1.查看openssh、openssl版本
openssl version
ssh -V
2.安装配置telnet
2.1 安装telnet-server
yum -y install xinetd telnet-server
2.2 配置telnet
#先看一下xinetd.d目录下是否有telnet文件
[root@localhost ~]# ll /etc/xinetd.d/telnet
ls: cannot access /etc/xinetd.d/telnet: No such file or directory
#如果有,则将文件里面的disable = no改成disable = yes
#如果没有,就进行下面的操作
[root@localhost ~]# cat > /etc/xinetd.d/telnet <<EOF
service telnet
{
disable = yes
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
}
EOF
2.3 配置telnet登录的终端类型
[root@localhost ~]# cat >> /etc/securetty <<EOF
pts/0
pts/1
pts/2
pts/3
EOF
2.4 启动telnet服务
[root@localhost ~]# systemctl enable xinetd --now
[root@localhost ~]# systemctl enable telnet.socket --now
[root@localhost ~]# ss -nltp | grep 23
LISTEN 0 128 :::23 :::* users:(("systemd",pid=1,fd=46))
#23端口起来了,表示telnet服务正常运行
2.5 切换登录方式为telnet
后面的操作都是在telnet链接的方式下进行,避免ssh中断导致升级失败,以telnet方式登录的时候,注意选择协议和端口,协议为telnet,端口为23,需要开放23端口,使用telnet ip方式进行登录。
如果登录报错:
则执行: cat /var/log/secure 查看日志
执行:vi /etc/securetty 在末尾添加 pts/5 pts/6 保存即可
3.更新openssl
wget https://www.openssl.org/source/openssl-1.1.1l.tar.gz --no-check-certificate
mv /usr/bin/openssl /usr/bin/openssl.old
mv /usr/include/openssl /usr/include/openssl.old
tar -zxvf openssl-1.1.1l.tar.gz
cd openssl-1.1.1l/
./config --prefix=/usr/local/openssl
make
make install
ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
ln -s /usr/local/openssl/include/openssl /usr/include/openssl
echo "/usr/local/openssl/lib" >> /etc/ld.so.conf
ldconfig -v
openssl version
4.安装openssh
yum install -y pam* zlib* openssl-devel
chmod 600 /etc/ssh/* #权限要改为600,否则会报警
wget -c https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/openssh-8.8p1.tar.gz --no-check-certificate
cp /usr/bin/ssh /usr/bin/ssh.bak
cp /usr/sbin/sshd /usr/sbin/sshd.bak
mv /etc/ssh /etc/ssh.bak
tar -zxvf openssh-8.8p1.tar.gz
cd openssh-8.8p1.tar.gz
./configure --prefix=/usr/ --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/openssl --with-zlib --with-md5-passwords --with-pam
make && make install
# 修改启动文件和pam
cp ./contrib/redhat/sshd.init /etc/init.d/sshd
cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd.pam
mv /usr/lib/systemd/system/sshd.service /usr/lib/systemd/system/sshd.service_bak
#编辑/etc/pam.d/sshd文件,删除原有,添加以下
#%PAM-1.0
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare
#编辑/etc/ssh/sshd_config,最下方添加PermitRootLogin yes
systemctl daemon-reload
systemctl restart sshd
systemctl status sshd
5.还原ssh方式登录
5.1 开启sshd方式登录
vi /etc/ssh/sshd_config
# 设置 PasswordAuthentication yes
systemctl daemon-reload
systemctl restart sshd
systemctl status sshd
5.2 关闭telnet服务
[root@localhost ~]# systemctl disable xinetd.service --now
[root@localhost ~]# systemctl disable telnet.socket --now