偶然间看到某“开车群”里有位萌新在讨论升级 openssh,遂自己折腾了一番。
环境准备
系统环境
# 系统平台和版本 [root@xadocker ~]# hostnamectl Static hostname: xadocker Icon name: computer-vm Chassis: vm Machine ID: 6a95166986604960b8a690e6e5103d2f Boot ID: 14613b5df0e14801be2569cd111cceae Virtualization: vmware Operating System: CentOS Linux 7 (Core) CPE OS Name: cpe:/o:centos:centos:7 Kernel: Linux 3.10.0-693.el7.x86_64 Architecture: x86-64 [root@xadocker ~]# cat /etc/redhat-release CentOS Linux release 7.4.1708 (Core) # 查看openssl版本 [root@xadocker ~]# openssl version OpenSSL 1.0.2k-fips 26 Jan 2017 # 查看当前ssh服务版本 [root@xadocker ~]# ssh -V OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017 # 安装一些编译需要用到的软件包和一些openssl或sshd依赖 [root@xadocker ~]# yum install -y gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel pam-devel pam* zlib* |
软件包下载地址
# Source tarballs staged for the build.
# NOTE(review): the transcript does not show where the tarballs were fetched
# from, nor any integrity check. Both are later built and installed as root,
# so compare `sha256sum <tarball>` with the digest published by the project,
# or verify the release signature with `gpg --verify`, before unpacking.
[root@xadocker tools]# pwd
/data/tools
[root@xadocker tools]# ll
total 6812
-rw-r--r-- 1 root root 1597697 May 14 10:33 openssh-8.0p1.tar.gz
-rw-r--r-- 1 root root 5348369 May 14 10:27 openssl-1.0.2r.tar.gz |
升级过程
编译升级openssl
# 将原来的openssl备份先 [root@xadocker tools]# mv /usr/bin/openssl /usr/bin/openssl_bak [root@xadocker tools]# mv /usr/include/openssl /usr/include/openssl_bak # 解压openssl源码并编译 [root@xadocker tools]# tar -zxf openssl-1.0.2r.tar.gz [root@xadocker openssl-1.0.2r]# ./config shared && make && make install [root@xadocker openssl-1.0.2r]# ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl [root@xadocker openssl-1.0.2r]# ln -s /usr/local/ssl/include/openssl /usr/include/openssl [root@xadocker openssl-1.0.2r]# ll /usr/bin/openssl lrwxrwxrwx 1 root root 26 May 14 10:32 /usr/bin/openssl -> /usr/local/ssl/bin/openssl [root@xadocker openssl-1.0.2r]# ll /usr/include/openssl -ld lrwxrwxrwx 1 root root 30 May 14 10:32 /usr/include/openssl -> /usr/local/ssl/include/openssl # 将该模块加入配置文件 [root@xadocker openssl-1.0.2r]# echo "/usr/local/ssl/lib" >> /etc/ld.so.conf # 加载模块 [root@xadocker openssl-1.0.2r]# /sbin/ldconfig # 测试 [root@xadocker ~]# openssl version OpenSSL 1.0.2r 26 Feb 2019 |
编译升级openssh
# 解压源码包并编译 [root@xadocker tools]# tar xfz openssh-8.0p1.tar.gz [root@xadocker tools]# cd openssh-8.0p1/ [root@xadocker openssh-8.0p1]# chown -R root.root /data/tools/openssh-8.0p1 [root@xadocker openssh-8.0p1]# mv /etc/ssh /tmp/ssh_bak [root@xadocker openssh-8.0p1]# ./configure --prefix=/usr/ --sysconfdir=/etc/ssh --with-openssl-includes=/usr/local/ssl/include --with-ssl-dir=/usr/local/ssl --with-zlib --with-md5-passwords ke && make install # 编辑新生成的/etc/ssh/sshd_config [root@xadocker openssh-8.0p1]# grep "^PermitRootLogin" /etc/ssh/sshd_config PermitRootLogin yes [root@xadocker openssh-8.0p1]# grep -i "dns" /etc/ssh/sshd_config UseDNS no # 复制启动文件到相应目录 [root@xadocker openssh-8.0p1]# cp -a contrib/redhat/sshd.init /etc/init.d/sshd # 复制sshd可能用到的模块文件,也许可以不复制,sshd配置文件里没有开启加载该文件 [root@xadocker openssh-8.0p1]# cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd.pam # 重新生成systemd启动文件 [root@xadocker openssh-8.0p1]# mv /usr/lib/systemd/system/sshd.service /data/ [root@xadocker openssh-8.0p1]# chmod +x /etc/init.d/sshd [root@xadocker openssh-8.0p1]# systemctl restart sshd [root@xadocker openssh-8.0p1]# systemctl enable sshd # 查看此时版本 [root@xadocker openssl-1.0.2r]# ssh -V OpenSSH_8.0p1, OpenSSL 1.0.2r 26 Feb 2019 |
测试
新开会话测试
# Re-check both versions from a newly opened session.
# NOTE(review): a successful new login is the real test that sshd still
# accepts connections. `ssh -V` prints the client version only; the debug
# output of `ssh -v <host>` includes the remote software version reported by
# the running daemon.
[root@xadocker ~]# openssl version
OpenSSL 1.0.2r 26 Feb 2019
[root@xadocker ~]# ssh -V
OpenSSH_8.0p1, OpenSSL 1.0.2r 26 Feb 2019 |