当前情况

[root@osboxes osboxes]# uname -vor
3.10.0-693.11.1.el7.x86_64 #1 SMP Mon Dec 4 23:52:40 UTC 2017 GNU/Linux
[root@osboxes osboxes]# date
Mon Dec 11 09:15:20 GMT 2017
[root@osboxes osboxes]# openssl version
OpenSSL 1.0.2k-fips  26 Jan 2017
[root@osboxes osboxes]# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
[root@osboxes osboxes]# 

目标

  • 升级openssh到7.6p1
  • 升级openssl到1.0.2n

    过程

    1. 检查依赖关系
[root@osboxes osboxes]# yum deplist openssh 
  dependency: libcrypto.so.10()(64bit)
   provider: openssl-libs.x86_64 1:1.0.2k-8.el7
  dependency: libcrypto.so.10(OPENSSL_1.0.1_EC)(64bit)
   provider: openssl-libs.x86_64 1:1.0.2k-8.el7
  dependency: libcrypto.so.10(OPENSSL_1.0.2)(64bit)
   provider: openssl-libs.x86_64 1:1.0.2k-8.el7
  dependency: libcrypto.so.10(libcrypto.so.10)(64bit)
   provider: openssl-libs.x86_64 1:1.0.2k-8.el7
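  1. 安装openssl(注意:本节只是把新版本装到 /usr/local/ssl,并替换 /usr/bin/openssl 这个命令行程序;系统自带的 openssl-libs 库仍是 1.0.2k,所以本节最后 ssh -V 显示的 OpenSSL 版本没有变化)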
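    # Fetch the OpenSSL 1.0.2n release tarball over HTTPS.
    wget https://www.openssl.org/source/openssl-1.0.2n.tar.gz
    # Integrity check before unpacking: compare the digest printed here with the
    # SHA-256 value published for this release (or verify the detached PGP
    # signature against the OpenSSL release keys). Do not continue on a mismatch.
    sha256sum openssl-1.0.2n.tar.gz
    tar xvf openssl-1.0.2n.tar.gz
    cd openssl-1.0.2n/
    # A private prefix keeps this build separate from the distro's openssl-libs
    # package, which the packaged openssh depends on (see the yum deplist output).
    # -fPIC is handed through to the compiler.
    ./config --prefix=/usr/local/ssl -fPIC
    make
    # Run the bundled self-tests so a broken crypto build is caught before install.
    make test
    make install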
    [root@osboxes ssl]# openssl version
    OpenSSL 1.0.2k-fips  26 Jan 2017
    [root@osboxes bin]# /usr/local/ssl/bin/openssl version
    OpenSSL 1.0.2n  7 Dec 2017
    [root@osboxes ssl]# which openssl
    /usr/bin/openssl
    [root@osboxes bin]# mv /usr/bin/openssl /usr/bin/openssl.1.0.2k-fips
    [root@osboxes bin]# ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
    [root@osboxes bin]# openssl version
    OpenSSL 1.0.2n  7 Dec 2017
    [root@osboxes tmp]# ssh -V
    OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017
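  2. 安装openssh
     注意:rm -rf /etc/ssh/ 会同时删除主机密钥和 sshd_config,执行前请先备份该目录;重新生成主机密钥后,客户端重连时会看到主机密钥变更告警。远程操作时请保留一条不依赖 sshd 的登录途径(例如控制台)。
     源码包来自镜像站,解压前应与 OpenSSH 官方发布的校验值或签名核对;下载后需先解压(tar xvf openssh-7.6p1.tar.gz)再进入目录。
     --without-hardening 会关闭编译期的加固选项,除非不加它就无法编译,否则建议去掉。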
#yum remove openssh-server openssh
#rm -rf /etc/ssh/
[root@osboxes tmp]# wget https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/openssh-7.6p1.tar.gz
[root@osboxes tmp]# cd openssh-7.6p1/
[root@osboxes openssh-7.6p1]#  ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-ssl-dir=/usr/local/ssl --with-md5-passwords --without-hardening
[root@osboxes openssh-7.6p1]# make
[root@osboxes openssh-7.6p1]# make install
[root@osboxes openssh-7.6p1]# ssh -V
OpenSSH_7.6p1, OpenSSL 1.0.2n  7 Dec 2017
#/usr/sbin/sshd   //启动sshd 
#yum install -y openssh-server   //以便将ssh加入service unit。注意:该软件包会把发行版自带的 sshd 安装到 /usr 下的相同路径,可能覆盖刚编译安装的 7.6p1;安装后请确认实际运行的 sshd 版本
  1. 启用了 SELinux 的系统,在重启 sshd 服务之前执行:
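# Build a local policy module from the denials the audit log recorded for sshd.
grep sshd /var/log/audit/audit.log | audit2allow -M mypol
# audit2allow -M also writes the human-readable rules to mypol.te. Read them
# before loading: every logged sshd denial becomes an allow rule, including
# ones that have nothing to do with this upgrade.
cat mypol.te
semodule -i mypol.pp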