# Upgrading OpenSSH on CentOS 7

Since CentOS 7 no longer receives official support, we build from source instead.
Download from the official sites:

- https://zlib.net/
- https://openssl-library.org/source/
- https://www.openssh.com/portable.html
## zlib

```bash
wget https://zlib.net/zlib-1.3.1.tar.gz
tar xf zlib-1.3.1.tar.gz
cd zlib-1.3.1
./configure --prefix=/usr/local/zlib-1.3.1
sudo make
sudo make install
```
## openssl

```bash
wget https://github.com/openssl/openssl/releases/download/openssl-3.5.2/openssl-3.5.2.tar.gz
tar xf openssl-3.5.2.tar.gz
cd openssl-3.5.2
./Configure \
  --prefix=/usr/local/openssl-3.5.2 \
  --openssldir=/usr/local/openssl-3.5.2/ssl \
  enable-fips \
  shared
sudo make
sudo make install
```
## openssh

```bash
wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-10.0p2.tar.gz
wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-10.0p2.tar.gz.asc
wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/RELEASE_KEY.asc

# Verify the release signature before unpacking the tarball
gpg --import RELEASE_KEY.asc
gpg --verify openssh-10.0p2.tar.gz.asc
gpg --edit-key 736060BA
gpg> trust      # then choose 5 = I trust ultimately
gpg> quit

tar zxf openssh-10.0p2.tar.gz
cd openssh-10.0p2

# Point the build at the OpenSSL we just installed
export PATH="/usr/local/openssl-3.5.2/bin:$PATH"
export LD_LIBRARY_PATH="/usr/local/openssl-3.5.2/lib64:$LD_LIBRARY_PATH"
./configure \
  --prefix=/usr/local/ssh \
  --sysconfdir=/usr/local/ssh/etc \
  --with-privsep-path=/usr/local/ssh/var/empty \
  --with-zlib=/usr/local/zlib-1.3.1 \
  --with-ssl-dir=/usr/local/openssl-3.5.2 \
  --without-openssl-header-check
sudo make
sudo LD_LIBRARY_PATH="/usr/local/openssl-3.5.2/lib64:$LD_LIBRARY_PATH" make install
```
## Adjust the configuration

Back up the unit file first:

```bash
sudo cp /usr/lib/systemd/system/sshd.service /usr/lib/systemd/system/sshd.service.bak
```

Then edit `/usr/lib/systemd/system/sshd.service` so the new sshd finds the new libraries and its own config:

```ini
[Service]
...
Environment="LD_LIBRARY_PATH=/usr/local/openssl-3.5.2/lib64:/usr/local/zlib-1.3.1/lib"
ExecStart=/usr/local/ssh/sbin/sshd -D -f /usr/local/ssh/etc/sshd_config
...
```
`/usr/local/ssh/etc/sshd_config`:

```
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
ChallengeResponseAuthentication no
MaxAuthTries 3
MaxSessions 2
TCPKeepAlive no
ClientAliveInterval 300
ClientAliveCountMax 2
AllowUsers garlic
```
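A quick way to confirm that these are the values sshd will actually use, as an added check that is not part of the original post: sshd takes the first occurrence of a keyword and ignores later duplicates, keywords are case-insensitive, and anything after the first `Match` line is conditional, so the script below reads the file the same way. It assumes only a POSIX shell and awk; the expected values are the ones listed above (AllowUsers is site-specific, so it is only required to be set).

```shell
#!/bin/sh
# Added example (not from the original post): verify that the hardening
# values above are the EFFECTIVE ones in an sshd_config. Needs only sh + awk.

# sshd_get KEYWORD FILE: print the effective value of KEYWORD.
# Keywords are case-insensitive, '#' starts a comment, the FIRST occurrence
# wins, and the global section ends at the first "Match" line.
sshd_get() {
    awk -v key="$1" '
        BEGIN { key = tolower(key) }
        /^[ \t]*#/ || NF == 0 { next }
        tolower($1) == "match" { exit }
        tolower($1) == key {
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")   # drop the keyword
            sub(/[ \t]+$/, "")                # and trailing blanks
            print; exit
        }
    ' "$2"
}

# sshd_check FILE: compare each expected keyword/value, report mismatches,
# return 1 if any setting is missing or different.
sshd_check() {
    file="$1"; rc=0
    while IFS='|' read -r key want; do
        got="$(sshd_get "$key" "$file")"
        if [ "$got" != "$want" ]; then
            printf 'FAIL %-32s want "%s" got "%s"\n' "$key" "$want" "${got:-<unset>}"
            rc=1
        fi
    done <<'EOF'
Ciphers|chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs|hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms|curve25519-sha256,curve25519-sha256@libssh.org
ChallengeResponseAuthentication|no
MaxAuthTries|3
MaxSessions|2
TCPKeepAlive|no
ClientAliveInterval|300
ClientAliveCountMax|2
EOF
    # AllowUsers is site-specific: only require that it is set to something.
    if [ -z "$(sshd_get AllowUsers "$file")" ]; then
        printf 'FAIL AllowUsers is not set\n'; rc=1
    fi
    return $rc
}

# Usage: sh check_sshd_config.sh /usr/local/ssh/etc/sshd_config
if [ $# -gt 0 ]; then sshd_check "$1"; fi
```

Run it against the config before restarting sshd; a non-zero exit means a setting was appended below an earlier, different value (or inside a Match block) and will not take effect.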
## Restart the service

```bash
sudo systemctl daemon-reload
sudo systemctl restart sshd
sudo systemctl status sshd
```
# Upgrading OpenSSH on Ubuntu

```bash
sudo apt update
sudo apt install --only-upgrade openssh-server openssh-client
```

This is not the newest upstream release, but the distribution packages backport the security fixes. If you changed the listening port, run `sudo systemctl daemon-reload` afterwards.
Image from 曾彥博