OpenSSH升级安装步骤.doc

OpenSSH升级安装步骤(redhat)上一篇 / 下一篇 2010-07-09 11:59:33 / 个人分类：linux&UNIX 查看( 565 ) / 评论( 3 ) / 评分( 8 / 0 ) IXPUB技术博客!u)y-L;-Tp 查询是否安装telnetIXPUB技术博客x3H4_T2OGk# rpm -qa | grep telnet$ dK8D6Xc0telnet-server-0.17-31.EL4.5K9S2z4i D 0telnet-0.17-31.EL4.5j n)#0 s IVHl:#Of09fpoY/Y0打开telnet服务/;JN gU%bj o50修改设置文件/etc/xinetd.d/telnet中disable字段改为no。修改/etc/xinetd.d/krb5-telnet 中disable字段改为no。9w#N2w Ccw _R0启动服务#ntsysv或#service xinetd restart。IXPUB技术博客Gy#V?#Uq2F XsX9Rq*j8go0创建登陆用户IXPUB技术博客X)x*ZP k因为不能直接root telnet登陆,所以创建一个登陆用户.安装完成后可以把该用户删除IXPUB技术博客vx%o!v U*T.x#Wuseradd opensshinstall15H-*S bfRM0(删除用户及/home/opensshinstall目录 userdel -r opensshinstall 删除这个用户的组groupdel opensshinstall)J Zp5(FO0IXPUB技术博客,Plk:v;x 安装源文件在/usr/local/src目录下IXPUB技术博客d Il*e;ezlib和openssl安装在/usr/local目录下IXPUB技术博客u-PESLIXPUB技术博客!_8S9|s;w$.g 安装zlib-1.2.5D(i6L#fol0BPts0#tar -zxvf zlib-1.2.5.tar.gz6_o r0Kr&O;Ia0V0#cd zlib-1.2.5IXPUB技术博客 Qx2yG x6g#./configure -prefix=/usr/local/zlib-1.2.5 -shareIXPUB技术博客)GuWBe*a#make_/M+ U!E0#make testIXPUB技术博客/YWw)n%V|t#make installIXPUB技术博客wEjg9F?#xkD#vi /etc/ld.so.conf 配置库文件搜索路径fZ,qoKIG;p0include ld.so.conf.d/*.confIXPUB技术博客/J$dbu|1X#A k0nJ#add 2010.7.7IXPUB技术博客Ay,Nlc t/usr/local/zlib-1.2.5/libIXPUB技术博客L.oFMSHvY#add end:C9chP6T%ur0#ldconfig -v 刷新缓存文件/etc/ld.so.cacheIXPUB技术博客(oN4sZ6H4p*T#ln -s /usr/local/zlib-1.2.5 /usr/local/zlib#F+PI)|U9$B0IXPUB技术博客*A)?&l#O w IXPUB技术博客BRb!O:R$JWpIXPUB技术博客W(J1S)zw/,D5RC t$m IXPUB技术博客(a5w$r#b-dUN安装openssl|bNu7h:P0#cd /usr/local/srcIXPUB技术博客 YD vlN.q #tar zxvf openssl-1.0.0a.tar.gzeMax2o %3z)Y0#cd openssl-1.0.0a.tiTR*ij%k#ceQq0#./config shared zlib-dynamic -prefix=/usr/local/openssl-1.0.0a -with-zlib-lib=/usr/local/zlib-1.2.5/lib -with-zlib-include=/usr/local/zlib-1.2.5/includeIXPUB技术博客J#xd.A!L gs#makej L :s z$fll0#make test （这一步是进行 SSL 加密协议的完整测试，如果出现错误就要一定先找出原因，否则一味继续可能导致 SSH 不能使用！）IXPUB技术博客5cu#wh%m Hi#make installJ1E,Y1F -W:?&0N2y7k0#vi /etc/ld.so.conf 配置库文件搜索路径IXPUB技术博客b x9fF!t)VK#1 ik/cw.A0# add below line to ld.so.confIXPUB技术博客6Rp+qg3kjgdH Ie/usr/local/openssl-1.0.0a/lib 64位OS 没有生成lib目录，是lib64目录IXPUB技术博客,_44R5iaL M#-J?H%kos0#ldconfig -v 刷新缓存文件/etc/ld.so.cacheIXPUB技术博客u%r%NhPV-b#ln -s /usr/local/openssl-1.0.0a /usr/local/opensslIXPUB技术博客8p K,r HBn O kvXdNK)w G r2f4Av0vi /etc/profileIXPUB技术博客? S6E)b A5a#IXPUB技术博客z&C4ZSF 9(add to end of the file)g:t#c(Obd4m9q0PATH=/usr/local/openssl/bin:$PATH,:I&Qo_:K0export PATHIXPUB技术博客BHQ0c;J8lm!tc#IXPUB技术博客XGIL5QIXPUB技术博客&qlh/P/Ev)h IXPUB技术博客1_W;BSHx39W!u退出，再登录，查看openssl的版本号，以验证是否安装正确IXPUB技术博客.z$i UkLcX.j#openssl version -a0dfy,e+| r*n0OpenSSL 1.0.0a 1 Jun 2010IXPUB技术博客e.G%B2|7l!mbuilt on: Wed Jul 7 17:08:07 CST 2010Q)Mq Eau6OA*r0platform. linux-x86_64?1a_6w!P?1|0options: bn(64,64) rc4(1x,char) des(idx,cisc,16,int) idea(int) blowfish(idx)bQt%ve)z h!fq)u0compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB_SHARED -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DWHIRLPOOL_ASMB!r8i2Qn0OPENSSLDIR: /usr/local/openssl-1.0.0a/sslIXPUB技术博客Zj.Z)FCW6m4k)n3;0IXPUB技术博客m js%y%P.RaVB*h.L,N0eIXPUB技术博客3k6wqrw7np*Thiqb(XD#l%kWw0停止并卸载OpensshIXPUB技术博客9zv b/wF ?_1.停止OpenSSH服务IXPUB技术博客m0iu,tXE4n0j#service sshd stopIXPUB技术博客$B&x gA2|$W!r/M02. 查询并卸载opensshIXPUB技术博客6FgU!Z3HEn# rpm -qa | grep opensshIXPUB技术博客xXGv0lwgopenssh-3.9p1-8.RHEL4.24u&rYg(M9D;C0openssh-askpass-3.9p1-8.RHEL4.24!Y)pX8x N0openssh-clients-3.9p1-8.RHEL4.24IXPUB技术博客6z2%rK Np9MNopenssh-server-3.9p1-8.RHEL4.24IXPUB技术博客;o9$Uk.W-f0EIopenssh-askpass-gnome-3.9p1-8.RHEL4.24-U+;e5Y_C Yjy,h$u0IXPUB技术博客D06F;EAg #rpm -e openssh-3.9p1-8.RHEL4.24 -nodepsX P&A C |4jf#B0#rpm -e openssh-clients-3.9p1-8.RHEL4.24 -nodepsIXPUB技术博客*C9Sph$t警告/etc/ssh/ssh_config 已存为 /etc/ssh/ssh_config.rpmsaveIXPUB技术博客+n e1E#4h+d#rpm -e openssh-askpass-3.9p1-8.RHEL4.247iF6z1s5x6Y&)vn0#rpm -e openssh-server-3.9p1-8.RHEL4.24 -nodepsIXPUB技术博客_:RP(P#rpm -e openssh-askpass-gnome-3.9p1-8.RHEL4.24D8S*c-XM0IXPUB技术博客B-FqGYl #cd /usr/local/srcIXPUB技术博客b+Xb9xW2S1d?#tar zxvf openssh-5.5p1.tar.gzo- &PoL0#cd openssh-5.5p1wf*QK,E&Da0#./configure -prefix=/usr -sysconfdir=/etc/ssh -with-pam -with-ssl-dir=/usr/local/openssl-1.0.0a -with-md5-passwords -mandir=/usr/share/man -with-zlib=/usr/local/zlib-1.2.5IXPUB技术博客 O7f5Z/G CN5wIXPUB技术博客w7y%y96IT,z #makeIXPUB技术博客:KPJW70N#make install+yJ&2j5s|C4H0#IXPUB技术博客Y:1C*?KF h SIXPUB技术博客 q?WN2Ckz 将sshd加入启动服务:$B1GGH6GtfV(nck0进入ssh安装解压目录0?LWb5I0#cp ./contrib/redhat/sshd.init /etc/init.d/sshdIXPUB技术博客THL-e0z NU#chmod +x /etc/init.d/sshdI Zh_ OQ9 Zr0#chkconfig -add sshdIXPUB技术博客f K_ xF3L-J最后，启动 SSH 服务使修改生效：IXPUB技术博客a