文章目录
- 升级背景
- 下载必要软件包
- 安装 zlib
- 创建目录
- 解压文件
- 安装前置依赖
- 离线安装依赖
- 编译安装 zlib
- 安装 OpenSSL
- 检查当前版本
- 创建安装目录
- 下载并解压 OpenSSL
- 配置与安装
- 验证安装
- 解决动态库依赖问题
- 永久更新环境变量
- 安装OpenSSL常见错误
- 离线安装 Telnet 服务端指南
- 1. 在联网机器上下载安装包
- 2. 安装 xinetd和telnetd
- 3. 检查 xinetd 服务状态
- 4. 配置 Telnet 服务
- 5. 重启服务并验证
- 6. 修改默认端口(可选)
- 备份并卸载老版本OpenSSH
- 1. 备份SSH配置文件
- 2. 备份SSH相关可执行文件
- 3. 停止SSH服务
- 4. 查询并卸载现有OpenSSH包
- 5. 执行卸载
- 6. 验证卸载结果
- 升级 OpenSSH
- 源码安装时自启动配置
- 启动配置文件
- 创建符号链接
- 创建系统用户
- 重新加载 systemd 配置
- 更新 SSH 访问端口
- 修改配置文件
- 同步配置文件
- 验证连接
- 配置文件示例
升级背景
SSL/TLS 协议信息泄露漏洞(CVE-2016-2183)
来源:Karthik Bhargavan、Gaetan Leurent
链接:https://www.openssl.org/news/secadv/20160922.txt
操作系统信息:Ubuntu 18.04.6
cat /etc/os-release
NAME="Ubuntu"
VERSION="18.04.6 LTS (Bionic Beaver)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 18.04.6 LTS"
VERSION_ID="18.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=bionic
UBUNTU_CODENAME=bionic
ssh -V
OpenSSH_7.6p1 Ubuntu-4ubuntu0.7, OpenSSL 1.0.2n 7 Dec 2017
下载必要软件包
(下面的 OpenSSH 包通过 http 下载,解压编译前应先核对官方发布的签名或校验和,确认源码包未被篡改)
cd /usr/local/src/
wget http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.8p1.tar.gz
wget https://www.openssl.org/source/openssl-3.2.2.tar.gz
wget https://www.zlib.net/fossils/zlib-1.3.1.tar.gz
安装 zlib
创建目录
mkdir -p /usr/local/zlib
cd /usr/local/src/
解压文件
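tar -zxvf zlib-1.3.1.tar.gz
# the archive extracts to zlib-1.3.1 (not zlib-1.3); the configure prompt
# further down confirms the directory name
cd zlib-1.3.1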
安装前置依赖
对于联网机器,仅下载所需依赖包:
sudo apt-get install --download-only gcc g++ make libc6-dev -y
此命令仅下载 gcc、g++、make 和 libc6-dev 及其依赖的 .deb 包,适用于离线部署。下载目录为 /var/cache/apt/archives/
root@ubuntu-virtual-machine:/opt/gcc-offline# ls
g++_4%3a7.4.0-1ubuntu2.3_amd64.deb libatomic1_8.4.0-1ubuntu1~18.04_amd64.deb libcilkrts5_7.5.0-3ubuntu1~18.04_amd64.deb libquadmath0_8.4.0-1ubuntu1~18.04_amd64.deb make_4.1-9.1ubuntu1_amd64.deb
g++-7_7.5.0-3ubuntu1~18.04_amd64.deb libc6_2.27-3ubuntu1.6_amd64.deb libgcc-7-dev_7.5.0-3ubuntu1~18.04_amd64.deb libstdc++-7-dev_7.5.0-3ubuntu1~18.04_amd64.deb manpages-dev_4.15-1_all.deb
gcc_4%3a7.4.0-1ubuntu2.3_amd64.deb libc6-dbg_2.27-3ubuntu1.6_amd64.deb libitm1_8.4.0-1ubuntu1~18.04_amd64.deb libtsan0_8.4.0-1ubuntu1~18.04_amd64.deb
gcc-7_7.5.0-3ubuntu1~18.04_amd64.deb libc6-dev_2.27-3ubuntu1.6_amd64.deb liblsan0_8.4.0-1ubuntu1~18.04_amd64.deb libubsan0_7.5.0-3ubuntu1~18.04_amd64.deb
libasan4_7.5.0-3ubuntu1~18.04_amd64.deb libc-dev-bin_2.27-3ubuntu1.6_amd64.deb libmpx2_8.4.0-1ubuntu1~18.04_amd64.deb linux-libc-dev_4.15.0-213.224_amd64.deb
离线安装依赖
tar -xzvf gcc-offline.tar.gz
cd gcc-offline
sudo dpkg -i *.deb
编译安装 zlib
./configure --prefix=/usr/local/zlib
root@ubuntu-virtual-machine:/opt/zlib-1.3.1# ./configure --prefix=/usr/local/zlib
Checking for gcc...
Checking for shared library support...
Building shared library libz.so.1.3.1 with gcc.
Checking for size_t... Yes.
Checking for off64_t... Yes.
Checking for fseeko... Yes.
Checking for strerror... Yes.
Checking for unistd.h... Yes.
Checking for stdarg.h... Yes.
Checking whether to use vs[n]printf() or s[n]printf()... using vs[n]printf().
Checking for vsnprintf() in stdio.h... Yes.
Checking for return value of vsnprintf()... Yes.
Checking for attribute(visibility) support... Yes.
make && make install
root@ubuntu-virtual-machine:/opt/zlib-1.3.1# make && make install
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -I. -c -o example.o test/example.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o adler32.o adler32.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o crc32.o crc32.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o deflate.o deflate.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o infback.o infback.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o inffast.o inffast.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o inflate.o inflate.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o inftrees.o inftrees.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o trees.o trees.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o zutil.o zutil.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o compress.o compress.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o uncompr.o uncompr.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o gzclose.o gzclose.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o gzlib.o gzlib.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o gzread.o gzread.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -c -o gzwrite.o gzwrite.c
ar rc libz.a adler32.o crc32.o deflate.o infback.o inffast.o inflate.o inftrees.o trees.o zutil.o compress.o uncompr.o gzclose.o gzlib.o gzread.o gzwrite.o
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -o example example.o -L. libz.a
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -I. -c -o minigzip.o test/minigzip.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -o minigzip minigzip.o -L. libz.a
gcc -O3 -fPIC -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -DPIC -c -o objs/adler32.o adler32.c
gcc -O3 -fPIC -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -DPIC -c -o objs/crc32.o crc32.c
gcc -O3 -fPIC -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -DPIC -c -o objs/deflate.o deflate.c
gcc -O3 -fPIC -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -DPIC -c -o objs/infback.o infback.c
gcc -O3 -fPIC -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -DPIC -c -o objs/inffast.o inffast.c
gcc -O3 -fPIC -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -DPIC -c -o objs/inflate.o inflate.c
gcc -O3 -fPIC -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -DPIC -c -o objs/inftrees.o inftrees.c
gcc -O3 -fPIC -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -DPIC -c -o objs/trees.o trees.c
gcc -O3 -fPIC -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -DPIC -c -o objs/zutil.o zutil.c
gcc -O3 -fPIC -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -DPIC -c -o objs/compress.o compress.c
gcc -O3 -fPIC -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -DPIC -c -o objs/uncompr.o uncompr.c
gcc -O3 -fPIC -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -DPIC -c -o objs/gzclose.o gzclose.c
gcc -O3 -fPIC -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -DPIC -c -o objs/gzlib.o gzlib.c
gcc -O3 -fPIC -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -DPIC -c -o objs/gzread.o gzread.c
gcc -O3 -fPIC -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -DPIC -c -o objs/gzwrite.o gzwrite.c
gcc -shared -Wl,-soname,libz.so.1,--version-script,zlib.map -O3 -fPIC -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -o libz.so.1.3.1 adler32.lo crc32.lo deflate.lo infback.lo inffast.lo inflate.lo inftrees.lo trees.lo zutil.lo compress.lo uncompr.lo gzclose.lo gzlib.lo gzread.lo gzwrite.lo -lc
rm -f libz.so libz.so.1
ln -s libz.so.1.3.1 libz.so
ln -s libz.so.1.3.1 libz.so.1
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -o examplesh example.o -L. libz.so.1.3.1
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -o minigzipsh minigzip.o -L. libz.so.1.3.1
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -I. -D_FILE_OFFSET_BITS=64 -c -o example64.o test/example.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -o example64 example64.o -L. libz.a
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -I. -D_FILE_OFFSET_BITS=64 -c -o minigzip64.o test/minigzip.c
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -o minigzip64 minigzip64.o -L. libz.a
rm -f /usr/local/zlib/lib/libz.a
cp libz.a /usr/local/zlib/lib
chmod 644 /usr/local/zlib/lib/libz.a
cp libz.so.1.3.1 /usr/local/zlib/lib
chmod 755 /usr/local/zlib/lib/libz.so.1.3.1
rm -f /usr/local/zlib/share/man/man3/zlib.3
cp zlib.3 /usr/local/zlib/share/man/man3
chmod 644 /usr/local/zlib/share/man/man3/zlib.3
rm -f /usr/local/zlib/lib/pkgconfig/zlib.pc
cp zlib.pc /usr/local/zlib/lib/pkgconfig
chmod 644 /usr/local/zlib/lib/pkgconfig/zlib.pc
rm -f /usr/local/zlib/include/zlib.h /usr/local/zlib/include/zconf.h
cp zlib.h zconf.h /usr/local/zlib/include
chmod 644 /usr/local/zlib/include/zlib.h /usr/local/zlib/include/zconf.h
安装 OpenSSL
检查当前版本
openssl version
# 输出:OpenSSL 1.1.1 11 Sep 2018
创建安装目录
mkdir -p /usr/local/ssl
下载并解压 OpenSSL
cd /usr/local/src
tar zxvf openssl-3.2.2.tar.gz
cd openssl-3.2.2
配置与安装
./config --prefix=/usr/local/ssl --shared
make && make install
# 安装过程约需 30 分钟
验证安装
openssl version
# 发现版本未更新
解决动态库依赖问题
/usr/local/ssl/bin/openssl version
# 报错:./openssl: error while loading shared libraries: libssl.so.3: cannot open shared object file: No such file or directory
# 解决方法:
echo '/usr/local/ssl/lib64' >> /etc/ld.so.conf
ldconfig
# 再次验证
/usr/local/ssl/bin/openssl version
# 输出:OpenSSL 3.2.2 4 Jun 2024 (Library: OpenSSL 3.2.2 4 Jun 2024)
永久更新环境变量
- 确认安装
ls /usr/local/ssl/bin/ # 确认存在新的 openssl 可执行文件
- 更新环境变量
编辑 .bashrc 或 .bash_profile 文件:nano ~/.bashrc
在文件末尾添加:
export PATH=/usr/local/ssl/bin:$PATH export LD_LIBRARY_PATH=/usr/local/ssl/lib:$LD_LIBRARY_PATH
保存并应用更改:
source ~/.bashrc
- 更新共享库缓存
sudo ldconfig
- 验证 OpenSSL 版本
openssl version # 输出:OpenSSL 3.2.2 4 Jun 2024 (Library: OpenSSL 3.2.2 4 Jun 2024)
安装OpenSSL常见错误
执行 ./config --prefix=/usr/local/ssl --shared 时,报错 Setting locale failed。
root@dwork:/usr/local/src/openssl-3.2.2# ./config --prefix=/usr/local/ssl --shared
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LANGUAGE = "”en_US:en”",
LC_ALL = (unset),
LANG = "”en_US.UTF-8″"
are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
Configuring OpenSSL version 3.2.2 for target linux-x86_64
Using os-specific seed configuration
Created configdata.pm
Running configdata.pm
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LANGUAGE = "”en_US:en”",
LC_ALL = (unset),
LANG = "”en_US.UTF-8″"
are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
Created Makefile.in
Created Makefile
Created include/openssl/configuration.h
**********************************************************************
*** ***
*** OpenSSL has been successfully configured ***
*** ***
*** If you encounter a problem while building, please open an ***
*** issue on GitHub <https://github.com/openssl/openssl/issues> ***
*** and include the output from the following command: ***
*** ***
*** perl configdata.pm --dump ***
*** ***
*** (If you are new to OpenSSL, you might want to consult the ***
*** 'Troubleshooting' section in the INSTALL.md file first) ***
*** ***
**********************************************************************
解决方案
上面警告中 LANGUAGE 和 LANG 的值两侧出现了弯引号(”),说明此前写入 ~/.bashrc 的是排版引号而不是 ASCII 引号,perl 因此无法识别该 locale;按下面的写法用 ASCII 引号重新设置即可:
# 使用编辑器打开配置文件
sudo nano ~/.bashrc
# 添加以下内容
LANGUAGE="en_US:en"
LANG="en_US.UTF-8"
# 使配置立即生效
source ~/.bashrc
# 1. 安装 locales 工具包(如未安装)
sudo apt-get update && sudo apt-get install -y locales
# 2. 生成 en_US.UTF-8 语言环境
sudo locale-gen en_US.UTF-8
# 3. 验证语言环境是否生成成功
locale -a | grep en_US.UTF-8
离线安装 Telnet 服务端指南(用作升级 OpenSSH 期间的临时备用登录通道)
1. 在联网机器上下载安装包
sudo apt-get install --download-only telnetd xinetd -y
2. 安装 xinetd和telnetd
dpkg -i xinetd_1%3a2.3.15.3-1_amd64.deb
dpkg -i telnetd_0.17-41_amd64.deb
3. 检查 xinetd 服务状态
systemctl status xinetd
输出示例:
● xinetd.service - LSB: Starts or stops the xinetd daemon.
Loaded: loaded (/etc/init.d/xinetd; generated)
Active: active (running) since Wed 2025-05-07 15:52:38 CST; 4 days ago
Docs: man:systemd-sysv-generator(8)
Process: 27492 ExecStop=/etc/init.d/xinetd stop (code=exited, status=0/SUCCESS)
Process: 27499 ExecStart=/etc/init.d/xinetd start (code=exited, status=0/SUCCESS)
Tasks: 3 (limit: 4915)
CGroup: /system.slice/xinetd.service
├─20505 in.telnetd: 10.252.248.10
├─27527 /usr/sbin/xinetd -pidfile /run/xinetd.pid -stayalive -inetd_compat -inetd_ipv6
└─27680 in.telnetd: 10.252.248.20
4. 配置 Telnet 服务
sudo nano /etc/xinetd.d/telnet
配置文件内容:
service telnet
{
disable = no
socket_type = stream
protocol = tcp
wait = no
user = root
server = /usr/sbin/in.telnetd
port = 23
log_on_failure += USERID
}
5. 重启服务并验证
sudo systemctl restart xinetd
sudo systemctl status xinetd
lsof -i :23
6. 修改默认端口(可选)
若要修改 Telnet 服务端口(例如改为 123):
- 编辑 /etc/services 文件:
telnet 123/tcp # 自定义 Telnet 服务端口
- 编辑 /etc/xinetd.d/telnet 文件:
service telnet
{
disable = no
socket_type = stream
protocol = tcp
wait = no
user = root
server = /usr/sbin/in.telnetd
port = 123
log_on_failure += USERID
}
- 重启服务并测试:
sudo systemctl restart xinetd
telnet <服务器IP> 123
备份并卸载老版本OpenSSH
1. 备份SSH配置文件
cp -r /etc/ssh /etc/ssh.old
2. 备份SSH相关可执行文件
cp -p /usr/sbin/sshd /usr/sbin/sshd.bak
cp -p /usr/bin/ssh /usr/bin/ssh.bak
cp -p /usr/bin/ssh-keygen /usr/bin/ssh-keygen.bak
3. 停止SSH服务
systemctl status sshd
systemctl stop sshd
注意:卸载期间请保持当前远程会话不要断开,否则可能无法再次登录;前面安装的 Telnet 可作为备用通道,但 Telnet 以明文传输口令,升级完成并验证 SSH 可正常登录后,应将 /etc/xinetd.d/telnet 中的 disable 改回 yes 并重启 xinetd。
4. 查询并卸载现有OpenSSH包
dpkg -l | grep openssh
输出示例:
ii openssh-client 1:7.6p1-4ubuntu0.7 amd64 secure shell (SSH) client, for secure access to remote machines
ii openssh-server 1:7.6p1-4ubuntu0.7 amd64 secure shell (SSH) server, for secure access from remote machines
ii openssh-sftp-server 1:7.6p1-4ubuntu0.7 amd64 secure shell (SSH) sftp server module, for SFTP access from remote machines
5. 执行卸载
apt purge openssh-server openssh-client openssh-sftp-server
卸载报错,提示缺少依赖包。
下载并安装缺失包:sudo apt-get install --download-only curl libcurl4 -y
6. 验证卸载结果
dpkg -l | grep openssh
升级 OpenSSH
首先,创建 OpenSSH 的安装目录:
mkdir -p /usr/local/openssh
进入 /usr/local/src 目录并下载 OpenSSH 源码包:
cd /usr/local/src
wget http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.8p1.tar.gz
解压下载的源码包:
tar zxvf openssh-9.8p1.tar.gz
进入解压后的目录:
cd openssh-9.8p1
配置编译选项,指定安装路径、zlib 和 SSL 的路径:
./configure --prefix=/usr/local/openssh --with-zlib=/usr/local/zlib --with-ssl-dir=/usr/local/ssl
成功配置后,输出如下:
root@ubuntu-virtual-machine:/opt/openssh-9.8p1# ./configure --prefix=/usr/local/openssh --with-zlib=/usr/local/zlib --with-ssl-dir=/usr/local/ssl
checking for cc... cc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether the compiler supports GNU C... yes
checking whether cc accepts -g... yes
checking for cc option to enable C11 features... none needed
checking if cc supports C99-style variadic macros... yes
checking build system type... x86_64-pc-linux-gnu
checking host system type... x86_64-pc-linux-gnu
checking for stdio.h... yes
checking for stdlib.h... yes
checking for string.h... yes
……
checking for dropbearconvert... no
configure: creating ./config.status
config.status: creating Makefile
config.status: creating buildpkg.sh
config.status: creating opensshd.init
config.status: creating openssh.xml
config.status: creating openbsd-compat/Makefile
config.status: creating openbsd-compat/regress/Makefile
config.status: creating survey.sh
config.status: creating config.h
OpenSSH has been configured with the following options:
User binaries: /usr/local/openssh/bin
System binaries: /usr/local/openssh/sbin
Configuration files: /usr/local/openssh/etc
Askpass program: /usr/local/openssh/libexec/ssh-askpass
Manual pages: /usr/local/openssh/share/man/manX
PID file: /var/run
Privilege separation chroot path: /var/empty
sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/openssh/bin
Manpage format: doc
PAM support: no
OSF SIA support: no
KerberosV support: no
SELinux support: no
libedit support: no
libldns support: no
Solaris process contract support: no
Solaris project support: no
Solaris privilege support: no
IP address in $DISPLAY hack: no
Translate v4 in v6 hack: yes
BSD Auth support: no
Random number source: OpenSSL internal ONLY
Privsep sandbox style: seccomp_filter
PKCS#11 support: yes
U2F/FIDO support: yes
Host: x86_64-pc-linux-gnu
Compiler: cc
Compiler flags: -g -O2 -pipe -Wno-error=format-truncation -Wall -Wextra -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-parameter -Wno-unused-result -Wimplicit-fallthrough -Wmisleading-indentation -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE
Preprocessor flags: -I/usr/local/ssl/include -I/usr/local/zlib/include -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -D_GNU_SOURCE -DOPENSSL_API_COMPAT=0x10100000L
Linker flags: -L/usr/local/ssl/lib64 -L/usr/local/zlib/lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -pie
Libraries: -ldl -lutil -lresolv
+for channels: -lcrypto -lz
+for sshd: -lcrypt
root@ubuntu-virtual-machine:/opt/openssh-9.8p1# systemctl status sshd
Unit sshd.service could not be found.
执行 make && make install 命令后,系统输出如下安装信息:
/usr/bin/install -c -m 644 sshd.8.out /usr/local/openssh/share/man/man8/sshd.8
/usr/bin/install -c -m 644 sftp.1.out /usr/local/openssh/share/man/man1/sftp.1
/usr/bin/install -c -m 644 sftp-server.8.out /usr/local/openssh/share/man/man8/sftp-server.8
/usr/bin/install -c -m 644 ssh-keysign.8.out /usr/local/openssh/share/man/man8/ssh-keysign.8
/usr/bin/install -c -m 644 ssh-pkcs11-helper.8.out /usr/local/openssh/share/man/man8/ssh-pkcs11-helper.8
/usr/bin/install -c -m 644 ssh-sk-helper.8.out /usr/local/openssh/share/man/man8/ssh-sk-helper.8
/bin/mkdir -p /usr/local/openssh/etc
ssh-keygen: generating new host keys: RSA ECDSA ED25519
/usr/local/openssh/sbin/sshd -t -f /usr/local/openssh/etc/sshd_config
Privilege separation user sshd does not exist
Makefile:396: recipe for target 'check-config' failed
make: [check-config] Error 255 (ignored)
由于 SSH 默认禁止 root 用户登录,此处我们保持默认配置不变。
接下来,将编译安装生成的新配置文件复制到系统默认路径:
mkdir -p /etc/ssh/
cp /usr/local/openssh/etc/sshd_config /etc/ssh/sshd_config
cp /usr/local/openssh/sbin/sshd /usr/sbin/sshd
cp /usr/local/openssh/bin/ssh /usr/bin/ssh
cp /usr/local/openssh/bin/ssh-keygen /usr/bin/ssh-keygen
cp /usr/local/openssh/etc/ssh_host_ecdsa_key.pub /etc/ssh/ssh_host_ecdsa_key.pub
通过以下命令验证 SSH 版本升级是否成功:
ssh -V
OpenSSH_9.8p1, OpenSSL 3.2.2 4 Jun 2024
源码安装时自启动配置
启动配置文件
路径:/lib/systemd/system/ssh.service
[Unit]
Description=OpenBSD Secure Shell server
After=network.target auditd.service
ConditionPathExists=!/etc/ssh/sshd_not_to_be_run
[Service]
EnvironmentFile=-/etc/default/ssh
ExecStartPre=/usr/sbin/sshd -t
ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
ExecReload=/usr/sbin/sshd -t
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartPreventExitStatus=255
Type=notify
RuntimeDirectory=sshd
RuntimeDirectoryMode=0755
[Install]
WantedBy=multi-user.target
Alias=sshd.service
创建符号链接
sudo ln -s /lib/systemd/system/ssh.service /etc/systemd/system/sshd.service
创建系统用户
sudo useradd -r -u 122 -g 65534 -d /run/sshd -s /usr/sbin/nologin sshd
重新加载 systemd 配置
sudo systemctl daemon-reload
sudo systemctl status ssh
sudo systemctl enable ssh
sudo journalctl -xe | grep sshd
更新 SSH 访问端口
修改配置文件
路径:/usr/local/openssh/etc/sshd_config
Port 5000
#PermitRootLogin yes
同步配置文件
cp /usr/local/openssh/etc/sshd_config /etc/ssh/sshd_config
sudo systemctl daemon-reload
sudo systemctl restart ssh
验证连接
ssh -P 5000 IP
配置文件示例
root@dwork:/etc/ssh# cat /etc/ssh.old/sshd_config
#$OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
Port 5000
#PermitRootLogin yes
……
至此,OpenSSH 升级顺利完成。如有任何建议,欢迎指教。