa | grep openssh
[root@docker-client openssl-1.1.1t]#
6、下载openssh的二进制包
官网下载:https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/ (Index of /pub/OpenBSD/OpenSSH/portable/)
可以下载好上传到对应服务器,或者直接使用wget命令下载
[root@docker-client ~]# wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.3p2.tar.gz
--2024-04-15 16:02:55-- https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.3p2.tar.gz
Resolving cdn.openbsd.org (cdn.openbsd.org)... 151.101.111.52, 2a04:4e42:8c::820
Connecting to cdn.openbsd.org (cdn.openbsd.org)|151.101.111.52|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1835850 (1.8M) [application/octet-stream]
Saving to: ‘openssh-9.3p2.tar.gz’
100%[==============================================================================================>] 1,835,850 106KB/s in 26s
2024-04-15 16:03:24 (67.8 KB/s) - ‘openssh-9.3p2.tar.gz’ saved [1835850/1835850]
[root@docker-client ~]#
7、编译安装openssh
7.1 解压并移动到/usr/local/目录下
[root@docker-client ~]# mv openssh-9.3p2.tar.gz /usr/local/
[root@docker-client ~]#
[root@docker-client ~]# cd /usr/local/
[root@docker-client local]# tar xf openssh-9.3p2.tar.gz
[root@docker-client local]# ls
bin etc games include lib lib64 libexec nginx openssh-9.3p2 openssh-9.3p2.tar.gz openssl openssl-1.1.1t sbin share src
[root@docker-client local]#
7.2 编译安装openssh
[root@docker-client local]# cd openssh-9.3p2
[root@docker-client openssh-9.3p2]# CCFLAGS="-I/usr/local/include" \
> LDFLAGS="-L/usr/local/lib64" \
> ./configure \
> --sysconfdir=/etc/ssh \
> --with-zlib \
> --with-ssl-dir=/usr/local/openssl
[root@docker-client openssh-9.3p2]# make -j 4
[root@docker-client openssh-9.3p2]# make install
(cd openbsd-compat && make)
make[1]: Entering directory `/usr/local/openssh-9.3p2/openbsd-compat'
make[1]: Nothing to be done for `all'.
make[1]: Leaving directory `/usr/local/openssh-9.3p2/openbsd-compat'
/usr/bin/mkdir -p /usr/local/bin
/usr/bin/mkdir -p /usr/local/sbin
/usr/bin/mkdir -p /usr/local/share/man/man1
/usr/bin/mkdir -p /usr/local/share/man/man5
/usr/bin/mkdir -p /usr/local/share/man/man8
/usr/bin/mkdir -p /usr/local/libexec
/usr/bin/mkdir -p -m 0755 /var/empty
/usr/bin/install -c -m 0755 -s ssh /usr/local/bin/ssh
/usr/bin/install -c -m 0755 -s scp /usr/local/bin/scp
/usr/bin/install -c -m 0755 -s ssh-add /usr/local/bin/ssh-add
/usr/bin/install -c -m 0755 -s ssh-agent /usr/local/bin/ssh-agent
/usr/bin/install -c -m 0755 -s ssh-keygen /usr/local/bin/ssh-keygen
/usr/bin/install -c -m 0755 -s ssh-keyscan /usr/local/bin/ssh-keyscan
/usr/bin/install -c -m 0755 -s sshd /usr/local/sbin/sshd
/usr/bin/install -c -m 4711 -s ssh-keysign /usr/local/libexec/ssh-keysign
/usr/bin/install -c -m 0755 -s ssh-pkcs11-helper /usr/local/libexec/ssh-pkcs11-helper
/usr/bin/install -c -m 0755 -s ssh-sk-helper /usr/local/libexec/ssh-sk-helper
/usr/bin/install -c -m 0755 -s sftp /usr/local/bin/sftp