jH!R4meH.D# service sshd startu,b;sQa5-U0重启后确认一下当前的 OpenSSH 和 OpenSSL 是否正确：|7w;SS e+ PO|*G0# ssh -vIXPUB技术博客6Q lP UOpenSSH_5.5p1, OpenSSL 1.0.0a 1 Jun 2010$eQuee7g sl0usage: ssh -1246AaCfgKkMNnqsTtVvXxYy -b bind_address -c cipher_specIXPUB技术博客YdCh z -D bind_address:port -e escape_char -F configfileIXPUB技术博客;g-o-G3k#?3G$J;h -I pkcs11 -i identity_fileIXPUB技术博客W:P F4p -L bind_address:port:host:hostportIXPUB技术博客yl0Z y1W Xc-w:mP -l login_name -m mac_spec -O ctl_cmd -o option -p portIXPUB技术博客6z4w2l,K$V$c -R bind_address:port:host:hostport -S ctl_pathIXPUB技术博客w/M Pmc!q -W host:port -w local_tun:remote_tuncwShkTqB5G r0 userhostname commands4pA1S(wL14j0 KLzcX9fhr4t0如果看到了新的版本号就没问题啦！IXPUB技术博客k GIO,./_IXPUB技术博客h_d m Q 关闭telnet服务A;IshS0v|u0修改设置文件/etc/xinetd.d/telnet中disable字段改为yes。IXPUB技术博客;a SH!Z&j_1b%启动服务#ntsysv或#service xinetd restart。IXPUB技术博客eq9Pl!nIXPUB技术博客N-Ke4I:f;R rc 注意问题IXPUB技术博客z Mi/Gi!jGi1.在安装openssh, ./configure 时，报下面错误：IXPUB技术博客D&cj+w/*k.myconfigure: error: PAM headers not found2v_d.R!Z0运行# rpm -qa | grep pam/mm-2k+RvPf0 pam_smb-1.1.7-5IXPUB技术博客!l G FNOvI5W pam_ccreds-1-34WKX:UGy0 pam_passwdqc-0.7.5-2IXPUB技术博客fkY/A!D pam-0.77-66.17*bKPcQ_5| V#o0 pam_krb5-2.1.8-1IXPUB技术博客 Mvvx;QAM F%P spamassassin-3.0.6-1.el4uJL0w(P0发现有 pam-0.77-66.17，从网上找到 pam-devel-0.77-66.17.i386.rpm，IXPUB技术博客RIy%hm运行rpm -ivh pam-devel-0.77-66.17.i386.rpm后，./configure正常Y.tni T J0版本号0.77-66.17必须一样。)L#g|!leG0IXPUB技术博客EHXu,O+s:-g 2.在安装openssh时,configure报错:OKlv d4kf0./configure -prefix=/usr -sysconfdir=/etc/ssh -with-pam -with-zlib -with-ssl-dir=/usr/include/openssl -with-md5-passwords -mandir=/usr/share/manIXPUB技术博客Mv8Ue,X.IXPUB技术博客$C&S;LG f configure: error: * zlib too old - check config.log *H!voT8H.G(M?T0Your reported zlib version has known security problems. Its possible yourIXPUB技术博客+R9K n W-RMl/Yvendor has fixed these problems without changing the version number. If you9T5vEM(M:Hk%$zj;G0are sure this is the case, you can disable the check by runningIXPUB技术博客1AJ-;a n./configure -without-zlib-version-check.IXPUB技术博客 E!W36eIf you are in doubt, upgrade zlib to version 1.2.3 or greater.A!j*Fo)_y Q0See/zlib/for details.IXPUB技术博客_ szT#XU因此需要升级zlib.%j&J(x q$F3i0IXPUB技术博客3_u9t5p:g$rN 3. 如果操作系统是64位的，openssl-1.0.0a只生成了lib64，没有生成lib目录。