If you only need to upgrade OpenSSH, see my other article: Upgrading OpenSSH on CentOS/RHEL 7.6 (without upgrading OpenSSL).
OpenSSL is upgraded here to address the SSL/TLS protocol information disclosure vulnerability (CVE-2016-2183).
All RPM packages built in this article:
OpenSSL 1.1.1k and OpenSSH 8.5p1
Install dependencies
yum install -y wget rpm-build zlib-devel openssl-devel gcc perl-devel pam-devel unzip libXt-devel imake gtk2-devel openssl-libs
Build the OpenSSL 1.1.1k RPM package with a script
At the time of writing the latest release is OpenSSL 1.1.1k. If a newer release is available when you read this, simply replace 1.1.1k in the script below with the new version number.
#!/bin/bash
set -e
set -v
mkdir ~/openssl && cd ~/openssl
yum -y install \
curl \
which \
make \
gcc \
perl \
perl-WWW-Curl \
rpm-build
yum -y remove openssl
# Get openssl tarball
curl -O --silent https://www.openssl.org/source/openssl-1.1.1k.tar.gz
# SPEC file
cat << 'EOF' > ~/openssl/openssl.spec
Summary: OpenSSL 1.1.1k for Centos
Name: openssl
Version: %{?version}%{!?version:1.1.1k}
Release: 1%{?dist}
Obsoletes: %{name} <= %{version}
Provides: %{name} = %{version}
URL: https://www.openssl.org/
License: GPLv2+
Source: https://www.openssl.org/source/%{name}-%{version}.tar.gz
BuildRequires: make gcc perl perl-WWW-Curl
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
# openssldir can be changed as desired
%global openssldir /usr/local/openssl
%description
https://github.com/philyuchkoff/openssl-RPM-Builder
OpenSSL RPM for version 1.1.1k on Centos
%package devel
Summary: Development files for programs which will use the openssl library
Group: Development/Libraries
Requires: %{name} = %{version}-%{release}
%description devel
OpenSSL RPM for version 1.1.1k on Centos (development package)
%prep
%setup -q
%build
./config --prefix=%{openssldir} --openssldir=%{openssldir}
make
%install
[ "%{buildroot}" != "/" ] && %{__rm} -rf %{buildroot}
%make_install
mkdir -p %{buildroot}%{_bindir}
mkdir -p %{buildroot}%{_libdir}
ln -sf %{openssldir}/lib/libssl.so.1.1 %{buildroot}%{_libdir}
ln -sf %{openssldir}/lib/libcrypto.so.1.1 %{buildroot}%{_libdir}
ln -sf %{openssldir}/bin/openssl %{buildroot}%{_bindir}
%clean
[ "%{buildroot}" != "/" ] && %{__rm} -rf %{buildroot}
%files
%{openssldir}
%defattr(-,root,root)
/usr/bin/openssl
/usr/lib64/libcrypto.so.1.1
/usr/lib64/libssl.so.1.1
%files devel
%{openssldir}/include/*
%defattr(-,root,root)
%post -p /sbin/ldconfig
%postun -p /sbin/ldconfig
EOF
mkdir -p /root/rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS}
cp ~/openssl/openssl.spec /root/rpmbuild/SPECS/openssl.spec
mv openssl-1.1.1k.tar.gz /root/rpmbuild/SOURCES
cd /root/rpmbuild/SPECS && \
rpmbuild \
-D "version 1.1.1k" \
-ba openssl.spec
# For install: rpm -ivvh /root/rpmbuild/RPMS/x86_64/openssl-1.1.1k-1.el7.x86_64.rpm --nodeps
# Verify install: rpm -qa openssl
# openssl version
When the build finishes, the following is printed:
检查未打包文件:/usr/lib/rpm/check-files /root/rpmbuild/BUILDROOT/openssl-1.1.1k-1.el7.x86_64
写道:/root/rpmbuild/SRPMS/openssl-1.1.1k-1.el7.src.rpm
写道:/root/rpmbuild/RPMS/x86_64/openssl-1.1.1k-1.el7.x86_64.rpm
写道:/root/rpmbuild/RPMS/x86_64/openssl-devel-1.1.1k-1.el7.x86_64.rpm
写道:/root/rpmbuild/RPMS/x86_64/openssl-debuginfo-1.1.1k-1.el7.x86_64.rpm
执行(%clean): /bin/sh -e /var/tmp/rpm-tmp.CdyqOD
+ umask 022
+ cd /root/rpmbuild/BUILD
+ cd openssl-1.1.1k
+ '[' /root/rpmbuild/BUILDROOT/openssl-1.1.1k-1.el7.x86_64 '!=' / ']'
+ /usr/bin/rm -rf /root/rpmbuild/BUILDROOT/openssl-1.1.1k-1.el7.x86_64
+ exit 0
Upgrade OpenSSL
1. Remove the old version
Note: openssl-libs must not be removed
rpm -e `rpm -qa | grep openssl | grep -v libs` --nodeps
2. Install the new version
# 1. Select the packages to install
cd /root/rpmbuild/RPMS/x86_64/
cp openssl* ~/openssl
cd ~/openssl
rm -rf openssl-debuginfo-1.1.1k-1.el7.x86_64.rpm
# 2. Start the installation
[root@localhost openssl]# rpm -Uvh *.rpm --nodeps
准备中... ################################# [100%]
正在升级/安装...
1:openssl-1.1.1k-1.el7 ################################# [ 50%]
2:openssl-devel-1.1.1k-1.el7 ################################# [100%]
[root@localhost openssl]# openssl version
OpenSSL 1.1.1k 25 Mar 2021
3. Installation complete
Build the OpenSSH package against the upgraded OpenSSL
Create the required directories
The OpenSSL script above already created these directories; if they do not exist:
mkdir -p /root/rpmbuild/{SOURCES,SPECS}
cd /root/rpmbuild/SOURCES
Download the source tarballs
wget http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.5p1.tar.gz
wget https://src.fedoraproject.org/repo/pkgs/openssh/x11-ssh-askpass-1.2.4.1.tar.gz/8f2e41f3f7eaa8543a2440454637f3c3/x11-ssh-askpass-1.2.4.1.tar.gz
tar -xvzf openssh-8.5p1.tar.gz
tar -xvzf x11-ssh-askpass-1.2.4.1.tar.gz
Modify the spec file
cp openssh-8.5p1/contrib/redhat/openssh.spec /root/rpmbuild/SPECS/
cd /root/rpmbuild/SPECS/
sed -i -e "s/%define no_x11_askpass 0/%define no_x11_askpass 1/g" openssh.spec
sed -i -e "s/%define no_gnome_askpass 0/%define no_gnome_askpass 1/g" openssh.spec
sed -i 's/BuildRequires: openssl-devel < 1.1/#&/' /root/rpmbuild/SPECS/openssh.spec
vim openssh.spec
Find the %configure \ block and add a --with-ssl-dir line; the directory is the one OpenSSL was installed into above
%configure \
--sysconfdir=%{_sysconfdir}/ssh \
--libexecdir=%{_libexecdir}/openssh \
--datadir=%{_datadir}/openssh \
--with-default-path=/usr/local/bin:/bin:/usr/bin \
--with-superuser-path=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin \
--with-privsep-path=%{_var}/empty/sshd \
--with-ssl-dir=/usr/local/openssl \
--with-md5-passwords \
--mandir=%{_mandir} \
--with-mantype=man \
--disable-strip \
Start the build
rpmbuild -ba openssh.spec
……
检查未打包文件:/usr/lib/rpm/check-files /root/rpmbuild/BUILDROOT/openssh-8.5p1-1.el7.x86_64
写道:/root/rpmbuild/SRPMS/openssh-8.5p1-1.el7.src.rpm
写道:/root/rpmbuild/RPMS/x86_64/openssh-8.5p1-1.el7.x86_64.rpm
写道:/root/rpmbuild/RPMS/x86_64/openssh-clients-8.5p1-1.el7.x86_64.rpm
写道:/root/rpmbuild/RPMS/x86_64/openssh-server-8.5p1-1.el7.x86_64.rpm
写道:/root/rpmbuild/RPMS/x86_64/openssh-askpass-8.5p1-1.el7.x86_64.rpm
写道:/root/rpmbuild/RPMS/x86_64/openssh-askpass-gnome-8.5p1-1.el7.x86_64.rpm
写道:/root/rpmbuild/RPMS/x86_64/openssh-debuginfo-8.5p1-1.el7.x86_64.rpm
执行(%clean): /bin/sh -e /var/tmp/rpm-tmp.Yhrfbl
+ umask 022
+ cd /root/rpmbuild/BUILD
+ cd openssh-8.5p1
+ rm -rf /root/rpmbuild/BUILDROOT/openssh-8.5p1-1.el7.x86_64
+ exit 0
Upgrade OpenSSH
Back up the configuration files
- mkdir ~/sshbak && cd ~
- cp /etc/pam.d/sshd sshbak/
- cp /etc/ssh/sshd_config sshbak
- Check the PermitRootLogin yes line in sshd_config; if it is commented out or set to no, change it to yes, otherwise you will not be able to log in
Start the upgrade
1. Stop the sshd service: service sshd stop
2. Put the three packages you built into the same directory; I put them directly in /root/
cd /root/rpmbuild/RPMS/x86_64
cp openssh-8.5p1-1.el7.x86_64.rpm ~/
cp openssh-server-8.5p1-1.el7.x86_64.rpm ~/
cp openssh-clients-8.5p1-1.el7.x86_64.rpm ~/
3. Remove the old OpenSSH version
rpm -e `rpm -qa | grep openssh` --nodeps
4. Install the new version with rpm
[root@localhost ~]# rpm -Uvh *.rpm
准备中... ################################# [100%]
正在升级/安装...
1:openssh-8.5p1-1.el7 ################################# [ 33%]
2:openssh-clients-8.5p1-1.el7 ################################# [ 67%]
3:openssh-server-8.5p1-1.el7 ################################# [100%]
5. Restore the configuration files
[root@localhost ~]# cp sshbak/sshd /etc/pam.d/sshd
cp:是否覆盖"/etc/pam.d/sshd"? y
[root@localhost ~]# cp sshbak/sshd_config /etc/ssh/sshd_config
cp:是否覆盖"/etc/ssh/sshd_config"? y
6. Set permissions and start
# If this chmod step is skipped, the sshd service may fail to start
[root@localhost ~]# chmod 600 /etc/ssh/*
[root@localhost ~]# service sshd start
Starting sshd (via systemctl): [ 确定 ]
[root@localhost ~]# ssh -V
OpenSSH_8.5p1, OpenSSL 1.1.1k 25 Mar 2021
Upgrade successful
OpenSSH is now at version 8.5. If you do not need scp, you can remove openssh-clients, because the OpenSSH command injection vulnerability (CVE-2020-15778) is caused by openssh-clients.
rpm -e openssh-clients-8.5p1-1.el7.x86_64 --nodeps
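As an added post-upgrade check (not part of the original article), the script below verifies the result of the procedure above: that openssl reports at least the target release, that ssh is the expected OpenSSH release and is linked against the same OpenSSL the openssl binary reports, and which PermitRootLogin value sshd will actually use from the restored sshd_config. The function names are mine; the expected versions are the ones built in this article.

```shell
# Added post-upgrade check for the procedure above; not part of the original
# article. Function names are mine; expected versions are passed as arguments.
# Extract the OpenSSL version token ("1.1.1k") from `openssl version` or
# `ssh -V` output such as "OpenSSH_8.5p1, OpenSSL 1.1.1k  25 Mar 2021".
openssl_version_of() {
    printf '%s\n' "$1" | sed -n 's/.*OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p'
}
# Extract the OpenSSH version token ("8.5p1") from `ssh -V` output.
openssh_version_of() {
    printf '%s\n' "$1" | sed -n 's/.*OpenSSH_\([0-9][0-9.]*p[0-9]*\).*/\1/p'
}
# Return 0 when OpenSSL 1.x-style version $1 >= $2: numeric fields first,
# then the patch letter, so 1.1.1k > 1.1.1g > 1.0.2k.
openssl_version_ge() {
    na=${1%%[a-z]*}; la=${1#"$na"}; nb=${2%%[a-z]*}; lb=${2#"$nb"}
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$na" | cut -d. -f"$i"); y=$(printf '%s' "$nb" | cut -d. -f"$i")
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        i=$((i + 1))
    done
    [ "$la" = "$lb" ] || [ "$(expr "$la" \> "$lb")" = 1 ]
}
# Effective PermitRootLogin in an sshd_config: sshd honours the first
# uncommented occurrence; OpenSSH 8.5 defaults to prohibit-password.
# Match blocks are ignored here.
permit_root_login_of() {
    v=$(awk 'tolower($1) == "permitrootlogin" { print $2; exit }' "$1")
    printf '%s\n' "${v:-prohibit-password}"
}
# Compare the installed binaries with the expected versions and make sure
# ssh is linked against the same OpenSSL that `openssl version` reports.
check_upgrade() {
    want_ssl=$1; want_ssh=$2; rc=0
    ssl=$(openssl_version_of "$(openssl version 2>&1)")
    ssh_out=$(ssh -V 2>&1)
    ssh_ssl=$(openssl_version_of "$ssh_out"); ssh_ver=$(openssh_version_of "$ssh_out")
    openssl_version_ge "$ssl" "$want_ssl" || { echo "openssl is $ssl, want >= $want_ssl"; rc=1; }
    [ "$ssh_ver" = "$want_ssh" ] || { echo "ssh is OpenSSH $ssh_ver, want $want_ssh"; rc=1; }
    [ "$ssh_ssl" = "$ssl" ] || { echo "ssh linked against OpenSSL $ssh_ssl, not $ssl"; rc=1; }
    return "$rc"
}
# Live check, only where both binaries exist (versions built in this article).
if command -v openssl >/dev/null 2>&1 && command -v ssh >/dev/null 2>&1; then
    check_upgrade 1.1.1k 8.5p1 && echo "upgrade verified" || echo "upgrade NOT verified"
fi
```

Run `permit_root_login_of /etc/ssh/sshd_config` after restoring the backup to confirm the value sshd will use before starting the service.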
Condensed upgrade steps
1. Remove the old OpenSSL
rpm -e `rpm -qa | grep openssl | grep -v libs` --nodeps
2. Install the new OpenSSL
rpm -Uvh openssl* --nodeps
3. Back up the ssh files
mkdir sshbak
cp /etc/pam.d/sshd sshbak/
cp /etc/ssh/sshd_config sshbak/
4. Stop the ssh service
service sshd stop
service sshd status
5. Remove openssh
rpm -e `rpm -qa | grep openssh` --nodeps
6. Install openssh
rpm -Uvh openssh* --nodeps
7. Restore the backed-up ssh files and start the ssh service
cp sshbak/sshd /etc/pam.d/sshd
cp sshbak/sshd_config /etc/ssh/sshd_config
chmod 600 /etc/ssh/*
service sshd start