Installing OpenSSH on RedHat and configuring sftp with a locked (chroot) directory

By admin in 美高梅手机版4858 on April 5, 2019

Upgrading OpenSSH on Red Hat Linux 6.5

1. Download the latest OpenSSH package

 

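2. Before upgrading OpenSSH, enable telnet on the server and log in through telnet, because ssh is temporarily unavailable during the upgrade.

Enable the telnet service on Linux:

Check whether telnet is already installed: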

rpm -qa|grep telnet

telnet-0.17-48.el6.x86_64

telnet-server-0.17-48.el6.x86_64

 

If it is not installed, install it with yum:

[root@leotest ~]# yum install telnet

[root@leotest ~]# yum install telnet-server

 

Start the telnet service:

Edit the telnet file and change disable to no:

[root@leotest xinetd.d]# vi /etc/xinetd.d/telnet

# default: on

# description: The telnet server serves telnet sessions; it uses \

#       unencrypted username/password pairs for authentication.

service telnet

{

        flags           = REUSE

        socket_type     = stream

        wait            = no

        user            = root

        server          = /usr/sbin/in.telnetd

        log_on_failure  += USERID

        disable         = no

}

 

 

Restart the xinetd service:

service xinetd restart

or:

/etc/rc.d/init.d/xinetd restart

 

Connect to the server over telnet:

[c:\~]$ telnet 192.168.5.5

 

 

Connecting to 192.168.5.5:23…

Connection established.

To escape to local shell, press 'Ctrl+Alt+]'.

Red Hat Enterprise Linux Server release 6.8 (Santiago)

Kernel 2.6.32-642.el6.x86_64 on an x86_64

login: test

Password:

[test@leotest ~]$

By default telnet only lets ordinary users log in, so log in as an ordinary user first and then switch to root.

 

3. Back up the existing OpenSSH files:

cp /usr/sbin/sshd /usr/sbin/sshd.bak

cp /etc/ssh/ssh_config /etc/ssh/ssh_config.bak

cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

cp /etc/ssh/moduli /etc/ssh/moduli.bak

 

Note: delete the following three files, otherwise the install reports these errors:

/etc/ssh/ssh_config already exists, install will not overwrite

/etc/ssh/sshd_config already exists, install will not overwrite

/etc/ssh/moduli already exists, install will not overwrite

 

rm /etc/ssh/ssh_config -fr

rm /etc/ssh/sshd_config -fr

rm /etc/ssh/moduli -fr

 

yum install pam-devel

yum install zlib-devel

yum install openssl-devel

 

 

4. Extract and install OpenSSH

[root@leotest softs]# tar -zxvf openssh-7.4p1.tar.gz

[root@leotest softs]# ls

openssh-7.4p1  openssh-7.4p1.tar.gz  openssh-7.4p1-vs-openbsd.diff.gz

[root@leotest softs]# cd openssh-7.4p1

[root@leotest openssh-7.4p1]# ./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-pam --with-md5-passwords --mandir=/usr/share/man

### configure: error: *** zlib.h missing - please install first or check config.log

#yum install zlib-devel

###configure: error: *** Can't find recent OpenSSL libcrypto (see config.log for details) ***

#yum install openssl openssl-devel

 

Compile again:

Before recompiling, clean up the output of the previous build:

make clean

ldconfig

[root@leotest openssh-7.4p1]# ./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-pam --with-md5-passwords --mandir=/usr/share/man

OpenSSH has been configured with the following options:

                     User binaries: /usr/bin

                   System binaries: /usr/sbin

               Configuration files: /etc/ssh

                   Askpass program: /usr/libexec/ssh-askpass

                      Manual pages: /usr/share/man/manX

                          PID file: /var/run

  Privilege separation chroot path: /var/empty

            sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin

                    Manpage format: doc

                       PAM support: no

                   OSF SIA support: no

                 KerberosV support: no

                   SELinux support: no

                 Smartcard support:

                     S/KEY support: no

              MD5 password support: no

                   libedit support: no

  Solaris process contract support: no

           Solaris project support: no

         Solaris privilege support: no

       IP address in $DISPLAY hack: no

           Translate v4 in v6 hack: yes

                  BSD Auth support: no

              Random number source: OpenSSL internal ONLY

             Privsep sandbox style: rlimit

 

              Host: x86_64-pc-linux-gnu

          Compiler: gcc

    Compiler flags: -g -O2 -Wall -Wpointer-arith -Wuninitialized
-Wsign-compare -Wformat-security -Wno-pointer-sign -fno-strict-aliasing
-D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-all
-fPIE

Preprocessor flags:

      Linker flags:  -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack
-fstack-protector-all -pie

         Libraries: -lcrypto -lrt -ldl -lutil -lz  -lcrypt -lresolv

 

make && make install

/etc/init.d/sshd restart

 

5. Overwrite the old files

cp -p /softs/openssh-7.4p1/contrib/redhat/sshd.init /etc/init.d/sshd

chmod u+x /etc/init.d/sshd

chkconfig --add sshd

cp /usr/local/openssh/sbin/sshd /usr/sbin/sshd

[root@pttlstydb openssh-7.4p1]# cp /usr/local/openssh/sbin/sshd /usr/sbin/sshd

cp: overwrite `/usr/sbin/sshd'? y

cp: cannot create regular file `/usr/sbin/sshd': Text file busy

The file is in use:

[root@pttlstydb openssh-7.4p1]# ps -ef|grep sshd

root     14111     1  0 10:05 ?        00:00:00 sshd: root@pts/0

root     14865     1  0 10:22 ?        00:00:00 sshd: root@notty

root     24182 14779  0 10:30 pts/1    00:00:00 grep sshd

[root@pttlstydb openssh-7.4p1]# kill -9 14865

[root@pttlstydb openssh-7.4p1]# ps -ef|grep sshd

root     24227 14779  0 10:31 pts/1    00:00:00 grep sshd

 

Overwrite again:

cp /usr/local/openssh/bin/ssh /usr/bin/ssh

 

[root@leotest openssh-7.4p1]# service sshd restart

Stopping sshd:                                             [  OK  ]

ssh-keygen: illegal option -- A

usage: ssh-keygen [options]

Options:

 

cat /etc/init.d/sshd

start()

{

# Create keys if necessary

/usr/bin/ssh-keygen -A

if [ -x /sbin/restorecon ]; then

/sbin/restorecon /etc/ssh/ssh_host_key.pub

/sbin/restorecon /etc/ssh/ssh_host_rsa_key.pub

/sbin/restorecon /etc/ssh/ssh_host_dsa_key.pub

/sbin/restorecon /etc/ssh/ssh_host_ecdsa_key.pub

fi

 

echo -n $"Starting $prog:"

$SSHD $OPTIONS && success || failure

RETVAL=$?

[ $RETVAL -eq 0 ] && touch /var/lock/subsys/sshd

echo

}

 

This happens because the older default ssh-keygen has no -A option.

Fix:

cp /usr/local/openssh/bin/ssh-keygen /usr/bin/ssh-keygen

 

 

Restart the sshd service:

[root@leotest ssh]# service sshd restart

Stopping sshd:                                             [  OK  ]

Starting sshd:                                             [  OK  ]

Starting sshd:/etc/ssh/sshd_config line 81: Unsupported option GSSAPIAuthentication

/etc/ssh/sshd_config line 83: Unsupported option GSSAPICleanupCredentials

 

Cause: the new version of OpenSSH does not support these options, so the sshd configuration file has to be changed.

 

[root@leotest openssh-7.4p1]# vi /etc/ssh/sshd_config

## Uncomment this line to allow root to log in over ssh

PermitRootLogin yes

 

## Comment out the following three parameters

#GSSAPIAuthentication yes

#GSSAPICleanupCredentials yes

#UsePAM yes

 

 

## Append the following to the end of the file, otherwise it is still not possible to log in to Linux over ssh:

The cause is that after the upgrade ssh, for security reasons, no longer uses some of the older encryption algorithms by default; adding them back by hand resolves it.

Ciphers aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc,arcfour128,arcfour256,arcfour,blowfish-cbc,cast128-cbc

MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-sha1-96,hmac-md5-96

KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1,curve25519-sha256@libssh.org
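
The three lines above put back algorithms that newer OpenSSH no longer enables by default. The following shell function, an added example that is not part of the original post, lists which entries of an sshd_config's Ciphers, MACs and KexAlgorithms lines fall into that legacy set, so the lists can be trimmed to what the remaining clients actually need. The pattern list in is_legacy and the function names are assumptions of this example, and the sample input is constructed from the lines above.

```shell
#!/bin/sh
# Added example (not from the original post): report legacy algorithms that an
# sshd_config re-enables through its Ciphers, MACs and KexAlgorithms lines.

# is_legacy KEYWORD ALGORITHM -> exit 0 when this example counts it as legacy.
# The patterns are an assumption of the example: algorithms that the OpenSSH
# server had stopped offering by default before 7.4.
is_legacy() {
    case "$1:$2" in
        ciphers:arcfour*|ciphers:*-cbc|ciphers:*-cbc@*) return 0 ;;
        macs:hmac-md5*|macs:hmac-ripemd160*|macs:hmac-sha1-96*) return 0 ;;
        kexalgorithms:diffie-hellman-group1-sha1) return 0 ;;
        kexalgorithms:diffie-hellman-group-exchange-sha1) return 0 ;;
    esac
    return 1
}

# audit_sshd_algorithms: read an sshd_config on stdin and print one
# "keyword algorithm" line per legacy entry, in file order.
# The body runs in a subshell so set -f and IFS changes do not leak.
audit_sshd_algorithms() (
    set -f                              # lists may contain * wildcards
    old_ifs=$IFS
    while read -r kw rest; do
        # sshd keywords are case-insensitive
        kw=$(printf '%s' "$kw" | tr '[:upper:]' '[:lower:]')
        case "$kw" in
            ciphers|macs|kexalgorithms) ;;
            *) continue ;;              # other keywords and #comments
        esac
        case "$rest" in
            -*) continue ;;             # a "-list" removes algorithms
            [+^]*) rest=${rest#?} ;;    # "+list" and "^list" still enable them
        esac
        IFS=', '
        for alg in $rest; do
            if is_legacy "$kw" "$alg"; then
                printf '%s %s\n' "$kw" "$alg"
            fi
        done
        IFS=$old_ifs
    done
)

# Constructed sample: the settings this page writes to sshd_config.
sample_config() {
    cat <<'EOF'
PermitRootLogin yes
#UsePAM yes
Ciphers aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc,arcfour128,arcfour256,arcfour,blowfish-cbc,cast128-cbc
MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1,curve25519-sha256@libssh.org
EOF
}

# Audit the file given as $1, or the constructed sample when run without arguments.
if [ "$#" -gt 0 ]; then
    audit_sshd_algorithms < "$1"
else
    sample_config | audit_sshd_algorithms
fi
```

Run it against the live file with `sh audit.sh /etc/ssh/sshd_config` (the script name is a placeholder); an empty result means none of the three lists names an algorithm from the example's legacy set.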

 

 

6. Restart the sshd service and test the ssh connection to the server

service sshd restart

[c:\~]$ ssh 192.168.5.5

 

Connecting to 192.168.5.5:22…

Connection established.

To escape to local shell, press 'Ctrl+Alt+]'.

 

Last login: Tue Dec 27 00:22:10 2016 from 192.168.5.2

[root@leotest ~]# ssh -V

OpenSSH_7.4p1, OpenSSL 1.0.1e-fips 11 Feb 2013

 

 

7. Disable telnet

[root@leotest ~]# vi /etc/xinetd.d/telnet

 

# default: on

# description: The telnet server serves telnet sessions; it uses \

#       unencrypted username/password pairs for authentication.

service telnet

{

        flags           = REUSE

        socket_type     = stream

        wait            = no

        user            = root

        server          = /usr/sbin/in.telnetd

        log_on_failure  += USERID

        disable         = yes

}

 

Stop the xinetd service:

[root@leotest ~]# service xinetd stop

Stopping xinetd:                                           [  OK  ]

Disable it at boot:

[root@leotest ~]# chkconfig --list xinetd

xinetd          0:off   1:off   2:off   3:on    4:on    5:on    6:off

[root@leotest ~]# chkconfig  xinetd off

[root@leotest ~]# chkconfig --list xinetd

xinetd          0:off   1:off   2:off   3:off   4:off   5:off   6:off

 

 


 

Troubleshooting after the upgrade:

Logging in to Linux with WinSCP reports an error; the fix is as follows:

[root@leotest ~]# vi /etc/ssh/sshd_config

 

# override default of no subsystems

#Subsystem      sftp    /usr/libexec/openssh/sftp-server

Subsystem       sftp    internal-sftp

Comment out the original line and change it to internal-sftp as shown above.

 

Restart the sshd service:

service sshd restart

 

Operating system:
 [root@station28 ~]# cat /etc/issue.net
 Red Hat Enterprise Linux Server release 5.4 (Tikanga)
 Kernel \r on an \m
 [root@station28 ~]# uname -a
 Linux station28.example.com 2.6.18-164.el5 #1 SMP Tue Aug 18 15:51:48 EDT 2009 x86_64 x86_64 x86_64 GNU/Linux
 
To chroot sftp users into a specific directory, the OpenSSH version must be greater than 5.1. I downloaded the OpenSSH 6.1 source package, which has to be compiled, so gcc must be installed, together with openssl-devel-0.9.8e-12.el5.
 openssh-6.1p1 download address (or download it from the official site):
 ftp://ftp.openbsd.org.ar/pub/OpenBSD/OpenSSH/portable/openssh-6.1p1.tar.gz
 If openssl-devel is not installed, the following error is reported:
 [root@station28 openssh-6.1p1]# ./configure --prefix=/usr/local/ssh --sysconfdir=/etc/ssh --with-zlib --with-ssl-dir=/usr/local/ssl --with-md5-passwords --mandir=/usr/share/man
 checking for openssl/opensslv.h... no
 configure: error: *** OpenSSL headers missing - please install first or check config.log ***
 
1. Configure yum and install gcc, openssl-devel-0.9.8e-12.el5 and telnet (used to connect to the server when ssh cannot be used)
 [root@station28 ~]# cat /etc/yum.repos.d/base.repo
 [base]
 baseurl=file:///mnt/Server
 gpgcheck=0
 [root@station28 ~]# yum -y install "gcc*"
 [root@station28 ~]# yum -y install "openssl-devel-0.9.8e-12.el5"
 [root@station28 openssh-6.1p1]# yum -y install "telnet-server*"
 
Uninstall OpenSSH, and look at what each of the openssh packages contains:
 [root@station28 ~]# cd /etc/ssh
 [root@station28 ssh]# mkdir /root/1114_ssh_bak
 [root@station28 ssh]# cp * /root/1114_ssh_bak/
 [root@station28 ssh]# rpm -qa | grep openssh # the system currently has version 4.3 installed
 openssh-server-4.3p2-36.el5
 openssh-askpass-4.3p2-36.el5
 openssh-4.3p2-36.el5
 openssh-clients-4.3p2-36.el5
 [root@station28 ~]# ssh -V
 OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
 [root@station28 ssh]# rpm -ql openssh-server-4.3p2-36.el5 # list the files the package contains
 /etc/pam.d/sshd
 /etc/rc.d/init.d/sshd
 /etc/ssh
 /etc/ssh/sshd_config
 /usr/libexec/openssh/sftp-server
 /usr/sbin/.sshd.hmac
 /usr/sbin/sshd
 /usr/share/man/man5/sshd_config.5.gz
 /usr/share/man/man8/sftp-server.8.gz
 /usr/share/man/man8/sshd.8.gz
 /var/empty/sshd
 /var/empty/sshd/etc
 /var/empty/sshd/etc/localtime
 [root@station28 ssh]# rpm -ql openssh-askpass-4.3p2-36.el5
 /etc/profile.d/gnome-ssh-askpass.csh
 /etc/profile.d/gnome-ssh-askpass.sh
 /usr/libexec/openssh/gnome-ssh-askpass
 /usr/libexec/openssh/ssh-askpass
 [root@station28 ssh]# rpm -ql openssh-4.3p2-36.el5
 /etc/ssh
 /etc/ssh/moduli
 /usr/bin/ssh-keygen
 /usr/libexec/openssh
 /usr/libexec/openssh/ssh-keysign
 …..
 ….
 [root@station28 ssh]# rpm -ql openssh-clients-4.3p2-36.el5
 /etc/ssh/ssh_config
 /usr/bin/.ssh.hmac
 /usr/bin/scp
 /usr/bin/sftp
 /usr/bin/slogin
 /usr/bin/ssh
 /usr/bin/ssh-add
 /usr/bin/ssh-agent
 /usr/bin/ssh-copy-id
 /usr/bin/ssh-keyscan
 ……
 …..
 [root@station28 ssh]# rpm -qa | grep openssh # uninstall all of them
 openssh-server-4.3p2-36.el5
 openssh-askpass-4.3p2-36.el5
 openssh-4.3p2-36.el5
 openssh-clients-4.3p2-36.el5
 [root@station28 ssh]# rpm -e openssh-server-4.3p2-36.el5
 [root@station28 ssh]# rpm -e openssh-askpass-4.3p2-36.el5
 [root@station28 ssh]# rpm -e openssh-4.3p2-36.el5 # there is a dependency; openssh-clients-4.3p2-36.el5.x86_64 must be uninstalled first
 error: Failed dependencies:
        openssh = 4.3p2-36.el5 is needed by (installed) openssh-clients-4.3p2-36.el5.x86_64
 [root@station28 ssh]# rpm -e openssh-clients-4.3p2-36.el5
 [root@station28 ssh]# rpm -e openssh-4.3p2-36.el5
 [root@station28 ssh]# rpm -qa | grep openssh # everything is uninstalled
 
[root@station28 ~]# pwd
 /root
 [root@station28 ~]# ls openssh-6.1p1.tar.gz
 openssh-6.1p1.tar.gz
 [root@station28 ~]# tar -zxpf openssh-6.1p1.tar.gz # extract openssh 6.1
 [root@station28 ~]# cd openssh-6.1p1 # run the following commands to compile
 [root@station28 openssh-6.1p1]# ./configure --prefix=/usr/local/ssh --sysconfdir=/etc/ssh --with-zlib --with-ssl-dir=/usr/local/ssl --with-md5-passwords --mandir=/usr/share/man
 [root@station28 openssh-6.1p1]# make
 [root@station28 openssh-6.1p1]# make install # ignore the warnings
 [root@station28 openssh-6.1p1]# cd /usr/local/ssh/bin # /usr/local/ssh is the path just given with --prefix; copy what is in its bin directory to /usr/bin
 [root@station28 bin]# ls
 scp  sftp  slogin  ssh  ssh-add  ssh-agent  ssh-keygen  ssh-keyscan
 [root@station28 bin]# cp * /usr/bin/
 [root@station28 bin]# cd /usr/local/ssh/sbin
 [root@station28 sbin]# ls
 sshd
 [root@station28 sbin]# cp sshd /usr/sbin/sshd # likewise
 [root@station28 sbin]# cd /root/openssh-6.1p1/contrib/redhat/ # copy sshd.init to /etc/init.d/ under the name sshd (the name of the ssh daemon)
 [root@station28 redhat]# ls
 gnome-ssh-askpass.csh  gnome-ssh-askpass.sh  openssh.spec  sshd.init  sshd.init.old  sshd.pam  sshd.pam.old
 [root@station28 redhat]# cp sshd.init /etc/init.d/sshd
 [root@station28 redhat]# ls -l /etc/init.d/sshd
 -rwxr-xr-x 1 root root 1768 Nov 14 23:21 /etc/init.d/sshd
 [root@station28 redhat]# chkconfig --add sshd
 [root@station28 redhat]# service sshd restart
 
[root@station28 ~]# service sshd restart # an error is reported; touching the file avoids it
 Stopping sshd:                                            [  OK  ]
 lstat(/etc/ssh/ssh_host_ecdsa_key.pub) failed: No such file or directory
 Starting sshd:                                            [  OK  ]
 [root@station28 ~]# touch /etc/ssh/ssh_host_ecdsa_key.pub
 [root@station28 ~]# service sshd restart
 Stopping sshd:                                            [  OK  ]
 Starting sshd:                                            [  OK  ]
 [root@station28 ~]# ssh -V # installed successfully
 OpenSSH_6.1p1, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
 
The following steps set up sftp:
 [root@station28 ssh]# mkdir /home/sftpserver
 [root@station28 ssh]# useradd -d /home/sftpserver -s /bin/false test01 # create the user with /bin/false as its shell
 useradd: warning: the home directory already exists.
 Not copying any file from skel directory into it.
 [root@station28 ssh]# passwd test01
 Changing password for user test01.
 New UNIX password:
 BAD PASSWORD: it is based on a dictionary word
 Retype new UNIX password:
 passwd: all authentication tokens updated successfully.
 
[root@station28 ssh]# pwd
 /etc/ssh
 [root@station28 ssh]# cp sshd_config  sshd_config_1114.bak
 sshd_config is configured as follows:
 # Authentication:
 # Add the following two lines under Authentication to specify the network ranges allowed to log in
 AllowUsers *@192.168.*.*
 AllowUsers *@127.0.0.1
 # override default of no subsystems
 # Comment out this line and add the line below it to use internal-sftp
 #Subsystem      sftp    /usr/local/ssh/libexec/sftp-server
 Subsystem      sftp    internal-sftp
 
# Example of overriding settings on a per-user basis
 #Match User anoncvs
 #      X11Forwarding no
 #      AllowTcpForwarding no
 #      ForceCommand cvs server
 # Add the following lines at the very end to chroot the user test01 into /home/sftpserver
 Match User test01
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand internal-sftp
        ChrootDirectory /home/sftpserver
 [root@station28 ssh]# sftp test01@192.168.14.28 # chroot succeeded
 test01@192.168.14.28's password:
 Connected to 192.168.14.28.
 sftp> pwd
 Remote working directory: /
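
sshd only accepts a ChrootDirectory when every component of its path is a root-owned directory that is not writable by group or others; /home/sftpserver above passes because root created it. The following shell function is an added example, not part of the original post, that checks a directory against that rule before a Match block is pointed at it. The function name and its optional OWNER_UID and TOP parameters are assumptions of this example, and it relies on `stat -c`.

```shell
#!/bin/sh
# Added example (not from the original post): check that a directory satisfies
# sshd's ownership rule for ChrootDirectory.
# Uses "stat -c" (GNU coreutils / busybox), as found on RHEL.

# check_chroot_path DIR [OWNER_UID] [TOP]
#   DIR        directory named by ChrootDirectory
#   OWNER_UID  uid that must own every component (sshd requires 0, the default;
#              the parameter exists so the check can be exercised unprivileged)
#   TOP        directory at which the upward walk stops (default /)
# Prints one line per offending component; returns 0 when the path is
# acceptable, 1 when a component is not, 2 when DIR is not a directory.
check_chroot_path() {
    _dir=$1
    _owner=${2:-0}
    _top=${3:-/}
    _rc=0
    if [ ! -d "$_dir" ]; then
        echo "not a directory: $_dir"
        return 2
    fi
    # Work on the physical path, with symlinks resolved.
    _dir=$(cd "$_dir" && pwd -P) || return 2
    while :; do
        _uid=$(stat -c '%u' "$_dir")
        _mode=$(stat -c '%a' "$_dir")
        if [ "$_uid" != "$_owner" ]; then
            echo "bad owner (uid $_uid): $_dir"
            _rc=1
        fi
        # 022 selects the write bits for group and others.
        if [ $(( 0$_mode & 022 )) -ne 0 ]; then
            echo "group/other writable (mode $_mode): $_dir"
            _rc=1
        fi
        if [ "$_dir" = "$_top" ] || [ "$_dir" = "/" ]; then
            break
        fi
        _dir=$(dirname "$_dir")
    done
    return "$_rc"
}

# Check the directory given on the command line, e.g. /home/sftpserver.
if [ "$#" -gt 0 ]; then
    check_chroot_path "$@"
fi
```

Since the chroot directory itself cannot be writable by test01, uploads need a subdirectory inside it that is owned by that user.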
 
For reference, see the following link on configuring sftp under RHEL:
http://www.linuxidc.com/Linux/2012-07/64871.htm
