Upgrading to the latest OpenSSH_9.3p1 and OpenSSL 3.1.1

OpenSSL download
git clone https://github.com/openssl/openssl.git
or download from the official site:
https://www.openssl.org/
At the time of writing the latest version is the 3.1 series, supported until March 2025 and also a long-term support (LTS) release. This article only covers upgrading the system OpenSSL and OpenSSH; other matters are not discussed further.
OpenSSH download
https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.3p1.tar.gz
or use one of the other download methods listed on the official site:
https://www.openssh.com/
At the time of writing the latest version is 9.3, released on 2023-03-15.

The test system is CentOS 7.9:
[root@Test ~]# cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)
Current OpenSSL version:
[root@Test ~]# openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017
Current OpenSSH version:
[root@Test ~]# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017

Preparation
1. Install the packages needed for compiling
yum install -y gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel pam-devel git
2. Download OpenSSL and OpenSSH
wget https://ftp.openssl.org/source/openssl-3.1.1.tar.gz --no-check-certificate

wget https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.3p1.tar.gz --no-check-certificate

Note that --no-check-certificate skips TLS certificate verification of the download server, so check the downloaded tarballs against the checksums or signatures published by each project before building them.

[root@Test src]# ls
openssh-9.3p1.tar.gz openssl-3.1.1.tar.gz

3. Install OpenSSL
Extract:
tar xvf openssl-3.1.1.tar.gz
cd openssl-3.1.1
Back up the existing openssl binary and the openssl headers under /usr/include:
[root@Test openssl-3.1.1]# mv /usr/bin/openssl /usr/bin/openssl_bak
[root@Test openssl-3.1.1]# mv /usr/include/openssl/ /usr/include/openssl_bak

[root@Test openssl-3.1.1]# ./config shared zlib --prefix=/usr/local/openssl && make && make install
Can't locate IPC/Cmd.pm in @INC (@INC contains: /usr/local/src/openssl-3.1.1/util/perl /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 . /usr/local/src/openssl-3.1.1/external/perl/Text-Template-1.56/lib) at /usr/local/src/openssl-3.1.1/util/perl/OpenSSL/config.pm line 19.
BEGIN failed--compilation aborted at /usr/local/src/openssl-3.1.1/util/perl/OpenSSL/config.pm line 19.
Compilation failed in require at /usr/local/src/openssl-3.1.1/Configure line 23.
BEGIN failed--compilation aborted at /usr/local/src/openssl-3.1.1/Configure line 23.
The configure step fails because the system is missing the Perl module IPC/Cmd.pm.

If zlib errors out instead, download and install it from www.zlib.net.

[root@Test openssl-3.1.1]# yum install perl-CPAN -y
[root@Test openssl-3.1.1]# perl -MCPAN -e shell
The Perl shell asks for configuration on first start; the defaults are fine.
cpan[1]> install IPC/Cmd.pm
This downloads and installs IPC/Cmd.pm automatically.
cpan[2]> quit
Continue:
[root@Test openssl-3.1.1]# ./config shared zlib --prefix=/usr/local/openssl && make && make install
[root@Test openssl-3.1.1]# echo $?
0
The installation succeeded.

[root@Test openssl-3.1.1]# cd /usr/local/
[root@Test local]# ln -s openssl ssl
Create the ssl symlink.
[root@Test local]# ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
[root@Test local]# ln -s /usr/local/ssl/include/openssl/ /usr/include/openssl
Create the system-wide symlinks for the openssl binary and headers.

[root@Test local]# echo "/usr/local/ssl/lib" >> /etc/ld.so.conf
[root@Test local]# /sbin/ldconfig

[root@Test local]# openssl version
openssl: error while loading shared libraries: libssl.so.3: cannot open shared object file: No such file or directory
The error appears because OpenSSL 3 installs its libraries under lib64 on 64-bit systems, so the lib path added above does not exist; reload the linker cache with the lib64 directory:
[root@Test local]# ldconfig /usr/local/openssl/lib64/
Passing the directory to ldconfig only adds it to the cache for this run; to make it permanent, put /usr/local/openssl/lib64 into /etc/ld.so.conf (or a file under /etc/ld.so.conf.d/) instead of the lib path.
[root@Test local]# openssl version
OpenSSL 3.1.1 30 May 2023 (Library: OpenSSL 3.1.1 30 May 2023)

[root@Test ~]# openssl help
help:

Standard commands
asn1parse ca ciphers cmp
cms crl crl2pkcs7 dgst
dhparam dsa dsaparam ec
ecparam enc engine errstr
fipsinstall gendsa genpkey genrsa
help info kdf list
mac nseq ocsp passwd
pkcs12 pkcs7 pkcs8 pkey
pkeyparam pkeyutl prime rand
rehash req rsa rsautl
s_client s_server s_time sess_id
smime speed spkac srp
storeutl ts verify version
x509

Message Digest commands (see the `dgst' command for more details)
blake2b512 blake2s256 md4 md5
mdc2 rmd160 sha1 sha224
sha256 sha3-224 sha3-256 sha3-384
sha3-512 sha384 sha512 sha512-224
sha512-256 shake128 shake256 sm3

Cipher commands (see the `enc' command for more details)
aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb
aes-256-cbc aes-256-ecb aria-128-cbc aria-128-cfb
aria-128-cfb1 aria-128-cfb8 aria-128-ctr aria-128-ecb
aria-128-ofb aria-192-cbc aria-192-cfb aria-192-cfb1
aria-192-cfb8 aria-192-ctr aria-192-ecb aria-192-ofb
aria-256-cbc aria-256-cfb aria-256-cfb1 aria-256-cfb8
aria-256-ctr aria-256-ecb aria-256-ofb base64
bf bf-cbc bf-cfb bf-ecb
bf-ofb camellia-128-cbc camellia-128-ecb camellia-192-cbc
camellia-192-ecb camellia-256-cbc camellia-256-ecb cast
cast-cbc cast5-cbc cast5-cfb cast5-ecb
cast5-ofb des des-cbc des-cfb
des-ecb des-ede des-ede-cbc des-ede-cfb
des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb
des-ede3-ofb des-ofb des3 desx
idea idea-cbc idea-cfb idea-ecb
idea-ofb rc2 rc2-40-cbc rc2-64-cbc
rc2-cbc rc2-cfb rc2-ecb rc2-ofb
rc4 rc4-40 seed seed-cbc
seed-cfb seed-ecb seed-ofb sm4-cbc
sm4-cfb sm4-ctr sm4-ecb sm4-ofb
zlib

4. Install OpenSSH
tar xvf openssh-9.3p1.tar.gz
[root@Test src]# cd openssh-9.3p1
Back up the ssh directory and the sshd PAM configuration:
cp -r /etc/ssh /etc/bakssh
cp -r /etc/pam.d/sshd /etc/pam.d/baksshd

[root@Test openssh-9.3p1]# ./configure --prefix=/usr/ --sysconfdir=/etc/ssh --with-openssl-includes=/usr/local/ssl/include --with-ssl-dir=/usr/local/ssl --with-zlib --with-md5-passwords --with-pam && make && make install
chmod 600 /etc/ssh/ssh_host_*_key
cp -a contrib/redhat/sshd.init /etc/init.d/sshd

chmod u+x /etc/init.d/sshd
cp /etc/pam.d/baksshd /etc/pam.d/sshd
cp /etc/bakssh/sshd_config /etc/ssh/sshd_config
systemctl restart sshd
systemctl enable sshd
If root cannot log in, enable it in sshd_config:
PermitRootLogin yes
[root@Test ~]# cat /etc/shadow | grep root
Check whether the root account is locked: a locked account has "!!" in front of the password hash.
If it is locked, unlock it:
passwd -u root
If the following errors appear, comment out lines 80 and 81 of the config file (this build was configured without Kerberos, so the new sshd does not recognise the GSSAPI options):
/etc/ssh/sshd_config line 80: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 81: Unsupported option GSSAPICleanupCredentials
[root@Test ~]# systemctl status sshd -l
● sshd.service - OpenSSH server daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
Active: activating (start) since Mon 2023-06-26 12:53:12 CST; 15s ago
Docs: man:sshd(8)
man:sshd_config(5)
Main PID: 42585 (sshd)
CGroup: /system.slice/sshd.service
└─42585 sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startup

Jun 26 12:53:12 Test systemd[1]: Starting OpenSSH server daemon...
Jun 26 12:53:12 Test sshd[42585]: Server listening on 0.0.0.0 port 22.
Jun 26 12:53:12 Test sshd[42585]: Server listening on :: port 22.

The service never reaches Active: active (running).

Check the logs:

Jun 26 12:54:42 Test systemd: sshd.service start operation timed out. Terminating.
Jun 26 12:54:42 Test systemd: Failed to start OpenSSH server daemon.
Jun 26 12:54:42 Test systemd: Unit sshd.service entered failed state.
Jun 26 12:54:42 Test systemd: sshd.service failed.
Jun 26 12:54:46 Test systemd: Stopped OpenSSH server daemon.
Jun 26 12:54:46 Test systemd: Starting OpenSSH server daemon…
Jun 26 12:56:16 Test systemd: sshd.service start operation timed out. Terminating.
Jun 26 12:56:16 Test systemd: Failed to start OpenSSH server daemon.
Jun 26 12:56:16 Test systemd: Unit sshd.service entered failed state.
Jun 26 12:56:16 Test systemd: sshd.service failed.
Jun 26 12:56:59 Test systemd: sshd.service holdoff time over, scheduling restart.
Jun 26 12:56:59 Test systemd: Stopped OpenSSH server daemon.
Jun 26 12:56:59 Test systemd: Starting OpenSSH server daemon…

Solution
The stock CentOS unit file is Type=notify and waits for a readiness notification that the upstream sshd build never sends, so systemd kills the daemon when the start timeout expires. Remove the unit and use the SysV init script shipped with the source instead:
systemctl stop sshd
rm -rf /lib/systemd/system/sshd.service
systemctl daemon-reload

openssh-9.3p1 here is the directory you extracted with tar at the beginning, not the installation directory.

cp openssh-9.3p1/contrib/redhat/sshd.init /etc/init.d/sshd
systemctl daemon-reload
/etc/init.d/sshd restart   (or: systemctl start sshd)
systemctl enable sshd

Version after the upgrade:
[root@Test ~]# ssh -V
OpenSSH_9.3p1, OpenSSL 3.1.1 30 May 2023
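As an added example (not code from the original post), the checks below automate the two verification points above: they confirm the ssh -V banner shows the expected versions, comment out the GSSAPI options this Kerberos-less build rejects, and validate the candidate config with the new binary before the running service is restarted. It assumes sshd was installed to /usr/sbin/sshd (the --prefix=/usr/ used above); the config files passed to the functions are supplied by the caller.

```shell
#!/bin/bash
# Added example, not part of the original post: pre-restart checks for a source-built sshd.
# Assumes sshd was installed to /usr/sbin/sshd (--prefix=/usr/ as above); the config
# files passed in are constructed by the caller.
set -u

# Return 0 when an "ssh -V" banner reports the expected OpenSSH and OpenSSL major.minor
# versions, e.g. check_versions "OpenSSH_9.3p1, OpenSSL 3.1.1 30 May 2023" 9.3 3.1
check_versions() {
    local banner="$1" want_ssh="$2" want_ssl="$3"
    local ssh_ver ssl_ver
    ssh_ver=$(printf '%s\n' "$banner" | sed -n 's/^OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    ssl_ver=$(printf '%s\n' "$banner" | sed -n 's/.*OpenSSL \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    [ "$ssh_ver" = "$want_ssh" ] && [ "$ssl_ver" = "$want_ssl" ]
}

# Count active (uncommented) GSSAPI* options in an sshd_config; the build above was
# configured without Kerberos, so the new sshd rejects every one of them.
count_gssapi() {
    grep -Ec '^[[:space:]]*GSSAPI' "$1" || true
}

# Write a copy of $1 to $2 with the GSSAPI* options commented out; $1 is left untouched
# so the backup the post keeps under /etc/bakssh stays usable for a rollback.
disable_gssapi_options() {
    local src="$1" dst="$2"
    sed -E 's/^[[:space:]]*(GSSAPI[A-Za-z]+[[:space:]])/#\1/' "$src" > "$dst"
}

# Validate a candidate config with the NEW binary and confirm the binary links against
# libssl.so.3 before the running service is touched. Restart only when this passes:
# a config the new sshd refuses is exactly the lock-out the post warns about.
preflight() {
    local cfg="$1"
    /usr/sbin/sshd -t -f "$cfg" || return 1
    ldd /usr/sbin/sshd | grep -q 'libssl\.so\.3' || return 1
}

# Typical use on the host (not executed here):
#   disable_gssapi_options /etc/bakssh/sshd_config /etc/ssh/sshd_config.new
#   preflight /etc/ssh/sshd_config.new && mv /etc/ssh/sshd_config.new /etc/ssh/sshd_config
#   check_versions "$(ssh -V 2>&1)" 9.3 3.1 && systemctl restart sshd
```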

5. Notes for production environments
When working remotely, back up the configuration files first:
the whole /etc/ssh directory as well as /etc/pam.d/sshd
Temporarily add a user with ssh, telnet and similar access.
Telnet has to be enabled, because the ssh upgrade stops the sshd service:
[root@Test ~]# yum install telnet telnet-server xinetd -y
[root@Test ~]# systemctl enable telnet.socket
[root@Test ~]# systemctl start telnet.socket
[root@Test ~]# systemctl enable xinetd
[root@Test ~]# systemctl start xinetd

Allow port 23 through the firewall and disable SELinux.

[root@Test ~]# echo 'pts/0' >>/etc/securetty
[root@Test ~]# echo 'pts/1' >>/etc/securetty

This allows root to log in remotely over telnet.
Sometimes login still fails; check the logs, and to be safe add pts/2 and pts/3 as well:
[root@Test ~]# echo 'pts/2' >>/etc/securetty
[root@Test ~]# echo 'pts/3' >>/etc/securetty

Once the new sshd is confirmed working, remove this temporary access again (the telnet service, the extra user, the firewall rule and the securetty entries), since telnet carries credentials in plaintext.

Remember: before upgrading production, back everything up in advance, rehearse the upgrade on a copy of the production environment, and only upgrade once it is foolproof; have a rollback plan ready so the upgrade completes smoothly.
Above all, do not end up unable to SSH into the server after the upgrade.

RPM package search and download
http://www.rpmfind.net/linux/RPM/

https://pkgs.org/
The versions available there are openssh 7.4p1 and openssl 1.0.2k.
