{"id":2999,"date":"2025-11-25T21:40:27","date_gmt":"2025-11-25T13:40:27","guid":{"rendered":"https:\/\/linuxjk.cn\/?p=2999"},"modified":"2025-11-25T21:44:14","modified_gmt":"2025-11-25T13:44:14","slug":"openssh%e5%b9%b3%e6%bb%91%e5%8d%87%e7%ba%a7","status":"publish","type":"post","link":"https:\/\/linuxjk.cn\/?p=2999","title":{"rendered":"openssh\u5e73\u6ed1\u5347\u7ea7"},"content":{"rendered":"\n<p>\u597d\u7684\uff0c\u6839\u636e\u4f60\u7684\u7cfb\u7edf\u662f <strong>Anolis OS 8.10<\/strong>\uff08\u57fa\u4e8e RHEL\/CentOS\uff09\uff0c\u6211\u6765\u63d0\u4f9b\u4e00\u4e2a\u66f4\u9002\u914d\u7684\u5b8c\u5584\u65b9\u6848\u3002<\/p>\n\n\n\n<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_82_2 counter-hierarchy ez-toc-counter ez-toc-grey ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\">\n<p class=\"ez-toc-title\" style=\"cursor:inherit\">\u76ee\u5f55<\/p>\n<span class=\"ez-toc-title-toggle\"><a href=\"#\" class=\"ez-toc-pull-right ez-toc-btn ez-toc-btn-xs ez-toc-btn-default ez-toc-toggle\" aria-label=\"Toggle Table of Content\"><span class=\"ez-toc-js-icon-con\"><span class=\"\"><span class=\"eztoc-hide\" style=\"display:none;\">Toggle<\/span><span class=\"ez-toc-icon-toggle-span\"><svg style=\"fill: #999;color:#999\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" class=\"list-377408\" width=\"20px\" height=\"20px\" viewBox=\"0 0 24 24\" fill=\"none\"><path d=\"M6 6H4v2h2V6zm14 0H8v2h12V6zM4 11h2v2H4v-2zm16 0H8v2h12v-2zM4 16h2v2H4v-2zm16 0H8v2h12v-2z\" fill=\"currentColor\"><\/path><\/svg><svg style=\"fill: #999;color:#999\" class=\"arrow-unsorted-368013\" xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"10px\" height=\"10px\" viewBox=\"0 0 24 24\" version=\"1.2\" baseProfile=\"tiny\"><path d=\"M18.2 9.3l-6.2-6.3-6.2 6.3c-.2.2-.3.4-.3.7s.1.5.3.7c.2.2.4.3.7.3h11c.3 0 .5-.1.7-.3.2-.2.3-.5.3-.7s-.1-.5-.3-.7zM5.8 14.7l6.2 6.3 6.2-6.3c.2-.2.3-.5.3-.7s-.1-.5-.3-.7c-.2-.2-.4-.3-.7-.3h-11c-.3 
0-.5.1-.7.3-.2.2-.3.5-.3.7s.1.5.3.7z\"\/><\/svg><\/span><\/span><\/span><\/a><\/span><\/div>\n<nav><ul class='ez-toc-list ez-toc-list-level-1 ' ><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/linuxjk.cn\/?p=2999\/#%E5%BD%93%E5%89%8D%E7%8E%AF%E5%A2%83%E5%88%86%E6%9E%90\" >\u5f53\u524d\u73af\u5883\u5206\u6790<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/linuxjk.cn\/?p=2999\/#%E5%AE%8C%E5%96%84%E7%9A%84%E5%8D%87%E7%BA%A7%E6%96%B9%E6%A1%88\" >\u5b8c\u5584\u7684\u5347\u7ea7\u65b9\u6848<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/linuxjk.cn\/?p=2999\/#1_%E5%87%86%E5%A4%87%E5%B7%A5%E4%BD%9C\" >1. \u51c6\u5907\u5de5\u4f5c<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/linuxjk.cn\/?p=2999\/#2_%E5%AE%89%E8%A3%85%E7%BC%96%E8%AF%91%E4%BE%9D%E8%B5%96\" >2. \u5b89\u88c5\u7f16\u8bd1\u4f9d\u8d56<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"https:\/\/linuxjk.cn\/?p=2999\/#3_%E4%B8%8B%E8%BD%BD%E6%BA%90%E7%A0%81\" >3. \u4e0b\u8f7d\u6e90\u7801<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-6\" href=\"https:\/\/linuxjk.cn\/?p=2999\/#4_%E9%85%8D%E7%BD%AE%E5%92%8C%E7%BC%96%E8%AF%91\" >4. \u914d\u7f6e\u548c\u7f16\u8bd1<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-7\" href=\"https:\/\/linuxjk.cn\/?p=2999\/#5_%E5%8F%8C%E7%AB%AF%E5%8F%A3%E5%AE%89%E8%A3%85%E6%B5%8B%E8%AF%95\" >5. \u53cc\u7aef\u53e3\u5b89\u88c5\u6d4b\u8bd5<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-8\" href=\"https:\/\/linuxjk.cn\/?p=2999\/#6_%E6%B5%8B%E8%AF%95%E6%96%B0%E6%9C%8D%E5%8A%A1\" >6. 
\u6d4b\u8bd5\u65b0\u670d\u52a1<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-9\" href=\"https:\/\/linuxjk.cn\/?p=2999\/#7_%E6%AD%A3%E5%BC%8F%E6%9B%BF%E6%8D%A2\" >7. \u6b63\u5f0f\u66ff\u6362<\/a><ul class='ez-toc-list-level-4' ><li class='ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-10\" href=\"https:\/\/linuxjk.cn\/?p=2999\/#%E7%AC%AC1%E6%AD%A5%EF%BC%9A%E4%BF%9D%E6%8C%81%E6%96%B0SSH%E6%9C%8D%E5%8A%A1%E8%BF%90%E8%A1%8C%EF%BC%8C%E9%AA%8C%E8%AF%81%E5%8A%9F%E8%83%BD\" >\u7b2c1\u6b65\uff1a\u4fdd\u6301\u65b0SSH\u670d\u52a1\u8fd0\u884c\uff0c\u9a8c\u8bc1\u529f\u80fd<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-11\" href=\"https:\/\/linuxjk.cn\/?p=2999\/#%E7%AC%AC2%E6%AD%A5%EF%BC%9A%E5%A4%87%E4%BB%BD%E5%8E%9F%E6%9C%89%E6%96%87%E4%BB%B6\" >\u7b2c2\u6b65\uff1a\u5907\u4efd\u539f\u6709\u6587\u4ef6<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-12\" href=\"https:\/\/linuxjk.cn\/?p=2999\/#%E7%AC%AC3%E6%AD%A5%EF%BC%9A%E6%9B%BF%E6%8D%A2%E4%BA%8C%E8%BF%9B%E5%88%B6%E6%96%87%E4%BB%B6%EF%BC%88%E4%BF%9D%E6%8C%81%E6%9C%8D%E5%8A%A1%E8%BF%90%E8%A1%8C%EF%BC%89\" >\u7b2c3\u6b65\uff1a\u66ff\u6362\u4e8c\u8fdb\u5236\u6587\u4ef6\uff08\u4fdd\u6301\u670d\u52a1\u8fd0\u884c\uff09<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-13\" href=\"https:\/\/linuxjk.cn\/?p=2999\/#%E7%AC%AC7%E6%AD%A5%EF%BC%9A%E9%AA%8C%E8%AF%81%E6%9B%BF%E6%8D%A2%E7%BB%93%E6%9E%9C\" >\u7b2c7\u6b65\uff1a\u9a8c\u8bc1\u66ff\u6362\u7ed3\u679c<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-14\" href=\"https:\/\/linuxjk.cn\/?p=2999\/#%E7%AC%AC8%E6%AD%A5%EF%BC%9A%E6%B8%85%E7%90%86%E5%92%8C%E6%9C%80%E7%BB%88%E9%AA%8C%E8%AF%81\" >\u7b2c8\u6b65\uff1a\u6e05\u7406\u548c\u6700\u7ec8\u9a8c\u8bc1<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a 
class=\"ez-toc-link ez-toc-heading-15\" href=\"https:\/\/linuxjk.cn\/?p=2999\/#8_%E5%9B%9E%E6%BB%9A%E6%96%B9%E6%A1%88\" >8. \u56de\u6eda\u65b9\u6848<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-16\" href=\"https:\/\/linuxjk.cn\/?p=2999\/#%E6%B3%A8%E6%84%8F%E4%BA%8B%E9%A1%B9\" >\u6ce8\u610f\u4e8b\u9879<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-17\" href=\"https:\/\/linuxjk.cn\/?p=2999\/#%E8%87%AA%E5%8A%A8%E5%8C%96%E8%84%9A%E6%9C%AC\" >\u81ea\u52a8\u5316\u811a\u672c<\/a><\/li><\/ul><\/li><\/ul><\/nav><\/div>\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%E5%BD%93%E5%89%8D%E7%8E%AF%E5%A2%83%E5%88%86%E6%9E%90\"><\/span>\u5f53\u524d\u73af\u5883\u5206\u6790<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u7cfb\u7edf: Anolis OS 8.10 (RHEL-like)<\/li>\n\n\n\n<li>\u9700\u4e0b\u8f7d:\n<ul class=\"wp-block-list\">\n<li>https:\/\/mirrors.aliyun.com\/pub\/OpenBSD\/OpenSSH\/portable\/openssh-10.2p1.tar.gz<br>https:\/\/mirrors.aliyun.com\/pub\/OpenBSD\/OpenSSH\/portable\/openssh-10.2p1.tar.gz.asc<br>（.asc 是该源码包的分离签名；后文的下载步骤只获取了 tar.gz，解压编译前应同时下载 .asc，并导入 OpenSSH 官方发布公钥后用 gpg --verify 校验源码包。）<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>\u9700\u8981\u4fee\u590d: CVE-2019-16905<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%E5%AE%8C%E5%96%84%E7%9A%84%E5%8D%87%E7%BA%A7%E6%96%B9%E6%A1%88\"><\/span>\u5b8c\u5584\u7684\u5347\u7ea7\u65b9\u6848<span class=\"ez-toc-section-end\"><\/span><\/h2>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"1_%E5%87%86%E5%A4%87%E5%B7%A5%E4%BD%9C\"><\/span>1. 
