【openSSH】Linux openEuler-20.03-x86-64服务器升级openSSH至10.2p1版本
OpenSSH 官方网站和源码包格式
OpenSSH 的官方下载地址: https://www.openssh.com/portable.html
OpenBSD 官方镜像:https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/
在官网或镜像站,你可以找到各个版本的 OpenSSH 源码包,命名格式为:
```
openssh-X.XpY.tar.gz
X.X 是主版本号(如 10.0)
Y 是补丁号(如 p1)
```
```
yum -y install gcc make zlib-devel openssl-devel pam-devel krb5-devel
```
```
wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-10.2p1.tar.gz
```
```
tar -zxf openssh-10.2p1.tar.gz
cd openssh-10.2p1
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-zlib --with-ssl-engine --with-kerberos5 --with-gssapi
make clean
make
ll /etc/ssh/ssh_host*
chmod 400 /etc/ssh/ssh_host*
make install
```
```
# make install
Makefile:729: warning: ignoring prerequisites on suffix rule definition
(cd openbsd-compat && make)
make[1]: 进入目录“/tmp/openssh-10.2p1/openbsd-compat”
make[1]: 对“all”无需做任何事。
make[1]: 离开目录“/tmp/openssh-10.2p1/openbsd-compat”
/usr/bin/mkdir -p /usr/bin
/usr/bin/mkdir -p /usr/sbin
/usr/bin/mkdir -p /usr/share/man/man1
/usr/bin/mkdir -p /usr/share/man/man5
/usr/bin/mkdir -p /usr/share/man/man8
/usr/bin/mkdir -p /usr/libexec
/usr/bin/mkdir -p -m 0755 /var/empty
/usr/bin/install -c -m 0755 -s ssh /usr/bin/ssh
/usr/bin/install -c -m 0755 -s scp /usr/bin/scp
/usr/bin/install -c -m 0755 -s ssh-add /usr/bin/ssh-add
/usr/bin/install -c -m 0755 -s ssh-agent /usr/bin/ssh-agent
/usr/bin/install -c -m 0755 -s ssh-keygen /usr/bin/ssh-keygen
/usr/bin/install -c -m 0755 -s ssh-keyscan /usr/bin/ssh-keyscan
/usr/bin/install -c -m 0755 -s sshd /usr/sbin/sshd
/usr/bin/install -c -m 0755 -s sshd-session /usr/libexec/sshd-session
/usr/bin/install -c -m 0755 -s sshd-auth /usr/libexec/sshd-auth
/usr/bin/install -c -m 4711 -s ssh-keysign /usr/libexec/ssh-keysign
/usr/bin/install -c -m 0755 -s ssh-pkcs11-helper /usr/libexec/ssh-pkcs11-helper
/usr/bin/install -c -m 0755 -s ssh-sk-helper /usr/libexec/ssh-sk-helper
/usr/bin/install -c -m 0755 -s sftp /usr/bin/sftp
/usr/bin/install -c -m 0755 -s sftp-server /usr/libexec/sftp-server
/usr/bin/install -c -m 644 ssh.1.out /usr/share/man/man1/ssh.1
/usr/bin/install -c -m 644 scp.1.out /usr/share/man/man1/scp.1
/usr/bin/install -c -m 644 ssh-add.1.out /usr/share/man/man1/ssh-add.1
/usr/bin/install -c -m 644 ssh-agent.1.out /usr/share/man/man1/ssh-agent.1
/usr/bin/install -c -m 644 ssh-keygen.1.out /usr/share/man/man1/ssh-keygen.1
/usr/bin/install -c -m 644 ssh-keyscan.1.out /usr/share/man/man1/ssh-keyscan.1
/usr/bin/install -c -m 644 moduli.5.out /usr/share/man/man5/moduli.5
/usr/bin/install -c -m 644 sshd_config.5.out /usr/share/man/man5/sshd_config.5
/usr/bin/install -c -m 644 ssh_config.5.out /usr/share/man/man5/ssh_config.5
/usr/bin/install -c -m 644 sshd.8.out /usr/share/man/man8/sshd.8
/usr/bin/install -c -m 644 sftp.1.out /usr/share/man/man1/sftp.1
/usr/bin/install -c -m 644 sftp-server.8.out /usr/share/man/man8/sftp-server.8
/usr/bin/install -c -m 644 ssh-keysign.8.out /usr/share/man/man8/ssh-keysign.8
/usr/bin/install -c -m 644 ssh-pkcs11-helper.8.out /usr/share/man/man8/ssh-pkcs11-helper.8
