openssh和openssl升级

2024-05-07 15:44:41 浏览数 (3)

一 CentOS7.6

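# --- CentOS 7.6: build OpenSSL 1.1.1l from source and put it in front of the distro copy ---
# Intended to be pasted step by step as root on a console/out-of-band session.
#
# Build prerequisites. The original list was split over two lines without a
# continuation (the second line ran as a separate, failing command) and had
# "gcc-c++" truncated to "gcc-c"; one continued command fixes both.
yum install -y gcc gcc-c++ glibc make autoconf pcre-devel \
  pam-devel automake makedepend perl-Test-Simple perl zlib zlib-devel

# Record where the distro's openssl currently lives before touching anything.
find / -name openssl

# Interactive shells often alias mv/rm/cp to "-i"; drop the aliases so the moves
# below do not prompt. The redirect hides the error when no alias exists
# (e.g. when this is run from a script).
unalias mv 2>/dev/null
unalias rm 2>/dev/null

# Park the distro binary, library dir, headers and CA-trust extract under .bak
# names. NOTE: rpm-managed tools (yum, curl, ...) keep using the distro libssl
# from /usr/lib64; the moved CA-trust directory is NOT recreated by this
# procedure — keep the rollback (move the .bak names back) at hand.
mv /usr/bin/openssl                    /usr/bin/openssl.2023.bak
mv /usr/lib64/openssl                  /usr/lib64/openssl.2023.bak
mv /usr/include/openssl                /usr/include/openssl.2023.bak
mv /etc/pki/ca-trust/extracted/openssl /etc/pki/ca-trust/extracted/openssl.2023.bak

mkdir -p /tmp/newOpenssh
cd /tmp/newOpenssh || exit 1

# Upload openssl-1.1.1l.tar.gz to this directory first. Before extracting,
# compare `sha256sum openssl-1.1.1l.tar.gz` with the digest published on the
# openssl.org release page (not reproduced here) so a tampered or truncated
# download is not compiled into the host's TLS stack.
tar -zxvf openssl-1.1.1l.tar.gz
cd openssl-1.1.1l || exit 1
# Default prefix is /usr/local (binary in /usr/local/bin, libraries in
# /usr/local/lib64, OPENSSLDIR /usr/local/ssl).
./config shared -fPIC
make depend
# $? after an AND-list is the status of the last command that ran, so a failing
# `make` is reported here too.
make && make install
echo $?

unalias cp 2>/dev/null
# Headers go to /usr/include/openssl (the distro set was moved away above) so
# builds that do not pass -I/usr/local/include still find the 1.1.1 headers.
cp -rvf include/openssl /usr/include/
# -snf makes the link idempotent on re-runs (plain -s fails if the target exists).
ln -snf /usr/local/bin/openssl /usr/bin/openssl
# Point the system-wide 1.1 SONAMEs at the freshly built libraries.
ln -snf /usr/local/lib64/libssl.so.1.1 /usr/lib64/libssl.so
ln -snf /usr/local/lib64/libssl.so.1.1 /usr/lib64/libssl.so.1.1
ln -snf /usr/local/lib64/libcrypto.so.1.1 /usr/lib64/libcrypto.so
ln -snf /usr/local/lib64/libcrypto.so.1.1 /usr/lib64/libcrypto.so.1.1
# Register the new lib dir with the dynamic linker once; the original appended
# unconditionally, duplicating the line on every run.
grep -qxF "/usr/local/lib64" /etc/ld.so.conf || echo "/usr/local/lib64" >> /etc/ld.so.conf
ldconfig
# The original then did `cp /usr/local/bin/openssl /usr/bin/openssl`; with the
# symlink in place cp follows it and refuses to copy a file onto itself, so the
# copy is dropped and the symlink is what /usr/bin/openssl resolves to.
openssl version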
 
 
 
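 # Extra development packages for the OpenSSH build. The original list had lost
 # its spaces/line breaks ("libpng-develfreetype", "opensslopenssl-devel",
 # "openldap-clientsopenldap-servers", ...) and the flag was fused to the
 # command ("yum-y"); restored with line continuations.
 # NOTE(review): installing openssl-devel here may put the distro 1.0.2 headers
 # back into /usr/include/openssl, which the previous step populated with the
 # 1.1.1 headers — confirm in config.log which header set the openssh
 # configure picks up.
 yum -y install gcc gcc-c++ autoconf libjpeg libjpeg-devel libpng libpng-devel freetype \
   freetype-devel libxml2 libxml2-devel zlib zlib-devel glibc glibc-devel glib2 glib2-devel \
   bzip2 bzip2-devel ncurses ncurses-devel curl curl-devel e2fsprogs e2fsprogs-devel krb5 \
   krb5-devel libidn libidn-devel openssl openssl-devel openldap openldap-devel nss_ldap \
   openldap-clients openldap-servers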

 
 
 升级openssh
 
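 # --- CentOS 7.6: replace the distro OpenSSH with OpenSSH 9.0p1 built against the new OpenSSL ---
 # Run as root from a console or out-of-band session: sshd is stopped and
 # replaced below, and a failing build or an incompatible sshd_config leaves the
 # host unreachable over SSH.
 cd /tmp/newOpenssh || exit 1

 # Upload openssh-9.0p1.tar.gz to this directory first, and compare its
 # sha256sum with the digest published on openssh.com before extracting.

 # Record and back up the current client, daemon and configuration tree.
 ls -lrt /usr/bin/ssh
 ls -lrt /usr/sbin/sshd
 ls -lrt /etc/ssh

 mv /usr/bin/ssh /usr/bin/ssh.bak.2023
 mv /usr/sbin/sshd /usr/sbin/sshd.bak.2023
 mv /etc/ssh /etc/ssh.bak.2023

 tar -zxvf openssh-9.0p1.tar.gz
 cd openssh-9.0p1/ || exit 1

 # --with-ssl-dir=/usr/local/ssl appears to be the OPENSSLDIR of the 1.1.1l build
 # above; its headers/libraries actually live in /usr/local/include and
 # /usr/local/lib64, which is why they were copied/linked into /usr/include and
 # /usr/lib64 earlier. --prefix=/usr/ installs ssh/sshd over the distro paths.
 ./configure --prefix=/usr/ --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/ssl \
   --with-zlib --with-md5-passwords --with-pam --with-ssl-engine

 make && make install
 echo $?
 ssh -V

 # Install the Red Hat init script and PAM stack shipped in the source tree.
 cp -a ./contrib/redhat/sshd.init /etc/init.d/sshd
 # NOTE(review): sshd looks up the PAM service by name, i.e. /etc/pam.d/sshd; a
 # file called sshd.pam is not consulted. Kept as in the original — the PAM
 # section of this guide adds /etc/pam.d/sshd separately.
 cp -a ./contrib/redhat/sshd.pam /etc/pam.d/sshd.pam
 systemctl stop sshd.service
 mv /usr/lib/systemd/system/sshd.service /usr/lib/systemd/system/sshd.service.bak
 # Keep the previously tuned sshd_config rather than the upstream default that
 # `make install` just wrote. Check it with `sshd -t` before restarting: options
 # removed in 9.0 would stop the new daemon from starting.
 mv /etc/ssh/sshd_config /etc/ssh/sshd_config-2023
 cp /etc/ssh.bak.2023/sshd_config /etc/ssh/
 systemctl daemon-reload

 # Start once through the SysV script so systemd's sysv generator produces a
 # unit, then persist that generated unit as the real one.
 /etc/init.d/sshd start
 cp /run/systemd/generator.late/sshd.service /usr/lib/systemd/system/sshd.service
 systemctl daemon-reload ; systemctl restart sshd ; systemctl enable sshd
 systemctl status sshd
 ssh -V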

二 CentOS7.9


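#!/bin/bash
# CentOS 7.9: build OpenSSL 1.1.1w into /usr/local/openssl, then build OpenSSH 9.6p1
# against it and swap it in for the distro openssh rpms.
#
# Must run as root, from a console or an out-of-band session — not over the SSH
# connection being replaced: sshd is stopped, erased and reconfigured mid-way,
# and a failed build or a bad sshd_config leaves the host unreachable.
#
# Fixes relative to the original listing:
#   * `if [ $? -eq 0 ]` was evaluated after a `sleep`, so it always tested sleep's
#     status; the build status is now captured right after make.
#   * the ./configure options were split over three lines without `\`, so the
#     2nd and 3rd lines ran as separate (failing) commands.
#   * `ll` is an interactive alias that does not exist in a script; `ls -l` is used.
#   * the ESC byte of the colour escapes had lost its backslash (`33[32m`).
#   * the Chinese remark after `yum -y install openssh` was shell syntax, not a
#     comment, and the sshd.init copy was duplicated.
#   * /etc/sysconfig/sshd was moved to /opt and never moved back.

# NOTE: 1.1.1w is the final release of the 1.1.1 branch, which no longer
# receives public security fixes (EOL September 2023); plan a move to a
# supported branch.
readonly OPENSSL_VER=1.1.1w
readonly OPENSSH_VER=9.6p1
readonly OPENSSL_PREFIX=/usr/local/openssl
readonly OPENSSH_PREFIX=/usr/local/openssh
readonly SRC_DIR=/opt
readonly JOBS=${JOBS:-4}

# Expected SHA-256 of the two tarballs, taken from the upstream release pages
# (openssl.org/source and openssh.com/portable.html). Left empty, the check is
# skipped with a warning; fill them in so a tampered or truncated download
# aborts the run instead of being compiled into the host's TLS and SSH stack.
OPENSSL_SHA256=${OPENSSL_SHA256:-}   # <SHA256_OF_openssl-1.1.1w.tar.gz>
OPENSSH_SHA256=${OPENSSH_SHA256:-}   # <SHA256_OF_openssh-9.6p1.tar.gz>

# Colour helpers; the original used `echo -e "\033[31m...\033[0m"`.
red()   { printf '\033[31m%s\033[0m\n' "$*"; }
green() { printf '\033[32m%s\033[0m\n' "$*"; }

die() { printf 'ERROR: %s\n' "$*" >&2; exit 1; }

#######################################
# Check a downloaded tarball against an expected SHA-256.
# Arguments: $1 - file, $2 - expected hex digest (empty -> warn and accept)
# Returns:   0 when verified or no digest configured; exits 1 on mismatch
#######################################
verify_sha256() {
  local file=$1 expected=$2
  if [ -z "$expected" ]; then
    printf 'WARNING: no checksum configured for %s; integrity not verified\n' "$file" >&2
    return 0
  fi
  printf '%s  %s\n' "$expected" "$file" | sha256sum -c --quiet - \
    || die "checksum mismatch for $file"
}

#######################################
# Build OpenSSL into $OPENSSL_PREFIX and make it the `openssl` on PATH.
# Globals:   OPENSSL_VER, OPENSSL_PREFIX, SRC_DIR, JOBS, OPENSSL_SHA256
# Outputs:   build output; version/path summary on stdout
# Returns:   exits 1 on download/build failure
#######################################
install_openssl() {
  local tarball="openssl-${OPENSSL_VER}.tar.gz"
  local status

  echo "Install_openssl"
  sleep 3
  # Remove openssl*/openssh* source trees and tarballs left by earlier runs.
  rm -rf "${SRC_DIR:?}"/openss*
  cd "$SRC_DIR" || die "cannot cd to $SRC_DIR"

  # TLS verification is left on (the original passed --no-check-certificate).
  # If the download fails because the host's CA bundle is stale, update
  # ca-certificates instead of disabling verification of the crypto library source.
  wget -O "$tarball" "https://www.openssl.org/source/${tarball}" \
    || die "download of $tarball failed"
  verify_sha256 "$tarball" "$OPENSSL_SHA256"

  tar -zxvf "$tarball" || die "extracting $tarball failed"
  cd "openssl-${OPENSSL_VER}/" || die "source tree missing"

  ./config --prefix="$OPENSSL_PREFIX"
  ./config -t   # prints the resolved configuration; does not change it
  make -j "$JOBS" && make install
  status=$?     # captured before anything else can overwrite $?
  sleep 2

  if [ "$status" -ne 0 ]; then
    red "openssl build/install failed (status $status)"
    sleep 2
    exit 1
  fi

  ldd "$OPENSSL_PREFIX/bin/openssl"
  # Register the private lib dir with the dynamic linker once; re-runs must not
  # keep appending the same line.
  grep -qxF "$OPENSSL_PREFIX/lib" /etc/ld.so.conf \
    || echo "$OPENSSL_PREFIX/lib" >> /etc/ld.so.conf
  ldconfig -v
  # /usr/bin/openssl is rpm-owned; expect a later yum update of the openssl rpm
  # to put the distro binary back here.
  mv /usr/bin/openssl /usr/bin/openssl.bak
  ln -s "$OPENSSL_PREFIX/bin/openssl" /usr/bin/openssl
  ls -l /usr/bin/openssl
  ldd "$OPENSSL_PREFIX/bin/openssl"

  sleep 1
  green "当前版本路径:$(which openssl)"
  red "当前版本:$(openssl version)"
}

#######################################
# Build OpenSSH against $OPENSSL_PREFIX and replace the distro openssh rpms.
# Globals:   OPENSSH_VER, OPENSSH_PREFIX, OPENSSL_PREFIX, SRC_DIR, JOBS, OPENSSH_SHA256
# Outputs:   build output; version/path summary on stdout
# Returns:   exits 1 on download/configure/build failure
#######################################
install_openssh() {
  local tarball="openssh-${OPENSSH_VER}.tar.gz"
  local src="${SRC_DIR}/openssh-${OPENSSH_VER}"
  local status

  echo "Install_openssh"
  sleep 5
  cd "$SRC_DIR" || die "cannot cd to $SRC_DIR"

  wget -O "$tarball" "https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/${tarball}" \
    || die "download of $tarball failed"
  verify_sha256 "$tarball" "$OPENSSH_SHA256"
  tar -zxvf "$tarball" || die "extracting $tarball failed"

  # Set the existing config tree aside; `make install` writes upstream defaults
  # into /etc/ssh, which `rpm -e` then leaves behind as *.rpmsave (restored
  # below). Host keys in /etc/ssh_bak are NOT carried over, so clients will see
  # a changed host key unless they are copied back. On a re-run mv would nest
  # /etc/ssh inside an existing /etc/ssh_bak.
  mv /etc/ssh /etc/ssh_bak

  cd "$src" || die "source tree missing"
  sleep 3
  # --without-hardening drops the compiler/linker hardening flags (PIE, stack
  # protector, RELRO) from sshd and --without-openssl-header-check skips the
  # header/library version consistency check; both weaken the build and were
  # presumably added to get past build errors — drop them if the build succeeds
  # without them. --with-zlib=/usr/local/zlib assumes a zlib under that prefix
  # (kept from the original; verify it exists or use the distro zlib).
  ./configure --prefix="$OPENSSH_PREFIX" --sysconfdir=/etc/ssh --with-pam \
    --with-ssl-dir="$OPENSSL_PREFIX" --with-md5-passwords --mandir=/usr/share/man \
    --with-zlib=/usr/local/zlib --without-hardening --without-openssl-header-check \
    || die "configure failed"

  sleep 5
  make -j "$JOBS" && make install
  status=$?
  sleep 5

  if [ "$status" -ne 0 ]; then
    red "openssh build/install failed (status $status)"
    exit 1
  fi

  mv /usr/sbin/sshd /usr/sbin/sshd_bak
  # Keep the distro environment file and unit out of rpm's way while the
  # packages are erased; both are moved back below.
  mv /etc/sysconfig/sshd "$SRC_DIR"
  mv /usr/lib/systemd/system/sshd.service "$SRC_DIR"
  cp -arf "$OPENSSH_PREFIX/sbin/sshd" /usr/sbin/sshd
  sleep 3

  # Erase every openssh rpm (server, clients, base). rpm still removes the
  # /usr/sbin/sshd just copied in, which is why it is copied again afterwards;
  # the freshly installed config files become *.rpmsave.
  rpm -qa | grep openssh | xargs -r -n1 rpm -e --nodeps

  mv /etc/ssh/sshd_config.rpmsave /etc/ssh/sshd_config
  mv /etc/ssh/ssh_config.rpmsave /etc/ssh/ssh_config
  mv /etc/ssh/moduli.rpmsave /etc/ssh/moduli
  cp -arf "$OPENSSH_PREFIX"/bin/* /usr/bin/
  cp -arf "$OPENSSH_PREFIX/sbin/sshd" /usr/sbin/sshd
  cp "$src/contrib/redhat/sshd.init" /etc/init.d/sshd
  # NOTE(review): PAM looks up the service by name, i.e. /etc/pam.d/sshd; a file
  # named sshd.pam is not consulted. Kept as in the original — the PAM section
  # of this guide installs /etc/pam.d/sshd separately.
  cp -a "$src/contrib/redhat/sshd.pam" /etc/pam.d/sshd.pam
  mv "$SRC_DIR/sshd.service" /usr/lib/systemd/system/
  # Restore the EnvironmentFile the distro unit references; the original left
  # it in /opt, and a unit with `EnvironmentFile=/etc/sysconfig/sshd` (no `-`)
  # does not start without it.
  mv -f "$SRC_DIR/sshd" /etc/sysconfig/sshd

  # Kept from the original: direct root login over SSH. Upstream's default is
  # prohibit-password, and sshd honours the first matching directive, so this
  # appended line only takes effect if no earlier PermitRootLogin line exists.
  # Prefer key-only root access or a sudo account on any host reachable from
  # untrusted networks.
  echo "PermitRootLogin yes" >> /etc/ssh/sshd_config

  sleep 5
  systemctl daemon-reload
  # The rpm -e loop above also erased the openssh base package; reinstall it.
  # NOTE(review): the rpm owns files under /usr/bin as well — check `rpm -ql openssh`
  # against what was just copied from $OPENSSH_PREFIX/bin so the distro versions
  # do not silently replace the 9.6p1 tools.
  yum -y install openssh
  systemctl start sshd ; systemctl enable sshd
  systemctl status sshd

  sleep 2
  red "当前版本:$(ssh -V 2>&1)"
  green "当前版本路径:$(which ssh)"
}

main() {
  install_openssl
  sleep 10
  install_openssh
}

main "$@"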

	

openssh 编译安装时会检查 PAM 模块,因此需要 /etc/pam.d/sshd 文件:没有时按下面内容添加,已有则无需改动。

#%PAM-1.0
auth       substack     password-auth
auth       include      postlogin
account    required     pam_sepermit.so
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
## pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
## pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    optional     pam_motd.so
session    include      password-auth
session    include      postlogin

麒麟系统升级openssh

[root@localhost ~]# cat /etc/os-release 
NAME="Kylin Linux Advanced Server"
VERSION="V10 (Sword)"
ID="kylin"
VERSION_ID="V10"
PRETTY_NAME="Kylin Linux Advanced Server V10 (Sword)"
ANSI_COLOR="0;31"


升级openssh
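#!/bin/bash
# Kylin V10: build OpenSSH 9.6p1 against the OpenSSL in /usr/local/openssl and
# replace the distro openssh rpms with it.
#
# Must run as root, from a console or out-of-band session — not over the SSH
# connection being replaced (sshd is stopped, erased and reconfigured mid-way).
#
# Fixes relative to the original listing:
#   * `[ "$pwd"="/opt/openssh-9.6p1" ]` had no spaces around `=`, so it tested a
#     single non-empty string and was always true; and $pwd was captured before
#     the cd. The check now compares the current directory after the cd.
#   * `if [ $? -eq 0 ]` followed a `sleep`, so it tested sleep's status.
#   * the ./configure options were split over two lines without `\`, so the
#     second line ran as a separate (failing) command.
#   * the ESC byte of the colour escapes had lost its backslash (`33[32m`).
#   * duplicated sshd.init copy removed; /etc/sysconfig/sshd is moved back.

readonly OPENSSH_VER=9.6p1
readonly OPENSSH_PREFIX=/usr/local/openssh
readonly OPENSSL_PREFIX=/usr/local/openssl
readonly SRC_DIR=/opt
readonly JOBS=${JOBS:-4}

# Expected SHA-256 of the tarball from openssh.com/portable.html. Left empty
# the check is skipped with a warning; fill it in so a tampered or truncated
# download aborts the run instead of becoming the host's SSH daemon.
OPENSSH_SHA256=${OPENSSH_SHA256:-}   # <SHA256_OF_openssh-9.6p1.tar.gz>

# Colour helpers; the original used `echo -e "\033[31m...\033[0m"`.
red()    { printf '\033[31m%s\033[0m\n' "$*"; }
green()  { printf '\033[32m%s\033[0m\n' "$*"; }
yellow() { printf '\033[33m%s\033[0m\n' "$*"; }

die() { printf 'ERROR: %s\n' "$*" >&2; exit 1; }

#######################################
# Check a downloaded tarball against an expected SHA-256.
# Arguments: $1 - file, $2 - expected hex digest (empty -> warn and accept)
# Returns:   0 when verified or no digest configured; exits 1 on mismatch
#######################################
verify_sha256() {
  local file=$1 expected=$2
  if [ -z "$expected" ]; then
    printf 'WARNING: no checksum configured for %s; integrity not verified\n' "$file" >&2
    return 0
  fi
  printf '%s  %s\n' "$expected" "$file" | sha256sum -c --quiet - \
    || die "checksum mismatch for $file"
}

#######################################
# Download, build and install OpenSSH, then replace the distro packages.
# Globals:   OPENSSH_VER, OPENSSH_PREFIX, OPENSSL_PREFIX, SRC_DIR, JOBS, OPENSSH_SHA256
# Outputs:   build output; version/path summary on stdout
# Returns:   exits 1 on download/configure/build failure
#######################################
main() {
  local tarball="openssh-${OPENSSH_VER}.tar.gz"
  local src="${SRC_DIR}/openssh-${OPENSSH_VER}"
  local status

  # Satisfies configure's libcrypto/header check (see the "working libcrypto
  # not found" section of this guide).
  # NOTE(review): with the distro openssl-devel and /usr/local/openssl both
  # present, confirm in config.log which OpenSSL configure actually picked,
  # otherwise sshd may link against the distro libcrypto.
  yum install -y openssl-devel

  cd "$SRC_DIR" || die "cannot cd to $SRC_DIR"
  wget -O "$tarball" "https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/${tarball}" \
    || die "download of $tarball failed"
  verify_sha256 "$tarball" "$OPENSSH_SHA256"
  tar -zxvf "$tarball" || die "extracting $tarball failed"

  # Set the existing config tree aside; `make install` writes upstream defaults
  # into /etc/ssh, which `rpm -e` then leaves behind as *.rpmsave (restored
  # below). Host keys in /etc/ssh_bak are NOT carried over. On a re-run mv would
  # nest /etc/ssh inside an existing /etc/ssh_bak.
  mv /etc/ssh /etc/ssh_bak

  cd "./openssh-${OPENSSH_VER}" || die "source tree missing"
  pwd
  sleep 3

  # Guard against configuring in the wrong tree (e.g. after a failed extract).
  if [ "$(pwd)" != "$src" ]; then
    echo "当前工作目录不是 $src"
    exit 1
  fi
  # --without-hardening drops the compiler/linker hardening flags (PIE, stack
  # protector, RELRO) from sshd and --without-openssl-header-check skips the
  # header/library version consistency check; both weaken the build and were
  # presumably added to get past build errors — drop them if the build succeeds
  # without them. --with-zlib=/usr/local/zlib assumes a zlib under that prefix
  # (kept from the original; verify it exists or use the distro zlib).
  ./configure --prefix="$OPENSSH_PREFIX" --sysconfdir=/etc/ssh \
    --with-ssl-dir="$OPENSSL_PREFIX" --with-md5-passwords --mandir=/usr/share/man \
    --with-zlib=/usr/local/zlib --without-hardening --without-openssl-header-check \
    || die "configure failed"

  sleep 10
  make -j "$JOBS" && make install
  status=$?     # captured before anything else can overwrite $?
  sleep 10

  if [ "$status" -ne 0 ]; then
    red "openssh build/install failed (status $status)"
    exit 1
  fi

  mv -f /usr/sbin/sshd /usr/sbin/sshd_bak
  # Keep the distro environment file and unit out of rpm's way while the
  # packages are erased; both are moved back below.
  mv -f /etc/sysconfig/sshd "$SRC_DIR"
  mv -f /usr/lib/systemd/system/sshd.service "$SRC_DIR"
  cp -arf "$OPENSSH_PREFIX/sbin/sshd" /usr/sbin/sshd
  sleep 6

  # Erase every openssh rpm. rpm still removes the /usr/sbin/sshd just copied
  # in (hence the second copy below); the freshly installed config files are
  # left behind as *.rpmsave.
  rpm -qa | grep openssh | xargs -r -n1 rpm -e --nodeps

  mv -f /etc/ssh/sshd_config.rpmsave /etc/ssh/sshd_config
  mv -f /etc/ssh/ssh_config.rpmsave /etc/ssh/ssh_config
  mv -f /etc/ssh/moduli.rpmsave /etc/ssh/moduli
  cp -arf "$OPENSSH_PREFIX"/bin/* /usr/bin/
  cp -arf "$OPENSSH_PREFIX/sbin/sshd" /usr/sbin/sshd
  cp "$src/contrib/redhat/sshd.init" /etc/init.d/sshd
  # NOTE(review): PAM looks up the service by name, i.e. /etc/pam.d/sshd; a file
  # named sshd.pam is not consulted. Kept as in the original — the PAM section
  # of this guide installs /etc/pam.d/sshd separately.
  cp -a "$src/contrib/redhat/sshd.pam" /etc/pam.d/sshd.pam
  mv "$SRC_DIR/sshd.service" /usr/lib/systemd/system/
  # Restore the EnvironmentFile referenced by the unit (the original left it in /opt).
  mv -f "$SRC_DIR/sshd" /etc/sysconfig/sshd

  sleep 5
  # Kept from the original. The sed only rewrites an active `PermitRootLogin no`
  # line; upstream's default is a commented `#PermitRootLogin prohibit-password`,
  # so on a fresh config it changes nothing. AllowUsers also applies to root:
  # with only `lsy` listed, root cannot log in over SSH at all, and if that
  # account does not exist on this host nobody can — make sure it exists (and
  # has a key) before restarting sshd.
  sed -ri "/^PermitRootLogin no/c PermitRootLogin yes" /etc/ssh/sshd_config
  echo "AllowUsers lsy" >> /etc/ssh/sshd_config

  systemctl daemon-reload
  # The rpm -e loop above also erased the openssh base package; reinstall it.
  # NOTE(review): check `rpm -ql openssh` against what was copied from
  # $OPENSSH_PREFIX/bin so distro versions do not silently replace the 9.6p1 tools.
  yum -y install openssh
  systemctl start sshd ; systemctl enable sshd
  systemctl status sshd && yellow "安装完成"

  sleep 2
  red "当前版本:$(ssh -V 2>&1)"
  green "当前版本路径:$(which ssh)"
}

main "$@"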

执行编译命令后若报错,报错信息如下:

configure: error: *** working libcrypto not found, check config.log ***
或者
configure: error: *** OpenSSL headers missing - please install first or check config.log ***


报错原因

出现上述两种报错,是因为缺少openssl-devel包或者libcrypto相关库的位置不正确。

解决办法

    第一种解决办法 -- 最推荐的解决办法(最简单有效)
    yum安装openssl-devel包即可:
    yum install -y openssl-devel

新升级 openssh 后,sshd 服务启动卡住或失败

麒麟报错信息如下:
Apr 17 09:10:00 localhost systemd[1]: sshd-keygen@sm2.service: Main process exited, code=exited, status=1/FAILURE
Apr 17 09:10:00 localhost systemd[1]: sshd-keygen@sm2.service: Failed with result 'exit-code'.
Apr 17 09:10:00 localhost systemd[1]: Failed to start OpenSSH sm2 Server Key Generation.


CentOS系统报错如下:
failed to start openssh server daemon code=exited, status=0/success


这是 systemd 单元配置的问题:源码编译的 sshd 不会向 systemd 发送 Type=notify 所要求的就绪通知(发行版自带的 sshd 一般打了相应补丁),systemd 因此一直等待直至超时。
将 service 文件中的 Type=notify 改为 Type=forking(此时需去掉 ExecStart 中的 -D,否则 sshd 不会后台运行),或者直接删除 Type 参数,如下:

麒麟系统:
cat /usr/lib/systemd/system/sshd.service
[Unit]
Description=OpenSSH server daemon
Documentation=man:sshd(8) man:sshd_config(5)
After=network.target sshd-keygen.target
Wants=sshd-keygen.target

[Service]
#Type=notify  或更改为 Type=forking
EnvironmentFile=-/etc/crypto-policies/back-ends/opensshserver.config
EnvironmentFile=-/etc/sysconfig/sshd-permitrootlogin
EnvironmentFile=-/etc/sysconfig/sshd
ExecStart=/usr/sbin/sshd -D $OPTIONS $CRYPTO_POLICY $PERMITROOTLOGIN
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartSec=42s

[Install]
WantedBy=multi-user.target

CentOS7系统
cat /usr/lib/systemd/system/sshd.service
[Unit]
Description=OpenSSH server daemon
Documentation=man:sshd(8) man:sshd_config(5)
After=network.target sshd-keygen.service
Wants=sshd-keygen.service

[Service]
EnvironmentFile=/etc/sysconfig/sshd
ExecStart=/usr/local/openssh/sbin/sshd -D
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartSec=42s

[Install]
WantedBy=multi-user.target

麒麟系统升级openssl

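#!/bin/bash
# Kylin V10: build OpenSSL 1.1.1w into /usr/local/openssl and make it the
# `openssl` on PATH. Must run as root.
#
# Fixes relative to the original listing:
#   * `if [ $? -eq 0 ]` was evaluated after a `sleep`, so it always tested
#     sleep's status; the build status is now captured right after make.
#   * `ll` is an interactive alias that does not exist in a script; `ls -l` is used.
#   * the ESC byte of the colour escapes had lost its backslash (`33[32m`).

# NOTE: 1.1.1w is the final release of the 1.1.1 branch, which no longer
# receives public security fixes (EOL September 2023); plan a move to a
# supported branch.
readonly OPENSSL_VER=1.1.1w
readonly OPENSSL_PREFIX=/usr/local/openssl
readonly SRC_DIR=/opt
readonly JOBS=${JOBS:-4}

# Expected SHA-256 of the tarball from openssl.org/source. Left empty the check
# is skipped with a warning; fill it in so a tampered or truncated download
# aborts the run instead of being compiled into the host's TLS stack.
OPENSSL_SHA256=${OPENSSL_SHA256:-}   # <SHA256_OF_openssl-1.1.1w.tar.gz>

# Colour helpers; the original used `echo -e "\033[31m...\033[0m"`.
red()   { printf '\033[31m%s\033[0m\n' "$*"; }
green() { printf '\033[32m%s\033[0m\n' "$*"; }

die() { printf 'ERROR: %s\n' "$*" >&2; exit 1; }

#######################################
# Check a downloaded tarball against an expected SHA-256.
# Arguments: $1 - file, $2 - expected hex digest (empty -> warn and accept)
# Returns:   0 when verified or no digest configured; exits 1 on mismatch
#######################################
verify_sha256() {
  local file=$1 expected=$2
  if [ -z "$expected" ]; then
    printf 'WARNING: no checksum configured for %s; integrity not verified\n' "$file" >&2
    return 0
  fi
  printf '%s  %s\n' "$expected" "$file" | sha256sum -c --quiet - \
    || die "checksum mismatch for $file"
}

#######################################
# Download, build and install OpenSSL, then link it as /usr/bin/openssl.
# Globals:   OPENSSL_VER, OPENSSL_PREFIX, SRC_DIR, JOBS, OPENSSL_SHA256
# Outputs:   build output; version/path summary on stdout
# Returns:   exits 1 on download/build failure
#######################################
main() {
  local tarball="openssl-${OPENSSL_VER}.tar.gz"
  local status

  # Remove openssl*/openssh* source trees and tarballs left by earlier runs.
  rm -rf "${SRC_DIR:?}"/openss*
  cd "$SRC_DIR" || die "cannot cd to $SRC_DIR"
  echo "Install_openssl"
  sleep 3

  # TLS verification is left on (the original passed --no-check-certificate).
  # If the download fails because the host's CA bundle is stale, update
  # ca-certificates instead of disabling verification of the crypto library source.
  wget -O "$tarball" "https://www.openssl.org/source/${tarball}" \
    || die "download of $tarball failed"
  verify_sha256 "$tarball" "$OPENSSL_SHA256"

  tar -zxvf "$tarball" || die "extracting $tarball failed"
  cd "openssl-${OPENSSL_VER}/" || die "source tree missing"

  ./config --prefix="$OPENSSL_PREFIX"
  ./config -t   # prints the resolved configuration; does not change it
  make -j "$JOBS" && make install
  status=$?     # captured before anything else can overwrite $?
  sleep 2

  if [ "$status" -ne 0 ]; then
    red "openssl build/install failed (status $status)"
    sleep 2
    exit 1
  fi

  ldd "$OPENSSL_PREFIX/bin/openssl"
  # Register the private lib dir with the dynamic linker once; re-runs must not
  # keep appending the same line.
  grep -qxF "$OPENSSL_PREFIX/lib" /etc/ld.so.conf \
    || echo "$OPENSSL_PREFIX/lib" >> /etc/ld.so.conf
  ldconfig -v
  # /usr/bin/openssl is rpm-owned; expect a later update of the openssl rpm to
  # put the distro binary back here.
  mv /usr/bin/openssl /usr/bin/openssl.bak
  ln -s "$OPENSSL_PREFIX/bin/openssl" /usr/bin/openssl
  ls -l /usr/bin/openssl
  ldd "$OPENSSL_PREFIX/bin/openssl"

  sleep 1
  # If `openssl version` reports a different `Library:` version than the
  # binary, libssl/libcrypto are still resolved from /usr/lib64 — see the
  # symlink fix later in this guide.
  green "当前版本路径:$(which openssl)"
  red "当前版本:$(openssl version)"
}

main "$@"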

麒麟系统升级 openssl 完成之后,openssl version 输出中出现如下 Library 版本不一致的信息

[root@host-192-168-5-38 ~]# openssl version
OpenSSL 1.1.1w  11 Sep 2023 (Library: OpenSSL 1.1.1f  31 Mar 2020)

解决方法:需重新创建软链接,使其指向新安装的库文件

1 openssl: error while loading shared libraries: libssl.so.1.1: cannot open shared object file: No such file or directory
ln -s /usr/local/openssl/lib/libssl.so.1.1  /usr/lib64/libssl.so.1.1

2 openssl: error while loading shared libraries: libcrypto.so.1.1: cannot open shared object file: No such file or directory
ln -s /usr/local/openssl/lib/libcrypto.so.1.1  /usr/lib64/libcrypto.so.1.1


之后再次查看:
[root@host-192-168-5-173 openssl-1.1.1w]# openssl version
OpenSSL 1.1.1w  11 Sep 2023


场景:软链接已存在时(ln 提示“文件已存在”)
[root@host-192-168-5-38 ~]# ln -s /usr/local/openssl/lib/libssl.so.1.1 /usr/lib64/libssl.so.1.1
ln: 无法创建符号链接 '/usr/lib64/libssl.so.1.1': 文件已存在
[root@host-192-168-5-38 ~]# ln -s /usr/local/openssl/lib/libcrypto.so.1.1 /usr/lib64/libcrypto.so.1.1
ln: 无法创建符号链接 '/usr/lib64/libcrypto.so.1.1': 文件已存在


[root@host-192-168-5-38 ~]# ll  /usr/local/openssl/lib/libssl.so.1.1  /usr/lib64/libssl.so.1.1
-rwxr-xr-x 1 root root 697416  5月  7 09:01 /usr/local/openssl/lib/libssl.so.1.1
lrwxrwxrwx 1 root root 16  3月  1 10:06 /usr/lib64/libssl.so.1.1 -> libssl.so.1.1.1f
[root@host-192-168-5-38 ~]# mv  /usr/lib64/libssl.so.1.1 /usr/lib64/libssl.so.1.1.bak
[root@host-192-168-5-38 ~]# ln -s /usr/local/openssl/lib/libssl.so.1.1 /usr/lib64/libssl.so.1.1
[root@host-192-168-5-38 ~]# ll /usr/local/openssl/lib/libssl.so.1.1 /usr/lib64/libssl.so.1.1
lrwxrwxrwx 1 root root     36  5月  7 15:36 /usr/lib64/libssl.so.1.1 -> /usr/local/openssl/lib/libssl.so.1.1
-rwxr-xr-x 1 root root 697416  5月  7 09:01 /usr/local/openssl/lib/libssl.so.1.1
[root@host-192-168-5-38 ~]# 
[root@host-192-168-5-38 ~]# ll /usr/local/openssl/lib/libcrypto.so.1.1  /usr/lib64/libcrypto.so.1.1
lrwxrwxrwx 1 root root      19  3月  1 10:06 /usr/lib64/libcrypto.so.1.1 -> libcrypto.so.1.1.1f
-rwxr-xr-x 1 root root 3400232  5月  7 09:01 /usr/local/openssl/lib/libcrypto.so.1.1
[root@host-192-168-5-38 ~]# mv /usr/lib64/libcrypto.so.1.1 /usr/lib64/libcrypto.so.1.1.bak
[root@host-192-168-5-38 ~]# ln -s /usr/local/openssl/lib/libcrypto.so.1.1 /usr/lib64/libcrypto.so.1.1
[root@host-192-168-5-38 ~]#  
[root@host-192-168-5-38 ~]# openssl version
OpenSSL 1.1.1w  11 Sep 2023