\u51c6\u5907\u5de5\u4f5c<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># \u9996\u5148\u68c0\u67e5\u5f53\u524dSSH\u7248\u672c\u548c\u914d\u7f6e<br>ssh -V<br>systemctl status sshd<br>ss -tlnp | grep :22<br>\u200b<br># \u521b\u5efa\u5de5\u4f5c\u76ee\u5f55\u548c\u5907\u4efd<br>mkdir -p \/data\/backup\/ssh-upgrade-$(date +%Y%m%d-%H%M)<br>BACKUP_DIR=\"\/data\/backup\/ssh-upgrade-$(date +%Y%m%d-%H%M)\"<br>\u200b<br># \u5907\u4efd\u5173\u952e\u914d\u7f6e<br>cp -r \/etc\/ssh\/ $BACKUP_DIR\/<br>cp \/etc\/passwd $BACKUP_DIR\/<br>cp \/etc\/shadow $BACKUP_DIR\/<br>cp \/etc\/group $BACKUP_DIR\/<br>systemctl list-unit-files | grep ssh &gt; $BACKUP_DIR\/ssh-services.txt<br>\u200b<br># \u8bb0\u5f55\u5f53\u524dSSH\u4e3b\u673a\u5bc6\u94a5\u72b6\u6001\uff08\u7528\u4e8e\u540e\u7eed\u5bf9\u6bd4\uff09<br>ls -la \/etc\/ssh\/ssh_host_*_key* &gt; $BACKUP_DIR\/original-key-permissions.txt<br>echo \"\u5f53\u524dSSH\u4e3b\u673a\u5bc6\u94a5\u6743\u9650\u5df2\u8bb0\u5f55\u5230\u5907\u4efd\u76ee\u5f55\"<br>\u200b<br># \u68c0\u67e5\u5e76\u4fee\u590dSSH\u4e3b\u673a\u5bc6\u94a5\u6743\u9650<br>echo \"\u68c0\u67e5\u5e76\u4fee\u590dSSH\u4e3b\u673a\u5bc6\u94a5\u6743\u9650...\"<br>for key in \/etc\/ssh\/ssh_host_*_key; do<br> &nbsp; &nbsp;if [ -f \"$key\" ]; then<br> &nbsp; &nbsp; &nbsp; &nbsp;chmod 600 \"$key\"<br> &nbsp; &nbsp; &nbsp; &nbsp;echo \"\u4fee\u590d $key \u6743\u9650\u4e3a 600\"<br> &nbsp; &nbsp;fi<br>done<br>\u200b<br>for key in \/etc\/ssh\/ssh_host_*_key.pub; do<br> &nbsp; &nbsp;if [ -f \"$key\" ]; then<br> &nbsp; &nbsp; &nbsp; &nbsp;chmod 644 \"$key\"<br> &nbsp; &nbsp; &nbsp; &nbsp;echo \"\u4fee\u590d $key \u6743\u9650\u4e3a 644\"<br> &nbsp; &nbsp;fi<br>done<br>\u200b<br># \u9a8c\u8bc1\u6743\u9650<br>echo \"\u5f53\u524dSSH\u4e3b\u673a\u5bc6\u94a5\u6743\u9650\uff1a\"<br>ls -la \/etc\/ssh\/ssh_host_*_key* | head -10<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" 
id=\"2_%E5%AE%89%E8%A3%85%E7%BC%96%E8%AF%91%E4%BE%9D%E8%B5%96\"><\/span>2. \u5b89\u88c5\u7f16\u8bd1\u4f9d\u8d56<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># Anolis OS 8.10 \u4f7f\u7528 dnf\/yum \u5b89\u88c5\u4f9d\u8d56<br>dnf update -y<br>dnf groupinstall -y \"Development Tools\"<br>dnf install -y \\<br> &nbsp; &nbsp;gcc \\<br> &nbsp; &nbsp;make \\<br> &nbsp;  openssl-devel \\<br> &nbsp;  zlib-devel \\<br> &nbsp;  pam-devel \\<br> &nbsp;  rpm-build \\<br> &nbsp; &nbsp;wget \\<br> &nbsp;  tar \\<br> &nbsp;  systemd-devel \\<br> &nbsp;  krb5-devel<br>\u200b<br># \u9a8c\u8bc1\u4f9d\u8d56\u5b89\u88c5<br>rpm -qa | grep -E \"(gcc|openssl-devel|zlib-devel|pam-devel)\"<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"3_%E4%B8%8B%E8%BD%BD%E6%BA%90%E7%A0%81\"><\/span>3. \u4e0b\u8f7d\u6e90\u7801<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">cd \/tmp<br>#\u4e0b\u8f7d\u65b0\u7248\u672c\u8f6f\u4ef6\u5305<br>wget  https:\/\/mirrors.aliyun.com\/pub\/OpenBSD\/OpenSSH\/portable\/openssh-10.2p1.tar.gz<br>\u200b<br># \u89e3\u538b\u6e90\u7801<br>tar -xzf openssh-10.2p1.tar.gz<br>cd openssh-10.2p1<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"4_%E9%85%8D%E7%BD%AE%E5%92%8C%E7%BC%96%E8%AF%91\"><\/span>4. 
\u914d\u7f6e\u548c\u7f16\u8bd1<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># \u67e5\u770b\u5f53\u524dSSH\u5b89\u88c5\u8def\u5f84<br>rpm -ql openssh-server | head -10<br>make clean<br>\u200b<br># \u914d\u7f6e\u7f16\u8bd1\u9009\u9879\uff08\u9002\u914dAnolis OS\uff09<br>.\/configure \\<br> &nbsp; &nbsp;--prefix=\/usr \\<br> &nbsp; &nbsp;--sysconfdir=\/etc\/ssh \\<br> &nbsp; &nbsp;--libexecdir=\/usr\/libexec\/openssh \\<br> &nbsp; &nbsp;--datadir=\/usr\/share\/openssh \\<br> &nbsp; &nbsp;--with-xauth=\/usr\/bin\/xauth \\<br> &nbsp; &nbsp;--with-default-path=\/usr\/local\/bin:\/bin:\/usr\/bin \\<br> &nbsp; &nbsp;--with-superuser-path=\/usr\/local\/sbin:\/usr\/local\/bin:\/sbin:\/bin:\/usr\/sbin:\/usr\/bin \\<br> &nbsp; &nbsp;--with-privsep-path=\/var\/empty\/sshd \\<br> &nbsp; &nbsp;--with-pid-dir=\/var\/run \\<br> &nbsp; &nbsp;--with-pam \\<br> &nbsp; &nbsp;--disable-strip \\<br> &nbsp; &nbsp;--without-zlib-version-check \\<br> &nbsp; &nbsp;--with-ssl-engine \\<br> &nbsp; &nbsp;--with-ipaddr-display \\<br> &nbsp; &nbsp;--with-kerberos5=\/usr \\<br> &nbsp; &nbsp;--with-gssapi<br>\u200b<br># \u7f16\u8bd1\uff08\u4f7f\u7528\u591a\u6838\u52a0\u901f\uff09<br>echo \"\u5f00\u59cb\u7f16\u8bd1...\"<br>make -j$(nproc)<br>\u200b<br># \u9a8c\u8bc1\u7f16\u8bd1\u6210\u529f<br>if [ $? -eq 0 ]; then<br> &nbsp; &nbsp;echo \"\u2705 \u7f16\u8bd1\u5b8c\u6210\uff0c\u68c0\u67e5\u4e3b\u8981\u6587\u4ef6\uff1a\"<br> &nbsp; &nbsp;ls -la ssh sshd ssh-keygen scp sftp<br>else<br> &nbsp; &nbsp;echo \"\u274c \u7f16\u8bd1\u5931\u8d25\"<br> &nbsp; &nbsp;exit 1<br>fi<br>\u200b<br># \u5b89\u88c5\u5230\u6d4b\u8bd5\u76ee\u5f55<br>make install DESTDIR=\/usr\/local\/openssh-new<br>echo \"\u2705 \u5b89\u88c5\u5230\u6d4b\u8bd5\u76ee\u5f55\u5b8c\u6210\"<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"5_%E5%8F%8C%E7%AB%AF%E5%8F%A3%E5%AE%89%E8%A3%85%E6%B5%8B%E8%AF%95\"><\/span>5. 
\u53cc\u7aef\u53e3\u5b89\u88c5\u6d4b\u8bd5<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># \u521b\u5efa\u4e34\u65f6\u5b89\u88c5\u76ee\u5f55<br>#mkdir -p \/usr\/local\/openssh-new\/usr\/{bin,sbin,libexec\/openssh,share\/man\/{man1,man5,man8}}<br>#mkdir -p \/usr\/local\/openssh-new\/etc\/ssh<br>\u200b<br># \u590d\u5236\u7f16\u8bd1\u597d\u7684\u6587\u4ef6\u5230\u4e34\u65f6\u76ee\u5f55<br># \u590d\u5236\u4e3b\u8981\u7a0b\u5e8f\u5230 usr\/bin<br>#cp ssh ssh-keygen scp sftp ssh-add ssh-agent ssh-keyscan \/usr\/local\/openssh-new\/usr\/bin\/<br>\u200b<br># \u590d\u5236sshd\u5230 usr\/sbin &nbsp;<br>#cp sshd \/usr\/local\/openssh-new\/usr\/sbin\/<br>\u200b<br># \u590d\u5236libexec\u6587\u4ef6\u5230\u6b63\u786e\u4f4d\u7f6e<br>#cp sftp-server ssh-keysign sshd-auth sshd-session ssh-pkcs11-helper ssh-sk-helper \/usr\/local\/openssh-new\/usr\/libexec\/openssh\/<br>\u200b<br>#\u8bbe\u7f6e\u6b63\u786e\u6743\u9650<br>chown root:ssh_keys \/usr\/local\/openssh-new\/usr\/libexec\/openssh\/ssh-keysign<br>chmod 2755 \/usr\/local\/openssh-new\/usr\/libexec\/openssh\/ssh-keysign<br># \u590d\u5236\u5f53\u524d\u914d\u7f6e\u6587\u4ef6<br>cp -r \/etc\/ssh\/* \/usr\/local\/openssh-new\/etc\/ssh<br>\u200b<br># \u4fee\u6539\u6d4b\u8bd5\u914d\u7f6e\uff08\u4f7f\u75282222\u7aef\u53e3\uff09<br>sed -i 's\/^Port [0-9]*\/Port 2222\/' \/usr\/local\/openssh-new\/etc\/ssh\/sshd_config<br>sed -i 's\/^#Port [0-9]*\/Port 2222\/' \/usr\/local\/openssh-new\/etc\/ssh\/sshd_config<br>\u200b<br># \u6dfb\u52a0\u8c03\u8bd5\u4fe1\u606f<br>echo \"LogLevel INFO\" &gt;&gt; \/usr\/local\/openssh-new\/etc\/ssh\/sshd_config<br>echo \"PidFile \/var\/run\/sshd-new.pid\" &gt;&gt; \/usr\/local\/openssh-new\/etc\/ssh\/sshd_config<br>#\u9632\u6b6210.2\u7248\u672c\u4e0d\u517c\u5bb9\u95ee\u9898<br>mv  \/etc\/crypto-policies\/back-ends\/openssh.config \/etc\/crypto-policies\/back-ends\/openssh.config.disable<br># 
\u4e34\u65f6\u4fee\u6539\u670d\u52a1\u542f\u52a8\u547d\u4ee4\uff0c\u79fb\u9664CRYPTO_POLICY<br>cp \/usr\/lib\/systemd\/system\/sshd.service \/usr\/lib\/systemd\/system\/sshd.service.backup<br># \u4fee\u6539\u542f\u52a8\u547d\u4ee4<br>sed -i 's\/ExecStart=\\\/usr\\\/sbin\\\/sshd -D \\$OPTIONS \\$CRYPTO_POLICY\/ExecStart=\\\/usr\\\/sbin\\\/sshd -D\/' \/usr\/lib\/systemd\/system\/sshd.service<br>\u200b<br># \u91cd\u65b0\u52a0\u8f7dsystemd\u914d\u7f6e<br>systemctl daemon-reload<br>\u200b<br>#openssh9.x\u7248\u672c\u5f15\u5165\u7684\u65b0\u7ec4\u4ef6sshd-session\u548csshd-auth<br>echo \"=== \u68c0\u67e5\u7cfb\u7edf\u539f\u6709\u7ec4\u4ef6 ===\"<br>if [ -f \"\/usr\/libexec\/openssh\/sshd-session\" ] &amp;&amp; [ ! -L \"\/usr\/libexec\/openssh\/sshd-session\" ]; then<br> &nbsp; &nbsp;echo \"\u26a0\ufe0f  \u7cfb\u7edf\u5df2\u6709 sshd-session\uff0c\u4e0d\u5efa\u8bae\u76f4\u63a5\u8986\u76d6\"<br> &nbsp; &nbsp;echo \"\u539f\u6587\u4ef6\u4fe1\u606f\uff1a\"<br> &nbsp; &nbsp;ls -la \/usr\/libexec\/openssh\/sshd-session<br> &nbsp; &nbsp;<br> &nbsp; &nbsp;echo \"=== \u5efa\u8bae\uff1a\u5907\u4efd\u540e\u66ff\u6362 ===\"<br> &nbsp; &nbsp;echo \"mv \/usr\/libexec\/openssh\/sshd-session \/usr\/libexec\/openssh\/sshd-session.backup\"<br> &nbsp; &nbsp;echo \"mv \/usr\/libexec\/openssh\/sshd-auth \/usr\/libexec\/openssh\/sshd-auth.backup\"<br>else<br> &nbsp; &nbsp;echo \"\u2705 \u7cfb\u7edf\u65e0\u51b2\u7a81\u6587\u4ef6\uff0c\u7b26\u53f7\u94fe\u63a5\u5b89\u5168\"<br>fi<br># \u6267\u884c\u7b26\u53f7\u94fe\u63a5<br>ln -sf \/usr\/local\/openssh-new\/usr\/libexec\/openssh\/sshd-session \/usr\/libexec\/openssh\/sshd-session<br>ln -sf \/usr\/local\/openssh-new\/usr\/libexec\/openssh\/sshd-auth \/usr\/libexec\/openssh\/sshd-auth<br>\u200b<br>\u200b<br># \u9a8c\u8bc1\u914d\u7f6e\u6587\u4ef6\u8bed\u6cd5<br>echo \"\u9a8c\u8bc1\u914d\u7f6e\u6587\u4ef6\u8bed\u6cd5...\"<br>\/usr\/local\/openssh-new\/usr\/sbin\/sshd -t -f \/usr\/local\/openssh-new\/etc\/ssh\/sshd_config<br>\u200b<br>if [ $? 