/usr/bin/install -c -m 644 ssh-sk-helper.8.out /usr/share/man/man8/ssh-sk-helper.8
/usr/bin/mkdir -p /etc/ssh
/etc/ssh/ssh_config already exists, install will not overwrite
/etc/ssh/sshd_config already exists, install will not overwrite
/etc/ssh/moduli already exists, install will not overwrite
/usr/sbin/sshd -t -f /etc/ssh/sshd_config
/etc/ssh/sshd_config line 155: Deprecated option RSAAuthentication
/etc/ssh/sshd_config line 157: Deprecated option RhostsRSAAuthentication
```
```
sed -i '/RSAAuthentication/s/^/#/' /etc/ssh/sshd_config
sed -i '/GSSAPIKexAlgorithms/s/^/#/' /etc/ssh/sshd_config
systemctl restart sshd
systemctl status sshd
systemctl enable sshd
```
从客户端发起对 目标机器的SSH连接失败,从目标机器上看日志:
```
# tail -f /var/log/messages
Dec 4 17:31:29 localhost [/bin/bash]: [> /var/log/messages] return code=[0], execute success by [root(uid=0)] from [pts/2 (192.168.2.200)]
Dec 4 17:31:37 localhost sshd-session[28254]: Connection from 192.168.2.200 port 20380 on 192.168.2.167 port 22 rdomain ""
Dec 4 17:31:37 localhost audit[28254]: USER_AUTH pid=28254 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_faillock,pam_unix acct="root" exe="/usr/libexec/sshd-session" hostname=192.168.2.200 addr=192.168.2.200 terminal=ssh res=success'
Dec 4 17:31:37 localhost audit[28254]: USER_ACCT pid=28254 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="root" exe="/usr/libexec/sshd-session" hostname=192.168.2.200 addr=192.168.2.200 terminal=ssh res=success'
Dec 4 17:31:37 localhost sshd-session[28254]: Accepted password for root from 192.168.2.200 port 20380 ssh2
Dec 4 17:31:37 localhost audit[28254]: CRED_ACQ pid=28254 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_faillock,pam_unix acct="root" exe="/usr/libexec/sshd-session" hostname=192.168.2.200 addr=192.168.2.200 terminal=ssh res=success'
Dec 4 17:31:37 localhost audit[28254]: AVC avc: denied { create } for pid=28254 comm="sshd-session" scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tclass=netlink_selinux_socket permissive=0
Dec 4 17:31:37 localhost audit[28254]: SYSCALL arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=80003 a2=7 a3=7f3e17af9aa0 items=0 ppid=27954 pid=28254 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=11 comm="sshd-session" exe="/usr/libexec/sshd-session" subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 key=(null)
Dec 4 17:31:37 localhost audit: PROCTITLE proctitle=737368642D73657373696F6E3A20726F6F74205B707269765D
Dec 4 17:31:37 localhost audit[28254]: ANOM_ABEND auid=0 uid=0 gid=0 ses=11 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 pid=28254 comm="sshd-session" exe="/usr/libexec/sshd-session" sig=6 res=1
Dec 4 17:31:37 localhost dbus-daemon[1789]: [system] Activating service name='org.fedoraproject.Setroubleshootd' requested by ':1.17' (uid=0 pid=1713 comm="/usr/sbin/sedispatch " label="system_u:system_r:auditd_t:s0") (using servicehelper)
Dec 4 17:31:37 localhost sshd-session[28258]: Connection from 192.168.2.200 port 20381 on 192.168.2.167 port 22 rdomain ""
Dec 4 17:31:37 localhost systemd[1]: Started Process Core Dump (PID 28259/UID 0).
