一、yum 仓库中并没有最新版的 OpenSSH,我们需要自己从官方下载最新的opeenSSh源码包编译制作 rpm 安装包。
因为客户服务器不能连外网,所以还需要将其做成离线升级包。
二、实验环境
操作系统: CentOS7.7
serverA 192.168.1.4 模拟能联网,用于制作离线升级包
serverB 192.168.1.6 模拟不能联网,openSSH相关包及其依赖版本较低
三、实验预期
在severA上完成openSSH相关编译及依赖下载,写成一键升级脚本,拖到serverB上完成openSSH的升级。
OpenSSH源码包官网:http://www.openssh.com
截止目前,最新OpenSSH源码包版本为 openssh-8.8p1.tar.gz
四、实验操作
在serverA
yum -y install vim wget epel-release
yum -y install rpm-build gcc make
yum -y install openssl openssl-devel krb5-devel pam-devel libX11-devel xmkmf libXt-devel gtk2-devel
wget http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.8p1.tar.gz
wget https://src.fedoraproject.org/repo/pkgs/openssh/x11-ssh-askpass-1.2.4.1.tar.gz/8f2e41f3f7eaa8543a2440454637f3c3/x11-ssh-askpass-1.2.4.1.tar.gz
tar -zxf openssh-8.8p1.tar.gz
mkdir -p /root/rpmbuild/{SOURCES,SPECS}
cp ./openssh-8.8p1/contrib/redhat/openssh.spec /root/rpmbuild/SPECS/
cp openssh-8.8p1.tar.gz /root/rpmbuild/SOURCES/
mv x11-ssh-askpass-1.2.4.1.tar.gz /root/rpmbuild/SOURCES
cd /root/rpmbuild/SPECS/
sed -i -e "s/%define no_gnome_askpass 0/%define no_gnome_askpass 1/g" openssh.spec
sed -i -e "s/%define no_x11_askpass 0/%define no_x11_askpass 1/g" openssh.spec
sed -i -e "s/BuildPreReq/BuildRequires/g" openssh.spec
sed -i -e "s/BuildRequires: openssl-devel < 1.1/#BuildRequires: openssl-devel < 1.1/g" openssh.spec
rpmbuild -bb openssh.spec
编译好后的文件被放在 /root/rpmbuild/RPMS/x86_64/ 目录下:
# ls -l /root/rpmbuild/RPMS/x86_64
将上述操作脚本化:
cat openssh.sh
#####################################################
#!/bin/bash
OPENSSH_VERSION=8.8p1
yum -y install vim wget epel-release
yum -y install rpm-build gcc make
yum -y install openssl openssl-devel krb5-devel pam-devel libX11-devel xmkmf libXt-devel gtk2-devel
cd /root
wget http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${OPENSSH_VERSION}.tar.gz
wget https://src.fedoraproject.org/repo/pkgs/openssh/x11-ssh-askpass-1.2.4.1.tar.gz/8f2e41f3f7eaa8543a2440454637f3c3/x11-ssh-askpass-1.2.4.1.tar.gz
tar -zxf openssh-${OPENSSH_VERSION}.tar.gz
mkdir -p /root/rpmbuild/{SOURCES,SPECS}
cp ./openssh-${OPENSSH_VERSION}/contrib/redhat/openssh.spec /root/rpmbuild/SPECS/
cp openssh-${OPENSSH_VERSION}.tar.gz /root/rpmbuild/SOURCES/
mv x11-ssh-askpass-1.2.4.1.tar.gz /root/rpmbuild/SOURCES
cd /root/rpmbuild/SPECS/
sed -i -e "s/%define no_gnome_askpass 0/%define no_gnome_askpass 1/g" openssh.spec
sed -i -e "s/%define no_x11_askpass 0/%define no_x11_askpass 1/g" openssh.spec
sed -i -e "s/BuildPreReq/BuildRequires/g" openssh.spec
sed -i -e "s/BuildRequires: openssl-devel < 1.1/#BuildRequires: openssl-devel < 1.1/g" openssh.spec
rpmbuild -bb openssh.spec
ls -l /root/rpmbuild/RPMS/x86_64
########################################################
五、在开发机上做openSSH升级测试
在serverA
cd /root/rpmbuild/RPMS/x86_64
rpm -Uvh *.rpm
rpm -qa | grep openssh
本来到此,我们升级就完成了,但是从客户端登陆的时候却失败了!
