Linuxopenssh升级方案.doc

Openssh升级方案一、准备安装包1、确定操作系统uname -a cat /etc/redhat-release2、将安装包和系统ISO镜像上传服务器zlib-1.2.8.tar.gz openssl-1.0.1p.tar.gz openssh-7.1p1.tar.gzrhel-server-6.5-x86_64-dvd.iso修改yum配置文件vi /etc/yum.repos.d/local.repo粘贴以下内容并保存Servername=Serverbaseurl=file:/xxxx/iso/Server (xxxx/iso为新建的iso目录来存放挂载后的操作系统镜像)enabled=1gpgcheck=0挂载redhat6.5的iso安装包(在xxxx目录下新建iso文件夹)mount t iso9660 /dev/cdrom /xxxx/iso安装必要的软件包gcc、telnet、xinetd、make、pam-devel、zlib等yum y install *gcc*yum y install *telnet*yum y install *xinetd*yum y install *make*yum y install *pam-devel*yum y install *zlib*3、准备其他远程方式telnet或者vnc修改telnet配置文件vi /etc/xinetd.d/telnet disable = yes 改成noservice xinetd restart重启服务创建telnet远程用户userdel weihupasswd weihucqep1234或者修改配置保证root用户可以telnet,保证后续远程配置正常进行vi /etc/pam.d/login文件注释掉：#auth user_unknown=ignore success=ok ignore=ignore #auth_err=die default=bad pam_securetty.so 测试telnet正常登录后进行下一步 4、拷贝安装包至/usr/local/src目录，并解压修改权限cp zlib-1.2.8.tar.gz /usr/local/srccp openssh-6.8p1.tar.gz /usr/local/srccp openssl-1.0.2a.tar.gz /usr/local/srccd /usr/local/src/tar zxvf openssh-6.8p1.tar.gztar zxvf openssl-1.0.2a.tar.gztar zxvf zlib-1.2.8.tar.gzchmod 777 -R openssh-6.8p1chmod 777 -R openssl-1.0.2achmod 777 R zlib-1.2.81、 检查系统是否缺包rpm -qa | egrep gcc|make|perl|pam|pam-devel如缺包请自行设置本地Yum源进行安装yum -y install gcc* make perl pam pam-devel如果报public key for sinjdoc-0.5-9.1.el6.x86_64.rpm is not installed这样的错误，则执行如下命令：（需要导入rpm的签名信息）#rpm -import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release二、程序升级1、停止ssh服务service sshd stop2、备份脚本和程序cp /etc/init.d/sshd root3、卸载原openssh# rpm -qa|grep openssh /查询系统原安装的openssh包全部卸载。根据查出的结果使用如下进行删除。（# rpm -e openssh -nodeps# rpm -e openssh-server -nodeps# rpm -e openssh-clients -nodeps# rpm -e openssh-askpass rpm -e openssl -nodeps）或rpm -e -nodeps rpm -qa |grep openssh4、安装zlib包cd /usr/local/src/zlib-1.2.8 ./configure makemake install5、安装openssl包cd /usr/local/src/openssl-1.0.1p./config shared zlibmakemake testmake installmv /usr/bin/openssl /usr/bin/openssl.OFFmv /usr/include/openssl /usr/include/openssl.OFF/该步骤可能提示无文件，忽略即可ln -s /usr/local/ssl/bin/openssl /usr/bin/opensslln -s /usr/local/ssl/include/openssl /usr/include/openssl/移走原先系统自带的openssl，将自己编译产生的新文件进行链接/配置库文件搜索路径echo /usr/local/ssl/lib /etc/ld.so.conf /sbin/ldconfig -v openssl version -a6、安装opensshcd /usr/local/src/openssh-7.1p1mv /etc/ssh /etc/sshbak./configure -prefix=/usr -sysconfdir=/etc/ssh -with-zlib -with-ssl-dir=/usr/local/ssl -with-md5-passwords -mandir=/usr/share/man makemake installcp /usr/local/src/openssh-6.8p1/contrib/redhat/sshd.init /etc/init.d/sshd 修改/etc/ssh/sshd_config配置文件项PermitRootLogin去掉注释符号，修改后缀为yesvi /etc/ssh/sshd_configservice sshd startservice sshd restartssh -V/usr/sbin/sshd d7、安装后检查和配置添加ssh自启动chkconfig -add sshdchkconfig sshd onchkconfig -list sshd检查iptables、ip6tables、selinux防火墙是否完全关闭chkconfig -list | grep iptableschkconfig -list | grep ip6tablesservice iptables statusservice ip6tables statuscat /etc/selinux/config是否为disabled恢复升级前配置，删除用户