cat /etc/issue.net CentOS release 5.5 (Final) Kernel \r on an \m 在centos5.x,6.x上升级都没问题 ssh -V OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008 rpm -qa |grep openssh openssh-4.3p2-41.el5 openssh-clients-4.3p2-41.el5 openssh-server-4.3p2-41.el5

openssh官方网站目前最新版OpenSSL 1.0.1c OpenSSL 1.0.1g 1.0.1-1.0.f和1.0.2-beta1含有心脏出血漏洞,OpenSSL 1.0.1g 可以使用

penssl官方网站/目前最新版OpenSSH_6.0p1

一,开启telnet预防升级失败后不能登录ssh 1.检查有无安装telnet服务端,没有就用yum装上

rpm -qa |grep telnet telnet-0.17-39.el5 yum install telnet-server

2.开启telnet

vi /etc/xinetd.d/telnet service telnet { flags = REUSE socket_type = stream wait = no user = root server = /usr/sbin/in.telnetd log_on_failure += USERID disable = yes #改成no }

disable改成no

3.启动telnet /etc/init.d/xinetd restart

4.开启telnet 23端口防火墙,并只限192.168.0.0内网进入

iptables -A INPUT -s 192.168.0.0/24 -m state –state NEW -m tcp -p tcp –dport 23 -j ACCEPT

5.在内网测试telnet服务

telnet 192.168.0.11 Trying 192.168.0.11… Connected to 192.168.0.11 (192.168.0.11). Escape character is ‘^]’. CentOS release 5.8 (Final) Kernel 2.6.18-308.el5 on an x86_64 login: c1g Password: xxxxx

二,升级zlib yum -y update zlib

三,升级openssl which openssl /usr/bin/openssl

注意:不要用openssl-1.0.1c了

wget http://www.openssl.org/source/openssl-1.0.1c.tar.gz tar zxvf openssl-1.0.1c.tar.gz cd openssl-1.0.1c ./config –prefix=/usr –shared make && make test && make install

需带上–shared参数 否则会出现头文件和库文件不匹配

checking whether getpgrp requires zero arguments… yes checking OpenSSL header version… 1000103f (OpenSSL 1.0.1c 10 May 2012) checking OpenSSL library version… 90802f (OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008) checking whether OpenSSL’s headers match the library… no configure: error: Your OpenSSL headers do not match your library. Check config.log for details. If you are sure your installation is consistent, you can disable the check by running “./configure –without-openssl-header-check”. Also see contrib/findssl.sh for help identifying header/library mismatches.

会无法正常运行

ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key OpenSSL version mismatch. Built against 1000103f, you have 90802f

四,升级ssh 1.安装pam开发包,避免以下错误

configure: error: PAM headers not found

yum install pam-devel

2.备份原ssh配置 mv /etc/ssh /etc/ssh_bak

3.升级ssh

cd .. wget http://ftp3.usa.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-6.0p1.tar.gz tar zxvf openssh-6.0p1.tar.gz cd openssh-6.0p1 ./configure –prefix=/usr –with-zlib –sysconfdir=/etc/ssh –with-ssl-dir=/usr –with-md5-passwords –with-pam OpenSSH has been configured with the following options: User binaries: /usr/bin System binaries: /usr/sbin Configuration files: /etc/ssh Askpass program: /usr/libexec/ssh-askpass Manual pages: /usr/share/man/manX PID file: /var/run Privilege separation chroot path: /var/empty sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin Manpage format: doc PAM support: yes OSF SIA support: no KerberosV support: no SELinux support: no Smartcard support: S/KEY support: no TCP Wrappers support: no MD5 password support: yes libedit support: no Solaris process contract support: no Solaris project support: no IP address in $DISPLAY hack: no Translate v4 in v6 hack: yes BSD Auth support: no Random number source: OpenSSL internal ONLY Privsep sandbox style: rlimit Host: x86_64-unknown-linux-gnu Compiler: gcc Compiler flags: -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wno-pointer-sign -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -fno-builtin-memset -fstack-protector-all -std=gnu99 Preprocessor flags: -I/usr/include Linker flags: -L/usr/lib -L/usr/local/lib -Wl,-rpath,/usr/local/lib -fstack-protector-all Libraries: -lcrypto -ldl -lutil -lz -lnsl -lcrypt -lresolv +for sshd: -lpam PAM is enabled. You may need to install a PAM control file for sshd, otherwise password authentication may fail. Example PAM control files can be found in the contrib/ subdirectory

make && make install

4.检查安装后的版本 ssh -V OpenSSH_6.0p1, OpenSSL 1.0.1c 10 May 2012

5.修改配置文件,禁止root登录,禁止dns解析,使用协议2,修改ssh端口至6022

sed -i ‘/^#PermitRootLogin/s/#PermitRootLogin yes/PermitRootLogin no/’ /etc/ssh/sshd_config sed -i ‘/^#UseDNS yes/s/#UseDNS yes/UseDNS no/’ /etc/ssh/sshd_config sed -i ‘/^#Protocol 2/s/#Protocol 2/Protocol 2/’ /etc/ssh/sshd_config echo “Port 6022” >> /etc/ssh/sshd_config

6.重启ssh服务 /etc/init.d/sshd restart

五,善后工作 1.停止telnet服务 /etc/init.d/xinetd stop

2.去除telnet的iptables

iptables -D INPUT -s 192.168.0.0/24 -m state –state NEW -m tcp -p tcp –dport 23 -j ACCEPT

3.移除telnet服务 yum remove telnet-server

4.升级ssh后其它机器登录需要重新生成key,会影响免登录的设置

Someone could be eavesdropping on you right now (man-in-the-middle attack)! It is also possible that the RSA host key has just been changed. The fingerprint for the RSA key sent by the remote host is xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx Please contact your system administrator. Add correct host key in /root/.ssh/known_hosts to get rid of this message. Offending key in /root/.ssh/known_hosts:7 RSA host key for 192.168.0.11 has changed and you have requested strict checking. Host key verification failed. rsync: connection unexpectedly closed (0 bytes received so far) [sender] rsync error: unexplained error (code 255) at io.c(463) [sender=2.6.8]

从known_hosts中删除相关主机 vi /root/.ssh/known_hosts

5.注:在升级SSH时你的SSH是不会因为升级或重启服务而断掉的.