{"id":363,"date":"2023-06-26T14:16:24","date_gmt":"2023-06-26T06:16:24","guid":{"rendered":"https:\/\/feel.name\/?p=363"},"modified":"2023-06-26T14:17:04","modified_gmt":"2023-06-26T06:17:04","slug":"%e5%8d%87%e7%ba%a7%e5%88%b0openssh_9-3p1-openssl-3-1-1-2023-6-25","status":"publish","type":"post","link":"http:\/\/feel.name\/?p=363","title":{"rendered":"\u5347\u7ea7\u5230\u6700\u65b0OpenSSH_9.3p1, OpenSSL 3.1.1"},"content":{"rendered":"\n<p>openssl\u4e0b\u8f7d\u5730\u5740<br>git clone https:\/\/github.com\/openssl\/openssl.git<br>\u6216\u8005\u5b98\u7f51\u4e0b\u8f7d<br>https:\/\/www.openssl.org\/<br>\u5728\u5199\u672c\u6587\u65f6\u6700\u65b0\u7248\u672c\u4e3a3.1\u7cfb\u5217\uff0c\u652f\u6301\u52302025\u5e743\u6708\uff0c\u4e5f\u662f\u957f\u671f\u652f\u6301\u7248\u672cLTS\uff0c\u672c\u6b21\u53ea\u6d89\u53ca\u5347\u7ea7\u7cfb\u7edfopenssl\u548copenssh\uff0c\u5176\u4ed6\u4e8b\u9879\u4e0d\u6d89\u53ca\u591a\u8ba8\u8bba<br>openssh\u4e0b\u8f7d\u5730\u5740<br>https:\/\/ftp.openbsd.org\/pub\/OpenBSD\/OpenSSH\/portable\/openssh-9.3p1.tar.gz<br>\u6216\u8005\u5b98\u7f51\u4e0a\u7684\u5176\u4ed6\u65b9\u5f0f\u4e0b\u8f7d<br>https:\/\/www.openssh.com\/<br>\u5728\u5199\u672c\u6587\u65f6\u6700\u65b0\u7248\u672c\u4e3a9.3\uff0c2023.3.15\u53d1\u5e03\u7684<\/p>\n\n\n\n<p>\u6d4b\u8bd5\u7cfb\u7edf\u7248\u672c\u4e3acentos 7.9<br>[root@Test ~]# cat \/etc\/redhat-release<br>CentOS Linux release 7.9.2009 (Core)<br>\u76ee\u524d\u7684openssl\u7248\u672c<br>[root@Test ~]# openssl version<br>OpenSSL 1.0.2k-fips 26 Jan 2017<br>\u76ee\u524d\u7684openssh\u7248\u672c<br>OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017<\/p>\n\n\n\n<p>\u5f00\u59cb\u51c6\u5907\u5de5\u4f5c<br>1.\u5b89\u88c5\u7f16\u8bd1\u6240\u9700\u7684\u5305<br>yum install -y gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel pam-devel git<br>2.\u4e0b\u8f7dopenssl\u548copenssh<br>wget https:\/\/ftp.openssl.org\/source\/openssl-3.1.1.tar.gz --no-check-certificate<\/p>\n\n\n\n<p>wget 
https:\/\/ftp.openbsd.org\/pub\/OpenBSD\/OpenSSH\/portable\/openssh-9.3p1.tar.gz --no-check-certificate<br>--no-check-certificate\u4f1a\u8df3\u8fc7\u8bc1\u4e66\u6821\u9a8c\uff0c\u8bf7\u5728\u7f16\u8bd1\u524d\u7528\u5b98\u7f51\u7684SHA256\u6216PGP\u7b7e\u540d\u6821\u9a8c\u4e0b\u8f7d\u7684\u6587\u4ef6<\/p>\n\n\n\n<p>[root@Test src]# ls<br>openssh-9.3p1.tar.gz openssl-3.1.1.tar.gz<\/p>\n\n\n\n<p>3.\u5b89\u88c5openssl<br>\u89e3\u538b<br>tar xvf openssl-3.1.1.tar.gz<br>cd openssl-3.1.1<br>\u5907\u4efd\u4e0bopenssl\u548cinclude\u4e0b\u7684openssl\u6587\u4ef6<br>[root@Test openssl-3.1.1]# mv \/usr\/bin\/openssl \/usr\/bin\/openssl_bak<br>[root@Test openssl-3.1.1]# mv \/usr\/include\/openssl\/ \/usr\/include\/openssl_bak<\/p>\n\n\n\n<p>[root@Test openssl-3.1.1]#.\/config shared zlib --prefix=\/usr\/local\/openssl &amp;&amp; make &amp;&amp; make install<br>Can't locate IPC\/Cmd.pm in @INC (@INC contains: \/usr\/local\/src\/openssl-3.1.1\/util\/perl \/usr\/local\/lib64\/perl5 \/usr\/local\/share\/perl5 \/usr\/lib64\/perl5\/vendor_perl \/usr\/share\/perl5\/vendor_perl \/usr\/lib64\/perl5 \/usr\/share\/perl5 . \/usr\/local\/src\/openssl-3.1.1\/external\/perl\/Text-Template-1.56\/lib) at \/usr\/local\/src\/openssl-3.1.1\/util\/perl\/OpenSSL\/config.pm line 19.<br>BEGIN failed--compilation aborted at \/usr\/local\/src\/openssl-3.1.1\/util\/perl\/OpenSSL\/config.pm line 19.<br>Compilation failed in require at \/usr\/local\/src\/openssl-3.1.1\/Configure line 23.<br>BEGIN failed--compilation aborted at \/usr\/local\/src\/openssl-3.1.1\/Configure line 23.<br>\u5b89\u88c5\u62a5\u9519\u7cfb\u7edf\u7f3a\u5c11IPC\/Cmd.pm<\/p>\n\n\n\n<p>\u82e5\u662fzlib\u62a5\u9519\uff0c\u9700www.zlib.net\u5b98\u7f51\u4e0b\u8f7d\u5b89\u88c5\u5373\u53ef<\/p>\n\n\n\n<p>[root@Test openssl-3.1.1]# yum install perl-CPAN -y<br>[root@Test openssl-3.1.1]#perl -MCPAN -e shell<br>\u8fdb\u5165perl shell\u9700\u8981\u914d\u7f6e\uff0c\u9ed8\u8ba4\u914d\u7f6e\u5c31\u53ef\u4ee5\u4e86\u3002<br>cpan[1]&gt; install IPC\/Cmd.pm<br>\u6267\u884c\u540e\u81ea\u52a8\u4e0b\u8f7d\u5b89\u88c5IPC\/Cmd.pm<br>cpan[2]&gt; quit<br>\u7ee7\u7eed\u6267\u884c<br>[root@Test openssl-3.1.1]#.\/config shared 
zlib --prefix=\/usr\/local\/openssl &amp;&amp; make &amp;&amp; make install<br>[root@Test openssl-3.1.1]# echo $?<br>0<br>\u5df2\u5b89\u88c5\u6210\u529f<\/p>\n\n\n\n<p>[root@Test openssl-3.1.1]# cd \/usr\/local\/<br>[root@Test local]# ln -s openssl ssl<br>\u521b\u5efassl\u8f6f\u94fe\u63a5<br>[root@Test local]# ln -s \/usr\/local\/ssl\/bin\/openssl \/usr\/bin\/openssl<br>[root@Test local]# ln -s \/usr\/local\/ssl\/include\/openssl\/ \/usr\/include\/openssl<br>\u521b\u5efaopenssl\u7cfb\u7edf\u7684\u8f6f\u94fe\u63a5<\/p>\n\n\n\n<p>[root@Test local]# echo &quot;\/usr\/local\/ssl\/lib&quot; &gt;&gt; \/etc\/ld.so.conf<br>[root@Test local]# \/sbin\/ldconfig<\/p>\n\n\n\n<p>[root@Test local]# openssl version<br>openssl: error while loading shared libraries: libssl.so.3: cannot open shared object file: No such file or directory<br>\u62a5\u9519\u91cd\u65b0\u52a0\u8f7dlib64\u5e93<br>[root@Test local]# ldconfig \/usr\/local\/openssl\/lib64\/<br>[root@Test local]# openssl version<br>OpenSSL 3.1.1 30 May 2023 (Library: OpenSSL 3.1.1 30 May 2023)<\/p>\n\n\n\n<p>[root@Test ~]# openssl help<br>help:<\/p>\n\n\n\n<p>Standard commands<br>asn1parse ca ciphers cmp<br>cms crl crl2pkcs7 dgst<br>dhparam dsa dsaparam ec<br>ecparam enc engine errstr<br>fipsinstall gendsa genpkey genrsa<br>help info kdf list<br>mac nseq ocsp passwd<br>pkcs12 pkcs7 pkcs8 pkey<br>pkeyparam pkeyutl prime rand<br>rehash req rsa rsautl<br>s_client s_server s_time sess_id<br>smime speed spkac srp<br>storeutl ts verify