Upgrading CentOS to openssh 8.0 + openssl 1.1.1c: steps and an automated deployment script

The ssh shipped with a Linux distribution is usually about as old as the distribution itself; to meet stricter security baselines, a newer openssh often has to be deployed. This article describes how to deploy the latest openssh on CentOS; it applies to CentOS 6 and CentOS 7.

Back up the original openssl and openssh before installing; those steps are omitted here.

Deploy openssl

OpenSSL official download page: https://www.openssl.org/source/

If the installed openssl is already recent enough, this step can be skipped.

Install dependencies

yum -y install gcc perl zlib zlib-devel

Install openssl

rm -rf /usr/local/openssl

cd /opt

wget https://www.openssl.org/source/openssl-1.1.1c.tar.gz

tar zxvf openssl-1.1.1c.tar.gz

cd openssl-1.1.1c

./config --prefix=/usr/local/openssl shared zlib

make && make install

rm -rf /usr/bin/openssl

ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl

ln -s /usr/local/openssl/include/openssl /usr/include/openssl

echo "/usr/local/openssl/lib/" >> /etc/ld.so.conf

ldconfig -v

Check the openssl version

openssl version -a

Deploy openssh

OpenSSH official download page: http://www.openssh.com/portable.html

Install dependencies

yum install -y gcc openssl-devel pam-devel rpm-build

Install openssh

cd /opt

wget https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.0p1.tar.gz

tar zxvf openssh-8.0p1.tar.gz

cd openssh-8.0p1

cp contrib/redhat/sshd.pam /etc/pam.d/sshd

./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/openssl --with-pam --with-zlib --with-md5-passwords

make && make install

cp contrib/redhat/sshd.init /etc/init.d/sshd

chmod 600 /etc/ssh/ssh_host_ed25519_key

systemctl enable sshd

# chkconfig --add sshd

# chkconfig sshd on

echo "PermitRootLogin    yes" >> /etc/ssh/sshd_config

ln -s /usr/local/openssh/bin/ssh-keygen /usr/bin/ssh-keygen

ln -s /usr/local/openssh/sbin/sshd /usr/sbin/sshd

rm -rf /usr/bin/ssh

ln -s /usr/local/openssh/bin/ssh /usr/bin/ssh

Important: always verify that openssh is set to start at boot!

If openssl was not compiled and deployed as above, the "--with-ssl-dir=/usr/local/openssl" parameter must be dropped. If the following error appears during compilation:

configure: error: OpenSSL library not found.

you can try specifying the following parameters:

--with-openssl-includes=[openssl-inc-dir] --with-openssl-libraries=[openssl-lib-dir]

Check the openssh version

ssh -V

Edit sshd_config

vim /etc/ssh/sshd_config

sshd_config treats only whole lines beginning with # as comments (a trailing # on a directive line is not a comment and makes sshd reject the line), so the notes go on their own lines:

# allow root login
PermitRootLogin        yes
# do not allow login with an empty password
PermitEmptyPasswords   no
# whether password authentication is used
PasswordAuthentication yes
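sshd honours only the first occurrence of each keyword, so the `echo "PermitRootLogin yes" >> /etc/ssh/sshd_config` line used above has no effect when the keyword is already set earlier in the file, and anything appended after a Match block becomes conditional. As an added example (not code from the original post), the function below sets a directive in place instead: it rewrites the first active or commented occurrence in the global section, comments out later active duplicates, and otherwise inserts the directive before the first Match line; the second function reads back the value sshd would actually use.

```shell
#!/bin/bash
# Set one sshd_config directive idempotently (added example, not from the post).
# Usage: set_sshd_option /etc/ssh/sshd_config PermitRootLogin no
set_sshd_option() {
  local file="$1" key="$2" value="$3" tmp
  tmp=$(mktemp) || return 1
  awk -v key="$key" -v value="$value" '
    BEGIN { pat = "^[ \t]*#?[ \t]*" tolower(key) "([ \t]|$)"; done = 0; inmatch = 0 }
    # Everything from the first Match line on is conditional, so place the
    # directive just before it if it has not been written yet.
    tolower($0) ~ /^[ \t]*match([ \t]|$)/ {
      if (!done) { print key " " value; done = 1 }
      inmatch = 1
    }
    # In the global section: the first active or commented occurrence becomes
    # the directive; later active copies are commented out so they cannot win.
    !inmatch && tolower($0) ~ pat {
      if (!done) { print key " " value; done = 1 }
      else if ($0 ~ /^[ \t]*#/) { print }
      else { print "#" $0 }
      next
    }
    { print }
    END { if (!done) print key " " value }
  ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the file owner and mode
  local rc=$?
  rm -f "$tmp"
  return $rc
}

# Effective value of a keyword as sshd reads it: first active global occurrence.
effective_sshd_option() {
  awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    tolower($1) == "match" { exit }
    tolower($1) == key { print $2; exit }
  ' "$1"
}
```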

Start openssh (restart if the old sshd is still running, so that the new binary is loaded)

service sshd restart
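The post stresses checking that openssh starts at boot; a practitioner will also want to confirm that the new sshd really links against the openssl built in /usr/local/openssl rather than the distribution copy, that the host keys are not readable by group or others (the new sshd ignores such keys, which is why the chmod 600 steps exist), and that sshd_config still parses. The checks below are an added example, not part of the original post; they assume the /usr/local/openssl and /usr/local/openssh prefixes used above.

```shell
#!/bin/bash
# Post-upgrade checks for the build above (added example, not from the post).
# Assumes the /usr/local/openssl prefix used in the steps.
SSL_PREFIX="${SSL_PREFIX:-/usr/local/openssl}"

# Given `ldd` output for a binary, succeed only when libssl and libcrypto
# both resolve under $SSL_PREFIX/lib rather than the distribution's copies.
links_to_new_openssl() {
  local ldd_out="$1" lib
  for lib in libssl libcrypto; do
    printf '%s\n' "$ldd_out" | grep -E "^[[:space:]]*$lib\.so" \
      | grep -q -- "=> $SSL_PREFIX/lib/" || return 1
  done
  return 0
}

# Host private keys must not be accessible by group or others; sshd ignores
# such keys ("Permissions ... are too open"). Prints offenders, returns 1.
host_keys_private() {
  local dir="$1" key rc=0
  for key in "$dir"/ssh_host_*_key; do
    [ -f "$key" ] || continue
    # columns 5-10 of ls -l are the group and other permission bits
    [ "$(ls -l "$key" | cut -c5-10)" = "------" ] \
      || { echo "host key $key is readable by group/others"; rc=1; }
  done
  return $rc
}

# Enabled at boot? systemd on CentOS 7, chkconfig on CentOS 6.
sshd_enabled_at_boot() {
  if command -v systemctl >/dev/null 2>&1; then
    systemctl is-enabled sshd >/dev/null 2>&1
  else
    chkconfig --list sshd 2>/dev/null | grep -q ':on'
  fi
}

# Run everything against the live host.
verify_upgrade() {
  ssh -V 2>&1 | grep -q 'OpenSSH_8.0' || { echo "ssh is not 8.0"; return 1; }
  links_to_new_openssl "$(ldd /usr/sbin/sshd)" || { echo "sshd not linked to $SSL_PREFIX"; return 1; }
  /usr/sbin/sshd -t || return 1        # syntax-check /etc/ssh/sshd_config
  host_keys_private /etc/ssh || return 1
  sshd_enabled_at_boot || { echo "sshd not enabled at boot"; return 1; }
  echo "upgrade verified"
}

if [ "${1:-}" = "--run" ]; then verify_upgrade; fi
```

Run it as `bash verify.sh --run` on the upgraded host; each function can also be sourced and used on its own.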

Automated openssh deployment

This script is only an example; adjust it to your actual requirements.

#!/bin/bash

inspath="/opt/installation"
exelogs="$inspath/install.log"
soft1="openssl-1.1.1c.tar.gz"
soft1na="openssl"
soft1dr="openssl-1.1.1c"
soft1dl="https://www.openssl.org/source/openssl-1.1.1c.tar.gz"
soft1pt="/usr/local/openssl"
soft2="openssh-8.0p1.tar.gz"
soft2na="openssh"
soft2dr="openssh-8.0p1"
soft2dl="https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.0p1.tar.gz"
soft2pt="/usr/local/openssh"

##### beginning #####

yum -y install gcc perl zlib zlib-devel openssl-devel pam-devel rpm-build

# wget is needed for the downloads below
if ! rpm -q wget >/dev/null 2>&1; then
  yum -y install wget
fi

if [ -d "$inspath" ]; then
  echo "Installation folder exists, software download begins!" >> "$exelogs"
else
  mkdir -p "$inspath"
  echo "Installation folder created successfully!" >> "$exelogs"
fi

# Log a failed step and stop, instead of installing a half-built tree.
# $1 = component name, $2 = step name (download / configure / build)
fail_exit () {
  echo "$1 $2 failed, exiting now!" >> "$exelogs"
  exit 1
}

##### install soft1 #####

cd "$inspath" || exit 1
if [ -e "$soft1" ]; then
  echo "File $soft1 exists!" >> "$exelogs"
else
  echo "File $soft1 does not exist, download begins!" >> "$exelogs"
  wget "$soft1dl" || fail_exit "$soft1na" download
fi

rm -rf "$soft1pt"
echo "Deleted old $soft1na version!" >> "$exelogs"
tar zxvf "$soft1"
cd "$soft1dr" || exit 1
# OpenSSL's config script takes "shared" without leading dashes
./config --prefix="$soft1pt" shared zlib >> "$exelogs" 2>&1 || fail_exit "$soft1na" configure
echo "$soft1na configured successfully!" >> "$exelogs"
{ make depend && make && make install; } >> "$exelogs" 2>&1 || fail_exit "$soft1na" build
rm -rf /usr/bin/openssl
ln -s "$soft1pt/bin/openssl" /usr/bin/openssl
ln -s "$soft1pt/include/openssl" /usr/include/openssl
echo "$soft1pt/lib/" >> /etc/ld.so.conf
ldconfig
echo "$soft1 updated successfully!" >> "$exelogs"

##### install soft2 #####

cd "$inspath" || exit 1
if [ -e "$soft2" ]; then
  echo "File $soft2 exists!" >> "$exelogs"
else
  echo "File $soft2 does not exist, download begins!" >> "$exelogs"
  wget "$soft2dl" || fail_exit "$soft2na" download
fi
# remove the distribution openssh packages (-r: do nothing when none are installed)
rpm -qa | grep "$soft2na" | xargs -r rpm -e --nodeps
rm -rf "$soft2pt"
echo "Deleted old $soft2na version!" >> "$exelogs"

tar zxvf "$soft2"
cd "$soft2dr" || exit 1
./configure --prefix="$soft2pt" --sysconfdir=/etc/ssh --with-ssl-dir="$soft1pt" --with-pam --with-zlib --with-md5-passwords >> "$exelogs" 2>&1 || fail_exit "$soft2na" configure
echo "$soft2na configured successfully!" >> "$exelogs"
{ make && make install; } >> "$exelogs" 2>&1 || fail_exit "$soft2na" build
\cp contrib/redhat/sshd.init /etc/init.d/sshd
# PAM reads /etc/pam.d/sshd, not /etc/pam.d/sshd.pam
\cp contrib/redhat/sshd.pam /etc/pam.d/sshd
# the new sshd ignores host keys that are readable by group or others
chmod 600 /etc/ssh/ssh_host_rsa_key
chmod 600 /etc/ssh/ssh_host_ecdsa_key
chmod 600 /etc/ssh/ssh_host_ed25519_key
# enable at boot: systemd on CentOS 7, chkconfig on CentOS 6
if command -v systemctl >/dev/null 2>&1; then
  systemctl enable sshd
else
  chkconfig --add sshd
  chkconfig sshd on
fi
echo "PermitRootLogin    yes" >> /etc/ssh/sshd_config
ln -sf "$soft2pt/bin/ssh-keygen" /usr/bin/ssh-keygen
ln -sf "$soft2pt/sbin/sshd" /usr/sbin/sshd
rm -rf /usr/bin/ssh
ln -s "$soft2pt/bin/ssh" /usr/bin/ssh
# load the new binary; existing sessions are not affected by the restart
service sshd restart
echo "$soft2na updated successfully!" >> "$exelogs"