无法用 ssh key 方式登录,默认的 host key 文件授权太大,需要修改 key 文件的权限
ll /etc/ssh/ssh_host_*_key
chmod 600 /etc/ssh/ssh_host_*_key
ll /etc/ssh/ssh_host_*_key
升级完后的openSSH默认不允许用密码方式登录,我们需要更改配置文件:
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
sed -i -e "s/#PasswordAuthentication yes/PasswordAuthentication yes/g" /etc/ssh/sshd_config
sed -i -e "s/#PermitRootLogin prohibit-password/PermitRootLogin yes/g" /etc/ssh/sshd_config
sed -i -e "s/#PermitEmptyPasswords no/PermitEmptyPasswords no/g" /etc/ssh/sshd_config
sed -i -e "s/#UsePAM no/UsePAM yes/g" /etc/ssh/sshd_config
默认的 /etc/pam.d/sshd 中使用了过时的 pam_stack.so 动态库,需要更新:
cat > /etc/pam.d/sshd <<EOF
#%PAM-1.0
auth required pam_sepermit.so
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
#pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
#pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth
EOF
重启ssh服务,查看服务状态:
# systemctl restart sshd
# systemctl enable sshd
# systemctl status sshd
你会发现,升级后的sshd服务,是用的启动脚本,不是/usr/lib/systemd/system/sshd.service文件了。
实际上升级过程中,程序已经将 /usr/lib/systemd/system/sshd.service 删除了,并且添加了服务启动脚本 /etc/init.d/sshd
细心的你还会发现,升级完后,我们经常用于做免密登录的公钥拷贝命令 ssh-copy-id也没有了!
其实不是没有了,而是我们需要去解压后源码包拷贝到/usr/bin/目录
tar -zxf openssh-8.8p1.tar.gz
ll /root/openssh-8.8p1/contrib/
cp /root/openssh-8.8p1/contrib/ssh-copy-id /usr/bin/
chmod 755 /usr/bin/ssh-copy-id
登陆成功
六、制作离线升级安装包
在serverA
yum -y install yum-utils createrepo
mkdir /root/localrepo
repotrack openssl -p /root/localrepo/
你可能会疑惑:不是找opennsh相关包的依赖么,怎么找的是openssl了?
其实从上面安装可以,升级opennsh版本并不会缺少依赖,我们们只是需要相应地升级一下openssl的版本:
cp /root/rpmbuild/RPMS/x86_64/*.rpm /root/localrepo
createrepo -v /root/localrepo
编写离线升级安装脚本:
cat install.sh
######################################################
#!/bin/bash
#定位脚本当前路径
parent_path=$( cd "$(dirname "${BASH_SOURCE}")"; pwd -P )
cd "$parent_path"
mkdir -p /etc/yum.repos.d/backup
mv /etc/yum.repos.d/*.repo? /etc/yum.repos.d/backup
rm -rf /tmp/localrepo
mkdir -p /tmp/localrepo
cp -rf ./localrepo/* /tmp/localrepo
echo "[localrepo]" > /etc/yum.repos.d/localrepo.repo
echo "name=Local Repository" >> /etc/yum.repos.d/localrepo.repo
echo "baseurl=file:///tmp/localrepo" >> /etc/yum.repos.d/localrepo.repo
echo "gpgcheck=0" >> /etc/yum.repos.d/localrepo.repo
echo "enabled=1" >> /etc/yum.repos.d/localrepo.repo
yum clean all
yum -y? install openssl
yum -y install openssh* --disablerepo="*" --enablerepo="localrepo"
rm -rf /tmp/localrepo
rm -f /etc/yum.repos.d/localrepo.repo
mv /etc/yum.repos.d/backup/*.repo? /etc/yum.repos.d
rm -rf /etc/yum.repos.d/backup
chmod 600 /etc/ssh/ssh_host_*_key
#modify /etc/ssh/sshd_config
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
sed -i -e "s/#PasswordAuthentication yes/PasswordAuthentication yes/g" /etc/ssh/sshd_config
sed -i -e "s/#PermitRootLogin prohibit-password/PermitRootLogin yes/g" /etc/ssh/sshd_config
sed -i -e "s/#PermitEmptyPasswords no/PermitEmptyPasswords no/g" /etc/ssh/sshd_config
sed -i -e "s/#UsePAM no/UsePAM yes/g" /etc/ssh/sshd_config
#modify /etc/pam.d/sshd
cp /etc/pam.d/sshd /etc/pam.d/sshd.bak
cat > /etc/pam.d/sshd <<EOF
#%PAM-1.0
auth required pam_sepermit.so
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
#pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
#pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth
EOF
#copy ssh-copy-id
cp ssh-copy-id /usr/bin
chmod 755 /usr/bin/ssh-copy-id
systemctl restart sshd
systemctl enable sshd
systemctl status sshd
rpm -qa | grep open
systemctl status sshd| grep "Active: active (running)"
if [ $ -eq 0 ]; then
echo -e "\033[32m[INFO] OpenSSH upgraded to 8.8p1 successfully!\033[0m"
else
echo -e "\033[31m[ERROR] OpenSSH upgraded to 8.8p1 faild!\033[0m"
fi
##############################################################
打包离线安装包
cd /root
mkdir opensshUpgrade
cp install.sh opensshUpgrade
cp -r /root/localrepo/ /root/opensshUpgrade/
cp /root/openssh-8.8p1/contrib/ssh-copy-id /root/opensshUpgrade
tar -zcvf openssshUpgrade.tar.gz opensshUpgrade
七、离线安装升级openSSH
将离线升级安装包 openssshUpgrade.tar.gz拷贝到serverB 服务器
tar -zxf openssshUpgrade.tar.gz
cd opensshUpgrade/
bash install.sh | tee install.log
rpm -qa | grep openssl
rpm -qa | grep openssh
systemctl status sshd
内容来源网络,如有侵权,联系删除,本文地址:https://www.230890.com/zhan/132979.html