linux下升級openssh
查詢是否安裝telnet
# rpm -qa | grep telnet
telnet-server-0.17-31.EL4.5
telnet-0.17-31.EL4.5
打開telnet服務
修改設置文件/etc/xinetd.d/telnet中disable字段改為no。
啟動服務#ntsysv或#service xinetd restart。
創建登陸用戶
因為不能直接root telnet登陸,所以創建一個登陸用戶.安轉完成後可以把該用戶刪除
useradd opensshinstall
(刪除用戶及/home/sshinstall目錄 userdel -r sshinstall 刪除這個用戶的組groupdel sshinstall)
安裝源文件在/usr/local/src目錄下
zlib和openssl安裝在/usr/local目錄下
安裝zlib-1.2.5
#tar -zxvf zlib-1.2.5.tar.gz
#cd zlib-1.2.5
#./configure --prefix=/usr/local/zlib-1.2.5 -share
#make
#make test
#make install
cp libz.a /usr/local/zlib-1.2.5/lib
cp libz.so.1.2.5 /usr/local/zlib-1.2.5/lib
cd /usr/local/zlib-1.2.5/lib; chmod u=rw,go=r libz.a
cp zlib.3 /usr/local/zlib-1.2.5/share/man/man3
chmod 644 /usr/local/zlib-1.2.5/share/man/man3/zlib.3
cp zlib.pc /usr/local/zlib-1.2.5/lib/pkgconfig
chmod 644 /usr/local/zlib-1.2.5/lib/pkgconfig/zlib.pc
cp zlib.h zconf.h /usr/local/zlib-1.2.5/include
chmod 644 /usr/local/zlib-1.2.5/include/zlib.h /usr/local/zlib-1.2.5/include/zconf.h
#vi /etc/ld.so.conf 配置庫文件搜索路徑
include ld.so.conf.d/*.conf
##add 2010.7.7
/usr/local/zlib-1.2.5/lib
##add end
#ldconfig -v 刷新緩存文件/etc/ld.so.cache
#ln -s /usr/local/zlib-1.2.5 /usr/local/zlib
安裝openssl
#cd /usr/local/src
#tar zxvf openssl-1.0.0a.tar.gz
#cd openssl-1.0.0a
#./config shared zlib-dynamic --prefix=/usr/local/openssl-1.0.0a --with-zlib-lib=/usr/local/zlib-1.2.5/lib --with-zlib-include=/usr/local/zlib-1.2.5/include
#make
#make test (這一步是進行 SSL 加密協議的完整測試,如果出現錯誤就要一定先找出原因,否則一味繼續可能導致 SSH 不能使用!)
#make install
#vi /etc/ld.so.conf 配置庫文件搜索路徑
############################################
## add below line to ld.so.conf
/usr/local/openssl-1.0.0a/lib 64位OS 沒有生成lib目錄,是lib64目錄
############################################
#ldconfig -v 刷新緩存文件/etc/ld.so.cache
#ln -s /usr/local/openssl-1.0.0a /usr/local/openssl
vi /etc/profile
###########################################
(add to end of the file)
PATH=/usr/local/openssl/bin:$PATH
export PATH
###########################################
退出,再登錄,查看openssl的版本號,以驗正是否安裝正確
#openssl version -a
OpenSSL 1.0.0a 1 Jun 2010
built on: Wed Jul 7 17:08:07 CST 2010
platform. linux-x86_64
options: bn(64,64) rc4(1x,char) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DWHIRLPOOL_ASM
OPENSSLDIR: "/usr/local/openssl-1.0.0a/ssl"
停止並卸載Openssh
1.停止OpenSSH服務
#service sshd stop
2. 查詢並卸載openssh
# rpm -qa | grep openssh
openssh-3.9p1-8.RHEL4.24
openssh-askpass-3.9p1-8.RHEL4.24
openssh-clients-3.9p1-8.RHEL4.24
openssh-server-3.9p1-8.RHEL4.24
openssh-askpass-gnome-3.9p1-8.RHEL4.24
#rpm -e openssh-3.9p1-8.RHEL4.24 --nodeps
#rpm -e openssh-clients-3.9p1-8.RHEL4.24 --nodeps
警告/etc/ssh/ssh_config 已存為 /etc/ssh/ssh_config.rpmsave
#rpm -e openssh-askpass-3.9p1-8.RHEL4.24
#rpm -e openssh-server-3.9p1-8.RHEL4.24 --nodeps
#rpm -e openssh-askpass-gnome-3.9p1-8.RHEL4.24
cd /usr/local/src
tar zxvf openssh-5.5p1.tar.gz
cd openssh-5.5p1
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-ssl-dir=/usr/local/openssl-1.0.0a --with-md5-passwords --mandir=/usr/share/man --with-zlib=/usr/local/zlib-1.2.5
#make
#make install
#
將sshd加入啟動服務:
進入ssh安裝解壓目錄
#cp ./contrib/redhat/sshd.init /etc/init.d/sshd
#chmod +x /etc/init.d/sshd
#chkconfig --add sshd
最後,啟動 SSH 服務使修改生效:
# service sshd start
重啟後確認一下當前的 OpenSSH 和 OpenSSL 是否正確:
# ssh -v
如果看到了新的版本號就沒問題啦!