version<br>x509<\/p>\n\n\n\n<p>Message Digest commands (see the `dgst' command for more details)<br>blake2b512 blake2s256 md4 md5<br>mdc2 rmd160 sha1 sha224<br>sha256 sha3-224 sha3-256 sha3-384<br>sha3-512 sha384 sha512 sha512-224<br>sha512-256 shake128 shake256 sm3<\/p>\n\n\n\n<p>Cipher commands (see the `enc' command for more details)<br>aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb<br>aes-256-cbc aes-256-ecb aria-128-cbc aria-128-cfb<br>aria-128-cfb1 aria-128-cfb8 aria-128-ctr 
aria-128-ecb<br>aria-128-ofb aria-192-cbc aria-192-cfb aria-192-cfb1<br>aria-192-cfb8 aria-192-ctr aria-192-ecb aria-192-ofb<br>aria-256-cbc aria-256-cfb aria-256-cfb1 aria-256-cfb8<br>aria-256-ctr aria-256-ecb aria-256-ofb base64<br>bf bf-cbc bf-cfb bf-ecb<br>bf-ofb camellia-128-cbc camellia-128-ecb camellia-192-cbc<br>camellia-192-ecb camellia-256-cbc camellia-256-ecb cast<br>cast-cbc cast5-cbc cast5-cfb cast5-ecb<br>cast5-ofb des des-cbc des-cfb<br>des-ecb des-ede des-ede-cbc des-ede-cfb<br>des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb<br>des-ede3-ofb des-ofb des3 desx<br>idea idea-cbc idea-cfb idea-ecb<br>idea-ofb rc2 rc2-40-cbc rc2-64-cbc<br>rc2-cbc rc2-cfb rc2-ecb rc2-ofb<br>rc4 rc4-40 seed seed-cbc<br>seed-cfb seed-ecb seed-ofb sm4-cbc<br>sm4-cfb sm4-ctr sm4-ecb sm4-ofb<br>zlib<\/p>\n\n\n\n<p>4.\u5b89\u88c5openssh<br>tar xvf openssh-9.3p1.tar.gz<br>[root@Test src]# cd openssh-9.3p1<br>\u5907\u4efdssh\u76ee\u5f55<br>cp -r \/etc\/ssh \/etc\/bakssh<br>cp -r \/etc\/pam.d\/sshd \/etc\/pam.d\/baksshd<\/p>\n\n\n\n<p>[root@Test openssh-9.3p1]# .\/configure --prefix=\/usr\/ --sysconfdir=\/etc\/ssh --with-openssl-includes=\/usr\/local\/ssl\/include --with-ssl-dir=\/usr\/local\/ssl --with-zlib --with-md5-passwords --with-pam &amp;&amp; make &amp;&amp; make install<br>chmod 600 \/etc\/ssh\/ssh_host_*_key<br>cp -a contrib\/redhat\/sshd.init \/etc\/init.d\/sshd<\/p>\n\n\n\n<p>chmod u+x \/etc\/init.d\/sshd<br>mv \/etc\/pam.d\/baksshd \/etc\/pam.d\/sshd<br>cp \/etc\/bakssh\/sshd_config \/etc\/ssh\/sshd_config<br>systemctl restart sshd<br>systemctl enable sshd<br>\u82e5\u662froot\u7528\u6237\u4e0d\u80fd\u767b\u5f55\u8bf7\u628asshd_config\u91cc\u7684\u6743\u9650\u5f00\u542f<br>PermitRootLogin yes<br>[root@Test ~]# cat \/etc\/shadow | grep root<br>\u67e5\u770b\u662f\u5426root\u7528\u6237\u9501\u5b9a \u5bc6\u7801\u524d\u662f\u4e0d\u662f\u6709!!<br>\u82e5\u662f\u9501\u5b9a \u89e3\u9664\u9501\u5b9a\u5373\u53ef<br>passwd -u 
