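Installez temporairement les services Telnet comme accès de secours pendant la mise à jour (Telnet transmet les identifiants en clair : limitez-le au réseau d'administration et à la durée de l'intervention) :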
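# Temporary fallback path for the duration of the SSH upgrade only.
yum -y install xinetd telnet-server telnet
# Keep one pristine copy of securetty so the change below can be rolled back;
# the copy is taken only once so a re-run does not overwrite it.
[ -e /etc/securetty.pre-telnet ] || cp -p /etc/securetty /etc/securetty.pre-telnet
# Allow root logins on the first four pseudo-terminals. Entries already present
# are skipped so running this step twice does not duplicate lines.
for tty in pts/0 pts/1 pts/2 pts/3; do
  grep -qxF -- "$tty" /etc/securetty || echo "$tty" >> /etc/securetty
done
systemctl enable telnet.socket --now
systemctl enable xinetd --now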
Vérifiez la version du système :
# Print the distribution release string; the yum and systemctl steps on this
# page assume a systemd-based Red Hat family host.
cat /etc/redhat-release
Installez les dépendances requises :
# Compiler toolchain first, then the development headers the zlib, OpenSSL and
# OpenSSH builds link against.
yum -y install \
  gcc gcc-c++ glibc make autoconf \
  openssl openssl-devel \
  pcre-devel pam-devel zlib-devel tcp_wrappers-devel
Procédez à la compilation des composants :
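# The three source tarballs are expected in /tmp. /tmp is world-writable, so on
# a multi-user host a root-owned build directory is the safer place to unpack
# and compile as root.
# NOTE(review): the release numbers below are the ones this page was written
# for; check each upstream project for its currently supported release.
cd /tmp
# Print the digests so they can be compared with the values published by each
# upstream project before anything is unpacked and built.
sha256sum openssh-8.2p1.tar.gz openssl-1.1.1g.tar.gz zlib-1.2.11.tar.gz
tar -xf openssh-8.2p1.tar.gz
tar -xf openssl-1.1.1g.tar.gz
tar -xf zlib-1.2.11.tar.gz
# Install zlib
cd zlib-1.2.11
./configure && make && make install
# Install OpenSSL under /usr/local/ssl
cd ../openssl-1.1.1g
./config --prefix=/usr/local/ssl shared zlib
# Swap the system openssl binary only after the new build has installed cleanly;
# otherwise /usr/bin/openssl would be left as a dangling symlink.
if make -j 4 && make install; then
  mv /usr/bin/openssl /usr/bin/openssl.old
  # Register the new library directory once, even if this step is re-run.
  grep -qxF /usr/local/ssl/lib /etc/ld.so.conf || echo "/usr/local/ssl/lib" >> /etc/ld.so.conf
  ldconfig
  ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
  ln -s /usr/local/ssl/lib/libssl.so.1.1 /usr/lib64/
  ln -s /usr/local/ssl/lib/libcrypto.so.1.1 /usr/lib64/
else
  echo "OpenSSL build or install failed; system openssl left in place" >&2
fi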
Compilation et configuration d'OpenSSH :
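cd ../openssh-8.2p1
# --without-hardening is intentionally not passed: it turns off the toolchain
# hardening flags for a network-facing daemon, and configure already probes
# which of those flags the local compiler supports.
# NOTE(review): upstream OpenSSH dropped tcp_wrappers support several releases
# before 8.2p1, so --with-tcp-wrappers is probably ignored with a warning; do
# not count on hosts.allow/hosts.deny to filter sshd after this upgrade.
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords \
  --with-pam --with-tcp-wrappers --with-ssl-dir=/usr/local/ssl
# Touch the live configuration only once the build has succeeded, so a failed
# compile leaves the running sshd and /etc/ssh exactly as they were.
if make -j 4; then
  # A fresh /etc/ssh means a default sshd_config and new host keys: clients
  # will see a changed fingerprint unless the old keys are restored from
  # /etc/ssh_backup (with permissions the new sshd accepts).
  mv /etc/ssh /etc/ssh_backup
  make install
  install -m755 contrib/ssh-copy-id /usr/bin
  install -m644 contrib/ssh-copy-id.1 /usr/share/man/man1
  cp contrib/redhat/sshd.init /etc/init.d/sshd
  chmod +x /etc/init.d/sshd
  systemctl daemon-reload
  # NOTE(review): this permits root to log in with a password. Keep it only as
  # long as the migration requires, then switch to key-based access
  # (PermitRootLogin prohibit-password) or a non-root account with sudo.
  # sshd uses the first value it reads for a keyword, so this appended line
  # only takes effect when no earlier uncommented PermitRootLogin exists.
  echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
  # Validate the configuration and host keys before restarting, so a bad file
  # does not take the daemon down.
  /usr/sbin/sshd -t && systemctl restart sshd
else
  echo "OpenSSH build failed; /etc/ssh and the running sshd were not modified" >&2
fi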
Vérification finale, puis désactivation de Telnet une fois qu'une nouvelle connexion SSH a été validée :
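systemctl status sshd
# Open a fresh SSH login from a second terminal before running the rest: the
# Telnet fallback is the only other way in if the new sshd rejects logins.
# The fallback is closed only when sshd is reported active.
if systemctl is-active --quiet sshd; then
  systemctl disable telnet.socket --now
  systemctl disable xinetd --now
  # Drop the root-on-pts entries that were appended to /etc/securetty when the
  # Telnet fallback was set up; leaving them behind keeps root allowed on those
  # terminals for any service that consults securetty.
  sed -i '/^pts\/[0-3]$/d' /etc/securetty
else
  echo "sshd is not active; Telnet fallback left enabled" >&2
fi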
Scénarios spécifiques
Installation hors-ligne des dépendances :
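# Create the staging directory private to root, and download only if it was
# freshly created: /tmp is world-writable, so a directory that already exists
# under this name may belong to someone else.
# Keep gpgcheck enabled when these RPMs are later installed on the offline
# host, so their package signatures are still verified.
mkdir -m 700 /tmp/offline_pkgs &&
  yum install --downloadonly --downloaddir=/tmp/offline_pkgs \
    gcc gcc-c++ glibc make autoconf openssl openssl-devel \
    pcre-devel pam-devel zlib-devel tcp_wrappers-devel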
Résolution du problème des limites de fichiers (application de pam_limits aux sessions SSH) :
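# Hand authentication, account and session handling to PAM.
# sshd uses the first value it reads for a keyword, so this appended line only
# takes effect when no earlier uncommented UsePAM exists in the file.
echo "UsePAM yes" >> /etc/ssh/sshd_config
# Keep the current PAM stack for rollback before it is overwritten.
[ -f /etc/pam.d/sshd ] && cp -p /etc/pam.d/sshd /etc/pam.d/sshd.bak
# Quoted delimiter: the stack is written literally, with no shell expansion.
# pam_limits.so in the session phase is the module that applies the limits.
# NOTE(review): this replaces the distribution's sshd stack wholesale; compare
# it with the backup for modules the original had and this one omits.
cat > /etc/pam.d/sshd << 'EOF'
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.so
session required pam_limits.so
EOF
# Validate sshd_config before restarting so a bad edit does not stop the daemon.
# This checks sshd's own configuration only, not the PAM stack, so keep an
# existing session open until a fresh login has been confirmed.
/usr/sbin/sshd -t && systemctl restart sshd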