Dec 4 17:31:37 localhost audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-coredump@1-28259-0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Dec 4 17:31:37 localhost systemd-coredump[28263]: Process 28254 (sshd-session) of user 0 dumped core.#012#012Stack trace of thread 28254:#012#0 0x00007f3e179c842b raise (libc.so.6)#012#1 0x00007f3e179c9751 abort (libc.so.6)#012#2 0x00007f3e179c0e2a n/a (libc.so.6)#012#3 0x00007f3e179c0ea2 __assert_fail (libc.so.6)#012#4 0x00007f3e178f9e15 avc_context_to_sid_raw (libselinux.so.1)#012#5 0x00007f3e178f9e50 avc_context_to_sid (libselinux.so.1)#012#6 0x00007f3e178fd05d selinux_check_access (libselinux.so.1)#012#7 0x00007f3e17793b77 pam_sm_open_session (pam_selinux.so)#012#8 0x00007f3e17fc7e04 n/a (libpam.so.0)#012#9 0x000055b46ef6f077 n/a (sshd-session)#012#10 0x000055b46ef3eca8 n/a (sshd-session)#012#11 0x00007f3e179b4ae7 __libc_start_main (libc.so.6)#012#12 0x000055b46ef3f6ba n/a (sshd-session)
Dec 4 17:31:37 localhost systemd[1]: systemd-coredump@1-28259-0.service: Succeeded.
Dec 4 17:31:37 localhost audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-coredump@1-28259-0 comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Dec 4 17:31:37 localhost sshd-session[28258]: Connection closed by authenticating user root 192.168.2.200 port 20381 [preauth]
Dec 4 17:31:37 localhost audit[28258]: USER_ERR pid=28258 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:bad_ident grantors=? acct="?" exe="/usr/libexec/sshd-session" hostname=192.168.2.200 addr=192.168.2.200 terminal=ssh res=failed'
Dec 4 17:31:37 localhost sshd[27954]: srclimit_penalise: ipv4: new 192.168.2.200/32 deferred penalty of 1 seconds for penalty: connections without attempting authentication
Dec 4 17:31:37 localhost dbus-daemon[1789]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Dec 4 17:31:37 localhost setroubleshoot[28261]: failed to retrieve rpm info for /usr/libexec/sshd-session
Dec 4 17:31:37 localhost setroubleshoot[28261]: SELinux is preventing /usr/libexec/sshd-session from create access on the netlink_selinux_socket labeled sshd_t. For complete SELinux messages run: sealert -l dfa653d6-4819-43d1-9a8a-366489f8cfe8
Dec 4 17:31:37 localhost python3[28261]: SELinux is preventing /usr/libexec/sshd-session from create access on the netlink_selinux_socket labeled sshd_t.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that sshd-session should be allowed create access on the Unknown netlink_selinux_socket by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'sshd-session' --raw | audit2allow -M my-sshdsession#012# semodule -X 300 -i my-sshdsession.pp#012
```
```
# journalctl -xe
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- systemd-coredump@1-28259-0.service 单元已结束启动。
--
-- 启动结果为“done”。
12月 04 17:31:37 localhost.localdomain audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-coredump@1-28259-0 comm="systemd" exe="/usr/lib>
12月 04 17:31:37 localhost.localdomain systemd-coredump[28263]: Process 28254 (sshd-session) of user 0 dumped core.
