Building openssh + openssl RPMs and installing them

1. Overview

In day-to-day operations we frequently have to upgrade openssh and openssl to patch vulnerabilities, and in the current climate this will be an ongoing process, so this document records how the RPMs are built and how they are installed.

Points that must be understood:

On the operating system versions tested here, openssh on both 6 and 7 has relatively few dependencies from the system and other packages, so it can be completely removed and reinstalled. openssl, however, is in practice installed as a new, parallel branch: the old critical lib files and the packages that depend on them are not removed. That is as far as we can go for now; testing has been limited and further verification is needed later.

Reference links:

https://my.oschina.net/u/4308002/blog/4914897

https://www.cnblogs.com/michael-xiang/p/10480809.html

https://rpm-packaging-guide.github.io/#_new_features_of_rpm_in_rhel_7

Environment

Before upgrade (rpmbuild host / pre-upgrade environment):

  IP                OS               Kernel       openssh  openssl  zlib      pam       glibc
  192.225.119.180   centos-7.4.1708  3.10.0-693   7.4      1.0.2K   1.2.7-18  1.1.8-18  2.17-196
  192.225.119.191   Redhat-6.9       2.6.32-696   5.3      1.0.1e   1.2.3-29  1.1.1-24  2.12-1.209

After upgrade:

  IP                OS               Kernel       openssh  openssl  zlib      pam       glibc
  192.225.119.180   centos-7.4.1708  3.10.0-693   8.6      1.1.1k   1.2.7-18  1.1.8-18  2.17-196
  192.225.119.191   Redhat-6.9       2.6.32-696   8.6      1.1.1k   1.2.3-29  1.1.1-24  2.12-1.209

2. openssl

2.1 Building and installing on CentOS 7.4

2.1.1 Building

Preparation before building

① Configure the yum repository. This document uses a 7.4 system and the internal network already has a yum mirror, which can be configured directly in /etc/yum.repos.d/remote.repo:

[remote]
name=RedHat7.4 Enterprise Linux base
baseurl=http://192.224.103.39/7.4
enabled=1
gpgcheck=0

② Upload the corresponding source tarball to /root.

③ The RPM installs into /usr/local/newopenssl/openssl111k.

④ After build_openssl.sh has run, the generated RPM is in /root/rpmbuild/RPMS/x86_64.

⑤ Use rpm -qpi openssl-1.1.1k-1.el7.centos.x86_64.rpm to view the details of the built package.

Writing the RPM build script

build_openssl7.sh

#!/bin/bash

# exit as soon as any command returns a non-zero status
set -e

# echo each line of the script as it is executed
set -v

# run as root by default, starting from /root (-p so a re-run does not abort on an existing directory)
mkdir -p ~/openssl && cd ~/openssl

# install build dependencies
# note: perl-WWW-Curl is a special case; it is usually absent from the repo and has to be installed separately, so it is not handled here. Install it yourself with rpm -ivh perl-WWW-Curl
yum -y install \
    curl \
    which \
    make \
    gcc \
    perl \
    rpm-build \
    pam \
    pam-devel \
    zlib \
    zlib-devel \
    openssl \
    openssl-devel

# remove the old openssl up front
yum -y remove openssl

# Get openssl tarball
#curl -O --silent https://www.openssl.org/source/openssl-1.1.1k.tar.gz

# SPEC file
cat << 'EOF' > ~/openssl/openssl.spec
Summary: OpenSSL 1.1.1k for Centos
Name: openssl
Version: %{?version}%{!?version:1.1.1k}
Release: 1%{?dist}
Obsoletes: %{name} <= %{version}
Provides: %{name} = %{version}
URL: https://www.openssl.org/
License: GPLv2+
Source: https://www.openssl.org/source/%{name}-%{version}.tar.gz
BuildRequires: make gcc perl perl-WWW-Curl
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
%global openssldir /usr/local/newopenssl/openssl111k
%description
2021年5月10日
OpenSSL RPM for version 1.1.1k on Centos
%package devel
Summary: Development files for programs which will use the openssl library
Group: Development/Libraries
Requires: %{name} = %{version}-%{release}
%description devel
OpenSSL RPM for version 1.1.1k on Centos (development package)
%prep
%setup -q
%build
./config --prefix=%{openssldir} --openssldir=%{openssldir}
make -j4
%install
[ "%{buildroot}" != "/" ] && %{__rm} -rf %{buildroot}
%make_install
mkdir -p %{buildroot}%{_bindir}
mkdir -p %{buildroot}%{_libdir}
ln -sf %{openssldir}/lib/libssl.so.1.1 %{buildroot}%{_libdir}
ln -sf %{openssldir}/lib/libcrypto.so.1.1 %{buildroot}%{_libdir}
ln -sf %{openssldir}/bin/openssl %{buildroot}%{_bindir}
%clean
[ "%{buildroot}" != "/" ] && %{__rm} -rf %{buildroot}
%files
%{openssldir}
%defattr(-,root,root)
/usr/bin/openssl
/usr/lib64/libcrypto.so.1.1
/usr/lib64/libssl.so.1.1
%files devel
%{openssldir}/include/*
%defattr(-,root,root)
%post -p /sbin/ldconfig
%postun -p /sbin/ldconfig
EOF

mkdir -p /root/rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
cp ~/openssl/openssl.spec /root/rpmbuild/SPECS/openssl.spec

mv /root/openssl-1.1.1k.tar.gz /root/rpmbuild/SOURCES
cd /root/rpmbuild/SPECS && \
    rpmbuild \
    -D "version 1.1.1k" \
    -ba openssl.spec

# For install:  rpm -ivvh /root/rpmbuild/RPMS/x86_64/openssl-1.1.1k-1.el7.x86_64.rpm --nodeps
# Verify install:  rpm -qa openssl
#                  openssl version -a

2.1.2 Installing

① Back up the existing openssl binary

mv /usr/bin/openssl /usr/bin/opensslbak
#cp /usr/local/openssl111/bin/openssl /usr/bin/openssl

② Back up the critical library files libssl.so.10 and libcrypto.so.10. These two files must be backed up so that they can be restored directly if something goes wrong.

# create the backup directory; if that succeeds, record the current listing and copy the real library files
if mkdir -p /home/libfilebak/; then
    ls -al /usr/lib64/libcrypto* >>/home/libfilebak/libfile.txt
    ls -al /usr/lib64/libssl*    >>/home/libfilebak/libfile.txt
    cp /usr/lib64/libcrypto.so.1.0.2k /home/libfilebak
    cp /usr/lib64/libssl.so.1.0.2k   /home/libfilebak
else
    echo "failed"
fi

③ Install

#yum remove openssl     ## on 7, openssl can be removed directly with yum, but that also removes the authconfig package, which must be reinstalled afterwards; alternatively remove openssl directly with rpm
rpm -ivvh openssl-1.1.1k-1.el7.centos.x86_64.rpm --nodeps

#openssl-devel-1.1.1k-1.el7.centos.x86_64.rpm can be skipped for now

④ Check ld.so.conf

cat /etc/ld.so.conf
echo "/usr/local/newopenssl/openssl111k/lib" >> /etc/ld.so.conf
# rebuild the loader cache so the new directory takes effect
ldconfig

⑤ Add the library symlinks; check whether they already exist first

ln -sf /usr/local/newopenssl/openssl111k/lib/libssl.so.1.1 /usr/lib64/libssl.so.1.1
ln -sf /usr/local/newopenssl/openssl111k/lib/libcrypto.so.1.1 /usr/lib64/libcrypto.so.1.1

2.2 Building and installing on RedHat 6.9

2.2.1 Building

Preparation before building

① Configure the yum repository. This document uses a 6.9 system and the internal network already has a yum mirror, which can be configured directly in /etc/yum.repos.d/remote.repo:

[remote]
name=RedHat6.9 Enterprise Linux base
baseurl=http://192.224.103.39/6.9
enabled=1
gpgcheck=0

② Upload the corresponding source tarball to /root.

③ The RPM installs into /usr/local/newopenssl/openssl111k.

④ After build_openssl.sh has run, the generated RPM is in /root/rpmbuild/RPMS/x86_64.

⑤ Use rpm -qpi openssl-1.1.1k-1.el6.x86_64.rpm to view the details of the built package.

Writing the RPM build script

build_openssl6.sh

#!/bin/bash
# exit as soon as any command returns a non-zero status
set -e

# echo each line of the script as it is executed
set -v

# download the source tarball if it is not already present
if [[ ! -f "/root/openssl-1.1.1k.tar.gz" ]];then
  wget -O /root/openssl-1.1.1k.tar.gz https://www.openssl.org/source/openssl-1.1.1k.tar.gz
fi

# create the build directory and change into it (-p so a re-run does not abort on an existing directory)
mkdir -p ~/openssl && cd ~/openssl
yum -y install \
    curl \
    which \
    make \
    gcc \
    perl \
    rpm-build \
    pam \
    pam-devel \
    zlib \
    zlib-devel \
    openssl* \
    openssl-devel

# remove the original package: on 6 many packages depend on openssl, so it cannot be removed with yum directly; use rpm --nodeps instead. The build differs slightly between versions
#rpm -e openssl-1.0.1e-57.el6.x86_64 --nodeps
# Get openssl tarball
if [[ ! -f "./openssl-1.1.1k.tar.gz" ]];then
  cp /root/openssl-1.1.1k.tar.gz ./
fi

# SPEC file
cat << 'EOF' > ~/openssl/openssl.spec
Summary: OpenSSL 1.1.1k for Centos
Name: openssl
Version: %{?version}%{!?version:1.1.1k}
Release: 1%{?dist}
Obsoletes: %{name} <= %{version}
Provides: %{name} = %{version}
URL: https://www.openssl.org/
License: GPLv2+

Source: https://www.openssl.org/source/%{name}-%{version}.tar.gz

BuildRequires: make gcc perl perl-WWW-Curl
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
%global openssldir /usr/local/newopenssl/openssl111k

%description
OpenSSL RPM for version 1.1.1k on Centos

%package devel
Summary: Development files for programs which will use the openssl library
Group: Development/Libraries
Requires: %{name} = %{version}-%{release}

%description devel
OpenSSL RPM for version 1.1.1k on Centos (development package)

%prep
%setup -q

%build
./config --prefix=%{openssldir} --openssldir=%{openssldir}
make -j4

%install
[ "%{buildroot}" != "/" ] && %{__rm} -rf %{buildroot}
%make_install

mkdir -p %{buildroot}%{_bindir}
mkdir -p %{buildroot}%{_libdir}
ln -sf %{openssldir}/lib/libssl.so.1.1 %{buildroot}%{_libdir}
ln -sf %{openssldir}/lib/libcrypto.so.1.1 %{buildroot}%{_libdir}
ln -sf %{openssldir}/bin/openssl %{buildroot}%{_bindir}

%clean
[ "%{buildroot}" != "/" ] && %{__rm} -rf %{buildroot}

%files
%{openssldir}
%defattr(-,root,root)
/usr/bin/openssl
/usr/lib64/libcrypto.so.1.1
/usr/lib64/libssl.so.1.1

%files devel
%{openssldir}/include/*
%defattr(-,root,root)

%post -p /sbin/ldconfig

%postun -p /sbin/ldconfig
EOF

mkdir -p /root/rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
cp ~/openssl/openssl.spec /root/rpmbuild/SPECS/openssl.spec

mv openssl-1.1.1k.tar.gz /root/rpmbuild/SOURCES
cd /root/rpmbuild/SPECS && \
    rpmbuild \
    -D "version 1.1.1k" \
    -ba openssl.spec

# Before uninstall, check the current openssl:   rpm -qa openssl
# Uninstall current openssl version : yum -y remove openssl
# For install (on 6 the dist tag is el6):  rpm -ivvh /root/rpmbuild/RPMS/x86_64/openssl-1.1.1k-1.el6.x86_64.rpm --nodeps
# or rpm -Uvh openssl-1.1.1k-1.el6.x86_64.rpm --nodeps --force
# Verify install:  rpm -qa openssl
#                  openssl version

2.2.2 Installing

① Back up the existing openssl binary

mv /usr/bin/openssl /usr/bin/opensslbak
#cp /usr/local/openssl111/bin/openssl /usr/bin/openssl

② Back up the critical library files. This is the critical step: these two files must be backed up so that they can be restored directly if something goes wrong.

# create the backup directory; if that succeeds, record the current listing and copy the real library files
if mkdir -p /home/libfilebak/; then
    ls -al /usr/lib64/libcrypto* >>/home/libfilebak/libfile.txt
    ls -al /usr/lib64/libssl*    >>/home/libfilebak/libfile.txt
    cp /usr/lib64/libcrypto.so.1.0.1e /home/libfilebak
    cp /usr/lib64/libssl.so.1.0.1e   /home/libfilebak
else
    echo "failed"
fi

③ Install

#yum remove openssl     ## on 7, openssl can be removed directly with yum, but that also removes the authconfig package, which must be reinstalled afterwards; alternatively remove openssl directly with rpm
rpm -e openssl-1.0.1e-57.el6.x86_64 --nodeps
rpm -ivh openssl-1.1.1k-1.el6.x86_64.rpm
rpm -Uvh openssl-debuginfo-1.1.1k-1.el6.x86_64.rpm
rpm -ivh openssl-devel-1.1.1k-1.el6.x86_64.rpm

④ Check ld.so.conf

cat /etc/ld.so.conf
echo "/usr/local/newopenssl/openssl111k/lib" >> /etc/ld.so.conf
# rebuild the loader cache so the new directory takes effect
ldconfig

⑤ Add the library symlinks; check whether they already exist first

ln -sf /usr/local/newopenssl/openssl111k/lib/libssl.so.1.1 /usr/lib64/libssl.so.1.1
ln -sf /usr/local/newopenssl/openssl111k/lib/libcrypto.so.1.1 /usr/lib64/libcrypto.so.1.1
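The install steps in 2.1.2 and 2.2.2 (back up the old libcrypto/libssl, register the new lib directory in ld.so.conf, create the /usr/lib64 symlinks) are given above as one-off commands. The following is an added example, not part of the original document, that writes the same steps as functions taking their paths as parameters, plus the restore step the text mentions but does not show. It rehearses everything in a scratch directory with constructed dummy library files; the real-host values from the document would be LIBDIR=/usr/lib64, BAKDIR=/home/libfilebak, NEWPREFIX=/usr/local/newopenssl/openssl111k and LDCONF=/etc/ld.so.conf.

```shell
#!/bin/bash
# Added example (not from the original document): the 2.x.2 install steps as
# parameterised functions, so the logic can be exercised against a scratch
# directory before it is run against a real host.
set -u

# backup_ssl_libs LIBDIR BAKDIR: copy the real libcrypto/libssl files (the
# *.so.10 names are only symlinks to them) and keep the full listing for reference.
backup_ssl_libs() {
    local libdir=$1 bakdir=$2 f
    mkdir -p "$bakdir" || return 1
    ls -al "$libdir"/libcrypto* "$libdir"/libssl* >> "$bakdir/libfile.txt" 2>/dev/null
    for f in "$libdir"/libcrypto* "$libdir"/libssl*; do
        [ -f "$f" ] && [ ! -L "$f" ] && cp -p "$f" "$bakdir/"
    done
    # fail loudly if nothing was saved instead of reporting a "backup" of nothing
    ls "$bakdir"/libcrypto.so.* >/dev/null 2>&1
}

# restore_ssl_libs LIBDIR BAKDIR: put the saved files back and re-point the
# generic .so.10 symlinks at them (the 1.0.x naming used on RHEL/CentOS 6 and 7).
restore_ssl_libs() {
    local libdir=$1 bakdir=$2 f base
    for f in "$bakdir"/libcrypto.so.* "$bakdir"/libssl.so.*; do
        [ -f "$f" ] || continue
        base=$(basename "$f")
        cp -p "$f" "$libdir/$base" || return 1
        ln -sf "$base" "$libdir/${base%%.so.*}.so.10"
    done
}

# add_ld_conf_path LDCONF DIR: append DIR only if it is not already listed,
# so re-running the procedure does not accumulate duplicate lines.
add_ld_conf_path() {
    local conf=$1 dir=$2
    grep -qxF "$dir" "$conf" 2>/dev/null || printf '%s\n' "$dir" >> "$conf"
}

# link_new_libs NEWPREFIX LIBDIR: create the libssl.so.1.1 / libcrypto.so.1.1
# symlinks, refusing to clobber a regular file that already exists there.
link_new_libs() {
    local prefix=$1 libdir=$2 name target
    for name in libssl.so.1.1 libcrypto.so.1.1; do
        target=$libdir/$name
        if [ -e "$target" ] && [ ! -L "$target" ]; then
            echo "refusing to replace regular file $target" >&2
            return 1
        fi
        ln -sf "$prefix/lib/$name" "$target" || return 1
    done
}

# Rehearsal in a scratch directory with constructed dummy libraries.
demo_openssl_install_steps() {
    local work libdir bakdir prefix ldconf
    work=$(mktemp -d) || return 1
    libdir=$work/lib64 bakdir=$work/libfilebak prefix=$work/openssl111k ldconf=$work/ld.so.conf
    mkdir -p "$libdir" "$prefix/lib"
    printf 'old libcrypto' > "$libdir/libcrypto.so.1.0.2k"
    printf 'old libssl'    > "$libdir/libssl.so.1.0.2k"
    ln -s libcrypto.so.1.0.2k "$libdir/libcrypto.so.10"
    ln -s libssl.so.1.0.2k    "$libdir/libssl.so.10"
    printf 'new libcrypto' > "$prefix/lib/libcrypto.so.1.1"
    printf 'new libssl'    > "$prefix/lib/libssl.so.1.1"

    backup_ssl_libs "$libdir" "$bakdir" || return 1
    grep -q 'libcrypto.so.10 ->' "$bakdir/libfile.txt" || return 1
    add_ld_conf_path "$ldconf" "$prefix/lib"; add_ld_conf_path "$ldconf" "$prefix/lib"
    [ "$(grep -c . "$ldconf")" -eq 1 ] || return 1
    link_new_libs "$prefix" "$libdir" || return 1
    [ "$(cat "$libdir/libssl.so.1.1")" = "new libssl" ] || return 1

    # simulate a rollback after the old files were removed
    rm -f "$libdir"/libcrypto.so.1.0.2k "$libdir"/libssl.so.1.0.2k "$libdir"/*.so.10
    restore_ssl_libs "$libdir" "$bakdir" || return 1
    [ "$(cat "$libdir/libcrypto.so.10")" = "old libcrypto" ] || return 1
    rm -rf "$work"
}

demo_openssl_install_steps && echo "install-step rehearsal OK"
```

The two differences from the commands in the document are deliberate: add_ld_conf_path will not add a second copy of the lib directory when the procedure is run twice, and link_new_libs stops rather than silently replacing a regular file, which is the check the "confirm whether it exists first" note in step ⑤ asks for.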

3. openssh

3.1 Building the openssh RPM on CentOS 7.4

3.1.1 Building

① If an rpmbuild directory already exists under /root, rename it; the script below also generates into /root/rpmbuild by default.

② Configure the yum repository as in 2.1.1.

build_openssh7.sh

#!/bin/bash
# echo each command and exit immediately on the first error
set -ev

# install build dependencies
yum install rpm-build zlib zlib-devel openssl-devel gcc* perl-devel pam  pam-devel unzip libXt-devel  imake  gtk2-devel krb5*  -y

# create directories
mkdir -p /root/rpmbuild/{SOURCES,SPECS}
cd /root/rpmbuild/SOURCES

# download the openssh tarball; without internet access, upload it directly
if [[ ! -f "openssh-8.6p1.tar.gz" ]];then
    wget -c https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.6p1.tar.gz
fi

# same as above
if [[ ! -f "x11-ssh-askpass-1.2.4.1.tar.gz" ]];then
    wget https://src.fedoraproject.org/repo/pkgs/openssh/x11-ssh-askpass-1.2.4.1.tar.gz/8f2e41f3f7eaa8543a2440454637f3c3/x11-ssh-askpass-1.2.4.1.tar.gz
fi

# extract only the spec file from the tarball
tar -zxvf openssh-8.6p1.tar.gz openssh-8.6p1/contrib/redhat/openssh.spec
mv openssh-8.6p1/contrib/redhat/openssh.spec ../SPECS/

# set ownership, keep a pristine copy, and modify the spec
chown sshd:sshd /root/rpmbuild/SPECS/openssh.spec
cp /root/rpmbuild/SPECS/openssh.spec /root/rpmbuild/SPECS/openssh.spec_def
sed -i -e "s/%global no_gnome_askpass 0/%global no_gnome_askpass 1/g" /root/rpmbuild/SPECS/openssh.spec
# if you want to install sshpass
#sed -i -e "s/%global no_x11_askpass 0/%global no_x11_askpass 1/g" /root/rpmbuild/SPECS/openssh.spec
sed -i -e "s/^BuildRequires: openssl-devel < 1.1/#BuildRequires: openssl-devel < 1.1/g" /root/rpmbuild/SPECS/openssh.spec

# point configure at the new openssl installation
sed -i -e '/with-privsep-path/a\        --with-openssl-includes=/usr/local/newopenssl/openssl111k/include/openssl  \\\n        --with-ssl-dir=/usr/local/newopenssl/openssl111k \\' /root/rpmbuild/SPECS/openssh.spec
cd /root/rpmbuild/SPECS/

# back up important files before installation (inserted before %post server)
sed -i '/%post server/i\\\cp -rf /etc/pam.d/ /etc/pam.d_bak2021 \
'  openssh.spec

# additional post-install security settings (inserted after %post server)
sed -i '/%post server/a\chmod  600  /etc/ssh/ssh_host_*_key \
sed -i -e  "s/#PasswordAuthentication yes/PasswordAuthentication yes/g"  /etc/ssh/sshd_config \
#sed -i -e  "s/#PermitRootLogin prohibit-password/PermitRootLogin yes/g"    /etc/ssh/sshd_config \
sed -i -e  "s/#PermitEmptyPasswords no/PermitEmptyPasswords no/g"  /etc/ssh/sshd_config \
sed -i -e  "s/#UsePAM no/UsePAM yes/g"  /etc/ssh/sshd_config \
sed -i -e "s/#X11Forwarding no/X11Forwarding yes/g" /etc/ssh/sshd_config \
echo "KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256" >>/etc/ssh/sshd_config \
chmod +x /etc/init.d/sshd \
/sbin/chkconfig sshd on 135 \
ln -s /lib64/security/pam_tally2.so /lib64/security/pam_tally.so \
\\cp -rf /etc/pam.d_bak2021/sshd  /etc/pam.d/sshd' openssh.spec

# finally, build the rpm
rpmbuild -ba openssh.spec

3.1.2 Installing

Enable telnet and confirm it accepts connections

Steps omitted.

Back up the relevant files

mkdir -p /etc/pam.d_$(date +'%Y-%m-%d')
cp /etc/pam.d/* /etc/pam.d_$(date +'%Y-%m-%d')

mkdir -p /etc/ssh_$(date +'%Y-%m-%d')
cp /etc/ssh/* /etc/ssh_$(date +'%Y-%m-%d')

Install

cd /root/rpmbuild/RPMS/x86_64
yum install openssh* -y

Possible problems

# fix the permissions; this is mandatory, otherwise restarting sshd fails
cd /etc/ssh/
chmod 400 ssh_host_ecdsa_key ssh_host_ed25519_key ssh_host_rsa_key
# allow root login (optional)
echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
# without this file change, login fails even though the password is correct
cat <<EOF>/etc/pam.d/sshd
#%PAM-1.0
auth       required     pam_sepermit.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
## pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
## pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth
EOF

# configure key exchange; older SecureCRT versions do not support the newest algorithms
echo "KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256" >> /etc/ssh/sshd_config

# only restart once telnet is confirmed working or all of the above has been configured
systemctl restart sshd

ssh -V
#OpenSSH_8.6p1, OpenSSL 1.1.1k  25 Mar 2021

3.2 Building the openssh RPM on RedHat 6.9

3.2.1 Building

① If an rpmbuild directory already exists under /root, rename it; the script below also generates into /root/rpmbuild by default.

② Configure the yum repository as in 2.1.1.

build_openssh6.sh

#!/bin/bash
# echo each command and exit immediately on the first error
set -ev

# install build dependencies
yum install rpm-build zlib-devel openssl-devel gcc perl-devel pam-devel unzip libXt-devel  imake  gtk2-devel  -y

# create directories
mkdir -p /root/rpmbuild/{SOURCES,SPECS}
cd /root/rpmbuild/SOURCES

# download the openssh tarball; without internet access, upload it directly
if [[ ! -f "openssh-8.6p1.tar.gz" ]];then
    wget -c https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.6p1.tar.gz
fi

# same as above
if [[ ! -f "x11-ssh-askpass-1.2.4.1.tar.gz" ]];then
    wget https://src.fedoraproject.org/repo/pkgs/openssh/x11-ssh-askpass-1.2.4.1.tar.gz/8f2e41f3f7eaa8543a2440454637f3c3/x11-ssh-askpass-1.2.4.1.tar.gz
fi

# extract only the spec file from the tarball
tar -zxvf openssh-8.6p1.tar.gz openssh-8.6p1/contrib/redhat/openssh.spec
mv openssh-8.6p1/contrib/redhat/openssh.spec ../SPECS/

# set ownership, keep a pristine copy, and modify the spec
chown sshd:sshd /root/rpmbuild/SPECS/openssh.spec
cp /root/rpmbuild/SPECS/openssh.spec /root/rpmbuild/SPECS/openssh.spec_def
sed -i -e "s/%global no_gnome_askpass 0/%global no_gnome_askpass 1/g" /root/rpmbuild/SPECS/openssh.spec
# if you want to install sshpass
#sed -i -e "s/%global no_x11_askpass 0/%global no_x11_askpass 1/g" /root/rpmbuild/SPECS/openssh.spec
sed -i -e "s/^BuildRequires: openssl-devel < 1.1/#BuildRequires: openssl-devel < 1.1/g" /root/rpmbuild/SPECS/openssh.spec

# point configure at the new openssl installation
#sed -i -e '/with-privsep-path/a\        --with-openssl-includes=/usr/local/newopenssl/openssl111k/include/openssl  \\\n        --with-ssl-dir=/usr/local/newopenssl/openssl111k \\' /root/rpmbuild/SPECS/openssh.spec
cd /root/rpmbuild/SPECS/

# back up important files before installation (inserted before %post server)
sed -i '/%post server/i\\\cp -rf /etc/pam.d/ /etc/pam.d_bak2021 \
'  openssh.spec

# additional post-install security settings (inserted after %post server)
sed -i '/%post server/a\chmod  600  /etc/ssh/ssh_host_*_key \
sed -i -e  "s/#PasswordAuthentication yes/PasswordAuthentication yes/g"  /etc/ssh/sshd_config \
#sed -i -e  "s/#PermitRootLogin prohibit-password/PermitRootLogin yes/g"    /etc/ssh/sshd_config \
sed -i -e  "s/#PermitEmptyPasswords no/PermitEmptyPasswords no/g"  /etc/ssh/sshd_config \
sed -i -e  "s/#UsePAM no/UsePAM yes/g"  /etc/ssh/sshd_config \
sed -i -e "s/#X11Forwarding no/X11Forwarding yes/g" /etc/ssh/sshd_config \
echo "KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256" >>/etc/ssh/sshd_config \
chmod +x /etc/init.d/sshd \
/sbin/chkconfig sshd on 135 \
ln -s /lib64/security/pam_tally2.so /lib64/security/pam_tally.so \
\\cp -rf /etc/pam.d_bak2021/sshd  /etc/pam.d/sshd' openssh.spec

# finally, build the rpm
rpmbuild -ba openssh.spec

3.2.2 Installing

build_openssh6.sh

#!/bin/bash
# echo each command and exit immediately on the first error
set -ev

# install build dependencies
yum install rpm-build zlib-devel openssl-devel gcc perl-devel pam-devel unzip libXt-devel  imake  gtk2-devel  -y

# create directories
mkdir -p /root/rpmbuild/{SOURCES,SPECS}
cd /root/rpmbuild/SOURCES

# download the openssh tarball; without internet access, upload it directly
if [[ ! -f "openssh-8.6p1.tar.gz" ]];then
    wget -c https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.6p1.tar.gz
fi

# same as above
if [[ ! -f "x11-ssh-askpass-1.2.4.1.tar.gz" ]];then
    wget https://src.fedoraproject.org/repo/pkgs/openssh/x11-ssh-askpass-1.2.4.1.tar.gz/8f2e41f3f7eaa8543a2440454637f3c3/x11-ssh-askpass-1.2.4.1.tar.gz
fi

# extract only the spec file from the tarball
tar -zxvf openssh-8.6p1.tar.gz openssh-8.6p1/contrib/redhat/openssh.spec
mv openssh-8.6p1/contrib/redhat/openssh.spec ../SPECS/

# set ownership, keep a pristine copy, and modify the spec
chown sshd:sshd /root/rpmbuild/SPECS/openssh.spec
cp /root/rpmbuild/SPECS/openssh.spec /root/rpmbuild/SPECS/openssh.spec_def
sed -i -e "s/%global no_gnome_askpass 0/%global no_gnome_askpass 1/g" /root/rpmbuild/SPECS/openssh.spec
# if you want to install sshpass
#sed -i -e "s/%global no_x11_askpass 0/%global no_x11_askpass 1/g" /root/rpmbuild/SPECS/openssh.spec
sed -i -e "s/^BuildRequires: openssl-devel < 1.1/#BuildRequires: openssl-devel < 1.1/g" /root/rpmbuild/SPECS/openssh.spec

# point configure at the new openssl installation
sed -i -e '/with-privsep-path/a\        --with-openssl-includes=/usr/local/newopenssl/openssl111k/include/openssl  \\\n        --with-ssl-dir=/usr/local/newopenssl/openssl111k \\' /root/rpmbuild/SPECS/openssh.spec
cd /root/rpmbuild/SPECS/

# finally, build the rpm
rpmbuild -ba openssh.spec

Enable telnet and confirm it accepts connections

Steps omitted.

Back up the relevant files

mkdir -p /etc/pam.d_$(date +'%Y-%m-%d')
cp /etc/pam.d/* /etc/pam.d_$(date +'%Y-%m-%d')

mkdir -p /etc/ssh_$(date +'%Y-%m-%d')
cp /etc/ssh/* /etc/ssh_$(date +'%Y-%m-%d')

Install

cd /root/rpmbuild/RPMS/x86_64
yum install openssh* -y

Possible problems

# fix the permissions; this is mandatory, otherwise restarting sshd fails
cd /etc/ssh/
chmod 400 ssh_host_ecdsa_key ssh_host_ed25519_key ssh_host_rsa_key
# allow root login (optional)
echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
# without this file change, login fails even though the password is correct
cat <<EOF>/etc/pam.d/sshd
#%PAM-1.0
auth       required     pam_sepermit.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
## pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
## pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth
EOF

# configure key exchange; older SecureCRT versions do not support the newest algorithms
echo "KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256" >> /etc/ssh/sshd_config

# only restart once telnet is confirmed working or all of the above has been configured
# (6.9 has no systemd, so the SysV service command is used here)
service sshd restart

ssh -V
#OpenSSH_8.6p1, OpenSSL 1.1.1k  25 Mar 2021
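The sshd_config edits in this document (the sed lines inserted after %post server in 3.1.1/3.2.1, and the "echo ... >> /etc/ssh/sshd_config" lines under "Possible problems" in 3.1.2/3.2.2) each assume a particular line is present: the sed only works if the stock commented line reads exactly "#PasswordAuthentication yes", and an appended line is silently ignored if the same directive already appears earlier, because sshd uses the first occurrence of a directive. The following is an added example, not the document's own code, of a function that sets a directive regardless of whether it is commented, active with another value, or absent, together with a reader that returns the value sshd would actually use. It is run here against a constructed sshd_config fragment in a temporary file; Match blocks are deliberately not modelled.

```shell
#!/bin/bash
# Added example (not from the original document): idempotent sshd_config edits.
set -u

# set_sshd_option FILE KEY VALUE
# Rewrites the first line for KEY (commented or not) in place; appends only if
# no such line exists. Replacing in place matters because sshd honours the
# first occurrence, so a blindly appended duplicate would never take effect.
set_sshd_option() {
    local file=$1 key=$2 value=$3
    if grep -Eiq "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|$)" "$file"; then
        awk -v k="$key" -v v="$value" '
            BEGIN { done = 0 }
            {
                line = $0; sub(/^[[:space:]]*#?[[:space:]]*/, "", line)
                if (!done && tolower(line) ~ ("^" tolower(k) "([[:space:]]|$)")) {
                    print k " " v; done = 1; next
                }
                print
            }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$value" >> "$file"
    fi
}

# effective_sshd_option FILE KEY
# Prints the value of the first active (uncommented) occurrence, i.e. what
# sshd would apply for a global directive.
effective_sshd_option() {
    awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ { next }
        tolower($1) == k { print $2; exit }' "$1"
}

# Rehearsal on a constructed fragment resembling the stock CentOS sshd_config.
demo_sshd_config() {
    local f
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
#PermitRootLogin prohibit-password
#PasswordAuthentication yes
PermitEmptyPasswords no
UsePAM yes
X11Forwarding no
EOF
    set_sshd_option "$f" PasswordAuthentication yes      # commented line -> activated
    set_sshd_option "$f" X11Forwarding yes               # active line, value changed
    set_sshd_option "$f" KexAlgorithms curve25519-sha256,diffie-hellman-group14-sha256   # absent -> appended
    set_sshd_option "$f" KexAlgorithms curve25519-sha256 # second call overwrites, does not append
    [ "$(effective_sshd_option "$f" passwordauthentication)" = yes ] || return 1
    [ "$(effective_sshd_option "$f" X11Forwarding)" = yes ] || return 1
    [ "$(effective_sshd_option "$f" KexAlgorithms)" = curve25519-sha256 ] || return 1
    [ "$(grep -ci '^KexAlgorithms' "$f")" -eq 1 ] || return 1
    rm -f "$f"
}

demo_sshd_config && echo "sshd_config edit rehearsal OK"
```

The document's own KexAlgorithms line can be passed to set_sshd_option in exactly the same way; the SHA-1 groups in it are there only for compatibility with the older SecureCRT the document mentions, and the reader function makes it easy to confirm which list is really in force before the restart.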

4. Summary of problems encountered during the openssh upgrade

Before upgrading, prepare the following:
1. Back up the /etc/ssh and /etc/pam.d directories;

2. Configure yum: centos/redhat 6 can use the 6.9 remote repo, centos/redhat 7 the 7 remote repo;

3. Enable the telnet service, confirm it is running and that its port is not taken by another service.

4. Check whether the local ssh was installed from an rpm or compiled from source. If it was compiled from source, mv its directory first.

Summary of problems encountered:

1. Dependencies: gcc, pam-devel, krb5, zlib, pam*.

2. Some existing ssh installations were compiled from source; their configuration may be symlinked into /etc/ssh or set through environment variables in /etc/profile, with the real configuration file outside the default directory. After upgrading openssh to 8.5 a reload is needed, and sometimes the sshd service is still in a "deleted" state after the upgrade (check with lsof); with telnet open, kill the sshd master process and then restart.

3. Some existing ssh installations were compiled from source; upgrading directly to openssh 8.5 may produce "Generating SSH1 RSA host key [FAILED]" on restart and the service fails to start. The .pub and key files must be regenerated in the default directory /etc/ssh:
Run ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key to recreate ssh_host_dsa_key
Run ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key to recreate ssh_host_rsa_key
Run ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key to recreate ssh_host_ed25519_key
Then restart the ssh service.

4. On the key-exchange list in the sshd configuration: in SecureCRT it is found under Connect in Tab --> the IP in question --> Session Options --> SSH2 --> Key exchange. CRT's key-exchange list is compared against the operating system's; if they share an algorithm the login succeeds, otherwise it fails with an error.
For consistency, the following KexAlgorithms line has been tested and works with the CRT currently used on the bastion host:
KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256

Additional note:
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,diffie-hellman-group14-sha1 also allows login from the bastion host's CRT, but it is not universally supported; the line above is currently the common default.

To view KexAlgorithms on Linux, as root: sshd -T |grep kexalgorithms
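The "sshd -T | grep kexalgorithms" check above shows the list sshd actually uses, but leaves it to the reader to judge the list. The following is an added example, not part of the original document, that parses a line of that output and reports which algorithms still depend on SHA-1 or on the 1024-bit group1, so an operator can see at a glance what a compatibility line like the one above enables. Which algorithms are flagged is this example's own policy choice, not something the document states; the two sample lines are constructed here, not captured from a real host.

```shell
#!/bin/bash
# Added example (not from the original document): audit the key-exchange list
# printed by "sshd -T" for algorithms that rely on SHA-1 or on group1.
set -u

# audit_kex "kexalgorithms a,b,c": prints each flagged algorithm on its own
# line; returns 1 if any was found, 0 if the list is clean.
audit_kex() {
    local line=$1 list alg rc=0
    list=${line#kexalgorithms }     # strip the sshd -T keyword
    list=${list//,/ }               # comma-separated list -> words
    for alg in $list; do
        case $alg in
            diffie-hellman-group1-sha1|diffie-hellman-group14-sha1|diffie-hellman-group-exchange-sha1)
                printf '%s\n' "$alg"; rc=1 ;;
        esac
    done
    return $rc
}

# count_weak_kex LINE: number of flagged algorithms (always exits 0, so it is
# safe to use inside a command substitution under set -e)
count_weak_kex() {
    audit_kex "$1" | awk 'END { print NR }'
}

# Constructed sample lines: the document's compatibility list, and a SHA-2-only
# list of the kind OpenSSH 8.x offers (check "sshd -T" on a real host for the
# actual list there).
COMPAT_LINE='kexalgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256'
MODERN_LINE='kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group14-sha256'

# On a real host, as root:
#   sshd -T | grep '^kexalgorithms' | while read -r l; do audit_kex "$l"; done
echo "compatibility list flags $(count_weak_kex "$COMPAT_LINE") algorithm(s):"
audit_kex "$COMPAT_LINE" || true
echo "modern list flags $(count_weak_kex "$MODERN_LINE") algorithm(s)"
```

Three of the four entries in the document's compatibility line are flagged; only diffie-hellman-group-exchange-sha256 passes. If the bastion host's CRT is ever updated, re-running the audit after trimming the list is a quick way to confirm that the SHA-1 entries are gone from the effective configuration and not merely from the file.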

5. Errors in /var/log/secure
PAM unable to dlopen(/lib64/security/pam_tally.so): /lib64/security/pam_tally.so: cannot open shared object file: No such file or directory
PAM adding faulty module: /lib64/security/pam_tally.so

Reference fix: ln -s /lib64/security/pam_tally2.so /lib64/security/pam_tally.so
