方案:
保留原openssh 和openssl不变,新编译openssh和openssl,测试完成后逐步替换原版本。
生产环境小心。
操作系统
root@debian138:/etc/init.d# uname -a
Linux debian138 4.9.0-6-amd64 #1 SMP Debian 4.9.82-1+deb9u3 (2018-03-02) x86_64 GNU/Linux
root@debian138:/etc/init.d# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 9.4 (stretch)
Release: 9.4
Codename: stretch
资源下载
如果gcc没有先下载
https://packages.debian.org/stretch/amd64/gcc/download
gcc_6.3.0-4_amd64.deb
如果没有Make先下载
https://packages.debian.org/stretch/amd64/make/download
make_4.1-9.1_amd64.deb
zlib1g-dev-需下载
编译openssl时需要:
zlib1g-dev_1.2.8.dfsg-5+deb9u1_amd64.deb
##redhat系列 yum install zlib-devel -y
需要pam开发包
apt install libpam0g-dev
##redhat系列 yum install pam-devel -y ,yum install tcp_wrappers-devel -y
以上过程略。
安装
OpenSSL 新版本 1.1.1n
自定义到/opt/openssl-1.1.1n。
Configure
root@debian138:~# tar -xzvf openssl-1.1.1n.tar.gz
cd openssl-1.1.1n
root@debian138:~/openssl-1.1.1n# pwd
/root/openssl-1.1.1n
root@debian138:~/openssl-1.1.1n# ./config --prefix=/opt/openssl-1.1.1n --openssldir=/opt/openssl-1.1.1n/openssl zlib-dynamic shared -fPIC
Operating system: x86_64-whatever-linux2
Configuring OpenSSL version 1.1.1n (0x101010efL) for linux-x86_64
Using os-specific seed configuration
Creating configdata.pm
Creating Makefile
**********************************************************************
*** ***
*** OpenSSL has been successfully configured ***
*** ***
*** If you encounter a problem while building, please open an ***
*** issue on GitHub <https://github.com/openssl/openssl/issues> ***
*** and include the output from the following command: ***
*** ***
*** perl configdata.pm --dump ***
*** ***
*** (If you are new to OpenSSL, you might want to consult the ***
*** 'Troubleshooting' section in the INSTALL file first) ***
*** ***
Make
#make
。。
Make test
#make test
。。。
make install
。。。
pt/openssl-1.1.1n/share/doc/openssl/html/man7/X25519.html
/opt/openssl-1.1.1n/share/doc/openssl/html/man7/X448.html -> /opt/openssl-1.1.1n/share/doc/openssl/html/man7/X25519.html
/opt/openssl-1.1.1n/share/doc/openssl/html/man7/x509.html
库文件目录添加
root@debian138:/opt/openssl-1.1.1n# echo '/opt/openssl-1.1.1n/lib' >> /etc/ld.so.conf
root@debian138:/opt/openssl-1.1.1n# ldconfig
。。
root@debian138:/opt/openssl-1.1.1n/lib# /opt/openssl-1.1.1n/bin/openssl version
../bin/openssl: /usr/lib/x86_64-linux-gnu/libssl.so.1.1: version `OPENSSL_1_1_1' not found (required by ../bin/openssl)
../bin/openssl: /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1: version `OPENSSL_1_1_1' not found (required by ../bin/openssl)
--- 说明:报错原因是系统目录 /usr/lib/x86_64-linux-gnu 下已有同名的 libssl.so.1.1/libcrypto.so.1.1(Debian 9 自带的 libssl1.1 为 1.1.0 系列,不含 OPENSSL_1_1_1 符号版本),动态链接器优先命中系统目录,追加到 /etc/ld.so.conf 末尾的 /opt 路径排在其后。下面用直接覆盖系统库的方式解决,这与开头“保留原 openssl 不变”的方案相悖,且以后 apt 升级 libssl1.1 时文件可能被还原,导致新 openssl/sshd 再次失效;更稳妥的做法是编译时指定 rpath(如 -Wl,-rpath,/opt/openssl-1.1.1n/lib)或通过 LD_LIBRARY_PATH 指向新库目录。若仍选择覆盖,覆盖前先备份原库文件。
cp /opt/openssl-1.1.1n/lib/libssl.so.1.1 /usr/lib/x86_64-linux-gnu/libssl.so.1.1
cp /opt/openssl-1.1.1n/lib/libcrypto.so.1.1 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
root@debian138:/opt/openssl-1.1.1n/lib# /opt/openssl-1.1.1n/bin/openssl version
OpenSSL 1.1.1n 15 Mar 2022
版本已到新版本:
/opt/openssl-1.1.1n/bin/openssl version -a
OpenSSL 1.1.1n 15 Mar 2022
built on: Thu Apr 7 04:31:15 2022 UTC
platform: linux-x86_64
options: bn(64,64) rc4(16x,int) des(int) idea(int) blowfish(ptr)
。。。
openssh-8.9p1
系统自带ssh
root@debian138:~/openssh-8.9p1# ssh -V
OpenSSH_7.4p1 Debian-10+deb9u6, OpenSSL 1.0.2u 20 Dec 2019
Configure
自定义到/opt/openssh8.9:
./configure --prefix=/opt/openssh8.9 --with-ssl-dir=/opt/openssl-1.1.1n --with-pam
。。。
PAM is enabled. You may need to install a PAM control file
for sshd, otherwise password authentication may fail.
