本文涉及rpm源码包下载地址:http://mirrors.163.com/centos/6/os/x86_64/Packages
安装之前配置环境变量 /etc/profile 增加以下几行
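# Lines to append to /etc/profile so the self-built headers and libraries under
# /usr/local are searched first at compile time and run time.
# The ${VAR:+:$VAR} form appends the ":" separator only when the variable
# already holds a value. The original ":$VAR" on an unset variable left a
# trailing ":", and an empty path element is treated by gcc (C_INCLUDE_PATH)
# and by the dynamic loader (LD_LIBRARY_PATH) as "also search the current
# directory" - an unwanted extra lookup location for every login shell.
# NOTE(review): the OpenSSL build in step 4 installs into /usr/local/ssl/lib and
# is registered there via ld.so.conf, so these two entries may not be what the
# build actually relies on - confirm with `ldd /usr/sbin/sshd` afterwards.
export C_INCLUDE_PATH=/usr/local/include${C_INCLUDE_PATH:+:$C_INCLUDE_PATH}
export LD_LIBRARY_PATH=/usr/local/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}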
1.安装Telnet服务
防止升级 ssh 时会话意外断开后无法再次登录服务器
### Red Hat 6
# When rolling this out to other hosts, install these build dependencies first
# so that "make install" does not fail. --nodeps skips rpm's dependency check,
# so whatever these packages themselves require must already be present.
rpm -ivhU --nodeps pam-devel-1.1.1-24.el6.x86_64.rpm
rpm -ivhU --nodeps gcc-4.4.7-18.el6.x86_64.rpm
rpm -ivhU --nodeps glibc-devel-2.12-1.209.el6.x86_64.rpm
# Telnet service: a clear-text login path kept only for the duration of the
# sshd replacement (it is removed again in step 6).
rpm -ivhU xinetd-2.3.14-40.el6.x86_64.rpm
rpm -ivhU telnet-server-0.17-48.el6.x86_64.rpm
rpm -ivhU telnet-0.17-48.el6.x86_64.rpm

### Red Hat 7
rpm -ivhU --nodeps pam-devel-1.1.8-18.el7.x86_64.rpm
rpm -ivhU --nodeps gcc-4.8.5-16.el7.x86_64.rpm
rpm -ivhU --nodeps glibc-devel-2.17-196.el7.x86_64.rpm
# NOTE(review): on Red Hat 7 telnet-server is normally socket-activated by
# systemd (telnet.socket) rather than by xinetd, so the /etc/xinetd.d/telnet
# edit that follows may not apply there - confirm which unit owns port 23.
rpm -ivhU xinetd-2.3.15-13.el7.x86_64.rpm
rpm -ivhU telnet-server-0.17-64.el7.x86_64.rpm
rpm -ivhU telnet-0.17-64.el7.x86_64.rpm
将文件/etc/xinetd.d/telnet内容“disable=yes”值改为“no”
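# Start the telnet fallback, then confirm xinetd really enabled it before sshd
# is touched - it is the only way back in if the upgrade goes wrong.
service xinetd restart
chkconfig --list telnet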
2.卸载旧版本openssl和openssh
# Remove the distribution openssl/openssh packages so the self-built versions
# take their place. --nodeps bypasses rpm's dependency check: anything linked
# against the packaged libssl/libcrypto only works again once step 4 has put
# the new libraries in /usr/lib64, and new ssh logins may be impossible until
# step 5 - hence the telnet fallback from step 1.
rpm -qa | grep openssl
rpm -e --nodeps xxx      # xxx: each package name printed by the query above
rpm -qa | grep openssh
rpm -e --nodeps xxx      # same for the openssh packages
3.关闭SELinux
# Switch SELinux to permissive for the running system; the permanent change is
# the SELINUX=disabled edit in /etc/selinux/config that follows.
# NOTE(review): disabling SELinux machine-wide gives up confinement for every
# service, not just sshd. If the goal is only to let the self-built sshd run,
# restoring the standard file contexts (restorecon -v /usr/sbin/sshd) is
# usually enough - confirm on a test host before disabling it outright.
setenforce Permissive
将文件/etc/selinux/config内容“SELINUX=enforcing”值改为“disabled”
4.安装openssl-1.0.2m
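# Download https://www.openssl.org/source/openssl-1.0.2m.tar.gz
# Before building, compare `sha256sum openssl-1.0.2m.tar.gz` with the .sha256
# file (or check the .asc signature) published next to the tarball, so a
# tampered copy is not compiled into the login daemon.
# Unpack; the tarball extracts into ./openssl-1.0.2m in the current directory
tar xvf openssl-1.0.2m.tar.gz
# Enter the extracted tree. Relative path: the original "cd /openssl-1.0.2m"
# pointed at the filesystem root, where nothing was extracted.
cd openssl-1.0.2m
# Build shared libraries and install under /usr/local/ssl. A built tree can be
# reused on other hosts with "make install" alone.
./config shared && make && make install
# Register the library directory with the dynamic loader (guarded so a repeated
# run does not append the same line again), then refresh the loader cache
grep -qxF /usr/local/ssl/lib /etc/ld.so.conf || echo "/usr/local/ssl/lib" >> /etc/ld.so.conf
ldconfig -v
# Publish the new libraries under the sonames the distribution used
# (libssl.so.10 / libcrypto.so.10) so binaries built against the packaged
# 1.0.x openssl keep resolving.
# NOTE(review): this is an ABI assumption - programs the distribution built
# against its own patched openssl may misbehave; ntpd (step 7) is one known
# case and has to be rebuilt.
cp /usr/local/ssl/lib/libssl.so.1.0.0 /usr/lib64
cp /usr/local/ssl/lib/libcrypto.so.1.0.0 /usr/lib64
chmod 555 /usr/lib64/libssl.so.1.0.0
chmod 555 /usr/lib64/libcrypto.so.1.0.0
ln -s /usr/lib64/libcrypto.so.1.0.0 /usr/lib64/libcrypto.so.10
ln -s /usr/lib64/libssl.so.1.0.0 /usr/lib64/libssl.so.10
ln -s /usr/lib64/libcrypto.so.1.0.0 /usr/lib64/libcrypto.so
ln -s /usr/lib64/libssl.so.1.0.0 /usr/lib64/libssl.so
ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
ln -s /usr/local/ssl/include/openssl /usr/include/openssl
# Confirm the new build is the one found on PATH
openssl version -a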
5.安装openssh-7.6p1
# Download http://mirror.internode.on.net/pub/OpenBSD/OpenSSH/portable/openssh-7.6p1.tar.gz
# (plain-http mirror: verify the release signature, openssh-7.6p1.tar.gz.asc
# from the OpenSSH project, before building - this becomes the login daemon)
# Unpack into ./openssh-7.6p1 and enter the tree
tar xvf openssh-7.6p1.tar.gz
cd openssh-7.6p1
# Configure against the OpenSSL from step 4 and install under /usr
# (sshd -> /usr/sbin/sshd, sftp-server -> /usr/libexec/sftp-server, config in
# /etc/ssh). A built tree can be reused on other hosts with "make install"
# alone, which should also generate any missing host keys in /etc/ssh.
# NOTE(review): --without-hardening switches off the compiler/linker hardening
# (stack protector, PIE, RELRO) that configure would otherwise probe for; drop
# the flag unless the build genuinely fails with it on this toolchain.
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-zlib \
  --with-ssl-dir=/usr/local/ssl --without-hardening --with-pam \
  && make && make install
5.1编辑/etc/ssh/sshd_config
# Edit the sshd configuration; the complete file to paste in follows below.
vi -- /etc/ssh/sshd_config
将以下内容全部复制到/etc/ssh/sshd_config
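# $OpenBSD: sshd_config,v 1.93 2014/01/10 05:59:19 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
#
# Notes for this copy (used with the self-built OpenSSH 7.6p1):
#  - the template predates 7.6; the commented protocol-1 era options
#    (KeyRegenerationInterval, ServerKeyBits, RSAAuthentication,
#    RhostsRSAAuthentication, UseLogin) are obsolete and harmless only
#    because they stay commented
#  - global directives are kept above the "Match" example, because anything
#    after an active Match line applies to that match only
#  - validate with "sshd -t" before restarting

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
# (this sshd is protocol-2 only, so the line should be a no-op)
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Ciphers and keying
#RekeyLimit default none

# Legacy key-exchange methods for old clients. The leading "+" appends them to
# the 7.6 default set (curve25519, ecdh-sha2-*, group-exchange-sha256,
# group14/16/18) instead of replacing it; the previous explicit list dropped
# curve25519 and the sha256/sha512 DH groups and listed group1-sha1 twice.
# diffie-hellman-group1-sha1 (1024-bit modulus) and
# diffie-hellman-group-exchange-sha1 are disabled by default upstream; remove
# them as soon as no client still depends on them.
KexAlgorithms +diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Passwords stay enabled so the first login after the upgrade works without
# pre-deployed keys. Once keys are in place, set this to "no"
# (PubkeyAuthentication is on by default) to take password guessing off the
# table.
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# (the stack used is /etc/pam.d/sshd from step 5.3)
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
# No reverse lookups of client addresses: faster logins, and the result was
# never suitable for access decisions anyway
UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none
# Pre-login banner text; create the file before restarting (sshd only logs a
# warning if it is missing, and shows no banner)
Banner /etc/sshbanner

# override default of no subsystems
# (/usr/libexec is where the --prefix=/usr build installs sftp-server)
Subsystem sftp /usr/libexec/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#   X11Forwarding no
#   AllowTcpForwarding no
#   PermitTTY no
#   ForceCommand cvs server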
5.2编辑/etc/init.d/sshd
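# Install the Red Hat SysV init script shipped in the OpenSSH source tree.
# The path is relative to the directory the tarball was unpacked in (step 5
# ended inside openssh-7.6p1, so come back up one level first). Copying by
# path instead of cd-ing there leaves the shell where it was, and it
# overwrites whatever /etc/init.d/sshd the removed package may have left.
cp openssh-7.6p1/contrib/redhat/sshd.init /etc/init.d/sshd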
5.3编辑/etc/pam.d/sshd
# Write the PAM stack for sshd; the complete file to paste in follows below.
vi -- /etc/pam.d/sshd
将以下内容全部复制到/etc/pam.d/sshd
#%PAM-1.0
# PAM stack for the self-built sshd (UsePAM yes). The real authentication,
# account, password and session modules come from the shared password-auth
# stack; the lines here add the sshd-specific checks around it.
# With SELinux disabled (step 3) the pam_selinux lines should be no-ops.
auth       required     pam_sepermit.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth
5.4服务配置
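# Make the init script executable
chmod u+x /etc/init.d/sshd
# Register the service and enable it at boot
chkconfig --add sshd
chkconfig sshd on
chkconfig --list | grep sshd
# Validate the configuration before restarting: a typo in sshd_config would
# otherwise leave the host with no working sshd and only the telnet fallback
# from step 1 to get back in. -t exits non-zero and names the offending line,
# so the restart only runs on a clean check.
/usr/sbin/sshd -t && service sshd restart
# Report the version; keep this session open and verify a fresh ssh login from
# a second terminal before trusting the new daemon (step 6)
ssh -V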
6.测试ssh服务是否正常
测试时保留当前会话，另开一个终端确认能用新 sshd 登录；确认 ssh 服务正常后再将 Telnet 服务卸载
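# Remove the clear-text fallback now that the new sshd has been verified.
# Package names without a version match the el6 and the el7 builds from
# step 1 alike (the original line only named the el6 versions). The telnet
# client package is left installed; remove it as well if nothing needs it.
rpm -e telnet-server xinetd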
7.安装ntp服务
由于升级 openssl 后 ntpd 服务无法启动（报错：ntpd: OpenSSL version mismatch. Built against 10000003, you have 100020bf），所以需要重新编译 ntpd。
7.1编译安装
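# Remove the packaged ntp (ntpdate and ntp-*); replace xxx with the package
# names printed by each query. --nodeps skips rpm's dependency check.
rpm -qa | grep ntpdate
rpm -e xxx --nodeps
rpm -qa | grep ntp-
rpm -e xxx --nodeps
# Build dependency for --enable-linuxcaps: the capability headers and the
# libcap.so link are provided by libcap-devel. The original step also
# symlinked /usr/local/ssl/lib/engines/libcapi.so to /lib64/libcap.so; that
# file is OpenSSL's CAPI engine, not the capabilities library, and the link
# would have shadowed the real libcap with an unrelated shared object, so it
# is dropped here.
rpm -qa | grep libcap
rpm -ivh libcap-2.16-5.5.el6.x86_64.rpm
rpm -ivh libcap-devel-2.16-5.5.el6.x86_64.rpm
# Download http://www.eecis.udel.edu/~ntp/ntp_spool/ntp4/ntp-4.2/ntp-4.2.8p10.tar.gz
# (plain http: compare the tarball against the checksum published by the NTP
# project before building)
tar xvf ntp-4.2.8p10.tar.gz
cd ntp-4.2.8p10
# --prefix=/usr installs the daemon as /usr/bin/ntpd, the path the init
# script in step 7.2 expects
./configure --prefix=/usr --enable-all-clocks --enable-parse-clocks --enable-linuxcaps --disable-ipv6 --without-ntpsnmpd
make
make install
# The init script runs ntpd as ntp:ntp; confirm that account survived the
# package removal (id ntp) and recreate it if it did not.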
7.2修改配置文件
# Create the init script for the rebuilt ntpd (the packaged script went away
# with the rpm, if it was owned by it); the complete file follows below.
vi -- /etc/init.d/ntpd
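#!/bin/sh
# chkconfig: - 58 74
# description: ntpd keeps the system clock synchronised with NTP servers.
#
# SysV init script for the self-built ntpd installed under /usr.
# Usage: /etc/init.d/ntpd (start|stop|restart|status)
#
# The two header comments above are what chkconfig parses; without them
# "chkconfig --add ntpd" refuses the service.
# The pid file is treated as untrusted input: it is written by ntpd, which
# runs as $USER, so a value read from it is only acted on by the root-run
# stop/status paths if it is a plain number naming a process whose command
# is ntpd. "restart" no longer requires a successful stop first, so it also
# works when nothing is running yet (e.g. right after installation).

NTPD=/usr/bin/ntpd
PIDFILE=/var/run/ntpd.pid
USER=ntp
GROUP=ntp
NTPD_OPTS="-g -u $USER:$GROUP -p $PIDFILE"

# Print the pid stored in $PIDFILE. Returns 1 (printing nothing) if the file
# cannot be read or does not hold a plain positive integer.
ntpd_pid() {
  pid=$(cat "$PIDFILE" 2>/dev/null) || return 1
  case $pid in
    ''|*[!0-9]*) return 1 ;;
  esac
  printf '%s\n' "$pid"
}

# Return 0 if process $1 exists and its command name is that of $NTPD.
ntpd_is_pid() {
  [ "$(ps -p "$1" -o comm= 2>/dev/null)" = "${NTPD##*/}" ]
}

# Start the daemon unless a pid file is already present.
# Returns 0 when ntpd is seen in the process table afterwards, 1 otherwise.
ntpd_start() {
  if [ -r "$PIDFILE" ]; then
    echo "ntpd seems to be already running under pid $(ntpd_pid || echo '<invalid>')."
    echo "Delete $PIDFILE if this is not the case."
    return 1
  fi
  printf 'Starting NTP daemon... '
  # $NTPD_OPTS is deliberately unquoted: it holds several arguments.
  $NTPD $NTPD_OPTS
  # The ntpd exit code is not reliable (see Bug #2420), so give it a moment
  # and check the process table instead.
  sleep 1
  if ps -Ao args | grep -q "^$NTPD $NTPD_OPTS"; then
    echo "OK!"
    return 0
  fi
  echo "FAILED!"
  [ -e "$PIDFILE" ] && rm -f -- "$PIDFILE"
  return 1
}

# Stop the daemon named by the pid file, waiting up to 15 seconds for it to
# exit. Refuses to signal a pid that is not a running ntpd.
# Returns 0 once ntpd is gone, 1 otherwise.
ntpd_stop() {
  if [ ! -r "$PIDFILE" ]; then
    echo "ntpd doesn't seem to be running, cannot read the pid file."
    return 1
  fi
  printf 'Stopping NTP daemon...'
  pid=$(ntpd_pid)
  if [ -z "$pid" ] || ! ntpd_is_pid "$pid"; then
    echo " FAILED! $PIDFILE does not name a running ntpd process"
    return 1
  fi
  if kill -TERM "$pid" 2>/dev/null; then
    # Give ntpd 15 seconds to exit
    i=0
    while [ "$i" -lt 15 ]; do
      if ! kill -0 "$pid" 2>/dev/null; then
        echo " OK!"
        rm -f -- "$PIDFILE"
        return 0
      fi
      printf '.'
      sleep 1
      i=$((i + 1))
    done
  fi
  echo " FAILED! ntpd is still running"
  return 1
}

# Report whether the pid in the pid file belongs to a live ntpd.
# A stale or unreadable pid file is reported as "not running".
ntpd_status() {
  pid=$(ntpd_pid)
  if [ -n "$pid" ] && ntpd_is_pid "$pid"; then
    echo "NTP daemon is running as $pid"
  else
    echo "NTP daemon is not running"
  fi
}

case "$1" in
  start)   ntpd_start ;;
  stop)    ntpd_stop ;;
  # stop may legitimately fail when nothing runs; start still refuses if a
  # pid file is present, so this cannot double-start the daemon
  restart) ntpd_stop; ntpd_start ;;
  status)  ntpd_status ;;
  *)       echo "Usage: $0 (start|stop|restart|status)" ;;
esac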
/etc/ntp.conf
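# /etc/ntp.conf for the rebuilt ntpd
# Access control: deny everything by default, then open only what is needed.
restrict default ignore                                    # drop every packet not matched below: no sync, no ntpq/ntpdc
restrict 127.0.0.1                                         # full access for the local host
restrict 192.168.1.0 mask 255.255.255.0 notrap nomodify    # LAN hosts may sync; add noquery if they do not need ntpq
# With "restrict default ignore" the upstream server has to be allowed
# explicitly (192.168.26.11 is outside the LAN range above); without this
# line its replies are dropped and the clock never synchronises.
restrict 192.168.26.11 nomodify notrap noquery
server 192.168.26.11 prefer                                # upstream time server; prefer marks it as the preferred source
server 127.127.1.0                                         # local clock, fallback only
fudge 127.127.1.0 stratum 10
driftfile /var/lib/ntp/drift                               # directory must exist and be writable by the ntp user
keys /etc/ntp/keys                                         # the key file may have gone with the old package; check it exists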
7.3启动服务
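chmod 755 /etc/init.d/ntpd
# Register with chkconfig first, as done for sshd in step 5.4. If this reports
# that ntpd "does not support chkconfig", the script is missing the
# "# chkconfig: - 58 74" and "# description:" header comments chkconfig parses.
chkconfig --add ntpd
chkconfig ntpd on
# Nothing is running after a fresh install, so "start" rather than "restart";
# then confirm it came up
service ntpd start
service ntpd status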