-eq 0 ]; then<br> &nbsp; &nbsp;echo \"\u2705 \u914d\u7f6e\u6587\u4ef6\u8bed\u6cd5\u6b63\u786e\"<br>else<br> &nbsp; &nbsp;echo \"\u274c \u914d\u7f6e\u6587\u4ef6\u8bed\u6cd5\u9519\u8bef\uff0c\u9700\u8981\u624b\u52a8\u68c0\u67e5\"<br> &nbsp; &nbsp;echo \"\u53ef\u80fd\u7684\u95ee\u9898\uff1a\"<br> &nbsp; &nbsp;echo \"1. SSH\u4e3b\u673a\u5bc6\u94a5\u6743\u9650\u95ee\u9898\"<br> &nbsp; &nbsp;echo \"2. \u914d\u7f6e\u9009\u9879\u4e0d\u517c\u5bb9\"<br> &nbsp; &nbsp;echo \"\"<br> &nbsp; &nbsp;echo \"\u68c0\u67e5SSH\u4e3b\u673a\u5bc6\u94a5\u6743\u9650\uff1a\"<br> &nbsp; &nbsp;ls -la \/etc\/ssh\/ssh_host_*_key<br> &nbsp; &nbsp;echo \"\"<br> &nbsp; &nbsp;echo \"\u5982\u679c\u6743\u9650\u4e0d\u662f600\uff0c\u8bf7\u8fd0\u884c\uff1a\"<br> &nbsp; &nbsp;echo \"chmod 600 \/etc\/ssh\/ssh_host_*_key\"<br> &nbsp; &nbsp;echo \"chmod 600 \/usr\/local\/openssh-new\/etc\/ssh\/ssh_host_*_key\"<br> &nbsp; &nbsp;exit 1<br>fi<br>\u200b<br>\u200b<br># \u542f\u52a8\u6d4b\u8bd5SSH\u670d\u52a1<br>\/usr\/local\/openssh-new\/usr\/sbin\/sshd -f \/usr\/local\/openssh-new\/etc\/ssh\/sshd_config -D &amp;<br>TEST_SSHD_PID=$!<br>\u200b<br># \u68c0\u67e5\u6d4b\u8bd5\u670d\u52a1\u72b6\u6001<br>sleep 2<br>ss -tlnp | grep :2222<br>if [ $? -eq 0 ]; then<br> &nbsp; &nbsp;echo \"\u2705 \u6d4b\u8bd5SSH\u670d\u52a1\u542f\u52a8\u6210\u529f\uff0c\u7aef\u53e32222\"<br>else<br> &nbsp; &nbsp;echo \"\u274c \u6d4b\u8bd5SSH\u670d\u52a1\u542f\u52a8\u5931\u8d25\"<br> &nbsp; &nbsp;kill $TEST_SSHD_PID 2&gt;\/dev\/null<br> &nbsp; &nbsp;exit 1<br>fi<br>\u200b<br># \u68c0\u67e5\u7248\u672c<br>\/usr\/local\/openssh-new\/usr\/sbin\/sshd -V<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"6_%E6%B5%8B%E8%AF%95%E6%96%B0%E6%9C%8D%E5%8A%A1\"><\/span>6. 
\u6d4b\u8bd5\u65b0\u670d\u52a1<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\"># \u6d4b\u8bd5\u672c\u5730\u8fde\u63a5<br>ssh -F \/dev\/null -p 2222 &nbsp;-o StrictHostKeyChecking=no root@127.0.0.1<br>#\u6d4b\u8bd5\u8fdc\u7a0b\u8fde\u63a5\uff08linux\uff09<br>sh -F \/dev\/null -p 2222 &nbsp;-o StrictHostKeyChecking=no root@10.0.0.112<br>#\u6d4b\u8bd5\u8fdc\u7a0b\u8fde\u63a5\uff08windows xshell\uff09<br>ssh  root@10.0.0.112 2222<br>\u200b<br># \u68c0\u67e5\u65b0\u7248\u672c<br>\/usr\/local\/openssh-new\/usr\/bin\/ssh -V<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"7_%E6%AD%A3%E5%BC%8F%E6%9B%BF%E6%8D%A2\"><\/span>7. \u6b63\u5f0f\u66ff\u6362<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%E7%AC%AC1%E6%AD%A5%EF%BC%9A%E4%BF%9D%E6%8C%81%E6%96%B0SSH%E6%9C%8D%E5%8A%A1%E8%BF%90%E8%A1%8C%EF%BC%8C%E9%AA%8C%E8%AF%81%E5%8A%9F%E8%83%BD\"><\/span>\u7b2c1\u6b65\uff1a\u4fdd\u6301\u65b0SSH\u670d\u52a1\u8fd0\u884c\uff0c\u9a8c\u8bc1\u529f\u80fd<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\"># \u786e\u8ba4\u65b0SSH\u670d\u52a1\u6b63\u5728\u8fd0\u884c<br>echo \"=== \u9a8c\u8bc1\u65b0SSH\u670d\u52a1 ===\"<br>ps aux | grep \"openssh-new\" | grep -v grep<br>ss -tlnp | grep :2222<br>\u200b<br># \u6d4b\u8bd5\u6240\u6709\u529f\u80fd<br>echo \"=== \u6d4b\u8bd5SSH\u8fde\u63a5 ===\"<br>\/usr\/local\/openssh-new\/usr\/bin\/ssh -p 2222 -o StrictHostKeyChecking=no localhost \"echo 'SSH\u8fde\u63a5\u6d4b\u8bd5\u6210\u529f'\"<br>\u200b<br>echo \"=== \u6d4b\u8bd5SCP ===\"<br>echo \"test file\" &gt; \/tmp\/test_scp.txt<br>\/usr\/local\/openssh-new\/usr\/bin\/scp -P 2222 -o StrictHostKeyChecking=no \/tmp\/test_scp.txt localhost:\/tmp\/test_scp_received.txt<br>ls -la \/tmp\/test_scp_received.txt<br>\u200b<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" 
id=\"%E7%AC%AC2%E6%AD%A5%EF%BC%9A%E5%A4%87%E4%BB%BD%E5%8E%9F%E6%9C%89%E6%96%87%E4%BB%B6\"><\/span>\u7b2c2\u6b65\uff1a\u5907\u4efd\u539f\u6709\u6587\u4ef6<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\">echo \"=== \u5907\u4efd\u539f\u6709SSH\u6587\u4ef6 ===\"<br>BACKUP_DIR=\"\/data\/backup\/ssh_backup_$(date +%Y%m%d_%H%M%S)\"<br>mkdir -p $BACKUP_DIR\/{bin,sbin,libexec}<br>\u200b<br># \u5907\u4efd\u4e8c\u8fdb\u5236\u6587\u4ef6<br>cp \/usr\/bin\/ssh* $BACKUP_DIR\/bin\/<br>cp \/usr\/sbin\/sshd $BACKUP_DIR\/sbin<br>cp -r \/usr\/libexec\/openssh $BACKUP_DIR\/libexec<br>\u200b<br># \u5907\u4efd\u914d\u7f6e\u6587\u4ef6<br>cp -r \/etc\/ssh $BACKUP_DIR\/<br>\u200b<br>echo \"\u5907\u4efd\u5b8c\u6210\uff0c\u4f4d\u7f6e: $BACKUP_DIR\"<br>ls -la $BACKUP_DIR<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%E7%AC%AC3%E6%AD%A5%EF%BC%9A%E6%9B%BF%E6%8D%A2%E4%BA%8C%E8%BF%9B%E5%88%B6%E6%96%87%E4%BB%B6%EF%BC%88%E4%BF%9D%E6%8C%81%E6%9C%8D%E5%8A%A1%E8%BF%90%E8%A1%8C%EF%BC%89\"><\/span>\u7b2c3\u6b65\uff1a\u66ff\u6362\u4e8c\u8fdb\u5236\u6587\u4ef6\uff08\u4fdd\u6301\u670d\u52a1\u8fd0\u884c\uff09<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\">echo \"=== \u5f00\u59cb\u66ff\u6362\u4e8c\u8fdb\u5236\u6587\u4ef6 ===\"<br>\u200b<br># 1. 
