OpenSSH download address
CentOS 6.x
Installing telnet
Before upgrading OpenSSH, as a precaution, first install telnet-server and start the related service.
yum install xinetd # install xinetd because telnet depends on it
yum install telnet-server
Edit the xinetd configuration file with vim /etc/xinetd.d/telnet
and set disable = no (the stock file has disable = yes, which keeps telnet switched off; the file below shows the result).
# default: on
# description: The telnet server serves telnet sessions; it uses \
# unencrypted username/password pairs for authentication.
service telnet
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
disable = no # set to no to enable telnet
}
Start the xinetd service, then make sure the firewall allows port 23 used by telnet, and the installation is done.
service xinetd restart
Installing the build environment and dependencies
Update openssl
yum update openssl
Install gcc, openssl-devel, pam-devel and rpm-build
yum install -y gcc openssl-devel pam-devel rpm-build
Installing OpenSSH
Back up the ssh directory
cp -r /etc/ssh /etc/ssh.bak
If you need to remove the old OpenSSH
rpm -qa | grep openssh # list the installed openssh packages
rpm -e `rpm -qa | grep openssh` --nodeps # remove the old openssh
Extract and install OpenSSH
tar -zxvf openssh-7.8p1.tar.gz
cd openssh-7.8p1 # the directory name must match the tarball version
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-md5-passwords
make && make install
Copy the init script to /etc/init.d
cd openssh-7.8p1
cp contrib/redhat/sshd.init /etc/init.d/sshd # the directory in the source tree is lowercase "redhat"
Add the init script to the boot sequence
chkconfig --add sshd # register with chkconfig
chkconfig sshd on # start at boot
chkconfig --list sshd # verify the setting
Start sshd
service sshd start # use start or reload; restart drops the connection and does not bring sshd back up
Check the ssh version
ssh -V
Uninstalling telnet
telnet is insecure; remove it once the ssh upgrade is complete.
CentOS 7.x
Installing telnet
Install and start
yum -y install xinetd telnet-server # install xinetd and telnet-server
systemctl enable xinetd.service # start xinetd at boot
systemctl enable telnet.socket # start telnet at boot
systemctl start telnet.socket # start telnet
systemctl start xinetd # start xinetd
Open port 23 in the firewall
firewall-cmd --state # check whether the firewall is running
firewall-cmd --list-all # list the ports already open in the firewall
firewall-cmd --permanent --add-service=telnet # permanently allow the telnet service
firewall-cmd --permanent --add-port=23/tcp # permanently open port 23/tcp
firewall-cmd --reload # reload the firewall configuration
Installing the build environment and dependencies
Update openssl
yum update openssl
Install the build environment
yum -y install gcc openssl-devel pam-devel # pam-devel is required by the --with-pam configure option used below
Installing OpenSSH
Back up the old ssh directory
cp -r /etc/ssh /etc/ssh.bak
If you need to remove the old OpenSSH
rpm -qa | grep openssh # list the installed openssh packages
rpm -e `rpm -qa | grep openssh` --nodeps # remove the old openssh
Extract and install OpenSSH
tar -zxvf openssh-7.8p1.tar.gz
cd openssh-7.8p1 # the directory name must match the tarball version
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-md5-passwords
make && make install
The following error may appear:
ssh-keygen: generating new host keys: DSA
/usr/sbin/sshd -t -f /etc/ssh/sshd_config
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_rsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
key_load_private: bad permissions
Could not load host key: /etc/ssh/ssh_host_rsa_key
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_ecdsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
key_load_private: bad permissions
Could not load host key: /etc/ssh/ssh_host_ecdsa_key
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_ed25519_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
key_load_private: bad permissions
Could not load host key: /etc/ssh/ssh_host_ed25519_key
First try re-applying the permissions on these files, then run make install again
chmod 600 /etc/ssh/ssh_host_rsa_key
chmod 600 /etc/ssh/ssh_host_ecdsa_key
chmod 600 /etc/ssh/ssh_host_ed25519_key
If that does not work, regenerate the keys. First
cd /etc/ssh
then delete the key files with the ssh_host prefix, run the following to generate new keys, and then run make install again
ssh-keygen -t rsa -N '' -f /etc/ssh/ssh_host_rsa_key # -N '' : host keys must have an empty passphrase
ssh-keygen -t ecdsa -N '' -f /etc/ssh/ssh_host_ecdsa_key
ssh-keygen -t ed25519 -N '' -f /etc/ssh/ssh_host_ed25519_key # the key type must match the file name
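As an added example (not part of the original post), a small pre-flight script for the "UNPROTECTED PRIVATE KEY FILE" failure above: it scans a directory for ssh_host_*_key files (assumed to follow the naming used on this page), reports any that are group- or world-readable, tightens them to 0600, and then runs the same sshd -t configuration test that make install ran.

```shell
#!/bin/sh
# Added example (not from the original post): a pre-flight check for the
# "UNPROTECTED PRIVATE KEY FILE" failure shown above. sshd ignores any host
# private key that is group- or world-readable, so we scan the ssh_host_*_key
# files in a directory (assumed to follow that naming, as on this page),
# report the ones that are too open, and tighten them to 0600.

# Print "path (mode)" for every private host key in $1 wider than 0600/0400.
# Returns 0 when every key is owner-only, 1 when at least one is too open.
find_open_host_keys() {
    dir=$1
    bad=0
    for key in "$dir"/ssh_host_*_key; do
        [ -f "$key" ] || continue          # pattern matched nothing
        mode=$(stat -c %a "$key")          # octal permission bits, e.g. 640
        case "$mode" in
            600|400) ;;                    # owner-only: acceptable to sshd
            *) echo "$key ($mode)"; bad=1 ;;
        esac
    done
    return $bad
}

# Tighten every private host key in $1 to 0600, the mode sshd expects.
# Public halves (*.pub) are left alone; they are meant to be world-readable.
fix_host_key_modes() {
    for key in "$1"/ssh_host_*_key; do
        [ -f "$key" ] && chmod 600 "$key"
    done
    return 0
}

# Full pre-flight: fix key modes, then let sshd parse the config (-t) without
# starting it, the same test "make install" ran. Returns sshd's exit status.
sshd_preflight() {
    dir=${1:-/etc/ssh}
    fix_host_key_modes "$dir"
    /usr/sbin/sshd -t -f "$dir/sshd_config"
}
```

Run sshd_preflight before service sshd start; a non-zero status means the configuration or the host keys still need attention.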
Copy the init script to /etc/init.d
cd openssh-7.8p1
cp contrib/redhat/sshd.init /etc/init.d/sshd # the directory in the source tree is lowercase "redhat"
Add the init script to the boot sequence
chkconfig --add sshd # register with chkconfig
chkconfig sshd on # start at boot
chkconfig --list sshd # verify the setting
Start sshd
service sshd start # use start or reload; restart drops the connection and does not bring sshd back up
Check the ssh version
ssh -V
Other problems
After installation you may be unable to connect; turning SELinux off resolves it.
getenforce # show the current SELinux state: permissive - policy not enforced (violations only logged); enforcing - policy enforced
setenforce 0 # temporarily switch SELinux: 0 - permissive; 1 - enforcing
Edit the file with vim /etc/selinux/config
to set SELinux permanently.
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=permissive
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
Uninstalling telnet
telnet is insecure; remove it once the ssh upgrade is complete.
ssh configuration file
Path
/etc/ssh/sshd_config
Contents
To allow root to log in directly, change #PermitRootLogin prohibit-password
to PermitRootLogin yes
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
End.