1.安装步骤
- 安装pam-devel依赖包
- 提前把系统的 /etc/ssh/sshd_config 文件放到 /servyou/install/ssh_update 下(升级脚本会用它替换新安装生成的配置)
- mkdir -p /servyou/install/ssh_update
- chmod 777 /servyou/install/ssh_update/*
2.先升级openssl
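#!/bin/bash
# Step 2: build and install OpenSSL from the source tarball staged in
# $install_path, then point the system's openssl command, headers and the
# development symlinks /usr/lib64/libssl.so and /usr/lib64/libcrypto.so at
# the new build under /usr/local/openssl.
#
# Must run as root on an x86_64 linux6/7 host.  Exits 9 on any unmet
# precondition or failed step (the original script's convention).
#
# Changes from the original:
#   - the target version is read from the tarball instead of being
#     hard-coded twice with different values (the "already upgraded" test
#     looked for 1.1.1l while the "upgrade succeeded" test looked for
#     1.1.1q, so the script could not report success for the build it
#     had tested for beforehand);
#   - the build is verified before any system file is moved; the original
#     renamed /usr/bin/openssl and the headers even when ./config or make
#     had failed;
#   - `cd openssl*` matched both the tarball and the extracted tree; the
#     tree name is now taken from the archive listing;
#   - re-runs no longer clobber the *.old backups or append duplicate lines
#     to /etc/ld.so.conf;
#   - the `ln -sf .../libcrypto.so.1.0.0 /lib64/libcrypto.so.6` line is
#     dropped: OpenSSL 1.1.1 does not produce libcrypto.so.1.0.0, so it
#     only replaced the distro's libcrypto.so.6 with a dangling link;
#   - the dependency checks ask rpm for the exact package; the former
#     `rpm -qa | grep gcc` always matched libgcc and could never fail.
#
# The telnet-server fallback (telnet enabled, pam_securetty commented out)
# is kept as the author's emergency login path in case the ssh upgrade in
# step 3 leaves sshd unusable; step 3 disables it again once the new sshd is
# confirmed running.  Pre-edit copies of the PAM files are kept as
# <file>.ssh_update.orig for that purpose.
#
# Notes for the operator: /usr/lib64/libssl.so and libcrypto.so are the
# links every later `-lssl` build on this host resolves, so software
# compiled afterwards links against the 1.1.1 ABI; and step 1's chmod 777
# leaves the staged tarball writable by every local user until it is built.

set -o pipefail

install_path=/servyou/install/ssh_update
prefix=/usr/local/openssl
log=$install_path/openssl_install.log
stamp=$(date +%Y%m%d%H%M%S)

# Print a message that may carry \033 colour escapes (same output as the
# original `echo -e`).
say() { printf '%b\n' "$1"; }

# Print the message to stderr and stop with the script's exit code.
die() { say "$1" >&2; exit 9; }

# Kernel flavour that selects the service manager: el6, el7 or "" (unknown;
# the original only printed a message in that case and carried on).
case $(uname -r) in
  *el6*) el_release=el6 ;;
  *el7*) el_release=el7 ;;
  *)     el_release= ;;
esac

#######################################
# Enable telnet-server as the emergency login path (the author's fallback
# for a broken sshd): install xinetd/telnet if absent, enable the telnet
# service and comment out pam_securetty (which restricts root logins to the
# terminals listed in /etc/securetty).  The untouched PAM files are saved
# once as <file>.ssh_update.orig so step 3 can restore them.
# Globals:   el_release (read)
# Returns:   0 when xinetd is running afterwards, non-zero otherwise
#######################################
enable_telnet_fallback() {
  local pam_file
  yum -y install zlib
  # Quoted globs are package patterns for yum, not shell globs of the cwd.
  rpm -q xinetd >/dev/null 2>&1        || yum -y install 'xinetd*'
  rpm -q telnet-server >/dev/null 2>&1 || yum -y install 'telnet-server*'
  rpm -q telnet >/dev/null 2>&1        || yum -y install 'telnet*'
  # xinetd-managed telnet (linux6); the file is absent on a systemd host.
  if [ -f /etc/xinetd.d/telnet ]; then
    sed -i 's/disable.*/disable = no/g' /etc/xinetd.d/telnet
  fi
  for pam_file in /etc/pam.d/login /etc/pam.d/remote; do
    [ -e "$pam_file" ] || continue
    if [ ! -e "$pam_file.ssh_update.orig" ]; then
      cp -p -- "$pam_file" "$pam_file.ssh_update.orig"
    fi
    sed -i 's/^.*pam_securetty.so/#&/g' "$pam_file"
  done
  case $el_release in
    el6)
      service xinetd restart
      chkconfig xinetd on
      ;;
    el7)
      systemctl enable xinetd.service
      systemctl enable telnet.socket
      systemctl start telnet.socket
      systemctl start xinetd
      ;;
    *)
      say '\033[32m您当前的操作系统内核不是x86_64,此安装文件仅适用linux6/7 64位系统。\033[0m'
      ;;
  esac
  pgrep -x xinetd >/dev/null
}

#######################################
# Make LINK a symlink to TARGET, moving whatever is at LINK (file, directory
# or a symlink to something else) aside as LINK.old, or LINK.old.<stamp>
# when .old is already taken, so a re-run never overwrites the original
# backup.  A LINK that already points at TARGET is left as is.
# Arguments: $1 - link target (a path under $prefix)
#            $2 - system path to replace
# Globals:   stamp (read)
# Returns:   0, or exits via die when TARGET is missing or mv/ln fail
#######################################
replace_with_link() {
  local target=$1 link=$2 backup
  [ -e "$target" ] || die "\033[31m$target 不存在,安装未完成,请检查。\033[0m"
  if [ -L "$link" ] && [ "$(readlink -- "$link")" = "$target" ]; then
    return 0
  fi
  if [ -e "$link" ] || [ -L "$link" ]; then
    backup=$link.old
    if [ -e "$backup" ] || [ -L "$backup" ]; then
      backup=$backup.$stamp
    fi
    mv -- "$link" "$backup" || die "\033[31m无法备份 $link,请检查。\033[0m"
  fi
  ln -s -- "$target" "$link" || die "\033[31m无法创建软链接 $link,请检查。\033[0m"
}

#######################################
# Check preconditions, build OpenSSL, switch the system paths over.
# Globals:   install_path, prefix, log (read)
# Returns:   0 on success; exits 9 otherwise
#######################################
main() {
  local tarball src_dir ssl_version

  [ "$(id -u)" -eq 0 ] || die '\033[32m启动用户错误,请确认。\033[0m'
  [ "$(uname -m)" = x86_64 ] \
    || die '\033[32m您当前的操作系统内核不是7.x86_64,此安装文件仅适用linux6/7 64位系统。\033[0m'

  # Exactly one staged tarball; its top-level directory gives the version
  # (openssl-1.1.1l -> 1.1.1l) used by both version checks below.
  local tarballs=("$install_path"/openssl*.tar.gz)
  if [ "${#tarballs[@]}" -ne 1 ] || [ ! -f "${tarballs[0]}" ]; then
    die "\033[31m请确认目录下$install_path下安装包正常。\033[0m"
  fi
  tarball=${tarballs[0]}
  src_dir=$(tar -tzf "$tarball" 2>/dev/null | head -n 1 | sed 's#^\./##; s#/.*$##')
  [ -n "$src_dir" ] || die "\033[31m无法读取安装包 $tarball,请检查。\033[0m"
  ssl_version=${src_dir#openssl-}

  if [[ $(openssl version 2>/dev/null) == *"$ssl_version"* ]]; then
    say '\033[32m您当前的ssl版本为已进行过升级,不需要再进行升级。\033[0m'
    exit 9
  fi

  # Build dependencies; `rpm -q` with the exact names replaces the former
  # `rpm -qa | grep`, which matched unrelated packages (libgcc, zlib).
  yum -y install 'gcc*' 'gcc-c++*'
  rpm -q gcc gcc-c++ >/dev/null 2>&1 \
    || die '\033[31m您的环境缺少gcc依赖包,请确认yum源正常并进行安装。\033[0m'
  yum -y install zlib-devel
  rpm -q zlib-devel >/dev/null 2>&1 \
    || die '\033[31m您的环境缺少zlib-devel依赖包,请确认yum源正常并进行安装。\033[0m'

  enable_telnet_fallback || die '\033[32mtelnet-server安装启动失败,请检查!\033[0m'

  # Build inside the source tree; no system file is touched until the whole
  # pipeline has succeeded (pipefail makes tee pass the build status on).
  cd "$install_path" || die "\033[31m请确认目录下$install_path下安装包正常。\033[0m"
  tar -zxf "$tarball" || die "\033[31m解压 $tarball 失败,请检查。\033[0m"
  cd "$install_path/$src_dir" || die "\033[31m未找到源码目录 $src_dir,请检查。\033[0m"
  : >"$log"
  {
    ./config shared zlib --prefix="$prefix" \
      && make depend \
      && make \
      && make install
  } 2>&1 | tee -a "$log" \
    || die '\033[31m您当前的ssl版本升级失败,请检查。\033[0m'

  # Switch the system paths over to the new build, keeping the old files
  # as *.old.  The original also pointed /lib64/libcrypto.so.6 at a
  # libcrypto.so.1.0.0 that a 1.1.1 build never creates; that dangling
  # link is deliberately not recreated here.
  replace_with_link "$prefix/bin/openssl" /usr/bin/openssl
  replace_with_link "$prefix/bin/openssl" /usr/local/bin/openssl
  replace_with_link "$prefix/include/openssl" /usr/include/openssl
  replace_with_link "$prefix/lib/libssl.so" /usr/lib64/libssl.so
  replace_with_link "$prefix/lib/libcrypto.so" /usr/lib64/libcrypto.so

  # Register the new library directory once; the original appended a line
  # on every run.
  grep -qxF "$prefix/lib" /etc/ld.so.conf || echo "$prefix/lib" >>/etc/ld.so.conf
  ldconfig
  {
    ldd "$prefix/bin/openssl"
    command -v openssl
    openssl version
  } 2>&1 | tee -a "$log"

  hash -r   # drop any cached path to the old binary before re-checking
  if [[ $(openssl version 2>/dev/null) == *"$ssl_version"* ]]; then
    say '\033[32m您当前的ssl版本已完成升级。\033[0m'
  else
    die '\033[31m您当前的ssl版本升级失败,请检查。\033[0m'
  fi
}

main "$@"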
3.升级openssh
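#!/bin/bash
# Step 3: build OpenSSH from the source tarball staged in $install_path
# against the OpenSSL tree built in step 2, replace the distro openssh
# packages with it, install the staged sshd_config and restart sshd.
#
# Must run as root on an x86_64 linux6/7 host after step 2 succeeded.
# Exits 9 on any unmet precondition or failed step (the original's
# convention).
#
# Changes from the original:
#   - configure and make run while the old sshd is still in place; sshd is
#     stopped, the packages erased and `make install` run only after a
#     successful build, so a build failure leaves the host with its working
#     sshd.  The original also ran configure twice, and the second
#     (effective) run spelled `--with-md5-passwords--with-pam` without a
#     space, which configure does not recognise as either flag, so the
#     installed sshd was built without PAM and MD5 password support;
#   - the target version is read from the tarball; the old check looked
#     for OpenSSH_8.8 while its message claimed 8.6p1;
#   - `cd openssh*` matched both the tarball and the extracted tree;
#   - /etc/ssh.bak is never reused on a second run (mv would have nested
#     the live /etc/ssh inside the existing backup directory);
#   - the staged sshd_config is installed as 0600 root:root; step 1 applies
#     chmod 777 to the staged files and `cp -a` preserved that mode on
#     /etc/ssh/sshd_config, leaving the daemon's configuration writable by
#     every local user;
#   - the configuration is checked with `sshd -t` before sshd is restarted;
#   - /etc/pam.d/sshd (owned by the erased openssh-server rpm) is recreated
#     from contrib/redhat/sshd.pam when missing, the sshd privilege-
#     separation user is verified, and the previous host keys are restored
#     from the backup so clients do not see a changed host key;
#   - as the original comment announced but never did, the telnet fallback
#     is disabled and pam_securetty restored once the new sshd is running.
#
# --with-tcp-wrappers is kept from the original; current OpenSSH no longer
# has that option and configure is expected only to warn about it.

set -o pipefail

install_path=/servyou/install/ssh_update
ssl_version=1.1.1l                           # the version step 2 installs
ssl_src=$install_path/openssl-$ssl_version   # step 2's build tree (--with-ssl-dir)
log=$install_path/install_ssh.log
stamp=$(date +%Y%m%d%H%M%S)

# Print a message that may carry \033 colour escapes (same output as the
# original `echo -e`).
say() { printf '%b\n' "$1"; }

# Print the message to stderr and stop with the script's exit code.
die() { say "$1" >&2; exit 9; }

# Kernel flavour that selects the service manager: el6, el7 or "" (unknown;
# the original only printed a message in that case and carried on).
case $(uname -r) in
  *el6*) el_release=el6 ;;
  *el7*) el_release=el7 ;;
  *)     el_release= ;;
esac

#######################################
# Enable telnet-server as the emergency login path (the author's fallback
# for a broken sshd): install xinetd/telnet if absent, enable the telnet
# service and comment out pam_securetty (which restricts root logins to the
# terminals listed in /etc/securetty).  The untouched PAM files are saved
# once as <file>.ssh_update.orig so disable_telnet_fallback can restore
# them.
# Globals:   el_release (read)
# Returns:   0 when xinetd is running afterwards, non-zero otherwise
#######################################
enable_telnet_fallback() {
  local pam_file
  yum -y install zlib
  # Quoted globs are package patterns for yum, not shell globs of the cwd.
  rpm -q xinetd >/dev/null 2>&1        || yum -y install 'xinetd*'
  rpm -q telnet-server >/dev/null 2>&1 || yum -y install 'telnet-server*'
  rpm -q telnet >/dev/null 2>&1        || yum -y install 'telnet*'
  # xinetd-managed telnet (linux6); the file is absent on a systemd host.
  if [ -f /etc/xinetd.d/telnet ]; then
    sed -i 's/disable.*/disable = no/g' /etc/xinetd.d/telnet
  fi
  for pam_file in /etc/pam.d/login /etc/pam.d/remote; do
    [ -e "$pam_file" ] || continue
    if [ ! -e "$pam_file.ssh_update.orig" ]; then
      cp -p -- "$pam_file" "$pam_file.ssh_update.orig"
    fi
    sed -i 's/^.*pam_securetty.so/#&/g' "$pam_file"
  done
  case $el_release in
    el6)
      service xinetd restart
      chkconfig xinetd on
      ;;
    el7)
      systemctl enable xinetd.service
      systemctl enable telnet.socket
      systemctl start telnet.socket
      systemctl start xinetd
      ;;
    *)
      say '\033[32m您当前的操作系统内核不是x86_64,此安装文件仅适用linux6/7 64位系统。\033[0m'
      ;;
  esac
  pgrep -x xinetd >/dev/null
}

#######################################
# Undo enable_telnet_fallback once the new sshd is confirmed running:
# disable the telnet service and put the saved PAM files back.  If the
# .orig copy was taken after an earlier (unmodified) run of step 2 had
# already commented pam_securetty out, the restore only reverts this run's
# edit; check /etc/pam.d/login by hand in that case.
# Globals:   el_release (read)
#######################################
disable_telnet_fallback() {
  local pam_file
  if [ -f /etc/xinetd.d/telnet ]; then
    sed -i 's/disable.*/disable = yes/g' /etc/xinetd.d/telnet
  fi
  for pam_file in /etc/pam.d/login /etc/pam.d/remote; do
    if [ -e "$pam_file.ssh_update.orig" ]; then
      cp -p -- "$pam_file.ssh_update.orig" "$pam_file"
    fi
  done
  case $el_release in
    el6)
      service xinetd restart
      ;;
    el7)
      systemctl stop telnet.socket
      systemctl disable telnet.socket
      ;;
  esac
}

#######################################
# Check preconditions, build OpenSSH, swap it in, restart and verify sshd.
# Globals:   install_path, ssl_version, ssl_src, log, stamp, el_release (read)
# Returns:   0 on success; exits 9 otherwise
#######################################
main() {
  local tarball src_dir ssh_version lib backup key

  [ "$(id -u)" -eq 0 ] || die '\033[32m启动用户错误,请确认。\033[0m'
  [ "$(uname -m)" = x86_64 ] \
    || die '\033[32m您当前的操作系统内核不是.x86_64,此安装文件仅适用linux6/7 64位系统。\033[0m'

  # Exactly one staged tarball; its top-level directory gives the version
  # (openssh-8.8p1 -> 8.8p1) used by the checks below.
  local tarballs=("$install_path"/openssh*.tar.gz)
  if [ "${#tarballs[@]}" -ne 1 ] || [ ! -f "${tarballs[0]}" ]; then
    die "\033[31m请确认目录下$install_path下安装包正常。\033[0m"
  fi
  tarball=${tarballs[0]}
  src_dir=$(tar -tzf "$tarball" 2>/dev/null | head -n 1 | sed 's#^\./##; s#/.*$##')
  [ -n "$src_dir" ] || die "\033[31m无法读取安装包 $tarball,请检查。\033[0m"
  ssh_version=${src_dir#openssh-}

  # Already upgraded?  `ssh -V` prints "OpenSSH_<version>, ..." on stderr.
  if command -v ssh >/dev/null 2>&1 \
      && [[ $(ssh -V 2>&1) == *"OpenSSH_$ssh_version"* ]]; then
    say "\033[32m您当前的ssh版本已是${ssh_version},不需要进行升级。\033[0m"
    exit 9
  fi

  # OpenSSL from step 2 must be in place: the command, the build tree the
  # configure line links against, and the distro libraries still needed by
  # other binaries.
  [[ $(openssl version 2>/dev/null) == *"$ssl_version"* ]] \
    || die '\033[32m您当前的openssl未进行升级,建议升级后继续升级ssh。\033[0m'
  [ -d "$ssl_src" ] || die "\033[31m未找到 $ssl_src,请先完成openssl升级。\033[0m"
  for lib in /usr/lib64/libssl.so /usr/lib64/libssl.so.10 \
             /usr/lib64/libcrypto.so /usr/lib64/libcrypto.so.10; do
    [ -e "$lib" ] || die "$lib 失效,请检查!"
  done

  # --with-pam needs the PAM headers (step 1 lists pam-devel as required).
  rpm -q pam-devel >/dev/null 2>&1 || yum -y install pam-devel
  rpm -q pam-devel >/dev/null 2>&1 \
    || die '\033[31m您的环境缺少pam-devel依赖包,请确认yum源正常并进行安装。\033[0m'

  enable_telnet_fallback || die '\033[32mtelnet-server安装启动失败,请检查!\033[0m'

  # Build first; the running sshd is untouched until this succeeds.
  cd "$install_path" || die "\033[31m请确认目录下$install_path下安装包正常。\033[0m"
  tar -xzf "$tarball" || die "\033[31m解压 $tarball 失败,请检查。\033[0m"
  cd "$install_path/$src_dir" || die "\033[31m未找到源码目录 $src_dir,请检查。\033[0m"
  : >"$log"
  {
    ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords \
      --with-pam --with-tcp-wrappers --with-ssl-dir="$ssl_src" \
      --without-hardening \
      && make
  } 2>&1 | tee -a "$log" \
    || die '\033[31mopenssh编译失败,原有sshd未改动,请检查日志后重试。\033[0m'

  # Swap: stop the old daemon, set its configuration aside, erase the distro
  # packages, install the new build.
  case $el_release in
    el6) service sshd stop ;;
    el7) systemctl stop sshd ;;
    *)   say '\033[32m您当前的操作系统内核不是x86_64,此安装文件仅适用linux6/7 64位系统。\033[0m' ;;
  esac
  backup=/etc/ssh.bak
  if [ -e "$backup" ]; then
    backup=/etc/ssh.bak.$stamp
  fi
  mv /etc/ssh "$backup" || die "\033[31m无法备份 /etc/ssh,请检查。\033[0m"
  rpm -qa 'openssh*' | xargs -r rpm -e --nodeps
  make install 2>&1 | tee -a "$log" \
    || die "\033[31mopenssh安装失败,原配置保存在 $backup,telnet备用通道仍开启,请检查。\033[0m"

  # Files the erased rpm used to own and the new sshd needs at start-up.
  if [ ! -f /etc/pam.d/sshd ] && [ -f ./contrib/redhat/sshd.pam ]; then
    cp -- ./contrib/redhat/sshd.pam /etc/pam.d/sshd
  fi
  # Default privilege-separation user of a source build; the rpm created
  # it and rpm -e does not remove users, but verify rather than assume.
  if ! getent passwd sshd >/dev/null; then
    useradd -r -d /var/empty -s /sbin/nologin -c 'Privilege-separated SSH' sshd
  fi
  # Keep the host identity: `make install` generated fresh keys in the new
  # /etc/ssh; put the previous ones back over them.
  for key in "$backup"/ssh_host_*key*; do
    [ -e "$key" ] && cp -pf -- "$key" /etc/ssh/
  done

  cp -f -- ./contrib/redhat/sshd.init /etc/init.d/sshd
  chmod 755 /etc/init.d/sshd
  chmod -R 755 /usr/local/openssl
  chkconfig --add sshd
  chkconfig sshd on
  # systemd picks the init script up through its sysv generator.
  [ "$el_release" = el7 ] && systemctl daemon-reload

  # Install the staged configuration; keep the freshly generated default
  # next to it and tighten the mode (the staged copy is 0777 after step 1).
  cp -p -- /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
  cp -f -- "$install_path/sshd_config" /etc/ssh/sshd_config \
    || die "\033[31m未找到 $install_path/sshd_config,请检查。\033[0m"
  chown root:root /etc/ssh/sshd_config
  chmod 600 /etc/ssh/sshd_config
  /usr/sbin/sshd -t \
    || die '\033[31msshd配置检查失败(sshd -t),sshd未重启,telnet备用通道仍开启,请检查。\033[0m'
  ssh -V

  case $el_release in
    el6)
      /etc/init.d/sshd restart >/dev/null 2>&1 &
      ;;
    el7)
      systemctl restart sshd
      ;;
    *)
      say '\033[32m您当前的操作系统内核不是x86_64,此安装文件仅适用linux6/7 64位系统。\033[0m'
      ;;
  esac
  sleep 3   # the linux6 restart is backgrounded; give it a moment
  if pgrep -x sshd >/dev/null; then
    disable_telnet_fallback
    say "\033[32mssh已升级到${ssh_version},telnet备用通道已关闭。\033[0m"
  else
    die '\033[31msshd启动失败,telnet备用通道仍开启,请检查。\033[0m'
  fi
}

main "$@"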