\u66ff\u6362\u5ba2\u6237\u7aef\u5de5\u5177\uff08\u8fd9\u4e9b\u4e0d\u4f1a\u5f71\u54cd\u8fd0\u884c\u4e2d\u7684\u670d\u52a1\uff09<br>echo \"\u66ff\u6362\u5ba2\u6237\u7aef\u5de5\u5177...\"<br>mv \/usr\/bin\/ssh \/usr\/bin\/ssh.old<br>cp \/usr\/local\/openssh-new\/usr\/bin\/ssh \/usr\/bin\/ssh<br>\u200b<br>cp \/usr\/local\/openssh-new\/usr\/bin\/scp \/usr\/bin\/scp<br>cp \/usr\/local\/openssh-new\/usr\/bin\/sftp \/usr\/bin\/sftp<br>cp \/usr\/local\/openssh-new\/usr\/bin\/ssh-add \/usr\/bin\/ssh-add<br>cp \/usr\/local\/openssh-new\/usr\/bin\/ssh-agent \/usr\/bin\/ssh-agent<br>cp \/usr\/local\/openssh-new\/usr\/bin\/ssh-keygen \/usr\/bin\/ssh-keygen<br>cp \/usr\/local\/openssh-new\/usr\/bin\/ssh-keyscan \/usr\/bin\/ssh-keyscan<br>\u200b<br># 2. \u66ff\u6362\u670d\u52a1\u5668\u5de5\u5177<br>echo \"\u66ff\u6362\u670d\u52a1\u5668\u5de5\u5177...\"<br>#\u5907\u4efd\u65e7sshd\u4e3b\u7a0b\u5e8f<br>mv \/usr\/sbin\/sshd \/usr\/sbin\/sshd.old<br>cp \/usr\/local\/openssh-new\/usr\/sbin\/sshd \/usr\/sbin\/sshd<br># \u5220\u9664\u8f6f\u94fe\u63a5<br>rm \/usr\/libexec\/openssh\/sshd-auth<br>rm \/usr\/libexec\/openssh\/sshd-session<br>cp \/usr\/local\/openssh-new\/usr\/libexec\/openssh\/* \/usr\/libexec\/openssh\/<br>\u200b<br># \u4fee\u590dssh-keysign\u6743\u9650\uff08\u5728\u590d\u5236\u540e\u8bbe\u7f6e\uff09<br>chown root:ssh_keys \/usr\/libexec\/openssh\/ssh-keysign<br>chmod 2755 \/usr\/libexec\/openssh\/ssh-keysign<br>\u200b<br>echo \"\u6587\u4ef6\u66ff\u6362\u5b8c\u6210\"<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%E7%AC%AC7%E6%AD%A5%EF%BC%9A%E9%AA%8C%E8%AF%81%E6%9B%BF%E6%8D%A2%E7%BB%93%E6%9E%9C\"><\/span>\u7b2c7\u6b65\uff1a\u9a8c\u8bc1\u66ff\u6362\u7ed3\u679c<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\">echo \"=== \u9a8c\u8bc1\u66ff\u6362\u7ed3\u679c ===\"<br>\u200b<br># \u68c0\u67e5\u7248\u672c<br>echo \"\u65b0SSH\u7248\u672c\uff1a\"<br>ssh -V<br>\u200b<br>echo 
\"\u65b0sshd\u7248\u672c\uff1a\"<br>\/usr\/sbin\/sshd -V<br>\u200b<br># \u68c0\u67e5\u670d\u52a1\u72b6\u6001<br>echo \"\u670d\u52a1\u72b6\u6001\uff1a\"<br>systemctl status sshd<br>ss -tlnp | grep :22<br>\u200b<br># \u6d4b\u8bd5\u8fde\u63a5<br>echo \"\u6d4b\u8bd5\u7cfb\u7edfSSH\u8fde\u63a5...\"<br>ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=no localhost \"echo 'SSH 10.2\u5347\u7ea7\u6210\u529f\uff01'\" &amp;&amp; echo \"\u2705 \u7cfb\u7edfSSH\u6b63\u5e38\" || echo \"\u274c \u7cfb\u7edfSSH\u5f02\u5e38\"<br>\u200b<br># \u5982\u679c\u7cfb\u7edfSSH\u6b63\u5e38\uff0c\u53ef\u4ee5\u5173\u95ed\u6d4b\u8bd5\u670d\u52a1<br>if ssh -o ConnectTimeout=5 localhost \"exit\" 2&gt;\/dev\/null; then<br> &nbsp; &nbsp;echo \"\u7cfb\u7edfSSH\u6b63\u5e38\uff0c\u5173\u95ed\u6d4b\u8bd5\u670d\u52a1...\"<br> &nbsp;  pkill -f \"openssh-new.*sshd\"<br> &nbsp; &nbsp;echo \"\u2705 \u5347\u7ea7\u5b8c\u6210\uff01\"<br>else<br> &nbsp; &nbsp;echo \"\u274c \u7cfb\u7edfSSH\u5f02\u5e38\uff0c\u4fdd\u6301\u6d4b\u8bd5\u670d\u52a1\u8fd0\u884c\"<br> &nbsp; &nbsp;echo \"\u53ef\u901a\u8fc7\u7aef\u53e32222\u8fde\u63a5\u8fdb\u884c\u6545\u969c\u6392\u9664\"<br>fi<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%E7%AC%AC8%E6%AD%A5%EF%BC%9A%E6%B8%85%E7%90%86%E5%92%8C%E6%9C%80%E7%BB%88%E9%AA%8C%E8%AF%81\"><\/span>\u7b2c8\u6b65\uff1a\u6e05\u7406\u548c\u6700\u7ec8\u9a8c\u8bc1<span class=\"ez-toc-section-end\"><\/span><\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\">echo \"=== \u6700\u7ec8\u9a8c\u8bc1\u548c\u6e05\u7406 ===\"<br>\u200b<br># \u5168\u9762\u529f\u80fd\u6d4b\u8bd5<br>echo \"SSH\u5ba2\u6237\u7aef\u5de5\u5177\u6d4b\u8bd5\uff1a\"<br>ssh -V<br># scp \u6d4b\u8bd5\uff08\u4e0d\u4f7f\u7528 --help\uff09<br>echo \"test\" &gt; \/tmp\/testfile<br>scp \/tmp\/testfile localhost:\/tmp\/testfile2 &amp;&amp; echo \"\u2705 scp\u6b63\u5e38\" || echo \"\u274c scp\u5f02\u5e38\"<br>\u200b<br># sftp \u6d4b\u8bd5\uff08\u4f7f\u7528\u6b63\u786e\u7684\u53c2\u6570\uff09<br>echo \"quit\" | sftp 
localhost &gt;\/dev\/null 2&gt;&amp;1 &amp;&amp; echo \"\u2705 sftp\u6b63\u5e38\" || echo \"\u274c sftp\u5f02\u5e38\"<br>\u200b<br>echo \"SSH\u670d\u52a1\u6d4b\u8bd5\uff1a\"<br>ssh localhost \"uname -a\"<br>\u200b<br># \u663e\u793a\u5907\u4efd\u4fe1\u606f<br>echo \"\u5907\u4efd\u6587\u4ef6\u4f4d\u7f6e: $BACKUP_DIR\"<br>echo \"\u5982\u9700\u56de\u6eda\uff0c\u53ef\u6267\u884c:\"<br>echo \"systemctl stop sshd\"<br>echo \"cp $BACKUP_DIR\/sshd \/usr\/sbin\/\"<br>echo \"cp $BACKUP_DIR\/ssh* \/usr\/bin\/\"<br>echo \"cp -r $BACKUP_DIR\/openssh \/usr\/libexec\/\"<br>echo \"cp $BACKUP_DIR\/sshd_config \/etc\/ssh\/\"<br>echo \"systemctl start sshd\"<br>\u200b<br>echo \"=== OpenSSH\u5347\u7ea7\u5b8c\u6210 ===\"<br>\u200b<br># \u6e05\u7406\u4e34\u65f6\u6587\u4ef6<br>rm -rf \/tmp\/openssh-10.2p1*<br>rm -rf \/usr\/local\/openssh-new<br>\u200b<br># \u786e\u4fddSSH\u670d\u52a1\u5f00\u673a\u81ea\u542f<br>systemctl enable sshd<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"8_%E5%9B%9E%E6%BB%9A%E6%96%B9%E6%A1%88\"><\/span>8. 
