
Redhat 7.6 ssh 升级


本次测试环境为 Redhat 7.6,将 ssh(OpenSSH)从 7.4p1 升级到 8.5p1。

在进行升级前需要关闭防火墙,设置 selinux,并安装 telnet 作为备用登录通道(升级过程中 sshd 若无法启动,仍可通过 telnet 登录处理)。telnet 以明文传输口令,只在升级期间使用,升级完成后在第 8 步卸载。具体如下:

1,关闭防火墙(下面的输出显示 firewalld 已是 inactive 状态;Loaded 一行仍为 enabled,系统重启后会重新启动)

[root@vte ~]# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
Active: inactive (dead) since Tue 2022-02-22 11:43:44 EST; 1 day 22h ago
Docs: man:firewalld(1)
Process: 25375 ExecStart=/usr/sbin/firewalld --nofork --nopid $FIREWALLD_ARGS (code=exited, status=0/SUCCESS)
Main PID: 25375 (code=exited, status=0/SUCCESS)

Feb 22 11:42:46 vte systemd[1]: Starting firewalld - dynamic firewall daemon...
Feb 22 11:42:46 vte systemd[1]: Started firewalld - dynamic firewall daemon.
Feb 22 11:43:44 vte systemd[1]: Stopping firewalld - dynamic firewall daemon...
Feb 22 11:43:44 vte systemd[1]: Stopped firewalld - dynamic firewall daemon.
[root@vte ~]#

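2,将 selinux 设置为 disabled(修改配置文件,重启后生效)

注意:下面的 sed 没有限定在 SELINUX= 这一行,所以注释中的 enforcing 也被一并替换(见第二次 cat 的输出)。更精确的写法是 sed -i 's/^SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config。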

[root@vte ~]# cat /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted


[root@vte ~]# sed -i 's/enforcing/disabled/' /etc/selinux/config
[root@vte ~]# cat /etc/selinux/config

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# disabled - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of disabled.
# disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted


[root@vte ~]#

临时设置(setenforce 0 立即切换到 permissive 模式,重启后失效):

[root@vte ~]# setenforce 0
[root@vte ~]#


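安装 Telnet(xinetd、telnet、telnet-server)

输出中的 NOKEY 警告表示系统未导入对应的 GPG 公钥,rpm 无法校验这些包的签名;可先执行 rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release 导入公钥后再安装。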

[root@vte Packages]# rpm -qa | grep -E "xinet|telnet"
[root@vte Packages]# rpm -ivh xinetd-2.3.15-13.el7.x86_64.rpm
warning: xinetd-2.3.15-13.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY
Preparing... ################################# [100%]
Updating / installing...
1:xinetd-2:2.3.15-13.el7 ################################# [100%]
[root@vte Packages]# rpm -ivh telnet-
telnet-0.17-64.el7.x86_64.rpm telnet-server-0.17-64.el7.x86_64.rpm
[root@vte Packages]# rpm -ivh telnet-0.17-64.el7.x86_64.rpm
warning: telnet-0.17-64.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY
Preparing... ################################# [100%]
Updating / installing...
1:telnet-1:0.17-64.el7 ################################# [100%]
[root@vte Packages]# rpm -ivh telnet-server-0.17-64.el7.x86_64.rpm
warning: telnet-server-0.17-64.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY
Preparing... ################################# [100%]
Updating / installing...
1:telnet-server-1:0.17-64.el7 ################################# [100%]
[root@vte Packages]# 

[root@vte Packages]# systemctl restart xinetd
[root@vte Packages]# systemctl restart telnet.socket
[root@vte Packages]#
[root@vte Packages]# systemctl status xinetd
● xinetd.service - Xinetd A Powerful Replacement For Inetd
Loaded: loaded (/usr/lib/systemd/system/xinetd.service; enabled; vendor preset: enabled)
Active: active (running) since Thu 2022-02-24 10:17:53 EST; 18s ago
Process: 26248 ExecStart=/usr/sbin/xinetd -stayalive -pidfile /var/run/xinetd.pid $EXTRAOPTIONS (code=exited, status=0/SUCCESS)
Main PID: 26249 (xinetd)
CGroup: /system.slice/xinetd.service
└─26249 /usr/sbin/xinetd -stayalive -pidfile /var/run/xinetd.pid

Feb 24 10:17:53 vte xinetd[26249]: removing discard
Feb 24 10:17:53 vte xinetd[26249]: removing discard
Feb 24 10:17:53 vte xinetd[26249]: removing echo
Feb 24 10:17:53 vte xinetd[26249]: removing echo
Feb 24 10:17:53 vte xinetd[26249]: removing tcpmux
Feb 24 10:17:53 vte xinetd[26249]: removing time
Feb 24 10:17:53 vte xinetd[26249]: removing time
Feb 24 10:17:53 vte xinetd[26249]: xinetd Version 2.3.15 started with libwrap loadavg labeled-networking options compiled in.
Feb 24 10:17:53 vte xinetd[26249]: Started working: 0 available services
Feb 24 10:17:53 vte systemd[1]: Started Xinetd A Powerful Replacement For Inetd.
[root@vte Packages]# systemctl status telnet.socket
● telnet.socket - Telnet Server Activation Socket
Loaded: loaded (/usr/lib/systemd/system/telnet.socket; disabled; vendor preset: disabled)
Active: active (listening) since Thu 2022-02-24 10:18:06 EST; 23s ago
Docs: man:telnetd(8)
Listen: [::]:23 (Stream)
Accepted: 0; Connected: 0

Feb 24 10:18:06 vte systemd[1]: Listening on Telnet Server Activation Socket.
[root@vte Packages]# 

允许 root 通过 Telnet 登录(先备份 /etc/pam.d/login 和 /etc/securetty,升级完成后在第 8 步恢复)

[root@vte etc]# cp /etc/pam.d/login /etc/pam.d/login.bak    

[root@vte pam.d]# sed -i 's/account required/#account required/' /etc/pam.d/login

[root@vte etc]# mv /etc/securetty /etc/securetty.bak

[root@vte Packages]# echo "pts/0" >> /etc/securetty
[root@vte Packages]# echo "pts/1" >> /etc/securetty
[root@vte Packages]# echo "pts/2" >> /etc/securetty
[root@vte Packages]# echo "pts/3" >> /etc/securetty


1,查看本机 SSH 版本

[root@vte ~]# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
[root@vte ~]#

2,查看本机已安装的 SSH 包:

[root@vte pam.d]# rpm -qa | grep openssh
openssh-server-7.4p1-16.el7.x86_64
openssh-clients-7.4p1-16.el7.x86_64
openssh-7.4p1-16.el7.x86_64
[root@vte pam.d]#


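3,升级(先备份 /etc/pam.d/sshd,再用 rpm -Uvh 安装新包)

从下面的输出看,安装的是带 el6 标记的 8.5p1 包(openssh-8.5p1-1.el6),文中未说明这些 rpm 的来源;安装前应确认包的来源,并用 rpm -K 校验签名和摘要。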

[root@vte ~]#cp /etc/pam.d/sshd /etc/pam.d/sshd.bak

[root@vte openssh8.5p1]# rpm -Uvh openssh-*
Preparing... ################################# [100%]
Updating / installing...
1:openssh-8.5p1-1.el6 ################################# [ 17%]
2:openssh-clients-8.5p1-1.el6 ################################# [ 33%]
3:openssh-server-8.5p1-1.el6 ################################# [ 50%]
Cleaning up / removing...
4:openssh-server-7.4p1-16.el7 ################################# [ 67%]
5:openssh-clients-7.4p1-16.el7 ################################# [ 83%]
6:openssh-7.4p1-16.el7 ################################# [100%]
[root@vte openssh8.5p1]# 

[root@vte openssh8.5p1]# rpm -qa | grep openssh
openssh-clients-8.5p1-1.el6.x86_64
openssh-8.5p1-1.el6.x86_64
openssh-server-8.5p1-1.el6.x86_64
[root@vte openssh8.5p1]# 

4,更改主机私钥权限(RHEL 7 默认的主机私钥权限为 0640、属组 ssh_keys,新版 sshd 会因私钥权限过宽而拒绝加载,因此改为 600)


[root@vte ~]# chmod 600 /etc/ssh/ssh_host_ed25519_key
[root@vte ~]# chmod 600 /etc/ssh/ssh_host_ecdsa_key
[root@vte ~]# chmod 600 /etc/ssh/ssh_host_rsa_key

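5,拷贝 pam 库文件(推测是新包自带的 /etc/pam.d/sshd 引用了 /lib/security 下的模块名,如 pam_pwdb.so;这些拷贝出来的文件不受 rpm 管理,之后系统更新 pam 时不会同步更新)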

[root@vte security]# mkdir /lib/security
[root@vte security]# cp /lib64/security/pam_unix.so /lib/security/pam_pwdb.so
[root@vte security]# cp /lib64/security/pam_nologin.so /lib/security/pam_nologin.so
[root@vte security]# cp /lib64/security/pam_cracklib.so /lib/security/pam_cracklib.so
[root@vte security]# cp /lib64/security/pam_limits.so /lib/security/pam_limits.so

6,重启 sshd(重启前可先执行 sshd -t 检查配置文件;重启后保持当前会话或 telnet 会话不断开,确认能用新的 ssh 连接登录后再退出)

[root@vte security]# systemctl restart sshd

7,验证版本(注意输出中的 OpenSSL 版本由升级前的 1.0.2k-fips 变成了 1.0.1e-fips,说明新包很可能自带或静态链接了更旧的 OpenSSL,而不是使用系统的 OpenSSL 库)

[root@vte security]# ssh -V
OpenSSH_8.5p1, OpenSSL 1.0.1e-fips 11 Feb 2013
[root@vte security]# 

8,卸载 Telnet 和 xinetd,并恢复 /etc/pam.d/login 与 /etc/securetty(第 1、2 步中关闭的防火墙和 selinux,文中没有给出恢复步骤,需按环境要求另行恢复)

[root@vte ~]# rpm -e telnet-0.17-64.el7.x86_64
[root@vte ~]# rpm -e telnet-server-0.17-64.el7.x86_64

[root@vte ~]# rpm -e xinetd-2.3.15-13.el7.x86_64

[root@vte ~]# cp /etc/pam.d/login.bak /etc/pam.d/login
cp: overwrite ‘/etc/pam.d/login’? y
[root@vte ~]#


[root@vte etc]# mv securetty.bak securetty


 
