相關說明
CentOS6.5 自帶的SSH版本太低,安全檢查報有漏洞,需要升級版本。
本文使用openssh-7.3p1的版本進行源碼升級安裝。
升級OpenSSH不難,難的是在升級前的基礎環境安裝。需要以下的軟件:
- gcc-c++
- zlib
- OpenSSL
- pam
升級OpenSSH
基礎環境安裝
yum安裝
應該是最方便的方法了。
yum -y gcc-c++,zlib,zlib-devel,openssl,openssl-devel,pam-devel
rpm安裝
由于第一次升級沒有外網環境,一個個找依賴關系,相當麻煩。也虧的我當時耐心那么好,都找全了。
現在想想,其實可以把鏡像上傳到服務器,再配個yum源就行了。
不過當時把步驟都記下來了,拿出來分享一下吧。
- gcc-c++安裝步驟
順序不能顛倒,否則會報錯
rpm -ivh ppl-0.10.2-11.el6.x86_64.rpm
rpm -ivh cloog-ppl-0.15.7-1.2.el6.x86_64.rpm
rpm -ivh mpfr-2.4.1-6.el6.x86_64.rpm
rpm -ivh cpp-4.4.7-17.el6.x86_64.rpm
rpm -Uvh kernel-headers-2.6.32-642.el6.x86_64.rpm
rpm -Uvh tzdata-2016c-1.el6.noarch.rpm
rpm -Uvh glibc-devel-2.12-1.192.el6.x86_64.rpm glibc-2.12-1.192.el6.x86_64.rpm glibc-headers-2.12-1.192.el6.x86_64.rpm glibc-common-2.12-1.192.el6.x86_64.rpm
rpm -Uvh libgcc-4.4.7-17.el6.x86_64.rpm
rpm -Uvh libgomp-4.4.7-17.el6.x86_64.rpm
rpm -ivh gcc-4.4.7-17.el6.x86_64.rpm
rpm -Uvh libstdc++-4.4.7-17.el6.x86_64.rpm
rpm -ivh libstdc++-devel-4.4.7-17.el6.x86_64.rpm
rpm -ivh gcc-c++-4.4.7-17.el6.x86_64.rpm
- zlib安裝步驟
rpm -ivh zlib-devel-1.2.3-29.el6.x86_64.rpm
- OpenSSL安裝步驟
順序不能電腦,否則會報錯。
rpm -Uvh keyutils-1.4-5.el6.x86_64.rpm keyutils-libs-1.4-5.el6.x86_64.rpm keyutils-libs-devel-1.4-5.el6.x86_64.rpm
rpm -Uvh krb5-libs-1.10.3-57.el6.x86_64.rpm krb5-workstation-1.10.3-57.el6.x86_64.rpm
rpm -Uvh libselinux-2.0.94-7.el6.x86_64.rpm libselinux-utils-2.0.94-7.el6.x86_64.rpm libselinux-python-2.0.94-7.el6.x86_64.rpm
rpm -ivh libsepol-devel-2.0.41-4.el6.x86_64.rpm
rpm -ivh libselinux-devel-2.0.94-7.el6.x86_64.rpm
rpm -Uvh e2fsprogs-libs-1.41.12-22.el6.x86_64.rpm e2fsprogs-1.41.12-22.el6.x86_64.rpm libss-1.41.12-22.el6.x86_64.rpm libcom_err-1.41.12-22.el6.x86_64.rpm
rpm -ivh krb5-devel-1.10.3-57.el6.x86_64.rpm libcom_err-devel-1.41.12-22.el6.x86_64.rpm
rpm -Uvh openssl-devel-1.0.1e-48.el6.x86_64.rpm openssl-1.0.1e-48.el6.x86_64.rpm
- pam安裝步驟
rpm -Uvh pam-devel-1.1.1-22.el6.x86_64.rpm pam-1.1.1-22.el6.x86_64.rpm
源碼安裝
只做過zlib和OpenSSL的源碼安裝。
- zlib源碼安裝
[root@localhost tmp]# tar xf zlib-1.2.8.tar.gz
[root@localhost tmp]# cd zlib-1.2.8
[root@localhost zlib-1.2.8]# ./configure --prefix=/usr/local/zlib
Checking for gcc...
Checking for shared library support...
Building shared library libz.so.1.2.8 with gcc.
Checking for off64_t... Yes.
Checking for fseeko... Yes.
Checking for strerror... Yes.
Checking for unistd.h... Yes.
Checking for stdarg.h... Yes.
Checking whether to use vs[n]printf() or s[n]printf()... using vs[n]printf().
Checking for vsnprintf() in stdio.h... Yes.
Checking for return value of vsnprintf()... Yes.
Checking for attribute(visibility) support... Yes.
[root@localhost zlib-1.2.8]# make
[root@localhost zlib-1.2.8]# make install
- OpenSSL源碼安裝
[root@localhost tmp]# tar zxf openssl-1.0.2h.tar.gz
[root@localhost tmp]# cd openssl-1.0.2h
[root@localhost openssl-1.0.2h]# ./config --prefix=/usr/local/openssl --shared
[root@localhost openssl-1.0.2h]# make depend
[root@localhost openssl-1.0.2h]# make
[root@localhost openssl-1.0.2h]# make test
[root@localhost openssl-1.0.2h]# make install
源碼安裝OpenSSH
安裝前最好先開啟telnet服務,以防升級失敗,無法使用ssh登錄時可以使用telnet。
# 卸載舊版本openssh,卸載可以在make之后進行。
rpm -qa | grep openssh
rpm -e --nodeps `rpm -qa | grep openssh`
# 升級新版本
# --with-ssl-dir=*** 選項,在OpenSSL不是默認安裝路徑的時候添加。
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/openssl --with-zlib=/usr/local/zlib --with-md5-passwords --with-pam
make
make install
# 復制配置文件
cp ssh_config /etc/ssh/
cp sshd_config /etc/ssh/
cp moduli /etc/ssh/
# 復制啟動腳本到/etc/init.d
# 根據安裝路徑情況,可能需要修改啟動腳本中sshd的路徑
cp contrib/redhat/sshd.init /etc/init.d/sshd
/usr/sbin/sshd -t -f /etc/ssh/sshd_config
# 加入開機自啟
chkconfig --add sshd
chkconfig sshd on
chkconfig sshd --list
# 開啟root用戶遠程登錄。
# 此步驟不是必須。建議是關閉該選項,開啟會有安全隱患。
vi /etc/ssh/sshd_config
PermitRootLogin yes
# 開啟SSH服務
# 千萬不能restart。使用restart會造成連不上,需要登錄控制臺啟動。
service sshd start
相關依賴包和安裝包下載
已經上傳到度娘。
鏈接: http://pan.baidu.com/s/1jIK7gJs 密碼: er2c
