Upgrading OpenSSL

# Download OpenSSL
wget https://www.openssl.org/source/openssl-3.0.8.tar.gz
# Unpack
tar -zxvf openssl-3.0.8.tar.gz
cd openssl-3.0.8
# Configure
./config --prefix=/usr/ --openssldir=/usr/ shared
# Build and install
make && make install
# Check the version
openssl version -a

Problem: Can't locate IPC/Cmd.pm in @INC (@INC contains:

# Fix
yum install -y perl-CPAN
# First-run prompts: 1. yes 2. manual 3. yes
perl -MCPAN -e shell
# Install (typed at the cpan prompt)
install IPC/Cmd.pm

Install Telnet as a fallback in case the upgrade goes wrong

yum -y install telnet-server
systemctl start telnet.socket

Problem: cannot log in remotely

# Find the cause
cat /var/log/secure
# Result: access denied: tty 'pts/2' is not secure !
# Add pts/2 to the securetty file
vi /etc/securetty

Check the firewall policy, or simply turn the firewall off.

Upgrading OpenSSH

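# Install dependencies (patterns quoted so the shell does not expand them against local files)
yum install -y 'pam*' 'zlib*'
# Back up the old configuration and uninstall the packaged OpenSSH
mv /etc/ssh /etc/ssh_bak
systemctl stop sshd
rpm -qa | grep openssh
yum remove 'openssh*'
# Download and unpack
wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.3p1.tar.gz
tar -xzvf openssh-9.3p1.tar.gz
cd openssh-9.3p1/
# Configure (--with-ssl-dir takes a path; /usr is the prefix OpenSSL was installed to above)
./configure --with-zlib --with-ssl-dir=/usr --with-pam \
--bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc/ssh
# Build and install
make && make install
# Copy the init script
cp contrib/redhat/sshd.init /etc/init.d/sshd
# Check the version
ssh -V
# Start the service
service sshd restart
systemctl restart sshd
# Enable start at boot
systemctl enable sshd
# Uninstall telnet
yum remove -y telnet-server
# Delete the entry added earlier
vi /etc/securetty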

Note: after upgrading to 9.0 you must either disable SELinux or configure PAM before you can connect.

Disabling SELinux

1. Temporarily: run setenforce 0; SELinux is enabled again after the system reboots.
2. Permanently: run vi /etc/selinux/config, change SELINUX=enforcing to SELINUX=disabled, then save and exit.

Configuring PAM

Edit sshd_config with vi /etc/ssh/sshd_config and add UsePAM yes.

Then run vi /etc/pam.d/sshd and add the following:

#%PAM-1.0
auth required pam_sepermit.so
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth

Problem: Permissions 0640 for '/etc/ssh/ssh_host_rsa_key' are too open.

# Fix the permissions of the file named in the message; only one file is listed here
chmod 0600 /etc/ssh/ssh_host_rsa_key
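
The chmod above covers only the one key named in the error, and the Telnet fallback leaves a pts entry in /etc/securetty that has to be deleted by hand. The following is an added example, not part of the original post, that checks both leftovers; the function names leftover_pts and fix_hostkey_perms and the --run switch are made up for this sketch, and it assumes a stat that accepts -c %a (GNU coreutils or busybox).

```shell
#!/bin/sh
# Added example (not from the original post): post-upgrade checks for the
# two leftovers this guide can produce. Paths are parameters so the
# functions can be tried on a scratch directory first.

# Print every pts/N line still present in a securetty file.
leftover_pts() {
    [ -f "$1" ] || return 0
    grep -E '^pts/[0-9]+[[:space:]]*$' "$1" || true
}

# Tighten every private host key in a directory to 0600 when group or
# other have any access; print the path of each file that was changed.
# Matches ssh_host_rsa_key, ssh_host_ecdsa_key, ssh_host_ed25519_key, ...
# but not the *.pub files, which are meant to be world-readable.
fix_hostkey_perms() {
    for key in "$1"/ssh_host_*_key; do
        [ -f "$key" ] || continue          # glob matched nothing
        mode=$(stat -c %a "$key")          # e.g. 640
        case "$mode" in
            *00) ;;                        # no group/other bits: fine
            *)   chmod 0600 "$key" && echo "$key" ;;
        esac
    done
}

# Run against the live system only when asked: sh check.sh --run
if [ "${1:-}" = "--run" ]; then
    echo "pts entries still in /etc/securetty:"; leftover_pts /etc/securetty
    echo "host keys tightened to 0600:";         fix_hostkey_perms /etc/ssh
fi
```

Any line printed under the first heading is a fallback entry that still needs deleting from /etc/securetty.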