\u56de\u6eda\u65b9\u6848<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<p>\u5982\u679c\u51fa\u73b0\u95ee\u9898\uff0c\u6267\u884c\u4ee5\u4e0b\u56de\u6eda。执行前请先核对路径：脚本中的 \/usr\/sbin\/sshd.backup.*、\/usr\/bin\/ssh.backup.* 和 \/backup\/ssh-upgrade-* 与前文实际生成的 \/usr\/sbin\/sshd.old、\/usr\/bin\/ssh.old 和 \/data\/backup\/ 下的备份不一致，而 cp 的报错又被 2&gt;\/dev\/null 屏蔽，按前文步骤操作后原样执行不会恢复这些文件；脚本也不会恢复前文改名的 \/etc\/crypto-policies\/back-ends\/openssh.config.disable。<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\"># \u56de\u6eda\u811a\u672c<br>cat &gt; \/tmp\/ssh_rollback.sh &lt;&lt; 'EOF'<br>#!\/bin\/bash<br>echo \"\u5f00\u59cb\u56de\u6edaSSH...\"<br>\u200b<br># \u505c\u6b62\u670d\u52a1<br>systemctl stop sshd<br>\u200b<br># \u6062\u590d\u5907\u4efd\u6587\u4ef6<br>cp \/usr\/sbin\/sshd.backup.* \/usr\/sbin\/sshd 2&gt;\/dev\/null<br>cp \/usr\/bin\/ssh.backup.* \/usr\/bin\/ssh 2&gt;\/dev\/null<br>\u200b<br># \u6062\u590d\u914d\u7f6e<br>BACKUP_DIR=$(ls -td \/backup\/ssh-upgrade-* | head -1)<br>if [ -d \"$BACKUP_DIR\" ]; then<br> &nbsp; &nbsp;cp -r $BACKUP_DIR\/ssh\/* \/etc\/ssh\/<br>fi<br>\u200b<br># \u91cd\u88c5\u539fSSH\u5305<br>dnf reinstall -y openssh openssh-server<br>\u200b<br># \u542f\u52a8\u670d\u52a1<br>systemctl start sshd<br>systemctl status sshd<br>\u200b<br>echo \"SSH\u56de\u6eda\u5b8c\u6210\"<br>EOF<br>\u200b<br>chmod +x \/tmp\/ssh_rollback.sh<br>echo \"\u56de\u6eda\u811a\u672c\u5df2\u51c6\u5907: \/tmp\/ssh_rollback.sh\"<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" id=\"%E6%B3%A8%E6%84%8F%E4%BA%8B%E9%A1%B9\"><\/span>\u6ce8\u610f\u4e8b\u9879<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>\u4fdd\u6301\u4f1a\u8bdd<\/strong>: \u6574\u4e2a\u8fc7\u7a0b\u4e2d\u81f3\u5c11\u4fdd\u6301\u4e00\u4e2aSSH\u4f1a\u8bdd\u4e0d\u8981\u65ad\u5f00<\/li>\n\n\n\n<li><strong>\u9632\u706b\u5899<\/strong>: \u786e\u4fdd\u9632\u706b\u5899\u5141\u8bb8SSH\u8fde\u63a5<\/li>\n\n\n\n<li><strong>SELinux<\/strong>: \u5982\u679c\u542f\u7528\u4e86SELinux\uff0c\u6ce8\u610f\u6587\u4ef6\u4e0a\u4e0b\u6587<\/li>\n\n\n\n<li><strong>\u5b9a\u671f\u5907\u4efd<\/strong>: \u5347\u7ea7\u524d\u7684\u5907\u4efd\u975e\u5e38\u91cd\u8981<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\"><span class=\"ez-toc-section\" 
id=\"%E8%87%AA%E5%8A%A8%E5%8C%96%E8%84%9A%E6%9C%AC\"><\/span>\u81ea\u52a8\u5316\u811a\u672c<span class=\"ez-toc-section-end\"><\/span><\/h3>\n\n\n\n<pre class=\"wp-block-preformatted\">#!\/bin\/bash<br>\u200b<br># OpenSSH\u5347\u7ea7\u811a\u672c - \u81ea\u52a8\u56de\u6eda\u7248\u672c<br># \u9002\u7528\u4e8eAnolis OS 8.10\u7cfb\u7edf<br>\u200b<br>set -e &nbsp;# \u9047\u5230\u9519\u8bef\u65f6\u9000\u51fa<br>\u200b<br>echo \"=== OpenSSH \u5347\u7ea7\u811a\u672c\u5f00\u59cb\u6267\u884c ===\"<br>echo \"\u76ee\u6807\u7248\u672c: OpenSSH 10.2p1\"<br>echo \"\u7cfb\u7edf: Anolis OS 8.10\"<br>echo \"==================================\"<br>\u200b<br># \u83b7\u53d6\u7528\u6237\u51ed\u636e\u7528\u4e8e\u540e\u7eed\u6d4b\u8bd5<br>echo \"=== \u83b7\u53d6\u6d4b\u8bd5\u51ed\u636e ===\"<br>read -p \"\u8bf7\u8f93\u5165\u7528\u4e8eSSH\u6d4b\u8bd5\u7684\u7528\u6237\u540d (\u5efa\u8bae\u4f7f\u7528root): \" TEST_USER<br>read -s -p \"\u8bf7\u8f93\u5165\u8be5\u7528\u6237\u7684\u5bc6\u7801: \" TEST_PASSWORD<br>echo \"\"<br>echo \"\u51ed\u636e\u5df2\u4fdd\u5b58\uff0c\u5c06\u7528\u4e8e\u81ea\u52a8\u5316\u6d4b\u8bd5\"<br>\u200b<br># \u9a8c\u8bc1\u51ed\u636e<br>echo \"\u6b63\u5728\u9a8c\u8bc1\u51ed\u636e...\"<br>if ! echo \"$TEST_PASSWORD\" | su - \"$TEST_USER\" -c \"whoami\" &gt;\/dev\/null 2&gt;&amp;1; then<br> &nbsp; &nbsp;echo \"\u274c \u51ed\u636e\u9a8c\u8bc1\u5931\u8d25\uff0c\u8bf7\u68c0\u67e5\u7528\u6237\u540d\u548c\u5bc6\u7801\"<br> &nbsp; &nbsp;exit 1<br>fi<br>echo \"\u2705 \u51ed\u636e\u9a8c\u8bc1\u6210\u529f\"<br>\u200b<br># 1. \u51c6\u5907\u5de5\u4f5c<br>echo \"=== 1. 
\u51c6\u5907\u5de5\u4f5c ===\"<br>ssh -V<br>systemctl status sshd --no-pager -l<br>ss -tlnp | grep :22<br>\u200b<br>mkdir -p \/data\/backup\/ssh-upgrade-$(date +%Y%m%d-%H%M)<br>BACKUP_DIR=\"\/data\/backup\/ssh-upgrade-$(date +%Y%m%d-%H%M)\"<br>\u200b<br>cp -r \/etc\/ssh\/ $BACKUP_DIR\/<br>cp \/etc\/passwd $BACKUP_DIR\/<br>cp \/etc\/shadow $BACKUP_DIR\/<br>cp \/etc\/group $BACKUP_DIR\/<br>systemctl list-unit-files | grep ssh &gt; $BACKUP_DIR\/ssh-services.txt<br>\u200b<br>ls -la \/etc\/ssh\/ssh_host_*_key* &gt; $BACKUP_DIR\/original-key-permissions.txt<br>echo \"\u5f53\u524dSSH\u4e3b\u673a\u5bc6\u94a5\u6743\u9650\u5df2\u8bb0\u5f55\u5230\u5907\u4efd\u76ee\u5f55\"<br>\u200b<br>echo \"\u68c0\u67e5\u5e76\u4fee\u590dSSH\u4e3b\u673a\u5bc6\u94a5\u6743\u9650...\"<br>for key in \/etc\/ssh\/ssh_host_*_key; do<br> &nbsp; &nbsp;if [ -f \"$key\" ]; then<br> &nbsp; &nbsp; &nbsp; &nbsp;chmod 600 \"$key\"<br> &nbsp; &nbsp; &nbsp; &nbsp;echo \"\u4fee\u590d $key \u6743\u9650\u4e3a 600\"<br> &nbsp; &nbsp;fi<br>done<br>\u200b<br>for key in \/etc\/ssh\/ssh_host_*_key.pub; do<br> &nbsp; &nbsp;if [ -f \"$key\" ]; then<br> &nbsp; &nbsp; &nbsp; &nbsp;chmod 644 \"$key\"<br> &nbsp; &nbsp; &nbsp; &nbsp;echo \"\u4fee\u590d $key \u6743\u9650\u4e3a 644\"<br> &nbsp; &nbsp;fi<br>done<br>\u200b<br>echo \"\u5f53\u524dSSH\u4e3b\u673a\u5bc6\u94a5\u6743\u9650\uff1a\"<br>ls -la \/etc\/ssh\/ssh_host_*_key* | head -10<br>\u200b<br># 2. \u5b89\u88c5\u7f16\u8bd1\u4f9d\u8d56<br>echo \"=== 2. 
\u5b89\u88c5\u7f16\u8bd1\u4f9d\u8d56 ===\"<br># \u5b89\u88c5sshpass\u7528\u4e8e\u81ea\u52a8\u5316SSH\u6d4b\u8bd5<br>dnf update -y<br>dnf groupinstall -y \"Development Tools\"<br>dnf install -y \\<br> &nbsp; &nbsp;gcc \\<br> &nbsp; &nbsp;make \\<br> &nbsp;  openssl-devel \\<br> &nbsp;  zlib-devel \\<br> &nbsp;  pam-devel \\<br> &nbsp;  rpm-build \\<br> &nbsp; &nbsp;wget \\<br> &nbsp;  tar \\<br> &nbsp;  systemd-devel \\<br> &nbsp;  krb5-devel \\<br> &nbsp;  sshpass \\<br> &nbsp;  expect<br>\u200b<br>rpm -qa | grep -E \"(gcc|openssl-devel|zlib-devel|pam-devel)\"<br>\u200b<br># 3. \u4e0b\u8f7d\u6e90\u7801<br>echo \"=== 3. \u4e0b\u8f7d\u6e90\u7801 ===\"<br>cd \/tmp<br># \u6e05\u7406\u53ef\u80fd\u5b58\u5728\u7684\u65e7\u6587\u4ef6<br>rm -rf openssh-10.2p1*<br># \u6dfb\u52a0\u8d85\u65f6\u548c\u91cd\u8bd5\u53c2\u6570<br>wget --timeout=30 --tries=3 https:\/\/mirrors.aliyun.com\/pub\/OpenBSD\/OpenSSH\/portable\/openssh-10.2p1.tar.gz<br>\u200b<br>tar -xzf openssh-10.2p1.tar.gz<br>cd openssh-10.2p1<br>\u200b<br># 4. \u914d\u7f6e\u548c\u7f16\u8bd1<br>echo \"=== 4. 
\u914d\u7f6e\u548c\u7f16\u8bd1 ===\"<br>rpm -ql openssh-server | head -10<br>\u200b<br># \u914d\u7f6e\u7f16\u8bd1\u9009\u9879<br>.\/configure \\<br> &nbsp; &nbsp;--prefix=\/usr \\<br> &nbsp; &nbsp;--sysconfdir=\/etc\/ssh \\<br> &nbsp; &nbsp;--libexecdir=\/usr\/libexec\/openssh \\<br> &nbsp; &nbsp;--datadir=\/usr\/share\/openssh \\<br> &nbsp; &nbsp;--with-xauth=\/usr\/bin\/xauth \\<br> &nbsp; &nbsp;--with-default-path=\/usr\/local\/bin:\/bin:\/usr\/bin \\<br> &nbsp; &nbsp;--with-superuser-path=\/usr\/local\/sbin:\/usr\/local\/bin:\/sbin:\/bin:\/usr\/sbin:\/usr\/bin \\<br> &nbsp; &nbsp;--with-privsep-path=\/var\/empty\/sshd \\<br> &nbsp; &nbsp;--with-pid-dir=\/var\/run \\<br> &nbsp; &nbsp;--with-pam \\<br> &nbsp; &nbsp;--disable-strip \\<br> &nbsp; &nbsp;--without-zlib-version-check \\<br> &nbsp; &nbsp;--with-ssl-engine \\<br> &nbsp; &nbsp;--with-ipaddr-display \\<br> &nbsp; &nbsp;--with-kerberos5=\/usr \\<br> &nbsp; &nbsp;--with-gssapi<br>\u200b<br># \u68c0\u67e5configure\u662f\u5426\u6210\u529f<br>if [ $? -ne 0 ]; then<br> &nbsp; &nbsp;echo \"\u274c \u914d\u7f6e\u5931\u8d25\uff0c\u81ea\u52a8\u56de\u6eda...\"<br> &nbsp; &nbsp;cd \/tmp<br> &nbsp; &nbsp;rm -rf openssh-10.2p1*<br> &nbsp; &nbsp;exit 1<br>fi<br>\u200b<br>echo \"\u5f00\u59cb\u7f16\u8bd1...\"<br>make -j$(nproc)<br>\u200b<br>if [ $? -eq 0 ]; then<br> &nbsp; &nbsp;echo \"\u2705 \u7f16\u8bd1\u5b8c\u6210\uff0c\u68c0\u67e5\u4e3b\u8981\u6587\u4ef6\uff1a\"<br> &nbsp; &nbsp;ls -la ssh sshd ssh-keygen scp sftp<br>else<br> &nbsp; &nbsp;echo \"\u274c \u7f16\u8bd1\u5931\u8d25\uff0c\u81ea\u52a8\u56de\u6eda...\"<br> &nbsp; &nbsp;cd \/tmp<br> &nbsp; &nbsp;rm -rf openssh-10.2p1*<br> &nbsp; &nbsp;exit 1<br>fi<br>\u200b<br>make install DESTDIR=\/usr\/local\/openssh-new<br>echo \"\u2705 \u5b89\u88c5\u5230\u6d4b\u8bd5\u76ee\u5f55\u5b8c\u6210\"<br>\u200b<br># 5. \u53cc\u7aef\u53e3\u5b89\u88c5\u6d4b\u8bd5<br>echo \"=== 5. 
