
Installing OpenSSH 9.9p1 on a server (with OpenSSL 3.0.15)

11.81.2.19

Upgrading OpenSSL

  1. Back up the existing installation

1.1 Check the current openssl version

openssl version

OpenSSL 1.0.2k-fips  26 Jan 2017

1.2 Find where openssl is installed

whereis openssl

openssl: /usr/bin/openssl /usr/lib64/openssl /usr/include/openssl /usr/share/man/man1/openssl.1ssl.gz

1.3 Back up the openssl files

cp /usr/bin/openssl /usr/bin/openssl_old
cp -r /usr/include/openssl /usr/include/openssl_old

These copies are only a fallback. The rpm-owned runtime library /usr/lib64/libssl.so.10 is deliberately left alone: yum, curl and the other distro binaries keep using it after the upgrade.

  2. Download the new OpenSSL source

Download page: https://openssl-library.org/source/index.html
The version chosen is openssl-3.0.15.tar.gz, from the 3.0 long-term-support series, which is supported until September 2026. Compare the tarball's SHA-256 with the value published next to it on the download page (or verify the detached .asc signature) before unpacking it.
Upload it to the server under /data/soft.

  3. Upgrade openssl

3.1 Unpack and enter the source directory

tar -zxvf openssl-3.0.15.tar.gz
cd openssl-3.0.15

3.2 Configure the installation prefix

./config --prefix=/usr/local/openssl

Can't locate IPC/Cmd.pm in @INC (@INC contains: /data/soft/openssl-3.0.15/util/perl /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 . /data/soft/openssl-3.0.15/external/perl/Text-Template-1.56/lib) at /data/soft/openssl-3.0.15/util/perl/OpenSSL/config.pm line 19.
BEGIN failed--compilation aborted at /data/soft/openssl-3.0.15/util/perl/OpenSSL/config.pm line 19.
Compilation failed in require at /data/soft/openssl-3.0.15/Configure line 23.
BEGIN failed--compilation aborted at /data/soft/openssl-3.0.15/Configure line 23.

Fixing the error:
Option 1: install the dependency with perl-CPAN [not recommended]
1) Install perl-CPAN

yum install -y perl-CPAN

2) Enter the CPAN shell
Note: the first run asks you to configure the shell; follow the prompts (I just pressed Enter through them). It takes a while.

perl -MCPAN -e shell
[log in Appendix 1]

3) Install the missing module from the shell
cpan[1]> install IPC::Cmd
[log in Appendix 2; I did not finish this and switched to installing with yum instead]

Option 2: install the dependency with yum
Install perl-IPC-Cmd directly with yum, which is faster:
yum -y install zlib* perl pam* gcc* perl-IPC-Cmd
[log in Appendix 3]

Once the module is present, configure OpenSSL again and it succeeds:

./config --prefix=/usr/local/openssl

Configuring OpenSSL version 3.0.15 for target linux-x86_64
Using os-specific seed configuration
Created configdata.pm
Running configdata.pm
Created Makefile.in
Created Makefile
Created include/openssl/configuration.h

**********************************************************************
***                                                                ***
***   OpenSSL has been successfully configured                     ***
***                                                                ***
***   If you encounter a problem while building, please open an    ***
***   issue on GitHub <https://github.com/openssl/openssl/issues>  ***
***   and include the output from the following command:           ***
***                                                                ***
***       perl configdata.pm --dump                                ***
***                                                                ***
***   (If you are new to OpenSSL, you might want to consult the    ***
***   'Troubleshooting' section in the INSTALL.md file first)      ***
***                                                                ***
**********************************************************************

3.3 Build and install

make && make install
This takes a while. Running make test before make install catches a broken build before anything is copied into /usr/local/openssl.

3.4 Create symlinks
Note: the symlinks only need to match the paths that whereis openssl showed before the upgrade.

mv /usr/bin/openssl /usr/bin/openssl_bak
ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
mv /usr/include/openssl /usr/include/openssl_bak
ln -s /usr/local/openssl/include/openssl /usr/include/openssl

Caveat: /usr/include/openssl now holds the 3.0 headers, while /usr/lib64/libssl.so and libcrypto.so (from the 1.0.2k openssl-devel rpm) are still the old libraries. Any later build that takes headers from /usr/include but links with a bare -lssl will mix the two, so always pass the new prefix explicitly, as --with-ssl-dir=/usr/local/openssl does for OpenSSH below. The distro binaries keep using libssl.so.10 and are unaffected.

3.5 Add the library directory to the dynamic linker search path

cat /etc/ld.so.conf

include ld.so.conf.d/*.conf

Append the path as a bare line. Use plain ASCII quotes or none at all: the curly quotes that come from copying a web page end up literally in the file, and ldconfig then cannot stat the entry and ignores it.

echo "/usr/local/openssl/lib64" >> /etc/ld.so.conf
cat /etc/ld.so.conf

include ld.so.conf.d/*.conf
/usr/local/openssl/lib64

3.6 Refresh the dynamic linker cache

ldconfig -v

  4. Verify the openssl version
Note: -a prints the full details (build date, platform, compiler flags, OPENSSLDIR, ENGINESDIR, MODULESDIR). Also confirm that ldd /usr/local/openssl/bin/openssl resolves libssl.so.3 and libcrypto.so.3 from /usr/local/openssl/lib64; if it does not, the ld.so.conf entry or the symlinks are wrong.

openssl version -a
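The checks above can be scripted. The following is an added verification script, not part of the original article or of the OpenSSL project: it confirms that the openssl on PATH reports the expected major.minor, that the binary resolves libssl and libcrypto from the new lib64 directory (a stale symlink or a quoted ld.so.conf entry shows up here), and that each ld.so.conf line is a bare absolute path. The prefix /usr/local/openssl and lib dir /usr/local/openssl/lib64 are assumed from this page; the helpers take command output as text, so they are exercised against the constructed sample outputs embedded at the bottom, and the live checks run only when the script is invoked with the argument live.

```shell
#!/bin/sh
# verify_openssl.sh: post-upgrade checks for a source-built OpenSSL.
# Added example for this page, not code from the article or from the OpenSSL project.
# Assumed layout (from the page): prefix /usr/local/openssl, libraries in lib64.
PREFIX="${PREFIX:-/usr/local/openssl}"
LIBDIR="$PREFIX/lib64"
WANT="${WANT:-3.0}"

# version_major_minor "OpenSSL 3.0.15 3 Sep 2024 ..." -> "3.0"
version_major_minor() {
    printf '%s\n' "$1" | awk '{ split($2, v, "."); print v[1] "." v[2] }'
}

# check_version OUTPUT WANT: 0 if the `openssl version` output reports WANT (major.minor)
check_version() {
    [ "$(version_major_minor "$1")" = "$2" ]
}

# ldd_resolves_from LDD_OUTPUT DIR: 0 only if both libssl and libcrypto resolve
# from DIR. A "libssl.so.10 => /lib64/..." line means the binary, or the linker
# cache, still points at the distro 1.0.2 libraries.
ldd_resolves_from() {
    printf '%s\n' "$1" | awk -v d="$2" '
        /libssl\.so|libcrypto\.so/ { n++; if (index($3, d "/") == 1) ok++ }
        END { exit !(n == 2 && ok == 2) }'
}

# ldso_line_ok LINE: 0 if LINE is a bare absolute path (no quotes, no trailing junk).
# Smart quotes pasted from a web page land literally in /etc/ld.so.conf and the
# entry is then silently useless.
ldso_line_ok() {
    case "$1" in
        /*) [ -z "$(printf '%s' "$1" | tr -d '[:alnum:]/_.-')" ] ;;
        *)  return 1 ;;
    esac
}

# Live run against the real host (only meaningful once the upgrade is in place).
verify_live() {
    rc=0
    check_version "$(openssl version)" "$WANT" || { echo "openssl on PATH is not $WANT.x"; rc=1; }
    ldd_resolves_from "$(ldd "$PREFIX/bin/openssl")" "$LIBDIR" || { echo "libssl/libcrypto not from $LIBDIR"; rc=1; }
    for line in $(grep -v '^include' /etc/ld.so.conf 2>/dev/null); do
        ldso_line_ok "$line" || { echo "bad ld.so.conf entry: $line"; rc=1; }
    done
    ldconfig -p | grep -q "libcrypto.so.3 .*$LIBDIR/" || { echo "ldconfig cache has no libcrypto.so.3 from $LIBDIR"; rc=1; }
    return $rc
}

# Constructed sample outputs (not captured from the page's server) so the helpers
# can be exercised offline. Run `sh verify_openssl.sh live` on the host itself.
SAMPLE_NEW_VERSION='OpenSSL 3.0.15 3 Sep 2024 (Library: OpenSSL 3.0.15 3 Sep 2024)'
SAMPLE_OLD_VERSION='OpenSSL 1.0.2k-fips  26 Jan 2017'
SAMPLE_NEW_LDD='    linux-vdso.so.1 =>  (0x00007ffc6b5f0000)
    libssl.so.3 => /usr/local/openssl/lib64/libssl.so.3 (0x00007f1c8a200000)
    libcrypto.so.3 => /usr/local/openssl/lib64/libcrypto.so.3 (0x00007f1c89c00000)
    libdl.so.2 => /lib64/libdl.so.2 (0x00007f1c899fc000)
    libc.so.6 => /lib64/libc.so.6 (0x00007f1c8962e000)'
SAMPLE_OLD_LDD='    libssl.so.10 => /lib64/libssl.so.10 (0x00007f3a1d600000)
    libcrypto.so.10 => /lib64/libcrypto.so.10 (0x00007f3a1d200000)'

if [ "${1:-}" = "live" ]; then
    verify_live
fi
```

The ldd check is the one that matters most: `openssl version` can report 3.0.15 through the new /usr/bin symlink while a program built with a bare -lssl still loads libssl.so.10 from /lib64.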

OpenSSL upgrade complete.

Upgrading OpenSSH

  1. Check the current version

ssh -V
OpenSSH_8.0p1, OpenSSL 1.0.2k-fips 26 Jan 2017

  2. Download the new version
    Download page: https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/
    The version chosen is openssh-9.9p1.tar.gz. The same directory carries a detached signature (openssh-9.9p1.tar.gz.asc) from the OpenSSH release key; verify it before building something that will run as root.
    Upload it to the server under /data/soft.

  3. Unpack and enter the source directory

tar -zxvf openssh-9.9p1.tar.gz
cd openssh-9.9p1

  4. Install build dependencies

yum -y install gcc pam-devel zlib-devel openssl-devel net-tools

Package gcc-4.8.5-39.el7.ns7.01.x86_64 already installed and latest version
Package pam-devel-1.1.8-22.el7.x86_64 already installed and latest version
Package zlib-devel-1.2.7-18.el7.x86_64 already installed and latest version
Package 1:openssl-devel-1.0.2k-21.el7_9.ns7.01.x86_64 already installed and latest version
Package net-tools-2.0-0.24.20131004git.el7.ns7.01.x86_64 already installed and latest version
Nothing to do

(The openssl-devel here is the distro's 1.0.2k development package. OpenSSH is not built against it, because configure is pointed at /usr/local/openssl below; it is harmless but unnecessary.)

  5. Back up the original files

cp -r -a /etc/ssh/ /etc/ssh.bak

cp -r -a /etc/pam.d/ /etc/pam.d.bak

cp -r -a /usr/sbin/sshd /usr/sbin/sshd.bak

cp -r -a /usr/bin/ssh /usr/bin/ssh.bak

cp -r -a /usr/bin/ssh-keygen /usr/bin/ssh-keygen.bak

  6. Remove the distro openssh packages

The command as originally written (rpm -e --nodeps rpm -qa | grep openssh) does not do what is intended: rpm receives the literal arguments rpm and -qa. The package list has to be substituted in:

rpm -e --nodeps $(rpm -qa | grep openssh)

Erasing openssh-server also removes the files it owns, among them the systemd unit /usr/lib/systemd/system/sshd.service and the helpers under /usr/libexec/openssh/ (including the rpm's sftp-server), and it may remove or rename /etc/pam.d/sshd. The backups from the previous step exist so these can be restored. If the unit is gone, systemctl will not find sshd.service; either reinstate it from a backup copy or use the contrib/redhat/sshd.init script copied below. Check with rpm -qa | grep openssh that nothing is left, and keep the current SSH session open throughout.

  7. Build and install openssh [Do not disconnect after this step; keep the current session open until the configuration is finished and a fresh connection has been verified]

Point --with-ssl-dir at the OpenSSL prefix configured earlier:

./configure --prefix=/usr/local/openssh-9.9p1 --sysconfdir=/etc/ssh --with-pam --with-ssl-dir=/usr/local/openssl --with-md5-passwords --with-zlib

make && make install

cc -std=gnu11 -o ssh-sk-helper ssh-sk-helper.o ssh-sk.o sk-usbhid.o -L. -Lopenbsd-compat/ -L/usr/local/openssl/lib64  -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -pie  -lssh -lopenbsd-compat -lssh -lopenbsd-compat -ldl -lutil  -lresolv  -lcrypto  -lz
/usr/bin/mkdir -p /usr/local/openssh-9.9p1/bin
/usr/bin/mkdir -p /usr/local/openssh-9.9p1/sbin
/usr/bin/mkdir -p /usr/local/openssh-9.9p1/share/man/man1
/usr/bin/mkdir -p /usr/local/openssh-9.9p1/share/man/man5
/usr/bin/mkdir -p /usr/local/openssh-9.9p1/share/man/man8
/usr/bin/mkdir -p /usr/local/openssh-9.9p1/libexec
/usr/bin/mkdir -p -m 0755 /var/empty
/usr/bin/install -c -m 0755 -s ssh /usr/local/openssh-9.9p1/bin/ssh
/usr/bin/install -c -m 0755 -s scp /usr/local/openssh-9.9p1/bin/scp
/usr/bin/install -c -m 0755 -s ssh-add /usr/local/openssh-9.9p1/bin/ssh-add
/usr/bin/install -c -m 0755 -s ssh-agent /usr/local/openssh-9.9p1/bin/ssh-agent
/usr/bin/install -c -m 0755 -s ssh-keygen /usr/local/openssh-9.9p1/bin/ssh-keygen
/usr/bin/install -c -m 0755 -s ssh-keyscan /usr/local/openssh-9.9p1/bin/ssh-keyscan
/usr/bin/install -c -m 0755 -s sshd /usr/local/openssh-9.9p1/sbin/sshd
/usr/bin/install -c -m 0755 -s sshd-session /usr/local/openssh-9.9p1/libexec/sshd-session
/usr/bin/install -c -m 4711 -s ssh-keysign /usr/local/openssh-9.9p1/libexec/ssh-keysign
/usr/bin/install -c -m 0755 -s ssh-pkcs11-helper /usr/local/openssh-9.9p1/libexec/ssh-pkcs11-helper
/usr/bin/install -c -m 0755 -s ssh-sk-helper /usr/local/openssh-9.9p1/libexec/ssh-sk-helper
/usr/bin/install -c -m 0755 -s sftp /usr/local/openssh-9.9p1/bin/sftp
/usr/bin/install -c -m 0755 -s sftp-server /usr/local/openssh-9.9p1/libexec/sftp-server
/usr/bin/install -c -m 644 ssh.1.out /usr/local/openssh-9.9p1/share/man/man1/ssh.1
/usr/bin/install -c -m 644 scp.1.out /usr/local/openssh-9.9p1/share/man/man1/scp.1
/usr/bin/install -c -m 644 ssh-add.1.out /usr/local/openssh-9.9p1/share/man/man1/ssh-add.1
/usr/bin/install -c -m 644 ssh-agent.1.out /usr/local/openssh-9.9p1/share/man/man1/ssh-agent.1
/usr/bin/install -c -m 644 ssh-keygen.1.out /usr/local/openssh-9.9p1/share/man/man1/ssh-keygen.1
/usr/bin/install -c -m 644 ssh-keyscan.1.out /usr/local/openssh-9.9p1/share/man/man1/ssh-keyscan.1
/usr/bin/install -c -m 644 moduli.5.out /usr/local/openssh-9.9p1/share/man/man5/moduli.5
/usr/bin/install -c -m 644 sshd_config.5.out /usr/local/openssh-9.9p1/share/man/man5/sshd_config.5
/usr/bin/install -c -m 644 ssh_config.5.out /usr/local/openssh-9.9p1/share/man/man5/ssh_config.5
/usr/bin/install -c -m 644 sshd.8.out /usr/local/openssh-9.9p1/share/man/man8/sshd.8
/usr/bin/install -c -m 644 sftp.1.out /usr/local/openssh-9.9p1/share/man/man1/sftp.1
/usr/bin/install -c -m 644 sftp-server.8.out /usr/local/openssh-9.9p1/share/man/man8/sftp-server.8
/usr/bin/install -c -m 644 ssh-keysign.8.out /usr/local/openssh-9.9p1/share/man/man8/ssh-keysign.8
/usr/bin/install -c -m 644 ssh-pkcs11-helper.8.out /usr/local/openssh-9.9p1/share/man/man8/ssh-pkcs11-helper.8
/usr/bin/install -c -m 644 ssh-sk-helper.8.out /usr/local/openssh-9.9p1/share/man/man8/ssh-sk-helper.8
/usr/bin/mkdir -p /etc/ssh
/etc/ssh/ssh_config already exists, install will not overwrite
/etc/ssh/sshd_config already exists, install will not overwrite
/etc/ssh/moduli already exists, install will not overwrite
/usr/local/openssh-9.9p1/sbin/sshd -t -f /etc/ssh/sshd_config
/etc/ssh/sshd_config line 79: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 80: Unsupported option GSSAPICleanupCredentials
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_rsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Unable to load host key "/etc/ssh/ssh_host_rsa_key": bad permissions
Unable to load host key: /etc/ssh/ssh_host_rsa_key
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_ecdsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Unable to load host key "/etc/ssh/ssh_host_ecdsa_key": bad permissions
Unable to load host key: /etc/ssh/ssh_host_ecdsa_key
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Unable to load host key "/etc/ssh/ssh_host_key": bad permissions
Unable to load host key: /etc/ssh/ssh_host_key
sshd: no hostkeys available -- exiting.
make: [check-config] Error 1 (ignored)
make: warning:  Clock skew detected.  Your build may be incomplete.

The tail of the make install output is the new daemon's configuration check (sshd -t) against the existing /etc/ssh/sshd_config, and its failure is non-fatal ("Error 1 (ignored)"); the binaries were installed. It reports three things: GSSAPIAuthentication and GSSAPICleanupCredentials are unsupported because this build was configured without --with-kerberos5 (sshd logs a warning and ignores them); every host key is rejected because Red Hat ships them as 0640 root:ssh_keys, while the upstream check refuses a private key with any group or other permission bit set (this is the same error that makes the restart fail below); and "Clock skew detected" means files in the source tree are timestamped later than the system clock, so check the clock/NTP and rerun make if the build looks incomplete.

  8. Copy the new binaries into place

cp /usr/local/openssh-9.9p1/sbin/sshd /usr/sbin/sshd

This reports cp: cannot create regular file ‘/usr/sbin/sshd’: Text file busy while the old daemon is still running from that file. Move the old binary aside first (mv /usr/sbin/sshd /usr/sbin/sshd.bak) and then run the cp again. Do not delete /usr/local/openssh-9.9p1 afterwards: since OpenSSH 9.8 the listener executes sshd-session from the libexec directory compiled into the binary (/usr/local/openssh-9.9p1/libexec here, as the install output shows), so the copied /usr/sbin/sshd still depends on that tree.

cp /usr/local/openssh-9.9p1/bin/ssh /usr/bin/ssh

cp /usr/local/openssh-9.9p1/bin/ssh-keygen /usr/bin/ssh-keygen

cp -p contrib/redhat/sshd.init /etc/init.d/sshd

The SysV script is only a fallback for a system without the sshd.service unit. On CentOS 7 it is systemd's sshd.service (ExecStart=/usr/sbin/sshd -D $OPTIONS) that starts the daemon, which is why the binary is copied to /usr/sbin/sshd.

On my system /etc/ssh/sshd_config was already present after the install (the make install output above says "already exists, install will not overwrite"). If it is missing, copy the default file from the source tree. Because the build was configured with --sysconfdir=/etc/ssh there is no /usr/local/openssh-9.9p1/etc/ directory; the default is the sshd_config file at the top of the openssh-9.9p1 source directory:

cp sshd_config /etc/ssh/sshd_config

  9. Edit the configuration (important)

chmod +x /etc/init.d/sshd

vim /etc/ssh/sshd_config

Set these options in the configuration file:

  • PermitRootLogin yes
  • PubkeyAuthentication yes
  • PasswordAuthentication yes

Notes:
PermitRootLogin: whether root may log in over SSH. Setting it to yes is what you need if you currently log in as root with a password, because the upstream default (prohibit-password) would lock you out after the restart. If root already has a key in /root/.ssh/authorized_keys, prohibit-password keeps key-based root access and is the safer choice.
PubkeyAuthentication yes: enables public key authentication (also the upstream default).
PasswordAuthentication yes: enables password authentication (also the upstream default; the Red Hat file sets it explicitly).
Also keep UsePAM yes (the Red Hat default) so that the --with-pam build actually consults /etc/pam.d/sshd; comment out GSSAPIAuthentication and GSSAPICleanupCredentials, which this build reports as unsupported; and if the rpm was removed, change Subsystem sftp /usr/libexec/openssh/sftp-server to Subsystem sftp internal-sftp (or to the new /usr/local/openssh-9.9p1/libexec/sftp-server), otherwise sftp stops working after the restart. Run /usr/sbin/sshd -t before restarting: anything it prints (such as the host key warnings seen during make install) will make the restart fail.
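The edits in this step can be made repeatable instead of done by hand in vim. The following is an added example, not code from the article or from the OpenSSH project: a POSIX-shell helper that sets or comments out sshd_config keywords in place and idempotently, honouring the rule that sshd takes the first occurrence of a keyword. It applies the settings this step needs, choosing PermitRootLogin prohibit-password rather than yes (root keeps key-based access; pass yes to set_sshd_option only if you really log in as root with a password), keeps UsePAM yes for the --with-pam build, switches the sftp subsystem to internal-sftp, and comments out the two GSSAPI keywords the new sshd reported as unsupported. The sample configuration it runs on is constructed here in the style of the Red Hat default file, not copied from the page's server; the hypothetical argument demo runs it on a temporary copy.

```shell
#!/bin/sh
# sshd_config_edit.sh: idempotent sshd_config edits (added example, not from the article).
# sshd uses the FIRST occurrence of a keyword, so the helpers rewrite the first
# active-or-commented line for that keyword and append only if none exists.

# set_sshd_option FILE KEY VALUE
set_sshd_option() {
    file="$1" key="$2" value="$3" tmp="$1.tmp.$$"
    awk -v key="$key" -v value="$value" '
        {
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)        # drop indentation and a leading "#"
            split(line, f, /[ \t]+/)
            if (!done && tolower(f[1]) == tolower(key)) { print key " " value; done = 1; next }
            print
        }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file" && rm -f "$tmp"   # write back through the original inode: mode/owner stay
}

# comment_sshd_option FILE KEY: disable every active line for KEY (for example an
# option this build does not support) without losing the original text.
comment_sshd_option() {
    file="$1" key="$2" tmp="$1.tmp.$$"
    awk -v key="$key" '
        $0 !~ /^[ \t]*#/ && tolower($1) == tolower(key) { print "#" $0; next }
        { print }
    ' "$file" > "$tmp" && cat "$tmp" > "$file" && rm -f "$tmp"
}

# get_sshd_option FILE KEY: the value sshd would use (first active occurrence), or nothing.
get_sshd_option() {
    awk -v key="$2" '$0 !~ /^[ \t]*#/ && tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# apply_policy FILE: the settings this step needs, with the safer root choice.
apply_policy() {
    set_sshd_option "$1" PermitRootLogin prohibit-password   # root with keys only; use "yes" only for root+password logins
    set_sshd_option "$1" PubkeyAuthentication yes
    set_sshd_option "$1" PasswordAuthentication yes
    set_sshd_option "$1" UsePAM yes                          # a --with-pam build only consults /etc/pam.d/sshd with this on
    set_sshd_option "$1" Subsystem "sftp internal-sftp"      # the rpm's /usr/libexec/openssh/sftp-server may be gone
    comment_sshd_option "$1" GSSAPIAuthentication             # "Unsupported option" without --with-kerberos5
    comment_sshd_option "$1" GSSAPICleanupCredentials
}

# write_sample_config FILE: constructed sample in the style of the Red Hat 7 default file.
write_sample_config() {
    cat > "$1" <<'EOF'
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes
#PubkeyAuthentication yes
PasswordAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
UsePAM yes
Subsystem   sftp    /usr/libexec/openssh/sftp-server
EOF
}

if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    write_sample_config "$d/sshd_config"
    apply_policy "$d/sshd_config"
    cat "$d/sshd_config"
    rm -rf "$d"
fi
```

On the real host, run apply_policy /etc/ssh/sshd_config and then /usr/sbin/sshd -t; a Match block later in the file can still override a keyword, so read the file once after editing.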

  10. Enable at boot

systemctl enable sshd

  11. Restart sshd

systemctl restart sshd

This fails:

Job for sshd.service failed because the control process exited with error code. See "systemctl status sshd.service" and "journalctl -xe" for details.

Inspect the error
systemctl status sshd.service
● sshd.service - OpenSSH server daemon
   Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
   Active: activating (auto-restart) (Result: exit-code) since Fri 2024-09-20 03:49:26 CST; 16s ago
     Docs: man:sshd(8)
           man:sshd_config(5)
  Process: 83036 ExecStart=/usr/sbin/sshd -D $OPTIONS (code=exited, status=1/FAILURE)
 Main PID: 83036 (code=exited, status=1/FAILURE)

Sep 20 03:49:26  sshd[83036]: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Sep 20 03:49:26  sshd[83036]: Permissions 0640 for '/etc/ssh/ssh_host_key' are too open.
Sep 20 03:49:26  sshd[83036]: It is required that your private key files are NOT accessible by others.
Sep 20 03:49:26  sshd[83036]: This private key will be ignored.
Sep 20 03:49:26  sshd[83036]: Unable to load host key "/etc/ssh/ssh_host_key": bad permissions
Sep 20 03:49:26  sshd[83036]: Unable to load host key: /etc/ssh/ssh_host_key
Sep 20 03:49:26  sshd[83036]: sshd: no hostkeys available -- exiting.
Sep 20 03:49:26  systemd[1]: Failed to start OpenSSH server daemon.
Sep 20 03:49:26  systemd[1]: Unit sshd.service entered failed state.
Sep 20 03:49:26  systemd[1]: sshd.service failed.

Fix

The host keys are rejected because Red Hat ships them as 0640 root:ssh_keys, and the unpatched upstream sshd refuses any private key with group or other permission bits set. Tighten the private keys only. The original fix here was chmod -R 600 /etc/ssh, but that also strips the execute bit from the directory and the read bit from the public keys, ssh_config and ssh_known_hosts, so non-root users can no longer use the ssh client on this host:

chmod 600 /etc/ssh/ssh_host_*_key

If a key type is missing (the log above lists no ed25519 key), ssh-keygen -A generates the missing defaults into /etc/ssh.
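As an added example (not from the article), here is the targeted alternative to a recursive chmod, written as reusable functions. It applies the same rule the upstream daemon uses (a private key is rejected when any group or other permission bit is set), fixes only the private host keys, and restores what a recursive chmod 600 takes away from everyone else: a traversable directory and world-readable public keys and client config. It uses GNU stat -c, which is what CentOS 7 provides. The directory it runs on is a constructed stand-in for /etc/ssh built in a temporary location, not the real one; the hypothetical argument demo runs the audit, fix and re-audit on that stand-in.

```shell
#!/bin/sh
# hostkey_perms.sh: audit and fix host key permissions (added example, not from the article).
# sshd's rule (sshkey_perm_ok upstream): a private key with any group/other bit set is
# "too open" and ignored. Red Hat ships them 0640 root:ssh_keys because its patched
# sshd allows that; an unpatched upstream build does not.

# private_keys DIR: list the private host key files (ssh_host_key is the legacy name).
# Paths under /etc/ssh contain no spaces, so callers may word-split the output.
private_keys() {
    for k in "$1"/ssh_host_*_key "$1"/ssh_host_key; do
        [ -f "$k" ] || continue
        printf '%s\n' "$k"
    done
}

# audit_hostkeys DIR: print the number of private keys sshd would reject.
audit_hostkeys() {
    bad=0
    for k in $(private_keys "$1"); do
        case "$(stat -c %a "$k")" in
            *00) ;;                                     # group and other bits clear: accepted
            *)   bad=$((bad + 1)); echo "too open: $k" >&2 ;;
        esac
    done
    echo "$bad"
}

# fix_hostkey_perms DIR: 0600 on private keys only, plus the collateral repairs.
# Prints the number of private keys whose mode was changed.
fix_hostkey_perms() {
    dir="$1" changed=0
    for k in $(private_keys "$dir"); do
        case "$(stat -c %a "$k")" in
            *00) ;;
            *)   chmod 600 "$k"; changed=$((changed + 1)) ;;
        esac
        [ -f "$k.pub" ] && chmod 644 "$k.pub"           # the public halves must stay readable
    done
    chmod 755 "$dir"                                     # non-root users must be able to traverse /etc/ssh
    for f in "$dir"/ssh_config "$dir"/moduli "$dir"/ssh_known_hosts; do
        [ -f "$f" ] && chmod 644 "$f"                    # read by the ssh client as ordinary users
    done
    echo "$changed"
}

# make_sample_ssh_dir: constructed stand-in for /etc/ssh after a `chmod -R 600`,
# so the functions can be exercised without touching the real directory. Prints its path.
make_sample_ssh_dir() {
    d=$(mktemp -d)
    for k in ssh_host_rsa_key ssh_host_ecdsa_key ssh_host_ed25519_key; do
        printf 'not a real key\n' > "$d/$k"
        printf 'not a real key\n' > "$d/$k.pub"
    done
    printf '# constructed client config\n' > "$d/ssh_config"
    chmod 640 "$d/ssh_host_rsa_key" "$d/ssh_host_ecdsa_key"   # as shipped by the rpm
    chmod 600 "$d/ssh_host_ed25519_key"
    chmod 600 "$d"/*.pub "$d/ssh_config"                      # collateral damage of chmod -R 600
    chmod 700 "$d"
    printf '%s\n' "$d"
}

if [ "${1:-}" = "demo" ]; then
    d=$(make_sample_ssh_dir)
    echo "rejected before: $(audit_hostkeys "$d")"
    echo "changed: $(fix_hostkey_perms "$d")"
    echo "rejected after: $(audit_hostkeys "$d")"
    rm -rf "$d"
fi
```

On the real host run fix_hostkey_perms /etc/ssh, then ssh-keygen -A for any missing key type and /usr/sbin/sshd -t, before systemctl restart sshd. sshd additionally requires the key files to be owned by the user it runs as (root here); the functions do not change ownership.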

Restart the service again

systemctl restart sshd

  12. Check the version

sshd -V

Both sshd -V and ssh -V should now report OpenSSH_9.9p1 built against OpenSSL 3.0.15, instead of the 1.0.2k-fips shown at the start.

Open a separate new session and confirm that logging in still works before closing the existing one.


http://www.kler.cn/a/322059.html
