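1. Upgrade background
Recently a vulnerability was found in OpenSSH. Since SSH is an indispensable channel for remote connections, the SSH version must be brought up to the latest release to eliminate the vulnerability.
2. Current system and SSH versions
2.1 System version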
[root@k8s-master ~]# cat /etc/centos-release
centos linux release 7.4.1708 (core)
[root@k8s-master ~]# uname -a
linux k8s-master 3.10.0-693.el7.x86_64 #1 smp tue aug 22 21:09:27 utc 2017 x86_64 x86_64 x86_64 gnu/linux
[root@k8s-master ~]#
2.2 SSH version
[root@k8s-master ~]# ssh -V
openssh_7.4p1, openssl 1.0.2k-fips 26 jan 2017
[root@k8s-master ~]# openssl version
openssl 1.0.2k-fips 26 jan 2017
[root@k8s-master ~]# rpm -qa zlib
zlib-1.2.7-17.el7.x86_64
3. Download the latest OpenSSH version
3.1 Download the latest OpenSSH version from the official website
Official website address:
3.2 Download the software package
[root@k8s-master src]# wget -O /usr/local/src/openssh-7.7p1.tar.gz
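4. Configure the yum repository, then install and configure the telnet service
The SSH service has to be reinstalled, so on a remote server you need another remote-connection tool to stand in for SSH temporarily. That is why the telnet service is installed and configured here.
4.1 Configure the yum repository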
[root@k8s-master yum.repos.d]# cat /etc/yum.repos.d/alibase.repo
[base]
name=ali base
baseurl=
enabled=1
gpgcheck=0
4.2 Install the telnet service
[root@k8s-master yum.repos.d]# yum install telnet-server -y
4.3 Configure, start and test telnet
[root@k8s-master xinetd.d]# systemctl start telnet.socket
[root@k8s-master xinetd.d]# systemctl status telnet.socket
● telnet.socket - telnet server activation socket
loaded: loaded (/usr/lib/systemd/system/telnet.socket; disabled; vendor preset: disabled)
active: active (listening) since sun 2018-04-15 10:42:29 cst; 6s ago
docs: man:telnetd(8)
listen: [::]:23 (stream)
accepted: 0; connected: 0
apr 15 10:42:29 k8s-master systemd[1]: listening on telnet server activation socket.
apr 15 10:42:29 k8s-master systemd[1]: starting telnet server activation socket.
[root@k8s-master xinetd.d]#
Test the connection. Note that you must log in as a regular user; after that you can switch to root:
[c:\~]$ telnet 192.168.1.10
connecting to 192.168.1.10:23...
connection established.
to escape to local shell, press 'ctrl alt ]'.
kernel 3.10.0-693.el7.x86_64 on an x86_64
k8s-master login: neves
password:
last login: sun apr 15 10:44:47 from ::ffff:192.168.1.108
[neves@k8s-master ~]$ su - root
password:
last login: sun apr 15 10:44:54 cst 2018 on pts/2
[root@k8s-master ~]#
5. Upgrade SSH
Any Linux service may need additional dependency software. OpenSSH depends on the following:
openssh depends on zlib[3], openssl[4], and optionally pam[5] and libedit[6]
5.1 Dependency versions
zlib 1.1.4 or 1.2.1.2 or greater (earlier 1.2.x versions have problems):
libcrypto (libressl or openssl >= 1.0.1 < 1.1.0)
libressl ; or
openssl
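As you can see, the currently installed zlib, openssl and other dependencies all meet the requirements, so the dependency environment does not need to be rebuilt.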
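The comparison made by eye above can be scripted. The following is an added example, not part of the original post: it checks the version strings from section 2.2 against the ranges quoted in section 5.1. The function names are hypothetical, and GNU sort (for -V) is assumed.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): check the section 5.1
# requirements against the version strings shown in section 2.2.

# ver_ge A B: succeeds when version A >= version B (GNU sort -V order).
ver_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$2" ]
}

# openssl_ok VERSION: "openssl >= 1.0.1 < 1.1.0".
openssl_ok() {
    local v="${1%%-*}"              # drop a suffix such as "-fips"
    ver_ge "$v" 1.0.1 && ! ver_ge "$v" 1.1.0
}

# zlib_ok VERSION: "1.1.4 or 1.2.1.2 or greater"; earlier 1.2.x is rejected.
zlib_ok() {
    local v="${1%%-*}"              # drop an RPM release such as "-17.el7.x86_64"
    [ "$v" = 1.1.4 ] || ver_ge "$v" 1.2.1.2
}

# check_prereqs "<openssl version output>" "<rpm -qa zlib output>"
# Hypothetical helper; returns 0 only when both libraries qualify.
check_prereqs() {
    local ossl zl rc=0
    ossl=$(printf '%s\n' "$1" | awk '{print $2}')   # second field is the version
    zl=${2#zlib-}                                   # strip the package name
    if openssl_ok "$ossl"; then
        echo "openssl $ossl: ok"
    else
        echo "openssl $ossl: outside >= 1.0.1 < 1.1.0"; rc=1
    fi
    if zlib_ok "$zl"; then
        echo "zlib ${zl%%-*}: ok"
    else
        echo "zlib ${zl%%-*}: needs 1.1.4 or >= 1.2.1.2"; rc=1
    fi
    return "$rc"
}

# Constructed sample input: the two strings printed in section 2.2.
check_prereqs "openssl 1.0.2k-fips 26 jan 2017" "zlib-1.2.7-17.el7.x86_64"
```

On a live host the two arguments would be "$(openssl version)" and "$(rpm -qa zlib)".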
5.2 Stop the OpenSSH service
[root@k8s-master ssh]# systemctl stop sshd.service
Back up the original configuration files:
[root@k8s-master ssh]# mv /etc/ssh /etc/ssh.old
5.3 Uninstall the OpenSSH packages
[root@k8s-master ssh]# rpm -qa | grep openssh | xargs -i rpm -e --nodeps {}
5.4 Install the new version of OpenSSH
5.4.1 Dependencies
[root@k8s-master ssh]# yum install gcc zlib-devel openssl-devel pam-devel -y
5.4.2 Configure
[root@k8s-master openssh-7.7p1]# cd /usr/local/src/openssh-7.7p1/
[root@k8s-master openssh-7.7p1]# ./configure --prefix=/usr/local/sshd --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-zlib
5.4.3 Compile
[root@k8s-master openssh-7.7p1]# make
5.4.4 Install
[root@k8s-master openssh-7.7p1]# make install
5.4.5 Reinstall the commands and their documentation into the corresponding paths
[root@k8s-master sshd]# install -v -m755 /usr/local/sshd/bin/* /usr/bin
[root@k8s-master man]# install -v -m644 /usr/local/sshd/share/man/man1/* /usr/share/man/man1
[root@k8s-master man]# install -v -m644 /usr/local/sshd/share/man/man5/* /usr/share/man/man5
[root@k8s-master man]# install -v -m644 /usr/local/sshd/share/man/man8/* /usr/share/man/man8
[root@k8s-master man]# install -v -m755 -d /usr/share/doc/openssh-7.7p1
[root@k8s-master openssh-7.7p1]# cd /usr/local/src/openssh-7.7p1/
[root@k8s-master openssh-7.7p1]# install -v -m644 INSTALL README LICENCE OVERVIEW /usr/share/doc/openssh-7.7p1/
‘INSTALL’ -> ‘/usr/share/doc/openssh-7.7p1/INSTALL’
‘README’ -> ‘/usr/share/doc/openssh-7.7p1/README’
‘LICENCE’ -> ‘/usr/share/doc/openssh-7.7p1/LICENCE’
‘OVERVIEW’ -> ‘/usr/share/doc/openssh-7.7p1/OVERVIEW’
5.4.5 Configure and start sshd
[root@k8s-master system]# /usr/local/sshd/sbin/sshd &
5.4.6 Check the version
[root@k8s-master system]# ssh -V
openssh_7.7p1, openssl 1.0.2k-fips 26 jan 2017
5.4.7 Stop the telnet service
[root@k8s-master system]# systemctl stop telnet.socket