Install a telnet server
Prerequisite for upgrading sshd safely: install a telnet server first, so you keep a way in if the new sshd fails to start.
① CentOS
yum install -y telnet-server telnet xinetd
systemctl start telnet.socket
② Debian
apt install -y telnetd telnet xinetd
If there is no telnet file under /etc/xinetd.d/, create one:
vim /etc/xinetd.d/telnet
# default: on
# description: The telnet server serves telnet sessions; it uses \
# unencrypted username/password pairs for authentication.
service telnet
{
disable = no
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/telnetd
log_on_failure += USERID
}
Restart the xinetd service
systemctl restart xinetd
Compile and install OpenSSH
Log in over telnet and do the work from that session; if anything goes wrong, the sshd installation can be restored.
1. Install the build environment
apt install -y curl libssl-dev zlib1g-dev cmake gcc libpam0g-dev libsystemd-dev
2. Compile and install OpenSSL (omitted)
3. Download the OpenSSH source
Upstream source
curl https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.6p1.tar.gz -o /usr/local/src/openssh-9.6p1.tar.gz
Mirror inside China
curl https://mirrors.aliyun.com/pub/OpenBSD/OpenSSH/portable/openssh-9.6p1.tar.gz -o /usr/local/src/openssh-9.6p1.tar.gz
4. Configure, build and install over the existing installation
cd /usr/local/src/
tar zxf /usr/local/src/openssh-9.6p1.tar.gz
cd openssh-9.6p1/
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/openssl/openssl3/lib --with-zlib --with-pam
- #./configure
- #--prefix=/usr installation directory; if not set, the binaries go to /usr/local/sbin and /usr/local/bin
- #--sysconfdir=/etc/ssh configuration file directory; if not set, defaults to /usr/local/etc
- #--with-privsep-path chroot directory for the unprivileged user
- #--with-privsep-user=sshd use sshd as the unprivileged user
- #--with-ssl-dir=/usr/local/openssl/openssl3/lib OpenSSL installation directory
- #--with-zlib zlib library installation directory
- #--with-pam enable PAM support
OpenSSH built from source has no systemd support; the following change, found on GitHub, patches the sshd source to add it:
https://gist.github.com/roommen/18cd78d07b0fbc962de4e79c1d468f92?permalink_comment_id=4682416#gistcomment-4682416
5. Edit sshd.c
① Add the marked line:
127 #include "sk-api.h"
128 #include "srclimit.h"
129 #include "dh.h"
130 #include <systemd/sd-daemon.h> <---- this line
② Add the marked lines:
2097 /* Signal systemd that we are ready to accept connections */ <---- this line
2098 sd_notify (0, "READY=1"); <---- this line
2099
2100 /* Accept a connection and return in a forked child */
2101 server_accept_loop(&sock_in, &sock_out,
2102 &newsock, config_s);
6. Install the systemd development library
CentOS
sudo yum install -y systemd-devel
Debian
apt install -y systemd-dev
7. Update the LIBS variable in the Makefile
51 #LIBS=-ldl -lutil -lresolv
52 LIBS =-lcrypto -ldl -lutil -lz -lcrypt -lresolv -lsystemd
8. Build and install
make && make install
9. Adjust the ssh service unit (if you installed to the paths above, the service file needs no change)
vim /lib/systemd/system/ssh.service
[Unit]
Description=OpenBSD Secure Shell server
Documentation=man:sshd(8) man:sshd_config(5)
After=network.target auditd.service
ConditionPathExists=!/etc/ssh/sshd_not_to_be_run
[Service]
EnvironmentFile=-/etc/default/ssh
ExecStartPre=/usr/sbin/sshd -t
ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
ExecReload=/usr/sbin/sshd -t
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartPreventExitStatus=255
Type=notify
RuntimeDirectory=sshd
RuntimeDirectoryMode=0755
[Install]
WantedBy=multi-user.target
Alias=sshd.service
10. Update sshd_config
Compare sshd_config and ssh_config against your previous configuration and carry over the settings you need
vim /etc/ssh/sshd_config
......
11. Reload the service
systemctl daemon-reload
systemctl restart sshd
12. Symlink the new sftp-server
rm /usr/lib/sftp-server
ln -s /usr/libexec/sftp-server /usr/lib/sftp-server
13. Check the version
ssh -V
OpenSSH_9.6p1, OpenSSL 3.2.1 30 Jan 2024
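As an added example (not part of the original post), a POSIX sh script that verifies the end state of the procedure above: the version `ssh -V` reports, that the rebuilt sshd is really linked against libsystemd (otherwise `Type=notify` in ssh.service makes systemd wait for a readiness signal that never comes and then kill the service), that the telnet fallback from the first step has been switched back off, and that the sftp-server symlink points at the new binary. The paths, the minimum version and the `--run` flag are assumptions.

```shell
#!/bin/sh
# Post-upgrade checks for the source-built sshd described above.
# Added example, not from the original post; paths and the minimum
# version are assumptions taken from this write-up.
MIN_VERSION=9.6p1
SSHD_BIN=/usr/sbin/sshd
TELNET_XINETD=/etc/xinetd.d/telnet
SFTP_LINK=/usr/lib/sftp-server
SFTP_TARGET=/usr/libexec/sftp-server
# Pull "9.6p1" out of an `ssh -V` banner such as
# "OpenSSH_9.6p1, OpenSSL 3.2.1 30 Jan 2024" (portable X.YpZ form assumed).
ssh_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*p[0-9][0-9]*\).*/\1/p'
}

# 0 when version $1 >= version $2: compare major, then minor, then portable level.
version_at_least() {
    have_major=${1%%.*}; rest=${1#*.}; have_minor=${rest%%p*}; have_p=${rest#*p}
    want_major=${2%%.*}; rest=${2#*.}; want_minor=${rest%%p*}; want_p=${rest#*p}
    [ "$have_major" -ne "$want_major" ] && { [ "$have_major" -gt "$want_major" ]; return; }
    [ "$have_minor" -ne "$want_minor" ] && { [ "$have_minor" -gt "$want_minor" ]; return; }
    [ "$have_p" -ge "$want_p" ]
}

# 0 when the xinetd telnet fallback is off again: file absent, or "disable = yes".
telnet_fallback_disabled() {
    [ -f "$1" ] || return 0
    grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$1"
}

# 0 when $1 is a symlink whose target is exactly $2.
symlink_points_to() {
    [ -L "$1" ] && [ "$(readlink "$1")" = "$2" ]
}

main() {
    rc=0
    ver=$(ssh_version_from_banner "$(ssh -V 2>&1)")
    version_at_least "${ver:-0.0p0}" "$MIN_VERSION" || { echo "FAIL: ssh is '${ver:-unknown}', want >= $MIN_VERSION"; rc=1; }
    # Type=notify only works if sshd calls sd_notify, i.e. was linked against libsystemd.
    ldd "$SSHD_BIN" 2>/dev/null | grep -q libsystemd || { echo "FAIL: $SSHD_BIN is not linked against libsystemd"; rc=1; }
    telnet_fallback_disabled "$TELNET_XINETD" || { echo "FAIL: telnet still enabled in $TELNET_XINETD"; rc=1; }
    symlink_points_to "$SFTP_LINK" "$SFTP_TARGET" || { echo "FAIL: $SFTP_LINK does not point at $SFTP_TARGET"; rc=1; }
    [ "$rc" -eq 0 ] && echo "all checks passed"
    return "$rc"
}

# Live checks run only when invoked as `sh check_sshd.sh --run`, so sourcing is side-effect free.
if [ "${1-}" = "--run" ]; then main; fi
```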