归档文章 (2011-2017)
date
2017/07/15
一、查看当前版本
ssh -V #OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017 (7.4.1708) openssl version #OpenSSL 1.0.2k-fips 26 Jan 2017 (7.4.1708)
查看已安装的RPM包 (可选,仅参考)
rpm -qa | grep openssl #openssl-libs-1.0.2k-16.el7.x86_64 #openssl-1.0.2k-16.el7.x86_64 #openssl-devel-1.0.2k-16.el7.x86_64 rpm -qa | grep openssh #openssh-7.4p1-16.el7.x86_64 #openssh-server-7.4p1-16.el7.x86_64 #openssh-clients-7.4p1-16.el7.x86_64
二、安装依赖
yum install -y wget curl gcc gcc-c++ make zlib-devel pam-devel tcp_wrappers tcp_wrappers-devel
安装Perl (可选,仅参考)
wget https://www.cpan.org/src/5.0/perl-5.28.1.tar.gz && \ tar -xzf perl-5.28.1.tar.gz && \ cd perl-5.28.1 && \ ./Configure -des -Dprefix=/usr/local/perl && \ make && \ make install perl -v
三、安装 OpenSSL
OpenSSL 默认安装在
/usr/local/ssl
,与旧版不冲突,建议不要去卸载旧版,很多软件都依赖旧版的 SSL 库,否则你得要花更多时间去处理相关错误。3.1 卸载现有版本 (仅参考,不需要卸载)
rpm -e `rpm -qa | grep openssh` rpm -e `rpm -qa | grep openssl` --nodeps
若误卸载了,可将下面文件复制到
/usr/lib64/
libcrypto.so.10 libcrypto.so.1.0.1e libssl.so.10 libssl.so.1.0.1e
3.2 安装 OpenSSL
注意 openssl-1.1.x 新版不兼容 openssh ,请用回最新的的 1.0.x 版本
wget https://www.openssl.org/source/openssl-1.0.2q.tar.gz && \ tar -zxf openssl-1.0.2q.tar.gz && \ cd openssl-1.0.2q && \ ./config shared zlib && \ make depend && \ make install
3.3 替换旧版 OpenSSL
mv /usr/bin/openssl /usr/bin/openssl.backup && \ mv /usr/include/openssl /usr/include/openssl.backup ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl && \ ln -s /usr/local/ssl/include/openssl/ /usr/include/openssl echo '/usr/local/ssl/lib' >> /etc/ld.so.conf && ldconfig && \ /sbin/restorecon -v /usr/local/ssl/lib/libcrypto.so.1.0.0
四、安装 OpenSSH
4.1 卸载 OpenSSH 旧版本
OpenSSH 建议卸载旧版本,卸载前也可以备份一下。
# 备份 cp -r /usr/bin/ssh /usr/bin/ssh.bak && \ cp -r /usr/sbin/sshd /usr/sbin/sshd.bak && \ cp -r /usr/libexec/openssh/sftp-server /usr/libexec/openssh/sftp-server.bak && \ cp -r /etc/ssh /etc/ssh.bak # 卸载 # yum remove -y openssh openssh-server openssh-clients rpm -e `rpm -qa | grep openssh` --nodeps
4.2 安装 OpenSSH
wget http://ftp.eu.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.9p1.tar.gz && \ tar -zxf openssh-7.9p1.tar.gz && \ cd openssh-7.9p1 && \ ./configure --prefix=/usr/local/ssh \ --sysconfdir=/etc/ssh \ --with-ssl-dir=/usr/local/ssl \ --with-pam \ --with-tcp-wrappers \ --with-md5-passwords \ --with-zlib=zlib && \ make && make install echo "/usr/local/ssl/lib/" >> /etc/ld.so.conf.d/openssl.conf ldconfig
如果出现“Your OpenSSL headers do not match your library. ”配置以下三个变量,让其指向新版本的opnessl库文件:
DEFAULT_LIBPATH=/usr/local/ssl/include/openssl:/usr/local/ssl/lib/ && \ LIBPATH=${LIBPATH:=$DEFAULT_LIBPATH} && \ LD_LIBRARY_PATH=${LD_LIBRARY_PATH:=$DEFAULT_LIBPATH} && \ LIBRARY_PATH=${LIBRARY_PATH:=$DEFAULT_LIBPATH} && \ export LIBPATH LD_LIBRARY_PATH LIBRARY_PATH
更新系统库文件(选做)
yum -y install mlocate updatedb
4.3 替换旧版 OpenSSH