Example PAM control files can be found in the contrib/
subdirectory
Make
#make
。。
cc -g -O2 -pipe -Wall -Wextra -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-parameter -Wno-unused-result -Wmisleading-indentation -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE -I. -I. -I/opt/openssl-1.1.1n/include -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -DSSHDIR=\"/opt/openssh8.9/etc\"
...
cc -o ssh-sk-helper ssh-sk-helper.o ssh-sk.o sk-usbhid.o -L. -Lopenbsd-compat/ -L/opt/openssl-1.1.1n/lib -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -pie -lssh -lopenbsd-compat -lssh -lopenbsd-compat -lcrypto -ldl -lutil -lz -lcrypt -lresolv
Make install
root@debian138:~/openssh-8.9p1# make install
...
ssh-keygen: generating new host keys: RSA DSA ECDSA ED25519
/opt/openssh8.9/sbin/sshd -t -f /opt/openssh8.9/etc/sshd_config
设置路径
echo 'export PATH=/opt/openssh8.9/bin:/opt/openssh8.9/sbin:$PATH' >> /etc/profile.d/path.sh
chmod u+x /etc/profile.d/path.sh
. /etc/profile.d/path.sh
新版本:
/opt/openssh8.9/bin# /opt/openssh8.9/bin/ssh -V
OpenSSH_8.9p1, OpenSSL 1.1.1n 15 Mar 2022
sshd_config(注意:UsePAM yes 需要 sshd 的 PAM 控制文件,见上文 configure 的提示;本文未单独安装,应是沿用系统 openssh-server 已提供的 /etc/pam.d/sshd,若日后卸载原 openssh-server 需自行确认该文件仍存在)
此处按测试惯例放开 root 远程登录,生产环境应禁用 root 直接登录(PermitRootLogin no):
cd /opt/openssh8.9/etc/
cp -p /opt/openssh8.9/etc/sshd_config /opt/openssh8.9/etc/sshd_config.bk
vi sshd_config
#Port 22
Port 22022
PermitRootLogin yes
#PermitRootLogin prohibit-password
#PasswordAuthentication yes
PasswordAuthentication yes
#UsePAM no
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
或者(sshd 对同一关键字只采用首次出现的值,以下追加方式仅在上方对应配置行仍为注释时才生效):
cat<<eof >>/opt/openssh8.9/etc/sshd_config
Port 22022
PermitRootLogin yes
PasswordAuthentication yes
UsePAM yes
X11Forwarding yes
eof
开机自启动
复制原ssh启动文件并修改
原启动文件:
more /etc/init.d/ssh
cp -p /etc/init.d/ssh /etc/init.d/ssh.89
vi /etc/init.d/ssh.89
替换所有/usr/sbin/sshd为/opt/openssh8.9/sbin/sshd
:%s+/usr/sbin/sshd+/opt/openssh8.9/sbin/sshd+g
开机自启动制作
新建/etc/rc.local
vi /etc/rc.local
# By default this script does nothing.
/etc/init.d/ssh.89 start
exit 0
保存退出。
chmod u+x /etc/rc.local
客户端连接:
----都勾选
通过新版本ssh已登录成功:
停原系统自带ssh服务
# netstat -lantp4
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 511/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 940/exim4
tcp 0 0 0.0.0.0:22022 0.0.0.0:* LISTEN 709/sshd: /opt/open
tcp 0 624 192.168.111.138:22 192.168.111.1:5066 ESTABLISHED 1868/sshd: root@pts
tcp 0 0 192.168.111.138:22 192.168.111.1:1032 ESTABLISHED 1880/sshd: root@pts
tcp 0 0 192.168.111.138:22022 192.168.111.1:16738 ESTABLISHED 1447/sshd: root@pt
禁用系统自带的 ssh,仅保留新版本 22022 端口(disable 只取消开机自启,不会停止正在运行的服务,还需 systemctl stop ssh 或重启;下方 PID 已变化,应是重启后的结果):
systemctl disable ssh
Removed /etc/systemd/system/sshd.service.
Removed /etc/systemd/system/multi-user.target.wants/ssh.service.
root@debian138:~# netstat -lantp4
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 964/exim4
tcp 0 0 0.0.0.0:22022 0.0.0.0:* LISTEN 732/sshd: /opt/open
tcp 0 624 192.168.111.138:22022 192.168.111.1:3926 ESTABLISHED 1039/sshd: root@pts
已停掉原22端口。
总结
编译环境
Gcc单独安装会有大量依赖,建议在线安装或光驱iso做本地仓库源。
Make可以使用make_4.1-9.1_amd64.deb直接安装,无依赖
所需包
openssh-8.9p1.tar.gz
openssl-1.1.1n.tar.gz
openssl需要zlib1g-dev开发包,openssh需要pam开发包
先安装zlib1g-dev和libpam0g-dev_1.1.8-3.6_amd64.deb
openssl
./config --prefix=/opt/openssl-1.1.1n --openssldir=/opt/openssl-1.1.1n/openssl zlib-dynamic shared -fPIC
make
make test
make install
openssh
./configure --prefix=/opt/openssh8.9 --with-ssl-dir=/opt/openssl-1.1.1n --with-pam
make
make install
配置ssh
cp -p /etc/init.d/ssh /etc/init.d/ssh.89
vi /etc/init.d/ssh.89
替换所有/usr/sbin/sshd为/opt/openssh8.9/sbin/sshd
:%s+/usr/sbin/sshd+/opt/openssh8.9/sbin/sshd+g
自启动
vi /etc/rc.local
/etc/init.d/ssh.89 start
exit 0
chmod u+x /etc/rc.local
systemctl start rc.local
停原 ssh(取消自启;当前运行的实例需另行 systemctl stop ssh 或重启)
systemctl disable ssh