Upgrading OpenSSH on CentOS 6 to the latest version 7 (compiling and upgrading to OpenSSH 7)

By admin in 美高梅手机版4858 on 4 May 2019

 

This article briefly records the steps for upgrading OpenSSH on CentOS 6.6, plus a one-click upgrade script. Install the packages needed to compile:
yum install gcc pam-devel zlib-devel

Upgrading OpenSSH on Red Hat Linux 6.5

1. Download the latest openssh package


 

2. Before upgrading openssh, first enable telnet on the server and log in through telnet, because ssh will be temporarily unusable during the upgrade

Enable the Linux telnet service:

Check whether telnet is already installed:

rpm -qa|grep telnet

telnet-0.17-48.el6.x86_64

telnet-server-0.17-48.el6.x86_64

 

If it is not installed, install it via yum

[root@leotest ~]# yum install telnet

[root@leotest ~]# yum install telnet-server

 

Start the telnet service:

Edit the telnet file and change disable to no

[root@leotest xinetd.d]# vi /etc/xinetd.d/telnet

# default: on
# description: The telnet server serves telnet sessions; it uses \
#       unencrypted username/password pairs for authentication.
service telnet
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        disable         = no
}

 

 

Restart the xinetd service:

service xinetd restart

or:

/etc/rc.d/init.d/xinetd restart

 

Connect to the server via telnet:

[c:\~]$ telnet 192.168.5.5

 

 

Connecting to 192.168.5.5:23…

Connection established.

To escape to local shell, press ‘Ctrl+Alt+]’.

Red Hat Enterprise Linux Server release 6.8 (Santiago)

Kernel 2.6.32-642.el6.x86_64 on an x86_64

login: test

Password:

[test@leotest ~]$

Because by default telnet only allows ordinary users to log in, log in as an ordinary user and then switch to root

 

3. Back up the original openssh-related files:

cp /usr/sbin/sshd /usr/sbin/sshd.bak

cp /etc/ssh/ssh_config /etc/ssh/ssh_config.bak

cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

cp /etc/ssh/moduli /etc/ssh/moduli.bak

 

Note: delete the files above, otherwise the install reports errors:

/etc/ssh/ssh_config already exists, install will not overwrite

/etc/ssh/sshd_config already exists, install will not overwrite

/etc/ssh/moduli already exists, install will not overwrite

 

rm /etc/ssh/ssh_config -fr

rm /etc/ssh/sshd_config -fr

rm /etc/ssh/moduli -fr

 

yum install pam-devel

yum install zlib-devel

yum install openssl-devel

 

 

4. Extract and install openssh

[root@leotest softs]# tar -zxvf openssh-7.4p1.tar.gz

[root@leotest softs]# ls

openssh-7.4p1  openssh-7.4p1.tar.gz  openssh-7.4p1-vs-openbsd.diff.gz

[root@leotest softs]# cd openssh-7.4p1

[root@leotest openssh-7.4p1]# ./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-pam --with-md5-passwords --mandir=/usr/share/man

### configure: error: *** zlib.h missing - please install first or check config.log

# yum install zlib-devel

### configure: error: *** Can't find recent OpenSSL libcrypto (see config.log for details) ***

# yum install openssl openssl-devel

 

Compile again:

Before recompiling, clean up the previous build output first:

make clean

ldconfig

[root@leotest openssh-7.4p1]# ./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-pam --with-md5-passwords --mandir=/usr/share/man

OpenSSH has been configured with the following options:

                     User binaries: /usr/bin

                   System binaries: /usr/sbin

               Configuration files: /etc/ssh

                   Askpass program: /usr/libexec/ssh-askpass

                      Manual pages: /usr/share/man/manX

                          PID file: /var/run

  Privilege separation chroot path: /var/empty

            sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin

                    Manpage format: doc

                       PAM support: no

                   OSF SIA support: no

                 KerberosV support: no

                   SELinux support: no

                 Smartcard support:

                     S/KEY support: no

              MD5 password support: no

                   libedit support: no

  Solaris process contract support: no

           Solaris project support: no

         Solaris privilege support: no

       IP address in $DISPLAY hack: no

           Translate v4 in v6 hack: yes

                  BSD Auth support: no

              Random number source: OpenSSL internal ONLY

             Privsep sandbox style: rlimit

 

              Host: x86_64-pc-linux-gnu

          Compiler: gcc

    Compiler flags: -g -O2 -Wall -Wpointer-arith -Wuninitialized
-Wsign-compare -Wformat-security -Wno-pointer-sign -fno-strict-aliasing
-D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-all
-fPIE

Preprocessor flags:

      Linker flags:  -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack
-fstack-protector-all -pie

         Libraries: -lcrypto -lrt -ldl -lutil -lz  -lcrypt -lresolv

 

make && make install

/etc/init.d/sshd restart

 

5. Overwrite the old files

cp -p /softs/openssh-7.4p1/contrib/redhat/sshd.init /etc/init.d/sshd

chmod u+x /etc/init.d/sshd

chkconfig --add sshd

cp /usr/local/openssh/sbin/sshd /usr/sbin/sshd

[root@pttlstydb openssh-7.4p1]# cp /usr/local/openssh/sbin/sshd /usr/sbin/sshd

cp: overwrite `/usr/sbin/sshd'? y

cp: cannot create regular file `/usr/sbin/sshd': Text file busy

The file is in use

[root@pttlstydb openssh-7.4p1]# ps -ef|grep sshd

root     14111     1  0 10:05 ?        00:00:00 sshd: root@pts/0

root     14865     1  0 10:22 ?        00:00:00 sshd: root@notty

root     24182 14779  0 10:30 pts/1    00:00:00 grep sshd

[root@pttlstydb openssh-7.4p1]# kill -9 14865

[root@pttlstydb openssh-7.4p1]# ps -ef|grep sshd

root     24227 14779  0 10:31 pts/1    00:00:00 grep sshd

 

Overwrite again:

cp /usr/local/openssh/bin/ssh /usr/bin/ssh

 

[root@leotest openssh-7.4p1]# service sshd restart

Stopping sshd:                                             [  OK  ]

ssh-keygen: illegal option -- A

usage: ssh-keygen [options]

Options:

usage: ssh-keygen [options]

Options:

 

cat /etc/init.d/sshd

start()
{
        # Create keys if necessary
        /usr/bin/ssh-keygen -A
        if [ -x /sbin/restorecon ]; then
                /sbin/restorecon /etc/ssh/ssh_host_key.pub
                /sbin/restorecon /etc/ssh/ssh_host_rsa_key.pub
                /sbin/restorecon /etc/ssh/ssh_host_dsa_key.pub
                /sbin/restorecon /etc/ssh/ssh_host_ecdsa_key.pub
        fi

        echo -n $"Starting $prog:"
        $SSHD $OPTIONS && success || failure
        RETVAL=$?
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/sshd
        echo
}

 

Because the older default ssh-keygen has no -A option.

Workaround:

cp /usr/local/openssh/bin/ssh-keygen /usr/bin/ssh-keygen

 

 

Restart the sshd service:

[root@leotest ssh]# service sshd restart

Stopping sshd:                                             [  OK  ]

Starting sshd:                                             [  OK  ]

Starting sshd:/etc/ssh/sshd_config line 81: Unsupported option
GSSAPIAuthentication

/etc/ssh/sshd_config line 83: Unsupported option
GSSAPICleanupCredentials

 

Cause: the new version of openssh does not support the above options, so the sshd configuration file needs to be modified

 

[root@leotest openssh-7.4p1]# vi /etc/ssh/sshd_config

## Remove the leading comment marker to allow root to log in via ssh

PermitRootLogin yes

 

## Comment out the following options

#GSSAPIAuthentication yes

#GSSAPICleanupCredentials yes

#UsePAM yes

 

 

## Add the following at the end of the file, otherwise you still cannot log in to Linux via ssh:

The cause of this problem is that after the ssh upgrade, for security reasons, some of the original encryption algorithms are no longer used by default; adding them back by hand restores them.

Ciphers aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc,arcfour128,arcfour256,arcfour,blowfish-cbc,cast128-cbc

MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-sha1-96,hmac-md5-96

KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1,curve25519-sha256@libssh.org
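The three lists above bring back algorithms that recent OpenSSH releases dropped from their defaults (RC4/arcfour, CBC-mode ciphers, MD5 and truncated MACs, the 1024-bit group1 exchange), which is a regression rather than a fix; the right move is to keep only the modern entries and to validate the file with sshd -t before restarting, since an unsupported option (as with the GSSAPI lines above) leaves sshd unable to start. The POSIX sh script below is an added example, not code from the article: it audits an sshd_config for those legacy entries, writes a copy that keeps only the modern members of the same lists, and wraps the sshd -t check; SAMPLE_CONFIG is a constructed file and SSHD_BIN an assumed path.

```shell
#!/bin/sh
# Added example, not part of the original article. Audits an sshd_config for
# the legacy algorithms re-enabled above and produces a stripped copy.
# Assumptions: SAMPLE_CONFIG is constructed from the article's edits and
# SSHD_BIN points at the sshd binary (/usr/sbin/sshd on CentOS 6).

SSHD_BIN="${SSHD_BIN:-/usr/sbin/sshd}"

# Entries from the article's three lines that modern OpenSSH dropped from its
# defaults: RC4 (arcfour*), CBC-mode ciphers, MD5/RIPEMD/truncated MACs and
# the 1024-bit diffie-hellman-group1 exchange.
LEGACY_ALGS='arcfour arcfour128 arcfour256 3des-cbc blowfish-cbc cast128-cbc
aes128-cbc aes192-cbc aes256-cbc
hmac-md5 hmac-md5-96 hmac-sha1-96 hmac-ripemd160
diffie-hellman-group1-sha1'

# Constructed sample sshd_config (not a real system file).
SAMPLE_CONFIG='Port 22
PermitRootLogin yes
#GSSAPIAuthentication yes
Ciphers aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc,arcfour128,arcfour256,arcfour,blowfish-cbc,cast128-cbc
MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-sha1-96,hmac-md5-96
KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1,curve25519-sha256@libssh.org
Subsystem sftp internal-sftp'

# is_legacy ALG: succeed when ALG is on the legacy list.
is_legacy() {
    for bad in $LEGACY_ALGS; do
        [ "$1" = "$bad" ] && return 0
    done
    return 1
}

# Read an sshd_config on stdin; print "<Keyword> <algorithm>" for every legacy
# entry on a Ciphers, MACs or KexAlgorithms line (a repeated entry, like the
# second group1-sha1 above, is reported twice).
audit_sshd_algs() {
    while IFS= read -r line; do
        set -- $line   # word-split into keyword ($1) and value ($2)
        case "$1" in
            Ciphers|MACs|KexAlgorithms)
                for alg in $(printf '%s' "$2" | tr ',' ' '); do
                    is_legacy "$alg" && printf '%s %s\n' "$1" "$alg"
                done ;;
        esac
    done
    return 0
}

# Read an sshd_config on stdin; emit it with legacy entries removed from the
# three algorithm lines and everything else unchanged, keeping only the
# modern members of the article's own lists (aes*-ctr, umac-64, ECDH,
# curve25519 and the SHA-2 group exchange).
strip_legacy_algs() {
    while IFS= read -r line; do
        set -- $line
        case "$1" in
            Ciphers|MACs|KexAlgorithms)
                kept=''
                for alg in $(printf '%s' "$2" | tr ',' ' '); do
                    is_legacy "$alg" || kept="${kept:+$kept,}$alg"
                done
                printf '%s %s\n' "$1" "$kept" ;;
            *) printf '%s\n' "$line" ;;
        esac
    done
    return 0
}

# sshd_config_is_valid FILE: run sshd's own parser (sshd -t) on a candidate
# file before restarting, so an "Unsupported option" is caught while the old
# daemon still serves sessions. Returns 2 when no sshd binary is present.
sshd_config_is_valid() {
    [ -x "$SSHD_BIN" ] || return 2
    "$SSHD_BIN" -t -f "$1"
}

# Stand-alone run: list findings, then print the stripped config.
printf '%s\n' "$SAMPLE_CONFIG" | audit_sshd_algs
printf '%s\n' "$SAMPLE_CONFIG" | strip_legacy_algs
```

On a real host, write the stripped output to a temporary file, run sshd_config_is_valid on it, and only then copy it into place and restart.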

 

 

6. Restart the sshd service and test the ssh connection to the server

service sshd restart

[c:\~]$ ssh 192.168.5.5

 

Connecting to 192.168.5.5:22…

Connection established.

To escape to local shell, press ‘Ctrl+Alt+]’.

 

Last login: Tue Dec 27 00:22:10 2016 from 192.168.5.2

[root@leotest ~]# ssh -V

OpenSSH_7.4p1, OpenSSL 1.0.1e-fips 11 Feb 2013

 

 

7. Disable telnet

[root@leotest ~]# vi /etc/xinetd.d/telnet

 

# default: on
# description: The telnet server serves telnet sessions; it uses \
#       unencrypted username/password pairs for authentication.
service telnet
{
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/in.telnetd
        log_on_failure  += USERID
        disable         = yes
}

 

Stop the xinetd service:

[root@leotest ~]# service xinetd stop

Stopping xinetd:                                           [  OK  ]

Disable automatic start at boot:

[root@leotest ~]# chkconfig --list xinetd

xinetd          0:off   1:off   2:off   3:on    4:on    5:on    6:off

[root@leotest ~]# chkconfig  xinetd off

[root@leotest ~]# chkconfig --list xinetd

xinetd          0:off   1:off   2:off   3:off   4:off   5:off   6:off

 

 


 

Problems resolved after the upgrade:

Logging in to Linux through WinSCP gives an error; the fix is as follows:

[root@leotest ~]# vi /etc/ssh/sshd_config

 

# override default of no subsystems

#Subsystem      sftp    /usr/libexec/openssh/sftp-server

Subsystem       sftp    internal-sftp

Comment out the original line and replace it with the internal-sftp line above

 

Restart the sshd service:

service sshd restart

 

—————————————— divider ——————————————

1. Overview

Goal: download the source package (

Applies to: CentOS 5.x/6.x.

OpenSSL: preferably version 1.0.1; with 1.0.2 the compile may fail with errors.

Build environment requirements:

1. openssl, openssl-devel, pam-devel, gcc, gcc-c++, zlib, zlib-devel, zlib-static

2. or the package groups: Development tools, Server Platform Development

Ways to resolve dependencies:

1. Configure the yum repository inside the cloud environment.

2. Insert the CentOS disc of the matching version and set up a local yum repository.

2. Set up the yum repository

2.1 Local yum repository

1. Check the CD device name under /dev.

ls -l /dev | grep cd

2. Mount the disc at /mnt

mount /dev/cdrom /mnt

3. Back up the original yum repo file and create a new repo configuration file.

cd /etc/yum.repos.d/

ls

mv CentOS-Base.repo CentOS-Base.repo.bak

vim CentOS-Base.repo

4. Set the local disc as the yum update source.

[local]
name=This is local repo
baseurl=file:///mnt
enabled=1
gpgcheck=0

5. Clear the yum cache, generate a new cache file, and check whether the repository list contains the local repo just configured.

yum clean all

yum makecache

yum repolist

2.2 HTTP yum repository

1. Edit the CentOS-Base.repo configuration file and add an HTTP yum repository.

[base]
name=network yum repo
baseurl=
enabled=1
gpgcheck=0

2. Regenerate the cache file and check that the HTTP repository just configured is present.

yum makecache

3. Preparation

3.1 Enable the telnet service (optional)

1. Install telnet-server, so that a failed upgrade does not leave the server unmanageable remotely.

yum install telnet-server

2. Start xinetd, the daemon telnet runs under.

service xinetd start

3. Check that the telnet service started successfully.

service xinetd status

netstat -pantu | grep xinetd

4. By default telnet only allows ordinary users to log in, not the root administrator; change the configuration to allow the root account to log in. (Note: do either step 4 or step 5.)

vim /etc/pam.d/login

/pam_securetty.so

#auth required pam_securetty.so    (comment out this line)

:wq

5. Or rename /etc/securetty so that it no longer takes effect. (Note: do either step 4 or step 5.)

mv -v /etc/securetty /etc/securetty.bak

6. Restart the telnet service so the changed configuration takes effect.

service xinetd restart

7. Test logging in via telnet.

3.2 Resolve dependencies the install may need

1. Check the ssh version

ssh -V

2. Check the installation status of the dependency packages

rpm -qa openssl
rpm -qa openssl-devel
rpm -qa pam-devel
rpm -qa gcc
rpm -qa gcc-c++
rpm -qa zlib
rpm -qa zlib-devel
rpm -qa zlib-static

3. Install the missing build dependencies (note: this step depends on the actual state of the server)

yum -y install openssl-devel pam-devel gcc gcc-c++ zlib-devel zlib-static

4. Compile and install

1. Upload the package to the server.

2. Extract the openssh tarball.

tar xvf openssh-7.6p1.tar.gz

3. Generate the makefile.

cd openssh-7.6p1

./configure --sbindir=/usr/sbin/ --bindir=/usr/bin/ --sysconfdir=/etc/ssh --with-ssl-engine --with-pam --with-md5-passwords

If this finishes with no error messages it has succeeded; PAM is not actually used here.

4. Compile openssh.

make -j4

5. Link and install openssh

make install

Note: if this message appears during this step, it means openssh 7.6 does not support those two GSSAPI options.

6. Restart the ssh service.

service sshd restart

7. Installation is finished; test logging in as root. The server refuses.

8. Create an ordinary user; test logging in as that user shortly.

useradd xxxxx

passwd xxxxx

9. Test the ordinary user's login. Result: it can log in normally.

10. Edit the configuration file /etc/ssh/sshd_config to fix root being unable to log in.

vim /etc/ssh/sshd_config

/PermitRootLogin

PermitRootLogin yes    (uncomment this line)

11. Restart the ssh service.

service sshd restart

service sshd status

netstat -pantu |grep :22

12. Test root login. Result: it can log in normally, openssh has been upgraded to 7.6p1, and the service starts automatically at init levels 3, 4 and 5.

ssh -V

chkconfig --list |grep sshd

13. Also, because the new openssh does not support the GSSAPI options, comment out these lines to avoid unknown side effects.

vim /etc/ssh/sshd_config

#GSSAPIAuthentication yes    (comment out these two lines)

#GSSAPICleanupCredentials yes

Before the change, starting the service produces an error message.

After the change, restarting the service produces no error message.

5. Wrap-up

1. Stop the telnet-server service process.

service xinetd stop

service xinetd status

2. Disable telnet-server auto-start at run levels 3, 4 and 5.

chkconfig --list |grep xinetd

chkconfig --level 345 xinetd off

chkconfig --list |grep xinetd

—————————————— divider ——————————————

I. Reason for upgrading
OpenSSH versions below 7.4 have serious vulnerabilities:
1. OpenSSH remote privilege escalation vulnerability (CVE-2016-10010)
2. OpenSSH J-PAKE authorization vulnerability (CVE-2010-4478)
3. OpenSSH MaxAuthTries limit bypass vulnerability (CVE-2015-5600)
With OpenSSL >= 1.0.1 there is no need to upgrade OpenSSL

II. Install the telnet service
1. Install the software
# yum -y install telnet-server* telnet

2. Enable the telnet service
# vi /etc/xinetd.d/telnet
Change the disable field from yes to no to enable the telnet service
# mv /etc/securetty /etc/securetty.old    # allow root to log in via telnet
# service xinetd start                    # start the telnet service
# chkconfig xinetd on                     # start telnet at boot, so that an unexpected reboot during the upgrade does not leave the system without remote login
3. Test that telnet can log in to the system normally

III. Upgrade OpenSSH
1. Back up the current openssh
mv /etc/ssh /etc/ssh.old
mv /etc/init.d/sshd /etc/init.d/sshd.old

2. Uninstall the current openssh
# rpm -qa | grep openssh
openssh-clients-5.3p1-104.el6.x86_64
openssh-server-5.3p1-104.el6.x86_64
openssh-5.3p1-104.el6.x86_64
openssh-askpass-5.3p1-104.el6.x86_64
# rpm -e --nodeps openssh-5.3p1-104.el6.x86_64
# rpm -e --nodeps openssh-server-5.3p1-104.el6.x86_64
# rpm -e --nodeps openssh-clients-5.3p1-104.el6.x86_64
# rpm -e --nodeps openssh-askpass-5.3p1-104.el6.x86_64
# rpm -qa | grep openssh
Note: if the following error appears during the uninstall
[root@node1 openssh-7.5p1]# rpm -e --nodeps openssh-server-5.3p1-104.el6.x86_64
error reading information on service sshd: No such file or directory
error: %preun(openssh-server-5.3p1-104.el6.x86_64) scriptlet failed, exit status 1
Fix:
# rpm -e --noscripts openssh-server-5.3p1-104.el6.x86_64

3. Environment setup before installing openssh
# install -v -m700 -d /var/lib/sshd
# chown -v root:sys /var/lib/sshd
If the sshd user already exists on the system, the following is not needed
# groupadd -g 50 sshd
# useradd -c 'sshd PrivSep' -d /var/lib/sshd -g sshd -s /bin/false -u 50 sshd

4. Extract the openssh 7.5p1 source, compile and install
# tar -zxvf openssh-7.5p1.tar.gz
# cd openssh-7.5p1
# ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-zlib --with-openssl-includes=/usr --with-privsep-path=/var/lib/sshd
# make
# make install

5. Environment setup after installing openssh
# run the following commands in the openssh build directory
# install -v -m755    contrib/ssh-copy-id /usr/bin
# install -v -m644    contrib/ssh-copy-id.1 /usr/share/man/man1
# install -v -m755 -d /usr/share/doc/openssh-7.5p1
# install -v -m644    INSTALL LICENCE OVERVIEW README* /usr/share/doc/openssh-7.5p1
# ssh -V              # verify that the upgrade succeeded

6. Enable the OpenSSH service
# run the following in the openssh build directory
# echo 'X11Forwarding yes' >> /etc/ssh/sshd_config
# echo "PermitRootLogin yes" >> /etc/ssh/sshd_config    # allow root to log in via ssh
# cp -p contrib/redhat/sshd.init /etc/init.d/sshd
# chmod +x /etc/init.d/sshd
# chkconfig  --add  sshd
# chkconfig  sshd  on
# chkconfig  --list  sshd
# service sshd restart

Note: if the upgrade has been carried out entirely inside an ssh remote session, the sshd restart command above may drop the session and leave ssh unable to log in again (that is, ssh failed to restart successfully); in that case log in via telnet and run the sshd restart command again.

7. After rebooting the system and verifying there are no problems, shut down the telnet service
# mv /etc/securetty.old /etc/securetty
# chkconfig  xinetd off
# service xinetd stop
To restore the previous ssh configuration, simply delete the post-upgrade configuration and restore the backup.
# rm -rf /etc/ssh
# mv /etc/ssh.old /etc/ssh

—————————————— divider ——————————————

Some pitfalls encountered when upgrading OpenSSH to the current latest version 7.5

openssh upgrade to latest version

Recently the company's system was flagged by a vulnerability-scanning appliance on the customer's side for several openssh vulnerabilities. A quick look showed the main cause was that the current openssh version was 5.3, too old. At first I thought it was no big deal: my distribution is CentOS 6.x, and the newest openssh in yum is only 5.3, so I had to look for a newer package on the rpm site; the newest I found was 6.4, which I installed with yum localinstall. Unexpectedly, the next day the customer reported that openssh vulnerabilities still existed and that port 22 could not be opened to the outside. Stunned, I had no choice but to go to the openssh official site for the latest release, 7.5. The installation ran into a whole series of pitfalls; I will not recount them one by one, but to help everyone avoid them I have recorded the steps below for reference.

ssh upgrade steps

Install

cd /root/
mkdir ssh_upgrade && cd ssh_upgrade

Upload the openssh package

rz    (upload the package)

Check the current openssh version

ssh -V

Remove the existing openssh

yum remove openssh -y

Install gcc, openssl and zlib

yum install gcc openssl-devel zlib-devel
tar zxvf openssh-7.5p1.tar.gz
cd openssh-7.5p1
./configure
make && make install

Copy the ssh service file

cp ./contrib/redhat/sshd.init /etc/init.d/sshd
chmod +x /etc/init.d/sshd

Edit the sshd service file

vim /etc/init.d/sshd
Change the following:
SSHD=/usr/sbin/sshd to SSHD=/usr/local/sbin/sshd
/usr/sbin/ssh-keygen -A to /usr/local/bin/ssh-keygen -A
Save and exit

Add it to the system services

chkconfig --add sshd

Check that the service has been added to the boot services

chkconfig --list |grep sshd

sshd               0:off    1:off    2:on    3:on    4:on    5:on    6:off

Allow root to log in remotely

cp sshd_config /etc/ssh/sshd_config
vim /etc/ssh/sshd_config    change to PermitRootLogin yes and remove the comment marker

Configure to allow root remote login

This step is very important! Very important! Very important! (Important things are said three times.) Because a freshly installed openssh does not use this sshd_config file by default, even if sshd_config is configured to allow root remote login, it still will not take effect without adding this line!

vim /etc/init.d/sshd
Above the line '$SSHD $OPTIONS && success || failure' add the line 'OPTIONS="-f /etc/ssh/sshd_config"'
Save and exit

Restart

service sshd start

More OpenSSH-related content is available through the following links:

Installing and configuring OpenSSH on Ubuntu Server 13.10
http://www.linuxidc.com/Linux/2014-02/96953.htm

Installing the OpenSSH remote login service on Ubuntu
http://www.linuxidc.com/Linux/2014-02/97218.htm

CentOS 6: record of the steps to upgrade OpenSSH 5.3 to 7
http://www.linuxidc.com/Linux/2016-11/137166.htm

Fixes for several cases where an ordinary user cannot log in through OpenSSH
http://www.linuxidc.com/Linux/2012-05/59457.htm

Common threads: OpenSSH key management, part 1: understanding RSA/DSA authentication
http://www.linuxidc.com/Linux/2011-08/39871.htm

Upgrading OpenSSH on Linux
http://www.linuxidc.com/Linux/2017-03/142411.htm

Permanent link for this article: http://www.linuxidc.com/Linux/2017-05/143568.htm
