Upgrading OpenSSL and OpenSSH on Ubuntu 18.04.6

Upgrade background

SSL/TLS protocol information disclosure vulnerability (CVE-2016-2183)

<*Source: Karthik Bhargavan

Gaetan Leurent

Link: https://www.openssl.org/news/secadv/20160922.txt

Operating system information: Ubuntu 18.04.6

*>

cat /etc/os-release  
NAME="Ubuntu"
VERSION="18.04.6 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.6 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic

ssh -V
OpenSSH_7.6p1 Ubuntu-4ubuntu0.7, OpenSSL 1.0.2n  7 Dec 2017

Download the required packages

cd /usr/local/src/
wget http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.8p1.tar.gz
wget https://www.openssl.org/source/openssl-3.2.2.tar.gz
wget https://www.zlib.net/fossils/zlib-1.3.1.tar.gz
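
The OpenSSH tarball above is fetched over plain HTTP, and all three archives are then built and installed as root, so it is worth confirming their digests before unpacking anything. The function below is an added example, not part of the original article; the manifest name `SHA256SUMS` and its location are assumptions, and the digests themselves have to be taken from each project's release page.

```shell
#!/bin/sh
# Added example (not from the original article): fail-closed SHA-256 check
# for source tarballs before they are unpacked and built as root.
#
# Manifest format is that of sha256sum: "<64 hex digits>  <file name>".
# Assumption: the manifest is called SHA256SUMS and was filled in by hand from
# each project's release page; no digests are supplied here.

# verify_sources MANIFEST DIR
# Succeeds only if every entry in MANIFEST matches a file in DIR and every
# *.tar.gz in DIR has an entry. The body is a subshell, so variables stay local.
verify_sources() (
    manifest=$1; dir=$2; rc=0
    [ -r "$manifest" ] || { echo "manifest not readable: $manifest" >&2; exit 2; }

    # Pass 1: each listed file must exist and hash to the listed digest.
    while read -r digest name || [ -n "$digest" ]; do
        case $digest in ''|\#*) continue ;; esac     # blank line or comment
        name=${name#\*}                              # '*' marks binary mode
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING   $name" >&2; rc=1; continue
        fi
        want=$(printf '%s' "$digest" | tr 'A-F' 'a-f')
        have=$(sha256sum "$dir/$name" | cut -d' ' -f1)
        if [ "$have" = "$want" ]; then
            echo "OK        $name"
        else
            echo "MISMATCH  $name" >&2; rc=1
        fi
    done < "$manifest"

    # Pass 2: a tarball that nobody vouched for must not be built either.
    for f in "$dir"/*.tar.gz; do
        [ -e "$f" ] || continue
        base=${f##*/}
        awk -v n="$base" '{ sub(/^\*/, "", $2) } $2 == n { ok = 1 } END { exit !ok }' \
            "$manifest" || { echo "UNLISTED  $base" >&2; rc=1; }
    done
    [ "$rc" -eq 0 ]
)

# Typical use on the build host (paths as in the article):
#   verify_sources /usr/local/src/SHA256SUMS /usr/local/src || exit 1
```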

Install zlib

Create the directory

mkdir -p /usr/local/zlib
cd /usr/local/src/

Extract the archive

tar -zxvf zlib-1.3.1.tar.gz
# The archive unpacks into zlib-1.3.1
cd zlib-1.3.1

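Install the build prerequisites

On a machine with Internet access, download only the required dependency packages:

sudo apt-get install --download-only gcc g++ make libc6-dev -y

This command only downloads the .deb packages for gcc, g++, make and libc6-dev together with their dependencies, which suits offline deployment. The packages are saved in /var/cache/apt/archives/.
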
root@ubuntu-virtual-machine:/opt/gcc-offline# ls
g++_4%3a7.4.0-1ubuntu2.3_amd64.deb       libatomic1_8.4.0-1ubuntu1~18.04_amd64.deb  libcilkrts5_7.5.0-3ubuntu1~18.04_amd64.deb   libquadmath0_8.4.0-1ubuntu1~18.04_amd64.deb     make_4.1-9.1ubuntu1_amd64.deb
g++-7_7.5.0-3ubuntu1~18.04_amd64.deb     libc6_2.27-3ubuntu1.6_amd64.deb            libgcc-7-dev_7.5.0-3ubuntu1~18.04_amd64.deb  libstdc++-7-dev_7.5.0-3ubuntu1~18.04_amd64.deb  manpages-dev_4.15-1_all.deb
gcc_4%3a7.4.0-1ubuntu2.3_amd64.deb       libc6-dbg_2.27-3ubuntu1.6_amd64.deb        libitm1_8.4.0-1ubuntu1~18.04_amd64.deb       libtsan0_8.4.0-1ubuntu1~18.04_amd64.deb
gcc-7_7.5.0-3ubuntu1~18.04_amd64.deb     libc6-dev_2.27-3ubuntu1.6_amd64.deb        liblsan0_8.4.0-1ubuntu1~18.04_amd64.deb      libubsan0_7.5.0-3ubuntu1~18.04_amd64.deb
libasan4_7.5.0-3ubuntu1~18.04_amd64.deb  libc-dev-bin_2.27-3ubuntu1.6_amd64.deb     libmpx2_8.4.0-1ubuntu1~18.04_amd64.deb       linux-libc-dev_4.15.0-213.224_amd64.deb

Install the dependencies offline

tar -xzvf gcc-offline.tar.gz
cd gcc-offline
sudo dpkg -i *.deb

Build and install zlib

./configure --prefix=/usr/local/zlib

root@ubuntu-virtual-machine:/opt/zlib-1.3.1# ./configure --prefix=/usr/local/zlib
Checking for gcc...
Checking for shared library support...
Building shared library libz.so.1.3.1 with gcc.
Checking for size_t... Yes.
Checking for off64_t... Yes.
Checking for fseeko... Yes.
Checking for strerror... Yes.
Checking for unistd.h... Yes.
Checking for stdarg.h... Yes.
Checking whether to use vs[n]printf() or s[n]printf()... using vs[n]printf().
Checking for vsnprintf() in stdio.h... Yes.
Checking for return value of vsnprintf()... Yes.
Checking for attribute(visibility) support... Yes.

make && make install

 root@ubuntu-virtual-machine:/opt/zlib-1.3.1# make && make install
  gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -I. -c -o example.o test/example.c
  gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN  -c -o adler32.o adler32.c
  gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN  -c -o crc32.o crc32.c
  gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN  -c -o deflate.o deflate.c
  gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN  -c -o infback.o infback.c
  gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN  -c -o inffast.o inffast.c
  gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN  -c -o inflate.o inflate.c
  gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN  -c -o inftrees.o inftrees.c
  gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN  -c -o trees.o trees.c
  gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN  -c -o zutil.o zutil.c
  gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN  -c -o compress.o compress.c
  gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN  -c -o uncompr.o uncompr.c
  gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN  -c -o gzclose.o gzclose.c
  gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN  -c -o gzlib.o gzlib.c
  gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN  -c -o gzread.o gzread.c
  gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN  -c -o gzwrite.o gzwrite.c
  ar rc libz.a adler32.o crc32.o deflate.o infback.o inffast.o inflate.o inftrees.o trees.o zutil.o compress.o uncompr.o gzclose.o gzlib.o gzread.o gzwrite.o 
  gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN  -o example example.o -L. libz.a
  gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -I. -c -o minigzip.o test/minigzip.c
  gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN  -o minigzip minigzip.o -L. libz.a
  gcc -O3 -fPIC -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN  -DPIC -c -o objs/adler32.o adler32.c
  gcc -O3 -fPIC -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN  -DPIC -c -o objs/crc32.o crc32.c
  gcc -O3 -fPIC -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN  -DPIC -c -o objs/deflate.o deflate.c
  gcc -O3 -fPIC -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN  -DPIC -c -o objs/infback.o infback.c
  gcc -O3 -fPIC -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN  -DPIC -c -o objs/inffast.o inffast.c
  gcc -O3 -fPIC -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN  -DPIC -c -o objs/inflate.o inflate.c
  gcc -O3 -fPIC -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN  -DPIC -c -o objs/inftrees.o inftrees.c
  gcc -O3 -fPIC -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN  -DPIC -c -o objs/trees.o trees.c
  gcc -O3 -fPIC -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN  -DPIC -c -o objs/zutil.o zutil.c
  gcc -O3 -fPIC -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN  -DPIC -c -o objs/compress.o compress.c
  gcc -O3 -fPIC -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN  -DPIC -c -o objs/uncompr.o uncompr.c
  gcc -O3 -fPIC -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN  -DPIC -c -o objs/gzclose.o gzclose.c
  gcc -O3 -fPIC -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN  -DPIC -c -o objs/gzlib.o gzlib.c
  gcc -O3 -fPIC -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN  -DPIC -c -o objs/gzread.o gzread.c
  gcc -O3 -fPIC -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN  -DPIC -c -o objs/gzwrite.o gzwrite.c
  gcc -shared -Wl,-soname,libz.so.1,--version-script,zlib.map -O3 -fPIC -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -o libz.so.1.3.1 adler32.lo crc32.lo deflate.lo infback.lo inffast.lo inflate.lo inftrees.lo trees.lo zutil.lo compress.lo uncompr.lo gzclose.lo gzlib.lo gzread.lo gzwrite.lo  -lc 
  rm -f libz.so libz.so.1
  ln -s libz.so.1.3.1 libz.so
  ln -s libz.so.1.3.1 libz.so.1
  gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -o examplesh example.o  -L. libz.so.1.3.1
  gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -o minigzipsh minigzip.o  -L. libz.so.1.3.1
  gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -I. -D_FILE_OFFSET_BITS=64 -c -o example64.o test/example.c
  gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN  -o example64 example64.o -L. libz.a
  gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -I. -D_FILE_OFFSET_BITS=64 -c -o minigzip64.o test/minigzip.c
  gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN  -o minigzip64 minigzip64.o -L. libz.a
  rm -f /usr/local/zlib/lib/libz.a
  cp libz.a /usr/local/zlib/lib
  chmod 644 /usr/local/zlib/lib/libz.a
  cp libz.so.1.3.1 /usr/local/zlib/lib
  chmod 755 /usr/local/zlib/lib/libz.so.1.3.1
  rm -f /usr/local/zlib/share/man/man3/zlib.3
  cp zlib.3 /usr/local/zlib/share/man/man3
  chmod 644 /usr/local/zlib/share/man/man3/zlib.3
  rm -f /usr/local/zlib/lib/pkgconfig/zlib.pc
  cp zlib.pc /usr/local/zlib/lib/pkgconfig
  chmod 644 /usr/local/zlib/lib/pkgconfig/zlib.pc
  rm -f /usr/local/zlib/include/zlib.h /usr/local/zlib/include/zconf.h
  cp zlib.h zconf.h /usr/local/zlib/include
  chmod 644 /usr/local/zlib/include/zlib.h /usr/local/zlib/include/zconf.h

Install OpenSSL

Check the current version

openssl version
# Output: OpenSSL 1.1.1  11 Sep 2018

Create the installation directory

mkdir -p /usr/local/ssl

Download and extract OpenSSL

cd /usr/local/src
tar zxvf openssl-3.2.2.tar.gz
cd openssl-3.2.2

Configure and install

./config --prefix=/usr/local/ssl --shared
make && make install
# The build and install take about 30 minutes

Verify the installation

openssl version
# The reported version has not changed

Resolve the shared library dependency problem

/usr/local/ssl/bin/openssl version
# Error: ./openssl: error while loading shared libraries: libssl.so.3: cannot open shared object file: No such file or directory

# Fix:
echo '/usr/local/ssl/lib64' >> /etc/ld.so.conf
ldconfig

# Verify again
/usr/local/ssl/bin/openssl version
# Output: OpenSSL 3.2.2 4 Jun 2024 (Library: OpenSSL 3.2.2 4 Jun 2024)

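Update the environment variables permanently

  1. Confirm the installation

    ls /usr/local/ssl/bin/
    # Confirm that the new openssl executable is present
  2. Update the environment variables

    Edit the ~/.bashrc or ~/.bash_profile file:

    nano ~/.bashrc

    Append the following at the end of the file:

    export PATH=/usr/local/ssl/bin:$PATH
    # lib64 is where the libraries were installed; ${VAR:+...} avoids an empty entry, which the loader treats as the current directory
    export LD_LIBRARY_PATH=/usr/local/ssl/lib64${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}

    Save the file and apply the change:

    source ~/.bashrc
  3. Refresh the shared library cache

    sudo ldconfig
  4. Verify the OpenSSL version

    openssl version
    # Output: OpenSSL 3.2.2 4 Jun 2024 (Library: OpenSSL 3.2.2 4 Jun 2024)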

Common errors when installing OpenSSL

Running ./config --prefix=/usr/local/ssl --shared reports "Setting locale failed"

 root@dwork:/usr/local/src/openssl-3.2.2# ./config --prefix=/usr/local/ssl --shared
 perl: warning: Setting locale failed.
 perl: warning: Please check that your locale settings:
 LANGUAGE = ""en_US:en"",
 LC_ALL = (unset),
 LANG = ""en_US.UTF-8″"
     are supported and installed on your system.
 perl: warning: Falling back to the standard locale ("C").
 Configuring OpenSSL version 3.2.2 for target linux-x86_64
 Using os-specific seed configuration
 Created configdata.pm
 Running configdata.pm
 perl: warning: Setting locale failed.
 perl: warning: Please check that your locale settings:
 LANGUAGE = ""en_US:en"",
 LC_ALL = (unset),
 LANG = ""en_US.UTF-8″"
     are supported and installed on your system.
 perl: warning: Falling back to the standard locale ("C").
 Created Makefile.in
 Created Makefile
 Created include/openssl/configuration.h

 **********************************************************************
 ***                                                                ***
 ***   OpenSSL has been successfully configured                     ***
 ***                                                                ***
 ***   If you encounter a problem while building, please open an    ***
 ***   issue on GitHub <https://github.com/openssl/openssl/issues>  ***
 ***   and include the output from the following command:           ***
 ***                                                                ***
 ***       perl configdata.pm --dump                                ***
 ***                                                                ***
 ***   (If you are new to OpenSSL, you might want to consult the    ***
 ***   'Troubleshooting' section in the INSTALL.md file first)      ***
 ***                                                                ***
 **********************************************************************

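Solution

# Open the shell configuration file in an editor
sudo nano ~/.bashrc

# Add the following lines
LANGUAGE="en_US:en"
LANG="en_US.UTF-8"

# Apply the configuration immediately
source ~/.bashrc

# 1. Install the locales package (if it is not installed)
sudo apt-get update && sudo apt-get install -y locales

# 2. Generate the en_US.UTF-8 locale
sudo locale-gen en_US.UTF-8

# 3. Verify that the locale was generated (locale -a lists it as en_US.utf8)
locale -a | grep -i -E 'en_US\.utf-?8'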

Guide to installing the Telnet server offline

1. Download the packages on a machine with Internet access

sudo apt-get install --download-only telnetd xinetd -y

2. Install xinetd and telnetd

dpkg -i xinetd_1%3a2.3.15.3-1_amd64.deb
dpkg -i telnetd_0.17-41_amd64.deb

3. Check the xinetd service status

systemctl status xinetd

Sample output:

● xinetd.service - LSB: Starts or stops the xinetd daemon.
   Loaded: loaded (/etc/init.d/xinetd; generated)
   Active: active (running) since Wed 2025-05-07 15:52:38 CST; 4 days ago
     Docs: man:systemd-sysv-generator(8)
  Process: 27492 ExecStop=/etc/init.d/xinetd stop (code=exited, status=0/SUCCESS)
  Process: 27499 ExecStart=/etc/init.d/xinetd start (code=exited, status=0/SUCCESS)
    Tasks: 3 (limit: 4915)
   CGroup: /system.slice/xinetd.service
           ├─20505 in.telnetd: 10.252.248.10
           ├─27527 /usr/sbin/xinetd -pidfile /run/xinetd.pid -stayalive -inetd_compat -inetd_ipv6
           └─27680 in.telnetd: 10.252.248.20

4. Configure the Telnet service

sudo nano /etc/xinetd.d/telnet

Configuration file contents:

service telnet 
{  
    disable = no  
    socket_type = stream  
    protocol = tcp  
    wait = no  
    user = root  
    server = /usr/sbin/in.telnetd  
    port = 23
    log_on_failure += USERID  
}  

5. Restart the service and verify

sudo systemctl restart xinetd
sudo systemctl status xinetd
lsof -i :23

6. Change the default port (optional)

To change the Telnet service port (for example, to 123):

  1. Edit the /etc/services file:

telnet     123/tcp     # Custom Telnet service port

  2. Edit the /etc/xinetd.d/telnet file:

service telnet
{
    disable = no
    socket_type = stream
    protocol = tcp
    wait = no
    user = root
    server = /usr/sbin/in.telnetd
    port = 123
    log_on_failure += USERID
}

  3. Restart the service and test:

sudo systemctl restart xinetd
telnet <server IP> 123
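
Telnet carries the login in cleartext and the configuration above runs in.telnetd as root, so the fallback should not stay enabled once the new sshd is reachable. The check below is an added example, not part of the original article; it assumes the service is defined only in per-service files such as /etc/xinetd.d/telnet, and the helper names are made up for illustration.

```shell
#!/bin/sh
# Added example, not part of the original article.
# Reports whether an xinetd service file still enables telnet.
# Assumption: only per-service files are inspected; "enabled"/"disabled"
# lists in the defaults section of /etc/xinetd.conf are not evaluated.

# xinetd_service_state FILE SERVICE
# Prints "absent", or "<enabled|disabled> user=<user> port=<port>".
# xinetd treats a service block without "disable = yes" as enabled.
xinetd_service_state() {
    awk -v svc="$2" '
        { sub(/#.*/, "") }                            # strip comments
        $1 == "service" { in_blk = ($2 == svc); if (in_blk) seen = 1; next }
        $1 == "}"       { in_blk = 0; next }
        in_blk && /=/ {
            key = $0; sub(/[ \t]*[-+]?=.*/, "", key); gsub(/[ \t]/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val);  sub(/[ \t]+$/, "", val)
            attr[key] = val
        }
        END {
            if (!seen) { print "absent"; exit }
            state = (tolower(attr["disable"]) == "yes") ? "disabled" : "enabled"
            printf "%s user=%s port=%s\n", state, attr["user"], attr["port"]
        }' "$1"
}

# telnet_fallback_closed [DIR]
# Succeeds when no file in DIR (default /etc/xinetd.d) leaves telnet enabled.
# The body is a subshell, so its variables stay local.
telnet_fallback_closed() (
    dir=${1:-/etc/xinetd.d}; rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        state=$(xinetd_service_state "$f" telnet)
        case $state in
            enabled*) echo "telnet still enabled in $f ($state)" >&2; rc=1 ;;
        esac
    done
    [ "$rc" -eq 0 ]
)

# Constructed sample: the service block from the article, written to FILE
# with the given value for "disable".
write_sample_telnet_conf() {
    cat > "$1" <<EOF
service telnet
{
    disable = $2
    socket_type = stream
    protocol = tcp
    wait = no
    user = root
    server = /usr/sbin/in.telnetd
    port = 23
    log_on_failure += USERID
}
EOF
}
```

Setting `disable = yes` in the service file and restarting xinetd closes the listener; `lsof -i :23` from step 5 then shows nothing.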

Back up and uninstall the old OpenSSH

1. Back up the SSH configuration files

cp -r /etc/ssh /etc/ssh.old

2. Back up the SSH executables

cp -p /usr/sbin/sshd /usr/sbin/sshd.bak
cp -p /usr/bin/ssh /usr/bin/ssh.bak
cp -p /usr/bin/ssh-keygen /usr/bin/ssh-keygen.bak

3. Stop the SSH service

systemctl status sshd
systemctl stop sshd

Note: make sure you do not close your remote connection.

4. Query and uninstall the existing OpenSSH packages

dpkg -l | grep openssh

Sample output:

ii  openssh-client       1:7.6p1-4ubuntu0.7  amd64  secure shell (SSH) client, for secure access to remote machines
ii  openssh-server       1:7.6p1-4ubuntu0.7  amd64  secure shell (SSH) server, for secure access from remote machines
ii  openssh-sftp-server  1:7.6p1-4ubuntu0.7  amd64  secure shell (SSH) sftp server module, for SFTP access from remote machines

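5. Run the uninstall

apt purge openssh-server openssh-client openssh-sftp-server

The uninstall fails with an error reporting missing dependency packages.

Download and install the missing packages: sudo apt-get install --download-only curl libcurl4 -y

6. Verify the uninstall result
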
dpkg -l | grep openssh

Upgrade OpenSSH

First, create the OpenSSH installation directory:

mkdir -p /usr/local/openssh

Change to /usr/local/src and download the OpenSSH source package:

cd /usr/local/src
wget http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.8p1.tar.gz

Extract the downloaded source package:

tar zxvf openssh-9.8p1.tar.gz

Change into the extracted directory:

cd openssh-9.8p1

Configure the build options, specifying the installation prefix and the zlib and SSL paths:

./configure --prefix=/usr/local/openssh --with-zlib=/usr/local/zlib --with-ssl-dir=/usr/local/ssl

After a successful configure, the output is as follows:

root@ubuntu-virtual-machine:/opt/openssh-9.8p1# ./configure --prefix=/usr/local/openssh --with-zlib=/usr/local/zlib --with-ssl-dir=/usr/local/ssl
  checking for cc... cc
  checking whether the C compiler works... yes
  checking for C compiler default output file name... a.out
  checking for suffix of executables... 
  checking whether we are cross compiling... no
  checking for suffix of object files... o
  checking whether the compiler supports GNU C... yes
  checking whether cc accepts -g... yes
  checking for cc option to enable C11 features... none needed
  checking if cc supports C99-style variadic macros... yes
  checking build system type... x86_64-pc-linux-gnu
  checking host system type... x86_64-pc-linux-gnu
  checking for stdio.h... yes
  checking for stdlib.h... yes
  checking for string.h... yes
  ......
  checking for dropbearconvert... no
  configure: creating ./config.status
  config.status: creating Makefile
  config.status: creating buildpkg.sh
  config.status: creating opensshd.init
  config.status: creating openssh.xml
  config.status: creating openbsd-compat/Makefile
  config.status: creating openbsd-compat/regress/Makefile
  config.status: creating survey.sh
  config.status: creating config.h

  OpenSSH has been configured with the following options:
                      User binaries: /usr/local/openssh/bin
                    System binaries: /usr/local/openssh/sbin
                Configuration files: /usr/local/openssh/etc
                    Askpass program: /usr/local/openssh/libexec/ssh-askpass
                        Manual pages: /usr/local/openssh/share/man/manX
                            PID file: /var/run
    Privilege separation chroot path: /var/empty
              sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/openssh/bin
                      Manpage format: doc
                        PAM support: no
                    OSF SIA support: no
                  KerberosV support: no
                    SELinux support: no
                    libedit support: no
                    libldns support: no
    Solaris process contract support: no
            Solaris project support: no
          Solaris privilege support: no
        IP address in $DISPLAY hack: no
            Translate v4 in v6 hack: yes
                    BSD Auth support: no
                Random number source: OpenSSL internal ONLY
              Privsep sandbox style: seccomp_filter
                    PKCS#11 support: yes
                    U2F/FIDO support: yes

                Host: x86_64-pc-linux-gnu
            Compiler: cc
      Compiler flags: -g -O2 -pipe -Wno-error=format-truncation -Wall -Wextra -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-parameter -Wno-unused-result -Wimplicit-fallthrough -Wmisleading-indentation -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE  
  Preprocessor flags: -I/usr/local/ssl/include -I/usr/local/zlib/include  -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -D_GNU_SOURCE -DOPENSSL_API_COMPAT=0x10100000L
        Linker flags: -L/usr/local/ssl/lib64 -L/usr/local/zlib/lib  -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -pie 
          Libraries: -ldl -lutil  -lresolv
      +for channels: -lcrypto  -lz
          +for sshd: -lcrypt 

  root@ubuntu-virtual-machine:/opt/openssh-9.8p1# systemctl status sshd
  Unit sshd.service could not be found.

After running make && make install, the system prints the following installation output:

/usr/bin/install -c -m 644 sshd.8.out /usr/local/openssh/share/man/man8/sshd.8
/usr/bin/install -c -m 644 sftp.1.out /usr/local/openssh/share/man/man1/sftp.1
/usr/bin/install -c -m 644 sftp-server.8.out /usr/local/openssh/share/man/man8/sftp-server.8
/usr/bin/install -c -m 644 ssh-keysign.8.out /usr/local/openssh/share/man/man8/ssh-keysign.8
/usr/bin/install -c -m 644 ssh-pkcs11-helper.8.out /usr/local/openssh/share/man/man8/ssh-pkcs11-helper.8
/usr/bin/install -c -m 644 ssh-sk-helper.8.out /usr/local/openssh/share/man/man8/ssh-sk-helper.8
/bin/mkdir -p /usr/local/openssh/etc
ssh-keygen: generating new host keys: RSA ECDSA ED25519 
/usr/local/openssh/sbin/sshd -t -f /usr/local/openssh/etc/sshd_config
Privilege separation user sshd does not exist
Makefile:396: recipe for target 'check-config' failed
make: [check-config] Error 255 (ignored)

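Because SSH disallows root login by default, we leave the default configuration unchanged here.

Next, copy the new configuration file produced by the build to the system default path:
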
mkdir -p /etc/ssh/
cp /usr/local/openssh/etc/sshd_config /etc/ssh/sshd_config
cp /usr/local/openssh/sbin/sshd /usr/sbin/sshd
cp /usr/local/openssh/bin/ssh /usr/bin/ssh
cp /usr/local/openssh/bin/ssh-keygen /usr/bin/ssh-keygen
cp /usr/local/openssh/etc/ssh_host_ecdsa_key.pub /etc/ssh/ssh_host_ecdsa_key.pub

Verify that the SSH upgrade succeeded with the following command:

ssh -V
OpenSSH_9.8p1, OpenSSL 3.2.2 4 Jun 2024

Autostart configuration for a source install

Unit file

Path: /lib/systemd/system/ssh.service

[Unit]
Description=OpenBSD Secure Shell server
After=network.target auditd.service
ConditionPathExists=!/etc/ssh/sshd_not_to_be_run

[Service]
EnvironmentFile=-/etc/default/ssh
ExecStartPre=/usr/sbin/sshd -t
ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
ExecReload=/usr/sbin/sshd -t
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartPreventExitStatus=255
Type=notify
RuntimeDirectory=sshd
RuntimeDirectoryMode=0755

[Install]
WantedBy=multi-user.target
Alias=sshd.service

Create the symbolic link

sudo ln -s /lib/systemd/system/ssh.service /etc/systemd/system/sshd.service

Create the system user

sudo useradd -r -u 122 -g 65534 -d /run/sshd -s /usr/sbin/nologin sshd

Reload the systemd configuration

sudo systemctl daemon-reload
sudo systemctl status ssh
sudo systemctl enable ssh
sudo journalctl -xe | grep sshd

Change the SSH port

Edit the configuration file

Path: /usr/local/openssh/etc/sshd_config

Port 5000
#PermitRootLogin yes

Synchronize the configuration file

cp /usr/local/openssh/etc/sshd_config /etc/ssh/sshd_config
sudo systemctl daemon-reload
sudo systemctl restart ssh

Verify the connection

# The port option of ssh is the lowercase -p
ssh -p 5000 IP

Sample configuration file

root@dwork:/etc/ssh# cat /etc/ssh.old/sshd_config 
#$OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

Port 5000
#PermitRootLogin yes
......

This completes the OpenSSH upgrade. Suggestions are welcome.
