Upgrading OpenSSH

CentOS 7: upgrading OpenSSH

CentOS 7 is no longer officially supported and gets no updated packages, so OpenSSH is built from source here, together with a current zlib and OpenSSL, each into its own prefix so the distribution's libraries stay untouched. Build as an unprivileged user; only the make install steps need sudo.

Download from the official sites:
https://zlib.net/
https://openssl-library.org/source/
https://www.openssh.com/portable.html

zlib
wget https://zlib.net/zlib-1.3.1.tar.gz
tar xf zlib-1.3.1.tar.gz
cd zlib-1.3.1
./configure --prefix=/usr/local/zlib-1.3.1
make
sudo make install

openssl
wget https://github.com/openssl/openssl/releases/download/openssl-3.5.2/openssl-3.5.2.tar.gz
tar xf openssl-3.5.2.tar.gz
cd openssl-3.5.2
./Configure \
--prefix=/usr/local/openssl-3.5.2 \
--openssldir=/usr/local/openssl-3.5.2/ssl \
enable-fips \
shared
make
sudo make install

enable-fips builds the FIPS provider module; sshd does not need it, so the option can be dropped if FIPS mode is not a requirement. Because the library is built shared into a non-standard prefix, everything that links against it (the OpenSSH build below and the sshd service) needs /usr/local/openssl-3.5.2/lib64 in LD_LIBRARY_PATH.

openssh
wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-10.0p2.tar.gz
wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-10.0p2.tar.gz.asc
wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/RELEASE_KEY.asc
gpg --import RELEASE_KEY.asc
gpg --verify openssh-10.0p2.tar.gz.asc openssh-10.0p2.tar.gz

The verify step must report "Good signature". The "This key is not certified with a trusted signature!" warning only says the key has not been marked trusted in your keyring; it does not mean the signature is bad. Since the key was fetched from the same server as the tarball, compare its fingerprint (gpg --fingerprint 736060BA) with a copy obtained elsewhere (an OpenSSH release announcement, or a keyring you already had) before marking it trusted:

gpg --edit-key 736060BA
gpg> trust
# then choose 5 = I trust ultimately
gpg> quit

tar zxf openssh-10.0p2.tar.gz
cd openssh-10.0p2
export PATH="/usr/local/openssl-3.5.2/bin:$PATH"
export LD_LIBRARY_PATH="/usr/local/openssl-3.5.2/lib64:$LD_LIBRARY_PATH"
./configure \
--prefix=/usr/local/ssh \
--sysconfdir=/usr/local/ssh/etc \
--with-privsep-path=/usr/local/ssh/var/empty \
--with-zlib=/usr/local/zlib-1.3.1 \
--with-ssl-dir=/usr/local/openssl-3.5.2 \
--without-openssl-header-check
make
# make install runs the freshly built ssh-keygen to create host keys in
# /usr/local/ssh/etc, so it must find the new libcrypto as well
sudo LD_LIBRARY_PATH="/usr/local/openssl-3.5.2/lib64:$LD_LIBRARY_PATH" make install

--without-openssl-header-check disables the check that the OpenSSL headers match the library actually linked, so confirm in the configure output that both the header and the library version found are 3.5.2 and not the system's 1.0.2; otherwise the build silently ends up on the old OpenSSL. The privilege-separation user sshd already exists from the distribution package, and make install creates /usr/local/ssh/var/empty with the permissions sshd requires.

Adjusting the configuration

Back up the unit file first:
sudo cp /usr/lib/systemd/system/sshd.service /usr/lib/systemd/system/sshd.service.bak

/usr/lib/systemd/system/sshd.service
[Service]
Environment="LD_LIBRARY_PATH=/usr/local/openssl-3.5.2/lib64:/usr/local/zlib-1.3.1/lib"
ExecStart=/usr/local/ssh/sbin/sshd -D -f /usr/local/ssh/etc/sshd_config

The Environment= line has to sit in the [Service] section; without it the new sshd fails at start because it cannot load libcrypto.so.3 from the non-standard prefix. Files under /usr/lib/systemd/system belong to the package and are overwritten if openssh-server is ever updated by yum; a drop-in at /etc/systemd/system/sshd.service.d/override.conf with the same two lines (preceded by an empty ExecStart= line, since ExecStart is additive) survives that.

/usr/local/ssh/etc/sshd_config

Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
ChallengeResponseAuthentication no
MaxAuthTries 3
MaxSessions 2
TCPKeepAlive no
ClientAliveInterval 300
ClientAliveCountMax 2
AllowUsers garlic

garlic is the author's login; put your own account(s) there, because AllowUsers rejects every user not listed, root included. ChallengeResponseAuthentication is the old name of KbdInteractiveAuthentication and is still accepted as an alias. This file is separate from the distribution's /etc/ssh/sshd_config, so any setting you relied on there has to be carried over. The same goes for host keys: make install generated fresh ones in /usr/local/ssh/etc, and every client will see a "host key has changed" warning unless you copy the existing ssh_host_*_key files from /etc/ssh over them (or point HostKey at /etc/ssh).

Restarting the service

Keep your current SSH session open while doing this, and check the new binary against the new config before the restart (sudo /usr/local/ssh/sbin/sshd -t -f /usr/local/ssh/etc/sshd_config, with the same LD_LIBRARY_PATH as in the unit file); on a remote host a failed restart otherwise means a trip to the console.

sudo systemctl daemon-reload
sudo systemctl restart sshd
sudo systemctl status sshd

Then, from a second terminal, confirm that a new login works and that the server banner is the new version (nc host 22 prints SSH-2.0-OpenSSH_10.0; ssh -V shows the client side).
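sshd -T prints the effective configuration, i.e. the new version's defaults merged with /usr/local/ssh/etc/sshd_config, which is what actually matters after the restart. The script below is an added example and not code from the original post: it syntax-checks the config with the new binary, then audits the effective algorithm lists and two of the settings above. The paths are the ones used in this post; the list of "weak" algorithms and the MaxAuthTries/AllowUsers checks are an assumed policy derived from the sshd_config above, and the sample sshd -T output embedded in it is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not code from the original post: audit the *effective* sshd
# configuration (as printed by `sshd -T`) before restarting the service.
# Paths are the ones used in the post; WEAK_ALGS and the maxauthtries /
# allowusers checks are an assumed policy derived from the sshd_config above.

SSHD=${SSHD:-/usr/local/ssh/sbin/sshd}
CONF=${CONF:-/usr/local/ssh/etc/sshd_config}
export LD_LIBRARY_PATH="/usr/local/openssl-3.5.2/lib64:/usr/local/zlib-1.3.1/lib:${LD_LIBRARY_PATH:-}"

# Algorithms that must not appear in ciphers/macs/kexalgorithms. Matched one
# algorithm per line after splitting the comma-separated value.
WEAK_ALGS='^(.*-cbc|arcfour.*|3des-.*|hmac-md5.*|hmac-sha1.*|umac-64.*|diffie-hellman-group1-sha1|diffie-hellman-group14-sha1|diffie-hellman-group-exchange-sha1)$'

# get_keyword KEY: print the value of KEY from `sshd -T` output read on stdin.
# sshd -T prints one lowercase keyword per line with the value in field 2.
get_keyword() {
    awk -v k="$1" '$1 == k { print $2; exit }'
}

# audit_config: read `sshd -T` output on stdin and print one line per finding.
# Returns 0 when the policy is met, 1 otherwise.
audit_config() {
    cfg=$(cat)
    rc=0
    for kw in ciphers macs kexalgorithms; do
        val=$(printf '%s\n' "$cfg" | get_keyword "$kw")
        if [ -z "$val" ]; then
            echo "MISSING $kw"
            rc=1
            continue
        fi
        weak=$(printf '%s\n' "$val" | tr ',' '\n' | grep -Ei "$WEAK_ALGS" | tr '\n' ' ')
        if [ -n "$weak" ]; then
            echo "WEAK $kw: $weak"
            rc=1
        fi
    done
    tries=$(printf '%s\n' "$cfg" | get_keyword maxauthtries)
    if [ -z "$tries" ] || [ "$tries" -gt 3 ]; then
        echo "POLICY maxauthtries=${tries:-unset} (want 3 or less)"
        rc=1
    fi
    if [ -z "$(printf '%s\n' "$cfg" | get_keyword allowusers)" ]; then
        echo "POLICY allowusers not set: every account may log in"
        rc=1
    fi
    return $rc
}

# audit_live: syntax-check CONF with the new binary, then audit the effective
# configuration it would start with. Only works on the host with the new build.
audit_live() {
    "$SSHD" -t -f "$CONF" || { echo "sshd -t failed; fix $CONF before restarting"; return 1; }
    "$SSHD" -T -f "$CONF" | audit_config
}

# Constructed sample of `sshd -T` output (not captured from a real host), in
# the shape of an unhardened default config, so the checks can be shown
# without a running sshd.
SAMPLE_DEFAULT='ciphers chacha20-poly1305@openssh.com,aes128-ctr,aes128-cbc,3des-cbc
macs umac-64-etm@openssh.com,hmac-sha2-256,hmac-sha1
kexalgorithms curve25519-sha256,diffie-hellman-group14-sha1
maxauthtries 6'

if [ -x "$SSHD" ]; then
    audit_live
else
    echo "$SSHD not found; auditing the constructed sample instead"
    printf '%s\n' "$SAMPLE_DEFAULT" | audit_config || echo "sample rejected (expected)"
fi
```

Run it as root on the upgraded host before systemctl restart sshd; a non-zero exit or any WEAK/POLICY line means the config should be fixed first. Because sshd -T resolves defaults too, an algorithm you never wrote but that the new version enables by default still shows up here.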

 

Ubuntu: upgrading OpenSSH

sudo apt update
sudo apt install --only-upgrade openssh-server openssh-client

This is not the newest upstream release, but Ubuntu's package backports the security fixes, so the version number alone says nothing about exposure; apt changelog openssh-server lists the CVEs fixed in the packaged version, and dpkg -s openssh-server shows the installed one.

Image from 曾彥博