
Building an openssh-7.9p1 upgrade rpm from source with rpmbuild on CentOS 7

For work I needed to upgrade the openssh-server-7.4p1-21.el7.x86_64 package running on CentOS 7. Drawing on several online resources, I built an rpm package myself, both as a knowledge refresher and to solve the problem.

I. Preparing the CentOS 7 test environment (take a snapshot before testing)

# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
# cat /etc/redhat-release 
CentOS Linux release 7.9.2009 (Core)
# uname  -a 
Linux umail-stable 3.10.0-1160.el7.x86_64 #1 SMP Mon Oct 19 16:18:59 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

Install the build tools and dependency packages (the rpmbuild command is provided by the rpm-build package):
# yum -y install rpm-build openssh openssl openssl-devel zlib zlib-devel pam pam-devel tcp_wrappers tcp_wrappers-devel gcc gcc-c++ make automake autoconf libtool

Download the source tarball and create the build directories
# wget https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/openssh-7.9p1.tar.gz
# mkdir -p /root/rpmbuild/{SOURCES,SPECS}
# mv openssh-7.9p1.tar.gz /root/rpmbuild/SOURCES/
# cd  /root/rpmbuild/SOURCES/ && tar xf openssh-7.9p1.tar.gz && cd openssh-7.9p1

II. Building the rpm with rpmbuild

1. Following some references, first preprocess the source tree
(1) Based on the article by CSDN author HunterMichaelG and line 279 of openssh.spec, modify sshd.pam in the source tree
# vi /root/rpmbuild/SOURCES/openssh-7.9p1/contrib/redhat/openssh.spec
... ...
276 %if %{build6x}
277 install -m644 contrib/redhat/sshd.pam.old $RPM_BUILD_ROOT/etc/pam.d/sshd
278 %else
279 install -m644 contrib/redhat/sshd.pam     $RPM_BUILD_ROOT/etc/pam.d/sshd
280 %endif
... ...

# Change it to the following
#  cat /root/rpmbuild/SOURCES/openssh-7.9p1/contrib/redhat/sshd.pam
#%PAM-1.0
auth required pam_sepermit.so
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth
(2) Edit sshd_config in advance: copy line 32 to line 33 and change prohibit-password to yes
# vi /root/rpmbuild/SOURCES/openssh-7.9p1/sshd_config
... ...
 32 #PermitRootLogin prohibit-password
 33 PermitRootLogin yes
... ...
(3) Change lines 12 and 15 of openssh.spec, delete line 103 (BuildRequires: openssl-devel < 1.1), and add post-install permission handling
# sed -i -e "s/%define no_x11_askpass 0/%define no_x11_askpass 1/g" /root/rpmbuild/SOURCES/openssh-7.9p1/contrib/redhat/openssh.spec
# sed -i -e "s/%define no_gnome_askpass 0/%define no_gnome_askpass 1/g" /root/rpmbuild/SOURCES/openssh-7.9p1/contrib/redhat/openssh.spec
# sed -i '/BuildRequires: openssl-devel < 1.1/d' /root/rpmbuild/SOURCES/openssh-7.9p1/contrib/redhat/openssh.spec
# Add post-install permission handling: at line 340, after %post server, insert chmod 600 /etc/ssh/ssh_host_*_key. Run the chmod once on the build host first; if the key permissions are wrong, rpmbuild fails.
# chmod 600 /etc/ssh/ssh_host_*_key
# sed -i '/%post server/a chmod 600 /etc/ssh/ssh_host_*_key' /root/rpmbuild/SOURCES/openssh-7.9p1/contrib/redhat/openssh.spec
(4) Copy openssh.spec into the SPECS build directory
# cp -a /root/rpmbuild/SOURCES/openssh-7.9p1/contrib/redhat/openssh.spec /root/rpmbuild/SPECS/
2. Remove the downloaded tarball and re-pack the modified source tree
# cd /root/rpmbuild/SOURCES/
# rm -f openssh-7.9p1.tar.gz
# tar  zcf  openssh-7.9p1.tar.gz  -C  /root/rpmbuild/SOURCES/   openssh-7.9p1
# rm -rf  openssh-7.9p1
3. Start the build
# cd /root/rpmbuild/SPECS
# rpmbuild -bb openssh.spec
# ls /root/rpmbuild/RPMS/x86_64/ 
openssh-7.9p1-1.el7.x86_64.rpm  
openssh-clients-7.9p1-1.el7.x86_64.rpm  
openssh-debuginfo-7.9p1-1.el7.x86_64.rpm  
openssh-server-7.9p1-1.el7.x86_64.rpm
4. Upgrade test
# cd /root/rpmbuild/RPMS/x86_64/
# rpm -Uvh openssh-*
# ssh -V
OpenSSH_7.9p1, OpenSSL 1.0.2k-fips  26 Jan 2017
# Because I had modified the sshd config file earlier, the upgrade did not replace it (it left an .rpmnew file); replace it by hand
# ll /etc/ssh/sshd_config*
-rw------- 1 root root 3891 May  9  2020 /etc/ssh/sshd_config
-rw------- 1 root root 3149 Mar  1 21:45 /etc/ssh/sshd_config.rpmnew

# mv /etc/ssh/sshd_config{,-bak}
# mv /etc/ssh/sshd_config.rpmnew  /etc/ssh/sshd_config
# /etc/init.d/sshd  restart

# After the replacement, check the new config file
# egrep -v "^$|^#" /etc/ssh/sshd_config
PermitRootLogin yes
AuthorizedKeysFile	.ssh/authorized_keys
Subsystem	sftp	/usr/libexec/openssh/sftp-server

# Connected from another machine to test; no problems. It still feels a bit hacky, so I don't recommend doing this upgrade unless you have to.
# For vulnerabilities and the like, running yum update openssh sudo is enough.
# Change the default ssh port and add the bastion host to /etc/hosts.allow and /etc/hosts.deny, and you should not be getting unsolicited attention from the experts.
5. Roll back to the snapshot and rerun the test
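A post-upgrade sanity check, added here as an example and not part of the original post: it reads the effective value of a directive from sshd_config the way sshd does (the first uncommented match wins, so a leftover directive above the one you edited silently takes precedence) and verifies that every ssh_host_*_key is mode 600, the same fix the %post hook above applies. By default it runs against a constructed fixture; the /etc/ssh paths and the function names are my assumptions.

```shell
#!/bin/sh
# Post-upgrade checks for a rebuilt openssh-server rpm (added example).
# Run with --demo to exercise a constructed fixture; on a real host call
# effective_setting /etc/ssh/sshd_config <Directive> and
# check_host_key_perms /etc/ssh instead.

# Effective value of a directive: sshd uses the FIRST uncommented match,
# so "PermitRootLogin yes" above a later "PermitRootLogin no" still wins.
effective_setting() {
    # $1 = path to sshd_config, $2 = directive name (case-insensitive)
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# Every ssh_host_*_key must be mode 600 (what the %post chmod enforces);
# prints each offending file and returns 1 if any were found.
check_host_key_perms() {
    # $1 = directory holding the host keys
    rc=0
    for k in "$1"/ssh_host_*_key; do
        [ -e "$k" ] || continue
        mode=$(stat -c '%a' "$k")
        if [ "$mode" != "600" ]; then
            echo "BAD $k mode $mode"
            rc=1
        fi
    done
    return $rc
}

# Constructed fixture: a minimal sshd_config plus two fake host keys,
# one with correct and one with overly loose permissions.
make_fixture() {
    d=$(mktemp -d)
    cat > "$d/sshd_config" <<'EOF'
#PermitRootLogin prohibit-password
PermitRootLogin yes
PermitRootLogin no
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF
    : > "$d/ssh_host_rsa_key";     chmod 600 "$d/ssh_host_rsa_key"
    : > "$d/ssh_host_ed25519_key"; chmod 644 "$d/ssh_host_ed25519_key"
    echo "$d"
}

if [ "${1:-}" = "--demo" ]; then
    d=$(make_fixture)
    echo "PermitRootLogin -> $(effective_setting "$d/sshd_config" PermitRootLogin)"
    check_host_key_perms "$d" || echo "fix with: chmod 600 $d/ssh_host_*_key"
    rm -rf "$d"
fi
```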

III. References, with thanks to the authors

HunterMichaelG https://blog.csdn.net/michaelwoshi/article/details/108154328
村口王铁匠 https://www.cnblogs.com/liao-lin/p/10286722.html
独指蜗牛 https://blog.51cto.com/techsnail/2138927

posted @ 2021-03-01 22:08  后边跟上。