1. 升级背景
最近,openssh出现漏洞,而ssh是远程连接必不可少的通道,所以必须保证ssh的版本达到最新,消除漏洞。
2.当前系统版本和ssh版本
2.1 系统版本
[root@k8s-master ~]# cat /etc/centos-release
CentOS Linux release 7.4.1708 (Core)
[root@k8s-master ~]# uname -a
Linux k8s-master 3.10.0-693.el7.x86_64 #1 SMP Tue Aug 22 21:09:27 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
[root@k8s-master ~]#
2.2 ssh版本
[root@k8s-master ~]# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
[root@k8s-master ~]# openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017
[root@k8s-master ~]# rpm -qa zlib
zlib-1.2.7-17.el7.x86_64
3.下载openssh最新版本
3.1 官方网站下载最新的openssh版本
官网地址:
3.2 下载相关软件包
[root@k8s-master src]# wget -O /usr/local/src/openssh-7.7p1.tar.gz
4. 配置yum源,安装并配置telnet服务
因为,需要重新配置ssh服务,那么如果是远程服务器,那么要考虑适用其他的远程连接工具去临时替代ssh,所以需要安装和配置telnet服务。
4.1 配置yum源
[root@k8s-master yum.repos.d]# cat /etc/yum.repos.d/alibase.repo
[base]
name=ali base
baseurl=
enabled=1
gpgcheck=0
4.2 安装telnet服务
[root@k8s-master yum.repos.d]# yum install telnet-server -y
4.3 配置、启动并测试telent
[root@k8s-master xinetd.d]# systemctl start telnet.socket
[root@k8s-master xinetd.d]# systemctl status telnet.socket
● telnet.socket - Telnet Server Activation Socket
Loaded: loaded (/usr/lib/systemd/system/telnet.socket; disabled; vendor preset: disabled)
Active: active (listening) since Sun 2018-04-15 10:42:29 CST; 6s ago
Docs: man:telnetd(8)
Listen: [::]:23 (Stream)
Accepted: 0; Connected: 0
Apr 15 10:42:29 k8s-master systemd[1]: Listening on Telnet Server Activation Socket.
Apr 15 10:42:29 k8s-master systemd[1]: Starting Telnet Server Activation Socket.
[root@k8s-master xinetd.d]#
测试连接,注意要使用普通用户连接,然后,可以切换到root:
[c:\~]$ telnet 192.168.1.10
Connecting to 192.168.1.10:23...
Connection established.
To escape to local shell, press 'Ctrl+Alt+]'.
Kernel 3.10.0-693.el7.x86_64 on an x86_64
k8s-master login: neves
Password:
Last login: Sun Apr 15 10:44:47 from ::ffff:192.168.1.108
[neves@k8s-master ~]$ su - root
Password:
Last login: Sun Apr 15 10:44:54 CST 2018 on pts/2
[root@k8s-master ~]#
5. 升级ssh
任何Linux服务可能都需要额外的依赖软件,Openssh依赖如下软件:
OpenSSH depends on Zlib[3], OpenSSL[4], and optionally PAM[5] and libedit[6]
5.1 依赖软件版本
Zlib 1.1.4 or 1.2.1.2 or greater (earlier 1.2.x versions have problems):
libcrypto (LibreSSL or OpenSSL >= 1.0.1 < 1.1.0)
LibreSSL ; or
OpenSSL
大家可以发现,当前的zbli,openssl等软件依赖条件都满足,所以不需要再重新配置依赖环境了。
5.2 停止openssh服务
[root@k8s-master ssh]# systemctl stop sshd.service
将原有配置文件备份:
[root@k8s-master ssh]# mv /etc/ssh /etc/ssh.old
5.3 卸载openssh软件
[root@k8s-master ssh]# rpm -qa | grep openssh | xargs -i rpm -e --nodeps {}
5.4 安装新版本openssh软件
5.4.1 依赖软件
[root@k8s-master ssh]# yum install gcc zlib-devel openssl-devel pam-devel -y
5.4.2 配置软件
[root@k8s-master openssh-7.7p1]# cd /usr/local/src/openssh-7.7p1/
[root@k8s-master openssh-7.7p1]# make ./configure --prefix=/usr/local/sshd --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-zlib
5.4.3 编译
[root@k8s-master openssh-7.7p1]# make
5.4.4 安装
[root@k8s-master openssh-7.7p1]# make install
5.4.5 重新安装命令及相应文档到相应的路径
[root@k8s-master sshd]# install -v -m755 /usr/local/sshd/bin/* /usr/bin
[root@k8s-master man]# install -v m644 /usr/local/sshd/share/man/man1/* /usr/share/man/man1
[root@k8s-master man]# install -v m644 /usr/local/sshd/share/man/man5/* /usr/share/man/man5
[root@k8s-master man]# install -v m644 /usr/local/sshd/share/man/man8/* /usr/share/man/man8
[root@k8s-master man]# install -v -m755 -d /usr/share/doc/openssh-7.7p1
[root@k8s-master openssh-7.7p1]# cd /usr/local/src/openssh-7.7p1/
[root@k8s-master openssh-7.7p1]# install -v -m644 INSTALL README LICENCE OVERVIEW /usr/share/doc/openssh-7.7p1/
‘INSTALL’ -> ‘/usr/share/doc/openssh-7.7p1/INSTALL’
‘README’ -> ‘/usr/share/doc/openssh-7.7p1/README’
‘LICENCE’ -> ‘/usr/share/doc/openssh-7.7p1/LICENCE’
‘OVERVIEW’ -> ‘/usr/share/doc/openssh-7.7p1/OVERVIEW’
5.4.5配置sshd 启动
[root@k8s-master system]# /usr/local/sshd/sbin/sshd &
5.4.6 测试版本
[root@k8s-master system]# ssh -V
OpenSSH_7.7p1, OpenSSL 1.0.2k-fips 26 Jan 2017
5.5.4.7 关闭telnet服务
[root@k8s-master system]# systemctl stop telnet.socket
阅读(1803) | 评论(0) | 转发(0) |
