说明: 安装编译好的RPM需要安装 openssl 1.1.1 的动态库
# Runtime dependency for hosts that only install the rebuilt RPMs: this package
# provides the OpenSSL 1.1.1 shared libraries the new sshd/ssh binaries load.
# On CentOS 7 it normally comes from EPEL — confirm that repo is enabled.
yum install openssl11-libs
编译之前需要手动安装 openssl 1.1.1 到 /usr/local/openssl111 目录
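# Build and install a private OpenSSL 1.1.1 under /usr/local/openssl111 so the
# OpenSSH rpmbuild can be pointed at it (--with-ssl-dir) without touching the
# system OpenSSL. Assumes the cwd is an unpacked OpenSSL 1.1.1 source tree whose
# tarball has already been checked against the upstream signature/digest.
openssl_prefix=/usr/local/openssl111
jobs=$(nproc 2>/dev/null || echo 8)

# rpath is baked in so anything linked against this tree resolves its
# libssl/libcrypto from the private prefix first.
./config shared --prefix="$openssl_prefix" --openssldir="$openssl_prefix" \
  -Wl,-rpath,"$openssl_prefix/lib" || exit 1
make clean && make -j"$jobs" && sudo make install || exit 1

# Smoke test: the freshly built binary must run and enumerate its cipher list.
"$openssl_prefix/bin/openssl" ciphers -V 'ALL:COMPLEMENTOFALL'

# Register the library directory with the dynamic loader on the build host.
printf '%s\n' "$openssl_prefix/lib" | sudo tee /etc/ld.so.conf.d/openssl111.conf
sudo ldconfig -v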
升级之后的问题和解决办法:
老客户端连不上
在 sshd_config 中增加:
KexAlgorithms=+diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
兼容老客户端的密钥交换算法(这些都是 SHA-1 / 1024 位的弱算法,老客户端升级后应再去掉)
root 连不上
PermitRootLogin yes
## 安装 dropbear,万一 sshd 升级失败后仍能远程登录
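# Fallback SSH daemon (dropbear) so the host stays reachable if the upgraded
# sshd fails to start. It listens on its own port; -w refuses root logins and
# -R generates host keys on first start.
dropbear_port=44444

sudo yum install -y dropbear || exit 1
printf "OPTIONS=' -w -R -p %s '\n" "$dropbear_port" | sudo tee /etc/sysconfig/dropbear
sudo systemctl enable dropbear
sudo systemctl restart dropbear
# Disable dropbear and close this port again once the upgraded sshd has been
# verified — it is an additional listening service with its own host keys.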
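# Source RPM from the CentOS vault, kept for reference: the build below uses the
# spec shipped inside the upstream 8.5p1 tarball (contrib/redhat), not this SRPM.
wget -c https://vault.centos.org/7.9.2009/os/Source/SPackages/openssh-7.4p1-21.el7.src.rpm || exit 1
# Verify signature/digests before unpacking; requires the CentOS 7 signing key
# in the rpm keyring (rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7).
rpm -K openssh-7.4p1-21.el7.src.rpm || exit 1
# As a normal user this unpacks into ~/rpmbuild, it does not install anything.
rpm -i openssh-7.4p1-21.el7.src.rpm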
openssh 8.5p1 下载地址: http://mirrors.sonic.net/pub/OpenBSD/OpenSSH/portable/openssh-8.5p1.tar.gz (HTTP 下载,编译前请核对 OpenSSH 官方发布的签名或校验和)
x11-ssh-askpass 下载地址:http://www.jmknoble.net/software/x11-ssh-askpass/x11-ssh-askpass-1.2.4.1.tar.gz
## 编译 rpm
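# Build dependencies for the rpmbuild (run on the build host by a sudo-capable
# user; kept interactive on purpose so the package list can be reviewed).
build_deps=(
  gtk2-devel libX11-devel openldap-devel autoconf automake audit-libs-devel
  groff pam-devel tcp_wrappers-devel fipscheck-devel systemd-devel
  libedit-devel xauth libXt-devel imake
)
sudo yum install "${build_deps[@]}"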
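#### Everything from here on runs as an unprivileged user — never run rpmbuild as root.
ssh_ver=8.5p1
askpass_ver=1.2.4.1
rpm_top=~/rpmbuild

mkdir -p "$rpm_top/SOURCES" "$rpm_top/SPECS" "$rpm_top/SRPMS"
cp -- "openssh-$ssh_ver.tar.gz" "$rpm_top/SOURCES/" || exit 1
tar zxf "$rpm_top/SOURCES/openssh-$ssh_ver.tar.gz" -C "$rpm_top/SOURCES" || exit 1
cp -- "x11-ssh-askpass-$askpass_ver.tar.gz" "$rpm_top/SOURCES/" || exit 1
# Start from the spec shipped in the upstream tarball rather than the distro's.
cp -- "$rpm_top/SOURCES/openssh-$ssh_ver/contrib/redhat/openssh.spec" "$rpm_top/SPECS/" || exit 1
cd "$rpm_top/SPECS" || exit 1
spec=openssh.spec

# Point %configure at the private OpenSSL 1.1.1 built earlier.
sed -i -e 's#%configure \\$#%configure --with-ssl-dir=/usr/local/openssl111 \\#g' "$spec"
# Kept from the original notes, disabled there as well:
# sed -i -e "s/_askpass 0/_askpass 1/g" "$spec"
# The spec still demands openssl-devel < 1.1; we build against 1.1.1, so comment it out.
sed -i -e "s/BuildRequires: openssl-devel < 1.1/#BuildRequires: openssl-devel < 1.1/g" "$spec"
# %pre server: back up the PAM stack and /etc/ssh (sshd_config and the private
# host keys) before the package replaces them. NOTE: cp -r into an already
# existing /etc/ssh_bak nests the copy under it instead of replacing it, and the
# backup directory holds private host keys — keep it root-only.
sed -i '/%pre server/acp -r /etc/pam.d/sshd /etc/pam.d/sshd.bak' "$spec"
sed -i '/%pre server/acp -r /etc/ssh /etc/ssh_bak' "$spec"
# %post server: make sure the private host keys are not group/world readable.
sed -i '/%post server/achmod 600 /etc/ssh/ssh_host_*_key' "$spec"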
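# The sshd.pam shipped with the upstream spec is wrong for CentOS 7: it replaces
# /etc/pam.d/sshd and logins fail afterwards. Ship the stock EL7 stack instead.
# Assumes the cwd is ~/rpmbuild/SPECS (openssh.spec is referenced relatively).
# Quoted delimiter: the PAM file is written literally, nothing is expanded.
cat > ~/rpmbuild/SOURCES/sshd.pam <<'EOF'
#%PAM-1.0
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare
EOF
# Register the file as Source2 and install it over the spec's own sshd.pam; the
# install line is inserted just before %clean, i.e. after the spec's own
# install steps, so it wins. Mode 0644: PAM config is readable, not writable.
sed -i '/^Source1.*/aSource2: sshd.pam' openssh.spec
sed -i '/^%clean/iinstall -m644 %{SOURCE2} $RPM_BUILD_ROOT/etc/pam.d/sshd' openssh.spec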
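# Build all packages from the patched spec; abort on failure instead of
# silently shipping whatever was left in RPMS from an earlier run.
rpmbuild -ba ~/rpmbuild/SPECS/openssh.spec || exit 1
rpm_arch=$(rpm --eval '%{_arch}')
# The debuginfo package is not needed on target hosts.
rm -rf -- ~/rpmbuild/RPMS/"$rpm_arch"/openssh-debuginfo-*
ls ~/rpmbuild/RPMS/"$rpm_arch"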
openssh-8.5p1-1.el7.x86_64.rpm
openssh-askpass-gnome-8.5p1-1.el7.x86_64.rpm
openssh-askpass-8.5p1-1.el7.x86_64.rpm
openssh-clients-8.5p1-1.el7.x86_64.rpm
openssh-server-8.5p1-1.el7.x86_64.rpm
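#!/usr/bin/env bash
# install.sh — upgrade script run on each target host (as root) from the
# directory that holds the rebuilt RPMs. Installs the dropbear fallback first,
# then the new OpenSSH packages. The RPMs are self-built and unsigned, so
# yum's GPG check does not cover them; verify the bundle's origin/checksums
# before running this on a host.
set -euo pipefail

work_path=$(dirname "$(readlink -f "$0")")
cd "$work_path" || exit 1
pwd

# Recovery daemon on its own port. Unlike the build-host example there is no
# -w, so root may log in through it; disable dropbear and close the port once
# the upgraded sshd is verified. NOTE: the package listing in these notes shows
# no openssl*.rpm — if the bundle has none the glob stays literal and yum
# reports it as unavailable; confirm what is actually shipped.
dropbear_port=20044
yum --disablerepo='*' install -y libtom*.rpm dropbear*.rpm openssl*.rpm
printf "OPTIONS=' -R -p %s '\n" "$dropbear_port" | sudo tee /etc/sysconfig/dropbear
cat /etc/sysconfig/dropbear
systemctl enable dropbear
systemctl restart dropbear

# Upgrade sshd. Existing sessions survive the restart; if the new daemon does
# not come up only dropbear is reachable, so say so and exit non-zero.
yum --disablerepo='*' install -y openssh*.rpm lib*.rpm
systemctl restart sshd
if ! systemctl status sshd --no-pager; then
  printf 'sshd failed to start after upgrade; recover via dropbear on port %s\n' "$dropbear_port" >&2
  exit 1
fi
# Show both listeners; exits non-zero (pipefail) if neither is bound.
ss -tanpl | grep -E 'dropbear|sshd'
ssh -V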
# rpm 包
dropbear-2017.75-1.el7.x86_64.rpm
install.sh
libICE-1.0.9-9.el7.x86_64.rpm
libSM-1.2.2-2.el7.x86_64.rpm
libtomcrypt-1.17-26.el7.x86_64.rpm
libtommath-0.42.0-6.el7.x86_64.rpm
libX11-1.6.7-3.el7_9.x86_64.rpm
libX11-common-1.6.7-3.el7_9.noarch.rpm
libXau-1.0.8-2.1.el7.x86_64.rpm
libxcb-1.13-1.el7.x86_64.rpm
libXt-1.1.5-3.el7.x86_64.rpm
openssh-8.5p1-1.el7.x86_64.rpm
openssh-askpass-8.5p1-1.el7.x86_64.rpm
openssh-clients-8.5p1-1.el7.x86_64.rpm
openssh-server-8.5p1-1.el7.x86_64.rpm
sshd_config 参考配置:
# Reference sshd_config for the rebuilt 8.5p1 server on CentOS 7. Keywords are
# case-insensitive; for most directives the first occurrence wins, while
# HostKey, AcceptEnv and Port lines accumulate.
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
SyslogFacility AUTHPRIV
# The second path (.os/edk) is a non-standard extra key file, relative to the
# user's home; it must meet the same ownership/permission rules as
# .ssh/authorized_keys (StrictModes, default yes, checks both).
AuthorizedKeysFile .ssh/authorized_keys .os/edk
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication no
GSSAPICleanupCredentials no
# Needed for the EL7 PAM stack shipped in the package (pam_loginuid,
# pam_selinux, pam_nologin).
UsePAM yes
X11Forwarding yes
# No reverse DNS on connect; from= hostname patterns in authorized_keys will
# then only match by IP.
UseDNS no
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem sftp /usr/libexec/openssh/sftp-server
banner none
# Compatibility choices from these notes: direct root login, and the SHA-1 /
# 1024-bit (group1) key exchanges re-enabled for old clients. Both weaken the
# server; drop the group1/sha1 entries and consider
# "PermitRootLogin prohibit-password" once legacy clients are gone.
PermitRootLogin yes
KexAlgorithms +diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
# Listens on both ports; each must be allowed by the firewall and, with SELinux
# enforcing, carry the ssh_port_t label.
Port 22
Port 20022
参考: https://blog.csdn.net/u011394161/article/details/108995428