關閉telnet服務
修改設置文件/etc/xinetd.d/telnet中disable字段改為yes。
啟動服務#ntsysv或#service xinetd restart。
注意問題
1.在安裝openssh, ./configure 時,報下面錯誤:
configure: error: PAM headers not found
運行# rpm -qa | grep pam
pam_smb-1.1.7-5
pam_ccreds-1-3
pam_passwdqc-0.7.5-2
pam-0.77-66.17
pam_krb5-2.1.8-1
spamassassin-3.0.6-1.el4
發現有 pam-0.77-66.17,從網上找到 pam-devel-0.77-66.17.i386.rpm,
運行rpm -ivh pam-devel-0.77-66.17.i386.rpm後,./configure正常
版本號0.77-66.17必須一樣。
2.在安裝openssh時,configure報錯:
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-ssl-dir=/usr/include/openssl --with-md5-passwords --mandir=/usr/share/man
.....
configure: error: *** zlib too old - check config.log ***
Your reported zlib version has known security problems. It's possible your
vendor has fixed these problems without changing the version number. If you
are sure this is the case, you can disable the check by running
"./configure --without-zlib-version-check".
If you are in doubt, upgrade zlib to version 1.2.3 or greater.
See http://www.gzip.org/zlib/ for details.
因此需要升級zlib.
3.如果操作系統是64位的,openssl-1.0.0a只生成了lib64,沒有生成lib目錄。openssh configure時,還是連接的老版本的openssl,郁悶。
4. ./configure顯示信息:
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-ssl-dir=/usr/local/openssl-1.0.0a --with-md5-passwords --mandir=/usr/share/man --with-zlib=/usr/local/zlib-1.2.5
顯示信息:
OpenSSH has been configured with the following options:
User binaries: /usr/bin
System binaries: /usr/sbin
Configuration files: /etc/ssh
Askpass program: /usr/libexec/ssh-askpass
Manual pages: /usr/share/man/manX
PID file: /var/run
Privilege separation chroot path: /var/empty
sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin
Manpage format: doc
PAM support: yes
OSF SIA support: no
KerberosV support: no
SELinux support: no
Smartcard support:
S/KEY support: no
TCP Wrappers support: no
MD5 password support: yes
libedit support: no
Solaris process contract support: no
IP address in $DISPLAY hack: no
Translate v4 in v6 hack: yes
BSD Auth support: no
Random number source: OpenSSL internal ONLY
Host: i686-pc-linux-gnu
Compiler: gcc
Compiler flags: -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -fno-builtin-memset -std=gnu99
Preprocessor flags: -I/usr/local/openssl-1.0.0a/include -I/usr/local/zlib-1.2.5/include
Linker flags: -L/usr/local/openssl-1.0.0a/lib -L/usr/local/zlib-1.2.5/lib
Libraries: -lresolv -lcrypto -ldl -lutil -lz -lnsl -lcrypt
+for sshd: -lpam
PAM is enabled. You may need to install a PAM control file
for sshd, otherwise password authentication may fail.
Example PAM control files can be found in the contrib/
subdirectory