http://jackxiang.com/index.php zh-cn http://jackxiang.com/post// jack <xdy108@126.com> Fri, 17 Aug 2018 03:05:04 +0000 http://jackxiang.com/post//     Redhat企业级系统的6.7版自带SSH版本为OpenSSH_5.3p1, 基于审计和安全性需求，建议将其升级到最新的OpenSSH版本，当前官网最新版本为7.4p1. 本文档将详细介绍OpenSSH升级的完整步骤。需要说明的是，升级过程中虽然涉及zlib、openssl和openssh的卸载，但是并不会导致当前的ssh远程连接会话断开，因此是可以将整个升级过程写成自动化脚本以进行自动批量部署的。后面咱准备逐步过度到CentOS7了，新版在SSH底层上优化了TCP连接传输功能。在譬如拷贝时会用同一个TCP的FD，而旧版本的是没有这个功能的。再就是刚连接过了在超时设置范围内，再次发起连接时也会复用之前的一个Socket的FD句柄，提高连接效率。
编译安装OpenSSH7.4p1一共分二步，
第一步：安装编译需要的RPM包：
yum install  gcc -y yum install audit-libs glibc keyutils-libs krb5-libs libcom_err libselinux nss-softokn-freebl openssl pam zlib -y

第二步：编译并安装到和原来一样的目录，如下步骤：
tar zxvf openssh-7.4p1.tar.gz
cd openssh-7.4p1
ll
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-md5-passwords --with-kerberos5=/usr/lib64/libkrb5.so
make && make install
cp -rf /usr/local/src/openssh-7.4p1/contrib/redhat/sshd.init /etc/init.d/sshd  
cp -rf contrib/redhat/sshd.init /etc/init.d/sshd  
chmod +x /etc/init.d/sshd
chkconfig --add sshd
vim /etc/init.d/sshd
sed -i '/sbin/restorecon /etc/ssh/ssh_host_key.pub/s/^/#/'  /etc/init.d/sshd  
sed -i 's/#PermitRootLogin/PermitRootLogin/' /etc/ssh/sshd_config
vim /etc/ssh/sshd_config
ssh -V
service sshd restart
vim /etc/ssh/sshd_config
ll
vim /etc/ssh/sshd_config
ps -ef|grep ssh
service sshd start
history

附录：
反查一些OpenSSH需要的动态库，RPM包的安装路径辅助上面参数配置：
rpm -ql openssh-server-5.3p1-122.el6.x86_64
/etc/pam.d/ssh-keycat
/etc/pam.d/sshd
/etc/rc.d/init.d/sshd
/etc/ssh/sshd_config
/etc/sysconfig/sshd
/usr/libexec/openssh/sftp-server
/usr/libexec/openssh/ssh-keycat
/usr/sbin/.sshd.hmac
/usr/sbin/sshd
/usr/share/doc/openssh-server-5.3p1
/usr/share/doc/openssh-server-5.3p1/HOWTO.ssh-keycat
/usr/share/man/man5/moduli.5.gz
/usr/share/man/man5/sshd_config.5.gz
/usr/share/man/man8/sftp-server.8.gz
/usr/share/man/man8/sshd.8.gz
/var/empty/sshd



ldd /usr/sbin/sshd
        linux-vdso.so.1 =>  (0x00007fffbc5ff000)
        libpam.so.0 => /lib64/libpam.so.0 (0x00007f2d19bf3000)
        libcrypto.so.10 => /usr/lib64/libcrypto.so.10 (0x00007f2d1980e000)
        librt.so.1 => /lib64/librt.so.1 (0x00007f2d19605000)
        libdl.so.2 => /lib64/libdl.so.2 (0x00007f2d19401000)
        libutil.so.1 => /lib64/libutil.so.1 (0x00007f2d191fe000)
        libz.so.1 => /lib64/libz.so.1 (0x00007f2d18fe7000)
        libcrypt.so.1 => /lib64/libcrypt.so.1 (0x00007f2d18db0000)
        libresolv.so.2 => /lib64/libresolv.so.2 (0x00007f2d18b96000)
        libgssapi_krb5.so.2 => /lib64/libgssapi_krb5.so.2 (0x00007f2d18951000)
        libkrb5.so.3 => /lib64/libkrb5.so.3 (0x00007f2d1866a000)
        libk5crypto.so.3 => /lib64/libk5crypto.so.3 (0x00007f2d1843e000)
        libcom_err.so.2 => /lib64/libcom_err.so.2 (0x00007f2d18239000)
        libc.so.6 => /lib64/libc.so.6 (0x00007f2d17ea5000)
        libaudit.so.1 => /lib64/libaudit.so.1 (0x00007f2d17c89000)
        libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f2d17a6b000)
        /lib64/ld-linux-x86-64.so.2 (0x0000003c0e400000)
        libfreebl3.so => /lib64/libfreebl3.so (0x00007f2d177f4000)
        libkrb5support.so.0 => /lib64/libkrb5support.so.0 (0x00007f2d175e9000)
        libkeyutils.so.1 => /lib64/libkeyutils.so.1 (0x00007f2d173e5000)
        libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f2d171c6000)

