Shulou(Shulou.com)06/01 Report--

OpenSSH

OpenSSH is a secure network connection tool for remote control and remote encryption of data transmission, that is, a program that provides ssh services for us. SSH consists of a server and a client. The server is a daemon (sshd) that runs in the background and responds to the connection requests of the client. The client includes ssh (openssh-clients), scp, slogin, sftp and other applications.

The SSH service itself provides a secure and encrypted way of data transmission. In some older versions of Linux systems, most of them are openssh 5. At present, OpenSSH has been updated to OpenSSH 7.x version, which fixes many existing security vulnerabilities, which is also a more secure version. OpenSSH official website: http://www.openssh.com

This article mainly records the upgrade process of OpenSSH 7 on SLES (SuSe 11).

Prepare to install the package:

Openssh-7.1p1.tar.gz

Openssl-1.0.2h.tar.gz

Libopenssl-devel-1.0.2h-1.3.x86_64.rpm

Pam-devel-1.1.8-6.1.x86_64.rpm

Zlib-devel-1.2.7-2.1.2.x86_64.rpm

System version:

SUSE Linux Enterprise Server 11 (x86 / 64)

First, install dependent software

1. Install the necessary gcc, gcc-c++ compilation tools and libopenssl-devel, pam-devel, zlib-devel

Hm:~ # zypper in-y gcc gcc-c++hm:/usr/local/src # rpm-ivh libopenssl-devel-1.0.2h-1.3.x86_64.rpm-nodeps-- forcehm:/usr/local/src # rpm-ivh pam-devel-1.1.8-6.1.x86_64.rpm-- nodeps-- forcehm:/usr/local/src # rpm-ivh zlib-devel-1.2.7-2.1.2.x86_64.rpm

Second, install OpenSSL

1. Check the openssl that comes with the system

Hm:/usr/local/src # rpm-Q opensslopenssl-0.9.8j-0.50.1# because openssl relies on too much software, you don't have to uninstall the old version when upgrading openssl. If you force uninstall, the system may not be able to run hm:/usr/local/src # openssl versionOpenSSL 0.9.8j-fips 07 Jan 200 check the directory of openssl hm:/usr/local/src # which openssl/usr/bin/openssl# to back up the related files of the old version during the upgrade process After upgrading the new version, re-link and replace it with the corresponding file directory hm:/usr/local/src # whereis opensslopenssl: / usr/bin/openssl / usr/bin/X11/openssl / usr/include/openssl / usr/share/man/man1/openssl.1ssl.gzhm:/usr/local/src # ls / etc/ssl/certs openssl.cnf private servercerts# to back up the above files Soft link hm:/usr/local/src # mkdir / home/ssl_bakhm:/usr/local/src # mv / usr/bin/openssl / home/ssl_bak/hm:/usr/local/src # mv / etc/ssl / home/ssl_bak/etc_sslhm:/usr/local/src # mv / usr/include/openssl / home/ssl_bak/include_openssl with / usr/bin/X11/openssl / usr/bin/openssl

2. Upgrade openssl

# 1) install openssl-1.0.2h.tar.gzhm:/usr/local/src # tar-zxf openssl-1.0.2h.tar.gzhm:/usr/local/src # cd openssl-1.0.2h/hm:/usr/local/src/openssl-1.0.2h #. / config-- prefix=/usr/local/openssl-- openssldir=/etc/ssl shared zlibhm:/usr/local/src/openssl-1.0.2h # makehm:/usr/local/src/ Openssl-1.0.2h # make install# View the installed / usr/local/openssl directory file hm:/usr/local/src/openssl-1.0.2h # ls / usr/local/openssl/ {bin Include Lib} / usr/local/openssl/bin:c_rehash fips_standalone_sha1 fipsld openssl/usr/local/openssl/include:openssl/usr/local/openssl/lib:engines fips_premain.c.sha1 fipscanister.o.sha1 libcrypto.so libssl.a libssl.so.1.0.0fips_premain.c fipscanister.o libcrypto.a libcrypto.so.1.0.0 libssl.so pkgconfig# View / etc/ssl directory hm:/usr / local/src/openssl-1.0.2h # ls / etc/ssl/certs man misc openssl.cnf private

3. Configure the relevant directories of the upgraded openssl (link the openssl program)

Hm:/usr/local/src # ln-s / usr/local/openssl/bin/openssl / usr/bin/opensslhm:/usr/local/src # ln-s / usr/local/openssl/include/openssl / usr/include/opensslhm:/usr/local/src # echo "/ usr/local/openssl/lib" > > / etc/ld.so.confhm:/usr/local/src # ldconfig # View the upgraded openssl version hm:/usr/local/src # openssl versionOpenSSL 1.0.2h 3 May 2016

