系统版本:

[root@db ~]# uname -a

Linux db 2.6.32-431.el6.x86_64 #1 SMP Sun Nov 10 22:19:54 EST 2013

x86_64 x86_64 x86_64 GNU/Linux

[root@db ~]# cat /etc/redhat-release

Red Hat Enterprise Linux Server release 6.5 (Santiago)

升级步骤:

1、验证现有版本

[root@db 1]# yum

install pam-devel

[root@db 1]# pwd

/home/1

[root@db 1]# ls

openssh-7.1p2  openssl-1.1.0-pre3

zlib-1.2.8

[root@db 1]# ssh -V

OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010

[root@db 1]# openssl version

OpenSSL 1.0.1e-fips 11 Feb 2013

[root@db 1]# rpm -q zlib

zlib-1.2.3-29.el6.x86_64

[root@db 1]#  rpm -qa | grep openssl

openssl-1.0.1e-15.el6.x86_64

[root@db 1]#  rpm -qa | grep openssh

openssh-5.3p1-94.el6.x86_64

openssh-clients-5.3p1-94.el6.x86_64

openssh-server-5.3p1-94.el6.x86_64

openssh-askpass-5.3p1-94.el6.x86_64

2、卸载现有版本

[root@db 1]# rpm -e `rpm -qa | grep openssh`

error: Failed dependencies:

openssh-clients is needed by

(installed) Python-meh-0.12.1-3.el6.noarch

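[root@db 1]# rpm -e `rpm -qa | grep openssl` --nodeps

(注:用 --nodeps 强制卸载 openssl 后,系统中不再有 libssl.so.10,下文 yum 报 "libssl.so.10: cannot open shared object file" 即由此引起;后面通过 rpm -ivh 重新安装 openssl-1.0.1e-15.el6 后 yum 才恢复可用。)

[root@db 1]# rpm -e firstboot-1.110.15-1.el6.x86_64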

[root@db 1]# rpm -e python-meh-0.12.1-3.el6.noarch

[root@db 1]# rpm -e `rpm -qa | grep openssh`

[root@db 1]# yum install firstboot

There was a problem importing one of the Python modules

required to run yum. The error leading to this problem was:

libssl.so.10: cannot open

shared object file: No such file or directory

Please install a package which provides this module, or

verify that the module is installed correctly.

It's possible that the above module doesn't match the

current version of Python, which is:

2.6.6 (r266:84292, Sep  4 2013,

07:46:00) [GCC 4.4.7 20120313 (Red Hat 4.4.7-3)]

If you cannot solve this problem yourself,

please Go to the yum faq at:

http://yum.baseurl.org/wiki/Faq

3、安装zlib

[root@db 1]# cd zlib-1.2.8/

[root@db zlib-1.2.8]# ls

[root@db zlib-1.2.8]#  ./configure

--prefix=/usr/local/zlib

[root@db zlib-1.2.8]# make && make install

[root@db zlib-1.2.8]# cd ../openssl-1.1.0-pre3/

[root@db openssl-1.1.0-pre3]# ./config

--prefix=/usr/local/openssl

[root@db openssl-1.1.0-pre3]# make &&

make install

4、安装openssh

[root@db openssl-1.1.0-pre3]# cd ../openssh-7.1p2/

[root@db openssh-7.1p2]# ./configure --prefix=/usr

--sysconfdir=/etc/ssh

checking for gcc... gcc

...

configure: error: *** OpenSSL headers missing - please install

first or check config.log ***

2、如果配置时出现如下环境问题:

configure: error: *** zlib.h missing - please install first or

check config.log ***

使用 yum install openssl openssl-devel -y 安装相关依赖包

[root@db openssh-7.1p2]# rpm -qa |grep pam

pam-1.1.1-17.el6.x86_64

pam-devel-1.1.1-17.el6.x86_64

pam_krb5-2.3.11-9.el6.x86_64

pam_passwdqc-1.0.5-6.el6.x86_64

pam-devel-1.1.1-17.el6.i686

fprintd-pam-0.1-21.git04fd09cfa.el6.x86_64

pam-1.1.1-17.el6.i686

gnome-keyring-pam-2.28.2-8.el6_3.x86_64

[root@db openssh-7.1p2]# ./configure --prefix=/usr/local/openssh

--sysconfdir=/etc/ssh --with-pam --with-ssl-dir=/usr/local/openssl

--with-md5-passwords --mandir=/usr/share/man

--with-zlib=/usr/local/zlib ^C

[root@db openssh-7.1p2]# rpm -ivh

/media/rhel/Packages/openssl-1.0.1e-15.el6.x86_64.rpm Preparing...  ###########################################

[100%]

1:openssl  ###########################################

[100%]

[root@db openssh-7.1p2]# rpm -ivh

openssl-1.0.1e-15.el6.x86_64.rpm [root@db openssh-7.1p2]# ./configure --prefix=/usr/local/openssh

--sysconfdir=/etc/ssh --with-pam --with-ssl-dir=/usr/local/openssl

--with-md5-passwords --mandir=/usr/share/man

--with-zlib=/usr/local/zlib checking for gcc... gcc

...

configure: error: *** OpenSSL headers missing - please install

first or check config.log ***

[root@db openssh-7.1p2]# openssl version -a

OpenSSL 1.0.1e-fips 11 Feb 2013

built on: Fri Sep 27 10:09:12 EDT 2013

platform: linux-x86_64

options:  bn(64,64) md2(int) rc4(16x,int)

des(idx,cisc,16,int) idea(int)

blowfish(idx) compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS

-D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN

-DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2

-fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64

-mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2

-DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m

-DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM

-DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM

OPENSSLDIR: "/etc/pki/tls"

engines:  rdrand dynamic

[root@db openssh-7.1p2]#

[root@db openssh-7.1p2]# rpm -qa |grep gcc

gcc-4.4.7-4.el6.x86_64

gcc-c++-4.4.7-4.el6.x86_64

libgcc-4.4.7-4.el6.x86_64

libgcc-4.4.7-4.el6.i686

[root@db openssh-7.1p2]# rpm -qa |grep openssl-devel

[root@db openssh-7.1p2]# cd /media/rhel/Packages/

[root@db Packages]# rpm -ivh

openssl-devel-1.0.1e-15.el6.x86_64.rpm error: Failed dependencies:

krb5-devel is needed by

openssl-devel-1.0.1e-15.el6.x86_64

zlib-devel is needed by

openssl-devel-1.0.1e-15.el6.x86_64

[root@db Packages]# rpm -ivh

krb5-devel-1.10.3-10.el6_4.6.x86_64.rpm error: Failed dependencies:

keyutils-libs-devel is needed by

krb5-devel-1.10.3-10.el6_4.6.x86_64

libcom_err-devel is needed by

krb5-devel-1.10.3-10.el6_4.6.x86_64

libselinux-devel is needed by

krb5-devel-1.10.3-10.el6_4.6.x86_64

[root@db Packages]# rpm -ivh keyutils-libs-devel

error: open of keyutils-libs-devel failed: No such file or

directory

[root@db Packages]# rpm -ivh

keyutils-libs-devel-1.4-4.el6.x86_64.rpm Preparing...  ###########################################

[100%]

1:keyutils-libs-devel

###########################################

[100%]

[root@db Packages]# rpm -ivh

libcom_err-devel-1.41.12-18.el6.x86_64.rpm Preparing...  ###########################################

[100%]

1:libcom_err-devel

########################################### [100%]

[root@db Packages]# rpm -ivh

libselinux-devel-2.0.94-5.3.el6_4.1.x86_64.rpm error: Failed dependencies:

libsepol-devel >= 2.0.32-1 is needed by

libselinux-devel-2.0.94-5.3.el6_4.1.x86_64

pkgconfig(libsepol) is needed by

libselinux-devel-2.0.94-5.3.el6_4.1.x86_64

[root@db Packages]# yum install libsepol-devel

[root@db Packages]# cd /home/1/openssh-7.1p2/

[root@db openssh-7.1p2]# ./configure --prefix=/usr/local/openssh

--sysconfdir=/etc/ssh --with-pam --with-ssl-dir=/usr/local/openssl

--with-md5-passwords --mandir=/usr/share/man

--with-zlib=/usr/local/zlib

[root@db openssh-7.1p2]# make && make install

5、设置ssh服务

[root@db openssh-7.1p2]# cp -p contrib/redhat/sshd.init

/etc/init.d/sshd

[root@db openssh-7.1p2]# chmod u+x /etc/init.d/sshd

[root@db openssh-7.1p2]# chkconfig --add sshd

[root@db 1]# cp /usr/local/openssh/sbin/sshd /usr/sbin/sshd

[root@db 1]# service sshd start

/etc/init.d/sshd: line 41: /usr/bin/ssh-keygen: No such file or directory

Starting sshd:[  OK  ]

[root@db 1]# find / -name ssh

/etc/ssh

/usr/local/openssh/bin/ssh

/home/1/openssh-7.1p2/ssh

[root@db 1]# /usr/local/openssh/bin/ssh -V

OpenSSH_7.1p2, OpenSSL 1.0.1e-fips 11 Feb 2013

[root@db 1]# cp /usr/local/openssh/bin/ssh /usr/bin/

6、验证升级后版本及重启测试服务

[root@db 1]# ssh -V

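OpenSSH_7.1p2, OpenSSL 1.0.1e-fips 11 Feb 2013

(注:输出中的 OpenSSL 1.0.1e-fips 说明新的 ssh 运行时使用的仍是系统 rpm 安装的 OpenSSL,而不是前面编译到 /usr/local/openssl 的 1.1.0-pre3;也就是说本次升级只更换了 OpenSSH,OpenSSL 版本并未改变。)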

[root@db 1]# [root@db 1]# [root@db 1]# service sshd restart

Stopping sshd:[  OK  ]

/etc/init.d/sshd: line 41: /usr/bin/ssh-keygen: No such file or

directory

Starting sshd:[  OK  ]

[root@db ~]# cd /usr/local/openssh/bin

[root@db bin]# ls

scp  sftp  slogin

ssh  ssh-add

ssh-agent  ssh-keygen

ssh-keyscan

[root@db bin]# cp ssh-keygen /usr/bin/

[root@db bin]# service sshd restart

Stopping sshd:[  OK  ]

Starting sshd:[  OK  ]

[root@db bin]# [root@db bin]# ssh -V

OpenSSH_7.1p2, OpenSSL 1.0.1e-fips 11 Feb 2013

7、设置允许root用户远程登录

[root@db ~]# cat /etc/ssh/sshd_config # Authentication:

...

#LoginGraceTime 2m

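PermitRootLogin yes

(注:OpenSSH 7.0 起 PermitRootLogin 的默认值为 prohibit-password,即 root 只能用密钥等非密码方式登录;设为 yes 会重新允许 root 使用密码远程登录,如果只需要密钥登录可保持默认值。)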

8、SecureCRT不能上传文件的解决办法:

将 /etc/ssh/sshd_config 中的

Subsystem  sftp  /usr/libexec/openssh/sftp-server 改为

Subsystem  sftp  internal-sftp

重启sshd后,sftp正常工作了。

9、升级后的问题

使用SecureCRT

ssh协议连接正常,但使用其他工具无法远程连接操作系统:


解决方法:

=================================================================

参考网上解决方法如下:

修改sshd的配置文件

/etc/ssh/sshd_config

在配置文件中添加:

Ciphers

aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc,arcfour128,arcfour256,arcfour,blowfish-cbc,cast128-cbc

MACs

hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-sha1-96,hmac-md5-96

KexAlgorithms

diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1,curve25519-sha256@libssh.org

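导致此问题的原因是ssh升级后,为了安全,默认不再采用原来的一些加密算法,我们手工添加进去即可。需要注意:不带 "+" 前缀时,Ciphers、MACs、KexAlgorithms 后面给出的列表会整体替换默认列表,因此上面的写法在重新启用 arcfour、3des-cbc、hmac-md5、diffie-hellman-group1-sha1 等已被默认停用的旧算法的同时,也会停用未写入列表的较新默认算法。更稳妥的做法是先确认连接失败的客户端具体缺哪一种算法,只追加那一项(例如 KexAlgorithms +diffie-hellman-group1-sha1),并尽量升级客户端。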

(添加三行或者添加最后一行,重启服务都报错如下)

但重启服务报错如下:

[root@db ~]# service sshd restart

Stopping sshd:[ OK ]

Starting sshd:Unsupported KEX algorithm "ecdh-sha2-nistp521"

/etc/ssh/sshd_config line 137: Bad SSH2 KexAlgorithms 'diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1,curve25519-sha256@libssh.org'.

[FAILED]

=================================================================

修改为如下:

Ciphers aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc,arcfour128,arcfour256,arcfour,blowfish-cbc,cast128-cbc

MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-sha1-96,hmac-md5-96

KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,diffie-hellman-group1-sha1,curve25519-sha256@libssh.org (此行中去掉ecdh-sha2-nistp521)

启动sshd服务即可:
