之前因為漏洞問題，做安全加固的時候參考了百度的一些教程，裡面有些地方很坑，寫的亂七八糟，導緻升級失敗了，所以今天才抽空測試了下下面3種方式，都是沒什麼問題的，整理一下分享給大家。

下面實驗是基于redhat6.8 64位系統做測試（7的版本有比較多注意的點，後面有空再整）

這裡提供3個方式：1個是rpm包手動升級，一個是rpm包腳本升級，一個是腳本yum一鍵升級。（這裡的rpm包隻需要在openssh升級成功後的系統制作rpm包就可以了，篇幅有限，就不介紹這塊了）

1、查看當前openssh版本

2、備份

[root@localhost ~]# cp /etc/pam.d/sshd /etc/pam.d/sshd_bak181225 [root@localhost ~]# cp /etc/ssh/sshd_config /etc/ssh/sshd_config_bak181225 [root@localhost ~]# cp /etc/init.d/sshd /etc/init.d/sshd_bak1812

3、執行rpm包

根據rpm -qa|grep openssh找對應的rpm包

# rpm -Uvh openssh-askpass-7.9p1-1.el6.x86_64.rpm openssh-clients-7.9p1-1.el6.x86_64.rpm openssh-7.9p1-1.el6.x86_64.rpm openssh-server-7.9p1-1.el6.x86_64.rpm

4、配置允許root登錄

sed -i 's/#PermitRootLogin yes/PermitRootLogin yes/g' /etc/ssh/sshd_config

5、改權限

# chmod 600 /etc/ssh/ssh_host_ed25519_key

6、恢複 pam sshd config

cp /etc/pam.d/sshd_bak181225 /etc/pam.d/sshd

7、安裝 ssh-copy-id

（ssh-copy-id 将本機的公鑰複制到遠程機器的authorized_keys文件中，ssh-copy-id也能讓你有到遠程機器的home, ~./ssh , 和 ~/.ssh/authorized_keys的權利）

install -v -m755 ssh-copy-id /usr/bin

install -v -m644 ssh-copy-id.1 /usr/share/man/man1

8、重啟ssh服務

/etc/init.d/sshd restart

9、測試是否升級成功

ssh -V

根據前面的步驟簡單整理如下：

PS：這裡測試的時候漏了一步，應該先斷開連接再重連測試下的，懶得恢複快照測試了，有空的朋友可以幫忙測試下，這裡查看版本已經升級成功了。

#!/bin/bash # update openssh to 7.9 on centos6.x or rhel 6.x # 前提條件：需要跟rpm包同個目錄 # 1、backup pam sshd config cp -fp /etc/pam.d/sshd /tmp/sshd_bak # 2、rpm install rpm -Uvh openssh-askpass-7.9p1-1.el6.x86_64.rpm openssh-clients-7.9p1-1.el6.x86_64.rpm openssh-7.9p1-1.el6.x86_64.rpm openssh-server-7.9p1-1.el6.x86_64.rpm # 2、config root ssh to server # vi /etc/ssh/sshd_config # PermitRootLogin yes sed -i 's/#PermitRootLogin yes/PermitRootLogin yes/g' /etc/ssh/sshd_config # 3、change permit chmod 600 /etc/ssh/ssh_host_ed25519_key # 4、restore pam sshd config cp -fp /tmp/sshd_bak /etc/pam.d/sshd # 5、install ssh-copy-id install -v -m755 ssh-copy-id /usr/bin install -v -m644 ssh-copy-id.1 /usr/share/man/man1 # 6、restart sshd service /etc/init.d/sshd restart #7、test ssh version ssh -V

前提條件：配置好yum源，openssh-7.9p1.tar.gz安裝包跟腳本同一層目錄就可以了

#!/bin/bash #前提條件：配置好yum源 if [ $UID -ne 0 ];then echo "please run this script as root !" exit 1 fi #安裝依賴包 yum -y install gcc gcc-c pam-devel zlib-devel xinetd openssl-devel sleep 2 #備份原ssh today=$(date %Y%m%d) mkdir /tmp/$today cp -a /etc/ssh /tmp/$today cp -a /etc/rc.d/init.d/sshd /tmp/$today/sshd_init cp -a /etc/pam.d/ssh-keycat /tmp/$today cp -a /etc/pam.d/sshd /tmp/$today/sshd_pam cp -a /etc/sysconfig/sshd /tmp/$today/sshd_configure #配置telnet登陸 start_telnet () { cat >>/etc/securetty<<EOF pts/0 pts/1 pts/2 EOF #sed -i 's/yes/no/g' /etc/xinetd.d/telnet yum install -y telnet-server sed -i '/disable/s/yes/no/g' /etc/xinetd.d/telnet /etc/init.d/xinetd restart } #卸載舊版本openssh /etc/init.d/sshd stop rpm -e --nodeps openssh openssh-server openssh-clients #rpm -e --nodeps openssh-askpass #rpm -qa |grep openssh|xargs -i rpm -e --nodeps {} #安裝openssh7.9 echo "start update openssh . . . " sleep 2 tar xf openssh-7.9p1.tar.gz cd openssh-7.9p1 ./configure --prefix=/usr \ --sysconfdir=/etc/ssh \ --with-md5-passwords \ --with-pam \ --with-zlib \ --with-openssl-includes=/usr \ --with-privsep-path=/var/empty/sshd make && make install sleep 2 install -v -m755 contrib/ssh-copy-id /usr/bin install -v -m644 contrib/ssh-copy-id.1 /usr/share/man/man1 install -v -m755 -d /usr/share/doc/openssh-7.9p1 install -v -m644 INSTALL LICENCE OVERVIEW README* /usr/share/doc/openssh-7.9p1 #配置ssh cp -p contrib/redhat/sshd.init /etc/rc.d/init.d/sshd cp -p /tmp/$today/sshd_pam /etc/pam.d/sshd cp -p /tmp/$today/ssh-keycat /etc/pam.d chkconfig --add sshd sed -i '33 aPermitRootLogin yes' /etc/ssh/sshd_config sed -i '83 aUsePAM yes' /etc/ssh/sshd_config clear /etc/init.d/sshd start sleep 1 if [ $(pgrep sshd |wc -l) -eq 0 ];then start_telnet echo -e "\033[31m failed to start ssh,please use telnet to connetion . . . \033[0m" else # sed -i '/pts/d' /etc/securetty echo "openssh success update to 7.9p1 ! " fi

以上是小編花了幾個小時測試後整理的，覺得還行的幫忙點個贊哩~

後面會分享更多devops和DBA方面的内容，感興趣的朋友可以關注下！！

更多精彩资讯请关注tft每日頭條，我们将持续为您更新最新资讯!