RHEL 7.x / CentOS 7.x: Upgrading to OpenSSH 7.6p1
CentOS-7.3-x86_64-Everything-1611.iso -- higher versions are backward compatible
Check the system version
[root@test ~]# cat /etc/redhat-release
CentOS Linux release 7.4.1708 (Core)
[root@test ~]#
[root@test ~]#
Disable the firewall
systemctl stop firewalld.service
systemctl disable firewalld.service
systemctl status firewalld.service
Upload the required software
[root@test ~]# ll /soft/
CentOS-7-x86_64-Everything-1708.iso
rhel-server-7.4-x86_64-dvd.iso
Openssh&Openssl&zlib version.zip
Mount the system image
[root@test ~]# mount -o loop /soft/CentOS-7-x86_64-Everything-1708.iso /mnt    # on a RHEL system, mount the rhel-server-7.4-x86_64-dvd.iso image instead
mount: /dev/loop0 is write-protected, mounting read-only
[root@test ~]#
[root@test ~]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/centos-root 41G 9.3G 30G 24% /
devtmpfs 982M 0 982M 0% /dev
tmpfs 993M 0 993M 0% /dev/shm
tmpfs 993M 8.6M 984M 1% /run
tmpfs 993M 0 993M 0% /sys/fs/cgroup
/dev/sda1 477M 94M 354M 21% /boot
tmpfs 199M 0 199M 0% /run/user/0
/dev/loop0 8.1G 8.1G 0 100% /mnt
[root@test ~]#
Back up the existing YUM repo files
[root@test ~]# mkdir -p /etc/yum.repos.d/bak
[root@test ~]#
[root@test ~]# mv /etc/yum.repos.d/*.repo
CentOS-Base.repo CentOS-fasttrack.repo CentOS-Vault.repo
CentOS-CR.repo CentOS-Media.repo
CentOS-Debuginfo.repo CentOS-Sources.repo
[root@test ~]# mv /etc/yum.repos.d/*.repo /etc/yum.repos.d/bak/
[root@test ~]#
[root@test ~]# ll /etc/yum.repos.d/
total 4
drwxr-xr-x. 2 root root 4096 Apr 12 14:01 bak
[root@test ~]#
Configure the local YUM repository
[root@test ~]# cat /etc/yum.repos.d/centosdvd.repo
[centosdvd]
name=centosdvd
baseurl=file:///mnt
enabled=1
gpgcheck=0
[root@test ~]#
Clear the YUM cache
[root@test ~]# yum clean all
Loaded plugins: fastestmirror
Cleaning repos: centosdvd
Cleaning up everything
Maybe you want: rm -rf /var/cache/yum, to also free up space taken by orphaned data from disabled or removed repos
[root@test ~]#
Build the YUM cache
[root@test ~]# yum makecache
Loaded plugins: fastestmirror
centosdvd | 3.6 kB 00:00:00
(1/4): centosdvd/group_gz | 156 kB 00:00:00
(2/4): centosdvd/primary_db | 5.7 MB 00:00:00
(3/4): centosdvd/filelists_db | 6.7 MB 00:00:00
(4/4): centosdvd/other_db | 2.5 MB 00:00:00
Determining fastest mirrors
Metadata Cache Created
[root@test ~]#
List the packages in the YUM repository
[root@test ~]# yum list
... (output omitted) ...
Fixing the missing ifconfig network command
[root@localhost soft]# yum install net-tools -y
[root@localhost ~]# ifconfig -a
eno16777728: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 188.190.117.194 netmask 255.255.255.0 broadcast 188.190.117.255
inet6 fe80::20c:29ff:fe3b:5926 prefixlen 64 scopeid 0x20<link>
ether 00:0c:29:3b:59:26 txqueuelen 1000 (Ethernet)
RX packets 347 bytes 31356 (30.6 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 300 bytes 66209 (64.6 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 4 bytes 352 (352.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 4 bytes 352 (352.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
[root@localhost ~]#
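Install and enable the telnet service
Upgrading OpenSSH requires uninstalling the existing OpenSSH, so to keep the server remotely reachable, enable the telnet service as a substitute. If the upgrade goes wrong, you can also log in to the server over telnet to roll back.
Also install xinetd, the daemon that supervises telnet.
Install the telnet service
[root@test ~]# yum install telnet-* xinetd -y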
[root@test ~]#
[root@test ~]# rpm -qa|grep telnet
telnet-0.17-64.el7.x86_64
telnet-server-0.17-64.el7.x86_64
[root@test ~]#
[root@test ~]# rpm -qa|grep xinetd
xinetd-2.3.15-13.el7.x86_64
[root@test ~]#
[root@test ~]#
Enable the xinetd service at boot
[root@test ~]# systemctl enable xinetd.service
Enable the telnet service at boot
[root@test ~]# systemctl enable telnet.socket
Created symlink from /etc/systemd/system/sockets.target.wants/telnet.socket to /usr/lib/systemd/system/telnet.socket.
[root@test ~]#
Restart the services:
Because the telnet service is also supervised by xinetd, after installing telnet-server you must restart xinetd to start the telnet service.
[root@test ~]# systemctl restart telnet.socket
[root@test ~]#
[root@test ~]# systemctl restart xinetd
[root@test ~]#
[root@test ~]#
Configure telnet access for the root user
Method 1:
By default on Linux, the root user cannot log in over telnet. Either append pts/1, pts/2 and pts/3 to the end of /etc/securetty, or rename the securetty file.
[root@test ~]# cat /etc/securetty
console
vc/1
vc/2
vc/3
vc/4
vc/5
vc/6
vc/7
vc/8
vc/9
vc/10
vc/11
tty1
tty2
tty3
tty4
tty5
tty6
tty7
tty8
tty9
tty10
tty11
ttyS0
ttysclp0
sclp_line0
3270/tty1
hvc0
hvc1
hvc2
hvc3
hvc4
hvc5
hvc6
hvc7
hvsi0
hvsi1
hvsi2
xvc0
pts/0
pts/1
pts/2
pts/3
[root@test ~]#
Method 2:
mv /etc/securetty /etc/securetty.bak    # after this, root can log in as root
Verify telnet
[root@test ~]# telnet 192.168.195.141 23    # or: telnet 192.168.195.141
Trying 192.168.195.141...
Connected to 192.168.195.141.
Escape character is '^]'.
Kernel 3.10.0-693.el7.x86_64 on an x86_64
test login: root
Password:
Last failed login: Thu Apr 12 14:22:29 CST 2018 from ::ffff:192.168.195.141 on pts/1
There was 1 failed login attempt since the last successful login.
Last login: Thu Apr 12 13:51:21 from 192.168.195.1
[root@test ~]#
[root@test ~]#
Disable SELinux
[root@test ~]# vi /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
#SELINUX=enforcing
SELINUX=disabled
# SELINUXTYPE= can take one of three two values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
Install the packages needed for compiling
[root@test ~]# yum -y install gcc pam-devel zlib-devel perl*
Install unzip:
[root@test soft]# yum -y install unzip
Unpack Openssh&Openssl&zlib version.zip
[root@test soft]# unzip Openssh\&Openssl\&zlib\ version.zip
[root@test soft]# ll Openssh\&Openssl\&zlib\ version
-rw-r--r--. 1 root root 1489788 Mar 30 12:42 openssh-7.6p1.tar.gz
-rw-r--r--. 1 root root 5329472 Mar 30 12:56 openssl-1.0.2o.tar.gz
-rw-r--r--. 1 root root 607698 Mar 30 10:08 zlib-1.2.11.tar.gz
[root@test soft]#
Upgrade zlib
Extract the zlib_1.2.11 source
[root@test soft]# tar -xvzf zlib-1.2.11.tar.gz
[root@test soft]# cd zlib-1.2.11
[root@test zlib-1.2.11]# ls
adler32.c deflate.h infback.c make_vms.com trees.h zlib.h
amiga doc inffast.c msdos uncompr.c zlib.map
ChangeLog examples inffast.h nintendods watcom zlib.pc.cmakein
CMakeLists.txt FAQ inffixed.h old win32 zlib.pc.in
compress.c gzclose.c inflate.c os400 zconf.h zutil.c
configure gzguts.h inflate.h qnx zconf.h.cmakein zutil.h
contrib gzlib.c inftrees.c README zconf.h.in
crc32.c gzread.c inftrees.h test zlib2ansi
crc32.h gzwrite.c Makefile treebuild.xml zlib.3
deflate.c INDEX Makefile.in trees.c zlib.3.pdf
Configure and check zlib
[root@test zlib-1.2.11]#
[root@test zlib-1.2.11]# ./configure --prefix=/usr
Checking for gcc...
Checking for shared library support...
Building shared library libz.so.1.2.11 with gcc.
Checking for size_t... Yes.
Checking for off64_t... Yes.
Checking for fseeko... Yes.
Checking for strerror... Yes.
Checking for unistd.h... Yes.
Checking for stdarg.h... Yes.
Checking whether to use vs[n]printf() or s[n]printf()... using vs[n]printf().
Checking for vsnprintf() in stdio.h... Yes.
Checking for return value of vsnprintf()... Yes.
Checking for attribute(visibility) support... Yes.
[root@test zlib-1.2.11]#
Build the zlib library
[root@test zlib-1.2.11]# make
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -I. -c -o example.o test/example.c
... (output omitted) ...
rm -f libz.so libz.so.1
ln -s libz.so.1.2.11 libz.so
ln -s libz.so.1.2.11 libz.so.1
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -o examplesh example.o -L. libz.so.1.2.11
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -o minigzipsh minigzip.o -L. libz.so.1.2.11
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -I. -D_FILE_OFFSET_BITS=64 -c -o example64.o test/example.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -o example64 example64.o -L. libz.a
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -I. -D_FILE_OFFSET_BITS=64 -c -o minigzip64.o test/minigzip.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -o minigzip64 minigzip64.o -L. libz.a
[root@test zlib-1.2.11]#
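Uninstall the current zlib
Note: run this step only after step A has finished. If zlib is uninstalled first, the zlib library files under /lib64/ are deleted and the zlib build in step A fails. (Recovery: copy the four files libcrypto.so.10, libssl.so.10, libz.so.1 and libz.so.1.2.3 from the /lib64, /usr/lib and /usr/lib64 directories of another server running the same system into the corresponding directories. The whereis, locate or find commands can be used to locate these files.)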
[root@test zlib-1.2.11]# rpm -qa|grep zlib
zlib-1.2.7-17.el7.x86_64
[root@test zlib-1.2.11]#
[root@test zlib-1.2.11]#
[root@test zlib-1.2.11]# rpm -e --nodeps zlib
[root@test zlib-1.2.11]#
[root@test zlib-1.2.11]# rpm -qa|grep zlib
rpm: error while loading shared libraries: libz.so.1: cannot open shared object file: No such file or directory
[root@test zlib-1.2.11]#
[root@test zlib-1.2.11]#
Install the zlib built earlier
[root@test zlib-1.2.11]# make install
rm -f /usr/lib/libz.a
cp libz.a /usr/lib
chmod 644 /usr/lib/libz.a
cp libz.so.1.2.11 /usr/lib
chmod 755 /usr/lib/libz.so.1.2.11
rm -f /usr/share/man/man3/zlib.3
cp zlib.3 /usr/share/man/man3
chmod 644 /usr/share/man/man3/zlib.3
rm -f /usr/lib/pkgconfig/zlib.pc
cp zlib.pc /usr/lib/pkgconfig
chmod 644 /usr/lib/pkgconfig/zlib.pc
rm -f /usr/include/zlib.h /usr/include/zconf.h
cp zlib.h zconf.h /usr/include
chmod 644 /usr/include/zlib.h /usr/include/zconf.h
[root@test zlib-1.2.11]#
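Register the shared libraries
After zlib is installed, its library files are created in /usr/lib. These shared libraries need to be registered with the system: echo '/usr/lib' >> /etc/ld.so.conf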
[root@test zlib-1.2.11]# echo '/usr/lib' >> /etc/ld.so.conf
[root@test zlib-1.2.11]#
[root@test zlib-1.2.11]# cat /etc/ld.so.conf
include ld.so.conf.d/*.conf
/usr/lib
[root@test zlib-1.2.11]#
[root@test zlib-1.2.11]# ll /usr/lib/libz.so.1
lrwxrwxrwx. 1 root root 14 Apr 12 14:42 /usr/lib/libz.so.1 -> libz.so.1.2.11
[root@test zlib-1.2.11]#
[root@test zlib-1.2.11]# ll /usr/lib/libz.so
lrwxrwxrwx. 1 root root 14 Apr 12 14:42 /usr/lib/libz.so -> libz.so.1.2.11
[root@test zlib-1.2.11]#
[root@test zlib-1.2.11]# ll /usr/lib/libz.so.1
lrwxrwxrwx. 1 root root 14 Apr 12 14:42 /usr/lib/libz.so.1 -> libz.so.1.2.11
[root@test zlib-1.2.11]#
[root@test zlib-1.2.11]# ldconfig
[root@test zlib-1.2.11]#
Upgrade OpenSSL
Official upgrade documentation
Back up the current openssl
[root@test zlib-1.2.11]# find / -name openssl
/usr/bin/openssl
/usr/lib64/openssl
/etc/pki/ca-trust/extracted/openssl
[root@test zlib-1.2.11]#
[root@test zlib-1.2.11]#
[root@test zlib-1.2.11]# mv /usr/lib64/openssl /usr/lib64/openssl.old
[root@test zlib-1.2.11]#
[root@test zlib-1.2.11]# mv /usr/bin/openssl /usr/bin/openssl.old
[root@test zlib-1.2.11]#
[root@test zlib-1.2.11]# mv /etc/pki/ca-trust/extracted/openssl /etc/pki/ca-trust/extracted/openssl.old
[root@test zlib-1.2.11]#
[root@test zlib-1.2.11]# cp /usr/lib64/libcrypto.so.10 /usr/lib64/libcrypto.so.10.old
[root@test zlib-1.2.11]#
[root@test zlib-1.2.11]# cp /usr/lib64/libssl.so.10 /usr/lib64/libssl.so.10.old
[root@test zlib-1.2.11]#
Uninstall the current openssl
[root@test zlib-1.2.11]# rpm -qa|grep openssl |xargs
openssl-libs-1.0.2k-8.el7.x86_64
xmlsec1-openssl-1.2.20-5.el7.x86_64
openssl-1.0.2k-8.el7.x86_64
[root@test zlib-1.2.11]#
[root@test zlib-1.2.11]#
[root@test zlib-1.2.11]# rpm -qa|grep openssl|xargs -i rpm -e --nodeps {}
warning: file /usr/lib64/openssl/engines/libubsec.so: remove failed: No such file or directory
warning: file /usr/lib64/openssl/engines/libsureware.so: remove failed: No such file or directory
warning: file /usr/lib64/openssl/engines/libpadlock.so: remove failed: No such file or directory
warning: file /usr/lib64/openssl/engines/libnuron.so: remove failed: No such file or directory
warning: file /usr/lib64/openssl/engines/libgmp.so: remove failed: No such file or directory
warning: file /usr/lib64/openssl/engines/libcswift.so: remove failed: No such file or directory
warning: file /usr/lib64/openssl/engines/libchil.so: remove failed: No such file or directory
warning: file /usr/lib64/openssl/engines/libcapi.so: remove failed: No such file or directory
warning: file /usr/lib64/openssl/engines/libatalla.so: remove failed: No such file or directory
warning: file /usr/lib64/openssl/engines/libaep.so: remove failed: No such file or directory
warning: file /usr/lib64/openssl/engines/lib4758cca.so: remove failed: No such file or directory
warning: file /usr/lib64/openssl/engines: remove failed: No such file or directory
warning: file /usr/lib64/openssl: remove failed: No such file or directory
warning: file /usr/bin/openssl: remove failed: No such file or directory
[root@test zlib-1.2.11]#
[root@test zlib-1.2.11]# rpm -qa|grep openssl|xargs -i rpm -e --nodeps {}
[root@test zlib-1.2.11]#
[root@test zlib-1.2.11]#
[root@test zlib-1.2.11]# rpm -qa|grep openssl |xargs
[root@test zlib-1.2.11]#
Extract the openssl_1.0.2k source
[root@test soft]# tar -xvzf openssl-1.0.2o.tar.gz
[root@test soft]# cd openssl-1.0.2o
[root@test openssl-1.0.2o]#
[root@test openssl-1.0.2o]# ls
ACKNOWLEDGMENTS CONTRIBUTING GitMake INSTALL.W32 makevms.com README.ASN1
apps crypto include INSTALL.W64 ms README.ENGINE
appveyor.yml demos INSTALL INSTALL.WCE Netware shlib
bugs doc install.com LICENSE NEWS ssl
certs engines INSTALL.DJGPP MacOS openssl.doxy test
CHANGES e_os2.h INSTALL.MacOS Makefile openssl.spec tools
CHANGES.SSLeay e_os.h INSTALL.NW Makefile.bak os2 util
config FAQ INSTALL.OS2 Makefile.org PROBLEMS VMS
Configure GitConfigure INSTALL.VMS Makefile.shared README
[root@test openssl-1.0.2o]#
[root@test openssl-1.0.2o]#
[root@test openssl-1.0.2o]# ./config --prefix=/usr --openssldir=/etc/ssl --shared zlib    # the system is a minimal install, so Perl is missing; install it with yum
Operating system: x86_64-whatever-linux2
You need Perl 5.
[root@test openssl-1.0.2o]#
[root@test openssl-1.0.2o]#
[root@test openssl-1.0.2o]# yum install perl* -y    # better to install Perl together with the build tools; skip this if it is already installed. If you install it at this point, the openssl-related packages must be removed again.
[root@test openssl-1.0.2o]#
./config --prefix=/usr --openssldir=/etc/ssl --shared zlib    # shared is required; otherwise the build cannot find the newly installed openssl libraries and fails
[root@test openssl-1.0.2o]# ./config --prefix=/usr --openssldir=/etc/ssl --shared zlib
... (output omitted) ...
make[1]: Leaving directory `/soft/openssl-1.0.2o/ssl'
making links in engines...
make[1]: Entering directory `/soft/openssl-1.0.2o/engines'
making links in engines/ccgost...
make[2]: Entering directory `/soft/openssl-1.0.2o/engines/ccgost'
make[2]: Nothing to be done for `links'.
make[2]: Leaving directory `/soft/openssl-1.0.2o/engines/ccgost'
make[1]: Leaving directory `/soft/openssl-1.0.2o/engines'
making links in apps...
make[1]: Entering directory `/soft/openssl-1.0.2o/apps'
make[1]: Nothing to be done for `links'.
make[1]: Leaving directory `/soft/openssl-1.0.2o/apps'
making links in test...
make[1]: Entering directory `/soft/openssl-1.0.2o/test'
make[1]: Nothing to be done for `links'.
make[1]: Leaving directory `/soft/openssl-1.0.2o/test'
making links in tools...
make[1]: Entering directory `/soft/openssl-1.0.2o/tools'
make[1]: Nothing to be done for `links'.
make[1]: Leaving directory `/soft/openssl-1.0.2o/tools'
generating dummy tests (if needed)...
make[1]: Entering directory `/soft/openssl-1.0.2o/test'
make[1]: Nothing to be done for `generate'.
make[1]: Leaving directory `/soft/openssl-1.0.2o/test'
Configured for linux-x86_64.
[root@test openssl-1.0.2o]#
Build OpenSSL
[root@test openssl-1.0.2o]# make
... (output omitted) ...
make[2]: Entering directory `/soft/openssl-1.0.2o/test'
make[2]: Leaving directory `/soft/openssl-1.0.2o/test'
make[1]: Leaving directory `/soft/openssl-1.0.2o/test'
making all in tools...
make[1]: Entering directory `/soft/openssl-1.0.2o/tools'
make[1]: Nothing to be done for `all'.
make[1]: Leaving directory `/soft/openssl-1.0.2o/tools'
[root@test openssl-1.0.2o]#
[root@test openssl-1.0.2o]#
Test OpenSSL
[root@test openssl-1.0.2o]# make test
... (output omitted) ...
**---- START OF HANDSHAKE MESSAGE FRAGMENT ----
**---- HANDSHAKE MESSAGE FRAGMENT ENCRYPTED ----
*---- END OF RECORD ----
---- END OF PACKET ----
PASS
test_bad_dtls
../util/shlib_wrap.sh ./bad_dtls_test
test_fatalerr
../util/shlib_wrap.sh ./fatalerrtest ../apps/server.pem ../apps/server.pem
SSL_accept() failed -1, 1
140677601674944:error:140800FF:SSL routines:ssl3_accept:unknown state:s3_srvr.c:869:
make[1]: Leaving directory `/soft/openssl-1.0.2o/test'
OPENSSL_CONF=apps/openssl.cnf util/opensslwrap.sh version -a
OpenSSL 1.0.2o 27 Mar 2018
built on: reproducible build, date unspecified
platform: linux-x86_64
options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -I. -I.. -I../include -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -m64 -DL_ENDIAN -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
OPENSSLDIR: "/etc/ssl"
[root@test openssl-1.0.2o]#
[root@test openssl-1.0.2o]#
Install OpenSSL
[root@test openssl-1.0.2o]# make install
make[2]: Leaving directory `/soft/openssl-1.0.2o/engines/ccgost'
make[1]: Leaving directory `/soft/openssl-1.0.2o/engines'
making install in apps...
make[1]: Entering directory `/soft/openssl-1.0.2o/apps'
installing openssl
installing CA.sh
installing CA.pl
installing tsget
make[1]: Leaving directory `/soft/openssl-1.0.2o/apps'
making install in test...
make[1]: Entering directory `/soft/openssl-1.0.2o/test'
make[1]: Nothing to be done for `install'.
make[1]: Leaving directory `/soft/openssl-1.0.2o/test'
making install in tools...
make[1]: Entering directory `/soft/openssl-1.0.2o/tools'
make[1]: Leaving directory `/soft/openssl-1.0.2o/tools'
installing libcrypto.a
installing libssl.a
installing libcrypto.so.1.0.0
installing libssl.so.1.0.0
make[1]: Entering directory `/usr/lib64'
make[2]: Entering directory `/usr/lib64'
make[2]: Leaving directory `/usr/lib64'
make[2]: Entering directory `/usr/lib64'
make[2]: Leaving directory `/usr/lib64'
make[1]: Leaving directory `/usr/lib64'
cp libcrypto.pc /usr/lib64/pkgconfig
chmod 644 /usr/lib64/pkgconfig/libcrypto.pc
cp libssl.pc /usr/lib64/pkgconfig
chmod 644 /usr/lib64/pkgconfig/libssl.pc
cp openssl.pc /usr/lib64/pkgconfig
chmod 644 /usr/lib64/pkgconfig/openssl.pc
[root@test openssl-1.0.2o]#
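Verify that the OpenSSL upgrade succeeded
[root@test openssl-1.0.2o]# openssl version    # check whether the upgrade succeeded
OpenSSL 1.0.2o 27 Mar 2018
[root@test openssl-1.0.2o]#
[root@test openssl-1.0.2o]#
Restore the shared libraries
OpenSSL_1.0.2k does not provide the libcrypto.so.10 and libssl.so.10 libraries, yet tools such as yum and wget depend on them, so the two libraries backed up earlier must be restored. Restore the other backups as the situation requires.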
[root@test openssl-1.0.2o]#
[root@test openssl-1.0.2o]# mv /usr/lib64/libcrypto.so.10.old /usr/lib64/libcrypto.so.10
mv: overwrite `/usr/lib64/libcrypto.so.10'? y
[root@test openssl-1.0.2o]# mv /usr/lib64/libssl.so.10.old /usr/lib64/libssl.so.10
mv: overwrite `/usr/lib64/libssl.so.10'? y
[root@test openssl-1.0.2o]#
Upgrade OpenSSH
10.1 Official upgrade documentation
Back up the current openssh
[root@test openssl-1.0.2o]#
[root@test openssl-1.0.2o]# mv /etc/ssh /etc/ssh.old
[root@test openssl-1.0.2o]#
Uninstall the current openssh
[root@test openssl-1.0.2o]# rpm -qa|grep openssh
openssh-server-7.4p1-11.el7.x86_64
openssh-7.4p1-11.el7.x86_64
openssh-clients-7.4p1-11.el7.x86_64
[root@test openssl-1.0.2o]#
[root@test openssl-1.0.2o]#
rpm -qa |grep openssh|xargs -i rpm -e --nodeps {}    # or remove the packages one by one with rpm -e --nodeps <package name>, e.g. rpm -e --nodeps openssh-5.3p1-111.el6.x86_64
[root@test openssl-1.0.2o]#
[root@test openssl-1.0.2o]# rpm -qa |grep openssh|xargs -i rpm -e --nodeps {}
warning: file /etc/ssh/sshd_config: remove failed: No such file or directory
warning: file /etc/ssh/moduli: remove failed: No such file or directory
warning: file /etc/ssh: remove failed: No such file or directory
warning: file /etc/ssh/ssh_config: remove failed: No such file or directory
[root@test openssl-1.0.2o]#
[root@test openssl-1.0.2o]# rpm -qa |grep openssh|xargs -i rpm -e --nodeps {}
[root@test openssl-1.0.2o]#
[root@test openssl-1.0.2o]#
[root@test openssl-1.0.2o]# rpm -qa |grep openssh|xargs
[root@test openssl-1.0.2o]#
[root@test openssl-1.0.2o]#
OpenSSH pre-installation setup
[root@test openssl-1.0.2o]# install -v -m700 -d /var/lib/sshd
install: creating directory `/var/lib/sshd'
[root@test openssl-1.0.2o]#
[root@test openssl-1.0.2o]# chown -v root:sys /var/lib/sshd
changed ownership of `/var/lib/sshd' to root:sys
[root@test openssl-1.0.2o]#
[root@test openssl-1.0.2o]# groupadd -g 50 sshd
groupadd: group 'sshd' already exists
[root@test openssl-1.0.2o]#
[root@test openssl-1.0.2o]# useradd -c 'sshd PrivSep' -d /var/lib/sshd -g sshd -s /bin/false -u 50 sshd
useradd: user 'sshd' already exists
[root@test openssl-1.0.2o]#
[root@test openssl-1.0.2o]#
Extract the openssh-7.6p1.tar.gz source
[root@test soft]# tar -xvzf openssh-7.6p1.tar.gz
[root@test soft]# cd openssh-7.6p1
Configure OpenSSH
[root@test openssh-7.6p1]#
[root@test openssh-7.6p1]# ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam--with-zlib --with-openssl-includes=/usr --with-privsep-path=/var/lib/sshd
... (output omitted) ...
config.status: creating config.h
configure: WARNING: unrecognized options: --with-pam--with-zlib, --with-openssl-includes
OpenSSH has been configured with the following options:
User binaries: /usr/bin
System binaries: /usr/sbin
Configuration files: /etc/ssh
Askpass program: /usr/libexec/ssh-askpass
Manual pages: /usr/share/man/manX
PID file: /var/run
Privilege separation chroot path: /var/lib/sshd
sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin
Manpage format: doc
PAM support: no
OSF SIA support: no
KerberosV support: no
SELinux support: no
Smartcard support:
S/KEY support: no
MD5 password support: yes
libedit support: no
libldns support: no
Solaris process contract support: no
Solaris project support: no
Solaris privilege support: no
IP address in $DISPLAY hack: no
Translate v4 in v6 hack: yes
BSD Auth support: no
Random number source: OpenSSL internal ONLY
Privsep sandbox style: seccomp_filter
Host: x86_64-pc-linux-gnu
Compiler: gcc
Compiler flags: -g -O2 -pipe -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE
Preprocessor flags: -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE
Linker flags: -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -pie
Libraries: -lcrypto -ldl -lutil -lz -lcrypt -lresolv
[root@test openssh-7.6p1]#
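Added example (not part of the original post): the configure output above warns that --with-pam--with-zlib and --with-openssl-includes were not recognized, and the summary reports "PAM support: no", because the missing space fused two flags into one. The script below checks a saved configure log for these two conditions before make is run; the function names are this example's own, and the sample log reuses lines from the output above.

```shell
#!/bin/sh
# Added example, not from the original post: audit a saved OpenSSH
# ./configure log before running make / make install.

# Sample input: lines taken from the configure output shown in the post.
sample_configure_log() {
cat <<'EOF'
config.status: creating config.h
configure: WARNING: unrecognized options: --with-pam--with-zlib, --with-openssl-includes
OpenSSH has been configured with the following options:
                     PAM support: no
                 SELinux support: no
            MD5 password support: yes
           Privsep sandbox style: seccomp_filter
EOF
}

# audit_configure_log LOGFILE FEATURE...
# Prints one finding per line and returns 1 if there is any finding.
audit_configure_log() {
    log=$1
    shift
    findings=$(
        # Flags configure does not understand are ignored apart from this
        # single WARNING line, so list each of them separately.
        sed -n 's/^configure: WARNING: unrecognized options: //p' "$log" |
            tr ',' '\n' |
            sed -e 's/^ *//' -e 's/ *$//' -e '/^$/d' \
                -e 's/^/unrecognized option: /'
        # Every requested feature must appear in the summary as "yes".
        for feature in "$@"; do
            value=$(awk -F': *' -v want="$feature" '
                { name = $1; sub(/^[ \t]+/, "", name) }
                name == want { print $2; exit }' "$log")
            case $value in
                yes) ;;
                "")  echo "$feature: not reported in summary" ;;
                *)   echo "$feature: $value (expected yes)" ;;
            esac
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Demo: run the audit on the sample log.
tmp=$(mktemp)
sample_configure_log > "$tmp"
if audit_configure_log "$tmp" "PAM support" "MD5 password support"; then
    echo "configure summary matches the requested features"
else
    echo "resolve the findings above before running make install"
fi
rm -f "$tmp"
```

On a real build, save the output with ./configure ... 2>&1 | tee configure.log and pass that file to audit_configure_log.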
Build OpenSSH
[root@test openssh-7.6p1]# make
... (output omitted) ...
cc -o sftp progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o -L. -Lopenbsd-compat/ -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -pie -lssh -lopenbsd-compat -lcrypto -ldl -lutil -lz -lcrypt -lresolv
[root@test openssh-7.6p1]#
[root@test openssh-7.6p1]#
Install OpenSSH
[root@test openssh-7.6p1]# make install
(cd openbsd-compat && make)
make[1]: Entering directory `/soft/openssh-7.6p1/openbsd-compat'
make[1]: Nothing to be done for `all'.
make[1]: Leaving directory `/soft/openssh-7.6p1/openbsd-compat'
./mkinstalldirs /usr/bin
./mkinstalldirs /usr/sbin
./mkinstalldirs /usr/share/man
./mkinstalldirs /usr/share/man/man1
./mkinstalldirs /usr/share/man/man5
./mkinstalldirs /usr/share/man/man8
./mkinstalldirs /usr/libexec
(umask 022 ; ./mkinstalldirs /var/lib/sshd)
/usr/bin/install -c -m 0755 -s ssh /usr/bin/ssh
/usr/bin/install -c -m 0755 -s scp /usr/bin/scp
/usr/bin/install -c -m 0755 -s ssh-add /usr/bin/ssh-add
/usr/bin/install -c -m 0755 -s ssh-agent /usr/bin/ssh-agent
/usr/bin/install -c -m 0755 -s ssh-keygen /usr/bin/ssh-keygen
/usr/bin/install -c -m 0755 -s ssh-keyscan /usr/bin/ssh-keyscan
/usr/bin/install -c -m 0755 -s sshd /usr/sbin/sshd
/usr/bin/install -c -m 4711 -s ssh-keysign /usr/libexec/ssh-keysign
/usr/bin/install -c -m 0755 -s ssh-pkcs11-helper /usr/libexec/ssh-pkcs11-helper
/usr/bin/install -c -m 0755 -s sftp /usr/bin/sftp
/usr/bin/install -c -m 0755 -s sftp-server /usr/libexec/sftp-server
/usr/bin/install -c -m 644 ssh.1.out /usr/share/man/man1/ssh.1
/usr/bin/install -c -m 644 scp.1.out /usr/share/man/man1/scp.1
/usr/bin/install -c -m 644 ssh-add.1.out /usr/share/man/man1/ssh-add.1
/usr/bin/install -c -m 644 ssh-agent.1.out /usr/share/man/man1/ssh-agent.1
/usr/bin/install -c -m 644 ssh-keygen.1.out /usr/share/man/man1/ssh-keygen.1
/usr/bin/install -c -m 644 ssh-keyscan.1.out /usr/share/man/man1/ssh-keyscan.1
/usr/bin/install -c -m 644 moduli.5.out /usr/share/man/man5/moduli.5
/usr/bin/install -c -m 644 sshd_config.5.out /usr/share/man/man5/sshd_config.5
/usr/bin/install -c -m 644 ssh_config.5.out /usr/share/man/man5/ssh_config.5
/usr/bin/install -c -m 644 sshd.8.out /usr/share/man/man8/sshd.8
/usr/bin/install -c -m 644 sftp.1.out /usr/share/man/man1/sftp.1
/usr/bin/install -c -m 644 sftp-server.8.out /usr/share/man/man8/sftp-server.8
/usr/bin/install -c -m 644 ssh-keysign.8.out /usr/share/man/man8/ssh-keysign.8
/usr/bin/install -c -m 644 ssh-pkcs11-helper.8.out /usr/share/man/man8/ssh-pkcs11-helper.8
if [ ! -d /etc/ssh ]; then \
./mkinstalldirs /etc/ssh; \
fi
mkdir /etc/ssh
ssh-keygen: generating new host keys: RSA DSA ECDSA ED25519
/usr/sbin/sshd -t -f /etc/ssh/sshd_config
[root@test openssh-7.6p1]#
OpenSSH post-installation setup
# Run the following commands in the openssh build directory
[root@test openssh-7.6p1]#
[root@test openssh-7.6p1]# install -v -m755 contrib/ssh-copy-id /usr/bin
[root@test openssh-7.6p1]#
‘contrib/ssh-copy-id’ -> ‘/usr/bin/ssh-copy-id’
[root@test openssh-7.6p1]#
[root@test openssh-7.6p1]# install -v -m644 contrib/ssh-copy-id.1 /usr/share/man/man1
‘contrib/ssh-copy-id.1’ -> ‘/usr/share/man/man1/ssh-copy-id.1’
[root@test openssh-7.6p1]#
[root@test openssh-7.6p1]# install -v -m755 -d /usr/share/doc/openssh-7.6p1
install: creating directory ‘/usr/share/doc/openssh-7.6p1’
[root@test openssh-7.6p1]#
[root@test openssh-7.6p1]# install -v -m644 INSTALL LICENCE OVERVIEW README* /usr/share/doc/openssh-7.6p1
`INSTALL' -> `/usr/share/doc/openssh-7.6p1/INSTALL'
`LICENCE' -> `/usr/share/doc/openssh-7.6p1/LICENCE'
`OVERVIEW' -> `/usr/share/doc/openssh-7.6p1/OVERVIEW'
`README' -> `/usr/share/doc/openssh-7.6p1/README'
`README.dns' -> `/usr/share/doc/openssh-7.6p1/README.dns'
`README.platform' -> `/usr/share/doc/openssh-7.6p1/README.platform'
`README.privsep' -> `/usr/share/doc/openssh-7.6p1/README.privsep'
`README.tun' -> `/usr/share/doc/openssh-7.6p1/README.tun'
Verify that the OpenSSH upgrade succeeded
[root@test openssh-7.6p1]#
[root@test openssh-7.6p1]#
[root@test openssh-7.6p1]# ssh -V
OpenSSH_7.6p1, OpenSSL 1.0.2o 27 Mar 2018
[root@test openssh-7.6p1]#
[root@test openssh-7.6p1]#
Enable the OpenSSH service
[root@test openssh-7.6p1]# echo 'X11Forwarding yes' >> /etc/ssh/sshd_config
[root@test openssh-7.6p1]# echo "PermitRootLogin yes" >> /etc/ssh/sshd_config    # allow the root user to log in over ssh
[root@test openssh-7.6p1]# cp -p contrib/redhat/sshd.init /etc/init.d/sshd
[root@test openssh-7.6p1]# chmod +x /etc/init.d/sshd
[root@test openssh-7.6p1]# chkconfig --add sshd
[root@test openssh-7.6p1]# chkconfig sshd on
[root@test openssh-7.6p1]# chkconfig --list sshd
Note: This output shows SysV services only and does not include native
systemd services. SysV configuration data might be overridden by native
systemd configuration.
If you want to list systemd services use 'systemctl list-unit-files'.
To see services enabled on particular target use
'systemctl list-dependencies [target]'.
sshd 0:off 1:off 2:on 3:on 4:on 5:on 6:off
[root@test openssh-7.6p1]#
[root@test openssh-7.6p1]#
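Added example (not part of the original post): the echo ... >> /etc/ssh/sshd_config lines above only take effect if nothing earlier in the file already sets the same keyword, because sshd uses the first value it obtains for each keyword, and a line appended after a Match block belongs to that block. The function below reports the value the global section actually yields; the function name and the three sshd_config samples are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post.

# effective_global_option FILE KEYWORD
# Prints the value the global section of FILE gives KEYWORD, or nothing
# when the keyword is not set there (sshd then uses its built-in default).
effective_global_option() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }            # keywords are case-insensitive
        {
            sub(/^[ \t]+/, "")                    # leading whitespace is ignored
            if ($0 == "" || $0 ~ /^#/) next       # blank line or comment
            n = match($0, /[ \t=]/)               # keyword ends at space or "="
            key = tolower(n ? substr($0, 1, n - 1) : $0)
            val = n ? substr($0, n) : ""
            sub(/^[ \t]*=?[ \t]*/, "", val)
            sub(/[ \t]+$/, "", val)
            if (key == "match") exit              # rest of the file is conditional
            if (key == want) { print val; exit }  # first value obtained wins
        }' "$1"
}

# Constructed sample 1: only commented defaults, then the appended lines.
sample_default() {
cat <<'EOF'
#PermitRootLogin prohibit-password
#X11Forwarding no
X11Forwarding yes
PermitRootLogin yes
EOF
}

# Constructed sample 2: an earlier explicit setting shadows the appended line.
sample_shadowed() {
cat <<'EOF'
PermitRootLogin no
X11Forwarding yes
PermitRootLogin yes
EOF
}

# Constructed sample 3: the appended line lands inside a Match block.
sample_after_match() {
cat <<'EOF'
Match User backup
    X11Forwarding no
PermitRootLogin yes
EOF
}

# Demo: show what each sample yields for PermitRootLogin.
for sample in sample_default sample_shadowed sample_after_match; do
    tmp=$(mktemp)
    "$sample" > "$tmp"
    value=$(effective_global_option "$tmp" PermitRootLogin)
    echo "$sample: PermitRootLogin=${value:-<built-in default>}"
    rm -f "$tmp"
done
```

On the server itself, sshd -T prints the effective configuration as sshd parsed it.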
Check the service with the version 7 command
[root@test ~]# systemctl status sshd
● sshd.service - SYSV: OpenSSH server daemon
Loaded: loaded (/etc/rc.d/init.d/sshd; bad; vendor preset: enabled)
Active: active (running) since Thu 2018-04-12 16:24:03 CST; 8min ago
Docs: man:systemd-sysv-generator(8)
Process: 917 ExecStart=/etc/rc.d/init.d/sshd start (code=exited, status=0/SUCCESS)
Main PID: 944 (sshd)
CGroup: /system.slice/sshd.service
├─ 944 /usr/sbin/sshd
├─1119 sshd: root@pts/1
├─1121 -bash
└─1215 systemctl status sshd
Apr 12 16:24:02 test systemd[1]: Starting SYSV: OpenSSH server daemon...
Apr 12 16:24:03 test systemd[1]: Started SYSV: OpenSSH server daemon.
Apr 12 16:24:03 test sshd[917]: Starting sshd:[ OK ]
Apr 12 16:24:03 test sshd[944]: Server listening on 0.0.0.0 port 22.
Apr 12 16:24:03 test sshd[944]: Server listening on :: port 22.
Apr 12 16:25:56 test sshd[1119]: Accepted password for root from 192.168.195.1 port 61...sh2
Hint: Some lines were ellipsized, use -l to show in full.
[root@test ~]#
Restart the sshd service
[root@test openssh-7.6p1]# service sshd restart    # or use the version 7 command: systemctl restart sshd
Restarting sshd (via systemctl): [ OK ]
[root@test openssh-7.6p1]#
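Method 2:
systemctl status sshd.service
Start the service:
systemctl start sshd.service
Restart the service:
systemctl restart sshd.service
Enable at boot:
systemctl enable sshd.service
Reboot the operating system for the changes to take effect
reboot
Check the OpenSSH and OpenSSL upgrade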
[root@test ~]# ssh -V
OpenSSH_7.6p1, OpenSSL 1.0.2o 27 Mar 2018
[root@test ~]#
[root@test ~]#
Check the current Bash version
[root@test ~]# rpm -qa|grep bash
bash-4.2.46-28.el7.x86_64
[root@test ~]#
Upgrade Bash
[root@test ~]# cd /soft
[root@test soft]# ll
total 8506556
-rw-r--r-- 1 root root 1036336 Apr 18 14:00 bash-4.2.46-29.el7_4.x86_64.rpm
[root@test soft]#
[root@test soft]#
[root@test soft]# rpm -Uvh bash-4.2.46-29.el7_4.x86_64.rpm
warning: bash-4.2.46-29.el7_4.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID f4a80eb5: NOKEY
Preparing... ################################# [100%]
Updating / installing...
1:bash-4.2.46-29.el7_4 ################################# [ 50%]
Cleaning up / removing...
2:bash-4.2.46-28.el7 ################################# [100%]
[root@test soft]#
[root@test soft]#
[root@test ~]# rpm -qa|grep bash
bash-4.2.46-29.el7_4.x86_64
[root@test ~]#
Source: "ITPUB Blog", link: http://blog.itpub.net/31520497/viewspace-2703086/. If you repost this article, please credit the source; otherwise legal action will be pursued.