升级openssl
openssh 10.0p1 需要更高级版本的openssl 这里提供 OpenSSL-3.4.1 的相关rpm包
openssl-devel-3.4.1-1.el7.x86_64.rpm
openssl-3.4.1-1.el7.x86_64.rpm
openssl-libs-3.4.1-1.el7.x86_64.rpm
#安装OpenSSL
rpm -ivh --nodeps --force /opt/openssl-3.4.1*/openssl-{3,d}*.rpm #只装了openssl和openssl-devel,libs自己看着来,悠着点升级Openssh
openssh 10.0p1 rpm包
openssh-10.0p1-1.el7.x86_64.rpm
openssh-server-10.0p1-1.el7.x86_64.rpm
openssh-clients-10.0p1-1.el7.x86_64.rpm
升级前备份sshd 配置文件,升级过程中不要关闭SSH连接窗口,打开新的连接窗口确定升级成功之后才能断开!(有概率失败,请提前做系统快照等备份)
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak不推荐卸载再安装的方式,可能会导致sshd服务不能自动启动
yum -y localinstall openssh*.rpm
若失败可执行:rpm -ivh --force --nodeps --replacepkgs --replacefiles openssh-*.rpm恢复sshd配置文件
cp /etc/ssh/sshd_config.bak /etc/ssh/sshd_config#启用PAM
sed -i 's/#UsePAM.*/UsePAM yes/' /etc/ssh/sshd_config#修改 pam.d/sshd 配置
cat > /etc/pam.d/sshd << EOF
#%PAM-1.0
auth required pam_sepermit.so
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
session required pam_limits.so
session required pam_selinux.so close
session required pam_loginuid.so
session optional pam_keyinit.so force revoke
session include password-auth
EOF由于openssh版本较高,部分设备如果无法链接,请将以下代码加入sshd_config:
KexAlgorithms -diffie-hellman-group1-sha1,diffie-hellman-group1-sha256,diffie-hellman-group14-sha1,diffie-hellman-group14-sha256,diffie-hellman-group15-sha256,diffie-hellman-group15-sha512,diffie-hellman-group16-sha256,diffie-hellman-group16-sha512,diffie-hellman-group17-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha512#重启sshd服务
systemctl restart sshd安装完成后,您可以使用以下命令启检查 OpenSSH 服务是否开启自启动,如果没有加入开机启动项
systemctl is-enabled sshd
systemctl enable sshd