Uninstall the original OpenSSH of the system

# stop sshd service hm:~ # service sshd stopShutting down the listening SSH daemon done# Uninstall opensshhm:~ # zypper rm opensshhm:~ # rpm-qa | grep opensshhm:~ # mv / etc/ssh / home/ssl_bak/

IV. Upgrade OpenSSH

Hm:/usr/local/src # gzip-d openssh-7.1p1.tar.gz hm:/usr/local/src # tar xf openssh-7.1p1.tar hm:/usr/local/src # cd openssh-7.1p1/# compilation parameter hm:/usr/local/src/openssh-7.1p1. / configure-- prefix=/usr-- sysconfdir=/etc/ssh-- with-pam-- with-openssl-- with-md5-passwords-- mandir=/usr/share/man-- With-zlib-- with-ssl-engine-- with-ssl-dir=/usr/local/opensslhm:/usr/local/src/openssh-7.1p1 # makehm:/usr/local/src/openssh-7.1p1 # make install# View the upgraded version hm:~ # ssh- VOpenSSH_7.1p1 OpenSSL 1.0.2h 3 May 2011copy sshd startup script The startup script hm:/usr/local/src/openssh-7.1p1 # cd contrib/hm:/usr/local/src/openssh-7.1p1/contrib # lsMakefile aix findssl.sh gnome-ssh-askpass2.c redhat ssh-copy-id sshd.pam.freebsd suseREADME cygwin gnome-ssh-askpass1.c hpux solaris ssh-copy-id.1 sshd.pam.generichm:/usr/local/src of the corresponding system in the contrib/ directory / openssh-7.1p1/contrib # cp suse/rc.sshd / etc/init.d/sshdhm:/usr/local/src/openssh-7.1p1/contrib # chmod 755 / etc/init.d/sshd # launch and set boot hm:/usr/local/src/openssh-7.1p1/contrib # chkconfig-- add sshdsshd 0:off 1:off 2:off 3:on 4:off 5:on 6:offhm:/usr/local / src/openssh-7.1p1/contrib # chkconfig sshd onhm:/usr/local/src/openssh-7.1p1/contrib # service sshd startStarting SSH daemon done

5. Log in to the server again

Note a few points:

1. OpenSSH 7 version does not allow root login by default. You need to modify PermitRootLogin and PasswordAuthentication to allow.

2. There is an error configure: error: * Can't find recent OpenSSL libcrypto (see config.log for details) * in the process of compiling openssh. This is the error caused by the failure to install and configure OpenSSL.

Verify ssh key configuration

1. Log in to the local machine remotely through the client (log in to the SuSe server after upgrading OpenSSH by using key verification from the client)

# create key [root@node4 ~] # ssh-keygen# send the public key to the SuSe server [root@node4 ~] # ssh-copy-id-I ~ / .ssh/id_rsa.pub 10.0.0.13login verification [root@node4 ~] # ssh 10.0.0.130Last login: Sat Jul 23 07:18:09 2016 from 10.0.0.14hmSuSe ~ # ssh- VOpenSSH_7.1p1, OpenSSL 1.0.2h 3 May 2016hmSuSe ~ # exit

2. Configure local key to log in to other servers remotely

Hm:~ # ssh-keygen hm:~ # ssh-copy-id-I ~ / .ssh/id_rsa.pub 10.0.0.14/usr/bin/ssh-copy-id: INFO: Source of key (s) to be installed: "/ root/.ssh/id_rsa.pub" The authenticity of host '10.0.0.14 (10.0.0.14)' can't be established.RSA key fingerprint is SHA256:ov9sIuzLGQyS2FaJa4hY/SKSZ4YenjXBULFLYauDUz8.Are you sure you want to continue connecting (yes/no)? Yes/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key (s), to filter out any that are already installed/usr/bin/ssh-copy-id: INFO: 1 key (s) remain to be installed-- if you are prompted now it is to install the new keysroot@10.0.0.14's password: Number of key (s) added: 1Now try logging into the machine With: "ssh '10.0.0.14'" and check to make sure that only the key (s) you wanted were added.hm:~ # ssh 10.0.0.14Last login: Thu Aug 11 23:30:24 2016 from 10.0.0.130 [root@node4 ~] # exit

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.