
Upgrading the OpenSSH service to openssh-9.3 on Linux

1. Preparation (this upgrade was done in a virtual-machine test environment)

Note: on a production system, take a backup first!!!

Start with a virtual machine. I am using a CentOS 7 system; the current OpenSSH version is shown below:

[root@docker-client ~]# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
[root@docker-client ~]#

2. Install the dependency packages and tools CentOS needs

[root@docker-client ~]# yum -y install wget gcc openssl-devel pam-devel rpm-build zlib-devel 

3. Download the OpenSSL source package from the official site: [ 1.1.1 ] - /source/old/1.1.1/index.html (openssl.org)

You can download it and upload it to the server, or fetch it directly with wget:

[root@docker-client ~]#  wget https://www.openssl.org/source/old/1.1.1/openssl-1.1.1t.tar.gz
[root@docker-client ~]# ls -l
total 490008
-rw-r--r-- 1 root root 491879424 Apr  2 11:01 centos7.tar
-rw-r--r-- 1 root root   9881866 Dec  4 22:38 openssl-1.1.1t.tar.gz
-rw-r--r-- 1 root root        56 Mar 29 15:41 test.txt
[root@docker-client ~]#

4. Build and install OpenSSL

4.1 Extract the archive and move it to /usr/local/


[root@docker-client ~]# tar xf openssl-1.1.1t.tar.gz 
[root@docker-client ~]# mv openssl-1.1.1t /usr/local/
[root@docker-client local]# ls
bin  etc  games  include  lib  lib64  libexec  nginx   openssl  openssl-1.1.1t  sbin  share  src
[root@docker-client local]# cd openssl-1.1.1t/
[root@docker-client openssl-1.1.1t]# ls
ACKNOWLEDGEMENTS  config          crypto    FAQ            libcrypto.pc      libssl.so      NOTES.ANDROID  openssl.pc     ssl
apps              config.com      demos     fuzz           libcrypto.so      libssl.so.1.1  NOTES.DJGPP    os-dep         test
appveyor.yml      configdata.pm   doc       include        libcrypto.so.1.1  LICENSE        NOTES.PERL     pod2htmd.tmp   tools
AUTHORS           Configurations  engines   INSTALL        libssl.a          Makefile       NOTES.UNIX     README         util
build.info        Configure       e_os.h    libcrypto.a    libssl.map        ms             NOTES.VMS      README.ENGINE  VMS
CHANGES           CONTRIBUTING    external  libcrypto.map  libssl.pc         NEWS           NOTES.WIN      README.FIPS    wycheproof

4.2 Build and install OpenSSL

  1. ./config shared --prefix=/usr/local/openssl

    • ./config: runs the OpenSSL configuration script. The script inspects the system environment and the requested options and generates a suitable Makefile for the build that follows.
    • shared: tells the configuration script to build a shared library (dynamic link library), so the OpenSSL library can be shared between different programs.
    • --prefix=/usr/local/openssl: sets the installation directory, i.e. OpenSSL is installed under /usr/local/openssl. The --prefix option is the usual way to choose where a program is installed; without it the software would go under /usr/local.
  2. make -j 4

    • make: a tool for automatically building executables and libraries, normally driven by a Makefile. It compiles the source code according to the rules in the Makefile and produces the final executables or library files.
    • -j 4: tells make to run 4 parallel jobs to speed up the build, so several files are processed at the same time. The number of jobs can be adjusted to the number of CPU cores and the available memory.
  3. make install

    • make install: installs the compiled OpenSSL libraries, headers and documentation into the directory chosen in the previous step with --prefix. In general this command copies the built files to a standard location so that other programs can use the OpenSSL library.
[root@docker-client openssl-1.1.1t]# ./config shared --prefix=/usr/local/openssl

[root@docker-client openssl-1.1.1t]# make -j 4

[root@docker-client openssl-1.1.1t]# make install

4.3 Create the OpenSSL symlinks

# Append the /usr/local/openssl/lib/ path to /etc/ld.so.conf
[root@docker-client openssl-1.1.1t]# echo "/usr/local/openssl/lib/" >> /etc/ld.so.conf
[root@docker-client openssl-1.1.1t]# cat /etc/ld.so.conf
include ld.so.conf.d/*.conf
/usr/local/openssl/lib/

[root@docker-client openssl-1.1.1t]# cat /etc/ld.so.c
ld.so.cache   ld.so.conf    ld.so.conf.d/

# Reload the dynamic linker configuration
[root@docker-client openssl-1.1.1t]# ld
ld        ldattach  ld.bfd    ldconfig  ldd       ld.gold
[root@docker-client openssl-1.1.1t]# ldconfig    

# Back up the previous openssl binary
[root@docker-client openssl-1.1.1t]# mv /usr/bin/openssl /usr/bin/openssl.old

# Create the openssl symlinks
[root@docker-client openssl-1.1.1t]# ln -sv /usr/local/openssl/bin/openssl /usr/bin/openssl
‘/usr/bin/openssl’ -> ‘/usr/local/openssl/bin/openssl’

[root@docker-client openssl-1.1.1t]# ln -s /usr/local/openssl/lib/libssl.so.1.1 /usr/lib64/libssl.so.1.1

[root@docker-client openssl-1.1.1t]# ln -s /usr/local/openssl/lib/libcrypto.so.1.1 /usr/lib64/libcrypto.so.1.1

4.4 Check the OpenSSL version

[root@docker-client openssl-1.1.1t]# openssl version -a
OpenSSL 1.1.1t  7 Feb 2023
built on: Mon Apr 15 07:45:31 2024 UTC
platform: linux-x86_64
options:  bn(64,64) rc4(16x,int) des(int) idea(int) blowfish(ptr)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DNDEBUG
OPENSSLDIR: "/usr/local/openssl/ssl"
ENGINESDIR: "/usr/local/openssl/lib/engines-1.1"
Seeding source: os-specific
[root@docker-client openssl-1.1.1t]#

5. Remove the previous OpenSSH version

Check the installed OpenSSH packages and back up the old OpenSSH files

[root@docker-client openssl-1.1.1t]# rpm -qa |grep openssh
openssh-clients-7.4p1-22.el7_9.x86_64
openssh-7.4p1-22.el7_9.x86_64
openssh-server-7.4p1-22.el7_9.x86_64
[root@docker-client openssl-1.1.1t]#


# Back up
[root@docker-client openssl-1.1.1t]# mv /etc/ssh/ /etc/ssh.bak
[root@docker-client openssl-1.1.1t]#
[root@docker-client openssl-1.1.1t]# mv /usr/bin/ssh /usr/bin/ssh.bak
[root@docker-client openssl-1.1.1t]#
[root@docker-client openssl-1.1.1t]# mv /usr/sbin/sshd /usr/sbin/sshd.bak
[root@docker-client openssl-1.1.1t]#

# If this is the first time OpenSSH is upgraded, backing up /etc/init.d/sshd reports that the file or directory does not exist, as below; this can be ignored
[root@docker-client openssl-1.1.1t]#  mv /etc/init.d/sshd /etc/init.d/sshd.bak
mv: cannot stat ‘/etc/init.d/sshd’: No such file or directory

# Remove the currently installed OpenSSH packages
[root@docker-client openssl-1.1.1t]# rpm -e --nodeps $(rpm -qa |grep openssh)
warning: file /usr/sbin/sshd: remove failed: No such file or directory
warning: file /etc/ssh/sshd_config: remove failed: No such file or directory
warning: file /usr/bin/ssh: remove failed: No such file or directory
warning: file /etc/ssh/ssh_config: remove failed: No such file or directory
warning: file /etc/ssh/moduli: remove failed: No such file or directory
warning: file /etc/ssh: remove failed: No such file or directory

# After removal, check again that nothing is left behind
[root@docker-client openssl-1.1.1t]# rpm -qa | grep openssh
[root@docker-client openssl-1.1.1t]# 

6. Download the OpenSSH package

Download from the official site: Index of /pub/OpenBSD/OpenSSH/portable/

You can download it and upload it to the server, or fetch it directly with wget:

[root@docker-client ~]# wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.3p2.tar.gz
--2024-04-15 16:02:55--  https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.3p2.tar.gz
Resolving cdn.openbsd.org (cdn.openbsd.org)... 151.101.111.52, 2a04:4e42:8c::820
Connecting to cdn.openbsd.org (cdn.openbsd.org)|151.101.111.52|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1835850 (1.8M) [application/octet-stream]
Saving to: ‘openssh-9.3p2.tar.gz’

100%[==============================================================================================>] 1,835,850    106KB/s   in 26s

2024-04-15 16:03:24 (67.8 KB/s) - ‘openssh-9.3p2.tar.gz’ saved [1835850/1835850]

[root@docker-client ~]#

7. Build and install OpenSSH

7.1 Extract the archive and move it to /usr/local/

[root@docker-client ~]# mv openssh-9.3p2.tar.gz /usr/local/
[root@docker-client ~]#
[root@docker-client ~]# cd /usr/local/
[root@docker-client local]# tar xf openssh-9.3p2.tar.gz
[root@docker-client local]# ls
bin  etc  games  include  lib  lib64  libexec  nginx  openssh-9.3p2  openssh-9.3p2.tar.gz  openssl  openssl-1.1.1t  sbin  share  src
[root@docker-client local]# 

7.2 Build and install OpenSSH

[root@docker-client local]# cd openssh-9.3p2
[root@docker-client openssh-9.3p2]# CCFLAGS="-I/usr/local/include" \
> LDFLAGS="-L/usr/local/lib64" \
> ./configure \
> --sysconfdir=/etc/ssh \
> --with-zlib \
> --with-ssl-dir=/usr/local/openssl


[root@docker-client openssh-9.3p2]# make -j 4

[root@docker-client openssh-9.3p2]# make install
(cd openbsd-compat && make)
make[1]: Entering directory `/usr/local/openssh-9.3p2/openbsd-compat'
make[1]: Nothing to be done for `all'.
make[1]: Leaving directory `/usr/local/openssh-9.3p2/openbsd-compat'
/usr/bin/mkdir -p /usr/local/bin
/usr/bin/mkdir -p /usr/local/sbin
/usr/bin/mkdir -p /usr/local/share/man/man1
/usr/bin/mkdir -p /usr/local/share/man/man5
/usr/bin/mkdir -p /usr/local/share/man/man8
/usr/bin/mkdir -p /usr/local/libexec
/usr/bin/mkdir -p -m 0755 /var/empty
/usr/bin/install -c -m 0755 -s ssh /usr/local/bin/ssh
/usr/bin/install -c -m 0755 -s scp /usr/local/bin/scp
/usr/bin/install -c -m 0755 -s ssh-add /usr/local/bin/ssh-add
/usr/bin/install -c -m 0755 -s ssh-agent /usr/local/bin/ssh-agent
/usr/bin/install -c -m 0755 -s ssh-keygen /usr/local/bin/ssh-keygen
/usr/bin/install -c -m 0755 -s ssh-keyscan /usr/local/bin/ssh-keyscan
/usr/bin/install -c -m 0755 -s sshd /usr/local/sbin/sshd
/usr/bin/install -c -m 4711 -s ssh-keysign /usr/local/libexec/ssh-keysign
/usr/bin/install -c -m 0755 -s ssh-pkcs11-helper /usr/local/libexec/ssh-pkcs11-helper
/usr/bin/install -c -m 0755 -s ssh-sk-helper /usr/local/libexec/ssh-sk-helper
/usr/bin/install -c -m 0755 -s sftp /usr/local/bin/sftp
/usr/bin/install -c -m 0755 -s sftp-server /usr/local/libexec/sftp-server
/usr/bin/install -c -m 644 ssh.1.out /usr/local/share/man/man1/ssh.1
/usr/bin/install -c -m 644 scp.1.out /usr/local/share/man/man1/scp.1
/usr/bin/install -c -m 644 ssh-add.1.out /usr/local/share/man/man1/ssh-add.1
/usr/bin/install -c -m 644 ssh-agent.1.out /usr/local/share/man/man1/ssh-agent.1
/usr/bin/install -c -m 644 ssh-keygen.1.out /usr/local/share/man/man1/ssh-keygen.1
/usr/bin/install -c -m 644 ssh-keyscan.1.out /usr/local/share/man/man1/ssh-keyscan.1
/usr/bin/install -c -m 644 moduli.5.out /usr/local/share/man/man5/moduli.5
/usr/bin/install -c -m 644 sshd_config.5.out /usr/local/share/man/man5/sshd_config.5
/usr/bin/install -c -m 644 ssh_config.5.out /usr/local/share/man/man5/ssh_config.5
/usr/bin/install -c -m 644 sshd.8.out /usr/local/share/man/man8/sshd.8
/usr/bin/install -c -m 644 sftp.1.out /usr/local/share/man/man1/sftp.1
/usr/bin/install -c -m 644 sftp-server.8.out /usr/local/share/man/man8/sftp-server.8
/usr/bin/install -c -m 644 ssh-keysign.8.out /usr/local/share/man/man8/ssh-keysign.8
/usr/bin/install -c -m 644 ssh-pkcs11-helper.8.out /usr/local/share/man/man8/ssh-pkcs11-helper.8
/usr/bin/install -c -m 644 ssh-sk-helper.8.out /usr/local/share/man/man8/ssh-sk-helper.8
/usr/bin/mkdir -p /etc/ssh
ssh-keygen: generating new host keys: RSA ECDSA ED25519
/usr/local/sbin/sshd -t -f /etc/ssh/sshd_config
[root@docker-client openssh-9.3p2]#

Explanation of the build command:

  1. CCFLAGS="-I/usr/local/include": sets compiler flags; the -I option adds a search path for header files, so -I/usr/local/include tells the compiler to look in /usr/local/include when resolving includes. (Note that an autoconf-generated configure script reads the CFLAGS variable, not CCFLAGS; in this build the OpenSSL headers are located through --with-ssl-dir, which is why the configure run succeeds regardless.)

  2. LDFLAGS="-L/usr/local/lib64": sets linker flags; the -L option adds a search path for libraries, so -L/usr/local/lib64 tells the linker to look in /usr/local/lib64 when resolving libraries.

  3. ./configure: runs the OpenSSH configuration script. It generates the Makefile used for the subsequent build and installation, based on the system environment and the options given.

  4. --sysconfdir=/etc/ssh: sets the directory where the configuration files are installed; here the OpenSSH configuration files go under /etc/ssh.

  5. --with-zlib: enables zlib support, so OpenSSH can use zlib for compression and decompression.

  6. --with-ssl-dir=/usr/local/openssl: sets the installation path of the OpenSSL library; here /usr/local/openssl is the OpenSSL installation directory built above, and OpenSSH will use the OpenSSL library from that directory for its cryptographic operations.

8. Set permissions to 600

[root@docker-client openssh-9.3p2]# chmod 600 /etc/ssh/*
[root@docker-client openssh-9.3p2]#
[root@docker-client openssh-9.3p2]# ls -l /etc/ssh/*
-rw------- 1 root root 573991 Apr 15 16:10 /etc/ssh/moduli
-rw------- 1 root root   1531 Apr 15 16:10 /etc/ssh/ssh_config
-rw------- 1 root root   3137 Apr 15 16:10 /etc/ssh/sshd_config
-rw------- 1 root root    513 Apr 15 16:10 /etc/ssh/ssh_host_ecdsa_key
-rw------- 1 root root    180 Apr 15 16:10 /etc/ssh/ssh_host_ecdsa_key.pub
-rw------- 1 root root    411 Apr 15 16:10 /etc/ssh/ssh_host_ed25519_key
-rw------- 1 root root    100 Apr 15 16:10 /etc/ssh/ssh_host_ed25519_key.pub
-rw------- 1 root root   2610 Apr 15 16:10 /etc/ssh/ssh_host_rsa_key
-rw------- 1 root root    572 Apr 15 16:10 /etc/ssh/ssh_host_rsa_key.pub
[root@docker-client openssh-9.3p2]#

9. Copy the binaries and scripts into place with cp

[root@docker-client openssh-9.3p2]# cp -rf /usr/local/sbin/sshd /usr/sbin/sshd
[root@docker-client openssh-9.3p2]# cp -rf /usr/local/bin/ssh /usr/bin/ssh
[root@docker-client openssh-9.3p2]# cp -rf /usr/local/bin/ssh-keygen /usr/bin/ssh-keygen
[root@docker-client openssh-9.3p2]# cp -ar /usr/local/openssh-9.3p2/contrib/redhat/sshd.init /etc/init.d/sshd
[root@docker-client openssh-9.3p2]# cp -ar /usr/local/openssh-9.3p2/contrib/redhat/sshd.pam /etc/pam.d/sshd.pam
[root@docker-client openssh-9.3p2]#

10. Edit the /etc/ssh/sshd_config configuration file to allow root login and enable access on port 22

[root@docker-client openssh-9.3p2]# vim /etc/ssh/sshd_config

Append the following lines at the end of the file. Note that this KexAlgorithms list re-enables SHA-1-based and 1024-bit group1 key exchange methods that OpenSSH 9.3 no longer offers by default, so keep them only if legacy clients still require them; diffie-hellman-group1-sha1 is also listed twice.
PermitRootLogin yes
X11Forwarding yes
PasswordAuthentication yes
KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1,curve25519-sha256@libssh.org

[root@docker-client openssh-9.3p2]# sed -i "s/^#Port/Port/g" /etc/ssh/sshd_config

11. Make the sshd init script executable and restart the sshd service

If you are doing this over SSH, keep the current session open and confirm that a new login works from a second session before closing it, since a broken sshd would otherwise lock you out.

[root@docker-client openssh-9.3p2]# chmod 755 /etc/init.d/sshd
[root@docker-client openssh-9.3p2]#
[root@docker-client openssh-9.3p2]#
[root@docker-client openssh-9.3p2]# systemctl enable sshd
sshd.service is not a native service, redirecting to /sbin/chkconfig.
Executing /sbin/chkconfig sshd on
[root@docker-client openssh-9.3p2]# systemctl restart sshd
[root@docker-client openssh-9.3p2]# systemctl status sshd
● sshd.service - SYSV: OpenSSH server daemon
   Loaded: loaded (/etc/rc.d/init.d/sshd; bad; vendor preset: enabled)
   Active: active (running) since Mon 2024-04-15 16:14:26 CST; 9s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 36517 ExecStart=/etc/rc.d/init.d/sshd start (code=exited, status=0/SUCCESS)
 Main PID: 36525 (sshd)
    Tasks: 1
   Memory: 548.0K
   CGroup: /system.slice/sshd.service
           └─36525 sshd: /usr/sbin/sshd [listener] 0 of 10-100 startups

Apr 15 16:14:26 docker-client systemd[1]: Starting SYSV: OpenSSH server daemon...
Apr 15 16:14:26 docker-client systemd[1]: Can't open PID file /var/run/sshd.pid (yet?) after start: No such file or directory
Apr 15 16:14:26 docker-client sshd[36517]: Starting sshd:[  OK  ]
Apr 15 16:14:26 docker-client sshd[36525]: Server listening on 0.0.0.0 port 22.
Apr 15 16:14:26 docker-client sshd[36525]: Server listening on :: port 22.
Apr 15 16:14:26 docker-client systemd[1]: Started SYSV: OpenSSH server daemon.
[root@docker-client openssh-9.3p2]#

12. Check that the OpenSSH version upgrade completed

[root@docker-client openssh-9.3p2]# ssh -V
OpenSSH_9.3p2, OpenSSL 1.1.1t  7 Feb 2023
[root@docker-client openssh-9.3p2]#
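As an added post-upgrade check (example code, not part of the original post), the following bash script verifies the three things this procedure leaves behind: the version reported by ssh -V (step 12), the 600 modes on the files under /etc/ssh (step 8) and the legacy entries in the KexAlgorithms line (step 10). It assumes bash and a POSIX find; the sample inputs are constructed so it runs without touching a real host.

```shell
#!/bin/bash
# Added example: post-upgrade checks for the procedure above (not from the original post).
# Assumes bash and POSIX find; the sample inputs below are constructed.

# Step 12: does "ssh -V" report the expected release?  $1 = expected, $2 = "ssh -V" text.
# ssh -V prints to stderr, so on a real host capture it with: v=$(ssh -V 2>&1)
ssh_version_ok() {
    case "$2" in
        "OpenSSH_$1,"*|"OpenSSH_$1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Step 8: list files directly under $1 whose mode is not exactly 0600
# (host keys, sshd_config, ssh_config and moduli were all set to 600 above).
insecure_modes() {
    find "$1" -maxdepth 1 -type f ! -perm 600
}

# Step 10: entries in a KexAlgorithms list that rely on SHA-1 or the 1024-bit group1,
# i.e. methods OpenSSH 9.3 no longer offers by default.  $1 = comma-separated list.
weak_kex() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -E -- '(group1-|-sha1$)' | sort -u
}

# Duplicate entries in the list (the config line above names diffie-hellman-group1-sha1 twice).
dup_kex() {
    printf '%s\n' "$1" | tr ',' '\n' | sort | uniq -d
}

# Constructed sample data.
SAMPLE_V='OpenSSH_9.3p2, OpenSSL 1.1.1t  7 Feb 2023'
SAMPLE_KEX='diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,ecdh-sha2-nistp256,diffie-hellman-group1-sha1,curve25519-sha256@libssh.org'

demo() {
    local d
    d=$(mktemp -d)
    touch "$d/sshd_config" "$d/ssh_host_rsa_key"
    chmod 644 "$d/sshd_config"; chmod 600 "$d/ssh_host_rsa_key"
    ssh_version_ok 9.3p2 "$SAMPLE_V" && echo "version OK"
    echo "files not 0600:"; insecure_modes "$d"
    echo "weak kex:";       weak_kex "$SAMPLE_KEX"
    echo "duplicate kex:";  dup_kex "$SAMPLE_KEX"
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Run it with the argument demo to see the constructed case, or call the functions against /etc/ssh, the output of ssh -V 2>&1 and the KexAlgorithms value from sshd -T on the upgraded host.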

That is the whole process of upgrading OpenSSH 7.4p1 to OpenSSH 9.3p2; I hope it helps you!
