1、安装依赖工具
# CentOS/RHEL
yum install -y gcc make zlib-devel openssl-devel pam-devel
# Ubuntu/Debian
apt install -y gcc make libssl-dev libpam0g-dev
2、备份原有配置(关键,用于回滚)
cp -r /etc/ssh /etc/ssh.bak.$(date +%Y%m%d)
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
3、升级依赖
注意:CentOS 7 自带 OpenSSL 1.0.2,无法直接编译 OpenSSH 10.2+,必须先升级 OpenSSL。
3.1、下载并编译 OpenSSL 1.1.1
cd /usr/local/src
wget https://www.openssl.org/source/openssl-1.1.1w.tar.gz
tar -zxvf openssl-1.1.1w.tar.gz
cd openssl-1.1.1w
./config --prefix=/usr/local/openssl11 --shared zlib
make -j4 && make install
3.2、配置动态链接器
echo "/usr/local/openssl11/lib" > /etc/ld.so.conf.d/openssl11.conf
ldconfig
4、编译安装 OpenSSH
4.1、下载最新源码
cd /usr/local/src
wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-10.2p1.tar.gz
tar -zxvf openssh-10.2p1.tar.gz
cd openssh-10.2p14.2、配置编译(指定新版 OpenSSL 路径)
./configure --prefix=/usr \
--sysconfdir=/etc/ssh \
--with-ssl-dir=/usr/local/openssl11 \
--with-zlib \
--without-openssl-header-check
4.3、编译与安装
make -j4 && make install
4.4、修复配置与权限(解决 Access denied)
vim /etc/ssh/sshd_config修改以下内容:
4.5、修复密钥权限
chmod 600 /etc/ssh/ssh_host_*_key
chmod 644 /etc/ssh/ssh_host_*_key.pub
chown root:root /etc/ssh/ssh_host_*_key
setenforce 0
ssh-keygen -A
4.6、重启 SSH 服务
systemctl restart sshd4.7、检查状态
systemctl status sshd
ssh -V
4.8、本地测试登录(不要退出当前终端,新开终端测试)
ssh root@localhost