1.下载最新的openssh包
操作系统:
[root@station28 ~]# cat /etc/issue.net
Red Hat Enterprise
Linux Server release 5.4 (Tikanga)
Kernel r on an m
[root@station28 ~]# uname -a
Linux station28.example.com 2.6.18-164.el5 #1 SMP Tue Aug 18 15:51:48
EDT 2009 x86_64 x86_64 x86_64 GNU/Linux
在配置sftp时,需要chroot特定的目录,则openssh的版本需不低于5.1,我这下载的是openssh
6.1版本的源码包,需要进行编译,
则需要安装gcc,同时需要安装openssl-devel-0.9.8e-12.el5
openssh-6.1p1下载地址:或者进入官网下载
ftp://ftp.openbsd.org.ar/pub/OpenBSD/OpenSSH/portable/openssh-6.1p1.tar.gz
若不安装openssl-devel,则报如下错误:
[root@station28 openssh-6.1p1]#./configure --prefix=/usr/local/ssh
--sysconfdir=/etc/ssh --with-zlib
--with-ssl-dir=/usr/local/ssl --with-md5-passwords
--mandir=/usr/share/man
checking for openssl/opensslv.h... no
configure: error: *** OpenSSL headers missing - please install first
or check config.log ***
1、配置yum,安装gcc,openssl-devel-0.9.8e-12.el5,和telnet(当ssh不能用的时候,用于连接服务器)
[root@station28 ~]# cat /etc/yum.repos.d/base.repo
[base]
baseurl=file:///mnt/Server
gpgcheck=0
[root@station28 ~]# yum -y install "gcc*"
[root@station28 ~]# yum -y install "openssl-devel-0.9.8e-12.el5"
[root@station28 openssh-6.1p1]# yum -y install "telnet-server*"
卸载openssh,观察openssh的各个包包含的内容:
[root@station28 ~]# cd /etc/ssh
[root@station28 ssh]# mkdir /root/1114_ssh_bak
[root@station28 ssh]# cp * /root/1114_ssh_bak/
[root@station28 ssh]# rpm -qa | grep openssh
//目前系统安装的是4.3版本的
openssh-server-4.3p2-36.el5
openssh-askpass-4.3p2-36.el5
openssh-4.3p2-36.el5
openssh-clients-4.3p2-36.el5
[root@station28 ~]# ssh -V
OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
[root@station28 ssh]# rpm -ql openssh-server-4.3p2-36.el5
//查看安装包涉及的内容
/etc/pam.d/sshd
/etc/rc.d/init.d/sshd
/etc/ssh
/etc/ssh/sshd_config
/usr/libexec/openssh/sftp-server
/usr/sbin/.sshd.hmac
/usr/sbin/sshd
/usr/share/man/man5/sshd_config.5.gz
/usr/share/man/man8/sftp-server.8.gz
/usr/share/man/man8/sshd.8.gz
/var/empty/sshd
/var/empty/sshd/etc
/var/empty/sshd/etc/localtime
[root@station28 ssh]# rpm -ql openssh-askpass-4.3p2-36.el5
/etc/profile.d/gnome-ssh-askpass.csh
/etc/profile.d/gnome-ssh-askpass.sh
/usr/libexec/openssh/gnome-ssh-askpass
/usr/libexec/openssh/ssh-askpass
[root@station28 ssh]# rpm -ql openssh-4.3p2-36.el5
/etc/ssh
/etc/ssh/moduli
/usr/bin/ssh-keygen
/usr/libexec/openssh
/usr/libexec/openssh/ssh-keysign
.....
....
[root@station28 ssh]# rpm -ql openssh-clients-4.3p2-36.el5
/etc/ssh/ssh_config
/usr/bin/.ssh.hmac
/usr/bin/scp
/usr/bin/sftp
/usr/bin/slogin
/usr/bin/ssh
/usr/bin/ssh-add
/usr/bin/ssh-agent
/usr/bin/ssh-copy-id
/usr/bin/ssh-keyscan
......
.....
[root@station28 ssh]# rpm -qa | grep openssh //全部卸载
openssh-server-4.3p2-36.el5
openssh-askpass-4.3p2-36.el5
openssh-4.3p2-36.el5
openssh-clients-4.3p2-36.el5
[root@station28 ssh]# rpm -e openssh-server-4.3p2-36.el5
[root@station28 ssh]# rpm -e openssh-askpass-4.3p2-36.el5
[root@station28 ssh]# rpm -e openssh-4.3p2-36.el5
//存在依赖关系,需要先卸载openssh-clients-4.3p2-36.el5.x86_64
error: Failed dependencies:
openssh = 4.3p2-36.el5 is needed by (installed)
openssh-clients-4.3p2-36.el5.x86_64
[root@station28 ssh]# rpm -e openssh-clients-4.3p2-36.el5
[root@station28 ssh]# rpm -e openssh-4.3p2-36.el5
[root@station28 ssh]# rpm -qa | grep openssh //全部卸载干净
[root@station28 ~]# pwd
/root
[root@station28 ~]# ls openssh-6.1p1.tar.gz
openssh-6.1p1.tar.gz
[root@station28 ~]# tar -zxpf openssh-6.1p1.tar.gz //解压openssh 6.1
[root@station28 ~]# cd openssh-6.1p1 //执行以下命令进行编译
[root@station28 openssh-6.1p1]# ./configure --prefix=/usr/local/ssh
--sysconfdir=/etc/ssh --with-zlib --with-ssl-dir=/usr/local/ssl
--with-md5-passwords --mandir=/usr/share/man
[root@station28 openssh-6.1p1]# make
[root@station28 openssh-6.1p1]# make install //warn的报错忽略
[root@station28 openssh-6.1p1]# cd /usr/local/ssh/bin
//刚用--prefix参数指定的路径/usr/local/ssh,将其bin下的拷贝到/usr/bin下
[root@station28 bin]# ls
scp sftp slogin ssh ssh-add ssh-agent ssh-keygen ssh-keyscan
[root@station28 bin]# cp * /usr/bin/
[root@station28 bin]# cd /usr/local/ssh/sbin
[root@station28 sbin]# ls
sshd
[root@station28 sbin]# cp sshd /usr/sbin/sshd //同理
[root@station28 sbin]# cd
/root/openssh-6.1p1/contrib/RedHat/
//将sshd.init拷贝到/etc/init.d/下,名字为sshd(ssh的daemon名称)
[root@station28 redhat]# ls
gnome-ssh-askpass.csh gnome-ssh-askpass.sh openssh.spec sshd.init
sshd.init.old sshd.pam sshd.pam.old
[root@station28 redhat]# cp sshd.init /etc/init.d/sshd
[root@station28 redhat]# ls -l /etc/init.d/sshd
-rwxr-xr-x 1 root root 1768 Nov 14 23:21 /etc/init.d/sshd
[root@station28 redhat]# chkconfig --add sshd
[root@station28 redhat]# service sshd restart
[root@station28 ~]# service sshd restart
//提示报错,只要touch该文件即可规避(注意:touch 只是生成一个空的 .pub 文件,让 lstat 不再报错,并没有生成 ECDSA 主机密钥;更规范的做法是用 ssh-keygen -A 生成所有缺失的主机密钥,再重启 sshd)
Stopping sshd: [ OK ]
lstat(/etc/ssh/ssh_host_ecdsa_key.pub) failed: No such file or
directory
Starting sshd: [ OK ]
[root@station28 ~]# touch /etc/ssh/ssh_host_ecdsa_key.pub
[root@station28 ~]# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
[root@station28 ~]# ssh -V //安装成功
OpenSSH_6.1p1, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
以下步骤为搭建sftp步骤
[root@station28 ssh]# mkdir /home/sftpserver
[root@station28 ssh]# useradd -d /home/sftpserver -s /bin/false test01 //创建用户,指定shell为/bin/false
useradd: warning: the home directory already exists.
Not copying any file from skel directory into it.
[root@station28 ssh]# passwd test01
Changing password for user test01.
New UNIX password:
BAD PASSWORD: it is based on a dictionary word
Retype new UNIX password:
passwd: all authentication tokens updated successfully.
[root@station28 ssh]# pwd
/etc/ssh
[root@station28 ssh]# cp sshd_config sshd_config_1114.bak
sshd_config配置如下
# Authentication:
//在Authentication下加入如下两行,指定可以登入的网段
AllowUsers *@192.168.*.*
AllowUsers *@127.0.0.1
# override default of no subsystems
#Subsystem sftp /usr/local/ssh/libexec/sftp-server
//将这行注释,使用internal-sftp,添加如下行
Subsystem sftp internal-sftp
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server
//在最下面添加如下行,对test01这个用户chroot到/home/sftpserver目录下(注意:ChrootDirectory 指定的目录及其所有上级目录必须属于 root,且不能被组或其他用户写入,否则 sshd 会拒绝该用户登录;因此 test01 登录后无法直接在 / 下写文件,需要在其下再建一个该用户可写的子目录用于上传)
Match User test01
X11Forwarding no
AllowTcpForwarding no
ForceCommand internal-sftp
ChrootDirectory /home/sftpserver
[root@station28 ssh]# sftp test01@192.168.14.28 //chroot成功
test01@192.168.14.28's password:
Connected to 192.168.14.28.
sftp> pwd
Remote working directory: /
可参考如下rhel下的sftp配置链接:
http://www.linuxidc.com/Linux/2012-07/64871.htm
一、问题描述(默认Linux安装的SSHD服务存在一些漏洞,特此升级)
在曾经手动升级sshd服务后发现了三个后遗症:
selinux开启的状态下,重启机器sshd不启动(原因:库文件“libcrypto.so.1.0.0”的selinux标记不正确,导致sshd无法调用访问该文件,使用setroubleshoot工具找到原因)
hosts.allow,hosts.deny对sshd不起作用(原因:编译时未加上--with-tcp-wrappers)
sftp无法使用(原因:源码安装后配置文件未找到sftp-server工具)
为了方便以后安装,再加上修补以上遗留问题,特写成脚本。(脚本测试在CentOS6.5、RHEL6.4、CentOS5.10测试通过)
注意事项:为了降低风险,运行脚本之前,需以telnet登陆系统取得root权限(telnet默认不允许root登陆,可以设置允许root或者以普通用户切换)
二、安装
- 工具包:openssh-6.6p1.tar.gz openssl-1.0.1g.tar.gz
2.升级openssh之前要先打开服务器telnet,通过telnet登录服务器,因为升级过程中会导致ssh暂时不能用
openssh: http://mirror.internode.on.net/pub/OpenBSD/OpenSSH/portable/
打开linux telnet服务:
openssl: ftp://ftp.openssl.org/source/old/1.0.1/
查看telnet是否已经安装:
rpm -qa|grep telnet
安装时将脚本和两个包放在相同路径下,解决依赖请配置好YUM仓库
脚本:updatesshd.sh
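#!/bin/bash
#--------------------------------------------------------------------------|
# updatesshd.sh - rebuild OpenSSL and OpenSSH from source on RHEL/CentOS    |
#                                                                           |
# "WARNING"!!! Please use telnet-server.                                    |
# sshd is removed and restarted in the middle of this script; keep an       |
# out-of-band root session (telnet, console) open until `ssh -V` and a     |
# fresh ssh login have been verified.                                       |
#                                                                           |
# Usage: run as root from the directory that holds both tarballs.           |
#   SSL_VER / SSH_VER may be overridden from the environment, e.g.          |
#   SSL_VER=openssl-1.0.1g SSH_VER=openssh-6.6p1 ./updatesshd.sh            |
# Side effects: /etc/ssh/* is moved to /etc/ssh/old (host keys included,    |
#   so clients will see a host-key-changed warning), the openssh RPMs are   |
#   removed, /usr/local/ssl and /usr/local/openssh are created and sshd     |
#   is restarted.                                                           |
#--------------------------------------------------------------------------|
set -u
set -o pipefail

readonly SSL_VER=${SSL_VER:-openssl-1.0.1g}
readonly SSH_VER=${SSH_VER:-openssh-6.6p1}
readonly SSH_DIR=/usr/local/openssh
readonly SSL_DIR=/usr/local/ssl
readonly LOG_FILE=/var/log/updatesshd.log

# Print a diagnostic to stderr and stop; every destructive step below is
# checked explicitly because `set -e` does not cover `a && b` lists.
die() {
  printf 'updatesshd: %s\n' "$*" >&2
  exit 1
}

#######################################
# Back up /etc/ssh and the init script, build OpenSSL, replace the distro
# openssh RPMs with a source build and restart sshd.
# Globals:   SSL_VER SSH_VER SSH_DIR SSL_DIR (read)
# Arguments: none; both tarballs are expected in the current directory
# Outputs:   build and install output on stdout/stderr
# Returns:   0 on success; exits via die on the first failed step
#######################################
ssh_update() {
  local cur_dir old_pkgs
  cur_dir=$(pwd)
  [[ -f "$cur_dir/$SSL_VER.tar.gz" && -f "$cur_dir/$SSH_VER.tar.gz" ]] \
    || die "$SSL_VER.tar.gz and $SSH_VER.tar.gz must be in $cur_dir"

  # Backup the old files. Host keys are moved as well, so this install
  # generates new ones; copy ssh_host_* back from /etc/ssh/old before the
  # final restart if clients must not see a host-key-changed warning.
  cd /etc/ssh/ || die "cannot cd to /etc/ssh"
  mkdir old || die "/etc/ssh/old already exists - refusing to overwrite a previous backup"
  mv ssh* moduli old
  mv /etc/init.d/sshd /etc/init.d/sshd.old

  # Update ssl
  yum -y install gcc gcc-c++ zlib-devel pam-devel 'tcp_wrappers*' \
    || die "yum install failed"
  cd "$cur_dir" || die "cannot cd to $cur_dir"
  tar zxf "$SSL_VER.tar.gz" || die "cannot extract $SSL_VER.tar.gz"
  cd "$SSL_VER" || die "cannot cd to $SSL_VER"
  ./config shared zlib || die "openssl config failed"
  make || die "openssl make failed"
  make install || die "openssl make install failed"
  mv /usr/bin/openssl /usr/bin/openssl.old
  mv /usr/include/openssl /usr/include/openssl.old
  # -sfn makes a re-run replace the links instead of failing on them.
  ln -sfn "$SSL_DIR/bin/openssl" /usr/bin/openssl
  ln -sfn "$SSL_DIR/include/openssl/" /usr/include/openssl
  # Add the library path only once; appending on every run leaves
  # duplicate entries in ld.so.conf.
  grep -qxF "$SSL_DIR/lib" /etc/ld.so.conf \
    || echo "$SSL_DIR/lib" >> /etc/ld.so.conf
  ldconfig
  # With the wrong SELinux label sshd cannot load libcrypto after a
  # reboot; that is one of the problems this script exists to fix.
  if [[ -x /sbin/restorecon ]]; then
    /sbin/restorecon -v "$SSL_DIR/lib/libcrypto.so.1.0.0"
  fi
  cd "$cur_dir" || die "cannot cd to $cur_dir"

  # Update sshd: remove every distro openssh package first. --nodeps is
  # needed because the packages depend on each other; rpm -e with no
  # package names would fail, hence the emptiness check.
  old_pkgs=$(rpm -qa | grep openssh || true)
  if [[ -n "$old_pkgs" ]]; then
    # shellcheck disable=SC2086 -- package names are one per word, no spaces
    rpm -e --nodeps $old_pkgs || die "rpm -e failed"
  fi
  tar zvxf "$SSH_VER.tar.gz" || die "cannot extract $SSH_VER.tar.gz"
  cd "$SSH_VER/" || die "cannot cd to $SSH_VER"
  ./configure --prefix="$SSH_DIR" --sysconfdir=/etc/ssh --with-pam \
    --with-tcp-wrappers --with-ssl-dir="$SSL_DIR" --with-md5-passwords \
    --with-zlib=zlib || die "openssh configure failed"
  make || die "openssh make failed"
  make install || die "openssh make install failed"
  cp contrib/redhat/sshd.init /etc/init.d/sshd || die "cannot install init script"
  chmod u+x /etc/init.d/sshd
  chkconfig --add sshd
  chkconfig sshd on
  # NOTE: this installs the upstream default sshd_config, not the previous
  # system one (now in /etc/ssh/old); re-apply any local hardening
  # (PermitRootLogin, AllowUsers, Match blocks) after the run.
  cp -rf sshd_config /etc/ssh/sshd_config
  cd "$SSH_DIR" || die "cannot cd to $SSH_DIR"
  cp -rf sbin/sshd /usr/sbin/sshd
  cp -rf bin/* /usr/bin/
  # Point the sftp subsystem at the newly built sftp-server; the default
  # path no longer exists once the RPMs are gone.
  sed -i "s#/usr/libexec/sftp-server#$SSH_DIR/libexec/sftp-server#" \
    /etc/ssh/sshd_config
  service sshd restart
}

# Ask for confirmation that an out-of-band session exists, then run the
# update with all output appended to LOG_FILE.
main() {
  local answer
  # EOF on stdin (e.g. piped input) leaves answer empty -> "Error choice".
  read -r -p "Are you using telnet[YES/NO]?" answer || answer=""
  case "$answer" in
    YES)
      echo "Fine,continue!!!"
      # Log under /var/log rather than a predictable name in /tmp, which
      # an unprivileged local user could pre-create (e.g. as a symlink)
      # before root appends to it.
      ssh_update 2>&1 | tee -a "$LOG_FILE" \
        || die "update failed, see $LOG_FILE"
      ;;
    NO)
      echo "It is dangerous,bye!!!" ;;
    *)
      echo "Error choice" ;;
  esac
}
main "$@"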
telnet-0.17-48.el6.x86_64
telnet-server-0.17-48.el6.x86_64
- 结果验证:
[root@localhost src]# ssh -V
如果没有安装,通过yum安装
SSH, OpenSSL 1.0.1g 7 Apr 2014
[root@leotest ~]# yum install telnet
[root@leotest ~]# yum install telnet-server
启动telnet服务:
编辑telnet文件,将disable改成no
[root@leotest xinetd.d]# vi /etc/xinetd.d/telnet
# default: on
# description: The telnet server serves telnet sessions; it uses
# unencrypted username/password pairs for authentication.
service telnet
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure = USERID
disable = no
}
重启xinetd服务:
service xinetd restart
or:
/etc/rc.d/init.d/xinetd restart
通过telnet连接服务器:
[c:~]$ telnet 192.168.5.5
Connecting to 192.168.5.5:23...
Connection established.
To escape to local shell, press 'Ctrl Alt ]'.
Red Hat Enterprise Linux Server release 6.8 (Santiago)
Kernel 2.6.32-642.el6.x86_64 on an x86_64
login: test
Password:
[test@leotest ~]$
由于默认telnet只能连接普通用户,所以需要登录普通用户之后跳转到root用户
3.备份原openssh相关文件:
cp /usr/sbin/sshd /usr/sbin/sshd.bak
cp /etc/ssh/ssh_config /etc/ssh/ssh_config.bak
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
cp /etc/ssh/moduli /etc/ssh/moduli.bak
Note:删除掉下面三个文件,否则安装的时候会报错:
/etc/ssh/ssh_config already exists, install will not overwrite
/etc/ssh/sshd_config already exists, install will not overwrite
/etc/ssh/moduli already exists, install will not overwrite
rm /etc/ssh/ssh_config -fr
rm /etc/ssh/sshd_config -fr
rm /etc/ssh/moduli -fr
yum install pam-devel
yum install zlib-devel
yum install openssl-devel
4.解压并安装openssh
[root@leotest softs]# tar -zxvf openssh-7.4p1.tar.gz
[root@leotest softs]# ls
openssh-7.4p1 openssh-7.4p1.tar.gz openssh-7.4p1-vs-openbsd.diff.gz
[root@leotest softs]# cd openssh-7.4p1
[root@leotest openssh-7.4p1]#./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-pam --with-md5-passwords --mandir=/usr/share/man
### configure: error: *** zlib.h missing – please install first or check config.log
#yum install zlib-devel
###configure: error: *** Can’t find recent OpenSSL libcrypto (see config.log for details) ***
#yum install openssl openssl-devel
重新编译:
重新编译前要先清理之前的编译信息:
make clean
ldconfig
[root@leotest openssh-7.4p1]# ./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-pam --with-md5-passwords --mandir=/usr/share/man
OpenSSH has been configured with the following options:
User binaries: /usr/bin
System binaries: /usr/sbin
Configuration files: /etc/ssh
Askpass program: /usr/libexec/ssh-askpass
Manual pages: /usr/share/man/manX
PID file: /var/run
Privilege separation chroot path: /var/empty
sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin
Manpage format: doc
PAM support: no
OSF SIA support: no
KerberosV support: no
SELinux support: no
Smartcard support:
S/KEY support: no
MD5 password support: no
libedit support: no
Solaris process contract support: no
Solaris project support: no
Solaris privilege support: no
IP address in $DISPLAY hack: no
Translate v4 in v6 hack: yes
BSD Auth support: no
Random number source: OpenSSL internal ONLY
Privsep sandbox style: rlimit
Host: x86_64-pc-linux-gnu
Compiler: gcc
Compiler flags: -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wno-pointer-sign -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-all -fPIE
Preprocessor flags:
Linker flags: -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-all -pie
Libraries: -lcrypto -lrt -ldl -lutil -lz -lcrypt -lresolv
make && make install
/etc/init.d/sshd restart
5.覆盖旧的文件
cp -p /softs/openssh-7.4p1/contrib/redhat/sshd.init /etc/init.d/sshd
chmod u+x /etc/init.d/sshd
chkconfig --add sshd
cp /usr/local/openssh/sbin/sshd /usr/sbin/sshd
[root@pttlstydb openssh-7.4p1]# cp /usr/local/openssh/sbin/sshd /usr/sbin/sshd
cp: overwrite `/usr/sbin/sshd'? y
cp: cannot create regular file `/usr/sbin/sshd': Text file busy
文件正在被使用
[root@pttlstydb openssh-7.4p1]# ps -ef|grep sshd
root 14111 1 0 10:05 ? 00:00:00 sshd: root@pts/0
root 14865 1 0 10:22 ? 00:00:00 sshd: root@notty
root 24182 14779 0 10:30 pts/1 00:00:00 grep sshd
[root@pttlstydb openssh-7.4p1]# kill -9 14865
[root@pttlstydb openssh-7.4p1]# ps -ef|grep sshd
root 24227 14779 0 10:31 pts/1 00:00:00 grep sshd
重新覆盖:
cp /usr/local/openssh/bin/ssh /usr/bin/ssh
[root@leotest openssh-7.4p1]# service sshd restart
Stopping sshd: [ OK ]
ssh-keygen: illegal option -- A
usage: ssh-keygen [options]
Options:
cat /etc/init.d/sshd
# Start handler from contrib/redhat/sshd.init: creates any missing host
# keys, restores SELinux labels on the public keys, then launches sshd.
start()
{
# Create keys if necessary
# -A generates every missing default host key type. Older ssh-keygen
# builds reject -A (the "illegal option -- A" error shown above), so
# /usr/bin/ssh-keygen must be the newly built binary before this runs.
/usr/bin/ssh-keygen -A
# Relabel the public host keys only when restorecon is installed
# (SELinux-enabled systems); skipped silently otherwise.
if [ -x /sbin/restorecon ]; then
/sbin/restorecon /etc/ssh/ssh_host_key.pub
/sbin/restorecon /etc/ssh/ssh_host_rsa_key.pub
/sbin/restorecon /etc/ssh/ssh_host_dsa_key.pub
/sbin/restorecon /etc/ssh/ssh_host_ecdsa_key.pub
fi
echo -n $"Starting $prog:"
# $SSHD, $OPTIONS and $prog are presumably set earlier in the init script
# (outside this excerpt); success/failure look like the RHEL init-function
# helpers that print the [ OK ] / [FAILED] markers.
$SSHD $OPTIONS && success || failure
# RETVAL is the status of success/failure, i.e. whether sshd launched.
RETVAL=$?
[ $RETVAL -eq 0 ] && touch /var/lock/subsys/sshd
echo
}
因为默认低版本的ssh-keygen没有-A参数
解决方法:
cp /usr/local/openssh/bin/ssh-keygen /usr/bin/ssh-keygen
重启sshd服务:
[root@leotest ssh]# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: [ OK ]
Starting sshd:/etc/ssh/sshd_config line 81: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 83: Unsupported option GSSAPICleanupCredentials
原因:新版本的openssh不支持以上参数,需要修改sshd的配置文件
[root@leotest openssh-7.4p1]# vi /etc/ssh/sshd_config
##去掉前面的注释,允许root通过ssh登录(注意:允许root用口令直接登录会扩大口令暴力破解的影响面;这只是升级期间的临时需要,升级完成后建议改回 no,或改为只允许密钥登录的 prohibit-password,日常管理改用普通用户加 sudo)
PermitRootLogin yes
##注释掉下面三个参数(上面 configure 的输出显示 "PAM support: no"、"MD5 password support: no",即编译出的 sshd 没有 PAM 支持,所以 UsePAM 必须关闭;这意味着 PAM 的账号锁定、口令过期等策略对 sshd 不再生效,若需要 PAM,请检查 config.log 确认 pam-devel 被正确找到后重新编译)
#GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
#UsePAM yes
##在文件末尾加上如下信息,否则还是无法通过ssh登录linux:
导致此问题的原因是ssh升级后,为了安全,默认不再采用原来一些加密算法,我们手工添加进去即可。(注意:下面列表中的 arcfour、3des-cbc、blowfish-cbc、hmac-md5、diffie-hellman-group1-sha1 等算法正是因为已知弱点才被移出默认配置,整段加回来会把安全性降回升级前的水平;应优先升级连不上的客户端,只把确实需要的算法加入列表,并在客户端更新后删掉这几行。)
Ciphers aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc,arcfour128,arcfour256,arcfour,blowfish-cbc,cast128-cbc
MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1,curve25519-sha256@libssh.org
6.重启sshd服务,测试ssh连接服务器
service sshd restart
[c:~]$ ssh 192.168.5.5
Connecting to 192.168.5.5:22...
Connection established.
To escape to local shell, press 'Ctrl Alt ]'.
Last login: Tue Dec 27 00:22:10 2016 from 192.168.5.2
[root@leotest ~]# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.1e-fips 11 Feb 2013
7.禁用telnet
[root@leotest ~]# vi /etc/xinetd.d/telnet
# default: on
# description: The telnet server serves telnet sessions; it uses
# unencrypted username/password pairs for authentication.
service telnet
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure = USERID
disable = yes
}
停掉xinetd服务:
[root@leotest ~]# service xinetd stop
Stopping xinetd: [ OK ]
停掉开机自启动:
[root@leotest ~]# chkconfig --list xinetd
xinetd 0:off 1:off 2:off 3:on 4:on 5:on 6:off
[root@leotest ~]# chkconfig xinetd off
[root@leotest ~]# chkconfig --list xinetd
xinetd 0:off 1:off 2:off 3:off 4:off 5:off 6:off
升级后问题解决:
通过winscp登录linux报错,解决方法如下:
[root@leotest ~]# vi /etc/ssh/sshd_config
# override default of no subsystems
#Subsystem sftp /usr/libexec/openssh/sftp-server
Subsystem sftp internal-sftp
将原来的注释掉,改成下面的internal-sftp
重启sshd服务:
service sshd restart