当前位置: 首页 > article >正文

@Openssh【rpm软件包7.x升级9.0版本(Centos7.9)】

article 2025/3/10 18:49:24

文章目录

      • 1.版本查看
      • 2.配置备份
      • 3.软件包openssh9.0下载
      • 4.升级openssh9.0版本
      • 5.配置备份恢复
      • 6.服务器启动验证及问题排查

1.版本查看

#系统版本
[root@HZLOPENSSHTEST ~]# cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)

#openssh版本
[root@HZLOPENSSHTEST ~]# rpm -qa |egrep "openssh|openssl"
openssh-clients-7.4p1-21.el7.x86_64
openssl-libs-1.0.2k-19.el7.x86_64
openssl-1.0.2k-19.el7.x86_64
openssh-7.4p1-21.el7.x86_64
openssh-server-7.4p1-21.el7.x86_64
[root@HZLOPENSSHTEST ~]# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017

2.配置备份

#备份sshd主配置文件&特权登录用户配置文件
[root@HZLOPENSSHTEST ~]# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
[root@HZLOPENSSHTEST ~]# cp /etc/pam.d/login /etc/pam.d/login.bak
[root@HZLOPENSSHTEST ~]# cp /etc/pam.d/system-auth /etc/pam.d/system-auth.bak
[root@HZLOPENSSHTEST ~]# cp /etc/pam.d/sshd /etc/pam.d/sshd.bak

#查看备份文件
[root@HZLOPENSSHTEST ~]# ls /etc/pam.d/ | egrep *.bak
login.bak
sshd.bak
system-auth.bak

3.软件包openssh9.0下载

#下载升级的安装包,文件里是封装的rpm软件包
[root@HZLOPENSSHTEST ~]# wget openssh-9.0p1.tar.gz
[root@HZLOPENSSHTEST ~]# tar -xvfz openssh-9.0p1.tar.gz
[root@HZLOPENSSHTEST ~]# ls openssh-9.0p1
openssh-9.0p1-1.el7.x86_64.rpm  openssh-clients-9.0p1-1.el7.x86_64.rpm  openssh-debuginfo-9.0p1-1.el7.x86_64.rpm  openssh-server-9.0p1-1.el7.x86_64.rpm

4.升级openssh9.0版本

#端口检查&服务查看
[root@HZLOPENSSHTEST ~]# ss -ant |grep "22"
LISTEN     0      128          *:22                       *:*
ESTAB      0      0      10.21.25.124:22                 10.21.1.70:51233
ESTAB      0      0      10.21.25.124:22                 10.21.1.70:61866
ESTAB      0      48     10.21.25.124:22                 10.21.1.70:61848
ESTAB      0      0      10.21.25.124:22                 10.21.1.70:61865
LISTEN     0      128       [::]:22                    [::]:*
[root@HZLOPENSSHTEST ~]# systemctl status sshd
● sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: active (running) since 二 2023-11-28 17:18:23 CST; 18h ago
     Docs: man:sshd(8)
           man:sshd_config(5)
 Main PID: 1123 (sshd)
   CGroup: /system.slice/sshd.service
           └─1123 /usr/sbin/sshd -D
[root@HZLOPENSSHTEST ~]# systemctl stop sshd



#本地升级openssh
[root@HZLOPENSSHTEST ~]# cd openssh-9.0p1
[root@HZLOPENSSHTEST openssh-9.0p1]# yum upgrade openssh-*
更新安装包:
openssh.x86_64 0:9.0p1-1.el7                      openssh-clients.x86_64 0:9.0p1-1.el7                      openssh-server.x86_64 0:9.0p1-1.el7

#检查升级的openssh安装包
[root@HZLOPENSSHTEST openssh-9.0p1]# rpm -qa |grep openssh
openssh-server-9.0p1-1.el7.x86_64
openssh-9.0p1-1.el7.x86_64
openssh-clients-9.0p1-1.el7.x86_64
[root@HZLOPENSSHTEST pam.d]# ssh -V
OpenSSH_9.0p1, OpenSSL 1.0.2k-fips  26 Jan 2017

5.配置备份恢复

#备份openssh9.0的配置,恢复之前的ssh配置文件
[root@HZLOPENSSHTEST openssh-9.0p1]# cd /etc/ssh/
[root@HZLOPENSSHTEST ssh]# mv sshd_config sshd_config_1129.bak
[root@HZLOPENSSHTEST ssh]# cp sshd_config.bak sshd_config
[root@HZLOPENSSHTEST ssh]# cd /etc/pam.d/
[root@HZLOPENSSHTEST pam.d]# mv sshd sshd_1129.bak
[root@HZLOPENSSHTEST pam.d]# cp sshd.bak sshd

