Upgrading OpenSSH to 8.4 on CentOS 7
Environment
- System image: CentOS-7-x86_64-DVD-1804.iso
- System version:
[ft@bogon /]$ cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)
- Kernel version:
[ft@bogon ~]$ uname -a
Linux bogon 3.10.0-1160.15.2.el7.x86_64 #1 SMP Wed Feb 3 15:06:38 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
- OpenSSL:
[ft@bogon ~]$ openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017
- OpenSSH:
[ft@bogon ~]$ ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
[ft@bogon ~]$ rpm -qa | grep openssh
openssh-clients-7.4p1-21.el7.x86_64
openssh-server-7.4p1-21.el7.x86_64
openssh-7.4p1-21.el7.x86_64
Pre-upgrade preparation
Test the SSH remote connection
Before upgrading, first confirm that the currently installed OpenSSH works normally:
C:\Users\Sunny>ssh ft@192.168.16.22
ft@192.168.16.22's password:
Last login: Wed Feb 24 22:19:47 2021 from 192.168.16.70
Last login: Wed Feb 24 22:19:47 2021 from 192.168.16.70
[ft@bogon ~]$ uname -a
Linux bogon 3.10.0-1160.15.2.el7.x86_64 #1 SMP Wed Feb 3 15:06:38 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
[ft@bogon ~]$ exit
logout
Connection to 192.168.16.22 closed.
Test result: OpenSSH works normally.
Test PAM protection
Install the custom PAM module, then add it to the /etc/pam.d/sshd configuration file:
#%PAM-1.0
# Custom PAM module pam_otp.so
auth required pam_otp.so
# ---------------------------------------------------------------
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare
SSH connection test:
C:\Users\Sunny>ssh ft@192.168.16.22
Password:
PassCode:
Last login: Wed Feb 24 22:22:19 2021 from 192.168.16.70
Last login: Wed Feb 24 22:22:19 2021 from 192.168.16.70
[ft@bogon ~]$ uname -a
Linux bogon 3.10.0-1160.15.2.el7.x86_64 #1 SMP Wed Feb 3 15:06:38 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
[ft@bogon ~]$ exit
logout
Connection to 192.168.16.22 closed.
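Test result: the OpenSSH PAM module works normally.
Back up files
Back up the /etc/pam.d/sshd file. Note that mv renames the file, so /etc/pam.d/sshd itself no longer exists after this step, as the ls output shows: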
[root@bogon ~]# mv /etc/pam.d/sshd /etc/pam.d/sshd-bak
[root@bogon ~]# ls -l /etc/pam.d/sshd*
-rw-r--r--. 1 root root 939 Feb 24 22:29 /etc/pam.d/sshd-bak
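The PAM check and backup described above, as an added shell example that is not part of the original article: it lists the active auth rules of a PAM file, confirms that pam_otp.so is the first one, and makes a verified copy instead of the mv used above, so the live file stays in place. The function names and the timestamped backup suffix are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): check and back up an sshd PAM file.
# Function names and the "-bak.<timestamp>" suffix are assumptions.

# List the module (or included service) of every active "auth" rule, in order.
# Handles the "-auth" prefix and bracketed controls like [success=1 default=ignore].
pam_auth_modules() {
    awk '$1 ~ /^-?auth$/ {
        i = 2
        if ($2 ~ /^\[/) while (i < NF && $i !~ /\]$/) i++
        print $(i + 1)
    }' "$1"
}

# Succeed only if MODULE ($2) is the first active auth rule in FILE ($1).
pam_module_is_first() {
    [ "$(pam_auth_modules "$1" | head -n 1)" = "$2" ]
}

# Copy FILE to FILE-bak.<timestamp>, keeping mode and owner, verify the copy
# byte for byte, and print the backup path. The live file is left in place.
backup_pam_file() {
    bpf_dst="$1-bak.$(date +%Y%m%d%H%M%S)"
    cp -p -- "$1" "$bpf_dst" || return 1
    cmp -s -- "$1" "$bpf_dst" || { rm -f -- "$bpf_dst"; return 1; }
    printf '%s\n' "$bpf_dst"
}

# Demo on a constructed sample file, so nothing under /etc is touched.
demo() {
    demo_dir=$(mktemp -d) || return 1
    cat > "$demo_dir/sshd" <<'EOF'
#%PAM-1.0
# Custom PAM module pam_otp.so
auth required pam_otp.so
auth required pam_sepermit.so
auth substack password-auth
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
EOF
    pam_module_is_first "$demo_dir/sshd" pam_otp.so && echo "pam_otp.so is first"
    backup_pam_file "$demo_dir/sshd"
    rm -rf -- "$demo_dir"
}
demo
```

Running the same two checks against the real /etc/pam.d/sshd after the upgrade shows whether the pam_otp.so rule is still at the top of the auth stack.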
Install build tools
The gcc, gcc-c++ and make tools are required (skip this step if they are already installed):
# Install gcc
[root@bogon ~]# yum -y install gcc
...
...
...
[root@bogon ~]# gcc --version
gcc (GCC) 4.8.5 20150623 (Red Hat 4.8.5-44)
Copyright (C) 2015 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
# Install gcc