如果只需升级OpenSSH的话可以看我的另一篇文章CentOS/RHEL 7.6升级OpenSSH(不升级OpenSSL)
这里升级OpenSSL的直接目的是处理扫描器报出的SSL/TLS协议信息泄露漏洞(CVE-2016-2183, 即SWEET32)。需要先说清楚一点: 本文的做法只是把OpenSSL 1.1.1k装到/usr/local/openssl并替换openssl命令行工具, 系统的openssl-libs(1.0.2k)原样保留, 所以其他链接到libssl.so.10/libcrypto.so.10的服务(例如使用系统库的httpd、nginx等)并不会因此用上新版库。CVE-2016-2183本质上是服务端仍启用3DES这类64位分组密码套件, 真正的修复是在对应服务的配置里禁用这些密码套件, 或者像下面对OpenSSH做的那样, 把该服务重新编译到新版OpenSSL上。
本文构建完成的所有RPM包:
OpenSSL 1.1.1k和OpenSSH 8.5p1

安装依赖

# Build-time dependencies for both RPM builds below. openssl-devel/openssl-libs here are the
# distro 1.0.2 packages; openssl-devel is removed again before the new OpenSSL RPM is installed.
yum install -y \
    wget rpm-build gcc perl-devel \
    zlib-devel openssl-devel openssl-libs pam-devel \
    unzip libXt-devel imake gtk2-devel

脚本构建OpenSSL 1.1.1k RPM包

在写本文时最新的版本是OpenSSL 1.1.1k,如果各位读者在看本文时有更新的版本可以直接将下面脚本中的1.1.1k替换为新的版本号

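#!/bin/bash
# Build OpenSSL (default 1.1.1k, or the version passed as $1) into openssl / openssl-devel
# RPMs for CentOS 7.  Run as root: rpmbuild's %_topdir is assumed to be /root/rpmbuild.
#
# Usage:  bash build-openssl-rpm.sh [version]
set -euo pipefail
set -v

ver=${1:-1.1.1k}
workdir=~/openssl
topdir=/root/rpmbuild
tarball="openssl-${ver}.tar.gz"
base_url="https://www.openssl.org/source"

# -p so the script can be re-run; the original `mkdir && cd` aborted on an existing directory.
mkdir -p "${workdir}"
cd "${workdir}"
yum -y install \
    curl \
    which \
    make \
    gcc \
    perl \
    perl-WWW-Curl \
    rpm-build

# The distro openssl package is deliberately NOT removed here: rpmbuild does not need that,
# and removing the system `openssl` binary before its replacement even exists only leaves the
# host without a working tool for longer. Remove it at install time (see the upgrade steps).

# Fetch the tarball and its published SHA-256. -f makes curl fail on an HTTP error instead of
# silently saving the error page under the tarball's name.
curl -fsSLO "${base_url}/${tarball}"
curl -fsSLO "${base_url}/${tarball}.sha256"

# Integrity check. The .sha256 file comes from the same origin as the tarball, so this only
# catches corruption or a truncated download; for authenticity also fetch ${tarball}.asc and
# run `gpg --verify` against the OpenSSL release-signing key obtained out of band.
expected=$(awk '{print $1; exit}' "${tarball}.sha256")
actual=$(sha256sum "${tarball}" | awk '{print $1}')
if [[ -z "${expected}" || "${expected}" != "${actual}" ]]; then
    printf 'SHA-256 mismatch for %s\n  expected: %s\n  actual:   %s\n' \
        "${tarball}" "${expected}" "${actual}" >&2
    exit 1
fi

# SPEC file (quoted heredoc: nothing inside is expanded by the shell)
cat << 'EOF' > ~/openssl/openssl.spec
Name: openssl
Version: %{?version}%{!?version:1.1.1k}
Release: 1%{?dist}
Summary: OpenSSL %{version} for CentOS
# Kept from the upstream builder spec; presumably a no-op, since rpm -U replaces a same-name
# package anyway.
Obsoletes: %{name} <= %{version}
Provides: %{name} = %{version}
URL: https://www.openssl.org/
# OpenSSL 1.1.x is distributed under the dual OpenSSL/SSLeay license, not the GPL.
License: OpenSSL
Source: https://www.openssl.org/source/%{name}-%{version}.tar.gz
BuildRequires: make gcc perl perl-WWW-Curl
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
# Install prefix; change if needed (the OpenSSH build passes the same path as --with-ssl-dir)
%global openssldir /usr/local/openssl
%description
https://github.com/philyuchkoff/openssl-RPM-Builder
OpenSSL RPM for version %{version} on CentOS
%package devel
Summary: Development files for programs which will use the openssl library
Group: Development/Libraries
Requires: %{name} = %{version}-%{release}
%description devel
OpenSSL RPM for version %{version} on CentOS (development package)
%prep
%setup -q
%build
./config --prefix=%{openssldir} --openssldir=%{openssldir}
make
%install
[ "%{buildroot}" != "/" ] && %{__rm} -rf %{buildroot}
%make_install
mkdir -p %{buildroot}%{_bindir}
mkdir -p %{buildroot}%{_libdir}
# Symlinks so the new tool and libraries are found on the default PATH / library path
ln -sf %{openssldir}/lib/libssl.so.1.1 %{buildroot}%{_libdir}
ln -sf %{openssldir}/lib/libcrypto.so.1.1 %{buildroot}%{_libdir}
ln -sf %{openssldir}/bin/openssl %{buildroot}%{_bindir}
%clean
[ "%{buildroot}" != "/" ] && %{__rm} -rf %{buildroot}
%files
%defattr(-,root,root)
%{openssldir}
# The headers belong to the -devel subpackage; without this exclude they would be packaged
# in both (the original listed the whole prefix here and include/* in devel).
%exclude %{openssldir}/include
%{_bindir}/openssl
%{_libdir}/libcrypto.so.1.1
%{_libdir}/libssl.so.1.1
%files devel
%defattr(-,root,root)
%{openssldir}/include
%post -p /sbin/ldconfig
%postun -p /sbin/ldconfig
EOF

mkdir -p "${topdir}"/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
cp "${workdir}/openssl.spec" "${topdir}/SPECS/openssl.spec"
mv "${tarball}" "${topdir}/SOURCES/"
cd "${topdir}/SPECS"
rpmbuild \
    -D "version ${ver}" \
    -ba openssl.spec

# Install on the target host:  rpm -ivh /root/rpmbuild/RPMS/x86_64/openssl-<ver>-1.el7.x86_64.rpm
#   --nodeps disables rpm's dependency checking; it should not be needed once the distro
#   openssl package has been removed. If rpm complains, find out why instead of forcing.
# Verify install:  rpm -qa openssl
#                  openssl version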

构建完成后界面打印以下内容:

检查未打包文件:/usr/lib/rpm/check-files /root/rpmbuild/BUILDROOT/openssl-1.1.1k-1.el7.x86_64
写道:/root/rpmbuild/SRPMS/openssl-1.1.1k-1.el7.src.rpm
写道:/root/rpmbuild/RPMS/x86_64/openssl-1.1.1k-1.el7.x86_64.rpm
写道:/root/rpmbuild/RPMS/x86_64/openssl-devel-1.1.1k-1.el7.x86_64.rpm
写道:/root/rpmbuild/RPMS/x86_64/openssl-debuginfo-1.1.1k-1.el7.x86_64.rpm
执行(%clean): /bin/sh -e /var/tmp/rpm-tmp.CdyqOD
+ umask 022
+ cd /root/rpmbuild/BUILD
+ cd openssl-1.1.1k
+ '[' /root/rpmbuild/BUILDROOT/openssl-1.1.1k-1.el7.x86_64 '!=' / ']'
+ /usr/bin/rm -rf /root/rpmbuild/BUILDROOT/openssl-1.1.1k-1.el7.x86_64
+ exit 0


# 安装(在目标机器上):  rpm -ivh /root/rpmbuild/RPMS/x86_64/openssl-1.1.1k-1.el7.x86_64.rpm
#   --nodeps 会跳过rpm的依赖检查; 按下面的步骤先卸载旧的openssl包之后一般不再需要它, 如果rpm报依赖错误应先弄清原因而不是强制安装
# 验证:  rpm -qa openssl ; openssl version

升级OpenSSL

1.卸载旧版
注意openssl-libs不能卸载: yum(python的ssl模块)、现有的sshd等大量系统组件链接的是它提供的libssl.so.10/libcrypto.so.10, 卸载后系统会立刻出问题。新版OpenSSL以/usr/local/openssl为前缀并行安装, 只在/usr/lib64下增加libssl.so.1.1/libcrypto.so.1.1两个符号链接, 与1.0.2k的库互不冲突。

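# Remove only the distro openssl and openssl-devel packages; keep openssl-libs, which the rest
# of the system (the existing sshd, yum's python, ...) still links against.
# `rpm -qa | grep openssl | grep -v libs` was a substring match: it would also remove any other
# package with "openssl" in its name (e.g. compat packages such as openssl098e, if installed).
mapfile -t old_openssl < <(rpm -qa openssl openssl-devel)
if ((${#old_openssl[@]})); then
    # --nodeps kept from the original flow; rpm -e with no packages would otherwise error out
    rpm -e --nodeps "${old_openssl[@]}"
fi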

2.安装新版

# 1. Pick the packages to install: runtime + -devel only (debuginfo is not needed on the host)
cd /root/rpmbuild/RPMS/x86_64/
cp openssl-{,devel-}1.1.1k-1.el7.x86_64.rpm ~/openssl
cd ~/openssl
# 2. Install (next command)
[root@localhost openssl]# rpm -Uvh *.rpm --nodeps
准备中...                          ################################# [100%]
正在升级/安装...
   1:openssl-1.1.1k-1.el7             ################################# [ 50%]
   2:openssl-devel-1.1.1k-1.el7       ################################# [100%]
[root@localhost openssl]# openssl version
OpenSSL 1.1.1k  25 Mar 2021

3.安装完成

根据已经升级的OpenSSL制作OpenSSH包

创建所需目录

上面OpenSSL的脚本已经把目录建好了,如果没有的话:

# rpmbuild tree (already created by the OpenSSL script above; harmless to repeat)
topdir=/root/rpmbuild
mkdir -p "${topdir}"/{SOURCES,SPECS}
cd "${topdir}/SOURCES"

下载源码包

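ver=8.5p1
base=https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable

# Fetch over HTTPS and verify the detached PGP signature. The original pulled the tarball over
# plain HTTP and never checked it. The release key is published next to the tarballs
# (RELEASE_KEY.asc); compare its fingerprint with the one on openssh.com before trusting it.
wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/RELEASE_KEY.asc
gpg --import RELEASE_KEY.asc
wget "${base}/openssh-${ver}.tar.gz" "${base}/openssh-${ver}.tar.gz.asc"
gpg --verify "openssh-${ver}.tar.gz.asc" "openssh-${ver}.tar.gz"   # stop here unless it reports "Good signature"

# x11-ssh-askpass: the Fedora lookaside URL appears to embed the file's MD5, so at least use it
# to catch a corrupted or swapped download (MD5 is not a substitute for a signature).
askpass_md5=8f2e41f3f7eaa8543a2440454637f3c3
wget "https://src.fedoraproject.org/repo/pkgs/openssh/x11-ssh-askpass-1.2.4.1.tar.gz/${askpass_md5}/x11-ssh-askpass-1.2.4.1.tar.gz"
printf '%s  x11-ssh-askpass-1.2.4.1.tar.gz\n' "${askpass_md5}" | md5sum -c -

tar -xvzf "openssh-${ver}.tar.gz"
tar -xvzf x11-ssh-askpass-1.2.4.1.tar.gz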

修改配置文件

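cp openssh-8.5p1/contrib/redhat/openssh.spec /root/rpmbuild/SPECS/
cd /root/rpmbuild/SPECS/

# Skip the askpass subpackages and comment out the "openssl-devel < 1.1" build requirement so
# the spec accepts the 1.1.1k headers under /usr/local/openssl.
sed -i \
    -e 's/%define no_x11_askpass 0/%define no_x11_askpass 1/g' \
    -e 's/%define no_gnome_askpass 0/%define no_gnome_askpass 1/g' \
    -e 's/BuildRequires: openssl-devel < 1.1/#&/' \
    openssh.spec

# sed does nothing, silently, if the spec text differs from what the patterns expect
# (e.g. a different OpenSSH release), so confirm each edit actually landed.
grep -q '%define no_x11_askpass 1' openssh.spec        || echo 'no_x11_askpass not changed' >&2
grep -q '%define no_gnome_askpass 1' openssh.spec      || echo 'no_gnome_askpass not changed' >&2
grep -q '#BuildRequires: openssl-devel < 1.1' openssh.spec || echo 'openssl-devel BuildRequires not commented' >&2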

vim openssh.spec
找到 %configure \ 的配置, 加一行 --with-ssl-dir, 目录就是上面OpenSSL的安装目录(/usr/local/openssl)。这样构建出的sshd/ssh会链接到/usr/local/openssl/lib下的libssl.so.1.1和libcrypto.so.1.1, 运行时靠前面openssl包在/usr/lib64建立的符号链接以及其%post里的ldconfig找到它们; rpm也应当会自动为openssh包生成对libssl.so.1.1()(64bit)的依赖, 所以目标机器上必须先装好该openssl包再装OpenSSH包。
%configure \
        --sysconfdir=%{_sysconfdir}/ssh \
        --libexecdir=%{_libexecdir}/openssh \
        --datadir=%{_datadir}/openssh \
        --with-default-path=/usr/local/bin:/bin:/usr/bin \
        --with-superuser-path=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin \
        --with-privsep-path=%{_var}/empty/sshd \
        --with-ssl-dir=/usr/local/openssl \
        --with-md5-passwords \
        --mandir=%{_mandir} \
        --with-mantype=man \
        --disable-strip \

开始构建

# Build source + binary packages; output goes to /root/rpmbuild/SRPMS and RPMS/x86_64
rpmbuild -ba ./openssh.spec

……
检查未打包文件:/usr/lib/rpm/check-files /root/rpmbuild/BUILDROOT/openssh-8.5p1-1.el7.x86_64
写道:/root/rpmbuild/SRPMS/openssh-8.5p1-1.el7.src.rpm
写道:/root/rpmbuild/RPMS/x86_64/openssh-8.5p1-1.el7.x86_64.rpm
写道:/root/rpmbuild/RPMS/x86_64/openssh-clients-8.5p1-1.el7.x86_64.rpm
写道:/root/rpmbuild/RPMS/x86_64/openssh-server-8.5p1-1.el7.x86_64.rpm
写道:/root/rpmbuild/RPMS/x86_64/openssh-askpass-8.5p1-1.el7.x86_64.rpm
写道:/root/rpmbuild/RPMS/x86_64/openssh-askpass-gnome-8.5p1-1.el7.x86_64.rpm
写道:/root/rpmbuild/RPMS/x86_64/openssh-debuginfo-8.5p1-1.el7.x86_64.rpm
执行(%clean): /bin/sh -e /var/tmp/rpm-tmp.Yhrfbl
+ umask 022
+ cd /root/rpmbuild/BUILD
+ cd openssh-8.5p1
+ rm -rf /root/rpmbuild/BUILDROOT/openssh-8.5p1-1.el7.x86_64
+ exit 0

升级OpenSSH

备份配置文件

  1. mkdir ~/sshbak && cd ~
  2. cp /etc/pam.d/sshd sshbak/
  3. cp /etc/ssh/sshd_config sshbak
  4. 不要为了升级把sshd_config里的PermitRootLogin改成yes: 那等于长期开放root口令登录, 而升级本身并不需要它。作者遇到的"无法登录"更可能是用root口令登录时被新版默认的prohibit-password拒绝; 只要还原了备份的sshd_config, 原来的登录策略就保持不变。升级过程中保持当前这条SSH会话(或控制台)不断开, 完成后用普通用户或密钥另开一条会话验证即可; 确实需要root登录的话用PermitRootLogin prohibit-password配合密钥。另外建议把主机密钥也备份一份: cp -p /etc/ssh/ssh_host_* sshbak/ , 否则一旦密钥被重新生成, 所有客户端都会看到主机密钥变更警告。

开始升级

1.停止sshd服务 service sshd stop (CentOS 7的sshd.service使用KillMode=process, 停止服务不会断开已经建立的会话, 但在重新启动之前无法再新建登录; 动手前确认有控制台或第二条已登录的会话可用, 以防新的sshd起不来)
2.将做好的三个包放到同一个目录,我是直接放到了/root/

# Collect the three packages to install (base, clients, server) in /root
cd /root/rpmbuild/RPMS/x86_64
cp openssh-{,server-,clients-}8.5p1-1.el7.x86_64.rpm ~/

3.卸载旧版本的OpenSSH
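# Remove every installed openssh package (the original line lost its backticks when pasted).
# rpm -qa with a name glob replaces the substring `grep openssh`; rpm -e with an empty list
# would error out, hence the guard. rpm saves modified config files as *.rpmsave, but the
# backups taken above are what gets restored afterwards.
mapfile -t old_ssh < <(rpm -qa 'openssh*')
if ((${#old_ssh[@]})); then
    rpm -e --nodeps "${old_ssh[@]}"
fi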
4.rpm安装新版本

[root@localhost ~]# rpm -Uvh *.rpm
准备中...                          ################################# [100%]
正在升级/安装...
   1:openssh-8.5p1-1.el7              ################################# [ 33%]
   2:openssh-clients-8.5p1-1.el7      ################################# [ 67%]
   3:openssh-server-8.5p1-1.el7       ################################# [100%]

5.还原配置文件

[root@localhost ~]# cp sshbak/sshd /etc/pam.d/sshd 
cp:是否覆盖"/etc/pam.d/sshd"? y
[root@localhost ~]# cp sshbak/sshd_config /etc/ssh/sshd_config
cp:是否覆盖"/etc/ssh/sshd_config"? y

6.授权并启动

# 上游8.5p1的sshd会跳过组/其他用户可读的主机私钥(CentOS自带包用的是0640加ssh_keys组), 一个都加载不了就直接退出——这很可能就是不chmod就起不来的原因。只需收紧私钥本身, 不要对/etc/ssh/*一律600: ssh_config和*.pub本应可被所有用户读取
[root@localhost ~]# chmod 600 /etc/ssh/ssh_host_*_key
[root@localhost ~]# sshd -t    # 启动前先检查还原的sshd_config和密钥权限, 无输出即通过
[root@localhost ~]# service sshd start
Starting sshd (via systemctl):                             [  确定  ]
[root@localhost ~]# ssh -V
OpenSSH_8.5p1, OpenSSL 1.1.1k  25 Mar 2021

升级成功

现在已经升级到了OpenSSH 8.5。关于OpenSSH命令注入漏洞(CVE-2020-15778): 它源于scp把远端路径原样交给远端shell展开, 8.5p1并没有改这一行为(直到OpenSSH 9.0 scp才默认改用SFTP协议), 而且只有在攻击者能控制scp的参数、或账户被限制成只能用scp的场景下才有实际意义。scp属于openssh-clients包, 卸载该包确实能去掉scp, 但同时也会去掉ssh、sftp、ssh-agent、ssh-add、ssh-copy-id等客户端工具; 更稳妥的做法是改用sftp, 或用authorized_keys里的forced command限制账户能做的事。只有确认这台机器完全不需要SSH客户端功能时, 才按下面的命令卸载:
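# Optional hardening only: this removes scp together with the other client tools in the
# package (ssh, sftp, ssh-agent, ...). No --nodeps here on purpose: if rpm reports that another
# package depends on openssh-clients, find out why instead of forcing the removal.
rpm -e openssh-clients-8.5p1-1.el7.x86_64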

精简升级步骤

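#!/bin/bash
# Condensed upgrade. Run as root from a directory holding the openssl*/openssh* RPMs built
# above. Keep a second SSH session or the console open until sshd is back and a fresh login
# has been tested.
set -euo pipefail

# 1. Remove the distro openssl/openssl-devel. Keep openssl-libs: the rest of the system still
#    links against it. Name globs instead of `grep openssl | grep -v libs`, which was a
#    substring match and could remove unrelated packages.
mapfile -t old_openssl < <(rpm -qa openssl openssl-devel)
if ((${#old_openssl[@]})); then
    rpm -e --nodeps "${old_openssl[@]}"
fi

# 2. Install the new OpenSSL (--nodeps kept from the original flow)
rpm -Uvh --nodeps openssl*.rpm

# 3. Back up what rpm -e removes or the new packages would replace. Host keys included:
#    if they get regenerated, every client sees a "host key changed" warning.
mkdir -p sshbak
cp -p /etc/pam.d/sshd /etc/ssh/sshd_config sshbak/
cp -p /etc/ssh/ssh_host_* sshbak/

# 4. Stop sshd (existing sessions stay up; no new logins until step 7)
service sshd stop
service sshd status || true   # exits non-zero for a stopped service; informational only

# 5. Remove the old openssh packages
mapfile -t old_ssh < <(rpm -qa 'openssh*')
if ((${#old_ssh[@]})); then
    rpm -e --nodeps "${old_ssh[@]}"
fi

# 6. Install the new openssh packages
rpm -Uvh --nodeps openssh*.rpm

# 7. Restore the configuration, validate it, then start sshd
cp -p sshbak/sshd /etc/pam.d/sshd
cp -p sshbak/sshd_config /etc/ssh/sshd_config
cp -p sshbak/ssh_host_* /etc/ssh/   # harmless if rpm -e left the keys in place
# Upstream sshd skips host private keys that are group/world readable (the distro build used
# 0640 + group ssh_keys) and exits if none load. Restrict only the private keys; ssh_config and
# the *.pub files should stay world-readable, so no blanket `chmod 600 /etc/ssh/*`.
chmod 600 /etc/ssh/ssh_host_*_key
sshd -t            # config/permission check; fails here rather than at service start
service sshd start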

Q.E.D.