一、安装telnet服务
为防止升级过程中 SSH 远程连接中断后无法登录,可先启用 telnet 作为备用的远程连接方式。telnet 以明文传输账号和口令,只应在升级期间临时开启,升级完成并确认 SSH 可用后立即关闭。
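# Temporary telnet fallback for the duration of the OpenSSH upgrade.
# telnet sends logins and session data in cleartext, so it should only be
# reachable from a trusted management network and only while the upgrade
# is in progress. The second half of this listing (teardown) is meant to be
# run after the new sshd has been verified, not immediately after setup.

# --- setup ---------------------------------------------------------------

# Install
yum install -y telnet-server xinetd
systemctl start telnet.socket
systemctl start xinetd

# Listing pts/0 and pts/1 in /etc/securetty lets root log in on those
# pseudo-terminals, which is what a telnet session is attached to.
echo 'pts/0' >>/etc/securetty
echo 'pts/1' >>/etc/securetty

# Restart
systemctl restart telnet.socket

# Start at boot, so the fallback survives a reboot during the upgrade
systemctl enable telnet.socket
systemctl enable xinetd

# Create an ordinary user. Its password crosses the network in cleartext
# over telnet, so use one that is not shared with any other account.
useradd test
passwd test

# --- teardown (after the upgraded sshd is confirmed working) --------------

# Stop the services ...
systemctl stop telnet.socket
systemctl stop xinetd

# ... and undo the "enable" above; stopping alone would let telnet come
# back on the next reboot.
systemctl disable telnet.socket
systemctl disable xinetd

# Remove the two securetty entries added during setup so root logins on
# pseudo-terminals are no longer permitted.
sed -i -e '/^pts\/0$/d' -e '/^pts\/1$/d' /etc/securetty

# Delete the user
userdel test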
二、关闭selinux
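# Open the SELinux configuration file and set the mode to the value shown
# below (the setting is file content, not an argument to vi):
#
#   SELINUX=disabled
#
# NOTE(review): "disabled" turns SELinux off for the whole host, not just
# for sshd. SELINUX=permissive is the less drastic setting: policy denials
# are logged but not enforced. Whichever is used, plan to return to
# enforcing mode once the upgraded sshd has been verified.
vi /etc/sysconfig/selinux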
修改后重启一下系统。
三、卸载原有的OpenSSH
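# List the OpenSSH packages that are currently installed.
rpm -qa | grep openssh

# Keep a copy of the existing configuration and host keys before removing
# anything; -a preserves ownership and modes, which matters for the private
# host keys. Reusing the same host keys avoids host-key-changed warnings on
# clients after the upgrade.
cp -a /etc/ssh "/etc/ssh.bak.$(date +%Y%m%d%H%M%S)"

# Remove each package from the list above. "xxxxxxx" is a placeholder for
# one package name printed by the rpm -qa command; repeat per package.
# --nodeps skips dependency checks, so anything that depends on these
# packages is left installed without them.
rpm -e --nodeps xxxxxxx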
四、安装OpenSSH和相关依赖
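# Build zlib, OpenSSL and OpenSSH from source and install the new sshd.
# All tar commands are run from the directory that holds the three tarballs;
# each build runs in a subshell so the working directory is unchanged for
# the next step, and each step only runs if the previous one succeeded.
#
# Before extracting, check every tarball against the checksum or signature
# published by its upstream project: sshd runs as root, so a tampered source
# archive compromises the host.
# The version numbers are the ones this page was written for; check the
# upstream security advisories and prefer the current supported releases.

# Build dependencies
yum install -y gcc perl

# zlib
tar zxvf zlib-1.2.11.tar.gz
(
  cd zlib-1.2.11 &&
    ./configure --prefix=/usr/local/zlib &&
    make -j8 &&
    make install
)

# OpenSSL
tar zxvf openssl-1.1.1k.tar.gz
(
  cd openssl-1.1.1k &&
    ./config --prefix=/usr/local/openssl &&
    make -j8 &&
    make install
)
# Register the new library directory with the dynamic linker; the grep keeps
# the line from being appended again if this step is repeated.
grep -qxF '/usr/local/openssl/lib' /etc/ld.so.conf ||
  echo '/usr/local/openssl/lib' >>/etc/ld.so.conf
ldconfig -v

# OpenSSH
# OpenSSH is built without PAM support by default; --with-pam is required
# for modified ulimit settings to take effect.
yum -y install pam-devel

# The install step reports that the private host keys are too permissive.
# Private keys only need to be readable and writable by root, so 600 is
# sufficient (the execute bit of 700 serves no purpose on a key file).
chmod 600 /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_ecdsa_key /etc/ssh/ssh_host_ed25519_key

tar zxvf openssh-8.6p1.tar.gz
(
  cd openssh-8.6p1 &&
    ./configure --prefix=/usr/local/openssh --with-zlib=/usr/local/zlib \
      --with-ssl-dir=/usr/local/openssl --with-pam --bindir=/usr/bin \
      --sbindir=/usr/sbin --sysconfdir=/etc/ssh &&
    make -j8 &&
    make install
)

# Edit the server configuration and set these four options:
#
#   PermitRootLogin yes
#   PubkeyAuthentication yes
#   PasswordAuthentication yes
#   UsePAM yes
#
# NOTE(review): password login for root is the widest setting available.
# Once key-based login has been confirmed to work, "PermitRootLogin
# prohibit-password" (or "no") and "PasswordAuthentication no" remove the
# exposure to password guessing.
vi /etc/ssh/sshd_config

# Init script. The source path assumes the tarball was extracted under
# /usr/local; adjust it if the sources live elsewhere.
cp /usr/local/openssh-8.6p1/contrib/redhat/sshd.init /etc/init.d/sshd

# PAM service file. Without it, SSH logins fail when "UsePAM yes" is set.
cat >/etc/pam.d/sshd <<'EOF'
#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare
EOF

# Check the configuration and host keys first (sshd -t is test mode), and
# restart only if the check passes, so a typo cannot take the service down.
/usr/sbin/sshd -t && service sshd restart

# Start at boot
chkconfig sshd on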