Upgrading OpenSSH to 9.3p1 on Linux (OpenSSL 3.1.0 and OpenSSH both compiled from source). Note: 9.3p1 is no longer current — 9.3p2 already fixed CVE-2023-38408 (ssh-agent PKCS#11 helper) — so prefer the newest release of whichever series you target, and re-run this procedure whenever a new OpenSSH or OpenSSL fix ships, because a source-built tree receives no distro security updates.
Prepare for deployment
- install dependencies
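# Build dependencies (yum). The package globs are quoted so the shell cannot
# expand "pam*"/"zlib*" against files in the current directory before yum
# sees them. zlib-devel and pam-devel are what the OpenSSH build actually
# needs; the globs just pull in everything matching.
yum install -y gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel pam-devel
yum install -y 'pam*' 'zlib*'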
- openssh-9.3p1.tar.gz (download the matching .asc signature as well)
- openssl-3.1.0.tar.gz (download the matching .sha256 / .asc as well) — verify both tarballs before building; a tampered tarball here becomes your root-owned login daemon.
- backup file
# Keep a copy of the sshd PAM stack: the rpm uninstall later removes the
# packaged file and the source-built sshd (built --with-pam) still needs it.
cp -- /etc/pam.d/sshd /etc/pam.d/sshd.bak
Upgrade Openssl
Unzip the installation package
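# Verify the OpenSSL tarball before unpacking it. openssl.org publishes a
# .sha256 file (bare hex digest) and a .asc signature next to each release;
# if you fetched the .sha256, check it here and stop on mismatch.
printf '%s  %s\n' "$(cat openssl-3.1.0.tar.gz.sha256)" openssl-3.1.0.tar.gz | sha256sum -c - || exit 1
tar zxf openssl-3.1.0.tar.gz
cd openssl-3.1.0 || exit 1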
Backup old Openssl
# Set the rpm-owned OpenSSL binary and headers aside (renamed, not deleted)
# so the symlinks created next can take their place. The rpm database still
# lists these paths, so `rpm -V openssl openssl-devel` will flag them as
# changed from now on; the *_old copies are the rollback.
mv -- /usr/bin/openssl /usr/bin/openssl_old
mv -- /usr/include/openssl /usr/include/openssl_old
Compile and install Openssl
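# Configure, build and install OpenSSL into its own prefix so the distro's
# libssl is left alone for everything else on the box. `make test` takes a
# few minutes but catches a broken toolchain before the library goes live.
# Nothing under /usr/local/openssl receives distro security updates: you own
# patching this copy, so rebuild it whenever a 3.1.x fix is published.
./config --prefix=/usr/local/openssl \
  && make -j"$(nproc)" \
  && make test \
  && make install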
Create operating system soft links
# Point the system paths at the freshly built OpenSSL (binary and headers).
for link in bin/openssl include/openssl; do
  ln -s "/usr/local/openssl/$link" "/usr/$link"
done
Set load library
- Note: the library directory name differs between builds — older versions install into `lib`, the new one into `lib64` on 64-bit hosts — so after `make install` check which of /usr/local/openssl/lib or lib64 actually exists and use that path below.
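# Register the new library directory with the dynamic loader. Use a drop-in
# under /etc/ld.so.conf.d (pulled in by the include line in ld.so.conf) and
# write it only once, so re-running these steps does not duplicate the entry.
# OpenSSL 3.x installs into lib64 on 64-bit hosts and lib elsewhere.
# Caveat: directories listed via ld.so.conf are searched BEFORE the trusted
# /lib64 and /usr/lib64. On a distro whose own libssl carries the same
# SONAME (libssl.so.3 on RHEL 9 and derivatives) every system binary will
# silently load this copy instead of the vendor's patched one. If that is
# not what you want, skip this step and link sshd with -Wl,-rpath instead.
libdir=/usr/local/openssl/lib64
[ -d "$libdir" ] || libdir=/usr/local/openssl/lib
grep -qsx "$libdir" /etc/ld.so.conf.d/openssl-local.conf \
  || printf '%s\n' "$libdir" >/etc/ld.so.conf.d/openssl-local.conf
ldconfig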
Check Openssl version
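# Confirm the version AND which binary answers: the symlink should resolve
# into /usr/local/openssl. If readlink still shows the old binary, or the
# version printed is the distro one, the previous steps did not take.
readlink -f "$(command -v openssl)"
openssl version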
Upgrade Openssh
Unzip the openssh installation package
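# OpenSSH releases are signed; verify the detached .asc with the OpenSSH
# release key (imported beforehand) before unpacking. Also prefer a current
# release: 9.3p2 already fixed CVE-2023-38408 in the ssh-agent PKCS#11 helper.
gpg --verify openssh-9.3p1.tar.gz.asc openssh-9.3p1.tar.gz || exit 1
tar zxf openssh-9.3p1.tar.gz
cd openssh-9.3p1/ || exit 1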
Back up the old OpenSSH configuration directory (/etc/ssh — this holds the host keys too)
# Move (not copy) the whole config directory out of the way. This takes the
# host keys with it, so `make install` will mint brand-new ones; copy the
# old keys back afterwards unless you want every client to be greeted with
# a host-key-changed warning.
mv -- /etc/ssh /etc/ssh_old
Compile and install Openssh
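# Privilege separation needs the unprivileged "sshd" account. The rpm
# uninstall normally leaves it behind, but make sure it exists before the
# build (the home directory is irrelevant; make install creates /var/empty).
id sshd >/dev/null 2>&1 || useradd -r -M -d /var/empty -s /sbin/nologin sshd
# Configure flags, and why they differ from the usual copy-paste recipe:
#  - no --without-hardening: that switch disables stack-protector, PIE,
#    RELRO and FORTIFY for a root-owned network daemon. Keep hardening on.
#  - no --with-tcp-wrappers: libwrap support was removed in OpenSSH 6.7;
#    configure just warns about the unknown option. Use firewall rules or
#    Match blocks in sshd_config instead.
#  - --with-zlib with no path: the zlib-devel from yum lives under
#    /usr/lib64, not /usr/local/lib64 (unless you built zlib there).
#  - rpath: bind ssh/sshd to the OpenSSL built above regardless of the
#    global ld.so.conf ordering. Harmless if the real dir turns out to be
#    lib rather than lib64; adjust if ldd shows the wrong libssl.
./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh \
  --with-md5-passwords --with-pam --with-zlib \
  --with-ssl-dir=/usr/local/openssl \
  --with-ldflags="-Wl,-rpath,/usr/local/openssl/lib64" \
  && make -j"$(nproc)" && make install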
backup old files
# Park the rpm-provided daemon, its sysconfig file and its systemd unit so
# nothing from the old install is picked up by accident; the *_old copies
# double as the rollback path.
for f in /usr/sbin/sshd /etc/sysconfig/sshd /usr/lib/systemd/system/sshd.service; do
  mv -- "$f" "${f}_old"
done
Uninstall the distro OpenSSH packages (do this from the console or an out-of-band session: the package's uninstall scriptlet stops sshd, so new logins are refused until the new daemon is running)
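# Remove the distro openssh packages in one rpm call. --nodeps is needed
# because other packages depend on openssh-clients; rpm keeps modified
# config files as *.rpmsave. Warning: the openssh-server %preun scriptlet
# stops sshd, so until the new daemon is started no new login is possible —
# run this from the console or an out-of-band session, not over the very
# ssh session you are about to orphan.
mapfile -t pkgs < <(rpm -qa '*openssh*')
[ "${#pkgs[@]}" -eq 0 ] || rpm -e --nodeps "${pkgs[@]}"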
restore openssh configuration file
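# Put the old configuration back over what `make install` generated.
# The host keys are the part the original recipe forgot: without them sshd
# serves the freshly generated keys and every client gets a "REMOTE HOST
# IDENTIFICATION HAS CHANGED" warning — which trains people to click
# through the one check that defeats a man-in-the-middle. -a keeps the
# 0600 modes on the private keys.
cp -a /etc/ssh_old/sshd_config /etc/ssh/sshd_config
cp -a /etc/ssh_old/ssh_host_*_key /etc/ssh_old/ssh_host_*_key.pub /etc/ssh/
# moduli was renamed by rpm on uninstall and the PAM stack was backed up
# earlier; move both back into place.
mv /etc/ssh/moduli.rpmsave /etc/ssh/moduli
mv /etc/pam.d/sshd.bak /etc/pam.d/sshd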
Replace the new version of openssh related commands
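# Replace the client tools and the daemon with the new build.
cp -arf /usr/local/openssh/bin/* /usr/bin/
cp -arf /usr/local/openssh/sbin/sshd /usr/sbin/sshd
# The restored distro sshd_config usually points "Subsystem sftp" at
# /usr/libexec/openssh/sftp-server, which the rpm uninstall just deleted.
# scp has used SFTP by default since OpenSSH 9.0, so a dangling subsystem
# path is the likely reason "scp to the upgraded server" stops working.
# Provide the new sftp-server at that path (alternatively change the
# Subsystem line to `internal-sftp`). Check with the grep below.
grep -n '^Subsystem' /etc/ssh/sshd_config
install -d /usr/libexec/openssh
cp -a /usr/local/openssh/libexec/sftp-server /usr/libexec/openssh/sftp-server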
copy startup script
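# Install the init script for THIS host's distribution only. The original
# recipe copied the Red Hat files and then unconditionally overwrote the
# init script with the SUSE one, so a RHEL box ended up with the wrong
# /etc/init.d/sshd. (The old comment's "contrib/susu/" was a typo for
# contrib/suse/.) sshd.pam is only kept as a reference copy; the live PAM
# stack is the restored /etc/pam.d/sshd. Assumes /etc/os-release exists
# (it does on CentOS/RHEL 7+, SLES 12+ and Anolis).
. /etc/os-release
case "${ID:-} ${ID_LIKE:-}" in
  *suse*)
    cp -a contrib/suse/rc.sshd /etc/init.d/sshd
    cp -a contrib/suse/sysconfig.ssh /etc/sysconfig/ssh
    ;;
  *)
    cp -a contrib/redhat/sshd.init /etc/init.d/sshd
    cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd.pam
    ;;
esac
chmod +x /etc/init.d/sshd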
Enable sshd at boot, start it, and verify the version — keep your current session open and test a fresh login from a second session before logging out, so you still have a way in if the new daemon refuses connections.
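# Register the SysV script with systemd and start the new daemon. The config
# is parsed first: the restored sshd_config may carry directives 9.3p1 does
# not know, and it is better to find out before the old daemon is gone.
# Do NOT log out of the current session yet — open a second ssh session to
# confirm a fresh login works and that the host key is still the old one.
sshd -t || exit 1
systemctl daemon-reload
chkconfig --add sshd && chkconfig sshd on
systemctl start sshd
systemctl --no-pager status sshd
ssh -V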
Harden the algorithm lists (Ciphers / MACs / KexAlgorithms). Caution: the one-liner originally shown here also enabled SHA-1 key exchange and 1024-bit diffie-hellman-group1-sha1, which weakens the default 9.3 configuration rather than hardening it.
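# Harden the algorithms sshd offers.
# Existing Ciphers/MACs/KexAlgorithms lines are removed and fresh ones
# appended, so the result does not depend on where a "Ciphers and keying"
# comment happens to sit (the original line-number sed produced an empty
# address when that comment was absent, and `sed -ie` left a stray backup
# named sshd_confige). sshd honours the FIRST occurrence of a keyword, so
# the old lines must go — and any Include'd drop-in that sets them will
# still win; check those too.
# The lists keep AEAD/CTR ciphers, SHA-2 (ETM first) MACs and SHA-2/ECDH
# key exchange only: no SHA-1 KEX and no 1024-bit group1, both of which the
# original one-liner re-enabled.
# Arguments: $1 - path to sshd_config (default /etc/ssh/sshd_config)
# Outputs:   writes $1 in place and leaves a copy at $1.bak
# Returns:   0 on success, 1 if the file does not exist
harden_sshd_config() {
  local cfg=${1:-/etc/ssh/sshd_config}
  if [[ ! -f "$cfg" ]]; then
    printf 'harden_sshd_config: %s not found\n' "$cfg" >&2
    return 1
  fi
  cp -p -- "$cfg" "$cfg.bak"
  sed -i -e '/^[[:space:]]*\(Ciphers\|MACs\|KexAlgorithms\)[[:space:]]/d' "$cfg"
  cat >>"$cfg" <<'EOF'

# Hardened algorithm lists (OpenSSH 9.x): no CBC, no SHA-1 KEX, no 1024-bit DH.
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256
EOF
}
harden_sshd_config /etc/ssh/sshd_config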
Validate the configuration; comment out any directive that the new sshd reports as unsupported (a non-zero exit here means sshd will not start).
# Parse the live config with the new daemon. A non-zero exit means some
# option in the restored file is unknown to 9.3p1 and must be commented out.
sshd -t
Pitfalls encountered
- /etc/pam.d/sshd configuration content
#%PAM-1.0
# /etc/pam.d/sshd for the source-built sshd (this looks like the stock
# RHEL/CentOS stack that was backed up earlier). sshd was built --with-pam,
# so this file must exist; the rpm uninstall removes the packaged copy.
auth substack password-auth
auth include postlogin
account required pam_sepermit.so
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
# keep pam_loginuid: it is what lets auditd attribute actions to the ssh user
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session optional pam_motd.so
session include password-auth
session include postlogin
- ssh to other machines fails after the upgrade: the rpm uninstall renamed the client config to /etc/ssh/ssh_config.rpmsave, so put it back
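# The rpm uninstall renamed the client config to ssh_config.rpmsave; put it
# back. The first mv is guarded because /etc/ssh/ssh_config may not exist
# at this point, and an unconditional mv would abort a `set -e` script.
[ -e /etc/ssh/ssh_config ] && mv /etc/ssh/ssh_config /etc/ssh/ssh_config_new
mv /etc/ssh/ssh_config.rpmsave /etc/ssh/ssh_config
# ssh_config is read by the ssh client, not by sshd; the restart is harmless
# (existing sessions survive it) but not required for this change.
systemctl restart sshd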
-
Anolis operating system
- pcre and perl must be installed separately before the build
-
After the upgrade, other servers can no longer scp files to the upgraded server. scp in OpenSSH 9.0 and later uses the SFTP protocol by default, so this most likely means the `Subsystem sftp` path in the restored sshd_config points at the distro's /usr/libexec/openssh/sftp-server, which the rpm uninstall deleted — fix that path (or use `internal-sftp`) and the problem goes away.
- `scp -O` forces the legacy SCP/RCP protocol and works around the symptom, but it is not a fix and should not be left as the standing advice.