\u53cc\u7aef\u53e3\u5b89\u88c5\u6d4b\u8bd5 ===\"<br># \u68c0\u67e5ssh_keys\u7ec4\u662f\u5426\u5b58\u5728\uff0c\u4e0d\u5b58\u5728\u5219\u4f7f\u7528root<br>if getent group ssh_keys &gt; \/dev\/null 2&gt;&amp;1; then<br> &nbsp; &nbsp;chown root:ssh_keys \/usr\/local\/openssh-new\/usr\/libexec\/openssh\/ssh-keysign<br>else<br> &nbsp; &nbsp;chown root:root \/usr\/local\/openssh-new\/usr\/libexec\/openssh\/ssh-keysign<br>fi<br>chmod 2755 \/usr\/local\/openssh-new\/usr\/libexec\/openssh\/ssh-keysign<br>\u200b<br># \u5f3a\u5236\u8986\u76d6\u590d\u5236<br>cp -rf \/etc\/ssh\/* \/usr\/local\/openssh-new\/etc\/ssh\/<br>\u200b<br># \u4fee\u6539\u6d4b\u8bd5\u7aef\u53e3\u914d\u7f6e<br>sed -i 's\/^#*Port .*\/Port 2222\/' \/usr\/local\/openssh-new\/etc\/ssh\/sshd_config<br>\u200b<br>echo \"LogLevel INFO\" &gt;&gt; \/usr\/local\/openssh-new\/etc\/ssh\/sshd_config<br>echo \"PidFile \/var\/run\/sshd-new.pid\" &gt;&gt; \/usr\/local\/openssh-new\/etc\/ssh\/sshd_config<br>\u200b<br># \u5907\u4efd\u548c\u4fee\u6539\u7cfb\u7edf\u914d\u7f6e<br>if [ -f \/etc\/crypto-policies\/back-ends\/openssh.config ]; then<br> &nbsp; &nbsp;cp \/etc\/crypto-policies\/back-ends\/openssh.config \/etc\/crypto-policies\/back-ends\/openssh.config.backup<br> &nbsp; &nbsp;mv \/etc\/crypto-policies\/back-ends\/openssh.config \/etc\/crypto-policies\/back-ends\/openssh.config.disable<br>fi<br>\u200b<br>cp \/usr\/lib\/systemd\/system\/sshd.service \/usr\/lib\/systemd\/system\/sshd.service.backup<br>sed -i 's\/ExecStart=\\\/usr\\\/sbin\\\/sshd -D \\$OPTIONS \\$CRYPTO_POLICY\/ExecStart=\\\/usr\\\/sbin\\\/sshd -D\/' \/usr\/lib\/systemd\/system\/sshd.service<br>\u200b<br>systemctl daemon-reload<br>\u200b<br>echo \"=== \u68c0\u67e5\u7cfb\u7edf\u539f\u6709\u7ec4\u4ef6 ===\"<br>if [ -f \"\/usr\/libexec\/openssh\/sshd-session\" ] &amp;&amp; [ ! 
-L \"\/usr\/libexec\/openssh\/sshd-session\" ]; then<br> &nbsp; &nbsp;echo \"\u26a0\ufe0f  \u7cfb\u7edf\u5df2\u6709 sshd-session\uff0c\u81ea\u52a8\u5907\u4efd\u540e\u66ff\u6362\"<br> &nbsp; &nbsp;mv \/usr\/libexec\/openssh\/sshd-session \/usr\/libexec\/openssh\/sshd-session.backup<br> &nbsp; &nbsp;if [ -f \"\/usr\/libexec\/openssh\/sshd-auth\" ]; then<br> &nbsp; &nbsp; &nbsp; &nbsp;mv \/usr\/libexec\/openssh\/sshd-auth \/usr\/libexec\/openssh\/sshd-auth.backup<br> &nbsp; &nbsp;fi<br>else<br> &nbsp; &nbsp;echo \"\u2705 \u7cfb\u7edf\u65e0\u51b2\u7a81\u6587\u4ef6\uff0c\u7b26\u53f7\u94fe\u63a5\u5b89\u5168\"<br>fi<br>\u200b<br>ln -sf \/usr\/local\/openssh-new\/usr\/libexec\/openssh\/sshd-session \/usr\/libexec\/openssh\/sshd-session<br>if [ -f \"\/usr\/local\/openssh-new\/usr\/libexec\/openssh\/sshd-auth\" ]; then<br> &nbsp; &nbsp;ln -sf \/usr\/local\/openssh-new\/usr\/libexec\/openssh\/sshd-auth \/usr\/libexec\/openssh\/sshd-auth<br>fi<br>\u200b<br>echo \"\u9a8c\u8bc1\u914d\u7f6e\u6587\u4ef6\u8bed\u6cd5...\"<br>\/usr\/local\/openssh-new\/usr\/sbin\/sshd -t -f \/usr\/local\/openssh-new\/etc\/ssh\/sshd_config<br>\u200b<br>if [ $? -eq 0 ]; then<br> &nbsp; &nbsp;echo \"\u2705 \u914d\u7f6e\u6587\u4ef6\u8bed\u6cd5\u6b63\u786e\"<br>else<br> &nbsp; &nbsp;echo \"\u274c \u914d\u7f6e\u6587\u4ef6\u8bed\u6cd5\u9519\u8bef\uff0c\u81ea\u52a8\u4fee\u590d\u6743\u9650...\"<br> &nbsp; &nbsp;chmod 600 \/etc\/ssh\/ssh_host_*_key<br> &nbsp; &nbsp;chmod 600 \/usr\/local\/openssh-new\/etc\/ssh\/ssh_host_*_key<br> &nbsp; &nbsp;# \u91cd\u65b0\u9a8c\u8bc1<br> &nbsp;  \/usr\/local\/openssh-new\/usr\/sbin\/sshd -t -f \/usr\/local\/openssh-new\/etc\/ssh\/sshd_config<br> &nbsp; &nbsp;if [ $? 
-ne 0 ]; then<br> &nbsp; &nbsp; &nbsp; &nbsp;echo \"\u274c \u914d\u7f6e\u6587\u4ef6\u4ecd\u6709\u95ee\u9898\uff0c\u81ea\u52a8\u56de\u6eda...\"<br> &nbsp; &nbsp; &nbsp; &nbsp;cd \/tmp<br> &nbsp; &nbsp; &nbsp; &nbsp;rm -rf openssh-10.2p1*<br> &nbsp; &nbsp; &nbsp; &nbsp;rm -rf \/usr\/local\/openssh-new<br> &nbsp; &nbsp; &nbsp; &nbsp;# \u6062\u590d\u5907\u4efd\u6587\u4ef6<br> &nbsp; &nbsp; &nbsp; &nbsp;if [ -f \/etc\/crypto-policies\/back-ends\/openssh.config.backup ]; then<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;mv \/etc\/crypto-policies\/back-ends\/openssh.config.backup \/etc\/crypto-policies\/back-ends\/openssh.config<br> &nbsp; &nbsp; &nbsp; &nbsp;fi<br> &nbsp; &nbsp; &nbsp; &nbsp;exit 1<br> &nbsp; &nbsp;fi<br>fi<br>\u200b<br># \u542f\u52a8\u6d4b\u8bd5SSH\u670d\u52a1<br>echo \"\u542f\u52a8\u6d4b\u8bd5SSH\u670d\u52a1...\"<br>\/usr\/local\/openssh-new\/usr\/sbin\/sshd -f \/usr\/local\/openssh-new\/etc\/ssh\/sshd_config -D &amp;<br>TEST_SSHD_PID=$!<br>\u200b<br>sleep 5<br>ss -tlnp | grep :2222<br>if [ $? -eq 0 ]; then<br> &nbsp; &nbsp;echo \"\u2705 \u6d4b\u8bd5SSH\u670d\u52a1\u542f\u52a8\u6210\u529f\uff0c\u7aef\u53e32222\"<br>else<br> &nbsp; &nbsp;echo \"\u274c \u6d4b\u8bd5SSH\u670d\u52a1\u542f\u52a8\u5931\u8d25\uff0c\u81ea\u52a8\u56de\u6eda...\"<br> &nbsp; &nbsp;kill $TEST_SSHD_PID 2&gt;\/dev\/null<br> &nbsp; &nbsp;cd \/tmp<br> &nbsp; &nbsp;rm -rf openssh-10.2p1*<br> &nbsp; &nbsp;rm -rf \/usr\/local\/openssh-new<br> &nbsp; &nbsp;# \u6062\u590d\u5907\u4efd\u6587\u4ef6<br> &nbsp; &nbsp;if [ -f \/etc\/crypto-policies\/back-ends\/openssh.config.backup ]; then<br> &nbsp; &nbsp; &nbsp; &nbsp;mv \/etc\/crypto-policies\/back-ends\/openssh.config.backup \/etc\/crypto-policies\/back-ends\/openssh.config<br> &nbsp; &nbsp;fi<br> &nbsp; &nbsp;exit 1<br>fi<br>\u200b<br>\/usr\/local\/openssh-new\/usr\/sbin\/sshd -V<br>\u200b<br># 6. \u6d4b\u8bd5\u65b0SSH\u670d\u52a1\u8fde\u63a5<br>echo \"=== 6. 