ln -s /usr/local/ssh/bin/ssh /usr/bin/ssh && \ ln -s /usr/local/ssh/sbin/sshd /usr/sbin/sshd && \ mkdir -p /usr/libexec/openssh/ && \ ln -s /usr/local/ssh/libexec/sftp-server /usr/libexec/openssh/sftp-server
4.4 开机自启动(方法1,不推荐)
cp contrib/redhat/sshd.init /etc/init.d/sshd sed -i 's/usr\/sbin/usr\/local\/ssh\/sbin/g' /etc/init.d/sshd sed -i 's/usr\/bin/usr\/local\/ssh\/bin/g' /etc/init.d/sshd chmod +x /etc/init.d/sshd chkconfig --add sshd systemctl reload sshd systemctl enable sshd systemctl restart sshd.service
4.5 开机自启动(systemd,推荐)
4.5.1 方法一:使用 sshd.socket
套接字
/usr/lib/systemd/system/sshd.socket
[Unit] Description=OpenSSH Server Socket Documentation=man:sshd(8) man:sshd_config(5) Conflicts=sshd.service Wants=sshd-keygen.service [Socket] ListenStream=0.0.0.0:22 Accept=yes [Install] WantedBy=sockets.target
/usr/lib/systemd/system/sshd-keygen.service
[Unit] Description=OpenSSH Server Key Generation ConditionFileNotEmpty=|!/etc/ssh/ssh_host_rsa_key ConditionFileNotEmpty=|!/etc/ssh/ssh_host_ecdsa_key ConditionFileNotEmpty=|!/etc/ssh/ssh_host_ed25519_key PartOf=sshd.service sshd.socket [Service] ExecStart=/usr/local/ssh/bin/ssh-keygen Type=oneshot RemainAfterExit=yes
/usr/lib/systemd/system/sshd@.service
配置文件,定义服务如何启动
[Unit] Description=OpenSSH per-connection server daemon Documentation=man:sshd(8) man:sshd_config(5) [Service] EnvironmentFile=-/etc/sysconfig/sshd ExecStart=-/usr/local/ssh/sbin/sshd -i $OPTIONS StandardInput=socket
/etc/sysconfig/sshd
# Configuration file for the sshd service. # The server keys are automatically generated if they are missing. # To change the automatic creation uncomment and change the appropriate # line. Accepted key types are: DSA RSA ECDSA ED25519. # The default is "RSA ECDSA ED25519" # AUTOCREATE_SERVER_KEYS="" # AUTOCREATE_SERVER_KEYS="RSA ECDSA ED25519" # Do not change this option unless you have hardware random # generator and you REALLY know what you are doing # SSH_USE_STRONG_RNG=0 # SSH_USE_STRONG_RNG=1
切换至
sshd.socket
自启动服务systemctl stop sshd.service systemctl disable sshd.service #systemctl daemon-reload #cat /etc/systemd/system/sockets.target.wants/sshd.socket systemctl enable sshd.socket systemctl start sshd.socket
4.5.2 方法二:使用 sshd.service
服务
/usr/lib/systemd/system/sshd.service
[Unit] Description=OpenSSH per-connection server daemon Documentation=man:sshd(8) man:sshd_config(5) [Service] EnvironmentFile=-/etc/sysconfig/sshd ExecStart=-/usr/local/ssh/sbin/sshd -i $OPTIONS StandardInput=socket
切换
systemctl mask --now sshd.socket systemctl restart sshd.service
参考文档:
五、安装 Telnet (可选,仅参考)
yum -y install xinetd telnet telnet-server
配置
vi /etc/securetty pts/0 pts/1
关闭 selinux
vim /etc/selinux/config SELINUX=disabled
防火墙
#默认zone为public 可以使用firewall-cmd --get-default-zone 来获取默认zone firewall-cmd --permanent --zone=public --add-port=23/tcp firewall-cmd --reload
自启动
systemctl enable telnet.socket && \ systemctl start telnet.socket && \ systemctl enable xinetd && \ systemctl start xinetd
telnet dmfy@192.168.10.251
最后更新:2019.02.13