[系统运维]Centos7.5 升级openssh到9.0p1

背景：

公司定期的漏洞安全扫描发现系统服务存在问题，需要升级OpenSSH。

[root@somsapidev ~]# cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)

[root@somsapiprd ~]# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017

[root@somsapidev openssh-9.0p1]# openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017

升级前提：

1、openssl 升级到openssl-1.1.1以上

2、安装配置telnet

提示：这步最好是做，那怕用不上，但不能没有，如果后面升级失败SSH也坏掉了，OS就死掉了。

后面的操作都是在telnet链接的方式下进行，避免ssh中断导致升级失败
以telnet方式登录的时候，注意选择协议和端口，协议为telnet，端口为23

安装telnet

1、安装telnet-server

yum -y install xinetd telnet-server

2、配置/etc/xinetd.d/telnet

ll /etc/xinetd.d/telnet
ls: cannot access /etc/xinetd.d/telnet: No such file or directory
如果有，则将文件里面的disable = no改成disable = yes
如果没有，就进行下面的操作：
[root@somsapidev root]# cat > /etc/xinetd.d/telnet <<EOF
内容
service telnet
{
disable = yes
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
}
EOF
回车即可

3、配置telnet登录的终端类型

[root@somsapidev root]# cat >> /etc/securetty <<EOF
pts/0
pts/1
pts/2
pts/3
EOF

?4、启动telnet

[root@somsapidev root]# systemctl enable xinetd --now
[root@somsapidev root]# systemctl enable telnet.socket --now
[root@somsapidev root]# ss -nltp | grep 23
LISTEN 0 128 :::23 :::* users:(("systemd",pid=1,fd=46))
"23端口起来了，表示telnet服务正常运行"

升级OpenSSL

1、下载升级包

wget https://www.openssl.org/source/openssl-1.1.1o.tar.gz

2、备份老版本 &解压

[root@somsapidev ~]# mv /usr/bin/openssl{,.bak}
[root@somsapidev ~]# mv /usr/include/openssl{,.bak}
[root@somsapidev ~]# tar xf openssl-1.1.1o.tar.gz
[root@somsapidev ~]# cd openssl-1.1.1o

3、 配置编译并安装

[root@somsapidev ~]# ./config shared && make && make install

4、配置软链接

[root@somsapidev openssl-1.1.1o]# ll /usr/local/bin/openssl
-rwxr-xr-x 1 root root 749104 Jun 13 17:18 /usr/local/bin/openssl
[root@somsapidev openssl-1.1.1o]# ll -d /usr/local/include/openssl/
drwxr-xr-x 2 root root 4096 Jun 13 17:18 /usr/local/include/openssl/
[root@somsapidev openssl-1.1.1o]# ln -s /usr/local/bin/openssl /usr/bin/openssl
[root@somsapidev openssl-1.1.1o]# ln -s /usr/local/include/openssl/ /usr/include/openssl
[root@somsapidev openssl-1.1.1o]# ll /usr/bin/openssl
lrwxrwxrwx 1 root root 22 Jun 13 17:21 /usr/bin/openssl -> /usr/local/bin/openssl
[root@somsapidev openssl-1.1.1o]# ll -d /usr/include/openssl
lrwxrwxrwx 1 root root 27 Jun 13 17:21 /usr/include/openssl -> /usr/local/include/openssl/
[root@somsapidev openssl-1.1.1o]# echo "/usr/local/lib64" >> /etc/ld.so.conf
[root@somsapidev openssl-1.1.1o]# /sbin/ldconfig
[root@somsapidev openssl-1.1.1o]# openssl version
OpenSSL 1.1.1o  3 May 2022

升级OpenSSH

1、下载升级所需依赖包

[root@somsapidev ~]# yum -y install gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel pam-devel

[root@somsapidev ~]# wget http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.0p1.tar.gz

