升级步骤
1、查看版本
[root@localhost openssh-8.8p1]# ssh -V
OpenSSH_8.8p1, OpenSSL 1.0.2k-fips 26 Jan 2017
2、下载安装包
cd /usr/local/src
wget https://www.zlib.net/zlib-1.3.1.tar.gz
wget https://www.openssl.org/source/openssl-3.2.1.tar.gz
wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.8p1.tar.gz
3、配置备份
cp -rf /etc/ssh /etc/ssh.bak
cp -rf /usr/bin/openssl /usr/bin/openssl.bak
cp -rf /etc/pam.d /etc/pam.d.bak
cp -rf /usr/lib/systemd/system /usr/lib/systemd/system.bak
rm -rf /etc/ssh/*
4、解压
cd /usr/local/src/
tar -zxvf zlib-1.3.1.tar.gz
tar -zxvf openssl-3.2.1.tar.gz
tar -zxvf openssh-9.8p1.tar.gz
5、安装zlib
cd /usr/local/src/zlib-1.3.1
./configure --prefix=/usr/local/src/zlib
make -j 4 && make test && make install
6、安装openssl
需要额外安装依赖
yum install -y perl-IPC-Cmd
cd /usr/local/src/openssl-3.2.1
./config --prefix=/usr/local/src/openssl
make -j 4 && make install
mv /usr/bin/openssl /usr/bin/oldopenssl
ln -s /usr/local/src/openssl/bin/openssl /usr/bin/openssl
ln -s /usr/local/src/openssl/lib64/libssl.so.3 /usr/lib64/libssl.so.3
ln -s /usr/local/src/openssl/lib64/libcrypto.so.3 /usr/lib64/libcrypto.so.3
7、安装openssh
cd /usr/local/src/openssh-9.8p1/
./configure --prefix=/usr/local/src/ssh --sysconfdir=/etc/ssh --with-pam --with-ssl-dir=/usr/local/src/openssl --with-zlib=/usr/local/src/zlib
make -j 4 && make install
#查看目录版本
/usr/local/src/ssh/bin/ssh -V
#复制新ssh文件
cp -rf /usr/local/src/openssh-9.8p1/contrib/redhat/sshd.init /etc/init.d/sshd
cp -rf /usr/local/src/ssh/sbin/sshd /usr/sbin/sshd
cp -rf /usr/local/src/ssh/bin/ssh /usr/bin/ssh
cp -rf /usr/local/src/ssh/bin/ssh-keygen /usr/bin/ssh-keygen
8、启动服务
手动更新/etc/ssh/sshd_config
#重启sshd服务
/etc/init.d/sshd restart
#查看服务运行状态
/etc/init.d/sshd status
#添加开机启动
chkconfig --add sshd
#查看升级后ssh版本
[root@localhost ssh]# ssh -V
OpenSSH_9.8p1, OpenSSL 3.2.1 30 Jan 2024
查看Linux系统是否开通sshd服务
方法1、查看Linux系统是否开通sshd服务:systemctl status sshd.service或者service sshd status
如果该命令返回类似于active (running)的结果,则表示sshd服务已经在运行中。
[root@sr var]# systemctl status sshd.service # 查看Linux系统是否开通sshd服务
● sshd.service - OpenSSH server daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
Active: active (running) since Sat 2021-06-05 09:59:11 CST; 2 years 8 months ago
Docs: man:sshd(8)
man:sshd_config(5)
Main PID: 1138 (sshd)
Tasks: 1
Memory: 7.8M
CGroup: /system.slice/sshd.service
└─1138 /usr/sbin/sshd -D
Mar 01 11:29:45 sr sshd[17514]: Did not receive identification string from XXX.XXX.XXX.XXX port 43992
Mar 01 12:01:05 sr sshd[20428]: Did not receive identification string from XXX.XXX.XXX.XXX port 59472
Mar 01 12:39:53 sr sshd[23931]: Connection closed by XXX.XXX.XXX.XXX port 52504 [preauth]
Mar 01 12:39:55 sr sshd[23934]: Connection closed by XXX.XXX.XXX.XXX port 52518 [preauth]
Mar 01 12:39:56 sr sshd[23937]: Connection closed by XXX.XXX.XXX.XXX port 52524 [preauth]
Mar 01 13:59:54 sr sshd[31209]: Did not receive identification string from XXX.XXX.XXX.XXX port 64001
Mar 01 14:52:51 sr sshd[3621]: Did not receive identification string from XXX.XXX.XXX.XXX port 57980