\u6d4b\u8bd5\u65b0SSH\u670d\u52a1\u8fde\u63a5 ===\"<br>echo \"\u6b63\u5728\u6d4b\u8bd5\u65b0SSH\u670d\u52a1\u7684\u8fde\u63a5\u529f\u80fd...\"<br>\u200b<br># \u83b7\u53d6\u672c\u673aIP<br>LOCAL_IP=$(ip route get 8.8.8.8 | awk 'NR==1{print $7}')<br>if [ -z \"$LOCAL_IP\" ]; then<br> &nbsp; &nbsp;LOCAL_IP=\"127.0.0.1\"<br>fi<br>\u200b<br>echo \"\u4f7f\u7528IP: $LOCAL_IP, \u7aef\u53e3: 2222\"<br>\u200b<br># \u521b\u5efaexpect\u811a\u672c\u8fdb\u884c\u81ea\u52a8\u5316SSH\u6d4b\u8bd5\uff1b$TEST_PASSWORD \u4f1a\u4ee5\u660e\u6587\u5199\u5165\u8be5\u811a\u672c\uff0c\u5e94\u5c06\u5176\u6743\u9650\u9650\u5236\u4e3a\u4ec5\u5c5e\u4e3b\u53ef\u8bfb<br>cat &gt; \/tmp\/ssh_test.exp &lt;&lt; EOF<br>#!\/usr\/bin\/expect<br>set timeout 30<br>spawn \/usr\/local\/openssh-new\/usr\/bin\/ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=\/dev\/null -p 2222 $TEST_USER@$LOCAL_IP \"echo 'SSH\u8fde\u63a5\u6d4b\u8bd5\u6210\u529f' &amp;&amp; \/usr\/local\/openssh-new\/usr\/sbin\/sshd -V\"<br>expect {<br> &nbsp; &nbsp;\"*password:\" {<br> &nbsp; &nbsp; &nbsp;  send \"$TEST_PASSWORD\\r\"<br> &nbsp; &nbsp; &nbsp;  expect {<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;\"*SSH\u8fde\u63a5\u6d4b\u8bd5\u6210\u529f*\" {<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  puts \"\u2705 SSH\u8fde\u63a5\u6d4b\u8bd5\u901a\u8fc7\"<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  expect eof<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;exit 0<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  }<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  timeout {<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  puts \"\u274c SSH\u8fde\u63a5\u6d4b\u8bd5\u8d85\u65f6\"<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;exit 1<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  }<br> &nbsp; &nbsp; &nbsp;  }<br> &nbsp;  }<br> &nbsp;  timeout {<br> &nbsp; &nbsp; &nbsp;  puts \"\u274c SSH\u8fde\u63a5\u8d85\u65f6\"<br> &nbsp; &nbsp; &nbsp; &nbsp;exit 1<br> &nbsp;  }<br>}<br>EOF<br>\u200b<br>chmod +x \/tmp\/ssh_test.exp<br>\u200b<br># \u6267\u884cSSH\u8fde\u63a5\u6d4b\u8bd5<br>if \/tmp\/ssh_test.exp; then<br> &nbsp; &nbsp;echo \"\u2705 
\u65b0SSH\u670d\u52a1\u8fde\u63a5\u6d4b\u8bd5\u6210\u529f\"<br>else<br> &nbsp; &nbsp;echo \"\u274c \u65b0SSH\u670d\u52a1\u8fde\u63a5\u6d4b\u8bd5\u5931\u8d25\uff0c\u81ea\u52a8\u56de\u6eda...\"<br> &nbsp; &nbsp;kill $TEST_SSHD_PID 2&gt;\/dev\/null<br> &nbsp; &nbsp;cd \/tmp<br> &nbsp; &nbsp;rm -rf openssh-10.2p1*<br> &nbsp; &nbsp;rm -rf \/usr\/local\/openssh-new<br> &nbsp; &nbsp;rm -f \/tmp\/ssh_test.exp<br> &nbsp; &nbsp;# \u6062\u590d\u5907\u4efd\u6587\u4ef6<br> &nbsp; &nbsp;if [ -f \/etc\/crypto-policies\/back-ends\/openssh.config.backup ]; then<br> &nbsp; &nbsp; &nbsp; &nbsp;mv \/etc\/crypto-policies\/back-ends\/openssh.config.backup \/etc\/crypto-policies\/back-ends\/openssh.config<br> &nbsp; &nbsp;fi<br> &nbsp; &nbsp;exit 1<br>fi<br>\u200b<br># 7. \u6b63\u5f0f\u66ff\u6362<br>echo \"=== 7. \u6b63\u5f0f\u66ff\u6362 ===\"<br>\u200b<br># \u7b2c1\u6b65\uff1a\u9a8c\u8bc1\u65b0SSH\u670d\u52a1<br>echo \"=== \u9a8c\u8bc1\u65b0SSH\u670d\u52a1 ===\"<br>ps aux | grep \"openssh-new\" | grep -v grep<br>ss -tlnp | grep :2222<br>\u200b<br>echo \"=== \u81ea\u52a8\u5316\u529f\u80fd\u6d4b\u8bd5 ===\"<br>echo \"test file\" &gt; \/tmp\/test_scp.txt<br>echo \"\u2705 \u6d4b\u8bd5\u6587\u4ef6\u521b\u5efa\u6210\u529f\"<br>\u200b<br># \u7b2c2\u6b65\uff1a\u5907\u4efd\u539f\u6709\u6587\u4ef6<br>echo \"=== \u5907\u4efd\u539f\u6709SSH\u6587\u4ef6 ===\"<br>BACKUP_DIR2=\"\/data\/backup\/ssh_backup_$(date +%Y%m%d_%H%M%S)\"<br>mkdir -p $BACKUP_DIR2\/{bin,sbin,libexec}<br>\u200b<br># \u5f3a\u5236\u590d\u5236\uff0c\u4e0d\u63d0\u793a\u8986\u76d6<br>cp -f \/usr\/bin\/ssh* $BACKUP_DIR2\/bin\/ 2&gt;\/dev\/null || true<br>cp -f \/usr\/sbin\/sshd $BACKUP_DIR2\/sbin<br>cp -rf \/usr\/libexec\/openssh $BACKUP_DIR2\/libexec<br>\u200b<br>cp -rf \/etc\/ssh $BACKUP_DIR2\/<br>\u200b<br>echo \"\u5907\u4efd\u5b8c\u6210\uff0c\u4f4d\u7f6e: $BACKUP_DIR2\"<br>ls -la $BACKUP_DIR2<br>\u200b<br># \u7b2c3\u6b65\uff1a\u66ff\u6362\u4e8c\u8fdb\u5236\u6587\u4ef6\uff08\u4fdd\u6301\u670d\u52a1\u8fd0\u884c\uff09<br>echo \"=== 
\u5f00\u59cb\u66ff\u6362\u4e8c\u8fdb\u5236\u6587\u4ef6 ===\"<br>\u200b<br>echo \"\u66ff\u6362\u5ba2\u6237\u7aef\u5de5\u5177...\"<br>mv \/usr\/bin\/ssh \/usr\/bin\/ssh.old<br>cp -f \/usr\/local\/openssh-new\/usr\/bin\/ssh \/usr\/bin\/ssh<br>\u200b<br>cp -f \/usr\/local\/openssh-new\/usr\/bin\/scp \/usr\/bin\/scp<br>cp -f \/usr\/local\/openssh-new\/usr\/bin\/sftp \/usr\/bin\/sftp<br>cp -f \/usr\/local\/openssh-new\/usr\/bin\/ssh-add \/usr\/bin\/ssh-add<br>cp -f \/usr\/local\/openssh-new\/usr\/bin\/ssh-agent \/usr\/bin\/ssh-agent<br>cp -f \/usr\/local\/openssh-new\/usr\/bin\/ssh-keygen \/usr\/bin\/ssh-keygen<br>cp -f \/usr\/local\/openssh-new\/usr\/bin\/ssh-keyscan \/usr\/bin\/ssh-keyscan<br>\u200b<br>echo \"\u66ff\u6362\u670d\u52a1\u5668\u5de5\u5177...\"<br>mv \/usr\/sbin\/sshd \/usr\/sbin\/sshd.old<br>cp -f \/usr\/local\/openssh-new\/usr\/sbin\/sshd \/usr\/sbin\/sshd<br>\u200b<br># \u5b89\u5168\u5220\u9664\u8f6f\u94fe\u63a5\u5e76\u590d\u5236\u65b0\u6587\u4ef6<br>rm -f \/usr\/libexec\/openssh\/sshd-auth<br>rm -f \/usr\/libexec\/openssh\/sshd-session<br>cp -f \/usr\/local\/openssh-new\/usr\/libexec\/openssh\/* \/usr\/libexec\/openssh\/<br>\u200b<br># \u4fee\u590d\u6743\u9650<br>if getent group ssh_keys &gt; \/dev\/null 2&gt;&amp;1; then<br> &nbsp; &nbsp;chown root:ssh_keys \/usr\/libexec\/openssh\/ssh-keysign<br>else<br> &nbsp; &nbsp;chown root:root \/usr\/libexec\/openssh\/ssh-keysign<br>fi<br>chmod 2755 \/usr\/libexec\/openssh\/ssh-keysign<br>\u200b<br>echo \"\u6587\u4ef6\u66ff\u6362\u5b8c\u6210\"<br>\u200b<br># \u9a8c\u8bc1\u66ff\u6362\u7ed3\u679c<br>echo \"=== \u9a8c\u8bc1\u66ff\u6362\u7ed3\u679c ===\"<br>\u200b<br>echo \"\u65b0SSH\u7248\u672c\uff1a\"<br>ssh -V<br>\u200b<br>echo \"\u65b0sshd\u7248\u672c\uff1a\"<br>\/usr\/sbin\/sshd -V<br>\u200b<br>echo \"\u670d\u52a1\u72b6\u6001\uff1a\"<br>systemctl status sshd --no-pager<br>ss -tlnp | grep :22<br>\u200b<br>echo \"\u5173\u95ed\u6d4b\u8bd5\u670d\u52a1...\"<br>kill $TEST_SSHD_PID 2&gt;\/dev\/null<br>sleep 
2<br>\u200b<br># \u6062\u590d\u6b63\u5e38\u7aef\u53e3\u914d\u7f6e<br>sed -i 's\/^Port 2222\/Port 22\/' \/etc\/ssh\/sshd_config<br>\u200b<br>echo \"\u91cd\u542fSSH\u670d\u52a1...\"<br>systemctl restart sshd<br>sleep 5<br>\u200b<br>echo \"\u9a8c\u8bc1SSH\u670d\u52a1\u72b6\u6001\uff1a\"<br>systemctl status sshd --no-pager<br>ss -tlnp | grep :22<br>\u200b<br>if systemctl is-active --quiet sshd; then<br> &nbsp; &nbsp;echo \"\u2705 SSH\u670d\u52a1\u6b63\u5e38\u8fd0\u884c\"<br> &nbsp; &nbsp;<br> &nbsp; &nbsp;# \u6700\u7ec8SSH\u8fde\u63a5\u6d4b\u8bd5<br> &nbsp; &nbsp;echo \"=== \u6700\u7ec8SSH\u8fde\u63a5\u6d4b\u8bd5 ===\"<br> &nbsp; &nbsp;cat &gt; \/tmp\/final_ssh_test.exp &lt;&lt; EOF<br>#!\/usr\/bin\/expect<br>set timeout 30<br>spawn ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=\/dev\/null $TEST_USER@$LOCAL_IP \"echo 'SSH\u6700\u7ec8\u6d4b\u8bd5\u6210\u529f' &amp;&amp; ssh -V\"<br>expect {<br> &nbsp; &nbsp;\"*password:\" {<br> &nbsp; &nbsp; &nbsp;  send \"$TEST_PASSWORD\\r\"<br> &nbsp; &nbsp; &nbsp;  expect {<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;\"*SSH\u6700\u7ec8\u6d4b\u8bd5\u6210\u529f*\" {<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  puts \"\u2705 SSH\u6700\u7ec8\u8fde\u63a5\u6d4b\u8bd5\u901a\u8fc7\"<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  expect eof<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;exit 0<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  }<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  timeout {<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  puts \"\u274c SSH\u6700\u7ec8\u8fde\u63a5\u6d4b\u8bd5\u8d85\u65f6\"<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;exit 1<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;  }<br> &nbsp; &nbsp; &nbsp;  }<br> &nbsp;  }<br> &nbsp;  timeout {<br> &nbsp; &nbsp; &nbsp;  puts \"\u274c SSH\u6700\u7ec8\u8fde\u63a5\u8d85\u65f6\"<br> &nbsp; &nbsp; &nbsp; &nbsp;exit 1<br> &nbsp;  }<br>}<br>EOF<br> &nbsp; &nbsp;<br> &nbsp; &nbsp;chmod +x \/tmp\/final_ssh_test.exp<br> &nbsp; &nbsp;<br> 