Stack trace of thread 28254:
#0 0x00007f3e179c842b raise (libc.so.6)
#1 0x00007f3e179c9751 abort (libc.so.6)
#2 0x00007f3e179c0e2a n/a (libc.so.6)
#3 0x00007f3e179c0ea2 __assert_fail (libc.so.6)
#4 0x00007f3e178f9e15 avc_context_to_sid_raw (libselinux.so.1)
#5 0x00007f3e178f9e50 avc_context_to_sid (libselinux.so.1)
#6 0x00007f3e178fd05d selinux_check_access (libselinux.so.1)
#7 0x00007f3e17793b77 pam_sm_open_session (pam_selinux.so)
#8 0x00007f3e17fc7e04 n/a (libpam.so.0)
#9 0x000055b46ef6f077 n/a (sshd-session)
#10 0x000055b46ef3eca8 n/a (sshd-session)
#11 0x00007f3e179b4ae7 __libc_start_main (libc.so.6)
#12 0x000055b46ef3f6ba n/a (sshd-session)
-- Subject: 进程 28254 (sshd-session) 核心已转储
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
-- Documentation: man:core(5)
--
-- 进程 28254 (sshd-session) 已崩溃并进行核心转储。
--
-- 这通常意味着崩溃程序中存在编程错误,并应当将此错误向其开发者报告。
12月 04 17:31:37 localhost.localdomain systemd[1]: systemd-coredump@1-28259-0.service: Succeeded.
-- Subject: Unit succeeded
-- Defined-By: systemd
-- Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- The unit systemd-coredump@1-28259-0.service has successfully entered the 'dead' state.
12月 04 17:31:37 localhost.localdomain audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-coredump@1-28259-0 comm="systemd" exe="/usr/lib/>
12月 04 17:31:37 localhost.localdomain sshd-session[28258]: Connection closed by authenticating user root 192.168.2.200 port 20381 [preauth]
12月 04 17:31:37 localhost.localdomain audit[28258]: USER_ERR pid=28258 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:bad_ident grantors=? acct="?" exe="/us>
12月 04 17:31:37 localhost.localdomain sshd[27954]: srclimit_penalise: ipv4: new 192.168.2.200/32 deferred penalty of 1 seconds for penalty: connections without attempting authentication
12月 04 17:31:37 localhost.localdomain dbus-daemon[1789]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
12月 04 17:31:37 localhost.localdomain setroubleshoot[28261]: failed to retrieve rpm info for /usr/libexec/sshd-session
12月 04 17:31:37 localhost.localdomain setroubleshoot[28261]: SELinux is preventing /usr/libexec/sshd-session from create access on the netlink_selinux_socket labeled sshd_t. For complete SELinux messages>
12月 04 17:31:37 localhost.localdomain python3[28261]: SELinux is preventing /usr/libexec/sshd-session from create access on the netlink_selinux_socket labeled sshd_t.
***** Plugin catchall (100. confidence) suggests **************************
If you believe that sshd-session should be allowed create access on the Unknown netlink_selinux_socket by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c 'sshd-session' --raw | audit2allow -M my-sshdsession
# semodule -X 300 -i my-sshdsession.pp
12月 04 17:31:54 localhost.localdomain [28291]: [tail -f /var/log/messages] return code=[130], execute failed by [root(uid=0)] from [pts/2 (192.168.2.200)]
12月 04 17:33:27 localhost.localdomain [28337]: [getenforce] return code=[0], execute success by [root(uid=0)] from [pts/2 (192.168.2.200)]
```
```
yum -y install audit policycoreutils-python-utils
```
```
# ausearch -m avc -c sshd --raw | audit2allow
#============= sshd_t ==============
allow sshd_t self:netlink_selinux_socket create;
```
```
// 一定要来两遍
ausearch -c 'sshd-session' --raw | audit2allow -M my-sshdsession
semodule -X 300 -i my-sshdsession.pp
ausearch -c 'sshd-session' --raw | audit2allow -M my-sshdsession
semodule -X 300 -i my-sshdsession.pp
```
```
ausearch -c 'sshd-session' --raw | audit2allow
#============= sshd_t ==============
#!!!! This avc is allowed in the current policy
allow sshd_t self:netlink_selinux_socket { bind create };
```
保险起见,你最好关闭selinux:
```
setenforce 0
sed -i s/SELINUX=enforcing/SELINUX=disabled/g /etc/sysconfig/selinux
```
```
# ssh -V
OpenSSH_10.2p1, OpenSSL 1.1.1f 31 Mar 2020
```
```
# ssh root@192.168.2.167
/etc/crypto-policies/back-ends/openssh.config: line 3: Bad configuration option: gssapikexalgorithms
/etc/crypto-policies/back-ends/openssh.config: terminating, 1 bad configuration options
```
```
//禁用 GSSAPI 认证
