Original article: Upgrading OpenSSH to release 8.8
Current environment
OS version
# cat /etc/os-release
NAME="CentOS Linux"
VERSION="7 (Core)"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="7"
PRETTY_NAME="CentOS Linux 7 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:7"
HOME_URL="https://www.centos.org/"
BUG_REPORT_URL="https://bugs.centos.org/"
CENTOS_MANTISBT_PROJECT="CentOS-7"
CENTOS_MANTISBT_PROJECT_VERSION="7"
REDHAT_SUPPORT_PRODUCT="centos"
REDHAT_SUPPORT_PRODUCT_VERSION="7"
# cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)
OpenSSH version
# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
Dependencies of OpenSSH 8.8
Official documentation: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/INSTALL
OpenSSL versions required by OpenSSH 8.8:
1.0.x >= 1.0.1 or 1.1.0 >= 1.1.0g or any 1.1.1
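As an added example (not part of the original article), the POSIX sh check below encodes the OpenSSL rule quoted above and applies it to the version token that `ssh -V` reports, so the requirement can be verified on a host before the old packages are removed. The function names are my own; the rule is applied literally, so versions outside the listed series are rejected.

```shell
#!/bin/sh
# Added example, not from the original article: encode the OpenSSL requirement
# quoted above (1.0.x >= 1.0.1, or 1.1.0 >= 1.1.0g, or any 1.1.1) and apply
# it to the version string reported by `ssh -V`. Anything outside those
# series (e.g. 0.9.8 or 3.x) is rejected, matching the rule as stated.

# openssl_ok_for_openssh88 VERSION  -> exit 0 if VERSION satisfies the rule
openssl_ok_for_openssh88() {
    case "$1" in
        [0-9]*.[0-9]*.[0-9]*) ;;
        *) return 1 ;;
    esac
    num=${1%%[!0-9.]*}           # "1.0.2k-fips" -> "1.0.2"
    suffix=${1#"$num"}           # -> "k-fips"
    suffix=${suffix%%[!a-z]*}    # -> "k" (letter release only)
    major=${num%%.*}
    rest=${num#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    case "$patch" in ''|*[!0-9]*) return 1 ;; esac
    case "$major.$minor" in
        1.0) [ "$patch" -ge 1 ] && return 0 ;;           # 1.0.1 and later
        1.1)
            if [ "$patch" -eq 0 ]; then                   # 1.1.0 needs >= g
                case "$suffix" in [g-z]*) return 0 ;; esac
            elif [ "$patch" -eq 1 ]; then                 # any 1.1.1
                return 0
            fi ;;
    esac
    return 1
}

# openssl_version_from_ssh_v "BANNER" -> the OpenSSL version token in it
openssl_version_from_ssh_v() {
    printf '%s\n' "$1" | sed -n 's/.*OpenSSL \([^ ]*\).*/\1/p'
}

# Live check on this host; `ssh -V` writes its banner to stderr.
if command -v ssh >/dev/null 2>&1; then
    banner=$(ssh -V 2>&1)
    ver=$(openssl_version_from_ssh_v "$banner")
    if openssl_ok_for_openssh88 "$ver"; then
        echo "OpenSSL $ver satisfies the OpenSSH 8.8 requirement"
    else
        echo "OpenSSL '$ver' does not satisfy the OpenSSH 8.8 requirement" >&2
    fi
fi
```

Run on the CentOS 7 host shown above, the banner "OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017" yields the token 1.0.2k-fips, which passes the 1.0.x >= 1.0.1 branch.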
Upgrading OpenSSH
Compiling and installing from source
Install the build dependencies
yum install gcc zlib-devel openssl-devel pam-devel
# Building the RPM package additionally needs the following dependencies
yum install libXt-devel imake gtk2-devel krb5-devel
- Use yum to download the rpm packages to a local directory for offline use
mkdir rpm_package
yum install -y libXt-devel imake gtk2-devel krb5-devel gcc zlib-devel openssl-devel pam-devel --downloadonly --downloaddir=./rpm_package/
- Install the rpm packages offline
yum localinstall -y rpm_package/*.rpm
Back up OpenSSH-related files
- Back up the /etc/pam.d/sshd file
mkdir ~/backup
cp /etc/pam.d/sshd ~/backup/
Uninstall the old OpenSSH
yum remove openssh
This removes three packages: openssh, openssh-clients and openssh-server. The current ssh session stays open; do not log out, because you will not be able to reconnect. Alternatively, set up a telnet service beforehand.
Install the new OpenSSH version
- Download the OpenSSH source tarballs
wget --no-check-certificate https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.8p1.tar.gz
wget --no-check-certificate https://src.fedoraproject.org/repo/pkgs/openssh/x11-ssh-askpass-1.2.4.1.tar.gz/8f2e41f3f7eaa8543a2440454637f3c3/x11-ssh-askpass-1.2.4.1.tar.gz
- Extract the source tarball
tar xvf openssh-8.8p1.tar.gz -C /usr/local/src/
- Install OpenSSH over the existing files
cd /usr/local/src/openssh-8.8p1
./configure --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc/ssh --with-pam --with-zlib --with-md5-passwords
make && make install
Note: a source build installs no service management file, so sshd is not managed by service or systemd. You can add service management yourself.
Building an RPM package
Download the source tarballs OpenSSH needs
wget --no-check-certificate https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.8p1.tar.gz
wget --no-check-certificate https://src.fedoraproject.org/repo/pkgs/openssh/x11-ssh-askpass-1.2.4.1.tar.gz/8f2e41f3f7eaa8543a2440454637f3c3/x11-ssh-askpass-1.2.4.1.tar.gz
Install the dependency packages
# Download locally first, so machines without network access can install them
yum install -y rpm-build zlib-devel openssl-devel gcc perl-devel pam-devel xmkmf libXt-devel gtk2-devel make libXt-devel imake gtk2-devel --downloadonly --downloaddir=./rpm_package/
# Offline install
yum localinstall -y ./rpm_package/*.rpm
Copy the sources to the build directory
mkdir -p ~/rpmbuild/{SOURCES,SPECS}
mv openssh-8.8p1.tar.gz x11-ssh-askpass-1.2.4.1.tar.gz ~/rpmbuild/SOURCES
Back up the /etc/pam.d/sshd file
cp /etc/pam.d/sshd ~/rpmbuild/SOURCES/
Extract the source tarball and copy openssh.spec for editing
cd ~/rpmbuild/SOURCES
tar xf openssh-8.8p1.tar.gz
cp openssh-8.8p1/contrib/redhat/openssh.spec ~/rpmbuild/SPECS/
vim ~/rpmbuild/SPECS/openssh.spec
# Edit BuildRequires: comment out the openssl-devel < 1.1 line, otherwise the build fails
# Edit the %install section so that the backed-up sshd PAM file is installed
%if %{build6x}
install -m644 contrib/redhat/sshd.pam.old $RPM_BUILD_ROOT/etc/pam.d/sshd
%else
# install -m644 contrib/redhat/sshd.pam $RPM_BUILD_ROOT/etc/pam.d/sshd # comment out this original line
install -m644 $RPM_SOURCE_DIR/sshd $RPM_BUILD_ROOT/etc/pam.d/sshd # add this line
%endif
Build the rpm binary packages
cd ~/rpmbuild/SPECS/
rpmbuild -bb openssh.spec
The command above generates the .rpm binary packages under ~/rpmbuild/RPMS/. Copy the packages openssh-8.8p1-1.el7.x86_64.rpm, openssh-server-8.8p1-1.el7.x86_64.rpm and openssh-clients-8.8p1-1.el7.x86_64.rpm to the target server.
Deploy and install
yum localinstall -y openssh-8.8p1-1.el7.x86_64.rpm openssh-server-8.8p1-1.el7.x86_64.rpm openssh-clients-8.8p1-1.el7.x86_64.rpm
Note: yum localinstall removes the previously installed version; back up configuration files and anything else you need beforehand.
Configure the sshd service
# Delete the host key files; they are regenerated when the service restarts
rm -rf /etc/ssh/ssh_host_*
# Edit the sshd configuration file; with the unmodified default configuration, authentication may fail
echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
echo "UseDNS no" >> /etc/ssh/sshd_config
echo 'PubkeyAuthentication yes' >> /etc/ssh/sshd_config
echo 'PasswordAuthentication yes' >> /etc/ssh/sshd_config
echo 'UsePAM yes' >> /etc/ssh/sshd_config
# If a graphical desktop is in use and X11 forwarding is needed, add the following
echo "X11Forwarding yes" >> /etc/ssh/sshd_config
echo "X11UseLocalhost no" >> /etc/ssh/sshd_config
echo "XAuthLocation /usr/bin/xauth" >> /etc/ssh/sshd_config
# Configure systemd to manage the openssh service
cat > /usr/lib/systemd/system/sshd.service <<EOF
[Unit]
Documentation=man:systemd-sysv-generator(8)
SourcePath=/etc/rc.d/init.d/sshd
Description=SYSV: OpenSSH server daemon
[Service]
Type=forking
Restart=no
TimeoutSec=5min
IgnoreSIGPIPE=no
KillMode=process
GuessMainPID=no
RemainAfterExit=no
PIDFile=/var/run/sshd.pid
ExecStart=/etc/rc.d/init.d/sshd start
ExecStop=/etc/rc.d/init.d/sshd stop
ExecReload=/etc/rc.d/init.d/sshd reload
EOF
# Restart the sshd service and enable it at boot
systemctl daemon-reload
systemctl restart sshd
systemctl enable sshd
Verify the openssh version. To be sure the service comes up correctly at boot, it is best to reboot the server and test.
# ssh -V
OpenSSH_8.8p1, OpenSSL 1.0.2k-fips 26 Jan 2017