CentOS 7.8: upgrading OpenSSH 7.4p1 (OpenSSL 1.0.2k-fips) to OpenSSH 9.8p1 (OpenSSL 1.1.1w)

For security reasons OpenSSH has to be upgraded to the current release, and because the new OpenSSH needs a newer OpenSSL, OpenSSL is upgraded at the same time. To avoid losing access to the server once the old sshd is taken out of service, telnet-server is installed first so that a remote login is still possible if the SSH upgrade fails. (Keep several SSH sessions open during the whole procedure as well.) Note that telnet carries the password in cleartext, so this fallback belongs only on a host reachable from the internal network, and it is removed again at the end.

OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017 is upgraded to OpenSSH_9.8p1, OpenSSL 1.1.1w 11 Sep 2023

Upgrading OpenSSH

OpenSSL 1.1.1w
OpenSSH 9.8p1

  • Back up the data or take a snapshot
  • Check the current versions
    ssh -V
    OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
    cat /etc/redhat-release
    CentOS Linux release 7.8.2003 (Core)
  • Set up the yum repository (Aliyun mirror; the repo file itself is fetched over plain HTTP, so look at it before using it and keep gpgcheck=1 so package signatures are still verified)
    sudo cp /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo.bak
    sudo wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
    sudo yum makecache
  • Install the build dependencies (this also installs the distribution's OpenSSL 1.0.2 headers, which are moved aside in the next step)
    yum install -y vim gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel pam-devel zlib-devel tcp_wrappers-devel tcp_wrappers libedit-devel perl-IPC-Cmd wget tar lrzsz
  • Back up (move aside) the existing OpenSSL

    whereis openssl
    
    # openssl: /usr/bin/openssl /usr/lib64/openssl /usr/include/openssl /usr/local/openssl /usr/share/man/man1/openssl.1ssl.gz
    
    mv /usr/bin/openssl /usr/bin/openssl.bak
    mv /usr/lib64/openssl /usr/lib64/openssl.bak
    mv /usr/include/openssl /usr/include/openssl.bak
    mv /usr/local/openssl /usr/local/openssl.bak
    
    #yum deplist openssl
    #yum remove openssl  (not done, because of the packages that depend on it)

    /usr/lib64/openssl only holds the engine modules; the shared libraries libssl.so.10 and libcrypto.so.10 stay in /usr/lib64, so distribution programs linked against OpenSSL 1.0.2 keep working. /usr/local/openssl on this host is a separate, source-built OpenSSL 1.0.x that php-fpm was linked against (see the last step); once it is moved, php-fpm will no longer start until that is dealt with.
  • Download the source
    cd /usr/local/src
    wget https://www.openssl.org/source/openssl-1.1.1w.tar.gz --no-check-certificate

    --no-check-certificate disables TLS certificate validation for this download, so it must not be the only thing between you and a tampered tarball: compare the file's SHA-256 with the digest the OpenSSL project publishes for the release (or verify the detached .asc signature) before unpacking it. The same applies to the OpenSSH tarball fetched from a third-party mirror further down.
  • Build and install OpenSSL

    tar -xzvf openssl-1.1.1w.tar.gz
    cd openssl-1.1.1w/
    ./config --prefix=/usr/local/openssl
    make && make install
    
    ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
    ln -s /usr/local/openssl/lib/libssl.so.1.1 /usr/lib/libssl.so.1.1
    ln -s /usr/local/openssl/lib/libcrypto.so.1.1 /usr/lib/libcrypto.so.1.1
    echo '/usr/local/openssl/lib' >> /etc/ld.so.conf.d/ssl.conf
    ldconfig -v

    The new OpenSSL lives under its own prefix, so the 1.0.2 packages are left untouched and yum can still update them. The ld.so.conf.d entry followed by ldconfig registers /usr/local/openssl/lib with the dynamic linker so that the OpenSSH binaries built below can load libssl.so.1.1 and libcrypto.so.1.1 at runtime.
  • Verify (openssl version should now report OpenSSL 1.1.1w 11 Sep 2023)
    whereis openssl
    openssl version
  • Install telnet-server
    yum install telnet* -y
    systemctl start telnet.socket
    systemctl enable telnet.socket
  • Lift the terminal restriction for the temporary login (by default root is not allowed to log in over telnet)
    mv /etc/securetty /etc/securetty.bak
  • Stop the firewall
    firewall-cmd --state
    systemctl stop firewalld.service

    Both of these widen the attack surface for the duration of the upgrade: without /etc/securetty root may log in on any terminal, and telnet sends that password in cleartext on TCP/23, which stopping firewalld exposes together with every other listening port. Do this only on a host reachable solely from the internal network, keep the window short, and if the host is reachable from anywhere else, prefer a firewalld rule that admits TCP/23 from the admin workstation alone over stopping the service. Both changes are reverted in the cleanup step at the end.
  • Test a telnet login from the internal network
    telnet 192.168.10.110
  • Carry out the following steps from the telnet session (keeping the existing SSH sessions open as well)
  • Back up SSH

    whereis ssh sshd
    mv /etc/ssh /etc/ssh.bak
    mv /usr/bin/ssh /usr/bin/ssh.bak
    mv /usr/sbin/sshd /usr/sbin/sshd.bak

    Moving /etc/ssh aside takes the host keys with it, and the OpenSSH build below generates fresh ones during make install. Every client that has connected before will then get a "REMOTE HOST IDENTIFICATION HAS CHANGED" warning and refuse to connect until its known_hosts entry is corrected. If that is not wanted, copy ssh_host_rsa_key, ssh_host_ecdsa_key and ssh_host_ed25519_key (with their .pub files) back from /etc/ssh.bak into the new /etc/ssh before the new sshd is started; the file format is unchanged. The old sshd_config in /etc/ssh.bak is the reference for any site settings that have to be carried over.
  • Back up the PAM configuration
    mv /etc/pam.d/sshd /etc/pam.d/sshd.old
  • Remove the old OpenSSH package (skipped, to avoid removing dependencies that are still needed)

    #yum deplist openssh
    #yum remove openssh

Rather than removing the package, just stop the service: systemctl stop sshd.service (existing SSH sessions survive this because the unit uses KillMode=process, but no new SSH logins are possible until the new sshd is running, which is what the telnet fallback is for)
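The digest check that the downloads above and below (openssl-1.1.1w.tar.gz, and openssh-9.8p1.tar.gz in the next step) call for, as an added shell example that is not part of the original post: verify_tarball compares a file's SHA-256 with a digest obtained out of band and refuses to proceed on a mismatch. It runs offline on a constructed stand-in file whose digest is known in advance; the real digests come from the OpenSSL and OpenSSH release announcements (or the signed checksum files next to the tarballs) and are not reproduced here.

```shell
#!/bin/sh
# Added example, not from the original post: verify a downloaded tarball
# against a SHA-256 digest obtained out of band before unpacking it.
# Runs offline against a constructed sample file.
set -eu

# Print the SHA-256 of a file with whichever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

# verify_tarball FILE EXPECTED_SHA256
# Exit status 0 when the digest matches (hex case ignored), 1 on mismatch
# or when the file is missing; the caller only unpacks on 0.
verify_tarball() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ ! -f "$file" ]; then
        echo "verify_tarball: missing file: $file" >&2
        return 1
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "OK       $file"
        return 0
    fi
    echo "MISMATCH $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# Constructed stand-in for openssl-1.1.1w.tar.gz: the digest below is the
# SHA-256 of the literal bytes "hello world\n", computed in advance.
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
printf 'hello world\n' > "$WORKDIR/sample.tar.gz"
SAMPLE_SHA256=a948904f2f0f479b8f8197694b30184b0d2ed1c1cd2a1ec0fb85d299a192a447

# Matching digest: this is the point at which tar -xzvf would run.
verify_tarball "$WORKDIR/sample.tar.gz" "$SAMPLE_SHA256"

# A tampered or truncated download: verification fails, nothing is unpacked.
printf 'hello world!\n' > "$WORKDIR/tampered.tar.gz"
if verify_tarball "$WORKDIR/tampered.tar.gz" "$SAMPLE_SHA256"; then
    echo "unexpected: tampered file passed" >&2
    exit 1
fi
```

On the real host, call verify_tarball with the downloaded tarball and the published digest right before the tar -xzvf step, and keep the expected value somewhere you control rather than next to the download.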

  • Download OpenSSH
    cd /usr/local/src
    wget https://mirrors.aliyun.com/pub/OpenBSD/OpenSSH/portable/openssh-9.8p1.tar.gz

    This is a third-party mirror of the OpenBSD tree; verify the tarball against the openssh-9.8p1.tar.gz.asc signature, or at least against the digest published with the official release, before building it.
  • Build and install the new OpenSSH

    tar xzvf openssh-9.8p1.tar.gz
    cd openssh-9.8p1/
    ./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-pam --with-ssl-dir=/usr/local/openssl/
    
    make && make install

    --with-ssl-dir points the build at the 1.1.1w tree installed above (the 1.0.2 headers were moved out of /usr/include/openssl so they cannot be picked up by mistake), --sysconfdir=/etc/ssh keeps the configuration where the distribution had it, and --with-pam is required for the UsePAM yes setting below. make install also creates the privilege-separation directory, installs a default sshd_config in which PermitRootLogin, PasswordAuthentication and UsePAM appear only as commented-out defaults, and generates host keys if /etc/ssh has none; the unprivileged sshd account that privilege separation needs still exists from the distribution package. OpenSSH 9.8 splits the server into the listener, sshd, and a per-connection sshd-session program installed in /usr/local/openssh/libexec; its path is compiled into sshd, so the copy of sshd made in the next step still finds it.
  • Set up the sshd service

    mv /etc/init.d/sshd /etc/init.d/sshd.bak
    cp contrib/redhat/sshd.init /etc/init.d/sshd
    cp /usr/local/openssh/sbin/sshd /usr/sbin/
    cp /usr/local/openssh/bin/ssh /usr/bin/
    mv /usr/bin/ssh-keygen /usr/bin/ssh-keygen.bak
    cp /usr/local/openssh/bin/ssh-keygen /usr/bin/
    ll /etc/init.d/
    chkconfig --add sshd
    
    echo 'PermitRootLogin yes' >> /etc/ssh/sshd_config
    echo 'PasswordAuthentication yes' >> /etc/ssh/sshd_config
    echo 'UsePAM yes' >> /etc/ssh/sshd_config

    Three things to be aware of here. First, CentOS 7 is a systemd system and the old package's native sshd.service unit is still installed; systemd prefers a native unit over a SysV script of the same name, so the restart below goes through that unit, which runs /usr/sbin/sshd (now the 9.8p1 binary). Check with systemctl cat sshd that its settings (for example Type=) are ones the upstream build satisfies, otherwise the start can hang until systemd gives up on it. Second, only sshd, ssh and ssh-keygen are replaced; scp, sftp, ssh-agent, ssh-add and the rest stay at 7.4p1 unless they are copied from /usr/local/openssh/bin as well. Third, sshd uses the first value it finds for a keyword, so these appended lines only take effect because the fresh sshd_config has them commented out; and PermitRootLogin yes together with PasswordAuthentication yes is weaker than the PermitRootLogin prohibit-password default that 9.8p1 ships with. Once the upgrade is verified, move root to key-based login (or set PermitRootLogin no) rather than leaving root password logins enabled.
  • Restore the PAM configuration
    mv /etc/pam.d/sshd.old /etc/pam.d/sshd
  • Start sshd
    /etc/init.d/sshd restart
  • Verify
    sshd -V
    ssh -V
    systemctl status sshd

    Then test an SSH login from a new session while the telnet session and the existing SSH sessions stay open; close them only after the new login works. sshd -t checks the configuration for errors and sshd -T prints the settings the server is actually using, which is the quickest way to confirm what PermitRootLogin and PasswordAuthentication resolved to.
  • Follow-up (revert the temporary access)

    mv /etc/securetty.bak /etc/securetty
    systemctl start firewalld.service
    systemctl disable telnet.socket
    systemctl stop telnet.socket
    yum remove telnet-server
  • Rebuild or update PHP
    For now, php-fpm, which stopped starting because it was linked against the source-built OpenSSL 1.0.x that was moved to /usr/local/openssl.bak, is brought back by linking the old libraries into place (rebuild PHP against the new OpenSSL outside business hours):
    ldd /www/server/php/74/sbin/php-fpm
    ln -s /usr/local/openssl.bak/lib/libssl.so.1.0.0 /lib64/libssl.so.1.0.0
    ln -s /usr/local/openssl.bak/lib/libcrypto.so.1.0.0 /lib64/libcrypto.so.1.0.0

    ldd is what shows the libraries reported as "not found" before the links are created. This restores service but not security: php-fpm keeps running on the old OpenSSL 1.0.x code the upgrade was meant to retire, so the rebuild against 1.1.1w should not be postponed indefinitely.
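Two checks worth scripting for the verification step and for the php-fpm problem above, as an added shell example that is not part of the original post. sshd_effective reads an sshd_config the way sshd does for its global section: the first value found for a keyword wins (keywords compared case-insensitively, settings after a Match line ignored because they apply only to matched connections), which is why the echo ... >> lines only work when the keyword was not already set. openssl_link_check parses ldd output and reports libraries that are "not found" or an OpenSSL library resolved from somewhere other than the intended prefix. Both run on constructed input embedded below: a sample sshd_config and two sample ldd listings, one for a new sshd linked against /usr/local/openssl and one for a php-fpm still tied to libssl.so.1.0.0; the configuration lines, library paths and load addresses are made up for the example.

```shell
#!/bin/sh
# Added example, not from the original post: post-cutover checks, run here
# on constructed input so the script works offline.
set -eu

# sshd_effective KEYWORD CONFIG_FILE
# Print the value sshd uses for KEYWORD: the first match in the global
# section (sshd_config(5): "the first obtained value will be used").
# Keywords are matched case-insensitively; the "Keyword value" form is
# assumed (no "=" separator). Lines after a Match header are not examined.
# Exit status 1 when the keyword is not set (the compiled-in default applies).
sshd_effective() {
    kw=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v kw="$kw" '
        /^[[:space:]]*#/ { next }                      # comment
        /^[[:space:]]*$/ { next }                      # blank line
        tolower($1) == "match" { exit 1 }              # end of the global section
        tolower($1) == kw { $1 = ""; sub(/^[[:space:]]+/, ""); print; found = 1; exit 0 }
        END { if (!found) exit 1 }
    ' "$2"
}

# openssl_link_check PREFIX   (ldd output on stdin)
# Print how libssl/libcrypto resolve and any library reported "not found".
# Exit status 1 if something is missing or an OpenSSL library comes from
# outside PREFIX/lib (for example the distribution's libcrypto.so.10).
openssl_link_check() {
    awk -v prefix="$1" '
        $3 == "not" && $4 == "found" { print "MISSING  " $1; bad = 1; next }
        $1 ~ /^lib(ssl|crypto)\.so/ {
            if (index($3, prefix "/lib/") == 1) print "OK       " $1 " -> " $3
            else { print "WRONG    " $1 " -> " $3; bad = 1 }
        }
        END { exit bad + 0 }
    '
}

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Constructed sshd_config: the three lines the post appends land AFTER an
# already-active PermitRootLogin line, so the appended "yes" is ignored.
cat > "$WORKDIR/sshd_config" <<'EOF'
# constructed sample, not a real server's configuration
Port 22
PermitRootLogin prohibit-password
AuthorizedKeysFile .ssh/authorized_keys
Subsystem sftp /usr/local/openssh/libexec/sftp-server
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
Match User backup
    PasswordAuthentication no
EOF

# Constructed ldd listings (load addresses shortened): the new sshd linked
# against /usr/local/openssl, and a php-fpm whose 1.0.x libraries were moved.
LDD_SSHD='    libcrypto.so.1.1 => /usr/local/openssl/lib/libcrypto.so.1.1 (0x1)
    libssl.so.1.1 => /usr/local/openssl/lib/libssl.so.1.1 (0x2)
    libpam.so.0 => /lib64/libpam.so.0 (0x3)
    libc.so.6 => /lib64/libc.so.6 (0x4)'
LDD_PHPFPM='    libssl.so.1.0.0 => not found
    libcrypto.so.1.0.0 => not found
    libc.so.6 => /lib64/libc.so.6 (0x4)'

check_new_sshd() { printf '%s\n' "$LDD_SSHD"   | openssl_link_check /usr/local/openssl; }
check_php_fpm()  { printf '%s\n' "$LDD_PHPFPM" | openssl_link_check /usr/local/openssl; }

for k in PermitRootLogin PasswordAuthentication UsePAM PubkeyAuthentication; do
    v=$(sshd_effective "$k" "$WORKDIR/sshd_config") || v="(not set, compiled-in default applies)"
    echo "$k: $v"
done
echo "--- new sshd"
check_new_sshd
echo "--- php-fpm"
check_php_fpm || echo "php-fpm cannot start until it is rebuilt (or its old libraries are linked back)"
```

On the real host, feed the live files instead of the samples: sshd_effective PermitRootLogin /etc/ssh/sshd_config, and ldd /usr/sbin/sshd | openssl_link_check /usr/local/openssl (likewise for php-fpm). sshd -T remains the authoritative view of the effective configuration; the parser here only explains why an appended line may not change it.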

Tags: Ops
