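# OpenSSH: 配置Yum源 (configure the Yum repositories)
# Fetch the Aliyun CentOS 7 and EPEL 7 repo definitions over HTTPS. These files
# decide where root-installed packages come from and whether gpgcheck applies,
# so they should not travel over plain HTTP. -f keeps an HTTP error page from
# being saved as a .repo file; -sS hides the progress meter but still shows errors.
curl -fsS -o /etc/yum.repos.d/centos-7.repo https://mirrors.aliyun.com/repo/Centos-7.repo
curl -fsS -o /etc/yum.repos.d/epel-7.repo https://mirrors.aliyun.com/repo/epel-7.repo
# Replace the literal $releasever with 7 and delete every line mentioning aliyuncs.
sed -i 's/$releasever/7/g' /etc/yum.repos.d/centos-7.repo
sed -i '/aliyuncs/d' /etc/yum.repos.d/centos-7.repo
# NOTE(review): the baseurl entries inside the downloaded files may still be
# http:// - inspect them and confirm gpgcheck=1 before installing anything.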
安装wget
OpenSSL编译RPM 下载文件
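# Download the OpenSSL 1.1.1w source tarball.
wget https://www.openssl.org/source/old/1.1.1/openssl-1.1.1w.tar.gz
# Integrity check before the tarball is compiled and installed as root: print
# its SHA-256 and compare it with the digest published by the OpenSSL project
# (<EXPECTED_SHA256> - placeholder, this page does not give the value).
sha256sum openssl-1.1.1w.tar.gz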
安装依赖
# Build prerequisites for the OpenSSL RPM: toolchain, Perl, rpm-build and the
# zlib headers (the spec configures OpenSSL with the zlib option).
yum install -y \
  curl which make gcc perl perl-WWW-Curl \
  rpm-build zlib-devel
创建目录
# Lay out the rpmbuild tree under /root, then stage the source tarball.
for sub in BUILD RPMS SOURCES SPECS SRPMS; do
  mkdir -p "/root/rpmbuild/${sub}"
done
cp openssl-1.1.1w.tar.gz /root/rpmbuild/SOURCES/
创建配置文件
# Write the RPM spec that packages OpenSSL 1.1.1w as three packages: openssl,
# openssl-libs and openssl-devel. The tree is installed under /usr/openssl, the
# versioned shared objects are moved to /usr/openssl-libs, and symlinks are
# placed in %{_bindir} and %{_libdir}.
# The heredoc delimiter is quoted ('EOF') so the shell leaves every %{...}
# macro and $ untouched; each spec line must sit on its own line and the
# closing EOF must be alone on its line.
# NOTE(review): the OpenSSL 1.1.1 branch is past upstream end-of-life (1.1.1w,
# 11 Sep 2023, was its last public release), so a build from this tarball will
# not pick up later security fixes - plan for a supported branch.
# NOTE(review): the package is named "openssl" and ships /usr/bin/openssl and
# /usr/lib64 symlinks, so it looks intended to take the place of the
# distribution package - confirm the impact on software linked against the
# distribution libraries before installing.
# NOTE(review): "License: GPLv2+" does not look like OpenSSL's own licence, and
# /usr/openssl/include/* is listed in both %files and %files devel - confirm.
cat << 'EOF' > /root/rpmbuild/SPECS/openssl.spec
Summary: OpenSSL 1.1.1w for Centos
Name: openssl
Version: 1.1.1w
Release: 1%{?dist}
Obsoletes: %{name} <= %{version}
Provides: %{name} = %{version}
URL: https://www.openssl.org/
License: GPLv2+
Source: https://www.openssl.org/source/%{name}-%{version}.tar.gz
BuildRequires: make gcc perl perl-WWW-Curl
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
%global openssldir /usr/openssl
%description
OpenSSL RPM for version 1.1.1w on Centos
%package libs
Summary: OpenSSL shared libraries
Group: System Environment/Libraries
%description libs
The OpenSSL shared libraries provide a robust, commercial-grade, and full-featured toolkit for the TLS and SSL protocols.
%package devel
Summary: Development files for programs which will use the openssl library
Group: Development/Libraries
Requires: %{name} = %{version}-%{release}
Requires: %{name}-libs = %{version}-%{release}
%description devel
OpenSSL RPM for version 1.1.1w on Centos (development package)
%prep
%setup -q
%build
./config --prefix=%{openssldir} --openssldir=%{openssldir} shared zlib
make
%install
[ "%{buildroot}" != "/" ] && %{__rm} -rf %{buildroot}
make DESTDIR=%{buildroot} install
# Move shared libraries to libs package specific directory
mkdir -p %{buildroot}/usr/openssl-libs
mv %{buildroot}%{openssldir}/lib/*.so.* %{buildroot}/usr/openssl-libs/
# Create symbolic links
mkdir -p %{buildroot}%{_bindir}
mkdir -p %{buildroot}%{_libdir}
ln -sf %{openssldir}/bin/openssl %{buildroot}%{_bindir}
ln -sf /usr/openssl-libs/libssl.so.1.1 %{buildroot}%{_libdir}
ln -sf /usr/openssl-libs/libcrypto.so.1.1 %{buildroot}%{_libdir}
%clean
[ "%{buildroot}" != "/" ] && %{__rm} -rf %{buildroot}
%files
%defattr(-,root,root,-)
/usr/openssl/bin/*
/usr/openssl/include/*
/usr/openssl/lib/*
/usr/openssl/share/*
# 添加库文件
/usr/lib64/libcrypto.so.1.1
/usr/lib64/libssl.so.1.1
# 添加可执行文件
/usr/bin/openssl
# 添加配置文件和其它需要的 extras
/usr/openssl/ct_log_list.cnf
/usr/openssl/ct_log_list.cnf.dist
/usr/openssl/misc/CA.pl
/usr/openssl/misc/tsget
/usr/openssl/misc/tsget.pl
/usr/openssl/openssl.cnf
/usr/openssl/openssl.cnf.dist
%files libs
%defattr(-,root,root,-)
/usr/openssl-libs/*.so.*
%files devel
%defattr(-,root,root,-)
/usr/openssl/include/*
%post -p /sbin/ldconfig
%postun -p /sbin/ldconfig
EOF
编译
# Build the binary and source RPMs (-ba) from the spec written above.
rpmbuild -ba /root/rpmbuild/SPECS/openssl.spec
安装
# Install the three freshly built OpenSSL packages (run from the directory that
# holds them - presumably /root/rpmbuild/RPMS/x86_64/).
# NOTE(review): --nodeps and --force switch off rpm's dependency and conflict
# checks. Because these packages are named openssl / openssl-libs, this
# presumably replaces the distribution's OpenSSL packages that other system
# software links against - try it on a disposable host first and keep console
# access when running it on a machine that matters.
rpm -Uvh openssl-1.1.1w-1.el7.x86_64.rpm openssl-libs-1.1.1w-1.el7.x86_64.rpm openssl-devel-1.1.1w-1.el7.x86_64.rpm --nodeps --force
OpenSSL源码安装 openssh-9.8p1依赖openssl 1.1.1,所以需要先安装openssl。下载openssl包
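# Download the OpenSSL 1.1.1w source used for the from-source install.
wget https://www.openssl.org/source/old/1.1.1/openssl-1.1.1w.tar.gz
# This code ends up linked into sshd: print the tarball's SHA-256 and compare
# it with the digest published by the OpenSSL project before building
# (<EXPECTED_SHA256> - placeholder, this page does not give the value).
sha256sum openssl-1.1.1w.tar.gz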
安装依赖
解压压缩包
# Unpack the source tree and work from inside it.
tar -xf openssl-1.1.1w.tar.gz
cd openssl-1.1.1w
xxxxxxxxxx [root@rke ~]# xfs_growfs /dev/sda3meta-data=/dev/sda3 isize=512 agcount=4, agsize=1114048 blks = sectsz=512 attr=2, projid32bit=1 = crc=1 finobt=0 spinodes=0data = bsize=4096 blocks=4456192, imaxpct=25 = sunit=0 swidth=0 blksnaming =version 2 bsize=4096 ascii-ci=0 ftype=1log =internal bsize=4096 blocks=2560, version=2 = sectsz=512 sunit=0 blks, lazy-count=1realtime =none extsz=4096 blocks=0, rtextents=0shell
# Configure with a versioned prefix of its own under /usr/local, then build
# and install; the install step only runs when the build succeeded.
./config --prefix=/usr/local/openssl-1.1.1w
make && make install
备份旧版本
# Keep the previous binary under a versioned name so it can be restored, then
# point /usr/bin/openssl at the new build.
mv /usr/bin/openssl /usr/bin/openssl-1.0.2k
ln -s /usr/local/openssl-1.1.1w/bin/openssl /usr/bin/openssl
添加环境变量
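# Make login shells find the new OpenSSL libraries.
# The delimiter is quoted ('EOF') so $LD_LIBRARY_PATH is written literally and
# evaluated at login, not frozen to whatever it was while writing the file.
# ${LD_LIBRARY_PATH:+:...} appends the previous value only when there is one:
# a bare trailing ':' is an empty search-path entry, which the dynamic loader
# treats as the current directory, so libraries could be loaded from whatever
# directory a command happens to run in.
cat >/etc/profile.d/openssl.sh <<'EOF'
#!/bin/bash
export LD_LIBRARY_PATH=/usr/local/openssl-1.1.1w/lib${LD_LIBRARY_PATH:+:$LD_LIBRARY_PATH}
EOF
# Apply the setting to the current shell and confirm which OpenSSL now runs.
source /etc/profile.d/openssl.sh
openssl version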
编译rpm包 下载openssh源码
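# Download the OpenSSH portable source and its detached signature.
wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.8p1.tar.gz
wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.8p1.tar.gz.asc
# Verify the tarball before building the daemon that will guard remote access.
# The OpenSSH release key must already be in the keyring, with its fingerprint
# checked through a channel other than this download.
gpg --verify openssh-9.8p1.tar.gz.asc openssh-9.8p1.tar.gz

# x11-ssh-askpass comes from the Fedora source cache.
wget https://src.fedoraproject.org/repo/pkgs/openssh/x11-ssh-askpass-1.2.4.1.tar.gz/8f2e41f3f7eaa8543a2440454637f3c3/x11-ssh-askpass-1.2.4.1.tar.gz
# The cache path embeds the file's MD5, so check the download against it.
# MD5 only catches corruption or a wrong file; it is not a tamper-proof check.
echo '8f2e41f3f7eaa8543a2440454637f3c3  x11-ssh-askpass-1.2.4.1.tar.gz' | md5sum -c -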
创建目录
# Unpack OpenSSH under /home only to get at the spec file shipped in contrib/.
tar -x -f openssh-9.8p1.tar.gz -C /home/
# Stage both source tarballs and the Red Hat spec in the rpmbuild tree.
mkdir -p /root/rpmbuild/{SOURCES,SPECS}
cp /root/openssh-9.8p1.tar.gz /root/x11-ssh-askpass-1.2.4.1.tar.gz /root/rpmbuild/SOURCES/
cp /home/openssh-9.8p1/contrib/redhat/openssh.spec /root/rpmbuild/SPECS/
编辑/root/rpmbuild/SPECS/openssh.spec,删除 --without-openssl 部分
# Do we want to disable building of x11-askpass? (1=yes 0=no) %global no_x11_askpass 1 # Do we want to disable building of gnome-askpass? (1=yes 0=no) %global no_gnome_askpass 1 %configure \ --sysconfdir=%{_sysconfdir}/ssh \ --libexecdir=%{_libexecdir}/openssh \ --datadir=%{_datadir}/openssh \ --with-default-path=/usr/local/bin:/bin:/usr/bin \ --with-superuser-path=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin \ --with-privsep-path=%{_var}/empty/sshd \ --mandir=%{_mandir} \ --with-mantype=man \ --disable-strip \ #%if %{without_openssl} # --without-openssl \ #%endif
安装依赖
# Build dependencies for the OpenSSH RPM (PAM, Kerberos, X11/GTK headers, toolchain).
yum -y install \
  rpm-build glibc-devel libXt-devel imake \
  gtk2-devel krb5-devel gcc pam-devel
编译
# Build the binary and source RPMs (-ba) from the edited spec.
cd /root/rpmbuild/SPECS/
rpmbuild -ba openssh.spec
编译后的rpm包路径:/root/rpmbuild/RPMS/x86_64/
升级 启动http服务
# Temporary file server for handing the packages to the target hosts.
# SimpleHTTPServer publishes the whole current directory on port 8899 without
# authentication or encryption, listening on all interfaces by default. Start
# it from a directory that holds only the files to transfer, and stop it
# (Ctrl-C) as soon as the download is done. Copying with scp avoids the open
# listener altogether.
python -m SimpleHTTPServer 8899
下载文件
# Pull the package archive from the build host. The transfer is plain HTTP, so
# compare `sha256sum el8.tar` here with the same command's output on the build
# host before installing anything from it as root.
# NOTE(review): the archive is named el8.tar while the packages built above are
# el7, and the steps that create and unpack the archive are not shown on this
# page - confirm the right file is being fetched.
wget http://10.217.13.36:8899/el8.tar
备份配置文件
# Keep a copy of the current sshd configuration for the comparison below.
# NOTE(review): /tmp is shared by all users and may be cleared on reboot - a
# root-only directory is a safer place if the backup must outlive the upgrade.
cp /etc/ssh/sshd_config /tmp/
升级
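# Upgrade to the OpenSSH packages found in the current directory.
rpm -Uvh ./*.rpm
# Keep the current SSH session open, and restart only if the new sshd accepts
# the existing configuration and host keys (-t is sshd's test mode). A restart
# with a rejected option or key file would leave the host with no sshd to log
# in through.
/usr/sbin/sshd -t && systemctl restart sshd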
对比diff配置文件
# Compare the configuration now in place with the pre-upgrade backup, and review
# every difference: an overwritten file can silently drop local hardening.
diff /etc/ssh/sshd_config /tmp/sshd_config
RHEL7.8需要执行以下操作:
# Restrict the private host keys to their owner only.
# NOTE(review): other host key types present on the system (for example an
# ECDSA key) presumably need the same treatment - confirm.
sudo chmod 0600 /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_ed25519_key
如果用户登录失败,检查selinux,关闭selinux
# Switch SELinux to permissive mode for the running system ...
# NOTE(review): treat this as a diagnostic step only. If logins work afterwards,
# look for the denial in the audit log (ausearch -m avc -ts recent), restore
# the file contexts (restorecon -Rv /etc/ssh) and re-enable with `setenforce 1`.
setenforce 0
# ... and disable it permanently from the next boot.
# NOTE(review): this removes mandatory access control for the whole host, not
# just for sshd; SELINUX=permissive keeps logging denials if enforcement really
# has to stay off for a while.
sudo sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
验证版本
$ ssh -V OpenSSH_9.8p1, OpenSSL 1.1.1w 11 Sep 2023
参考链接:https://blog.csdn.net/fanxl10/article/details/139302942