How to upgrade OpenSSL (and OpenSSH) to the latest version on CentOS

0. Notes

The whole procedure does not require removing the original openssl or openssh rpm packages, and it does not interrupt the session you are working in.

The environment in this article uses the openssh that ships with the system; an openssh that was previously compiled and installed by hand has not been tested. If you have such an installation, use this article as a reference and test for yourself whether it succeeds.

1. Original system information (before the upgrade)

1.1 System version

# cat /etc/redhat-release 
CentOS Linux release 7.7.1908 (Core)

1.2 Original openssl version

# openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017

1.3 Original openssh version

# ssh -V    
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017

2. Preparing the update environment

2.1 Update openssh with yum

yum update openssh brings openssh to the version currently in the default yum repository, 7.4p1. (The idea is to first bring every host to the same openssh 7.4p1, then compile and upgrade them all to openssh 8.0p1 in one go.)

# openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017
# ssh -V    
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017

2.2 Install telnet-server and xinetd

Because openssh is being updated over a remote session, a second way into the server is needed first, so that a broken sshd cannot lock you out. Keep in mind that telnet carries the username, the password and the whole session in cleartext: use it only on a trusted management network (or use a console/KVM if you have one), and disable and remove it again once the new sshd has been verified.

# yum install xinetd telnet-server -y
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: mirrors.tuna.tsinghua.edu.cn
 * extras: mirrors.tuna.tsinghua.edu.cn
 * nux-dextop: mirror.li.nux.ro
 * updates: mirrors.tuna.tsinghua.edu.cn

2.3 Configure telnet

On many current CentOS 7 installs, telnet-server and xinetd no longer ship a configuration file named telnet under /etc/xinetd.d: the telnet-server package is socket-activated by systemd instead (telnet.socket, started in 2.5).

If the file below does not exist, skip this part (it was not present on the machine used for this article).

# ll /etc/xinetd.d/telnet
ls: cannot access /etc/xinetd.d/telnet: No such file or directory

If the file does exist, make sure xinetd is actually allowed to start the service: the entry must read disable = no (disable = yes switches the service off). Whether root may log in over telnet is not decided here but in /etc/securetty, configured in the next step.

# cat /etc/xinetd.d/telnet
# default: on
# description: The telnet server serves telnet sessions; it uses \
#   unencrypted username/password pairs for authentication.
service telnet
{
    disable = yes
    flags       = REUSE
    socket_type = stream       
    wait        = no
    user        = root
    server      = /usr/sbin/in.telnetd
    log_on_failure  += USERID
}

[root@rhel yum.repos.d]# vim /etc/xinetd.d/telnet
[root@rhel yum.repos.d]# cat /etc/xinetd.d/telnet
# default: on
# description: The telnet server serves telnet sessions; it uses \
#   unencrypted username/password pairs for authentication.
service telnet
{
    disable = no
    flags       = REUSE
    socket_type = stream       
    wait        = no
    user        = root
    server      = /usr/sbin/in.telnetd
    log_on_failure  += USERID
}

2.4 Configure the terminal types allowed for telnet logins

Root logins are only accepted on terminals listed in /etc/securetty. Telnet sessions get pseudo-terminals, so append a few pts entries to the end of the file, as below. This is only needed if you intend to log in as root over telnet; remove the entries again once the upgrade is done.

pts/0
pts/1
pts/2
pts/3

2.5 Start the telnet service and enable it at boot

# systemctl start telnet.socket
# systemctl enable telnet.socket
Created symlink from /etc/systemd/system/sockets.target.wants/telnet.socket to /usr/lib/systemd/system/telnet.socket.

# systemctl restart telnet.socket
# systemctl status  telnet.socket
● telnet.socket - Telnet Server Activation Socket
   Loaded: loaded (/usr/lib/systemd/system/telnet.socket; disabled; vendor preset: disabled)
   Active: active (listening) since Thu 2019-09-19 19:33:58 CST; 14s ago
     Docs: man:telnetd(8)
   Listen: [::]:23 (Stream)
 Accepted: 0; Connected: 0

Sep 19 19:33:58 sz-lab-centos7-gitlab-nginx-proxy-192.168.178.46 systemd[1]: Closed Telnet Server Activation Socket.
Sep 19 19:33:58 sz-lab-centos7-gitlab-nginx-proxy-192.168.178.46 systemd[1]: Stopping Telnet Server Activation Socket.
Sep 19 19:33:58 sz-lab-centos7-gitlab-nginx-proxy-192.168.178.46 systemd[1]: Listening on Telnet Server Activation Socket.

2.6 Check the listening port and confirm telnet is working

Because the service is socket-activated, the listener on port 23 is held by systemd (PID 1) and in.telnetd only appears once a connection arrives. The bare pattern 23 also matches unrelated ports and PIDs (9236, 2334, 29723 below); the line to look for is the one listening on :::23.

# netstat -lntp|grep 23
tcp        0      0 127.0.0.1:9236          0.0.0.0:*               LISTEN      4858/gitaly
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      2334/dnsmasq
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      29723/cupsd
tcp6       0      0 :::23                   :::*                    LISTEN      1/systemd
tcp6       0      0 ::1:631                 :::*                    LISTEN      29723/cupsd

2.7 Add a firewall rule

# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s31f6
  sources:
  services: dhcpv6-client ftp ssh zabbix-agent
  ports: 
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:


# firewall-cmd --add-service=telnet --permanent
success
# firewall-cmd --reload
success
# firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: enp0s31f6
  sources:
  services: dhcpv6-client ftp ssh telnet zabbix-agent
  ports: 
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:

2.8 Connect to the target server over telnet

# telnet 192.168.1.2
# enter the username and password
# press Enter to log in

Do the remaining steps from this telnet session (or from a console), so that the ssh session being replaced is not the only one you have.

2.9 Install dependencies

libselinux-devel is added to the list because the configure flags used in 4.2.3 include --with-selinux, which aborts without it.

# yum install -y gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel pam-devel libselinux-devel
Loading mirror speeds from cached hostfile
 * base: mirrors.tuna.tsinghua.edu.cn
 * extras: mirrors.tuna.tsinghua.edu.cn
 * nux-dextop: mirror.li.nux.ro
 * updates: mirrors.tuna.tsinghua.edu.cn

2.10 Install pam, zlib and related packages

The globs are quoted so the shell does not expand them against files in the current directory; yum matches them against package names itself.

# yum install -y 'pam*' 'zlib*'
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: mirrors.tuna.tsinghua.edu.cn
 * extras: mirrors.tuna.tsinghua.edu.cn
 * nux-dextop: mirror.li.nux.ro
 * updates: mirrors.tuna.tsinghua.edu.cn

3. Download the required files

Pick a directory of your choice to hold the files downloaded below. Verify every tarball before unpacking it: openssl.org publishes a .sha256 digest and a PGP .asc signature next to each release, and the OpenSSH mirrors publish a .asc signature. A digest fetched from the same mirror as the tarball only catches a corrupted download; the signature check (gpg --verify against the project's release key, obtained out of band) is what catches a tampered mirror.

3.1 Download the latest openssh

https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/
https://mirrors.aliyun.com/pub/OpenBSD/OpenSSH/portable/

3.2 Download the latest openssl

Index of /source (the OpenSSL source download page)

# ls
openssh-8.0p1.tar.gz  openssl-1.1.1d.tar.gz
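The digest check described above, as an added example that is not part of the original post: a POSIX sh helper that compares a tarball against its .sha256 sidecar and refuses to proceed on mismatch. The demo function builds a throw-away file so it runs offline; the release file names in the comments are placeholders, and the gpg signature check is deliberately not automated here because it needs the release key.

```sh
#!/bin/sh
# Added example, not from the original post: verify a release tarball against
# its .sha256 sidecar before unpacking it. Real use:
#   verify_sidecar openssl-1.1.1d.tar.gz   # needs openssl-1.1.1d.tar.gz.sha256 beside it
# The signature check (gpg --verify openssh-8.0p1.tar.gz.asc) is done separately.

# verify_sha256 TARBALL EXPECTED_HEX -> 0 if the SHA-256 digest matches, 1 otherwise
verify_sha256() {
    tarball=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -f "$tarball" ] || { echo "missing: $tarball" >&2; return 1; }
    actual=$(sha256sum "$tarball" | awk '{print $1}')
    if [ "$actual" = "$expected" ]; then
        echo "OK   $tarball"
        return 0
    fi
    echo "FAIL $tarball: expected $expected, got $actual" >&2
    return 1
}

# verify_sidecar TARBALL -> reads the digest from TARBALL.sha256. The openssl.org
# sidecar holds the bare hex digest; the sha256sum "<hex>  <name>" layout is
# accepted too, since only the first field is used.
verify_sidecar() {
    tarball=$1
    sidecar="$tarball.sha256"
    [ -f "$sidecar" ] || { echo "missing: $sidecar" >&2; return 1; }
    expected=$(awk 'NR == 1 { print $1 }' "$sidecar")
    [ -n "$expected" ] || { echo "empty: $sidecar" >&2; return 1; }
    verify_sha256 "$tarball" "$expected"
}

# demo_verify -> 0 if a good tarball passes and a tampered one fails.
# Uses a constructed file, so it runs without network access.
demo_verify() {
    dir=$(mktemp -d) || return 1
    printf 'not a real archive\n' > "$dir/demo.tar.gz"
    sha256sum "$dir/demo.tar.gz" | awk '{print $1}' > "$dir/demo.tar.gz.sha256"
    good=1; bad=1
    if verify_sidecar "$dir/demo.tar.gz"; then good=0; fi
    printf 'x' >> "$dir/demo.tar.gz"                  # simulate a tampered download
    if ! verify_sidecar "$dir/demo.tar.gz" 2>/dev/null; then bad=0; fi
    rm -rf "$dir"
    [ "$good" -eq 0 ] && [ "$bad" -eq 0 ]
}
```

Wire it in as verify_sidecar openssl-1.1.1d.tar.gz && tar xfz openssl-1.1.1d.tar.gz so that a failed check never reaches the build step.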

4. Installation

4.1 Install openssl

4.1.1 Unpack

# tar xfz openssh-8.0p1.tar.gz
# ls
openssh-8.0p1  openssh-8.0p1.tar.gz  openssl-1.1.1d.tar.gz
# tar xfz openssl-1.1.1d.tar.gz
# ls
openssh-8.0p1  openssh-8.0p1.tar.gz  openssl-1.1.1d  openssl-1.1.1d.tar.gz
#

4.1.2 Back up the original files

These paths are still owned by the openssl and openssl-devel rpms. Moving them aside and replacing them with symlinks (4.1.5) works, but a later yum update of those packages will put the 1.0.2 files back, so re-check openssl version after package updates. The rpm-provided libcrypto.so.10 and libssl.so.10 in /usr/lib64 are left untouched; yum, curl and the other system binaries keep using them.

# ll /usr/bin/openssl
-rwxr-xr-x 1 root root 555288 Aug  9 09:38 /usr/bin/openssl
# mv /usr/bin/openssl /usr/bin/openssl_bak
# mv /usr/include/openssl /usr/include/openssl_bak
# ll /usr/include/openssl_bak/
total 1864
-rw-r--r-- 1 root root   6146 Aug  9 09:38 aes.h
-rw-r--r-- 1 root root  63204 Aug  9 09:38 asn1.h
-rw-r--r-- 1 root root  24435 Aug  9 09:38 asn1_mac.h
-rw-r--r-- 1 root root  34475 Aug  9 09:38 asn1t.h
-rw-r--r-- 1 root root  38742 Aug  9 09:38 bio.h
...

4.1.3 Compile and install

Insert make test between make and make install if you want to run the OpenSSL regression suite before installing.

# cd openssl-1.1.1d/
# ./config shared && make && make install

4.1.4 Follow-up configuration

Look at the directory layout of the compiled openssl; by default it installs under /usr/local

# ls /usr/local/
bin/          etc/          games/        include/      lib/          lib64/        libexec/      sbin/         ServerStatus/ share/        src/          ssl/

# tree -L 2
.
├── bin
│   ├── c_rehash
│   └── openssl
├── include
│   └── openssl
│       ├── aes.h
│       ├── asn1err.h
│       ....
├── lib64
│   ├── engines-1.1
│   ├── libcrypto.a
│   ├── libcrypto.so -> libcrypto.so.1.1
│   ├── libcrypto.so.1.1
│   ├── libssl.a
│   ├── libssl.so -> libssl.so.1.1
│   ├── libssl.so.1.1
│   └── pkgconfig
└── ssl
    ├── certs
    ├── ct_log_list.cnf
    ├── ct_log_list.cnf.dist
    ├── misc
    ├── openssl.cnf
    ├── openssl.cnf.dist
    └── private

4.1.5 Symlink the openssl paths

# ln -s /usr/local/bin/openssl /usr/bin/openssl
# ln -s /usr/local/include/openssl/ /usr/include/openssl
# ll /usr/bin/openssl
lrwxrwxrwx 1 root root 22 Sep 19 20:14 /usr/bin/openssl -> /usr/local/bin/openssl
#  ll /usr/include/openssl -ld
lrwxrwxrwx 1 root root 27 Sep 19 20:14 /usr/include/openssl -> /usr/local/include/openssl/

4.1.6 Load the new library path

# echo "/usr/local/lib64" >> /etc/ld.so.conf
# /sbin/ldconfig

4.1.7 Check the version. Looks good.

# openssl version
OpenSSL 1.1.1d  10 Sep 2019

4.2 Install openssh

4.2.1 Unpack and set ownership

# tar xfz openssh-8.0p1.tar.gz
# cd openssh-8.0p1
# The files in the tarball may show uid and gid 1000; reset the ownership here (adjust the path to wherever you unpacked). It probably also installs fine without this step (test for yourself).
# chown -R root:root /data/tools/openssh-8.0p1

4.2.2 Back up the original ssh configuration files and directory

# mv /etc/ssh/* your_backup_dir

Emptying the directory means make install will generate a fresh sshd_config and, more importantly, a brand-new set of host keys (see the listing in 4.3.1). Every client that has the old key in known_hosts will then get a "REMOTE HOST IDENTIFICATION HAS CHANGED" warning, and users who learn to click through that warning are exactly what a man-in-the-middle attacker needs. Copy the ssh_host_*_key and ssh_host_*_key.pub files back from the backup after make install and before starting the new sshd, and compare the old sshd_config against the new one rather than restoring it blindly: some options accepted by 7.4 are deprecated or removed in 8.0.
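As an added example (not from the original post), a POSIX sh helper that takes the backup as a copy and puts the original host keys back after make install, so the server keeps its identity. Directory paths are parameters so it can be exercised on a scratch tree; on a real host run b=$(backup_ssh_dir /etc/ssh /root) before the build and restore_host_keys "$b" /etc/ssh afterwards. The backup directory name and the file modes applied are this example's choices.

```sh
#!/bin/sh
# Added example, not from the original post. Takes a copy (not a move) of the
# ssh directory before the build, and after `make install` puts the original
# host keys back so clients do not see a host-key-changed warning.
# Real use:  b=$(backup_ssh_dir /etc/ssh /root)    # before make install
#            restore_host_keys "$b" /etc/ssh      # after make install, before starting sshd

# backup_ssh_dir SSH_DIR BACKUP_ROOT -> prints the path of the new backup dir
backup_ssh_dir() {
    src=$1
    dest="$2/ssh-$(date +%Y%m%d-%H%M%S)"
    [ -d "$src" ] || { echo "no such directory: $src" >&2; return 1; }
    mkdir -p "$dest" || return 1
    chmod 700 "$dest"                      # private host keys end up in here
    cp -a "$src/." "$dest/" || return 1    # copy: the running sshd is untouched
    printf '%s\n' "$dest"
}

# restore_host_keys BACKUP_DIR SSH_DIR -> copies every ssh_host_*_key (and its
# .pub) back, overwriting the keys make install generated, and fixes the modes.
# Fails if the backup holds no host keys at all.
restore_host_keys() {
    backup=$1
    ssh_dir=$2
    n=0
    for key in "$backup"/ssh_host_*_key; do
        [ -f "$key" ] || continue
        name=$(basename "$key")
        cp -a "$key" "$ssh_dir/$name" || return 1
        chmod 600 "$ssh_dir/$name"
        if [ -f "$key.pub" ]; then
            cp -a "$key.pub" "$ssh_dir/$name.pub" || return 1
            chmod 644 "$ssh_dir/$name.pub"
        fi
        n=$((n + 1))
    done
    [ "$n" -gt 0 ]
}

# host_keys_identical DIR_A DIR_B -> 0 if every private host key in A is
# byte-for-byte identical to the file of the same name in B
host_keys_identical() {
    for key in "$1"/ssh_host_*_key; do
        [ -f "$key" ] || continue
        cmp -s "$key" "$2/$(basename "$key")" || return 1
    done
    return 0
}
```

After restoring, ssh-keygen -lf /etc/ssh/ssh_host_ed25519_key.pub should print the same fingerprint your clients already trust; if it does not, the restore did not take.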

4.2.3 Configure, compile, install

  1. List the configure options and pick what you need
# ./configure -h
`configure' configures OpenSSH Portable to adapt to many kinds of systems.

Usage: ./configure [OPTION]... [VAR=VALUE]...

To assign environment variables (e.g., CC, CFLAGS...), specify them as
VAR=VALUE.  See below for descriptions of some of the useful variables.

Defaults for the options are specified in brackets.

Configuration:
  -h, --help              display this help and exit
      --help=short        display options specific to this package
      --help=recursive    display the short help of all the included packages
  -V, --version           display version information and exit
  -q, --quiet, --silent   do not print `checking ...' messages
      --cache-file=FILE   cache test results in FILE [disabled]
  -C, --config-cache      alias for `--cache-file=config.cache'
  -n, --no-create         do not create output files
      --srcdir=DIR        find the sources in DIR [configure dir or `..']

Installation directories:
  --prefix=PREFIX         install architecture-independent files in PREFIX
                          [/usr/local]
  --exec-prefix=EPREFIX   install architecture-dependent files in EPREFIX
                          [PREFIX]

By default, `make install' will install all the files in
`/usr/local/bin', `/usr/local/lib' etc.  You can specify
an installation prefix other than `/usr/local' using `--prefix',
for instance `--prefix=$HOME'.

For better control, use the options below.

Fine tuning of the installation directories:
  --bindir=DIR            user executables [EPREFIX/bin]
  --sbindir=DIR           system admin executables [EPREFIX/sbin]
  --libexecdir=DIR        program executables [EPREFIX/libexec]
  --sysconfdir=DIR        read-only single-machine data [PREFIX/etc]
  --sharedstatedir=DIR    modifiable architecture-independent data [PREFIX/com]
  --localstatedir=DIR     modifiable single-machine data [PREFIX/var]
  --libdir=DIR            object code libraries [EPREFIX/lib]
  --includedir=DIR        C header files [PREFIX/include]
  --oldincludedir=DIR     C header files for non-gcc [/usr/include]
  --datarootdir=DIR       read-only arch.-independent data root [PREFIX/share]
  --datadir=DIR           read-only architecture-independent data [DATAROOTDIR]
  --infodir=DIR           info documentation [DATAROOTDIR/info]
  --localedir=DIR         locale-dependent data [DATAROOTDIR/locale]
  --mandir=DIR            man documentation [DATAROOTDIR/man]
  --docdir=DIR            documentation root [DATAROOTDIR/doc/openssh]
  --htmldir=DIR           html documentation [DOCDIR]
  --dvidir=DIR            dvi documentation [DOCDIR]
  --pdfdir=DIR            pdf documentation [DOCDIR]
  --psdir=DIR             ps documentation [DOCDIR]

System types:
  --build=BUILD     configure for building on BUILD [guessed]
  --host=HOST       cross-compile to build programs to run on HOST [BUILD]

Optional Features:
  --disable-option-checking  ignore unrecognized --enable/--with options
  --disable-FEATURE       do not include FEATURE (same as --enable-FEATURE=no)
  --enable-FEATURE[=ARG]  include FEATURE [ARG=yes]
  --disable-largefile     omit support for large files
  --disable-pkcs11        disable PKCS#11 support code [no]
  --disable-strip         Disable calling strip(1) on install
  --disable-etc-default-login Disable using PATH from /etc/default/login no
  --disable-lastlog       disable use of lastlog even if detected no
  --disable-utmp          disable use of utmp even if detected no
  --disable-utmpx         disable use of utmpx even if detected no
  --disable-wtmp          disable use of wtmp even if detected no
  --disable-wtmpx         disable use of wtmpx even if detected no
  --disable-libutil       disable use of libutil (login() etc.) no
  --disable-pututline     disable use of pututline() etc. (uwtmp) no
  --disable-pututxline    disable use of pututxline() etc. (uwtmpx) no

Optional Packages:
  --with-PACKAGE[=ARG]    use PACKAGE [ARG=yes]
  --without-PACKAGE       do not use PACKAGE (same as --with-PACKAGE=no)
  --without-openssl       Disable use of OpenSSL; use only limited internal crypto **EXPERIMENTAL**
  --without-stackprotect  Don't use compiler's stack protection
  --without-hardening     Don't use toolchain hardening flags
  --without-rpath         Disable auto-added -R linker paths
  --with-cflags           Specify additional flags to pass to compiler
  --with-cflags-after     Specify additional flags to pass to compiler after configure
  --with-cppflags         Specify additional flags to pass to preprocessor
  --with-ldflags          Specify additional flags to pass to linker
  --with-ldflags-after    Specify additional flags to pass to linker after configure
  --with-libs             Specify additional libraries to link with
  --with-Werror           Build main code with -Werror
  --with-solaris-contracts Enable Solaris process contracts (experimental)
  --with-solaris-projects Enable Solaris projects (experimental)
  --with-solaris-privs    Enable Solaris/Illumos privileges (experimental)
  --with-osfsia           Enable Digital Unix SIA
  --with-zlib=PATH        Use zlib in PATH
  --without-zlib-version-check Disable zlib version check
  --with-ldns[=PATH]      Use ldns for DNSSEC support (optionally in PATH)
  --with-libedit[=PATH]   Enable libedit support for sftp
  --with-audit=module     Enable audit support (modules=debug,bsm,linux)
  --with-pie              Build Position Independent Executables if possible
  --with-ssl-dir=PATH     Specify path to OpenSSL installation
  --without-openssl-header-check Disable OpenSSL version consistency check
  --with-ssl-engine       Enable OpenSSL (hardware) ENGINE support
  --with-prngd-port=PORT  read entropy from PRNGD/EGD TCP localhost:PORT
  --with-prngd-socket=FILE read entropy from PRNGD/EGD socket FILE (default=/var/run/egd-pool)
  --with-pam              Enable PAM support
  --with-pam-service=name Specify PAM service name
  --with-privsep-user=user Specify non-privileged user for privilege separation
  --with-sandbox=style    Specify privilege separation sandbox (no, capsicum, darwin, rlimit, seccomp_filter, systrace, pledge)
  --with-selinux          Enable SELinux support
  --with-kerberos5=PATH   Enable Kerberos 5 support
  --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)
  --with-xauth=PATH       Specify path to xauth program
  --with-maildir=/path/to/mail    Specify your system mail directory
  --with-mantype=man|cat|doc  Set man page type
  --with-md5-passwords    Enable use of MD5 passwords
  --without-shadow        Disable shadow password support
  --with-ipaddr-display   Use ip address instead of hostname in $DISPLAY
  --with-default-path=    Specify default $PATH environment for server
  --with-superuser-path=  Specify different path for super-user
  --with-4in6             Check for and convert IPv4 in IPv6 mapped addresses
  --with-bsd-auth         Enable BSD auth support
  --with-pid-dir=PATH     Specify location of sshd.pid file
  --with-lastlog=FILE|DIR specify lastlog location common locations

Some influential environment variables:
  CC          C compiler command
  CFLAGS      C compiler flags
  LDFLAGS     linker flags, e.g. -L<lib dir> if you have libraries in a
              nonstandard directory <lib dir>
  LIBS        libraries to pass to the linker, e.g. -l<library>
  CPPFLAGS    (Objective) C/C++ preprocessor flags, e.g. -I<include dir> if
              you have headers in a nonstandard directory <include dir>
  CPP         C preprocessor

Use these variables to override the choices made by `configure' or to help
it to find libraries and programs with nonstandard names/locations.

Report bugs to <openssh-unix-dev@mindrot.org>.

2. configure arguments

# ./configure --prefix=/usr/ --sysconfdir=/etc/ssh  --with-ssl-dir=/usr/local/lib64 --with-zlib   --with-md5-passwords   --with-pam --with-ssl-engine --with-selinux --with-ipaddr-display

A few notes on these flags. --with-ssl-dir expects the OpenSSL installation prefix, i.e. /usr/local (which holds include/ and lib64/); /usr/local/lib64 only works here because the headers were symlinked into /usr/include/openssl in 4.1.5 and the library directory was added to ld.so.conf in 4.1.6. --with-selinux needs libselinux-devel (installed in 2.9) or configure aborts. --prefix=/usr/ installs the new sshd, ssh, scp and friends over the rpm's files in /usr/sbin and /usr/bin, which is why the rpm does not need to be removed.

3. Install

# make && make install

4.3 Configuration and verification (last step)

4.3.1 Inspect the configuration files

# ls /etc/ssh/
moduli  ssh_config  sshd_config  ssh_host_dsa_key  ssh_host_dsa_key.pub  ssh_host_ecdsa_key  ssh_host_ecdsa_key.pub  ssh_host_ed25519_key  ssh_host_ed25519_key.pub  ssh_host_rsa_key  ssh_host_rsa_key.pub

4.3.2 Edit the sshd configuration file

The file now in place is the 8.0p1 default, not the one from the rpm. At a minimum set UsePAM yes (the server was built --with-pam, but portable OpenSSH defaults UsePAM to no) and decide on PermitRootLogin; then run sshd -t to syntax-check the result before restarting.

# vim /etc/ssh/sshd_config
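As an added example (not from the original post), a POSIX sh helper that sets sshd_config directives idempotently, so the same edit can be replayed on every host instead of done by hand in vim, followed by sshd's own syntax check. The values in harden_sshd_config are this example's choices, not settings from the post: UsePAM yes is required by the --with-pam build, the rest is ordinary hardening; PasswordAuthentication is left alone on purpose because this procedure still logs in with a password. The helper treats the file as flat, so do not run it on a config that already contains Match blocks.

```sh
#!/bin/sh
# Added example, not from the original post: repeatable sshd_config edits.

# set_directive FILE KEY VALUE: replaces any existing "KEY ..." line (even a
# commented-out "#KEY ..." one) with "KEY VALUE", drops duplicates, or appends
# the directive if it is absent. Keys are case-insensitive in sshd_config.
set_directive() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp) || return 1
    awk -v key="$key" -v value="$value" '
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)            # look through a leading "#"
            n = split(line, f, /[ \t=]+/)
            if (n > 0 && tolower(f[1]) == tolower(key)) {
                if (!done) { print key, value; done = 1 } # first hit: replace
                next                                       # later hits: drop
            }
            print
        }
        END { if (!done) print key, value }               # absent: append
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps owner/mode of FILE
    rc=$?
    rm -f "$tmp"
    return $rc
}

# get_directive FILE KEY -> prints the value of the first active (uncommented) KEY
get_directive() {
    awk -v key="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# harden_sshd_config FILE: the settings this example applies (assumed values).
# UsePAM yes is needed because sshd was configured --with-pam and the portable
# default is no; the others are conservative defaults for a server.
harden_sshd_config() {
    f=$1
    set_directive "$f" UsePAM yes &&
    set_directive "$f" PermitRootLogin prohibit-password &&
    set_directive "$f" PubkeyAuthentication yes &&
    set_directive "$f" X11Forwarding no &&
    set_directive "$f" MaxAuthTries 4
}

# test_sshd_config FILE -> sshd's own syntax check, skipped where sshd is absent
test_sshd_config() {
    command -v sshd >/dev/null 2>&1 || { echo "sshd not on PATH, skipping -t" >&2; return 0; }
    sshd -t -f "$1"
}
```

Typical use: harden_sshd_config /etc/ssh/sshd_config && test_sshd_config /etc/ssh/sshd_config, and only restart sshd if both succeed.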

4.3.3 Set up the start-up files

Copy a few files from the unpacked source tree into place (overwrite if the target exists). Mind the PAM path: sshd asks PAM for the service named sshd, i.e. /etc/pam.d/sshd, which the still-installed rpm already provides; a file called /etc/pam.d/sshd.pam is never consulted. Only copy the contrib file there if /etc/pam.d/sshd is missing.

# cp -a contrib/redhat/sshd.init /etc/init.d/sshd
# [ -f /etc/pam.d/sshd ] || cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd
# chmod +x /etc/init.d/sshd

Move the sshd.service unit that systemd was using out of the way before registering the init script: while a native unit of that name exists, systemd ignores /etc/init.d/sshd and restarting sshd would not go through the new init script.

# mv  /usr/lib/systemd/system/sshd.service your_backup_dir

# chkconfig --add sshd
# systemctl enable sshd

4.3.4 Enable start at boot

# chkconfig sshd on
Note: Forwarding request to 'systemctl enable sshd.socket'.
Created symlink from /etc/systemd/system/sockets.target.wants/sshd.socket to /usr/lib/systemd/system/sshd.socket.

Note what chkconfig did here: it enabled the rpm's sshd.socket (socket activation on port 22 through sshd@.service), not the unit generated from the init script. Two things claiming port 22 at boot is not what you want, so run systemctl disable sshd.socket and then systemctl is-enabled sshd to confirm that the SysV-generated sshd.service is what comes up after the reboot in 4.6.

4.3.5 Next, test stopping and starting the service

# /etc/init.d/sshd restart
Restarting sshd (via systemctl):                           [  OK  ]

# netstat -lntp | grep 22
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      26069/sshd
tcp6       0      0 :::22                   :::*                    LISTEN      26069/sshd

# /etc/init.d/sshd stop
Stopping sshd (via systemctl):                             [  OK  ]
# netstat -lntp | grep 22

# /etc/init.d/sshd start
Starting sshd (via systemctl):                             [  OK  ]
# systemctl status sshd
● sshd.service - SYSV: OpenSSH server daemon
   Loaded: loaded (/etc/rc.d/init.d/sshd; bad; vendor preset: enabled)
   Active: active (running) since Thu 2019-09-19 20:39:57 CST; 11s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 26229 ExecStop=/etc/rc.d/init.d/sshd stop (code=exited, status=0/SUCCESS)
  Process: 26310 ExecStart=/etc/rc.d/init.d/sshd start (code=exited, status=0/SUCCESS)
 Main PID: 26320 (sshd)
    Tasks: 1
   Memory: 608.0K
   CGroup: /system.slice/sshd.service
           └─26320 /usr/sbin/sshd

Sep 19 20:39:57 sz-lab-centos7-gitlab-nginx-proxy-192.168.178.46 systemd[1]: Starting SYSV: OpenSSH server daemon...
Sep 19 20:39:57 sz-lab-centos7-gitlab-nginx-proxy-192.168.178.46 sshd[26320]: Server listening on 0.0.0.0 port 22.
Sep 19 20:39:57 sz-lab-centos7-gitlab-nginx-proxy-192.168.178.46 sshd[26320]: Server listening on :: port 22.
Sep 19 20:39:57 sz-lab-centos7-gitlab-nginx-proxy-192.168.178.46 sshd[26310]: Starting sshd:[  OK  ]
Sep 19 20:39:57 sz-lab-centos7-gitlab-nginx-proxy-192.168.178.46 systemd[1]: Started SYSV: OpenSSH server daemon.

4.4 Verify the version

# ssh -V
OpenSSH_8.0p1, OpenSSL 1.1.1d  10 Sep 2019
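ssh -V reports the OpenSSL the client was compiled against; what matters at runtime is which library the dynamic linker actually resolves. As an added example (not from the original post), a check that the new binaries resolve libssl and libcrypto to the 1.1 build in /usr/local/lib64 rather than to the rpm's libssl.so.10. It parses ldd output, so the test feeds it constructed ldd lines; on the real host run check_binary /usr/sbin/sshd /usr/local/lib64 (and the same for /usr/bin/ssh).

```sh
#!/bin/sh
# Added example, not from the original post: confirm the OpenSSL the new
# OpenSSH binaries really link against.
# Real use:  check_binary /usr/sbin/sshd /usr/local/lib64

# ssl_libs_from_ldd (ldd output on stdin) -> prints "soname path" for libssl
# and libcrypto; exits 1 if neither appears at all.
ssl_libs_from_ldd() {
    awk '
        $1 ~ /^lib(ssl|crypto)\.so/ && $2 == "=>" && $3 != "" { print $1, $3; found = 1 }
        END { if (found) exit 0; exit 1 }
    '
}

# expect_openssl_11 LIBDIR (ldd output on stdin) -> 0 only when both libssl and
# libcrypto resolve to the .so.1.1 sonames located under LIBDIR; anything else
# (libssl.so.10 from the rpm, "not found", a stray copy elsewhere) is reported.
expect_openssl_11() {
    ssl_libs_from_ldd | awk -v dir="$1" '
        {
            good = ($1 ~ /\.so\.1\.1$/) && (index($2, dir "/") == 1)
            ok[$1] = good
            if (!good) printf("unexpected: %s -> %s\n", $1, $2) > "/dev/stderr"
        }
        END { if (ok["libssl.so.1.1"] && ok["libcrypto.so.1.1"]) exit 0; exit 1 }
    '
}

# check_binary BIN LIBDIR -> runs ldd on BIN and applies expect_openssl_11
check_binary() {
    [ -x "$1" ] || { echo "not executable: $1" >&2; return 1; }
    ldd "$1" | expect_openssl_11 "$2"
}
```

The configure run in 4.2.3 left --with-rpath at its default, so the 1.1 libraries are found through an embedded rpath as well as through ld.so.conf; if this check ever reports libssl.so.10, the build picked up the rpm's headers and libraries and must be redone.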

4.5 SSH connection test

Open a new session and keep the telnet session open until this works. If the host keys were restored from the backup (4.2.2), the client must connect without a host-key warning; a warning here means the keys were regenerated.

# ssh you_username@your_server_ip

4.6 Reboot test

# sync
# reboot

After the reboot, confirm that sshd came up (systemctl status sshd) and that nothing else holds port 22. Then undo the temporary fallback: stop and disable telnet.socket, remove telnet-server and xinetd, drop the telnet firewall rule (firewall-cmd --remove-service=telnet --permanent, then reload) and remove the pts entries added to /etc/securetty.