确认系统版本

[root@localhost ~]# cat /etc/redhat-release
Red Hat Enterprise Linux release 8.6 (Ootpa)
[root@localhost ~]# uname -a
Linux localhost.localdomain 4.18.0-372.9.1.el8.x86_64 #1 SMP Fri Apr 15 22:12:19 EDT 2022 x86_64 x86_64 x86_64 GNU/Linux

备份配置文件

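# Back up everything the upgrade replaces so that it can be rolled back.
# The suffix is month+day only, so a second run on the same day reuses the
# same backup names.
bktm=$(date +%m%d)

# Earlier source-built trees under /usr/local are moved aside (not copied).
find /usr/local -maxdepth 1 -type d -name "ssh" -exec mv {} "{}.bak_${bktm}" \;
find /usr/local -maxdepth 1 -type d -name "zlib" -exec mv {} "{}.bak_${bktm}" \;
find /usr/local -maxdepth 1 -type d -name "openssl" -exec mv {} "{}.bak_${bktm}" \;

# Packaged client/server binaries and helpers. -p keeps mode, ownership and
# timestamps, so a restored binary has the same permission bits it had before.
find /usr/bin -maxdepth 1 -type f -name "ssh*" -exec cp -p {} "{}.bak_${bktm}" \;
find /usr/bin -maxdepth 1 -type f -name "scp" -exec cp -p {} "{}.bak_${bktm}" \;
find /usr/bin -maxdepth 1 -type f -name "sftp" -exec cp -p {} "{}.bak_${bktm}" \;
find /usr/sbin -maxdepth 1 -type f -name "ssh*" -exec cp -p {} "{}.bak_${bktm}" \;
find /usr/libexec -maxdepth 1 -type f -name "ssh*" -exec cp -p {} "{}.bak_${bktm}" \;
find /usr/libexec -maxdepth 1 -type f -name "sftp-server" -exec cp -p {} "{}.bak_${bktm}" \;

# -a (archive) preserves mode, ownership, timestamps and, where supported,
# SELinux context. The /etc/ssh copy contains the host private keys, so the
# backup must stay exactly as restricted as the original directory.
cp -af /etc/ssh "/etc/ssh.bak_${bktm}"
cp -af /usr/bin/openssl "/usr/bin/openssl.bak_${bktm}"
cp -af /etc/pam.d "/etc/pam.d.bak_${bktm}"
cp -af /usr/lib/systemd/system "/usr/lib/systemd/system.bak_${bktm}"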

安装编译依赖工具包

# Compiler toolchain, the -devel headers that the zlib/OpenSSL/OpenSSH builds
# link against, the Perl modules needed by the OpenSSL build, and a few
# convenience tools (vim, wget, tar, lrzsz).
yum install -y \
  vim gcc gcc-c++ glibc make autoconf \
  openssl openssl-devel pcre-devel pam-devel zlib-devel \
  perl-IPC-Cmd perl-Pod-Html \
  wget tar lrzsz

下载升级所需的源码包

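# Fetch the three source tarballs into /usr/local/src.
# NOTE(review): the versions are pinned by this guide; check each project's
# release notes for a newer security release before building.
cd /usr/local/src
wget https://www.zlib.net/zlib-1.3.1.tar.gz
wget https://www.openssl.org/source/openssl-3.2.1.tar.gz
wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.8p1.tar.gz

# These archives become the code behind sshd and libcrypto, so verify them
# before unpacking. Print the digests and compare each one against the value
# published by the project (obtained independently of this download), and
# check the detached signature where the project provides one. Do not continue
# if a digest does not match.
sha256sum zlib-1.3.1.tar.gz openssl-3.2.1.tar.gz openssh-9.8p1.tar.gz

tar -zxvf zlib-1.3.1.tar.gz

tar -zxvf openssl-3.2.1.tar.gz

tar -zxvf openssh-9.8p1.tar.gz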

编译升级zlib

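# Build zlib into its own prefix so the distribution's zlib stays untouched.
# An absolute path is used so the step works from any directory.
cd /usr/local/src/zlib-1.3.1

ls /usr/local/

./configure --prefix=/usr/local/zlib
make -j4

make install

ls /usr/local/zlib/

# Register the library directory with the dynamic linker. The grep guard keeps
# a re-run from appending the same line a second time.
# NOTE(review): adding this directory to the global linker path may make other
# system programs load this libz as well - confirm that is acceptable.
grep -qxF '/usr/local/zlib/lib' /etc/ld.so.conf.d/zlib.conf 2>/dev/null ||
  echo '/usr/local/zlib/lib' >> /etc/ld.so.conf.d/zlib.conf

ldconfig -v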

编译升级openssl

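# Build OpenSSL 3.2.1 into /usr/local/openssl against the zlib built above.
# Absolute path: the previous step leaves the shell inside zlib-1.3.1, where a
# relative "cd openssl-3.2.1" fails.
cd /usr/local/src/openssl-3.2.1
ls
ls /usr/local/

# The flag list keeps the compiler hardening options visible below
# (_FORTIFY_SOURCE=2, -fstack-protector-strong, -fstack-clash-protection,
# -fcf-protection, --noexecstack and the redhat-hardened specs files).
# The shell strips the double quotes around the SYSTEM_CIPHERS_FILE value, so
# the macro is not defined as a C string literal.
# NOTE(review): confirm whether this source tree reads SYSTEM_CIPHERS_FILE at
# all; if it does not, the system crypto policy is not applied to this build.
./config --prefix=/usr/local/openssl --openssldir=/usr/local/openssl shared --with-zlib-include=/usr/local/zlib/include --with-zlib-lib=/usr/local/zlib/lib zlib -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -O2 -g -pipe -Wall -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -Wp,-D_GLIBCXX_ASSERTIONS -fexceptions -fstack-protector-strong -grecord-gcc-switches -specs=/usr/lib/rpm/redhat/redhat-hardened-cc1 -specs=/usr/lib/rpm/redhat/redhat-annobin-cc1 -m64 -mtune=generic -fasynchronous-unwind-tables -fstack-clash-protection -fcf-protection -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -specs=/usr/lib/rpm/redhat/redhat-hardened-ld -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DZLIB -DNDEBUG -DPURIFY -DSYSTEM_CIPHERS_FILE="/etc/crypto-policies/back-ends/openssl.config"

make -j4

make install

# Point the system-wide command and library names at the new build.
# /usr/bin/openssl is replaced by a symlink, so every caller of "openssl" now
# runs 3.2.1; the previous binary was saved in the backup step.
# NOTE(review): a later update of the distribution's openssl package may
# overwrite this symlink - re-check after patching.
ln -sf /usr/local/openssl/bin/openssl /usr/bin/openssl
ln -sf /usr/local/openssl/lib64/libssl.so.3 /usr/lib64/libssl.so.3
ln -sf /usr/local/openssl/lib64/libcrypto.so.3 /usr/lib64/libcrypto.so.3

# Register the library directory (once) and rebuild the linker cache; the
# ld.so.conf.d entry has no effect until ldconfig has run.
grep -qxF '/usr/local/openssl/lib64' /etc/ld.so.conf.d/ssl.conf 2>/dev/null ||
  echo '/usr/local/openssl/lib64' >> /etc/ld.so.conf.d/ssl.conf
ldconfig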

确认openssl版本

# openssl version -v
OpenSSL 3.2.1 30 Jan 2024 (Library: OpenSSL 3.2.1 30 Jan 2024)

编译升级openssh

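# Build OpenSSH 9.8p1 against the OpenSSL and zlib built above.
# Absolute path: the previous step leaves the shell inside openssl-3.2.1.
cd /usr/local/src/openssh-9.8p1/

# --sysconfdir=/etc/ssh makes the new sshd reuse the existing sshd_config and
# host keys; --with-pam and --with-selinux keep PAM and SELinux support in the
# new binaries.
./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-pam --with-ssl-dir=/usr/local/openssl/ --with-zlib=/usr/local/zlib --with-ssl-engine --with-selinux

make -j4

# Restrict the host private keys to their owner before installing: upstream
# sshd refuses to load a private host key that group or others can read.
# The *key glob does not match the *.pub files.
chmod 600 /etc/ssh/*key
make install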

配置sshd服务

# Keep a copy of the PAM stack for sshd, then install the init script shipped
# in the OpenSSH source tree. The relative path assumes the current directory
# is still the openssh-9.8p1 source directory.
cp /etc/pam.d/sshd /etc/pam.d/sshd.bak
cp contrib/redhat/sshd.init /etc/init.d/sshd

# Replace the packaged client tools with symlinks to the new build.
for tool in ssh ssh-add ssh-agent ssh-copy-id ssh-keygen ssh-keyscan scp sftp; do
  ln -sf "/usr/local/openssh/bin/${tool}" "/usr/bin/${tool}"
done

# The daemon itself.
ln -sf /usr/local/openssh/sbin/sshd /usr/sbin/sshd

# Helper programs that ssh/sshd execute.
for helper in ssh-keysign ssh-pkcs11-helper sftp-server; do
  ln -sf "/usr/local/openssh/libexec/${helper}" "/usr/libexec/${helper}"
done

# Register the init script and enable it at boot.
# NOTE(review): on a systemd host the packaged sshd unit may still exist next
# to this init script - confirm which of the two actually manages the daemon.
ll /etc/init.d/
chkconfig --add sshd
chkconfig sshd on

# Append three directives to the end of sshd_config.
# sshd uses the first value it obtains for each keyword, so an appended line
# only takes effect when the keyword is not already set earlier in the file.
# Check the effective settings with "sshd -T" instead of assuming they apply.
#
# NOTE(review): "PermitRootLogin yes" together with "PasswordAuthentication
# yes" exposes the root account to password guessing on every reachable
# interface. Prefer key-based logins with "PermitRootLogin prohibit-password"
# (or "no") and re-evaluate these lines once the upgrade has been verified.
printf '%s\n' \
  'PermitRootLogin yes' \
  'PasswordAuthentication yes' \
  'UsePAM yes' >> /etc/ssh/sshd_config


注释掉 GSSAPI 相关配置(包括 GSSAPIKexAlgorithms)
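# Reuse the backup suffix from the backup step; fall back to today's date when
# this is run in a fresh shell where bktm is unset, so the in-place backups do
# not end up with a bare ".bak_" suffix.
bktm=${bktm:-$(date +%m%d)}

# Comment out every directive that starts with "GSSAPI" in sshd_config.
sed -i".bak_${bktm}" 's/^GSSAPI/#GSSAPI/g' /etc/ssh/sshd_config

# Uncomment lines that start with "# CRYPTO_POLICY" in /etc/sysconfig/sshd.
# NOTE(review): this presumably opts sshd out of the system-wide crypto
# policy; confirm the resulting algorithm set with "sshd -T" against your
# baseline.
sed -i".bak_${bktm}" 's/^# CRYPTO_POLICY/CRYPTO_POLICY/g' /etc/sysconfig/sshd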

重启SSHD服务

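# Validate the configuration and host keys first; restart only when the check
# passes, so a broken sshd_config cannot take the running service down.
# Keep the current session open and confirm a new login from a second terminal
# before closing it.
/usr/sbin/sshd -t && /etc/init.d/sshd restart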