Upgrading OpenSSH by compiling from source
Environment:
Operating system: Ubuntu 16.04
openssh version: OpenSSH_7.3p1
Upgrade from source to Openssh-8.6p1
1. Install telnet
Install the telnet service listening on port 23 and connect over telnet first, so that if ssh on port 22 goes down during the upgrade the machine is still reachable.
sudo apt install -y openbsd-inetd
sudo apt install -y telnetd
# sudo apt install -y openbsd-inetd && sudo apt install -y telnetd
Check that the service is running
systemctl status inetd.service
Test the telnet connection; the default port is 23, log in with a username and password
telnet IP
2. Install build dependencies
Install the packages required for compiling
sudo apt update
sudo apt install libzip-dev libssl-dev autoconf gcc libxml2 make -y
# With -d apt only downloads the packages and their dependencies; the .deb files are placed in /var/cache/apt/archives
# sudo apt install -d libzip-dev libssl-dev autoconf gcc libxml2 make
3. Download the source
Download the source tarballs
mkdir openssh && cd openssh
wget https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.7p1.tar.gz
wget http://www.zlib.net/zlib-1.2.11.tar.gz
wget https://www.openssl.org/source/openssl-1.1.1.tar.gz --no-check-certificate
Extract
tar -xzvf openssl-1.1.1.tar.gz
tar -xzvf openssh-8.7p1.tar.gz
tar -xzvf zlib-1.2.11.tar.gz
# tar -xzvf openssl-1.1.1.tar.gz && tar -xzvf openssh-8.7p1.tar.gz && tar -xzvf zlib-1.2.11.tar.gz
4. Build and install zlib
Build and install zlib
cd zlib-1.2.11/
./configure --prefix=/usr/local
make
sudo make install
# make && sudo make install
5. Build and install openssl
Build and install openssl
# Uninstall openssl
# sudo apt purge openssl
On a machine with postgresql installed this also removes postgresql; this is a dangerous operation, be careful!!!
swift@openssh-test:/usr/local$ sudo apt purge openssl
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following packages were automatically installed and are no longer required:
python3-chardet python3-pkg-resources python3-six python3-urllib3
Use 'sudo apt autoremove' to remove them.
The following additional packages will be installed:
python3-software-properties
The following packages will be REMOVED:
ca-certificates* openssl* postgresql-11* postgresql-common* python3-requests*
software-properties-common* ssh-import-id* ssl-cert*
The following packages will be upgraded:
python3-software-properties
1 upgraded, 0 newly installed, 8 to remove and 172 not upgraded.
Need to get 20.2 kB of archives.
After this operation, 48.0 MB disk space will be freed.
Do you want to continue? [Y/n] n
Abort.
Try building and replacing without uninstalling openssl
cd openssl-1.1.1/
./config shared --prefix=/usr/local/ssl
make test
sudo make install
sudo ln -s /usr/local/ssl/lib/libssl.so.1.1 /usr/lib/libssl.so.1.1
sudo ln -s /usr/local/ssl/lib/libcrypto.so.1.1 /usr/lib/libcrypto.so.1.1
# make test && sudo make install
# sudo ln -s /usr/local/ssl/lib/libssl.so.1.1 /usr/lib/libssl.so.1.1 && sudo ln -s /usr/local/ssl/lib/libcrypto.so.1.1 /usr/lib/libcrypto.so.1.1
Back up and replace
sudo mv /usr/bin/openssl /usr/bin/openssl.bak
sudo ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
# sudo mv /usr/bin/openssl /usr/bin/openssl.bak && sudo ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
Check the openssl version: openssl version -a
OpenSSL 1.1.1 11 Sep 2018
built on: Fri Sep 24 06:39:20 2021 UTC
platform: linux-x86_64
options: bn(64,64) rc4(16x,int) des(int) idea(int) blowfish(ptr)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPADLOCK_ASM -DPOLY1305_ASM -DNDEBUG
OPENSSLDIR: "/usr/local/ssl/ssl"
ENGINESDIR: "/usr/local/ssl/lib/engines-1.1"
Seeding source: os-specific
6. Build and install openssh
Build and install openssh
Back up the ssh configuration files
mkdir /tmp/ssh_bak -p
mkdir /tmp/ssh_bak/init.d -p
sudo cp -r /etc/ssh /tmp/ssh_bak
sudo cp /etc/init.d/ssh /tmp/ssh_bak/init.d
Build
cd openssh-8.7p1/
./configure --prefix=/usr/local --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/ssl
make
sudo make install
# make && sudo make install
Stop the service
sudo service sshd stop
sudo systemctl stop ssh
Update without uninstalling
Back up the existing executables and create symlinks to the new ones
mkdir /tmp/ssh_bak/bin -p
sudo mv /usr/bin/scp /tmp/ssh_bak/bin
sudo mv /usr/bin/ssh* /tmp/ssh_bak/bin
sudo ln -s /usr/local/bin/ssh /usr/bin/ssh
sudo ln -s /usr/local/bin/scp /usr/bin/scp
sudo ln -s /usr/local/bin/ssh-add /usr/bin/ssh-add
sudo ln -s /usr/local/bin/ssh-agent /usr/bin/ssh-agent
sudo ln -s /usr/local/bin/ssh-keygen /usr/bin/ssh-keygen
sudo ln -s /usr/local/bin/ssh-keyscan /usr/bin/ssh-keyscan
mkdir /tmp/ssh_bak/sbin -p
sudo mv /usr/sbin/sshd /tmp/ssh_bak/sbin
sudo ln -s /usr/local/sbin/sshd /usr/sbin/sshd
7. Modify ssh.service
# Back up ssh.service
sudo mv /lib/systemd/system/ssh.service /lib/systemd/system/ssh.service.bak
# Edit ssh.service
sudo vim /lib/systemd/system/ssh.service
# Contents after editing
# cat /lib/systemd/system/ssh.service
[Unit]
Description=OpenSSH server daemon
[Service]
ExecStart=/usr/sbin/sshd -f /etc/ssh/sshd_config -D
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
[Install]
WantedBy=multi-user.target
8. Restart the ssh service
sudo systemctl daemon-reload
sudo systemctl restart ssh.service
sudo systemctl enable ssh.service
# Check the service status
sudo systemctl status ssh.service
9. Check the current version
ssh -V
sshd -V
Result
# ssh -V
OpenSSH_8.7p1, OpenSSL 1.1.1 11 Sep 2018
# sshd -V
unknown option -- V
OpenSSH_8.7p1, OpenSSL 1.1.1 11 Sep 2018
usage: sshd [-46DdeiqTt] [-C connection_spec] [-c host_cert_file]
[-E log_file] [-f config_file] [-g login_grace_time]
[-h host_key_file] [-o option] [-p port] [-u len]
10. Shut down the telnet service
Once the ssh test passes, stop the telnet service and disable it at boot
sudo systemctl stop inetd.service
sudo systemctl disable inetd.service
# Check that port 23 is no longer listening
sudo netstat -nltpu|grep 23
Problems
If a user has never had a password set, the account is locked, and key-based remote login without a password is not possible
# Set the user's password
echo 'username:password' |sudo chpasswd
Changing the telnet port of inetd
1. Change the port by editing the configuration file /etc/inetd.conf
Replace the telnet service name with the port number directly, and telnet will listen on the specified port.
# Change the telnet port used by inetd.service
sudo vim /etc/inetd.conf
Change the telnet service name on the following line to a port number
#telnet stream tcp nowait telnetd /usr/sbin/tcpd /usr/sbin/in.telnetd
Change it to
24 stream tcp nowait telnetd /usr/sbin/tcpd /usr/sbin/in.telnetd
Restart the inetd.service service
sudo systemctl restart inetd.service
2. Change the port mapped to the telnet service in /etc/services
swift@xxx-001:~$ cat /etc/services|grep telnet
telnet 23/tcp
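The upgrade above has no check between "make install" and restarting sshd, and the locked-account problem only shows up afterwards. Below is an added pre-restart check script (my own example, not from the original post): the parsing helpers take text as input so they can be tried on constructed samples; preflight() applies them to the live system, assumes the paths used in this post (/usr/local/sbin/sshd, /etc/ssh/sshd_config, the 8.7 target) and must run as root.

```shell
#!/bin/sh
# Added example: checks to run after step 6 (make install) and before step 8 (restart).

openssh_minor() {               # "OpenSSH_8.7p1, OpenSSL 1.1.1 ..." -> "8.7"
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

version_ge() {                  # version_ge 8.7 8.6 -> true; compares major.minor only
    [ "${1%%.*}" -gt "${2%%.*}" ] ||
    { [ "${1%%.*}" -eq "${2%%.*}" ] && [ "${1#*.}" -ge "${2#*.}" ]; }
}

locked_accounts() {             # shadow(5) lines on stdin -> users whose hash field starts with '!'
    awk -F: '$2 ~ /^!/ { print $1 }'
}

links_libssl_11() {             # ldd output on stdin -> true if libssl.so.1.1 resolves to a file
    grep -q 'libssl\.so\.1\.1 => /'
}

preflight() {
    cfg=/etc/ssh/sshd_config    # assumed: the sysconfdir passed to ./configure above
    # 1. The new sshd must accept the old config, or the restart leaves no sshd at all.
    /usr/local/sbin/sshd -t -f "$cfg" || { echo "sshd -t failed: fix $cfg before restarting"; return 1; }
    # 2. The client on PATH must be the newly built one, not the 7.3p1 left behind in /usr/bin.
    v=$(openssh_minor "$(ssh -V 2>&1)")
    version_ge "$v" 8.7 || { echo "ssh -V reports $v, expected >= 8.7"; return 1; }
    # 3. sshd must be linked against the OpenSSL 1.1.1 built in step 5, not the distro 1.0.2.
    ldd /usr/local/sbin/sshd | links_libssl_11 || { echo "sshd not linked to libssl.so.1.1"; return 1; }
    # 4. Accounts that never had a password ('!' in /etc/shadow) are refused by sshd; list them.
    locked=$(locked_accounts < /etc/shadow)
    [ -z "$locked" ] || echo "locked accounts (key login fails until a password is set): $locked"
    echo "preflight OK"
}
```

Source the file and run `preflight` as root before `systemctl restart ssh.service`; a non-zero return means the restart would cut you off.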
Cannot type Chinese when connecting through jumpserver
The locale output when Chinese input does not work
swift@xxx-001:~$ locale
LANG=
LANGUAGE=
LC_CTYPE="POSIX"
LC_NUMERIC="POSIX"
LC_TIME="POSIX"
LC_COLLATE="POSIX"
LC_MONETARY="POSIX"
LC_MESSAGES="POSIX"
LC_PAPER="POSIX"
LC_NAME="POSIX"
LC_ADDRESS="POSIX"
LC_TELEPHONE="POSIX"
LC_MEASUREMENT="POSIX"
LC_IDENTIFICATION="POSIX"
LC_ALL=
This appears after updating openssh; setting the LANG variable fixes it
Global configuration
echo "export LANG=en_US.UTF-8" |sudo tee -a /etc/bash.bashrc
Per-user configuration
echo "export LANG=en_US.UTF-8" >> ~/.bashrc && source ~/.bashrc