Archived articles (2011-2017)

Date: 2017/07/15

1. Check the current version

ssh -V             # OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017 (7.4.1708)
openssl version    # OpenSSL 1.0.2k-fips 26 Jan 2017 (7.4.1708)
Note that ssh -V reports the OpenSSL version the ssh binary was linked against (it prints to stderr), which is the number that matters after the upgrade; openssl version only tells you which openssl command is first on PATH.

List the installed RPM packages (optional, for reference only)

rpm -qa | grep openssl
# openssl-libs-1.0.2k-16.el7.x86_64
# openssl-1.0.2k-16.el7.x86_64
# openssl-devel-1.0.2k-16.el7.x86_64
rpm -qa | grep openssh
# openssh-7.4p1-16.el7.x86_64
# openssh-server-7.4p1-16.el7.x86_64
# openssh-clients-7.4p1-16.el7.x86_64

2. Install dependencies

yum install -y wget curl gcc gcc-c++ make zlib-devel pam-devel
The original list also pulled in tcp_wrappers and tcp_wrappers-devel. They are not needed: OpenSSH dropped libwrap support in 6.7, so the 7.9p1 build below cannot use them (restrict access with AllowUsers/Match in sshd_config or with the firewall instead).

Install Perl (optional, for reference only; the OpenSSL build scripts only need a working perl, and the system perl on CentOS 7 is sufficient)

wget https://www.cpan.org/src/5.0/perl-5.28.1.tar.gz && \
tar -xzf perl-5.28.1.tar.gz && \
cd perl-5.28.1 && \
./Configure -des -Dprefix=/usr/local/perl && \
make && \
make install
perl -v

3. Install OpenSSL

OpenSSL installs under /usr/local/ssl by default and does not conflict with the distribution's copy. Do not uninstall the old version: a large part of the installed system (yum and curl among it) is linked against the distribution's libssl.so.10/libcrypto.so.10, and removing those libraries costs far more time fixing the resulting breakage than keeping two copies side by side.

3.1 Removing the existing version (for reference only; not required)

rpm -e `rpm -qa | grep openssh`
rpm -e `rpm -qa | grep openssl` --nodeps
The --nodeps forces removal even though other packages depend on openssl-libs, which is exactly why this is dangerous. If you removed it by mistake, copy the following files back into /usr/lib64/ from another machine running the same release, or reinstall the openssl-libs RPM (the exact file names depend on the installed release; the list below is from a 1.0.1e system, a 1.0.2k system has libcrypto.so.1.0.2k and libssl.so.1.0.2k):
libcrypto.so.10
libcrypto.so.1.0.1e
libssl.so.10
libssl.so.1.0.1e

3.2 Install OpenSSL

Note: the original text claimed that OpenSSL 1.1.x is incompatible with OpenSSH and that the latest 1.0.x release must be used. That is outdated: OpenSSH 7.7p1 and later (including the 7.9p1 built in section 4) compile against OpenSSL 1.1.x as well. Staying on 1.0.2 keeps the same API line as the system's 1.0.2k, but the 1.0.2 series reached end of life on 2019-12-31, so a new build today should use a supported release. Whichever tarball you pick, check it against the .sha256 and .asc files openssl.org publishes next to it before building, since this procedure compiles and installs the result as root.
wget https://www.openssl.org/source/openssl-1.0.2q.tar.gz && \
tar -zxf openssl-1.0.2q.tar.gz && \
cd openssl-1.0.2q && \
./config shared zlib && \
make depend && \
make && \
make install
shared builds libssl.so/libcrypto.so in addition to the static archives; OpenSSH is linked dynamically against them in section 4. The default prefix is /usr/local/ssl.
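Checking the download before building is the step the article skips. The following is an added example, not code from the article: a small POSIX shell helper that computes a tarball's SHA-256 with whichever tool the host has and refuses to proceed on a mismatch. It assumes the expected digest comes from a channel you trust (for openssl.org releases the .sha256 file published beside the tarball, ideally after verifying the .asc signature with gpg); the hash of a constructed sample file is used to exercise it.

```shell
#!/bin/sh
# Added example: verify a source tarball's SHA-256 before building it.
# Assumption: the expected digest is obtained from a trusted channel
# (openssl.org publishes <tarball>.sha256 and <tarball>.asc alongside each release).

# Print the hex SHA-256 of a file, using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{ print $1 }'
    else
        # "openssl dgst" prints "SHA256(file)= <hex>"; the digest is the last field
        openssl dgst -sha256 "$1" | awk '{ print $NF }'
    fi
}

# Return 0 if the file's digest equals the expected hex (case-insensitive,
# surrounding whitespace ignored), 1 otherwise. An empty expectation never passes.
verify_sha256() {
    actual=$(sha256_of "$1" | tr 'A-F' 'a-f')
    expected=$(printf '%s' "$2" | tr -d '[:space:]' | tr 'A-F' 'a-f')
    [ -n "$expected" ] && [ "$actual" = "$expected" ]
}

# Download a tarball plus its .sha256 file and verify before anyone extracts it.
# The .sha256 file on the same server only guards against a corrupt or tampered
# download in transit; for an independent check, verify the .asc with gpg too.
# Usage: fetch_and_verify https://www.openssl.org/source/openssl-1.0.2q.tar.gz
fetch_and_verify() {
    url=$1
    file=${url##*/}
    wget -q "$url" "$url.sha256" || return 1
    if verify_sha256 "$file" "$(cat "$file.sha256")"; then
        echo "$file: checksum OK"
    else
        echo "$file: CHECKSUM MISMATCH, not extracting" >&2
        rm -f "$file"
        return 1
    fi
}
```

Run fetch_and_verify with the tarball URL in place of the bare wget in 3.2 (and again for the OpenSSH tarball in 4.2, whose publishers provide a .asc signature rather than a .sha256, so there you pass the digest you obtained out of band to verify_sha256 directly).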

3.3 Put the new OpenSSL in front of the old one

mv /usr/bin/openssl /usr/bin/openssl.backup && \
mv /usr/include/openssl /usr/include/openssl.backup
ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl && \
ln -s /usr/local/ssl/include/openssl/ /usr/include/openssl
echo '/usr/local/ssl/lib' >> /etc/ld.so.conf && ldconfig && \
/sbin/restorecon -v /usr/local/ssl/lib/libcrypto.so.1.0.0
Only the openssl command and the headers are swapped. The RPM's libssl.so.10/libcrypto.so.10 stay in /usr/lib64 and every existing binary keeps loading them; the new build installs libssl.so.1.0.0/libcrypto.so.1.0.0 under /usr/local/ssl/lib with a different soname, so the ld.so.conf entry merely makes the new library findable for programs built against it (the OpenSSH of section 4). restorecon gives the freshly installed library its default SELinux label so it can be mapped under enforcing mode. Moving /usr/include/openssl aside means any later yum update of openssl-devel will recreate the directory next to your symlink; keep that in mind if configure starts picking up the wrong headers.

4. Install OpenSSH

4.1 Remove the old OpenSSH

For OpenSSH, removing the old version is recommended; back it up first. Do the whole of section 4 from a session you keep open (or from the console): removing openssh-server stops and disables the packaged sshd, and you want that session as a fallback until the new sshd accepts a fresh login.
# Back up
cp -r /usr/bin/ssh /usr/bin/ssh.bak && \
cp -r /usr/sbin/sshd /usr/sbin/sshd.bak && \
cp -r /usr/libexec/openssh/sftp-server /usr/libexec/openssh/sftp-server.bak && \
cp -r /etc/ssh /etc/ssh.bak
# Remove (either of the two)
# yum remove -y openssh openssh-server openssh-clients
rpm -e `rpm -qa | grep openssh` --nodeps
The backup of /etc/ssh matters most: it holds the host keys and sshd_config, and reusing them means clients see the same host key after the upgrade instead of a "host key changed" warning.

4.2 Install OpenSSH

wget http://ftp.eu.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.9p1.tar.gz && \
tar -zxf openssh-7.9p1.tar.gz && \
cd openssh-7.9p1 && \
./configure --prefix=/usr/local/ssh \
    --sysconfdir=/etc/ssh \
    --with-ssl-dir=/usr/local/ssl \
    --with-pam \
    --with-md5-passwords \
    --with-zlib && \
make && make install
echo "/usr/local/ssl/lib/" >> /etc/ld.so.conf.d/openssl.conf
ldconfig
Two flags from the original were dropped or corrected: --with-tcp-wrappers is not recognised by the 7.9p1 configure script (libwrap support was removed in OpenSSH 6.7; configure only warns and ignores it), and --with-zlib=zlib passed a bogus path, the plain --with-zlib picks up the system zlib-devel. Because --sysconfdir points at /etc/ssh, make install leaves an existing sshd_config and host keys alone and only generates what is missing. The ld.so.conf.d entry duplicates the one written in 3.3; one of the two is enough.
If configure stops with “Your OpenSSL headers do not match your library”, its test program was compiled against /usr/local/ssl/include but, when run, the dynamic loader resolved libcrypto to the system copy. Point the loader and linker at the new library and re-run ./configure:
export LD_LIBRARY_PATH=/usr/local/ssl/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}
export LIBRARY_PATH=/usr/local/ssl/lib${LIBRARY_PATH:+:$LIBRARY_PATH}
(The original also put the include directory into these library paths and set LIBPATH, which the Linux loader does not read; neither is needed.)
Refresh the locate database (optional):
yum -y install mlocate && updatedb

4.3 Put the new OpenSSH in place of the old one

ln -s /usr/local/ssh/bin/ssh /usr/bin/ssh && \
ln -s /usr/local/ssh/sbin/sshd /usr/sbin/sshd && \
mkdir -p /usr/libexec/openssh/ && \
ln -s /usr/local/ssh/libexec/sftp-server /usr/libexec/openssh/sftp-server
These ln -s calls fail with "File exists" if the old packages were not removed in 4.1. scp, sftp, ssh-keygen and ssh-copy-id also live in /usr/local/ssh/bin; either link them the same way or add that directory to PATH, otherwise the shell finds nothing (or the old RPM copies) for them. The sftp-server link matters because the Subsystem line in the existing sshd_config points at /usr/libexec/openssh/sftp-server.
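Before switching the service units over (4.4/4.5), it is worth proving that the binary you just linked really is the new one and really loads the new libcrypto, since sections 3.3 and 4.3 only changed symlinks. The script below is an added example and not part of the article; it assumes the article's prefixes /usr/local/ssh and /usr/local/ssl (overridable via SSH_PREFIX/SSL_PREFIX). The parsing helpers take command output as text so they can be exercised on constructed samples; the guarded block at the end runs the live checks only where the new sshd exists.

```shell
#!/bin/sh
# Added example: confirm a source-built sshd is the one in place and that it
# links the source-built OpenSSL, before the old sshd is stopped.
# Assumed prefixes (from the article); override via environment if different.
SSH_PREFIX=${SSH_PREFIX:-/usr/local/ssh}
SSL_PREFIX=${SSL_PREFIX:-/usr/local/ssl}

# "OpenSSH_7.9p1, OpenSSL 1.0.2q  20 Nov 2018" -> "7.9p1"
ssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9.]*p[0-9]*\).*/\1/p'
}

# Same input, or "openssl version" output, -> "1.0.2q" (a "-fips" suffix is dropped)
openssl_version() {
    printf '%s\n' "$1" | sed -n 's/.*OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p'
}

# From ldd output, print the path libcrypto resolves to (empty if not present)
libcrypto_path() {
    printf '%s\n' "$1" | awk '/libcrypto\.so/ {
        for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; exit } }'
}

# 0 if the ldd output shows libcrypto loaded from under directory $2, else 1
links_under() {
    case "$(libcrypto_path "$1")" in
        "$2"/*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Live checks: only run where the new binaries are installed, skipped elsewhere.
if [ -x "$SSH_PREFIX/sbin/sshd" ]; then
    v=$("$SSH_PREFIX/bin/ssh" -V 2>&1)        # ssh -V writes to stderr
    echo "new ssh: OpenSSH $(ssh_version "$v"), OpenSSL $(openssl_version "$v")"

    l=$(ldd "$SSH_PREFIX/sbin/sshd")
    if links_under "$l" "$SSL_PREFIX"; then
        echo "sshd loads $(libcrypto_path "$l")"
    else
        echo "WARNING: sshd loads $(libcrypto_path "$l"), not $SSL_PREFIX; check ldconfig" >&2
    fi

    # Syntax-check the existing config with the NEW binary. Then, while the
    # old session stays open, start it on a spare port in debug mode and log in
    # once; only switch the systemd units after that fresh login succeeds.
    "$SSH_PREFIX/sbin/sshd" -t -f /etc/ssh/sshd_config && \
        echo "config OK; trial run: $SSH_PREFIX/sbin/sshd -p 2222 -d"
fi
```

The ldd check is the one that catches the common failure on this page: an sshd that reports the new OpenSSH version but still resolves libcrypto.so.10 from /lib64 because ldconfig was never run after 3.3.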

4.4 Start at boot (method 1, SysV init script, not recommended)

cp contrib/redhat/sshd.init /etc/init.d/sshd
sed -i 's/usr\/sbin/usr\/local\/ssh\/sbin/g' /etc/init.d/sshd
sed -i 's/usr\/bin/usr\/local\/ssh\/bin/g' /etc/init.d/sshd
chmod +x /etc/init.d/sshd
chkconfig --add sshd
systemctl daemon-reload
systemctl enable sshd
systemctl restart sshd.service
The original ran systemctl reload sshd before the unit was registered; what is needed after chkconfig --add is a daemon-reload so systemd generates a unit for the new init script, then enable and restart. The two sed calls rewrite every /usr/sbin and /usr/bin path in the script, which is fine here because sshd, ssh-keygen and the rest all live under /usr/local/ssh, but check the result if you install elsewhere.

4.5 Start at boot (systemd, recommended)

4.5.1 Option 1: socket activation with sshd.socket

/usr/lib/systemd/system/sshd.socket

[Unit]
Description=OpenSSH Server Socket
Documentation=man:sshd(8) man:sshd_config(5)
Conflicts=sshd.service
Wants=sshd-keygen.service

[Socket]
ListenStream=0.0.0.0:22
Accept=yes

[Install]
WantedBy=sockets.target

Accept=yes makes systemd accept each TCP connection itself and spawn one sshd@.service instance (the template below) per connection. ListenStream=0.0.0.0:22 binds IPv4 only; ListenStream=22 would accept both address families.

/usr/lib/systemd/system/sshd-keygen.service

[Unit]
Description=OpenSSH Server Key Generation
ConditionFileNotEmpty=|!/etc/ssh/ssh_host_rsa_key
ConditionFileNotEmpty=|!/etc/ssh/ssh_host_ecdsa_key
ConditionFileNotEmpty=|!/etc/ssh/ssh_host_ed25519_key
PartOf=sshd.service sshd.socket

[Service]
ExecStart=/usr/local/ssh/bin/ssh-keygen -A
Type=oneshot
RemainAfterExit=yes

The original ExecStart invoked ssh-keygen with no arguments, which prompts interactively and fails under systemd; -A generates every missing host key type non-interactively. The Condition lines skip the unit entirely when all three keys exist, so the host keys kept from the RPM install in /etc/ssh are reused unchanged.

/usr/lib/systemd/system/sshd@.service
The per-connection unit, defining how each sshd instance is started:

[Unit]
Description=OpenSSH per-connection server daemon
Documentation=man:sshd(8) man:sshd_config(5)

[Service]
EnvironmentFile=-/etc/sysconfig/sshd
ExecStart=-/usr/local/ssh/sbin/sshd -i $OPTIONS
StandardInput=socket

-i runs sshd in inetd mode on the socket systemd hands it; the leading - on ExecStart tells systemd not to treat a non-zero exit (a failed login attempt, for instance) as a unit failure.

/etc/sysconfig/sshd

# Configuration file for the sshd service.

# The server keys are automatically generated if they are missing.
# To change the automatic creation uncomment and change the appropriate
# line. Accepted key types are: DSA RSA ECDSA ED25519.
# The default is "RSA ECDSA ED25519"
# AUTOCREATE_SERVER_KEYS=""
# AUTOCREATE_SERVER_KEYS="RSA ECDSA ED25519"

# Do not change this option unless you have hardware random
# generator and you REALLY know what you are doing
# SSH_USE_STRONG_RNG=0
# SSH_USE_STRONG_RNG=1

This file is the one shipped by the CentOS package. AUTOCREATE_SERVER_KEYS and SSH_USE_STRONG_RNG are read by Red Hat's sshd-keygen script and their patched sshd, not by the upstream 7.9p1 built here; with these units only an OPTIONS= line (extra sshd arguments) has any effect.

Switch over to the socket-activated service:
systemctl stop sshd.service
systemctl disable sshd.service
systemctl daemon-reload
systemctl enable sshd.socket
systemctl start sshd.socket
daemon-reload is required, not optional as in the original, because the unit files above were just written. Keep your current session open until a fresh ssh login through the socket succeeds; stopping sshd.service does not kill existing sessions, so this is your fallback.

4.5.2 Option 2: a standalone sshd.service

/usr/lib/systemd/system/sshd.service

[Unit]
Description=OpenSSH server daemon
Documentation=man:sshd(8) man:sshd_config(5)
After=network.target sshd-keygen.service
Wants=sshd-keygen.service

[Service]
EnvironmentFile=-/etc/sysconfig/sshd
ExecStart=/usr/local/ssh/sbin/sshd -D $OPTIONS
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure

[Install]
WantedBy=multi-user.target

The original copied the per-connection template (sshd -i with StandardInput=socket) under this name; that only works when systemd hands the process an accepted connection, so as a standalone service it would exit immediately. A standalone sshd must run in the foreground with -D and listen itself. KillMode=process stops only the listener on restart and leaves established sessions running; the packaged unit's Type=notify is omitted because upstream OpenSSH has no sd_notify support (that is a Red Hat patch).

Switch over:
systemctl mask --now sshd.socket
systemctl daemon-reload
systemctl enable sshd.service
systemctl restart sshd.service
Masking the socket is needed because it declares Conflicts=sshd.service; enable is what the original lacked, without it the service does not come back at boot.

5. Install Telnet (optional, for reference only)

Telnet transmits passwords and sessions in clear text. Its only legitimate role in this procedure is a temporary fallback so you cannot lock yourself out while sshd is being replaced; restrict it to the management network, and remove the firewall rule and disable the socket again as soon as the new sshd is confirmed working.
yum -y install xinetd telnet telnet-server
Configuration
/etc/securetty lists the terminals root may log in on; adding pseudo-terminals allows root over telnet, which is unnecessary if you log in as an unprivileged user (as in the example at the end) and then su or sudo:
vi /etc/securetty
pts/0
pts/1
Disable SELinux
vim /etc/selinux/config
SELINUX=disabled
This was the article's step, but it is not required: the distribution's telnet-server runs under the stock SELinux policy, so leave SELinux enforcing. Editing /etc/selinux/config only takes effect at the next boot anyway.
Firewall
# the default zone is public; firewall-cmd --get-default-zone shows it
firewall-cmd --permanent --zone=public --add-port=23/tcp
firewall-cmd --reload
Start at boot
systemctl enable telnet.socket && \
systemctl start telnet.socket && \
systemctl enable xinetd && \
systemctl start xinetd
Connect (the original wrote telnet dmfy@192.168.10.251, which telnet would try to resolve as a host name; the login name is passed with -l):
telnet -l dmfy 192.168.10.251
Last updated: 2019.02.13
If you have any questions about this article, feel free to contact me.