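Upgrading OpenSSH to 8.3 on CentOS 7 via RPM
Background:
A security scan flagged vulnerabilities in OpenSSH versions earlier than 8.1, so it has to be upgraded to a version later than 8.1.
Use rpmbuild to package the tarball as RPMs; upgrading by compiling from source is rather troublesome and time-consuming.
Install the required dependencies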
yum install rpm-build zlib-devel openssl-devel gcc perl-devel pam-devel unzip -y
Download the source tarballs
wget https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/openssh-8.3p1.tar.gz
wget http://ftp.riken.jp/Linux/momonga/6/Everything/SOURCES/x11-ssh-askpass-1.2.4.1.tar.gz
Create the required directories
mkdir -p /root/rpmbuild/{SOURCES,SPECS}
Copy the required packages into that directory
cd /root/rpmbuild/
cp /root/openssh-8.3p1.tar.gz .
tar xf openssh-8.3p1.tar.gz
cp openssh-8.3p1/contrib/redhat/openssh.spec /root/rpmbuild/
cp /root/openssh-8.3p1.tar.gz /root/rpmbuild/SOURCES/
cp /root/x11-ssh-askpass-1.2.4.1.tar.gz /root/rpmbuild/SOURCES/
Modify the configuration file
sed -i -e "s/%define no_x11_askpass 0/%define no_x11_askpass 1/g" openssh.spec
sed -i -e "s/%define no_gnome_askpass 0/%define no_gnome_askpass 1/g" openssh.spec
Build
rpmbuild -ba openssh.spec
Error
error: Failed build dependencies:
/usr/include/X11/Xlib.h is needed by openssh-8.3.p1-1.el7.x86_64
libXt-devel is needed by openssh-8.3.p1-1.el7.x86_64
imake is needed by openssh-8.3.p1-1.el7.x86_64
gtk2-devel is needed by openssh-8.3.p1-1.el7.x86_64
Solution
yum install libXt-devel imake gtk2-devel openssl-libs -y
Second error: openssl-devel < 1.1 is needed by openssh-8.3p1-1.el7.x86_64
构建依赖失败:openssl-devel < 1.1 被 openssh-8.3p1-1.el7.x86_64 需要
Solution:
[root@localhost SPECS]# vim openssh.spec
Comment out the line BuildRequires: openssl-devel < 1.1
Third error:
RPM build errors:
Installed (but unpackaged) file(s) found:
/usr/libexec/openssh/ssh-sk-helper
/usr/share/man/man8/ssh-sk-helper.8.gz
Solution:
vi /usr/lib/rpm/macros
#%__check_files %{_rpmconfigdir}/check-files %{buildroot}
Comment out this line
Packaging succeeded
写道:/root/rpmbuild/SRPMS/openssh-8.3p1-1.el7.src.rpm
写道:/root/rpmbuild/RPMS/x86_64/openssh-8.3p1-1.el7.x86_64.rpm
写道:/root/rpmbuild/RPMS/x86_64/openssh-clients-8.3p1-1.el7.x86_64.rpm
写道:/root/rpmbuild/RPMS/x86_64/openssh-server-8.3p1-1.el7.x86_64.rpm
写道:/root/rpmbuild/RPMS/x86_64/openssh-askpass-8.3p1-1.el7.x86_64.rpm
写道:/root/rpmbuild/RPMS/x86_64/openssh-askpass-gnome-8.3p1-1.el7.x86_64.rpm
写道:/root/rpmbuild/RPMS/x86_64/openssh-debuginfo-8.3p1-1.el7.x86_64.rpm
执行(%clean): /bin/sh -e /var/tmp/rpm-tmp.5M8cIL
+ umask 022
+ cd /root/rpmbuild/BUILD
+ cd openssh-8.3p1
+ rm -rf /root/rpmbuild/BUILDROOT/openssh-8.3p1-1.el7.x86_64
+ exit 0
Back up the PAM file before upgrading
cp /etc/pam.d/{sshd,sshd.bak}
Start the upgrade
rpm -Uvh *rpm
Installation failed
[root@localhost ~]# rpm -Uvh openssh-*
错误:依赖检测失败:
libcrypto.so.10(OPENSSL_1.0.2)(64bit) 被 openssh-8.3p1-1.el7.centos.x86_64 需要
libICE.so.6()(64bit) 被 openssh-askpass-8.3p1-1.el7.centos.x86_64 需要
libSM.so.6()(64bit) 被 openssh-askpass-8.3p1-1.el7.centos.x86_64 需要
libXt.so.6()(64bit) 被 openssh-askpass-8.3p1-1.el7.centos.x86_64 需要
libcrypto.so.10(OPENSSL_1.0.2)(64bit) 被 openssh-clients-8.3p1-1.el7.centos.x86_64 需要
libcrypto.so.10(OPENSSL_1.0.2)(64bit) 被 openssh-server-8.3p1-1.el7.centos.x86_64 需要
[root@localhost ~]# yum -y install openssl-libs libcrypto libICE libXt libSM
Continue the installation
rpm -Uvh *rpm
Fix permissions
[root@localhost ~]# cd /etc/ssh/
[root@localhost ssh]# chmod 400 ssh_host_ecdsa_key ssh_host_ed25519_key ssh_host_rsa_key
# Allow root login
[root@localhost ssh]# echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
[root@localhost pam.d]# cp sshd sshd.2020.bak
[root@localhost pam.d]# cp sshd.bak sshd
Restart sshd and verify
[root@localhost pam.d]# systemctl restart sshd
[root@localhost pam.d]# ssh -V
OpenSSH_8.3p1, OpenSSL 1.0.2k-fips 26 Jan 2017
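Added example (not part of the original post): a pre-restart check for the permission and sshd_config steps above. It reports host keys whose mode upstream sshd would reject and the PermitRootLogin value that actually applies, since sshd uses the first occurrence of a keyword and a line appended with >> can be shadowed or land inside a Match block. The function names, the --live flag and the /usr/sbin/sshd path are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the original post: checks to run after `rpm -Uvh`
# and before `systemctl restart sshd`. Function names are hypothetical.

# Return 0 only if no private host key in directory $1 has group/other
# permission bits set; upstream sshd ignores keys that are "too open".
check_host_key_modes() {
    bad=0
    for key in "$1"/ssh_host_*_key; do
        [ -e "$key" ] || continue
        mode=$(stat -c '%a' "$key")        # GNU stat, prints e.g. 640
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "too open: $key (mode $mode)"
            bad=1
        fi
    done
    return "$bad"
}

# Print the PermitRootLogin value that applies globally in config file $1.
# sshd uses the FIRST occurrence of a keyword, and everything after a Match
# line is conditional, so a line appended with `>>` may never take effect.
# Simplified parser (whitespace-separated form only); on a live host
# `/usr/sbin/sshd -T` is authoritative.
effective_root_login() {
    awk 'tolower($1) == "match"           { exit }
         tolower($1) == "permitrootlogin" { print $2; found = 1; exit }
         END { if (!found) print "prohibit-password" }  # upstream default since 7.0
        ' "$1"
}

# Live use on the upgraded host: sh sshd_precheck.sh --live
if [ "${1:-}" = "--live" ]; then
    check_host_key_modes /etc/ssh || exit 1
    echo "PermitRootLogin (global): $(effective_root_login /etc/ssh/sshd_config)"
    # Test mode: validates config and keys; sshd needs an absolute path.
    /usr/sbin/sshd -t || exit 1
fi
```

Keep the current SSH session open while restarting sshd, and restart only if every check passes.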