Offline upgrade of OpenSSH to version 8.4 on Red Hat 7

Author: 云惠网小编 | Published 2020-12-05 10:30:29
Abstract

Older OpenSSH releases have known security vulnerabilities, so the server is upgraded to a newer version; because this is a production environment, the upgrade is done offline.

Preparation


  • Linux system: Red Hat 7
  • Current ssh version: 6.6.1, to be upgraded to 8.4.
  • Download the OpenSSH 8.4 source package (the build dependency):
wget https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.4p1.tar.gz
  • Download the pam package:
    Link: https://pan.baidu.com/s/1q6PpkRYtCwLFuYoN1Q87LQ  Extraction code: ycps  (copy this text and open it in Baidu Netdisk; free link)

Upgrade procedure

  • Upload the install package and the dependency package to the /home/eastcom/ directory and extract the source archive
tar zxf openssh-8.4p1.tar.gz
  • Make root the owner of the new version's files
chown -R root.root /home/eastcom/openssh-8.4p1
  • Back up the old configuration to the /home/eastcom/ directory
cp -r /etc/ssh/ /home/eastcom/
  • Install the dependency package
rpm -ivh pam-devel-1.1.8-18.el7.x86_64.rpm
  • Delete the old files
rm -rf /etc/ssh/*
  • Change into the new openssh-8.4p1 directory
cd /home/eastcom/openssh-8.4p1
  • Configure, compile and install
./configure --prefix=/usr/ --sysconfdir=/etc/ssh --with-openssl-includes=/usr/local/ssl/include --with-ssl-dir=/usr/local/ssl --with-zlib --with-md5-passwords --with-pam && make && make install
  • Check the exit status of the build and install (0 means success; any other value means failure)
echo $?
  • Edit the sshd configuration file
vi /etc/ssh/sshd_config

    Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
    MACs hmac-sha2-256,hmac-sha2-512,hmac-sha1
    KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
    #PermitRootLogin yes
  • Copy the init script and the PAM file from the source tree into place, renaming them
cp -a contrib/redhat/sshd.init /etc/init.d/sshd
# sshd looks up the PAM service named "sshd", so the file must be /etc/pam.d/sshd (not sshd.pam)
cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd
  • Make the sshd init script executable and register the service
chmod +x /etc/init.d/sshd

chkconfig --add sshd

systemctl enable sshd
  • Delete the original systemd unit file or move it to another directory
mv /usr/lib/systemd/system/sshd.service /home/

chkconfig sshd on

systemctl enable sshd.socket
  • Start the sshd service
systemctl restart sshd

Note: the upgrade only counts as successful if this produces no errors.

  • Check the ssh version after the upgrade
ssh -V
OpenSSH_8.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
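
Post-upgrade checks for the procedure above, as an added Python example (not code from the original post): it flags private host keys whose mode is not 0600 (the cause of Error 1 below), lists the SHA-1 based entries in the post's MACs/KexAlgorithms lines so an administrator can see what a stricter policy would drop, and confirms the `ssh -V` banner. The sshd_config text is embedded from the post; scan_hostkeys() and its /etc/ssh default path are assumptions for use on the real host.

```python
import os
import re
import stat
# Added example for the upgrade procedure above, not the post's own code.
# scan_hostkeys() and its /etc/ssh default are assumptions for a real host.
def too_open(modes):
    """modes: {path: st_mode}. Return private host keys whose mode is not 0600.
    sshd ignores a key readable by group or others and exits with
    'no hostkeys available' once none is usable (see Error 1 below)."""
    return sorted(p for p, m in modes.items() if stat.S_IMODE(m) != 0o600)

def scan_hostkeys(ssh_dir="/etc/ssh"):
    """Collect st_mode of every ssh_host_*_key private file on the real host."""
    paths = [os.path.join(ssh_dir, f) for f in os.listdir(ssh_dir)
             if f.startswith("ssh_host_") and f.endswith("_key")]
    return {p: os.stat(p).st_mode for p in paths}

ALGO_OPTIONS = ("ciphers", "macs", "kexalgorithms")

def sha1_algorithms(sshd_config_text):
    """Return (option, algorithm) pairs that still rely on SHA-1.
    The post's MACs/KexAlgorithms lines keep hmac-sha1 and the *-sha1 key
    exchanges for old clients; this lists what a stricter policy would drop."""
    found = []
    for line in sshd_config_text.splitlines():
        parts = line.split(None, 1)  # a commented line starts with '#'
        if len(parts) == 2 and parts[0].lower() in ALGO_OPTIONS:
            for algo in parts[1].split(","):
                if "sha1" in algo.strip():
                    found.append((parts[0], algo.strip()))
    return found

def version_ok(banner, want="8.4p1"):
    """Check the `ssh -V` banner, e.g. 'OpenSSH_8.4p1, OpenSSL 1.0.2k-fips'."""
    m = re.match(r"OpenSSH_([0-9.]+p\d+)", banner)
    return bool(m) and m.group(1) == want

# Constructed sample input: the sshd_config lines given in the post.
SAMPLE_CONFIG = """\
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
MACs hmac-sha2-256,hmac-sha2-512,hmac-sha1
KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
#PermitRootLogin yes
"""

if __name__ == "__main__":
    for opt, algo in sha1_algorithms(SAMPLE_CONFIG):
        print("SHA-1 still enabled:", opt, algo)
    print("version ok:", version_ok("OpenSSH_8.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017"))
```

On the upgraded host, `too_open(scan_hostkeys())` run as root must return an empty list before `systemctl restart sshd` can succeed.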

Startup errors and solutions

Error 1: permission error on the host key

[root@db-01 eastcom]# systemctl status sshd
● sshd.service - SYSV: OpenSSH server daemon
   Loaded: loaded (/etc/rc.d/init.d/sshd; bad; vendor preset: enabled)
   Active: failed (Result: exit-code) since Tue 2020-11-03 15:08:27 CST; 1min 58s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 14206 ExecStart=/etc/rc.d/init.d/sshd start (code=exited, status=1/FAILURE)
 Main PID: 1355 (code=exited, status=0/SUCCESS)
   CGroup: /system.slice/sshd.service
           └─19856 /usr/sbin/sshd

Nov 03 15:08:27 db-01 sshd[14206]: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Nov 03 15:08:27 db-01 sshd[14206]: Permissions 0640 for '/etc/ssh/ssh_host_ed25519_key' are too open.
Nov 03 15:08:27 db-01 sshd[14206]: It is required that your private key files are NOT accessible by others.
Nov 03 15:08:27 db-01 sshd[14206]: This private key will be ignored.
Nov 03 15:08:27 db-01 sshd[14206]: sshd: no hostkeys available -- exiting.
Nov 03 15:08:27 db-01 systemd[1]: sshd.service: control process exited, code=exited status=1
Nov 03 15:08:27 db-01 sshd[14206]: [FAILED]
Nov 03 15:08:27 db-01 systemd[1]: Failed to start SYSV: OpenSSH server daemon.
Nov 03 15:08:27 db-01 systemd[1]: Unit sshd.service entered failed state.
Nov 03 15:08:27 db-01 systemd[1]: sshd.service failed.

Solution:

chmod 600 /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_ecdsa_key /etc/ssh/ssh_host_ed25519_key
  • Restart the sshd service
systemctl restart sshd

Error 2: an sshd process already exists

-- Unit sshd.service has begun starting up.
Nov 03 16:10:04 db-02 sshd[22919]: Starting sshd:GMSSL: pem_lib.c 863: pem_str = RSA PRIVATE KEY
Nov 03 16:10:04 db-02 sshd[22919]: GMSSL: pem_lib.c 864: suffix = PRIVATE KEY
Nov 03 16:10:04 db-02 sshd[22919]: GMSSL: pem_lib.c 869: p = PRIVATE KEY
Nov 03 16:10:04 db-02 sshd[22919]: GMSSL: pem_lib.c 863: pem_str = RSA PRIVATE KEY
Nov 03 16:10:04 db-02 sshd[22919]: GMSSL: pem_lib.c 864: suffix = PRIVATE KEY
Nov 03 16:10:04 db-02 sshd[22919]: GMSSL: pem_lib.c 869: p = PRIVATE KEY
Nov 03 16:10:04 db-02 sshd[22919]: GMSSL: pem_lib.c 863: pem_str = EC PRIVATE KEY
Nov 03 16:10:04 db-02 sshd[22919]: GMSSL: pem_lib.c 864: suffix = PRIVATE KEY
Nov 03 16:10:04 db-02 sshd[22919]: GMSSL: pem_lib.c 869: p = PRIVATE KEY
Nov 03 16:10:04 db-02 sshd[22919]: GMSSL: pem_lib.c 863: pem_str = EC PRIVATE KEY
Nov 03 16:10:04 db-02 sshd[22919]: GMSSL: pem_lib.c 864: suffix = PRIVATE KEY
Nov 03 16:10:04 db-02 sshd[22919]: GMSSL: pem_lib.c 869: p = PRIVATE KEY
Nov 03 16:10:04 db-02 sshd[22925]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.
Nov 03 16:10:04 db-02 sshd[22925]: error: Bind to port 22 on :: failed: Address already in use.
Nov 03 16:10:04 db-02 sshd[22925]: fatal: Cannot bind any address.
Nov 03 16:10:04 db-02 sshd[22919]: [  OK  ]
Nov 03 16:10:04 db-02 systemd[1]: PID file /var/run/sshd.pid not readable (yet?) after start.
Nov 03 16:15:05 db-02 systemd[1]: sshd.service start operation timed out. Terminating.
Nov 03 16:15:05 db-02 systemd[1]: Failed to start SYSV: OpenSSH server daemon.
-- Subject: Unit sshd.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- 
-- Unit sshd.service has failed.
-- 
-- The result is failed.
Nov 03 16:15:05 db-02 systemd[1]: Unit sshd.service entered failed state.
Nov 03 16:15:05 db-02 systemd[1]: sshd.service failed.
Nov 03 16:15:05 db-02 polkitd[992]: Unregistered Authentication Agent for unix-process:22913:943361681 (system bus name :1.5403, object path /org/freedesktop

Solution:

ps -ef|grep sshd
# kill the old sshd process shown, then restart

  • Restart the sshd service
systemctl restart sshd

Error 3: connection to the host fails

eastcom@server-01 ~]$ ssh root@196.168.10.72
/etc/ssh/ssh_config line 25: Unsupported option "gssapiauthentication"
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ECDSA key sent by the remote host is
SHA256:oXp8kQKrgUko1oc7UeG8cZRfHolQlPwIngqeNQGCYxA.
Please contact your system administrator.
Add correct host key in /home/eastcom/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/eastcom/.ssh/known_hosts:3
ECDSA host key for 196.168.10.72 has changed and you have requested strict checking.
Host key verification failed.

Solution:

# Remove the cached entry for the host from the local known_hosts file. Command: ssh-keygen -R "your remote server's IP address"
ssh-keygen -R "196.168.10.72"
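
The warning appears because the upgrade deleted and regenerated the host keys under /etc/ssh, so a changed key is expected here; before removing the known_hosts entry, confirm that the fingerprint in the warning is the one the server itself reports, which rules out an interposed host. Added Python example, not from the original post: it derives the SHA256 fingerprint from a public key line the same way `ssh-keygen -lf` does and compares it with the warning text; the ed25519 key in it is constructed, and the public key file path is an assumption.

```python
import base64
import hashlib
import re
import struct

# Added example (not the post's own code). SAMPLE_PUB is a constructed
# all-zero ed25519 key used only to exercise the code.

def _ssh_string(b):
    """Length-prefixed string, the wire format used inside a public key blob."""
    return struct.pack(">I", len(b)) + b

def fingerprint(pubkey_line):
    """SHA256 fingerprint of one OpenSSH public key line, as ssh-keygen -lf
    prints it: base64 of sha256 over the decoded key blob, padding stripped."""
    blob = base64.b64decode(pubkey_line.split()[1])
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def warning_fingerprint(text):
    """Pull the fingerprint the ssh client printed in its warning."""
    m = re.search(r"SHA256:[A-Za-z0-9+/]+", text)
    return m.group(0) if m else None

def host_key_matches(warning_text, server_pubkey_line):
    """True only when the key offered to the client is the server's own key.
    Read server_pubkey_line out of band (console or an existing session),
    e.g. from /etc/ssh/ssh_host_ecdsa_key.pub; only then clear the stale
    known_hosts entry with ssh-keygen -R."""
    return warning_fingerprint(warning_text) == fingerprint(server_pubkey_line)

SAMPLE_PUB = "ssh-ed25519 " + base64.b64encode(
    _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(32))).decode() + " constructed"

# The relevant lines of the warning shown in the post.
WARNING = """\
The fingerprint for the ECDSA key sent by the remote host is
SHA256:oXp8kQKrgUko1oc7UeG8cZRfHolQlPwIngqeNQGCYxA.
Offending ECDSA key in /home/eastcom/.ssh/known_hosts:3
"""

if __name__ == "__main__":
    print("warning says:", warning_fingerprint(WARNING))
    print("server key  :", fingerprint(SAMPLE_PUB))
    print("match:", host_key_matches(WARNING, SAMPLE_PUB))
```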
