散尽浮华 2023


Upgrading OpenSSH to the latest version 9.3 / Rocky CentOS Linux

August 5, 2023

1. Check the operating system and OpenSSH version:

[root@test-OpenSSH ~]# cat /etc/redhat-release
Rocky Linux release 8.8 (Green Obsidian)
[root@test-OpenSSH ~]# telnet localhost 22
Trying ::1...
Connected to localhost.
Escape character is '^]'.
SSH-2.0-OpenSSH_8.0
^]
telnet> quit
Connection closed.
[root@test-OpenSSH ~]#

2. Install the required dependency packages:

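2.1 Configure a local repository: Rocky_Linux_8.7

# Note: gpgcheck=0 disables RPM signature verification for packages installed from this media repo; the gpgkey line is only used when gpgcheck=1.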
echo "# Rocky-Media.repo
#
# You can use this repo to install items directly off the installation media.
# Verify your mount point matches one of the below file:// paths.

[media-baseos]
name=Rocky Linux \$releasever - Media - BaseOS
baseurl=file:///run/media/root/Rocky-8-7-x86_64-dvd/BaseOS
gpgcheck=0
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rockyofficial

[media-appstream]
name=Rocky Linux \$releasever - Media - AppStream
baseurl=file:///run/media/root/Rocky-8-7-x86_64-dvd/AppStream
gpgcheck=0
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-rockyofficial" > /etc/yum.repos.d/Rocky-Media.repo

2.2 Configure a local repository: CentOS 8.2

echo "# CentOS-Media.repo
#
#  This repo can be used with mounted DVD media, verify the mount point for
#  CentOS-8.  You can use this repo and yum to install items directly off the
#  DVD ISO that we release.
#
# To use this repo, put in your DVD and use it with the other repos too:
#  yum --enablerepo=c8-media [command]
#
# or for ONLY the media repo, do this:
#
#  yum --disablerepo=\* --enablerepo=c8-media [command]

[c8-media-BaseOS]
name=CentOS-BaseOS-\$releasever - Media
baseurl=file:///media/BaseOS
gpgcheck=0
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial

[c8-media-AppStream]
name=CentOS-AppStream-\$releasever - Media
baseurl=file:///media/AppStream
gpgcheck=0
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
" > /etc/yum.repos.d/CentOS-Media.repo

2.3 Install the dependency packages:

yum -y groupinstall "Development Tools"
yum -y install zlib-devel openssl-devel pam-devel libselinux-devel

3. Back up the configuration files:

mkdir /etc/ssh_old
mv /etc/ssh/* /etc/ssh_old/

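4. Download the source tarball (it can be downloaded in advance on an internet-connected machine and uploaded to the server), then compile and install: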

https://mirrors.aliyun.com/pub/OpenBSD/OpenSSH/portable/

wget "https://mirrors.aliyun.com/pub/OpenBSD/OpenSSH/portable/openssh-9.3p2.tar.gz?spm=a2c6h.25603864.0.0.686840adoiO9Tt" -O openssh-9.3p2.tar.gz
tar zxf openssh-9.3p2.tar.gz
cd openssh-9.3p2/
./configure --prefix=/usr/ --sysconfdir=/etc/ssh --with-pam --with-selinux
make && make install

ssh -V
/usr/sbin/sshd -t -f /etc/ssh/sshd_config
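
Before running ./configure, the tarball fetched from the mirror can be compared with the SHA256 published in the OpenSSH release notes, which list that digest base64-encoded rather than in the hex form sha256sum prints. The following is an added example, not part of the original post; the function names are hypothetical, and the digest to compare against must be taken from the release announcement.

```sh
#!/bin/sh
# Added example: compare a downloaded tarball against a published SHA256.
# The digest may be given as 64 hex characters or as 44-character base64.
# Usage: verify_tarball openssh-9.3p2.tar.gz '<SHA256 from the release notes>'

# Convert a base64 digest to lowercase hex using coreutils only.
b64_to_hex() {
    printf '%s' "$1" | base64 -d 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# Normalise a published digest to lowercase hex.
# Malformed input yields a string that is not 64 characters long.
normalise_digest() {
    case "$1" in
        *[!0-9A-Fa-f]*) b64_to_hex "$1" ;;                  # not pure hex: treat as base64
        *)              printf '%s' "$1" | tr 'A-F' 'a-f' ;; # hex: fold to lowercase
    esac
}

# verify_tarball FILE PUBLISHED_DIGEST
# returns 0 = match, 1 = mismatch, 2 = unreadable file or malformed digest
verify_tarball() {
    file=$1
    want=$(normalise_digest "$2")
    [ -r "$file" ] && [ "${#want}" -eq 64 ] || return 2
    have=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$have" = "$want" ]
}
```

A return value of 1 means the file on disk is not the release that was announced, and the build should stop there.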

5. Configure the sshd service:

rm -rf /etc/init.d/sshd
mv /usr/lib/systemd/system/sshd.service /etc/ssh_old/sshd.service
mv /usr/lib/systemd/system/sshd.socket /etc/ssh_old/sshd.socket

\cp -p contrib/redhat/sshd.init /etc/init.d/sshd
\cp -p contrib/redhat/sshd.pam /etc/pam.d/sshd.pam
chmod +x /etc/init.d/sshd
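# sshd.service was already moved to /etc/ssh_old above, so this mv reports "No such file or directory" and can be skipped
mv /usr/lib/systemd/system/sshd.service /usr/lib/systemd/system/sshd.service.bak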
chkconfig --add sshd
systemctl enable sshd.service

echo 'X11Forwarding yes' >> /etc/ssh/sshd_config
sed -i "s/#PermitRootLogin prohibit-password/PermitRootLogin yes/g" /etc/ssh/sshd_config
sed -i "s/#UsePAM no/UsePAM yes/g" /etc/ssh/sshd_config
service sshd restart
systemctl daemon-reload
systemctl list-unit-files --type=service | grep sshd

touch /etc/ssh/ssh_host_dsa_key.pub

systemctl restart sshd
systemctl status sshd
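
After the sshd_config edits above, the settings that sshd actually applies can be checked from the output of sshd -T. The following is an added example, not part of the original post; the function names and messages are hypothetical, and the sample input is constructed.

```sh
#!/bin/sh
# Added example: report effective sshd settings touched by the edits in step 5.
# Input: lines in the format printed by `sshd -T` (lowercase keyword, then value).
# Exit status: 0 = nothing to report, 1 = at least one finding.
audit_sshd_effective() {
    awk '
        { val[$1] = $2 }    # remember the value of each keyword
        END {
            n = 0
            if (val["permitrootlogin"] == "yes") {
                how = (val["passwordauthentication"] == "no") ? "key-only" : "password"
                printf "permitrootlogin=yes (%s root login reachable)\n", how
                n++
            }
            if (val["x11forwarding"] == "yes") {
                print "x11forwarding=yes"
                n++
            }
            if (val["usepam"] != "yes") {
                print "usepam is not yes; /etc/pam.d/sshd is ignored"
                n++
            }
            exit (n > 0)
        }'
}

# Constructed sample of `sshd -T` output after the edits in step 5.
sample_sshd_T() {
    printf '%s\n' 'port 22' 'permitrootlogin yes' 'x11forwarding yes' \
                  'usepam yes' 'passwordauthentication yes'
}
```

On the upgraded host, run it as root with `sshd -T | audit_sshd_effective`.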

6. Connect with telnet and verify the sshd service version:

telnet 127.0.0.1 22
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
SSH-2.0-OpenSSH_9.3
^]

telnet> quit
Connection closed.

6. Add a test port 1022 and configure the firewall [this step is optional]:

nohup /usr/sbin/sshd  -D -p 1022 &

firewall-cmd --zone=public --add-port=1022/tcp --permanent
firewall-cmd --reload

7. Troubleshooting other errors:

7.1 error: PAM: Authentication failure for root from

tail -f /var/log/messages
sshd[482236]: error: PAM: Authentication failure for root from

echo "
#%PAM-1.0
auth       required pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare
" >  /etc/pam.d/sshd

systemctl restart sshd

7.2 Enable the operating system firewall:

systemctl enable firewalld
systemctl start  firewalld
firewall-cmd --list-all

Last updated: August 5, 2023
