Centos/Redhat升级openssl/openssh服务

1、下载openssl-1.0.2h.tar.gz 

wget https://www.openssl.org/source/openssl-1.0.2n.tar.gz

2、升级zlib服务

yum install -y zlib zlib-devel

3、解压安装

tar zxf openssl-1.0.2n.tar.gz

cd openssl-1.0.2n

./config shared zlib

make

make install

mv /usr/bin/openssl /usr/bin/openssl.bak

mv /usr/include/openssl /usr/include/openssl.bak

ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl

ln -s /usr/local/ssl/include/openssl /usr/include/openssl

echo "/usr/local/ssl/lib" >> /etc/ld.so.conf

ldconfig -v

5、查看是否升级成功

[root@zj ~]# openssl version -a

OpenSSL 1.0.2h  3 May 2016

升级openssh

OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013

openssl version -a

OpenSSL 1.0.1e-fips 11 Feb 2013

一、准备

备份ssh目录(重要)

cp -rf /etc/ssh /etc/ssh.bak

【 可以现场处理的，不用设置

安装telnet，避免ssh升级出现问题，导致无法远程管理

yum install telnet-server

vi /etc/xinetd.d/telnet

service telnet

{

        flags          = REUSE

        socket_type    = stream

        wait            = no

        user            = root

        server          = /usr/sbin/in.telnetd

        log_on_failure  += USERID

        disable        = no

}

默认不允许root登录

vi /etc/securetty

增加

pts/0

pts/1

pts/2

如果登录用户较多，需要更多的pts/*

/etc/init.d/xinetd restart

这样root可以telnet登录了

ssh升级后建议再修改回还原设置

】

二、安装

升级需要几个组件

yum install -y gcc openssl-devel pam-devel rpm-build

wget http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.5p1.tar.gz

wget http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.7p1.tar.gz

解压升级包，并安装

tar -zxvf openssh-7.7p1.tar.gz

cd openssh-7.5p1

./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-md5-passwords --with-tcp-wrappers

make && make install

安装后提示：

/etc/ssh/ssh_config already exists, install will not overwrite

/etc/ssh/sshd_config already exists, install will not overwrite

/etc/ssh/moduli already exists, install will not overwrite

ssh-keygen: generating new host keys: ECDSA ED25519

/usr/sbin/sshd -t -f /etc/ssh/sshd_config

/etc/ssh/sshd_config line 81: Unsupported option GSSAPIAuthentication

/etc/ssh/sshd_config line 83: Unsupported option GSSAPICleanupCredentials

修改配置文件,允许root登录

vi /etc/ssh/sshd_config

#PermitRootLogin yes

修改为

PermitRootLogin yes

命令：

sed -i '/^#PermitRootLogin/s/#PermitRootLogin yes/PermitRootLogin yes/' /etc/ssh/sshd_config

重启openSSH

service sshd restart

升级后版本

ssh -V

OpenSSH_7.2p1, OpenSSL 1.0.1e-fips 11 Feb 2013

【

可以不操作，禁止dns解析

sed -i '/^#UseDNS yes/s/#UseDNS yes/UseDNS no/' /etc/ssh/sshd_config

可以不操作默认是22，修改ssh端口至6022

echo "Port 9092" >> /etc/ssh/sshd_config

】

注:在升级SSH时你的SSH是不会因为升级或重启服务而断掉的.

问题1：

[root@testserver2 tmp]# service sshd restart

Stopping sshd:                                            [  OK  ]

Starting sshd: /etc/ssh/sshd_config line 81: Unsupported option GSSAPIAuthentication

/etc/ssh/sshd_config line 83: Unsupported option GSSAPICleanupCredentials [  OK  ]

解决：

将/etc/ssh/sshd_config文件中以上行数内容注释下即可

sed -i '/^GSSAPICleanupCredentials/s/GSSAPICleanupCredentials yes/#GSSAPICleanupCredentials yes/' /etc/ssh/sshd_config

sed -i '/^GSSAPIAuthentication/s/GSSAPIAuthentication yes/#GSSAPIAuthentication yes/' /etc/ssh/sshd_config

sed -i '/^GSSAPIAuthentication/s/GSSAPIAuthentication no/#GSSAPIAuthentication no/' /etc/ssh/sshd_config

问题2：

更新后ssh有如下提示，但不影响使用：

[root@testserver2 tmp]# ssh 10.111.32.51

/etc/ssh/ssh_config line 50: Unsupported option "gssapiauthentication"                                         

解决：

可以注释/etc/ssh/ssh_config的gssapiauthentication内容