前言

由于现网要做安全整改，升级旧版本的引异常OpenSSH和OpenSSL存在安全风险，为提升服务器的程序安全性和稳定性，需要对其进行升级。连接

本文将详细讲述升级后，及解决全记录程序连接出现异常的升级情况，以及排查和解决问题的引异常全过程

安装说明

安装环境

虚拟机环境

OpenSSH版本

OpenSSL版本

升级前

linux CentOS

OpenSSH_7.4p1

OpenSSL 1.0.2k

升级后

linux CentOS

OpenSSH_9.7p1

OpenSSL 3.0.14

下载地址openssl：https://openssl-library.org/source/old/3.0/index.htmlopenssh：https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/

注意事项

升级前务必保证虚拟机已经打快照或备份。注意：升级过程全程不要关闭xshell窗口！程序！连接！及解决全记录关闭后将无法ssh登录。升级注意：提前将openssh和openssl安装包上传到虚拟机！引异常！程序！连接卸载ssh后将无法上传。及解决全记录注意：升级openssh后检查服务器ulimit值！！！

安装OpenSSL

查看当前版本，并上传OpenSSH和OpenSSL

图片

安装编译环境：

复制yum -y install perl-IPC-Cmd perl-Data-Dumper gcc gcc-c++ perl perl-devel zlib zlib-devel pam pam-devel1.

备份原openssl：

复制whereis openssl openssl: /usr/bin/openssl /usr/lib64/openssl /usr/share/man/man1/openssl.1ssl.gz # 备份/usr/bin/openssl目录 cp /usr/bin/openssl /usr/bin/openssl.bak # 备份/usr/lib64/openssl目录 cp /usr/lib64/openssl /usr/lib64/openssl.bak1.2.3.4.5.6.7.8.

解压安装openssl：

复制tar -zxvf openssl-3.0.14.tar.gz # 解压安装包 mkdir -p /usr/local/openssl # 创建安装目录1.2.

编译：

复制cd /opt/ssh/openssl-3.0.14 ./config --prefix=/usr/local/openssl --shared make && make install1.2.3.

图片

更新openssl：

复制# 建立软连接, 替换原有的openssl ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl # 检查软连接建立情况 ls -al /usr/bin/openssl lrwxrwxrwx. 1 root root 30 4月 10 13:31 /usr/bin/openssl -> /usr/local/openssl/bin/openssl # 添加动态链接库 echo "/usr/local/openssl/lib64" >> /etc/ld.so.conf # 刷新库 ldconfig1.2.3.4.5.6.7.8.9.10.11.

查看版本：

复制[root@localhost openssl]# openssl version -a OpenSSL 3.0.14 4 Jun 2024 (Library: OpenSSL 3.0.14 4 Jun 2024) built on: Thu Apr 10 05:23:47 2025 UTC platform: linux-x86_64 options: bn(64,64) compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_BUILDING_OPENSSL -DNDEBUG OPENSSLDIR: "/usr/local/openssl/ssl" ENGINESDIR: "/usr/local/openssl/lib64/engines-3" MODULESDIR: "/usr/local/openssl/lib64/ossl-modules" Seeding source: os-specific CPUINFO: OPENSSL_ia32cap=0xfffa3203478bffff:0xd11e4fb91.2.3.4.5.6.7.8.9.10.11.

安装OpenSSH

备份原有的亿华云ssh

复制# 查看ssh服务所在的目录 whereis ssh ssh: /usr/bin/ssh /etc/ssh /usr/share/man/man1/ssh.1.gz # 备份/etc/ssh/目录 cp /etc/ssh/ /etc/ssh.bak # 备份/usr/bin/ssh目录 cp /usr/bin/ssh /usr/bin/ssh.bak whereis sshd sshd: /usr/sbin/sshd /usr/share/man/man8/sshd.8.gz # 备份/usr/sbin/shhd文件 cp /usr/sbin/sshd /usr/sbin/sshd.bak # 备份/etc/init.d/shhd文件 cp /etc/init.d/sshd /etc/init.d/sshd.bak # 注意/etc/init.d/sshd不存在，则无需备份 # /etc/pam.d/sshd文件 cp /etc/pam.d/sshd /etc/pam.d/sshd.bak # 注意sshd不存在，则无需备份 卸载原有 rpm -e --nodeps `rpm -qa | grep openssh`1.2.3.4.5.6.7.8.9.10.11.12.13.14.15.16.17.18.19.20.21.22.23.24.25.26.

