Linux更新操作系统Openssh版本9.3p1(源码编译安装)

部署前准备

• 安装依赖
  • yum install -y gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel pam-devel
  • yum install -y pam* zlib*
• openssh-9.3p1.tar.gz
• openssl-3.1.0.tar.gz
• 备份文件
  • cp /etc/pam.d/sshd /etc/pam.d/sshd.bak

升级Openssl

解压安装包

• tar zxvf openssl-3.1.0.tar.gz
• cd openssl-3.1.0

备份旧Openssl

• mv /usr/bin/openssl /usr/bin/openssl_old
• mv /usr/include/openssl /usr/include/openssl_old

编译安装Openssl

• ./config --prefix=/usr/local/openssl && make && make install

创建操作系统软链接

• ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
• ln -s /usr/local/openssl/include/openssl /usr/include/openssl

设置加载库

• 注意：lib库名称，旧版本是’lib’，新版本编译后是’lib64’,故 编译完成后检查自己安装的路径lib库名称
• echo "/usr/local/openssl/lib64" >> /etc/ld.so.conf
• ldconfig -v

检查Openssl版本

• openssl version

升级Openssh

解压openssh安装包

• tar zxvf openssh-9.3p1.tar.gz
• cd openssh-9.3p1/

备份旧openssl目录

• mv /etc/ssh /etc/ssh_old

编译安装Openssh

• ./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-tcp-wrappers --with-ssl-dir=/usr/local/openssl --with-zlib=/usr/local/lib64 --without-hardening
• make && make install

备份旧文件

• mv /usr/sbin/sshd /usr/sbin/sshd_old
• mv /etc/sysconfig/sshd /etc/sysconfig/sshd_old
• mv /usr/lib/systemd/system/sshd.service /usr/lib/systemd/system/sshd.service_old

卸载openssh

• for i in $(rpm -qa |grep openssh);do rpm -e $i --nodeps ;done

还原openssh配置文件

• cp -a /etc/ssh_old/sshd_config /etc/ssh/sshd_config
• mv /etc/ssh/moduli.rpmsave /etc/ssh/moduli
• mv /etc/pam.d/sshd.bak /etc/pam.d/sshd

替换新版本openssh相关命令

• cp -arf /usr/local/openssh/bin/* /usr/bin/
• cp -arf /usr/local/openssh/sbin/sshd /usr/sbin/sshd

拷贝启动脚本

• cp -a contrib/redhat/sshd.init /etc/init.d/sshd
• cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd.pam
• chmod +x /etc/init.d/sshd

# 此处如果是SUSE操作系统,对应的目录是contrib/susu/
cp -a contrib/suse/rc.sshd /etc/init.d/sshd
cp -a contrib/suse/sysconfig.ssh /etc/sysconfig/ssh

设置开机启动,并验证版本

• systemctl daemon-reload
• chkconfig --add sshd && chkconfig sshd on
• systemctl start sshd
• ssh -V

设置安全性

• sed -ie ''$(grep -rn 'Ciphers and keying' /etc/ssh/sshd_config | cut -d ':' -f1)'a Ciphers aes128-ctr,aes192-ctr,aes256-ctr \n\nMACs hmac-sha2-256,hmac-sha2-512,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com \n\nKexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 \n' /etc/ssh/sshd_config

检查配置并注释不支持的参数

• sshd -t

踩坑

• /etc/pam.d/sshd配置内容

#%PAM-1.0
auth       substack     password-auth
auth       include      postlogin
account    required     pam_sepermit.so
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    optional     pam_motd.so
session    include      password-auth
session    include      postlogin

• ssh远程其他机器报错

mv /etc/ssh/ssh_config /etc/ssh/ssh_config_new
mv /etc/ssh/ssh_config.rpmsave /etc/ssh/ssh_config
systemctl restart sshd

• Anolis操作系统
  • 需要单独安装pcre和perl