@Openssh【7.x升级9.0版（Centos7.9，rpm）】

文章目录

- - 1.版本查看
  - 2.配置备份
  - 3.软件包openssh9.0下载
  - 4.升级openssh9.0版本
  - 5.配置备份恢复
  - 6.服务器启动验证及问题排查

1.版本查看

#系统版本
[root@HZLOPENSSHTEST ~]# cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)#openssh版本
[root@HZLOPENSSHTEST ~]# rpm -qa |egrep "openssh|openssl"
openssh-clients-7.4p1-21.el7.x86_64
openssl-libs-1.0.2k-19.el7.x86_64
openssl-1.0.2k-19.el7.x86_64
openssh-7.4p1-21.el7.x86_64
openssh-server-7.4p1-21.el7.x86_64
[root@HZLOPENSSHTEST ~]# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017

2.配置备份

#备份sshd主配置文件&特权登录用户配置文件
[root@HZLOPENSSHTEST ~]# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
[root@HZLOPENSSHTEST ~]# cp /etc/pam.d/login /etc/pam.d/login.bak
[root@HZLOPENSSHTEST ~]# cp /etc/pam.d/system-auth /etc/pam.d/system-auth.bak
[root@HZLOPENSSHTEST ~]# cp /etc/pam.d/sshd /etc/pam.d/sshd.bak#查看备份文件
[root@HZLOPENSSHTEST ~]# ls /etc/pam.d/ | egrep *.bak
login.bak
sshd.bak
system-auth.bak

3.软件包openssh9.0下载

#下载升级的安装包，文件里是封装的rpm软件包
[root@HZLOPENSSHTEST ~]# wget openssh-9.0p1.tar.gz
[root@HZLOPENSSHTEST ~]# tar -xvfz openssh-9.0p1.tar.gz
[root@HZLOPENSSHTEST ~]# ls openssh-9.0p1
openssh-9.0p1-1.el7.x86_64.rpm  openssh-clients-9.0p1-1.el7.x86_64.rpm  openssh-debuginfo-9.0p1-1.el7.x86_64.rpm  openssh-server-9.0p1-1.el7.x86_64.rpm

4.升级openssh9.0版本

#端口检查&服务查看
[root@HZLOPENSSHTEST ~]# ss -ant |grep "22"
LISTEN     0      128          *:22                       *:*
ESTAB      0      0      10.21.25.124:22                 10.21.1.70:51233
ESTAB      0      0      10.21.25.124:22                 10.21.1.70:61866
ESTAB      0      48     10.21.25.124:22                 10.21.1.70:61848
ESTAB      0      0      10.21.25.124:22                 10.21.1.70:61865
LISTEN     0      128       [::]:22                    [::]:*
[root@HZLOPENSSHTEST ~]# systemctl status sshd
● sshd.service - OpenSSH server daemonLoaded: loaded (/usr/lib/systemd/system/sshd.service; enabled; vendor preset: enabled)Active: active (running) since 二 2023-11-28 17:18:23 CST; 18h agoDocs: man:sshd(8)man:sshd_config(5)Main PID: 1123 (sshd)CGroup: /system.slice/sshd.service└─1123 /usr/sbin/sshd -D
[root@HZLOPENSSHTEST ~]# systemctl stop sshd#本地升级openssh
[root@HZLOPENSSHTEST ~]# cd openssh-9.0p1
[root@HZLOPENSSHTEST openssh-9.0p1]# yum upgrade openssh-*
更新安装包:
openssh.x86_64 0:9.0p1-1.el7                      openssh-clients.x86_64 0:9.0p1-1.el7                      openssh-server.x86_64 0:9.0p1-1.el7#检查升级的openssh安装包
[root@HZLOPENSSHTEST openssh-9.0p1]# rpm -qa |grep openssh
openssh-server-9.0p1-1.el7.x86_64
openssh-9.0p1-1.el7.x86_64
openssh-clients-9.0p1-1.el7.x86_64
[root@HZLOPENSSHTEST pam.d]# ssh -V
OpenSSH_9.0p1, OpenSSL 1.0.2k-fips  26 Jan 2017

