Upgrade OpenSSH

CentOS 7: upgrade OpenSSH

CentOS 7 no longer receives official package updates, so the stock OpenSSH cannot be upgraded from the repositories; build the new version from source instead.

Download from the official sites

https://zlib.net/
https://openssl-library.org/source/
https://www.openssh.com/portable.html

zlib

wget https://zlib.net/zlib-1.3.1.tar.gz
tar xf zlib-1.3.1.tar.gz
cd zlib-1.3.1
./configure --prefix=/usr/local/zlib-1.3.1
make               # build as an unprivileged user; only the install step needs root
sudo make install

openssl

wget https://github.com/openssl/openssl/releases/download/openssl-3.5.2/openssl-3.5.2.tar.gz
tar xf openssl-3.5.2.tar.gz
cd openssl-3.5.2
./Configure \
--prefix=/usr/local/openssl-3.5.2 \
--openssldir=/usr/local/openssl-3.5.2/ssl \
enable-fips \
shared
make
sudo make install  # with enable-fips this also installs the FIPS provider module

openssh

wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-10.0p2.tar.gz
wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-10.0p2.tar.gz.asc
wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/RELEASE_KEY.asc
gpg --import RELEASE_KEY.asc
gpg --verify openssh-10.0p2.tar.gz.asc openssh-10.0p2.tar.gz   # must report "Good signature"

gpg --edit-key 736060BA
gpg> trust
# then choose 5 = I trust ultimately
gpg> quit

The line that matters is "Good signature"; raising the trust level only silences the warning that the key is not certified. Because RELEASE_KEY.asc was fetched from the same server as the tarball, compare the fingerprint gpg prints with the one published on https://www.openssh.com/portable.html before trusting it.

tar zxf openssh-10.0p2.tar.gz
cd openssh-10.0p2
export PATH="/usr/local/openssl-3.5.2/bin:$PATH"
export LD_LIBRARY_PATH="/usr/local/openssl-3.5.2/lib64:$LD_LIBRARY_PATH"
./configure \
--prefix=/usr/local/ssh \
--sysconfdir=/usr/local/ssh/etc \
--with-privsep-path=/usr/local/ssh/var/empty \
--with-zlib=/usr/local/zlib-1.3.1 \
--with-ssl-dir=/usr/local/openssl-3.5.2 \
--without-openssl-header-check   # skips the header/library version check; LD_LIBRARY_PATH above must point at the same OpenSSL the headers come from
make
# make install generates the host keys in /usr/local/ssh/etc with ssh-keygen and runs sshd -t,
# so the root shell needs the new libcrypto on its library path as well
sudo LD_LIBRARY_PATH="/usr/local/openssl-3.5.2/lib64:$LD_LIBRARY_PATH" make install

Adjust the configuration

sudo cp /usr/lib/systemd/system/sshd.service /usr/lib/systemd/system/sshd.service.bak

/usr/lib/systemd/system/sshd.service
[Service]
...
Environment="LD_LIBRARY_PATH=/usr/local/openssl-3.5.2/lib64:/usr/local/zlib-1.3.1/lib"
ExecStart=/usr/local/ssh/sbin/sshd -D -f /usr/local/ssh/etc/sshd_config
...

Note that /usr/lib/systemd/system/sshd.service belongs to the stock openssh-server package and a package update overwrites it. A drop-in under /etc/systemd/system/sshd.service.d/ (created with systemctl edit sshd) survives updates; in a drop-in, ExecStart must first be cleared with an empty ExecStart= line before the new one is set.

/usr/local/ssh/etc/sshd_config

Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
ChallengeResponseAuthentication no
MaxAuthTries 3
MaxSessions 2
TCPKeepAlive no
ClientAliveInterval 300
ClientAliveCountMax 2
AllowUsers garlic

AllowUsers garlic already blocks every other account, root included, but password logins for garlic stay enabled because PasswordAuthentication defaults to yes; add PasswordAuthentication no if key-only access is intended. ChallengeResponseAuthentication is the old name for KbdInteractiveAuthentication and is still accepted. The KexAlgorithms line also drops the post-quantum hybrid mlkem768x25519-sha256 that OpenSSH 10.0 prefers by default; if your clients support it, keep it first in the list.
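Before restarting, it is worth proving that the binary systemd will start is linked against the OpenSSL and zlib just built, and that the effective configuration is what the fragment above intends. The script below is an added example written for this page, not code from the post or from the OpenSSH project. It assumes the /usr/local/ssh, /usr/local/openssl-3.5.2 and /usr/local/zlib-1.3.1 paths used above; the ldd and sshd -T samples embedded in it are constructed for the self-test, not captured from a real host.

```shell
#!/bin/sh
# Pre-restart checks for the source-built sshd. Added example, not part of the
# original post; assumes the install paths used in the build above.
set -eu

SSHD=${SSHD:-/usr/local/ssh/sbin/sshd}
SSHD_CONFIG=${SSHD_CONFIG:-/usr/local/ssh/etc/sshd_config}
OPENSSL_PREFIX=${OPENSSL_PREFIX:-/usr/local/openssl-3.5.2}
ZLIB_PREFIX=${ZLIB_PREFIX:-/usr/local/zlib-1.3.1}

# check_libs: reads `ldd sshd` output on stdin; succeeds only when libssl and
# libcrypto resolve under $1 and libz under $2. "not found" means the library
# path is missing; a /lib64 path means the CentOS 7 system library was picked up.
check_libs() {
    ssl_prefix=$1
    z_prefix=$2
    found=0
    bad=0
    while IFS= read -r line; do
        case $line in
            *libssl.so*|*libcrypto.so*)
                case $line in
                    *"=> $ssl_prefix/"*) found=$((found + 1)) ;;
                    *) bad=$((bad + 1)) ;;
                esac ;;
            *libz.so*)
                case $line in
                    *"=> $z_prefix/"*) found=$((found + 1)) ;;
                    *) bad=$((bad + 1)) ;;
                esac ;;
        esac
    done
    if [ "$bad" -eq 0 ] && [ "$found" -eq 3 ]; then return 0; else return 1; fi
}

# check_effective_config: reads `sshd -T` output (effective config, lower-cased
# keywords) on stdin; fails if password logins are still on or a CBC cipher or
# SHA-1 MAC/KEX slipped back in through a typo in the algorithm lists.
check_effective_config() {
    rc=0
    while IFS= read -r line; do
        case $line in
            "passwordauthentication yes") echo "FAIL: $line"; rc=1 ;;
            "ciphers "*cbc*|"macs "*sha1*|"kexalgorithms "*sha1*)
                echo "FAIL: weak algorithm: $line"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed samples (not captured from a real host) for the offline self-test.
SAMPLE_LDD_OK='libcrypto.so.3 => /usr/local/openssl-3.5.2/lib64/libcrypto.so.3 (0x00007f01)
libssl.so.3 => /usr/local/openssl-3.5.2/lib64/libssl.so.3 (0x00007f02)
libz.so.1 => /usr/local/zlib-1.3.1/lib/libz.so.1 (0x00007f03)
libc.so.6 => /lib64/libc.so.6 (0x00007f04)'
SAMPLE_LDD_BAD='libcrypto.so.3 => not found
libssl.so.3 => not found
libz.so.1 => /lib64/libz.so.1 (0x00007f05)'
SAMPLE_T_OK='ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
macs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org
passwordauthentication no'
SAMPLE_T_BAD='ciphers aes128-cbc,chacha20-poly1305@openssh.com
macs hmac-sha1
passwordauthentication yes'

# selftest: good samples must pass, bad samples must be rejected.
selftest() {
    printf '%s\n' "$SAMPLE_LDD_OK"  | check_libs "$OPENSSL_PREFIX" "$ZLIB_PREFIX" || return 1
    printf '%s\n' "$SAMPLE_LDD_BAD" | check_libs "$OPENSSL_PREFIX" "$ZLIB_PREFIX" && return 1
    printf '%s\n' "$SAMPLE_T_OK"    | check_effective_config >/dev/null || return 1
    printf '%s\n' "$SAMPLE_T_BAD"   | check_effective_config >/dev/null && return 1
    return 0
}

# main: the real checks; run as root, since sshd -t/-T read the host keys.
main() {
    export LD_LIBRARY_PATH="$OPENSSL_PREFIX/lib64:$ZLIB_PREFIX/lib"  # same value as the unit file
    "$SSHD" -t -f "$SSHD_CONFIG"                                     # config syntax and host keys
    ldd "$SSHD" | check_libs "$OPENSSL_PREFIX" "$ZLIB_PREFIX"
    "$SSHD" -T -f "$SSHD_CONFIG" | check_effective_config
    echo "all checks passed; keep this session open while restarting sshd"
}

selftest                          # always runs, exercises the checks offline
if [ -x "$SSHD" ]; then main; fi  # real checks only where the new sshd exists
```

Save it under any name (check-sshd.sh is an assumed name) and run it with sudo on the CentOS 7 host after make install and before systemctl restart sshd. A "not found" for libcrypto.so.3 means the LD_LIBRARY_PATH in the unit file is wrong; libz.so.1 resolving to /lib64 means the old system zlib is silently in use, which the matching soname would otherwise hide.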

Restart the service

sudo systemctl daemon-reload
sudo systemctl restart sshd
sudo systemctl status sshd

Keep the current SSH session open until a fresh login through the new sshd succeeds; if the restart fails, that session is the only way back in.


Ubuntu: upgrade OpenSSH

sudo apt update
sudo apt install --only-upgrade openssh-server openssh-client

This is not the newest upstream version, but Ubuntu backports security fixes into its packaged version, so the version string alone does not tell you whether a given CVE is fixed; check the package changelog instead.

On Ubuntu releases where sshd is socket-activated (ssh.socket), changing Port in sshd_config also requires sudo systemctl daemon-reload and a restart of ssh.socket, because the listening port is owned by the socket unit rather than by sshd itself.


Image from 曾彥博
