RHEL6/CentOS6: upgrading to the latest OpenSSH 7.9p1
OpenSSH-7.9p1 installation plan
Introduction to OpenSSH
The OpenSSH package contains ssh clients and the sshd daemon. This is useful for encrypting authentication and subsequent traffic over a network. The ssh and scp commands are secure implementations of telnet and rcp respectively.
This package is known to build and work properly using an LFS-8.4 platform.
Package Information
- Download (HTTP): http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.9p1.tar.gz
- Download MD5 sum: c6af50b7a474d04726a5aa747a5dce8f
- Download size: 1.5 MB
- Estimated disk space required: 39 MB (add 12 MB for tests)
- Estimated build time: 0.4 SBU (running the tests takes 17+ minutes, irrespective of processor speed)

The MD5 sum only catches a corrupted download. To check that the tarball is the one the OpenSSH project released, verify the detached PGP signature (openssh-7.9p1.tar.gz.asc on the same mirror) against the OpenSSH release signing key before building.
Additional Downloads
OpenSSH Dependencies
Optional
GDB-8.2.1 (for tests), Linux-PAM-1.3.0, X Window System, MIT Kerberos V5-1.17, libedit, LibreSSL Portable, OpenSC, and libsectok
Optional Runtime (Used only to gather entropy)
OpenJDK-11.0.2, Net-tools-CVS_20101030, and Sysstat-12.1.3
User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/OpenSSH
Installation of OpenSSH
OpenSSH runs as two processes when connecting to other computers. The first process is a privileged process and controls the issuance of privileges as necessary. The second process communicates with the network; it runs as the unprivileged sshd user, chrooted into an empty directory, so a bug in the network-facing code yields an attacker no more than that locked-down account. Additional installation steps are necessary to set up that environment, which are performed by issuing the following commands as the root user:

install -v -m700 -d /var/lib/sshd &&
chown -v root:sys /var/lib/sshd &&

groupadd -g 50 sshd &&
useradd -c 'sshd PrivSep' \
        -d /var/lib/sshd \
        -g sshd \
        -s /bin/false \
        -u 50 sshd
Install OpenSSH by running the following commands:

patch -Np1 -i ../openssh-7.9p1-security_fix-1.patch &&
./configure --prefix=/usr                     \
            --sysconfdir=/etc/ssh             \
            --with-md5-passwords              \
            --with-privsep-path=/var/lib/sshd &&
make
The testsuite requires an installed copy of scp to complete the multiplexing tests. To run the test suite, first copy the scp program to /usr/bin, making sure that you back up any existing copy first.

To test the results, issue: make tests.
Now, as the root user:

make install &&
install -v -m755 contrib/ssh-copy-id /usr/bin &&

install -v -m644 contrib/ssh-copy-id.1 \
        /usr/share/man/man1 &&
install -v -m755 -d /usr/share/doc/openssh-7.9p1 &&
install -v -m644 INSTALL LICENCE OVERVIEW README* \
        /usr/share/doc/openssh-7.9p1
Command Explanations

--sysconfdir=/etc/ssh: This prevents the configuration files from being installed in /usr/etc.

--with-md5-passwords: This enables the use of MD5-hashed passwords from /etc/shadow. It only matters when sshd checks passwords itself rather than through PAM.

--with-pam: This parameter enables Linux-PAM support in the build.

--with-xauth=/usr/bin/xauth: Set the default location for the xauth binary for X authentication. Change the location if xauth will be installed to a different path. This can also be controlled from sshd_config with the XAuthLocation keyword. You can omit this switch if Xorg is already installed.

--with-kerberos5=/usr: This option is used to include Kerberos 5 support in the build.

--with-libedit: This option enables line editing and history features for sftp.
Configuring OpenSSH
Config Files
~/.ssh/*, /etc/ssh/ssh_config, and /etc/ssh/sshd_config

There are no required changes to any of these files. However, you may wish to view the /etc/ssh/ files and make any changes appropriate for the security of your system. One recommended change is that you disable root login via ssh. Execute the following command as the root user to disable root login via ssh:

echo "PermitRootLogin no" >> /etc/ssh/sshd_config

Appending works on the freshly installed file, where the keyword is only present as a commented default. sshd uses the first active value it reads for a keyword, and every line after a Match line belongs to that Match block, so if an earlier active PermitRootLogin line or a Match block already exists, edit that line instead of appending. sshd -T prints the configuration the daemon will actually use.
If you want to be able to log in without typing in your password, first create ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub with ssh-keygen and then copy ~/.ssh/id_rsa.pub to ~/.ssh/authorized_keys on the remote computer that you want to log into. You'll need to change REMOTE_USERNAME and REMOTE_HOSTNAME to the username and hostname of the remote computer, and you'll also need to enter your password for the ssh-copy-id command to succeed:

ssh-keygen &&
ssh-copy-id -i ~/.ssh/id_rsa.pub REMOTE_USERNAME@REMOTE_HOSTNAME
Once you've got passwordless logins working, it's actually more secure than logging in with a password (as the private key is much longer than most people's passwords). Give the private key a passphrase when ssh-keygen asks for one and let ssh-agent cache it, so a copied ~/.ssh/id_rsa is not immediately usable. If you would like to now disable password logins, as the root user:

echo "PasswordAuthentication no" >> /etc/ssh/sshd_config &&
echo "ChallengeResponseAuthentication no" >> /etc/ssh/sshd_config

Confirm a key-based login from a second session before closing the one you used to make the change.
If you added Linux-PAM support and you want ssh to use it then you will need to add a configuration file for sshd and enable use of Linux-PAM. sshd uses PAM to check passwords and, with UsePAM yes, also for account and session processing; if you've disabled password logins you can skip these commands, giving up only those account and session checks. If you want to use PAM, issue the following commands as the root user:

sed 's@d/login@d/sshd@g' /etc/pam.d/login > /etc/pam.d/sshd &&
chmod 644 /etc/pam.d/sshd &&
echo "UsePAM yes" >> /etc/ssh/sshd_config
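The echo ... >> /etc/ssh/sshd_config commands above simply append to the file. sshd reads the first active value of a keyword, and anything after a Match line belongs to that Match block, so an appended setting can be silently ignored. The helper below is an added example, not a script from the BLFS page or the OpenSSH project: it rewrites the existing global line or inserts the keyword above the first Match block, and reports the value sshd will use. The function names are mine.

```shell
#!/bin/sh
# Added example (not from the BLFS page): set sshd_config keywords safely.
# sshd takes the FIRST active value of a keyword, and every line after a
# "Match" line belongs to that Match block, so "echo Key value >> sshd_config"
# may never take effect. Function names are assumptions.

# sshd_set_option CONFIG KEYWORD VALUE
# Replaces the first active global line for KEYWORD (dropping later global
# duplicates), or inserts "KEYWORD VALUE" above the first Match block, or at
# the end if there is no Match block. Commented lines and lines inside Match
# blocks are left untouched. The "Keyword=value" spelling is not handled.
sshd_set_option() {
    _cfg=$1; _key=$2; _val=$3
    _scratch="$_cfg.new.$$"
    awk -v key="$_key" -v value="$_val" '
        BEGIN { done = 0; in_match = 0 }
        /^[ \t]*[Mm][Aa][Tt][Cc][Hh][ \t]/ {
            if (!done) { print key " " value; done = 1 }
            in_match = 1
        }
        !in_match && tolower($1) == tolower(key) {
            if (!done) { print key " " value; done = 1 }
            next
        }
        { print }
        END { if (!done) print key " " value }
    ' "$_cfg" > "$_scratch" &&
    # write back through the original inode so mode and owner are preserved
    cat "$_scratch" > "$_cfg" &&
    rm -f "$_scratch"
}

# sshd_effective_option KEYWORD CONFIG
# Prints the global value sshd will use: the first active line before any
# Match block. Once sshd is installed, "sshd -T" is the authoritative check.
sshd_effective_option() {
    awk -v key="$1" '
        /^[ \t]*[Mm][Aa][Tt][Cc][Hh][ \t]/ { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$2"
}

# The hardening recommended in the text, applied in one go.
harden_sshd_config() {
    sshd_set_option "$1" PermitRootLogin no
    sshd_set_option "$1" PasswordAuthentication no
    sshd_set_option "$1" ChallengeResponseAuthentication no
    sshd_set_option "$1" PermitEmptyPasswords no
}

# Validate before reloading: a config sshd cannot parse means no new logins.
sshd_check_config() {
    /usr/sbin/sshd -t -f "$1"
}
```

Run sshd_check_config on the edited file before reloading the daemon, and compare sshd_effective_option against sshd -T once the new sshd is installed; the two agree unless the file uses the Keyword=value spelling or includes other files.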
Additional configuration information can be found in the man pages for sshd, ssh and ssh-agent.
Boot Script
To start the SSH server at system boot, install the /etc/rc.d/init.d/sshd init script included in the blfs-bootscripts-20190313 package.

make install-sshd
Contents
Short Descriptions
scp is a file copy program that acts like rcp except it uses an encrypted protocol.
sftp is an FTP-like program that works over the SSH protocol.
slogin is a symlink to ssh.
ssh is an rlogin/rsh-like client program except it uses an encrypted protocol.
sshd is a daemon that listens for ssh login requests.
ssh-add is a tool which adds keys to the ssh-agent.
ssh-agent is an authentication agent that can store private keys.
ssh-copy-id is a script that enables logins on a remote machine using local keys.
ssh-keygen is a key generation tool.
ssh-keyscan is a utility for gathering public host keys from a number of hosts.
Last updated on 2019-02-22 08:15:58 -0600
OpenSSH-7.9p1 upgrade plan
wget ftp://ftp.yzu.edu.tw/pub/OpenBSD/OpenSSH/portable/openssh-7.9p1.tar.gz
# Build dependencies. The yum lines overlap; what the build needs is gcc,
# zlib-devel, openssl-devel and pam-devel.
yum install gcc gcc-c++ zlib zlib-devel openssl openssl-devel pam-devel -y
yum install -y gcc openssl-devel pam-devel rpm-build pam-devel
yum update zlib openssl pam libedit pam-devel
yum install zlib-devel openssl-devel
cd openssh7.9p1/
# Removes the stock openssh, openssh-clients and openssh-server packages. The
# package scripts stop sshd, so do this from the console or from a session you
# keep open (it survives, but no new logins are accepted until the new daemon
# starts). Back up /etc/ssh and /etc/pam.d/sshd first: unmodified config files
# owned by the packages are deleted, modified ones are kept as .rpmsave.
rpm -e `rpm -qa | grep openssh` --nodeps
tar zxvf openssh-7.9p1.tar.gz
cd openssh-7.9p1
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-md5-passwords
make
make install
# The init script must be executable for chkconfig to register and run it.
cp contrib/redhat/sshd.init /etc/init.d/sshd
chkconfig --add sshd
chkconfig sshd on
# Turn the commented default into an explicit "PermitEmptyPasswords no".
sed -i 's/#PermitEmptyPasswords\(.*\)/PermitEmptyPasswords\ no/g' /etc/ssh/sshd_config
[root@cwttagback1 ~]# cat /etc/ssh/sshd_config
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
Port 22
Port 7001
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
Note: if you want PAM support, set UsePAM yes; if PAM support is not needed, this parameter does not need to be added. With UsePAM yes, sshd needs a PAM service file: without /etc/pam.d/sshd, Linux-PAM falls back to /etc/pam.d/other, which on RHEL6 denies everything, so password logins would fail. The command below builds that file from /etc/pam.d/login (the sed only renames the file in BLFS's comment header; on CentOS 6, where /etc/pam.d/login has no such comment, it is a plain copy). If you backed up the /etc/pam.d/sshd that the openssh-server package shipped, it is the better template, because /etc/pam.d/login carries console-login modules such as pam_securetty that the package's sshd file does not.

sed 's@d/login@d/sshd@g' /etc/pam.d/login > /etc/pam.d/sshd && chmod 644 /etc/pam.d/sshd
/etc/init.d/sshd reload
/etc/init.d/sshd restart

reload only signals a running daemon; since the package removal stopped the old sshd, restart is what actually starts the new one. Check ssh -V and open a fresh login on each configured port before closing the session you upgraded from.
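The procedure above removes the stock packages and installs over them in one pass, with the session you are typing in as the only way back if something goes wrong. The script below is an added example, not the author's commands: the safety net a practitioner would wrap around that procedure, with a backup to roll back to before rpm -e, a version check that tells the stock 5.3p1 binary from the new 7.9p1 one, a check that every Port in the config above has a listener, and a look at the cloned PAM file. The backup location, function names and the check for console-only PAM modules are my assumptions; run it as root on the CentOS 6 host.

```shell
#!/bin/sh
# Added example (not the author's commands): safety net around the from-source
# OpenSSH upgrade on RHEL6/CentOS6. Function names and paths are assumptions.

# backup_ssh_state ETC_SSH PAM_SSHD DEST
# Saves sshd_config, host keys, the PAM stack and the installed package list
# before "rpm -e" deletes them. "yum reinstall" of the listed packages plus
# this directory is the rollback.
backup_ssh_state() {
    _src=$1; _pam=$2; _dest=$3
    mkdir -p "$_dest" || return 1
    chmod 700 "$_dest"                    # host private keys end up in here
    cp -a "$_src" "$_dest/ssh" || return 1
    if [ -f "$_pam" ]; then cp -a "$_pam" "$_dest/pam.d-sshd"; fi
    if command -v rpm >/dev/null 2>&1; then
        rpm -qa 'openssh*' > "$_dest/openssh-rpms.txt"
    fi
    return 0
}

# openssh_version_ok BANNER MAJOR MINOR
# BANNER is what "ssh -V 2>&1" prints, e.g. "OpenSSH_7.9p1, OpenSSL ...".
# Succeeds when the version is at least MAJOR.MINOR; the stock CentOS 6 build
# is 5.3p1, so this tells the old and new binaries apart.
openssh_version_ok() {
    _ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$_ver" ] || return 1
    _want_major=$2; _want_minor=$3
    set -- $_ver
    [ "$1" -gt "$_want_major" ] ||
        { [ "$1" -eq "$_want_major" ] && [ "$2" -ge "$_want_minor" ]; }
}

# listed_ports CONFIG: every active "Port N" line (22 and 7001 in the config above).
listed_ports() {
    sed -n 's/^[[:space:]]*Port[[:space:]][[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1"
}

# console_pam_modules PAMFILE: active lines using login(1)-oriented modules that
# a copy of /etc/pam.d/login drags in; the package's own sshd file has none.
console_pam_modules() {
    grep -v '^[[:space:]]*#' "$1" | grep -E 'pam_securetty|pam_console' || true
}

# post_install_check CONFIG: run after "make install" and the service restart,
# before closing the session you upgraded from.
post_install_check() {
    /usr/sbin/sshd -t -f "$1" || { echo "sshd_config does not parse"; return 1; }
    openssh_version_ok "$(ssh -V 2>&1)" 7 9 || { echo "ssh is still the old build"; return 1; }
    for _p in $(listed_ports "$1"); do
        netstat -lnt 2>/dev/null | grep -q ":$_p[[:space:]]" ||
            { echo "nothing listening on port $_p"; return 1; }
    done
    [ -z "$(console_pam_modules /etc/pam.d/sshd)" ] ||
        echo "warning: /etc/pam.d/sshd carries console-only modules"
}
```

Call backup_ssh_state /etc/ssh /etc/pam.d/sshd /root/openssh-backup before the rpm -e line and post_install_check /etc/ssh/sshd_config after the restart; an exit status other than 0 from the latter means you should not close your current session yet.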