龙空技术网

Upgrading CentOS to OpenSSH 8.0 to Fix Vulnerabilities

运维熟练工 354


The security team's vulnerability scan flagged OpenSSH 7.9, so it needs to be upgraded to 8. Use rpmbuild to build the source tarball into an RPM package.

    yum install rpm-build zlib-devel openssl-devel gcc perl-devel pam-devel unzip -y
    mkdir -p /root/rpmbuild/{SOURCES,SPECS}
    cd /root/rpmbuild/SOURCES
    # the download URL is missing from the page; substitute the location of the tarball
    wget <URL of openssh-8.0p1.tar.gz>
    # extract only the spec file from the tarball
    tar zxvf openssh-8.0p1.tar.gz openssh-8.0p1/contrib/redhat/openssh.spec
    mv openssh-8.0p1/contrib/redhat/openssh.spec ../SPECS/
    chown sshd:sshd /root/rpmbuild/SPECS/openssh.spec
    # keep an unmodified copy of the spec file
    cp /root/rpmbuild/SPECS/openssh.spec /root/rpmbuild/SPECS/openssh.spec_def
    # disable the GNOME and X11 askpass subpackages
    sed -i -e "s/%define no_gnome_askpass 0/%define no_gnome_askpass 1/g" /root/rpmbuild/SPECS/openssh.spec
    sed -i -e "s/%define no_x11_askpass 0/%define no_x11_askpass 1/g" /root/rpmbuild/SPECS/openssh.spec
    cd /root/rpmbuild/SPECS/
    rpmbuild -ba openssh.spec

Errors encountered during the build:

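    错误:构建依赖失败: openssl-devel < 1.1 被 openssh-8.0p1-1.el7.x86_64 需要

(In an English locale, rpmbuild reports this as: error: Failed build dependencies: openssl-devel < 1.1 is needed by openssh-8.0p1-1.el7.x86_64)

Fix:

    [root@localhost SPECS]# vim openssh.spec

Comment out the line BuildRequires: openssl-devel < 1.1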

Options to change after installation:

    cd /etc/ssh/
    chmod 400 ssh_host_ecdsa_key ssh_host_ed25519_key ssh_host_rsa_key
    echo "PermitRootLogin no" >> /etc/ssh/sshd_config
    systemctl restart sshd
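sshd uses the first value it reads for each keyword, and a line placed after a Match header applies only inside that block, so the PermitRootLogin line appended above can be silently ignored. The following script is an added example, not part of the original post: the function names and the sample config are constructed for illustration. It reports the value that actually wins and rewrites the file so the global setting is "no".

```shell
#!/bin/sh
# Added example (not from the original page). Assumes keyword and value are
# separated by whitespace, as in the stock sshd_config.

# effective_root_login FILE: print the global PermitRootLogin value sshd would
# use (first uncommented occurrence before any Match block), or "unset".
effective_root_login() {
    awk '
        /^[ \t]*#/ { next }                     # skip comment lines
        tolower($1) == "match" { exit }         # global section ends here
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# set_root_login_no FILE: leave exactly one global "PermitRootLogin no", placed
# where the first global setting was, else before the first Match block, else
# at end of file. Settings inside Match blocks are left untouched.
set_root_login_no() {
    tmp=$(mktemp) || return 1
    awk '
        function emit() { if (!done) { print "PermitRootLogin no"; done = 1 } }
        !in_match && tolower($1) == "match" { emit(); in_match = 1 }
        !in_match && tolower($1) == "permitrootlogin" { emit(); next }
        { print }
        END { emit() }
    ' "$1" > "$tmp" && cat "$tmp" > "$1"   # cat keeps owner, mode, SELinux label
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Constructed sample config: an earlier "yes" plus a trailing Match block.
demo=$(mktemp)
printf '%s\n' 'Port 22' 'PermitRootLogin yes' 'Match User backup' \
    '    X11Forwarding no' > "$demo"
echo "PermitRootLogin no" >> "$demo"                   # the append from the page
echo "after append: $(effective_root_login "$demo")"   # earlier line still wins
set_root_login_no "$demo"
echo "after fix:    $(effective_root_login "$demo")"
rm -f "$demo"
```

On a live host, `sshd -T | grep -i permitrootlogin` prints the value the installed sshd resolves from the real configuration, which is the final check before restarting the service.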

On CentOS 7, remember to modify the /etc/pam.d/sshd file. Otherwise, login will fail even though the password is correct.

    [root@iZ16pk5aqeZ ~]# cat /etc/pam.d/sshd
    #%PAM-1.0
    auth       required     pam_sepermit.so
    auth       include      password-auth
    account    required     pam_nologin.so
    account    include      password-auth
    password   include      password-auth
    ## pam_selinux.so close should be the first session rule
    session    required     pam_selinux.so close
    session    required     pam_loginuid.so
    ## pam_selinux.so open should only be followed by sessions to be executed in the user context
    session    required     pam_selinux.so open env_params
    session    optional     pam_keyinit.so force revoke
    session    include      password-auth
