相关说明
CentOS6.5 自带的SSH版本太低,安全检查报有漏洞,需要升级版本。
本文使用openssh-7.3p1的版本进行源码升级安装。
升级OpenSSH不难,难的是在升级前的基础环境安装。需要以下的软件:
- gcc-c++
- zlib
- OpenSSL
- pam
升级OpenSSH
基础环境安装
yum安装
应该是最方便的方法了。
yum -y gcc-c++,zlib,zlib-devel,openssl,openssl-devel,pam-devel
rpm安装
由于第一次升级没有外网环境,一个个找依赖关系,相当麻烦。也亏的我当时耐心那么好,都找全了。
现在想想,其实可以把镜像上传到服务器,再配个yum源就行了。
不过当时把步骤都记下来了,拿出来分享一下吧。
- gcc-c++安装步骤
顺序不能颠倒,否则会报错
rpm -ivh ppl-0.10.2-11.el6.x86_64.rpm
rpm -ivh cloog-ppl-0.15.7-1.2.el6.x86_64.rpm
rpm -ivh mpfr-2.4.1-6.el6.x86_64.rpm
rpm -ivh cpp-4.4.7-17.el6.x86_64.rpm
rpm -Uvh kernel-headers-2.6.32-642.el6.x86_64.rpm
rpm -Uvh tzdata-2016c-1.el6.noarch.rpm
rpm -Uvh glibc-devel-2.12-1.192.el6.x86_64.rpm glibc-2.12-1.192.el6.x86_64.rpm glibc-headers-2.12-1.192.el6.x86_64.rpm glibc-common-2.12-1.192.el6.x86_64.rpm
rpm -Uvh libgcc-4.4.7-17.el6.x86_64.rpm
rpm -Uvh libgomp-4.4.7-17.el6.x86_64.rpm
rpm -ivh gcc-4.4.7-17.el6.x86_64.rpm
rpm -Uvh libstdc++-4.4.7-17.el6.x86_64.rpm
rpm -ivh libstdc++-devel-4.4.7-17.el6.x86_64.rpm
rpm -ivh gcc-c++-4.4.7-17.el6.x86_64.rpm
- zlib安装步骤
rpm -ivh zlib-devel-1.2.3-29.el6.x86_64.rpm
- OpenSSL安装步骤
顺序不能电脑,否则会报错。
rpm -Uvh keyutils-1.4-5.el6.x86_64.rpm keyutils-libs-1.4-5.el6.x86_64.rpm keyutils-libs-devel-1.4-5.el6.x86_64.rpm
rpm -Uvh krb5-libs-1.10.3-57.el6.x86_64.rpm krb5-workstation-1.10.3-57.el6.x86_64.rpm
rpm -Uvh libselinux-2.0.94-7.el6.x86_64.rpm libselinux-utils-2.0.94-7.el6.x86_64.rpm libselinux-python-2.0.94-7.el6.x86_64.rpm
rpm -ivh libsepol-devel-2.0.41-4.el6.x86_64.rpm
rpm -ivh libselinux-devel-2.0.94-7.el6.x86_64.rpm
rpm -Uvh e2fsprogs-libs-1.41.12-22.el6.x86_64.rpm e2fsprogs-1.41.12-22.el6.x86_64.rpm libss-1.41.12-22.el6.x86_64.rpm libcom_err-1.41.12-22.el6.x86_64.rpm
rpm -ivh krb5-devel-1.10.3-57.el6.x86_64.rpm libcom_err-devel-1.41.12-22.el6.x86_64.rpm
rpm -Uvh openssl-devel-1.0.1e-48.el6.x86_64.rpm openssl-1.0.1e-48.el6.x86_64.rpm
- pam安装步骤
rpm -Uvh pam-devel-1.1.1-22.el6.x86_64.rpm pam-1.1.1-22.el6.x86_64.rpm
源码安装
只做过zlib和OpenSSL的源码安装。
- zlib源码安装
[root@localhost tmp]# tar xf zlib-1.2.8.tar.gz
[root@localhost tmp]# cd zlib-1.2.8
[root@localhost zlib-1.2.8]# ./configure --prefix=/usr/local/zlib
Checking for gcc...
Checking for shared library support...
Building shared library libz.so.1.2.8 with gcc.
Checking for off64_t... Yes.
Checking for fseeko... Yes.
Checking for strerror... Yes.
Checking for unistd.h... Yes.
Checking for stdarg.h... Yes.
Checking whether to use vs[n]printf() or s[n]printf()... using vs[n]printf().
Checking for vsnprintf() in stdio.h... Yes.
Checking for return value of vsnprintf()... Yes.
Checking for attribute(visibility) support... Yes.
[root@localhost zlib-1.2.8]# make
[root@localhost zlib-1.2.8]# make install
- OpenSSL源码安装
[root@localhost tmp]# tar zxf openssl-1.0.2h.tar.gz
[root@localhost tmp]# cd openssl-1.0.2h
[root@localhost openssl-1.0.2h]# ./config --prefix=/usr/local/openssl --shared
[root@localhost openssl-1.0.2h]# make depend
[root@localhost openssl-1.0.2h]# make
[root@localhost openssl-1.0.2h]# make test
[root@localhost openssl-1.0.2h]# make install
源码安装OpenSSH
安装前最好先开启telnet服务,以防升级失败,无法使用ssh登录时可以使用telnet。
# 卸载旧版本openssh,卸载可以在make之后进行。
rpm -qa | grep openssh
rpm -e --nodeps `rpm -qa | grep openssh`
# 升级新版本
# --with-ssl-dir=*** 选项,在OpenSSL不是默认安装路径的时候添加。
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/openssl --with-zlib=/usr/local/zlib --with-md5-passwords --with-pam
make
make install
# 复制配置文件
cp ssh_config /etc/ssh/
cp sshd_config /etc/ssh/
cp moduli /etc/ssh/
# 复制启动脚本到/etc/init.d
# 根据安装路径情况,可能需要修改启动脚本中sshd的路径
cp contrib/redhat/sshd.init /etc/init.d/sshd
/usr/sbin/sshd -t -f /etc/ssh/sshd_config
# 加入开机自启
chkconfig --add sshd
chkconfig sshd on
chkconfig sshd --list
# 开启root用户远程登录。
# 此步骤不是必须。建议是关闭该选项,开启会有安全隐患。
vi /etc/ssh/sshd_config
PermitRootLogin yes
# 开启SSH服务
# 千万不能restart。使用restart会造成连不上,需要登录控制台启动。
service sshd start
相关依赖包和安装包下载
已经上传到度娘。
链接: http://pan.baidu.com/s/1jIK7gJs 密码: er2c
网友评论