openssh configure时，还是连接的老版本的openssl,IXPUB技术博客3o#z3g,cr GC%需要做下面的配置。T.n9PCU(0#vi /etc/ld.so.conf 配置库文件搜索路径0z4LcnJ v0#H$*d%JX wD3_$d1r0# add below line to ld.so.confqfuX)h0/usr/local/openssl-1.0.0a/lib64 64位OS 没有生成lib目录，是lib64目录h,#k#A3e+U:eF0#IXPUB技术博客#,Yq+GJq8s5csO,C(OW8M0#mv /usr/bin/openssl /usr/bin/openssl.OFFuN9N|Tf JC6S0#mv /usr/include/openssl /usr/include/openssl.OFFIXPUB技术博客J/ U-#ln -s /usr/local/openssl-1.0.0a/bin/openssl /usr/bin/openssl6m PXA3GM#JS0#ln -s /usr/local/openssl-1.0.0a/include/openssl /usr/include/opensslIXPUB技术博客U(g6v wo#mv /lib64/libcrypto.so.4 /lib64/libcrypto.so.4.OFFIXPUB技术博客7E:aHp#mv /lib64/libssl.so.4 /lib64/libssl.so.4.OFFIXPUB技术博客0X,vfy#ln -s /usr/local/openssl-1.0.0a/lib64/libcrypto.so.1.0.0 /lib64/libcrypto.so.4IXPUB技术博客b$mq,w|0h&hG#ln -s /usr/local/openssl-1.0.0a/lib64/libssl.so.1.0.0 /lib64/libssl.so.4IXPUB技术博客;yXo&m#mv /usr/lib64/libcrypto.so /usr/lib64/libcrypto.so.OFFaR0e(Ek0#mv /usr/lib64/libssl.so /usr/lib64/libssl.so.OFFIXPUB技术博客.S|5Kl!gKG+m$?La#ln -s /usr/local/openssl-1.0.0a/lib64/libcrypto.so /usr/lib64/libcrypto.soIXPUB技术博客t7bz&4w;#ln -s /usr/local/openssl-1.0.0a/lib64/libssl.so /usr/lib64/libssl.so4r0Yy:S,O)Rz0#ldconfig -v 刷新缓存文件/etc/ld.so.cacheq%Ru)htf*Fb8xL0IXPUB技术博客nnIbP:O&MS?,C;M K-i M RX#I0 c+M(H0D&iwG04.openssl安装./configure显示部分信息:f1QgH(Ww%SX Um0。IXPUB技术博客&a+om5z7&K E bOpenSSL shared libraries have been installed in:IXPUB技术博客0K_od#y/c /usr/local/openssl-1.0.0as,b3)R H6W1Qh0 b;U3Y%G p0If this directory is not in a standard system path for dynamic/shared3|m Z-AQJ0libraries, then you will have problems linking and executingIXPUB技术博客.U( D s1F vMapplications that use OpenSSL libraries UNLESS:IXPUB技术博客z-!QWVLn:f1NIXPUB技术博客0J7x+Gtn * you link with static (archive) libraries. If you are truly:AKEV9P0 paranoid about security, you should use static libraries.IXPUB技术博客6_Q,m*j J* you use the GNU libtool code during linkingC31Pbr8w0aG*z10L0 (/software/libtool/libtool.html)IXPUB技术博客b+_ FvR* you use pkg-config during linking (this requires that?(J#T Uf0 PKG_CONFIG_PATH includes the path to the OpenSSL sharedIXPUB技术博客 F PDQl8V0IB; library directory), and make use of -R or -rpath.IXPUB技术博客aar$oX (/software/pkgconfig/)IXPUB技术博客fJ .FZsHcW)m5a* you specify the system-wide link path via a command suchIXPUB技术博客2aSbS0TsppH as crle(1) on Solaris systems.I u+dw:j0* you add the OpenSSL shared library directory to /etc/ld.so.confRoZ#q&Mik0 and run ldconfig(8) on Linux systems.