1. Current environment
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
CentOS Linux release 7.4.1708 (Core)
openssh-7.4p1-11.el7.x86_64
openssh-clients-7.4p1-11.el7.x86_64
openssh-server-7.4p1-11.el7.x86_64
openssl-libs-1.0.2k-8.el7.x86_64
openssl-1.0.2k-8.el7.x86_64
2. OpenSSH 8.8 dependencies
https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/INSTALL
OpenSSH 8.8 requires one of the following OpenSSL versions:
1.0.x >= 1.0.1 or 1.1.0 >= 1.1.0g or any 1.1.1
After weighing it up, the stock openssl-1.0.2k is kept as is. For compatibility's sake, if OpenSSL really has to be upgraded, upgrade to CentOS 8 instead.
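As an added check that is not part of the original post, the following POSIX shell function encodes the OpenSSL requirement quoted above from the INSTALL file and tests a version string against it. The helper that reads the installed version assumes the output format of `openssl version` shown in section 1 ("OpenSSL 1.0.2k-fips 26 Jan 2017"). Versions outside the three families the INSTALL file names (for example 3.x) are reported as not covered, because the requirement says nothing about them.

```shell
#!/bin/sh
# Added example: check an OpenSSL version string against the OpenSSH 8.8
# requirement quoted from INSTALL:
#   1.0.x >= 1.0.1  or  1.1.0 >= 1.1.0g  or  any 1.1.1
# Anything else (older 1.0.0, LibreSSL, 3.x) is reported as not covered,
# because the requirement above says nothing about it.

openssl_supported() {
    v=$1
    v=${v%%-*}          # drop a "-fips" style suffix: "1.0.2k-fips" -> "1.0.2k"
    case "$v" in
        1.0.0*)      return 1 ;;   # 1.0.0 and its patch letters are below 1.0.1
        1.0.[1-9]*)  return 0 ;;   # 1.0.1 .. 1.0.9, any patch letter
        1.1.1*)      return 0 ;;   # any 1.1.1 release
        1.1.0)       return 1 ;;   # plain 1.1.0 is older than 1.1.0g
        1.1.0[a-f])  return 1 ;;   # 1.1.0a .. 1.1.0f are older than 1.1.0g
        1.1.0[g-z]*) return 0 ;;   # 1.1.0g and later patch letters
        *)           return 1 ;;   # not in the list the INSTALL file gives
    esac
}

# Assumed output format of "openssl version", as seen in section 1:
#   OpenSSL 1.0.2k-fips  26 Jan 2017
# The second word is the version token.
installed_openssl_version() {
    openssl version 2>/dev/null | awk '{ print $2 }'
}

# Report whether the library on this host is acceptable for OpenSSH 8.8.
check_host_openssl() {
    ver=$(installed_openssl_version)
    if [ -z "$ver" ]; then
        echo "openssl binary not found; cannot determine version" >&2
        return 2
    fi
    if openssl_supported "$ver"; then
        echo "OpenSSL $ver satisfies the OpenSSH 8.8 requirement"
    else
        echo "OpenSSL $ver is outside the versions OpenSSH 8.8 lists" >&2
        return 1
    fi
}

# Run with "--check" to test the OpenSSL on this host.
if [ "${1:-}" = "--check" ]; then
    check_host_openssl
fi
```

On the CentOS 7.4 box from section 1, `sh check-openssl.sh --check` reports that 1.0.2k-fips satisfies the requirement, which is what justifies keeping the stock OpenSSL.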
3. Preparing the OpenSSH 8.8 upgrade
Building from source requires:
yum install gcc zlib-devel openssl-devel pam-devel
Building the RPM packages additionally requires:
yum install libXt-devel imake gtk2-devel krb5-devel
4. Installing from the source tarball
PAM
If PAM is used, a PAM control file, /etc/pam.d/sshd, also has to be installed by hand. A generic PAM configuration, contrib/sshd.pam.generic, can be adapted to your system; on Red Hat Linux, contrib/redhat/sshd.pam should be a better fit. Failing to install a valid PAM file leaves password authentication unusable. On HP-UX 11 and Solaris the standard /etc/pam.conf can be used with sshd.
Preparation
- Back up /etc/pam.d/sshd
cp /etc/pam.d/sshd ~/
- Remove openssh
yum remove openssh
This removes all three packages: openssh, openssh-clients and openssh-server.
The current SSH session stays open; do not log out of it, because once it is closed you cannot reconnect. Alternatively, set up a telnet service as a fallback.
Installation
- Default installation
By default the binaries go to /usr/local/bin, the configuration files to /usr/local/etc and the server to /usr/local/sbin.
./configure
make
make install
OpenSSH has been configured with the following options:
User binaries: /usr/local/bin
System binaries: /usr/local/sbin
Configuration files: /usr/local/etc
Askpass program: /usr/local/libexec/ssh-askpass
Manual pages: /usr/local/share/man/manX
PID file: /var/run
Privilege separation chroot path: /var/empty
sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
Manpage format: doc
PAM support: no
OSF SIA support: no
KerberosV support: no
SELinux support: no
MD5 password support: no
libedit support: no
libldns support: no
Solaris process contract support: no
Solaris project support: no
Solaris privilege support: no
IP address in $DISPLAY hack: no
Translate v4 in v6 hack: yes
BSD Auth support: no
Random number source: OpenSSL internal ONLY
Privsep sandbox style: seccomp_filter
PKCS#11 support: yes
U2F/FIDO support: yes
Host: x86_64-pc-linux-gnu
Compiler: cc
Compiler flags: -g -O2 -pipe -Wall -Wextra -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-parameter -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE
Preprocessor flags: -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE
Linker flags: -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -pie
Libraries: -lcrypto -ldl -lutil -lz -lcrypt -lresolv
- Specifying the install prefix
./configure --prefix=/opt
make
make install
This installs OpenSSH under /opt/{bin,etc,lib,sbin}.
- Specifying the paths in detail
./configure --prefix=/opt --sysconfdir=/etc/ssh
make
make install
This installs the binaries under /opt/{bin,lib,sbin} and the configuration files to /etc/ssh.
- Overwriting the system installation
./configure --bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc/ssh --with-pam --with-zlib --with-md5-passwords
make
make install
OpenSSH has been configured with the following options:
User binaries: /usr/bin
System binaries: /usr/sbin
Configuration files: /etc/ssh
Askpass program: /usr/local/libexec/ssh-askpass
Manual pages: /usr/local/share/man/manX
PID file: /var/run
Privilege separation chroot path: /var/empty
sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin
Manpage format: doc
PAM support: yes
OSF SIA support: no
KerberosV support: no
SELinux support: no
MD5 password support: yes
libedit support: no
libldns support: no
Solaris process contract support: no
Solaris project support: no
Solaris privilege support: no
IP address in $DISPLAY hack: no
Translate v4 in v6 hack: yes
BSD Auth support: no
Random number source: OpenSSL internal ONLY
Privsep sandbox style: seccomp_filter
PKCS#11 support: yes
U2F/FIDO support: yes
Host: x86_64-pc-linux-gnu
Compiler: cc
Compiler flags: -g -O2 -pipe -Wall -Wextra -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-parameter -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE
Preprocessor flags: -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE
Linker flags: -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -pie
Libraries: -lcrypto -ldl -lutil -lz -lcrypt -lresolv
+for sshd: -lpam
PAM is enabled. You may need to install a PAM control file
for sshd, otherwise password authentication may fail.
Example PAM control files can be found in the contrib/
subdirectory
Verify the result
[root@VM-99-17-centos openssh-8.8p1]# ssh -V
OpenSSH_8.8p1, OpenSSL 1.0.2k-fips 26 Jan 2017
Note:
A source install comes with no service management files, so it is managed by neither service nor systemd; a service definition has to be added by hand.
So why not build RPM packages and install those instead?
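One way to supply the missing service management for a source install, as an added example that comes neither from the post nor from the OpenSSH tarball: a shell function that prints a systemd unit for an sshd installed under a given prefix (the /usr/local default from the ./configure output above). The unit text is this example's own assumption; it uses Type=simple with `sshd -D` so it does not depend on the daemon supporting sd_notify, and runs `sshd -t` first so that a config that does not parse is reported by `systemctl start` instead of showing up as a daemon that exits immediately.

```shell
#!/bin/sh
# Added example: print a systemd unit for an OpenSSH server that was built
# from source and installed under PREFIX (default /usr/local, matching the
# ./configure output above). The unit text is this example's own; it is not
# shipped by the OpenSSH tarball.

# sshd_unit [PREFIX]  -> unit file on stdout
sshd_unit() {
    prefix=${1:-/usr/local}
    sshd=$prefix/sbin/sshd
    cat <<EOF
[Unit]
Description=OpenSSH server daemon ($sshd)
After=network.target

[Service]
# Type=simple: sshd -D stays in the foreground and does not need sd_notify.
Type=simple
# Refuse to start on a config that does not parse, instead of an sshd that
# exits right after being started.
ExecStartPre=$sshd -t
ExecStart=$sshd -D -e
# sshd re-reads its configuration on SIGHUP.
ExecReload=/bin/kill -HUP \$MAINPID
# Only stop the listener; leave existing sessions (child processes) alone.
KillMode=process
Restart=on-failure
RestartSec=5s

[Install]
WantedBy=multi-user.target
EOF
}

# install_sshd_unit [PREFIX]: write the unit, reload systemd, enable at boot.
# Run as root on the target host; do not restart until "sshd -t" is clean.
install_sshd_unit() {
    sshd_unit "$1" > /etc/systemd/system/sshd.service
    systemctl daemon-reload
    systemctl enable sshd.service
}

# "--print [PREFIX]" shows the unit without installing anything.
if [ "${1:-}" = "--print" ]; then
    sshd_unit "${2:-}"
fi
```

Review the printed unit with `sh sshd-unit.sh --print /usr/local` before calling install_sshd_unit, and keep the existing SSH session open while testing `systemctl restart sshd`, for the same reason given in the preparation steps.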
5. Building OpenSSH 8.8 RPM packages and installing them
Upgrading to OpenSSH 8.8, released September 26, 2021.
About PAM
The pam.d/ directory must contain an sshd file.
The sshd file that the built package installs automatically needs pam_stack.so and pam_nologin.so, which are not present. So the original sshd file is used instead.
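To find out in advance which modules a PAM control file references that the host does not have (the pam_stack.so problem described above), here is an added checker that is not from the post or from OpenSSH. The module directory is a parameter (on 64-bit CentOS 7 it is /lib64/security), and the demo uses a constructed sshd file in the old pam_stack.so style together with a constructed module directory, not the real contrib files or the real system.

```shell
#!/bin/sh
# Added example: list the PAM modules a control file references that are not
# present in the module directory. Run before installing a pam.d/sshd file
# so that password authentication does not silently break.

# pam_missing_modules FILE MODULE_DIR
# Prints one missing module name per line; prints nothing when all exist.
pam_missing_modules() {
    file=$1
    moddir=$2
    # 1. strip comments
    # 2. collapse a bracketed control like "[success=1 default=ignore]" into
    #    one word so that the module is always the third field
    # 3. skip "include"/"substack" lines, which name another control file
    sed -e 's/#.*//' -e 's/\[[^]]*\]/bracketed/' "$file" \
    | awk 'NF >= 3 && $2 != "include" && $2 != "substack" { print $3 }' \
    | sort -u \
    | while read -r mod; do
        case "$mod" in
            /*) path=$mod ;;             # absolute module path given in the file
            *)  path=$moddir/$mod ;;     # bare name, relative to the module dir
        esac
        [ -e "$path" ] || echo "$mod"
    done
}

# Self-contained demonstration with constructed input: a fake module directory
# holding a handful of modules and a control file in the old pam_stack.so style.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/security"
    for m in pam_env.so pam_unix.so pam_limits.so pam_sepermit.so pam_loginuid.so; do
        : > "$tmp/security/$m"
    done
    cat > "$tmp/sshd" <<'EOF'
#%PAM-1.0
# constructed sample control file, not the real contrib/redhat/sshd.pam
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    [success=1 default=ignore] pam_unix.so
account    required     pam_nologin.so
session    required     pam_limits.so
session    required     pam_loginuid.so
EOF
    pam_missing_modules "$tmp/sshd" "$tmp/security"
    rm -rf "$tmp"
}

# Real use on a CentOS 7 host (64-bit modules live in /lib64/security):
#   pam_missing_modules /path/to/new/sshd /lib64/security
if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

The demo prints pam_nologin.so and pam_stack.so, the two modules the constructed directory lacks. Running the same function on the sshd file extracted from contrib/redhat against /lib64/security tells you before the upgrade whether that file can be used or whether, as the post does, the original /etc/pam.d/sshd should be kept.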
- Dependency packages
- Create the ~/rpmbuild/ directory tree
rpmdev-setuptree
- Prepare the source tarballs and patch files
- the openssh source tarball
- x11-ssh-askpass-1.2.4.1.tar.gz, which is needed at build time
- the sshd PAM file
cd ~/rpmbuild/SOURCES/
wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.8p1.tar.gz
wget https://src.fedoraproject.org/repo/pkgs/openssh/x11-ssh-askpass-1.2.4.1.tar.gz/8f2e41f3f7eaa8543a2440454637f3c3/x11-ssh-askpass-1.2.4.1.tar.gz
cp /etc/pam.d/sshd ./
- Fix up the spec file
cd ~/rpmbuild/SOURCES/
tar xzvf openssh-8.8p1.tar.gz openssh-8.8p1/contrib/redhat/openssh.spec -C ../SPECS/
Edit the openssh.spec file that was extracted into the SPECS/ directory.
- Edit BuildRequires: comment out openssl-devel < 1.1, otherwise the build fails.
BuildRequires: openssl-devel >= 1.0.1
# BuildRequires: openssl-devel < 1.1
- Edit the %install section so that it installs the sshd file.
if %{build6x}
Meaning: tests whether this is an old RHEL release (6 or earlier).
# Use build6x options for older RHEL builds
# RHEL 7 not yet supported
%if 0%{?rhel} > 6
%global build6x 0
%else
%global build6x 1
%endif
Change the sshd-related part of the %install section so that it installs the sshd file, as follows:
%if %{build6x}
install -m644 contrib/redhat/sshd.pam.old $RPM_BUILD_ROOT/etc/pam.d/sshd
%else
# install -m644 contrib/redhat/sshd.pam $RPM_BUILD_ROOT/etc/pam.d/sshd
install -m644 $RPM_SOURCE_DIR/sshd $RPM_BUILD_ROOT/etc/pam.d/sshd
%endif
The modified file, diffed against the original:
# diff --suppress-common-lines SOURCES/openssh-8.8p1/contrib/redhat/openssh.spec SPECS/openssh.spec
103c103
< BuildRequires: openssl-devel < 1.1
---
> # BuildRequires: openssl-devel < 1.1
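Review bot: commenting out `BuildRequires: openssl-devel < 1.1` removes the upper bound instead of correcting it. With the host staying on openssl 1.0.2k (section 2) the remaining `>= 1.0.1` line is still satisfied, but the spec now also accepts openssl-devel 1.1.x and newer, which this build was not tested against. If the line has to go, add a %changelog entry saying why, so the next person rebuilding the package does not reintroduce it blindly.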
279c279,280
< install -m644 contrib/redhat/sshd.pam $RPM_BUILD_ROOT/etc/pam.d/sshd
---
> # install -m644 contrib/redhat/sshd.pam $RPM_BUILD_ROOT/etc/pam.d/sshd
> install -m644 $RPM_SOURCE_DIR/sshd $RPM_BUILD_ROOT/etc/pam.d/sshd
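Review bot: the new `install -m644 $RPM_SOURCE_DIR/sshd $RPM_BUILD_ROOT/etc/pam.d/sshd` reads a file straight out of SOURCES without the spec declaring it, so unless a `SourceN: sshd` line is also added the file is left out of any SRPM built with -bs and a missing copy is only noticed when %install runs. Declare it with a free SourceN number next to the other Source lines and reference it here as `%{SOURCEN}`; that also leaves the commented-out original line as documentation of what was replaced.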
- Build the binary packages
cd ~/rpmbuild/SPECS/
rpmbuild -bb openssh.spec
The command above writes the .rpm binary packages to the ~/rpmbuild/RPMS/ directory.
- Deploy the upgrade
Copy the packages openssh-8.8p1-1.el7.x86_64.rpm, openssh-server-8.8p1-1.el7.x86_64.rpm and openssh-clients-8.8p1-1.el7.x86_64.rpm to the target server.
Run the following install command:
yum localinstall openssh-8.8p1-1.el7.x86_64.rpm openssh-server-8.8p1-1.el7.x86_64.rpm openssh-clients-8.8p1-1.el7.x86_64.rpm
Check the version
[root@VM-99-17-centos ~]# ssh -V
OpenSSH_8.8p1, OpenSSL 1.0.2k-fips 26 Jan 2017
Restart the service
service sshd restart
Note:
yum localinstall removes the previous version; back up the configuration files and anything else you need beforehand.
systemd is not supported; manage the service with service and chkconfig.
Logging in as root is not allowed; adjust the spec file to your own needs and customize the configuration. A login account therefore has to be set up before installing.
The built version lacks the sshd-keygen and ssh-copy-id commands; still to be investigated.
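Because yum localinstall replaces the previous version, the spec-built configuration does not permit root login, and the built package has no sshd-keygen to create missing host keys, it is worth checking the new sshd_config before `service sshd restart` while the old session is still open. The following is an added example, not from the post: two small sshd_config parsers (first obtained value wins, Match blocks ignored, as sshd_config(5) describes) plus a wrapper around `sshd -t`. The demo uses a constructed config in a temporary directory.

```shell
#!/bin/sh
# Added example: sanity-check an sshd_config before restarting the upgraded
# daemon. Parsing follows sshd_config(5): keywords are case-insensitive,
# the first obtained value wins, and anything after a "Match" line only
# applies conditionally, so it is ignored here.

# effective_permit_root_login CONFIG
# Prints the global PermitRootLogin value; OpenSSH's built-in default is
# "prohibit-password" when the keyword is absent.
effective_permit_root_login() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "permitrootlogin" { print $2; found = 1; exit }
         END { if (!found) print "prohibit-password" }' "$1"
}

# missing_host_keys CONFIG [SYSCONFDIR]
# Prints each HostKey path that does not exist. With no HostKey lines,
# checks the three default key files sshd would look for under SYSCONFDIR.
missing_host_keys() {
    cfg=$1
    etc=${2:-/etc/ssh}
    keys=$(awk 'tolower($1) == "match" { exit }
                tolower($1) == "hostkey" { print $2 }' "$cfg")
    if [ -z "$keys" ]; then
        keys="$etc/ssh_host_rsa_key
$etc/ssh_host_ecdsa_key
$etc/ssh_host_ed25519_key"
    fi
    printf '%s\n' "$keys" | while read -r key; do
        [ -e "$key" ] || echo "$key"
    done
}

# syntax_check CONFIG: let the new daemon validate its own config.
# sshd -t only parses and exits; it does not start listening.
syntax_check() {
    if command -v sshd >/dev/null 2>&1; then
        sshd -t -f "$1"
    else
        echo "sshd not in PATH; skipping syntax check" >&2
    fi
}

# Self-contained demo with a constructed config: root login disabled,
# one of two configured host keys missing, a Match block that must be ignored.
demo() {
    tmp=$(mktemp -d)
    : > "$tmp/ssh_host_rsa_key"
    cat > "$tmp/sshd_config" <<EOF
Port 22
#PermitRootLogin yes
PermitRootLogin no
HostKey $tmp/ssh_host_rsa_key
HostKey $tmp/ssh_host_ed25519_key
Match User backup
    PermitRootLogin yes
EOF
    echo "PermitRootLogin=$(effective_permit_root_login "$tmp/sshd_config")"
    for k in $(missing_host_keys "$tmp/sshd_config"); do
        echo "missing=${k##*/}"
    done
    rm -rf "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

On the real host, run `syntax_check /etc/ssh/sshd_config`, `effective_permit_root_login /etc/ssh/sshd_config` and `missing_host_keys /etc/ssh/sshd_config` after yum localinstall and before the restart; a missing key has to be generated with `ssh-keygen -A` by hand, since the built package has no sshd-keygen, and if the effective PermitRootLogin is not what the account plan in the note above expects, fix the config before the old session is closed.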
Appendix 2. Files installed by CentOS openssh-7.4p1 (excluding /usr/share)
- openssh-7.4p1-21.el7.x86_64
- openssh-server-7.4p1-21.el7.x86_64
- openssh-clients-7.4p1-21.el7.x86_64

| Files | openssh | openssh-server | openssh-clients |
|---|---|---|---|
| config | /etc/ssh, /etc/ssh/moduli | /etc/ssh/sshd_config, /etc/sysconfig/sshd, /etc/pam.d/sshd | /etc/ssh/ssh_config |
| /usr/lib/systemd/system/ | | sshd-keygen.service, sshd.service, sshd.socket, sshd@.service | |
| lib | /usr/lib64/fipscheck/ssh.hmac | /usr/lib64/fipscheck/ssh.hmac | |
| /usr/sbin/ | | sshd, sshd-keygen | |
| /usr/bin/ | ssh-keygen | | scp, sftp, slogin, ssh, ssh-add, ssh-agent, ssh-copy-id, ssh-keyscan |
| /usr/libexec/openssh/ | ctr-cavstest, ssh-keysign | sftp-server | ssh-pkcs11-helper |
| other | | /var/empty/sshd | |