Upgrading OpenSSH on CentOS

A remotely exploitable OpenSSH vulnerability was disclosed recently, so the OpenSSH version on existing servers needs to be upgraded. At the time of writing the newest release on the official site is 7.7; the walkthrough below installs 7.3p1 from source, and the same steps apply to any newer release tarball.

Check the current version

# ssh -V
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013

The el6_9 package names further down show that this is a CentOS 6 host, which is why service and chkconfig (SysV init) are used throughout.

Install the Telnet service

Telnet is installed so that the server can still be reached after OpenSSH is uninstalled: the upgrade removes the very sshd that the current session depends on. Telnet sends usernames and passwords in cleartext, so treat it strictly as a temporary fallback: enable it only for the duration of the upgrade, reach it over a trusted management network rather than the Internet, and disable it again as soon as a login to the new sshd has been verified.

Install the packages

# yum -y install telnet-server* telnet

Edit the configuration

# vim /etc/xinetd.d/telnet

Change the disable field from yes to no so that xinetd accepts telnet connections (chkconfig telnet on makes the same change). This only enables the service: whether root may log in over telnet is governed by /etc/securetty through pam_securetty, which is dealt with in the next section. Both changes are to be reverted once the upgrade is finished.

Start the service

# service xinetd start
Starting xinetd: [ OK ]

Before going any further, open a telnet session to the host from a second terminal and confirm that you can log in (as a regular user, then su to root); do not remove OpenSSH until that works.

Enable at boot

# chkconfig xinetd on

This only matters if the host reboots part-way through the upgrade, but in that case it is the difference between a reachable machine and one with neither sshd nor telnet listening.
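The telnet steps above (enable the service, use it, disable it again) are easy to get wrong when done by hand on several hosts. The following is an added example written for this page, not code from the original post: two small helpers that switch the fallback on and off by editing the xinetd service file in place, plus an only_from restriction (an xinetd access-control attribute) so the cleartext service is only reachable from the management network while it is enabled. The file path, the 10.0.0.0/8 network and the sample service file are placeholders and constructed input chosen for illustration.

```sh
# Added example (not part of the original post): switch the temporary telnet
# fallback on and off without hand-editing /etc/xinetd.d/telnet. The file path
# and the source network (10.0.0.0/8 in the usage note) are supplied by the caller.

# Print the value of ATTR from an xinetd service file. Only "attr = value"
# lines count; "attr += value" lines such as log_on_failure are ignored.
xinetd_get() {
    awk -v attr="$2" '$1 == attr && $2 == "=" { sub(/^[^=]*=[ \t]*/, ""); print }' "$1"
}

# Set "ATTR = VALUE" inside the service { } block: replace the existing line,
# or insert one just before the closing brace if the attribute is absent.
xinetd_set() {
    local file=$1 attr=$2 value=$3 tmp rc
    tmp=$(mktemp) || return 1
    awk -v attr="$attr" -v value="$value" '
        BEGIN { done = 0 }
        $1 == attr && $2 == "=" { print "\t" attr "\t= " value; done = 1; next }
        /^}/ && !done          { print "\t" attr "\t= " value; done = 1 }
        { print }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the file's mode and owner
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Open the fallback. Telnet is cleartext, so limit it to the given source
# network(s) with only_from for as long as it is enabled.
telnet_fallback_on() {
    [ -n "$2" ] || { echo "usage: telnet_fallback_on FILE NETWORK" >&2; return 1; }
    xinetd_set "$1" only_from "$2" && xinetd_set "$1" disable no
}

# Close it again once a fresh login to the upgraded sshd has succeeded.
telnet_fallback_off() {
    xinetd_set "$1" disable yes
}

# Constructed sample in the layout of CentOS 6's /etc/xinetd.d/telnet, for
# trying the helpers on a scratch copy before touching the real file.
sample_xinetd_telnet() {
    cat > "$1" <<'EOF'
# default: on
# description: The telnet server serves telnet sessions; it uses \
#       unencrypted username/password pairs for authentication.
service telnet
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        disable         = yes
}
EOF
}

# On the real host (xinetd re-reads its service files on reload):
#   telnet_fallback_on  /etc/xinetd.d/telnet 10.0.0.0/8 && service xinetd reload
#   ... upgrade, then confirm a new ssh login works from a second terminal ...
#   telnet_fallback_off /etc/xinetd.d/telnet && service xinetd reload
```

The edit is done through a temporary file that is then copied over the original with cat rather than mv, so the service file keeps its ownership and mode; xinetd only picks the change up after a reload, which is why the usage note pairs each call with service xinetd reload.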

Uninstall the existing OpenSSH

Back up the original files

# mv /etc/securetty /etc/securetty.old
# mv /etc/init.d/sshd /etc/init.d/sshd.old

These are renames rather than copies, and each has a side effect that matters below. Moving /etc/securetty away is what makes root login over telnet possible: pam_securetty confines root to the terminals listed in that file only while the file exists, and a telnet session runs on a pts/N pseudo-terminal that is not listed. A narrower alternative is to keep the file and temporarily add the pts/N entries you need. Moving the sshd init script away is what makes the openssh-server %preun scriptlet fail in the next step. Restore /etc/securetty as soon as the upgrade is done.

Uninstall

# rpm -qa | grep openssh
openssh-clients-5.3p1-123.el6_9.x86_64
openssh-5.3p1-123.el6_9.x86_64
openssh-server-5.3p1-123.el6_9.x86_64

# rpm -e --nodeps openssh-5.3p1-123.el6_9.x86_64
warning: erase unlink of /etc/ssh/moduli failed: No such file or directory
warning: erase unlink of /etc/ssh failed: No such file or directory

# rpm -e --nodeps openssh-server-5.3p1-123.el6_9.x86_64
error reading information on service sshd: No such file or directory
error: %preun(openssh-server-5.3p1-123.el6_9.x86_64) scriptlet failed, exit status 1

# rpm -e --noscripts openssh-server-5.3p1-123.el6_9.x86_64
warning: erase unlink of /etc/ssh/sshd_config failed: No such file or directory
warning: erase unlink of /etc/rc.d/init.d/sshd failed: No such file or directory

# rpm -e --nodeps openssh-clients-5.3p1-123.el6_9.x86_64
warning: erase unlink of /etc/ssh/ssh_config failed: No such file or directory
# rpm -qa | grep openssh

The "erase unlink ... No such file or directory" warnings are harmless: rpm is trying to delete package files that were already gone (on this host /etc/ssh itself no longer existed). The %preun scriptlet of openssh-server fails because it runs chkconfig --del sshd, and the init script was moved to /etc/init.d/sshd.old in the previous step; --noscripts skips the scriptlet so the package can still be erased. --nodeps is needed because the three packages depend on one another. The final rpm -qa | grep openssh printing nothing confirms that all three are gone.

Install the new OpenSSH

Install the build dependencies

# yum install -y gcc openssl-devel pam-devel rpm-build

openssl-devel and pam-devel supply the headers for the --with-openssl-includes and --with-pam options used below.

Download the source

# wget http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.3p1.tar.gz

As noted at the top, 7.7 was the newest release at the time; substitute the current one and use HTTPS where the mirror offers it. Whichever version you take, also fetch the detached signature published next to the tarball (openssh-7.3p1.tar.gz.asc) and verify it with gpg against the OpenSSH release-signing key before unpacking: a plain-HTTP download is otherwise trivially replaceable by anyone on the path.

Extract

# tar -zxvf openssh-7.3p1.tar.gz

Enter the source directory

# cd openssh-7.3p1

Configure the build

# ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-zlib --with-openssl-includes=/usr --with-privsep-path=/var/lib/sshd

--prefix=/usr and --sysconfdir=/etc/ssh put the binaries and configuration where the removed packages had them, so existing paths and the init script installed below keep working. --with-pam compiles PAM support in but does not turn it on; that is the UsePAM directive in sshd_config. --with-privsep-path names the empty directory that sshd chroots its unprivileged pre-authentication process into: it must be owned by root and not be group- or world-writable, and the sshd privilege-separation user must exist (rpm -e does not delete the user the old package created). Confirm both with id sshd and ls -ld /var/lib/sshd before starting the new daemon.

Build and install

# make
# make install

make install copies the binaries under /usr, installs default ssh_config and sshd_config into /etc/ssh only if none are present, and generates any host keys missing from /etc/ssh. If the old host keys are still there they are kept and clients notice nothing; if they were lost (as the rpm warnings above suggest for this host), every client that had the old key cached will see a changed-host-key warning on its next connection.

Edit the configuration

# vim /etc/ssh/sshd_config

Since OpenSSH 7.0 the default for PermitRootLogin is prohibit-password: root can log in with a key, but not with a password. This walkthrough sets PermitRootLogin to yes in /etc/ssh/sshd_config (appending the line if it is not there) so that root can log in with a password as before. The safer choice is to leave the default and put root's public key in /root/.ssh/authorized_keys, or to log in as an unprivileged user and use sudo. Two related points: if you want PAM you must also set UsePAM yes and provide /etc/pam.d/sshd, which the removed openssh-server package used to own and which the source tree ships as contrib/redhat/sshd.pam; and a directive placed after a Match block applies only to that block, so add global settings above any Match line rather than blindly at the end of the file. Run sshd -t before restarting to catch syntax errors.

Add the service and start it

# cp -p contrib/redhat/sshd.init /etc/init.d/sshd
# chmod +x /etc/init.d/sshd
# chkconfig --add sshd
# chkconfig sshd on
# chkconfig --list sshd
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
# service sshd restart

The init script comes from the source tree's contrib/redhat directory and replaces the one the rpm provided (the copy moved to /etc/init.d/sshd.old can be deleted). Keep the telnet session open while restarting, and verify the new daemon from a second terminal with a fresh ssh login (and a root login, if that is wanted) before closing the fallback.

Check the version

# ssh -V
OpenSSH_7.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013

The OpenSSL part of the banner is unchanged because the new build links against the system OpenSSL from openssl-devel; upgrading OpenSSH does not upgrade OpenSSL, which must be patched separately through yum. ssh -V reports the client binary; to confirm the daemon that is actually listening, connect with ssh -v and read the "remote software version" line, or look at the banner the server sends on port 22.
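The sshd_config edit above and this version check both lend themselves to a scripted form that can be run on every host being upgraded. The following is an added example written for this page, not code from the original post or from the OpenSSH project. The sample sshd_config it writes is constructed in the shape of the stock file (commented-out defaults plus a Match block), and the minimum version and the file paths in the usage note are assumptions chosen for illustration. sshd uses the first value it finds for a keyword, so the helper writes a directive at the first place sshd would read it, replacing a commented-out default where one exists and staying above any Match block, and drops later active duplicates; the second half parses the ssh -V banner so that the upgrade can be asserted rather than eyeballed.

```sh
# Added example (not part of the original post): idempotent sshd_config edits
# and a post-upgrade version check. Paths and the minimum version are passed
# in by the caller so the helpers can be tried on a scratch copy first.

# Set "KEY VALUE" in FILE where sshd will actually honour it: at the first
# occurrence of KEY (active or commented-out default) above any Match block.
# Later active duplicates are removed; later comments are left alone.
sshd_set_option() {
    local file=$1 key=$2 value=$3 tmp rc
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        BEGIN { done = 0; in_match = 0 }
        # a Match block starts conditional settings: global keywords must precede it
        tolower($1) == "match" && !in_match {
            in_match = 1
            if (!done) { print key " " value; done = 1 }
        }
        {
            k = $1; sub(/^#+/, "", k)
            if (!in_match && tolower(k) == tolower(key)) {
                if (!done) { print key " " value; done = 1 }  # first hit becomes the setting
                else if ($1 ~ /^#/) { print }                  # keep later comments
                next                                           # drop later active duplicates
            }
            print
        }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps the file's mode and owner
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Print the effective global value of KEY (first active line above any Match).
sshd_get_option() {
    awk -v key="$2" '
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { sub(/^[^ \t]+[ \t]+/, ""); print; exit }
    ' "$1"
}

# Extract "5.3p1" from a banner such as "OpenSSH_5.3p1, OpenSSL 1.0.1e-fips ...".
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9.]*\(p[0-9]*\)\{0,1\}\).*/\1/p'
}

# Compare major.minor numerically (the pN portable suffix is ignored).
version_ge() {
    local a=${1%%p*} b=${2%%p*} amaj amin bmaj bmin
    case $a in *.*) ;; *) a=$a.0 ;; esac
    case $b in *.*) ;; *) b=$b.0 ;; esac
    amaj=${a%%.*}; amin=${a#*.}; amin=${amin%%.*}
    bmaj=${b%%.*}; bmin=${b#*.}; bmin=${bmin%%.*}
    [ "$amaj" -gt "$bmaj" ] || { [ "$amaj" -eq "$bmaj" ] && [ "$amin" -ge "$bmin" ]; }
}

# Succeed only if BANNER reports at least version MINIMUM.
check_sshd_upgrade() {
    local banner=$1 minimum=$2 v
    v=$(openssh_version "$banner")
    [ -n "$v" ] || { echo "unrecognised banner: $banner" >&2; return 2; }
    version_ge "$v" "$minimum"
}

# Constructed sample in the shape of the stock sshd_config that make install
# leaves in /etc/ssh, for trying the helpers on a scratch copy.
sample_sshd_config() {
    cat > "$1" <<'EOF'
#Port 22
#PermitRootLogin prohibit-password
#PubkeyAuthentication yes
#UsePAM no
Subsystem sftp /usr/libexec/sftp-server
Match User backup
    PasswordAuthentication no
EOF
}

# On the real host (ssh -V prints its banner on stderr, hence 2>&1):
#   sshd_set_option /etc/ssh/sshd_config PermitRootLogin prohibit-password
#   sshd_set_option /etc/ssh/sshd_config UsePAM yes
#   sshd -t && service sshd restart
#   check_sshd_upgrade "$(ssh -V 2>&1)" 7.3 && echo "upgrade confirmed"
```

The usage note sets prohibit-password rather than the yes used in the walkthrough; swap the value if password logins for root really are required. Because check_sshd_upgrade reads whatever banner it is given, the same function can be pointed at the "remote software version" line from ssh -v to check the running daemon instead of the local client binary.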

At this point the OpenSSH upgrade is complete!

Don't forget to turn off remote root access via telnet: set disable back to yes in /etc/xinetd.d/telnet (or chkconfig telnet off) and reload xinetd, restore /etc/securetty from /etc/securetty.old, and remove telnet-server altogether if the fallback is no longer needed.