/usr/bin/install -c -m 0755 -s sftp-server /usr/local/libexec/sftp-server
/usr/bin/install -c -m 644 ssh.1.out /usr/local/share/man/man1/ssh.1
/usr/bin/install -c -m 644 scp.1.out /usr/local/share/man/man1/scp.1
/usr/bin/install -c -m 644 ssh-add.1.out /usr/local/share/man/man1/ssh-add.1
/usr/bin/install -c -m 644 ssh-agent.1.out /usr/local/share/man/man1/ssh-agent.1
/usr/bin/install -c -m 644 ssh-keygen.1.out /usr/local/share/man/man1/ssh-keygen.1
/usr/bin/install -c -m 644 ssh-keyscan.1.out /usr/local/share/man/man1/ssh-keyscan.1
/usr/bin/install -c -m 644 moduli.5.out /usr/local/share/man/man5/moduli.5
/usr/bin/install -c -m 644 sshd_config.5.out /usr/local/share/man/man5/sshd_config.5
/usr/bin/install -c -m 644 ssh_config.5.out /usr/local/share/man/man5/ssh_config.5
/usr/bin/install -c -m 644 sshd.8.out /usr/local/share/man/man8/sshd.8
/usr/bin/install -c -m 644 sftp.1.out /usr/local/share/man/man1/sftp.1
/usr/bin/install -c -m 644 sftp-server.8.out /usr/local/share/man/man8/sftp-server.8
/usr/bin/install -c -m 644 ssh-keysign.8.out /usr/local/share/man/man8/ssh-keysign.8
/usr/bin/install -c -m 644 ssh-pkcs11-helper.8.out /usr/local/share/man/man8/ssh-pkcs11-helper.8
/usr/bin/install -c -m 644 ssh-sk-helper.8.out /usr/local/share/man/man8/ssh-sk-helper.8
/usr/bin/mkdir -p /etc/ssh
ssh-keygen: generating new host keys: RSA ECDSA ED25519
/usr/local/sbin/sshd -t -f /etc/ssh/sshd_config
[root@docker-client openssh-9.3p2]#
编译命令详解:
- CCFLAGS="-I/usr/local/include":设置编译器标志,其中 -I 选项用于指定编译时头文件的搜索路径。这里让编译器在搜索头文件时额外包含 /usr/local/include 目录。(注:OpenSSH 的 configure 脚本由 autoconf 生成,通常读取的是 CFLAGS 而不是 CCFLAGS,这个变量很可能并未实际生效,可自行验证。)
- LDFLAGS="-L/usr/local/lib64":设置链接器标志,其中 -L 选项用于指定链接时库文件的搜索路径。这里让链接器在搜索库文件时额外包含 /usr/local/lib64 目录。
- ./configure:运行 OpenSSH 配置脚本的命令。配置脚本会根据系统环境和指定的参数生成 Makefile,用于后续的编译和安装。
- --sysconfdir=/etc/ssh:指定配置文件的安装目录,即把 OpenSSH 的配置文件安装到 /etc/ssh 目录下。
- --with-zlib:启用对 zlib 库的支持,使 OpenSSH 可以使用 zlib 进行压缩和解压缩。
- --with-ssl-dir=/usr/local/openssl:指定 OpenSSL 库的安装路径。这里的 /usr/local/openssl 就是上面编译安装 OpenSSL 的目录,OpenSSH 将使用这个目录下的 OpenSSL 库进行加解密操作。
8、添加600权限
[root@docker-client openssh-9.3p2]# chmod 600 /etc/ssh/*
[root@docker-client openssh-9.3p2]#
[root@docker-client openssh-9.3p2]# ls -l /etc/ssh/*
-rw------- 1 root root 573991 Apr 15 16:10 /etc/ssh/moduli
-rw------- 1 root root 1531 Apr 15 16:10 /etc/ssh/ssh_config
-rw------- 1 root root 3137 Apr 15 16:10 /etc/ssh/sshd_config
-rw------- 1 root root 513 Apr 15 16:10 /etc/ssh/ssh_host_ecdsa_key
-rw------- 1 root root 180 Apr 15 16:10 /etc/ssh/ssh_host_ecdsa_key.pub
-rw------- 1 root root 411 Apr 15 16:10 /etc/ssh/ssh_host_ed25519_key
-rw------- 1 root root 100 Apr 15 16:10 /etc/ssh/ssh_host_ed25519_key.pub
-rw------- 1 root root 2610 Apr 15 16:10 /etc/ssh/ssh_host_rsa_key
-rw------- 1 root root 572 Apr 15 16:10 /etc/ssh/ssh_host_rsa_key.pub
