部署前准备
- 安装依赖
zypper install -y gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel pam-devel
zypper install -y pam* zlib*
- SUSE的pam模块支持与其他Linux不同,请按需检查
- openssh-9.6p1.tar.gz
- openssl-3.2.0.tar.gz
- zlib-1.3.1.tar.gz(openssh支持包)
- ntp-4.2.8p17.tar.gz
- 备份文件
cp /etc/pam.d/sshd /etc/pam.d/sshd.bak
安装zlib支持包
解压安装包
tar zxvf zlib-1.3.1.tar.gz
cd zlib-1.3.1
编译安装zlib
./configure --prefix=/usr/local/zlib
make && make install
此处将zlib安装到服务器 /usr/local/zlib
下
升级Openssl
解压openssl安装包
tar zxvf openssl-3.1.0.tar.gz
cd openssl-3.1.0
备份旧Openssl
mv /usr/bin/openssl /usr/bin/openssl_old
mv /usr/include/openssl /usr/include/openssl_old
编译安装Openssl
./config --prefix=/usr/local/openssl && make && make install
创建操作系统软链接
ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
ln -s /usr/local/openssl/include/openssl /usr/include/openssl
设置加载库
- 注意:lib库名称,旧版本是'lib',新版本编译后是'lib64',故 编译完成后检查自己安装的路径lib库名称
echo "/usr/local/openssl/lib64" >> /etc/ld.so.conf
ldconfig -v
检查Openssl版本
openssl version
升级Openssh
解压openssh安装包
tar zxvf openssh-9.3p1.tar.gz
cd openssh-9.3p1/
备份旧openssh目录
mv /etc/ssh /etc/ssh_old
编译安装Openssh
./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-md5-passwords --with-tcp-wrappers --with-ssl-dir=/usr/local/openssl --with-zlib=/usr/local/zlib --without-hardening
make && make install
备份旧文件
mv /usr/sbin/sshd /usr/sbin/sshd_old
mv /etc/sysconfig/sshd /etc/sysconfig/sshd_old
mv /usr/lib/systemd/system/sshd.service /usr/lib/systemd/system/sshd.service_old
卸载openssh
for i in $(rpm -qa |grep openssh);do rpm -e $i --nodeps ;done
还原openssh配置文件
cp -a /etc/ssh_old/sshd_config /etc/ssh/sshd_config
mv /etc/ssh/moduli.rpmsave /etc/ssh/moduli
cp /etc/pam.d/sshd.bak /etc/pam.d/sshd
替换新版本openssh相关命令
cp -arf /usr/local/openssh/bin/* /usr/bin/
cp -arf /usr/local/openssh/sbin/sshd /usr/sbin/sshd
拷贝启动脚本
cp -a contrib/suse/rc.sshd /etc/init.d/sshd
cp -a contrib/suse/sysconfig.ssh /etc/sysconfig/ssh
chmod +x /etc/init.d/sshd
设置开机启动,并验证版本
systemctl daemon-reload
chkconfig --add sshd && chkconfig sshd on
systemctl start sshd
ssh -V
设置安全性
sed -ie ''$(grep -rn 'Ciphers and keying' /etc/ssh/sshd_config | cut -d ':' -f1)'a Ciphers aes128-ctr,aes192-ctr,aes256-ctr \n\nMACs hmac-sha2-256,hmac-sha2-512,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com \n\nKexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 \n' /etc/ssh/sshd_config
检查配置并注释不支持的参数
sshd -t
更新ntp服务
解压ntp安装包
tar -zxvf ntp-4.2.8p17.tar.gz
cd ntp-4.2.8p17
卸载旧版本ntp服务
rpm -e ntp
编译安装ntp服务
./configure --prefix=/usr/local/ntp --with-openssl-libdir=/usr/local/openssl/lib64 --enable-all-clocks --enable-parse-clocks CFLAGS=-fPIC
make && make install
拷贝配置文件
cp /usr/local/ntp-4.2.8p17/bin/ntp* /usr/bin/
mv /etc/ntp.conf.rpmsave /etc/ntp.conf
拷贝服务启动文件
cp /usr/local/ntp/bin/ntpd /etc/init.d/ntpd
配置开机启动检查服务器是否启动成功
systemctl daemon-reload
chkconfig --add ntpd && chkconfig ntpd on
systemctl restart ntpd
systemctl status ntpd
查看ntp版本
ntpd --version