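Upgrading OpenSSH to openssh-9.4p1
1. OpenSSH upstream only provides source tarballs, so we compile the source into RPM packages ourselves and use them to upgrade OpenSSH in our environment. The target system is CentOS 7.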
https://www.openssl.org/source/
https://www.openssh.com/releasenotes.html
    wget https://github.com/boypt/openssh-rpms/archive/refs/heads/main.zip
    unzip main.zip
    cd openssh-rpms-main/
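compile.sh: the build script.
el5, el6, el7: directories for CentOS 5, 6 and 7 respectively. Build parameters are controlled by openssh.spec in each SPECS directory.
The built RPM packages are placed in the RPMS directory.
pullsrc.sh: script that downloads the OpenSSH-related source tarballs.
version.env: defines the versions of the OpenSSH and OpenSSL sources.
2. Modify the relevant configuration
Add the --no-check-certificate option to the wget calls so that wget does not verify the server certificate.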
    # grep wget pullsrc.sh
    wget --no-check-certificate $OPENSSLMIR/$OPENSSLSRC
    wget --no-check-certificate $OPENSSHMIR/$OPENSSHSRC
    wget --no-check-certificate $ASKPASSMIR/$ASKPASSSRC
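The OpenSSH source has no build parameter for ssh-copy-id, so if you compile and install it as-is you will find that the ssh-copy-id command is missing after installation. If you need that command, edit the build control file openssh.spec (at around line 305).
    # vim el7/SPECS/openssh.spec +305
    # Insert the following line
    install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT/usr/bin/ssh-copy-id
Then insert the following at line 388, save and exit.
    %attr(0755,root,root) %{_bindir}/ssh-copy-id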
Change the OpenSSL version, otherwise the build will fail.
    [root@VM-0-12-centos openssh-rpms-main]# cat version.env
    #OPENSSLSRC=openssl-3.0.11.tar.gz   # comment out this version
    OPENSSLSRC=openssl-1.1.1v.tar.gz    # change to 1.1.1
    OPENSSHSRC=openssh-9.4p1.tar.gz
    ASKPASSSRC=x11-ssh-askpass-1.2.4.1.tar.gz
    PKGREL=4
    OPENSSHVER=${OPENSSHSRC%%.tar.gz}
    OPENSSHVER=${OPENSSHVER##openssh-}
    OPENSSLVER=${OPENSSLSRC%%.tar.gz}
    OPENSSLVER=${OPENSSLVER##openssl-}
3. Install the build environment
    yum groupinstall -y "Development Tools"
    yum install -y imake rpm-build pam-devel krb5-devel zlib-devel libXt-devel libX11-devel gtk2-devel
4. Pull the source code to be compiled and packaged
    # bash pullsrc.sh
    # ll downloads/
    total 11500
    -rw-r--r-- 1 root root 1845094 Aug 10 11:15 openssh-9.4p1.tar.gz
    -rw-r--r-- 1 root root 9893443 Aug 1 22:09 openssl-1.1.1v.tar.gz
    -rw-r--r-- 1 root root 29229 Sep 20 08:54 x11-ssh-askpass-1.2.4.1.tar.gz
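With --no-check-certificate in pullsrc.sh, TLS no longer authenticates the download mirrors, so the tarballs in downloads/ can be compared against SHA-256 digests obtained over a trusted channel before compile.sh runs. The following is an added example, not part of the original post or of the openssh-rpms project; the function name verify_sources and the manifest name SHA256SUMS.pinned are assumptions, and the pinned digests are placeholders you must fill in yourself.

```shell
#!/usr/bin/env bash
# Added example (not part of openssh-rpms): fail closed unless every tarball
# in downloads/ matches a pinned SHA-256 digest. verify_sources and the
# manifest name SHA256SUMS.pinned are hypothetical.
#
# Manifest format (same as sha256sum output), one line per tarball:
#   <64-hex-digest-from-a-trusted-channel>  openssh-9.4p1.tar.gz
#
# Usage, from openssh-rpms-main/ after pullsrc.sh:
#   verify_sources downloads SHA256SUMS.pinned && bash compile.sh

verify_sources() {
    local dir="$1" manifest="$2" rc=0 want name got f
    [ -r "$manifest" ] || { echo "manifest not readable: $manifest" >&2; return 2; }

    # Pass 1: every pinned file must be present and hash to the pinned value.
    while read -r want name || [ -n "$want" ]; do
        case "$want" in ''|'#'*) continue ;; esac
        name=${name#\*}                  # drop sha256sum's binary-mode marker
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name" >&2; rc=1; continue
        fi
        got=$(sha256sum "$dir/$name" | cut -d' ' -f1)
        if [ "$got" = "$want" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name" >&2; rc=1
        fi
    done < "$manifest"

    # Pass 2: a tarball that is not pinned must not reach the build either.
    for f in "$dir"/*.tar.gz; do
        [ -e "$f" ] || continue
        name=${f##*/}
        if ! awk -v n="$name" \
            '{ sub(/^\*/, "", $2) } $2 == n { ok = 1 } END { exit !ok }' "$manifest"; then
            echo "UNLISTED $name" >&2; rc=1
        fi
    done
    return "$rc"
}
```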
5. Run the source packaging script
    # bash compile.sh
    # echo $?    # check the exit status; 0 means success
    # ll el7/RPMS/x86_64/
    total 15412
    -rw-r--r-- 1 root root 5154360 Sep 25 22:11 openssh-9.4p1-4.el7.x86_64.rpm
    -rw-r--r-- 1 root root 5181812 Sep 25 22:11 openssh-clients-9.4p1-4.el7.x86_64.rpm
    -rw-r--r-- 1 root root 3911620 Sep 25 22:11 openssh-debuginfo-9.4p1-4.el7.x86_64.rpm
    -rw-r--r-- 1 root root 1527116 Sep 25 22:11 openssh-server-9.4p1-4.el7.x86_64.rpm
6. Install the four files above, or push and install them in bulk with Ansible.
    # cat update_ssh9.4.yaml
    - hosts: "{{ server_group }}"
      tasks:
        - name: Copy OpenSSH Update file
          copy: src=files/openssh-9.4p1/{{ item }} dest=/tmp/
          with_items:
            - openssh-9.4p1-4.el7.x86_64.rpm
            - openssh-clients-9.4p1-4.el7.x86_64.rpm
            - openssh-debuginfo-9.4p1-4.el7.x86_64.rpm
            - openssh-server-9.4p1-4.el7.x86_64.rpm
        - name: Install OpenSSH
          yum: name={{ packages }} state=present
          vars:
            packages:
              - /tmp/openssh-9.4p1-4.el7.x86_64.rpm
              - /tmp/openssh-clients-9.4p1-4.el7.x86_64.rpm
              - /tmp/openssh-debuginfo-9.4p1-4.el7.x86_64.rpm
              - /tmp/openssh-server-9.4p1-4.el7.x86_64.rpm
        - name: Del Histroy OpenSSH file
          file: path={{ item }} state=absent
          with_items:
            - /tmp/openssh-9.4p1-4.el7.x86_64.rpm
            - /tmp/openssh-clients-9.4p1-4.el7.x86_64.rpm
            - /tmp/openssh-debuginfo-9.4p1-4.el7.x86_64.rpm
            - /tmp/openssh-server-9.4p1-4.el7.x86_64.rpm

    # ansible-playbook update_ssh9.4.yaml -e server_group=192.168.78.11
Note: building with openssl-3.0.11.tar.gz may fail with the following error
    RPM build errors:
        Bad exit status from /var/tmp/rpm-tmp.LsYNDz (%prep)
    Aborted, error 1 in command: rpmbuild -ba SPECS/openssh.spec --target $(uname -m) --define "_topdir $PWD" --define "opensslver ${OPENSSLVER}" --define "opensshver ${OPENSSHVER}" --define "opensshpkgrel ${PKGREL}" --define 'no_gtk2 1' --define 'skip_gnome_askpass 1' --define 'skip_x11_askpass 1'
Reference: https://zhuanlan.zhihu.com/p/652906168