6.服务器启动验证及问题排查

#服务启动失败,如下所示(根据系统提示日志,可确认为密钥文件权限问题,修改文件权限)
[root@HZLOPENSSHTEST ~]# systemctl status  sshd
● sshd.service - SYSV: OpenSSH server daemon
   Loaded: loaded (/etc/rc.d/init.d/sshd; bad; vendor preset: enabled)
   Active: failed (Result: exit-code) since 三 2023-11-29 11:46:02 CST; 11s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 16106 ExecStart=/etc/rc.d/init.d/sshd start (code=exited, status=1/FAILURE)
 Main PID: 11868 (code=exited, status=0/SUCCESS)

1129 11:46:02 HZLOPENSSHTEST sshd[16106]: It is required that your private key files are NOT accessible by others.
1129 11:46:02 HZLOPENSSHTEST sshd[16106]: This private key will be ignored.
1129 11:46:02 HZLOPENSSHTEST sshd[16106]: Unable to load host key "/etc/ssh/ssh_host_ed25519_key": bad permissions
1129 11:46:02 HZLOPENSSHTEST sshd[16106]: Unable to load host key: /etc/ssh/ssh_host_ed25519_key
1129 11:46:02 HZLOPENSSHTEST sshd[16106]: sshd: no hostkeys available -- exiting.
1129 11:46:02 HZLOPENSSHTEST sshd[16106]: [失败]
1129 11:46:02 HZLOPENSSHTEST systemd[1]: sshd.service: control process exited, code=exited status=1
1129 11:46:02 HZLOPENSSHTEST systemd[1]: Failed to start SYSV: OpenSSH server daemon.
1129 11:46:02 HZLOPENSSHTEST systemd[1]: Unit sshd.service entered failed state.
1129 11:46:02 HZLOPENSSHTEST systemd[1]: sshd.service failed.


#查看密钥文件权限
[root@HZLOPENSSHTEST ~]# ll /etc/ssh/ssh_host_*
-rw-------. 1 root root     1393 1129 11:46 /etc/ssh/ssh_host_dsa_key
-rw-r--r--. 1 root root      609 1129 11:46 /etc/ssh/ssh_host_dsa_key.pub
-rw-r-----. 1 root ssh_keys  227 1128 17:18 /etc/ssh/ssh_host_ecdsa_key
-rw-r--r--. 1 root root      162 1128 17:18 /etc/ssh/ssh_host_ecdsa_key.pub
-rw-r-----. 1 root ssh_keys  387 1128 17:18 /etc/ssh/ssh_host_ed25519_key
-rw-r--r--. 1 root root       82 1128 17:18 /etc/ssh/ssh_host_ed25519_key.pub
-rw-r-----. 1 root ssh_keys 1675 1128 17:18 /etc/ssh/ssh_host_rsa_key
-rw-r--r--. 1 root root      382 1128 17:18 /etc/ssh/ssh_host_rsa_key.pub
[root@HZLOPENSSHTEST ~]#  chmod 600 /etc/ssh/ssh_host_*
[root@HZLOPENSSHTEST ~]# ll /etc/ssh/ssh_host_*
-rw-------. 1 root root     1393 1129 11:46 /etc/ssh/ssh_host_dsa_key
-rw-------. 1 root root      609 1129 11:46 /etc/ssh/ssh_host_dsa_key.pub
-rw-------. 1 root ssh_keys  227 1128 17:18 /etc/ssh/ssh_host_ecdsa_key
-rw-------. 1 root root      162 1128 17:18 /etc/ssh/ssh_host_ecdsa_key.pub
-rw-------. 1 root ssh_keys  387 1128 17:18 /etc/ssh/ssh_host_ed25519_key
-rw-------. 1 root root       82 1128 17:18 /etc/ssh/ssh_host_ed25519_key.pub
-rw-------. 1 root ssh_keys 1675 1128 17:18 /etc/ssh/ssh_host_rsa_key
-rw-------. 1 root root      382 1128 17:18 /etc/ssh/ssh_host_rsa_key.pub

