1 centos7.6升级openssl和openssh

系统加固列表文档

1、 openssl

当前版本：OpenSSL 1.0.2k-fips

升级后的版本：OpenSSL-1.1.1

下载路径： https://www.openssl.org/source/openssl-1.1.1h.tar.gz](https://www.openssl.org/source/openssl-1.1.1h.tar.gz

2、 openssh

当前版本：OpenSSH_7.4p1, OpenSSL 1.0.2k-fips

升级后的版本：OpenSSH_8.4p1, OpenSSL 1.1.1h

下载路径: https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.4p1.tar.gz

虚拟机环境测试可用：

]# yum install  -y gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel  pam-deve

]# yum install  -y pam* zlib*

安装 openssl

备份原来的openssl

]# mv /usr/bin/openssl /usr/bin/openssl_bak

]# mv /usr/include/openssl /usr/include/openssl_bak

]# tar -xzf openssl-1.1.1h.tar.gz && cd openssl-1.1.1h && ./config --prefix=/usr/local/openssl --shared && make && make install

]# ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl

]# ln -s /usr/local/openssl/include/openssl /usr/include/openssl

]# `echo "/usr/local/openssl/lib" >>/etc/ld.so.conf`

]# ln -s /usr/local/lib64/libssl.so.1.1 /usr/lib64/libssl.so.1.1

]# ln -s /usr/local/lib64/libcrypto.so.1.1 /usr/lib64/libcrypto.so.1.1

]# ldconfig

]# openssl version

OpenSSL 1.1.1h 22 Sep 2020

安装openssh

]# 安装openssh前 将openssl 安装到/usr/local/openssl

备份原来的 ssh配置

]# cd /etc/ssh && mkdir –p /root/sshbak && mv ./* /root/sshbak

]# cd /data/openssh-8.4p1

]# ./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-openssl-includes=/usr/local/openssl/include --with-ssl-dir=/usr/local/openssl --with-zlib --with-md5-passwords --with-pam

]# make && make install

]# mv /usr/bin/ssh /usr/bin/ssh-bak20201108

]# ln -s /usr/local/openssh/bin/ssh /usr/bin/ssh

]# cp -a contrib/redhat/sshd.init /etc/init.d/sshd

]# cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd.pam

]# chmod +x /etc/init.d/sshd

]# chkconfig --add sshd && systemctl enable sshd

]# mv  /usr/lib/systemd/system/sshd.service  /data/

]# chkconfig sshd on

]#ssh -V

OpenSSH_8.4p1, OpenSSL 1.1.1h 22 Sep 2020

扩展

参考链接 ：
centos7.6升级openssl和openssh ：jianshu.com/p/e2e61f0e467e

CentOS7 openssl&openssh 升级踩坑全记录 ：https://www.jianshu.com/p/518f85d8a9d0

升级Ubuntu16.04和CentOS7.4的openSSL和openSSH
https://www.jianshu.com/p/4746b6ec42bf