时间戳

首页 > 技术文章 > linx6.7 update openssh to 7.7p1

linx6.7 update openssh to 7.7p1

butterflies 2018-10-10 08:35 原文

升级之前需要注意几点:

1 必须要有自己的镜像,必须自己做好本地yum源(可以连接外网,能够有网络yum源也可以)

2 配置好基本的升级环境。在升级openssh时需要依赖openssl和zlib。一般系统自带的版本都比较低,而要升级到较高版本的openssh,就对依赖软件的版本有要求

一般试用源码编译的方式进行升级。需要编译则必须要有编译环境

3 依次按顺序升级zlib,openssl和openssh

4 在安装zlib之前,需要试用telnet连接到服务器,并且需要验证ftp是否可以正常上传文件(使用的匿名方式)。这两种途径是解决openssh升级失败的唯一方法。

5 待所有软件升级完毕之后,需要在telnet连接的服务端哪里启动sshd服务,注意不要直接试用restart。需要先试用start,然后在次试用restart。否则服务器会断开。

6 环境及依赖版本:openssh-7.7p1.tar.gz    openssl-1.0.2o.tar.gz          zlib-1.2.11.tar.gz 

对应软件下载地址:

zlib下载地址:链接:https://pan.baidu.com/s/1Ez10B_16pOytBZMQ9JueKQ  提取码:yr98

openssl下载地址:链接:https://pan.baidu.com/s/1oJKL77ZB1n6kzQQYMDOsaQ  提取码:9x0a

openssh下载地址:链接:https://pan.baidu.com/s/1Lr4Ww_2NDBLwaQAvSB-7jw  提取码:fpg5

7 下面是不成熟的脚本,没有逻辑判断,假设的是所有的命令执行成功的情况下进行的,如果要试用下面的脚本,需要谨慎试用。

#!/bin/bash
#Describle:update openssh to 7.7p1 on linux6.7
#Tue Oct  9 17:15:19 CST 2018 
#Mail:Michael92@126.com

#Before updating openssh,you need to be ready for some environments.
#In order to avoid downloading too many rpm packages,the best way is downloading the right iso images and make a local yum repository. 
#After that,you can use the yum install some local servers,such as perl,vsftpd,telnet,telnet-server,pam-devel,gcc,gcc-c++.
#Then,you have to update the zlib to 1.2.11 and update openssl to 1.0.2o(This is the lowest version that openssh7.7p1 have dependence)
#The last but not the least,update openssh to 7.7p1 and clean up your environment.

#1 Now,the next is building a local repository
mkdir /iso
#$1 is the directory of your iso images
mount -o loop $1 /iso
cat >>/etc/yum.repos.d/local.repo<<EOF
[localrepo]
name = localrepo
baseurl = file:///iso
enabled = 1
gpgcheck = 0
EOF

yum clean all
yum repolist


# 2 Try to use yum install some basical environment
yum -y install perl vsftpd telnet telnet-server pam-devel gcc gcc-c++
#Check whether install successfully
gcc -v
perl -v



# 3 install telnet and vsftpd. telnet is the last way to link you server and vsftp is the last way to transfer files
echo "anon_upload_enable=YES" >> /etc/vsftpd/vsftpd.conf
echo "anon_other_write_enable=YES" >> /etc/vsftpd/vsftpd.conf
echo "anon_mkdir_write_enable=YES" >> /etc/vsftpd/vsftpd.conf
echo "anonymous_enable=YES" >> /etc/vsftpd/vsftpd.conf
echo "anon_umask=022" >> /etc/vsftpd/vsftpd.conf
echo "no_anon_password=YES" >> /etc/vsftpd/vsftpd.conf
chown ftp /var/ftp -R
/etc/init.d/vsftpd restart
echo "You have 60 seconds to check whether you can use telnet"
for ((i=30;i>0;i--));do
        echo -e "\033[31m$i\033[0m"
        sleep 1
done
# Modify telnet configure file and check it 
sed -i 's/yes/no/g' /etc/xinetd.d/telnet
mv /etc/securetty /etc/securetty.old
chkconfig xinetd on
echo "You have 30 seconds to check whether you can use telnet"
for ((i=30;i>0;i--));do
        echo -e "\033[31m$i\033[0m"
        sleep 1
done



#4 Update zlib to use resource way
tar -zxvf ./zlib-1.2.11.tar.gz || exit 6
cd zlib-1.2.11
./configure --prefix=/usr
make || exit 6
rpm -e --nodeps zlib
make install
echo '/usr/lib' >> /etc/ld.so.conf
ldconfig
cd ..

ZlibDirectory=`find /usr/ -name zlib.pc`
cat $ZlibDirectory


#5 Update openssl
tar -zxvf ./openssl-1.0.2o.tar.gz || exit 7
mv  /usr/lib64/openssl /usr/lib64/openssl.old
mv  /usr/bin/openssl  /usr/bin/openssl.old
mv  /etc/pki/ca-trust/extracted/openssl  /etc/pki/ca-trust/extracted/openssl.old
cp  /usr/lib64/libcrypto.so.10  /usr/lib64/libcrypto.so.10.old
cp  /usr/lib64/libssl.so.10  /usr/lib64/libssl.so.10.old
rpm -qa |grep openssl|xargs -i rpm -e --nodeps {}

cd openssl-1.0.2o
./config --prefix=/usr --openssldir=/etc/ssl --shared zlib   #必须加上--shared,否则编译时会找不到新安装的openssl的库而报错
make
make test       #必须执行这一步结果为pass才能继续,否则即使安装完成,ssh也无法使用
make install
openssl version -a
cd ..
sleep 10
mv  /usr/lib64/libcrypto.so.10.old  /usr/lib64/libcrypto.so.10
mv  /usr/lib64/libssl.so.10.old  /usr/lib64/libssl.so.10


#6 Update openssh
tar -zxvf ./openssh-7.7p1.tar.gz || exit 8
mv /etc/ssh /etc/ssh.old
rpm -qa |grep openssh|xargs -i rpm -e --nodeps {}
install  -v -m700 -d /var/lib/sshd
chown  -v root:sys /var/lib/sshd
groupadd -g 50 sshd
useradd  -c 'sshd PrivSep' -d /var/lib/sshd -g sshd -s /bin/false -u 50 sshd
cd openssh-7.7p1
./configure --prefix=/usr  --sysconfdir=/etc/ssh  --with-pam --with-md5-passwords  --with-zlib --with-openssl-includes=/usr --with-privsep-path=/var/lib/sshd --with-tcp-wrappers
make
make install

install -v -m755    contrib/ssh-copy-id /usr/bin
install -v -m644    contrib/ssh-copy-id.1 /usr/share/man/man1
install -v -m755 -d /usr/share/doc/openssh-7.7p1
install -v -m644    INSTALL LICENCE OVERVIEW README* /usr/share/doc/openssh-7.7p1
ssh -V
for ((i=10;i>0;i--));do
    echo -e "\033[31m$i\033[0m"
    sleep 1
done
echo 'X11Forwarding yes' >> /etc/ssh/sshd_config
echo "PermitRootLogin yes" >> /etc/ssh/sshd_config   #允许root用户通过ssh登录
cp -p contrib/redhat/sshd.init /etc/init.d/sshd
chmod +x /etc/init.d/sshd
chkconfig  --add  sshd
chkconfig  sshd  on


# The last you have to use telnet to link the server and reboot the sshd
/etc/init.d/sshd start
/etc/init.d/sshd restart

 

tar -zxvf ./openssl-1.0.2o.tar.gz

推荐阅读