
Upgrading SSH on CentOS

    cat /etc/
    CentOS release 5.5 (Final)
    Kernel \r on an \m

The upgrade works without problems on both CentOS 5.x and 6.x.

    ssh -V
    OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

    rpm -qa |grep openssh
    openssh-4.3p2-41.el5
    openssh-clients-4.3p2-41.el5
    openssh-server-4.3p2-41.el5

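Latest version on the official OpenSSH website at present: OpenSSL 1.0.1c, OpenSSL 1.0.1g.
Versions 1.0.1 through 1.0.1f and 1.0.2-beta1 contain the Heartbleed vulnerability, and the 1.0.1c built in the steps below falls in that range; OpenSSL 1.0.1g can be used.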
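To check which side of that range a build is on, the following added example (not part of the original post) classifies the OpenSSL version reported by `openssl version` or `ssh -V`. The function names are hypothetical, and the range is the one stated in this post.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Extract the OpenSSL version token from `openssl version` or `ssh -V` output.
openssl_version_of() {
    printf '%s\n' "$1" | sed -n 's/.*OpenSSL \([0-9][0-9A-Za-z.-]*\).*/\1/p'
}

# Classify against the range given in this post:
# 1.0.1 through 1.0.1f, and 1.0.2-beta1.
# Distribution packages can carry backported fixes without changing the
# version string, so this is meant for source builds like the one here.
heartbleed_status() {
    v=$(openssl_version_of "$1")
    case "$v" in
        "")                          echo unknown ;;
        1.0.1|1.0.1[a-f]|1.0.1[a-f]-*) echo vulnerable ;;
        1.0.2-beta1)                 echo vulnerable ;;
        *)                           echo not-in-range ;;
    esac
}

# The two `ssh -V` banners shown in this post, before and after the upgrade.
for banner in \
    'OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008' \
    'OpenSSH_6.0p1, OpenSSL 1.0.1c 10 May 2012'
do
    echo "$(heartbleed_status "$banner"): $banner"
done
```

On a live host, pass it the real banner with `heartbleed_status "$(ssh -V 2>&1)"`.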



    rpm -qa |grep telnet
    telnet-0.17-39.el5
    yum install telnet-server


    vi /etc/xinetd.d/telnet

    service telnet
    {
        flags       = REUSE
        socket_type = stream
        wait        = no
        user        = root
        server      = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        disable     = yes # change to no
    }


/etc/init.d/xinetd restart

4. Open telnet port 23 in the firewall, restricted to the 192.168.0.0 internal network only

    iptables -A INPUT -s -m state --state NEW -m tcp -p tcp  --dport 23 -j ACCEPT


    telnet
    Trying
    Connected to (
    Escape character is '^]'.
    CentOS release 5.8 (Final)
    Kernel 2.6.18-308.el5 on an x86_64
    login: c1g
    Password: xxxxx

yum -y update zlib

which openssl


    wget
    tar zxvf openssl-1.0.1c.tar.gz
    cd openssl-1.0.1c
    ./config --prefix=/usr --shared
    make && make test && make install

The --shared parameter is required; otherwise the OpenSSL headers and library will not match:

    checking whether getpgrp requires zero arguments... yes
    checking OpenSSL header version... 1000103f (OpenSSL 1.0.1c 10 May 2012)
    checking OpenSSL library version... 90802f (OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008)
    checking whether OpenSSL's headers match the library... no
    configure: error: Your OpenSSL headers do not match your
    library. Check config.log for details.
    If you are sure your installation is consistent, you can disable the check
    by running "./configure --without-openssl-header-check".
    Also see contrib/ for help identifying header/library mismatches.


    ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key
    OpenSSL version mismatch. Built against 1000103f, you have 90802f


    configure: error: PAM headers not found

yum install pam-devel

mv /etc/ssh /etc/ssh_bak


    cd ..
    wget
    tar zxvf openssh-6.0p1.tar.gz
    cd openssh-6.0p1
    ./configure --prefix=/usr --with-zlib --sysconfdir=/etc/ssh --with-ssl-dir=/usr --with-md5-passwords --with-pam

    OpenSSH has been configured with the following options:
                         User binaries: /usr/bin
                       System binaries: /usr/sbin
                   Configuration files: /etc/ssh
                       Askpass program: /usr/libexec/ssh-askpass
                          Manual pages: /usr/share/man/manX
                              PID file: /var/run
      Privilege separation chroot path: /var/empty
                sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin
                        Manpage format: doc
                           PAM support: yes
                       OSF SIA support: no
                     KerberosV support: no
                       SELinux support: no
                     Smartcard support:
                         S/KEY support: no
                  TCP Wrappers support: no
                  MD5 password support: yes
                       libedit support: no
      Solaris process contract support: no
               Solaris project support: no
           IP address in $DISPLAY hack: no
               Translate v4 in v6 hack: yes
                      BSD Auth support: no
                  Random number source: OpenSSL internal ONLY
                 Privsep sandbox style: rlimit

                  Host: x86_64-unknown-linux-gnu
              Compiler: gcc
        Compiler flags: -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wno-pointer-sign -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -fstack-protector-all -std=gnu99
    Preprocessor flags: -I/usr/include
          Linker flags: -L/usr/lib -L/usr/local/lib -Wl,-rpath,/usr/local/lib -fstack-protector-all
             Libraries: -lcrypto -ldl -lutil -lz -lnsl  -lcrypt -lresolv
             +for sshd:  -lpam

    PAM is enabled. You may need to install a PAM control file
    for sshd, otherwise password authentication may fail.
    Example PAM control files can be found in the contrib/
    subdirectory

make && make install

ssh -V
OpenSSH_6.0p1, OpenSSL 1.0.1c 10 May 2012


    sed -i '/^#PermitRootLogin/s/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
    sed -i '/^#UseDNS yes/s/#UseDNS yes/UseDNS no/' /etc/ssh/sshd_config
    sed -i '/^#Protocol 2/s/#Protocol 2/Protocol 2/' /etc/ssh/sshd_config
    echo "Port 6022" >> /etc/ssh/sshd_config
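Each `sed` substitution above changes nothing, and reports nothing, when the commented default in the file does not match its pattern exactly, so it is worth confirming the result before restarting sshd and removing the telnet fallback. The following is an added example, not part of the original post; the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit sshd_config after the edits.

# Print every value set for keyword $1 in file $2, in file order.
# Comment lines are ignored; keywords are matched case-insensitively.
sshd_values() {
    awk -v k="$1" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(k) { print $2 }
    ' "$2"
}

# usage: check_setting FILE KEYWORD WANTED
# sshd keeps the first value it reads for a keyword; Port is the exception
# (it may be listed several times), so there any matching line is enough.
check_setting() {
    if [ "$2" = "Port" ]; then
        sshd_values "$2" "$1" | grep -qx "$3"
    else
        [ "$(sshd_values "$2" "$1" | head -n 1)" = "$3" ]
    fi
}

# Report the four settings the post intends; return how many are not in effect.
audit_sshd_config() {
    failures=0
    for pair in PermitRootLogin=no UseDNS=no Protocol=2 Port=6022; do
        if check_setting "$1" "${pair%%=*}" "${pair#*=}"; then
            echo "ok      ${pair%%=*} ${pair#*=}"
        else
            echo "MISSING ${pair%%=*} ${pair#*=}"
            failures=$((failures + 1))
        fi
    done
    return "$failures"
}

# Constructed sample: the PermitRootLogin comment differs from the text the
# sed pattern expects, so that substitution left the line untouched.
make_sample() {
    sample=$(mktemp)
    printf '%s\n' '#Port 22' 'Protocol 2' \
        '#PermitRootLogin without-password' 'UseDNS no' 'Port 6022' > "$sample"
    echo "$sample"
}

cfg=$(make_sample)
audit_sshd_config "$cfg" || echo "fix the settings above before stopping telnet"
rm -f "$cfg"
```

On the server itself, run `audit_sshd_config /etc/ssh/sshd_config` in place of the sample file.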

/etc/init.d/sshd restart

/etc/init.d/xinetd stop


    iptables -D INPUT -s -m state --state NEW -m tcp -p tcp  --dport 23 -j ACCEPT

yum remove telnet-server


    Someone could be eavesdropping on you right now (man-in-the-middle attack)!
    It is also possible that the RSA host key has just been changed.
    The fingerprint for the RSA key sent by the remote host is
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Please contact your system administrator.
    Add correct host key in /root/.ssh/known_hosts to get rid of this message.
    Offending key in /root/.ssh/known_hosts:7
    RSA host key for has changed and you have requested strict checking.
    Host key verification failed.
    rsync: connection unexpectedly closed (0 bytes received so far) [sender]
    rsync error: unexplained error (code 255) at io.c(463) [sender=2.6.8]

vi /root/.ssh/known_hosts


Posted in Linux maintenance and optimization, Security.
