OpenSSH download link: https://mirrors.aliyun.com/pub/OpenBSD/OpenSSH/portable/openssh-9.7p1.tar.gz
1. Back up the existing sshd file under pam.d
mv /etc/pam.d/sshd /etc/pam.d/sshd-bak && ls -l /etc/pam.d/sshd* && cp -r /etc/ssh /etc/ssh-bak
If the sshd file turns out to be missing from that path when you back it up, copy one over from another server, or run vi /etc/pam.d/sshd and enter the following content
cat <<EOF> /etc/pam.d/sshd
#%PAM-1.0
auth substack password-auth
auth include postlogin
account required pam_sepermit.so
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session optional pam_motd.so
session include password-auth
session include postlogin
EOF
2. Install the dependencies
Linux7.x
yum -y install wget gcc zlib-devel openssl-devel pam-devel libselinux-devel tar net-tools telnet \
telnet-server xinetd make cmake
Linux8.x
dnf -y install wget gcc zlib-devel openssl-devel pam-devel libselinux-devel tar net-tools telnet \
telnet-server xinetd make cmake
Linux9.x
dnf -y install wget gcc zlib-devel openssl-devel pam-devel libselinux-devel tar net-tools telnet \
telnet-server make cmake
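3. Enable telnet at boot, so that the server can still be reached if the connection drops while the old ssh is being uninstalled
On Linux 9.x, an xinetd package from Linux 7.0 or Linux 8.x has to be downloaded and installed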
wget https://dl.rockylinux.org/pub/rocky/8/AppStream/x86_64/os/Packages/x/xinetd-2.3.15-25.el8.x86_64.rpm && \
dnf -y localinstall xinetd-2.3.15-25.el8.x86_64.rpm
Edit the xinetd configuration file
touch /etc/xinetd.d/telnet && \
cat <<EOF> /etc/xinetd.d/telnet
service telnet
{
flags = REUSE
socket_type = stream
wait = no
user = root
server = /usr/sbin/in.telnetd
log_on_failure += USERID
disable = no
}
EOF
Enable the telnet service at boot and start it
systemctl daemon-reload && systemctl enable xinetd && systemctl start xinetd
4. Uninstall the original openssh
rpm -e --nodeps `rpm -qa | grep openssh`
5. Fix the "permissions too open" warning raised during the build
chmod 600 /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_ecdsa_key /etc/ssh/ssh_host_ed25519_key
6. Download and extract the latest openssh
cd /tmp && wget https://mirrors.aliyun.com/pub/OpenBSD/OpenSSH/portable/openssh-9.7p1.tar.gz && \
tar xf openssh-9.7p1.tar.gz && \
cd openssh-9.7p1 && \
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam \
--with-tcp-wrappers --with-ssl-dir=/usr/local/ssl --with-zlib=/usr/local/zlib \
--without-hardening && make && make install
7. Copy the configuration files and allow remote login for the root user
On Linux7.x or Linux8.x, add the following
# Add the following on Linux7.x or Linux8.x
cd /tmp/openssh-9.7p1 && \
cp -a contrib/redhat/sshd.init /etc/init.d/sshd && \
cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd.pam && \
chown -R root:root /etc/init.d/sshd && \
chmod u+x /etc/init.d/sshd
On Linux9.x, add the following
# The quoted 'EOF' stops the shell from expanding $OPTIONS and $MAINPID while writing the file
cat <<'EOF' >/usr/lib/systemd/system/sshd.service
[Unit]
Description=OpenSSH server daemon
After=network.target
[Service]
# sshd -D stays in the foreground, so the service type is simple, not forking
Type=simple
EnvironmentFile=-/etc/sysconfig/sshd
ExecStart=/usr/sbin/sshd -D $OPTIONS
ExecStop=/bin/kill -s QUIT $MAINPID
ExecReload=/usr/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartSec=42s
[Install]
WantedBy=multi-user.target
EOF
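8. Edit the configuration file /etc/ssh/sshd_config
#1. In the #PermitRootLogin prohibit-password entry, remove the comment # and change prohibit-password to yes, so that it reads PermitRootLogin yes
#2. Remove the comment from #PasswordAuthentication yes, so that it reads PasswordAuthentication yes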
sed -i "s/#PermitRootLogin prohibit-password/PermitRootLogin yes/g" /etc/ssh/sshd_config && \
sed -i "s/#PasswordAuthentication yes/PasswordAuthentication yes/g" /etc/ssh/sshd_config
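The sed commands in step 8 change the file only where the commented default lines appear exactly as written, and sshd uses the first value it finds for each keyword, so an earlier uncommented line still wins. The following added example (not part of the original article; the function names sshd_effective and check_step8 are hypothetical) reads back what the global section of the file actually sets:

```shell
#!/bin/sh
# Added example, not from the original article. Helper names are hypothetical.
# sshd_effective FILE KEYWORD DEFAULT
#   Print the value sshd uses for KEYWORD in the global section of FILE:
#   keywords are case-insensitive, the first occurrence wins, and DEFAULT
#   applies when the keyword is absent. Parsing stops at the first Match
#   block; Include files are not followed (`sshd -T` resolves those).
sshd_effective() {
    found=$(awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*(#|$)/ { next }              # comment or blank line
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = match(line, /[ \t=]+/)       # keyword/value separator
            if (n == 0) next
            key = tolower(substr(line, 1, n - 1))
            val = substr(line, n + RLENGTH)
            sub(/[ \t]+$/, "", val)
            if (key == "match") exit         # end of the global section
            if (key == want) { print val; exit }
        }' "$1")
    printf '%s\n' "${found:-$3}"
}

# check_step8 FILE
#   Return 0 only if both settings from step 8 are really in effect.
#   Each entry is "keyword intended built-in-default" (defaults per
#   sshd_config(5)).
check_step8() {
    rc=0
    for entry in "PermitRootLogin yes prohibit-password" \
                 "PasswordAuthentication yes yes"; do
        set -- "$1" $entry                   # $2=keyword $3=intended $4=default
        actual=$(sshd_effective "$1" "$2" "$4")
        echo "$2 = $actual"
        [ "$actual" = "$3" ] || rc=1
    done
    return $rc
}

# Usage: sh check_step8.sh /etc/ssh/sshd_config
if [ -n "${1:-}" ]; then check_step8 "$1"; fi
```

Once sshd is installed, `sshd -T` prints the fully resolved configuration, including Include files and Match blocks, and is the authoritative check.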
9. Add the ssh service to the boot startup items
Linux7.x or Linux8.x
chkconfig --add sshd && chkconfig sshd on
Linux9.x
systemctl daemon-reload && systemctl enable sshd && systemctl restart sshd
10. Verify the result
ssh -V
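If sshd turns out not to start after the restart, as shown in the figure below
Solution:
This happens because SELinux is enabled; disable SELinux and restart
# Disable temporarily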
setenforce 0
# To disable it permanently, edit /etc/selinux/config and change SELINUX=enforcing or SELINUX=permissive to the following
SELINUX=disabled
systemctl restart sshd
On Linux 9.x, be sure to disable SELinux; otherwise, after you enter the username, you will keep being told that the password is wrong
11. Reboot the server
reboot
12. Uninstall telnet
dnf -y remove telnet telnet-server xinetd