root<br>\u51fa\u73b0\u4ee5\u4e0b\u9519\u8bef\u8bf7\u6ce8\u91ca\u6389\u914d\u7f6e\u6587\u4ef6\u768480 81\u884c<br>\/etc\/ssh\/sshd_config line 80: Unsupported option GSSAPIAuthentication<br>\/etc\/ssh\/sshd_config line 81: Unsupported option GSSAPICleanupCredentials<br>[root@Test ~]# systemctl status sshd -l<br>\u25cf sshd.service - OpenSSH server daemon<br>Loaded: loaded (\/usr\/lib\/systemd\/system\/sshd.service; enabled; vendor preset: enabled)<br>Active: activating (start) since Mon 2023-06-26 12:53:12 CST; 15s ago<br>Docs: man:sshd(8)<br>man:sshd_config(5)<br>Main PID: 42585 (sshd)<br>CGroup: \/system.slice\/sshd.service<br>\u2514\u250042585 sshd: \/usr\/sbin\/sshd -D [listener] 0 of 10-100 startup<\/p>\n\n\n\n<p>Jun 26 12:53:12 Test systemd[1]: Starting OpenSSH server daemon\u2026<br>Jun 26 12:53:12 Test sshd[42585]: Server listening on 0.0.0.0 port 22.<br>Jun 26 12:53:12 Test sshd[42585]: Server listening on :: port 22.<\/p>\n\n\n\n<p>\u4e0d\u662fActive: active (running)<\/p>\n\n\n\n<p>\u67e5\u770b\u65e5\u5fd7<\/p>\n\n\n\n<p>Jun 26 12:54:42 Test systemd: sshd.service start operation timed out. Terminating.<br>Jun 26 12:54:42 Test systemd: Failed to start OpenSSH server daemon.<br>Jun 26 12:54:42 Test systemd: Unit sshd.service entered failed state.<br>Jun 26 12:54:42 Test systemd: sshd.service failed.<br>Jun 26 12:54:46 Test systemd: Stopped OpenSSH server daemon.<br>Jun 26 12:54:46 Test systemd: Starting OpenSSH server daemon\u2026<br>Jun 26 12:56:16 Test systemd: sshd.service start operation timed out. 
Terminating.<br>Jun 26 12:56:16 Test systemd: Failed to start OpenSSH server daemon.<br>Jun 26 12:56:16 Test systemd: Unit sshd.service entered failed state.<br>Jun 26 12:56:16 Test systemd: sshd.service failed.<br>Jun 26 12:56:59 Test systemd: sshd.service holdoff time over, scheduling restart.<br>Jun 26 12:56:59 Test systemd: Stopped OpenSSH server daemon.<br>Jun 26 12:56:59 Test systemd: Starting OpenSSH server daemon\u2026<\/p>\n\n\n\n<p>\u89e3\u51b3\u65b9\u6848<br>systemctl stop sshd<br>rm -rf \/lib\/systemd\/system\/sshd.service<br>systemctl daemon-reload<\/p>\n\n\n\n<p>openssh-9.3p1\u662f\u4f60\u6700\u5f00\u59cbtar\u89e3\u538b\u7684\u76ee\u5f55,\u800c\u4e0d\u662f\u5b89\u88c5\u540e\u7684\u76ee\u5f55<\/p>\n\n\n\n<p>cp openssh-9.3p1\/contrib\/redhat\/sshd.init \/etc\/init.d\/sshd<br>systemctl daemon-reload<br>\/etc\/init.d\/sshd restart \u6216\u8005 systemctl start sshd<br>systemctl enable sshd<\/p>\n\n\n\n<p>\u5347\u7ea7\u540e\u7684\u7248\u672c<br>[root@Test ~]# ssh -V<br>OpenSSH_9.3p1, OpenSSL 3.1.1 30 May 2023<\/p>\n\n\n\n<p>5.\u751f\u4ea7\u73af\u5883\u6ce8\u610f\u4e8b\u9879<br>\u8fdc\u7a0b\u64cd\u4f5c\u8bf7\u5907\u4efd\u597d\u914d\u7f6e\u6587\u4ef6<br>\/etc\/ssh \u6574\u4e2a\u76ee\u5f55 \u4ee5\u53ca \/etc\/pam.d\/sshd<br>\u4e34\u65f6\u65b0\u6dfb\u52a0\u7528\u6237 \u6709ssh telnet\u7b49\u6743\u9650<br>\u9700\u8981\u5f00\u542ftelnet\u529f\u80fd\uff0cssh\u5347\u7ea7\u4f1a\u505c\u6b62sshd\u670d\u52a1<br>[root@Test ~]# yum install telnet telnet-server xinetd -y<br>[root@Test ~]# systemctl enable telnet.socket<br>[root@Test ~]# systemctl start telnet.socket<br>[root@Test ~]# systemctl enable xinetd<br>[root@Test ~]# systemctl start xinetd<\/p>\n\n\n\n<p>\u9632\u706b\u5899\u8fc723\u7aef\u53e3\u4ee5\u53ca\u5173\u95edselinux<\/p>\n\n\n\n<p>[root@Test ~]# echo 'pts\/0' &gt;&gt;\/etc\/securetty<br>[root@Test ~]# echo 'pts\/1' 
