Upgrading OpenSSH to 8.6p1 on CentOS 7.x
Note:
The SSH service is the key entry point for managing a Linux server. Before upgrading it, validate the procedure thoroughly in a test environment so that nothing goes wrong during the upgrade; a failed upgrade can mean losing access to the server.
It is strongly recommended to enable the telnet service for the duration of the upgrade:
Configuring telnet login
1. Install telnet-server and xinetd
[root@k8s-master ~]# yum -y install xinetd telnet-server
2. Configure telnet (if the file below does not exist, this part can be skipped; if it does exist, edit the configuration so that telnet allows root login, changing disable = no to disable = yes)
[root@k8s-master ~]# ll /etc/xinetd.d/telnet
# Output like the following means the configuration file does not exist, so editing /etc/xinetd.d/telnet can be skipped
ls: cannot access /etc/xinetd.d/telnet: No such file or directory
[root@k8s-master ~]# cat /etc/xinetd.d/telnet
# default: on
# description: The telnet server serves telnet sessions; it uses \
# unencrypted username/password pairs for authentication.
service telnet
{
disable = yes
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
}
3. Configure the terminal types allowed for telnet login
[root@k8s-master ~]# cat >>/etc/securetty<<EOF
pts/0
pts/1
pts/2
pts/3
EOF
[root@k8s-master ~]# tail -5 /etc/securetty
xvc0
pts/0
pts/1
pts/2
pts/3
4. Start the telnet service and enable it at boot
[root@k8s-master ~]# systemctl enable xinetd && systemctl enable telnet.socket
[root@k8s-master ~]# systemctl start telnet.socket && systemctl start xinetd
[root@k8s-master ~]# netstat -lntp|grep 23
[root@k8s-master ~]# firewall-cmd --add-port=23/tcp --zone=public --permanent
[root@k8s-master ~]# firewall-cmd --reload
5. Switch to a telnet login and carry out all of the following steps in the telnet terminal, so that an unexpected SSH disconnect cannot break the upgrade
1. Check the current SSH version information on the server
[root@k8s-master ~]# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
[root@k8s-master ~]# cat /etc/redhat-release
CentOS Linux release 7.8.2003 (Core)
2. First, with the machine connected to the network, install the dependency packages needed for the upgrade
[root@k8s-master ~]# yum -y install wget gcc zlib-devel openssl-devel pam-devel libselinux-devel
3. Upgrade OpenSSL
3.1. Back up the old OpenSSL
[root@k8s-master ~]# mv /usr/bin/openssl{,.bak}
[root@k8s-master ~]# mv /usr/include/openssl{,.bak}
3.2. Download the openssl-1.1.1k package, extract it, then compile and install
[root@k8s-master ~]# wget https://www.openssl.org/source/openssl-1.1.1k.tar.gz
[root@k8s-master ~]# tar zxf openssl-1.1.1k.tar.gz -C /usr/local/
[root@k8s-master ~]# cd /usr/local/openssl-1.1.1k/
[root@k8s-master openssl-1.1.1k]# ./config --prefix=/usr/local/openssl
[root@k8s-master openssl-1.1.1k]# make -j 2 && make install
3.3. Create the corresponding symlinks and verify the version
[root@k8s-master openssl-1.1.1k]# ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
[root@k8s-master openssl-1.1.1k]# ln -s /usr/local/openssl/include/openssl /usr/include/openssl
[root@k8s-master openssl-1.1.1k]# echo "/usr/local/openssl/lib" >> /etc/ld.so.conf
[root@k8s-master openssl-1.1.1k]# ldconfig -v
[root@k8s-master openssl-1.1.1k]# openssl version
OpenSSL 1.1.1k 25 Mar 2021
4. Key step: upgrade OpenSSH
4.1. Stop the existing service and back up the related files
Keep telnet enabled and its port open during the upgrade, so that the version can be rolled back over telnet if the upgrade fails
[root@k8s-master ~]# systemctl stop sshd
[root@k8s-master ~]# mv /etc/ssh{,.bak}
[root@k8s-master ~]# mv /etc/pam.d/sshd{,.bak}
4.2. Uninstall the old openssh packages
It is strongly recommended to locate the openssh rpm packages online beforehand, so that the installation packages are at hand if the upgrade fails
[root@k8s-master ~]# rpm -e --nodeps `rpm -qa | grep openssh`
4.3. Download openssh-8.6p1 and extract the package
[root@k8s-master ~]# wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.6p1.tar.gz
[root@k8s-master ~]# tar zxf openssh-8.6p1.tar.gz
[root@k8s-master ~]# cd openssh-8.6p1
4.4. Build and install the upgrade
[root@k8s-master openssh-8.6p1]# ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-zlib --with-tcp-wrappers --with-ssl-dir=/usr/local/openssl --without-hardening
[root@k8s-master openssh-8.6p1]# make -j 2 && make install
4.5. Copy the ssh configuration files back into place and start the service
[root@k8s-master openssh-8.6p1]# cp contrib/redhat/sshd.init /etc/init.d/sshd
[root@k8s-master openssh-8.6p1]# mv /etc/pam.d/sshd.bak /etc/pam.d/sshd
[root@k8s-master openssh-8.6p1]# mv /etc/ssh /etc/ssh_update.bak
[root@k8s-master openssh-8.6p1]# mv /etc/ssh.bak /etc/ssh
[root@k8s-master openssh-8.6p1]# chmod 600 /etc/ssh/*key
[root@k8s-master openssh-8.6p1]# chkconfig --add sshd
[root@k8s-master openssh-8.6p1]# chkconfig sshd on
[root@k8s-master openssh-8.6p1]# systemctl restart sshd
4.6. Edit the configuration file to allow root login, and verify the version
[root@k8s-master ~]# sed -i 's/^#\(PermitRootLogin \).*/\1yes/' /etc/ssh/sshd_config
[root@k8s-master openssh-8.6p1]# ssh -V
OpenSSH_8.6p1, OpenSSL 1.1.1k 25 Mar 2021
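A post-upgrade check to run in the telnet session before closing it, added here as an example (it is not part of the original post): it parses the `ssh -V` banner, confirms the effective PermitRootLogin value, checks host key permissions and, where sshd is present, runs its config syntax test. The function names and the expected version passed as a parameter are my own assumptions.

```shell
#!/bin/bash
# Post-upgrade verification helper (added example, not from the original post).
# Run it from the telnet session before closing it, so a failed check still
# leaves a way back in. Paths follow the post; the expected version is a parameter.

# Extract the portable version ("8.6p1") from an `ssh -V` banner such as
# "OpenSSH_8.6p1, OpenSSL 1.1.1k  25 Mar 2021".
ssh_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9.]*p[0-9]*\).*/\1/p'
}

# Print the effective PermitRootLogin value from an sshd_config file (first
# uncommented occurrence wins, as in sshd), or "unset" if none is present.
permit_root_login_value() {
    local v
    v=$(awk 'tolower($1)=="permitrootlogin"{print $2; exit}' "$1")
    printf '%s\n' "${v:-unset}"
}

# Return 0 only if every private host key in directory $1 is mode 0600;
# sshd refuses to load keys that are group- or world-readable.
host_keys_private() {
    local k
    for k in "$1"/ssh_host_*_key; do
        [ -e "$k" ] || continue
        [ "$(stat -c '%a' "$k")" = "600" ] || return 1
    done
    return 0
}

# Full check: version banner, root-login setting, key permissions and, when
# sshd is installed on this machine, its own config syntax test (sshd -t).
verify_upgrade() {   # args: expected_version banner sshd_config_path key_dir
    local want=$1 banner=$2 cfg=$3 keydir=$4
    [ "$(ssh_version_from_banner "$banner")" = "$want" ] || { echo "version mismatch: $banner"; return 1; }
    [ "$(permit_root_login_value "$cfg")" = "yes" ] || { echo "PermitRootLogin is not yes in $cfg"; return 1; }
    host_keys_private "$keydir" || { echo "a host key in $keydir is not mode 600"; return 1; }
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$cfg" || { echo "sshd -t rejected $cfg"; return 1; }
    fi
    echo "OpenSSH $want verified; safe to close the telnet session"
}

# Typical invocation on the upgraded host (ssh -V prints its banner on stderr):
# verify_upgrade 8.6p1 "$(ssh -V 2>&1)" /etc/ssh/sshd_config /etc/ssh
```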
Possible problems and their solutions:
Problem:
Job for sshd.service failed because the control process exited with error code. See "systemctl status sshd.service" and "journalctl -xe" for details.
Solution:
[root@k8s-master ~]# grep sshd /var/log/audit/audit.log | audit2allow -M mypol
[root@k8s-master ~]# semodule -i mypol.pp