1.首先给云主机以及块存储的系统盘、数据盘打快照;然后打开两个终端:一个用于操作和测试,另一个保持已登录的会话不退出,防止升级过程中 sshd 出问题后无法再登录
2.查看系统环境
[root@localhost openssl-3.1.0]# hostnamectl
Static hostname: localhost.localdomain
Icon name: computer-vm
Chassis: vm
Machine ID: 95d38b45186d4efab7be029c546774ba
Boot ID: 1c96300c538c435a84ead1959e5983a8
Virtualization: vmware
Operating System: CentOS Linux 7 (Core)
CPE OS Name: cpe:/o:centos:centos:7
Kernel: Linux 3.10.0-1160.el7.x86_64
Architecture: x86-64
3.查看软件版本
[root@localhost ~]# rpm -qa | egrep -i 'openssl|openssh'
openssh-clients-7.4p1-21.el7.x86_64
openssl-libs-1.0.2k-19.el7.x86_64
xmlsec1-openssl-1.2.20-7.el7_4.x86_64
openssh-7.4p1-21.el7.x86_64
openssh-server-7.4p1-21.el7.x86_64
openssl-1.0.2k-19.el7.x86_64
4.在通网的机器下载好依赖
[root@localhost openssl-3.1.0]# yum install yum-plugin-downloadonly -y
安装openssl需要的依赖包
[root@localhost openssl-3.1.0]# yum install --downloadonly --downloaddir=/tmp/rpms/perl perl-IPC-Cmd perl-Test-Simple
[root@localhost openssl-3.1.0]# yum localinstall /tmp/rpms/perl/*.rpm -y
安装编译所需的 C/C++ 编译器
[root@localhost openssl-3.1.0]# yum install --downloadonly --downloaddir=/tmp/rpms/gcc gcc gcc-c++
[root@localhost openssl-3.1.0]# yum localinstall /tmp/rpms/gcc/*.rpm -y
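安装openssh需要的依赖包(注意:系统中的 rpm、yum、sshd 等程序通常都动态链接 libz;用 --nodeps 卸载 zlib 之前,应先把 zlib 的 rpm 包下载到本地并确认可以重新安装,否则卸载后 yum 可能无法运行)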
[root@localhost openssh-9.3p1]# rpm -e --nodeps zlib-1.2.7-21.el7_9.x86_64 zlib-devel-1.2.7-21.el7_9.x86_64
[root@localhost openssl-3.1.0]# yum install --downloadonly --downloaddir=/tmp/rpms/zlib zlib zlib-devel
[root@localhost openssl-3.1.0]# yum localinstall /tmp/rpms/zlib/*.rpm -y
5.下载好源码(注意:--no-check-certificate 会跳过 TLS 证书校验,下载到的源码包可能被中间人替换;解压和编译之前,应使用官方发布的 SHA256 校验值或 PGP 签名核对源码包)
[root@localhost ~]# cd /usr/src/
[root@localhost ~]# yum install -y wget
[root@localhost src]# wget https://www.openssl.org/source/openssl-3.1.0.tar.gz --no-check-certificate
[root@localhost src]# tar -zvxf openssl-3.1.0.tar.gz
[root@localhost src]# wget https://mirrors.aliyun.com/pub/OpenBSD/OpenSSH/portable/openssh-9.3p1.tar.gz --no-check-certificate
[root@localhost src]# tar -zvxf openssh-9.3p1.tar.gz
6.因为openssl为openssh所依赖,我们先编译安装openssl
[root@localhost src]# cd /usr/src/openssl-3.1.0
[root@localhost src]# ./config
执行编译安装,时间大概十分钟
[root@localhost src]# make && make tests && make install
创建指向 libssl 和 libcrypto 的符号链接:
[root@localhost openssl-3.1.0]# ln -s /usr/local/lib64/libssl.so.3 /usr/lib64/libssl.so.3
[root@localhost openssl-3.1.0]# ln -s /usr/local/lib64/libcrypto.so.3 /usr/lib64/libcrypto.so.3
新开一个终端查看版本
[root@localhost openssl-3.1.0]# openssl version
OpenSSL 3.1.0 14 Mar 2023 (Library: OpenSSL 3.1.0 14 Mar 2023)
7.安装openssh
备份openssh文件和pam文件
[root@localhost openssh-9.3p1]# cp -r -a /etc/ssh/ /etc/ssh.bak/
[root@localhost openssh-9.3p1]# cp -r -a /etc/pam.d/ /etc/pam.d.bak/
编译安装openssh
[root@localhost ~]# cd /usr/src/openssh-9.3p1
[root@localhost openssh-9.3p1]# ./configure --prefix=/usr/local/openssh --with-ssl-dir=/usr/local/ssl
[root@localhost openssh-9.3p1]# make && make tests
新开一个终端看ssh版本(上一步只执行了编译和测试;需要先执行 make install,并且新安装的 ssh 在 PATH 中,这里才会显示新版本)
[root@localhost ~]# ssh -V
OpenSSH_9.3p1, OpenSSL 3.1.0 14 Mar 2023
8.打rpm包:省去在每台服务器上编译的时间并节约服务器资源,便于用ansible批量部署
#### '、'嘿嘿,打openssl rpm
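#!/bin/bash
# Build OpenSSL 3.1.0 RPMs (openssl and openssl-devel) with rpmbuild.
#
# Intended to run as root on the build host: it installs build tools with
# yum and removes the distribution "openssl" package from that host.
#
# Optional environment:
#   OPENSSL_SHA256  Expected SHA-256 of the source tarball, obtained from a
#                   trusted channel. When set, the download is verified and
#                   the build aborts on mismatch. When unset, a warning is
#                   printed and the build continues unverified.

# Stop on the first failing command, on unset variables and on pipeline errors.
set -euo pipefail
# Echo the script text as it is read.
set -v

readonly version="3.1.0"
readonly tarball="openssl-${version}.tar.gz"
readonly workdir="${HOME}/openssl"
readonly topdir="${HOME}/rpmbuild"

# mkdir -p plus a separate cd: in "mkdir X && cd X" a failing mkdir (for
# example because the directory already exists) is not caught by set -e, and
# the script would carry on in whatever directory it was started from.
mkdir -p "${workdir}"
cd "${workdir}"

yum -y install \
  curl \
  which \
  make \
  gcc \
  perl \
  perl-WWW-Curl \
  rpm-build \
  perl-IPC-Cmd

# NOTE(review): this removes the distribution openssl package from the build
# host itself; run the build on a dedicated machine, not on a production host.
yum -y remove openssl

# Download the source. --fail makes an HTTP error abort the script instead of
# saving the error page as the tarball; --location follows redirects.
curl --fail --location --silent --show-error -O \
  "https://www.openssl.org/source/${tarball}"

# Verify the tarball before it is built and packaged as root.
if [[ -n "${OPENSSL_SHA256:-}" ]]; then
  printf '%s  %s\n' "${OPENSSL_SHA256}" "${tarball}" | sha256sum -c -
else
  printf 'warning: OPENSSL_SHA256 is not set; %s was not verified\n' \
    "${tarball}" >&2
fi

# Write the SPEC file. The quoted 'EOF' keeps the shell from expanding
# anything inside it; all macros are left for rpmbuild.
cat << 'EOF' > "${HOME}/openssl/openssl3.spec"
Summary: OpenSSL 3.1.0 for Centos
Name: openssl
Version: %{?version}%{!?version:3.1.0}
Release: 1%{?dist}
Obsoletes: %{name} <= %{version}
Provides: %{name} = %{version}
URL: https://www.openssl.org/
# OpenSSL 3.x is distributed under the Apache License 2.0, not the GPL.
License: ASL 2.0
Source: https://www.openssl.org/source/%{name}-%{version}.tar.gz
BuildRequires: make gcc perl perl-WWW-Curl
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
%global openssldir /usr/openssl
%description
https://github.com/philyuchkoff/openssl-RPM-Builder
OpenSSL RPM for version 3.1.0 on CentOS
%package devel
Summary: Development files for programs which will use the openssl library
Group: Development/Libraries
Requires: %{name} = %{version}-%{release}
%description devel
OpenSSL RPM for version 3.1.0 on CentOS (development package)
%prep
%setup -q
%build
# Pin the library directory to "lib": on x86_64 the default is lib64, which
# would leave the symlinks created in the install section dangling.
./config --prefix=%{openssldir} --openssldir=%{openssldir} --libdir=lib
make
%install
[ "%{buildroot}" != "/" ] && %{__rm} -rf %{buildroot}
%make_install
mkdir -p %{buildroot}%{_bindir}
mkdir -p %{buildroot}%{_libdir}
# OpenSSL 3.x builds libssl.so.3 and libcrypto.so.3; the .so.1.1 names belong
# to the 1.1.x series and do not exist in this build.
ln -sf %{openssldir}/lib/libssl.so.3 %{buildroot}%{_libdir}
ln -sf %{openssldir}/lib/libcrypto.so.3 %{buildroot}%{_libdir}
ln -sf %{openssldir}/bin/openssl %{buildroot}%{_bindir}
%clean
[ "%{buildroot}" != "/" ] && %{__rm} -rf %{buildroot}
%files
%defattr(-,root,root)
%{openssldir}
%{_bindir}/openssl
%{_libdir}/libcrypto.so.3
%{_libdir}/libssl.so.3
%files devel
%defattr(-,root,root)
%{openssldir}/include/*
%post -p /sbin/ldconfig
%postun -p /sbin/ldconfig
EOF

# Create the rpmbuild tree, copy the spec into it and move the source there.
mkdir -p "${topdir}"/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
cp "${workdir}/openssl3.spec" "${topdir}/SPECS/openssl.spec"
mv "${tarball}" "${topdir}/SOURCES"

# Build the binary and source RPMs.
cd "${topdir}/SPECS"
rpmbuild \
  -D "version ${version}" \
  -ba openssl.spec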
[root@xxx tmp]# find openssh-9.3p1/ -name "*spec*"
openssh-9.3p1/contrib/redhat/openssh.spec
openssh-9.3p1/contrib/suse/openssh.spec