OpenSSH
OpenSSH是实现远程控制、远程加密传输数据的安全的网络连接工具,也就是为我们提供ssh服务的程序。SSH由服务端和客户端组成,服务端是一个守护进程(sshd),在后台运行并响应客户端的连接请求;客户端包含ssh(openssh-clients)、scp、slogin、sftp等应用程序。
SSH服务本身提供了一种经过加密和认证的数据传输方式。一些较旧的Linux发行版(例如本文所用的SLES 11)自带的多是OpenSSH 5.x。截至本文写作时OpenSSH已更新到7.x,修复了旧版本中的许多安全漏洞。需要注意的是,“安全”取决于是否使用了当前最新的补丁版本,而不是大版本号:本文使用的OpenSSH 7.1p1和OpenSSL 1.0.2h之后都已发布过安全更新,实际操作时应从官网获取最新版本并核对签名。OpenSSH官网:http://www.openssh.com
本文主要记录OpenSSH 7在SLES(SuSe 11)上的升级过程。
安装软件包前提准备:
openssh-7.1p1.tar.gz、openssl-1.0.2h.tar.gz、libopenssl-devel-1.0.2h-1.3.x86_64.rpm、pam-devel-1.1.8-6.1.x86_64.rpm、zlib-devel-1.2.7-2.1.2.x86_64.rpm。源码包应从官网(openssl.org、openssh.com)下载,并在解压前用官网公布的PGP签名(.asc)或SHA-256校验值核对完整性;下文的步骤本身没有做这一检查。
系统版本:
SUSE Linux Enterprise Server 11 (x86_64)
一、安装依赖软件
1、安装必要的gcc、gcc-c++编译工具及libopenssl-devel、pam-devel、zlib-devel
# Section 1: compilers and -devel headers needed to build OpenSSL and OpenSSH.
hm:~
# zypper in -y gcc gcc-c++
hm:
/usr/local/src
# NOTE(review): --nodeps skips rpm's dependency check and --force replaces files
# owned by already-installed packages; both bypass the safety net that keeps a
# hand-copied RPM from breaking the distro. Verify the package signature first
# (`rpm -K <file>.rpm`) and confirm the 1.0.2h devel RPM is needed at all, given
# that OpenSSL 1.0.2h is also built from source in section 2 below.
# rpm -ivh libopenssl-devel-1.0.2h-1.3.x86_64.rpm --nodeps --force
hm:
/usr/local/src
# Same caveat as above for pam-devel.
# rpm -ivh pam-devel-1.1.8-6.1.x86_64.rpm --nodeps --force
hm:
/usr/local/src
# zlib-devel installs with normal dependency checking.
# rpm -ivh zlib-devel-1.2.7-2.1.2.x86_64.rpm
二、安装OpenSSL
1、检查系统自带的openssl
# Section 2.1: record the distro OpenSSL and move its user-visible files aside.
hm:
/usr/local/src
# rpm -q openssl
openssl-0.9.8j-0.50.1
# Too many packages depend on openssl, so the old version is NOT uninstalled
# when upgrading; forcibly removing it may leave the system unable to run.
hm:
