Loading

CentOS7 通过编译RPM包升级OpenSSH-8.8

编译环境

系统版本: CentOS 7
软件版本:

  • openssh-8.8p1.tar.gz
  • x11-ssh-askpass-1.2.4.1.tar.gz

编译 OpenSSH

  1. 依赖包
yum install rpm-build zlib-devel openssl-devel gcc krb5-devel pam-devel libX11-devel libXt-devel gtk2-devel imake -y
  1. 创建编译目录
mkdir -p /root/rpmbuild/{SOURCES,SPECS}
  1. 下载 openssh-8.8p1编译包和 x11-ssh-askpass 依赖包并解压修改配置

https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.8p1.tar.gz

https://src.fedoraproject.org/repo/pkgs/openssh/x11-ssh-askpass-1.2.4.1.tar.gz/8f2e41f3f7eaa8543a2440454637f3c3/x11-ssh-askpass-1.2.4.1.tar.gz

安装包上传至/root/rpmbuild/SOURCES目录下

cd /root/rpmbuild/SOURCES
tar -zvxf openssh-8.8p1.tar.gz
cp openssh-8.8p1/contrib/redhat/openssh.spec  /root/rpmbuild/SPECS/

sed -i -e "s/%define no_x11_askpass 0/%define no_x11_askpass 1/g" /root/rpmbuild/SPECS/openssh.spec
sed -i -e "s/%define no_gnome_askpass 0/%define no_gnome_askpass 1/g" /root/rpmbuild/SPECS/openssh.spec
vim /root/rpmbuild/SPECS/openssh.spec
# 注释掉 BuildRequires: openssl-devel < 1.1 这一行
  1. 开始编译
rpmbuild -ba /root/rpmbuild/SPECS/openssh.spec

编译成功后 RPM 软件包存放在 /root/rpmbuild/RPMS/x86_64/ 目录下

image-20221130170410196

cd /root/rpmbuild/RPMS/x86_64/ && ll

image-20221130170206509

安装 OpenSSH

前提条件

必须使用多台物理机在不用网络环境下(有线连接和手机热点连接)打开多个SSH终端,避免因为网络中断安装失败,导致 SSH 连接不上主机。

安装过程中不能断开当前 SSH 终端连接,必须在 OpenSSH 服务启动后并且测试新的 SSH 终端可以连接的情况下断开。否则主机将无法连接进入终端。

安装 OpenSSH

  1. 备份 PAM
cp /etc/pam.d/sshd /etc/pam.d/sshd.bak

以下为 /etc/pam.d/sshd 内容备份

#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare
  1. 安装 OpenSSH RPM 软件包 (会自动处理依赖关系)
cd /root/rpmbuild/RPMS/x86_64/
yum install openssh-8.8p1-1.el7.x86_64.rpm  openssh-clients-8.8p1-1.el7.x86_64.rpm openssh-server-8.8p1-1.el7.x86_64.rpm
  1. 允许 Root 用户登录

注意检查 /etc/ssh/sshd_config 中是否启用密码登录,即PasswordAuthentication yes

echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
  1. 给予权限
cd /etc/sshd
chmod 600 ssh_host_ecdsa_key ssh_host_ed25519_key ssh_host_rsa_key
  1. 恢复 PAM
cp /etc/pam.d/sshd.bak /etc/pam.d/sshd
  1. 重启 OpenSSH 并检查启动状态
ssh -V
systemctl daemon-reload
systemctl restart sshd
systemctl status sshd
systemctl enable sshd              

image-20221130171218520

至此,升级完成,先别关闭当前SSH终端,直接新开一个终端,连接到服务器测试。

降级 OpenSSH

正常情况下,降级是不会覆盖 /etc/pam.d/sshdvi /etc/ssh/sshd_config , 但保险起见还是对文件进行备份检查。

  1. 备份 PAM
cp /etc/pam.d/sshd /etc/pam.d/sshd.bak2
  1. 降级
yum downgrade openssh openssh-clients openssh-server
  1. 检查配置文件
vi /etc/ssh/sshd_config

PermitRootLogin yes
PasswordAuthentication yes
  1. 检查 PAM 如果被修改则恢复
cat /etc/pam.d/sshd

image-20221130171319866

  1. 重启服务
ssh -V
systemctl daemon-reload
systemctl restart sshd
systemctl status sshd
systemctl enable sshd

至此,降级完成,先别关闭当前SSH终端,直接新开一个终端,连接到服务器测试。

编译安装 OpenSSL3.0.7

官方下载地址: https://www.openssl.org/source/openssl-3.0.7.tar.gz

  1. 安装依赖包
yum install perl-IPC-Cmd
  1. 解压源码包
tar -zvxf openssl-3.0.7.tar.gz
  1. 配置
cd openssl-3.0.7
./config

image-20221208144603419

  1. 安装
make && make install
  1. 更换 openssl
# 备份 openssl
mv /usr/bin/openssl /usr/bin/openssl.old
mv /usr/lib64/openssl /usr/lib64/openssl.old

# 链接新版 openssl
ln -s /usr/local/bin/openssl /usr/bin/openssl
ln -s /usr/local/include/openssl/ /usr/include/openssl
  1. 更新动态链接库数据
echo "/usr/local/lib/" >> /etc/ld.so.conf
echo "/usr/local/lib64/" >> /etc/ld.so.conf
# 重新加载动态链接库
ldconfig -v
  1. 更新完成
openssl version -a

image-20221208151255143

posted @ 2022-12-07 15:22  白日醒梦  阅读(1028)  评论(0编辑  收藏  举报