1、查看openssh版本
    ssh -V
    openssl version
    cat /etc/redhat-release

    2、#安装telnet-server以及xinetd,作为升级过程中ssh意外中断时的备用登录方式(telnet为明文传输,仅在升级期间临时启用,升级完成后按第15步关闭)
    yum install xinetd telnet-server -y

    3、#配置telnet登录的终端类型:在/etc/securetty文件末尾增加以下pts终端后,root用户才能通过telnet登录,如下
    cat >> /etc/securetty << eof
    pts/0
    pts/1
    pts/2
    pts/3
    eof

    4、启动服务
    systemctl enable xinetd
    systemctl enable telnet.socket
    systemctl start telnet.socket
    systemctl start xinetd
    ss -lntp|grep 23

    5、#开放端口(建议只对管理网段放行23端口,升级完成后删除该规则)
    #iptables -L -nv
    #iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 23 -j ACCEPT
    #service iptables reload && iptables -L -nv
    #或
    centos 7用这个:
    #firewall-cmd --zone=public --add-port=23/tcp --permanent
    #firewall-cmd --reload
    #firewall-cmd --zone=public --query-port=23/tcp
    #下面是删除已开放端口的写法(示例为80端口)
    #firewall-cmd --zone=public --remove-port=80/tcp --permanent

    6、#升级需要几个组件,有些是和编译相关的等
    yum install -y gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel pam-devel
    yum install -y pam zlib
    #可以手动去官网下载(文中版本号仅为示例,以官网当前仍在维护的版本为准)
    mkdir /usr/soft/ -p && cd /usr/soft/
    wget https://mirror.leaseweb.com/pub/OpenBSD/OpenSSH/portable/openssh-8.8p1.tar.gz
    wget https://www.openssl.org/source/openssl-1.1.1m.tar.gz
    #解压编译前,先用 sha256sum 核对两个源码包的校验值(与官网公布的值比对),或验证官方发布的GPG签名
    tar xfz openssl-1.1.1m.tar.gz
    #备份下面2个文件或目录(如果存在的话就执行)
    mv /usr/bin/openssl /usr/bin/opensslbak
    mv /usr/include/openssl /usr/include/openssl_bak
    **通过源码安装**
    安装 gcc(上传gcc源码包)
    # sudo tar zxf gcc_rpm.tar.gz
    # cd gcc/
    # sudo rpm -ivh *.rpm --nodeps --force
    # cd
    安装zlib
    # sudo tar zxf zlib.tar.gz
    # cd zlib/
    # sudo ./configure
    # sudo make test
    # sudo make install
    # sudo make clean
    # sudo ./configure --shared
    # sudo make test
    # sudo make install
    # sudo cp zutil.h /usr/local/include/
    # sudo cp zutil.c /usr/local/include/
    # cd

    7、#编译安装新版本的openssl
    #配置、编译、安装3个命令一起执行
    cd /usr/soft/openssl-1.1.1m/
    ./config --prefix=/usr/local/openssl shared && make -j2 && make install
    echo $?

    8、#下面文件或者目录做软链接 (刚才前面的步骤mv备份过原来的)
    ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
    #目录软链接
    ln -s /usr/local/openssl/include/openssl /usr/include/openssl
    #注:第7步的安装前缀是/usr/local/openssl,库文件一般在该前缀的lib目录下;执行前先用 ls 确认下面的源路径存在,否则软链接会指向不存在的文件
    ln -s /usr/local/lib64/libssl.so.1.1 /usr/lib64/libssl.so.1.1
    ln -s /usr/local/lib64/libcrypto.so.1.1 /usr/lib64/libcrypto.so.1.1

    9、查看连接情况
    ll /usr/bin/openssl
    lrwxrwxrwx 1 root root 26 Aug 9 14:52 /usr/bin/openssl -> /usr/local/ssl/bin/openssl
    ll /usr/include/openssl -ld
    lrwxrwxrwx 1 root root 30 Aug 9 14:52 /usr/include/openssl -> /usr/local/ssl/include/openssl

    10、#命令行执行下面2个命令加载新配置
    echo "/usr/local/openssl/lib" >> /etc/ld.so.conf
    /sbin/ldconfig
    #查看确认版本。没问题
    [root@testssh ~]# openssl version
    OpenSSL 1.1.1m 14 Dec 2021

    11、cd /usr/soft/
    tar xfz openssh-8.8p1.tar.gz
    cd openssh-8.8p1
    chown -R root.root /usr/soft/openssh-8.8p1

    12、#命令行移走(备份)原先ssh的配置文件和目录、然后配置、编译、安装
    mv /etc/ssh/ /etc/sshbak/
    ./configure --prefix=/usr/ --sysconfdir=/etc/ssh --with-openssl-includes=/usr/local/openssl/include --with-ssl-dir=/usr/local/openssl --with-zlib --with-md5-passwords --with-pam && make -j2&& make install
    #注:/etc/ssh 被移走后,安装过程一般会重新生成主机密钥,客户端会看到主机密钥变更的告警;如需保持原主机身份,可从/etc/sshbak/中拷回原来的ssh_host_*密钥文件
    grep "^PermitRootLogin" /etc/ssh/sshd_config
    grep "UseDNS" /etc/ssh/sshd_config
    #注:PermitRootLogin yes 允许root直接用密码登录;确认密钥登录可用后,建议改为 prohibit-password 或 no
    echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
    echo "UseDNS no" >> /etc/ssh/sshd_config
    #mv /etc/init.d/sshd /etc/pam.d/sshd.pam /tmp/
    cp -a contrib/redhat/sshd.init /etc/init.d/sshd
    cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd.pam
    chmod +x /etc/init.d/sshd
    chkconfig --add sshd
    systemctl enable sshd

    13、#把原先由systemd管理的sshd.service文件移走(或者删除),不移走的话会影响我们重启sshd服务
    mv /usr/lib/systemd/system/sshd.service /root/
    chkconfig sshd on

    14、修改sshd配置
    vi /etc/ssh/sshd_config
    在结尾处添加(其中以-sha1结尾的几个算法是为兼容旧客户端保留的弱算法,没有旧客户端时应从列表中去掉):
    KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
    重启sshd服务(重启前先执行 sshd -t 检查配置,并保持当前会话和telnet备用连接不断开):
    /etc/init.d/sshd restart
    ss -lntp
    ssh -V

    15、#重启服务器
    #关闭telnet和端口23
    systemctl disable xinetd.service
    systemctl stop xinetd.service
    systemctl disable telnet.socket
    systemctl stop telnet.socket
    ss -lntp
    #同时删除第3步追加到/etc/securetty的pts行,并移除第5步放行23端口的防火墙规则
    或者使用(根据操作系统版本而定):
    #vi /etc/sysconfig/iptables
    #-A INPUT -p tcp -m state --state NEW -m tcp --dport 23 -j ACCEPT
    #service iptables reload && iptables -L -nv