linux升级最新的ssl版本,CentOS7升级OpenSSL版本(1.1.1)
1.CentOS7.6默认安装的openssl版本为
# 查看openssl版本
2.下载最新的openssl
网址:https://www.openssl.org/source/*
Wget https://www.openssl.org/source/openssl-1.1.1*.tar.gz
*代表小的版本号码,当前为m
3.解压并编译安装
tar -zxvf openssl-1.1.1c.tar.gz
cd openssl-1.1.1c
./config --prefix=/usr/local/openssl #如果此步骤报错,需要安装perl以及gcc包
make && make install
mv /usr/bin/openssl /usr/bin/openssl.bak
ln -sf /usr/local/openssl/bin/openssl /usr/bin/openssl
echo "/usr/local/openssl/lib" >> /etc/ld.so.conf
ldconfig -v # 设置生效
——————————————————————————————————————————————————————————————————————————————————
centos7 升级openssh8.8p1
因安全问题,需要把openssh升级到最新版。操作如下
yum install pam-devel libselinux-devel zlib-devel openssl-devel -y
wget -c https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.8p1.tar.gz
tar zxvf openssh-8.8p1.tar.gz
需要注意ssl文件路径是否对,我服务器对应的是openssl,所以一直失败
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-zlib --with-tcp-wrappers --with-ssl-dir=/usr/local/ssl --without-hardening
或者
./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-zlib=/usr/local/zlib --with-ssl-dir=/usr/local/openssl --mandir=/usr/share/man --without-hardening
make
make install
vi /etc/init.d/sshd
# 按下图修改,需要注意,此路径是你安装新版本openssh的路径,根据你的实际情况修改:
SSHD=/usr/local/openssh/sbin/sshd
sed -i 's#/usr/sbin/sshd#/usr/local/openssh/sbin/sshd#' /etc/init.d/sshd
cp -a contrib/redhat/sshd.init /etc/init.d/sshd
#cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd.pam
#chmod u+x /etc/init.d/sshd
rpm -aq | grep openssh
rpm -e 写在旧版的openssh
配置sshd开机启动
[root@localhost openssh-8.6p1]# chkconfig --add sshd
[root@localhost openssh-8.6p1]# chkconfig --level 2345 sshd on
[root@localhost openssh-8.6p1]# chkconfig --list
修改sshd配置文件/etc/ssh/sshd_config
[root@localhost openssh-8.6p1]# echo "PermitRootLogin yes" >> /etc/ssh/sshd_config #直接用root登录终端
[root@localhost openssh-8.6p1]# echo 'X11Forwarding yes' >> /etc/ssh/sshd_config #设置是否允许X11转发
[root@localhost openssh-8.6p1]# echo "PasswordAuthentication yes" >> /etc/ssh/sshd_config #是否允许密码验证
Subsystem sftp /usr/libexec/sftp-server
替换相关命令,并重启sshd服务
[root@localhost openssh-8.6p1]# cp -arp /usr/local/openssh/bin/* /usr/bin/ #替换相关命令
[root@localhost openssh-8.6p1]# service sshd restart #重启sshd服务
cp -arp /usr/local/openssh/bin/* /usr/bin/
重启ssh
service sshd restart
查看版本号
ssh -V
报错解决:
1、Jan 19 08:09:47 Centos7 sshd: /etc/ssh/sshd_config line 79: Unsupported option GSSAPIAuthentication
Jan 19 08:09:47 Centos7 sshd: /etc/ssh/sshd_config line 80: Unsupported option GSSAPICleanupCredentials
解决:注释掉响应行
2、启动SSH服务时若出现“Permissions ****。 for '/etc/ssh/ssh_host_rsa_key' are too open”问题
解决办法正确设置文件的访问权限,如 chmod 600 /etc/ssh/ssh_host_rsa_key
补充:
./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-zlib=/usr/local/zlib --with-ssl-dir=/usr/local/openssl --mandir=/usr/share/man --without-hardening
for i in $(rpm -qa |grep openssh);do rpm -e $i --nodeps;done
sed -i 's#/usr/sbin/sshd#/usr/local/openssh/sbin/sshd#' /etc/init.d/sshd
cp -arp /usr/local/openssh/bin/* /usr/bin/
sshd文件增加
PermitRootLogin yes
X11Forwarding yes
PasswordAuthentication yes
Ciphers aes256-ctr
MACs hmac-sha2-512,hmac-sha2-256
HostKeyAlgorithms +ssh-rsa