本文涉及rpm源码包下载地址:http://mirrors.163.com/centos/6/os/x86_64/Packages
安装之前配置环境变量 /etc/profile 增加以下几行
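# Compiler / loader search paths for the OpenSSL built in step 4 (its library
# directory is also registered via ld.so.conf there). The ${VAR:+:$VAR} form
# appends the previous value only when it is non-empty: the original left a
# bare trailing ":" when the variable was unset, and an empty element in
# LD_LIBRARY_PATH is generally treated as the current directory by ld.so, so
# every program started from this profile would load libraries from any
# writable cwd.
export C_INCLUDE_PATH="/usr/local/include${C_INCLUDE_PATH:+:$C_INCLUDE_PATH}"
export LD_LIBRARY_PATH="/usr/local/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}"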
1.安装Telnet服务
防止升级ssh时意外断开无法再次登陆服务器
###Redhat6
# For bulk installs on other machines, installing the rpm packages below first
# avoids build-dependency errors at `make install` time (the compiler plus the
# PAM and glibc headers the OpenSSH --with-pam / ntpd builds need).
# --nodeps skips rpm's dependency check, so a missing dependency only shows up
# later at build or run time; prefer `yum install` where a repository is reachable.
rpm -ivhU --nodeps pam-devel-1.1.1-24.el6.x86_64.rpm
rpm -ivhU --nodeps gcc-4.4.7-18.el6.x86_64.rpm
rpm -ivhU --nodeps glibc-devel-2.12-1.209.el6.x86_64.rpm
# Install the Telnet service. Telnet carries credentials in cleartext; it is
# only a fallback so that a broken sshd cannot lock you out of the box, and it
# is removed again in step 6. Keep that window as short as possible.
rpm -ivhU xinetd-2.3.14-40.el6.x86_64.rpm
rpm -ivhU telnet-server-0.17-48.el6.x86_64.rpm
rpm -ivhU telnet-0.17-48.el6.x86_64.rpm
###Redhat7
# Same build prerequisites for EL7 (again with --nodeps, so rpm's dependency
# check is skipped; prefer `yum install` when a repository is reachable).
rpm -ivhU --nodeps pam-devel-1.1.8-18.el7.x86_64.rpm
rpm -ivhU --nodeps gcc-4.8.5-16.el7.x86_64.rpm
rpm -ivhU --nodeps glibc-devel-2.17-196.el7.x86_64.rpm
# Telnet fallback for EL7 (cleartext; temporary, removed in step 6).
# NOTE(review): on EL7 telnet-server is normally socket-activated by systemd
# (telnet.socket) rather than run from xinetd, so the /etc/xinetd.d/telnet
# edit below may not apply there — confirm on the target host.
rpm -ivhU xinetd-2.3.15-13.el7.x86_64.rpm
rpm -ivhU telnet-server-0.17-64.el7.x86_64.rpm
rpm -ivhU telnet-0.17-64.el7.x86_64.rpm
将文件/etc/xinetd.d/telnet内容“disable=yes”值改为“no”
# Start the Telnet listener (xinetd re-reads /etc/xinetd.d/telnet on restart).
# This is a cleartext fallback for the duration of the sshd replacement only:
# restrict it to the administration host with `only_from = <admin-ip>` in
# /etc/xinetd.d/telnet if at all possible, and remove it again in step 6.
service xinetd restart
2.卸载旧版本openssl和openssh
# List the distro OpenSSL / OpenSSH packages and erase them. Replace "xxx"
# with the exact package names printed by `rpm -qa` on your host.
# --nodeps skips the dependency check, so anything that links against the
# distro libssl.so.10 / libcrypto.so.10 (curl, for example) is broken until
# step 4 recreates those soname links from the new build. From here on
# neither OpenSSL nor OpenSSH receives vendor security updates — they have to
# be tracked and rebuilt by hand. Take a snapshot/backup before this step.
# Erasing openssh-server may stop the running sshd (package scriptlet): the
# current session survives, but new SSH logins only work again after 5.4,
# which is what the Telnet fallback is for.
rpm -qa|grep openssl
rpm -e --nodeps xxx
rpm -qa|grep openssh
rpm -e --nodeps xxx
3.关闭SELinux
# Put SELinux into permissive mode for the upgrade: policy is still evaluated
# and denials are logged, but nothing is blocked. This is usually enough to
# get through the build and install. The follow-up edit that writes
# SELINUX=disabled to /etc/selinux/config (effective only after a reboot) goes
# further than "permissive" and turns enforcement off for good; prefer to
# stay permissive and return to enforcing once sshd works — confirm against
# your own policy requirements.
setenforce 0
将文件/etc/selinux/config内容“SELINUX=enforcing”值改为“disabled”
4.安装openssl-1.0.2m
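# Download https://www.openssl.org/source/openssl-1.0.2m.tar.gz
# Verify the tarball against the .sha256 / .asc published next to it on
# openssl.org before unpacking; nothing below checks its integrity. (The
# 1.0.2 branch is end-of-life, so plan a move to a supported release.)
# Unpack openssl-1.0.2m.tar.gz
tar xvf openssl-1.0.2m.tar.gz
# Enter the source tree. The tarball unpacks into ./openssl-1.0.2m relative to
# the current directory; the original `cd /openssl-1.0.2m` only worked when
# run from /.
cd openssl-1.0.2m
# Build and install (default prefix /usr/local/ssl). On other machines only
# `make install` is needed once the tree has been built.
./config shared && make && make install
# Register the new library directory with ld.so — once; the original appended
# a duplicate line to ld.so.conf on every run.
grep -qxF /usr/local/ssl/lib /etc/ld.so.conf || echo "/usr/local/ssl/lib" >> /etc/ld.so.conf
ldconfig -v
# Expose the libraries under the soname links the erased EL packages
# provided (libssl.so.10 / libcrypto.so.10) so dependent binaries resolve
# again. -f makes the links re-runnable; 555 keeps the copies non-writable.
cp /usr/local/ssl/lib/libssl.so.1.0.0 /usr/lib64
cp /usr/local/ssl/lib/libcrypto.so.1.0.0 /usr/lib64
chmod 555 /usr/lib64/libssl.so.1.0.0
chmod 555 /usr/lib64/libcrypto.so.1.0.0
ln -sf /usr/lib64/libcrypto.so.1.0.0 /usr/lib64/libcrypto.so.10
ln -sf /usr/lib64/libssl.so.1.0.0 /usr/lib64/libssl.so.10
ln -sf /usr/lib64/libcrypto.so.1.0.0 /usr/lib64/libcrypto.so
ln -sf /usr/lib64/libssl.so.1.0.0 /usr/lib64/libssl.so
ln -sf /usr/local/ssl/bin/openssl /usr/bin/openssl
# -n: if /usr/include/openssl is already a symlink to a directory, replace the
# link instead of creating a new link inside that directory
ln -sfn /usr/local/ssl/include/openssl /usr/include/openssl
# Confirm the build on PATH is the new one
openssl version -a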
5.安装openssh-7.6p1
# Download http://mirror.internode.on.net/pub/OpenBSD/OpenSSH/portable/openssh-7.6p1.tar.gz
# This is a third-party mirror: verify the tarball against the .asc signature
# published for the release on openssh.com before unpacking.
# Unpack openssh-7.6p1.tar.gz
tar xvf openssh-7.6p1.tar.gz
# Enter the openssh-7.6p1 directory. The path is relative, so this assumes you
# are back in the download directory (step 4 finished inside openssl-1.0.2m;
# `cd ..` first if you are still there).
cd openssh-7.6p1
# Build and install; on other machines only `make install` is needed once the
# tree has been built. Flags:
#   --prefix=/usr --sysconfdir=/etc/ssh : sshd under /usr/sbin (which the
#       contrib/redhat sshd.init used in 5.2 assumes), sftp-server under
#       /usr/libexec (matches the Subsystem line in 5.1), config in /etc/ssh
#   --with-ssl-dir=/usr/local/ssl       : the OpenSSL built in step 4
#   --with-pam                          : required for UsePAM yes / pam.d/sshd
#   --without-hardening                 : disables the compiler hardening
#       flags (stack protector, PIE, RELRO) configure would otherwise add.
#       Presumably here to work around the old EL6 toolchain; drop it if the
#       build succeeds without it, as it weakens sshd's exploit mitigations.
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-zlib --with-ssl-dir=/usr/local/ssl --without-hardening --with-pam && make && make install
5.1编辑/etc/ssh/sshd_config
# Edit the server configuration. Back the current file up first
# (`cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.bak`): the listing below
# is meant to replace its entire content.
vi /etc/ssh/sshd_config
将以下内容全部复制到/etc/ssh/sshd_config
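# $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
# NOTE(review): this template predates the 7.6 server it is used with. The
# protocol-1 options below are commented out and ignored by 7.x, which is
# harmless; validate the whole file with `sshd -t` before restarting.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# The default requires explicit activation of protocol 1
# (protocol 1 server support was removed in OpenSSH 7.4, so on 7.6 this
# line is effectively a no-op; kept for readability)
Protocol 2
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2 (these are the defaults; `make install` in
# step 5 should have created any that were missing — check ls /etc/ssh/ssh_host_*)
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
# Ciphers and keying
#RekeyLimit default none
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
# Root logs in as an unprivileged user and escalates locally; keep this "no".
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#RSAAuthentication yes
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Password logins stay enabled (handled through PAM, see UsePAM below). Once
# every admin has a key in .ssh/authorized_keys, set this to "no" to take
# online password guessing off the table.
PasswordAuthentication yes
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# (requires the --with-pam build from step 5 and the stack in 5.3)
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
# Skip reverse DNS of the client address (faster logins, no DNS dependency)
UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# override default of no subsystems
# (/usr/libexec is where --prefix=/usr from step 5 installs sftp-server)
Subsystem sftp /usr/libexec/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
# Key exchange list. Setting KexAlgorithms replaces the built-in default
# entirely, so curve25519-sha256 (the preferred default exchange of this
# release, under both of its names) is added back at the front.
# diffie-hellman-group1-sha1 (1024-bit group) has been off by default since
# OpenSSH 7.0 and the other *-sha1 exchanges are legacy; they are re-enabled
# here only for old clients — remove them as soon as those clients are gone.
# (The original line listed group1-sha1 twice; the duplicate is dropped.)
# A client picks the first entry of *its own* list the server also offers, so
# the order here does not shield modern clients from the weak entries.
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
# Banner shown before authentication. Nothing in this guide creates
# /etc/sshbanner: create it (notice/legal text) or comment the line out.
Banner /etc/sshbanner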
5.2编辑/etc/init.d/sshd
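# Install the Red Hat SysV init script shipped in the OpenSSH source tree.
# Run this from the directory that holds the extracted openssh-7.6p1 tree
# (the same assumption the original relative `cd` made). A plain cp keeps
# the shell in that directory: the original cd'd into contrib/redhat and
# never came back, which breaks the relative tar/cd paths used in step 7.
# On EL7 the script runs through the systemd SysV compatibility layer; a
# native unit would be the cleaner route there.
cp -- openssh-7.6p1/contrib/redhat/sshd.init /etc/init.d/sshd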
5.3编辑/etc/pam.d/sshd
# Edit the PAM stack sshd uses (UsePAM yes in sshd_config); the listing
# below replaces the file's content.
vi /etc/pam.d/sshd
将以下内容全部复制到/etc/pam.d/sshd
#%PAM-1.0
# PAM stack for the locally built sshd (UsePAM yes in sshd_config). Everything
# delegates to the system-wide password-auth stack, so password policy and
# lockout rules come from /etc/pam.d/password-auth (which must exist; on
# EL6/EL7 it is normally maintained by authconfig).
# pam_sepermit / pam_selinux: presumably no-ops while SELinux is disabled
# (step 3) — keep them so re-enabling SELinux later needs no PAM change.
auth required pam_sepermit.so
auth include password-auth
# pam_nologin.so refuses non-root logins while /etc/nologin exists
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
# pam_loginuid.so records the audit loginuid; audit trails depend on it
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth
5.4服务配置
# Make the init script executable
chmod u+x /etc/init.d/sshd
# Register the service and enable it at boot (SysV; on EL7 this goes through
# the systemd compatibility layer)
chkconfig --add sshd
chkconfig sshd on
chkconfig --list|grep sshd
# Restart sshd on the new binaries and config. This is the step that can lock
# you out: validate the config first with `sshd -t`, keep this session and the
# Telnet fallback open, and confirm a NEW ssh login from a second terminal
# before continuing with step 6.
service sshd restart
# Shows the client version; the server's version appears in the banner of a
# verbose client connection (`ssh -v localhost`, "remote software version")
ssh -V
6.测试ssh服务是否正常
测试ssh服务正常后将Telnet服务卸载
# Remove the Telnet fallback once a fresh SSH login has been verified. These
# are the EL6 package names from step 1; on EL7 remove the versions installed
# there (telnet-server-0.17-64.el7, xinetd-2.3.15-13.el7) instead. The telnet
# client package can go too if nothing else needs it.
rpm -e telnet-server-0.17-48.el6.x86_64 xinetd-2.3.14-40.el6.x86_64
7.安装ntp服务
由于升级完openssl会导致ntpd服务无法启动,报错为:ntpd: OpenSSL version mismatch. Built against 10000003, you have 100020bf,所以需要重新编译ntpd。
7.1编译安装
# Remove the packaged ntp / ntpdate (replace "xxx" with the names printed by
# rpm -qa). From here on ntpd is outside package management: its security
# updates have to be tracked and rebuilt by hand.
rpm -qa|grep ntpdate
rpm -e xxx --nodeps
rpm -qa|grep ntp-
rpm -e xxx --nodeps
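# Install the libraries ntpd's --enable-linuxcaps needs (EL6 package names;
# use the EL7 equivalents there). libcap-devel supplies the headers and the
# unversioned libcap.so the linker resolves -lcap against.
rpm -qa | grep libcap
rpm -ivh libcap-2.16-5.5.el6.x86_64.rpm
rpm -ivh libcap-devel-2.16-5.5.el6.x86_64.rpm
# Optional check that the library is in place. The pattern must be quoted,
# otherwise the shell expands it against the current directory first.
find / -name 'libcap*'
# The original guide went on to symlink /usr/local/ssl/lib/engines/libcapi.so
# to /lib64/libcap.so because it showed up in that listing. That file is
# OpenSSL's CAPI engine module — it has nothing to do with POSIX capabilities
# (libcap) — and installing it under that name risks being picked up in place
# of the real libcap.so at link time. Do not create that link; libcap-devel
# above already provides what ntpd's configure needs.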
# Download http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-4.2.8p10.tar.gz
# Verify the download against the checksum/signature published with the
# release, and check ntp.org for a newer 4.2.8 point release before pinning
# p10 — later point releases carry security fixes.
tar xvf ntp-4.2.8p10.tar.gz
cd ntp-4.2.8p10
# --prefix=/usr puts ntpd at /usr/bin/ntpd, the path the init script's NTPD=
# expects. --enable-linuxcaps lets ntpd drop root (the init script's
# -u ntp:ntp) while keeping the capability to set the clock; it is what the
# libcap / libcap-devel packages above are for.
./configure --prefix=/usr --enable-all-clocks --enable-parse-clocks --enable-linuxcaps --disable-ipv6 --without-ntpsnmpd
make
make install
7.2修改配置文件
# Create the init script by hand with the content below; the packaged
# /etc/init.d/ntpd presumably went away with the `rpm -e` of ntp above.
vi /etc/init.d/ntpd
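#!/bin/sh
# SysV init script for the locally built ntpd (/usr/bin/ntpd, --prefix=/usr).
# chkconfig needs the two header lines below; without them
# `chkconfig --add ntpd` / `chkconfig ntpd on` fail with
# "service ntpd does not support chkconfig".
# chkconfig: - 58 74
# description: ntpd is the NTPv4 daemon that keeps the system clock in sync.

# Runtime settings shared by the functions below.
NTPD="/usr/bin/ntpd"
PIDFILE="/var/run/ntpd.pid"
# Unprivileged account ntpd drops to (-u); it must exist on the host —
# check with `getent passwd ntp` on machines that never had the ntp package.
USER="ntp"
GROUP="ntp"
# -g: allow the first clock step to exceed the panic threshold
# -u: run as USER:GROUP after start-up; -p: where ntpd writes its pid
NTPD_OPTS="-g -u $USER:$GROUP -p $PIDFILE"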
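# Start ntpd unless a pid file is already present.
# Returns 0 when the daemon's command line is visible in the process table one
# second after launch, 1 when a pid file exists or the daemon did not come up.
ntpd_start() {
  if [ -r "$PIDFILE" ]; then
    echo "ntpd seems to be already running under pid $(cat "$PIDFILE")."
    echo "Delete $PIDFILE if this is not the case."
    return 1
  fi
  printf '%s' "Starting NTP daemon... "
  # NTPD_OPTS is intentionally unquoted: it holds several arguments.
  # shellcheck disable=SC2086
  $NTPD $NTPD_OPTS
  # You can't always rely on the ntpd exit code (see Bug #2420), so look for
  # the daemon's command line in the process table instead.
  sleep 1
  if ps -Ao args | grep -q "^$NTPD $NTPD_OPTS"; then
    echo "OK!"
    return 0
  fi
  echo "FAILED!"
  # drop a pid file the failed start may have left behind
  rm -f -- "$PIDFILE"
  return 1
}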
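# Stop ntpd via the pid recorded in PIDFILE and wait up to 15 s for it to exit.
# Returns 0 once the process is gone (pid file removed), 1 when there is no
# readable pid file, the pid could not be signalled (stale pid file), or the
# process is still alive after the grace period.
ntpd_stop() {
  if [ ! -r "$PIDFILE" ]; then
    echo "ntpd doesn't seem to be running, cannot read the pid file."
    return 1
  fi
  printf '%s' "Stopping NTP daemon..."
  PID=$(cat "$PIDFILE")
  if ! kill -TERM "$PID" 2> /dev/null; then
    # Nothing answers to that pid; the original reported this as
    # "still running", which is the opposite of what happened.
    echo " FAILED! could not signal pid $PID (stale $PIDFILE?)"
    return 1
  fi
  # Give ntpd 15 seconds to exit. kill -0 sends no signal; it only checks
  # whether the process still exists.
  i=0
  while [ "$i" -lt 15 ]; do
    if kill -0 "$PID" 2> /dev/null; then
      printf '%s' .
      sleep 1
    else
      echo " OK!"
      rm -f -- "$PIDFILE"
      return 0
    fi
    i=$((i + 1))
  done
  echo " FAILED! ntpd is still running"
  return 1
}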
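# Report whether ntpd appears to be running, judged by the pid file alone
# (the pid itself is not checked for liveness). Always returns 0.
ntpd_status() {
  if [ -r "$PIDFILE" ]; then
    echo "NTP daemon is running as $(cat "$PIDFILE")"
  else
    echo "NTP daemon is not running"
  fi
}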
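# Command dispatch. "restart" now runs stop and then start unconditionally:
# the original `ntpd_stop && ntpd_start` never started the daemon when it was
# not already running (e.g. the first `service ntpd restart` right after
# installation), because a missing pid file makes ntpd_stop return 1.
# ntpd_start still refuses to run while a pid file exists, so a stop that
# fails on a live daemon cannot produce a second one.
# Usage errors go to stderr and exit 2 (LSB: invalid argument) instead of
# silently exiting 0.
case "$1" in
  start)
    ntpd_start
    ;;
  stop)
    ntpd_stop
    ;;
  restart)
    ntpd_stop
    ntpd_start
    ;;
  status)
    ntpd_status
    ;;
  *)
    echo "Usage: $0 (start|stop|restart|status)" >&2
    exit 2
    ;;
esac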
/etc/ntp.conf
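# Access control. "ignore" drops packets of every kind from any address not
# matched by a more specific restrict line below — that includes the replies
# of our own upstream server, so each server needs an entry of its own.
restrict default ignore
# localhost: full access (ntpq/ntpdc administration from the box itself)
restrict 127.0.0.1
# LAN clients may synchronise time but not query-control or modify the daemon
# (notrap nomodify); adjust the network to yours
restrict 192.168.1.0 mask 255.255.255.0 notrap nomodify
# Let the upstream server's responses through the default-ignore rule (it
# lies outside 192.168.1.0/24 and had no entry in the original). NOTE(review):
# if the original config appeared to work, check `ntpq -p` — the reach column
# stays 0 while replies are being dropped.
restrict 192.168.26.11 nomodify notrap noquery
# Upstream time source; "prefer" makes it the preferred peer
server 192.168.26.11 prefer
# Local clock as a last-resort source, deliberately at a poor stratum so any
# real source wins
server 127.127.1.0 # local clock
fudge 127.127.1.0 stratum 10
# Frequency drift file; its directory must be writable by the account the
# init script runs ntpd as (-u ntp:ntp)
driftfile /var/lib/ntp/drift
# Symmetric keys for authenticated peers/queries (see ntp-keygen)
keys /etc/ntp/keys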
7.3启动服务
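# The init script was written by hand above, so give it its mode bits
chmod 755 /etc/init.d/ntpd
# Register with chkconfig before enabling. Both commands require the
# "# chkconfig:" and "# description:" header lines in /etc/init.d/ntpd and
# fail with "service ntpd does not support chkconfig" when they are missing.
chkconfig --add ntpd
chkconfig ntpd on
# First start. With the script's restart implemented as "stop && start", a
# restart on a host where ntpd is not running does nothing, so start it
# explicitly.
service ntpd start
# Verify it is syncing: the reach column becomes non-zero after a few polls
ntpq -p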