Linux update operating system Openssh version 9.3p1 (source code compilation and installation)
Prepare for deployment
- install dependencies
yum install -y gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel pam-develyum install -y pam* zlib*
- openssh-9.3p1.tar.gz
- openssl-3.1.0.tar.gz
- backup file
cp /etc/pam.d/sshd /etc/pam.d/sshd.bak
Upgrade Openssl
Unzip the installation package
tar zxvf openssl-3.1.0.tar.gzcd openssl-3.1.0
Backup old Openssl
mv /usr/bin/openssl /usr/bin/openssl_oldmv /usr/include/openssl /usr/include/openssl_old
Compile and install Openssl
./config --prefix=/usr/local/openssl && make && make install
Create operating system soft links
ln -s /usr/local/openssl/bin/openssl /usr/bin/opensslln -s /usr/local/openssl/include/openssl /usr/include/openssl
Set load library
- Note: The name of the lib library, the old version is 'lib', and the new version is compiled as 'lib64', so check the path lib library name you installed after the compilation is complete
echo "/usr/local/openssl/lib64" >> /etc/ld.so.confldconfig -v
Check Openssl version
openssl version
Upgrade Openssh
Unzip the openssh installation package
tar zxvf openssh-9.3p1.tar.gzcd openssh-9.3p1/
backup old openssl directory
mv /etc/ssh /etc/ssh_old
Compile and install Openssh
./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-tcp-wrappers --with-ssl-dir=/usr/local/openssl --with-zlib=/usr/local/lib64 --without-hardeningmake && make install
backup old files
mv /usr/sbin/sshd /usr/sbin/sshd_oldmv /etc/sysconfig/sshd /etc/sysconfig/sshd_oldmv /usr/lib/systemd/system/sshd.service /usr/lib/systemd/system/sshd.service_old
uninstall openssh
for i in $(rpm -qa |grep openssh);do rpm -e $i --nodeps ;done
restore openssh configuration file
cp -a /etc/ssh_old/sshd_config /etc/ssh/sshd_configmv /etc/ssh/moduli.rpmsave /etc/ssh/modulimv /etc/pam.d/sshd.bak /etc/pam.d/sshd
Replace the new version of openssh related commands
cp -arf /usr/local/openssh/bin/* /usr/bin/cp -arf /usr/local/openssh/sbin/sshd /usr/sbin/sshd
copy startup script
cp -a contrib/redhat/sshd.init /etc/init.d/sshdcp -a contrib/redhat/sshd.pam /etc/pam.d/sshd.pamchmod +x /etc/init.d/sshd
# 此处如果是SUSE操作系统,对应的目录是contrib/susu/
cp -a contrib/suse/rc.sshd /etc/init.d/sshd
cp -a contrib/suse/sysconfig.ssh /etc/sysconfig/ssh
Set boot and verify the version
systemctl daemon-reloadchkconfig --add sshd && chkconfig sshd onsystemctl start sshdssh -V
set security
sed -ie ''$(grep -rn 'Ciphers and keying' /etc/ssh/sshd_config | cut -d ':' -f1)'a Ciphers aes128-ctr,aes192-ctr,aes256-ctr \n\nMACs hmac-sha2-256,hmac-sha2-512,[email protected],[email protected],[email protected],[email protected],[email protected],[email protected] \n\nKexAlgorithms [email protected],diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 \n' /etc/ssh/sshd_config
Check configuration and comment out unsupported parameters
sshd -t
Step on the pit
- /etc/pam.d/sshd configuration content
#%PAM-1.0
auth substack password-auth
auth include postlogin
account required pam_sepermit.so
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session optional pam_motd.so
session include password-auth
session include postlogin
- ssh remote other machine reports an error
mv /etc/ssh/ssh_config /etc/ssh/ssh_config_new
mv /etc/ssh/ssh_config.rpmsave /etc/ssh/ssh_config
systemctl restart sshd
-
Anolis operating system
- Need to install pcre and perl separately
-
After the update is complete, other servers cannot use scp to transfer data to the updated server
- Use scp -O to force the use of the old version of scp