SUSE Linux Enterprise Server 11 SP4 (x86_64): upgrade to OpenSSH 8.4p1

Environment:

SUSE Linux Enterprise Server 11 SP4 (x86_64)

SSH version: OpenSSH_6.6.1p1, OpenSSL 0.9.8j-fips 07 Jan 2009


Upgrade preparation: download the installation package and dependency packages

libopenssl-devel-1.1.0i-lp151.1.1.noarch.rpm

https://ftp.lysator.liu.se/pub/opensuse/distribution/leap/15.1/repo/oss/noarch/libopenssl-devel-1.1.0i-lp151.1.1.noarch.rpm

pam-devel-1.3.0-lp151.8.6.1.x86_64.rpm

https://mirrors.aliyun.com/opensuse/update/leap/15.1/oss/x86_64/pam-devel-1.3.0-lp151.8.6.1.x86_64.rpm

telnet-server-1.2-lp150.1.11.x86_64.rpm

http://www.rpmfind.net/linux/opensuse/distribution/leap/15.0/repo/oss/x86_64/telnet-server-1.2-lp150.1.11.x86_64.rpm

zlib-devel-1.2.11-lp152.8.6.1.x86_64.rpm

http://www.rpmfind.net/linux/opensuse/update/leap/15.2/oss/x86_64/zlib-devel-1.2.11-lp152.8.6.1.x86_64.rpm

zlib-1.2.11.tar.gz (from http://www.zlib.net/)

openssl-1.1.1h.tar.gz and openssl-fips-2.0.16.tar.gz (from https://www.openssl.org/source/)

openssh-8.4p1.tar.gz (from https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/)

Upgrade preparation: install the dependency packages

1. With the installation package and dependency packages ready, create a temporary directory on the server for the OpenSSH upgrade:

zpic1@linux-qsh9:~> mkdir openssh_tmp

2. Upload the installation package and dependency packages to that directory


3. Install the dependency packages

# grant permissions
zpic1@linux-qsh9:~> cd openssh_tmp/
zpic1@linux-qsh9:~/openssh_tmp> sudo chmod +x *.rpm
# run the install commands (--nodeps skips rpm's dependency check for these openSUSE Leap packages)
sudo rpm -ivh telnet-server-1.2-lp150.1.11.x86_64.rpm --nodeps
sudo rpm -ivh libopenssl-devel-1.1.0i-lp151.1.1.noarch.rpm --nodeps
sudo rpm -ivh zlib-devel-1.2.11-lp152.8.6.1.x86_64.rpm --nodeps
sudo rpm -ivh pam-devel-1.3.0-lp151.8.6.1.x86_64.rpm --nodeps


Upgrade preparation: enable telnet

Telnet is enabled so the server can still be reached if the SSH upgrade fails. If this is a virtual machine (with console access), you can skip this step:

1. The telnet service is not installed by default, so check whether it is installed:

linux-qsh9:/home/zpic1/openssh_tmp # chkconfig -list|grep telnet

If the following is displayed, telnet is already installed:

telnet: on

Otherwise it is not installed, and you need to install the telnet service with the following steps.


Note: if the command instead returns the following, the system has the Kerberos telnet server installed, which relies on a krb5 server for login:

ktelnet:      on

If no krb5 server is configured you will not be able to log in; the fix is to disable it with the following command:

linux-qsh9:/home/zpic1/openssh_tmp # chkconfig ktelnet off
linux-qsh9:/home/zpic1/openssh_tmp # chkconfig -list |grep telnet
    ktelnet:      off
    telnet:       on

2. Install the telnet service:

Enter "yast2 inetd":

linux-qsh9:/home/zpic1/openssh_tmp # yast2 inetd

Select the telnet service:

Note: after selecting it, use the Tab key to leave the selection list and choose "Edit":

If you make a mistake in this interface and need to delete text, use the key combination Ctrl+Backspace


Then select "Edit" and follow the prompts to insert the installation CD


Choose "Accept":

Then choose "Finish".

3. Open firewall port 23

Enter "yast2 firewall" to start the firewall configuration

linux-qsh9:/home/zpic1/openssh_tmp # yast2 firewall  

Select "Allowed Services", then select the "Telnet Server" option


Add it to the allowed list with "Add":


Alternatively, open the port under "Advanced". If you already selected the service, nothing more is needed here; if you did not select a service, set the port here:

Enter the port number, 23:


Note: if multiple ports are required, separate the port numbers with spaces

4. Remove /etc/securetty (by renaming it, so it can be restored later)

linux-qsh9:/home/zpic1/openssh_tmp # mv /etc/securetty /etc/securetty.bak

5. Restart the xinetd service

linux-qsh9:/home/zpic1/openssh_tmp # service xinetd restart
Shutting down xinetd: (waiting for all children to terminate)                                   done
Starting INET services. (xinetd)                                                                done
linux-qsh9:/home/zpic1/openssh_tmp # 

6. Then test whether you can log in to this server over telnet. If you cannot, comment out the line containing pam_securetty.so in /etc/pam.d/login and restart the xinetd service.

Note that installing telnet here is optional: it only guards against losing access to the server if the upgrade fails and SSH can no longer connect. If this is a virtual machine, or you can otherwise get at the server console easily, you can skip the telnet installation. The zlib and OpenSSL devel packages, on the other hand, are needed for the compilation steps later, so install them in advance.

Upgrade preparation: backup

openssl version
whereis openssl 
# back up the contents of the openssl paths found above

cp -r /etc/ssl /etc/ssl-bak
cp -r /usr/bin/openssl /usr/bin/openssl-bak
cp -r /usr/include/openssl /usr/include/openssl-bak
cp -r /etc/ssh  /etc/ssh-bak
cp -r /etc/init.d/sshd  /etc/init.d/sshd-bak


Upgrade preparation: compile zlib

linux-qsh9:/home/zpic1/openssh_tmp # tar xzf zlib-1.2.11.tar.gz 
linux-qsh9:/home/zpic1/openssh_tmp # cd zlib-1.2.11/
linux-qsh9:/home/zpic1/openssh_tmp/zlib-1.2.11 # ./configure --shared
linux-qsh9:/home/zpic1/openssh_tmp/zlib-1.2.11 # make && make install

Upgrade preparation: compile openssl-fips

linux-qsh9:/home/zpic1/openssh_tmp/openssl-1.1.1h # cd ..
linux-qsh9:/home/zpic1/openssh_tmp # tar xzf openssl-fips-2.0.16.tar.gz 
linux-qsh9:/home/zpic1/openssh_tmp # cd openssl-fips-2.0.16/
linux-qsh9:/home/zpic1/openssh_tmp/openssl-fips-2.0.16 # ./config --prefix=/usr/local/openssl --openssldir=/etc/ssl shared
linux-qsh9:/home/zpic1/openssh_tmp/openssl-fips-2.0.16 # make && make install

Upgrade preparation: compile openssl

linux-qsh9:/home/zpic1/openssh_tmp/zlib-1.2.11 # cd ..
linux-qsh9:/home/zpic1/openssh_tmp # tar xzf openssl-1.1.1h.tar.gz 
linux-qsh9:/home/zpic1/openssh_tmp # cd openssl-1.1.1h/
linux-qsh9:/home/zpic1/openssh_tmp/openssl-1.1.1h # ./config --prefix=/usr/local/openssl --openssldir=/etc/ssl shared zlib
linux-qsh9:/home/zpic1/openssh_tmp/openssl-1.1.1h # make && make install
# create the symlinks for openssl
linux-qsh9:/home/zpic1/openssh_tmp/openssl-1.1.1h # ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl 
(Here I got an error saying the file exists, because the earlier backup was made with cp rather than mv, so I simply deleted /usr/bin/openssl and created the link again)
linux-qsh9:/home/zpic1/openssh_tmp/openssl-1.1.1h # ln -s /usr/local/openssl/include/openssl /usr/include/openssl
linux-qsh9:/home/zpic1/openssh_tmp/openssl-1.1.1h # echo "/usr/local/openssl/lib" >> /etc/ld.so.conf

# refresh the shared library cache
linux-qsh9:/home/zpic1/openssh_tmp/openssl-1.1.1h # ldconfig

# check that the version now reports the newly built OpenSSL (1.1.1h here)
linux-qsh9:/home/zpic1/openssh_tmp/openssl-1.1.1h # openssl version  


Upgrade OpenSSH

linux-qsh9:/home/zpic1/openssh_tmp/openssl-fips-2.0.16 # cd ..
linux-qsh9:/home/zpic1/openssh_tmp # tar xzf openssh-8.4p1.tar.gz 
linux-qsh9:/home/zpic1/openssh_tmp # cd openssh-8.4p1/
# stop the sshd service and remove the old version
linux-qsh9:/home/zpic1/openssh_tmp # service sshd stop
linux-qsh9:/home/zpic1/openssh_tmp # zypper rm openssh

# build the new version
linux-qsh9:/home/zpic1/openssh_tmp/openssh-8.4p1 # ./configure --prefix=/usr  --with-md5-passwords --with-ssl-dir=/usr/local/openssl --with-zlib=/usr/local/zlib
linux-qsh9:/home/zpic1/openssh_tmp/openssh-8.4p1 # make && make install
# check the newly installed version
linux-qsh9:/home/zpic1/openssh_tmp/openssh-8.4p1 # ssh -V 
# copy the init script
linux-qsh9:/home/zpic1/openssh_tmp/openssh-8.4p1 # cd contrib/suse
linux-qsh9:/home/zpic1/openssh_tmp/openssh-8.4p1/contrib/suse # cp rc.sshd /etc/init.d/sshd 
linux-qsh9:/home/zpic1/openssh_tmp/openssh-8.4p1/contrib/suse # chmod 755 /etc/init.d/sshd
# edit the ssh config file to allow root login and password authentication
linux-qsh9:/home/zpic1/openssh_tmp/openssh-8.4p1/contrib/suse # vim /etc/ssh/sshd_config
# set PermitRootLogin yes
# uncomment PasswordAuthentication

linux-qsh9:/home/zpic1/openssh_tmp/openssh-8.4p1/contrib/suse # /etc/init.d/sshd start 
# try logging in to confirm it works
# enable start at boot
linux-qsh9:/home/zpic1/openssh_tmp/openssh-8.4p1/contrib/suse # chkconfig --add sshd
linux-qsh9:/home/zpic1/openssh_tmp/openssh-8.4p1/contrib/suse # chkconfig sshd on
# shut down the telnet service, to avoid leaving an unnecessary port open and having telnet vulnerabilities show up in later scans
linux-qsh9:/home/zpic1/openssh_tmp/openssh-8.4p1/contrib/suse # /etc/init.d/xinetd stop
# edit /etc/xinetd.d/telnet and set disable = yes
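
A post-upgrade check for the sshd_config edits and the telnet shutdown, as an added example that is not part of the original post. It reads settings the way sshd does (first occurrence wins, keywords case-insensitive, comments ignored, only the global section before any Match line) and checks that the xinetd telnet entry has disable = yes; the two sample files are constructed so it runs offline, the defaults prohibit-password and yes are OpenSSH 8.4's, and the /etc paths are the ones used above.

```shell
# Added example, not from the original post. Sample files are constructed;
# on the real host pass /etc/ssh/sshd_config and /etc/xinetd.d/telnet.
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT

# Constructed /etc/ssh/sshd_config after the edits above; the second
# PermitRootLogin line shows that sshd ignores later duplicates.
cat > "$TMP/sshd_config" <<'EOF'
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
Match User backup
    PasswordAuthentication no
EOF

# Constructed /etc/xinetd.d/telnet with the service switched off
cat > "$TMP/telnet" <<'EOF'
service telnet
{
    server  = /usr/sbin/in.telnetd
    disable = yes
}
EOF

# sshd keeps the FIRST value it reads for a keyword (case-insensitive),
# skips comment lines and treats everything after "Match" as conditional,
# so only the global section is consulted; DEFAULT is printed if unset.
sshd_effective() {  # usage: sshd_effective FILE KEYWORD DEFAULT
    awk -v key="$2" -v def="$3" '
        /^[[:space:]]*#/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(key) { print $2; found = 1; exit }
        END { if (!found) print def }' "$1"
}

# xinetd serves the entry unless "disable = yes"; a missing attribute or a
# missing file counts as NOT disabled, so the check errs on the safe side.
telnet_disabled() {  # usage: telnet_disabled FILE
    awk -F= '/^[[:space:]]*disable[[:space:]]*=/ { v = $2; gsub(/[[:space:]]/, "", v); s = tolower(v) }
             END { exit s != "yes" }' "$1" 2>/dev/null
}

# Report what the new sshd will actually enforce and whether port 23 is still served.
upgrade_summary() {  # usage: upgrade_summary SSHD_CONFIG XINETD_TELNET
    printf 'PermitRootLogin        = %s\n' "$(sshd_effective "$1" PermitRootLogin prohibit-password)"
    printf 'PasswordAuthentication = %s\n' "$(sshd_effective "$1" PasswordAuthentication yes)"
    if telnet_disabled "$2"; then echo "telnet: disabled in xinetd"
    else echo "telnet: STILL ENABLED in xinetd (set disable = yes, restart xinetd)"; fi
}
upgrade_summary "$TMP/sshd_config" "$TMP/telnet"
```

On the host, run "sshd -t" as well to validate /etc/ssh/sshd_config before restarting sshd, and call upgrade_summary on the live files once xinetd has been restarted.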


Source: blog.51cto.com/11625535/2542767