
Upgrading SSH on CentOS

    cat /etc/issue.net
    CentOS release 5.5 (Final)
    Kernel \r on an \m

The same procedure works on CentOS 5.x and 6.x.

    ssh -V
    OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

    rpm -qa |grep openssh
    openssh-4.3p2-41.el5
    openssh-clients-4.3p2-41.el5
    openssh-server-4.3p2-41.el5

Latest release on the OpenSSL site when this was written: OpenSSL 1.0.1c, later updated to OpenSSL 1.0.1g. OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1 contain the Heartbleed bug (CVE-2014-0160); 1.0.1g is safe to use.

Latest release on the OpenSSH site: OpenSSH_6.0p1.

I. Enable telnet so you can still log in if the upgrade breaks ssh

Telnet sends the password in cleartext, which is why step 4 below limits it to the internal network and section V removes it again once the new sshd is confirmed working.

1. Check whether the telnet server is installed; if not, install it with yum. The rpm query below only turns up the telnet client, so the server package still has to be installed:

    rpm -qa |grep telnet
    telnet-0.17-39.el5
    yum install telnet-server

2. Enable telnet

    vi /etc/xinetd.d/telnet
    service telnet
    {
        flags       = REUSE
        socket_type = stream
        wait        = no
        user        = root
        server      = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        disable     = yes # change to no
    }

Change disable to no.

3. Start telnet

    /etc/init.d/xinetd restart

4. Open port 23 in the firewall, allowing only the 192.168.0.0/24 internal network

    iptables -A INPUT -s 192.168.0.0/24 -m state --state NEW -m tcp -p tcp  --dport 23 -j ACCEPT

Note that -A appends to the end of the INPUT chain. If the chain already terminates in a REJECT or DROP (the stock CentOS 5 firewall hands INPUT to RH-Firewall-1-INPUT, which ends in a REJECT), the appended rule is never reached; check with iptables -L INPUT -n --line-numbers and use -I to insert the rule ahead of the terminating rule instead.

5. Test the telnet service from the internal network

    telnet 192.168.0.11
    Trying 192.168.0.11...
    Connected to 192.168.0.11 (192.168.0.11).
    Escape character is '^]'.
    CentOS release 5.8 (Final)
    Kernel 2.6.18-308.el5 on an x86_64
    login: c1g
    Password: xxxxx

II. Upgrade zlib

    yum -y update zlib

III. Upgrade OpenSSL

    which openssl
    /usr/bin/openssl

Note: do not use openssl-1.0.1c any more. Use 1.0.1g or later (see the Heartbleed note above) and substitute that version in the commands below.

    wget http://www.openssl.org/source/openssl-1.0.1c.tar.gz
    tar zxvf openssl-1.0.1c.tar.gz
    cd openssl-1.0.1c
    ./config --prefix=/usr --shared
    make && make test && make install

Installing with --prefix=/usr overwrites the distribution's /usr/bin/openssl and headers outside of RPM's control; a later yum update of the openssl package will overwrite these files again, so keep that in mind.

The --shared option is required. Without it OpenSSL installs only static libraries: the new headers land in /usr/include, but the only libcrypto shared library the linker finds is still the old 0.9.8e one, and OpenSSH's configure refuses the mismatch:

    checking whether getpgrp requires zero arguments... yes
    checking OpenSSL header version... 1000103f (OpenSSL 1.0.1c 10 May 2012)
    checking OpenSSL library version... 90802f (OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008)
    checking whether OpenSSL's headers match the library... no
    configure: error: Your OpenSSL headers do not match your
    library. Check config.log for details.
    If you are sure your installation is consistent, you can disable the check
    by running "./configure --without-openssl-header-check".
    Also see contrib/findssl.sh for help identifying header/library mismatches.

Bypassing the check does not help: the binaries are then built against the new headers but load the old library, and refuse to run at all:

    ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key
    OpenSSL version mismatch. Built against 1000103f, you have 90802f
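To catch this mismatch before building OpenSSH, the shell script below (an added example, not part of the original post) reproduces in shell the rule OpenSSH's configure script and its run-time "OpenSSL version mismatch" check apply, as implemented in OpenSSH's openbsd-compat/openssl-compat.c: an exact match is fine; below 1.0.0 major, minor, fix and status must all match; from 1.0.0 on major, minor and status must match and the library's fix level must be at least the header's. The header line and ssh -V banner fed to the demo are constructed from the values shown above. The encoder derives the hex number from the printed version string, which only approximates the compiled-in constant (RHEL's patched 0.9.8e reports 90802f, not the 90805f the string suggests); the function names and the live check are this example's own, not OpenSSH tooling.

```shell
#!/bin/sh
# Added example: mirror OpenSSH's OpenSSL header/library compatibility check
# in shell. Not part of the original post; function names are this example's.

# Pull "M.N.Fp" out of text such as an `ssh -V` banner or `openssl version`
# output, e.g. "OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008" -> "0.9.8e".
openssl_ver_from_banner() {
    printf '%s\n' "$1" |
        sed -n 's/.*OpenSSL \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*[a-z]*\).*/\1/p'
}

# Pull the hex OPENSSL_VERSION_NUMBER out of an opensslv.h line such as
# "# define OPENSSL_VERSION_NUMBER 0x1000103fL" -> "1000103f".
openssl_hex_from_header_line() {
    printf '%s\n' "$1" |
        sed -n 's/.*OPENSSL_VERSION_NUMBER[[:space:]]*0x\([0-9a-fA-F]*\)L.*/\1/p' | head -n 1
}

# Encode "M.N.Fp" the way OPENSSL_VERSION_NUMBER does (MNNFFPPS in hex):
# 1.0.1c -> 1000103f, 0.9.8e -> 90805f. Patch letter a=1, b=2, ...; status f.
# Derived from the printed string, so it approximates the compiled-in constant
# (RHEL's patched 0.9.8e reports 90802f, as the configure output above shows).
openssl_ver_to_hex() {
    ver=${1%%-*}                          # drop "-fips-rhel5" style suffixes
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; rest=${rest#*.}
    fix=$(printf '%s' "$rest" | sed 's/[^0-9].*$//')
    letter=$(printf '%s' "$rest" | sed 's/^[0-9]*//')
    patch=0
    if [ -n "$letter" ]; then
        alphabet=abcdefghijklmnopqrstuvwxyz
        before=${alphabet%%$letter*}      # letters preceding it: "c" -> "ab"
        patch=$(( ${#before} + 1 ))       # a=1, b=2, c=3, ...
    fi
    printf '%x\n' $(( (major << 28) | (minor << 20) | (fix << 12) | (patch << 4) | 0xf ))
}

# The rule OpenSSH applies (openbsd-compat/openssl-compat.c). Exit status 0
# means the header/library pair is compatible.
openssl_ver_compatible() {
    hdr=$((0x$1)); lib=$((0x$2))
    [ "$hdr" -eq "$lib" ] && return 0                      # exact match
    [ $((hdr >> 20)) -eq $((lib >> 20)) ] || return 1      # major and minor
    [ $((hdr & 0xf)) -eq $((lib & 0xf)) ] || return 1      # status nibble
    hfix=$(( (hdr >> 12) & 0xff )); lfix=$(( (lib >> 12) & 0xff ))
    if [ "$hdr" -lt $((0x1000000f)) ]; then
        [ "$hfix" -eq "$lfix" ]                            # pre-1.0.0: fix must match
    else
        [ "$lfix" -ge "$hfix" ]                            # 1.0.x: library may be newer
    fi
}

# Live check on a real host (not run automatically): installed header versus
# the library the openssl binary reports. `ldd /usr/sbin/sshd | grep libcrypto`
# shows which libcrypto sshd itself will load.
check_installed_openssl() {
    hdr=$(openssl_hex_from_header_line "$(grep 'define OPENSSL_VERSION_NUMBER' /usr/include/openssl/opensslv.h)")
    lib=$(openssl_ver_to_hex "$(openssl_ver_from_banner "$(openssl version)")")
    openssl_ver_compatible "$hdr" "$lib"
}

# Demo with the values from the failed configure run above (constructed input).
hdr_hex=$(openssl_hex_from_header_line '# define OPENSSL_VERSION_NUMBER 0x1000103fL')
lib_hex=$(openssl_ver_to_hex "$(openssl_ver_from_banner 'OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008')")
if openssl_ver_compatible "$hdr_hex" "$lib_hex"; then
    echo "OK: header $hdr_hex and library $lib_hex are compatible"
else
    echo "MISMATCH: header $hdr_hex vs library $lib_hex; rebuild OpenSSL with --shared or fix the link path"
fi
```

The demo prints the mismatch; with a 1.0.1 library of any patch letter in place, the same pair would pass, which is exactly what a correct --shared install produces.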

IV. Upgrade OpenSSH

1. Install the PAM development package, otherwise configure fails with:

    configure: error: PAM headers not found

    yum install pam-devel

2. Back up the existing ssh configuration

    mv /etc/ssh /etc/ssh_bak

This moves the host keys away together with the config, so make install will generate a fresh set and every client will see a changed host key (see section V, step 4). If the server should keep its identity, copy ssh_host_*_key and ssh_host_*_key.pub from /etc/ssh_bak back into /etc/ssh before restarting sshd; OpenSSH 6.0 reads the RSA and DSA keys from 4.3 without change.

3. Build and install OpenSSH

    cd ..
    wget http://ftp3.usa.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-6.0p1.tar.gz
    tar zxvf openssh-6.0p1.tar.gz
    cd openssh-6.0p1
    ./configure --prefix=/usr --with-zlib --sysconfdir=/etc/ssh --with-ssl-dir=/usr --with-md5-passwords --with-pam

--prefix=/usr places the new sshd at /usr/sbin/sshd, which is where the distribution's /etc/init.d/sshd script expects it, so the existing init script keeps working.
    OpenSSH has been configured with the following options:
                         User binaries: /usr/bin
                       System binaries: /usr/sbin
                   Configuration files: /etc/ssh
                       Askpass program: /usr/libexec/ssh-askpass
                          Manual pages: /usr/share/man/manX
                              PID file: /var/run
      Privilege separation chroot path: /var/empty
                sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin
                        Manpage format: doc
                           PAM support: yes
                       OSF SIA support: no
                     KerberosV support: no
                       SELinux support: no
                     Smartcard support:
                         S/KEY support: no
                  TCP Wrappers support: no
                  MD5 password support: yes
                       libedit support: no
      Solaris process contract support: no
               Solaris project support: no
           IP address in $DISPLAY hack: no
               Translate v4 in v6 hack: yes
                      BSD Auth support: no
                  Random number source: OpenSSL internal ONLY
                 Privsep sandbox style: rlimit

                  Host: x86_64-unknown-linux-gnu
              Compiler: gcc
        Compiler flags: -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wno-pointer-sign -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -fstack-protector-all -std=gnu99
    Preprocessor flags: -I/usr/include
          Linker flags: -L/usr/lib -L/usr/local/lib -Wl,-rpath,/usr/local/lib -fstack-protector-all
             Libraries: -lcrypto -ldl -lutil -lz -lnsl  -lcrypt -lresolv
             +for sshd:  -lpam

    PAM is enabled. You may need to install a PAM control file
    for sshd, otherwise password authentication may fail.
    Example PAM control files can be found in the contrib/
    subdirectory

The PAM warning needs no action here: the CentOS openssh-server package already provides /etc/pam.d/sshd, and this install leaves it in place.

    make && make install

4. Check the installed version

    ssh -V
    OpenSSH_6.0p1, OpenSSL 1.0.1c 10 May 2012

5. Edit the configuration: disable root login, disable DNS lookups, allow only protocol 2, and move the ssh port to 6022

    sed -i '/^#PermitRootLogin/s/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
    sed -i '/^#UseDNS yes/s/#UseDNS yes/UseDNS no/' /etc/ssh/sshd_config
    sed -i '/^#Protocol 2/s/#Protocol 2/Protocol 2/' /etc/ssh/sshd_config
    echo "Port 6022" >> /etc/ssh/sshd_config

These sed patterns only work on the stock sshd_config that make install just wrote, where each directive is present as a commented-out default ("#PermitRootLogin yes" and so on); on a file that already has an active line for the keyword they change nothing, and a second run of the echo appends a duplicate Port line. Before restarting, open port 6022 in iptables the same way port 23 was opened above, and check that the file parses (sshd -t).
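A safer way to apply step 5, given as an added example rather than the post's own commands: POSIX shell functions that set each directive exactly once. For most keywords sshd uses the first active occurrence in the file, so a value appended after an existing active line is silently ignored; Port is the exception (sshd listens on every active Port line), so appending "Port 6022" to a file that already has an active "Port 22" leaves port 22 open as well. The functions below replace the first occurrence, whether commented default or active line, and append only when the keyword is absent. The sample configuration is constructed from the stock comment lines, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: set sshd_config directives idempotently. Not part of the
# original post; the function names are this example's own.

# set_sshd_option FILE KEYWORD VALUE
# Replaces the first line for KEYWORD, whether an active directive or the
# stock commented-out default ("#Port 22"), with "KEYWORD VALUE"; if the
# keyword does not occur at all, the directive is appended. Keyword matching
# is case-insensitive, as in sshd.
set_sshd_option() {
    file=$1 key=$2 value=$3
    awk -v k="$key" -v v="$value" '
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)        # strip indentation and a leading "#"
            split(line, f, /[ \t]+/)
            if (!done && tolower(f[1]) == tolower(k)) {
                print k " " v                       # first occurrence: replace in place
                done = 1
                next
            }
            print
        }
        END { if (!done) print k " " v }            # never seen: append
    ' "$file" > "$file.tmp.$$" && mv "$file.tmp.$$" "$file"
}

# sshd_effective_value FILE KEYWORD: the value sshd will use, i.e. the first
# active occurrence (later duplicates of most keywords are ignored).
sshd_effective_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# sshd_active_ports FILE: every active Port line. Port accumulates rather
# than taking the first value, so sshd listens on all of these; after the
# move to 6022 this must print only 6022.
sshd_active_ports() {
    awk 'tolower($1) == "port" { print $2 }' "$1"
}

# harden_sshd_config FILE [PORT]: the four changes from step 5.
harden_sshd_config() {
    f=$1 port=${2:-6022}
    set_sshd_option "$f" Protocol 2
    set_sshd_option "$f" PermitRootLogin no
    set_sshd_option "$f" UseDNS no
    set_sshd_option "$f" Port "$port"
}

# Demo on a constructed copy of the stock 6.0p1 comment lines, not the real
# /etc/ssh/sshd_config. Run twice to show that the second pass adds nothing.
demo=$(mktemp)
printf '%s\n' '#Port 22' '#Protocol 2' '#PermitRootLogin yes' '#UseDNS yes' \
    'Subsystem sftp /usr/libexec/sftp-server' > "$demo"
harden_sshd_config "$demo"
harden_sshd_config "$demo"
cat "$demo"
echo "active ports: $(sshd_active_ports "$demo" | tr '\n' ' ')"
rm -f "$demo"
```

On the real file, run harden_sshd_config /etc/ssh/sshd_config 6022, then sshd -t, then confirm sshd_active_ports prints only 6022 before restarting.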

6. Restart sshd

    /etc/init.d/sshd restart

Then log in over the new port from a second window before closing the session you are working in.

V. Cleanup

1. Stop the telnet service

    /etc/init.d/xinetd stop

This stops every xinetd service, not only telnet; if other xinetd services are in use, set disable back to yes in /etc/xinetd.d/telnet and restart xinetd instead.

2. Remove the telnet iptables rule

    iptables -D INPUT -s 192.168.0.0/24 -m state --state NEW -m tcp -p tcp  --dport 23 -j ACCEPT

3. Remove the telnet server package

    yum remove telnet-server

4. After the upgrade the server presents a new host key, so clients that cached the old one (including passwordless rsync and ssh jobs) fail until their known_hosts entry is updated. The client keys do not need to be regenerated; only the server's host key changed, because /etc/ssh was moved away in step IV.2 and make install generated a new one.

    Someone could be eavesdropping on you right now (man-in-the-middle attack)!
    It is also possible that the RSA host key has just been changed.
    The fingerprint for the RSA key sent by the remote host is
    xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    Please contact your system administrator.
    Add correct host key in /root/.ssh/known_hosts to get rid of this message.
    Offending key in /root/.ssh/known_hosts:7
    RSA host key for 192.168.0.11 has changed and you have requested strict checking.
    Host key verification failed.
    rsync: connection unexpectedly closed (0 bytes received so far) [sender]
    rsync error: unexplained error (code 255) at io.c(463) [sender=2.6.8]

Before accepting the new key, confirm that the fingerprint in the warning is the fingerprint of the server's own /etc/ssh/ssh_host_rsa_key.pub (checked on the console or over the telnet fallback); a fingerprint you cannot account for is the man-in-the-middle case this warning exists to catch. Then delete the stale line for the host from known_hosts:

    vi /root/.ssh/known_hosts
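The removal can be done mechanically. The functions below are an added example (not from the post) that drop every line naming the host, including the "[host]:port" form that connecting to the new port 6022 produces, and keep a .old backup in the manner of ssh-keygen -R, which is the tool to use on a real client (ssh-keygen -R 192.168.0.11, and ssh-keygen -R '[192.168.0.11]:6022' for the port-specific entry). Verify first: the fingerprint in the warning must equal what ssh-keygen -l -f /etc/ssh/ssh_host_rsa_key.pub prints on the server itself. The known_hosts sample is constructed with placeholder key material, the function names are this example's own, and hashed entries (lines beginning with |1|) are left untouched because they cannot be matched by name.

```shell
#!/bin/sh
# Added example: find and remove the stale known_hosts entry for one server,
# the way `ssh-keygen -R` does. Not part of the original post; the function
# names are this example's own.

# _known_hosts_scan FILE HOST MODE: one awk pass. MODE "list" prints every
# line naming HOST as "lineno: line"; MODE "keep" prints every line that does
# not name HOST. A line's name field is comma-separated, may be preceded by
# an "@revoked" or "@cert-authority" marker, and uses "[host]:port" for a
# non-default port, which is what the move to port 6022 produces. Hashed
# names ("|1|...") cannot be matched and are always kept.
_known_hosts_scan() {
    awk -v h="$2" -v mode="$3" '
        function names_host(fieldval,   n, names, i, name) {
            n = split(fieldval, names, ",")
            for (i = 1; i <= n; i++) {
                name = names[i]
                sub(/^\[/, "", name); sub(/]:[0-9]+$/, "", name)   # "[host]:port" -> host
                if (name == h) return 1
            }
            return 0
        }
        {
            hit = 0
            if ($0 !~ /^[ \t]*(#|$)/) {                 # skip comments and blank lines
                field = ($1 ~ /^@/) ? 2 : 1             # marker, if any, comes first
                hit = names_host($field)
            }
            if (mode == "list" && hit) print NR ": " $0
            if (mode == "keep" && !hit) print
        }' "$1"
}

# known_hosts_entries FILE HOST: show what would be removed (compare the key
# against the fingerprint in the warning before deleting anything).
known_hosts_entries() { _known_hosts_scan "$1" "$2" list; }

# known_hosts_remove FILE HOST: drop the entries, keeping FILE.old as a backup.
known_hosts_remove() {
    cp "$1" "$1.old"
    _known_hosts_scan "$1" "$2" keep > "$1.tmp.$$" && mv "$1.tmp.$$" "$1"
}

# Demo on a constructed known_hosts with placeholder key material.
demo=$(mktemp)
printf '%s\n' \
    '# constructed sample, keys are placeholders' \
    '192.168.0.11 ssh-rsa AAAAB3NzaC1yc2E_OLD_KEY_PLACEHOLDER' \
    'web1,192.168.0.12 ssh-rsa AAAAB3NzaC1yc2E_OTHER_HOST_PLACEHOLDER' \
    '[192.168.0.11]:6022 ssh-rsa AAAAB3NzaC1yc2E_OLD_KEY_PLACEHOLDER' \
    '|1|c2FsdHNhbHQ=|aGFzaGhhc2g= ssh-rsa AAAAB3NzaC1yc2E_HASHED_PLACEHOLDER' > "$demo"
echo "entries for 192.168.0.11:"
known_hosts_entries "$demo" 192.168.0.11
known_hosts_remove "$demo" 192.168.0.11
echo "after removal:"
cat "$demo"
rm -f "$demo" "$demo.old"
```

Listing first and removing second is deliberate: the listed key is what the client trusted before, and it is the thing to compare with the server's real fingerprint before the line goes.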

5. Note: neither the upgrade nor the service restart drops the SSH session you are working in; established connections keep running on the old sshd process. Keep that session open until a login over the new sshd has succeeded.

Posted in linux maintenance & optimization, security.
