centos升級openssl方法及步驟

1.下載要升級到的openssl包

2.升級openssh前開通telnet
1)檢視telnet包
rpm -qa|grep telnet
--如未安裝，則yum安裝
# yum install telnet
# yum install telnet-server

2)啟動telnet
--編輯telnet檔案,將disable改成no
# vi /etc/xinetd.d/telnet
# default: on
# description: The telnet server serves telnet sessions; it uses \
# unencrypted username/password pairs for authentication.
service telnet
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
disable = no
}

--重啟xinetd服務
service xinetd restart
or
/etc/rc.d/init.d/xinetd restart

--透過telnet連線伺服器

c:\> telnet 192.168.5.5
--預設telnet只能連線普通使用者,然後,跳轉到root使用者

3.備份原openssh相關檔案
# cp /usr/sbin/sshd /usr/sbin/sshd.bak
# cp /etc/ssh/ssh_config /etc/ssh/ssh_config.bak
# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
# cp /etc/ssh/moduli /etc/ssh/moduli.bak
--刪除掉下面三個檔案,否則安裝的時候會報錯.
rm -rf /etc/ssh/ssh_config
rm -rf /etc/ssh/sshd_config
rm -rf /etc/ssh/moduli
--安裝編譯所需包
yum install gcc
yum install pam-devel
yum install zlib-devel
yum install openssl-devel

4.解壓並安裝新版本openssh
# tar -zxvf openssh-7.4p1.tar.gz
# cd openssh-7.4p1
#./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-pam --with-md5-passwords --mandir=/usr/share/man
--configure報錯終止,重新編譯前先清理之前的編譯資訊.
# make clean
# ldconfig
# ./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-pam --with-md5-passwords --mandir=/usr/share/man
# make && make install

# /etc/init.d/sshd restart

5.覆蓋舊的檔案
# cp -p /softs/openssh-7.4p1/contrib/redhat/sshd.init /etc/init.d/sshd
# hmod u+x /etc/init.d/sshd
# chkconfig --add sshd
# cp /usr/local/openssh/sbin/sshd /usr/sbin/sshd

# cp /usr/local/openssh/sbin/sshd /usr/sbin/sshd
cp: overwrite `/usr/sbin/sshd'? y
cp: cannot create regular file `/usr/sbin/sshd': Text file busy
檔案正在被使用
# ps -ef|grep sshd

# kill -9 77777
# ps -ef|grep sshd

--重新覆蓋：
# cp /usr/local/openssh/bin/ssh /usr/bin/ssh
# service sshd restart

Stopping sshd: [ OK ]
ssh-keygen: illegal option -- A
usage: ssh-keygen [options]
Options:
...

# cat /etc/init.d/sshd
start()
{
       # Create keys if necessary
       /usr/bin/ssh-keygen -A
       if [ -x /sbin/restorecon ]; then
               /sbin/restorecon /etc/ssh/ssh_host_key.pub
               /sbin/restorecon /etc/ssh/ssh_host_rsa_key.pub
               /sbin/restorecon /etc/ssh/ssh_host_dsa_key.pub
               /sbin/restorecon /etc/ssh/ssh_host_ecdsa_key.pub
       fi

echo -n $"Starting $prog:"
       $SSHD $OPTIONS && success || failure
       RETVAL=$?
       [ $RETVAL -eq 0 ] && touch /var/lock/subsys/sshd
       echo
}
--因低版本的ssh-keygen沒有-A引數,因此，如下解決。
# cp /usr/local/openssh/bin/ssh-keygen /usr/bin/ssh-keygen

--重啟sshd服務：
# service sshd restart

# vi /etc/ssh/sshd_config

--去掉如下條目註釋,允許root透過ssh登入
PermitRootLogin yes

--註釋掉下面三個引數
#GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
#UsePAM yes

6.重啟sshd服務,並透過ssh連線伺服器
# service sshd restart
c:\> ssh 192.168.5.5

# ssh -V

7.禁用telnet
# vi /etc/xinetd.d/telnet

# default: on
# description: The telnet server serves telnet sessions; it uses \
# unencrypted username/password pairs for authentication.
service telnet
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
disable = yes
}

--停止xinetd服務
# service xinetd stop
# chkconfig --list xinetd
# chkconfig xinetd off
# chkconfig --list xinetd

--如winscp登入linux報錯,可如下解決
# vi /etc/ssh/sshd_config
--註釋掉如下條目
#Subsystem sftp /usr/libexec/openssh/sftp-server
--新增如下條目
Subsystem sftp internal-sftp

--重啟sshd服務：
# service sshd restart