Last edited by Junyangz AT 2018-06-09 10:08:21
Installation
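# Packages for the upgrade: telnet as the fallback login path while sshd is
# replaced, plus the build dependencies for OpenSSL/OpenSSH.
# yum takes one package per argument -- a comma-joined list is looked up as a
# single (nonexistent) package name -- and the wildcard is quoted so the shell
# does not expand it against files in the current directory.
yum -y install 'telnet-server*' telnet
yum -y install gcc-c++ zlib zlib-devel openssl openssl-devel pam-devel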
Enable telnet service
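# Enable telnet as a fallback login path for the duration of the sshd upgrade.
# The openssh build script ends with a (commented) "mv /etc/securetty.old
# /etc/securetty" that undoes the second step once sshd is confirmed working.

# flip "disable = yes" to "disable = no" in the xinetd telnet stanza
# (scripted replacement for the interactive vi edit)
sed -i 's/^\([[:space:]]*disable[[:space:]]*=[[:space:]]*\)yes/\1no/' /etc/xinetd.d/telnet
# allow root to log in over telnet: moving securetty aside lifts the tty
# restriction it imposes on root logins
mv /etc/securetty /etc/securetty.old
# start the telnet service
service xinetd start
# start telnet at boot too, so the host stays reachable if it reboots
# unexpectedly in the middle of the upgrade
chkconfig xinetd on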
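#!/bin/bash
# Copyright © 2018 Junyangz
#
# Replace the distribution OpenSSL with a source build of openssl-1.0.2o under
# /usr/local/openssl, keeping timestamped copies of the old files so the step
# can be undone by hand.
#
# Expects openssl-1.0.2o.tar.gz in $HOME; must run as root.
# Optional: OPENSSL_SHA256=<published SHA-256 of the tarball> enables an
# integrity check before the tarball is unpacked and built.
set -euo pipefail

cd
#mkdir ssh_upgrade && cd ssh_upgrade
#find / -name openssl
#find / -name "libssl*"
timestamp=$(date +%s)
readonly timestamp
readonly tarball=openssl-1.0.2o.tar.gz
readonly prefix=/usr/local/openssl

[[ -f "$tarball" ]] || { printf 'missing %s in %s\n' "$tarball" "$PWD" >&2; exit 1; }
# Integrity check of the source tarball. The digest is not hard-coded here;
# supply it through OPENSSL_SHA256 (the unverified case only warns so the
# script keeps working as before).
if [[ -n "${OPENSSL_SHA256:-}" ]]; then
  printf '%s  %s\n' "$OPENSSL_SHA256" "$tarball" | sha256sum -c -
else
  printf 'warning: OPENSSL_SHA256 not set, %s not verified\n' "$tarball" >&2
fi

# backup old OpenSSL: copies of the runtime libs, renames of everything else
cp /usr/lib64/libcrypto.so.10 "/usr/lib64/libcrypto.so.10-${timestamp}"
cp /usr/lib64/libssl.so.10 "/usr/lib64/libssl.so.10-${timestamp}"
mv /usr/bin/openssl "/usr/bin/openssl-${timestamp}"
mv /usr/include/openssl "/usr/include/openssl-${timestamp}"
mv /usr/lib64/openssl/engines "/usr/lib64/openssl/engines-${timestamp}"
mv /usr/lib64/openssl "/usr/lib64/openssl-${timestamp}"

# remove old OpenSSL rpm packages (--nodeps: most of the system depends on them).
# Skip the erase when nothing matches; rpm -e with no arguments is an error.
mapfile -t old_pkgs < <(rpm -qa | grep openssl || true)
if (( ${#old_pkgs[@]} > 0 )); then
  rpm -e --nodeps "${old_pkgs[@]}"
fi

# compile and install new OpenSSL; each step must succeed before the next
tar zxvf "$tarball"
cd openssl-1.0.2o
./config --prefix="$prefix" --openssldir=/etc/ssl --shared zlib
make
make test
make install

# -sfn so a re-run does not fail on an already existing link
ln -sfn "$prefix/bin/openssl" /usr/bin/openssl
ln -sfn "$prefix/include/openssl" /usr/include/openssl
# register the new lib dir once; re-runs would otherwise append duplicates
grep -qxF "$prefix/lib" /etc/ld.so.conf || echo "/usr/local/openssl/lib">>/etc/ld.so.conf
ldconfig

# rpm -e deleted the .so.10 libraries; put the saved copies back, presumably so
# binaries still linked against them keep working. Use this run's timestamp
# rather than a glob, so backups left by earlier runs cannot give mv several
# sources for a single file target.
mv "/usr/lib64/libcrypto.so.10-${timestamp}" /usr/lib64/libcrypto.so.10
mv "/usr/lib64/libssl.so.10-${timestamp}" /usr/lib64/libssl.so.10
#ldconfig -v # for check
echo "OpenSSl version upgrades as to lastest:" && openssl version
#openssl version -a
# OpenSSL 1.0.2o 27 Mar 2018
# built on: reproducible build, date unspecified
# platform: linux-x86_64
# options: bn(64,64) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
# compiler: gcc -I. -I.. -I../include -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -Wa,--noexecstack -m64 -DL_ENDIAN -O3 -Wall -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
#OPENSSLDIR: "/usr/local/openssl/ssl"
#echo "New version upgrades as to lastest:" && ssh -V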
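#!/bin/bash
# Build OpenSSH 7.7p1 from source against /usr/local/openssl and replace the
# distribution openssh packages with it. Expects openssh-7.7p1.tar.gz in $HOME;
# must run as root from an existing session. The new daemon is *started*, not
# restarted, so that session survives (see the note at the end).
set -euo pipefail

cd
timestamp=$(date +%s)
readonly timestamp
readonly prefix=/usr/local/openssh

# backup old OpenSSH config directory and init script
cp -R /etc/ssh "/etc/ssh-${timestamp}"
cp /etc/init.d/sshd "/etc/init.d/sshd-${timestamp}"

# list and remove the distribution packages (--nodeps: other packages require
# openssh); skip the erase when nothing matches, rpm -e with no args is an error
mapfile -t old_pkgs < <(rpm -qa | grep openssh || true)
if (( ${#old_pkgs[@]} > 0 )); then
  printf '%s\n' "${old_pkgs[@]}"
  rpm -e --nodeps "${old_pkgs[@]}"
fi

tar zxvf openssh-7.7p1.tar.gz
cd openssh-7.7p1
./configure --prefix="$prefix" --sysconfdir=/etc/ssh \
  --with-ssl-dir=/usr/local/openssl
make
make install
#ln -s /usr/local/openssh/sbin/sshd /usr/sbin/sshd #or modify sshd file.

# copy the sample config files shipped in the source tree over /etc/ssh
cp ssh_config /etc/ssh/
cp sshd_config /etc/ssh/
cp moduli /etc/ssh/

# copy the init script to /etc/init.d
# depending on the install path the sshd path inside it may need changing
cp contrib/redhat/sshd.init /etc/init.d/sshd
chmod +x /etc/init.d/sshd
# vim /etc/init.d/sshd

# enable root login.
#vi /etc/ssh/sshd_config
# Match any existing PermitRootLogin line rather than the literal text
# "#PermitRootLogin yes": the sample file just copied in may carry a different
# commented default, in which case the original pattern silently changed nothing.
sed -i 's/^#\{0,1\}PermitRootLogin .*/PermitRootLogin yes/g' /etc/ssh/sshd_config
grep -q '^PermitRootLogin ' /etc/ssh/sshd_config \
  || echo 'PermitRootLogin yes' >>/etc/ssh/sshd_config

# validate the final config with the sshd just installed -- /usr/sbin/sshd was
# likely removed with the packages above unless the symlink was created -- and
# stop here (set -e) rather than register a service with a broken config
"$prefix/sbin/sshd" -t -f /etc/ssh/sshd_config

# start at boot
chkconfig --add sshd
chkconfig sshd on
chkconfig sshd --list

# start the SSH service.
# Never use restart here: it drops the current connection and the daemon then
# has to be brought back from the console.
service sshd start
#service sshd restart
#mv /etc/securetty.old /etc/securetty ##disable telnet login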
最终批量更新使用RPM包的形式来进行，详情参考下文。
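#!/bin/bash
# Build OpenSSH 7.7p1 RPMs for CentOS 6 from the upstream tarball, with the
# system's PAM file for sshd baked in (the one in contrib/redhat does not work
# properly on CentOS 6.5). Output lands under ~/rpmbuild/RPMS.
set -euo pipefail

yum install -y pam-devel rpm-build rpmdevtools zlib-devel openssl-devel krb5-devel gcc
mkdir -p ~/rpmbuild/SOURCES && cd ~/rpmbuild/SOURCES
wget -c http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.7p1.tar.gz
wget -c http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.7p1.tar.gz.asc

# verify the file: the download is plain HTTP, so the detached signature is the
# only integrity guarantee. The OpenSSH release signing key must already be in
# root's gpg keyring, and the check has to run on the upstream tarball -- the
# repack below changes its contents.
gpg --verify openssh-7.7p1.tar.gz.asc openssh-7.7p1.tar.gz

# update the pam sshd from the one included on the system
# the default provided doesn't work properly on CentOS 6.5
tar zxvf openssh-7.7p1.tar.gz
cp /etc/pam.d/sshd openssh-7.7p1/contrib/redhat/sshd.pam
mv openssh-7.7p1.tar.gz{,.orig}
tar zcpf openssh-7.7p1.tar.gz openssh-7.7p1

cd
# pull only the spec file out of the repacked tarball, into $HOME
tar zxvf ~/rpmbuild/SOURCES/openssh-7.7p1.tar.gz openssh-7.7p1/contrib/redhat/openssh.spec
# edit the specfile
cd openssh-7.7p1/contrib/redhat/
sed -i -e "s/%define no_gnome_askpass 0/%define no_gnome_askpass 1/g" openssh.spec
sed -i -e "s/%define no_x11_askpass 0/%define no_x11_askpass 1/g" openssh.spec
sed -i -e "s/BuildPreReq/BuildRequires/g" openssh.spec
#if encounter build error with the follow line, comment it.
sed -i -e "s/PreReq: initscripts >= 5.00/#PreReq: initscripts >= 5.00/g" openssh.spec
rpmbuild -ba openssh.spec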
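#!/bin/bash
# Copyright © 2018 Junyangz
# For CRS2-CentOS 6.5 with OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
#
# Install the locally built openssh-7.7p1 RPMs, put the system PAM file for
# sshd back afterwards, and restart sshd.
# Optional: RPMS_SHA256=<SHA-256 of openssh-7.7p1-RPMs.tar.gz> verifies the
# bundle (fetched over plain HTTP) before it is unpacked and installed.
set -euo pipefail

readonly bundle=openssh-7.7p1-RPMs.tar.gz
readonly bundle_url="http://10.27.5.118/${bundle}"

cd
# -p plus a separate cd: the original "mkdir openssh && cd openssh" skipped the
# cd when the directory already existed and then ran everything in $HOME
mkdir -p openssh
cd openssh
timestamp=$(date +%s)
readonly timestamp

if [[ ! -f "$bundle" ]]; then
  wget "$bundle_url"
fi
# If the RPMs were not signed after rpmbuild, rpm -U has nothing to verify, so
# the archive digest is the only integrity check available here.
if [[ -n "${RPMS_SHA256:-}" ]]; then
  printf '%s  %s\n' "$RPMS_SHA256" "$bundle" | sha256sum -c -
else
  printf 'warning: RPMS_SHA256 not set, %s not verified\n' "$bundle" >&2
fi
tar zxvf "$bundle"

# keep the current PAM config; the package install presumably replaces it
cp /etc/pam.d/sshd "pam-ssh-conf-${timestamp}"
#rpm -e openssh-askpass-5.3p1-94.el6.x86_64
rpm -U *.rpm
#mv /etc/pam.d/sshd /etc/pamd.d/sshd_bak
# cp -f instead of "yes | cp": no interactive cp -i alias applies inside a script
cp -f "pam-ssh-conf-${timestamp}" /etc/pam.d/sshd
#sed -i 's/#PermitRootLogin yes/PermitRootLogin yes/g' /etc/ssh/sshd_config
/etc/init.d/sshd restart
# ssh -V writes to stderr; the original "$(ssh -V)" would have executed its
# (empty) stdout as a command instead of just printing the version
echo "New version upgrades as to lastest:" && ssh -V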
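#!/bin/bash
# Copyright © 2018 Junyangz
# fix error when openssh-askpass was installed.
#
# Re-run of the RPM upgrade for hosts where the first attempt failed with
# openssh-askpass present: remove it, install the RPMs, restore the PAM file,
# restart sshd. Exits early once /etc/ssh/sshd_config.rpmnew exists.
# HTTPD_LISTEN_IP must name the host serving openssh-7.7p1-RPMs.tar.gz.
set -euo pipefail

readonly bundle=openssh-7.7p1-RPMs.tar.gz

if [[ -f /etc/ssh/sshd_config.rpmnew ]]; then
  echo "New version upgrades as to lastest:" && ssh -V
  exit 0
fi

cd openssh
if [[ ! -f "$bundle" ]]; then
  # The original URL used ${httpd-listen-ip}, which bash reads as "$httpd, or
  # the literal text listen-ip when unset" -- not a placeholder. Require an
  # explicit variable instead.
  wget "http://${HTTPD_LISTEN_IP:?set to the host serving ${bundle}}/${bundle}"
fi

# reuse a PAM backup left by a previous attempt, else take one now. The
# original tested "[ ! -f pam-ssh-conf-* ]", which errors with several matches.
pam_backup=
for candidate in pam-ssh-conf-*; do
  if [[ -f "$candidate" ]]; then
    pam_backup=$candidate
    break
  fi
done
if [[ -z "$pam_backup" ]]; then
  pam_backup=pam-ssh-conf-bak
  cp /etc/pam.d/sshd "$pam_backup"
fi

if [[ ! -f openssh-7.7p1-1.el6.x86_64.rpm ]]; then
  tar zxvf "$bundle"
fi

# remove openssh-askpass only if it is actually installed: rpm -e with an empty
# argument list is itself an error
mapfile -t askpass < <(rpm -qa | grep openssh-askpass || true)
if (( ${#askpass[@]} > 0 )); then
  rpm -e --nodeps "${askpass[@]}"
fi
rpm -U *.rpm
cp -f "$pam_backup" /etc/pam.d/sshd
/etc/init.d/sshd restart
#cd
#rm -rf openssh
# ssh -V writes to stderr; "$(ssh -V)" would execute its empty stdout
echo "New version upgrades as to lastest:" && ssh -V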
Update openssl first for CentOS 6.4 (add openssl-1.0.1e-57.el6.x86_64.rpm and openssl-devel-1.0.1e-57.el6.x86_64.rpm for update)
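#!/bin/bash
# Copyright © 2018 Junyangz
# For CRS1-CentOS 6.4 with OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
#
# Upgrade openssl (RPMs under openssh/openssl/ in the bundle) and then openssh
# from a bundle pushed to /tmp by ansible; restores the system PAM file for
# sshd and cleans up. Exits early once /etc/ssh/sshd_config.rpmnew exists.
set -euo pipefail

readonly staging=/tmp
readonly bundle=openssh-7.7p1-RPMs.tar.gz

# Erase every installed package whose name matches $1, if any (rpm -e with an
# empty argument list is itself an error, so do nothing when nothing matches).
erase_matching() {
  local pattern=$1
  local pkgs
  mapfile -t pkgs < <(rpm -qa | grep -- "$pattern" || true)
  if (( ${#pkgs[@]} > 0 )); then
    rpm -e --nodeps "${pkgs[@]}"
  fi
}

if [[ -f /etc/ssh/sshd_config.rpmnew ]]; then
  echo "New version upgrades as to lastest:" && ssh -V
  exit 0
fi

# NOTE(review): /tmp is shared and world-writable; a root-owned staging
# directory would be the safer place to unpack packages that get installed
# as root.
cd "$staging"
# ansible all -m copy -a "src=/root/openssh-update/openssh-7.7p1-RPMs.tar.gz dest=/tmp/openssh-7.7p1-RPMs.tar.gz force=yes"
[[ -f "$bundle" ]] || exit 1
timestamp=$(date +%s)
readonly timestamp
tar zxvf "$bundle"
# the original did not check this cd; on failure rpm -U *.rpm would have run in /tmp
cd openssh

erase_matching openssl-devel
# update openssl
rpm -U openssl/*.rpm
# backup the sshd PAM config; the package install presumably replaces it
cp /etc/pam.d/sshd "pam-ssh-conf-${timestamp}"
erase_matching openssh-askpass
rpm -U *.rpm
cp -f "pam-ssh-conf-${timestamp}" /etc/pam.d/sshd
/etc/init.d/sshd restart
cd
# :? guards the rm -rf against an empty variable
rm -rf "${staging:?}/openssh" "${staging:?}/${bundle}"
# ssh -V writes to stderr; "$(ssh -V)" would execute its empty stdout
echo "New version upgrades as to lastest:" && ssh -V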
整个升级过程不会中断ssh连接,但这种升级方式会禁止root密码登录,如需开启需修改/etc/ssh/sshd_config文件后重启sshd。
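# Re-enable root login after the RPM upgrade. Match any existing
# PermitRootLogin line (the shipped file may carry a commented default other
# than "yes", which the literal pattern "#PermitRootLogin yes" would miss),
# append one if none exists, and validate before restarting so a bad edit
# cannot leave the host without a working sshd.
sed -i 's/^#\{0,1\}PermitRootLogin .*/PermitRootLogin yes/g' /etc/ssh/sshd_config
grep -q '^PermitRootLogin ' /etc/ssh/sshd_config \
  || echo 'PermitRootLogin yes' >>/etc/ssh/sshd_config
/usr/sbin/sshd -t -f /etc/ssh/sshd_config || exit 1
/etc/init.d/sshd restart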
附PermitRootLogin参数解释:
PermitRootLogin yes #root may log in with any authentication method (apparently just the two: username/password and public key)
PermitRootLogin without-password #root may log in with public-key authentication only (newer OpenSSH documents this value as prohibit-password and keeps without-password as an alias)
PermitRootLogin no #root may not log in by any authentication method
目前已批量更新了虚拟机集群,待测试稳定无问题后再升级物理机集群。 已更新完集群所有机器。