Untitled
OpenSSH source download
https://cloudflare.cdn.openbsd.org/pub/OpenSSH/OpenSSH/
# Fetch the matching .asc signature from the same directory and verify the tarball with gpg against the OpenSSH release key before building; a CDN mirror is only a mirror.
Preparation for building and installing
# Find where the packaged sshd lives
which sshd
/usr/sbin/sshd
Check the SSH version
# SSH client version
ssh -V
# SSH server version
sshd -V
Back up the configuration
sudo cp -rp /etc/pam.d/sshd /etc/pam.d/sshd.bak
sudo cp -rp /etc/ssh /etc/ssh_bak
sudo cp -ar /etc/init.d/sshd /etc/init.d/sshd.bak   # only present on SysV-style hosts; CentOS 7 uses sshd.service
sudo cp -ar /usr/bin/ssh /usr/bin/ssh.bak
sudo cp -ar /usr/sbin/sshd /usr/sbin/sshd_bak
# The saved /usr/sbin/sshd_bak is a working server: if the new build misbehaves it can be started by hand on a spare port (-p) as a rollback path that does not need telnet.
Restore the SSH configuration
# Note the trailing "/." : a plain `cp -ar /etc/ssh_bak /etc/ssh` would create /etc/ssh/ssh_bak when /etc/ssh still exists instead of restoring its contents
cp -ar /etc/ssh_bak/. /etc/ssh/
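An added example (not from the original notes) that does the backup and restore above as one verified snapshot: every path goes into a timestamped directory with a SHA-256 manifest, and the restore refuses to run if the snapshot no longer matches that manifest. It assumes GNU coreutils (cp -a, sha256sum, find -print0). The paths are arguments so it can be rehearsed on a scratch tree first; on the live host it would be called with /etc/ssh /etc/pam.d/sshd /usr/bin/ssh /usr/sbin/sshd.

```bash
#!/usr/bin/env bash
# Verified backup/restore of the files an OpenSSH upgrade touches.
# Example code, not part of the original notes. Assumes GNU coreutils.

# backup_ssh_paths BACKUP_ROOT PATH...
# Copies each PATH (file or directory) to BACKUP_ROOT/ssh-backup-<ts>/<PATH>,
# preserving mode, owner and timestamps, then writes a SHA-256 manifest next to
# the snapshot directory. Prints the snapshot directory on stdout.
backup_ssh_paths() {
    local root="$1"; shift
    mkdir -p "$root" || return 1
    root=$(cd "$root" && pwd) || return 1          # absolute, for the manifest
    local snap="$root/ssh-backup-$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$snap" || return 1
    local p
    for p in "$@"; do
        [ -e "$p" ] || { echo "skip missing: $p" >&2; continue; }
        mkdir -p "$snap$(dirname "$p")" || return 1
        cp -a "$p" "$snap$(dirname "$p")/" || return 1
    done
    # manifest lives outside the snapshot so it is not part of what it hashes
    ( cd "$snap" && find . -type f -print0 | sort -z | xargs -0r sha256sum ) \
        > "$snap.sha256" || return 1
    echo "$snap"
}

# verify_ssh_backup SNAP: 0 only if every file still matches the manifest
verify_ssh_backup() {
    local snap="$1"
    case "$snap" in /*) ;; *) snap="$PWD/$snap" ;; esac
    ( cd "$snap" && sha256sum --quiet -c "$snap.sha256" )
}

# restore_ssh_paths SNAP PATH...: copy the listed paths back from SNAP.
# Refuses to restore from a snapshot whose contents no longer match.
restore_ssh_paths() {
    local snap="$1"; shift
    verify_ssh_backup "$snap" || { echo "manifest mismatch, refusing to restore" >&2; return 1; }
    local p
    for p in "$@"; do
        [ -e "$snap$p" ] || { echo "not in snapshot: $p" >&2; return 1; }
        mkdir -p "$(dirname "$p")" || return 1
        # copying "snap/etc/ssh" into "/etc/" merges into the existing /etc/ssh
        cp -a "$snap$p" "$(dirname "$p")/" || return 1
    done
}

# Live host usage (run as root):
#   snap=$(backup_ssh_paths /root/ssh-backups /etc/ssh /etc/pam.d/sshd /usr/bin/ssh /usr/sbin/sshd)
#   verify_ssh_backup "$snap"
#   restore_ssh_paths "$snap" /etc/ssh           # rollback of the config only
```

The manifest is what turns a pile of *.bak files into something you can trust during a rollback: if anyone edited the snapshot after it was taken, the restore stops instead of copying a tampered sshd_config back into place.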
Install and start telnet (a temporary fallback login path in case the new sshd does not come up; telnet is cleartext, so open it only for the duration of the upgrade and only to the admin host)
# Online install
yum install -y telnet telnet-server xinetd
# Offline install
yum localinstall telnet-server-0.17-65.el7_8.x86_64.rpm -y
# Check that it is installed
rpm -qa | grep telnet
# Back up the telnet configuration file
cp -rp /etc/securetty /etc/securetty.bak
# Allow root to log in on a few pts terminals (telnet sessions get pts/N); without this root is refused over telnet
pts=$'pts/0\npts/1\npts/2\npts/3' && echo "$pts" >> /etc/securetty
vi /etc/services
# Uncomment the port 23 (telnet) entry
# Service configuration, only for the xinetd variant (on CentOS 7 the package ships telnet.socket instead, so this file may not exist)
vi /etc/xinetd.d/telnet
# change disable=yes to disable=no
# Start the telnet service (systemd socket, or xinetd)
systemctl start telnet.socket
service xinetd start
# Open port 23 in iptables. Add -s <admin host address> to limit who can reach it. iptables-save only prints the current rules, which is fine here: the opening is meant to disappear after the upgrade, so do not persist it.
iptables -I INPUT 1 -p tcp --dport 23 -j ACCEPT -m comment --comment "allow port 23"
iptables-save
# With firewalld, --permanent makes the opening survive reboots; remember to --remove-port it when telnet is shut down
firewall-cmd --zone=public --add-port=23/tcp --permanent
firewall-cmd --reload
Install the build dependencies
sudo yum localinstall pam-devel-1.1.8-23.el7.x86_64.rpm pam-1.1.8-23.el7.x86_64.rpm openssl-devel-1.0.2k-19.el7.x86_64.rpm openssl-libs-1.0.2k-19.el7.x86_64.rpm zlib-devel-1.2.7-18.el7.x86_64.rpm openssl-1.0.2k-19.el7.x86_64.rpm -y
Upgrade prerequisite
OpenSSL >= 1.1.1 (see the separate OpenSSL upgrade procedure, which the original page links here)
If files cannot be copied onto the host directly, pull them from a host that has them
scp username@remote_host:/usr/local/src/filename /usr/local/src/
scp smmc@192.168.115.40:/home/smmc/tjp/*.rpm /home/smmc/
# Watch the permissions on the destination directory
# Or try a local XFTP client and see whether it can connect
Uploading offline files through the terminal (ZMODEM via lrzsz; -b binary mode, -e escape control characters)
rz -be
Configure
./configure --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-ssl-dir=/usr/local/openssl
# --sysconfdir keeps the config in /etc/ssh so the existing sshd_config and host keys are reused. --with-ssl-dir points the build at the upgraded OpenSSL; its lib directory must also be visible to the runtime loader (an ld.so.conf.d entry plus ldconfig), otherwise the installed sshd fails to load libcrypto at start-up.
Output of a successful configure (the warning about --with-md5-passwords means this release's configure script no longer has that option; it is harmless, MD5 crypt passwords are handled by PAM)
configure: WARNING: unrecognized options: --with-md5-passwords
OpenSSH has been configured with the following options:
User binaries: /usr/local/bin
System binaries: /usr/local/sbin
Configuration files: /etc/ssh
Askpass program: /usr/local/libexec/ssh-askpass
Manual pages: /usr/local/share/man/manX
PID file: /var/run
Privilege separation chroot path: /var/empty
sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
Manpage format: doc
PAM support: yes
OSF SIA support: no
KerberosV support: no
SELinux support: no
libedit support: no
libldns support: no
Solaris process contract support: no
Solaris project support: no
Solaris privilege support: no
IP address in $DISPLAY hack: no
Translate v4 in v6 hack: yes
BSD Auth support: no
Random number source: OpenSSL internal ONLY
Privsep sandbox style: seccomp_filter
PKCS#11 support: yes
U2F/FIDO support: yes
Host: x86_64-pc-linux-gnu
Compiler: cc -std=gnu11
Compiler flags: -g -O2 -pipe -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE
Preprocessor flags: -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -D_GNU_SOURCE
Linker flags: -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -pie
Libraries: -ldl -lutil -lresolv
+for channels: -lcrypto -lz
+for sshd: -lcrypt -lpam
PAM is enabled. You may need to install a PAM control file
for sshd, otherwise password authentication may fail.
Example PAM control files can be found in the contrib/
subdirectory
Build and install
# Build as an unprivileged user; only the install step needs root
make
sudo make install
Shut down telnet (once a login through the new sshd has been confirmed; also stop telnet.socket as described under the last section below, remove the port-23 firewall rules added earlier, and remove telnet-server so the fallback does not outlive the upgrade)
service xinetd stop
systemctl stop xinetd.service
Tips
`make install` for OpenSSH 9.3 does not overwrite files that already exist under /etc/ssh, and its last step runs the new binary in test mode (-t) against the existing sshd_config. It does not restart the service: the old sshd keeps serving port 22 until sshd.service is restarted. The tail of the install output:
/bin/mkdir -p /etc/ssh
/etc/ssh/ssh_config already exists, install will not overwrite
/etc/ssh/sshd_config already exists, install will not overwrite
/etc/ssh/moduli already exists, install will not overwrite
/usr/local/sbin/sshd -t -f /etc/ssh/sshd_config
Common errors and their fixes
Version unchanged
# First confirm the new sshd was actually installed
/usr/local/sbin/sshd -V
# sshd.service (and `which sshd`) still use /usr/sbin/sshd, the packaged 7.4 binary, so point it at the new build and restart the service
ln -sf /usr/local/sbin/sshd /usr/sbin/sshd
# The client has the same split: /usr/bin/ssh is still the packaged binary and /usr/local/bin/ssh the new one, so `ssh -V` reports whichever comes first in PATH. After the link, `rpm -V openssh-server` will report the replaced file, and a later yum update of the openssh packages would put the old binary back.
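An added check (not from the original notes) for the "version unchanged" case: instead of trusting `which sshd`, read the program path out of the systemd unit and compare it, through any symlinks, with the freshly built binary. It assumes GNU awk and readlink, and the CentOS 7 unit path /usr/lib/systemd/system/sshd.service in the usage comment; both paths are arguments so the functions can be tried on a copy.

```bash
#!/usr/bin/env bash
# Which sshd will systemd actually start? Example code, not from the original
# notes. Assumes GNU awk/readlink.

# sshd_exec_from_unit UNIT_FILE: print the program from the unit's first
# ExecStart= line. systemd allows prefix characters ("-", "@", "+", "!", ":")
# in front of the path; they are stripped.
sshd_exec_from_unit() {
    awk '/^ExecStart=/ {
            sub(/^ExecStart=/, "")     # drop the key, keep "prog args..."
            sub(/^[-@+!:]+/, "")       # drop systemd exec prefixes
            print $1                   # fields are re-split from modified $0
            exit
         }' "$1"
}

# same_binary PATH_A PATH_B: succeed only if both resolve to the same file
# after following symlinks (so /usr/sbin/sshd -> /usr/local/sbin/sshd counts).
same_binary() {
    [ -n "$1" ] && [ -n "$2" ] &&
        [ "$(readlink -f -- "$1")" = "$(readlink -f -- "$2")" ]
}

# check_service_uses_new_sshd UNIT_FILE NEW_SSHD: report which binary the
# service starts; 0 if it is NEW_SSHD (directly or via a link), 1 otherwise.
check_service_uses_new_sshd() {
    local exe
    exe=$(sshd_exec_from_unit "$1")
    if same_binary "$exe" "$2"; then
        echo "service starts $exe -> $(readlink -f -- "$exe") (new build)"
        return 0
    fi
    echo "service starts ${exe:-<no ExecStart found>}, not $2" >&2
    return 1
}

# Live host:
#   check_service_uses_new_sshd /usr/lib/systemd/system/sshd.service /usr/local/sbin/sshd \
#       && "$(sshd_exec_from_unit /usr/lib/systemd/system/sshd.service)" -V
```

Run the check before and after the `ln -sf`: the binary that answers on port 22 is the one in ExecStart, not the one `ssh -V` or `which` happens to find first in PATH.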
configure: error: PAM headers not found
First check whether pam-devel is installed
rpm -qa | grep pam-devel
Install the PAM headers
sudo yum install pam-devel-1.1.8-23.el7.x86_64.rpm
configure: error: zlib.h missing - please install first or check config.log
Error message
configure: error: *** zlib.h missing - please install first or check config.log ***
Fix
# Install the zlib headers (pam is installed here because pam-devel requires the matching pam version)
sudo yum localinstall zlib-devel-1.2.7-18.el7.x86_64.rpm
sudo yum localinstall pam-1.1.8-23.el7.x86_64.rpm
configure: error: working libcrypto not found, check config.log
Error message
configure: error: *** working libcrypto not found, check config.log
Fix
sudo yum localinstall openssl-devel-1.0.2k-19.el7.x86_64.rpm -y
# Check config.log first: with --with-ssl-dir set, this error usually means the custom OpenSSL's include or lib directory is wrong or its libcrypto cannot be linked. Installing the distro openssl-devel can make the build quietly use the system OpenSSL 1.0.2k instead of the 1.1.1 build that the prerequisite above calls for; `ldd /usr/local/sbin/sshd` after install shows which one was actually linked.
If that command in turn fails with
Error: Package: 1:openssl-devel-1.0.2k-19.el7.x86_64 (/openssl-devel-1.0.2k-19.el7.x86_64)
Requires: openssl-libs(x86-64) = 1:1.0.2k-19.el7
Installed: 1:openssl-libs-1.0.2k-16.el7.x86_64 (@anaconda)
openssl-libs(x86-64) = 1:1.0.2k-16.el7
You could try using --skip-broken to work around the problem
** Found 1 pre-existing rpmdb problem(s), 'yum check' output follows:
pam-devel-1.1.8-23.el7.x86_64 has missing requires of pam(x86-64) = ('0', '1.1.8', '23.el7')
Fix: openssl-devel requires openssl-libs of exactly the same version, so install that first, then retry openssl-devel
sudo yum localinstall openssl-libs-1.0.2k-19.el7.x86_64.rpm -y
Host key file permission problem
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_rsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Unable to load host key "/etc/ssh/ssh_host_rsa_key": bad permissions
Unable to load host key: /etc/ssh/ssh_host_rsa_key
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_ecdsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Unable to load host key "/etc/ssh/ssh_host_ecdsa_key": bad permissions
Unable to load host key: /etc/ssh/ssh_host_ecdsa_key
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_ed25519_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Unable to load host key "/etc/ssh/ssh_host_ed25519_key": bad permissions
Unable to load host key: /etc/ssh/ssh_host_ed25519_key
sshd: no hostkeys available -- exiting
Fix
chmod 600 /etc/ssh/ssh_host_rsa_key
chmod 600 /etc/ssh/ssh_host_ecdsa_key
chmod 600 /etc/ssh/ssh_host_ed25519_key
# Why this happens: the CentOS 7 openssh-server package ships host keys as 0640 root:ssh_keys and its patched sshd accepts that; upstream sshd refuses any private key that has group or other permission bits set, whatever the group is. The check is on the mode bits, so chmod 600 on every ssh_host_*_key is enough; the .pub files stay 0644.
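An added example (not from the original notes) that applies the fix above to every ssh_host_*_key in a directory rather than three hard-coded files, keeps the public halves readable, and reports what it changed. It assumes GNU stat (-c %a). The directory is a parameter so it can be rehearsed on a copy; on the live host it is run against /etc/ssh.

```bash
#!/usr/bin/env bash
# Normalise host key permissions the way upstream sshd expects.
# Example code, not from the original notes. Assumes GNU coreutils.

# fix_hostkey_perms DIR: make every ssh_host_*_key 0600 and its .pub 0644.
# Prints the number of private keys whose mode had to change; per-file
# details go to stderr. Returns non-zero if a chmod or stat fails.
fix_hostkey_perms() {
    local dir="$1" changed=0 f mode
    for f in "$dir"/ssh_host_*_key; do
        # an unmatched glob stays literal, so skip anything that is not a file
        [ -f "$f" ] || continue
        mode=$(stat -c %a "$f") || return 1
        # sshd rejects a private key with any group/other bit set; the
        # CentOS package's 0640 root:ssh_keys only works with the distro patch
        if [ "$mode" != "600" ]; then
            chmod 600 "$f" || return 1
            echo "fixed $f: $mode -> 600" >&2
            changed=$((changed + 1))
        fi
        # the public half is meant to be world-readable
        if [ -f "$f.pub" ]; then
            chmod 644 "$f.pub" || return 1
        fi
    done
    echo "$changed"
}

# hostkeys_ok DIR: succeed only if no ssh_host_*_key has group/other bits,
# i.e. sshd would load all of them.
hostkeys_ok() {
    local f
    for f in "$1"/ssh_host_*_key; do
        [ -f "$f" ] || continue
        [ "$(stat -c %a "$f")" = "600" ] || return 1
    done
    return 0
}

# Live host: fix_hostkey_perms /etc/ssh && /usr/local/sbin/sshd -t
```

Running `sshd -t` afterwards is the real confirmation: it loads the keys exactly as the service will, so "no hostkeys available" cannot come back at the restart.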
Unsupported option
/etc/ssh/sshd_config line 81: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 83: Unsupported option GSSAPICleanupCredentials
Fix
# The GSSAPI* keywords come from the CentOS sshd_config. They are only compiled in with --with-kerberos5, and the configure summary above shows "KerberosV support: no", so this sshd rejects them. Either comment them out or, if GSSAPI logins are actually used on this host, rebuild with Kerberos support instead.
sed -i 's/^GSSAPIAuthentication yes/#&/' /etc/ssh/sshd_config
sed -i 's/^GSSAPICleanupCredentials yes/#&/' /etc/ssh/sshd_config
# With the 9.7 config the following line also had to be commented out
sed -i 's/^GSSAPICleanupCredentials no/#&/' /etc/ssh/sshd_config
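An added example (not from the original notes) that generalises the three sed lines above: it parses the "Unsupported option" lines that `sshd -t` prints and comments out every active directive with that name, whatever its value, so a config with `GSSAPICleanupCredentials no` is handled the same as one with `yes`. It assumes GNU sed (for -i and the case-insensitive s///I flag) and awk. The config path is a parameter so it can be rehearsed on a copy of /etc/ssh/sshd_config.

```bash
#!/usr/bin/env bash
# Disable sshd_config keywords this build does not know.
# Example code, not from the original notes. Assumes GNU sed/awk.

# unsupported_options_from_log: read `sshd -t` output on stdin, print one
# unsupported keyword per line (deduplicated). The keyword is the last word of
# lines such as "/etc/ssh/sshd_config line 81: Unsupported option GSSAPIAuthentication".
unsupported_options_from_log() {
    awk '/Unsupported option/ { print $NF }' | sort -u
}

# disable_sshd_options CONFIG OPTION...: comment out every uncommented line
# whose first word is one of OPTION. sshd keywords are case-insensitive, and
# both "Key value" and "Key=value" forms are matched. Prints the number of
# lines commented out.
disable_sshd_options() {
    local cfg="$1"; shift
    local count=0 opt n
    for opt in "$@"; do
        # leading whitespace, the keyword, then whitespace or '=' (so
        # GSSAPIAuthentication does not match GSSAPIAuthenticationFoo)
        n=$(grep -ciE "^[[:space:]]*${opt}([[:space:]]|=)" "$cfg" || true)
        [ "$n" -gt 0 ] || continue
        sed -i -E "s/^([[:space:]]*${opt}([[:space:]]|=).*)$/#\1/I" "$cfg" || return 1
        count=$((count + n))
    done
    echo "$count"
}

# Live host (repeat until sshd -t is silent, since sshd stops at the first
# fatal error and may report more keywords on the next run):
#   disable_sshd_options /etc/ssh/sshd_config \
#       $(/usr/local/sbin/sshd -t 2>&1 | unsupported_options_from_log)
#   /usr/local/sbin/sshd -t
```

Commenting rather than deleting keeps the distribution's intent visible in the file, which matters if the host is later rebuilt with `--with-kerberos5` and those lines should come back.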
Miscellaneous notes kept from the original (a CentOS 6 mirror and the tail of a glibc build; not part of the OpenSSH procedure above)
http://mirror.centos.org/centos/6/os/x86_64/
sudo rpm --import https://mirrors.aliyun.com/centos-vault/6.0/os/x86_64/RPM-GPG-KEY-CentOS-6
Your new glibc installation seems to be ok.
make[1]: Leaving directory `/root/glibc-2.15'
"Key not registered on the remote host" after the upgrade
OpenSSH has disabled the SHA-1 based ssh-rsa signature algorithm by default since 8.8 (so every 9.x build behaves this way); clients that only speak ssh-rsa can no longer verify the host key or authenticate with their RSA key. The notes re-enable it by adding the following to /etc/ssh/sshd_config:
HostkeyAlgorithms +ssh-rsa
# with 9.8 and later this form was used
HostKeyAlgorithms=+ssh-rsa
PubkeyAcceptedAlgorithms +ssh-rsa
# Caveat: this turns SHA-1 signatures back on for the whole server. RSA keys themselves are not the problem: any client from OpenSSH 7.2 onwards signs with rsa-sha2-256/512 using the same key, so updating the client is the better fix. If ssh-rsa must stay on for a few legacy clients, scope PubkeyAcceptedAlgorithms to them with a Match block rather than setting it globally.
Telnet connection problem: telnet: connect to address 192.168.13.42: No route to host
Fix (the host firewall is rejecting port 23)
iptables -I INPUT 1 -p tcp --dport 23 -j ACCEPT -m comment --comment "allow port 23"
# Stray line from the "version unchanged" fix above: the link belongs at /usr/sbin/sshd, the path sshd.service executes, not under /usr/bin
ln -sf /usr/local/sbin/sshd /usr/sbin/sshd
libcrypto.so.1.1 Permission denied
Error message:
sshd: error while loading shared libraries: libcrypto.so.1.1: cannot open shared object file: Permission denied
Fix:
# libcrypto.so.1.1
Delete libcrypto.so.1.1 and copy the file over from a healthy host (same OpenSSL build).
Check the file permissions; if it is a symlink, check the permissions of the target. The loader needs the library itself readable (0755 or 0644) and every directory on the way searchable. On an SELinux host a library copied in with cp can also carry the wrong security context, so check it with ls -Z and run restorecon on the file. `ldd /usr/local/sbin/sshd` shows which libcrypto the binary resolves to and whether the custom OpenSSL lib directory is on the loader path at all.
pam_unix(sshd:session): session closed for user root
Check /var/log/secure; the message looks like:
pam_unix(sshd:session): session closed for user root
On its own this line is PAM's normal record of a session ending. To force a user off:
# list sessions, then kill the terminal
who
pkill -kill -t pts/1
The PAM stack sshd uses is /etc/pam.d/sshd (backed up at the start). The upstream `make install` does not ship or replace it, so the distribution's file stays in use, which is what --with-pam needs for password logins.
Telnet will not shut down
The telnet service is stopped but the port is still in use: the systemd socket unit keeps port 23 open and spawns a telnet@ instance per connection, so the socket has to be stopped (and disabled) as well
systemctl stop telnet.socket