/usr/local/src
# openssl version
OpenSSL 0.9.8j-fips 07 Jan 2009
# NOTE(review): the distro build above identifies itself as a FIPS build
# ("-fips"); the source build installed below reports plain "1.0.2h", so any
# FIPS requirement is lost by this upgrade — confirm that is acceptable.
# Check where the openssl binary lives
hm:
/usr/local/src
# which openssl
/usr/bin/openssl
# During the upgrade the old files are moved to a backup location; once the new
# version is installed, links to the new version's paths take their place.
hm:
/usr/local/src
# whereis openssl
openssl:
/usr/bin/openssl
/usr/bin/X11/openssl
/usr/include/openssl
/usr/share/man/man1/openssl
.1ssl.gz
hm:
/usr/local/src
# ls /etc/ssl/
certs openssl.cnf private servercerts
# Back up the files above; /usr/bin/X11/openssl is a symlink to /usr/bin/openssl
# NOTE(review): /etc/ssl holds the system CA store (certs) and key material
# (private, servercerts). The backup below lands under /home — make it root-only
# (e.g. `chmod 700 /home/ssl_bak`), and plan to restore or re-link certs/
# afterwards, since the /etc/ssl created by the new build presumably will not
# contain the distro CA bundle (verify against the listing in section 2.2).
hm:
/usr/local/src
# mkdir /home/ssl_bak
hm:
/usr/local/src
# mv /usr/bin/openssl /home/ssl_bak/
hm:
/usr/local/src
# mv /etc/ssl /home/ssl_bak/etc_ssl
hm:
/usr/local/src
# mv /usr/include/openssl /home/ssl_bak/include_openssl
2、升级openssl
# 1) Install openssl-1.0.2h.tar.gz
# NOTE(review): nothing below checks the tarball's integrity; compare it with
# the PGP signature (.asc) or SHA-256 published on openssl.org before unpacking.
hm:
/usr/local/src
# tar -zxf openssl-1.0.2h.tar.gz
hm:
/usr/local/src
# cd openssl-1.0.2h/
hm:
/usr/local/src/openssl-1
.0.2h
# Build shared libraries under /usr/local/openssl, with the config/cert tree
# (--openssldir) at the same /etc/ssl path the distro used.
# NOTE(review): "zlib" compiles TLS compression support into libssl; leave it
# out unless something on this host actually needs compression.
# ./config --prefix=/usr/local/openssl --openssldir=/etc/ssl shared zlib
hm:
/usr/local/src/openssl-1
.0.2h
# make
# NOTE(review): a `make test` run before installing would catch a broken build
# before it is linked into sshd.
hm:
/usr/local/src/openssl-1
.0.2h
# make install
# Inspect the installed /usr/local/openssl tree
hm:
/usr/local/src/openssl-1
.0.2h
# ls /usr/local/openssl/{bin,include,lib}
/usr/local/openssl/bin
:
c_rehash fips_standalone_sha1 fipsld openssl
/usr/local/openssl/include
:
openssl
/usr/local/openssl/lib
:
engines fips_premain.c.sha1 fipscanister.o.sha1 libcrypto.so libssl.a libssl.so.1.0.0
fips_premain.c fipscanister.o libcrypto.a libcrypto.so.1.0.0 libssl.so pkgconfig
# Inspect /etc/ssl — this is the tree created by the new build, not the backup
# taken in section 2.1.
hm:
/usr/local/src/openssl-1
.0.2h
# ls /etc/ssl/
certs
man
misc openssl.cnf private
3、配置升级后的openssl的相关目录(链接openssl程序)
# Section 2.3: point the system paths at the new build and register its
# shared libraries with the dynamic loader.
hm:
/usr/local/src
# ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
hm:
/usr/local/src
# ln -s /usr/local/openssl/include/openssl /usr/include/openssl
hm:
/usr/local/src
# NOTE(review): appending to /etc/ld.so.conf adds a duplicate entry every time
# this step is re-run; a file under /etc/ld.so.conf.d/ is the usual place.
# Making /usr/local/openssl/lib visible to the loader affects every program
# that links libssl/libcrypto, not only sshd. The new libraries carry the
# 1.0.0 soname (see the lib listing above), so the distro's 0.9.8 consumers
# presumably keep their own copies — confirm with `ldd` on a few system
# binaries after ldconfig.
# echo "/usr/local/openssl/lib" >> /etc/ld.so.conf
hm:
/usr/local/src
# ldconfig
# Check the upgraded openssl version
hm:
/usr/local/src
# openssl version
OpenSSL 1.0.2h 3 May 2016
三、卸载系统原有的OpenSSH
# Stop the sshd service
# NOTE(review): from here until the new sshd starts, no new SSH logins are
# possible. Do this from a console/out-of-band session, or keep the current
# session open — only the listening daemon is stopped (see the message below),
# so an established session is expected to survive.
hm:~
# service sshd stop
Shutting down the listening SSH daemon
done
# Remove the distro openssh package
hm:~
# zypper rm openssh
hm:~
# rpm -qa | grep openssh
hm:~
# NOTE(review): /etc/ssh contains the host private keys and sshd_config. With it
# moved away, the new install will presumably generate fresh host keys, so every
# client will see a "host key changed" warning. Either copy the old ssh_host_*
# files back into /etc/ssh before starting the new sshd, or distribute the new
# fingerprints out of band. Keep the backup root-only (chmod 700) — it holds
# private keys.
# mv /etc/ssh /home/ssl_bak/
四、升级OpenSSH
# Section 4: build and install OpenSSH 7.1p1 against the OpenSSL from section 2.
hm:
/usr/local/src
# gzip -d openssh-7.1p1.tar.gz
# NOTE(review): as with OpenSSL, verify the tarball against the upstream
# signature first, and prefer the current release over a pinned 7.1p1.
hm:
/usr/local/src
# tar xf openssh-7.1p1.tar
hm:
/usr/local/src
# cd openssh-7.1p1/
# Build options: install under /usr with config in /etc/ssh, PAM support,
# MD5 shadow passwords, zlib compression, OpenSSL ENGINE support, and the
# OpenSSL installed in section 2 (--with-ssl-dir).
# NOTE(review): --with-pam only takes effect with "UsePAM yes" in sshd_config
# plus a PAM stack for the sshd service (contrib/sshd.pam.generic is a
# template). Because /etc/ssh was moved away, `make install` will install
# upstream's default sshd_config rather than SUSE's — review it before starting.
hm:
/usr/local/src/openssh-7
.1p1
# ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-openssl --with-md5-passwords --mandir=/usr/share/man --with-zlib --with-ssl-engine --with-ssl-dir=/usr/local/openssl
hm:
/usr/local/src/openssh-7
.1p1
# make
hm:
/usr/local/src/openssh-7
.1p1
# make install
# NOTE(review): sshd needs the privilege-separation user "sshd" and /var/empty;
# confirm they survived `zypper rm openssh` (the successful start below suggests
# they did). Run `sshd -t` to validate the config and host keys before starting.
# Check the upgraded version
hm:~
# ssh -V
OpenSSH_7.1p1, OpenSSL 1.0.2h 3 May 2016
# Copy the sshd init script; contrib/ holds one per supported system
hm:
/usr/local/src/openssh-7
.1p1
# cd contrib/
hm:
/usr/local/src/openssh-7
.1p1
/contrib
# ls
Makefile aix findssl.sh gnome-
ssh
-askpass2.c redhat
ssh
-copy-
id
sshd.pam.freebsd suse
README cygwin gnome-
ssh
-askpass1.c hpux solaris
ssh
-copy-
id
.1 sshd.pam.generic
hm:
/usr/local/src/openssh-7
.1p1
/contrib
# cp suse/rc.sshd /etc/init.d/sshd
hm:
/usr/local/src/openssh-7
.1p1
/contrib
# chmod 755 /etc/init.d/sshd
# Start sshd and enable it at boot
# NOTE(review): keep the current session open until a fresh login succeeds,
# so a broken config does not lock you out.
hm:
/usr/local/src/openssh-7
.1p1
/contrib
# chkconfig --add sshd
sshd 0:off 1:off 2:off 3:on 4:off 5:on 6:off
hm:
/usr/local/src/openssh-7
.1p1
/contrib
# chkconfig sshd on
hm:
/usr/local/src/openssh-7
.1p1
/contrib
# service sshd start
Starting SSH daemon
done
五、重新登陆服务器
注意几点:
1、OpenSSH 7.0起PermitRootLogin的默认值为prohibit-password:root仍然可以用密钥登录,只是不能再用密码登录。由于第三节把/etc/ssh整个移走了,make install装入的是上游默认的sshd_config而不是SuSe原来的配置,启动前应先检查一遍。只有在必须保留root密码登录时,才需要把PermitRootLogin和PasswordAuthentication改为yes;更稳妥的做法是按第六节的方式配置密钥登录,并保持PasswordAuthentication no。
2、编译openssh时若出现 configure: error: *** Can't find recent OpenSSL libcrypto (see config.log for details) ***,说明configure在--with-ssl-dir指定的目录下找不到可用的OpenSSL头文件或库,通常是第二节的OpenSSL没有安装好,或者第二节第3步的软链接/ldconfig尚未完成;具体原因以config.log为准。
六、检验ssh密钥配置
1、通过客户端远程登陆本机(从客户端使用密钥验证方式登陆升级OpenSSH后的SuSe服务器)
# Generate a key pair on the client (no type given, so ssh-keygen's default
# is used — the id_rsa.pub below shows it was RSA)
# NOTE(review): consider naming the type explicitly (e.g. -t ed25519, which a
# 7.x server supports) and protecting the private key with a passphrase.
[root@node4 ~]
# ssh-keygen
# Send the public key to the SuSe server
# NOTE(review): ssh-copy-id presumably authenticates with the root password on
# this first run (as the transcript in section 6.2 shows for the other
# direction), so root password login must still be enabled on 10.0.0.130 here.
[root@node4 ~]
# ssh-copy-id -i ~/.ssh/id_rsa.pub 10.0.0.130
# Log in and verify
# Key-based root login works with the OpenSSH 7 default
# "PermitRootLogin prohibit-password"; only root *password* login is refused,
# so PasswordAuthentication does not need to stay enabled after this step.
[root@node4 ~]
# ssh 10.0.0.130
Last login: Sat Jul 23 07:18:09 2016 from 10.0.0.14
hm:~
# ssh -V
OpenSSH_7.1p1, OpenSSL 1.0.2h 3 May 2016
hm:~
# exit
2、配置本机密钥远程登陆其他服务器
# Section 6.2: from the upgraded server, set up key login to 10.0.0.14.
hm:~
# ssh-keygen
hm:~
# ssh-copy-id -i ~/.ssh/id_rsa.pub 10.0.0.14
/usr/bin/ssh-copy-id
: INFO: Source of key(s) to be installed:
"/root/.ssh/id_rsa.pub"
# NOTE(review): this is a trust-on-first-use prompt. Compare the fingerprint
# below with one obtained out of band (e.g. from 10.0.0.14's console) before
# answering yes — the root password is typed into this connection right after.
The authenticity of host
'10.0.0.14 (10.0.0.14)'
can't be established.
RSA key fingerprint is SHA256:ov9sIuzLGQyS2FaJa4hY
/SKSZ4YenjXBULFLYauDUz8
.
Are you sure you want to
continue
connecting (
yes
/no
)?
yes
/usr/bin/ssh-copy-id
: INFO: attempting to log
in
with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id
: INFO: 1 key(s) remain to be installed --
if
you are prompted now it is to
install
the new keys
root@10.0.0.14's password:
Number of key(s) added: 1
Now try logging into the machine, with:
"ssh '10.0.0.14'"
and check to
make
sure that only the key(s) you wanted were added.
# NOTE(review): follow the tool's own advice — inspect root's authorized_keys
# on 10.0.0.14 and confirm only the intended key was added.
hm:~
# ssh 10.0.0.14
Last login: Thu Aug 11 23:30:24 2016 from 10.0.0.130
[root@node4 ~]
# exit
本文转自 HMLinux 51CTO博客,原文链接:http://blog.51cto.com/7424593/1840487