&gt;&gt;\/etc\/securetty<\/p>\n\n\n\n<p>\u5141\u8bb8telnet\u8fdc\u7a0b\u767b\u5f55root<br>\u6709\u65f6\u5019\u4e5f\u4f1a\u51fa\u73b0\u4e0d\u80fd\u767b\u5f55\u72b6\u51b5 \u770b\u65e5\u5fd7\uff0c\u4ee5\u9632\u4e07\u4e00\u628apts\/2 pts\/3\u52a0\u4e0a<br>[root@Test ~]# echo 'pts\/2' &gt;&gt;\/etc\/securetty<br>[root@Test ~]# echo 'pts\/3' &gt;&gt;\/etc\/securetty<br>\u5347\u7ea7\u5b8c\u6210\u5e76\u786e\u8ba4ssh\u80fd\u767b\u5f55\u540e\uff0c\u8bf7\u5173\u95edtelnet\u548cxinetd\u670d\u52a1\uff0c\u5e76\u5220\u9664\/etc\/securetty\u91cc\u6dfb\u52a0\u7684pts\u884c\uff0ctelnet\u4e3a\u660e\u6587\u4f20\u8f93\u3002<\/p>\n\n\n\n<p>\u8bf7\u8bb0\u4f4f\u5347\u7ea7\u751f\u4ea7\u73af\u5883\uff0c\u8bf7\u63d0\u524d\u5907\u4efd\u597d\u4e00\u5207\uff0c\u5e76\u6a21\u62df\u751f\u4ea7\u73af\u5883\u5347\u7ea7\u9884\u6f14\u6d4b\u8bd5\uff0c\u4e07\u65e0\u4e00\u5931\u540e\u8bf7\u518d\u53bb\u5347\u7ea7\uff0c\u505a\u597d\u5e94\u6025\u65b9\u6848\u786e\u4fdd\u80fd\u987a\u5229\u5b8c\u6210\u3002<br>\u5207\u8bb0\u522b\u628a\u670d\u52a1\u5668ssh\u5347\u7ea7\u540e\u8fde\u4e0d\u4e0a\u53bb\u4e86\u3002<\/p>\n\n\n\n<p>RPM\u5305\u67e5\u8be2\u4e0b\u8f7d\u5730\u5740<br>http:\/\/www.rpmfind.net\/linux\/RPM\/<\/p>\n\n\n\n<p>https:\/\/pkgs.org\/<br>\u80fd\u67e5\u5230\u7684\u7248\u672c\u662fopenssh 7.4p1 openssl 1.0.2k<\/p>\n","protected":false},"excerpt":{"rendered":"<p>openssl\u4e0b\u8f7d\u5730\u5740git clone 
https:\/\/github.com\/openssl\/openssl&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-363","post","type-post","status-publish","format-standard","hentry","category-linux"],"_links":{"self":[{"href":"http:\/\/feel.name\/index.php?rest_route=\/wp\/v2\/posts\/363","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/feel.name\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/feel.name\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/feel.name\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/feel.name\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=363"}],"version-history":[{"count":2,"href":"http:\/\/feel.name\/index.php?rest_route=\/wp\/v2\/posts\/363\/revisions"}],"predecessor-version":[{"id":365,"href":"http:\/\/feel.name\/index.php?rest_route=\/wp\/v2\/posts\/363\/revisions\/365"}],"wp:attachment":[{"href":"http:\/\/feel.name\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=363"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/feel.name\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=363"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/feel.name\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=363"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}