#重启后服务正常
[root@HZLOPENSSHTEST ~]# systemctl restart sshd


#测试登录验证(验证登录时拒绝,拒绝使用root用户直接登录,查看服务日志状态)
[root@HZLOPENSSHTEST ~]# ssh 10.21.25.124
root@10.21.25.124's password:
Permission denied, please try again.
[root@HZLOPENSSHTEST ~]# systemctl status sshd
● sshd.service - SYSV: OpenSSH server daemon
   Loaded: loaded (/etc/rc.d/init.d/sshd; bad; vendor preset: enabled)
   Active: active (running) since 三 2023-11-29 11:50:36 CST; 1min 58s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 17740 ExecStart=/etc/rc.d/init.d/sshd start (code=exited, status=0/SUCCESS)
 Main PID: 17748 (sshd)
   CGroup: /system.slice/sshd.service
           ├─17748 sshd: /usr/sbin/sshd [listener] 1 of 10-100 startups
           ├─18377 sshd: root [priv]
           └─18378 sshd: root [net]

11月 29 11:50:36 HZLOPENSSHTEST sshd[17748]: Server listening on :: port 22.
11月 29 11:50:36 HZLOPENSSHTEST systemd[1]: Started SYSV: OpenSSH server daemon.
11月 29 11:52:23 HZLOPENSSHTEST sshd[18374]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.21.1.70  user=root
11月 29 11:52:23 HZLOPENSSHTEST sshd[18374]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
11月 29 11:52:25 HZLOPENSSHTEST sshd[18374]: Failed password for root from 10.21.1.70 port 62880 ssh2
11月 29 11:52:25 HZLOPENSSHTEST sshd[18374]: Connection closed by authenticating user root 10.21.1.70 port 62880 [preauth]
11月 29 11:52:26 HZLOPENSSHTEST unix_chkpwd[18379]: password check failed for user (root)
11月 29 11:52:26 HZLOPENSSHTEST sshd[18377]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.21.1.70  user=root
11月 29 11:52:26 HZLOPENSSHTEST sshd[18377]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
11月 29 11:52:28 HZLOPENSSHTEST sshd[18377]: Failed password for root from 10.21.1.70 port 62881 ssh2

#问题
“pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"”
由上可见,主要由于使用root用户认证,在openssh9.0配置,默认拒绝root直接登录服务器,需修改pam下auth的权限限制和sshd
检查sshd配置文件中的root登录限制。

#检查排查相关配置;
[root@HZLOPENSSHTEST ~]# vim /etc/pam.d/system-auth
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success   #权限限制,注释或删除
[root@HZLOPENSSHTEST ~]# vim /etc/ssh/sshd_config
PermitRootLogin yes    #允许root登录配置




#重启sshd后,手动验证,登录正常
[root@HZLOPENSSHTEST ~]# systemctl restart sshd
[root@HZLOPENSSHTEST ~]# ssh 10.21.25.124
root@10.21.25.124's password:
Last failed login: Wed Nov 29 11:53:23 CST 2023 from 10.21.25.124 on ssh:notty
There were 4 failed login attempts since the last successful login.
Last login: Wed Nov 29 11:17:50 2023 from 10.21.1.70

http://www.kler.cn/a/152260.html

相关文章:

  • 免杀原理(php)
  • 旋转框(obb)目标检测计算iou的方法
  • 微服务实战系列之EhCache
  • JavaScript添加快捷键、取消浏览器默认的快捷操作、js查看键盘按钮keycode值
  • 中国毫米波雷达产业分析3——毫米波雷达市场分析(四、五、六)
  • 数字图像处理(实践篇)十四 图像金字塔
  • 【腾讯云 HAI域探秘】借助高性能应用HAI——我也能使用【stable diffusion】制作高级视频封面了
  • Kubernetes 安全最佳实践:保护您的秘密
  • IDEA安装python插件并配置
  • python调用chatgpt4
  • shiro的前后端分离模式
  • 基于python和定向爬虫的商品比价系统
  • 二级等保,nginx设置问题,请求头,SSL密码组件,防web信息泄露,tls版本太老,头缺失
  • JenKins快速安装与使用,Gitlab自动触发Jenkins
  • 文献速递:机器学习在超声波非破坏性评估中的合成和增强训练数据综述(第一部分)— (机器学习方法在超声波检测中的概述)
  • 如何使用内网穿透实现无公网ip环境访问VScode远程开发
  • 如何在Ubuntu上清理缓存和垃圾文件
  • 解读免费化潮流:为何数据可视化软件向免费迈进?
  • FPGA程序前仿真和后仿真问题处理
  • 数据结构-二叉树(1)