The upgrade requires stopping the firewall service and disabling SELinux;
the shared-library cache must be refreshed during the upgrade with ldconfig -v;
upgrade order: zlib -> libressl -> openssh;
the upgrade depends on the gcc, make, perl, zlib, zlib-devel, pam and pam-devel packages.
I. Preparing the installation packages:
Software | Version | Download URL |
---|---|---|
openssh | 9.0p1 | https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.0p1.tar.gz |
zlib | 1.2.12 | https://zlib.net/zlib-1.2.12.tar.gz |
libressl | 3.5.3 | https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.5.3.tar.gz |
II. Pre-upgrade environment preparation
1. Upload the three files downloaded above to the server; any convenient directory will do.
zlib-1.2.12.tar.gz
libressl-3.5.3.tar.gz
openssh-9.0p1.tar.gz
2. Stop the system firewall
systemctl stop firewalld.service
3. Disable SELinux
Check whether it is already disabled:
getenforce
If it is not disabled, disable it:
setenforce 0
The command above only disables SELinux temporarily and does not survive a reboot. Edit the configuration file below to make the change permanent.
vi /etc/selinux/config
Change:
SELINUX=disabled
Save and exit.
4. Install the required dependency packages
yum install -y wget gcc libselinux-devel openssl-devel make perl zlib zlib-devel pam pam-devel
After installation, run the command below to confirm that all dependency packages are present
rpm -qa | egrep "gcc|make|perl|zlib|zlib-devel|pam|pam-devel"
III. Upgrade procedure
1. Stop the ssh service and back up the ssh configuration files
systemctl stop sshd
cp -r /etc/ssh /etc/ssh.old
Back up the sshd.service file
cat /usr/lib/systemd/system/sshd.service
[Unit]
Description=OpenSSH server daemon
Documentation=man:sshd(8) man:sshd_config(5)
After=network.target sshd-keygen.target
Wants=sshd-keygen.target
[Service]
Type=notify
EnvironmentFile=-/etc/crypto-policies/back-ends/opensshserver.config
EnvironmentFile=-/etc/sysconfig/sshd
ExecStart=/usr/sbin/sshd -D $OPTIONS $CRYPTO_POLICY
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartSec=42s
[Install]
WantedBy=multi-user.target
Back up the opensshserver.config configuration file
cat /etc/crypto-policies/back-ends/opensshserver.config
CRYPTO_POLICY='-oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc -oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 -oGSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa'
Back up the sshd configuration file
cat /etc/sysconfig/sshd
# Configuration file for the sshd service.
# The server keys are automatically generated if they are missing.
# To change the automatic creation, adjust sshd.service options for
# example using systemctl enable sshd-keygen@dsa.service to allow creation
# of DSA key or systemctl mask sshd-keygen@rsa.service to disable RSA key
# creation.
# Do not change this option unless you have hardware random
# generator and you REALLY know what you are doing
SSH_USE_STRONG_RNG=0
# SSH_USE_STRONG_RNG=1
# System-wide crypto policy:
# To opt-out, uncomment the following line
# CRYPTO_POLICY=
Do not disconnect the current session at this point: once the old packages are removed there is no sshd to accept a new login until the new build is installed and started.
2. Check the openssh packages currently installed on the system
rpm -qa | grep openssh
openssh-8.0p1-5.an8.x86_64
openssh-server-8.0p1-5.an8.x86_64
openssh-clients-8.0p1-5.an8.x86_64
Based on the output above, remove the system's existing OpenSSH packages (normally three; remove all of them)
rpm -e --nodeps xxxxxxxxxx
rpm -e --nodeps openssh-8.0p1-5.an8.x86_64
rpm -e --nodeps openssh-server-8.0p1-5.an8.x86_64
rpm -e --nodeps openssh-clients-8.0p1-5.an8.x86_64
After removal, run rpm -qa | grep openssh again and make sure it prints nothing
rpm -qa | grep openssh
After openssh-8.0p1 has been removed, check the sshd.service file: it has been deleted along with the package.
systemctl status sshd
Unit sshd.service could not be found.
[root@anolis8 ~]# ll /usr/lib/systemd/system/sshd.service
ls: 无法访问'/usr/lib/systemd/system/sshd.service': 没有那个文件或目录
[root@anolis8 ~]# ll /etc/sysconfig/sshd
ls: 无法访问'/etc/sysconfig/sshd': 没有那个文件或目录
[root@anolis8 ~]# ll /etc/crypto-policies/back-ends/opensshserver.config
lrwxrwxrwx. 1 root root 52 9月 26 17:54 /etc/crypto-policies/back-ends/opensshserver.config -> /usr/share/crypto-policies/DEFAULT/opensshserver.txt
[root@anolis8 ~]# ll /usr/share/crypto-policies/DEFAULT/opensshserver.txt
-rw-r--r--. 2 root root 1663 6月 24 2021 /usr/share/crypto-policies/DEFAULT/opensshserver.txt
[root@anolis8 ~]# cat /usr/share/crypto-policies/DEFAULT/opensshserver.txt
CRYPTO_POLICY='-oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128-cbc -oMACs=hmac-sha2-256-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha1,umac-128@openssh.com,hmac-sha2-512 -oGSSAPIKexAlgorithms=gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-,gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms=curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1 -oHostKeyAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oPubkeyAcceptedKeyTypes=ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com -oCASignatureAlgorithms=ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,rsa-sha2-256,rsa-sha2-512,ssh-rsa'
3. Build and install zlib
tar xzvf zlib-1.2.12.tar.gz
cd zlib-1.2.12/
./configure --prefix=/usr/local/zlib
make
make install
Verify that zlib installed correctly; the prefix directory should contain the three directories include, lib and share.
# ll /usr/local/zlib/
总用量 0
drwxr-xr-x 2 root root 35 9月 26 15:05 include
drwxr-xr-x 3 root root 91 9月 26 15:05 lib
drwxr-xr-x 3 root root 17 9月 26 15:05 share
Create and edit the loader configuration file:
vi /etc/ld.so.conf.d/zlib.conf
Add the following line, then save and exit
/usr/local/zlib/lib
Refresh the library cache so the newly built zlib libraries are picked up
ldconfig -v
4. Build and install libressl
tar xzvf libressl-3.5.3.tar.gz
cd libressl-3.5.3/
./configure --prefix=/usr/local/libressl
make
make install
echo '/usr/local/libressl/lib' > /etc/ld.so.conf.d/libressl.conf
ldconfig -v
The libressl libraries can now be resolved by the dynamic loader, as shown below
# ldconfig -p|grep /usr/local/libressl
libtls.so.25 (libc6,x86-64) => /usr/local/libressl/lib/libtls.so.25
libtls.so (libc6,x86-64) => /usr/local/libressl/lib/libtls.so
libssl.so.52 (libc6,x86-64) => /usr/local/libressl/lib/libssl.so.52
libssl.so (libc6,x86-64) => /usr/local/libressl/lib/libssl.so
libcrypto.so.49 (libc6,x86-64) => /usr/local/libressl/lib/libcrypto.so.49
libcrypto.so (libc6,x86-64) => /usr/local/libressl/lib/libcrypto.so
Rename the existing openssl binary
mv /usr/bin/openssl /usr/bin/openssl.bak
Create the ssl-related symbolic links (note: if /usr/include/openssl already exists as a directory from the openssl-devel package installed earlier, the second ln -s creates the link inside that directory rather than replacing it)
ln -s /usr/local/libressl/bin/openssl /usr/bin/openssl
ln -s /usr/local/libressl/include/openssl /usr/include/openssl
Edit the loader configuration file
vi /etc/ld.so.conf.d/ssl.conf
Add the following line, then save and exit
/usr/local/ssl/lib
Refresh the library cache so the newly built ssl libraries are picked up
ldconfig -v
Check the openssl version
openssl version -a
5. Build and install openssh
tar xzvf openssh-9.0p1.tar.gz
cd openssh-9.0p1
./configure --prefix=/usr --with-zlib=/usr/local/zlib --with-ssl-dir=/usr/local/libressl
make
Adjust the host key file permissions (the private keys must be mode 600 or sshd will refuse to load them)
ll /etc/ssh
总用量 24
-rw-r-----. 1 root ssh_keys 480 6月 20 17:38 ssh_host_ecdsa_key
-rw-r--r--. 1 root root 162 6月 20 17:38 ssh_host_ecdsa_key.pub
-rw-r-----. 1 root ssh_keys 387 6月 20 17:38 ssh_host_ed25519_key
-rw-r--r--. 1 root root 82 6月 20 17:38 ssh_host_ed25519_key.pub
-rw-r-----. 1 root ssh_keys 2578 6月 20 17:38 ssh_host_rsa_key
-rw-r--r--. 1 root root 554 6月 20 17:38 ssh_host_rsa_key.pub
chmod 600 /etc/ssh/ssh_host_rsa_key
chmod 600 /etc/ssh/ssh_host_ecdsa_key
chmod 600 /etc/ssh/ssh_host_ed25519_key
ll /etc/ssh
总用量 24
-rw-------. 1 root ssh_keys 480 6月 20 17:38 ssh_host_ecdsa_key
-rw-r--r--. 1 root root 162 6月 20 17:38 ssh_host_ecdsa_key.pub
-rw-------. 1 root ssh_keys 387 6月 20 17:38 ssh_host_ed25519_key
-rw-r--r--. 1 root root 82 6月 20 17:38 ssh_host_ed25519_key.pub
-rw-------. 1 root ssh_keys 2578 6月 20 17:38 ssh_host_rsa_key
-rw-r--r--. 1 root root 554 6月 20 17:38 ssh_host_rsa_key.pub
make install
.......
/usr/bin/install -c -m 644 scp.1.out /usr/share/man/man1/scp.1
/usr/bin/install -c -m 644 ssh-add.1.out /usr/share/man/man1/ssh-add.1
/usr/bin/install -c -m 644 ssh-agent.1.out /usr/share/man/man1/ssh-agent.1
/usr/bin/install -c -m 644 ssh-keygen.1.out /usr/share/man/man1/ssh-keygen.1
/usr/bin/install -c -m 644 ssh-keyscan.1.out /usr/share/man/man1/ssh-keyscan.1
/usr/bin/install -c -m 644 moduli.5.out /usr/share/man/man5/moduli.5
/usr/bin/install -c -m 644 sshd_config.5.out /usr/share/man/man5/sshd_config.5
/usr/bin/install -c -m 644 ssh_config.5.out /usr/share/man/man5/ssh_config.5
/usr/bin/install -c -m 644 sshd.8.out /usr/share/man/man8/sshd.8
/usr/bin/install -c -m 644 sftp.1.out /usr/share/man/man1/sftp.1
/usr/bin/install -c -m 644 sftp-server.8.out /usr/share/man/man8/sftp-server.8
/usr/bin/install -c -m 644 ssh-keysign.8.out /usr/share/man/man8/ssh-keysign.8
/usr/bin/install -c -m 644 ssh-pkcs11-helper.8.out /usr/share/man/man8/ssh-pkcs11-helper.8
/usr/bin/install -c -m 644 ssh-sk-helper.8.out /usr/share/man/man8/ssh-sk-helper.8
/usr/bin/mkdir -p /usr/etc
ssh-keygen: generating new host keys: RSA DSA ECDSA ED25519
/usr/sbin/sshd -t -f /usr/etc/sshd_config
Edit the configuration file /usr/etc/sshd_config to allow root to log in directly
Open port 22
#Port 22
Port 22
Allow root login
PermitRootLogin yes
#HostKey /etc/ssh_host_rsa_key
#HostKey /etc/ssh_host_ecdsa_key
#HostKey /etc/ssh_host_ed25519_key
change to
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
Save and exit
The ssh service must start at boot, so a few settings are needed
On CentOS 7, back up the old service file first
mv /usr/lib/systemd/system/sshd.service /usr/lib/systemd/system/sshd.serviceold
On AnolisOS 8 the file can be created directly
Create the configuration file /etc/sysconfig/sshd
vim /etc/sysconfig/sshd
Enter the following content
# Configuration file for the sshd service.
# The server keys are automatically generated if they are missing.
# To change the automatic creation uncomment and change the appropriate
# line. Accepted key types are: DSA RSA ECDSA ED25519.
# The default is "RSA ECDSA ED25519"
# AUTOCREATE_SERVER_KEYS=""
# AUTOCREATE_SERVER_KEYS="RSA ECDSA ED25519"
# Do not change this option unless you have hardware random
# generator and you REALLY know what you are doing
SSH_USE_STRONG_RNG=0
# SSH_USE_STRONG_RNG=1
Save and exit
Create sshd.service
vim /usr/lib/systemd/system/sshd.service
[Unit]
Description=OpenSSH 9 server daemon
Documentation=man:sshd(8) man:sshd_config(5)
After=network.target sshd-keygen.service
Wants=sshd-keygen.service
[Service]
Type=simple
EnvironmentFile=/etc/sysconfig/sshd
ExecStart=/usr/sbin/sshd -D $OPTIONS
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartSec=42s
[Install]
WantedBy=multi-user.target
systemctl daemon-reload
Start the sshd service
systemctl start sshd
Enable start at boot
systemctl enable sshd.service
Check the sshd service status
systemctl status sshd -l
● sshd.service - OpenSSH 9 server daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; disabled; vendor preset: enabled)
Active: active (running) since Mon 2022-09-26 16:34:09 CST; 4s ago
Docs: man:sshd(8)
man:sshd_config(5)
Main PID: 68932 (sshd)
Tasks: 1 (limit: 23576)
Memory: 764.0K
CGroup: /system.slice/sshd.service
└─68932 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups
9月 26 16:34:09 anolis systemd[1]: Started OpenSSH 9 server daemon.
9月 26 16:34:09 anolis sshd[68932]: Server listening on 0.0.0.0 port 22.
9月 26 16:34:09 anolis sshd[68932]: Server listening on :: port 22.
Verify the ssh version
ssh -V
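Before closing the session that was kept open through the upgrade, it is worth confirming from inside it that the new build is really the one running. The script below is an added example and not part of the original guide; it assumes the guide's paths (prefix /usr, config in /usr/etc/sshd_config, zlib in /usr/local/zlib, LibreSSL in /usr/local/libressl, host keys in /etc/ssh) and checks that ssh -V reports the new versions, that sshd resolves libcrypto and libz from the freshly built trees rather than the distribution copies under /lib64, that every private host key is mode 600, and that the new configuration passes sshd -t.

```shell
#!/bin/sh
# Post-upgrade verification for the build in this guide (added example, not part
# of the original). Assumes the guide's paths: prefix /usr, config in
# /usr/etc/sshd_config, zlib in /usr/local/zlib, LibreSSL in /usr/local/libressl.
set -u
# 0 when an `ssh -V` line names the expected OpenSSH and LibreSSL versions.
check_version_line() {
  case "$1" in
    "${2:-OpenSSH_9.0p1}"*"${3:-LibreSSL 3.5.3}"*) return 0 ;;
    *) return 1 ;;
  esac
}

# 0 when `ldd /usr/sbin/sshd` output resolves libcrypto and libz from the trees
# built above, not from the distribution copies under /lib64.
check_linked_libs() {
  printf '%s\n' "$1" | grep -q 'libcrypto\.so[^ ]* => /usr/local/libressl/lib/' || return 1
  printf '%s\n' "$1" | grep -q 'libz\.so[^ ]* => /usr/local/zlib/lib/' || return 1
}

# 0 when every private host key mode (as printed by `stat -c %a`) is 600.
check_key_modes() {
  [ $# -gt 0 ] || return 1
  for mode in "$@"; do
    [ "$mode" = 600 ] || return 1
  done
}

# Constructed sample output (not captured from a real host) so the checks can be
# exercised before touching a server.
SAMPLE_VERSION='OpenSSH_9.0p1, LibreSSL 3.5.3'
SAMPLE_LDD='    libcrypto.so.49 => /usr/local/libressl/lib/libcrypto.so.49 (0x00007f3a00000000)
    libz.so.1 => /usr/local/zlib/lib/libz.so.1 (0x00007f3a00100000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f3a00200000)'
self_check() {
  check_version_line "$SAMPLE_VERSION" && check_linked_libs "$SAMPLE_LDD" && check_key_modes 600 600 600
}

# Live checks against the upgraded host; run with: sh verify_sshd.sh --live
run_live_checks() {
  rc=0
  check_version_line "$(ssh -V 2>&1)" || { echo 'FAIL: ssh -V does not report OpenSSH_9.0p1 / LibreSSL 3.5.3'; rc=1; }
  check_linked_libs "$(ldd /usr/sbin/sshd 2>/dev/null)" || { echo 'FAIL: sshd not linked against /usr/local/libressl and /usr/local/zlib'; rc=1; }
  check_key_modes $(stat -c %a /etc/ssh/ssh_host_*_key 2>/dev/null) || { echo 'FAIL: a private host key is not mode 600'; rc=1; }
  /usr/sbin/sshd -t -f /usr/etc/sshd_config || { echo 'FAIL: sshd -t rejected /usr/etc/sshd_config'; rc=1; }
  return $rc
}

if [ "${1:-}" = '--live' ]; then run_live_checks; fi
```

Only after all four checks pass, and a second login from another terminal succeeds, should the original session be closed.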