Redhat 6 升级 openssl-1.0.2m 、openssh-7.6p1 和 ntp-4.2.8p10
2017-03-30 00:00
本文涉及的 rpm 包下载地址:http://mirrors.163.com/centos/6/os/x86_64/Packages
安装之前配置环境变量 /etc/profile 增加以下几行
将文件/etc/xinetd.d/telnet内容“disable=yes”值改为“no”
将文件/etc/selinux/config内容“SELINUX=enforcing”值改为“disabled”
将以下内容全部复制到/etc/ssh/sshd_config
将以下内容全部复制到/etc/pam.d/sshd
/etc/ntp.conf
安装之前配置环境变量 /etc/profile 增加以下几行
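# Lines to append to /etc/profile before building: make the hand-built
# OpenSSL headers and libraries under /usr/local visible to the compiler
# (C_INCLUDE_PATH) and to the dynamic loader (LD_LIBRARY_PATH).
#
# Why the ${VAR:+:$VAR} form: the original "/usr/local/lib:$LD_LIBRARY_PATH"
# leaves a trailing ":" whenever the variable was unset, and an empty entry
# in LD_LIBRARY_PATH (or C_INCLUDE_PATH) is read as the current working
# directory — every program started from such a shell would then load
# libraries from whatever directory it happens to run in.  The separator is
# only added when there is an existing value to append.
export C_INCLUDE_PATH="/usr/local/include${C_INCLUDE_PATH:+:$C_INCLUDE_PATH}"
export LD_LIBRARY_PATH="/usr/local/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"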
1.安装Telnet服务
# Keep a second way in: if the new sshd does not come back during the
# upgrade, the Telnet service installed here is the only remaining login
# path (it is removed again in step 6 once ssh has been verified).

### Redhat6
# Build prerequisites.  When rolling the upgrade out to several machines,
# install these first or `make install` fails.  Dependency checking is
# switched off (--nodeps) for these three, as in the original.
el6_build_deps=(
  pam-devel-1.1.1-24.el6.x86_64.rpm
  gcc-4.4.7-18.el6.x86_64.rpm
  glibc-devel-2.12-1.209.el6.x86_64.rpm
)
for pkg in "${el6_build_deps[@]}"; do
  rpm -ivhU --nodeps "$pkg"
done

# Telnet service: the xinetd superserver plus telnet server and client.
el6_telnet=(
  xinetd-2.3.14-40.el6.x86_64.rpm
  telnet-server-0.17-48.el6.x86_64.rpm
  telnet-0.17-48.el6.x86_64.rpm
)
for pkg in "${el6_telnet[@]}"; do
  rpm -ivhU "$pkg"
done

### Redhat7
el7_build_deps=(
  pam-devel-1.1.8-18.el7.x86_64.rpm
  gcc-4.8.5-16.el7.x86_64.rpm
  glibc-devel-2.17-196.el7.x86_64.rpm
)
for pkg in "${el7_build_deps[@]}"; do
  rpm -ivhU --nodeps "$pkg"
done

el7_telnet=(
  xinetd-2.3.15-13.el7.x86_64.rpm
  telnet-server-0.17-64.el7.x86_64.rpm
  telnet-0.17-64.el7.x86_64.rpm
)
for pkg in "${el7_telnet[@]}"; do
  rpm -ivhU "$pkg"
done
将文件/etc/xinetd.d/telnet内容“disable=yes”值改为“no”
# Start the Telnet service.  xinetd is the superserver that spawns telnetd;
# a restart makes it re-read /etc/xinetd.d/telnet, where disable was just
# changed from yes to no.  Everything sent over Telnet, including the
# password, travels in clear text — this is a temporary fallback only.
service xinetd restart
2.卸载旧版本openssl和openssh
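# Remove the distro OpenSSL and OpenSSH packages so the hand-built ones can
# take their place.
#
# Record the package list before removing anything: --nodeps leaves the RPM
# database inconsistent (yum, curl, wget and others still declare a
# dependency on libssl.so.10) and this file is the only rollback record of
# what was taken off the machine.  Run this only after the Telnet fallback
# from step 1 has been confirmed to work.
pkg_list=/root/removed-ssl-ssh-packages.txt
rpm -qa | grep -E '^openss(l|h)' | tee -- "$pkg_list"
# Remove every package listed (the original had one `rpm -e --nodeps xxx`
# per package name, filled in by hand).
xargs -r rpm -e --nodeps < "$pkg_list"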
3.关闭SELinux
# Put SELinux into permissive mode for the running system (no reboot).
# NOTE(review): the page goes on to disable SELinux permanently in
# /etc/selinux/config.  The reason is not stated; presumably the hand-built
# sshd under /usr/sbin lacks the file context the policy expects — confirm,
# because `restorecon -v /usr/sbin/sshd` after step 5 would be the narrower
# fix than turning the whole policy off.
setenforce 0
将文件/etc/selinux/config内容“SELINUX=enforcing”值改为“disabled”
4.安装openssl-1.0.2m
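# Download https://www.openssl.org/source/openssl-1.0.2m.tar.gz first.
# Unpack openssl-1.0.2m.tar.gz
tar xvf openssl-1.0.2m.tar.gz
# The tarball unpacks into ./openssl-1.0.2m.  The original had
# `cd /openssl-1.0.2m` — a stray leading slash that points at the filesystem
# root, so the build would have run in the wrong directory.  Chain with &&
# so that a failed cd does not run configure/make somewhere else.
cd openssl-1.0.2m \
  && ./config shared \
  && make \
  && make install
# Register the new library directory with the dynamic loader.  Append only
# if it is not already there, so a re-run does not pile up duplicates.
grep -qxF '/usr/local/ssl/lib' /etc/ld.so.conf \
  || echo '/usr/local/ssl/lib' >> /etc/ld.so.conf
ldconfig -v
# Make the hand-built libraries stand in for the distro ones.  libssl.so.10
# and libcrypto.so.10 are the sonames the RHEL 6 packages removed in step 2
# provided; everything that was linked against them now loads these copies,
# and rpm/yum no longer own, verify or update the files.
cp /usr/local/ssl/lib/libssl.so.1.0.0 /usr/lib64
cp /usr/local/ssl/lib/libcrypto.so.1.0.0 /usr/lib64
chmod 555 /usr/lib64/libssl.so.1.0.0 /usr/lib64/libcrypto.so.1.0.0
# -sfn: replace a stale link on re-run instead of failing with "File exists",
# and never descend into an existing directory of the same name.
ln -sfn /usr/lib64/libcrypto.so.1.0.0 /usr/lib64/libcrypto.so.10
ln -sfn /usr/lib64/libssl.so.1.0.0 /usr/lib64/libssl.so.10
ln -sfn /usr/lib64/libcrypto.so.1.0.0 /usr/lib64/libcrypto.so
ln -sfn /usr/lib64/libssl.so.1.0.0 /usr/lib64/libssl.so
ln -sfn /usr/local/ssl/bin/openssl /usr/bin/openssl
ln -sfn /usr/local/ssl/include/openssl /usr/include/openssl
# Confirm the version now on PATH.
openssl version -a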
5.安装openssh-7.6p1
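# Download http://mirror.internode.on.net/pub/OpenBSD/OpenSSH/portable/openssh-7.6p1.tar.gz first.
# Unpack openssh-7.6p1.tar.gz
tar xvf openssh-7.6p1.tar.gz
# Build and install.  Chained with && so a failed cd does not run configure
# in the current directory (the original had `cd` as a separate command);
# on further machines only `make install` of the built tree is needed.
#
# Options:
#   --prefix=/usr --sysconfdir=/etc/ssh  binaries under /usr/{bin,sbin},
#                                        config stays in /etc/ssh
#   --with-ssl-dir=/usr/local/ssl        link against the OpenSSL built in step 4
#   --with-pam                           honoured by UsePAM yes in sshd_config
#   --without-hardening                  turns off the toolchain hardening
#       flags configure would otherwise enable (stack protector, PIE/RELRO
#       where supported).  Nothing on this page shows the build needing
#       it; try without it first and keep it only if the build fails.
cd openssh-7.6p1 \
  && ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords \
       --with-zlib --with-ssl-dir=/usr/local/ssl --without-hardening --with-pam \
  && make \
  && make install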
5.1编辑/etc/ssh/sshd_config
# Edit the server configuration; the full file to paste in follows.
# `make install` above leaves an existing /etc/ssh/sshd_config untouched,
# so the settings below replace whatever the old package left behind.
vi /etc/ssh/sshd_config
将以下内容全部复制到/etc/ssh/sshd_config
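# $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# Server-side protocol 1 was removed in OpenSSH 7.4, so for the 7.6p1
# build this line is a no-op; it is harmless and kept for older servers.
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Ciphers and keying
#RekeyLimit default none

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
# Root never logs in over ssh; administrators use their own account and su/sudo.
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Password logins stay enabled on this host; key-only logins would be the
# stricter choice once every administrator has a key deployed.
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server

# Key exchange.  The original list contained diffie-hellman-group1-sha1
# (twice): a 1024-bit MODP group that OpenSSH has disabled by default since
# 7.0 because it is too weak.  It is dropped here, and curve25519-sha256,
# the 7.6 default, is listed first.  If one legacy client really needs
# group1, re-enable it in a Match block for that client only.
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1

# NOTE(review): /etc/sshbanner is not created anywhere on this page —
# confirm the file exists before restarting sshd.
Banner /etc/sshbanner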
5.2编辑/etc/init.d/sshd
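# Install the Red Hat init script that ships in the OpenSSH source tree.
# Step 5 left the shell inside openssh-7.6p1 (its build step ran
# `cd openssh-7.6p1`), so the original `cd openssh-7.6p1/contrib/redhat`
# fails from there.  Accept either starting point.
src=openssh-7.6p1/contrib/redhat/sshd.init
[ -f "$src" ] || src=contrib/redhat/sshd.init   # already inside the source tree
cp -- "$src" /etc/init.d/sshd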
5.3编辑/etc/pam.d/sshd
# Edit the PAM stack for sshd (consulted because sshd_config sets UsePAM yes);
# the full file to paste in follows.
vi /etc/pam.d/sshd
将以下内容全部复制到/etc/pam.d/sshd
#%PAM-1.0
# /etc/pam.d/sshd for the hand-built sshd (UsePAM yes in sshd_config).
# The "include password-auth" lines delegate to the system-wide
# /etc/pam.d/password-auth stack, so local password policy still applies.
auth       required     pam_sepermit.so
auth       include      password-auth
# pam_nologin: refuse non-root logins while /etc/nologin exists.
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
# pam_loginuid: sets the audit login uid for the session.
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth
5.4服务配置
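# Make the init script executable and register it with chkconfig so sshd
# starts at boot.
chmod u+x /etc/init.d/sshd
chkconfig --add sshd
chkconfig sshd on
chkconfig --list sshd
# Validate the new configuration and host keys *before* restarting: if
# sshd_config is broken, sshd does not come back after the restart and the
# only way in is the Telnet fallback from step 1.  `sshd -t` exits non-zero
# on any configuration error, so the restart runs only when it passes.
/usr/sbin/sshd -t && service sshd restart
# Confirm the new version (prints both the OpenSSH and the OpenSSL version
# the client was built against).
ssh -V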
6.测试ssh服务是否正常
测试 ssh 服务正常后,将 Telnet 服务卸载:rpm -e telnet-server-0.17-48.el6.x86_64 xinetd-2.3.14-40.el6.x86_64
7.安装ntp服务
由于升级完 openssl 会导致 ntpd 服务无法启动(报错原因为:ntpd: OpenSSL version mismatch. Built against 10000003, you have 100020bf),所以需要重新编译 ntpd。
7.1 编译安装
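# Remove the distro ntp packages: they were linked against the old OpenSSL,
# which is what the "OpenSSL version mismatch" error at start-up reports.
# Replace xxx with the package names printed by rpm -qa.
rpm -qa | grep ntpdate
rpm -e xxx --nodeps
rpm -qa | grep ntp-
rpm -e xxx --nodeps

# libcap is required for --enable-linuxcaps below, which is what lets ntpd
# drop root (-u ntp:ntp in the init script) after binding port 123.
rpm -qa | grep libcap
rpm -ivh libcap-2.16-5.5.el6.x86_64.rpm
rpm -ivh libcap-devel-2.16-5.5.el6.x86_64.rpm
# The original then ran `find / -name libcap*` and symlinked
# /usr/local/ssl/lib/engines/libcapi.so to /lib64/libcap.so.  That file is
# an OpenSSL engine module (it lives under ssl/lib/engines), not libcap;
# linking it under the libcap name points the ntpd build at the wrong
# library.  The unversioned libcap.so the linker needs is provided by the
# libcap-devel package just installed, so the symlink is dropped and the
# installed files are listed instead.
find / -name 'libcap.so*' 2>/dev/null

# Download http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-4.2.8p10.tar.gz first.
tar xvf ntp-4.2.8p10.tar.gz
# Chained with && so a failed cd does not run configure in the wrong directory.
cd ntp-4.2.8p10 \
  && ./configure --prefix=/usr --enable-all-clocks --enable-parse-clocks \
       --enable-linuxcaps --disable-ipv6 --without-ntpsnmpd \
  && make \
  && make install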
7.2修改配置文件
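#!/bin/sh
# /etc/init.d/ntpd — SysV init script for the hand-built ntpd (open it with
# `vi /etc/init.d/ntpd` and paste this file in).  The two header comments
# below are what `chkconfig --add ntpd` reads; without them chkconfig rejects
# the service as "does not support chkconfig" and step 7.3 cannot enable it.
# chkconfig: - 58 74
# description: ntpd keeps the system clock in sync with the servers in /etc/ntp.conf

NTPD=/usr/bin/ntpd
PIDFILE=/var/run/ntpd.pid
# NOTE(review): assumes the "ntp" user and group survived the
# `rpm -e --nodeps` of the distro ntp package in step 7.1; ntpd -u fails
# at start-up otherwise — confirm with `id ntp`.
USER=ntp
GROUP=ntp
NTPD_OPTS="-g -u $USER:$GROUP -p $PIDFILE"

# Start ntpd unless a readable pid file says it is already running.
# Returns 0 when the daemon shows up in the process table one second later,
# 1 otherwise (a pid file left behind by the failed start is removed).
ntpd_start() {
  if [ -r "$PIDFILE" ]; then
    echo "ntpd seems to be already running under pid $(cat "$PIDFILE")."
    echo "Delete $PIDFILE if this is not the case."
    return 1
  fi
  printf '%s' "Starting NTP daemon... "
  # NTPD_OPTS is a space-separated option list and must word-split here.
  # shellcheck disable=SC2086
  $NTPD $NTPD_OPTS
  # You can't always rely on the ntpd exit code, see Bug #2420 — look for
  # the running process instead of checking $?.
  sleep 1
  if ps -Ao args | grep -q "^$NTPD $NTPD_OPTS"; then
    echo "OK!"
    return 0
  fi
  echo "FAILED!"
  [ -e "$PIDFILE" ] && rm -f -- "$PIDFILE"
  return 1
}

# Send SIGTERM to the pid recorded in the pid file and wait up to 15 s for
# the process to disappear.  Returns 0 when it is gone (pid file removed),
# 1 when there is no pid file or the process is still alive.
ntpd_stop() {
  if [ ! -r "$PIDFILE" ]; then
    echo "ntpd doesn't seem to be running, cannot read the pid file."
    return 1
  fi
  printf '%s' "Stopping NTP daemon..."
  PID=$(cat "$PIDFILE")
  if kill -TERM "$PID" 2> /dev/null; then
    # Give ntp 15 seconds to exit; kill -0 only tests whether the pid exists.
    i=0
    while [ "$i" -lt 15 ]; do
      if kill -0 "$PID" 2> /dev/null; then
        printf '%s' .
        sleep 1
      else
        echo " OK!"
        rm -f -- "$PIDFILE"
        return 0
      fi
      i=$((i + 1))
    done
  fi
  echo " FAILED! ntpd is still running"
  return 1
}

# Report whether a pid file exists (this only reflects the pid file, not
# whether the process is actually alive).
ntpd_status() {
  if [ -r "$PIDFILE" ]; then
    echo "NTP daemon is running as $(cat "$PIDFILE")"
  else
    echo "NTP daemon is not running"
  fi
}

case "$1" in
  start) ntpd_start ;;
  stop) ntpd_stop ;;
  # Stop, then start unconditionally.  The original `ntpd_stop && ntpd_start`
  # skipped the start whenever nothing was running, so step 7.3's
  # `service ntpd restart` right after installation started nothing.
  restart) ntpd_stop; ntpd_start ;;
  status) ntpd_status ;;
  *) echo "Usage: $0 (start|stop|restart|status)" >&2 ;;
esac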
/etc/ntp.conf
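# Access control: deny everything by default, then open only what is needed.
restrict default ignore
# Full access for the local host (ntpq/ntpdc run on this machine).
restrict 127.0.0.1
# Machines on the LAN may sync and query, but may not modify ntpd or send traps.
restrict 192.168.1.0 mask 255.255.255.0 notrap nomodify
# The upstream server's replies must be allowed explicitly: "restrict default
# ignore" drops them as well, and 192.168.26.11 is not inside 192.168.1.0/24,
# so without this line ntpd could never synchronise with it.
restrict 192.168.26.11 nomodify notrap noquery
# Upstream time server; prefer marks it as the preferred source.
server 192.168.26.11 prefer
# Undisciplined local clock as a last-resort source, parked at a low stratum.
server 127.127.1.0
fudge 127.127.1.0 stratum 10
# NOTE(review): /var/lib/ntp and /etc/ntp/keys were owned by the distro ntp
# package removed in step 7.1 — confirm the directory still exists and is
# writable by the ntp user, and that the keys file is present, before starting.
driftfile /var/lib/ntp/drift
keys /etc/ntp/keys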
7.3启动服务
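chmod 755 /etc/init.d/ntpd
# Register the hand-written script before enabling it: `chkconfig ntpd on`
# needs the service to be known, and chkconfig only accepts scripts that
# carry "# chkconfig:" and "# description:" header comments — the script
# pasted in step 7.2 has none, so add e.g. `# chkconfig: - 58 74` and
# `# description: ...` near its top first.
chkconfig --add ntpd
chkconfig ntpd on
service ntpd restart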