Cloud Computing Encyclopedia
A professional knowledge encyclopedia platform for the cloud computing field

Installing OpenSSH 9.9p1 on a server

11.81.2.19

Upgrading OpenSSL

  • Back up the existing configuration
  • 1.1 Check the openssl version

    openssl version

    OpenSSL 1.0.2k-fips 26 Jan 2017

    1.2 Locate the openssl paths

    whereis openssl

    openssl: /usr/bin/openssl /usr/lib64/openssl /usr/include/openssl /usr/share/man/man1/openssl.1ssl.gz

    1.3 Back up the openssl files

    cp /usr/bin/openssl /usr/bin/openssl_old
    cp -r /usr/include/openssl /usr/include/openssl_old

  • Download the new openssl source
  • Download page: https://openssl-library.org/source/index.html. The version chosen is openssl-3.0.15.tar.gz, a long-term support release supported until July 2026. Upload it to the server under /data/soft.

  • Upgrade openssl
  • 3.1 Extract the archive and enter the source directory

    tar -zxvf openssl-3.0.15.tar.gz
    cd openssl-3.0.15

    3.2 Configure the openssl installation directory

    ./config --prefix=/usr/local/openssl

    Can't locate IPC/Cmd.pm in @INC (@INC contains: /data/soft/openssl-3.0.15/util/perl /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 . /data/soft/openssl-3.0.15/external/perl/Text-Template-1.56/lib) at /data/soft/openssl-3.0.15/util/perl/OpenSSL/config.pm line 19.
    BEGIN failed--compilation aborted at /data/soft/openssl-3.0.15/util/perl/OpenSSL/config.pm line 19.
    Compilation failed in require at /data/soft/openssl-3.0.15/Configure line 23.
    BEGIN failed--compilation aborted at /data/soft/openssl-3.0.15/Configure line 23.

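    Fixing the error:

    Option 1: install the dependency with perl-CPAN [not recommended]

    1) Install perl-CPAN

    yum install -y perl-CPAN

    2) Enter the CPAN shell. Note: the shell has to be configured the first time it is started; just follow the prompts. I pressed Enter at every prompt. The installation takes some time.

    perl -MCPAN -e shell

    [log: see Appendix 1]

    3) Install the missing module from inside the shell

    cpan[1]> install IPC/Cmd.pm

    [log: see Appendix 2; this did not finish, so I switched to installing directly with yum]

    Option 2: install the dependency with yum, that is, install perl-IPC/Cmd with the yum command [faster]

    yum -y install zlib* perl pam* gcc* perl-IPC-Cmd

    [log: see Appendix 3]

    Once the installation succeeds, running the OpenSSL configuration again works:

    ./config --prefix=/usr/local/openssl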

    Configuring OpenSSL version 3.0.15 for target linux-x86_64
    Using os-specific seed configuration
    Created configdata.pm
    Running configdata.pm
    Created Makefile.in
    Created Makefile
    Created include/openssl/configuration.h

    **********************************************************************
    *** ***
    *** OpenSSL has been successfully configured ***
    *** ***
    *** If you encounter a problem while building, please open an ***
    *** issue on GitHub <https://github.com/openssl/openssl/issues> ***
    *** and include the output from the following command: ***
    *** ***
    *** perl configdata.pm --dump ***
    *** ***
    *** (If you are new to OpenSSL, you might want to consult the ***
    *** 'Troubleshooting' section in the INSTALL.md file first) ***
    *** ***
    **********************************************************************

    3.3 Build and install

    make && make install

    This takes some time.

    3.4 Create the symbolic links. Note: the links only need to match the paths that whereis openssl reported before the upgrade.

    mv /usr/bin/openssl /usr/bin/openssl_bak
    ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
    mv /usr/include/openssl /usr/include/openssl_bak
    ln -s /usr/local/openssl/include/openssl /usr/include/openssl

    3.5 Add the library directory to the dynamic linker configuration

    cat /etc/ld.so.conf

    include ld.so.conf.d/*.conf

    echo "/usr/local/openssl/lib64/" >> /etc/ld.so.conf
    cat /etc/ld.so.conf

    include ld.so.conf.d/*.conf
    /usr/local/openssl/lib64/

    3.6 Refresh the dynamic linker cache

    ldconfig -v

    4 Verify the openssl version. Note: the -a option shows more complete information.

    openssl version -a

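    The upgrade is complete.

Upgrading OpenSSH

  • Check the version
  • ssh -V

    OpenSSH_8.0p1, OpenSSL 1.0.2k-fips 26 Jan 2017

  • Download the new version. Download page: https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/. Choose openssh-9.9p1.tar.gz and upload it to the server under /data/soft.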

  • Extract the archive and enter the source directory

  • tar -zxvf openssh-9.9p1.tar.gz
    cd openssh-9.9p1

  • Install the dependencies
  • yum -y install gcc pam-devel zlib-devel openssl-devel net-tools

    Package gcc-4.8.5-39.el7.ns7.01.x86_64 already installed and latest version
    Package pam-devel-1.1.8-22.el7.x86_64 already installed and latest version
    Package zlib-devel-1.2.7-18.el7.x86_64 already installed and latest version
    Package 1:openssl-devel-1.0.2k-21.el7_9.ns7.01.x86_64 already installed and latest version
    Package net-tools-2.0-0.24.20131004git.el7.ns7.01.x86_64 already installed and latest version
    Nothing to do

  • Back up the original files
  • cp -r -a /etc/ssh/ /etc/ssh.bak

    cp -r -a /etc/pam.d/ /etc/pam.d.bak

    cp -r -a /usr/sbin/sshd /usr/sbin/sshd.bak

    cp -r -a /usr/bin/ssh /usr/bin/ssh.bak

    cp -r -a /usr/bin/ssh-keygen /usr/bin/ssh-keygen.bak

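  • Remove the system's original openssh packages
  • rpm -e --nodeps $(rpm -qa | grep openssh)

  • Build and install openssh [Note: from this step on, do not disconnect the current session; open new connections only after the configuration is finished]
  • Make sure the ssl directory is the one configured earlier

    ./configure --prefix=/usr/local/openssh-9.9p1 --sysconfdir=/etc/ssh --with-pam --with-ssl-dir=/usr/local/openssl --with-md5-passwords --with-zlib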

    make && make install

    cc -std=gnu11 -o ssh-sk-helper ssh-sk-helper.o ssh-sk.o sk-usbhid.o -L. -Lopenbsd-compat/ -L/usr/local/openssl/lib64 -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -pie -lssh -lopenbsd-compat -lssh -lopenbsd-compat -ldl -lutil -lresolv -lcrypto -lz
    /usr/bin/mkdir -p /usr/local/openssh-9.9p1/bin
    /usr/bin/mkdir -p /usr/local/openssh-9.9p1/sbin
    /usr/bin/mkdir -p /usr/local/openssh-9.9p1/share/man/man1
    /usr/bin/mkdir -p /usr/local/openssh-9.9p1/share/man/man5
    /usr/bin/mkdir -p /usr/local/openssh-9.9p1/share/man/man8
    /usr/bin/mkdir -p /usr/local/openssh-9.9p1/libexec
    /usr/bin/mkdir -p -m 0755 /var/empty
    /usr/bin/install -c -m 0755 -s ssh /usr/local/openssh-9.9p1/bin/ssh
    /usr/bin/install -c -m 0755 -s scp /usr/local/openssh-9.9p1/bin/scp
    /usr/bin/install -c -m 0755 -s ssh-add /usr/local/openssh-9.9p1/bin/ssh-add
    /usr/bin/install -c -m 0755 -s ssh-agent /usr/local/openssh-9.9p1/bin/ssh-agent
    /usr/bin/install -c -m 0755 -s ssh-keygen /usr/local/openssh-9.9p1/bin/ssh-keygen
    /usr/bin/install -c -m 0755 -s ssh-keyscan /usr/local/openssh-9.9p1/bin/ssh-keyscan
    /usr/bin/install -c -m 0755 -s sshd /usr/local/openssh-9.9p1/sbin/sshd
    /usr/bin/install -c -m 0755 -s sshd-session /usr/local/openssh-9.9p1/libexec/sshd-session
    /usr/bin/install -c -m 4711 -s ssh-keysign /usr/local/openssh-9.9p1/libexec/ssh-keysign
    /usr/bin/install -c -m 0755 -s ssh-pkcs11-helper /usr/local/openssh-9.9p1/libexec/ssh-pkcs11-helper
    /usr/bin/install -c -m 0755 -s ssh-sk-helper /usr/local/openssh-9.9p1/libexec/ssh-sk-helper
    /usr/bin/install -c -m 0755 -s sftp /usr/local/openssh-9.9p1/bin/sftp
    /usr/bin/install -c -m 0755 -s sftp-server /usr/local/openssh-9.9p1/libexec/sftp-server
    /usr/bin/install -c -m 644 ssh.1.out /usr/local/openssh-9.9p1/share/man/man1/ssh.1
    /usr/bin/install -c -m 644 scp.1.out /usr/local/openssh-9.9p1/share/man/man1/scp.1
    /usr/bin/install -c -m 644 ssh-add.1.out /usr/local/openssh-9.9p1/share/man/man1/ssh-add.1
    /usr/bin/install -c -m 644 ssh-agent.1.out /usr/local/openssh-9.9p1/share/man/man1/ssh-agent.1
    /usr/bin/install -c -m 644 ssh-keygen.1.out /usr/local/openssh-9.9p1/share/man/man1/ssh-keygen.1
    /usr/bin/install -c -m 644 ssh-keyscan.1.out /usr/local/openssh-9.9p1/share/man/man1/ssh-keyscan.1
    /usr/bin/install -c -m 644 moduli.5.out /usr/local/openssh-9.9p1/share/man/man5/moduli.5
    /usr/bin/install -c -m 644 sshd_config.5.out /usr/local/openssh-9.9p1/share/man/man5/sshd_config.5
    /usr/bin/install -c -m 644 ssh_config.5.out /usr/local/openssh-9.9p1/share/man/man5/ssh_config.5
    /usr/bin/install -c -m 644 sshd.8.out /usr/local/openssh-9.9p1/share/man/man8/sshd.8
    /usr/bin/install -c -m 644 sftp.1.out /usr/local/openssh-9.9p1/share/man/man1/sftp.1
    /usr/bin/install -c -m 644 sftp-server.8.out /usr/local/openssh-9.9p1/share/man/man8/sftp-server.8
    /usr/bin/install -c -m 644 ssh-keysign.8.out /usr/local/openssh-9.9p1/share/man/man8/ssh-keysign.8
    /usr/bin/install -c -m 644 ssh-pkcs11-helper.8.out /usr/local/openssh-9.9p1/share/man/man8/ssh-pkcs11-helper.8
    /usr/bin/install -c -m 644 ssh-sk-helper.8.out /usr/local/openssh-9.9p1/share/man/man8/ssh-sk-helper.8
    /usr/bin/mkdir -p /etc/ssh
    /etc/ssh/ssh_config already exists, install will not overwrite
    /etc/ssh/sshd_config already exists, install will not overwrite
    /etc/ssh/moduli already exists, install will not overwrite
    /usr/local/openssh-9.9p1/sbin/sshd -t -f /etc/ssh/sshd_config
    /etc/ssh/sshd_config line 79: Unsupported option GSSAPIAuthentication
    /etc/ssh/sshd_config line 80: Unsupported option GSSAPICleanupCredentials
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @ WARNING: UNPROTECTED PRIVATE KEY FILE! @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    Permissions 0640 for '/etc/ssh/ssh_host_rsa_key' are too open.
    It is required that your private key files are NOT accessible by others.
    This private key will be ignored.
    Unable to load host key "/etc/ssh/ssh_host_rsa_key": bad permissions
    Unable to load host key: /etc/ssh/ssh_host_rsa_key
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @ WARNING: UNPROTECTED PRIVATE KEY FILE! @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    Permissions 0640 for '/etc/ssh/ssh_host_ecdsa_key' are too open.
    It is required that your private key files are NOT accessible by others.
    This private key will be ignored.
    Unable to load host key "/etc/ssh/ssh_host_ecdsa_key": bad permissions
    Unable to load host key: /etc/ssh/ssh_host_ecdsa_key
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    @ WARNING: UNPROTECTED PRIVATE KEY FILE! @
    @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    Permissions 0640 for '/etc/ssh/ssh_host_key' are too open.
    It is required that your private key files are NOT accessible by others.
    This private key will be ignored.
    Unable to load host key "/etc/ssh/ssh_host_key": bad permissions
    Unable to load host key: /etc/ssh/ssh_host_key
    sshd: no hostkeys available -- exiting.
    make: [check-config] Error 1 (ignored)
    make: warning: Clock skew detected. Your build may be incomplete.

  • Copy the new files to the original directories
  • cp /usr/local/openssh-9.9p1/sbin/sshd /usr/sbin/sshd

    This fails with: cp: cannot create regular file ‘/usr/sbin/sshd’: Text file busy. You can first run

    mv /usr/sbin/sshd /usr/sbin/sshd.bak

    and then run the cp again.

    cp /usr/local/openssh-9.9p1/bin/ssh /usr/bin/ssh

    cp /usr/local/openssh-9.9p1/bin/ssh-keygen /usr/bin/ssh-keygen

    cp -p contrib/redhat/sshd.init /etc/init.d/sshd

    After my installation this was already in place; copy it if it is missing.

    cp /usr/local/openssh-9.9p1/etc/sshd_config /etc/ssh/sshd_config

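  • Edit the configuration (important)
  • chmod +x /etc/init.d/sshd

    vim /etc/ssh/sshd_config

    Set these options in the configuration file to yes:

    • PermitRootLogin yes
    • PubkeyAuthentication yes
    • PasswordAuthentication yes

    Notes:
    PermitRootLogin yes: allows the root user to log in to the system over SSH (this is the most important one and must be set, otherwise you will not be able to connect remotely after restarting the sshd service).
    PubkeyAuthentication yes: enables public-key authentication.
    PasswordAuthentication yes: enables password authentication.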
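
    An added example, not part of the original article: a check of the three directives above that reports when root is reachable with a password (the combination configured here) or when neither passwords nor keys are accepted. Once key login for root is confirmed, `PermitRootLogin prohibit-password` keeps root reachable without accepting passwords; the function names and the sample configuration are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original article. Function names are hypothetical.
# sshd keeps the first value it reads for a keyword and matches keywords
# case-insensitively. Limits: only the global section (before the first Match)
# is read; Include files and quoted values are not handled.

# usage: effective_sshd_value FILE KEYWORD DEFAULT
effective_sshd_value() {
    awk -F'[ \t=]+' -v def="$3" \
        -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        { sub(/^[ \t]+/, "") }                  # drop indentation, re-split
        $0 == "" || /^#/ { next }               # blank lines and comments
        tolower($1) == "match" { exit }         # conditional blocks start here
        tolower($1) == want && !found { found = 1; val = tolower($2) }
        END { print (found ? val : def) }
    ' "$1"
}

# usage: audit_root_login [FILE]
# prints "<VERDICT> root=.. password=.. pubkey=.."
audit_root_login() {
    cfg=${1:-/etc/ssh/sshd_config}
    # Fallbacks are the upstream OpenSSH defaults for an absent keyword.
    root=$(effective_sshd_value "$cfg" PermitRootLogin prohibit-password)
    pass=$(effective_sshd_value "$cfg" PasswordAuthentication yes)
    pub=$(effective_sshd_value "$cfg" PubkeyAuthentication yes)
    if [ "$pass" = no ] && [ "$pub" = no ]; then
        verdict=LOCKOUT     # neither passwords nor public keys are accepted
    elif [ "$root" = yes ] && [ "$pass" = yes ]; then
        verdict=WEAK        # root is reachable with a password
    else
        verdict=OK
    fi
    echo "$verdict root=$root password=$pass pubkey=$pub"
}

# Constructed sample: the three directives as the article sets them.
article_config() {
    printf '%s\n' 'PermitRootLogin yes' 'PubkeyAuthentication yes' \
        'PasswordAuthentication yes'
}
```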

  • Enable start at boot
  • systemctl enable sshd

  • Restart sshd
  • systemctl restart sshd

    This fails with:

    Job for sshd.service failed because the control process exited with error code. See "systemctl status sshd.service" and "journalctl -xe" for details.

    Inspect the error:
    systemctl status sshd.service
    ● sshd.service - OpenSSH server daemon
    Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
    Active: activating (auto-restart) (Result: exit-code) since Fri 2024-09-20 03:49:26 CST; 16s ago
    Docs: man:sshd(8)
    man:sshd_config(5)
    Process: 83036 ExecStart=/usr/sbin/sshd -D $OPTIONS (code=exited, status=1/FAILURE)
    Main PID: 83036 (code=exited, status=1/FAILURE)

    Sep 20 03:49:26 sshd[83036]: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
    Sep 20 03:49:26 sshd[83036]: Permissions 0640 for '/etc/ssh/ssh_host_key' are too open.
    Sep 20 03:49:26 sshd[83036]: It is required that your private key files are NOT accessible by others.
    Sep 20 03:49:26 sshd[83036]: This private key will be ignored.
    Sep 20 03:49:26 sshd[83036]: Unable to load host key "/etc/ssh/ssh_host_key": bad permissions
    Sep 20 03:49:26 sshd[83036]: Unable to load host key: /etc/ssh/ssh_host_key
    Sep 20 03:49:26 sshd[83036]: sshd: no hostkeys available -- exiting.
    Sep 20 03:49:26 systemd[1]: Failed to start OpenSSH server daemon.
    Sep 20 03:49:26 systemd[1]: Unit sshd.service entered failed state.
    Sep 20 03:49:26 systemd[1]: sshd.service failed.

    Fix: change the permissions on the directory

    chmod -R 600 /etc/ssh

    Restart the service again

    systemctl restart sshd
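
    `chmod -R 600 /etc/ssh` satisfies sshd, but it also clears the search bit on the directory itself and makes `ssh_config` and the public keys unreadable to other users. The following added example (not from the original article; the helper names are hypothetical) lists the private host keys sshd would reject and then sets modes per file type.

```sh
#!/bin/sh
# Added example, not from the original article. Helper names are hypothetical.
# Upstream sshd ignores a private host key when (mode & 077) != 0, which is
# the "Permissions 0640 ... are too open" error shown above.

mode_of() { ls -ld "$1" | cut -c1-10; }     # e.g. -rw-r-----

# Print every private host key in DIR that group or others can access.
open_host_keys() {
    for f in "${1:-/etc/ssh}"/ssh_host_*key; do
        [ -f "$f" ] || continue
        case "$(mode_of "$f")" in
            ????------) ;;                  # owner-only: accepted by sshd
            *) echo "$f" ;;
        esac
    done
}

# Set per-file modes in DIR instead of a blanket `chmod -R 600`.
fix_ssh_perms() {
    dir=${1:-/etc/ssh}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    chmod 755 "$dir"                        # keep the directory searchable
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "${f##*/}" in
            ssh_host_*key) chmod 600 "$f" ;;    # private host keys
            sshd_config)   chmod 600 "$f" ;;    # server configuration
            *)             chmod 644 "$f" ;;    # *.pub, ssh_config, moduli
        esac
    done
}
```

    Run `open_host_keys /etc/ssh` first to see which keys trigger the error, then `fix_ssh_perms /etc/ssh` as root before restarting sshd.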

  • Check the version
  • sshd -V

    Open a separate new session and check that the connection works.