#openssh官网：http://www.openssh.com/

2、编译安装OpenSSH

?解压&配置目录

[root@somsapidev ~]#tar xf openssh-9.0p1.tar.gz
[root@somsapidev ~]# mv /etc/ssh{,.bak}
[root@somsapidev ~]# mkdir /usr/local/openssh
[root@somsapidev ~]# cd openssh-9.0p1

配置环境&编译&安装

[root@somsapidev ~]# ./configure --prefix=/usr/local/openssh  --sysconfdir=/etc/ssh --with-openssl-includes=/usr/local/include --with-ssl-dir=/usr/local/lib64 --with-zlib --with-md5-passwords --with-pam

[root@somsapidev ~]#make 
[root@somsapidev ~]#make install

3、配置sshd_config文件

[root@somsapidev openssh-9.0p1]# echo "UseDNS no" >> /etc/ssh/sshd_config
[root@somsapidev openssh-9.0p1]# echo 'PermitRootLogin yes' >> /etc/ssh/sshd_config
[root@somsapidev openssh-9.0p1]# echo 'PubkeyAuthentication yes' >> /etc/ssh/sshd_config
[root@somsapidev openssh-9.0p1]# echo 'PasswordAuthentication yes' >> /etc/ssh/sshd_config
[root@somsapidev openssh-9.0p1]# echo "X11Forwarding yes" >> /etc/ssh/sshd_config
[root@somsapidev openssh-9.0p1]# echo "X11UseLocalhost no" >> /etc/ssh/sshd_config
[root@somsapidev openssh-9.0p1]# echo "XAuthLocation /usr/bin/xauth" >> /etc/ssh/sshd_config

4、创建新的sshd二进制文件

[root@somsapidev openssh-9.0p1]# mv /usr/sbin/sshd{,.bak}
[root@somsapidev openssh-9.0p1]# mv /usr/bin/ssh{,.bak}
[root@somsapidev openssh-9.0p1]# mv /usr/bin/ssh-keygen{,.bak}
[root@somsapidev openssh-9.0p1]# ln -s /usr/local/openssh/bin/ssh /usr/bin/ssh
[root@somsapidev openssh-9.0p1]# ln -s /usr/local/openssh/bin/ssh-keygen /usr/bin/ssh-keygen
[root@somsapidev openssh-9.0p1]# ln -s /usr/local/openssh/sbin/sshd /usr/sbin/sshd
[root@somsapidev openssh-9.0p1]# ssh -V
OpenSSH_9.0p1, OpenSSL 1.0.2k-fips  26 Jan 2017

5、重新启动openssh服务

[root@somsapidev openssh-9.0p1]# systemctl disable sshd --now
Removed symlink /etc/systemd/system/multi-user.target.wants/sshd.service.
[root@somsapidev openssh-9.0p1]# mv /usr/lib/systemd/system/sshd.service{,.bak}
[root@somsapidev openssh-9.0p1]# systemctl daemon-reload
[root@somsapidev openssh-9.0p1]# cp -a contrib/redhat/sshd.init /etc/init.d/sshd
[root@somsapidev openssh-9.0p1]# cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd.pam


[root@somsapidev openssh-9.0p1]# chkconfig --add sshd
[root@somsapidev openssh-9.0p1]# systemctl daemon-reload

[root@somsapidev openssh-9.0p1]# service sshd restart
Restarting sshd (via systemctl):                           [  OK  ]
[root@somsapidev openssh-9.0p1]# chkconfig --add sshd
[root@somsapidev openssh-9.0p1]# chkconfig --level 2345 sshd on
Note: Forwarding request to 'systemctl enable sshd.socket'.
[root@somsapidev openssh-9.0p1]# chkconfig --list

6、ssh链接成功后的处理（可选）

[root@somsapidev openssh-9.0p1]# systemctl disable xinetd.service --now
[root@somsapidev openssh-9.0p1]# systemctl disable telnet.socket --now