---
title: "OpenSSH upgrade"
date: 2024-07-02T19:00:00+08:00
lastmod: 2024-07-02T19:00:00+08:00
keywords: []
tags: ["openssh", "ssh"]
categories: ["os"]
---

## Source packages

- [openssh source package](https://www.openssh.com/portable.html)
- [openssl source package](https://www.openssl.org/source/)

## Without openssl (not recommended)

Building without OpenSSL leaves sshd with only its built-in crypto (ed25519 keys and a reduced set of ciphers and key-exchange methods); RSA and ECDSA keys cannot be used, so most existing host and user keys will not work.

### Build openssh

- Download the openssh source package and unpack it

```bash
curl -LO https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.8p1.tar.gz
tar zxf openssh-9.8p1.tar.gz
cd openssh-9.8p1/
# the version number is recorded in version.h
```

- Build and install openssh

```bash
mkdir /opt/openssh
./configure --prefix=/opt/openssh --without-openssl
make
make install
```

- Edit /opt/openssh/etc/sshd_config and set the usual options

```
# avoid a port clash with the system's own sshd
Port 22222
# allow root login, public-key authentication and password authentication
PermitRootLogin yes
PubkeyAuthentication yes
PasswordAuthentication yes
# enable ssh forwarding
AllowTcpForwarding yes
GatewayPorts yes
# ssh keepalive
TCPKeepAlive yes
ClientAliveInterval 60
ClientAliveCountMax 3
# disable dns lookups
UseDNS no
# avoid a pid-file clash with the system's own sshd
PidFile /var/run/openssh.pid
```

### Create the systemd unit file

- Create /opt/openssh/openssh.service with the following content

```
[Unit]
Description=OpenSSH server daemon
After=network.target sshd-keygen.service
Wants=sshd-keygen.service

[Service]
Type=simple
ExecStart=/opt/openssh/sbin/sshd -D
KillMode=process
Restart=on-failure
RestartSec=42s

[Install]
WantedBy=multi-user.target
```

### Package

- Change to /opt and pack up the openssh directory

```
cd /opt
tar zcf /tmp/openssh-9.8p1-without-openssl.tgz openssh/
```

## With openssl

### Build openssl

- Download the openssl source package and unpack it

```bash
curl -LO https://www.openssl.org/source/old/1.1.1/openssl-1.1.1w.tar.gz
tar zxf openssl-1.1.1w.tar.gz
cd openssl-1.1.1w
```

Note that OpenSSL 1.1.1 reached end of life in September 2023 and 1.1.1w is its final release, so it receives no further security fixes.

- Build and install openssl (the OpenSSL tarball ships `config`, not `configure`)

```bash
mkdir /opt/openssl
./config --prefix=/opt/openssl
make
make install
```

### Build openssh

- Download and unpack the openssh source package as above

- Build and install openssh against the private openssl

```bash
mkdir /opt/openssh
export PATH=/opt/openssl/bin:$PATH
export LD_LIBRARY_PATH=/opt/openssl/lib
./configure --prefix=/opt/openssh --with-ssl-dir=/opt/openssl
make
make install
```

- Edit /opt/openssh/etc/sshd_config and set the usual options

```
# avoid a port clash with the system's own sshd
Port 22222
# allow root login, public-key authentication and password authentication
PermitRootLogin yes
PubkeyAuthentication yes
PasswordAuthentication yes
# enable ssh forwarding
AllowTcpForwarding yes
GatewayPorts yes
# ssh keepalive
TCPKeepAlive yes
ClientAliveInterval 60
ClientAliveCountMax 3
# disable dns lookups
UseDNS no
# avoid a pid-file clash with the system's own sshd
PidFile /var/run/openssh.pid
```

### Create the systemd unit file

- Create /opt/openssh/openssh.service with the following content (the `Environment=` line makes sshd load the private openssl rather than the distro copy)

```
[Unit]
Description=OpenSSH server daemon
After=network.target sshd-keygen.service
Wants=sshd-keygen.service

[Service]
Type=simple
Environment=LD_LIBRARY_PATH=/opt/openssl/lib
ExecStart=/opt/openssh/sbin/sshd -D
KillMode=process
Restart=on-failure
RestartSec=42s

[Install]
WantedBy=multi-user.target
```

### Package

- Change to /opt and pack up the openssl and openssh directories

```bash
cd /opt
tar zcf /tmp/openssh-9.8p1-with-openssl.tgz openssl/ openssh/
```

## Deploy

- Upload the package to the target server and unpack it

```bash
tar zxf openssh-9.8p1-with-openssl.tgz -C /opt/
```

- Copy the systemd unit file into place

```bash
cp /opt/openssh/openssh.service /etc/systemd/system/
```

- Start openssh and enable it at boot

```bash
systemctl daemon-reload
systemctl start openssh
systemctl enable openssh
```