CentOS7 通过编译RPM包升级OpenSSH-8.8

编译环境

系统版本： CentOS 7
软件版本：

• openssh-8.8p1.tar.gz
• x11-ssh-askpass-1.2.4.1.tar.gz

编译 OpenSSH

1. 依赖包

yum install rpm-build zlib-devel openssl-devel gcc krb5-devel pam-devel libX11-devel libXt-devel gtk2-devel imake -y

2. 创建编译目录

mkdir -p /root/rpmbuild/{SOURCES,SPECS}

3. 下载 openssh-8.8p1编译包和 x11-ssh-askpass 依赖包并解压修改配置

https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.8p1.tar.gz

https://src.fedoraproject.org/repo/pkgs/openssh/x11-ssh-askpass-1.2.4.1.tar.gz/8f2e41f3f7eaa8543a2440454637f3c3/x11-ssh-askpass-1.2.4.1.tar.gz

安装包上传至/root/rpmbuild/SOURCES目录下

cd /root/rpmbuild/SOURCES
tar -zvxf openssh-8.8p1.tar.gz
cp openssh-8.8p1/contrib/redhat/openssh.spec  /root/rpmbuild/SPECS/

sed -i -e "s/%define no_x11_askpass 0/%define no_x11_askpass 1/g" /root/rpmbuild/SPECS/openssh.spec
sed -i -e "s/%define no_gnome_askpass 0/%define no_gnome_askpass 1/g" /root/rpmbuild/SPECS/openssh.spec

vim /root/rpmbuild/SPECS/openssh.spec
# 注释掉 BuildRequires: openssl-devel < 1.1 这一行

4. 开始编译

rpmbuild -ba /root/rpmbuild/SPECS/openssh.spec

编译成功后 RPM 软件包存放在 /root/rpmbuild/RPMS/x86_64/ 目录下

cd /root/rpmbuild/RPMS/x86_64/ && ll

安装 OpenSSH

前提条件

​ 必须使用多台物理机在不用网络环境下（有线连接和手机热点连接）打开多个SSH终端，避免因为网络中断安装失败，导致 SSH 连接不上主机。

​ 安装过程中不能断开当前 SSH 终端连接，必须在 OpenSSH 服务启动后并且测试新的 SSH 终端可以连接的情况下断开。否则主机将无法连接进入终端。

安装 OpenSSH

1. 备份 PAM

cp /etc/pam.d/sshd /etc/pam.d/sshd.bak

以下为 /etc/pam.d/sshd 内容备份

#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare

2. 安装 OpenSSH RPM 软件包 （会自动处理依赖关系）

cd /root/rpmbuild/RPMS/x86_64/
yum install openssh-8.8p1-1.el7.x86_64.rpm  openssh-clients-8.8p1-1.el7.x86_64.rpm openssh-server-8.8p1-1.el7.x86_64.rpm

3. 允许 Root 用户登录

注意检查 /etc/ssh/sshd_config 中是否启用密码登录，即PasswordAuthentication yes

echo "PermitRootLogin yes" >> /etc/ssh/sshd_config

4. 给予权限

cd /etc/sshd
chmod 600 ssh_host_ecdsa_key ssh_host_ed25519_key ssh_host_rsa_key

5. 恢复 PAM

cp /etc/pam.d/sshd.bak /etc/pam.d/sshd

6. 重启 OpenSSH 并检查启动状态

ssh -V
systemctl daemon-reload
systemctl restart sshd
systemctl status sshd
systemctl enable sshd              

至此，升级完成，先别关闭当前SSH终端，直接新开一个终端，连接到服务器测试。

降级 OpenSSH

正常情况下，降级是不会覆盖 /etc/pam.d/sshd 和 vi /etc/ssh/sshd_config , 但保险起见还是对文件进行备份检查。

1. 备份 PAM

cp /etc/pam.d/sshd /etc/pam.d/sshd.bak2

2. 降级

yum downgrade openssh openssh-clients openssh-server

3. 检查配置文件

vi /etc/ssh/sshd_config

PermitRootLogin yes
PasswordAuthentication yes

4. 检查 PAM 如果被修改则恢复

cat /etc/pam.d/sshd

5. 重启服务

ssh -V
systemctl daemon-reload
systemctl restart sshd
systemctl status sshd
systemctl enable sshd

至此，降级完成，先别关闭当前SSH终端，直接新开一个终端，连接到服务器测试。

编译安装 OpenSSL3.0.7

官方下载地址: https://www.openssl.org/source/openssl-3.0.7.tar.gz

1. 安装依赖包

yum install perl-IPC-Cmd

2. 解压源码包

tar -zvxf openssl-3.0.7.tar.gz

3. 配置

cd openssl-3.0.7
./config

4. 安装

make && make install

5. 更换 openssl

# 备份 openssl
mv /usr/bin/openssl /usr/bin/openssl.old
mv /usr/lib64/openssl /usr/lib64/openssl.old

# 链接新版 openssl
ln -s /usr/local/bin/openssl /usr/bin/openssl
ln -s /usr/local/include/openssl/ /usr/include/openssl

6. 更新动态链接库数据

echo "/usr/local/lib/" >> /etc/ld.so.conf
echo "/usr/local/lib64/" >> /etc/ld.so.conf
# 重新加载动态链接库
ldconfig -v

7. 更新完成

openssl version -a