@lijiahong 2020-11-02T04:47:23.000000Z Word count: 17103 Reads: 1234

Upgrading OpenSSH on CentOS to openssh-7.2

CentOS openssh


The security department's vulnerability scan asked us to upgrade the OpenSSH version. The upgrade itself is not complicated, but this is a production environment, so the main thing to watch is this: if you upgrade ssh remotely over ssh and it fails, you will not be able to ssh back in, so make sure someone can get to the console on site. (Important: a system update restores the sshd and ssh files to the original version, and if sshd_config was given the Jenkins-related KexAlgorithms setting, ssh then fails to start. The fix, installing into a separate directory, is described at the end of this article.)

Environment:

```
cat /etc/issue
CentOS release 6.5 (Final)
ssh -V
OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
openssl version -a
OpenSSL 1.0.1e-fips 11 Feb 2013
```

I. Preparation

Back up the ssh directory (important):

```shell
cp -rf /etc/ssh /etc/ssh.bak
```

If someone can handle the machine on site, this fallback does not need to be set up:

```shell
# install telnet so that a problem with the ssh upgrade does not leave the host without remote management
yum install telnet-server
vi /etc/xinetd.d/telnet
```

```
service telnet
{
    flags = REUSE
    socket_type = stream
    wait = no
    user = root
    server = /usr/sbin/in.telnetd
    log_on_failure += USERID
    disable = no
}
```

vi /etc/securetty

```
# root is not allowed to log in by default; add:
pts/0
pts/1
pts/2
# if many users log in, more pts/* entries are needed
/etc/init.d/xinetd restart
# root can now log in via telnet
# after the ssh upgrade it is recommended to change these settings back
```

II. Installation

The upgrade needs a few components:

```shell
yum install -y gcc openssl-devel pam-devel rpm-build
```

The newest release at the moment is openssh-8.4, but it has only just come out, so to be safe I chose version 7.2:

```shell
wget https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/openssh-8.4p1.tar.gz   # latest
wget https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/openssh-8.0p1.tar.gz
wget https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/openssh-7.7p1.tar.gz
wget http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.3p1.tar.gz
wget http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.2p1.tar.gz
wget http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.1p1.tar.gz
```

Unpack the upgrade package and install:

```shell
tar -zxvf openssh-7.2p1.tar.gz
cd openssh-7.2p1
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-md5-passwords --with-tcp-wrappers
make && make install
```

Output at the end of the installation:

```
/etc/ssh/ssh_config already exists, install will not overwrite
/etc/ssh/sshd_config already exists, install will not overwrite
/etc/ssh/moduli already exists, install will not overwrite
ssh-keygen: generating new host keys: ECDSA ED25519
/usr/sbin/sshd -t -f /etc/ssh/sshd_config
/etc/ssh/sshd_config line 81: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 83: Unsupported option GSSAPICleanupCredentials
```

Edit the configuration file to allow root login:

```shell
vi /etc/ssh/sshd_config
```

change

```
#PermitRootLogin yes
```

to

```
PermitRootLogin yes
```

or use a command:

```shell
sed -i '/^#PermitRootLogin/s/#PermitRootLogin yes/PermitRootLogin yes/' /etc/ssh/sshd_config
```

Restart OpenSSH:

```shell
service sshd restart
```

Version after the upgrade:

```
ssh -V
OpenSSH_7.2p1, OpenSSL 1.0.1e-fips 11 Feb 2013
```
If you renamed the original ssh directory earlier (`mv /etc/ssh /etc/ssh_bak`), the configuration needs a few adjustments:

```shell
# edit the configuration file to forbid root login
sed -i '/^#PermitRootLogin/s/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
# optional: disable DNS lookups
sed -i '/^#UseDNS yes/s/#UseDNS yes/UseDNS no/' /etc/ssh/sshd_config
# optional (the default is 22): move the ssh port to 6022
echo "Port 6022" >> /etc/ssh/sshd_config
```

Note: while upgrading SSH, your existing SSH session is not dropped by the upgrade or by restarting the service.

Problem 1:

```
[root@testserver2 tmp]# service sshd restart
Stopping sshd: [ OK ]
Starting sshd: /etc/ssh/sshd_config line 81: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 83: Unsupported option GSSAPICleanupCredentials [ OK ]
```

Fix: comment out the lines reported above in /etc/ssh/sshd_config:

```shell
sed -i '/^GSSAPICleanupCredentials/s/GSSAPICleanupCredentials yes/#GSSAPICleanupCredentials yes/' /etc/ssh/sshd_config
sed -i '/^GSSAPIAuthentication/s/GSSAPIAuthentication yes/#GSSAPIAuthentication yes/' /etc/ssh/sshd_config
sed -i '/^GSSAPIAuthentication/s/GSSAPIAuthentication no/#GSSAPIAuthentication no/' /etc/ssh/sshd_config
```

Problem 2: after the update, ssh prints the following message, which does not affect use:

```
[root@testserver2 tmp]# ssh 10.111.32.51
/etc/ssh/ssh_config line 50: Unsupported option "gssapiauthentication"
```

Fix: comment out the gssapiauthentication entry in /etc/ssh/ssh_config.
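The sed lines above each target one option by name, so every new "Unsupported option" needs another hand-written pattern. As an added example (not from the original article), the following POSIX shell script instead reads the `Unsupported option` messages that `sshd -t` or `service sshd restart` print and comments out exactly the reported line numbers, keeping a backup of the file first. The function names and the sample config and messages in `demo` are constructed for illustration; GNU `sed -i` and `awk` are assumed.

```shell
#!/bin/sh
# Added example (not the article's own commands): comment out every sshd_config
# line that `sshd -t` reports as "Unsupported option", driven by sshd's own
# output rather than by one hand-written sed pattern per option name.
# Assumes GNU sed (sed -i) and awk; the files built in demo() are constructed.

# comment_unsupported CONFIG ERRORS
#   CONFIG: the sshd_config to fix (a copy is kept as CONFIG.bak)
#   ERRORS: file holding the output of `sshd -t -f CONFIG` (or of
#           `service sshd restart`), i.e. lines such as
#           /etc/ssh/sshd_config line 81: Unsupported option GSSAPIAuthentication
comment_unsupported() {
    config="$1"; errors="$2"
    cp "$config" "$config.bak" || return 1
    # take the number that follows the word "line" on every "Unsupported option" message
    lines=$(awk '/Unsupported option/ {
                    for (i = 1; i < NF; i++)
                        if ($i == "line") { n = $(i + 1); sub(":", "", n); print n }
                 }' "$errors")
    [ -n "$lines" ] || return 0        # nothing reported, nothing to change
    for n in $lines; do
        # put '#' in front of that line unless it is already a comment
        sed -i "${n}"'s/^\([^#]\)/#\1/' "$config" || return 1
    done
}

# active_count CONFIG OPTION: number of uncommented lines that set OPTION
active_count() {
    grep -c "^[[:space:]]*$2[[:space:]]" "$1" || true
}

demo() {
    dir=$(mktemp -d)
    # constructed sshd_config fragment and the matching sshd -t complaints
    printf '%s\n' 'Port 22' 'GSSAPIAuthentication yes' 'UsePAM yes' \
        'GSSAPICleanupCredentials yes' > "$dir/sshd_config"
    printf '%s\n' \
        "$dir/sshd_config line 2: Unsupported option GSSAPIAuthentication" \
        "$dir/sshd_config line 4: Unsupported option GSSAPICleanupCredentials" > "$dir/errors"
    comment_unsupported "$dir/sshd_config" "$dir/errors"
    cat "$dir/sshd_config"
    echo "active GSSAPIAuthentication lines: $(active_count "$dir/sshd_config" GSSAPIAuthentication)"
    rm -rf "$dir"
}
demo
```

On a real host the sequence is `/usr/sbin/sshd -t -f /etc/ssh/sshd_config 2> /tmp/sshd-t.out`, then `comment_unsupported /etc/ssh/sshd_config /tmp/sshd-t.out`, then `sshd -t` again; restart only once it reports nothing. `sshd -t` writes its complaints to stderr, hence the `2>`. Because the function only ever adds a `#`, running it twice on the same output is harmless.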
  27. ------------------------------------------------------------------------------------------

Upgrading openssh on CentOS 7: refer to the following.

This time the installation is from source (the system needs gcc); the software versions are:

```
zlib-1.2.8
openssl-1.0.2h
openssh-7.3p1
```

Installation steps:

1) Install zlib

```shell
[root@CentOS7test ~]# cd zlib-1.2.8/
[root@CentOS7test zlib-1.2.8]# ./configure
[root@CentOS7test zlib-1.2.8]# make
[root@CentOS7test zlib-1.2.8]# make install
```

2) Install openssl

```shell
[root@CentOS7test ~]# cd openssl-1.0.2h/
[root@CentOS7test openssl-1.0.2h]# ./config --prefix=/usr/ --shared
[root@CentOS7test openssl-1.0.2h]# make
[root@CentOS7test openssl-1.0.2h]# make install
```

3) Install openssh

```shell
[root@CentOS7test ~]# cd openssh-7.3p1/
[root@CentOS7test openssh-7.3p1]# ./configure --prefix=/usr/local --sysconfdir=/etc/ssh --with-pam --with-zlib --with-md5-passwords --with-tcp-wrappers
[root@CentOS7test openssh-7.3p1]# make
[root@CentOS7test openssh-7.3p1]# make install
```

4) Check that the version has been updated

```
[root@CentOS7test openssh-7.3p1]# ssh -V
OpenSSH_7.3p1, OpenSSL 1.0.2h 3 May 2016
```

5) Replace the original binaries with the new build

```shell
[root@CentOS7test openssh-7.3p1]# mv /usr/bin/ssh /usr/bin/ssh_bak
[root@CentOS7test openssh-7.3p1]# cp /usr/local/bin/ssh /usr/bin/ssh
[root@CentOS7test openssh-7.3p1]# mv /usr/sbin/sshd /usr/sbin/sshd_bak
[root@CentOS7test openssh-7.3p1]# cp /usr/local/sbin/sshd /usr/sbin/sshd
```

6) Reload the ssh configuration and restart the ssh service

```shell
[root@CentOS7test ~]# systemctl daemon-reload
[root@CentOS7test ~]# systemctl restart sshd.service
```

7) Problems encountered and their fixes

Problem 1:
After installation, telnet to port 22 fails; `systemctl status sshd.service` shows warnings, among them `Permissions 0640 for '/etc/ssh/ssh_host_ecdsa_key' are too open`.

Fix:
Change the permissions of the files named in the warning to 600, restart sshd (`systemctl restart sshd.service`) and check the service status (`systemctl status sshd.service`). Example: `chmod 600 /etc/ssh/ssh_host_ecdsa_key`

Problem 2:
Root needs to log in directly after the installation.

Fix:
Edit /etc/ssh/sshd_config, change `#PermitRootLogin yes` to `PermitRootLogin yes`, restart sshd, then verify after the upgrade.

Problem 3:

If you deploy with Jenkins, the upgrade breaks Jenkins deployments: testing the connection to the web server reports `Algorithm negotiation fail`.

Fix:

On the web server, append the following line at the end of sshd_config:

```
KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
```

Reference: http://stackoverflow.com/questions/32627998/algorithm-negotiation-fail-in-jenkins


[Temporarily changing the version number: upgrading a production host that has been running for a long time carries risk, so if possible just change the version number. (Later verified: this version-number edit does not work; `ssh -v IP` still shows the version.)]

Query:

```shell
ssh -V
sshd -V
```

Back up:

```shell
cp /usr/bin/ssh /usr/bin/ssh.bak.version_edit
cp /usr/sbin/sshd /usr/sbin/sshd.bak.version_edit
```

Edit:

```shell
sed -i 's#OpenSSH_5.3p1#OpenSSH_7.2p1#g' /usr/bin/ssh
sed -i 's#OpenSSH_5.3p1#OpenSSH_7.2p1#g' /usr/sbin/sshd
```

Summary:

Upgrading ssh on a CentOS 7.x host:

```shell
cp /usr/bin/ssh /usr/bin/ssh.bak.20161124
cp /usr/sbin/sshd /usr/bin/sshd.bak.20161124
mv /etc/ssh /etc/ssh.bak
# --- download the package, install gcc, build, etc.: see the steps above ---
make && make install
/usr/sbin/sshd -t -f /etc/ssh/sshd_config
echo 'PermitRootLogin yes' >> /etc/ssh/sshd_config
cp /etc/ssh.bak/sshd_config /etc/ssh/sshd_config   # overwrite the newly generated file with the original configuration
/bin/systemctl restart sshd.service
```

Upgrading ssh on CentOS 6.x:

```shell
cp /usr/bin/ssh /usr/bin/ssh.bak.20161124
cp /usr/sbin/sshd /usr/bin/sshd.bak.20161124
cp -rf /etc/ssh /etc/ssh.bak
# --- download the package, install gcc, build, etc.: see the steps above ---
make && make install
sed -i '/^#PermitRootLogin/s/#PermitRootLogin yes/PermitRootLogin yes/' /etc/ssh/sshd_config
sed -i '/^GSSAPICleanupCredentials/s/GSSAPICleanupCredentials yes/#GSSAPICleanupCredentials yes/' /etc/ssh/sshd_config
sed -i '/^UsePAM/s/UsePAM yes/#UsePAM yes/' /etc/ssh/sshd_config
sed -i '/^GSSAPIAuthentication/s/GSSAPIAuthentication yes/#GSSAPIAuthentication yes/' /etc/ssh/sshd_config
sed -i '/^GSSAPIAuthentication/s/GSSAPIAuthentication no/#GSSAPIAuthentication no/' /etc/ssh/sshd_config
service sshd restart
```

Appendix:

CentOS 7 sshd_config contents (as rendered on the original page: the leading `#` of commented-out option lines was lost in rendering, so where an option appears twice, such as `UseDNS yes` followed by `UseDNS no`, the pair is normally the commented default followed by the active setting; the comment markers on the prose lines have been restored below):

```
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER

Port 22
AddressFamily any
ListenAddress 0.0.0.0
ListenAddress ::

# The default requires explicit activation of protocol 1
Protocol 2

# HostKey for protocol version 1
HostKey /etc/ssh/ssh_host_key

# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 1h
ServerKeyBits 1024

# Ciphers and keying
RekeyLimit default none

# Logging
# obsoletes QuietMode and FascistLogging
SyslogFacility AUTH
SyslogFacility AUTHPRIV
LogLevel INFO

# Authentication:

LoginGraceTime 2m
PermitRootLogin yes
StrictModes yes
MaxAuthTries 6
MaxSessions 10

RSAAuthentication yes
PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys

AuthorizedPrincipalsFile none

AuthorizedKeysCommand none
AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
KerberosAuthentication no
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
KerberosGetAFSToken no
KerberosUseKuserok yes

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
GSSAPIStrictAcceptorCheck yes
GSSAPIKeyExchange no
GSSAPIEnablek5users no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
UsePAM yes

AllowAgentForwarding yes
AllowTcpForwarding yes
GatewayPorts no
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
PermitTTY yes
PrintMotd yes
PrintLastLog yes
TCPKeepAlive yes
UseLogin no
UsePrivilegeSeparation sandbox # Default for new installations.
PermitUserEnvironment no
Compression delayed
ClientAliveInterval 0
ClientAliveCountMax 3
ShowPatchLevel no
UseDNS yes
UseDNS no
PidFile /var/run/sshd.pid
MaxStartups 10:30:100
PermitTunnel no
ChrootDirectory none
VersionAddendum none

# no default banner path
Banner none

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
Match User anoncvs
X11Forwarding no
AllowTcpForwarding no
PermitTTY no
ForceCommand cvs server
```

CentOS 6 sshd_config contents (rendered the same way, with the same caveat about lost `#` markers on option lines):

```
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

Port 22
AddressFamily any
ListenAddress 0.0.0.0
ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 1h
ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
SyslogFacility AUTH
SyslogFacility AUTHPRIV
LogLevel INFO

# Authentication:

LoginGraceTime 2m
PermitRootLogin yes
StrictModes yes
MaxAuthTries 6
MaxSessions 10

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
AuthorizedKeysCommand none
AuthorizedKeysCommandRunAs nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
KerberosAuthentication no
KerberosOrLocalPasswd yes
KerberosTicketCleanup yes
KerberosGetAFSToken no
KerberosUseKuserok yes

# GSSAPI options
GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
GSSAPIStrictAcceptorCheck yes
GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM no
UsePAM yes

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

AllowAgentForwarding yes
AllowTcpForwarding yes
GatewayPorts no
X11Forwarding no
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
PrintMotd yes
PrintLastLog yes
TCPKeepAlive yes
UseLogin no
UseLogin no
UsePrivilegeSeparation yes
PermitUserEnvironment no
Compression delayed
ClientAliveInterval 0
ClientAliveCountMax 3
ShowPatchLevel no
PidFile /var/run/sshd.pid
MaxStartups 10
PermitTunnel no
ChrootDirectory none

# no default banner path
Banner none

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
Match User anoncvs
X11Forwarding no
AllowTcpForwarding no
ForceCommand cvs server

UseDNS no
GSSAPIAuthentication no
GSSAPIAuthentication yes
```

Supplement, 2016-12-05:

In practice Ansible and Jenkins had problems. After searching online, the fix is to append two lines at the end of /etc/ssh/sshd_config:

```
Ciphers aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc,arcfour128,arcfour256,arcfour,blowfish-cbc,cast128-cbc
KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
```

The upgraded openssh is too new, so the encryption algorithm negotiation with these clients fails; after adding the lines and restarting, it works.
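The Ciphers and KexAlgorithms lines appended here (and in Problem 3 of the CentOS 7 section above) re-enable algorithms that the newer OpenSSH had dropped from its defaults, which is why the clients negotiate again. As an added example, not from the original article, the following shell functions audit an sshd_config for such entries and derive the same directives with only the non-legacy algorithms kept, so that the compatibility list stays a known, documented exception rather than a permanent setting. The legacy classification (RC4/arcfour, CBC-mode ciphers, SHA-1 based Diffie-Hellman key exchanges) and all function names are my own assumptions; the config in `demo` is constructed from the two lines above.

```shell
#!/bin/sh
# Added example, not from the original article: audit the Ciphers and
# KexAlgorithms directives an sshd_config enables, flag the legacy entries and
# produce the same directive with those entries removed. Which algorithms
# count as legacy is an assumption made here (tune it per site):
# RC4 (arcfour*), every CBC-mode cipher, and the SHA-1 based
# Diffie-Hellman key exchanges.

# is_legacy ALGORITHM: exit 0 if ALGORITHM is on the legacy list
is_legacy() {
    case "$1" in
        arcfour*|*-cbc) return 0 ;;
        diffie-hellman-group1-sha1|diffie-hellman-group14-sha1|diffie-hellman-group-exchange-sha1) return 0 ;;
        *) return 1 ;;
    esac
}

# directive_value CONFIG DIRECTIVE: value of the first active (uncommented)
# DIRECTIVE line, matched case-insensitively as sshd does; empty if unset
directive_value() {
    awk -v d="$2" 'tolower($1) == tolower(d) { print $2; exit }' "$1"
}

# find_legacy CONFIG: print "DIRECTIVE algorithm" for every legacy entry
find_legacy() {
    for directive in Ciphers KexAlgorithms; do
        value=$(directive_value "$1" "$directive")
        [ -n "$value" ] || continue
        for algo in $(printf '%s' "$value" | tr ',' ' '); do
            if is_legacy "$algo"; then printf '%s %s\n' "$directive" "$algo"; fi
        done
    done
}

# count_legacy CONFIG: number of legacy entries across both directives
count_legacy() {
    find_legacy "$1" | wc -l | tr -d ' '
}

# strip_legacy CONFIG DIRECTIVE: DIRECTIVE's value with legacy entries removed
strip_legacy() {
    kept=""
    for algo in $(directive_value "$1" "$2" | tr ',' ' '); do
        is_legacy "$algo" && continue
        kept="${kept:+$kept,}$algo"
    done
    printf '%s\n' "$kept"
}

demo() {
    dir=$(mktemp -d)
    # constructed config carrying the two lines the article appends for Ansible and Jenkins
    cat > "$dir/sshd_config" <<'EOF'
Port 22
Ciphers aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc,arcfour128,arcfour256,arcfour,blowfish-cbc,cast128-cbc
KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
EOF
    find_legacy "$dir/sshd_config"
    echo "legacy entries: $(count_legacy "$dir/sshd_config")"
    echo "Ciphers without legacy entries:       $(strip_legacy "$dir/sshd_config" Ciphers)"
    echo "KexAlgorithms without legacy entries: $(strip_legacy "$dir/sshd_config" KexAlgorithms)"
    rm -rf "$dir"
}
demo
```

The practical use is to run `find_legacy /etc/ssh/sshd_config` after adding the compatibility lines, so that the set of legacy algorithms enabled for Jenkins or Ansible is recorded and can be removed again once those clients are updated; `strip_legacy` yields the value to put back at that point.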
Supplement, 2017-04-28:

Script for upgrading the openssh version:

```shell
cp /usr/bin/ssh /usr/bin/ssh.bak.20161124
cp /usr/sbin/sshd /usr/bin/sshd.bak.20161124
cp -rf /etc/ssh /etc/ssh.bak
yum install -y gcc openssl-devel pam-devel rpm-build
wget http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.2p1.tar.gz
tar -zxvf openssh-7.2p1.tar.gz && cd openssh-7.2p1 && ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-md5-passwords --with-tcp-wrappers && make && make install
sed -i '/^#PermitRootLogin/s/#PermitRootLogin yes/PermitRootLogin yes/' /etc/ssh/sshd_config
sed -i 's/GSSAPIAuthentication yes/#GSSAPIAuthentication yes/' /etc/ssh/ssh_config
sed -i '/^GSSAPICleanupCredentials/s/GSSAPICleanupCredentials yes/#GSSAPICleanupCredentials yes/' /etc/ssh/sshd_config
sed -i '/^GSSAPIAuthentication/s/GSSAPIAuthentication yes/#GSSAPIAuthentication yes/' /etc/ssh/sshd_config
sed -i '/^GSSAPIAuthentication/s/GSSAPIAuthentication no/#GSSAPIAuthentication no/' /etc/ssh/sshd_config

sed -i '/^#UsePAM/s/#UsePAM yes/UsePAM yes/' /etc/ssh/sshd_config   # needed if the intranet uses LDAP

echo "# ansible support" >>/etc/ssh/sshd_config
echo "Ciphers aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc,arcfour128,arcfour256,arcfour,blowfish-cbc,cast128-cbc" >>/etc/ssh/sshd_config
echo "

service sshd restart
```

Important: I recently found that after upgrading the ssh version, running a system update or upgrading packages that depend on the ssh package reverts ssh to the original version.

Supplement, 2017-05-04:

Running a system update on Linux reverts the upgraded ssh to the previous version. The way to handle this: install the new ssh into a separate directory and have the system start the ssh from that directory.

I. Back up files

```shell
cp /usr/bin/ssh /usr/bin/ssh.bak.20171124
cp /usr/sbin/sshd /usr/bin/sshd.bak.20171124
cp -rf /etc/ssh /etc/ssh.bak.20171124
```

II. Install (/usr/local/ssh7 is the new directory; /usr/local/ssh7/ssh holds the configuration files)

```shell
yum install -y gcc openssl-devel pam-devel rpm-build
wget http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.2p1.tar.gz
tar -zxvf openssh-7.2p1.tar.gz && cd openssh-7.2p1 && ./configure --prefix=/usr/local/ssh7 --sysconfdir=/usr/local/ssh7/ssh --with-pam --with-zlib --with-md5-passwords --with-tcp-wrappers && make && make install
```

III. Edit sshd_config

vi /usr/local/ssh7/ssh/sshd_config, with the following contents:

```
Port 22
Protocol 2
PermitRootLogin yes
AuthorizedKeysFile .ssh/authorized_keys
ChallengeResponseAuthentication no
UsePAM yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
X11Forwarding yes
Subsystem sftp /usr/local/ssh7/libexec/sftp-server
UseDNS no
```

Add for Ansible support:

```
Ciphers aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc,arcfour128,arcfour256,arcfour,blowfish-cbc,cast128-cbc
```

Add for Jenkins support:

```
KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
```

IV. Edit the startup script

```shell
cp /etc/init.d/sshd /etc/init.d/sshd7
mv /etc/init.d/sshd /etc/init.d/sshd.bak.20171124
vi /etc/init.d/sshd7
```

Change:

```
SSHD=/usr/sbin/sshd
```

to

```
SSHD=/usr/local/ssh7/sbin/sshd
```

Change:

```
[ -f /etc/ssh/sshd_config ] || exit 6
```

to

```
[ -f /usr/local/ssh7/ssh/sshd_config ] || exit 6
```

V. Set the environment variables for root

vi /etc/profile.d/ssh7.sh:

```shell
export SSH_7=/usr/local/ssh7
export PATH=${SSH_7}/sbin:$PATH
```

VI. Restart ssh

```shell
service sshd7 restart
```

From now on the ssh service has to be restarted this way.
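As an added example (not the article's own commands), the following shell script carries out step IV on a copy of the init script and checks that both substitutions actually matched, writes the step V profile snippet with the `${SSH_7}` expansion spelled out, and adds a check for the situation this supplement addresses, a package update silently restoring the old `/usr/sbin/sshd`: the installed binary is compared against the pre-upgrade backup. The `/usr/local/ssh7` paths are the article's; the function names and the miniature init script in `demo` are constructed, and GNU `sed -i` and `cmp` are assumed.

```shell
#!/bin/sh
# Added example, not the article's own commands. Paths /usr/local/ssh7 and
# /usr/local/ssh7/ssh are the article's; function names and the sample init
# script in demo() are constructed. Assumes GNU sed (sed -i) and cmp.

# patch_init_script SRC DST PREFIX CONFDIR
#   Copy the stock init script SRC to DST and point it at PREFIX/sbin/sshd and
#   CONFDIR/sshd_config. Returns 1 if either expected line is missing, so a
#   sed that matched nothing cannot leave DST quietly starting the old binary.
patch_init_script() {
    src="$1"; dst="$2"; prefix="$3"; confdir="$4"
    cp "$src" "$dst" || return 1
    grep -q '^SSHD=/usr/sbin/sshd$' "$dst" || return 1
    grep -q '^\[ -f /etc/ssh/sshd_config ] || exit 6$' "$dst" || return 1
    sed -i \
        -e "s#^SSHD=/usr/sbin/sshd\$#SSHD=$prefix/sbin/sshd#" \
        -e "s#^\[ -f /etc/ssh/sshd_config ] || exit 6\$#[ -f $confdir/sshd_config ] || exit 6#" \
        "$dst"
}

# init_script_points_to DST PREFIX: 0 if DST now starts PREFIX/sbin/sshd
init_script_points_to() {
    grep -q "^SSHD=$2/sbin/sshd\$" "$1"
}

# write_profile_snippet FILE PREFIX
#   The /etc/profile.d entry of step V; the ${SSH_7} expansion needs its
#   dollar sign, otherwise PATH gains a literal "{SSH_7}/sbin" entry.
write_profile_snippet() {
    printf 'export SSH_7=%s\nexport PATH=${SSH_7}/sbin:$PATH\n' "$2" > "$1"
}

# sshd_reverted BIN BAK
#   0 when BIN is byte-for-byte the pre-upgrade backup BAK, i.e. a package
#   update has put the old sshd back; 1 otherwise. Run it after every system
#   update against /usr/sbin/sshd and the sshd.bak.<date> copy.
sshd_reverted() {
    cmp -s "$1" "$2"
}

demo() {
    dir=$(mktemp -d)
    # constructed four-line stand-in for /etc/init.d/sshd
    printf '%s\n' '#!/bin/sh' 'SSHD=/usr/sbin/sshd' 'PID_FILE=/var/run/sshd.pid' \
        '[ -f /etc/ssh/sshd_config ] || exit 6' > "$dir/sshd"
    patch_init_script "$dir/sshd" "$dir/sshd7" /usr/local/ssh7 /usr/local/ssh7/ssh
    cat "$dir/sshd7"
    write_profile_snippet "$dir/ssh7.sh" /usr/local/ssh7
    cat "$dir/ssh7.sh"
    # simulate the reversion: the "installed" binary equals the backup again
    printf 'old build\n' > "$dir/sshd.bak"; cp "$dir/sshd.bak" "$dir/sshd.bin"
    if sshd_reverted "$dir/sshd.bin" "$dir/sshd.bak"; then echo "sshd was reverted to the backup"; fi
    rm -rf "$dir"
}
demo
```

On a real host the calls are `patch_init_script /etc/init.d/sshd /etc/init.d/sshd7 /usr/local/ssh7 /usr/local/ssh7/ssh` before the `mv` of the original, `write_profile_snippet /etc/profile.d/ssh7.sh /usr/local/ssh7`, and `sshd_reverted /usr/sbin/sshd /usr/bin/sshd.bak.20171124` after each update; with the separate-directory layout the second check matters less, because `service sshd7` never starts `/usr/sbin/sshd`, but it still tells you whether the package manager has touched the old binary.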

References:
http://blog.c1gstudio.com/archives/1474
https://www.douban.com/note/306958442/
http://www.cnblogs.com/elisun/p/5523696.html
