整體升級openssl至1.1.1g及openssh8.3p1

2020-10-22 14:00:58

全部操作請以 root 執行。動手前先確認有主機的帶外控制台(iDRAC/IPMI/虛擬機主控台)可用，並先在測試機演練：步驟中會移除系統的 openssl 與 openssh 套件，目前的 ssh 連線一旦中斷，沒有控制台就無法再登入。
一、前序準備條件
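# Fetch over TLS and verify before anything is compiled and installed as root:
# an unauthenticated http:// download is exactly the artefact a network attacker
# can swap for a backdoored tarball.
wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.3p1.tar.gz
wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.3p1.tar.gz.asc
wget https://www.openssl.org/source/openssl-1.1.1g.tar.gz
wget https://www.openssl.org/source/openssl-1.1.1g.tar.gz.sha256

# OpenSSL publishes the SHA-256 digest next to the tarball; this must print "OK".
echo "$(cat openssl-1.1.1g.tar.gz.sha256)  openssl-1.1.1g.tar.gz" | sha256sum -c -
# OpenSSH releases are signed with the project's release key (import it from the
# OpenSSH site first); this must report a good signature from that key.
gpg --verify openssh-8.3p1.tar.gz.asc openssh-8.3p1.tar.gz

# Keep the vendor libssl/libcrypto so yum/curl can be revived in section 4.
# The pattern matches only the versioned files, not the libssl.so.10 /
# libcrypto.so.10 soname links; section 4 recreates those by hand.
mkdir -p /data/lib64-bak
cp -p /usr/lib64/libssl.so.1.* /data/lib64-bak/
cp -p /usr/lib64/libcrypto.so.1.* /data/lib64-bak/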

二、升級openssl環境至openssl-1.1.1g
–(1)檢視源版本
[root@zj ~]# openssl version -a
OpenSSL 1.0.2e-fips-rhel5 01 Jul 2008

# zlib is needed both for the "./config shared zlib" OpenSSL build and for sshd's --with-zlib.
yum -y install zlib

–(2)解除安裝原有openssl

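# Show what will be removed first: the pattern matches every installed package
# whose name contains "openssl" (openssl, openssl-libs, openssl-devel, ...).
rpm -qa | grep openssl
# --nodeps erases them even though yum, curl, sshd and more depend on them. From
# here on, yum, curl and anything else linked against libssl.so.10 will fail to
# load until section 4 copies the backed-up files back, and rpm no longer tracks
# libssl/libcrypto at all, so vendor security updates for them stop. Do not run
# this without the backup from step 1 and a console/fallback login.
rpm -e --nodeps $(rpm -qa | grep openssl)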

–(3)解壓安裝
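tar zxf openssl-1.1.1g.tar.gz
cd openssl-1.1.1g
./config shared zlib
make
make test      # optional, but cheap insurance before replacing a system-wide crypto library
make install
mv /usr/bin/openssl /usr/bin/openssl.bak
mv /usr/include/openssl /usr/include/openssl.bak
ln -s /usr/local/bin/openssl /usr/bin/openssl
ln -s /usr/local/include/openssl /usr/include/openssl
# On x86_64 this build puts its libraries in /usr/local/lib64 (the directory
# step (5) below ends up symlinking by hand), so register that path with the
# loader. A drop-in under ld.so.conf.d leaves /etc/ld.so.conf itself untouched,
# and plain ASCII quoting avoids the curly brackets that would otherwise be
# written literally into the config.
echo /usr/local/lib64 > /etc/ld.so.conf.d/openssl-1.1.1.conf
ldconfig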
–(4)檢視是否升級成功
# Expect "OpenSSL 1.1.1g" here; a "cannot open shared object file: libssl.so.1.1" error means the loader path is wrong, see step (5).
openssl version -a

OpenSSL 1.1.1g  21 Apr 2020

–(5)*** 若執行 openssl 時出現 openssl: error while loading shared libraries: libssl.so.1.1: cannot open shared object file: No such file or directory，原因是本次編譯把函式庫裝在 /usr/local/lib64，而步驟(3)登記到 ld.so.conf 的是 /usr/local/lib；執行以下即可
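# Root cause: the build installed its libraries in /usr/local/lib64, but the
# loader was only told about /usr/local/lib. Fix the loader path instead of
# planting symlinks into /usr/lib64 next to the vendor-managed files, which
# mixes hand-built and packaged libraries in one directory.
echo /usr/local/lib64 > /etc/ld.so.conf.d/openssl-1.1.1.conf
ldconfig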

三、安裝 OpenSSH 8.3p1（與第一步下載並校驗的 openssh-8.3p1.tar.gz 一致；下文若出現 8.4p1，請以實際下載的版本為準，前後保持一致）
–(1)檢查openssh
# List the vendor openssh packages currently installed (clients, server, keycat ...).
rpm -qa | grep -- openssh

–(2)為避免 openssh 安裝失敗後無法登入，先準備備援登入方式。優先使用帶外控制台；若只能用 telnet，請記住它以明文傳輸帳號密碼(含 root 密碼)，只在受信任的管理網段開放 23 埠並限制來源 IP，且 sshd 確認可用後立即停用並移除 --連網或者單機傳包
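# Offline hosts: install the two packages from local copies; online hosts: yum below.
rpm -Uvh telnet-server-0.17-64.el7.x86_64.rpm
rpm -Uvh xinetd-2.3.15-13.el7.x86_64.rpm

yum -y install telnet-server xinetd
# telnet sends the login name and password in cleartext. Use it only when no
# out-of-band console exists, only from a trusted management network, and
# restrict tcp/23 to your admin host with the host firewall (a firewalld rich
# rule or an iptables rule for that single source address) before starting it.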

注意:此時 yum 若報錯，是因為步驟二已移除系統 openssl 套件(含 libssl.so.10/libcrypto.so.10)，yum 依賴的 python/curl 找不到函式庫；先執行下面「四」的還原步驟，再回到這裡繼續即可
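# Root normally may not log in on a pseudo-terminal (telnet hands out pts/N);
# these four entries allow it for the fallback. That also means the root
# password crosses the network in cleartext: logging in as an unprivileged user
# and running `su -` avoids touching /etc/securetty at all. Revert this as soon
# as the new sshd is confirmed working. printf with plain ASCII quotes replaces
# the echo -e form, whose curly quotes would have been written into the file.
printf '%s\n' pts/0 pts/1 pts/2 pts/3 >> /etc/securetty
systemctl enable xinetd.service
systemctl enable telnet.socket
systemctl start telnet.socket
systemctl start xinetd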

–(3)從管理主機以 telnet 連 23 埠驗證可登入；驗證期間不要關閉目前的 ssh 工作階段，它是最後一道退路

–(4)安裝必要的軟體:–連網或者單機傳包
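# Build prerequisites. Offline: rpm -Uvh <package>.rpm for each of
#   gcc pam pam-devel zlib zlib-devel
# Online: the yum lines below.
# openssl-devel is left out on purpose: it is the distro's 1.0.2 -devel package,
# which pulls the matching openssl-libs back in and would put 1.0.2 headers at
# /usr/include/openssl - the path step 2 pointed at the new 1.1.1 headers. sshd
# is built against the 1.1.1g tree in /usr/local instead.
yum -y update pam zlib
yum -y install gcc pam pam-devel zlib zlib-devel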

–(5)解除安裝舊的openssh

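# Erasing openssh-server is expected to stop the running sshd through the
# package's uninstall script: sessions already open survive, new SSH logins
# fail until the new sshd starts. Confirm the fallback login from (3) works
# BEFORE this line.
rpm -e --nodeps $(rpm -qa | grep openssh)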

–(6)解壓編譯

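# Use the tarball downloaded and verified in step 1 (openssh-8.3p1); the 8.4p1
# names that appeared here did not match it.
tar -zxvf openssh-8.3p1.tar.gz
cd openssh-8.3p1

# sshd will not start without its privilege-separation user. rpm -e normally
# leaves the one the vendor package created; create it only if it is gone.
getent passwd sshd >/dev/null || useradd -r -M -s /sbin/nologin -d /var/empty/sshd -c 'Privilege-separated SSH' sshd

# --with-ssl-dir takes the OpenSSL install PREFIX: for the build in step 2 the
# headers are under /usr/local/include/openssl and the libraries under
# /usr/local/lib64. /usr/local/ssl only holds openssl.cnf and certs; the old
# value appears to have worked only through the /usr/include/openssl symlink.
# --with-pam is what makes the pam/pam-devel installed in (4) matter: without
# it sshd is built with no PAM support and never consults the PAM stack
# (lockout, password-quality, access rules), whatever UsePAM says.
./configure --prefix=/usr --sysconfdir=/etc/ssh \
  --with-md5-passwords --with-zlib --with-pam \
  --with-ssl-dir=/usr/local \
  --with-privsep-path=/var/lib/sshd

make
make install

# The new daemon must resolve to the 1.1.1 libraries, not the vendor *.so.10.
ldd /usr/sbin/sshd | grep -E 'libssl|libcrypto'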

make install 若因主機金鑰權限報錯(通常是「Permissions 0640 for '/etc/ssh/ssh_host_rsa_key' are too open」一類訊息)，是因為原套件的金鑰是 0640 root:ssh_keys，而自行編譯的 sshd 要求私鑰只有 root 可讀；只需收緊私鑰(*_key)權限，.pub 公鑰維持 644 即可：

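# sshd refuses private host keys readable by anyone but root. Tighten only the
# private keys (rsa, ecdsa, ed25519 and any other *_key present); the .pub
# files must stay world-readable. Ownership is reset too, in case the vendor's
# ssh_keys group is still on them.
chmod 600 /etc/ssh/ssh_host_*_key
chown root:root /etc/ssh/ssh_host_*_key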

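# --- sshd_config ---
# sshd_config(5): for every keyword the FIRST value found wins, so a line
# appended at the end is silently ignored when the file already sets
# PermitRootLogin, and may even land inside a trailing Match block. Rewrite the
# first existing directive, append only if there is none, then read the
# effective value back. (The original echo used curly quotes; pasted as shown,
# they end up inside the file and sshd rejects the line as a bad option.)
# Decide deliberately: "no" removes root SSH access completely - this runbook
# itself runs as root - while "prohibit-password" keeps key-based root logins.
sed -i -E '0,/^[[:space:]]*#?[[:space:]]*PermitRootLogin[[:space:]].*/s//PermitRootLogin no/' /etc/ssh/sshd_config
grep -qE '^[[:space:]]*PermitRootLogin[[:space:]]' /etc/ssh/sshd_config || echo 'PermitRootLogin no' >> /etc/ssh/sshd_config
/usr/sbin/sshd -t                       # config must parse before the service is touched
/usr/sbin/sshd -T | grep -i '^permitrootlogin'

# --- init script (EL7 still runs SysV scripts through systemd's compat layer) ---
cp -p contrib/redhat/sshd.init /etc/init.d/sshd
chmod +x /etc/init.d/sshd
chkconfig --add sshd

# --- start on boot, start now ---
chkconfig sshd on
chkconfig --list sshd
service sshd start
# Open a NEW ssh session and confirm it works before closing telnet/console.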

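# --- stop the telnet fallback ---
systemctl stop telnet.socket
systemctl disable telnet.socket
systemctl stop xinetd.service
systemctl disable xinetd.service
# Undo the root-on-pty allowance that was appended to /etc/securetty for telnet,
# and remove the cleartext service so it cannot be re-enabled by accident
# (use rpm -e telnet-server if yum is still unusable at this point).
sed -i -E '/^pts\/[0-3]$/d' /etc/securetty
yum -y remove telnet-server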

四、整體驗證,及修復
–(1)測試 yum、ping、ssh、cp 等命令，以及上傳檔案、重新開啟新的 ssh 連線是否正常。注意：這一步把舊的 1.0.x libssl/libcrypto 複製回 /usr/lib64，只是讓 yum/curl 等能再運作；這些程式仍跑在舊版 OpenSSL 上，且檔案已脫離 rpm 管理、不會再收到廠商修補。真正升級到 1.1.1g 的只有 /usr/bin/openssl 與新編譯的 sshd。
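# Put the vendor 1.0.x libraries back so yum/curl/python can load libssl.so.10
# again. -p keeps mode bits and ownership, -n never clobbers a file that is
# already present.
cp -pn /data/lib64-bak/* /usr/lib64/
cd /usr/lib64/
# "ll" is an interactive alias; ls -l also works from a script.
ls -l libssl* libcrypt*
# These files are now outside rpm's control and will not receive vendor patches.
# Once yum works again, prefer `yum -y install openssl-libs` so the 1.0.x
# runtime is vendor-managed once more; that package does not ship
# /usr/bin/openssl (the separate "openssl" package does) and leaves /usr/local alone.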

–(2)將原來備份的libssl和libcrypto進行軟連線
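# Recreate the soname links yum/curl/python resolve (libssl.so.10,
# libcrypto.so.10), which the "libssl.so.1.*" backup pattern in step 1 did not
# capture. Point them at whatever versioned file was actually restored instead
# of a hard-coded name (this page shows 1.0.2e in step 2-(1) but 1.0.1e here).
# -f replaces a stale link instead of failing on it.
cd /usr/lib64
for lib in libssl libcrypto; do
  for real in "$lib".so.1.0.*; do
    [ -e "$real" ] || continue
    ln -sf "$real" "$lib.so.10"
  done
done
ldconfig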

–(3)再次驗證之前使用有問題的功能
檢視當前openssh和openssl版本
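# Client and server should both report the new versions: "ssh -V" prints the
# OpenSSL it was linked against, and ldd must show /usr/local/lib64/lib{ssl,crypto}.so.1.1
# for sshd rather than the restored /usr/lib64/*.so.10.
ssh -V
ldd /usr/sbin/sshd | grep -E 'libssl|libcrypto'
openssl version -a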