From ad2fb67320e365397f41818251ad2fa11e2b190d Mon Sep 17 00:00:00 2001
From: colben
Date: Mon, 13 Apr 2026 19:44:43 +0800
Subject: [PATCH] update
---
 content/post/openssh-upgrade.md | 57 +++++++++++---------------------
 1 file changed, 18 insertions(+), 39 deletions(-)
diff --git a/content/post/openssh-upgrade.md b/content/post/openssh-upgrade.md
index 4843497..8b61aa9 100644
--- a/content/post/openssh-upgrade.md
+++ b/content/post/openssh-upgrade.md
@@ -1,7 +1,7 @@
 ---
 title: "OpenSSH 升级"
 date: 2024-07-02T19:00:00+08:00
-lastmod: 2024-07-02T19:00:00+08:00
+lastmod: 2026-04-13T19:00:00+08:00
 keywords: []
 tags: ["openssh", "ssh"]
 categories: ["os"]
@@ -15,15 +15,14 @@ categories: ["os"]
 ### 编译 openssh
 - 下载 openssh 源码包,解压
 ```bash
- curl -LO https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.8p1.tar.gz
- tar zxf openssh-9.8p1.tar.gz
- cd openssh-9.8p1/
+ curl -LO https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-10.3p1.tar.gz
+ tar zxf openssh-10.3p1.tar.gz
+ cd openssh-10.3p1/
 # 版本信息在 version.h
 ```
 - 编译安装 openssh
 ```bash
- mkdir /opt/openssh
 ./configure --prefix=/opt/openssh --without-openssl
 make
 make install
@@ -34,6 +33,11 @@ categories: ["os"]
 # 避免与系统自带的 sshd 端口冲突
 Port 22222
+ #(可选)配置原 ssh hostKey,避免其他服务器登录时校验失败
+ HostKey /etc/ssh/ssh_host_rsa_key
+ HostKey /etc/ssh/ssh_host_ecdsa_key
+ HostKey /etc/ssh/ssh_host_ed25519_key
+
 # 允许 root 用户登录,允许私钥认证,允许密码认证
 PermitRootLogin yes
 PubkeyAuthentication yes
@@ -85,15 +89,14 @@ categories: ["os"]
 ### 编译 openssl
 - 下载 openssl 源码包,解压
 ```bash
- curl -LO https://www.openssl.org/source/old/1.1.1/openssl-1.1.1w.tar.gz
- tar zxf openssl-1.1.1w.tar.gz
- cd openssl-1.1.1w
+ curl -LO https://github.com/openssl/openssl/releases/download/openssl-3.5.5/openssl-3.5.5.tar.gz
+ tar zxf openssl-3.5.5.tar.gz
+ cd openssl-3.5.5
 ```
 - 编译安装 openssl
 ```bash
- mkdir /opt/openssl
- ./configure --prefix=/opt/openssl
+ ./Configure --prefix=/opt/openssl
 make
 make install
 ```
@@ -104,37 +107,13 @@ categories: ["os"]
 ```bash
 mkdir /opt/openssh
 export PATH=/opt/openssl/bin:$PATH
- export LD_LIBRARY_PATH=/opt/openssl/lib
+ export LD_LIBRARY_PATH=/opt/openssl/lib64
 ./configure --prefix=/opt/openssh --with-ssl-dir=/opt/openssl
 make
 make install
 ```
-- 编辑 /opt/openssh/etc/sshd_config,修改常用配置
- ```
- # 避免与系统自带的 sshd 端口冲突
- Port 22222
-
- # 允许 root 用户登录,允许私钥认证,允许密码认证
- PermitRootLogin yes
- PubkeyAuthentication yes
- PasswordAuthentication yes
-
- # 开启 ssh 转发
- AllowTcpForwarding yes
- GatewayPorts yes
-
- # ssh 保活
- TCPKeepAlive yes
- ClientAliveInterval 60
- ClientAliveCountMax 3
-
- # 禁用 dns 解析
- UseDNS no
-
- # 避免与系统自带的 sshd pid 文件冲突
- PidFile /var/run/openssh.pid
- ```
+- 编辑 /opt/openssh/etc/sshd_config,修改常用配置,同上
 ### 创建 systemd 启动文件
 - 创建 /opt/openssh/openssh.service,内容如下
@@ -146,7 +125,7 @@ categories: ["os"]
 [Service]
 Type=simple
- Environment=LD_LIBRARY_PATH=/opt/openssl/lib
+ Environment=LD_LIBRARY_PATH=/opt/openssl/lib64
 ExecStart=/opt/openssh/sbin/sshd -D
 KillMode=process
 Restart=on-failure
@@ -160,13 +139,13 @@ categories: ["os"]
 - 进入 /opt 目录下,打包 openssl 和 openssh 目录
 ```bash
 cd /opt
- tar zcf /tmp/openssh-9.8p1-with-openssl.tgz openssl/ openssh/
+ tar zcf /tmp/openssh-10.3p1-with-openssl.tgz openssl/ openssh/
 ```
 ## 部署
 - 上传部署包到目标服务器中,解压
 ```bash
- tar zxf openssh-9.8p1-with-openssl.tgz -C /opt/
+ tar zxf openssh-10.3p1-with-openssl.tgz -C /opt/
 ```
 - 复制 systemd 启动文件