Upgrading SSH on CentOS


cat /etc/issue.net
CentOS release 5.5 (Final)
Kernel \r on an \m
The upgrade works without problems on CentOS 5.x and 6.x.


ssh -V
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

rpm -qa |grep openssh
openssh-4.3p2-41.el5
openssh-clients-4.3p2-41.el5
openssh-server-4.3p2-41.el5

Latest version on the OpenSSL official site: OpenSSL 1.0.1c / OpenSSL 1.0.1g.
OpenSSL 1.0.1 through 1.0.1f and 1.0.2-beta1 contain the Heartbleed vulnerability; OpenSSL 1.0.1g can be used.

Latest version on the OpenSSH official site: OpenSSH_6.0p1

I. Enable telnet as a fallback, in case the upgrade fails and SSH login becomes impossible
1. Check whether the telnet server is installed; if not, install it with yum

rpm -qa |grep telnet
telnet-0.17-39.el5
yum install telnet-server

2. Enable telnet

vi /etc/xinetd.d/telnet
service telnet
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
disable = yes # change to no
}

Change disable to no.

3. Start telnet
/etc/init.d/xinetd restart

4. Open port 23 for telnet in the firewall, allowing only the 192.168.0.0 internal network

iptables -A INPUT -s 192.168.0.0/24 -m state --state NEW -m tcp -p tcp --dport 23 -j ACCEPT

5. Test the telnet service from the internal network

telnet 192.168.0.11
Trying 192.168.0.11...
Connected to 192.168.0.11 (192.168.0.11).
Escape character is '^]'.
CentOS release 5.8 (Final)
Kernel 2.6.18-308.el5 on an x86_64
login: c1g
Password: xxxxx

II. Upgrade zlib
yum -y update zlib

III. Upgrade OpenSSL
which openssl
/usr/bin/openssl

Note: do not use openssl-1.0.1c any more.

wget http://www.openssl.org/source/openssl-1.0.1c.tar.gz
tar zxvf openssl-1.0.1c.tar.gz
cd openssl-1.0.1c
./config --prefix=/usr --shared
make && make test && make install

The --shared option is required; without it the header files and the library will not match:

checking whether getpgrp requires zero arguments... yes
checking OpenSSL header version... 1000103f (OpenSSL 1.0.1c 10 May 2012)
checking OpenSSL library version... 90802f (OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008)
checking whether OpenSSL's headers match the library... no
configure: error: Your OpenSSL headers do not match your
library. Check config.log for details.
If you are sure your installation is consistent, you can disable the check
by running "./configure --without-openssl-header-check".
Also see contrib/findssl.sh for help identifying header/library mismatches.

and the resulting binaries will not run properly:

ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key
OpenSSL version mismatch. Built against 1000103f, you have 90802f
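As an added example (not part of the original post), the two version numbers in the output above can be decoded and compared the way sshd compares them at startup: the functions below decode OpenSSL's MNNFFPPS version numbers and reimplement, in shell, the header/library compatibility rule modelled on OpenSSH's openbsd-compat/openssl-compat.c. Note that the RHEL5 library's numeric value 90802f decodes to 0.9.8b although its text banner reads 0.9.8e-fips-rhel5; the check compares the numbers, not the banner.

```shell
#!/bin/sh
# Added example, not from the original post: decode OpenSSL's MNNFFPPS
# version numbers (the "1000103f" and "90802f" seen in the configure output)
# and apply the header/library compatibility rule modelled on OpenSSH's
# openbsd-compat/openssl-compat.c, reimplemented here in shell.

decode_openssl_version() {      # decode_openssl_version 1000103f -> "1.0.1c"
    v=$((0x$1))
    major=$(( (v >> 28) & 0xf ))
    minor=$(( (v >> 20) & 0xff ))
    fix=$(( (v >> 12) & 0xff ))
    patch=$(( (v >> 4) & 0xff ))    # 1..26 is printed as a letter a..z
    status=$(( v & 0xf ))           # 0 = dev, 1..14 = beta N, 15 = release
    out="$major.$minor.$fix"
    [ "$patch" -gt 0 ] && out="$out$(awk -v n=$((96 + patch)) 'BEGIN { printf "%c", n }')"
    case $status in
        0)  out="$out-dev" ;;
        15) ;;
        *)  out="$out-beta$status" ;;
    esac
    printf '%s\n' "$out"
}

openssl_compatible() {          # openssl_compatible HEADER LIB -> 0 if sshd would accept the pair
    h=$((0x$1)); l=$((0x$2))
    [ "$h" -eq "$l" ] && return 0                    # exact match is always fine
    if [ "$h" -lt $((0x1000000f)) ]; then
        # before 1.0.0: major, minor, fix and status must all match (patch letter may differ)
        [ $(( h & 0xfffff00f )) -eq $(( l & 0xfffff00f )) ]
        return
    fi
    # 1.0.0 and later: major, minor and status must match and the library's
    # fix level must be the header's or newer (1.0.1c headers accept a 1.0.1g library)
    hfix=$(( (h >> 12) & 0xff )); lfix=$(( (l >> 12) & 0xff ))
    [ $(( h & 0xfff0000f )) -eq $(( l & 0xfff0000f )) ] && [ "$lfix" -ge "$hfix" ]
}

# The pair from the configure output in the post, plus the 1.0.1g the post recommends
for pair in "1000103f 90802f" "1000103f 1000107f"; do
    set -- $pair
    if openssl_compatible "$1" "$2"; then verdict=compatible; else verdict=MISMATCH; fi
    printf 'header %s (%s) vs library %s (%s): %s\n' \
        "$1" "$(decode_openssl_version "$1")" "$2" "$(decode_openssl_version "$2")" "$verdict"
done
```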

IV. Upgrade SSH
1. Install the PAM development package to avoid the following error

configure: error: PAM headers not found

yum install pam-devel

2. Back up the original ssh configuration
mv /etc/ssh /etc/ssh_bak

3. Upgrade ssh

cd ..
wget http://ftp3.usa.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-6.0p1.tar.gz
tar zxvf openssh-6.0p1.tar.gz
cd openssh-6.0p1
./configure --prefix=/usr --with-zlib --sysconfdir=/etc/ssh --with-ssl-dir=/usr --with-md5-passwords --with-pam


OpenSSH has been configured with the following options:
User binaries: /usr/bin
System binaries: /usr/sbin
Configuration files: /etc/ssh
Askpass program: /usr/libexec/ssh-askpass
Manual pages: /usr/share/man/manX
PID file: /var/run
Privilege separation chroot path: /var/empty
sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin
Manpage format: doc
PAM support: yes
OSF SIA support: no
KerberosV support: no
SELinux support: no
Smartcard support:
S/KEY support: no
TCP Wrappers support: no
MD5 password support: yes
libedit support: no
Solaris process contract support: no
Solaris project support: no
IP address in $DISPLAY hack: no
Translate v4 in v6 hack: yes
BSD Auth support: no
Random number source: OpenSSL internal ONLY
Privsep sandbox style: rlimit

Host: x86_64-unknown-linux-gnu
Compiler: gcc
Compiler flags: -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wno-pointer-sign -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -fstack-protector-all -std=gnu99
Preprocessor flags: -I/usr/include
Linker flags: -L/usr/lib -L/usr/local/lib -Wl,-rpath,/usr/local/lib -fstack-protector-all
Libraries: -lcrypto -ldl -lutil -lz -lnsl -lcrypt -lresolv
+for sshd: -lpam

PAM is enabled. You may need to install a PAM control file
for sshd, otherwise password authentication may fail.
Example PAM control files can be found in the contrib/
subdirectory

make && make install

4. Check the installed version
ssh -V
OpenSSH_6.0p1, OpenSSL 1.0.1c 10 May 2012

5. Edit the configuration file: forbid root login, disable DNS resolution, use protocol 2 only, change the ssh port to 6022

sed -i '/^#PermitRootLogin/s/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
sed -i '/^#UseDNS yes/s/#UseDNS yes/UseDNS no/' /etc/ssh/sshd_config
sed -i '/^#Protocol 2/s/#Protocol 2/Protocol 2/' /etc/ssh/sshd_config
echo "Port 6022" >> /etc/ssh/sshd_config

6. Restart the ssh service
/etc/init.d/sshd restart
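The sed and echo lines in step 5 work once on a pristine sshd_config, but they skip a directive that is already uncommented with a different value and append a second Port line if rerun. As an added example (not from the original post), the functions below set each directive idempotently, keep global options ahead of any Match block, and run sshd -t on the result before the restart in step 6, so a typo cannot lock you out of the only remote access path.

```shell
#!/bin/sh
# Added example, not from the original post: idempotent sshd_config edits
# plus a syntax check before restarting sshd.

set_sshd_option() {     # set_sshd_option FILE KEY VALUE
    file=$1 key=$2 value=$3
    awk -v key="$key" -v value="$value" '
        {
            line = $0; sub(/^[ \t]*#?/, "", line)        # "#Port 22" -> "Port 22"; "# text" keeps a leading space
            split(line, f, /[ \t]+/); kw = tolower(f[1])  # keyword names are case-insensitive
            if (kw == "match" && $0 !~ /^[ \t]*#/) {      # global section ends at the first active Match
                if (!done) { print key, value; done = 1 }
                in_match = 1
            }
            if (!in_match && kw == tolower(key)) {
                if (!done) { print key, value; done = 1 } # rewrite the first occurrence in place...
                next                                       # ...and drop later duplicates
            }
            print
        }
        END { if (!done) print key, value }                # never present: append
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

harden_sshd_config() {  # harden_sshd_config FILE: the four changes from step 5
    set_sshd_option "$1" PermitRootLogin no
    set_sshd_option "$1" UseDNS no
    set_sshd_option "$1" Protocol 2
    set_sshd_option "$1" Port 6022
}

check_sshd_config() {   # check_sshd_config FILE: parse only, do not start the daemon
    command -v sshd >/dev/null 2>&1 || { echo "sshd not in PATH, cannot syntax-check" >&2; return 2; }
    sshd -t -f "$1"
}

# Usage on the real host (run as root):
#   harden_sshd_config /etc/ssh/sshd_config && check_sshd_config /etc/ssh/sshd_config && /etc/init.d/sshd restart
```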

V. Cleanup
1. Stop the telnet service
/etc/init.d/xinetd stop

2. Remove the telnet iptables rule

iptables -D INPUT -s 192.168.0.0/24 -m state --state NEW -m tcp -p tcp --dport 23 -j ACCEPT

3. Remove the telnet server package
yum remove telnet-server

4. After the ssh upgrade, other machines that log in to this host need to regenerate the key, which affects passwordless-login setups:

Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending key in /root/.ssh/known_hosts:7
RSA host key for 192.168.0.11 has changed and you have requested strict checking.
Host key verification failed.
rsync: connection unexpectedly closed (0 bytes received so far) [sender]
rsync error: unexplained error (code 255) at io.c(463) [sender=2.6.8]

Delete the entry for this host from known_hosts
vi /root/.ssh/known_hosts

5. Note: during the SSH upgrade, your current SSH session is not dropped by the upgrade or by restarting the service.

Posted in linux maintenance and optimization, security.
