Upgrading OpenSSH to openssh-9.4p1

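1. The OpenSSH project only publishes source tarballs, so we build the source into RPM packages ourselves and use them to upgrade OpenSSH in our environment. The target system is CentOS 7.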

https://www.openssl.org/source/

https://www.openssh.com/releasenotes.html

wget https://github.com/boypt/openssh-rpms/archive/refs/heads/main.zip
unzip main.zip 
cd openssh-rpms-main/

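compile.sh: the build script.
el5, el6, el7: directories for CentOS 5, 6 and 7 respectively. The build parameters are controlled by openssh.spec in the SPECS directory.
The built rpm packages are placed in the RPMS directory.
pullsrc.sh: the script that downloads the OpenSSH-related sources.
version.env: defines the versions of the openssh and openssl sources.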

2. Modify the relevant configuration

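Add the --no-check-certificate option to the wget calls so that wget does not check certificates. With this option TLS certificate validation is turned off, so HTTPS no longer authenticates the downloaded tarballs.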
# grep wget pullsrc.sh 
  wget --no-check-certificate $OPENSSLMIR/$OPENSSLSRC
  wget --no-check-certificate $OPENSSHMIR/$OPENSSHSRC
  wget --no-check-certificate $ASKPASSMIR/$ASKPASSSRC

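The OpenSSH source has no build option for ssh-copy-id. If you compile and install it as is, you will find that the ssh-copy-id command is missing after installation. If you need that command, modify the build control file openssh.spec (at around line 305).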

# vim el7/SPECS/openssh.spec +305   # insert the following line
install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT/usr/bin/ssh-copy-id

At around line 388, insert the following line as well, then save and exit.

%attr(0755,root,root) %{_bindir}/ssh-copy-id

Change the OpenSSL version, otherwise the build will fail.

[root@VM-0-12-centos openssh-rpms-main]# cat version.env 
#OPENSSLSRC=openssl-3.0.11.tar.gz    # comment out this version
OPENSSLSRC=openssl-1.1.1v.tar.gz     # change to 1.1.1
OPENSSHSRC=openssh-9.4p1.tar.gz
ASKPASSSRC=x11-ssh-askpass-1.2.4.1.tar.gz
PKGREL=4

OPENSSHVER=${OPENSSHSRC%%.tar.gz}
OPENSSHVER=${OPENSSHVER##openssh-}
OPENSSLVER=${OPENSSLSRC%%.tar.gz}
OPENSSLVER=${OPENSSLVER##openssl-}

3. Install the build environment

yum groupinstall -y "Development Tools"
yum install -y imake rpm-build pam-devel krb5-devel zlib-devel libXt-devel libX11-devel gtk2-devel

4. Pull the sources to be built and packaged

# bash pullsrc.sh
# ll downloads/
total 11500
-rw-r--r-- 1 root root 1845094 Aug 10 11:15 openssh-9.4p1.tar.gz
-rw-r--r-- 1 root root 9893443 Aug  1 22:09 openssl-1.1.1v.tar.gz
-rw-r--r-- 1 root root   29229 Sep 20 08:54 x11-ssh-askpass-1.2.4.1.tar.gz
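
Because pullsrc.sh now runs wget with --no-check-certificate, the tarballs in downloads/ are not authenticated by HTTPS. The shell function below is an added example, not part of the original post or of the openssh-rpms project, that checks them against SHA-256 digests before compile.sh is run. The function name verify_downloads and the manifest name SHA256SUMS are assumptions, and the digests have to be collected separately from a source you trust.

```shell
#!/bin/sh
# Added example: verify the tarballs fetched by pullsrc.sh before building.
# Usage (names are assumptions):
#   verify_downloads downloads SHA256SUMS && bash compile.sh
# SHA256SUMS uses the sha256sum format: "<64 hex digits>  <file name>".
# Returns 0 if every *.tar.gz in DIR is listed and matches,
#         1 on an unlisted or mismatching file, 2 on bad arguments.
verify_downloads() {
    vd_dir=$1
    vd_manifest=$2
    if [ ! -d "$vd_dir" ] || [ ! -r "$vd_manifest" ]; then
        echo "usage: verify_downloads DIR MANIFEST" >&2
        return 2
    fi
    vd_rc=0
    for vd_file in "$vd_dir"/*.tar.gz; do
        # An unmatched glob stays literal, so test that the file exists.
        [ -e "$vd_file" ] || { echo "no tarballs in $vd_dir" >&2; return 2; }
        vd_name=${vd_file##*/}
        # Expected digest: field 1 of the line whose file name (field 2,
        # minus the optional "*" binary-mode marker) equals this tarball.
        vd_want=$(awk -v n="$vd_name" \
            '{ f = $2; sub(/^\*/, "", f) } f == n { print $1; exit }' \
            "$vd_manifest" | tr 'A-F' 'a-f')
        if [ -z "$vd_want" ]; then
            # A tarball nobody vouched for must not reach rpmbuild.
            echo "UNLISTED  $vd_name" >&2
            vd_rc=1
            continue
        fi
        vd_got=$(sha256sum "$vd_file" | awk '{ print $1 }')
        if [ "$vd_got" = "$vd_want" ]; then
            echo "OK        $vd_name"
        else
            echo "MISMATCH  $vd_name" >&2
            vd_rc=1
        fi
    done
    return $vd_rc
}
```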

5. Run the source packaging script

# bash compile.sh
# echo $?    # check whether the build succeeded; 0 means success
# ll el7/RPMS/x86_64/
total 15412
-rw-r--r-- 1 root root 5154360 Sep 25 22:11 openssh-9.4p1-4.el7.x86_64.rpm
-rw-r--r-- 1 root root 5181812 Sep 25 22:11 openssh-clients-9.4p1-4.el7.x86_64.rpm
-rw-r--r-- 1 root root 3911620 Sep 25 22:11 openssh-debuginfo-9.4p1-4.el7.x86_64.rpm
-rw-r--r-- 1 root root 1527116 Sep 25 22:11 openssh-server-9.4p1-4.el7.x86_64.rpm

6. Install the four files above, or push and install them in bulk with ansible

# cat update_ssh9.4.yaml 
- hosts: "{{ server_group }}"
  tasks: 

    - name: Copy OpenSSH Update file
      copy: src=files/openssh-9.4p1/{{ item }} dest=/tmp/
      with_items:
        - openssh-9.4p1-4.el7.x86_64.rpm
        - openssh-clients-9.4p1-4.el7.x86_64.rpm
        - openssh-debuginfo-9.4p1-4.el7.x86_64.rpm
        - openssh-server-9.4p1-4.el7.x86_64.rpm

    - name: Install OpenSSH
      yum: name={{ packages }} state=present
      vars:
        packages:
          - /tmp/openssh-9.4p1-4.el7.x86_64.rpm
          - /tmp/openssh-clients-9.4p1-4.el7.x86_64.rpm
          - /tmp/openssh-debuginfo-9.4p1-4.el7.x86_64.rpm
          - /tmp/openssh-server-9.4p1-4.el7.x86_64.rpm

    - name: Del History OpenSSH file
      file: path={{ item }} state=absent
      with_items:
        - /tmp/openssh-9.4p1-4.el7.x86_64.rpm
        - /tmp/openssh-clients-9.4p1-4.el7.x86_64.rpm
        - /tmp/openssh-debuginfo-9.4p1-4.el7.x86_64.rpm
        - /tmp/openssh-server-9.4p1-4.el7.x86_64.rpm
# ansible-playbook update_ssh9.4.yaml -e server_group=192.168.78.11

Note: building with openssl-3.0.11.tar.gz may fail with the following error

RPM build errors:
    Bad exit status from /var/tmp/rpm-tmp.LsYNDz (%prep)
Aborted, error 1 in command: rpmbuild -ba SPECS/openssh.spec --target $(uname -m) --define "_topdir $PWD" --define "opensslver ${OPENSSLVER}" --define "opensshver ${OPENSSHVER}" --define "opensshpkgrel ${PKGREL}" --define 'no_gtk2 1' --define 'skip_gnome_askpass 1' --define 'skip_x11_askpass 1'

Reference: https://zhuanlan.zhihu.com/p/652906168

posted @ 2023-09-26 10:04  林中龙虾