Upgrading openssl and openssh

1 Preface

This article describes the steps for upgrading openssl and openssh; the final section also covers the problems encountered during the upgrade and how they were handled (it is recommended to read the final section first).

2 Environment preparation

Operating system: CentOS Linux release 7.2.1511 (Core)
Linux version 3.10.0-327.el7.x86_64 ([email protected]) (gcc version 4.8.3 20140911 (Red Hat 4.8.3-9) (GCC) ) #1 SMP Thu Nov 19 22:10:57 UTC 2015
Latest source packages, looked up on the official sites:
https://www.openssl.org/source/openssl-1.1.1f.tar.gz
https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/openssh-8.2p1.tar.gz

Install the dependency packages
[root@localhost ~]#yum install -y gcc openssl-devel pam-devel rpm-build
Note: the yum repository in my environment is the aliyun mirror directly, with no local mirror configured; all operations were done over an ssh connection from SecureCRT to the virtual machine.

3 Upgrading openssl

3.1 Check the current openssl version

[root@localhost ~]# openssl version -a
OpenSSL 1.0.2k-fips 26 Jan 2017
built on: reproducible build, date unspecified
platform: linux-x86_64
options: bn(64,64) md2(int) rc4(16x,int) des(idx,cisc,16,int) idea(int) blowfish(idx)
compiler: gcc -I. -I… -I…/include -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -m64 -DL_ENDIAN -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector-strong --param=ssp-buffer-size=4 -grecord-gcc-switches -m64 -mtune=generic -Wa,--noexecstack -DPURIFY -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DRC4_ASM -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DAES_ASM -DVPAES_ASM -DBSAES_ASM -DWHIRLPOOL_ASM -DGHASH_ASM -DECP_NISTZ256_ASM
OPENSSLDIR: "/etc/pki/tls"
engines: rdrand dynamic

3.2 Get the source package

[root@localhost ~]# wget https://www.openssl.org/source/openssl-1.1.1f.tar.gz

3.3 Build and install the new openssl

[root@localhost ~]# tar -zxvf openssl-1.1.1f.tar.gz
[root@localhost ~]# cd openssl-1.1.1f/
[root@localhost openssl-1.1.1f]# ./config --prefix=/usr/local/openssl --openssldir=/usr/local/openssl zlib shared
[root@localhost openssl-1.1.1f]# make
[root@localhost openssl-1.1.1f]# make install
#################################################
Configuration after the build
Back up the old openssl binary and headers, then link in the new version
[root@localhost openssl-1.1.1f]# mv /usr/bin/openssl /usr/bin/openssl.OFF
[root@localhost openssl-1.1.1f]# mv /usr/include/openssl /usr/include/openssl.OFF
[root@localhost openssl-1.1.1f]# ln -s /usr/local/openssl/include/openssl /usr/include/openssl
[root@localhost openssl-1.1.1f]# ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
Configure the shared library search path
[root@localhost openssl-1.1.1f]# echo /usr/local/openssl/lib >> /etc/ld.so.conf
[root@localhost openssl-1.1.1f]# ldconfig
#################################################

3.4 Confirm the version

[root@localhost openssl-1.1.1f]# openssl version -a
OpenSSL 1.1.1f 31 Mar 2020
built on: Fri Apr 17 09:35:05 2020 UTC
platform: linux-x86_64
options: bn(64,64) rc4(16x,int) des(int) idea(int) blowfish(ptr)
compiler: gcc -fPIC -pthread -m64 -Wa,--noexecstack -Wall -O3 -DOPENSSL_USE_NODELETE -DL_ENDIAN -DOPENSSL_PIC -DOPENSSL_CPUID_OBJ -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DOPENSSL_BN_ASM_MONT5 -DOPENSSL_BN_ASM_GF2m -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DKECCAK1600_ASM -DRC4_ASM -DMD5_ASM -DAESNI_ASM -DVPAES_ASM -DGHASH_ASM -DECP_NISTZ256_ASM -DX25519_ASM -DPOLY1305_ASM -DZLIB -DNDEBUG
OPENSSLDIR: "/usr/local/openssl"
ENGINESDIR: "/usr/local/openssl/lib/engines-1.1"
Seeding source: os-specific

4 Upgrading openssh

4.1 Check the current version

[root@localhost ~]# ssh -V
OpenSSH_6.6.1p1, OpenSSL 1.0.1e-fips 11 Feb 2013

4.2 Download the source package

[root@localhost ~]# wget https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/openssh-8.2p1.tar.gz

4.3 Upgrade openssh

###################################################
Remove the original openssh
[root@localhost ~]# mv /etc/ssh /etc/ssh.old
[root@localhost ~]# rpm -qa | grep openssh
openssh-clients-6.6.1p1-22.el7.x86_64
openssh-server-6.6.1p1-22.el7.x86_64
openssh-6.6.1p1-22.el7.x86_64
[root@localhost ~]# rpm -qa | grep openssh | xargs -i rpm -e --nodeps {}
warning: file /etc/ssh/ssh_config: remove failed: No such file or directory
warning: file /etc/ssh/sshd_config: remove failed: No such file or directory
warning: file /etc/ssh/moduli: remove failed: No such file or directory
warning: file /etc/ssh: remove failed: No such file or directory
[root@localhost ~]#
[root@localhost ~]# rpm -qa | grep openssh

Extract and install the new openssh package

[root@localhost ~]#tar -zxvf openssh-8.2p1.tar.gz
[root@localhost ~]# cd openssh-8.2p1/
[root@localhost openssh-8.2p1]# ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-zlib --with-ssl-dir=/usr/local/openssl --without-hardening
When configure finishes with the following output, you can proceed to the build step

OpenSSH has been configured with the following options:
	                     User binaries: /usr/bin
	                   System binaries: /usr/sbin
	               Configuration files: /etc/ssh
	                   Askpass program: /usr/libexec/ssh-askpass
	                      Manual pages: /usr/share/man/manX
	                          PID file: /var/run
	  Privilege separation chroot path: /var/empty
	            sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin
	                    Manpage format: doc
	                       PAM support: yes

[root@localhost openssh-8.2p1]# make
[root@localhost openssh-8.2p1]# make install
After the build completes, do the related configuration
[root@localhost openssh-8.2p1]# cp contrib/redhat/sshd.init /etc/init.d/sshd
[root@localhost openssh-8.2p1]# chkconfig --add sshd
[root@localhost openssh-8.2p1]# chkconfig --list | grep sshd

Note: This output shows SysV services only and does not include native
      systemd services. SysV configuration data might be overridden by native
      systemd configuration.

      If you want to list systemd services use 'systemctl list-unit-files'.
      To see services enabled on particular target use
      'systemctl list-dependencies [target]'.

sshd           	0:off	1:off	2:on	3:on	4:on	5:on	6:off

[root@localhost openssh-8.2p1]# echo "PermitRootLogin yes" >> /etc/ssh/sshd_config

[root@localhost openssh-8.2p1]# systemctl enable sshd
sshd.service is not a native service, redirecting to /sbin/chkconfig.
Executing /sbin/chkconfig sshd on
[root@localhost openssh-8.2p1]# systemctl restart sshd
[root@localhost openssh-8.2p1]# systemctl status sshd

● sshd.service - SYSV: OpenSSH server daemon
   Loaded: loaded (/etc/rc.d/init.d/sshd; bad; vendor preset: enabled)
   Active: active (running) since Fri 2020-04-17 15:50:45 CST; 7s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 32951 ExecStart=/etc/rc.d/init.d/sshd start (code=exited, status=0/SUCCESS)
 Main PID: 32964 (sshd)
   CGroup: /system.slice/sshd.service
           └─32964 sshd: /usr/sbin/sshd [listener] 0 of 10-100 startups

Apr 17 15:50:45 localhost.localdomain systemd[1]: Starting SYSV: OpenSSH serv...
Apr 17 15:50:45 localhost.localdomain sshd[32964]: Server listening on 0.0.0....
Apr 17 15:50:45 localhost.localdomain sshd[32964]: Server listening on :: por...
Apr 17 15:50:45 localhost.localdomain sshd[32951]: Starting sshd:[  OK  ]
Apr 17 15:50:45 localhost.localdomain systemd[1]: Started SYSV: OpenSSH serve...
Hint: Some lines were ellipsized, use -l to show in full.

4.4 Confirm the version

Check which ports are listening:
[root@localhost openssh-8.2p1]# netstat -tnl
[root@localhost openssh-8.2p1]# ssh -V
OpenSSH_8.2p1, OpenSSL 1.1.1f 31 Mar 2020
The upgrade is now complete; you can log out of CRT and verify by logging in again.
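As an added check (an example script, not part of the original post) covering the end of the procedure above and problems 1 to 4 in section 5: it parses the output of openssl version, ssh -V, ldd and ldconfig -p, so the consistency checks can be exercised on constructed sample strings or run on the upgraded host. The /usr/local/openssl prefix and the presence of ssh and openssl on PATH are assumptions taken from this post.

```shell
#!/bin/sh
# Post-upgrade consistency checks (added example; not from the original post).
# Assumed layout, as in this post: new OpenSSL under /usr/local/openssl.
# The parsing functions take command output as a string so they can be
# exercised on constructed samples without the real tools.

# Version token ("1.1.1f") from `openssl version` output,
# e.g. "OpenSSL 1.1.1f  31 Mar 2020" or "OpenSSL 1.0.2k-fips 26 Jan 2017".
openssl_ver() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSL \([0-9][0-9a-z.]*\).*/\1/p'
}

# OpenSSL version token from `ssh -V` output,
# e.g. "OpenSSH_8.2p1, OpenSSL 1.1.1f  31 Mar 2020".
ssh_ssl_ver() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_[^,]*, OpenSSL \([0-9][0-9a-z.]*\).*/\1/p'
}

# 0 when ssh was built against the same OpenSSL release the openssl binary
# reports; a mismatch is exactly problem 4 in the post (wrong --with-ssl-dir).
ssl_consistent() {
    a=$(openssl_ver "$1"); b=$(ssh_ssl_ver "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# 0 when `ldd` output ($1) resolves libcrypto.so.1.1 from prefix $2, i.e. the
# /etc/ld.so.conf entry plus ldconfig took effect (problem 2 otherwise).
libcrypto_from_prefix() {
    printf '%s\n' "$1" | grep -q "libcrypto\.so\.1\.1 => $2/lib/libcrypto\.so\.1\.1"
}

# 0 when `ldconfig -p` output ($1) still lists SONAME $2; yum's Python
# _hashlib needs libcrypto.so.10 to stay resolvable (problems 1 and 3).
ldconfig_has() {
    printf '%s\n' "$1" | grep -q "^[[:space:]]*$2 ("
}

# Live run on the upgraded host; skipped where the tools are absent.
if command -v ssh >/dev/null 2>&1 && command -v openssl >/dev/null 2>&1; then
    if ssl_consistent "$(openssl version)" "$(ssh -V 2>&1)"; then
        echo "ok: ssh and openssl agree on the OpenSSL release"
    else
        echo "MISMATCH: rebuild openssh with --with-ssl-dir=/usr/local/openssl" >&2
    fi
    ldconfig_has "$(ldconfig -p 2>/dev/null)" libcrypto.so.10 \
        || echo "WARNING: libcrypto.so.10 not registered; yum may fail to start" >&2
fi
```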

5 Problems encountered

1. When starting the upgrade I originally wanted to remove the existing version; after removing it, installing the openssl dependency packages failed as follows
[root@localhost ~]# yum install -y gcc openssl-devel pam-devel rpm-build
There was a problem importing one of the Python modules
required to run yum. The error leading to this problem was:

libssl.so.10: cannot open shared object file: No such file or directory

Please install a package which provides this module, or
verify that the module is installed correctly.

It's possible that the above module doesn't match the
current version of Python, which is:
2.7.5 (default, Nov 20 2015, 02:00:19)
[GCC 4.8.5 20150623 (Red Hat 4.8.5-4)]

If you cannot solve this problem yourself, please go to
the yum faq at:
http://yum.baseurl.org/wiki/Faq
Cause: removing openssl deleted the libraries libssl.so.10 and libcrypto.so.10 that yum and wget depend on (these two are actually symlinks to the openssl libraries), so running yum or wget gives the error above.
Solution: found via Baidu, https://blog.csdn.net/baidu_33864675/article/details/93332571
I also tried simply putting the old openssl version's libssl.so.1.0.2k and libcrypto.so.1.0.2k into /usr/lib64 and creating the symlinks, which restores things;
Note that the installation method in this document does not remove the old openssl, so this problem will not occur if you follow this document; (from what I read online, because many things depend on the original openssl libraries, removing the openssl that ships with the system is not recommended)
2. Running openssl version to check the openssl version gives the following error
[root@localhost openssl]# openssl version
openssl: error while loading shared libraries: libcrypto.so.1.1: cannot open shared object file: No such file or directory
Cause: the openssl library location is wrong
Solution: create the corresponding symlinks
ln -s /usr/local/openssl/lib/libssl.so.1.1 /usr/lib64/libssl.so.1.1
ln -s /usr/local/openssl/lib/libcrypto.so.1.1 /usr/lib64/libcrypto.so.1.1

3. After installing openssl 1.1.1f, running a yum command gives the following error

[root@localhost openssl-1.1.1f]# yum install openssl-devel
There was a problem importing one of the Python modules
required to run yum. The error leading to this problem was:

   /lib64/libcrypto.so.10: version `libcrypto.so.10' not found (required by /usr/lib64/python2.7/lib-dynload/_hashlib.so)

Please install a package which provides this module, or
verify that the module is installed correctly.

It's possible that the above module doesn't match the
current version of Python, which is:
2.7.5 (default, Nov 20 2015, 02:00:19) 
[GCC 4.8.5 20150623 (Red Hat 4.8.5-4)]

If you cannot solve this problem yourself, please go to 
the yum faq at:
  http://yum.baseurl.org/wiki/Faq

Cause: even after creating a symlink from this version's library to libcrypto.so.10 the problem was not solved; my guess is that the openssl library version the system's yum/wget now depend on is too high.
Solution: copied the lower-version openssl libraries, libssl.so.1.0.2k and libcrypto.so.1.0.2k, into /usr/lib64 and then created the libssl.so.10 and libcrypto.so.10 symlinks; yum and wget then respond normally; it is not yet clear whether this has any effect on the newly upgraded openssl

4. After building and installing ssh, ssh -V shows the latest openssh version but the openssl version shown is still the old one

[root@localhost openssh-8.2p1]# ssh -V
OpenSSH_8.2p1, OpenSSL 1.0.2k-fips  26 Jan 2017

The cause is that when openssh was built, the ssl it pointed at was not the new version; the path of the matching version must be given with --with-ssl-dir (i.e. it has to be the same as the --openssldir path used when building openssl)
5. Building openssh fails with "OpenSSL library not found"
After removing openssl-devel and running yum install openssl-devel again the error did not recur; the exact cause is unknown
6. Building openssh fails with "configure: error: PAM headers not found"
The pam-devel package is missing; install pam-devel
7. After upgrading openssl and openssh and logging out of the CRT remote session, logging in to the virtual machine as root again reports a wrong password even when the password is entered correctly
Fix: the following, found online, is fairly complete

7.1 After the openssh upgrade, the terminal reports on login: WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!
Delete the public key entry for the server's IP from the terminal's ~/.ssh/known_hosts file and try logging in again.
7.2 If after resolving WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED you still cannot log in, set the permissions of all files under /etc/ssh to 600, restart the sshd service, and try logging in from the terminal again.
7.3 If you still cannot log in, consider whether /etc/ssh/sshd_config is misconfigured; commonly changed settings are: PermitRootLogin yes, PubkeyAuthentication yes, PasswordAuthentication yes.
7.4 Most important is to check the status of the sshd service: service sshd status / systemctl status sshd.
7.5 If the sshd service status shows: get shadow information for root, consider whether an SELinux policy is being enforced; change SELINUX=enforcing to SELINUX=disabled in /etc/selinux/config.

Tested personally: the above also deploys fine on CentOS 6 (the difference is that the service is started with service); before installing you can first install the dependency packages with "yum install -y gcc openssl-devel pam-devel rpm-build"
Also, when doing the upgrade over a remote CRT login, be sure to disable SELinux before restarting the sshd service, and configure root login to be allowed (PermitRootLogin yes)
