1. Background
A customer had a third-party security firm scan their servers, and the scan reported a number of SSH vulnerabilities. CentOS 7.2 ships the older OpenSSH 6.6.1, and these issues are fixed in newer OpenSSH releases, so for security reasons OpenSSH needs to be upgraded.
The yum repository does not carry the latest OpenSSH, so we have to download the latest source package from the official site and build our own rpm installation packages.
The customer's servers cannot reach the outside network, so the upgrade has to be packaged for offline installation.
2. Environment
Operating system: CentOS 7.2 Minimal
serverA 192.168.1.104: simulates the development machine; has network access and is used to build the offline upgrade package
serverB 192.168.1.106: simulates the customer's server; no network access, with the old versions of the OpenSSH packages and their dependencies
3. Expected outcome
On serverA, download and build OpenSSH and its dependencies, write a one-shot upgrade script, and then complete the OpenSSH upgrade on serverB.
The latest OpenSSH source package at the time of writing is openssh-7.9p1.tar.gz.
4. Steps
On serverA
# yum -y install vim wget epel-release
# yum -y install rpm-build gcc make
# yum -y install openssl openssl-devel krb5-devel pam-devel libX11-devel xmkmf libXt-devel
# wget http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.9p1.tar.gz
# tar -zxf openssh-7.9p1.tar.gz
# mkdir -p /root/rpmbuild/{SOURCES,SPECS}
# cp ./openssh-7.9p1/contrib/redhat/openssh.spec /root/rpmbuild/SPECS/
# cp openssh-7.9p1.tar.gz /root/rpmbuild/SOURCES/
# cd /root/rpmbuild/SPECS/
# sed -i -e "s/%define no_gnome_askpass 0/%define no_gnome_askpass 1/g" openssh.spec
# sed -i -e "s/%define no_x11_askpass 0/%define no_x11_askpass 1/g" openssh.spec
# sed -i -e "s/BuildPreReq/BuildRequires/g" openssh.spec
# sed -i -e "s/BuildRequires: openssl-devel < 1.1/#BuildRequires: openssl-devel < 1.1/g" openssh.spec
# rpmbuild -bb openssh.spec
The built rpm packages are placed in the /root/rpmbuild/RPMS/x86_64/ directory:
# ll /root/rpmbuild/RPMS/x86_64
The above steps as a script:
# cat build.sh
#####################################################
#!/bin/bash
OPENSSH_VERSION=7.9p1
yum -y install vim wget epel-release
yum -y install rpm-build gcc make
yum -y install openssl openssl-devel krb5-devel pam-devel libX11-devel xmkmf libXt-devel
# cd /root
wget http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${OPENSSH_VERSION}.tar.gz
tar -zxf openssh-${OPENSSH_VERSION}.tar.gz
mkdir -p /root/rpmbuild/{SOURCES,SPECS}
cp ./openssh-${OPENSSH_VERSION}/contrib/redhat/openssh.spec /root/rpmbuild/SPECS/
cp openssh-${OPENSSH_VERSION}.tar.gz /root/rpmbuild/SOURCES/
cd /root/rpmbuild/SPECS/
sed -i -e "s/%define no_gnome_askpass 0/%define no_gnome_askpass 1/g" openssh.spec
sed -i -e "s/%define no_x11_askpass 0/%define no_x11_askpass 1/g" openssh.spec
sed -i -e "s/BuildPreReq/BuildRequires/g" openssh.spec
sed -i -e "s/BuildRequires: openssl-devel < 1.1/#BuildRequires: openssl-devel < 1.1/g" openssh.spec
rpmbuild -bb openssh.spec
ls -l /root/rpmbuild/RPMS/x86_64
########################################################
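A check worth adding to the build steps above. This is an added example, not part of the original post or of the OpenSSH project: it wraps the four `sed` edits from build.sh in a function and then verifies that each edit really landed, because `sed -i` exits 0 whether or not its pattern matched, so a spec whose wording differs from what these patterns expect would be left unpatched in silence and rpmbuild would fail later (or pull in the askpass dependencies we meant to disable). `make_sample_spec` writes a constructed four-line stand-in for contrib/redhat/openssh.spec so the check can be rehearsed without the source tree.

```shell
#!/bin/bash
# Added example, not from the original post: apply the openssh.spec edits from
# build.sh and then verify that each one actually took effect.

# Same four substitutions as build.sh, on the spec path given as $1.
patch_spec() {
    local spec="$1"
    sed -i -e 's/%define no_gnome_askpass 0/%define no_gnome_askpass 1/g' "$spec"
    sed -i -e 's/%define no_x11_askpass 0/%define no_x11_askpass 1/g' "$spec"
    sed -i -e 's/BuildPreReq/BuildRequires/g' "$spec"
    sed -i -e 's/BuildRequires: openssl-devel < 1.1/#BuildRequires: openssl-devel < 1.1/g' "$spec"
}

# Check the patched spec. Prints one line per unmet expectation and returns
# the number of failures, so a build script can stop before rpmbuild runs.
verify_spec() {
    local spec="$1" failures=0
    grep -qx '%define no_gnome_askpass 1' "$spec" \
        || { echo "no_gnome_askpass is not 1"; failures=$((failures + 1)); }
    grep -qx '%define no_x11_askpass 1' "$spec" \
        || { echo "no_x11_askpass is not 1"; failures=$((failures + 1)); }
    if grep -q 'BuildPreReq' "$spec"; then
        echo "BuildPreReq tag still present"; failures=$((failures + 1))
    fi
    if grep -q '^BuildRequires: openssl-devel < 1.1' "$spec"; then
        echo "openssl-devel < 1.1 is still a build requirement"; failures=$((failures + 1))
    fi
    return "$failures"
}

# Constructed miniature spec holding just the lines the patterns target; the
# real contrib/redhat/openssh.spec is far longer.
make_sample_spec() {
    cat > "$1" <<'EOF'
%define no_gnome_askpass 0
%define no_x11_askpass 0
BuildPreReq: perl, openssl-devel
BuildRequires: openssl-devel < 1.1
EOF
}

# Rehearsal on the constructed spec. Against the real tree this is:
#   patch_spec /root/rpmbuild/SPECS/openssh.spec && verify_spec /root/rpmbuild/SPECS/openssh.spec
demo_spec=$(mktemp)
make_sample_spec "$demo_spec"
patch_spec "$demo_spec"
if verify_spec "$demo_spec"; then
    echo "spec patched and verified"
else
    echo "spec patch incomplete; do not run rpmbuild"
fi
rm -f "$demo_spec"
```

Against the real tree, call `patch_spec` and `verify_spec` on /root/rpmbuild/SPECS/openssh.spec and only run `rpmbuild -bb openssh.spec` when `verify_spec` returns 0.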
5. Test the OpenSSH upgrade on the development machine
On serverA
# cd /root/rpmbuild/RPMS/x86_64
# rpm -Uvh *.rpm
# rpm -qa | grep openssh
At this point the upgrade should have been complete, but logging in from a client failed!
At first we suspected the rpm packages we had built ourselves; after a lot of back and forth we finally found that the cause was the default configuration.
Key-based ssh login fails because the default permissions on the host key files are too permissive, so the mode of the key files has to be changed:
# ll /etc/ssh/ssh_host_*_key
# chmod 600 /etc/ssh/ssh_host_*_key
# ll /etc/ssh/ssh_host_*_key
After the upgrade, OpenSSH's default configuration does not allow password login, so we need to change the configuration file:
# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
# sed -i -e "s/#PasswordAuthentication yes/PasswordAuthentication yes/g" /etc/ssh/sshd_config
# sed -i -e "s/#PermitRootLogin prohibit-password/PermitRootLogin yes/g" /etc/ssh/sshd_config
# sed -i -e "s/#PermitEmptyPasswords no/PermitEmptyPasswords no/g" /etc/ssh/sshd_config
# sed -i -e "s/#UsePAM no/UsePAM yes/g" /etc/ssh/sshd_config
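The four `sed` edits above work only when the commented default is present in exactly that form; when it is not, `sed` exits 0 and the setting silently stays as it was. sshd also honours only the first occurrence of each keyword, so a line appended at the end is ignored when an earlier one exists, and anything appended after a `Match` block applies only to that block. The following is an added example, not from the post: a keyword-aware editor and reader for sshd_config, the post's settings applied through it, and the reverse step that restores `PermitRootLogin prohibit-password` (the 7.9 default that the post's `PermitRootLogin yes` overrides) once key-based login has been confirmed to work. `make_sample_config` writes a constructed excerpt so the functions can be exercised outside /etc/ssh; the `Match User backup` block in it is made up.

```shell
#!/bin/bash
# Added example, not from the original post: edit sshd_config by keyword
# instead of by exact text, and read back the value sshd will actually use.

# awk helpers shared by sshd_set/sshd_get: lower-cased keyword of a line
# (keywords are case-insensitive) and whether the line is active (not a comment).
kw_fn='function kw(s) { sub(/^[ \t]*#?[ \t]*/, "", s); split(s, f, /[ \t=]+/); return tolower(f[1]) }
       function active(s) { return s !~ /^[ \t]*#/ }'

# sshd_set FILE KEYWORD VALUE: replace the first active global occurrence; failing
# that, replace the first commented one; failing that, insert before the first
# Match block (or append). Writing through cat keeps FILE's owner and mode.
sshd_set() {
    local cfg="$1" key="$2" value="$3" tmp
    tmp=$(mktemp)
    awk -v key="$key" -v value="$value" "$kw_fn"'
        BEGIN { lk = tolower(key) }
        NR == FNR {                       # pass 1: is there an active global line?
            if (!skip && active($0) && kw($0) == "match") skip = 1
            if (!skip && active($0) && kw($0) == lk) has_active = 1
            next
        }
        !done && active($0) && kw($0) == "match" { print key, value; done = 1 }
        !done && kw($0) == lk && (active($0) || !has_active) { print key, value; done = 1; next }
        { print }
        END { if (!done) print key, value }
    ' "$cfg" "$cfg" > "$tmp" && cat "$tmp" > "$cfg"
    rm -f "$tmp"
}

# sshd_get FILE KEYWORD: the value sshd will use globally (first active line
# before any Match block); prints nothing if only the commented default exists.
sshd_get() {
    awk -v key="$2" "$kw_fn"'
        !active($0) || /^[ \t]*$/ { next }
        kw($0) == "match" { exit }
        kw($0) == tolower(key) { sub(/^[ \t]*[^ \t=]+[ \t=]+/, ""); sub(/[ \t]+$/, ""); print; exit }
    ' "$1"
}

# The settings from the post: root may log in with a password again.
apply_post_settings() {
    sshd_set "$1" PasswordAuthentication yes
    sshd_set "$1" PermitRootLogin yes
    sshd_set "$1" PermitEmptyPasswords no
    sshd_set "$1" UsePAM yes
}

# Once key login is confirmed working: back to the 7.9 default for root, and
# password authentication off altogether.
harden_settings() {
    sshd_set "$1" PermitRootLogin prohibit-password
    sshd_set "$1" PasswordAuthentication no
}

# Syntax-check a config before restarting; sshd -t exits non-zero on any error.
# If sshd is not installed where this runs, say so and do not fail.
sshd_syntax_ok() {
    command -v sshd >/dev/null 2>&1 || { echo "sshd not installed here; skipping syntax check"; return 0; }
    sshd -t -f "$1"
}

# Constructed sshd_config excerpt (the stock CentOS 7 file is much longer).
make_sample_config() {
    cat > "$1" <<'EOF'
Port 22
#PermitRootLogin prohibit-password
#PasswordAuthentication yes
# PermitEmptyPasswords no
UsePAM no
Match User backup
    PasswordAuthentication no
EOF
}
```

On a real host, run `sshd_syntax_ok /etc/ssh/sshd_config` before `systemctl restart sshd`, keep the current session open, and test a fresh login from a second terminal; the existing session survives the restart, so a broken config can still be reverted from it.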
The default /etc/pam.d/sshd uses the obsolete pam_stack.so module and needs to be updated:
# cp /etc/pam.d/sshd /etc/pam.d/sshd.bak
# cat > /etc/pam.d/sshd <<EOF
#%PAM-1.0
auth required pam_sepermit.so
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth
EOF
Restart the ssh service and check its status:
# systemctl restart sshd
# systemctl enable sshd
# systemctl status sshd
You will notice that after the upgrade the sshd service is started from an init script rather than from the /usr/lib/systemd/system/sshd.service unit file.
In fact, during the upgrade the package removed /usr/lib/systemd/system/sshd.service and added the service start script /etc/init.d/sshd.
If you look closely you will also notice that after the upgrade ssh-copy-id, the command we often use to copy a public key for password-less login, is gone too!
It is not actually gone; we just have to copy it from the extracted source tree into /usr/bin/:
# cp /root/openssh-7.9p1/contrib/ssh-copy-id /usr/bin/
# chmod 755 /usr/bin/ssh-copy-id
6. Build the offline upgrade package
On serverA
# yum -y install yum-utils createrepo
# mkdir /root/localrepo
# repotrack openssl -p /root/localrepo/
You may wonder: we are supposed to be collecting the dependencies of the OpenSSH packages, so why are we tracking openssl?
As the installation above showed, upgrading OpenSSH does not leave any missing dependencies; we only need to upgrade openssl to a matching version as well.
So:
# cp /root/rpmbuild/RPMS/x86_64/*.rpm /root/localrepo
# createrepo -v /root/localrepo
Write the offline upgrade installation script:
# cat install.sh
######################################################
#!/bin/bash
# locate the directory the script is in
parent_path=$( cd "$(dirname "${BASH_SOURCE}")"; pwd -P )
cd "$parent_path"
mkdir -p /etc/yum.repos.d/backup
mv /etc/yum.repos.d/*.repo /etc/yum.repos.d/backup
rm -rf /tmp/localrepo
mkdir -p /tmp/localrepo
cp -rf ./localrepo/* /tmp/localrepo
echo "[localrepo]" > /etc/yum.repos.d/localrepo.repo
echo "name=Local Repository" >> /etc/yum.repos.d/localrepo.repo
echo "baseurl=file:///tmp/localrepo" >> /etc/yum.repos.d/localrepo.repo
echo "gpgcheck=0" >> /etc/yum.repos.d/localrepo.repo
echo "enabled=1" >> /etc/yum.repos.d/localrepo.repo
yum clean all
yum -y install openssl
yum -y install openssh* --disablerepo="*" --enablerepo="localrepo"
rm -rf /tmp/localrepo
rm -f /etc/yum.repos.d/localrepo.repo
mv /etc/yum.repos.d/backup/*.repo /etc/yum.repos.d
rm -rf /etc/yum.repos.d/backup
chmod 600 /etc/ssh/ssh_host_*_key
# modify /etc/ssh/sshd_config
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
sed -i -e "s/#PasswordAuthentication yes/PasswordAuthentication yes/g" /etc/ssh/sshd_config
sed -i -e "s/#PermitRootLogin prohibit-password/PermitRootLogin yes/g" /etc/ssh/sshd_config
sed -i -e "s/#PermitEmptyPasswords no/PermitEmptyPasswords no/g" /etc/ssh/sshd_config
sed -i -e "s/#UsePAM no/UsePAM yes/g" /etc/ssh/sshd_config
# modify /etc/pam.d/sshd
cp /etc/pam.d/sshd /etc/pam.d/sshd.bak
cat > /etc/pam.d/sshd <<EOF
#%PAM-1.0
auth required pam_sepermit.so
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth
EOF
# copy ssh-copy-id
cp ssh-copy-id /usr/bin
chmod 755 /usr/bin/ssh-copy-id
systemctl restart sshd
systemctl enable sshd
systemctl status sshd
rpm -qa | grep open
systemctl status sshd| grep "Active: active (running)"
if [ $? -eq 0 ]; then
echo -e "\033[32m[INFO] OpenSSH upgraded to 7.9p1 successfully!\033[0m"
else
echo -e "\033[31m[ERROR] OpenSSH upgrade to 7.9p1 failed!\033[0m"
fi
##############################################################
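install.sh decides success by grepping `systemctl status`. The following added example (not from the post) checks the other things the upgrade changes on the target: host key modes, removal of the temporary `gpgcheck=0` repository and restoration of the original .repo files, the presence of ssh-copy-id, and whether sshd is now started from the init script the rpm installs in place of the systemd unit. The root-prefix parameter is an assumption added here so the checks can be rehearsed on a constructed directory tree; on serverB it is simply `/`.

```shell
#!/bin/bash
# Added example, not from the original post: post-upgrade checks for the
# state install.sh is supposed to leave behind. Every path is taken relative
# to a root prefix ($1, normally "/") so the checks can be rehearsed against a
# constructed directory tree before touching a real host.

# Host keys must be 0600; the "cannot log in after upgrade" symptom from
# section 5 was the keys being more permissive than that.
check_host_key_perms() {
    local root="$1" bad=0 key mode
    for key in "$root"/etc/ssh/ssh_host_*_key; do
        [ -e "$key" ] || continue
        mode=$(stat -c '%a' "$key")
        if [ "$mode" != "600" ]; then
            echo "host key $key has mode $mode, expected 600"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# The temporary local repo is created with gpgcheck=0; install.sh removes it
# and restores the original .repo files. Make sure neither was left behind.
check_repo_cleanup() {
    local root="$1" bad=0
    if [ -e "$root/etc/yum.repos.d/localrepo.repo" ]; then
        echo "temporary localrepo.repo (gpgcheck=0) is still present"
        bad=$((bad + 1))
    fi
    if [ -d "$root/etc/yum.repos.d/backup" ]; then
        echo "original .repo files were not restored from yum.repos.d/backup"
        bad=$((bad + 1))
    fi
    return "$bad"
}

# ssh-copy-id is copied in by hand (it is not part of the built rpms).
check_ssh_copy_id() {
    if [ -x "$1/usr/bin/ssh-copy-id" ]; then return 0; fi
    echo "/usr/bin/ssh-copy-id is missing or not executable"
    return 1
}

# Report which start-up mechanism is present: the rpm replaces the systemd unit
# with an init script, which systemd then wraps via its sysv generator.
# Prints "systemd-unit", "init-script", "both" or "none".
sshd_start_mechanism() {
    local root="$1" unit=0 init=0
    [ -f "$root/usr/lib/systemd/system/sshd.service" ] && unit=1
    [ -x "$root/etc/init.d/sshd" ] && init=1
    case "$unit$init" in
        10) echo systemd-unit ;; 01) echo init-script ;; 11) echo both ;; *) echo none ;;
    esac
}

# Run everything; returns the total number of failed checks.
verify_upgrade() {
    local root="${1:-/}" failures=0
    check_host_key_perms "$root" || failures=$((failures + $?))
    check_repo_cleanup "$root"   || failures=$((failures + $?))
    check_ssh_copy_id "$root"    || failures=$((failures + $?))
    echo "sshd start-up mechanism: $(sshd_start_mechanism "$root")"
    # Only meaningful on a live host; is-active is the scriptable form of the
    # "Active: active (running)" grep in install.sh.
    if [ "$root" = "/" ] && command -v systemctl >/dev/null 2>&1; then
        systemctl is-active --quiet sshd || { echo "sshd is not running"; failures=$((failures + 1)); }
    fi
    return "$failures"
}
```

On serverB, run `verify_upgrade /` after `bash install.sh`; a non-zero return value lists exactly which part of the upgrade did not land.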
Package the offline installer:
# mkdir /root/opensshUpgrade
# cp install.sh /root/opensshUpgrade
# cp -r localrepo /root/opensshUpgrade
# cp /root/openssh-7.9p1/contrib/ssh-copy-id /root/opensshUpgrade
# tar -zcf opensshUpgrade.tar.gz opensshUpgrade
7. Upgrade OpenSSH offline
Copy the offline upgrade package opensshUpgrade.tar.gz to serverB:
# tar -zxf opensshUpgrade.tar.gz
# cd opensshUpgrade
# bash install.sh | tee install.log
# rpm -qa | grep openssl
# rpm -qa | grep openssh
# systemctl status sshd
Test the login:
[C:\~]$ ssh [email protected]
8. References
Upgrade OpenSSH in CentOS 7
https://blog.forhot2000.cn/linux/2017/09/04/upgrade-openssh-in-centos-7.html
Building and upgrading to OpenSSH 7.9 from source
https://blog.csdn.net/weixin_42123737/article/details/85283972
Upgrading openssh to 7.9p1 on CentOS 6.5
https://blog.csdn.net/qq_25934401/article/details/83419849
An openssh upgrade script (openssh-7.7p1 version)
https://blog.csdn.net/GX_1_11_real/article/details/82152459
Upgrade OpenSSH to 7.7p1 in CentOS 6
https://docs.junyangz.com/upgrade-openssh-to-7.7p1-in-centos-6
Generating repository metadata with createrepo and setting up a local yum source
https://www.jianshu.com/p/5cb5af152e75
How to install dependency packages offline
https://www.jianshu.com/p/6f4f9a80a726