Linux 制作 OpenSSH RPM 包

本文适用系统：Rocky Linux 9、AWS Amazon Linux 2023

1. 安装依赖

• Rocky Linux:

dnf -y install epel-release gcc initscripts krb5-devel make openssl openssl-devel pam-devel perl rpm-build zlib-devel
dnf -y install imake

• AWS Amazon Linux 2023(不支持 EPEL):

dnf -y install gcc initscripts krb5-devel make openssl openssl-devel pam-devel perl rpm-build zlib-devel
rpm -ivh https://dl.fedoraproject.org/pub/epel/9/Everything/x86_64/Packages/i/imake-1.0.8-6.el9.x86_64.rpm

2. 建立编译目录

mkdir -p ~/rpmbuild
cd ~/rpmbuild
mkdir -p BUILD BUILDROOT RPMS SOURCES SPECS SRPMS

3. 下载源码包并解压

cd SOURCES
wget https://mirrors.aliyun.com/pub/OpenBSD/OpenSSH/portable/openssh-9.6p1.tar.gz
tar xf openssh-9.6p1.tar.gz
wget https://src.fedoraproject.org/repo/pkgs/openssh/x11-ssh-askpass-1.2.4.1.tar.gz

4. 复制编译配置

cp openssh-9.6p1/contrib/redhat/openssh.spec ~/rpmbuild/SPECS/

5. 修改编译配置

cd ~/rpmbuild/SPECS
sed -i "s/%global no_gnome_askpass 0/%global no_gnome_askpass 1/g" openssh.spec
sed -i "s/%global no_x11_askpass 0/%global no_x11_askpass 1/g" openssh.spec
sed -i '/PreReq:/s/^/#/' openssh.spec
sed -i '/Obsoletes:/s/^/#/' openssh.spec
sed -i '/--without-openssl \\/,+1d' openssh.spec
sed -i '/%if %{without_openssl}/d' openssh.spec

6. 编译制作 RPM 包

rpmbuild -bb ~/rpmbuild/SPECS/openssh.spec
ls -l ~/rpmbuild/RPMS/x86_64/

带 debug 字符串的文件名后缀 .rpm 包非调试环境无需安装，只需安装另外3个包即可。

安装更新 OpenSSH RPM 包前先备份配置：

mv /etc/pam.d/sshd /etc/pam.d/sshd.bak

服务器安装完 RPM 包后续操作，否则重启服务 systemctl restart sshd 失败和报错:

cd ~/rpmbuild/RPMS/x86_64/
rpm -Uvh openssh-9.6p1-1.*.rpm openssh-clients-9.6p1-1.*.rpm openssh-server-9.6p1-1.*.rpm
sed -i '/ssh_host_rsa_key.pub/d' /etc/rc.d/init.d/sshd
sed -i '/ssh_host_dsa_key.pub/d' /etc/rc.d/init.d/sshd
mv /etc/pam.d/sshd.bak /etc/pam.d/sshd
echo 'UsePAM yes' >> /etc/ssh/sshd_config
chmod 0600 /etc/ssh/*
systemctl daemon-reload
systemctl restart sshd