1. 备份ssh目录

```bash
$ cp -rf /etc/ssh /etc/ssh.bak
```
2. 升级需要的组件
```bash
$ yum install -y gcc openssl-devel pam-devel rpm-build
```
4. **如果之前就是源码安装的,找到之前的安装包,在里面执行**
```
make uninstall
make clean
```
6. 下载openssh新版本包(下面的地址是明文 HTTP,解压编译前请先对照官方发布页公布的校验值核对安装包)
```bash
$ wget http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.9p1.tar.gz
```
7. 解压包并进行编译安装
```bash
$ tar xf openssh-7.9p1.tar.gz
$ cd openssh-7.9p1
$ ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-md5-passwords --with-tcp-wrappers
#如果报错 configure: error: OpenSSL library not found.
#原因是升级完 openssl 后,库的位置变了(默认的库在 /usr/lib64 下),configure 找不到它.
#此时在上面的 ./configure 命令后追加下面两个参数,指定新版 openssl 的库和头文件位置:
#   --with-ssl-dir=/usr/local/openssl/lib/
#   --with-openssl-includes=/usr/local/openssl/include
#如果有提示PAM is enabled. You may need to install a PAM control file for sshd, otherwise password authentication may fail. Example PAM control files can be found in the contrib/subdirectory
#没有关系, 只要有那个文件就行.
$ make
```
9. 安装
```
chmod 600 /etc/ssh/ssh_host_rsa_key
chmod 600 /etc/ssh/ssh_host_ecdsa_key
chmod 600 /etc/ssh/ssh_host_ed25519_key
make install
```
11. 替换ssh和 sshd
```bash
#如果版本号不对, 也需要替换 ssh 文件
mv /usr/bin/ssh /usr/bin/ssh.old
cp -r /root/openssh-8.0p1/ssh /usr/bin/ssh
#Download 两台服务器有个问题, 输入全路径/usr/bin/ssh 可以出版本号.
#输入ssh -v 就会出现缺少一个文件的提示, 不过没有影响.
#替换 sshd 文件
[root@rclb-public-2 openssh-8.0p1]# which sshd
/usr/local/sbin/sshd
#备份 sshd 源文件
mv /usr/sbin/sshd /usr/sbin/sshd.bak
#替换新文件
cp -r /root/openssh-8.0p1/sshd /usr/sbin/sshd
```
12. 修改配置文件
```
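#注意生产环境的 sshd 端口用的是 5225.
#PermitRootLogin yes 加上 PasswordAuthentication yes 意味着 root 可以直接用密码登录; 如果 root 只需要密钥登录, 可改用 PermitRootLogin prohibit-password.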
PermitRootLogin yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
PermitEmptyPasswords no
UsePAM yes
```
14. 复制启动脚本到/etc/init.d
```bash
#备份老脚本
cp -r /etc/init.d/sshd /etc/init.d/sshd.bak
#复制新脚本
cp -p /root/openssh-8.0p1/contrib/redhat/sshd.init /etc/init.d/sshd
chmod +x /etc/init.d/sshd
```
15. 重启ssh
```bash
#需要移走 systemctl 脚本, 否则无法重启 ssh 服务
mv /usr/lib/systemd/system/sshd.service /usr/lib/systemd/system/sshd.service.bak
systemctl daemon-reload
$ /etc/init.d/sshd restart
```
16. 回滚操作
如果之前是通过 rpm 包安装的,并且是按照以上步骤操作的,可以直接执行以下命令进行回滚
```
# yum -y install openssh-clients
# yum -y install openssh-server
# yum -y install openssh
```

----------------------------------------------
# 升级 openssl
安装依赖库
```
yum install -y zlib zlib-dev openssl-devel sqlite-devel bzip2-devel libffi libffi-devel gcc gcc-c++
```
下载1.0.2版本的openssl
```
wget http://www.openssl.org/source/openssl-1.0.2j.tar.gz
```
解压openssl源代码,并安装
```
$ tar -zxvf openssl-1.0.2j.tar.gz
#注意这里是 config 不是 configure
# 编译为静态库
./config --prefix=/usr/local/openssl shared zlib
# 编译为动态库
# ./config --prefix=/usr/local/openssl shared zlib-dynamic
make depend
make
make install
```
设置环境变量 ,直接在`/etc/ld.so.conf`添加指定新版本 openssl 下的 lib 包:
```
cd /etc/ld.so.conf.d/
$ vim openssl.conf
/usr/local/openssl/lib/
#另外如果是现网的,还需要把这两个注释掉,但是需要注意 openssh 也要在之后立刻升级,否则 ssh 会出问题, 因为它还是用的之前 1.0.2 的 lib.
vim /etc/ld.so.conf
include ld.so.conf.d/*.conf
#/usr/local/lib64
#/usr/local/openssl-1.0.2p/lib
```
修改openssl 命令路径
```
mv /usr/bin/openssl /usr/bin/openssl.old
ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
```
修改openssl 目录
```
mv /usr/include/openssl /usr/include/openssl.old
#将安装好的 openssl 的 openssl 目录软链接到 /usr/include/openssl
ln -s /usr/local/openssl/include/openssl /usr/include/openssl
```
ldconfig 使配置生效
```
$ ldconfig
#查看配置是否生效
ldconfig -v |grep ssl
```
查看 openssl 版本
```
$ openssl version
```

-----------------

openssh 升级脚本

#!/bin/bash
source /etc/init.d/functions

#######################################
# Abort the script when the command that ran immediately before this call
# returned a non-zero status.
# Arguments: none (reads $? left by the previous command)
# Outputs:   a failure line through action, presumably the helper provided
#            by the sourced /etc/init.d/functions
# Returns:   0 when the previous command succeeded; otherwise exits with 1
#######################################
check() {
  # Capture $? first: any other command would overwrite it.
  local prev_status=$?
  [ "$prev_status" -eq 0 ] && return 0
  # The message text is fixed, whichever step failed.
  action "make is failed! exit. " /bin/false
  exit 1
}

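openssh_version="openssh-8.3p1"
openssh_packge="openssh-8.3p1.tar.gz"

# Back up the sshd configuration directory. It holds the host private keys,
# so -a is used to carry modes and ownership over to the copy. An existing
# backup is left alone: on a re-run it is the only copy of the original state
# (and cp would otherwise nest a second copy inside it).
if [ ! -e /etc/ssh.bak ]; then
  cp -a /etc/ssh /etc/ssh.bak \
    || { printf '%s\n' "backup of /etc/ssh failed" >&2; exit 1; }
fi

# Build dependencies.
yum install -y gcc pam-devel rpm-build

# The tarball is read from /tmp, which every local user can write to, and
# the binaries built from it run as root. When the operator exports
# OPENSSH_SHA256 (the SHA-256 digest published for this release), the
# archive is verified before it is unpacked; without it the script only warns.
if [ -n "${OPENSSH_SHA256:-}" ]; then
  printf '%s  %s\n' "${OPENSSH_SHA256}" "/tmp/${openssh_packge}" | sha256sum -c - \
    || { printf '%s\n' "checksum mismatch for /tmp/${openssh_packge}" >&2; exit 1; }
else
  printf '%s\n' "WARNING: OPENSSH_SHA256 is not set; /tmp/${openssh_packge} is used unverified" >&2
fi

# Unpack under /app, then build with /usr as the install prefix and the new
# OpenSSL library directory under /app/openssl.
mkdir -p /app
tar xf "/tmp/${openssh_packge}" -C /app/ \
  || { printf '%s\n' "cannot unpack /tmp/${openssh_packge}" >&2; exit 1; }
cd "/app/${openssh_version}/" \
  || { printf '%s\n' "cannot enter /app/${openssh_version}" >&2; exit 1; }
# NOTE(review): upstream OpenSSH removed TCP wrappers support in 6.7, so
# --with-tcp-wrappers is probably ignored for this version -- confirm in the
# configure output. If it is, hosts.allow / hosts.deny no longer filter sshd
# and any such rules need a firewall equivalent.
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-md5-passwords --with-tcp-wrappers --with-ssl-dir=/app/openssl/lib/
check
make
check

# Host private keys must not be readable by group or others.
chmod 600 /etc/ssh/ssh_host_rsa_key
chmod 600 /etc/ssh/ssh_host_ecdsa_key
chmod 600 /etc/ssh/ssh_host_ed25519_key

# Keep the previous binaries for rollback. This has to happen before
# "make install": with --prefix=/usr the install step writes /usr/bin/ssh and
# /usr/sbin/sshd itself, so a copy taken afterwards would only save the new
# build. Existing backups are kept so a re-run cannot overwrite them.
[ -e /usr/bin/ssh.old2 ] || cp -p /usr/bin/ssh /usr/bin/ssh.old2
[ -e /usr/sbin/sshd.bak2 ] || cp -p /usr/sbin/sshd /usr/sbin/sshd.bak2
make install
check

# Keep the previous init script, if there is one, and install the one shipped
# in the source tree (absolute path, so it does not depend on the cwd).
if [ -e /etc/init.d/sshd ]; then
  cp -p /etc/init.d/sshd /etc/init.d/sshd.bak
fi
cp -p "/app/${openssh_version}/contrib/redhat/sshd.init" /etc/init.d/sshd
chmod +x /etc/init.d/sshd

# Pin the key-exchange list, but only once: sshd uses the first value it
# finds for a keyword, so repeated appends add nothing.
# NOTE(review): a line appended below a Match block is parsed as part of that
# block -- check that the file does not end in one.
# NOTE(review): diffie-hellman-group14-sha1 is a SHA-1 based exchange,
# presumably kept for old clients; drop it once none remain.
if ! grep -q '^KexAlgorithms' /etc/ssh/sshd_config; then
  echo "KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1" >>/etc/ssh/sshd_config
fi

# Disable GSSAPI authentication and credential cleanup.
sed -i 's/^GSSAPIAuthentication yes/#GSSAPIAuthentication yes/' /etc/ssh/sshd_config
sed -i 's/^GSSAPICleanupCredentials/#GSSAPICleanupCredentials/' /etc/ssh/sshd_config

# Comment out "UsePAM yes". With PAM off, sshd skips the PAM account and
# session stacks, so controls configured there (lockout, access rules,
# limits) stop applying to SSH logins.
# NOTE(review): the build uses --with-pam and the manual procedure lists
# "UsePAM yes" -- confirm which setting is intended.
sed -i 's/^UsePAM yes/#UsePAM yes/' /etc/ssh/sshd_config

# Enable direct root login. Together with password authentication this lets
# root log in with a password; "PermitRootLogin prohibit-password" keeps
# key-based root access only.
sed -i 's/^#PermitRootLogin yes/PermitRootLogin yes/' /etc/ssh/sshd_config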

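# Validate the configuration file and host keys with the new binary before
# touching the running service: on a remote host, a daemon that fails to
# start means losing access. Keep the current session open until a fresh
# login has been confirmed.
/usr/sbin/sshd -t
check

# Restart sshd. The packaged systemd unit is moved aside first (the manual
# procedure notes that the restart does not work while it is in place); the
# guard keeps a re-run from failing on the already-moved file.
if [ -e /usr/lib/systemd/system/sshd.service ]; then
  mv /usr/lib/systemd/system/sshd.service /usr/lib/systemd/system/sshd.service.bak
fi
systemctl daemon-reload
/etc/init.d/sshd restart
check

# Optional, disabled: set the allowed number of failed authentication attempts.
#sed -i 's#^\#MaxAuthTries.*#MaxAuthTries 10#g' /etc/ssh/sshd_config
#check

# Optional, disabled: idle-session timeout for SSH.
#sed -i 's#^\#ClientAliveInterval.*#ClientAliveInterval 600#g' /etc/ssh/sshd_config
#sed -i 's#^\#ClientAliveCountMax.*#ClientAliveCountMax 2#g' /etc/ssh/sshd_config
#check

# Print the client version as a final confirmation of the upgrade.
ssh -V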

openssl升级脚本

#!/bin/bash
source /etc/init.d/functions

#######################################
# Stop the script if the command executed right before this call failed.
# Arguments: none (the status is taken from $?)
# Outputs:   a failure line through action, presumably the helper provided
#            by the sourced /etc/init.d/functions
# Returns:   0 if the previous command returned 0; otherwise exits with 1
#######################################
check() {
  # $? has to be saved before anything else runs.
  local rc=$?
  if [ "$rc" -eq 0 ]; then
    return 0
  fi
  # Same message for every step, not only for make.
  action "make is failed! exit. " /bin/false
  exit 1
}

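openssl_version="openssl-1.1.1g"
openssl_packge="openssl-1.1.1g.tar.gz"

# Dependency installation (disabled).
# NOTE(review): the repo file below would be fetched over plain HTTP and then
# trusted as a package source -- use an HTTPS mirror if this is re-enabled.
#wget -O /etc/yum.repos.d/CentOS-Base.repo http://mirrors.aliyun.com/repo/Centos-7.repo
#yum clean all
#yum repolist
#yum -y install epel-release
#yum install -y zlib zlib-dev openssl-devel sqlite-devel bzip2-devel libffi libffi-devel gcc gcc-c++ perl-perl5i.x86_64

# The tarball is read from /tmp, which every local user can write to, and
# the library built from it is loaded by root-owned services. When the
# operator exports OPENSSL_SHA256 (the SHA-256 digest published for this
# release), the archive is verified before it is unpacked; without it the
# script only warns.
if [ -n "${OPENSSL_SHA256:-}" ]; then
  printf '%s  %s\n' "${OPENSSL_SHA256}" "/tmp/${openssl_packge}" | sha256sum -c - \
    || { printf '%s\n' "checksum mismatch for /tmp/${openssl_packge}" >&2; exit 1; }
else
  printf '%s\n' "WARNING: OPENSSL_SHA256 is not set; /tmp/${openssl_packge} is used unverified" >&2
fi

# Unpack the source under /app and install into /app/openssl; the source
# tree (/app/$openssl_version) and the install prefix are different
# directories.
mkdir -p /app
tar xf "/tmp/${openssl_packge}" -C /app/ \
  || { printf '%s\n' "cannot unpack /tmp/${openssl_packge}" >&2; exit 1; }
# Stop here if the tree is missing; otherwise the build would run in
# whatever directory the script was started from.
cd "/app/${openssl_version}" \
  || { printf '%s\n' "cannot enter /app/${openssl_version}" >&2; exit 1; }
./config --prefix=/app/openssl shared zlib
check
make depend
check
make
check
make install
check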

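# Register the new library directory with the dynamic linker (this is a
# linker search path, not an environment variable).
echo "/app/openssl/lib/" >/etc/ld.so.conf.d/openssl.conf

# Back up the system openssl command and headers, then point both at the new
# installation. The backup is taken only while the path is still a real
# file/directory: on a re-run it is already a symlink, and moving that would
# replace the saved original with a link to the new build.
if [ -e /usr/bin/openssl ] && [ ! -L /usr/bin/openssl ]; then
  mv /usr/bin/openssl /usr/bin/openssl.old
fi
# -sfn replaces an existing link instead of failing on it.
ln -sfn /app/openssl/bin/openssl /usr/bin/openssl
if [ -e /usr/include/openssl ] && [ ! -L /usr/include/openssl ]; then
  mv /usr/include/openssl /usr/include/openssl.old
fi
ln -sfn /app/openssl/include/openssl /usr/include/openssl

# Rebuild the linker cache, then list the ssl libraries it now resolves.
ldconfig
ldconfig -v | grep ssl

# Show the version of the openssl command now on the PATH.
openssl version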