Upgrading OpenSSH on CentOS 7

Published: 2023-11-17 11:02:27 Author: 高佳丰

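As computer technology advances rapidly, the security requirements placed on computers have grown stricter. OpenSSH, as the protocol implementation for file transfer and remote client connections, is obviously important. Yet the OpenSSH that ships natively with CentOS 7 is such an old version that vulnerabilities keep turning up in it, so to make upgrading easier I wrote a shell script.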

 

#!/bin/bash

set -e

# Install the dependency packages
tar xf /opt/depends.tar.gz -C /opt
rpm -ivh --nodeps --force /opt/depends/*.rpm


# Install OpenSSL

# -p: do not fail under "set -e" if the directory already exists
mkdir -p /usr/local/openssl && cd /opt/src && tar xf openssl-1.1.1k.tar.gz

cd openssl-1.1.1k/ && ./config --prefix=/usr/local/openssl

make  && make install

mv /usr/bin/openssl /usr/bin/openssl.bak
mv /usr/include/openssl /usr/include/openssl.bak

# rm -f instead of unlink: succeeds even when the old symlink is absent
rm -f /usr/lib64/libssl.so

ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl

ln -s /usr/local/openssl/include/openssl /usr/include/openssl

ln -s /usr/local/openssl/lib/libssl.so /usr/lib64/libssl.so

echo '/usr/local/openssl/lib' >> /etc/ld.so.conf

ldconfig -v

ln -s /usr/local/openssl/lib/libssl.so.1.1 /usr/lib64/libssl.so.1.1

ln -s /usr/local/openssl/lib/libcrypto.so.1.1 /usr/lib64/libcrypto.so.1.1


# Deploy OpenSSH
cd /opt/src
cp /etc/ssh/sshd_config sshd_config.backup

cp /etc/pam.d/sshd sshd.backup

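# Removes the packaged OpenSSH; keep the current session open until the new sshd is confirmed working
rpm -e --nodeps $(rpm -qa | grep openssh)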

tar xf openssh-9.4p1.tar.gz && cd openssh-9.4p1

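# Note: --without-hardening turns off the toolchain hardening flags that configure enables by default
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-zlib --with-tcp-wrappers --with-ssl-dir=/usr/local/openssl --without-hardening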

make 
# "|| true" lets the script continue even if "make install" exits non-zero, so review its output
make install || true

chmod 600 /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_ecdsa_key /etc/ssh/ssh_host_ed25519_key

cp -a contrib/redhat/sshd.init /etc/init.d/sshd
chmod u+x /etc/init.d/sshd

mv -f ../sshd.backup /etc/pam.d/sshd
mv -f ../sshd_config.backup /etc/ssh/sshd_config

echo "KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521" >> /etc/ssh/sshd_config
chkconfig --add sshd
chkconfig sshd on

systemctl restart sshd
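
Checks to run around the KexAlgorithms append and the final restart, added here as an example and not part of the original script: sshd keeps the first value it finds for a keyword, and a line appended after a `Match` block lands inside that block, where KexAlgorithms is not accepted, so the append can be silently ignored or stop sshd from starting. The function names and the `--pre`/`--post` switches are hypothetical; the minimum version 9.4 is taken from the tarball name in the script.

```shell
#!/bin/bash
# Added example, not from the original script. Function names are hypothetical.

# version_ok "<ssh -V banner>" "<minimum major.minor>"
# Succeeds when the banner reports an OpenSSH version >= the minimum.
version_ok() {
    local have
    have=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9]*\.[0-9]*\).*/\1/p')
    [ -n "$have" ] || return 2          # banner not recognised
    [ "$(printf '%s\n%s\n' "$2" "$have" | sort -V | head -n 1)" = "$2" ]
}

# kex_append_safe <sshd_config>
#   0  safe to append a global KexAlgorithms line
#   1  a KexAlgorithms line already exists; sshd keeps the first value,
#      so an appended line would be ignored
#   2  the file has a Match block; an appended line would fall inside it
kex_append_safe() {
    if grep -Eiq '^[[:space:]]*Match[[:space:]]' "$1"; then return 2; fi
    if grep -Eiq '^[[:space:]]*KexAlgorithms[[:space:]=]' "$1"; then return 1; fi
    return 0
}

# effective_kex: reads `sshd -T` output on stdin and prints the
# key-exchange list sshd will actually offer.
effective_kex() {
    awk 'tolower($1) == "kexalgorithms" { print $2; exit }'
}

case "${1:-}" in
    # Before the `echo "KexAlgorithms ..." >>` step of the upgrade script.
    --pre)  kex_append_safe /etc/ssh/sshd_config ;;
    # Before `systemctl restart sshd`: the config must parse, the new client
    # binary must be the one in PATH, and the effective list is printed.
    --post) sshd -t && version_ok "$(ssh -V 2>&1)" 9.4 && sshd -T | effective_kex ;;
esac
```
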

 

Reference link: https://blog.csdn.net/weixin_43741718/article/details/132583582