1. Introduction to OpenSSH

OpenSSH is an open-source implementation of the SSH (Secure Shell) protocol. The SSH protocol family is used for remote control and for transferring files between computers. OpenSSH provides both the server daemon and the client tools, which encrypt the data exchanged during remote control and file transfer, and so replaces the older services such as telnet, rcp, ftp, rlogin and rsh (these traditional tools send passwords in cleartext and are highly insecure).

2. Main features

1. Secure shell connections: OpenSSH communicates using the SSH protocol, which is built on the secure transport layer protocol (TLS) or Secure Sockets Layer (SSL) and protects data through encryption and authentication, providing secure remote login and management.

2. File transfer: OpenSSH supports the SCP (Secure Copy) and SFTP (Secure File Transfer Protocol) protocols for encrypted file transfer, keeping files secure while in transit.

3. Port forwarding: OpenSSH's port forwarding can forward network traffic from one port to another, which is useful for building secure communication channels, getting past firewall restrictions, or reaching a remote service from the local host.

3. Environment preparation

3.1. Check the current version

ssh -V
OpenSSH_8.7p1, OpenSSL 3.2.2 4 Jun 2024
openssl version
OpenSSL 3.2.2 4 Jun 2024 (Library: OpenSSL 3.2.2 4 Jun 2024)

3.2. Install dependencies

# debian
sudo apt install build-essential zlib1g-dev libssl-dev libpam0g-dev libselinux1-dev -y

# centos
yum install perl-IPC-Cmd perl-Data-Dumper gcc gcc-c++ perl perl-devel zlib-devel openssl-devel pam-devel

3.3. Install OpenSSH

Back up the existing ssh files (optional)

sudo cp -r /etc/ssh /etc/ssh.bak
cp -rf /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
cp -rf /etc/pam.d/sshd /etc/pam.d/sshd.bak
cp -rf /etc/init.d/ssh /etc/init.d/ssh.bak
# download the latest release tarball from the OpenSSH site
wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-10.2p1.tar.gz
# extract, configure, build and install
tar zxvf openssh-10.2p1.tar.gz
cd openssh-10.2p1
./configure
# output
OpenSSH has been configured with the following options:
                     User binaries: /usr/local/bin
                   System binaries: /usr/local/sbin
               Configuration files: /usr/local/etc
                   Askpass program: /usr/local/libexec/ssh-askpass
                      Manual pages: /usr/local/share/man/manX
                          PID file: /var/run
  Privilege separation chroot path: /var/empty
            sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
                    Manpage format: doc
                       PAM support: no
                   OSF SIA support: no
                 KerberosV support: no
                   SELinux support: no
                   libedit support: no
                   libldns support: no
  Solaris process contract support: no
           Solaris project support: no
         Solaris privilege support: no
       IP address in $DISPLAY hack: no
           Translate v4 in v6 hack: yes
                  BSD Auth support: no
              Random number source: OpenSSL internal ONLY
             Privsep sandbox style: seccomp_filter
                   PKCS#11 support: yes
                  U2F/FIDO support: yes

              Host: x86_64-pc-linux-gnu
          Compiler: cc
    Compiler flags: -g -O2 -pipe -Wno-error=format-truncation -Wall -Wextra -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-parameter -Wno-unused-result -Wimplicit-fallthrough -Wmisleading-indentation -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fzero-call-used-regs=used -fno-builtin-memset -fstack-protector-strong -fPIE  
Preprocessor flags:  -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -D_GNU_SOURCE -DOPENSSL_API_COMPAT=0x10100000L
      Linker flags:  -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -pie 
         Libraries: 
     +for channels: -lcrypto  -lz
         +for sshd: -lcrypt 

make && make install

3.4. Required configuration

# edit sshd_config (the /usr/local/etc copy that the service file below points at) and allow root login
PermitRootLogin yes
# view the service file
cat /usr/lib/systemd/system/sshd.service
[Unit]
Description=OpenSSH server daemon (compiled)
After=network.target

[Service]
Type=exec
ExecStart=/usr/local/sbin/sshd -D -f /usr/local/etc/sshd_config
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartSec=42s

[Install]
WantedBy=multi-user.target

3.5. Restart and verify

ssh -V
systemctl daemon-reload
systemctl restart sshd
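A post-upgrade check added here as an example (not part of the original post) for the verification in step 3.5: it confirms that the ssh client found in PATH and the sshd that systemd restarted are the freshly built /usr/local binaries, that the new config parses, and that the reported version is at least the one built. It assumes the default ./configure prefix shown above (/usr/local/sbin, /usr/local/etc) and the service name sshd.

```shell
#!/bin/sh
# Added post-upgrade check, not part of the original post. Paths assume the
# default ./configure prefix shown above (/usr/local/sbin, /usr/local/etc).

EXPECTED_VERSION="10.2p1"            # the tarball version built above
NEW_SSHD="/usr/local/sbin/sshd"
NEW_CONFIG="/usr/local/etc/sshd_config"

# Extract "8.7p1" from a banner such as "OpenSSH_8.7p1, OpenSSL 3.2.2 4 Jun 2024".
banner_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*p[0-9][0-9]*\).*/\1/p'
}

# Return 0 when version $1 >= version $2 (MAJOR.MINORpPATCH), compared numerically
# field by field, so 10.2p1 > 9.9p1 even though it sorts lower as a string.
version_ge() {
    a_major=${1%%.*}; a_rest=${1#*.}; a_minor=${a_rest%%p*}; a_patch=${a_rest#*p}
    b_major=${2%%.*}; b_rest=${2#*.}; b_minor=${b_rest%%p*}; b_patch=${b_rest#*p}
    if [ "$a_major" -ne "$b_major" ]; then [ "$a_major" -gt "$b_major" ]; return $?; fi
    if [ "$a_minor" -ne "$b_minor" ]; then [ "$a_minor" -gt "$b_minor" ]; return $?; fi
    [ "$a_patch" -ge "$b_patch" ]
}

# The "ssh -V" in step 3.5 only shows the new build if /usr/local/bin precedes
# /usr/bin in PATH; check which client actually resolves and its version.
check_client() {
    client=$(command -v ssh) || { echo "no ssh in PATH" >&2; return 1; }
    [ "$client" = "/usr/local/bin/ssh" ] ||
        { echo "PATH resolves ssh to $client, not /usr/local/bin/ssh" >&2; return 1; }
    ver=$(banner_version "$(ssh -V 2>&1)")
    version_ge "$ver" "$EXPECTED_VERSION" ||
        { echo "client is $ver, expected >= $EXPECTED_VERSION" >&2; return 1; }
}

# The daemon systemd restarted must be the new binary, and its config must parse.
check_daemon() {
    pid=$(systemctl show -p MainPID --value sshd) || return 1
    [ "$pid" -gt 0 ] 2>/dev/null || { echo "sshd is not running" >&2; return 1; }
    exe=$(readlink -f "/proc/$pid/exe")
    [ "$exe" = "$NEW_SSHD" ] || { echo "running sshd is $exe, not $NEW_SSHD" >&2; return 1; }
    "$NEW_SSHD" -t -f "$NEW_CONFIG" || { echo "$NEW_CONFIG does not parse" >&2; return 1; }
}

# Run the live checks only when invoked as: sh check-sshd.sh --live
if [ "${1:-}" = "--live" ]; then
    check_client && check_daemon && echo "OK: sshd $EXPECTED_VERSION is installed and running"
fi
```

Run it as root after the restart in step 3.5; a non-zero exit with the printed reason means the old distro binaries are still the ones in use.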