Because the SSH version shipped with CentOS 7 is old and has high-severity vulnerabilities, upgrade it to the latest version (currently 7.9p1).
Keep telnet or a similar remote-access service in place as a fallback, just in case.
OpenSSL and zlib: different OpenSSH versions depend on different versions of these two, and a version that is too new or too old will not work.
Download locations:
http://www.zlib.net/
https://www.openssl.org/source/
http://www.openssh.com/portable.html
# yum -y install xinetd telnet-server* telnet
# vi /etc/xinetd.d/telnet # CentOS 7 does not have this config file
Change yes to no in the disable line to enable the telnet service.
By default, Linux does not allow the root user to log in via telnet;
/etc/securetty must be modified
to allow the root account to log in.
# vi /etc/securetty
Append two lines at the end:
pts/0
pts/1
# mv /etc/securetty /etc/securetty.old # or, instead, move the file aside to allow root to log in via telnet
centos6:
# service xinetd start # start the telnet service
# chkconfig xinetd on # start telnet at boot, so the server stays remotely reachable if it reboots unexpectedly during the upgrade
centos7:
# systemctl enable telnet.socket
# systemctl start telnet.socket
# systemctl enable xinetd
# systemctl start xinetd
Be sure to test that telnet connects normally before continuing. Firewall port settings also matter, but they are not covered here.
# yum install wget vim gcc gcc-c++ zlib zlib-devel
# wget https://www.openssl.org/source/openssl-1.1.1b.tar.gz
# yum remove openssl # remove the system's bundled openssl
# tar -zxvf openssl-1.1.1b.tar.gz
# cd openssl-1.1.1b
# ./config --prefix=/usr --openssldir=/etc/pki/tls
# make && make install_sw # install_sw installs only the components; use install instead if the documentation is needed too
# openssl version -a # verify that the installation succeeded
# yum install -y gcc openssl-devel pam-devel rpm-build
# wget http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.9p1.tar.gz
# for i in $(rpm -qa |grep openssh);do rpm -e $i --nodeps;done # remove the original OpenSSH packages
# tar -zxvf openssh-7.9p1.tar.gz
# cd openssh-7.9p1
# ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam
# make && make install
Installation and configuration
# cp contrib/redhat/sshd.init /etc/init.d/sshd
# chkconfig --add sshd
# chkconfig sshd on
# chkconfig --list|grep sshd
Modify configuration options
# sed -i '/^#PermitRootLogin/s/#PermitRootLogin yes/PermitRootLogin yes/' /etc/ssh/sshd_config
# sed -i '/^GSSAPICleanupCredentials/s/GSSAPICleanupCredentials yes/#GSSAPICleanupCredentials yes/' /etc/ssh/sshd_config
# sed -i '/^UsePAM/s/UsePAM yes/#UsePAM yes/' /etc/ssh/sshd_config
# sed -i '/^GSSAPIAuthentication/s/GSSAPIAuthentication yes/#GSSAPIAuthentication yes/' /etc/ssh/sshd_config
# sed -i '/^GSSAPIAuthentication/s/GSSAPIAuthentication no/#GSSAPIAuthentication no/' /etc/ssh/sshd_config
# service sshd restart
1. If PAM is enabled (UsePAM yes), PAM session management requires an sshd service file created under /etc/pam.d/;
be sure not to use the one bundled with the source package.
vi /etc/pam.d/sshd
#%PAM-1.0
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare
2. WARNING: UNPROTECTED PRIVATE KEY FILE!
Change the permissions of the three key files under /etc/ssh to 600, or delete them and regenerate them:
ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key
ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key
ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key
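As an added example (not part of the original post), the following script checks the points above after the upgrade: which value sshd will actually use for each edited directive, whether the host keys are mode 600, and whether /etc/pam.d/sshd exists when UsePAM yes is in effect. It runs against constructed sample files in a temp directory and assumes GNU stat (-c), as on CentOS.

```shell
#!/bin/sh
# Added example (not from the original post): verify the sshd_config edits and
# host-key permissions from the steps above. Uses constructed sample files in a
# temp dir so it runs offline; point it at /etc/ssh to check a real host.
# Assumes GNU stat (-c '%a'), as on CentOS.

# Value sshd will actually use for a directive: the first uncommented match wins
# (sshd's first-match rule; Match blocks are ignored here). Keywords are
# case-insensitive. "unset" means the compiled-in default applies, e.g. when the
# sed above rewrites "#PermitRootLogin yes" but 7.9p1 ships the line as
# "#PermitRootLogin prohibit-password" instead.
effective_directive() {  # $1 = config file, $2 = directive name
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; f = 1; exit }
                   END { if (!f) print "unset" }' "$1"
}

# sshd rejects a host key readable by others ("UNPROTECTED PRIVATE KEY FILE!").
key_mode_ok() {  # $1 = private key path
    [ "$(stat -c '%a' "$1")" = "600" ]
}

# With UsePAM yes in effect, the pam.d/sshd file from step 1 must exist.
pam_ok() {  # $1 = config file, $2 = pam.d directory
    if [ "$(effective_directive "$1" UsePAM)" = "yes" ]; then
        [ -f "$2/sshd" ]
    fi
}

# Constructed sample: a 7.9p1 sshd_config after the sed edits, with UsePAM
# re-enabled by hand, plus one correctly and one incorrectly protected key.
WORK=$(mktemp -d)
SAMPLE_CFG="$WORK/sshd_config"
cat > "$SAMPLE_CFG" <<'EOF'
#PermitRootLogin prohibit-password
#GSSAPIAuthentication no
UsePAM yes
EOF
mkdir -p "$WORK/pam.d" && : > "$WORK/pam.d/sshd"
: > "$WORK/ssh_host_ed25519_key" && chmod 600 "$WORK/ssh_host_ed25519_key"
: > "$WORK/ssh_host_rsa_key"     && chmod 644 "$WORK/ssh_host_rsa_key"  # too open

for d in PermitRootLogin GSSAPIAuthentication UsePAM; do
    printf '%-22s %s\n' "$d" "$(effective_directive "$SAMPLE_CFG" "$d")"
done
for k in "$WORK"/ssh_host_*_key; do
    if key_mode_ok "$k"; then echo "OK   $k"; else echo "FIX  $k: chmod 600"; fi
done
pam_ok "$SAMPLE_CFG" "$WORK/pam.d" && echo "OK   pam.d/sshd present for UsePAM yes"
echo "sample files left in $WORK"
```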