diff --git a/content/post/openssh-upgrade.md b/content/post/openssh-upgrade.md
new file mode 100644
index 0000000..290698d
--- /dev/null
+++ b/content/post/openssh-upgrade.md
@@ -0,0 +1,165 @@
+---
+title: "OpenSSH 升级"
+date: 2024-07-02T19:00:00+08:00
+lastmod: 2024-07-02T19:00:00+08:00
+keywords: []
+tags: ["openssh", "ssh"]
+categories: ["os"]
+---
+
+## 源码包
+- [openssh 源码包](https://www.openssh.com/portable.html)
+- [openssl 源码包](https://www.openssl.org/source/)
+
+## 不带 openssl
+### 编译 openssh
+- 下载 openssh 源码包,解压
+ ```bash
+ curl -LO https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.8p1.tar.gz
+ tar zxf openssh-9.8p1.tar.gz
+ cd openssh-9.8p1/
+ # 版本信息在 version.h
+ ```
+
+- 编译安装 openssl
+ ```bash
+ mkdir /opt/openssh
+ ./configure --prefix=/opt/openssh --without-openssl
+ make
+ make install
+ ```
+
+- 编辑 /opt/openssh/etc/sshd_config,修改常用配置
+ ```
+ # 避免与系统自带的 sshd 端口冲突
+ Port 22222
+
+ # 允许 root 用户登录,允许私钥认证,允许密码认证
+ PermitRootLogin yes
+ PubkeyAuthentication yes
+ PasswordAuthentication yes
+
+ # 开启 ssh 转发
+ AllowTcpForwarding yes
+ GatewayPorts yes
+
+ # ssh 保活
+ TCPKeepAlive yes
+ ClientAliveInterval 60
+ ClientAliveCountMax 3
+
+ # 禁用 dns 解析
+ UseDNS no
+
+ # 避免与系统自带的 sshd pid 文件冲突
+ PidFile /var/run/openssh.pid
+ ```
+
+### 启动 openssh
+- 创建 /etc/systemd/system/openssh.service,内容如下
+ ```
+ [Unit]
+ Description=OpenSSH server daemon
+ After=network.target sshd-keygen.service
+ Wants=sshd-keygen.service
+
+ [Service]
+ Type=simple
+ ExecStart=/opt/openssh/sbin/sshd -D
+ KillMode=process
+ Restart=on-failure
+ RestartSec=42s
+
+ [Install]
+ WantedBy=multi-user.target
+ ```
+
+- 启动 openssh,并设置开机自动启动
+ ```bash
+ systemctl daemon-reload
+ systemctl start openssh
+ systemctl enable openssh
+ ```
+
+## 带 openssl
+### 编译 openssl
+- 下载 openssl 源码包,解压
+ ```bash
+ curl -LO https://www.openssl.org/source/old/1.1.1/openssl-1.1.1w.tar.gz
+ tar zxf openssl-1.1.1w.tar.gz
+ cd openssl-1.1.1w
+ ```
+
+- 编译安装 openssl
+ ```bash
+ mkdir /opt/openssl
+ ./configure --prefix=/opt/openssl
+ make
+ make install
+ ```
+
+### 编译 openssh
+- 下载 openssh 源码包,解压,同上
+- 编译安装 openssh
+ ```bash
+ mkdir /opt/openssh
+ export PATH=/opt/openssl/bin:$PATH
+ export LD_LIBRARY_PATH=/opt/openssl/lib
+ ./configure --prefix=/opt/openssh --with-ssl-dir=/opt/openssl
+ make
+ make install
+ ```
+
+- 编辑 /opt/openssh/etc/sshd_config,修改常用配置
+ ```
+ # 避免与系统自带的 sshd 端口冲突
+ Port 22222
+
+ # 允许 root 用户登录,允许私钥认证,允许密码认证
+ PermitRootLogin yes
+ PubkeyAuthentication yes
+ PasswordAuthentication yes
+
+ # 开启 ssh 转发
+ AllowTcpForwarding yes
+ GatewayPorts yes
+
+ # ssh 保活
+ TCPKeepAlive yes
+ ClientAliveInterval 60
+ ClientAliveCountMax 3
+
+ # 禁用 dns 解析
+ UseDNS no
+
+ # 避免与系统自带的 sshd pid 文件冲突
+ PidFile /var/run/openssh.pid
+ ```
+
+### 启动 openssh
+- 创建 /etc/systemd/system/openssh.service,内容如下
+ ```
+ [Unit]
+ Description=OpenSSH server daemon
+ After=network.target sshd-keygen.service
+ Wants=sshd-keygen.service
+
+ [Service]
+ Type=simple
+ Environment=LD_LIBRARY_PATH=/opt/openssl/lib
+ ExecStart=/opt/openssh/sbin/sshd -D
+ KillMode=process
+ Restart=on-failure
+ RestartSec=42s
+
+ [Install]
+ WantedBy=multi-user.target
+ ```
+
+- 启动 openssh,并设置开机自动启动
+ ```bash
+ systemctl daemon-reload
+ systemctl start openssh
+ systemctl enable openssh
+ ```
+
diff --git a/content/post/ssh.md b/content/post/ssh.md
index d067464..4a58244 100644
--- a/content/post/ssh.md
+++ b/content/post/ssh.md
@@ -7,17 +7,8 @@ tags: ["ssh", "隧道", "转发"] categories: ["shell"] ---
-## sshd 常规设置
-- 禁用 root 远程登陆
- ```
- PermitRootLogin no
- ```
-- 只允许私钥登陆
- ```
- PubkeyAuthentication yes
- PasswordAuthentication no
- ```
-- 开启端口转发功能
+## 开启端口转发配置
+- 修改 sshd 配置
 ```
 AllowTcpForwarding yes
 GatewayPorts yes
@@ -27,7 +18,7 @@ categories: ["shell"]
 ClientAliveCountMax 3
 ```
-## ssh 参数
+## ssh 转发用到的参数
 - -f 后台运行
 - -N 仅作端口转发,不执行任何命令
 - -g 绑定端口到全部网卡