目前OpenSSH版本已至9.4,其作为操作系统底层管理平台软件,需要保持更新以免遭受安全攻击,编译生成rpm包是生产环境中批量升级的最佳途径。编译软件包时与当前的运行环境有较大关系,请注意本安装包系在CentOS Stream 8原生系统纯净系统下编译完成的。实际本软件包可用于Anolis OS8.*/BClinux8U8等el8运行环境的Linux系统升级openssh。
一、准备编译环境:
1、发布一台虚拟机,最小化安装CentOS Stream 8,查看系统信息如下:
[root@localhost ~]# cat /etc/os-release
NAME="CentOS Stream"
VERSION="8"
ID="centos"
ID_LIKE="rhel fedora"
VERSION_ID="8"
PLATFORM_ID="platform:el8"
PRETTY_NAME="CentOS Stream 8"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:centos:centos:8"
HOME_URL="https://centos.org/"
BUG_REPORT_URL="https://bugzilla.redhat.com/"
REDHAT_SUPPORT_PRODUCT="Red Hat Enterprise Linux 8"
REDHAT_SUPPORT_PRODUCT_VERSION="CentOS Stream"
2、查看系统所带openssl的版本信息:
[root@localhost ~]# ssh -V
OpenSSH_8.0p1, OpenSSL 1.1.1k FIPS 25 Mar 2021
[root@localhost ~]# openssl version
OpenSSL 1.1.1k FIPS 25 Mar 2021
[root@localhost ~]# rpm -qa|grep openssh
openssh-server-8.0p1-12.el8.x86_64
openssh-8.0p1-12.el8.x86_64
openssh-clients-8.0p1-12.el8.x86_64
3、查看并配置系统源(下面改为挂载本机安装 ISO 作为本地源,因此 repo 中写了 gpgcheck=0;这只对本地只读介质可以接受。若改用网络镜像源,必须保留 gpgcheck=1 并导入发行版的 GPG 公钥,否则可能装入未签名或被篡改的软件包):
[root@localhost ~]# cd /etc/yum.repos.d/
[root@localhost yum.repos.d]# ll
总用量 44
-rw-r--r--. 1 root root 713 1月 19 2022 CentOS-Stream-AppStream.repo
-rw-r--r--. 1 root root 698 1月 19 2022 CentOS-Stream-BaseOS.repo
-rw-r--r--. 1 root root 316 1月 19 2022 CentOS-Stream-Debuginfo.repo
-rw-r--r--. 1 root root 698 1月 19 2022 CentOS-Stream-Extras.repo
-rw-r--r--. 1 root root 734 1月 19 2022 CentOS-Stream-HighAvailability.repo
-rw-r--r--. 1 root root 696 1月 19 2022 CentOS-Stream-Media.repo
-rw-r--r--. 1 root root 683 1月 19 2022 CentOS-Stream-NFV.repo
-rw-r--r--. 1 root root 718 1月 19 2022 CentOS-Stream-PowerTools.repo
-rw-r--r--. 1 root root 690 1月 19 2022 CentOS-Stream-RealTime.repo
-rw-r--r--. 1 root root 748 1月 19 2022 CentOS-Stream-ResilientStorage.repo
-rw-r--r--. 1 root root 1771 1月 19 2022 CentOS-Stream-Sources.repo
[root@localhost yum.repos.d]# mkdir old
[root@localhost yum.repos.d]# mv *.repo old
[root@localhost SOURCES]# mount /dev/cdrom /media
mount: /media: WARNING: device write-protected, mounted read-only.
[root@localhost SOURCES]# ll /media
总用量 30
dr-xr-xr-x. 4 root root 2048 2月 15 2022 AppStream
dr-xr-xr-x. 4 root root 2048 2月 15 2022 BaseOS
dr-xr-xr-x. 3 root root 2048 2月 15 2022 EFI
dr-xr-xr-x. 3 root root 2048 2月 15 2022 images
dr-xr-xr-x. 2 root root 2048 2月 15 2022 isolinux
-r--r--r--. 1 root root 18092 9月 14 2021 LICENSE
-r--r--r--. 1 root root 88 2月 15 2022 media.repo
-r--r--r--. 1 root root 883 2月 15 2022 TRANS.TBL
[root@localhost SOURCES]# vi /etc/yum.repos.d/http.repo
[root@localhost SOURCES]# cat /etc/yum.repos.d/http.repo
[os]
name=os
baseurl=file:///media/BaseOS
gpgcheck=0
enabled=1
[app]
name=app
baseurl=file:///media/AppStream
gpgcheck=0
enabled=1
[root@localhost SOURCES]# dnf repolist
仓库 id 仓库名称
app app
os os
4、准备相关目录及工具
[root@localhost ~]# cd ~
[root@localhost ~]# mkdir -p rpmbuild/{SOURCES,SPECS}
[root@localhost ~]# dnf install wget tree -y
os 838 kB/s | 4.6 MB 00:05
app 710 kB/s | 8.4 MB 00:12
上次元数据过期检查:0:00:01 前,执行于 2023年09月11日 星期一 04时02分54秒。
依赖关系解决。
=========================================================================================================================================================
软件包 架构 版本 仓库 大小
=========================================================================================================================================================
安装:
tree x86_64 1.7.0-15.el8 os 59 k
wget x86_64 1.19.5-10.el8 app 734 k
安装依赖关系:
libmetalink x86_64 0.1.3-7.el8 os 32 k
事务概要
=========================================================================================================================================================
安装 3 软件包
总下载:825 k
安装大小:2.9 M
下载软件包:
(1/3): libmetalink-0.1.3-7.el8.x86_64.rpm 116 kB/s | 32 kB 00:00
(2/3): tree-1.7.0-15.el8.x86_64.rpm 192 kB/s | 59 kB 00:00
(3/3): wget-1.19.5-10.el8.x86_64.rpm 532 kB/s | 734 kB 00:01
---------------------------------------------------------------------------------------------------------------------------------------------------------
总计 589 kB/s | 825 kB 00:01
运行事务检查
事务检查成功。
运行事务测试
事务测试成功。
运行事务
准备中 : 1/1
安装 : libmetalink-0.1.3-7.el8.x86_64 1/3
安装 : wget-1.19.5-10.el8.x86_64 2/3
运行脚本: wget-1.19.5-10.el8.x86_64 2/3
安装 : tree-1.7.0-15.el8.x86_64 3/3
运行脚本: tree-1.7.0-15.el8.x86_64 3/3
验证 : libmetalink-0.1.3-7.el8.x86_64 1/3
验证 : tree-1.7.0-15.el8.x86_64 2/3
验证 : wget-1.19.5-10.el8.x86_64 3/3
已安装:
libmetalink-0.1.3-7.el8.x86_64 tree-1.7.0-15.el8.x86_64 wget-1.19.5-10.el8.x86_64
完毕!
5、 准备源文件(注意:下面下载 openssh 源码时加了 --no-check-certificate,这会关闭 TLS 证书校验,生产环境不应这样做;正确做法是去掉该参数,同时下载 openssh-9.4p1.tar.gz.asc,用 OpenSSH 发布密钥执行 gpg --verify 校验通过后再编译——这个包最终会以 root 身份运行在每台主机上。x11-ssh-askpass 在本 spec 中并未启用(no_x11_askpass=1),只是因为 spec 声明了 Source1,rpmbuild 会要求它存在于 SOURCES 目录下)
[root@localhost ~]# cd rpmbuild/SOURCES/
[root@localhost SOURCES]# wget https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.4p1.tar.gz --no-check-certificate
--2023-09-11 04:04:04-- https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.4p1.tar.gz
正在解析主机 ftp.openbsd.org (ftp.openbsd.org)... 199.185.178.81
正在连接 ftp.openbsd.org (ftp.openbsd.org)|199.185.178.81|:443... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:1845094 (1.8M) [text/plain]
正在保存至: “openssh-9.4p1.tar.gz”
openssh-9.4p1.tar.gz 100%[=========================================================================>] 1.76M 138KB/s 用时 16s
2023-09-11 04:04:22 (114 KB/s) - 已保存 “openssh-9.4p1.tar.gz” [1845094/1845094])
[root@localhost SOURCES]# wget https://src.fedoraproject.org/repo/pkgs/openssh/x11-ssh-askpass-1.2.4.1.tar.gz/8f2e41f3f7eaa8543a2440454637f3c3/x11-ssh-askpass-1.2.4.1.tar.gz
--2023-09-11 04:04:24-- https://src.fedoraproject.org/repo/pkgs/openssh/x11-ssh-askpass-1.2.4.1.tar.gz/8f2e41f3f7eaa8543a2440454637f3c3/x11-ssh-askpass-1.2.4.1.tar.gz
正在解析主机 src.fedoraproject.org (src.fedoraproject.org)... 38.145.60.20, 38.145.60.21
正在连接 src.fedoraproject.org (src.fedoraproject.org)|38.145.60.20|:443... 已连接。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:29229 (29K) [application/x-gzip]
正在保存至: “x11-ssh-askpass-1.2.4.1.tar.gz”
x11-ssh-askpass-1.2.4.1.tar.gz 100%[=========================================================================>] 28.54K 115KB/s 用时 0.2s
2023-09-11 04:04:26 (115 KB/s) - 已保存 “x11-ssh-askpass-1.2.4.1.tar.gz” [29229/29229])
[root@localhost SOURCES]# cp /etc/pam.d/sshd sshd.pam.el8
[root@localhost SOURCES]# ll
总用量 11504
-rw-r--r--. 1 root root 1845094 8月 9 23:15 openssh-9.4p1.tar.gz
-rw-r--r--. 1 root root 727 9月 11 04:04 sshd.pam.el8
-rw-r--r--. 1 root root 29229 6月 25 2004 x11-ssh-askpass-1.2.4.1.tar.gz
[root@localhost SOURCES]# cat sshd.pam.el8
#%PAM-1.0
auth substack password-auth
auth include postlogin
account required pam_sepermit.so
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session optional pam_motd.so
session include password-auth
session include postlogin
6、 安装编译工具
[root@localhost SOURCES]# cd ../SPECS
[root@localhost SPECS]# dnf install rpm-build zlib-devel openssl-devel gcc perl-devel pam-devel -y
os 3.8 MB/s | 3.9 kB 00:00
app 49 MB/s | 7.6 MB 00:00
依赖关系解决。
=========================================================================================================================================================
软件包 架构 版本 仓库 大小
=========================================================================================================================================================
安装:
gcc x86_64 8.5.0-10.el8 app 23 M
openssl-devel x86_64 1:1.1.1k-5.el8_5 os 2.3 M
pam-devel x86_64 1.3.1-16.el8 os 210 k
perl-devel x86_64 4:5.26.3-421.el8 app 599 k
rpm-build x86_64 4.14.3-21.el8 app 174 k
zlib-devel x86_64 1.2.11-17.el8 os 58 k
...
已安装:
annobin-10.29-3.el8.x86_64 binutils-2.30-113.el8.x86_64
bzip2-1.0.6-26.el8.x86_64 cpp-8.5.0-10.el8.x86_64
dwz-0.12-10.el8.x86_64 efi-srpm-macros-3-3.el8.noarch
elfutils-0.186-1.el8.x86_64 gc-7.6.4-3.el8.x86_64
gcc-8.5.0-10.el8.x86_64 gdb-headless-8.2-18.el8.x86_64
ghc-srpm-macros-1.4.2-7.el8.noarch glibc-devel-2.28-189.el8.x86_64
glibc-headers-2.28-189.el8.x86_64 go-srpm-macros-2-17.el8.noarch
guile-5:2.0.14-7.el8.x86_64 isl-0.16.1-6.el8.x86_64
kernel-headers-4.18.0-365.el8.x86_64 keyutils-libs-devel-1.5.10-9.el8.x86_64
krb5-devel-1.18.2-14.el8.x86_64 libatomic_ops-7.6.2-3.el8.x86_64
libbabeltrace-1.5.4-3.el8.x86_64 libcom_err-devel-1.45.6-3.el8.x86_64
libipt-1.6.1-8.el8.x86_64 libkadm5-1.18.2-14.el8.x86_64
libmpc-1.1.0-9.1.el8.x86_64 libpkgconf-1.4.2-1.el8.x86_64
libselinux-devel-2.9-5.el8.x86_64 libsepol-devel-2.9-3.el8.x86_64
libverto-devel-0.3.0-5.el8.x86_64 libxcrypt-devel-4.1.1-6.el8.x86_64
ocaml-srpm-macros-5-4.el8.noarch openblas-srpm-macros-2-2.el8.noarch
openssl-devel-1:1.1.1k-5.el8_5.x86_64 pam-devel-1.3.1-16.el8.x86_64
patch-2.7.6-11.el8.x86_64 pcre2-devel-10.32-2.el8.x86_64
pcre2-utf16-10.32-2.el8.x86_64 pcre2-utf32-10.32-2.el8.x86_64
perl-CPAN-Meta-2.150010-396.el8.noarch perl-CPAN-Meta-Requirements-2.140-396.el8.noarch
perl-CPAN-Meta-YAML-0.018-397.el8.noarch perl-Carp-1.42-396.el8.noarch
perl-Data-Dumper-2.167-399.el8.x86_64 perl-Digest-1.17-395.el8.noarch
perl-Digest-MD5-2.55-396.el8.x86_64 perl-Encode-4:2.97-3.el8.x86_64
perl-Encode-Locale-1.05-10.module_el8.3.0+416+dee7bcef.noarch perl-Errno-1.28-421.el8.x86_64
perl-Exporter-5.72-396.el8.noarch perl-ExtUtils-Command-1:7.34-1.el8.noarch
perl-ExtUtils-Install-2.14-4.el8.noarch perl-ExtUtils-MakeMaker-1:7.34-1.el8.noarch
perl-ExtUtils-Manifest-1.70-395.el8.noarch perl-ExtUtils-ParseXS-1:3.35-2.el8.noarch
perl-File-Path-2.15-2.el8.noarch perl-File-Temp-0.230.600-1.el8.noarch
perl-Getopt-Long-1:2.50-4.el8.noarch perl-HTTP-Tiny-0.074-1.el8.noarch
perl-IO-1.38-421.el8.x86_64 perl-IO-Socket-IP-0.39-5.el8.noarch
perl-IO-Socket-SSL-2.066-4.module_el8.4.0+517+be1595ff.noarch perl-JSON-PP-1:2.97.001-3.el8.noarch
perl-MIME-Base64-3.15-396.el8.x86_64 perl-Math-BigInt-1:1.9998.11-7.el8.noarch
perl-Math-Complex-1.59-421.el8.noarch perl-Mozilla-CA-20160104-7.module_el8.3.0+416+dee7bcef.noarch
perl-Net-SSLeay-1.88-1.module_el8.4.0+517+be1595ff.x86_64 perl-PathTools-3.74-1.el8.x86_64
perl-Pod-Escapes-1:1.07-395.el8.noarch perl-Pod-Perldoc-3.28-396.el8.noarch
perl-Pod-Simple-1:3.35-395.el8.noarch perl-Pod-Usage-4:1.69-395.el8.noarch
perl-Scalar-List-Utils-3:1.49-2.el8.x86_64 perl-Socket-4:2.027-3.el8.x86_64
perl-Storable-1:3.11-3.el8.x86_64 perl-Term-ANSIColor-4.06-396.el8.noarch
perl-Term-Cap-1.17-395.el8.noarch perl-Test-Harness-1:3.42-1.el8.noarch
perl-Text-ParseWords-3.30-395.el8.noarch perl-Text-Tabs+Wrap-2013.0523-395.el8.noarch
perl-Time-HiRes-4:1.9758-2.el8.x86_64 perl-Time-Local-1:1.280-1.el8.noarch
perl-URI-1.73-3.el8.noarch perl-Unicode-Normalize-1.25-396.el8.x86_64
perl-constant-1.33-396.el8.noarch perl-devel-4:5.26.3-421.el8.x86_64
perl-interpreter-4:5.26.3-421.el8.x86_64 perl-libnet-3.11-3.el8.noarch
perl-libs-4:5.26.3-421.el8.x86_64 perl-macros-4:5.26.3-421.el8.x86_64
perl-parent-1:0.237-1.el8.noarch perl-podlators-4.11-1.el8.noarch
perl-srpm-macros-1-25.el8.noarch perl-threads-1:2.21-2.el8.x86_64
perl-threads-shared-1.58-2.el8.x86_64 perl-version-6:0.99.24-1.el8.x86_64
pkgconf-1.4.2-1.el8.x86_64 pkgconf-m4-1.4.2-1.el8.noarch
pkgconf-pkg-config-1.4.2-1.el8.x86_64 python-rpm-macros-3-41.el8.noarch
python-srpm-macros-3-41.el8.noarch python3-pyparsing-2.1.10-7.el8.noarch
python3-rpm-macros-3-41.el8.noarch qt5-srpm-macros-5.15.2-1.el8.noarch
redhat-rpm-config-127-1.el8.noarch rpm-build-4.14.3-21.el8.x86_64
rust-srpm-macros-5-2.el8.noarch systemtap-sdt-devel-4.6-4.el8.x86_64
unzip-6.0-46.el8.x86_64 zip-3.0-23.el8.x86_64
zlib-devel-1.2.11-17.el8.x86_64 zstd-1.4.4-1.el8.x86_64
完毕!
7、 生成源spec文件
[root@localhost SPECS]# vi openssh.spec
[root@localhost SPECS]# cat openssh.spec
# Build switches. With the values below neither askpass dialog is built
# (so Source1 is downloaded but never compiled or packaged), libcrypto is
# linked dynamically, smartcard support is off and Kerberos/GSSAPI is on.
# The "--define" hooks further down override them at rpmbuild time.
%global ver 9.4p1
%global rel 1%{?dist}
# OpenSSH privilege separation requires a user & group ID
# NOTE(review): presumably meant to match the sshd account the
# distribution's openssh-server already created on the target; the pre
# scriptlet ignores useradd/groupadd errors, so an existing account with
# different ids is kept as-is. Confirm with "id sshd" on a target host.
%global sshd_uid 74
%global sshd_gid 74
# Version of ssh-askpass
%global aversion 1.2.4.1
# Do we want to disable building of x11-askpass? (1=yes 0=no)
%global no_x11_askpass 1
# Do we want to disable building of gnome-askpass? (1=yes 0=no)
%global no_gnome_askpass 1
# Do we want to link against a static libcrypto? (1=yes 0=no)
%global static_libcrypto 0
# Do we want smartcard support (1=yes 0=no)
%global scard 0
# Use GTK2 instead of GNOME in gnome-ssh-askpass
%global gtk2 1
# Use build6x options for older RHEL builds
# RHEL 7 not yet supported
# On an el8 build host the rhel macro is expected to be 8, so build6x
# resolves to 0 (no sysconfdir override, PAM via glibc-devel/pam).
%if 0%{?rhel} > 6
%global build6x 0
%else
%global build6x 1
%endif
# The fedora macro is undefined on CentOS Stream, so compat_openssl is 0
# and the build links the system openssl-devel (1.1.1k on this host).
%if 0%{?fedora} >= 26
%global compat_openssl 1
%else
%global compat_openssl 0
%endif
# Do we want kerberos5 support (1=yes 0=no)
%global kerberos5 1
# Reserve options to override askpass settings with:
# rpm -ba|--rebuild --define 'skip_xxx 1'
%{?skip_x11_askpass:%global no_x11_askpass 1}
%{?skip_gnome_askpass:%global no_gnome_askpass 1}
# Add option to build without GTK2 for older platforms with only GTK+.
# RedHat <= 7.2 and Red Hat Advanced Server 2.1 are examples.
# rpm -ba|--rebuild --define 'no_gtk2 1'
%{?no_gtk2:%global gtk2 0}
# Is this a build for RHL 6.x or earlier?
%{?build_6x:%global build6x 1}
# If this is RHL 6.x, the default configuration has sysconfdir in /usr/etc.
%if %{build6x}
%global _sysconfdir /etc
%endif
# Options for static OpenSSL link:
# rpm -ba|--rebuild --define "static_openssl 1"
%{?static_openssl:%global static_libcrypto 1}
# Options for Smartcard support: (needs libsectok and openssl-engine)
# rpm -ba|--rebuild --define "smartcard 1"
%{?smartcard:%global scard 1}
# Is this a build for the rescue CD (without PAM)? (1=yes 0=no)
%global rescue 0
%{?build_rescue:%global rescue 1}
# Turn off some stuff for rescue builds
%if %{rescue}
%global kerberos5 0
%endif
# Package identity. Source0 is the upstream portable tarball: verify it
# against the upstream detached signature (the .asc file, signed with the
# OpenSSH release key) before building. A TLS download alone - let alone
# one made with certificate checking disabled - does not authenticate it,
# and whatever is in the tarball ends up as root-run sshd on every host
# this package reaches.
Summary: The OpenSSH implementation of SSH protocol version 2.
Name: openssh
Version: %{ver}
%if %{rescue}
Release: %{rel}rescue
%else
Release: %{rel}
%endif
URL: https://www.openssh.com/portable.html
Source0: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
# Only compiled when no_x11_askpass is 0 (it is 1 above); rpmbuild still
# expects the file to be present in SOURCES.
Source1: http://www.jmknoble.net/software/x11-ssh-askpass/x11-ssh-askpass-%{aversion}.tar.gz
# The el8 /etc/pam.d/sshd copied from the build host; installed verbatim.
Source2: sshd.pam.el8
License: BSD
Group: Applications/Internet
BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot
Obsoletes: ssh
# The server is managed through a SysV init script (chkconfig/service);
# on an el8 target systemd wraps it with its sysv generator, which
# replaces the distribution's native sshd.service.
%if %{build6x}
PreReq: initscripts >= 5.00
%else
Requires: initscripts >= 5.20
%endif
BuildRequires: perl
# NOTE(review): the floor below is loose - this build linked the host's
# OpenSSL 1.1.1k, and recent portable releases require 1.1.1 or later;
# check INSTALL in the tarball and raise the version accordingly.
%if %{compat_openssl}
BuildRequires: compat-openssl10-devel
%else
BuildRequires: openssl-devel >= 1.0.1
#BuildRequires: openssl-devel < 1.1
%endif
BuildRequires: /bin/login
%if ! %{build6x}
BuildRequires: glibc-devel, pam
%else
BuildRequires: /usr/include/security/pam_appl.h
%endif
%if ! %{no_x11_askpass}
BuildRequires: /usr/include/X11/Xlib.h
# Xt development tools
BuildRequires: libXt-devel
# Provides xmkmf
BuildRequires: imake
# Rely on relatively recent gtk
BuildRequires: gtk2-devel
%endif
%if ! %{no_gnome_askpass}
BuildRequires: pkgconfig
%endif
%if %{kerberos5}
BuildRequires: krb5-devel
BuildRequires: krb5-libs
%endif
%package clients
Summary: OpenSSH clients.
Requires: openssh = %{version}-%{release}
Group: Applications/Internet
Obsoletes: ssh-clients
%package server
Summary: The OpenSSH server daemon.
Group: System Environment/Daemons
Obsoletes: ssh-server
Requires: openssh = %{version}-%{release}, chkconfig >= 0.9
# Legacy spelling of the PAM dependency: the packaged stack (Source2)
# actually includes password-auth and postlogin, not system-auth. Both
# exist on the el8 build host shown, so it is satisfied there.
%if ! %{build6x}
Requires: /etc/pam.d/system-auth
%endif
%package askpass
Summary: A passphrase dialog for OpenSSH and X.
Group: Applications/Internet
Requires: openssh = %{version}-%{release}
Obsoletes: ssh-extras
%package askpass-gnome
Summary: A passphrase dialog for OpenSSH, X, and GNOME.
Group: Applications/Internet
Requires: openssh = %{version}-%{release}
Obsoletes: ssh-extras
%description
SSH (Secure SHell) is a program for logging into and executing
commands on a remote machine. SSH is intended to replace rlogin and
rsh, and to provide secure encrypted communications between two
untrusted hosts over an insecure network. X11 connections and
arbitrary TCP/IP ports can also be forwarded over the secure channel.
OpenSSH is OpenBSD's version of the last free version of SSH, bringing
it up to date in terms of security and features, as well as removing
all patented algorithms to separate libraries.
This package includes the core files necessary for both the OpenSSH
client and server. To make this package useful, you should also
install openssh-clients, openssh-server, or both.
%description clients
OpenSSH is a free version of SSH (Secure SHell), a program for logging
into and executing commands on a remote machine. This package includes
the clients necessary to make encrypted connections to SSH servers.
You'll also need to install the openssh package on OpenSSH clients.
%description server
OpenSSH is a free version of SSH (Secure SHell), a program for logging
into and executing commands on a remote machine. This package contains
the secure shell daemon (sshd). The sshd daemon allows SSH clients to
securely connect to your SSH server. You also need to have the openssh
package installed.
%description askpass
OpenSSH is a free version of SSH (Secure SHell), a program for logging
into and executing commands on a remote machine. This package contains
an X11 passphrase dialog for OpenSSH.
%description askpass-gnome
OpenSSH is a free version of SSH (Secure SHell), a program for logging
into and executing commands on a remote machine. This package contains
an X11 passphrase dialog for OpenSSH and the GNOME GUI desktop
environment.
%prep
# Unpack Source0 quietly. With no_x11_askpass left at 1 only the OpenSSH
# tarball is extracted; the "-a 1" branch would additionally unpack the
# askpass tarball inside the source tree.
%if ! %{no_x11_askpass}
%setup -q -a 1
%else
%setup -q
%endif
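%build
%if %{rescue}
CFLAGS="$RPM_OPT_FLAGS -Os"; export CFLAGS
%endif
%if %{kerberos5}
# Prefix handed to --with-kerberos5. The earlier version of this section
# referenced $K5DIR without ever assigning it, so configure received
# "--with-kerberos5=" and only located krb5-config through PATH by
# accident. krb5-devel is a BuildRequires and lives under the system
# prefix, so say so explicitly.
K5DIR=%{_prefix}
%endif
# The configure call is one backslash-continued command with rpm
# conditionals in the middle. It must end on a line that is always
# present and carries no trailing backslash (--disable-strip below):
# when the conditionals drop their lines, a dangling backslash would
# splice the following shell command into the argument list.
# The hardening flags come from the configure macro (redhat-rpm-config).
%configure \
	--sysconfdir=%{_sysconfdir}/ssh \
	--libexecdir=%{_libexecdir}/openssh \
	--datadir=%{_datadir}/openssh \
	--with-default-path=/usr/local/bin:/bin:/usr/bin \
	--with-superuser-path=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin \
	--with-privsep-path=%{_var}/empty/sshd \
	--mandir=%{_mandir} \
	--with-mantype=man \
%if %{scard}
	--with-smartcard \
%endif
%if %{rescue}
	--without-pam \
%else
	--with-pam \
%endif
%if %{kerberos5}
	--with-kerberos5=$K5DIR \
%endif
	--disable-strip
%if %{static_libcrypto}
# Rewrite the generated Makefile to link libcrypto.a instead of -lcrypto.
perl -pi -e "s|-lcrypto|%{_libdir}/libcrypto.a|g" Makefile
%endif
# Parallel build; OpenSSH's Makefile is safe for it.
make %{?_smp_mflags}
%if ! %{no_x11_askpass}
pushd x11-ssh-askpass-%{aversion}
%configure --libexecdir=%{_libexecdir}/openssh
xmkmf -a
make
popd
%endif
# Define a variable to toggle gnome1/gtk2 building. This is necessary
# because RPM doesn't handle nested %if statements.
%if %{gtk2}
gtk2=yes
%else
gtk2=no
%endif
%if ! %{no_gnome_askpass}
pushd contrib
if [ $gtk2 = yes ] ; then
make gnome-ssh-askpass2
mv gnome-ssh-askpass2 gnome-ssh-askpass
else
make gnome-ssh-askpass1
mv gnome-ssh-askpass1 gnome-ssh-askpass
fi
popd
%endif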
%install
# Start from an empty buildroot and pre-create the directories the
# install expects. The empty privilege-separation directory has to be in
# the package; it matches --with-privsep-path from the build section.
rm -rf $RPM_BUILD_ROOT
mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh
mkdir -p -m755 $RPM_BUILD_ROOT%{_libexecdir}/openssh
mkdir -p -m755 $RPM_BUILD_ROOT%{_var}/empty/sshd
make install DESTDIR=$RPM_BUILD_ROOT
# Distribution glue. Note what is NOT installed: a systemd unit. Only the
# SysV script from contrib/redhat is packaged, so on an el8 target
# systemd generates the service from it (see the files section).
install -d $RPM_BUILD_ROOT/etc/pam.d/
install -d $RPM_BUILD_ROOT/etc/rc.d/init.d
install -d $RPM_BUILD_ROOT%{_libexecdir}/openssh
%if %{build6x}
install -m644 contrib/redhat/sshd.pam.old $RPM_BUILD_ROOT/etc/pam.d/sshd
%else
# Source2: the el8 PAM stack copied from the build host.
install -m644 %{SOURCE2} $RPM_BUILD_ROOT/etc/pam.d/sshd
# /usr/bin is hard-coded here; it has to agree with the bindir entry for
# ssh-copy-id in the files section.
install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT/usr/bin/ssh-copy-id
%endif
install -m755 contrib/redhat/sshd.init $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd
%if ! %{no_x11_askpass}
install x11-ssh-askpass-%{aversion}/x11-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/x11-ssh-askpass
ln -s x11-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/ssh-askpass
%endif
%if ! %{no_gnome_askpass}
install contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass
%endif
%if ! %{scard}
rm -f $RPM_BUILD_ROOT/usr/share/openssh/Ssh.bin
%endif
%if ! %{no_gnome_askpass}
install -m 755 -d $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
install -m 755 contrib/redhat/gnome-ssh-askpass.csh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
install -m 755 contrib/redhat/gnome-ssh-askpass.sh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
%endif
# Scrub the buildroot path from any man page that embedded it at build time.
perl -pi -e "s|$RPM_BUILD_ROOT||g" $RPM_BUILD_ROOT%{_mandir}/man*/*
%clean
# Remove the buildroot after packaging. Modern rpmbuild does this itself;
# the explicit step is harmless and kept for older tool chains.
rm -rf $RPM_BUILD_ROOT
%triggerun server -- ssh-server
# Fires while an old "ssh-server" package is being removed by this
# install. $1 != 0 means openssh-server itself stays installed; if sshd
# was running, leave a marker so triggerpostun can restart it. Not
# reachable on an el8 host upgrading from the distribution's
# openssh-server, but harmless.
if [ "$1" != 0 -a -r /var/run/sshd.pid ] ; then
touch /var/run/sshd.restart
fi
%triggerun server -- openssh-server < 2.5.0p1
# Migration from pre-2.5 openssh-server. Dead code on el8: the host shown
# upgrades from 8.0p1, so this never fires. If it did, it would append a
# DSA HostKey line, and OpenSSH 9.x no longer enables ssh-dss host keys
# by default. Candidate for removal.
# Count the number of HostKey and HostDsaKey statements we have.
gawk 'BEGIN {IGNORECASE=1}
/^hostkey/ || /^hostdsakey/ {sawhostkey = sawhostkey + 1}
END {exit sawhostkey}' /etc/ssh/sshd_config
# And if we only found one, we know the client was relying on the old default
# behavior, which loaded the SSH2 DSA host key when HostDsaKey wasn't
# specified. Now that HostKey is used for both SSH1 and SSH2 keys, specifying
# one nullifies the default, which would have loaded both.
# (gawk's exit status carries the count and is read back through $?.)
if [ $? -eq 1 ] ; then
echo HostKey /etc/ssh/ssh_host_rsa_key >> /etc/ssh/sshd_config
echo HostKey /etc/ssh/ssh_host_dsa_key >> /etc/ssh/sshd_config
fi
%triggerpostun server -- ssh-server
# Counterpart of the first trigger: re-register the service and restart
# sshd if the marker says it was running before the old package went.
if [ "$1" != 0 ] ; then
/sbin/chkconfig --add sshd
if test -f /var/run/sshd.restart ; then
rm -f /var/run/sshd.restart
/sbin/service sshd start > /dev/null 2>&1 || :
fi
fi
%pre server
# Create the privilege-separation account before files are laid down.
# Errors are deliberately ignored (|| :): on a host that already has an
# sshd user/group - e.g. one created by the distribution's openssh-server
# - the existing ids are kept, whatever they are. -r: system account,
# -M: no home directory created; the home path is the privsep directory
# from --with-privsep-path, and the shell is a non-login shell.
%{_sbindir}/groupadd -r -g %{sshd_gid} sshd 2>/dev/null || :
%{_sbindir}/useradd -d /var/empty/sshd -s /bin/false -u %{sshd_uid} \
-g sshd -M -r sshd 2>/dev/null || :
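%post server
/sbin/chkconfig --add sshd
# Runs as root on every install and upgrade of openssh-server.
# sshd_config is packaged config(noreplace): an administrator-modified
# file survives the upgrade (the packaged default is written next to it
# as sshd_config.rpmnew), while an unmodified one is replaced by the
# upstream default. So this scriptlet sees either a site-managed file,
# which it must not rewrite, or the upstream default, which only needs
# PAM switched on: sshd is built --with-pam and the packaged
# /etc/pam.d/sshd is the el8 stack (password-auth, pam_sepermit,
# pam_loginuid, pam_selinux ...), none of which sshd consults while
# UsePAM is off.
#
# Security note: the previous version of this scriptlet also rewrote the
# upstream default "#PermitRootLogin prohibit-password" to
# "PermitRootLogin yes" (root password login over SSH) and appended a
# fixed KexAlgorithms line containing diffie-hellman-group14-sha1 on every
# run (duplicating it on each upgrade). Both weaken the server below the
# defaults this upgrade is meant to deliver and are site policy, not
# packaging. If a legacy client really needs SHA-1 key exchange, the
# administrator can add "KexAlgorithms +diffie-hellman-group14-sha1" to
# sshd_config, which keeps the stronger defaults instead of replacing
# the whole list.
#
# Operational note: on an unmodified el8 host the upgrade swaps the
# distribution sshd_config (which commonly sets PermitRootLogin yes) for
# the upstream default (prohibit-password). Hosts that rely on root
# password login must get an explicit PermitRootLogin setting through
# configuration management before the rollout; keep an existing session
# open while upgrading.
if grep -q '^#UsePAM no' /etc/ssh/sshd_config 2>/dev/null; then
    sed -i -e 's/^#UsePAM no/UsePAM yes/' /etc/ssh/sshd_config
fi
# Private host keys must not be group/world readable. The glob matches
# ssh_host_*_key only, never the *.pub files. On a first install the keys
# do not exist yet (the init script generates them on first start), so a
# missing file is not an error, and the scriptlet always exits 0 so rpm
# does not report a scriptlet failure.
for key in /etc/ssh/ssh_*_key; do
    [ -f "$key" ] && chmod 600 "$key"
done
exit 0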
%postun server
# Runs after the old package is removed, on upgrade ($1=1) as well as on
# erase ($1=0). condrestart by convention only restarts a daemon that is
# running, so on erase (where preun already stopped it) this is a no-op;
# on upgrade it brings up the new sshd.
/sbin/service sshd condrestart > /dev/null 2>&1 || :
%preun server
# $1 is the number of instances left after the transaction: 0 means the
# package is being erased rather than upgraded. Only then stop the daemon
# and deregister the init script.
if [ "$1" = 0 ]
then
/sbin/service sshd stop > /dev/null 2>&1 || :
/sbin/chkconfig --del sshd
fi
%files
%defattr(-,root,root)
%doc CREDITS ChangeLog INSTALL LICENCE OVERVIEW README* PROTOCOL* TODO
%attr(0755,root,root) %{_bindir}/scp
%attr(0644,root,root) %{_mandir}/man1/scp.1*
# The ssh config directory is claimed by this package and by the server
# subpackage; rpm allows shared directory ownership.
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
%if ! %{rescue}
%attr(0755,root,root) %{_bindir}/ssh-keygen
%attr(0755,root,root) %{_bindir}/ssh-copy-id
%attr(0644,root,root) %{_mandir}/man1/ssh-keygen.1*
%attr(0755,root,root) %dir %{_libexecdir}/openssh
# ssh-keysign is installed setuid root (4711), presumably so it can read
# the private host keys when signing host-based authentication requests
# (see ssh-keysign(8)). It is a setuid-root binary on every target host;
# where host-based authentication is not used, consider dropping the bit
# (it stays inert unless EnableSSHKeysign is turned on in ssh_config).
%attr(4711,root,root) %{_libexecdir}/openssh/ssh-keysign
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-pkcs11-helper
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-sk-helper
%attr(0644,root,root) %{_mandir}/man8/ssh-keysign.8*
%attr(0644,root,root) %{_mandir}/man8/ssh-pkcs11-helper.8*
%attr(0644,root,root) %{_mandir}/man8/ssh-sk-helper.8*
%endif
%if %{scard}
%attr(0755,root,root) %dir %{_datadir}/openssh
%attr(0644,root,root) %{_datadir}/openssh/Ssh.bin
%endif
%files clients
%defattr(-,root,root)
%attr(0755,root,root) %{_bindir}/ssh
%attr(0644,root,root) %{_mandir}/man1/ssh.1*
%attr(0644,root,root) %{_mandir}/man5/ssh_config.5*
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
%if ! %{rescue}
# NOTE(review): ssh-agent is installed setgid "nobody" (2755). This looks
# inherited from older spec files rather than required by 9.4; compare
# with the mode the distribution package uses (ls -l /usr/bin/ssh-agent
# on a host that has not been upgraded) and drop the setgid bit unless it
# is known to be needed.
%attr(2755,root,nobody) %{_bindir}/ssh-agent
%attr(0755,root,root) %{_bindir}/ssh-add
%attr(0755,root,root) %{_bindir}/ssh-keyscan
%attr(0755,root,root) %{_bindir}/sftp
%attr(0644,root,root) %{_mandir}/man1/ssh-agent.1*
%attr(0644,root,root) %{_mandir}/man1/ssh-add.1*
%attr(0644,root,root) %{_mandir}/man1/ssh-keyscan.1*
%attr(0644,root,root) %{_mandir}/man1/sftp.1*
%endif
%if ! %{rescue}
%files server
%defattr(-,root,root)
# Empty, root-owned, 0111 directory used by privilege separation; matches
# --with-privsep-path in the build section.
%dir %attr(0111,root,root) %{_var}/empty/sshd
%attr(0755,root,root) %{_sbindir}/sshd
%attr(0755,root,root) %{_libexecdir}/openssh/sftp-server
%attr(0644,root,root) %{_mandir}/man8/sshd.8*
%attr(0644,root,root) %{_mandir}/man5/moduli.5*
%attr(0644,root,root) %{_mandir}/man5/sshd_config.5*
%attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
# config(noreplace): an administrator-modified sshd_config survives the
# upgrade and the packaged upstream default lands as sshd_config.rpmnew;
# an unmodified distribution file is replaced by the upstream default.
# The post scriptlet additionally edits this file in place, so the
# effective configuration after an upgrade needs reviewing.
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
# Source2: the el8 PAM stack (password-auth, pam_sepermit, pam_loginuid,
# pam_selinux ...) copied from the build host.
%attr(0600,root,root) %config(noreplace) /etc/pam.d/sshd
# SysV init script from contrib/redhat. No systemd unit is packaged; on
# el8 systemd generates sshd.service from this script (systemctl status
# shows "SYSV: OpenSSH server daemon" and "generated"), so anything the
# distribution's native unit may have provided - sandboxing directives,
# drop-ins, socket activation, sysconfig integration - no longer applies
# after the upgrade. Confirm with "systemctl cat sshd" on a test host.
%attr(0755,root,root) %config /etc/rc.d/init.d/sshd
%endif
%if ! %{no_x11_askpass}
%files askpass
%defattr(-,root,root)
%doc x11-ssh-askpass-%{aversion}/README
%doc x11-ssh-askpass-%{aversion}/ChangeLog
%doc x11-ssh-askpass-%{aversion}/SshAskpass*.ad
%{_libexecdir}/openssh/ssh-askpass
%attr(0755,root,root) %{_libexecdir}/openssh/x11-ssh-askpass
%endif
%if ! %{no_gnome_askpass}
%files askpass-gnome
%defattr(-,root,root)
%attr(0755,root,root) %config %{_sysconfdir}/profile.d/gnome-ssh-askpass.*
%attr(0755,root,root) %{_libexecdir}/openssh/gnome-ssh-askpass
%endif
[root@localhost SPECS]# tree ..
..
├── SOURCES
│ ├── openssh-9.4p1.tar.gz
│ ├── sshd.pam.el8
│ └── x11-ssh-askpass-1.2.4.1.tar.gz
└── SPECS
└── openssh.spec
2 directories, 4 files
二、编译
1、编译
[root@localhost SPECS]# rpmbuild -bb openssh.spec
警告:展开行 113 注释中的宏:%{compat_openssl}
错误:构建依赖失败:
perl 被 openssh-9.4p1-.el8.x86_64 需要
[root@localhost SPECS]# dnf install perl
上次元数据过期检查:0:04:29 前,执行于 2023年09月11日 星期一 04时17分36秒。
依赖关系解决。
=========================================================================================================================================================
软件包 架构 版本 仓库 大小
=========================================================================================================================================================
安装:
perl x86_64 4:5.26.3-421.el8 app 73 k
安装依赖关系:
make x86_64 1:4.2.1-
...
已安装:
make-1:4.2.1-11.el8.x86_64 perl-4:5.26.3-421.el8.x86_64
perl-Algorithm-Diff-1.1903-9.el8.noarch perl-Archive-Tar-2.30-1.el8.noarch
perl-Archive-Zip-1.60-3.el8.noarch perl-Attribute-Handlers-0.99-421.el8.noarch
perl-B-Debug-1.26-2.el8.noarch perl-CPAN-2.18-397.el8.noarch
perl-Compress-Bzip2-2.26-6.el8.x86_64 perl-Compress-Raw-Bzip2-2.081-1.el8.x86_64
perl-Compress-Raw-Zlib-2.081-1.el8.x86_64 perl-Config-Perl-V-0.30-1.el8.noarch
perl-DB_File-1.842-1.el8.x86_64 perl-Data-OptList-0.110-6.el8.noarch
perl-Data-Section-0.200007-3.el8.noarch perl-Devel-PPPort-3.36-5.el8.x86_64
perl-Devel-Peek-1.26-421.el8.x86_64 perl-Devel-SelfStubber-1.06-421.el8.noarch
perl-Devel-Size-0.81-2.el8.x86_64 perl-Digest-SHA-1:6.02-1.el8.x86_64
perl-Encode-devel-4:2.97-3.el8.x86_64 perl-Env-1.04-395.el8.noarch
perl-ExtUtils-CBuilder-1:0.280230-2.el8.noarch perl-ExtUtils-Embed-1.34-421.el8.noarch
perl-ExtUtils-MM-Utils-1:7.34-1.el8.noarch perl-ExtUtils-Miniperl-1.06-421.el8.noarch
perl-File-Fetch-0.56-2.el8.noarch perl-File-HomeDir-1.002-4.el8.noarch
perl-File-Which-1.22-2.el8.noarch perl-Filter-2:1.58-2.el8.x86_64
perl-Filter-Simple-0.94-2.el8.noarch perl-IO-Compress-2.081-1.el8.noarch
perl-IO-Zlib-1:1.10-421.el8.noarch perl-IPC-Cmd-2:1.02-1.el8.noarch
perl-IPC-SysV-2.07-397.el8.x86_64 perl-IPC-System-Simple-1.25-17.el8.noarch
perl-Locale-Codes-3.57-1.el8.noarch perl-Locale-Maketext-1.28-396.el8.noarch
perl-Locale-Maketext-Simple-1:0.21-421.el8.noarch perl-MRO-Compat-0.13-4.el8.noarch
perl-Math-BigInt-FastCalc-0.500.600-6.el8.x86_64 perl-Math-BigRat-0.2614-1.el8.noarch
perl-Memoize-1.03-421.el8.noarch perl-Module-Build-2:0.42.24-5.el8.noarch
perl-Module-CoreList-1:5.20181130-1.el8.noarch perl-Module-CoreList-tools-1:5.20181130-1.el8.noarch
perl-Module-Load-1:0.32-395.el8.noarch perl-Module-Load-Conditional-0.68-395.el8.noarch
perl-Module-Loaded-1:0.08-421.el8.noarch perl-Module-Metadata-1.000033-395.el8.noarch
perl-Net-Ping-2.55-421.el8.noarch perl-Package-Generator-1.106-11.el8.noarch
perl-Params-Check-1:0.38-395.el8.noarch perl-Params-Util-1.07-22.el8.x86_64
perl-Perl-OSType-1.010-396.el8.noarch perl-PerlIO-via-QuotedPrint-0.08-395.el8.noarch
perl-Pod-Checker-4:1.73-395.el8.noarch perl-Pod-Html-1.22.02-421.el8.noarch
perl-Pod-Parser-1.63-396.el8.noarch perl-SelfLoader-1.23-421.el8.noarch
perl-Software-License-0.103013-2.el8.noarch perl-Sub-Exporter-0.987-15.el8.noarch
perl-Sub-Install-0.928-14.el8.noarch perl-Sys-Syslog-0.35-397.el8.x86_64
perl-TermReadKey-2.37-7.el8.x86_64 perl-Test-1.30-421.el8.noarch
perl-Test-Simple-1:1.302135-1.el8.noarch perl-Text-Balanced-2.03-395.el8.noarch
perl-Text-Diff-1.45-2.el8.noarch perl-Text-Glob-0.11-4.el8.noarch
perl-Text-Template-1.51-1.el8.noarch perl-Thread-Queue-3.13-1.el8.noarch
perl-Time-Piece-1.31-421.el8.x86_64 perl-Unicode-Collate-1.25-2.el8.x86_64
perl-autodie-2.29-396.el8.noarch perl-bignum-0.49-2.el8.noarch
perl-encoding-4:2.22-3.el8.x86_64 perl-experimental-0.019-2.el8.noarch
perl-inc-latest-2:0.500-9.el8.noarch perl-libnetcfg-4:5.26.3-421.el8.noarch
perl-local-lib-2.000024-2.el8.noarch perl-open-1.11-421.el8.noarch
perl-perlfaq-5.20180605-1.el8.noarch perl-utils-5.26.3-421.el8.noarch
完毕!
[root@localhost SPECS]# rpmbuild -bb openssh.spec
正在执行(%prep):/bin/sh -e /var/tmp/rpm-tmp.01StAO
+ umask 022
+ cd /root/rpmbuild/BUILD
+ cd /root/rpmbuild/BUILD
+ rm -rf openssh-9.4p1
+ /usr/bin/gzip -dc /root/rpmbuild/SOURCES/openssh-9.4p1.tar.gz
+ /usr/bin/tar -xof -
+ STATUS=0
+ '[' 0 -ne 0 ']'
+ cd openssh-9.4p1
+ /usr/bin/chmod -Rf a+rX,u+w,g-w,o-w .
+ exit 0
正在执行(%build):/bin/sh -e /var/tmp/rpm-tmp.3OTjIN
+ umask 022
+ cd /root/rpmbuild/BUILD
+ cd openssh-9.4p1
...
Recommends: openssh-debugsource(x86-64) = 9.4p1-1.el8
检查未打包文件:/usr/lib/rpm/check-files /root/rpmbuild/BUILDROOT/openssh-9.4p1-1.el8.x86_64
已写至:/root/rpmbuild/RPMS/x86_64/openssh-9.4p1-1.el8.x86_64.rpm
已写至:/root/rpmbuild/RPMS/x86_64/openssh-clients-9.4p1-1.el8.x86_64.rpm
已写至:/root/rpmbuild/RPMS/x86_64/openssh-server-9.4p1-1.el8.x86_64.rpm
已写至:/root/rpmbuild/RPMS/x86_64/openssh-debugsource-9.4p1-1.el8.x86_64.rpm
已写至:/root/rpmbuild/RPMS/x86_64/openssh-debuginfo-9.4p1-1.el8.x86_64.rpm
已写至:/root/rpmbuild/RPMS/x86_64/openssh-clients-debuginfo-9.4p1-1.el8.x86_64.rpm
已写至:/root/rpmbuild/RPMS/x86_64/openssh-server-debuginfo-9.4p1-1.el8.x86_64.rpm
正在执行(%clean):/bin/sh -e /var/tmp/rpm-tmp.umYllQ
+ umask 022
+ cd /root/rpmbuild/BUILD
+ cd openssh-9.4p1
+ rm -rf /root/rpmbuild/BUILDROOT/openssh-9.4p1-1.el8.x86_64
+ exit 0
看到“+ exit 0”表示编译成功。
三、测试验证
1、安装新编译的openssh RPM包
[root@localhost SPECS]# cd /root/rpmbuild/RPMS/x86_64/
[root@localhost SPECS]# cd /root/rpmbuild/RPMS/x86_64
[root@localhost x86_64]# dnf update *
上次元数据过期检查:1:26:58 前,执行于 2023年09月11日 星期一 04时17分36秒。
软件包 openssh-clients-debuginfo 未安装,无法更新。
未找到匹配的参数: openssh-clients-debuginfo-9.4p1-1.el8.x86_64.rpm
软件包 openssh-debuginfo 未安装,无法更新。
未找到匹配的参数: openssh-debuginfo-9.4p1-1.el8.x86_64.rpm
软件包 openssh-debugsource 未安装,无法更新。
未找到匹配的参数: openssh-debugsource-9.4p1-1.el8.x86_64.rpm
软件包 openssh-server-debuginfo 未安装,无法更新。
未找到匹配的参数: openssh-server-debuginfo-9.4p1-1.el8.x86_64.rpm
依赖关系解决。
=========================================================================================================================================================
软件包 架构 版本 仓库 大小
=========================================================================================================================================================
升级:
openssh x86_64 9.4p1-1.el8 @commandline 680 k
openssh-clients x86_64 9.4p1-1.el8 @commandline 644 k
openssh-server x86_64 9.4p1-1.el8 @commandline 469 k
事务概要
=========================================================================================================================================================
升级 3 软件包
总计:1.8 M
确定吗?[y/N]: y
下载软件包:
运行事务检查
事务检查成功。
运行事务测试
事务测试成功。
运行事务
准备中 : 1/1
运行脚本: openssh-9.4p1-1.el8.x86_64 1/1
升级 : openssh-9.4p1-1.el8.x86_64 1/6
升级 : openssh-clients-9.4p1-1.el8.x86_64 2/6
运行脚本: openssh-server-9.4p1-1.el8.x86_64 3/6
升级 : openssh-server-9.4p1-1.el8.x86_64 3/6
运行脚本: openssh-server-9.4p1-1.el8.x86_64 3/6
运行脚本: openssh-server-8.0p1-12.el8.x86_64 4/6
清理 : openssh-server-8.0p1-12.el8.x86_64 4/6
运行脚本: openssh-server-8.0p1-12.el8.x86_64 4/6
清理 : openssh-clients-8.0p1-12.el8.x86_64 5/6
清理 : openssh-8.0p1-12.el8.x86_64 6/6
运行脚本: openssh-8.0p1-12.el8.x86_64 6/6
验证 : openssh-9.4p1-1.el8.x86_64 1/6
验证 : openssh-8.0p1-12.el8.x86_64 2/6
验证 : openssh-clients-9.4p1-1.el8.x86_64 3/6
验证 : openssh-clients-8.0p1-12.el8.x86_64 4/6
验证 : openssh-server-9.4p1-1.el8.x86_64 5/6
验证 : openssh-server-8.0p1-12.el8.x86_64 6/6
已升级:
openssh-9.4p1-1.el8.x86_64 openssh-clients-9.4p1-1.el8.x86_64 openssh-server-9.4p1-1.el8.x86_64
完毕!
[root@localhost x86_64]# systemctl restart sshd
[root@localhost x86_64]# systemctl status sshd
● sshd.service - SYSV: OpenSSH server daemon
Loaded: loaded (/etc/rc.d/init.d/sshd; generated)
Active: active (running) since Mon 2023-09-11 05:44:45 EDT; 7s ago
Docs: man:systemd-sysv-generator(8)
Process: 111506 ExecStart=/etc/rc.d/init.d/sshd start (code=exited, status=0/SUCCESS)
Main PID: 111516 (sshd)
Tasks: 1 (limit: 24686)
Memory: 924.0K
CGroup: /system.slice/sshd.service
└─111516 sshd: /usr/sbin/sshd [listener] 0 of 10-100 startups
9月 11 05:44:45 localhost.localdomain systemd[1]: Starting SYSV: OpenSSH server daemon...
9月 11 05:44:45 localhost.localdomain sshd[111513]: /sbin/restorecon: lstat(/etc/ssh/ssh_host_dsa_key.pub) failed: No such file or directory
9月 11 05:44:45 localhost.localdomain sshd[111516]: Server listening on 0.0.0.0 port 22.
9月 11 05:44:45 localhost.localdomain sshd[111516]: Server listening on :: port 22.
9月 11 05:44:45 localhost.localdomain sshd[111506]: Starting sshd:[ 确定 ]
9月 11 05:44:45 localhost.localdomain systemd[1]: Started SYSV: OpenSSH server daemon.
2、版本验证:升级后先执行 ssh -V 确认输出为 OpenSSH_9.4p1,再从另一台主机新开一个 ssh 会话确认能正常登录(期间保持原有会话不要断开,以便失败时回退):
可以将/root/rpmbuild/RPMS/x86_64下的软件包进行拷贝分发或放到http服务器共享,至此rpm包制作完成。批量升级前请注意三点:其一,建议用自己的GPG密钥对rpm签名(rpm --addsign)并通过开启gpgcheck的yum源下发,而不是像上面那样在目标主机上直接dnf update未签名的本地包;其二,spec中sshd_config是config(noreplace)文件,未改动过的发行版配置一般会被上游默认配置替换,而%post脚本又会就地改写它(强制PermitRootLogin yes、UsePAM yes,并追加含diffie-hellman-group14-sha1的KexAlgorithms行,且每次升级都会重复追加),升级后应检查最终生效的/etc/ssh/sshd_config是否符合本单位安全基线,不要靠软件包来放开root密码登录;其三,服务由发行版的systemd单元变成了由SysV脚本生成的单元(见上面systemctl status中的“SYSV … generated”),发行版原有的systemd侧加固与配置不再生效。建议先在测试机升级并保持原有会话不断开,确认新会话可登录后再批量推送。
3、注意事项
openssh升级到9.*后,服务端默认只提供基于SHA-2的密钥交换算法,不再提供diffie-hellman-group1-sha1、diffie-hellman-group14-sha1等SHA-1算法,同时(自8.8起)默认不再接受使用SHA-1的ssh-rsa签名——并不是“加密算法最低要求256位”。因此只支持这些旧算法的低版本客户端(如CentOS 6自带的旧版OpenSSH)和旧版SecureCRT将无法连接,典型报错如下(这是SecureCRT的密钥交换报错;CentOS 6客户端通常则报host key类型不匹配):
Key exchange failed.
No compatible key-exchange method. The server supports these methods: [email protected],curve25519-sha256,[email protected],ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
此时其它未升级openssh的CentOS 6服务器都连不上已升级的服务器,这不是升级失败:正确的解决办法是升级这些客户端主机的openssh-clients,而不是在服务端通过KexAlgorithms/HostKeyAlgorithms重新启用SHA-1算法去迁就旧客户端——那样会抵消本次升级的安全收益。
Windows连接请升级SecureCRT到8.*.*版本,并在会话属性的密钥交换算法中勾选上面服务端列表里的非SHA-1算法(如curve25519-sha256、ecdh-sha2-nistp256/384/521、diffie-hellman-group14-sha256),即可正常连接。
可以看到连接是没有任何问题的。
本人编译的成品包下载地址:openssh9.4p1 for el8(安全提示:sshd以root身份运行在每台主机上,不建议在生产环境直接安装来源和完整性无法校验的第三方二进制rpm;请按本文步骤自行从经签名校验的源码编译,并用自己的密钥签名后再分发)