Compiling and installing OpenSSH with OpenSSL on CentOS 7

2025-03-25

Download links

```
https://mirrors.aliyun.com/openssh/portable/openssh-9.9p2.tar.gz
https://github.com/openssl/openssl/releases/download/openssl-3.4.1/openssl-3.4.1.tar.gz
http://www.zlib.net/fossils/zlib-1.3.1.tar.gz
```

The same packages can be downloaded from this site: [OpenSSH source files.zip](https://blog.moper.net/usr/uploads/2025/03/2602404321.zip)

Download the three files (openssh, openssl, zlib) to /root.

Check the current version

```
cat /etc/centos-release
cat /etc/redhat-release
uname -a
```

Switch CentOS 7 to the Aliyun mirror

```
cp /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.backup
curl -o /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
curl -o /etc/yum.repos.d/epel-7.repo http://mirrors.aliyun.com/repo/epel-7.repo
```

Install and update with yum

```
yum install -y epel-release
yum install -y wget vim
yum clean all
yum makecache
yum update
```

# 1. Compile and install OpenSSL

The following two commands show where the current openssl is installed and which version it is:

```
which openssl
openssl version
```

Change to the /root directory

```
cd /root
```

1. Remove the current openssl

```
yum remove -y openssl
```

2. Install the packages needed to build OpenSSL, including gcc, make, perl and zlib-devel, by running:

```
yum install -y gcc make perl zlib-devel
```

3. Prepare the build

Preparation for openssl-1.1.1:

```
yum -y install perl-IPC-Cmd
tar -zxvf openssl-1.1.1w.tar.gz
cd openssl-1.1.1w
./config --prefix=/usr/local/openssl111w
```

Preparation for openssl-3.4.1:

```
yum -y install perl-I*
tar -zxvf openssl-3.4.1.tar.gz
cd openssl-3.4.1
./config --prefix=/usr/local/openssl341
```

4. Build and install

```
# -j speeds up the build; typically -j<number of CPU cores>
make
make install
```

5. Add the environment variables

For openssl-1.1.1:

```
vim /etc/profile
# append the following lines to /etc/profile
export PATH=/usr/local/openssl111w/bin:$PATH
export LD_LIBRARY_PATH=/usr/local/openssl111w/lib:$LD_LIBRARY_PATH
```

For openssl-3.4.1:

```
vim /etc/profile
# append the following lines to /etc/profile
# (OpenSSL 3.x installs its libraries under lib64 on x86_64)
export PATH=/usr/local/openssl341/bin:$PATH
export LD_LIBRARY_PATH=/usr/local/openssl341/lib64:$LD_LIBRARY_PATH
```

```
source /etc/profile
```

Register the library directory: edit /etc/ld.so.conf and add the directory that contains the shared libraries. For example, add this line to the file:

```
vim /etc/ld.so.conf
# add this line to the file:
/usr/local/openssl341/lib64
```

Run the following command to apply the change:

```
sudo ldconfig
```

Check the current OpenSSL version to confirm that the upgrade succeeded:

```
openssl version
```
## Other notes (for reference only)

If the old version is still reported instead of the new one, create a symlink so that the new version is used.

Back up the original openssl:

```
mv /usr/bin/openssl /usr/bin/openssl_20230525bak
mv /usr/lib64/openssl /usr/lib64/openssl_20230525bak
```

Then symlink the newly installed OpenSSL to that path:

```
# use the prefix given to ./config above (/usr/local/openssl111w for the 1.1.1 build)
ln -s /usr/local/openssl341/bin/openssl /usr/bin/openssl
openssl version
```

# 2. Compile and install zlib

```
cd /root
tar -zxvf zlib-1.3.1.tar.gz
cd zlib-1.3.1
./configure --prefix=/usr/local/zlib
make && make install
```

# 3. Upgrade OpenSSH

```
cd /root
tar -zxvf openssh-9.9p2.tar.gz
cd openssh-9.9p2
```

```
# Back up the original ssh directory
mv /etc/ssh /etc/ssh_bak
# Back up the original sshd binary
mv /usr/sbin/sshd /opt/sshd_bak
# Back up the original PAM configuration for sshd
cp -r /etc/pam.d/sshd /etc/pam.d/sshd.pam.bak
```

Uninstall the old version

```
yum remove openssh
```

The following commands can also be used as a reference for uninstalling:

```
# rpm -qa | grep openssh
openssh-clients-5.3p1-84.1.el6.x86_64
openssh-5.3p1-84.1.el6.x86_64
openssh-server-5.3p1-84.1.el6.x86_64
# rpm -e --nodeps openssh-clients-5.3p1-84.1.el6.x86_64 openssh-5.3p1-84.1.el6.x86_64 openssh-server-5.3p1-84.1.el6.x86_64
```

Compile and install

```
yum -y install pam-devel
# The --with-md5-passwords option no longer has any effect; leaving it out has had no impact so far
# --without-hardening turns off the toolchain hardening flags that configure enables by default
# Run only the ./configure line that matches the OpenSSL build installed above
# For the openssl111w build
./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-pam --with-ssl-dir=/usr/local/openssl111w --without-hardening --with-zlib=/usr/local/zlib
# For the openssl341 build
./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-pam --with-ssl-dir=/usr/local/openssl341 --without-hardening --with-zlib=/usr/local/zlib
make && make install
```

Copy the relevant files

```
cp -arf /usr/local/openssh/bin/* /usr/bin/
cp /usr/local/openssh/sbin/sshd /usr/sbin/sshd
cp /root/openssh-9.9p2/contrib/redhat/sshd.init /etc/init.d/sshd
cp /etc/pam.d/sshd.pam.bak /etc/pam.d/sshd
```

Update the configuration to enable root login, PAM, X11 forwarding and so on.

```
sed -i -e "s/#PermitRootLogin prohibit-password/PermitRootLogin yes/g" /etc/ssh/sshd_config
sed -i -e "s/#UsePAM no/UsePAM yes/g" /etc/ssh/sshd_config
sed -i -e "s/#X11Forwarding no/X11Forwarding yes/g" /etc/ssh/sshd_config
```

Set permissions

```
chmod +x /etc/init.d/sshd
chmod 600 /etc/ssh/ssh_host_rsa_key
chmod 600 /etc/ssh/ssh_host_ecdsa_key
chmod 600 /etc/ssh/ssh_host_ed25519_key
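```

Handle SELinux enforcing mode

```
touch /.autorelabel
```

Start ssh

```
# CentOS 6
# The SSH connection may drop after this runs; do it with machine-room access or with telnet enabled
service sshd restart
# CentOS 7 or openEuler
systemctl daemon-reload
# The SSH connection may drop after this runs; do it with machine-room access or with telnet enabled
systemctl restart sshd
```

After the upgrade the sshd service is not added to the startup items automatically; run `chkconfig --list sshd` to view its startup status.

To enable it at boot manually:

```
chkconfig --add sshd
systemctl enable sshd
chkconfig sshd on
```

After rebooting the machine, verify the current ssh version:

```
sshd -V
```

# Troubleshooting common upgrade problems

## root cannot log in after the upgrade

Check these three settings in `/etc/ssh/sshd_config`:

```
PermitRootLogin yes
PubkeyAuthentication yes
PasswordAuthentication yes
```

## Xftp/SFTP cannot connect after the upgrade

Try changing the following line in `/etc/ssh/sshd_config`:

```
Subsystem sftp /usr/libexec/openssh/sftp-server
```

to

```
Subsystem sftp internal-sftp
```

After restarting sshd, sftp worked normally.

## Error when starting the sshd service

```
sshd re-exec requires execution with an absolute path
```

Starting it with an absolute path also fails, with the following errors:

```
Could not load host key: /etc/ssh/ssh_host_key
Could not load host key: /etc/ssh/ssh_host_rsa_key
Could not load host key: /etc/ssh/ssh_host_dsa_key
Disabling protocol version 1. Could not load host key
Disabling protocol version 2.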
Could not load host key
sshd: no hostkeys available -- exiting
```

Fix:

```
# DSA is disabled at compile time by default since OpenSSH 9.8, so an Ed25519
# host key is generated here in place of ssh_host_dsa_key.
# -N "" sets an empty passphrase, which sshd needs in order to load a host key.
ssh-keygen -t ed25519 -N "" -f /etc/ssh/ssh_host_ed25519_key
ssh-keygen -t rsa -N "" -f /etc/ssh/ssh_host_rsa_key
/usr/sbin/sshd
```

## Connection drops after entering the password

After installation, logging in with a tool such as Xshell is rejected once the password has been entered. Resolve it as follows:

(1) Check whether an SELinux policy is being enforced; in /etc/selinux/config, change SELINUX=enforcing to SELINUX=disabled.

(2) Temporarily turn off enforcing mode with `setenforce 0`.

The root-cause fix is to run `touch /.autorelabel`.

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
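
A check to run before the `sshd` restart in part 3, given that the restart can drop the only remote session: `sshd -t` validates the configuration and host keys, and `sshd -T` prints the effective configuration. The script below is an added example, not part of the original post; it parses `sshd -T`-style output and reports the access-widening settings this guide switches on. The function name `audit_sshd_effective` and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post; names and sample data are constructed.
# audit_sshd_effective reads `sshd -T` output (lowercase "keyword value" lines)
# on stdin, prints one FLAG line per finding, and returns 1 if anything was flagged.
audit_sshd_effective() {
    awk '
        { v[$1] = $2 }    # remember the effective value of every keyword
        END {
            # With UsePAM, keyboard-interactive is a second path to password login.
            kbd = (v["usepam"] == "yes" && v["kbdinteractiveauthentication"] == "yes")
            pw  = (v["passwordauthentication"] == "yes" || kbd)
            if (v["permitrootlogin"] == "yes" && pw) {
                print "FLAG root-password: root can log in with a password"; n++
            }
            if (v["passwordauthentication"] == "no" && kbd) {
                print "FLAG kbdint: passwords still accepted via PAM keyboard-interactive"; n++
            }
            if (v["x11forwarding"] == "yes") {
                print "FLAG x11: X11 forwarding is enabled"; n++
            }
            exit (n > 0 ? 1 : 0)
        }
    '
}

# Constructed sample: effective settings after the sed edits in part 3.
GUIDE_SAMPLE='permitrootlogin yes
passwordauthentication yes
kbdinteractiveauthentication yes
usepam yes
x11forwarding yes
subsystem sftp internal-sftp'

# On the upgraded host, before restarting sshd (-t also checks the host keys):
#   /usr/sbin/sshd -t && /usr/sbin/sshd -T | audit_sshd_effective
printf '%s\n' "$GUIDE_SAMPLE" | audit_sshd_effective ||
    echo "review the flagged settings before restarting sshd"
```

Setting `PasswordAuthentication no` alone does not clear the root-password finding while `UsePAM yes` and keyboard-interactive authentication remain enabled, which is why the script evaluates the three keywords together.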