www.colben.cn/content/post/openssh-upgrade.md
2024-10-08 10:41:09 +08:00

---
title: "OpenSSH Upgrade"
date: 2024-07-02T19:00:00+08:00
lastmod: 2024-07-02T19:00:00+08:00
keywords: []
tags: ["openssh", "ssh"]
categories: ["os"]
---
## Source packages
- [openssh source package](https://www.openssh.com/portable.html)
- [openssl source package](https://www.openssl.org/source/)
## Without openssl (not recommended)
### Build openssh
- Download the openssh source package and unpack it
```bash
curl -LO https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.8p1.tar.gz
tar zxf openssh-9.8p1.tar.gz
cd openssh-9.8p1/
# the version information is in version.h
```
- Build and install openssh
```bash
mkdir /opt/openssh
./configure --prefix=/opt/openssh --without-openssl
make
make install
```
- Edit /opt/openssh/etc/sshd_config and change the commonly used settings
```
# avoid a port conflict with the system's own sshd
Port 22222
# allow root login, public-key authentication and password authentication
PermitRootLogin yes
PubkeyAuthentication yes
PasswordAuthentication yes
# enable ssh forwarding
AllowTcpForwarding yes
GatewayPorts yes
# ssh keepalive
TCPKeepAlive yes
ClientAliveInterval 60
ClientAliveCountMax 3
# disable DNS lookups
UseDNS no
# avoid a PID-file conflict with the system's own sshd
PidFile /var/run/openssh.pid
```
### Create the systemd unit file
- Create /opt/openssh/openssh.service with the following content
```
[Unit]
Description=OpenSSH server daemon
After=network.target sshd-keygen.service
Wants=sshd-keygen.service
[Service]
Type=simple
ExecStart=/opt/openssh/sbin/sshd -D
KillMode=process
Restart=on-failure
RestartSec=42s
[Install]
WantedBy=multi-user.target
```
### Package
- Change to /opt and archive the openssh directory
```bash
cd /opt
tar zcf /tmp/openssh-9.8p1-without-openssl.tgz openssh/
```
## With openssl
### Build openssl
- Download the openssl source package and unpack it
```bash
curl -LO https://www.openssl.org/source/old/1.1.1/openssl-1.1.1w.tar.gz
tar zxf openssl-1.1.1w.tar.gz
cd openssl-1.1.1w
```
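The download steps on this page (the openssh tarball above and the openssl tarball here) unpack whatever `curl` fetched. The following is an added example, not part of the original post: it checks a tarball's SHA-256 against the digest published on the project's release page and its detached PGP signature (`.asc`) before `tar zxf`. The digest in the usage comment is a placeholder, and `gpg --verify` assumes the project's release-signing public key has already been imported into the local keyring.

```bash
#!/bin/sh
# Added example (not part of the original post): integrity checks for a source
# tarball before it is unpacked. Works for both openssh-9.8p1.tar.gz and
# openssl-1.1.1w.tar.gz; the expected digest is a placeholder to be taken from
# the project's release page, and gpg --verify assumes the project's
# release-signing public key is already in the local keyring.
set -u

# verify_sha256 FILE EXPECTED_HEX -> 0 if FILE's SHA-256 equals EXPECTED_HEX, 1 otherwise
verify_sha256() {
    file=$1; expected=$2
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK   sha256 $file"
        return 0
    fi
    echo "FAIL sha256 $file: got $actual, expected $expected" >&2
    return 1
}

# verify_signature FILE -> 0 if FILE.asc is a valid detached signature over FILE
# made by a key in the keyring; 1 if the signature file is missing or gpg rejects it
verify_signature() {
    file=$1
    if [ ! -f "$file.asc" ]; then
        echo "FAIL $file.asc not found; fetch the detached signature next to the tarball" >&2
        return 1
    fi
    gpg --verify "$file.asc" "$file"
}

# Usage on the build host (the digest is a placeholder, not a real value):
#   verify_sha256 openssh-9.8p1.tar.gz "<sha256 from the release page>" \
#     && verify_signature openssh-9.8p1.tar.gz \
#     && tar zxf openssh-9.8p1.tar.gz
```

The digest check catches a truncated or tampered download; the signature check is the one that ties the file to the project, so the key should be fetched from the project's own site and not from the same mirror as the tarball.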
- Build and install openssl
```bash
mkdir /opt/openssl
# OpenSSL ships a `config` wrapper script (there is no `configure` in the tarball)
./config --prefix=/opt/openssl
make
make install
```
### Build openssh
- Download and unpack the openssh source package, as above
- Build and install openssh
```bash
mkdir /opt/openssh
export PATH=/opt/openssl/bin:$PATH
export LD_LIBRARY_PATH=/opt/openssl/lib
./configure --prefix=/opt/openssh --with-ssl-dir=/opt/openssl
make
make install
```
- Edit /opt/openssh/etc/sshd_config and change the commonly used settings
```
# avoid a port conflict with the system's own sshd
Port 22222
# allow root login, public-key authentication and password authentication
PermitRootLogin yes
PubkeyAuthentication yes
PasswordAuthentication yes
# enable ssh forwarding
AllowTcpForwarding yes
GatewayPorts yes
# ssh keepalive
TCPKeepAlive yes
ClientAliveInterval 60
ClientAliveCountMax 3
# disable DNS lookups
UseDNS no
# avoid a PID-file conflict with the system's own sshd
PidFile /var/run/openssh.pid
```
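The sshd_config above allows root login, password authentication and `GatewayPorts yes` (remote forwards bound to all interfaces), which is convenient for a first test but exposes the new daemon on port 22222 more than necessary. The following is an added example, not part of the original post: the same file with those directives tightened, using standard sshd_config(5) keywords and the port and PidFile already chosen on this page.

```text
# same directives as above, hardened; Port and PidFile still avoid the system sshd
Port 22222
# root may log in with a key only; password and keyboard-interactive logins are off for everyone
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
# local port forwarding only; remote forwards cannot bind to all interfaces
AllowTcpForwarding local
GatewayPorts no
# keepalive and DNS settings unchanged
TCPKeepAlive yes
ClientAliveInterval 60
ClientAliveCountMax 3
UseDNS no
# limit guesses per connection and the time an unauthenticated connection may stay open
MaxAuthTries 3
LoginGraceTime 30
PidFile /var/run/openssh.pid
```

Switch `PasswordAuthentication` off only after a key-based login on port 22222 has been confirmed from a second session, so the change cannot lock you out of the host.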
### Create the systemd unit file
- Create /opt/openssh/openssh.service with the following content
```
[Unit]
Description=OpenSSH server daemon
After=network.target sshd-keygen.service
Wants=sshd-keygen.service
[Service]
Type=simple
Environment=LD_LIBRARY_PATH=/opt/openssl/lib
ExecStart=/opt/openssh/sbin/sshd -D
KillMode=process
Restart=on-failure
RestartSec=42s
[Install]
WantedBy=multi-user.target
```
### Package
- Change to /opt and archive the openssl and openssh directories
```bash
cd /opt
tar zcf /tmp/openssh-9.8p1-with-openssl.tgz openssl/ openssh/
```
## Deploy
- Upload the deployment package to the target server and unpack it
```bash
tar zxf openssh-9.8p1-with-openssl.tgz -C /opt/
```
- Copy the systemd unit file
```bash
cp /opt/openssh/openssh.service /etc/systemd/system/
```
- Start openssh and enable it at boot
```bash
systemctl daemon-reload
systemctl start openssh
systemctl enable openssh
```
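After `systemctl start openssh` it is worth confirming that the daemon on port 22222 really is the new build and that it coexists with the distro sshd on port 22 until the cutover is finished. The script below is an added example, not from the original post: `version_ok` parses the `ssh -V` banner, `no_conflict` checks the Port and PidFile of an sshd_config against the distro defaults, and `live_checks` runs both on the target host together with `sshd -t`, `ldd`, `ss` and `systemctl`. Paths and port follow this page; the minimum version 9.8 is an assumption matching the openssh-9.8p1 tarball used above.

```bash
#!/bin/sh
# Added example (not part of the original post): post-deployment checks for the
# self-built sshd. Paths and port follow the article; the minimum version 9.8
# is an assumption matching the openssh-9.8p1 tarball used above.
set -u

# version_ok BANNER MAJOR MINOR
# 0 if the "ssh -V" banner reports OpenSSH >= MAJOR.MINOR, 1 if older, 2 if unparsable.
version_ok() {
    banner=$1; want_major=$2; want_minor=$3
    ver=$(printf '%s\n' "$banner" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 2
    major=${ver% *}; minor=${ver#* }
    if [ "$major" -gt "$want_major" ]; then return 0; fi
    if [ "$major" -eq "$want_major" ] && [ "$minor" -ge "$want_minor" ]; then return 0; fi
    return 1
}

# no_conflict CONFIG
# 0 if Port and PidFile in CONFIG differ from the distro sshd defaults (22 and
# /var/run/sshd.pid), so both daemons can run side by side during the cutover.
no_conflict() {
    cfg=$1; status=0
    port=$(sed -n 's/^[[:space:]]*Port[[:space:]]\{1,\}\([0-9][0-9]*\).*/\1/p' "$cfg" | head -n 1)
    pidfile=$(sed -n 's/^[[:space:]]*PidFile[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$cfg" | head -n 1)
    if [ -z "$port" ] || [ "$port" = "22" ]; then
        echo "WARN $cfg: Port is '${port:-unset, default 22}', would collide with the system sshd" >&2
        status=1
    fi
    if [ -z "$pidfile" ] || [ "$pidfile" = "/var/run/sshd.pid" ]; then
        echo "WARN $cfg: PidFile is '${pidfile:-unset, default /var/run/sshd.pid}'" >&2
        status=1
    fi
    return "$status"
}

# live_checks: run as root on the target host after "systemctl start openssh".
live_checks() {
    # ssh -V prints its banner on stderr
    version_ok "$(/opt/openssh/bin/ssh -V 2>&1)" 9 8 || echo "FAIL /opt/openssh/bin/ssh is older than 9.8" >&2
    # syntax-check the config with the new daemon, not the distro one
    /opt/openssh/sbin/sshd -t -f /opt/openssh/etc/sshd_config || echo "FAIL sshd_config rejected by sshd -t" >&2
    no_conflict /opt/openssh/etc/sshd_config
    # the with-openssl build must resolve libssl/libcrypto from /opt/openssl, not the system copies
    ldd /opt/openssh/sbin/sshd | grep -E 'libssl|libcrypto'
    # both listeners should be present: keep the distro sshd on 22 until a login on 22222 works
    ss -ltn | grep -E ':(22|22222) '
    systemctl is-active openssh
}
```

Run `live_checks` from an existing session on port 22, then open a second session against 22222; only when that succeeds should the distro sshd be stopped or its port reassigned. For the build without openssl the `ldd` line prints nothing, which is expected.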