Upgrading OpenSSH on CentOS 7#
CentOS 7 is end of life and no longer receives packaged OpenSSH updates, so the upgrade has to be built from source (together with a current zlib and OpenSSL, which the system packages are too old to provide).
Official download address#
1. Install zlib#

```bash
wget https://zlib.net/zlib-1.3.1.tar.gz
# Check the detached signature or checksum published next to the tarball before unpacking it
tar xf zlib-1.3.1.tar.gz
cd zlib-1.3.1
./configure --prefix=/usr/local/zlib-1.3.1
make              # build as an unprivileged user; only the install step needs root
sudo make install
```
2. Install OpenSSL#

```bash
wget https://github.com/openssl/openssl/releases/download/openssl-3.6.1/openssl-3.6.1.tar.gz
# Check the .sha256 / .asc published with the GitHub release before unpacking it
tar xf openssl-3.6.1.tar.gz
cd openssl-3.6.1
# gcc 4.8 on CentOS 7 defaults to gnu90, so C99 mode is selected explicitly.
# no-asm drops the assembly implementations (slower, but avoids assembler
# errors from the old binutils); enable-fips also builds the FIPS provider.
CFLAGS="-std=c99 -D_GNU_SOURCE" ./config \
    --prefix=/usr/local/openssl-3.6.1 \
    --openssldir=/usr/local/openssl-3.6.1/ssl \
    enable-fips \
    shared \
    no-asm
make
sudo make install
```
3. Install OpenSSH#

```bash
# Download the tarball, its detached signature and the release key
wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-10.2p1.tar.gz
wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-10.2p1.tar.gz.asc
wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/RELEASE_KEY.asc
# Import the key and compare its fingerprint with the one published by the
# OpenSSH project before trusting it: the key file came from the same server
# as the tarball, so on its own it proves nothing
gpg --import RELEASE_KEY.asc
gpg --fingerprint 736060BA
gpg --edit-key 736060BA
# type: trust
# choose: 4 = I trust fully   (ultimate trust is meant for your own keys)
# type: quit
gpg --verify openssh-10.2p1.tar.gz.asc openssh-10.2p1.tar.gz   # must report "Good signature"
# Build and install
tar zxf openssh-10.2p1.tar.gz
cd openssh-10.2p1
export PATH="/usr/local/openssl-3.6.1/bin:$PATH"
export LD_LIBRARY_PATH="/usr/local/openssl-3.6.1/lib64:/usr/local/zlib-1.3.1/lib:$LD_LIBRARY_PATH"
# --without-openssl-header-check disables the header/library version
# comparison; with LD_LIBRARY_PATH set as above the check should pass, so keep
# the flag only if configure fails with a version mismatch
./configure \
    --prefix=/usr/local/ssh \
    --sysconfdir=/usr/local/ssh/etc \
    --with-privsep-path=/usr/local/ssh/var/empty \
    --with-zlib=/usr/local/zlib-1.3.1 \
    --with-ssl-dir=/usr/local/openssl-3.6.1 \
    --without-openssl-header-check
make
# make install runs the freshly built ssh-keygen to create host keys, so the
# new libcrypto and libz must be on the library path of the root shell too
sudo LD_LIBRARY_PATH="/usr/local/openssl-3.6.1/lib64:/usr/local/zlib-1.3.1/lib:$LD_LIBRARY_PATH" make install
```
4. Configure the systemd service#
Back up the original unit:

```bash
sudo cp /usr/lib/systemd/system/sshd.service /usr/lib/systemd/system/sshd.service.bak
```

Edit /usr/lib/systemd/system/sshd.service so that the [Service] section points at the new binary. Replace the existing ExecStart= line rather than adding a second one, and keep in mind that a reinstall of the openssh-server package overwrites this file; a drop-in under /etc/systemd/system/sshd.service.d/ survives that. The LD_LIBRARY_PATH is needed because sshd was linked against the OpenSSL and zlib under /usr/local; baking an rpath to those directories into the binary at link time would make it unnecessary.

```ini
[Service]
Environment="LD_LIBRARY_PATH=/usr/local/openssl-3.6.1/lib64:/usr/local/zlib-1.3.1/lib"
ExecStart=/usr/local/ssh/sbin/sshd -D -f /usr/local/ssh/etc/sshd_config
```
5. Security configuration#
Edit /usr/local/ssh/etc/sshd_config. sshd uses the first value it reads for each keyword, so place these lines above any existing Ciphers, MACs or KexAlgorithms lines (or remove those) instead of appending them at the end of the file. Note that OpenSSH 10 negotiates the post-quantum hybrid mlkem768x25519-sha256 by default; limiting KexAlgorithms to the two curve25519 entries switches it off, so add mlkem768x25519-sha256 in front of them if you want to keep it. AllowUsers locks out every account it does not list, so keep your current session open until the new daemon has been tested.

```text
# Cryptographic algorithms
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
# Security options
# (ChallengeResponseAuthentication is a deprecated alias of KbdInteractiveAuthentication in current releases)
ChallengeResponseAuthentication no
MaxAuthTries 3
MaxSessions 2
TCPKeepAlive no
ClientAliveInterval 300
ClientAliveCountMax 2
# Replace with the real user name(s)
AllowUsers username
```
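Because sshd honours the first occurrence of a keyword, a hardening block pasted below directives that a default install already wrote is silently ignored. The following script, an added example that is not part of the original article, prints the effective value of a directive and checks the whole block above against a config file. It reads only the global section (everything before the first Match line), assumes current OpenSSH syntax (unquoted `#` starts a comment, keyword and value separated by whitespace), and the sample configs it writes to a temporary file are constructed for the demonstration, not taken from a real host.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: audit which value of each
# sshd_config directive is actually in effect. sshd_config(5) says the FIRST
# obtained value for a keyword is used, so a hardening block appended to a
# file that already sets Ciphers or MaxAuthTries changes nothing.

# sshd_effective FILE KEYWORD -> prints the effective value, nothing if unset.
# Stops at the first "Match" line: values below it apply conditionally.
sshd_effective() {
    local file="$1" key
    key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')"
    awk -v key="$key" '
        { sub(/#.*/, "") }                 # drop comments (re-splits fields)
        NF == 0 { next }                   # skip blank lines
        tolower($1) == "match" { exit }    # global section ends here
        tolower($1) == key {               # first occurrence wins
            $1 = ""
            sub(/^[ \t]+/, "")
            print
            exit
        }
    ' "$file"
}

# check_sshd_hardening FILE -> 0 if every directive below has the intended
# effective value, 1 otherwise (one MISMATCH line per directive on stdout).
check_sshd_hardening() {
    local file="$1" rc=0 key want got
    while IFS='|' read -r key want; do
        got="$(sshd_effective "$file" "$key")"
        if [ "$got" != "$want" ]; then
            printf 'MISMATCH %s: effective=%s expected=%s\n' \
                "$key" "${got:-<unset>}" "$want"
            rc=1
        fi
    done <<'EOF'
Ciphers|chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs|hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms|curve25519-sha256,curve25519-sha256@libssh.org
MaxAuthTries|3
MaxSessions|2
EOF
    return "$rc"
}

# sample_sshd_config [fixed] -> path of a constructed config (not from a real
# host). Default: install-time directives first, hardening block appended.
# "fixed": hardening block placed first, conflicting lines removed.
sample_sshd_config() {
    local f
    f="$(mktemp)"
    if [ "${1:-appended}" = fixed ]; then
        cat >"$f" <<'EOF'
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
MaxAuthTries 3
MaxSessions 2
Port 22
Match User backup
    MaxSessions 10
EOF
    else
        cat >"$f" <<'EOF'
Port 22
Ciphers aes128-cbc,3des-cbc
MaxAuthTries 6

# hardening block appended later
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org
MaxAuthTries 3
MaxSessions 2
Match User backup
    MaxSessions 10
EOF
    fi
    printf '%s\n' "$f"
}

cfg="$(sample_sshd_config)"
printf 'effective Ciphers: %s\n' "$(sshd_effective "$cfg" Ciphers)"  # the weak, earlier line
check_sshd_hardening "$cfg" || echo "hardening NOT in effect: move the block above the existing directives"
rm -f "$cfg"
```

Run it against the real file with `sshd_effective /usr/local/ssh/etc/sshd_config Ciphers` after editing; `sshd -T` prints the same effective configuration from sshd's own parser and is the authoritative check, this script just makes the first-wins rule visible without starting the daemon.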
6. Restart the service#
Before restarting, validate the new configuration with the new binary (`sudo /usr/local/ssh/sbin/sshd -t -f /usr/local/ssh/etc/sshd_config`, with the same LD_LIBRARY_PATH as in the unit); a typo in sshd_config otherwise leaves the host with no listening sshd. Keep the existing session open and test a fresh login before closing it.

```bash
sudo systemctl daemon-reload
sudo systemctl restart sshd
sudo systemctl status sshd
```
Upgrading OpenSSH on Ubuntu#
The version in Ubuntu's repositories is not the newest, but security fixes are backported to it, so the packaged version is the recommended choice:

```bash
sudo apt update
sudo apt install --only-upgrade openssh-server openssh-client
```

Note: on Ubuntu releases that start sshd through socket activation (ssh.socket, 22.10 and later), the listening port comes from the socket unit rather than directly from sshd_config, so after changing Port you have to run sudo systemctl daemon-reload and restart ssh.socket for the new port to take effect.
Verify the upgrade#

```bash
# Show the client version. On the CentOS build this reports whichever ssh is
# first in PATH (still /usr/bin/ssh unless PATH was changed); the new binaries
# live under /usr/local/ssh/bin, and the daemon's version is what it announces
# in its banner on port 22, not what ssh -V prints.
ssh -V
# Test a connection
ssh -T user@localhost
```
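`ssh -V` only tells you about the client, so the check that matters after the CentOS build is what the daemon on port 22 announces. The script below, an added example that is not part of the original article, reads the server's identification string (the first line sshd sends, e.g. `SSH-2.0-OpenSSH_10.2`), extracts the OpenSSH version and compares it with the version you expect. The live banner grab assumes a bash with /dev/tcp support; the banners in the demonstration are constructed, not captured from a real host.

```shell
#!/usr/bin/env bash
# Added example, not from the original article: confirm that the daemon
# listening on port 22 is the upgraded one by reading its identification
# string (RFC 4253 section 4.2). Vanilla portable builds announce
# "SSH-2.0-OpenSSH_10.2"; distro packages may add a suffix such as
# "SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13".

# grab_ssh_banner HOST [PORT] -> prints the server's identification line
# (bash only: uses /dev/tcp and read -t)
grab_ssh_banner() {
    local host="$1" port="${2:-22}" line
    exec 3<>"/dev/tcp/$host/$port" || return 1
    IFS= read -r -t 5 line <&3
    exec 3>&-
    printf '%s\n' "${line%$'\r'}"
}

# ssh_banner_version BANNER -> "MAJOR.MINOR" for an OpenSSH banner, empty otherwise
ssh_banner_version() {
    printf '%s\n' "$1" |
        sed -n 's/^SSH-2\.0-OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*$/\1/p'
}

# version_ge A B -> 0 if MAJOR.MINOR version A >= B (numeric, so 10.0 > 9.9)
version_ge() {
    local a_major="${1%%.*}" a_minor="${1#*.}" b_major="${2%%.*}" b_minor="${2#*.}"
    [ "$a_major" -gt "$b_major" ] ||
        { [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -ge "$b_minor" ]; }
}

# check_sshd_upgraded BANNER EXPECTED -> 0 if the banner is OpenSSH >= EXPECTED,
# 1 if it is older, 2 if it is not an OpenSSH banner at all
check_sshd_upgraded() {
    local got
    got="$(ssh_banner_version "$1")"
    if [ -z "$got" ]; then
        echo "unrecognised banner: $1" >&2
        return 2
    fi
    version_ge "$got" "$2"
}

# Constructed banners (not captured from a real host)
old_banner='SSH-2.0-OpenSSH_7.4'    # what the CentOS 7 packaged sshd sends
new_banner='SSH-2.0-OpenSSH_10.2'   # what the freshly built sshd should send
check_sshd_upgraded "$new_banner" 10.2 && echo "new sshd is serving"
check_sshd_upgraded "$old_banner" 10.2 || echo "old sshd still serving, check ExecStart in the unit"
# Live use against the host you just restarted:
#   check_sshd_upgraded "$(grab_ssh_banner 127.0.0.1 22)" 10.2
```

If the live check still reports the old version after `systemctl restart sshd`, the unit is still starting /usr/sbin/sshd (or a second sshd is bound to the port); `ss -ltnp 'sport = :22'` shows which binary owns the listener.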
Reference source: 曾彥博