rpm -qf /lib64/libpam.so.0 >> /tmp/jackRpmResult.txt
rpm -qf /usr/lib64/libcrypto.so.10 >> /tmp/jackRpmResult.txt
rpm -qf /lib64/librt.so.1 >> /tmp/jackRpmResult.txt
rpm -qf /lib64/libdl.so.2 >> /tmp/jackRpmResult.txt
rpm -qf /lib64/libutil.so.1 >> /tmp/jackRpmResult.txt
rpm -qf /lib64/libz.so.1 >> /tmp/jackRpmResult.txt
rpm -qf /lib64/libcrypt.so.1 >> /tmp/jackRpmResult.txt
rpm -qf /lib64/libresolv.so.2 >> /tmp/jackRpmResult.txt
rpm -qf /lib64/libgssapi_krb5.so.2 >> /tmp/jackRpmResult.txt
rpm -qf /lib64/libkrb5.so.3 >> /tmp/jackRpmResult.txt
rpm -qf /lib64/libk5crypto.so.3 >> /tmp/jackRpmResult.txt
rpm -qf /lib64/libcom_err.so.2 >> /tmp/jackRpmResult.txt
rpm -qf /lib64/libc.so.6 >> /tmp/jackRpmResult.txt
rpm -qf /lib64/libaudit.so.1 >> /tmp/jackRpmResult.txt
rpm -qf /lib64/libpthread.so.0 >> /tmp/jackRpmResult.txt
rpm -qf /lib64/ld-linux-x86-64.so.2 >> /tmp/jackRpmResult.txt
rpm -qf /lib64/libfreebl3.so >> /tmp/jackRpmResult.txt
rpm -qf /lib64/libkrb5support.so.0 >> /tmp/jackRpmResult.txt
rpm -qf /lib64/libkeyutils.so.1 >> /tmp/jackRpmResult.txt
rpm -qf /lib64/libselinux.so.1 >> /tmp/jackRpmResult.txt

需要这些包：
rpm -qa|grep audit-libs-2.2-2
rpm -qa|grep glibc-2.12-1.192
rpm -qa|grep keyutils-libs-1.4-5
rpm -qa|grep krb5-libs-1.10.3-65
rpm -qa|grep libcom_err-1.41.12-23
rpm -qa|grep libselinux-2.0.94-7
rpm -qa|grep nss-softokn-freebl-3.14.3-9
rpm -qa|grep openssl-1.0.1e-57
rpm -qa|grep pam-1.1.1-24
rpm -qa|grep zlib-1.2.3-29


yum 安装软件包：
audit-libs-2.2-2 glibc-2.12-1.192 keyutils-libs-1.4-5 krb5-libs-1.10.3-65 libcom_err-1.41.12-23 libselinux-2.0.94-7 nss-softokn-freebl-3.14.3-9 openssl-1.0.1e-57 pam-1.1.1-24 zlib-1.2.3-29

去掉版本号直接安装：
yum install audit-libs glibc keyutils-libs krb5-libs libcom_err libselinux nss-softokn-freebl openssl pam zlib




参考编译来源：
（1）http://blog.chinaunix.net/uid-28266791-id-5759478.html
（2）https://www.cnblogs.com/xshrim/p/6472679.html ]]> http://jackxiang.com/post//#blogcomment <user@domain.com> Thu, 01 Jan 1970 00:00:00 +0000 http://jackxiang.com/post//#blogcomment