sed -i '3s/^/# /' /etc/crypto-policies/back-ends/openssh.config
sed -i 's/^GSSAPIAuthentication yes/GSSAPIAuthentication no/' /etc/ssh/sshd_config
systemctl restart sshd
```
```
# tail -f /var/log/messages
Dec 4 17:40:21 localhost [/bin/bash]: [> /var/log/messages] return code=[0], execute success by [root(uid=0)] from [pts/2 (192.168.2.200)]
Dec 4 17:40:30 localhost sshd-session[29168]: Connection from 192.168.2.200 port 22819 on 192.168.2.167 port 22 rdomain ""
Dec 4 17:40:30 localhost audit[29168]: USER_AUTH pid=29168 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_faillock,pam_unix acct="root" exe="/usr/libexec/sshd-session" hostname=192.168.2.200 addr=192.168.2.200 terminal=ssh res=success'
Dec 4 17:40:30 localhost audit[29168]: USER_ACCT pid=29168 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="root" exe="/usr/libexec/sshd-session" hostname=192.168.2.200 addr=192.168.2.200 terminal=ssh res=success'
Dec 4 17:40:30 localhost sshd-session[29168]: Accepted password for root from 192.168.2.200 port 22819 ssh2
Dec 4 17:40:30 localhost audit[29168]: CRED_ACQ pid=29168 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_faillock,pam_unix acct="root" exe="/usr/libexec/sshd-session" hostname=192.168.2.200 addr=192.168.2.200 terminal=ssh res=success'
Dec 4 17:40:30 localhost audit[29168]: USER_ROLE_CHANGE pid=29168 uid=0 auid=0 ses=18 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 selected-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 exe="/usr/libexec/sshd-session" hostname=192.168.2.200 addr=192.168.2.200 terminal=ssh res=success'
Dec 4 17:40:30 localhost sshd-session[29172]: Connection from 192.168.2.200 port 22820 on 192.168.2.167 port 22 rdomain ""
Dec 4 17:40:30 localhost systemd-logind[1883]: New session 18 of user root.
Dec 4 17:40:30 localhost systemd[1]: Started Session 18 of user root.
Dec 4 17:40:30 localhost audit[29168]: USER_START pid=29168 uid=0 auid=0 ses=18 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog acct="root" exe="/usr/libexec/sshd-session" hostname=192.168.2.200 addr=192.168.2.200 terminal=ssh res=success'
Dec 4 17:40:30 localhost sshd-session[29168]: User child is on pid 29174
Dec 4 17:40:30 localhost audit[29174]: CRED_ACQ pid=29174 uid=0 auid=0 ses=18 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_faillock,pam_unix acct="root" exe="/usr/libexec/sshd-session" hostname=192.168.2.200 addr=192.168.2.200 terminal=ssh res=success'
Dec 4 17:40:30 localhost sshd-session[29174]: Starting session: shell on pts/6 for root from 192.168.2.200 port 22819 id 0
Dec 4 17:40:30 localhost audit[29175]: CRED_ACQ pid=29175 uid=0 auid=0 ses=18 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_faillock,pam_unix acct="root" exe="/usr/libexec/sshd-session" hostname=192.168.2.200 addr=192.168.2.200 terminal=ssh res=success'
Dec 4 17:40:30 localhost audit[29172]: USER_AUTH pid=29172 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=pam_faillock,pam_unix acct="root" exe="/usr/libexec/sshd-session" hostname=192.168.2.200 addr=192.168.2.200 terminal=ssh res=success'
Dec 4 17:40:30 localhost audit[29172]: USER_ACCT pid=29172 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="root" exe="/usr/libexec/sshd-session" hostname=192.168.2.200 addr=192.168.2.200 terminal=ssh res=success'
Dec 4 17:40:30 localhost sshd-session[29172]: Accepted password for root from 192.168.2.200 port 22820 ssh2
Dec 4 17:40:30 localhost audit[29172]: CRED_ACQ pid=29172 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_faillock,pam_unix acct="root" exe="/usr/libexec/sshd-session" hostname=192.168.2.200 addr=192.168.2.200 terminal=ssh res=success'
Dec 4 17:40:30 localhost audit[29172]: USER_ROLE_CHANGE pid=29172 uid=0 auid=0 ses=19 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='pam: default-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 selected-context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 exe="/usr/libexec/sshd-session" hostname=192.168.2.200 addr=192.168.2.200 terminal=ssh res=success'
Dec 4 17:40:30 localhost systemd-logind[1883]: New session 19 of user root.