[root@docker-client openssh-9.3p2]#
9、复制编译好的二进制文件及启动脚本到系统目录
[root@docker-client openssh-9.3p2]# cp -rf /usr/local/sbin/sshd /usr/sbin/sshd
[root@docker-client openssh-9.3p2]# cp -rf /usr/local/bin/ssh /usr/bin/ssh
[root@docker-client openssh-9.3p2]# cp -rf /usr/local/bin/ssh-keygen /usr/bin/ssh-keygen
[root@docker-client openssh-9.3p2]# cp -ar /usr/local/openssh-9.3p2/contrib/redhat/sshd.init /etc/init.d/sshd
[root@docker-client openssh-9.3p2]# cp -ar /usr/local/openssh-9.3p2/contrib/redhat/sshd.pam /etc/pam.d/sshd.pam
[root@docker-client openssh-9.3p2]#
10、修改/etc/ssh/sshd_config配置文件,允许root登录,并开启端口22访问
[root@docker-client openssh-9.3p2]# vim /etc/ssh/sshd_config
(注意:下面这些选项是服务端配置,属于 sshd_config,不要写到客户端配置 ssh_config 里。)在文件末尾添加如下内容:
PermitRootLogin yes
X11Forwarding yes
PasswordAuthentication yes
KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1,curve25519-sha256@libssh.org
(原文最后一项被页面的邮箱保护机制显示为 [email protected],这里按常见配置恢复为 curve25519-sha256@libssh.org,请对照原文确认。)
注意:上面列表中基于 SHA-1 的 diffie-hellman-group1-sha1、group14-sha1、group-exchange-sha1 只是为了兼容旧客户端才加入,它们已不在新版 OpenSSH 的默认启用列表中,生产环境不建议显式开启;同理 PermitRootLogin yes 和 PasswordAuthentication yes 也只适合测试环境使用。
[root@docker-client openssh-9.3p2]# sed -i "s/^#Port/Port/g" /etc/ssh/sshd_config
11、给sshd启动脚本添加执行权限,并重启sshd服务
[root@docker-client openssh-9.3p2]# chmod 755 /etc/init.d/sshd
[root@docker-client openssh-9.3p2]#
[root@docker-client openssh-9.3p2]#
[root@docker-client openssh-9.3p2]# systemctl enable sshd
sshd.service is not a native service, redirecting to /sbin/chkconfig.
Executing /sbin/chkconfig sshd on
[root@docker-client openssh-9.3p2]# systemctl restart sshd
[root@docker-client openssh-9.3p2]# systemctl status sshd
● sshd.service - SYSV: OpenSSH server daemon
Loaded: loaded (/etc/rc.d/init.d/sshd; bad; vendor preset: enabled)
Active: active (running) since Mon 2024-04-15 16:14:26 CST; 9s ago
Docs: man:systemd-sysv-generator(8)
Process: 36517 ExecStart=/etc/rc.d/init.d/sshd start (code=exited, status=0/SUCCESS)
Main PID: 36525 (sshd)
Tasks: 1
Memory: 548.0K
CGroup: /system.slice/sshd.service
└─36525 sshd: /usr/sbin/sshd [listener] 0 of 10-100 startups
Apr 15 16:14:26 docker-client systemd[1]: Starting SYSV: OpenSSH server daemon...
Apr 15 16:14:26 docker-client systemd[1]: Can't open PID file /var/run/sshd.pid (yet?) after start: No such file or directory
Apr 15 16:14:26 docker-client sshd[36517]: Starting sshd:[ OK ]
Apr 15 16:14:26 docker-client sshd[36525]: Server listening on 0.0.0.0 port 22.
Apr 15 16:14:26 docker-client sshd[36525]: Server listening on :: port 22.
Apr 15 16:14:26 docker-client systemd[1]: Started SYSV: OpenSSH server daemon.
[root@docker-client openssh-9.3p2]#
12、查看openssh版本是否升级完成
[root@docker-client openssh-9.3p2]# ssh -V
OpenSSH_9.3p2, OpenSSL 1.1.1t 7 Feb 2023
[root@docker-client openssh-9.3p2]#
以上就是openssh7.4p1升级到openssh9.3p2的过程,希望能帮助到你!