5.配置备份恢复

#备份openssh9.0的配置，恢复之前的ssh配置文件
[root@HZLOPENSSHTEST openssh-9.0p1]# cd /etc/ssh/
[root@HZLOPENSSHTEST ssh]# mv sshd_config sshd_config_1129.bak
[root@HZLOPENSSHTEST ssh]# cp sshd_config.bak sshd_config
[root@HZLOPENSSHTEST ssh]# cd /etc/pam.d/
[root@HZLOPENSSHTEST pam.d]# mv sshd sshd_1129.bak
[root@HZLOPENSSHTEST pam.d]# cp sshd.bak sshd

6.服务器启动验证及问题排查

#服务启动失败，如下所示（根据系统提示日志，可确认为密钥文件权限问题，修改文件权限）
[root@HZLOPENSSHTEST ~]# systemctl status  sshd
● sshd.service - SYSV: OpenSSH server daemonLoaded: loaded (/etc/rc.d/init.d/sshd; bad; vendor preset: enabled)Active: failed (Result: exit-code) since 三 2023-11-29 11:46:02 CST; 11s agoDocs: man:systemd-sysv-generator(8)Process: 16106 ExecStart=/etc/rc.d/init.d/sshd start (code=exited, status=1/FAILURE)Main PID: 11868 (code=exited, status=0/SUCCESS)11月 29 11:46:02 HZLOPENSSHTEST sshd[16106]: It is required that your private key files are NOT accessible by others.
11月 29 11:46:02 HZLOPENSSHTEST sshd[16106]: This private key will be ignored.
11月 29 11:46:02 HZLOPENSSHTEST sshd[16106]: Unable to load host key "/etc/ssh/ssh_host_ed25519_key": bad permissions
11月 29 11:46:02 HZLOPENSSHTEST sshd[16106]: Unable to load host key: /etc/ssh/ssh_host_ed25519_key
11月 29 11:46:02 HZLOPENSSHTEST sshd[16106]: sshd: no hostkeys available -- exiting.
11月 29 11:46:02 HZLOPENSSHTEST sshd[16106]: [失败]
11月 29 11:46:02 HZLOPENSSHTEST systemd[1]: sshd.service: control process exited, code=exited status=1
11月 29 11:46:02 HZLOPENSSHTEST systemd[1]: Failed to start SYSV: OpenSSH server daemon.
11月 29 11:46:02 HZLOPENSSHTEST systemd[1]: Unit sshd.service entered failed state.
11月 29 11:46:02 HZLOPENSSHTEST systemd[1]: sshd.service failed.#查看密钥文件权限
[root@HZLOPENSSHTEST ~]# ll /etc/ssh/ssh_host_*
-rw-------. 1 root root     1393 11月 29 11:46 /etc/ssh/ssh_host_dsa_key
-rw-r--r--. 1 root root      609 11月 29 11:46 /etc/ssh/ssh_host_dsa_key.pub
-rw-r-----. 1 root ssh_keys  227 11月 28 17:18 /etc/ssh/ssh_host_ecdsa_key
-rw-r--r--. 1 root root      162 11月 28 17:18 /etc/ssh/ssh_host_ecdsa_key.pub
-rw-r-----. 1 root ssh_keys  387 11月 28 17:18 /etc/ssh/ssh_host_ed25519_key
-rw-r--r--. 1 root root       82 11月 28 17:18 /etc/ssh/ssh_host_ed25519_key.pub
-rw-r-----. 1 root ssh_keys 1675 11月 28 17:18 /etc/ssh/ssh_host_rsa_key
-rw-r--r--. 1 root root      382 11月 28 17:18 /etc/ssh/ssh_host_rsa_key.pub
[root@HZLOPENSSHTEST ~]#  chmod 600 /etc/ssh/ssh_host_*
[root@HZLOPENSSHTEST ~]# ll /etc/ssh/ssh_host_*
-rw-------. 1 root root     1393 11月 29 11:46 /etc/ssh/ssh_host_dsa_key
-rw-------. 1 root root      609 11月 29 11:46 /etc/ssh/ssh_host_dsa_key.pub
-rw-------. 1 root ssh_keys  227 11月 28 17:18 /etc/ssh/ssh_host_ecdsa_key
-rw-------. 1 root root      162 11月 28 17:18 /etc/ssh/ssh_host_ecdsa_key.pub
