Compiling and Upgrading OpenSSH on CentOS 7

Building the packages and upgrading

  1. Install rpmbuild and the build dependencies
yum install -y rpm-build gcc gcc-c++ make pam-devel rpmdevtools zlib-devel krb5-devel tcp_wrappers tcp_wrappers-devel tcp_wrappers-libs libX11-devel xmkmf libXt-devel wget openssl openssl-devel
  2. Create the build directories
mkdir -p ~/rpmbuild/{BUILD,BUILDROOT,RPMS,SOURCES,SPECS,SRPMS}
  3. Download the OpenSSH source tarball
cd ~/rpmbuild/SOURCES
wget https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/openssh-7.6p1.tar.gz
  4. Extract the spec file and change two settings in it (the third sed replaces the BuildPreReq tag with BuildRequires)
cd ~/rpmbuild/SPECS/
tar zxf ../SOURCES/openssh-7.6p1.tar.gz openssh-7.6p1/contrib/redhat/openssh.spec
mv openssh-7.6p1/contrib/redhat/openssh.spec openssh-7.6p1.spec
rm -fr openssh-7.6p1
sed -i -e "s/%define no_gnome_askpass 0/%define no_gnome_askpass 1/g" openssh-7.6p1.spec
sed -i -e "s/%define no_x11_askpass 0/%define no_x11_askpass 1/g" openssh-7.6p1.spec
sed -i -e "s/BuildPreReq/BuildRequires/g" openssh-7.6p1.spec
  5. Build the RPM packages
rpmbuild -bb openssh-7.6p1.spec
ls -l ~/rpmbuild/RPMS/x86_64
cd ~/rpmbuild/RPMS/x86_64
  6. Back up the existing configuration files, then install the upgraded OpenSSH packages
mkdir -p /var/{sshbak,pambak}
cp -ap /etc/ssh/* /var/sshbak/
cp -ap /etc/pam.d/sshd /var/pambak/
yum localinstall ~/rpmbuild/RPMS/x86_64/*
  7. Restore the configuration files
\cp -ap /var/sshbak/* /etc/ssh/
\cp -ap /var/pambak/sshd /etc/pam.d/
chmod 400 /etc/ssh/*
systemctl restart sshd

Pitfalls

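Problem 1:
PAM unable to dlopen(/lib64/security/pam_stack.so): /lib64/security/pam_stack.so: cannot open shared object file: No such file or directory
PAM adding faulty module: /lib64/security/pam_stack.so

Solution:
The upgrade replaces /etc/pam.d/sshd with a file that references pam_stack.so, which is not present on the system. Back up /etc/pam.d/sshd before upgrading and restore it afterwards,
or change /etc/pam.d/sshd to the following content: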

#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
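
A pre-restart check for Problem 1, added here as an example (not part of the original post): the function lists modules that a PAM service file references but that are missing from the module directory, so a pam_stack.so-style breakage is caught while the current SSH session is still open. The function name is an assumption of this example; the /lib64/security default is taken from the error message above.

```sh
#!/bin/sh
# Added example, not from the original post.
# Usage: missing_pam_modules FILE [MODULE_DIR]   (default: /lib64/security)
# Prints one missing module per line; exit status is 1 if any are missing.
# Typical use before restarting the daemon:
#   missing_pam_modules /etc/pam.d/sshd && sshd -t && systemctl restart sshd
missing_pam_modules() (
    pam_file=$1
    module_dir=${2:-/lib64/security}
    rc=0
    # "|| [ -n ... ]" keeps a final line that has no trailing newline
    while read -r type control rest || [ -n "$type" ]; do
        case $type in ''|'#'*) continue ;; esac      # blank line or comment
        case ${type#-} in                            # a leading "-" is legal
            auth|account|password|session) ;;
            *) continue ;;                           # not a rule line
        esac
        case $control in
            include|substack) continue ;;            # names a service file, not a module
            '['*']') ;;                              # one-field [key=value] control
            '['*) rest=${rest#*]} ;;                 # multi-field: drop through the "]"
        esac
        set -f; set -- $rest; set +f                 # split into words without globbing
        module=$1
        [ -n "$module" ] || continue
        case $module in
            /*) path=$module ;;                      # absolute module path
            *)  path=$module_dir/$module ;;
        esac
        if [ ! -e "$path" ]; then
            printf '%s\n' "$module"
            rc=1
        fi
    done < "$pam_file"
    exit "$rc"
)
```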

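Problem 2:
The root user cannot log in.

Solution:
Edit /etc/ssh/sshd_config
and add the setting below. The commented-out value, prohibit-password, lets root log in with a key but not with a password; yes also allows password logins for root.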

# PermitRootLogin prohibit-password
PermitRootLogin yes
