Upgrading OpenSSH on CentOS 7
0 Symptom
When installing a Kubernetes cluster with the Rancher Kubernetes Engine (RKE) tool, the following error appeared. Investigation showed that the cause was an outdated SSH server version on the target server 172.16.6.74:
$ rke up
INFO[0000] Running RKE version: v1.3.9
INFO[0000] Initiating Kubernetes cluster
INFO[0000] [dialer] Setup tunnel for host [172.16.6.74]
INFO[0000] [dialer] Setup tunnel for host [172.16.11.195]
WARN[0000] Failed to set up SSH tunneling for host [172.16.6.74]: Can't retrieve Docker Info: error during connect: Get "http://%2Fvar%2Frun%2Fdocker.sock/v1.24/info": Unable to access the Docker socket (/var/run/docker.sock). Please check if the configured user can execute `docker ps` on the node, and if the SSH server version is at least version 6.7 or higher. If you are using RedHat/CentOS, you can't use the user `root`. Please refer to the documentation for more instructions. Error: ssh: rejected: administratively prohibited (open failed)
WARN[0000] Removing host [172.16.6.74] from node lists
INFO[0000] Checking if container [cluster-state-deployer] is running on host [172.16.11.195], try #1
Check the SSH version on the target machine 172.16.6.74:
[root@test-74 ~]# ssh -V
OpenSSH_6.6.1p1, OpenSSL 1.0.1e-fips 11 Feb 2013
[root@test-74 ~]#
1 OS version
[root@test-74 ~]# cat /etc/redhat-release
CentOS Linux release 7.2.1511 (Core)
[root@test-74 ~]# uname -rm
3.10.0-327.el7.x86_64 x86_64
[root@test-74 ~]#
2 Install dependencies and development tools
[root@test-74 ~]# yum groupinstall "Development Tools"
已加载插件:fastestmirror
没有安装组信息文件
Maybe run: yum groups mark convert (see man yum)
Loading mirror speeds from cached hostfile
* base: mirrors.dgut.edu.cn
* epel: mirror.sjtu.edu.cn
* extras: mirrors.dgut.edu.cn
* updates: mirrors.dgut.edu.cn
正在解决依赖关系
--> 正在检查事务
---> 软件包 automake.noarch.0.1.13.4-3.el7 将被 安装
...
作为依赖被升级:
cpp.x86_64 0:4.8.5-44.el7 efibootmgr.x86_64 0:17-2.el7 efivar-libs.x86_64 0:36-12.el7 elfutils-devel.x86_64 0:0.176-5.el7
elfutils-libelf.x86_64 0:0.176-5.el7 elfutils-libelf-devel.x86_64 0:0.176-5.el7 elfutils-libs.x86_64 0:0.176-5.el7 gcc.x86_64 0:4.8.5-44.el7
gettext.x86_64 0:0.19.8.1-3.el7 gettext-libs.x86_64 0:0.19.8.1-3.el7 libgcc.x86_64 0:4.8.5-44.el7 libgomp.x86_64 0:4.8.5-44.el7
libstdc++.x86_64 0:4.8.5-44.el7
完毕!
[root@test-74 ~]# yum install zlib-devel openssl-devel
已加载插件:fastestmirror
Loading mirror speeds from cached hostfile
* base: mirrors.dgut.edu.cn
* epel: mirror.sjtu.edu.cn
* extras: mirrors.dgut.edu.cn
* updates: mirrors.dgut.edu.cn
正在解决依赖关系
--> 正在检查事务
---> 软件包 openssl-devel.x86_64.1.1.0.2k-16.el7_6.1 将被 升级
---> 软件包 openssl-devel.x86_64.1.1.0.2k-25.el7_9 将被 更新
...
更新完毕:
openssl-devel.x86_64 1:1.0.2k-25.el7_9 zlib-devel.x86_64 0:1.2.7-19.el7_9
作为依赖被升级:
openssl.x86_64 1:1.0.2k-25.el7_9 openssl-libs.x86_64 1:1.0.2k-25.el7_9 zlib.x86_64 0:1.2.7-19.el7_9
完毕!
[root@test-74 ~]#
3 Install PAM and SELinux Headers
[root@test-74 ~]# yum install pam-devel libselinux-devel
...
已安装:
pam-devel.x86_64 0:1.1.8-23.el7
更新完毕:
libselinux-devel.x86_64 0:2.5-15.el7
作为依赖被升级:
libselinux.x86_64 0:2.5-15.el7 libselinux-python.x86_64 0:2.5-15.el7 libselinux-utils.x86_64 0:2.5-15.el7 pam.x86_64 0:1.1.8-23.el7
完毕!
[root@test-74 ~]#
4 Download the OpenSSH version 8.0
[root@test-74 ~]# wget -c https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.0p1.tar.gz
--2022-04-15 11:31:51-- https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.0p1.tar.gz
正在解析主机 cdn.openbsd.org (cdn.openbsd.org)... 151.101.74.217, 2a04:4e42:1a::729
正在连接 cdn.openbsd.org (cdn.openbsd.org)|151.101.74.217|:443... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:1597697 (1.5M) [application/octet-stream]
正在保存至: “openssh-8.0p1.tar.gz”
100%[========================================================================================================================================>] 1,597,697 1.28MB/s 用时 1.2s
2022-04-15 11:31:55 (1.28 MB/s) - 已保存 “openssh-8.0p1.tar.gz” [1597697/1597697])
[root@test-74 ~]#
5 Compile and install SSH from sources
[root@test-74 ~]# tar -zxvf openssh-8.0p1.tar.gz
...
openssh-8.0p1/ssh_config.0
openssh-8.0p1/configure
openssh-8.0p1/config.h.in
[root@test-74 ~]# cd openssh-8.0p1
[root@test-74 openssh-8.0p1]# ./configure --with-md5-passwords --with-pam --with-selinux --with-privsep-path=/var/lib/sshd/ --sysconfdir=/etc/ssh
...
config.status: creating config.h
OpenSSH has been configured with the following options:
User binaries: /usr/local/bin
System binaries: /usr/local/sbin
Configuration files: /etc/ssh
Askpass program: /usr/local/libexec/ssh-askpass
Manual pages: /usr/local/share/man/manX
PID file: /var/run
Privilege separation chroot path: /var/lib/sshd/
sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
Manpage format: doc
PAM support: yes
OSF SIA support: no
KerberosV support: no
SELinux support: yes
MD5 password support: yes
libedit support: no
libldns support: no
Solaris process contract support: no
Solaris project support: no
Solaris privilege support: no
IP address in $DISPLAY hack: no
Translate v4 in v6 hack: yes
BSD Auth support: no
Random number source: OpenSSL internal ONLY
Privsep sandbox style: seccomp_filter
Host: x86_64-pc-linux-gnu
Compiler: cc
Compiler flags: -g -O2 -pipe -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE
Preprocessor flags: -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE
Linker flags: -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -pie
Libraries: -lcrypto -ldl -lutil -lz -lcrypt -lresolv
+for sshd: -lpam -lselinux
+for ssh: -lselinux
PAM is enabled. You may need to install a PAM control file
for sshd, otherwise password authentication may fail.
Example PAM control files can be found in the contrib/
subdirectory
[root@test-74 openssh-8.0p1]# make && make install
..
/usr/bin/mkdir -p /etc/ssh
/etc/ssh/ssh_config already exists, install will not overwrite
/etc/ssh/sshd_config already exists, install will not overwrite
/etc/ssh/moduli already exists, install will not overwrite
/usr/local/sbin/sshd -t -f /etc/ssh/sshd_config
/etc/ssh/sshd_config line 81: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 83: Unsupported option GSSAPICleanupCredentials
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_ecdsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_ed25519_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
[root@test-74 openssh-8.0p1]#
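The `make install` output above flags two things to resolve before restarting sshd: the existing host keys are mode 0640 (CentOS 7 typically keeps them group-readable, which this sshd refuses and ignores, leaving it with fewer or no usable host keys), and `sshd_config` still carries GSSAPI directives that this build cannot parse because it was configured without Kerberos (`KerberosV support: no` above). The POSIX shell script below is an added example, not part of the original post; it checks both conditions against a constructed sample tree (hypothetical paths) and tightens the key permissions.

```shell
#!/bin/sh
# Pre-flight checks for a source-built OpenSSH 8.0 on CentOS 7 (added example,
# not from the original page): 0640 host keys that the new sshd ignores, and
# GSSAPI* directives that a build without Kerberos rejects as "Unsupported option".

# Print private host keys under $1 that group/others can read.
# Returns 0 when all keys are owner-only, 1 when any key is too open.
too_open_hostkeys() {
    found=0
    for key in "$1"/ssh_host_*_key; do
        [ -f "$key" ] || continue
        mode=$(stat -c '%a' "$key")   # octal mode, e.g. 640
        case "$mode" in
            *00) ;;                   # 600/400/700: owner-only, accepted by sshd
            *)   echo "$key $mode"; found=1 ;;
        esac
    done
    return $found
}

# Print active (uncommented) GSSAPI* directives in the sshd_config given as $1.
# Returns 0 when none are present, 1 otherwise.
active_gssapi_directives() {
    grep -n -E '^[[:space:]]*GSSAPI' "$1" && return 1
    return 0
}

# Tighten host key permissions to what sshd requires; safe to re-run.
fix_hostkey_perms() {
    chmod 0600 "$1"/ssh_host_*_key
}

# Constructed sample tree (hypothetical paths, not a real host) mirroring the
# page's situation: two 0640 keys, one 0600 key, and two active GSSAPI lines.
make_sample() {
    d=$(mktemp -d)
    mkdir -p "$d/ssh"
    for k in ecdsa ed25519 rsa; do : > "$d/ssh/ssh_host_${k}_key"; done
    chmod 640 "$d/ssh/ssh_host_ecdsa_key" "$d/ssh/ssh_host_ed25519_key"
    chmod 600 "$d/ssh/ssh_host_rsa_key"
    printf '%s\n' 'PasswordAuthentication yes' '#GSSAPIAuthentication no' \
        'GSSAPIAuthentication yes' 'GSSAPICleanupCredentials no' > "$d/sshd_config"
    echo "$d"
}

# Demo run: report problems, apply the permission fix, clean up.
sample=$(make_sample)
too_open_hostkeys "$sample/ssh" || { fix_hostkey_perms "$sample/ssh"; echo "host key modes fixed"; }
active_gssapi_directives "$sample/sshd_config" || echo "comment these out, or rebuild with Kerberos support"
rm -rf "$sample"
```

On a real host point the functions at `/etc/ssh` and `/etc/ssh/sshd_config`, then re-run `/usr/local/sbin/sshd -t -f /etc/ssh/sshd_config` as the install step did, before restarting the service.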
6 Once you have installed OpenSSH, restart SSH and check the version of OpenSSH
[root@test-74 openssh-8.0p1]# ssh -V
OpenSSH_8.0p1, OpenSSL 1.0.2k-fips 26 Jan 2017
[root@test-74 openssh-8.0p1]#
7 References
https://www.ezeelogin.com/kb/article/how-to-upgrade-openssh-in-centos-331.html