&nbsp; &nbsp;if \/tmp\/final_ssh_test.exp; then<br> &nbsp; &nbsp; &nbsp; &nbsp;echo \"\u2705 \u5347\u7ea7\u5b8c\u6210\u5e76\u901a\u8fc7\u6700\u7ec8\u6d4b\u8bd5\uff01\"<br> &nbsp; &nbsp;else<br> &nbsp; &nbsp; &nbsp; &nbsp;echo \"\u274c \u6700\u7ec8SSH\u6d4b\u8bd5\u5931\u8d25\uff0c\u81ea\u52a8\u56de\u6eda...\"<br> &nbsp; &nbsp; &nbsp;  systemctl stop sshd<br> &nbsp; &nbsp; &nbsp; &nbsp;cp -f $BACKUP_DIR2\/sbin\/sshd \/usr\/sbin\/sshd<br> &nbsp; &nbsp; &nbsp; &nbsp;cp -f $BACKUP_DIR2\/bin\/ssh* \/usr\/bin\/<br> &nbsp; &nbsp; &nbsp; &nbsp;cp -rf $BACKUP_DIR2\/libexec\/openssh \/usr\/libexec\/<br> &nbsp; &nbsp; &nbsp; &nbsp;cp -rf $BACKUP_DIR2\/ssh \/etc\/<br> &nbsp; &nbsp; &nbsp; &nbsp;<br> &nbsp; &nbsp; &nbsp; &nbsp;# \u6062\u590d\u7cfb\u7edf\u670d\u52a1\u914d\u7f6e<br> &nbsp; &nbsp; &nbsp; &nbsp;if [ -f \/usr\/lib\/systemd\/system\/sshd.service.backup ]; then<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;cp \/usr\/lib\/systemd\/system\/sshd.service.backup \/usr\/lib\/systemd\/system\/sshd.service<br> &nbsp; &nbsp; &nbsp; &nbsp;fi<br> &nbsp; &nbsp; &nbsp; &nbsp;<br> &nbsp; &nbsp; &nbsp; &nbsp;# \u6062\u590dcrypto-policies\u914d\u7f6e<br> &nbsp; &nbsp; &nbsp; &nbsp;if [ -f \/etc\/crypto-policies\/back-ends\/openssh.config.backup ]; then<br> &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;mv \/etc\/crypto-policies\/back-ends\/openssh.config.backup \/etc\/crypto-policies\/back-ends\/openssh.config<br> &nbsp; &nbsp; &nbsp; &nbsp;fi<br> &nbsp; &nbsp; &nbsp; &nbsp;<br> &nbsp; &nbsp; &nbsp;  systemctl daemon-reload<br> &nbsp; &nbsp; &nbsp;  systemctl start sshd<br> &nbsp; &nbsp; &nbsp;  systemctl status sshd<br> &nbsp; &nbsp; &nbsp; &nbsp;echo \"\u5df2\u6210\u529f\u56de\u6eda\u81f3\u539f\u7248\u672c\"<br> &nbsp; &nbsp; &nbsp; &nbsp;rm -f \/tmp\/final_ssh_test.exp<br> &nbsp; &nbsp; &nbsp; &nbsp;exit 1<br> &nbsp; &nbsp;fi<br> &nbsp; &nbsp;<br>else<br> &nbsp; &nbsp;echo \"\u274c SSH\u670d\u52a1\u5f02\u5e38\uff0c\u81ea\u52a8\u56de\u6eda...\"<br> &nbsp; &nbsp;echo 
\"\u6b63\u5728\u56de\u6eda\u81f3\u539f\u7248\u672c...\"<br> &nbsp;  systemctl stop sshd<br> &nbsp; &nbsp;cp -f $BACKUP_DIR2\/sbin\/sshd \/usr\/sbin\/sshd<br> &nbsp; &nbsp;cp -f $BACKUP_DIR2\/bin\/ssh* \/usr\/bin\/<br> &nbsp; &nbsp;cp -rf $BACKUP_DIR2\/libexec\/openssh \/usr\/libexec\/<br> &nbsp; &nbsp;cp -rf $BACKUP_DIR2\/ssh \/etc\/<br>\u200b<br> &nbsp; &nbsp;# \u6062\u590d\u7cfb\u7edf\u670d\u52a1\u914d\u7f6e<br> &nbsp; &nbsp;if [ -f \/usr\/lib\/systemd\/system\/sshd.service.backup ]; then<br> &nbsp; &nbsp; &nbsp; &nbsp;cp \/usr\/lib\/systemd\/system\/sshd.service.backup \/usr\/lib\/systemd\/system\/sshd.service<br> &nbsp; &nbsp;fi<br>\u200b<br> &nbsp; &nbsp;# \u6062\u590dcrypto-policies\u914d\u7f6e &nbsp;<br> &nbsp; &nbsp;if [ -f \/etc\/crypto-policies\/back-ends\/openssh.config.backup ]; then<br> &nbsp; &nbsp; &nbsp; &nbsp;mv \/etc\/crypto-policies\/back-ends\/openssh.config.backup \/etc\/crypto-policies\/back-ends\/openssh.config<br> &nbsp; &nbsp;fi<br>\u200b<br> &nbsp;  systemctl daemon-reload<br> &nbsp;  systemctl start sshd<br> &nbsp;  systemctl status sshd<br> &nbsp; &nbsp;echo \"\u5df2\u6210\u529f\u56de\u6eda\u81f3\u539f\u7248\u672c\"<br> &nbsp; &nbsp;exit 1<br>fi<br>\u200b<br># \u6700\u7ec8\u9a8c\u8bc1\u548c\u6e05\u7406<br>echo \"=== \u6700\u7ec8\u9a8c\u8bc1\u548c\u6e05\u7406 ===\"<br>\u200b<br>echo \"SSH\u5ba2\u6237\u7aef\u5de5\u5177\u6d4b\u8bd5\uff1a\"<br>ssh -V<br>\u200b<br>echo \"\u5907\u4efd\u6587\u4ef6\u4f4d\u7f6e: $BACKUP_DIR2\"<br>echo \"\u539f\u59cb\u5907\u4efd\u4f4d\u7f6e: $BACKUP_DIR\"<br>\u200b<br>echo \"=== OpenSSH\u5347\u7ea7\u5b8c\u6210 ===\"<br>\u200b<br># \u6e05\u7406\u4e34\u65f6\u6587\u4ef6<br>rm -rf \/tmp\/openssh-10.2p1*<br>rm -rf \/usr\/local\/openssh-new<br>rm -f \/tmp\/test_scp.txt \/tmp\/ssh_test.exp \/tmp\/final_ssh_test.exp<br>\u200b<br>systemctl enable sshd<br>\u200b<br>echo \"=== \u51c6\u5907\u56de\u6eda\u65b9\u6848 ===\"<br>cat &gt; \/tmp\/ssh_rollback.sh &lt;&lt; 'EOF'<br>#!\/bin\/bash<br>echo 
\"\u5f00\u59cb\u56de\u6edaSSH...\"<br>\u200b<br>systemctl stop sshd<br>\u200b<br>BACKUP_DIR2=\"\/data\/backup\/ssh_backup_$(ls -t \/data\/backup\/ | grep ssh_backup | head -1 | cut -d'_' -f3-)\"<br>BACKUP_DIR2=\"\/data\/backup\/$(ls -t \/data\/backup\/ | grep ssh_backup | head -1)\"<br>\u200b<br>if [ -d \"$BACKUP_DIR2\" ]; then<br> &nbsp; &nbsp;cp -f $BACKUP_DIR2\/sbin\/sshd \/usr\/sbin\/sshd<br> &nbsp; &nbsp;cp -f $BACKUP_DIR2\/bin\/ssh* \/usr\/bin\/<br> &nbsp; &nbsp;cp -rf $BACKUP_DIR2\/libexec\/openssh \/usr\/libexec\/<br> &nbsp; &nbsp;cp -rf $BACKUP_DIR2\/ssh \/etc\/<br>\u200b<br> &nbsp; &nbsp;# \u6062\u590d\u7cfb\u7edf\u670d\u52a1\u914d\u7f6e<br> &nbsp; &nbsp;if [ -f \/usr\/lib\/systemd\/system\/sshd.service.backup ]; then<br> &nbsp; &nbsp; &nbsp; &nbsp;cp \/usr\/lib\/systemd\/system\/sshd.service.backup \/usr\/lib\/systemd\/system\/sshd.service<br> &nbsp; &nbsp;fi<br>\u200b<br> &nbsp; &nbsp;# \u6062\u590dcrypto-policies\u914d\u7f6e<br> &nbsp; &nbsp;if [ -f \/etc\/crypto-policies\/back-ends\/openssh.config.backup ]; then<br> &nbsp; &nbsp; &nbsp; &nbsp;mv \/etc\/crypto-policies\/back-ends\/openssh.config.backup \/etc\/crypto-policies\/back-ends\/openssh.config<br> &nbsp; &nbsp;fi<br>\u200b<br> &nbsp;  systemctl daemon-reload<br> &nbsp;  systemctl start sshd<br> &nbsp;  systemctl status sshd<br>\u200b<br> &nbsp; &nbsp;echo \"SSH\u56de\u6eda\u5b8c\u6210\"<br>else<br> &nbsp; &nbsp;echo \"\u672a\u627e\u5230\u5907\u4efd\u76ee\u5f55\"<br> &nbsp; &nbsp;exit 1<br>fi<br>EOF<br>\u200b<br>chmod +x \/tmp\/ssh_rollback.sh<br>echo \"\u56de\u6eda\u811a\u672c\u5df2\u51c6\u5907: \/tmp\/ssh_rollback.sh\"<br>\u200b<br>echo \"=== OpenSSH\u5347\u7ea7\u811a\u672c\u6267\u884c\u5b8c\u6210 ===\"<br>echo \"\u5f53\u524dSSH\u7248\u672c: $(ssh -V 2&gt;&amp;1)\"<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>\u597d\u7684\uff0c\u6839\u636e\u4f60\u7684\u7cfb\u7edf\u662f Anolis OS 8.10\uff08\u57fa\u4e8e 
RHEL\/CentOS\uff09\uff0c\u6211\u6765\u63d0\u4f9b\u4e00\u4e2a\u66f4\u9002\u914d\u7684\u5b8c\u5584\u65b9 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"default","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[1],"tags":[20],"class_list":["post-2999","post","type-post","status-publish","format-standard","hentry","category-vxhs888p","tag-create_project"],"_links":{"self":[{"href":"https:\/\/linuxjk.cn\/index.php?rest_route=\/wp\/v2\/posts\/2999","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/linuxjk.cn\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/linuxjk.cn\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/linuxjk.cn\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/linuxjk.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2999"}],"version-history":[{"count":1,"href":"https:\/\/linuxjk.cn\/index.php?rest_route=\/wp\/v2\/posts\/2999\/revisions"}],"predecessor-version":[{"id":3000,"href":"https:\/\/linuxjk.cn\/index.php?rest_route=\/wp\/v2\/posts\/2999\/revisions\/3000"}],"wp:attachment":[{"href":"https:\/\/linuxjk.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2999"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/linuxjk.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2999"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/linuxjk.cn\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2999"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}