
openssh和openssl升级

用户10638239
修改2024-05-07 15:44:41

一 CentOS7.6

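# Interactive, run-as-root walkthrough: build OpenSSL 1.1.1l from source on
# CentOS 7.6 and repoint the system openssl binary, headers and libraries.
# NOTE(review): 1.1.1l is not the last 1.1.1 release (the later scripts on this
# page use 1.1.1w) and the 1.1.1 series is end-of-life upstream; prefer a
# currently supported release where the platform allows it.

# Build prerequisites for compiling OpenSSL and OpenSSH.
yum install -y gcc gcc-c++ glibc make autoconf pcre-devel \
  pam-devel automake makedepend perl-Test-Simple perl zlib zlib-devel

# List every existing openssl binary/directory before moving anything.
find / -name openssl

# Drop the interactive aliases (mv -i / rm -i) if present; unalias fails
# harmlessly when no alias is defined, so its error output is discarded.
unalias mv 2>/dev/null
unalias rm 2>/dev/null

# Keep the distribution files as *.2023.bak so the change can be rolled back.
mv /usr/bin/openssl                    /usr/bin/openssl.2023.bak
mv /usr/lib64/openssl                  /usr/lib64/openssl.2023.bak
mv /usr/include/openssl                /usr/include/openssl.2023.bak
mv /etc/pki/ca-trust/extracted/openssl /etc/pki/ca-trust/extracted/openssl.2023.bak

# /tmp is world-writable and this path is predictable: make sure the staging
# directory belongs to root and is not readable or writable by other users
# before building as root inside it. Inspect it if it already existed.
mkdir -p /tmp/newOpenssh
chown root:root /tmp/newOpenssh
chmod 700 /tmp/newOpenssh
ls -la /tmp/newOpenssh
cd /tmp/newOpenssh

# Upload the source tarball openssl-1.1.1l.tar.gz into this directory, then
# check it against the SHA-256 published by the OpenSSL project before
# unpacking. The placeholder must be replaced; the check fails until it is.
echo "<EXPECTED_SHA256_OF_TARBALL>  openssl-1.1.1l.tar.gz" | sha256sum -c - \
  && tar -zxvf openssl-1.1.1l.tar.gz
cd openssl-1.1.1l
./config shared -fPIC
make depend
make && make install
echo $?

unalias cp 2>/dev/null
cp -rvf include/openssl /usr/include/
ln -s /usr/local/bin/openssl /usr/bin/openssl
ln -snf /usr/local/lib64/libssl.so.1.1 /usr/lib64/libssl.so
ln -snf /usr/local/lib64/libssl.so.1.1 /usr/lib64/libssl.so.1.1
ln -snf /usr/local/lib64/libcrypto.so.1.1 /usr/lib64/libcrypto.so
ln -snf /usr/local/lib64/libcrypto.so.1.1 /usr/lib64/libcrypto.so.1.1
# Register the library directory only once, so re-running these steps does not
# keep appending the same line to /etc/ld.so.conf.
grep -qxF "/usr/local/lib64" /etc/ld.so.conf || echo "/usr/local/lib64" >> /etc/ld.so.conf
ldconfig
# The original also ran `cp /usr/local/bin/openssl /usr/bin/openssl` here; the
# destination is already a symlink to that same file, so the copy is dropped.
openssl version

# Extra development packages. The original line was missing the space in
# "yum -y" and had several package names fused together; they are separated.
# NOTE(review): openssl-devel from the distribution ships its own headers in
# /usr/include/openssl and may replace the 1.1.1l headers copied above;
# confirm which headers the later OpenSSH build picks up.
yum -y install gcc gcc-c++ autoconf libjpeg libjpeg-devel libpng libpng-devel freetype \
  freetype-devel libxml2 libxml2-devel zlib zlib-devel glibc glibc-devel glib2 glib2-devel \
  bzip2 bzip2-devel ncurses ncurses-devel curl curl-devel e2fsprogs e2fsprogs-devel krb5 \
  krb5-devel libidn libidn-devel openssl openssl-devel openldap openldap-devel nss_ldap \
  openldap-clients openldap-servers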

 
 
 升级openssh
 
 cd /tmp/newOpenssh
 
上传安装包 openssh-9.0p1.tar.gz
 
 #备份openssh:

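# Interactive, run-as-root walkthrough: replace the packaged OpenSSH with a
# source build of openssh-9.0p1 on CentOS 7.6.
# Keep the current SSH session open (and have console access available) until
# a NEW login has been verified at the end; a failed swap otherwise locks you
# out of the host.
# NOTE(review): 9.0p1 predates later OpenSSH security releases; check the
# upstream release notes and build a current portable release where possible.

# Record the current binaries and configuration directory before touching them.
ls -lrt /usr/bin/ssh
ls -lrt /usr/sbin/sshd
ls -lrt /etc/ssh

mv /usr/bin/ssh /usr/bin/ssh.bak.2023
mv /usr/sbin/sshd /usr/sbin/sshd.bak.2023
# Moving /etc/ssh also moves the host keys. `make install` generates new ones,
# so clients will see a changed host key unless the ssh_host_* files from
# /etc/ssh.bak.2023 are copied back (keep private keys at mode 600).
mv /etc/ssh /etc/ssh.bak.2023

cd /tmp/newOpenssh

# Check the uploaded tarball against the SHA-256 from the OpenSSH release
# announcement before unpacking; replace the placeholder first.
echo "<EXPECTED_SHA256_OF_TARBALL>  openssh-9.0p1.tar.gz" | sha256sum -c - \
  && tar -zxvf openssh-9.0p1.tar.gz
cd openssh-9.0p1/

# NOTE(review): --with-ssl-dir points at /usr/local/ssl, while the OpenSSL
# build earlier on this page installs under /usr/local; confirm in config.log
# which headers and libcrypto were actually used.
# NOTE(review): --with-md5-passwords is a legacy option; confirm it is needed.
./configure --prefix=/usr/ --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/ssl --with-zlib --with-md5-passwords --with-pam --with-ssl-engine

make && make install
echo $?
ssh -V

cp -a ./contrib/redhat/sshd.init /etc/init.d/sshd
# sshd looks up the PAM service named "sshd" (/etc/pam.d/sshd); a file called
# sshd.pam is not consulted, so make sure /etc/pam.d/sshd itself exists.
cp -a ./contrib/redhat/sshd.pam /etc/pam.d/sshd.pam
systemctl stop sshd.service
mv /usr/lib/systemd/system/sshd.service /usr/lib/systemd/system/sshd.service.bak
mv /etc/ssh/sshd_config /etc/ssh/sshd_config-2023
cp /etc/ssh.bak.2023/sshd_config /etc/ssh/
systemctl daemon-reload

# Validate the restored configuration with the new binary before starting it;
# options the new version no longer accepts are reported here, not at login.
/usr/sbin/sshd -t && /etc/init.d/sshd start
cp /run/systemd/generator.late/sshd.service /usr/lib/systemd/system/sshd.service
systemctl daemon-reload
systemctl restart sshd
systemctl enable sshd
systemctl status sshd
ssh -V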

二 CentOS7.9


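#!/bin/bash
# Build OpenSSL 1.1.1w from source into /usr/local/openssl on CentOS 7.9 and
# repoint /usr/bin/openssl at the new binary. Must run as root.
# NOTE(review): the 1.1.1 series is end-of-life upstream; prefer a currently
# supported OpenSSL release where the platform allows it.

# SHA-256 of the tarball as published by the OpenSSL project. Pass it in via
# the environment; the placeholder makes the integrity check fail on purpose.
OPENSSL_SHA256="${OPENSSL_SHA256:-<EXPECTED_SHA256_OF_openssl-1.1.1w.tar.gz>}"

# Removes earlier openssl*/openssh* source trees and tarballs under /opt.
rm -rf -- /opt/openss*
cd /opt || exit 1
echo -e  "Install_openssl"
sleep 3

# TLS verification stays enabled (the original passed --no-check-certificate):
# this archive is compiled and installed as root, so an intercepted download
# would mean attacker-controlled crypto code. If verification fails on an old
# CA bundle, update the ca-certificates package instead of disabling the check.
wget https://www.openssl.org/source/openssl-1.1.1w.tar.gz || exit 1
echo "${OPENSSL_SHA256}  openssl-1.1.1w.tar.gz" | sha256sum -c - || exit 1

tar -zxvf openssl-1.1.1w.tar.gz
cd openssl-1.1.1w/ || exit 1

./config --prefix=/usr/local/openssl
./config -t

# Test the build result directly. The original ran `sleep 2` between make and
# `[ $? -eq 0 ]`, so it always tested the exit status of sleep and carried on
# even after a failed build.
if make -j 4 && make install; then
  sleep 2
  ldd /usr/local/openssl/bin/openssl
  # Register the library directory only once across repeated runs.
  grep -qxF "/usr/local/openssl/lib" /etc/ld.so.conf \
    || echo "/usr/local/openssl/lib" >> /etc/ld.so.conf
  ldconfig -v
  mv /usr/bin/openssl /usr/bin/openssl.bak
  ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
  # `ll` is an interactive alias and is not defined inside a script.
  ls -l /usr/bin/openssl
  ldd /usr/local/openssl/bin/openssl
else
  echo -e "flase"
  sleep 2
  # Report the failure to the caller instead of exiting with status 0.
  exit 1
fi

sleep 1
echo -e  "\033[32m当前版本路径:$(command -v openssl)\033[0m"
echo -e  "\033[31m当前版本:$(openssl version)\033[0m"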



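sleep 10

# Build OpenSSH 9.6p1 from source on CentOS 7.9 and swap it in for the packaged
# sshd. Must run as root. Keep an existing SSH session (or console access) open
# until a new login has been verified.
# NOTE(review): 9.6p1 predates later OpenSSH security releases; check the
# upstream release notes and build a current portable release where possible.
echo -e  "Install_openssh"
sleep 5

cd /opt || exit 1

# SHA-256 from the OpenSSH release announcement. Pass it in via the
# environment; the placeholder makes the integrity check fail on purpose.
OPENSSH_SHA256="${OPENSSH_SHA256:-<EXPECTED_SHA256_OF_openssh-9.6p1.tar.gz>}"
wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.6p1.tar.gz || exit 1
echo "${OPENSSH_SHA256}  openssh-9.6p1.tar.gz" | sha256sum -c - || exit 1

tar -zxvf openssh-9.6p1.tar.gz
cd openssh-9.6p1 || exit 1
sleep 3

# --without-hardening was dropped: it turns off the compiler hardening flags
# for a network-facing daemon, and configure already probes which of those
# flags the local toolchain supports.
# NOTE(review): --without-openssl-header-check skips the header/library version
# match test; confirm in config.log that the /usr/local/openssl build was used.
# NOTE(review): nothing on this page installs zlib under /usr/local/zlib;
# presumably configure falls back to the system zlib, so verify.
# NOTE(review): --with-md5-passwords is a legacy option; confirm it is needed.
./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-pam \
  --with-ssl-dir=/usr/local/openssl --with-md5-passwords --mandir=/usr/share/man \
  --with-zlib=/usr/local/zlib --without-openssl-header-check || exit 1

sleep 5

# /etc/ssh is moved aside only after the compile succeeded, and the result of
# make/make install is tested directly. The original tested `$?` after a sleep,
# which is always 0, so a failed build still went on to replace sshd.
# Moving /etc/ssh also moves the host keys; copy the ssh_host_* files back from
# /etc/ssh_bak to keep the host identity that clients already trust.
if make -j 4 && mv /etc/ssh /etc/ssh_bak && make install; then
  sleep 5

  mv /usr/sbin/sshd /usr/sbin/sshd_bak
  mv /etc/sysconfig/sshd /opt
  mv /usr/lib/systemd/system/sshd.service /opt
  \cp -arf /usr/local/openssh/sbin/sshd /usr/sbin/sshd

  sleep 3

  # Remove the packaged openssh RPMs; rpm keeps modified config files as
  # *.rpmsave, and those are moved back into place right below.
  for i in $(rpm -qa | grep openssh); do rpm -e "$i" --nodeps; done

  mv /etc/ssh/sshd_config.rpmsave /etc/ssh/sshd_config
  mv /etc/ssh/ssh_config.rpmsave /etc/ssh/ssh_config
  mv /etc/ssh/moduli.rpmsave /etc/ssh/moduli
  \cp -arf /usr/local/openssh/bin/* /usr/bin/
  \cp -arf /usr/local/openssh/sbin/sshd /usr/sbin/sshd
  \cp /opt/openssh-9.6p1/contrib/redhat/sshd.init /etc/init.d/sshd
  # sshd looks up the PAM service named "sshd" (/etc/pam.d/sshd); a file called
  # sshd.pam is not consulted, so make sure /etc/pam.d/sshd itself exists.
  \cp -a /opt/openssh-9.6p1/contrib/redhat/sshd.pam /etc/pam.d/sshd.pam
  mv /opt/sshd.service /usr/lib/systemd/system/
  # Allows direct root password logins. sshd honours the first occurrence of a
  # keyword, so this appended line only applies when no earlier PermitRootLogin
  # line exists. Prefer key-based root access (prohibit-password) or a sudo
  # account once the upgrade has been verified.
  echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
else
  echo -e "flase"
  # Report the failure to the caller instead of exiting with status 0.
  exit 1
fi

sleep 5
systemctl daemon-reload
# The rpm -e loop above may have removed the base openssh package. (The
# original put this remark in parentheses after the command, which is a bash
# syntax error that stopped the script before sshd was started.)
yum -y install openssh
# Validate the configuration with the new binary before starting the service.
/usr/sbin/sshd -t || { echo "sshd -t rejected /etc/ssh/sshd_config" >&2; exit 1; }
systemctl start sshd
systemctl enable sshd
systemctl status sshd

sleep 2
echo -e "\033[31m当前版本:$(ssh -V 2>&1)\033[0m" 
echo -e  "\033[32m当前版本路径:$(command -v ssh)\033[0m"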

	

openssh编译安装时会检查pam模块,需要有 /etc/pam.d/sshd 文件:没有时按下面的内容添加,已有则无需添加

#%PAM-1.0
auth       substack     password-auth
auth       include      postlogin
account    required     pam_sepermit.so
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
## pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
## pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    optional     pam_motd.so
session    include      password-auth
session    include      postlogin

麒麟系统升级openssh

[root@localhost ~]# cat /etc/os-release 
NAME="Kylin Linux Advanced Server"
VERSION="V10 (Sword)"
ID="kylin"
VERSION_ID="V10"
PRETTY_NAME="Kylin Linux Advanced Server V10 (Sword)"
ANSI_COLOR="0;31"


升级openssh
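#!/bin/bash
# Build OpenSSH 9.6p1 from source on Kylin V10 and swap it in for the packaged
# sshd. Must run as root. Keep an existing SSH session (or console access) open
# until a new login has been verified.
# NOTE(review): 9.6p1 predates later OpenSSH security releases; check the
# upstream release notes and build a current portable release where possible.

# SHA-256 from the OpenSSH release announcement. Pass it in via the
# environment; the placeholder makes the integrity check fail on purpose.
OPENSSH_SHA256="${OPENSSH_SHA256:-<EXPECTED_SHA256_OF_openssh-9.6p1.tar.gz>}"
# Account written to AllowUsers at the end; defaults to the original "lsy".
ALLOW_USER="${ALLOW_USER:-lsy}"

yum install -y openssl-devel

cd /opt || exit 1

wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.6p1.tar.gz || exit 1
echo "${OPENSSH_SHA256}  openssh-9.6p1.tar.gz" | sha256sum -c - || exit 1

tar -zxvf openssh-9.6p1.tar.gz

cd ./openssh-9.6p1
pwd

sleep 3

# Compare the directory we are in now. The original compared a value captured
# before any cd, and wrote the test without spaces around "=", which makes it
# a single non-empty word that is always true.
if [ "$(pwd)" = "/opt/openssh-9.6p1" ]; then
  # --without-hardening was dropped: it turns off the compiler hardening flags
  # for a network-facing daemon, and configure already probes which of those
  # flags the local toolchain supports.
  # NOTE(review): --without-openssl-header-check skips the header/library
  # version match test; this page shows Kylin loading the system 1.1.1f library
  # next to 1.1.1w headers, so check config.log for what was really linked.
  # NOTE(review): unlike the CentOS 7.9 variant there is no --with-pam here,
  # although sshd.pam is copied below; confirm whether PAM support is wanted.
  ./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/openssl --with-md5-passwords --mandir=/usr/share/man \
    --with-zlib=/usr/local/zlib --without-openssl-header-check || exit 1
else
  echo "当前工作目录不是 /opt/openssh-9.6p1"
  exit 1
fi

sleep 10

# /etc/ssh is moved aside only after the compile succeeded, and the result of
# make/make install is tested directly. The original tested `$?` after a sleep,
# which is always 0, so a failed build still went on to replace sshd.
# Moving /etc/ssh also moves the host keys; copy the ssh_host_* files back from
# /etc/ssh_bak to keep the host identity that clients already trust.
if make -j 4 && mv /etc/ssh /etc/ssh_bak && make install; then
  sleep 10

  mv -f /usr/sbin/sshd /usr/sbin/sshd_bak
  mv -f /etc/sysconfig/sshd /opt
  mv -f /usr/lib/systemd/system/sshd.service /opt
  \cp -arf /usr/local/openssh/sbin/sshd /usr/sbin/sshd

  sleep 6

  # Remove the packaged openssh RPMs; rpm keeps modified config files as
  # *.rpmsave, and those are moved back into place right below.
  for i in $(rpm -qa | grep openssh); do rpm -e "$i" --nodeps; done

  mv -f /etc/ssh/sshd_config.rpmsave /etc/ssh/sshd_config
  mv -f /etc/ssh/ssh_config.rpmsave /etc/ssh/ssh_config
  mv -f /etc/ssh/moduli.rpmsave /etc/ssh/moduli
  \cp -arf /usr/local/openssh/bin/* /usr/bin/
  \cp -arf /usr/local/openssh/sbin/sshd /usr/sbin/sshd
  \cp /opt/openssh-9.6p1/contrib/redhat/sshd.init /etc/init.d/sshd
  # sshd looks up the PAM service named "sshd" (/etc/pam.d/sshd); a file called
  # sshd.pam is not consulted.
  \cp -a /opt/openssh-9.6p1/contrib/redhat/sshd.pam /etc/pam.d/sshd.pam
  mv /opt/sshd.service /usr/lib/systemd/system/
else
  echo -e "flase"
  # Report the failure to the caller instead of exiting with status 0.
  exit 1
fi

sleep 5

# Turns an explicit "PermitRootLogin no" into "yes", i.e. allows direct root
# password logins. Prefer key-based root access (prohibit-password) or a sudo
# account once the upgrade has been verified.
sed -ri "/^PermitRootLogin no/c PermitRootLogin yes" /etc/ssh/sshd_config
#        echo "PermitRootLogin no" >> /etc/ssh/sshd_config

# AllowUsers limits SSH logins to the listed accounts only, root included, so
# it overrides the PermitRootLogin change above. Writing a name that does not
# exist on this host would lock everyone out, hence the existence check.
if id "$ALLOW_USER" >/dev/null 2>&1; then
  echo "AllowUsers $ALLOW_USER" >> /etc/ssh/sshd_config
else
  echo "account '$ALLOW_USER' not found; AllowUsers not written" >&2
fi

systemctl daemon-reload

yum -y install openssh

# Validate the configuration with the new binary before starting the service.
/usr/sbin/sshd -t || { echo "sshd -t rejected /etc/ssh/sshd_config" >&2; exit 1; }
systemctl start sshd
systemctl enable sshd
systemctl status sshd && echo -e "\033[33m安装完成\033[0m" 

sleep 2

echo -e "\033[31m当前版本:$(ssh -V 2>&1)\033[0m" 
echo -e  "\033[32m当前版本路径:$(command -v ssh)\033[0m"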

编译命令后报错,报错信息如下:

configure: error: *** working libcrypto not found, check config.log ***
或者
configure: error: *** OpenSSL headers missing - please install first or check config.log ***


报错原因

出现上述两种报错,是因为缺少openssl-devel包或者libcrypto相关库的位置不正确。

解决办法

    第一种解决办法 -- 最推荐的解决办法(最简单有效)
    yum安装openssl-devel包即可:
    yum install -y openssl-devel

新升级openssh,服务启动出现卡顿

麒麟报错信息如下:
Apr 17 09:10:00 localhost systemd[1]: sshd-keygen@sm2.service: Main process exited, code=exited, status=1/FAILURE
Apr 17 09:10:00 localhost systemd[1]: sshd-keygen@sm2.service: Failed with result 'exit-code'.
Apr 17 09:10:00 localhost systemd[1]: Failed to start OpenSSH sm2 Server Key Generation.


CentOS系统报错如下:
failed to start openssh server daemon code=exited, status=0/success


这是systemd配置的问题:自行编译的sshd如果不支持向systemd发送就绪通知,Type=notify 的服务会一直等待,直到启动超时。
将service文件中的Type=notify 改为 Type=forking,或者删除Type参数(ExecStart 带 -D 时sshd不会转入后台,此时删除Type、使用默认的simple类型更匹配),如下:

麒麟系统:
cat /usr/lib/systemd/system/sshd.service
[Unit]
Description=OpenSSH server daemon
Documentation=man:sshd(8) man:sshd_config(5)
After=network.target sshd-keygen.target
Wants=sshd-keygen.target

[Service]
#Type=notify  或更改为 Type=forking
EnvironmentFile=-/etc/crypto-policies/back-ends/opensshserver.config
EnvironmentFile=-/etc/sysconfig/sshd-permitrootlogin
EnvironmentFile=-/etc/sysconfig/sshd
ExecStart=/usr/sbin/sshd -D $OPTIONS $CRYPTO_POLICY $PERMITROOTLOGIN
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartSec=42s

[Install]
WantedBy=multi-user.target

CentOS7系统
cat /usr/lib/systemd/system/sshd.service
[Unit]
Description=OpenSSH server daemon
Documentation=man:sshd(8) man:sshd_config(5)
After=network.target sshd-keygen.service
Wants=sshd-keygen.service

[Service]
EnvironmentFile=/etc/sysconfig/sshd
ExecStart=/usr/local/openssh/sbin/sshd -D
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartSec=42s

[Install]
WantedBy=multi-user.target

麒麟系统升级openssl

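#!/bin/bash
# Build OpenSSL 1.1.1w from source into /usr/local/openssl on Kylin V10 and
# repoint /usr/bin/openssl at the new binary. Must run as root.
# NOTE(review): the 1.1.1 series is end-of-life upstream; prefer a currently
# supported OpenSSL release where the platform allows it.

# SHA-256 of the tarball as published by the OpenSSL project. Pass it in via
# the environment; the placeholder makes the integrity check fail on purpose.
OPENSSL_SHA256="${OPENSSL_SHA256:-<EXPECTED_SHA256_OF_openssl-1.1.1w.tar.gz>}"

# Removes earlier openssl*/openssh* source trees and tarballs under /opt.
rm -rf -- /opt/openss*
cd /opt || exit 1
echo -e  "Install_openssl"
sleep 3

# TLS verification stays enabled (the original passed --no-check-certificate):
# this archive is compiled and installed as root, so an intercepted download
# would mean attacker-controlled crypto code. If verification fails on an old
# CA bundle, update the CA certificates instead of disabling the check.
wget https://www.openssl.org/source/openssl-1.1.1w.tar.gz || exit 1
echo "${OPENSSL_SHA256}  openssl-1.1.1w.tar.gz" | sha256sum -c - || exit 1

tar -zxvf openssl-1.1.1w.tar.gz
cd openssl-1.1.1w/ || exit 1

./config --prefix=/usr/local/openssl
./config -t

# Test the build result directly. The original ran `sleep 2` between make and
# `[ $? -eq 0 ]`, so it always tested the exit status of sleep and carried on
# even after a failed build.
if make -j 4 && make install; then
  sleep 2
  # On Kylin the system already ships libssl.so.1.1/libcrypto.so.1.1 in
  # /usr/lib64, and this page shows the new binary loading that older library.
  # Read the ldd output to see which copy is resolved before relying on it.
  ldd /usr/local/openssl/bin/openssl
  # Register the library directory only once across repeated runs.
  grep -qxF "/usr/local/openssl/lib" /etc/ld.so.conf \
    || echo "/usr/local/openssl/lib" >> /etc/ld.so.conf
  ldconfig -v
  mv /usr/bin/openssl /usr/bin/openssl.bak
  ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
  # `ll` is an interactive alias and is not defined inside a script.
  ls -l /usr/bin/openssl
  ldd /usr/local/openssl/bin/openssl
else
  echo -e "flase"
  sleep 2
  # Report the failure to the caller instead of exiting with status 0.
  exit 1
fi

sleep 1
echo -e  "\033[32m当前版本路径:$(command -v openssl)\033[0m"
echo -e  "\033[31m当前版本:$(openssl version)\033[0m"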

麒麟系统升级openssl升级完之后出现此Library信息

[root@host-192-168-5-38 ~]# openssl version
OpenSSL 1.1.1w  11 Sep 2023 (Library: OpenSSL 1.1.1f  31 Mar 2020)

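解决方法:需重新创建软链接,使其指向新安装的库。注意 /usr/lib64 下的 libssl.so.1.1 和 libcrypto.so.1.1 同时被系统中其他程序使用,替换前先备份(见下文的 .bak),替换后确认 ssh、yum 等命令仍能正常运行。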

1 openssl: error while loading shared libraries: libssl.so.1.1: cannot open shared object file: No such file or directory
ln -s /usr/local/openssl/lib/libssl.so.1.1  /usr/lib64/libssl.so.1.1

2 openssl: error while loading shared libraries: libcrypto.so.1.1: cannot open shared object file: No such file or directory
ln -s /usr/local/openssl/lib/libcrypto.so.1.1  /usr/lib64/libcrypto.so.1.1


之后再次查看:
[root@host-192-168-5-173 openssl-1.1.1w]# openssl version
OpenSSL 1.1.1w  11 Sep 2023


场景:
[root@host-192-168-5-38 ~]# ln -s /usr/local/openssl/lib/libssl.so.1.1 /usr/lib64/libssl.so.1.1
ln: 无法创建符号链接 '/usr/lib64/libssl.so.1.1': 文件已存在
[root@host-192-168-5-38 ~]# ln -s /usr/local/openssl/lib/libcrypto.so.1.1 /usr/lib64/libcrypto.so.1.1
ln: 无法创建符号链接 '/usr/lib64/libcrypto.so.1.1': 文件已存在


[root@host-192-168-5-38 ~]# ll  /usr/local/openssl/lib/libssl.so.1.1  /usr/lib64/libssl.so.1.1
-rwxr-xr-x 1 root root 697416  5月  7 09:01 /usr/local/openssl/lib/libssl.so.1.1
lrwxrwxrwx 1 root root 16  3月  1 10:06 /usr/lib64/libssl.so.1.1 -> libssl.so.1.1.1f
[root@host-192-168-5-38 ~]# mv  /usr/lib64/libssl.so.1.1 /usr/lib64/libssl.so.1.1.bak
[root@host-192-168-5-38 ~]# ln -s /usr/local/openssl/lib/libssl.so.1.1 /usr/lib64/libssl.so.1.1
[root@host-192-168-5-38 ~]# ll /usr/local/openssl/lib/libssl.so.1.1 /usr/lib64/libssl.so.1.1
lrwxrwxrwx 1 root root     36  5月  7 15:36 /usr/lib64/libssl.so.1.1 -> /usr/local/openssl/lib/libssl.so.1.1
-rwxr-xr-x 1 root root 697416  5月  7 09:01 /usr/local/openssl/lib/libssl.so.1.1
[root@host-192-168-5-38 ~]# 
[root@host-192-168-5-38 ~]# ll /usr/local/openssl/lib/libcrypto.so.1.1  /usr/lib64/libcrypto.so.1.1
lrwxrwxrwx 1 root root      19  3月  1 10:06 /usr/lib64/libcrypto.so.1.1 -> libcrypto.so.1.1.1f
-rwxr-xr-x 1 root root 3400232  5月  7 09:01 /usr/local/openssl/lib/libcrypto.so.1.1
[root@host-192-168-5-38 ~]# mv /usr/lib64/libcrypto.so.1.1 /usr/lib64/libcrypto.so.1.1.bak
[root@host-192-168-5-38 ~]# ln -s /usr/local/openssl/lib/libcrypto.so.1.1 /usr/lib64/libcrypto.so.1.1
[root@host-192-168-5-38 ~]#  
[root@host-192-168-5-38 ~]# openssl version
OpenSSL 1.1.1w  11 Sep 2023

原创声明:本文系作者授权腾讯云开发者社区发表,未经许可,不得转载。

如有侵权,请联系 cloudcommunity@tencent.com 删除。
