Linux系统安全加固-openSSH升级

版权声明:本文为博主原创文章,未经博主允许不得转载。 https://blog.csdn.net/baidu_39459954/article/details/89447343


本文安装环境CentOS7

1、安装telnet

为防止升级出现问题导致服务器无法通过SSH连接,先安装telnet以备不时之需。telnet以明文传输口令和会话内容,只应在升级期间作为应急通道使用,新sshd确认可用后应将其停用。

[root@DZFP-DMZ-Server2 ~]# rpm -ivh telnet-0.17-64.el7.x86_64.rpm 
警告:telnet-0.17-64.el7.x86_64.rpm: 头V3 RSA/SHA256 Signature, 密钥 ID f4a80eb5: NOKEY
准备中...                          ################################# [100%]
正在升级/安装...
   1:telnet-1:0.17-64.el7             ################################# [100%]
[root@DZFP-DMZ-Server2 ~]# rpm -ivh telnet-server-0.17-64.el7.x86_64.rpm 
警告:telnet-server-0.17-64.el7.x86_64.rpm: 头V3 RSA/SHA256 Signature, 密钥 ID f4a80eb5: NOKEY
准备中...                          ################################# [100%]
正在升级/安装...
   1:telnet-server-1:0.17-64.el7      ################################# [100%]
[root@DZFP-DMZ-Server2 ~]# 
[root@DZFP-DMZ-Server2 ~]# rpm -ivh xinetd-2.3.15-13.el7.x86_64.rpm 
警告:xinetd-2.3.15-13.el7.x86_64.rpm: 头V3 RSA/SHA256 Signature, 密钥 ID f4a80eb5: NOKEY
准备中...                          ################################# [100%]
正在升级/安装...
   1:xinetd-2:2.3.15-13.el7           ################################# [100%]
[root@DZFP-DMZ-Server2 ~]# 
[root@DZFP-DMZ-Server2 ~]# systemctl start telnet.socket
[root@DZFP-DMZ-Server2 ~]# systemctl start xinetd
[root@DZFP-DMZ-Server2 ~]# systemctl status xinetd
[root@DZFP-DMZ-Server2 ~]# systemctl status telnet.socket

默认情况下,系统是不允许root用户telnet远程登录的。如果要使用root用户直接登录,需设置如下内容:

# Allow root to log in on the first two telnet pseudo-terminals.
# /etc/securetty lists the terminals on which root may log in; without these
# entries a root telnet session is refused.  The grep guard keeps the file free
# of duplicate entries if this step is run more than once.  The entries are only
# needed while the new sshd is being brought up; delete them once ssh works
# again, so that root can no longer authenticate over cleartext telnet.
for tty in pts/0 pts/1; do
  grep -qxF -- "$tty" /etc/securetty || printf '%s\n' "$tty" >> /etc/securetty
done

安装完成之后检查telnet是否可用。注意上面rpm输出中的NOKEY:对应的签名密钥尚未导入,rpm实际上没有校验这些软件包的签名;安装前应先导入发行版的GPG密钥,并用 rpm -K 校验软件包。

2、检查依赖包

2.1、检查pam和zlib版本

[root@DZFP-DMZ-Server2 ~]#  rpm -qa|grep pam
gnome-keyring-pam-3.8.2-10.el7.x86_64
fprintd-pam-0.5.0-4.0.el7_0.x86_64
pam_krb5-2.4.8-4.el7.x86_64
pam-devel-1.1.8-12.el7.x86_64
pam-1.1.8-12.el7.x86_64
[root@DZFP-DMZ-Server2 ~]# rpm -qa|grep zlib
zlib-1.2.7-13.el7.x86_64
zlib-devel-1.2.7-13.el7.x86_64

2.2、检查perl版本

[root@DZFP-DMZ-Server2 ~]$perl -v

This is perl 5, version 16, subversion 3 (v5.16.3) built for x86_64-linux-thread-multi
(with 28 registered patches, see perl -V for more detail)

Copyright 1987-2012, Larry Wall

Perl may be copied only under the terms of either the Artistic License or the
GNU General Public License, which may be found in the Perl 5 source kit.

Complete documentation for Perl, including FAQ lists, should be found on
this system using "man perl" or "perldoc perl".  If you have access to the
Internet, point your browser at http://www.perl.org/, the Perl Home Page.

[root@DZFP-DMZ-Server2 ~]$

2.3、【可选】安装新版zlib

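# Optional: build zlib 1.2.11 from source and install it under /usr.
#
# Order matters: the source build is installed and registered with the dynamic
# loader BEFORE the packaged zlib is removed.  In the original listing "make"
# and "rpm -e --nodeps zlib" had been fused onto one line (apparently with a
# stray number from the page's line gutter), and the removal came before
# "make install" — that would leave the system without libz.so.1 while every
# zlib consumer (rpm itself among them) still needs it.
yum install gcc pam-devel zlib-devel -y    # build dependencies
tar -zxvf  zlib-1.2.11.tar.gz              # unpack the source
cd zlib-1.2.11 || exit 1                   # never build in the wrong directory
cat README                                 # read the README before installing
./configure --prefix=/usr                  # with this prefix the library is installed under /usr/lib
make                                       # compile
make install                               # install the new library
# /usr/lib is not on the 64-bit loader's default path, so register it once.
grep -qxF -- '/usr/lib' /etc/ld.so.conf || printf '%s\n' '/usr/lib' >> /etc/ld.so.conf
ldconfig                                   # make the new libz.so.1 known to the loader
rpm -e --nodeps zlib                       # only now remove the packaged zlib
ldconfig                                   # refresh the cache after the packaged files are gone
                                           # (harmless if the package scriptlet already did this)
# rpm -qa lists packages, not files, so it can never show a source-built zlib;
# after the removal above it should print nothing.  (The author reports still
# seeing the old package here, without ill effect on the openssh build.)
rpm -qa|grep zlib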

2.4、【可选】安装perl

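# Optional: build perl 5.28.0 from source into $HOME/localperl.
# OpenSSL's build (step 4.2) needs a working perl 5.  The tarball is fetched
# over HTTPS but not checked here; compare it with the digest published
# alongside the release before unpacking.
wget https://www.cpan.org/src/5.0/perl-5.28.0.tar.gz
tar -zxvf perl-5.28.0.tar.gz
cd perl-5.28.0 || exit 1
printf '%s\n' "$HOME"                          # the install prefix is derived from this
./Configure -des -Dprefix="$HOME/localperl"    # quoted: a prefix with spaces would otherwise be split
make
make test                                      # the author notes this may report failures
export LD_LIBRARY_PATH=$(pwd)                  # $(..) instead of backticks; the author notes this step probably has no effect
make test
printf '%s\n' "$LD_LIBRARY_PATH"
cd t || exit 1
../cpan/File-Path/t/Path_root.t
./perl -I../lib harness op/filetest.t          # if every test here passes the build is usable
cd ..
make install
# The new perl lives in $HOME/localperl/bin, which is not on PATH, so a bare
# "perl -v" would still report the system perl.  Query the new binary by its
# full path.  (In the original listing this line and the following "cd .." had
# been fused together with a stray page line number.)
"$HOME/localperl/bin/perl" -v
cd ..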

3、备份配置文件

find / -name openssl    # locate every existing openssl path before the new one is installed; each hit is backed up below

[root@DZFP-DMZ-Server2 ~]# find / -name openssl
/etc/pki/ca-trust/extracted/openssl
/usr/share/ruby/openssl
/usr/include/openssl
/opt/nginx/nginx-1.6.2/auto/lib/openssl

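# Back up everything the new OpenSSL build may overwrite.  -a preserves mode,
# ownership and timestamps so the copies can be put back as they were; a path
# that does not exist on this host is skipped instead of producing an error.
# The two shared libraries are the ones restored again in step 4.2.
for path in \
  /etc/pki/ca-trust/extracted/openssl \
  /usr/bin/openssl \
  /usr/lib64/openssl \
  /usr/share/ruby/openssl \
  /usr/include/openssl \
  /usr/lib64/libcrypto.so.10 \
  /usr/lib64/libssl.so.10; do
  [[ -e "$path" ]] || continue
  cp -a -- "$path" "$path.old"
done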

4、升级openssl

4.1、卸载旧版本

查看

[root@DZFP-DMZ-Server2 ~]# rpm -qa|grep openssl
openssl-devel-1.0.1e-42.el7.x86_64
openssl098e-0.9.8e-29.el7.centos.2.x86_64
openssl-libs-1.0.1e-42.el7.x86_64
openssl-1.0.1e-42.el7.x86_64

#这两个文件也需要先备份好(与第3步备份的是同两个文件,若第3步已执行,这里再复制一次也无妨)

# Same two shared libraries as in step 3: keep a copy next to each original so
# they can be restored once the new OpenSSL has been installed.
for lib in libcrypto.so.10 libssl.so.10; do
  cp "/usr/lib64/$lib" "/usr/lib64/$lib.old"
done

卸载

# Remove the packaged OpenSSL.  --nodeps is needed because many installed
# packages depend on openssl-libs.  From here until the two .so.10 files are
# put back in step 4.2, anything linked against libssl.so.10/libcrypto.so.10
# (most likely yum and wget among them) cannot run, so the openssl tarball
# used in 4.2 must already be on the machine.
rpm -e --nodeps openssl-libs-1.0.1e-42.el7.x86_64
rpm -e --nodeps openssl-1.0.1e-42.el7.x86_64

4.2、安装openssl

按顺序执行以下命令

[root@DZFP-DMZ-Server2 ~]# tar -zxvf openssl-1.0.2o.tar.gz
cd openssl-1.0.2o
# --shared builds the shared libraries; "zlib" enables zlib compression
# support.  The author notes: if this step complains that perl 5 is missing,
# build perl as in 2.4 first.
# NOTE(review): with --prefix=/usr the 1.0.2 build appears to install its
# libraries under /usr/lib rather than /usr/lib64, which is why the two .so.10
# files are put back below — confirm on the target host.
./config --prefix=/usr --openssldir=/etc/ssl --shared zlib
make
make test
make install
openssl version    # the newly installed binary should report 1.0.2o
cd     # back to the home directory

#恢复原来的库文件,因为新安装的openssl没包含这两个库文件。注意:仍然链接到这两个.so.10文件的程序继续使用旧的1.0.1e代码,只有之后针对新头文件和库重新编译的软件(例如下面的openssh)才会用到新版本。

# Put the two packaged libraries back under their original names; the source
# build did not provide these .so.10 files.
for lib in libcrypto.so.10 libssl.so.10; do
  mv "/usr/lib64/${lib}.old" "/usr/lib64/${lib}"
done

4.3、查看是否安装成功

[root@DZFP-DMZ-Server2 openssl-1.0.2o]# openssl version
OpenSSL 1.0.2o  27 Mar 2018

5、开始准备安装openssh

5.1、卸载旧版openssh

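# Keep a copy of the sshd configuration and host keys before the packaged
# openssh is removed.  -a preserves ownership, mode and timestamps; a plain
# cp -r would re-create the host keys and config as files owned by the copying
# user with the current time, which makes a later restore less faithful.
cp -a /etc/ssh /etc/ssh.old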
[root@DZFP-DMZ-Server2 openssl-1.0.2o]# rpm -qa|grep openssh
openssh-6.6.1p1-11.el7.x86_64
openssh-server-6.6.1p1-11.el7.x86_64
openssh-clients-6.6.1p1-11.el7.x86_64

# Remove the packaged OpenSSH (common files, server and clients).  --nodeps
# skips the dependency check because other installed packages may require
# these.  After this there is no sshd to accept new connections until step
# 5.4; an existing session normally survives, and the telnet access from
# step 1 is the fallback.
rpm -e --nodeps openssh-6.6.1p1-11.el7.x86_64
rpm -e --nodeps openssh-server-6.6.1p1-11.el7.x86_64
rpm -e --nodeps openssh-clients-6.6.1p1-11.el7.x86_64
rpm -qa|grep openssh    # expect no output once all three are gone

5.2、安装

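# Privilege-separation directory and account for the new sshd.
install  -v -m700 -d /var/lib/sshd          # empty, root-only chroot for the unprivileged child
chown  -v root:sys /var/lib/sshd
# The sshd group/user may already exist (removing the openssh RPM typically
# does not delete accounts it created), so only create them when missing;
# re-running this step then stays quiet instead of failing on "already exists".
getent group sshd >/dev/null || groupadd -g 50 sshd
getent passwd sshd >/dev/null || \
  useradd  -c 'sshd PrivSep' -d /var/lib/sshd -g sshd -s /bin/false -u 50 sshd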

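# Build and install OpenSSH 7.6p1 under /usr with its configuration in /etc/ssh.
tar -zxvof openssh-7.6p1.tar.gz
cd openssh-7.6p1 || exit 1
./configure --prefix=/usr  --sysconfdir=/etc/ssh  --with-md5-passwords  --with-pam  --with-zlib --with-openssl-includes=/usr --with-privsep-path=/var/lib/sshd
make
# The author reports that the first "make install" may print
# "WARNING: UNPROTECTED PRIVATE KEY FILE!": the existing host keys in /etc/ssh
# are more permissive than 0600, which the new sshd refuses to use.
make install
# "ll" is an interactive alias and is not available in a script; use ls -l.
ls -l /etc/ssh/ssh_host_rsa_key
# Restrict the host private keys to root only, then rerun the install step.
chmod 600 /etc/ssh/ssh_host_rsa_key
chmod 600 /etc/ssh/ssh_host_ecdsa_key
chmod 600 /etc/ssh/ssh_host_ed25519_key
make install
ssh -V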

5.3、配置

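# Install the ssh-copy-id helper, its man page and the documentation set.
install -v -m755 contrib/ssh-copy-id /usr/bin
install -v -m644 contrib/ssh-copy-id.1 /usr/share/man/man1
install -v -m755 -d /usr/share/doc/openssh-7.6p1
# The original listing had the next line twice, the first time without a
# destination — install then treats the last README* match as the target and
# reports an error.  Only the complete form is kept.
install -v -m644 INSTALL LICENCE OVERVIEW README* /usr/share/doc/openssh-7.6p1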

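# Append settings to the sshd_config that "make install" placed in /etc/ssh.
# sshd uses the FIRST occurrence of a keyword, so an appended line only takes
# effect when no earlier active line already sets it; check before appending
# (and report when the append would be ignored) instead of silently adding a
# duplicate on every run.
for setting in 'X11Forwarding yes' 'PermitRootLogin yes' 'UsePAM yes'; do
  keyword=${setting%% *}
  if grep -qiE "^[[:space:]]*${keyword}[[:space:]=]" /etc/ssh/sshd_config; then
    printf 'sshd_config already sets %s; not appending "%s"\n' "$keyword" "$setting" >&2
  else
    printf '%s\n' "$setting" >> /etc/ssh/sshd_config
  fi
done
# "PermitRootLogin yes" lets root authenticate with a password, which this
# procedure relies on while root is the only usable account.  Once a non-root
# administrative account exists, "prohibit-password" (OpenSSH's own default
# since 7.0) is the value a hardening baseline expects.
cp -p contrib/redhat/sshd.init /etc/init.d/sshd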

配置PAM模块

vi /etc/pam.d/sshd
添加
auth required pam_unix.so
account required pam_unix.so
session required pam_chroot.so

5.4、设置开机自启动

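# Register the SysV init script with chkconfig and start the new sshd.
chmod +x /etc/init.d/sshd
chkconfig --add sshd
chkconfig  sshd  on
chkconfig  --list  sshd
# Validate the configuration and host keys before restarting: a broken
# sshd_config would otherwise leave telnet as the only remote-login path.
sshd -t || exit 1
systemctl restart sshd
systemctl status sshd
# Keep this session open and confirm that a fresh ssh login succeeds before
# removing the telnet access set up in step 1.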

5.5、查看ssh版本

ssh -V    # should report the freshly installed version; if so, the upgrade succeeded


转载自blog.csdn.net/baidu_39459954/article/details/89447343