解压安装openssh：

复制tar -zxvf openssh-9.7p1.tar.gz cd openssh-9.7p1 # 使用默认安装目录的openssl ./configure --prefix=/usr --syscnotallow=/etc/ssh --with-md5-passwords --with-pam --with-privsep-path=/var/lib/sshd --without-hardening # 使用指定安装目录的openssl(使用这个) ./configure --prefix=/usr --syscnotallow=/etc/ssh --with-md5-passwords --with-pam --with-tcp-wrappers --with-ssl-dir=/usr/local/openssl --with-privsep-path=/var/lib/sshd --without-hardening # 使用指定安装目录的openssl和zlib ./configure --prefix=/usr --syscnotallow=/etc/ssh --with-md5-passwords --with-pam --with-tcp-wrappers --with-ssl-dir=/usr/local/openssl --with-zlib=/usr/local/zlib --with-privsep-path=/var/lib/sshd --without-hardening # 编译安装 make && make install1.2.3.4.5.6.7.8.9.10.11.12.13.14.

图片

图片

配置：

复制mv /etc/pam.d/sshd.bak /etc/pam.d/sshd # 修改ssh的相关秘钥文件的权限 chmod 600 /etc/ssh/ssh_host_rsa_key chmod 600 /etc/ssh/ssh_host_ecdsa_key chmod 600 /etc/ssh/ssh_host_ed25519_key #修改允许远程登录 # 修改配置文件，允许root直接登录 echo"PasswordAuthentication yes" >> /etc/ssh/sshd_config echo"PermitRootLogin yes" >> /etc/ssh/sshd_config echo"UsePAM yes" >> /etc/ssh/sshd_config #开机自启 cp -p /opt/ssh/openssh-9.7p1/contrib/redhat/sshd.init /etc/init.d/sshd chmod +x /etc/init.d/sshd chkconfig --add sshd chkconfig sshd on systemctl restart sshd systemctl status sshd1.2.3.4.5.6.7.8.9.10.11.12.13.14.15.16.17.18.19.20.

验证OpenSSH服务：

复制ssh -V OpenSSH_9.7p1, OpenSSL 3.0.14 4 Jun 20241.2.

程序连接异常问题出现

升级完成后，发现ch.ethz.ssh2报错：

复制java.io.IOException: There was a problem while connecting to 172.18.2.76:22 at ch.ethz.ssh2.Connection.connect(Connection.java:699) at ch.ethz.ssh2.Connection.connect(Connection.java:490) at org.example.ssh.SSH2Util.openConnection(SSH2Util.java:30) at org.example.ssh.SSH2Util.main(SSH2Util.java:221) Caused by: java.io.IOException: Key exchange was not finished, connection is closed. at ch.ethz.ssh2.transport.KexManager.getOrWaitForConnectionInfo(KexManager.java:91) at ch.ethz.ssh2.transport.TransportManager.getConnectionInfo(TransportManager.java:229) at ch.ethz.ssh2.Connection.connect(Connection.java:655) ... 3 more Caused by: java.io.IOException: Cannot negotiate, proposals do not match. at ch.ethz.ssh2.transport.KexManager.handleMessage(KexManager.java:412) at ch.ethz.ssh2.transport.TransportManager.receiveLoop(TransportManager.java:753) at ch.ethz.ssh2.transport.TransportManager$1.run(TransportManager.java:468) at java.lang.Thread.run(Thread.java:748)1.2.3.4.5.6.7.8.9.10.11.12.13.14.15.

通过报错信息可知，问题出在密钥交换阶段，客户端和服务端的提议不匹配。找到ch.ethz.ssh2.transport.KexManager类，其中有个方法mergeKexParameters，这个就是匹配服务端客户端两边相关参数通用的算法，底层调用getFirstMatch去比较二者相同的算法。

图片

kex_algo比较的是KexAlgorithms参数的高防服务器值server_host_key_algorithms比较的是HostKeyAlgorithms参数的值mac_algorithms_client_to_server比较的是MACs参数的值

在ch.ethz.ssh2.crypto.CryptoWishlist类中查看默认支持的算法，如KexAlgorithms、HostKeyAlgorithms、MACs等参数的值。发现默认算法列表可能与升级后的OpenSSH和OpenSSL不兼容。

查看支持算法:

图片

复制public static final String[] getDefaultKexAlgorithmList() { return new String[]{"diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"}; } public static final String[] getDefaultServerHostkeyAlgorithmList() { return new String[]{"ssh-rsa", "ssh-dss"}; } public static final String[] getMacList() { return new String[]{"hmac-sha1-96", "hmac-sha1", "hmac-md5-96", "hmac-md5"}; }1.2.3.4.5.6.7.8.9.10.11.