Dec 4 17:40:30 localhost systemd[1]: Started Session 19 of user root.
Dec 4 17:40:30 localhost audit[29172]: USER_START pid=29172 uid=0 auid=0 ses=19 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog acct="root" exe="/usr/libexec/sshd-session" hostname=192.168.2.200 addr=192.168.2.200 terminal=ssh res=success'
Dec 4 17:40:30 localhost sshd-session[29172]: User child is on pid 29243
Dec 4 17:40:30 localhost audit[29243]: CRED_ACQ pid=29243 uid=0 auid=0 ses=19 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_faillock,pam_unix acct="root" exe="/usr/libexec/sshd-session" hostname=192.168.2.200 addr=192.168.2.200 terminal=ssh res=success'
Dec 4 17:40:30 localhost sshd-session[29243]: Starting session: subsystem 'sftp' for root from 192.168.2.200 port 22820 id 0
Dec 4 17:40:30 localhost audit[29244]: CRED_ACQ pid=29244 uid=0 auid=0 ses=19 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_faillock,pam_unix acct="root" exe="/usr/libexec/sshd-session" hostname=192.168.2.200 addr=192.168.2.200 terminal=ssh res=success'
Dec 4 17:40:31 localhost sftp-server[29244]: session opened for local user root from [192.168.2.200]
Dec 4 17:40:31 localhost sftp-server[29244]: opendir "/root"
Dec 4 17:40:31 localhost sftp-server[29244]: closedir "/root"
Dec 4 17:40:45 localhost systemd[1]: lvm2-lvmetad.service: Succeeded.
Dec 4 17:40:45 localhost audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=lvm2-lvmetad comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
```
```
# ssh -vvv root@192.168.2.167
debug1: OpenSSH_10.2p1, OpenSSL 1.1.1f 31 Mar 2020
debug3: Running on Linux 4.19.90-2003.4.0.0036.oe1.x86_64 #1 SMP Mon Mar 23 19:10:41 UTC 2020 x86_64
debug3: Started with: ssh -vvv root@192.168.2.167
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: /etc/ssh/ssh_config line 52: Including file /etc/ssh/ssh_config.d/05-redhat.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/05-redhat.conf
debug3: /etc/ssh/ssh_config.d/05-redhat.conf line 2: Including file /etc/crypto-policies/back-ends/openssh.config depth 1
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug3: kex names ok: [curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1]
debug1: /etc/ssh/ssh_config.d/05-redhat.conf line 8: Applying options for *
debug2: resolve_canonicalize: hostname 192.168.2.167 is address
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/root/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/root/.ssh/known_hosts2'
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug3: channel_clear_timeouts: clearing
debug3: ssh_connect_direct: entering
debug1: Connecting to 192.168.2.167 [192.168.2.167] port 22.
debug3: set_sock_tos: set socket 3 IP_TOS 0xb8
debug1: Connection established.
```
参考
openEuler
https://www.openeuler.openatom.cn/zh/
openEuler Repo
https://repo.openeuler.org
OpenEuler-20.03-LTS 配置
https://blog.csdn.net/qq_28652401/article/details/123396589
openEuler20.03-LTS-SP2配置阿里yum源
https://www.cnblogs.com/lightice/p/16931558.html
