CentOS 7 升级 OpenSSH 8.4

最新推荐文章于 2025-05-18 18:57:32 发布

二流人物

最新推荐文章于 2025-05-18 18:57:32 发布

阅读量2.2k

点赞数

CC 4.0 BY-SA版权

分类专栏： System 文章标签： openssh ssh pam

本文链接：https://blog.youkuaiyun.com/wzfgd/article/details/114129627

本文档详细介绍了如何在 CentOS 7 系统中将 OpenSSH 从旧版本升级到 8.4，包括升级前的测试、备份、安装编译工具、依赖软件，以及升级过程和 PAM 保护的测试。在升级过程中，涉及了卸载自带 SSH 组件、安装 OpenSSH 8.4、配置 SSH 服务和恢复 PAM 配置，以确保 SSH 功能和 PAM 模块的正常运行。

摘要生成于 C知道，由 DeepSeek-R1 满血版支持，前往体验 >

环境说明

系统镜像：CentOS-7-x86_64-DVD-1804.iso

系统版本：

[ft@bogon /]$ cat /etc/redhat-release 
CentOS Linux release 7.9.2009 (Core)

内核版本：

[ft@bogon ~]$ uname -a
Linux bogon 3.10.0-1160.15.2.el7.x86_64 #1 SMP Wed Feb 3 15:06:38 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

OpenSSL：

[ft@bogon ~]$ openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017

OpenSSH：

[ft@bogon ~]$ ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
[ft@bogon ~]$ rpm -qa | grep openssh
openssh-clients-7.4p1-21.el7.x86_64
openssh-server-7.4p1-21.el7.x86_64
openssh-7.4p1-21.el7.x86_64

升级前准备

测试 SSH 远程连接

升级前首先确认当前版本 OpenSSH 是否可以正常使用：

C:\Users\Sunny>ssh ft@192.168.16.22
ft@192.168.16.22's password:
Last login: Wed Feb 24 22:19:47 2021 from 192.168.16.70
Last login: Wed Feb 24 22:19:47 2021 from 192.168.16.70
[ft@bogon ~]$ uname -a
Linux bogon 3.10.0-1160.15.2.el7.x86_64 #1 SMP Wed Feb 3 15:06:38 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
[ft@bogon ~]$ exit
logout
Connection to 192.168.16.22 closed.

测试结果：OpenSSH 功能正常

测试 PAM 保护

安装自定义的 PAM 模块，然后在 /etc/pam.d/sshd 配置文件添加自定义的 PAM 模块：

#%PAM-1.0
# 自定义 PMA 模块 pam_otp.so
auth       required     pam_otp.so
# ---------------------------------------------------------------
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare

SSH 连接测试：

C:\Users\Sunny>ssh ft@192.168.16.22
Password:
PassCode:
Last login: Wed Feb 24 22:22:19 2021 from 192.168.16.70
Last login: Wed Feb 24 22:22:19 2021 from 192.168.16.70
[ft@bogon ~]$ uname -a
Linux bogon 3.10.0-1160.15.2.el7.x86_64 #1 SMP Wed Feb 3 15:06:38 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
[ft@bogon ~]$ exit
logout
Connection to 192.168.16.22 closed.

测试结果：OpenSSH PAM 模块功能正常

备份文件

备份 /etc/pam.d/sshd 文件

[root@bogon ~]# mv /etc/pam.d/sshd /etc/pam.d/sshd-bak
[root@bogon ~]# ls -l /etc/pam.d/sshd*
-rw-r--r--. 1 root root 939 Feb 24 22:29 /etc/pam.d/sshd-bak

安装编译工具

需要安装 gcc、gcc-c++、make 工具（如果已经安装请忽略此步骤）：

# 安装 gcc
[root@bogon ~]# yum -y install gcc
...
...
...
[root@bogon ~]# gcc --version
gcc (GCC) 4.8.5 20150623 (Red Hat 4.8.5-44)
Copyright (C) 2015 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

# 安装 gcc