补充一个较完整的算法配置，在相关配置文件（/etc/ssh/sshd_config）中添加以下内容：：

复制KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1,curve25519-sha256@libssh.org HostbasedAcceptedKeytypes ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512 CASignatureAlgorithms ssh-ed25519,sk-ssh-ed25519@openssh.com,rsa-sha2-512,rsa-sha2-256 HostKeyAlgorithms ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512,ssh-rsa,ssh-dss PubkeyAcceptedKeyTypes ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,rsa-sha2-256,rsa-sha2-512,ssh-rsa MACs hmac-sha2-512,hmac-sha2-512-etm@openssh.com,hmac-sha2-256,hmac-sha2-256-etm@openssh.com,hmac-sha1-961.2.3.4.5.6.

添加完成后，重启SSH服务，程序连接异常问题得到解决

最后附上ssh工具类： 复制public class SSH2Util { private static String DEFAULT_CHARSET = "UTF-8"; private Connection connection; private String hostname; private int port; private String username; private String password; public SSH2Util(String hostname, int port, String username, String password) { this.hostname = hostname; this.port = port; this.username = username; this.password = password; } /** * 连接到 SSH 服务器 * @return 是否连接成功 * @throws IOException 连接过程中发生的 I/O 异常 */ public boolean connect() throws IOException { connection = new Connection(hostname, port); connection.connect(); return connection.authenticateWithPassword(username, password); } /** * 执行 SSH 命令 * @param command 要执行的命令 * @return 命令执行结果 * @throws IOException 执行命令过程中发生的 I/O 异常 */ public String executeCommand(String command) throws IOException { if (connection == null ||!connection.isAuthenticationComplete()) { throw new IllegalStateException("未连接到 SSH 服务器"); } Session session = connection.openSession(); session.execCommand(command); InputStream stdout = new StreamGobbler(session.getStdout()); BufferedReader reader = new BufferedReader(new InputStreamReader(stdout,DEFAULT_CHARSET)); StringBuilder result = new StringBuilder(); String line; while ((line = reader.readLine()) != null) { result.append(line).append("\n"); } session.close(); return result.toString(); } /** * 上传文件到 SSH 服务器 * @param localFilePath 本地文件路径 * @param remoteFilePath 远程文件路径 * @throws IOException 上传过程中发生的 I/O 异常 */ public void uploadFile(String localFilePath, String remoteFilePath) throws IOException { if (connection == null ||!connection.isAuthenticationComplete()) { throw new IllegalStateException("未连接到 SSH 服务器"); } SCPClient scpClient = connection.createSCPClient(); scpClient.put(localFilePath, remoteFilePath); } /** * 从 SSH 服务器下载文件 * @param remoteFilePath 远程文件路径 * @param localFilePath 本地文件路径 * @throws IOException 下载过程中发生的云南idc服务商 I/O 异常 */ public void downloadFile(String remoteFilePath, String localFilePath) throws IOException { if (connection == null ||!connection.isAuthenticationComplete()) { throw new IllegalStateException("未连接到 SSH 服务器"); } SCPClient scpClient = connection.createSCPClient(); scpClient.get(remoteFilePath, localFilePath); } /** * 关闭 SSH 连接 */ public void close() { if (connection != null) { connection.close(); } } public static void main(String[] args) throws IOException { SSH2Util sshUtil = new SSH2Util("your_hostname", 22, "your_username", "your_password"); try { if (sshUtil.connect()) { System.out.println("连接成功"); String result = sshUtil.executeCommand("ls -l"); System.out.println("命令执行结果：\n" + result); sshUtil.uploadFile("local_file_path", "remote_file_path"); sshUtil.downloadFile("remote_file_path", "local_file_path"); } else { System.out.println("连接失败"); } } catch (IOException e) { e.printStackTrace(); } finally { sshUtil.close(); } } }1.2.3.4.5.6.7.8.9.10.11.12.13.14.15.16.17.18.19.20.21.22.23.24.25.26.27.28.29.30.31.32.33.34.35.36.37.38.39.40.41.42.43.44.45.46.47.48.49.50.51.52.53.54.55.56.57.58.59.60.61.62.63.64.65.66.67.68.69.70.71.72.73.74.75.76.77.78.79.80.81.82.83.84.85.86.87.88.89.90.91.92.93.94.95.96.97.98.99.100.101.102.103.104.105.106.