Mar 01 16:01:59 sr sshd[10113]: Accepted password for root from XXX.XXX.XXX.XXX port 18389 ssh2
Mar 01 16:42:55 sr sshd[13858]: Connection closed by XXX.XXX.XXX.XXX port 36434 [preauth]
Mar 01 16:44:21 sr sshd[14021]: Did not receive identification string from XXX.XXX.XXX.XXX port 10000
[root@sr var]# service sshd status # 查看Linux系统是否开通sshd服务
● sshd.service - OpenSSH server daemon
Loaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)
Active: active (running) since Sat 2021-06-05 09:59:11 CST; 2 years 8 months ago
Docs: man:sshd(8)
man:sshd_config(5)
Main PID: 1138 (sshd)
Tasks: 1
Memory: 7.8M
CGroup: /system.slice/sshd.service
└─1138 /usr/sbin/sshd -D
Mar 01 11:29:45 sr sshd[17514]: Did not receive identification string from XXX.XXX.XXX.XXX port 43992
Mar 01 12:01:05 sr sshd[20428]: Did not receive identification string from XXX.XXX.XXX.XXX port 59472
Mar 01 12:39:53 sr sshd[23931]: Connection closed by XXX.XXX.XXX.XXX port 52504 [preauth]
Mar 01 12:39:55 sr sshd[23934]: Connection closed by XXX.XXX.XXX.XXX port 52518 [preauth]
Mar 01 12:39:56 sr sshd[23937]: Connection closed by XXX.XXX.XXX.XXX port 52524 [preauth]
Mar 01 13:59:54 sr sshd[31209]: Did not receive identification string from XXX.XXX.XXX.XXX port 64001
Mar 01 14:52:51 sr sshd[3621]: Did not receive identification string from XXX.XXX.XXX.XXX port 57980
Mar 01 16:01:59 sr sshd[10113]: Accepted password for root from XXX.XXX.XXX.XXX port 18389 ssh2
Mar 01 16:42:55 sr sshd[13858]: Connection closed by XXX.XXX.XXX.XXX port 36434 [preauth]
Mar 01 16:44:21 sr sshd[14021]: Did not receive identification string from XXX.XXX.XXX.XXX port 10000
方法2、检查服务器的22端口是否处于监听状态(SSH默认使用22端口):netstat -tuln | grep 22或者netstat -an | grep 22
[root@sr var]# netstat -tuln | grep 22 # 检查服务器的22端口是否处于监听状态
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
[root@sr var]# netstat -an | grep 22 # 检查服务器的22端口是否处于监听状态
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:60119 127.0.0.1:35322 TIME_WAIT
tcp 0 52 XXX.XXX.XXX.XXX:22 XXX.XXX.XXX.XXX:18389 ESTABLISHED
tcp 0 0 XXX.XXX.XXX.XXX:39116 XXX.XXX.XXX.XXX:60101 ESTABLISHED
tcp 0 0 XXX.XXX.XXX.XXX:32792 XXX.XXX.XXX.XXX:60101 ESTABLISHED
unix 2 [ ACC ] STREAM LISTENING 12258 /run/dbus/system_bus_socket
unix 2 [ ] DGRAM 14221
unix 3 [ ] STREAM CONNECTED 21885622
方法3、查看是否有sshd进程:ps -ef | grep sshd`
[root@sr var]# ps -ef | grep sshd # 查看是否有 sshd 进程
root 1138 1 0 2021 ? 00:01:18 /usr/sbin/sshd -D
root 10113 1138 0 16:01 ? 00:00:00 sshd: root@pts/0
root 18104 10115 0 17:27 pts/0 00:00:00 grep --color=auto sshd
报错处理
启动sshd后会报错:
"/sbin/restorecon: lstat(/etc/ssh/ssh_host_dsa_key.pub) failed: No such file or directory"
查看资料后知晓
从官方文档中可查,dsa从openssh 9.0就不再使用,rsa从openssh 9.3开始就不再使用
解决办法更改/etc/init.d/sshd
将此行注释掉 #/sbin/restorecon /etc/ssh/ssh_host_dsa_key.pub
重新加载启动即可
systemctl daemon-reload
systemctl restart sshd
报错没有权限
处理方式
vim /etc/ssh/sshd_config
将PermitRootLogin修改成yes
再次执行chmod 777 sshd_config