-rw-------. 1 root ssh_keys  387 11月 28 17:18 /etc/ssh/ssh_host_ed25519_key
-rw-------. 1 root root       82 11月 28 17:18 /etc/ssh/ssh_host_ed25519_key.pub
-rw-------. 1 root ssh_keys 1675 11月 28 17:18 /etc/ssh/ssh_host_rsa_key
-rw-------. 1 root root      382 11月 28 17:18 /etc/ssh/ssh_host_rsa_key.pub#重启后服务正常
[root@HZLOPENSSHTEST ~]# systemctl restart sshd#测试登录验证（验证登录时拒绝，拒绝使用root用户直接登录，查看服务日志状态）
[root@HZLOPENSSHTEST ~]# ssh 10.21.25.124
root@10.21.25.124's password:
Permission denied, please try again.
[root@HZLOPENSSHTEST ~]# systemctl status sshd
● sshd.service - SYSV: OpenSSH server daemonLoaded: loaded (/etc/rc.d/init.d/sshd; bad; vendor preset: enabled)Active: active (running) since 三 2023-11-29 11:50:36 CST; 1min 58s agoDocs: man:systemd-sysv-generator(8)Process: 17740 ExecStart=/etc/rc.d/init.d/sshd start (code=exited, status=0/SUCCESS)Main PID: 17748 (sshd)CGroup: /system.slice/sshd.service├─17748 sshd: /usr/sbin/sshd [listener] 1 of 10-100 startups├─18377 sshd: root [priv]└─18378 sshd: root [net]11月 29 11:50:36 HZLOPENSSHTEST sshd[17748]: Server listening on :: port 22.
11月 29 11:50:36 HZLOPENSSHTEST systemd[1]: Started SYSV: OpenSSH server daemon.
11月 29 11:52:23 HZLOPENSSHTEST sshd[18374]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.21.1.70  user=root
11月 29 11:52:23 HZLOPENSSHTEST sshd[18374]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
11月 29 11:52:25 HZLOPENSSHTEST sshd[18374]: Failed password for root from 10.21.1.70 port 62880 ssh2
11月 29 11:52:25 HZLOPENSSHTEST sshd[18374]: Connection closed by authenticating user root 10.21.1.70 port 62880 [preauth]
11月 29 11:52:26 HZLOPENSSHTEST unix_chkpwd[18379]: password check failed for user (root)
11月 29 11:52:26 HZLOPENSSHTEST sshd[18377]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.21.1.70  user=root
11月 29 11:52:26 HZLOPENSSHTEST sshd[18377]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
11月 29 11:52:28 HZLOPENSSHTEST sshd[18377]: Failed password for root from 10.21.1.70 port 62881 ssh2#问题
“pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"”
由上可见，主要由于使用root用户认证，在openssh9.0配置，默认拒绝root直接登录服务器，需修改pam下auth的权限限制和sshd
检查sshd配置文件中的root登录限制。#检查排查相关配置；
[root@HZLOPENSSHTEST ~]# vim /etc/pam.d/system-auth
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success   #权限限制，注释或删除
[root@HZLOPENSSHTEST ~]# vim /etc/ssh/sshd_config
PermitRootLogin yes    #允许root登录配置#重启sshd后，手动验证，登录正常
[root@HZLOPENSSHTEST ~]# systemctl restart sshd
[root@HZLOPENSSHTEST ~]# ssh 10.21.25.124
root@10.21.25.124's password:
Last failed login: Wed Nov 29 11:53:23 CST 2023 from 10.21.25.124 on ssh:notty
There were 4 failed login attempts since the last successful login.
Last login: Wed Nov 29 11:17:50 2023 from 10.21.1.70