-Q D5Hff3d0* you define the LD_LIBRARY_PATH, LIBPATH, SHLIB_PATH (HP),W*JI/?0 DYLD_LIBRARY_PATH (MacOS X) or PATH (Cygwin and DJGPP),B!Yd:E0 environment variable and add the OpenSSL shared libraryIXPUB技术博客UvcY s,2#t directory to it.1m7y$L9Y+|a;l+j+D0 2ed+v.gTX,g0One common tool to check the dynamic dependencies of an executablek,Y+b&Ke)l-x20or dynamic library is ldd(1) on most UNIX systems.IXPUB技术博客_.y;W)z J:MIXPUB技术博客&n/|5NGgV See any operating system documentation and manpages about sharedIXPUB技术博客t V)I%Nplibraries for your version of UNIX. The following manpages may beIXPUB技术博客x7DWvA7p| G NAVhelpful: ld(1), ld.so(1), ld.so.1(1) Solaris, dld.sl(1) HP,IXPUB技术博客w4iQ-nK*a3u)x+Qldd(1), crle(1) Solaris, pldd(1) Solaris, ldconfig(8) Linux,Og!n5d30chatr(1) HP.QqU?1gq0cp libcrypto.pc /usr/local/openssl-1.0.0a/lib/pkgconfigZ$v%nb70chmod 644 /usr/local/openssl-1.0.0a/lib/pkgconfig/libcrypto.pcIXPUB技术博客:uQZ gI KB3ecp libssl.pc /usr/local/openssl-1.0.0a/lib/pkgconfigIXPUB技术博客a!)BkIchmod 644 /usr/local/openssl-1.0.0a/lib/pkgconfig/libssl.pc/I.o7t9W6T0cp openssl.pc /usr/local/openssl-1.0.0a/lib/pkgconfigIXPUB技术博客iamBT$1chmod 644 /usr/local/openssl-1.0.0a/lib/pkgconfig/openssl.pcIXPUB技术博客aGCZiQ7IXPUB技术博客#j+BywEKZFn IXPUB技术博客!iHb.v;k9fu FX5.openssh安装./configure显示信息：IXPUB技术博客L$Kx6W e!r-N./configure -prefix=/usr -sysconfdir=/etc/ssh -with-pam -with-ssl-dir=/usr/local/openssl-1.0.0a -with-md5-passwords -mandir=/usr/share/man -with-zlib=/usr/local/zlib-1.2.5IXPUB技术博客 q.D*A&F z,Q显示信息：%#t id#mb G0OpenSSH has been configured with the following options:z-RB0qq0-VX$k0 User binaries: /usr/bino jqE%-eM&h5Y7Q8k0 System binaries: /usr/sbinIXPUB技术博客#B fhE/i!Z1l Configuration files: /etc/sshIXPUB技术博客:A h,Z&J#ee9T Askpass program: /usr/libexec/ssh-askpassIXPUB技术博客q#kb&D!m)Gf Manual pages: /usr/share/man/manXd6xFT.0 PID file: /var/runST!|ri0 Privilege separation chroot path: /var/empty| OGy P!|IR7e0 sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbinIXPUB技术博客 xMR4TtP1Jew Manpage format: docRx4u3d0 PAM support: yes4uos$W/a*p3N1d P2If0 OSF SIA support: no&Zp:pk)m9i 0 KerberosV su