
Upgrading OpenSSH to 8.8; unable to log in remotely after upgrading OpenSSH to 8.5

Time: 2023-05-03 14:46:45  Views: 194537  Author: 383

Install dependencies

    yum install -y gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel pam-devel
    yum install -y pam* zlib*

Upgrade OpenSSL

    # --no-check-certificate turns off TLS certificate validation for the download,
    # so check the tarball against the project's published checksum or signature before building.
    wget https://www.openssl.org/source/openssl-1.1.1l.tar.gz --no-check-certificate
    mv /usr/bin/openssl /usr/bin/openssl.old
    mv /usr/include/openssl /usr/include/openssl.old
    tar -zxvf openssl-1.1.1l.tar.gz
    cd openssl-1.1.1l/
    ./config --prefix=/usr/local/openssl
    make
    make install
    ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
    ln -s /usr/local/openssl/include/openssl /usr/include/openssl
    echo "/usr/local/openssl/lib" >> /etc/ld.so.conf
    ldconfig -v
    openssl version

Upgrade OpenSSH

    chmod 600 /etc/ssh/*   # permissions must be 600, otherwise sshd raises a warning
    wget -c https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/openssh-8.8p1.tar.gz --no-check-certificate
    cp /usr/bin/ssh /usr/bin/ssh.bak
    cp /usr/sbin/sshd /usr/sbin/sshd.bak
    mv /etc/ssh /etc/ssh.bak
    tar -zxvf openssh-8.8p1.tar.gz
    cd openssh-8.8p1
    # --with-ssl-dir must point at the OpenSSL --prefix used above
    ./configure --prefix=/usr/ --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/openssl --with-zlib --with-md5-passwords --with-pam
    make && make install
    # Replace the startup file and the PAM file
    cp ./contrib/redhat/sshd.init /etc/init.d/sshd
    cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd.pam
    mv /usr/lib/systemd/system/sshd.service /usr/lib/systemd/system/sshd.service_bak
    systemctl daemon-reload
    systemctl restart sshd
    systemctl status sshd

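After the OpenSSH upgrade, logging in as a normal user and running ulimit -n shows that only 1024 open file descriptors are allowed. This happens because ./configure was run without the --with-pam option. After rebuilding with that option, logging in to the system still fails, and the /etc/pam.d/sshd file has to be rewritten: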

    #%PAM-1.0
    auth       required     pam_sepermit.so
    auth       substack     password-auth
    auth       include      postlogin
    # Used with polkit to reauthorize users in remote sessions
    -auth      optional     pam_reauthorize.so prepare
    account    required     pam_nologin.so
    account    include      password-auth
    password   include      password-auth
    # pam_selinux.so close should be the first session rule
    session    required     pam_selinux.so close
    session    required     pam_loginuid.so
    # pam_selinux.so open should only be followed by sessions to be executed in the user context
    session    required     pam_selinux.so open env_params
    session    required     pam_namespace.so
    session    optional     pam_keyinit.so force revoke
    session    include      password-auth
    session    include      postlogin
    # Used with polkit to reauthorize users in remote sessions
    -session   optional     pam_reauthorize.so prepare
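A pre-restart check for the rewritten /etc/pam.d/sshd, so that a bad PAM file is caught before `systemctl restart sshd` cuts off remote access. This is an added example, not part of the original post. The function names are hypothetical, the PAM file is assumed to be RHEL-style (no `@include` lines), and the `UsePAM` check is an assumption that goes beyond the page: the freshly installed sshd_config must also enable PAM for the file to be used.

```shell
#!/bin/sh
# Added example: checks to run before "systemctl restart sshd".
# File paths are arguments so the checks can be run against copies first.

# True only if sshd_config ($1) sets "UsePAM yes". sshd takes the first
# occurrence of a keyword, and a commented-out "#UsePAM" line does not count.
usepam_enabled() {
    val=$(awk 'tolower($1) == "usepam" { print tolower($2); exit }' "$1")
    [ "$val" = "yes" ]
}

# Prints each PAM management group that has no rule in service file $1.
# A file pasted as one long line starts with "#%PAM-1.0", so PAM reads it as
# a single comment and all four groups are reported.
pam_missing_groups() {
    for group in auth account password session; do
        awk -v g="$group" '
            /^[ \t]*#/ || /^[ \t]*$/ { next }   # comments and blank lines
            { t = $1; sub(/^-/, "", t) }        # "-" only silences missing-module logging
            t == g { found = 1 }
            END { exit !found }' "$1" || printf '%s ' "$group"
    done
}

# Prints the number of rules whose type is unknown or that lack a
# control flag and module (fewer than three fields).
pam_bad_lines() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { t = $1; sub(/^-/, "", t) }
        t !~ /^(auth|account|password|session)$/ || NF < 3 { bad++ }
        END { print bad + 0 }' "$1"
}

# $1 = sshd_config, $2 = PAM service file; returns non-zero on any finding.
pre_restart_check() {
    rc=0
    usepam_enabled "$1" || { echo "UsePAM is not 'yes' in $1"; rc=1; }
    missing=$(pam_missing_groups "$2")
    [ -z "$missing" ] || { echo "$2 has no rules for: $missing"; rc=1; }
    [ "$(pam_bad_lines "$2")" -eq 0 ] || { echo "malformed rule in $2"; rc=1; }
    return "$rc"
}
```

Run `pre_restart_check /etc/ssh/sshd_config /etc/pam.d/sshd` from a session that stays open, and restart sshd only when it returns 0.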
