Upgrading OpenSSH & OpenSSL to the latest versions
This upgrade goes from OpenSSH 8.6 to 9.3 and from OpenSSL 1.1.1k to 3.1.0.
OpenSSH download: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/
OpenSSL download: https://ftp.openssl.org/source/old/
I. Upgrade preparation
Before upgrading, be prepared for SSH to become unavailable: enable VNC. This is not needed if you can log in through the virtualization management console or at the server's own display.
Exact path: OpenSSH_8.6p1, OpenSSL 1.1.1k 25 Mar 2021 to OpenSSH_9.3p1, OpenSSL 3.1.0 14 Mar 2023.
Check the current versions:
[root@gjgw-web-02 update_openssh]# ssh -V
OpenSSH_8.4p1, OpenSSL 1.1.1k 25 Mar 2021
[root@gjgw-web-02 update_openssh]# openssl version
OpenSSL 1.1.1k 25 Mar 2021
Back up the existing files:
mv /usr/bin/openssl /usr/bin/openssl.bak
mv /usr/include/openssl /usr/include/openssl.bak
mv /usr/lib64/libssl.so /usr/lib64/libssl.so.bak
II. Upgrading OpenSSL
Because this jumps from 1.1.1x all the way to 3.1.0, the host was missing several Perl modules that the 3.1.0 build needs, so they have to be installed first. There are three ways:
1) Download them online from the host using Perl's interactive shell.
2) Download the source packages from the official site and build them yourself (very tedious! I only fell back to the third method for the packages I could not find). Download address: https://cpan.metacpan.org/authors/id/B/BI/BINGOS/
Taking IPC-Cmd as the example: download it from the site, then extract and install:
tar -zxf IPC-Cmd-1.04.tar.gz
cd IPC-Cmd-1.04
perl Makefile.PL
make && make install
3) Install them with yum; with a local yum repository configured, a single command does it (if your environment differs and other modules are still missing during the OpenSSL build, install them following the package-name pattern below).
For convenience I used a local YUM repository built from the ISO image (package names are case-sensitive: it must be perl-IPC-Cmd, not perl-IPC-cmd).
yum -y install perl-Module-Load-Conditional perl-Locale-Maketext-Simple perl-Params-Check perl-ExtUtils-MakeMaker perl-CPAN perl-IPC-Cmd
Transaction test succeeded
Running transaction
Installing : 3:perl-version-0.99.07-3.el7.x86_64 1/10
Installing : 1:perl-Module-CoreList-2.76.02-293.el7.noarch 2/10
Installing : perl-Module-Metadata-1.000018-2.el7.noarch 3/10
Installing : perl-Locale-Maketext-1.23-3.el7.noarch 4/10
Installing : 1:perl-Locale-Maketext-Simple-0.21-293.el7.noarch 5/10
Installing : 1:perl-Params-Check-0.38-2.el7.noarch 6/10
Installing : 1:perl-Module-Load-0.24-3.el7.noarch 7/10
Installing : perl-local-lib-1.008010-4.el7.noarch 8/10
Installing : perl-CPAN-1.9800-293.el7.noarch 9/10
Installing : perl-Module-Load-Conditional-0.54-3.el7.noarch 10/10
Verifying : 3:perl-version-0.99.07-3.el7.x86_64 1/10
Verifying : perl-local-lib-1.008010-4.el7.noarch 2/10
Verifying : 1:perl-Params-Check-0.38-2.el7.noarch 3/10
Verifying : perl-CPAN-1.9800-293.el7.noarch 4/10
Verifying : 1:perl-Module-Load-0.24-3.el7.noarch 5/10
Verifying : perl-Module-Load-Conditional-0.54-3.el7.noarch 6/10
Verifying : 1:perl-Module-CoreList-2.76.02-293.el7.noarch 7/10
Verifying : perl-Locale-Maketext-1.23-3.el7.noarch 8/10
Verifying : perl-Module-Metadata-1.000018-2.el7.noarch 9/10
Verifying : 1:perl-Locale-Maketext-Simple-0.21-293.el7.noarch 10/10
Installed:
perl-CPAN.noarch 0:1.9800-293.el7 perl-Locale-Maketext-Simple.noarch 1:0.21-293.el7 perl-Module-Load-Conditional.noarch 0:0.54-3.el7 perl-Params-Check.noarch 1:0.38-2.el7
Dependency Installed:
perl-Locale-Maketext.noarch 0:1.23-3.el7 perl-Module-CoreList.noarch 1:2.76.02-293.el7 perl-Module-Load.noarch 1:0.24-3.el7 perl-Module-Metadata.noarch 0:1.000018-2.el7
perl-local-lib.noarch 0:1.008010-4.el7 perl-version.x86_64 3:0.99.07-3.el7
Upgrading OpenSSL
Create the working directory, move the tarballs there, extract and enter it (the directory name matches the one shown in the shell prompt and the @INC output below):
mkdir /opt/update_openssh && cd /opt/update_openssh
mv ~/openss* /opt/update_openssh
tar -zxf openssl-3.1.0.tar.gz
cd openssl-3.1.0
Configure the build with the install location:
./config --shared --prefix=/usr/local/openssl --openssldir=/usr/local/openssl
After pressing Enter it reported a missing dependency: one module, IPC/Cmd, had been missed. Install it with yum:
[root@gjgw-web-02 openssl-3.1.0]# ./config --shared --prefix=/usr/local/openssl --openssldir=/usr/local/openssl
Can't locate IPC/Cmd.pm in @INC (@INC contains: /opt/update_openssh/openssl-3.1.0/util/perl /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 . /opt/update_openssh/openssl-3.1.0/external/perl/Text-Template-1.56/lib) at /opt/update_openssh/openssl-3.1.0/util/perl/OpenSSL/config.pm line 19.
BEGIN failed--compilation aborted at /opt/update_openssh/openssl-3.1.0/util/perl/OpenSSL/config.pm line 19.
Compilation failed in require at /opt/update_openssh/openssl-3.1.0/Configure line 23.
BEGIN failed--compilation aborted at /opt/update_openssh/openssl-3.1.0/Configure line 23.
yum -y install perl-IPC-Cmd
Re-run the configuration, then make:
[root@gjgw-web-02 openssl-3.1.0]# ./config --shared --prefix=/usr/local/openssl --openssldir=/usr/local/openssl
Configuring OpenSSL version 3.1.0 for target linux-x86_64
Using os-specific seed configuration
Created configdata.pm
Running configdata.pm
Created Makefile.in
Created Makefile
Created include/openssl/configuration.h
***   OpenSSL has been successfully configured                     ***
***   If you encounter a problem while building, please open an    ***
***   issue on GitHub <https://github.com/openssl/openssl/issues>  ***
***   and include the output from the following command:           ***
***       perl configdata.pm --dump                                ***
***   (If you are new to OpenSSL, you might want to consult the    ***
***   'Troubleshooting' section in the INSTALL.md file first)      ***
[root@gjgw-web-02 openssl-3.1.0]# make && make install
Once the install finishes, verifying with openssl version may fail as shown below; in that case the shared-library links need updating: symlink the .so files from the installation directory.
[root@gjgw-web-02 openssl-3.1.0]# openssl version
openssl: error while loading shared libraries: libssl.so.3: cannot open shared object file: No such file or directory
ln -s /usr/local/openssl/lib64/libssl.so.3 /usr/lib/libssl.so.3
ln -s /usr/local/openssl/lib64/libcrypto.so.3 /usr/lib/libcrypto.so.3
Also update the ldconfig configuration: comment out the old OpenSSL lib path and add /usr/local/lib64:
vim /etc/ld.so.conf
include ld.so.conf.d/*.conf
#/usr/local/openssl/lib
/usr/local/lib64
Refresh the library cache:
ldconfig -v
openssl version now shows the new version:
[root@gjgw-web-02 openssl-3.1.0]# openssl version
OpenSSL 3.1.0 14 Mar 2023 (Library: OpenSSL 3.1.0 14 Mar 2023)
III. Installing OpenSSH
tar -zxf openssh-9.3p1.tar.gz
cd openssh-9.3p1
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib=/usr/local/zlib --with-ssl-dir=/usr/local/openssl --without-hardening --with-md5-passwords --mandir=/usr/share/man && make && make install
…
/bin/install -c -m 644 sftp-server.8.out /usr/share/man/man8/sftp-server.8
/bin/install -c -m 644 ssh-keysign.8.out /usr/share/man/man8/ssh-keysign.8
/bin/install -c -m 644 ssh-pkcs11-helper.8.out /usr/share/man/man8/ssh-pkcs11-helper.8
/bin/install -c -m 644 ssh-sk-helper.8.out /usr/share/man/man8/ssh-sk-helper.8
/bin/mkdir -p /etc/ssh
/etc/ssh/ssh_config already exists, install will not overwrite
/etc/ssh/sshd_config already exists, install will not overwrite
/etc/ssh/moduli already exists, install will not overwrite
/usr/sbin/sshd -t -f /etc/ssh/sshd_config
[root@gjgw-web-02 openssh-9.3p1]# ssh -V
OpenSSH_9.3p1, OpenSSL 3.1.0 14 Mar 2023
Installing OpenSSH is in itself fairly simple, but it is where I hit the most problems. They were the following; find the one that matches yours.
1) ssh -V on the command line reports a version different from the one just installed
The ssh that users execute lives at /usr/local/bin/ssh; check whether /usr/bin/ or sbin holds an ssh binary and whether its version matches, or else reinstall SSH.
2) configure: error: *** OpenSSL headers missing - please install first or check config.log ***
checking for getpagesize... (cached) yes
checking whether snprintf correctly terminates long strings... yes
checking whether snprintf understands %zu... yes
checking whether vsnprintf returns correct values on overflow... yes
checking whether snprintf can declare const char *fmt... yes
checking whether system supports SO_PEERCRED getsockopt... yes
checking if openpty correctly handles controlling tty... yes
checking whether AI_NUMERICSERV is declared... yes
checking if SA_RESTARTed signals interrupt select()... yes
checking for getpgrp... yes
checking if getpgrp accepts zero args... yes
checking for openssl... /sbin/openssl
checking for openssl/opensslv.h... no
configure: error: *** OpenSSL headers missing - please install first or check config.log ***
or: configure: error: *** working libcrypto not found, check config.log ***
checking if openpty correctly handles controlling tty... yes
checking whether AI_NUMERICSERV is declared... yes
checking if SA_RESTARTed signals interrupt select()... yes
checking for getpgrp... yes
checking if getpgrp accepts zero args... yes
checking for openssl... /usr/bin/openssl
configure: error: *** working libcrypto not found, check config.log ***
Both of these usually mean the openssl-devel package is missing or the libcrypto libraries are not where configure expects them.
Install openssl-devel with yum; the libcrypto library normally lives in lib or lib64 under the OpenSSL install directory. Depending on your layout, point the configure step at the more specific OpenSSL install location.
3) A normal user running ssh -V gets an error that an .so library cannot be found; this may be because the permissions on the openssl or ssh files are too restrictive. Use chmod 755 -R xxxxx on them.
ssh: error while loading shared libraries: libcrypto.so.3: cannot open shared object file: No such file or directory
4) error: Your OpenSSL headers do not match your library
checking whether OpenSSL's headers match the library... no
configure: error: Your OpenSSL headers do not match your
library. Check config.log for details.
If you are sure your installation is consistent, you can disable the check
by running "./configure --without-openssl-header-check".
Also see contrib/findssl.sh for help identifying header/library mismatches.
This was the worst pitfall of all. Basically, the previous OpenSSL version was not fully cleaned up, or the paths in ld.so.conf still point to the old version.
In my case the build output showed two OpenSSL versions during compilation, and it took two days of struggling before it was resolved.
Here is my understanding of what happened:
After installing 1.1.1x, the install directory contains both a lib and a lib64 folder, whereas a 3.1.0 install has only lib64. When OpenSSL is installed into the same path as the old version, the new files do not replace everything, only the directories the new version needs, so the old lib folder survives inside the new install path. That is why the OpenSSH build reported two OpenSSL versions at once. Before upgrading OpenSSL, I recommend archiving the entire old installation, then deleting the whole path (or at least its lib directory) before installing the new version.
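As an added example (not the author's script), a bash checker covering the verification step in part II and issues 1, 3 and 4 above: it compares the version in the OpenSSL headers with the library that openssl version actually loads, flags a 1.1.1 lib tree left under the install prefix, checks which OpenSSL libraries the ssh in PATH resolves to, and runs sshd -t before any restart. The /usr/local/openssl prefix follows this page's configure line; the --check flag and the file name are assumptions of mine.

```bash
#!/usr/bin/env bash
# Added example, not the author's script: post-upgrade checks for the OpenSSL 1.1.1k -> 3.1.0 and
# OpenSSH 9.3p1 path above. The prefix follows this page's --with-ssl-dir=/usr/local/openssl.
# Version compiled into the headers configure will see: 3.x defines OPENSSL_VERSION_STR,
# 1.1.1 only OPENSSL_VERSION_TEXT ("OpenSSL 1.1.1k  25 Mar 2021").
header_version() {
    local h="$1" v
    [ -r "$h" ] || return 1
    v=$(sed -n 's/^# *define OPENSSL_VERSION_STR *"\([^"]*\)".*/\1/p' "$h")
    [ -n "$v" ] || v=$(sed -n 's/^# *define OPENSSL_VERSION_TEXT *"OpenSSL \([0-9][^ ]*\).*/\1/p' "$h")
    printf '%s\n' "$v"
}
# Version of the library actually loaded, parsed from `openssl version` output, e.g.
# "OpenSSL 3.1.0 14 Mar 2023 (Library: OpenSSL 3.1.0 14 Mar 2023)" or "OpenSSL 1.1.1k  25 Mar 2021".
library_version() {
    local out="$1"
    case "$out" in
        *"(Library: OpenSSL "*) out=${out##*"(Library: OpenSSL "} ;;
        "OpenSSL "*)            out=${out#"OpenSSL "} ;;
        *) return 1 ;;
    esac
    printf '%s\n' "${out%% *}"
}
# Issue 4: a 1.1.1 install leaves <prefix>/lib behind next to the new lib64, so the OpenSSH
# configure step sees two OpenSSL copies. Returns the number of problems found (0 = clean).
stale_lib_dirs() {
    local prefix="$1" hits=0 d
    for d in "$prefix/lib" "$prefix/lib64"; do
        [ -e "$d/libcrypto.so.1.1" ] && { echo "stale 1.1.1 library: $d/libcrypto.so.1.1"; hits=$((hits+1)); }
    done
    [ -d "$prefix/lib" ] && [ -d "$prefix/lib64" ] && { echo "both lib and lib64 under $prefix"; hits=$((hits+1)); }
    return "$hits"
}
# Issues 1 and 3: the ssh found in PATH must resolve libssl/libcrypto to the .so.3 files.
# Takes `ldd` output and prints "soname path" for each OpenSSL library it lists.
ssl_libs_from_ldd() {
    printf '%s\n' "$1" | sed -E -n 's/^[[:space:]]*(lib(ssl|crypto)\.so\.[0-9.]*) => ([^ ]*).*/\1 \3/p'
}
old_openssl_in_ldd() { ssl_libs_from_ldd "$1" | grep -q '\.so\.1\.1 '; }   # true if 1.1.1 is still linked
main() {
    local hv lv prefix=/usr/local/openssl
    hv=$(header_version "$prefix/include/openssl/opensslv.h") || hv="(no header)"
    lv=$(library_version "$(openssl version 2>/dev/null)") || lv="(no openssl)"
    [ "$hv" = "$lv" ] && echo "headers $hv match library $lv" || echo "MISMATCH: headers $hv vs library $lv"
    stale_lib_dirs "$prefix" || echo "remove the old lib tree before running the OpenSSH configure"
    old_openssl_in_ldd "$(ldd "$(command -v ssh)" 2>/dev/null)" && echo "ssh still loads OpenSSL 1.1 libraries"
    /usr/sbin/sshd -t -f /etc/ssh/sshd_config && echo "sshd_config OK: safe to restart sshd"  # as in part III
}
[ "${1:-}" = "--check" ] && main   # usage: bash check_ssl_upgrade.sh --check (file name is my own)
```

Run it as root after the make install steps and before restarting sshd; a MISMATCH line or a stale-library line reproduces issue 4 before configure does.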