I. Upgrading to openssh 9.6p1 with rpm

cd /tmp/
wget --no-check-certificate http://vip.123pan.cn/1815238395/download/openssh/9.6/openssh-9.6p1-rpms.tar.gz
tar xzvf openssh-9.6p1-rpms.tar.gz
rpm -Uvh openssl11-libs-1.1.1k-6.el7.x86_64.rpm
rpm -Uvh openssh-9.6p1-1.el7.x86_64.rpm openssh-clients-9.6p1-1.el7.x86_64.rpm openssh-server-9.6p1-1.el7.x86_64.rpm 
chmod 600 /etc/ssh/*
wget --no-check-certificate http://vip.123pan.cn/1815238395/download/openssh/9.6/sshd.pam.txt -O /etc/pam.d/sshd
sed -i '/^PermitRootLogin/d' /etc/ssh/sshd_config
echo 'PermitRootLogin yes' >> /etc/ssh/sshd_config
systemctl restart sshd
systemctl status sshd

[Screenshot: result of the installation]

Check the results:

# Show the current ssh version
ssh -V

# List the key types the current build supports
ssh -Q key


II. How to build the rpm packages yourself

(0) Download the source code

cd /root
wget "https://mirrors.aliyun.com/openssh/portable/openssh-9.6p1.tar.gz" -O openssh-9.6p1.tar.gz
tar xzvf openssh-9.6p1.tar.gz
cd /root/openssh-9.6p1

(1) Install the rpm packaging tools

yum install -y rpmdevtools

(2) Change into a directory and use the tool just installed to generate the folders needed for the build

cd /root
rpmdev-setuptree

(3) Copy the openssh.spec file from openssh 9.6p1 into the SPECS folder

cp ./openssh-9.6p1/contrib/redhat/openssh.spec ~/rpmbuild/SPECS/openssh.spec

(3) Copy the openssh 9.6p1 source tarball into the SOURCES folder

cp /root/openssh-9.6p1.tar.gz ~/rpmbuild/SOURCES/

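(3.5) Adjustments before building
Delete the without-ssl part from openssh.spec. If openssl is not included, `ssh -Q key` may no longer support rsa, ecdsa and so on, only ed25519, and all previously deployed RSA keys will stop working. Also, do not put # comments inside the configure block; that is wrong.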

%configure \
        --sysconfdir=%{_sysconfdir}/ssh \
        --libexecdir=%{_libexecdir}/openssh \
        --datadir=%{_datadir}/openssh \
        --with-default-path=/usr/local/bin:/bin:/usr/bin \
        --with-superuser-path=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin \
        --with-privsep-path=%{_var}/empty/sshd \
        --mandir=%{_mandir} \
        --with-mantype=man \
        --disable-strip \
%if %{scard}
        --with-smartcard \
%endif
%if %{rescue}
        --without-pam \
%else
        --with-pam \
%endif
%if %{kerberos5}
         --with-kerberos5=$K5DIR \
%endif

(3.6) Build openssl

yum remove -y openssl openssl-devel
cd /root
wget https://www.openssl.org/source/old/1.1.1/openssl-1.1.1v.tar.gz -O openssl-1.1.1v.tar.gz --no-check-certificate
tar xzvf openssl-1.1.1v.tar.gz
cd openssl-1.1.1v
#./config --prefix=/usr/local/src/openssl-1.1.1v
./config --prefix=/usr
make
make install

Without this step, the build may fail because libcrypto cannot be found.

(4) Start the build

rpmbuild -bb ~/rpmbuild/SPECS/openssh.spec

Note: -ba builds both the binary and the source packages, while -bb builds only the binary packages.

III. Problems encountered

The following steps are required:

wget -O ~/rpmbuild/SOURCES/x11-ssh-askpass-1.2.4.1.tar.gz https://src.fedoraproject.org/repo/pkgs/openssh/x11-ssh-askpass-1.2.4.1.tar.gz/8f2e41f3f7eaa8543a2440454637f3c3/x11-ssh-askpass-1.2.4.1.tar.gz

yum install -y glibc-devel gtk2-devel krb5-devel imake libXt-devel gcc pam-devel


IV. After packaging completes

[Screenshot: the generated rpm files]

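Of these, openssh-9.6p1-1.el7.x86_64.rpm, openssh-clients-9.6p1-1.el7.x86_64.rpm and openssh-server-9.6p1-1.el7.x86_64.rpm are the upgrade files we normally use; just install them with rpm -Uvh.
Judging by their file names, the remaining files are related to gnome and the like. Installing them directly with rpm reports various dependency problems, so I did not bother with them.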


Handling the openssl-libs dependency problem encountered during installation

The actual installation depends on openssl; the tarball given at the start of this article already includes the openssl package.

yum reinstall --downloadonly --downloaddir=./ openssh-9.6p1-1.el7.x86_64.rpm openssh-clients-9.6p1-1.el7.x86_64.rpm openssh-server-9.6p1-1.el7.x86_64.rpm

V. Building rpms for openssh-9.8p1, and how to install them

(1) Prepare a lifeboat

# Install telnet-server and connect to the server over telnet, so that you do not lose access.
yum install -y telnet telnet-server
mv /etc/securetty /etc/securetty.bak
systemctl enable telnet.socket
systemctl start telnet.socket

(2) Build openssh-9.8 and collect the results

cd /root; rm -rf openssh-9.8*
wget "http://vip.123pan.cn/1815238395/download/openssh/9.8/openssh-9.8p1.tar.gz" -O openssh-9.8p1.tar.gz
tar xzvf openssh-9.8p1.tar.gz
cd /root/openssh-9.8p1
/bin/cp -f /root/openssh-9.8p1/contrib/redhat/openssh.spec /root/rpmbuild/SPECS/openssh.spec
rm -rvf /root/rpmbuild/SOURCES/*
/bin/cp -f /root/openssh-9.8p1.tar.gz /root/rpmbuild/SOURCES/
wget http://vip.123pan.cn/1815238395/download/openssh/9.8/x11-ssh-askpass-1.2.4.1.tar.gz -O /root/rpmbuild/SOURCES/x11-ssh-askpass-1.2.4.1.tar.gz
rpmbuild -bb /root/rpmbuild/SPECS/openssh.spec

# Download the dependencies and output the installable files
cd /root/rpmbuild/RPMS/x86_64
yum install --downloadonly --downloaddir=./ openssh-9.8p1-1.el7.x86_64.rpm openssh-clients-9.8p1-1.el7.x86_64.rpm openssh-server-9.8p1-1.el7.x86_64.rpm
tar czvf openssh-9.8p1-rpms.tar.gz *.rpm

(3) Install directly on a fresh machine, removing the existing openssh

rpm -qa | grep openssh

cd /tmp; wget http://vip.123pan.cn/1815238395/download/openssh/9.8/openssh-9.8p1-rpms.tar.gz -O openssh-9.8p1-rpms.tar.gz ; tar xzvf openssh-9.8p1-rpms.tar.gz
rpm -Uvh openssl11-libs-1.1.1k-7.el7.x86_64.rpm openssh-9.8p1-1.el7.x86_64.rpm openssh-clients-9.8p1-1.el7.x86_64.rpm openssh-server-9.8p1-1.el7.x86_64.rpm

cat <<'EOF'>/usr/lib/systemd/system/sshd.service
[Unit]
Description=OpenSSH server daemon
After=network.target sshd-keygen.service
Wants=sshd-keygen.service

[Service]
EnvironmentFile=-/etc/sysconfig/sshd
ExecStart=/sbin/sshd -D $OPTIONS
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartSec=42s

[Install]
WantedBy=multi-user.target
EOF

chmod 0600 /etc/ssh/*
systemctl daemon-reload
systemctl enable sshd
systemctl restart sshd
systemctl status sshd
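
A post-upgrade gate for the procedure above, as an added example that is not part of the original article: it checks that the new build still offers the rsa and ecdsa key types that step (3.5) warns about, and only then shuts down the telnet lifeboat from step V (1). The function names, the list of required types and the sample `ssh -Q key` output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article). Function names are hypothetical.

# Key types that must still be offered after the upgrade; rsa and ecdsa
# disappear when OpenSSH is built without OpenSSL (step 3.5).
REQUIRED_TYPES="ssh-rsa ecdsa-sha2-nistp256 ssh-ed25519"

# Constructed, abbreviated samples of `ssh -Q key` output.
SAMPLE_NO_OPENSSL='ssh-ed25519
ssh-ed25519-cert-v01@openssh.com'
SAMPLE_WITH_OPENSSL='ssh-ed25519
ssh-ed25519-cert-v01@openssh.com
ecdsa-sha2-nistp256
ssh-rsa
ssh-rsa-cert-v01@openssh.com'

# Reads `ssh -Q key` output on stdin; prints the required types that are absent.
missing_key_types() {
    listed=$(cat)
    missing=""
    for t in $REQUIRED_TYPES; do
        # -x whole line, -F literal: "ssh-rsa-cert-..." must not count as ssh-rsa
        printf '%s\n' "$listed" | grep -qxF -- "$t" || missing="$missing $t"
    done
    printf '%s' "${missing# }"
}

# Run on the upgraded host, from a second SSH session that logged in AFTER the
# restart. Stops telnet only if the config parses and no key type is missing.
close_lifeboat_if_healthy() {
    /sbin/sshd -t || { echo "sshd_config invalid; keeping telnet" >&2; return 1; }
    gone=$(ssh -Q key | missing_key_types)
    [ -z "$gone" ] || { echo "missing key types: $gone; keeping telnet" >&2; return 1; }
    systemctl is-active --quiet sshd || return 1
    systemctl stop telnet.socket
    systemctl disable telnet.socket
    # Restore the file moved aside in step V (1).
    if [ -f /etc/securetty.bak ]; then mv /etc/securetty.bak /etc/securetty; fi
}

# Demo on the constructed samples only; nothing on the host is changed here.
echo "without OpenSSL, missing: $(printf '%s\n' "$SAMPLE_NO_OPENSSL" | missing_key_types)"
echo "with OpenSSL, missing: $(printf '%s\n' "$SAMPLE_WITH_OPENSSL" | missing_key_types)"
```

Call `close_lifeboat_if_healthy` as root once a fresh SSH login has succeeded; until then the telnet session stays available as the fallback.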


Last modified: July 2, 2024