Upgrading OpenSSH to version 9 on CentOS 7.9

Created: 2023-01-18 15:16:59
Category: linux

The OpenSSH that ships with CentOS 7 is the 7.x series, which has a number of known vulnerabilities, so it should be upgraded to the latest 9.x series.

Building the RPM packages (network access required)

1. Install the required packages with yum

yum install -y rpm-build gcc gcc-c++ glibc glibc-devel openssl-devel openssl pcre pcre-devel zlib zlib-devel make wget krb5-devel pam-devel libX11-devel xmkmf libXt-devel initscripts imake gtk2-devel lrzsz

2. Create the build directories

mkdir -pv /root/rpmbuild/{BUILD,BUILDROOT,RPMS,SOURCES,SPECS,SRPMS}

3. Download and unpack the source tarball

cd /root/rpmbuild/SOURCES/
wget https://mirrors.aliyun.com/pub/OpenBSD/OpenSSH/portable/openssh-9.1p1.tar.gz
tar -xf openssh-9.1p1.tar.gz

4. Copy the spec file into the SPECS directory

cp /root/rpmbuild/SOURCES/openssh-9.1p1/contrib/redhat/openssh.spec /root/rpmbuild/SPECS/openssh.spec

5. Edit /root/rpmbuild/SPECS/openssh.spec so that the askpass helpers are not built, and remove the openssl-devel < 1.1 restriction (the CentOS 7 openssl packages carry an Epoch of 1, so rpm does not treat the installed 1.0.2 version as satisfying an epoch-less "< 1.1" comparison and the build dependency would otherwise fail)

Manual edit:

# Do we want to disable building of x11-askpass? (1=yes 0=no)
%global no_x11_askpass 1

# Do we want to disable building of gnome-askpass? (1=yes 0=no)
%global no_gnome_askpass 1

# This line must be commented out
#BuildRequires: openssl-devel < 1.1

Or edit it from the command line (not recommended):

sed -i -e "s/%global no_gnome_askpass 0/%global no_gnome_askpass 1/g" /root/rpmbuild/SPECS/openssh.spec
sed -i -e "s/%global no_x11_askpass 0/%global no_x11_askpass 1/g" /root/rpmbuild/SPECS/openssh.spec
sed -i '/openssl-devel < 1.1/s/^/#/' /root/rpmbuild/SPECS/openssh.spec

6. Build the rpm packages

rpmbuild -bb /root/rpmbuild/SPECS/openssh.spec

Four rpm packages will be generated under /root/rpmbuild/RPMS/x86_64/:

openssh-9.1p1-1.el7.x86_64.rpm  openssh-clients-9.1p1-1.el7.x86_64.rpm  openssh-debuginfo-9.1p1-1.el7.x86_64.rpm  openssh-server-9.1p1-1.el7.x86_64.rpm
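The six build steps above collected into one script. This is an added example, not the post's own commands and not anything from the OpenSSH project; it assumes the same layout as the post (/root/rpmbuild, openssh-9.1p1, the Aliyun mirror), GNU sed, and a root shell on CentOS 7 x86_64. The build itself only runs when RUN_BUILD=1, so the spec-patching helpers can be tried on a scratch copy of a spec file first. patch_spec only comments out an openssl-devel line that is not already commented, so rerunning it does not produce a doubly-commented line, and spec_is_patched is the check the build uses before calling rpmbuild.

```shell
#!/bin/sh
# Added example (not from the original post): the RPM build procedure as a script.
# Assumptions: CentOS 7 x86_64, root, GNU sed, network access for yum and wget.
set -eu

OPENSSH_VER="${OPENSSH_VER:-9.1p1}"            # version used in the post
TOPDIR="${TOPDIR:-/root/rpmbuild}"             # rpmbuild top directory from the post
SRC_URL="https://mirrors.aliyun.com/pub/OpenBSD/OpenSSH/portable/openssh-${OPENSSH_VER}.tar.gz"

# patch_spec FILE: disable both askpass builds and comment out the
# "openssl-devel < 1.1" BuildRequires line. The last expression only touches a
# line that does not already start with "#", so the function is safe to rerun.
patch_spec() {
    spec="$1"
    sed -i -e 's/%global no_x11_askpass 0/%global no_x11_askpass 1/' \
           -e 's/%global no_gnome_askpass 0/%global no_gnome_askpass 1/' \
           -e '/^[^#].*openssl-devel < 1.1/s/^/#/' "$spec"
}

# spec_is_patched FILE: succeed only if all three edits are present.
spec_is_patched() {
    spec="$1"
    grep -q '^%global no_x11_askpass 1' "$spec" &&
    grep -q '^%global no_gnome_askpass 1' "$spec" &&
    ! grep -q '^[^#].*openssl-devel < 1.1' "$spec"
}

# build_rpms: steps 1 to 6 of the post in order.
build_rpms() {
    yum install -y rpm-build gcc gcc-c++ glibc glibc-devel openssl-devel openssl \
        pcre pcre-devel zlib zlib-devel make wget krb5-devel pam-devel \
        libX11-devel xmkmf libXt-devel initscripts imake gtk2-devel
    # brace expansion is not POSIX sh, so create the directories one by one
    for d in BUILD BUILDROOT RPMS SOURCES SPECS SRPMS; do mkdir -p "$TOPDIR/$d"; done
    cd "$TOPDIR/SOURCES"
    [ -f "openssh-$OPENSSH_VER.tar.gz" ] || wget "$SRC_URL"
    tar -xf "openssh-$OPENSSH_VER.tar.gz"
    cp "openssh-$OPENSSH_VER/contrib/redhat/openssh.spec" "$TOPDIR/SPECS/openssh.spec"
    patch_spec "$TOPDIR/SPECS/openssh.spec"
    spec_is_patched "$TOPDIR/SPECS/openssh.spec" || { echo "spec patching failed" >&2; return 1; }
    rpmbuild -bb "$TOPDIR/SPECS/openssh.spec"
    ls -l "$TOPDIR/RPMS/x86_64/"               # the four packages listed in the post
}

if [ "${RUN_BUILD:-0}" = 1 ]; then build_rpms; fi
```

Run it as RUN_BUILD=1 sh build-openssh-rpms.sh on the build host; without RUN_BUILD it only defines the functions, which is what the scratch-file check below relies on.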

Upgrading OpenSSH (no network access required)

1. Upgrade OpenSSH

Copy the four rpm packages into an empty directory; here /root/rpm/ is used.

cd /root/rpm
rpm -Uvh *.rpm

2. Edit /etc/ssh/sshd_config

# Allow root login
PermitRootLogin yes

# Enable password authentication
PasswordAuthentication yes

# Enable PAM
UsePAM yes

# Enable tunnelling (needed for tunnelled connections to MySQL)
PermitTunnel yes

# Add this at the end
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1

3. Replace the contents of /etc/pam.d/sshd with the following

#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare

4. Fix the permissions of /etc/ssh/*

chmod 600 /etc/ssh/*

5. Restart the sshd service

systemctl restart sshd
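Steps 2, 4 and 5 above as one script. This is an added example, not part of the original post and not OpenSSH project code; it assumes GNU awk, a root shell on the upgraded host, and that SSHD_CONFIG can be pointed at a scratch copy for a dry run, with APPLY=1 required before the live file and service are touched. Two things it adds to the post's procedure: set_sshd_option edits each key in place instead of appending (sshd uses the first occurrence of a key, so an appended line does nothing if an earlier active line sets the same key, and a key placed after a Match block only applies inside that block), and weak_kex lists which entries of the post's KexAlgorithms value are SHA-1 or 1024-bit group1 methods, none of which are in OpenSSH 9's default list, so you can see exactly what the line re-enables. The file is syntax-checked with sshd -t before systemctl restart, which is the check that avoids losing SSH access to a host with a config sshd refuses to load.

```shell
#!/bin/sh
# Added example (not from the original post): apply the post-upgrade sshd settings
# idempotently, audit the KexAlgorithms line, and syntax-check before restarting.
# Assumptions: GNU awk, root on the upgraded CentOS 7 host. SSHD_CONFIG may point
# at a scratch copy; APPLY=1 is required to change the live system.
set -eu

SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"
# The KexAlgorithms value from the post, unchanged.
KEX_LIST="curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1"

# set_sshd_option FILE KEY VALUE
# Replaces the first global "KEY ..." line (active or commented out, any case,
# "KEY VALUE" or "KEY=VALUE" form) with "KEY VALUE" and drops later global
# duplicates, so sshd's first-match rule cannot pick up a stale value. Lines
# inside a Match block are left alone; a key that is not present is inserted
# above the first Match line so that it stays a global setting.
set_sshd_option() {
    file="$1" key="$2" value="$3"
    tmp="$file.tmp.$$"
    awk -v key="$key" -v value="$value" '
        BEGIN { done = 0; inmatch = 0; lkey = tolower(key) }
        {
            line = $0
            commented = sub(/^[ \t]*#[ \t]*/, "", line)
            sub(/^[ \t]+/, "", line)
            split(line, f, /[ \t=]+/)
            k = tolower(f[1])
            if (!commented && k == "match") {
                if (!done) { print key " " value; done = 1 }
                inmatch = 1
            }
            if (!inmatch && k == lkey) {
                if (!done) { print key " " value; done = 1 }
                next
            }
            print
        }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && mv "$tmp" "$file"
}

# weak_kex FILE
# Prints every KexAlgorithms entry in FILE that relies on SHA-1 or on the
# 1024-bit group1 modulus; returns 1 if any were found, 0 otherwise.
weak_kex() {
    awk '{
            line = $0; sub(/^[ \t]+/, "", line)
            split(line, f, /[ \t=]+/)
            if (tolower(f[1]) != "kexalgorithms") next
            n = split(f[2], a, ",")
            for (i = 1; i <= n; i++)
                if (a[i] ~ /sha1$/ || a[i] ~ /group1-/) { print a[i]; found = 1 }
         }
         END { exit found ? 1 : 0 }' "$1"
}

# Steps 2, 4 and 5 of the post, with a backup and a syntax check added.
apply_and_restart() {
    cp -p "$SSHD_CONFIG" "$SSHD_CONFIG.bak.$(date +%Y%m%d%H%M%S)"
    set_sshd_option "$SSHD_CONFIG" PermitRootLogin yes
    set_sshd_option "$SSHD_CONFIG" PasswordAuthentication yes
    set_sshd_option "$SSHD_CONFIG" UsePAM yes
    set_sshd_option "$SSHD_CONFIG" PermitTunnel yes
    set_sshd_option "$SSHD_CONFIG" KexAlgorithms "$KEX_LIST"
    weak_kex "$SSHD_CONFIG" || echo "warning: the KEX methods listed above are SHA-1/group1 based" >&2
    chmod 600 /etc/ssh/*
    sshd -t -f "$SSHD_CONFIG"        # refuse to restart on a config sshd cannot parse
    systemctl restart sshd
}

if [ "${APPLY:-0}" = 1 ]; then apply_and_restart; fi
```

For a dry run, copy the live file somewhere, export SSHD_CONFIG to that copy, source the script and call set_sshd_option and weak_kex by hand; keep an existing SSH session open while APPLY=1 runs on the real host so a failed restart can still be repaired from the backup.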

Contact us

WeChat ID: shidaping023