Operating environment: Red Hat Enterprise Linux 4 Update 5
[root@mytest ~]# uname -a
Linux mytest 2.6.9-55.EL #1 Fri Apr 20 16:35:59 EDT 2007 i686 i686 i386 GNU/Linux
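I remember that when I was installing the new version 9.4.0, I got this message:
"It is recommended that you upgrade to OpenSSL version 0.9.8d/0.9.7l (or greater). You can disable this warning by specifying: --disable-openssl-version-check"
I could not find an openssl rpm package for this system version to upgrade with, so at the time I simply skipped the version check. Here is the process of upgrading the two major security components on Linux, openssl and openssh, from source, posted for everyone's reference.
Download the latest packages from these sites: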
http://www.openssl.org/
http://www.openssh.org/
[root@mytest src]# rpm -q openssl
openssl-0.9.7a-43.16
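[root@mytest src]# rpm -ql openssl //List the files of the original openssl package and record them. Because the installation is done from source, some library files have to be updated by hand later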
===============================================================
[root@mytest src]# ll /lib/libcrypto.so.* //Find the paths of the original openssl library files
-rwxr-xr-x 1 root root 824272 Sep 28 2006 /lib/libcrypto.so.0.9.6b
-rwxr-xr-x 1 root root 939336 Jan 12 2007 /lib/libcrypto.so.0.9.7a
lrwxrwxrwx 1 root root 19 Feb 24 16:08 /lib/libcrypto.so.2 -> libcrypto.so.0.9.6b
lrwxrwxrwx 1 root root 19 Feb 24 15:48 /lib/libcrypto.so.4 -> libcrypto.so.0.9.7a
[root@mytest src]# ll /lib/libssl.so.*
-rwxr-xr-x 1 root root 186304 Sep 28 2006 /lib/libssl.so.0.9.6b
-rwxr-xr-x 1 root root 211948 Jan 12 2007 /lib/libssl.so.0.9.7a
lrwxrwxrwx 1 root root 16 Feb 24 16:08 /lib/libssl.so.2 -> libssl.so.0.9.6b
lrwxrwxrwx 1 root root 16 Feb 24 15:48 /lib/libssl.so.4 -> libssl.so.0.9.7a
[root@mytest openssl-0.9.8g]# ll /usr/lib/libcrypto.so
lrwxrwxrwx 1 root root 29 Feb 24 16:05 /usr/lib/libcrypto.so -> ../../lib/libcrypto.so.0.9.7a
[root@mytest openssl-0.9.8g]# ll /usr/lib/libssl.so
lrwxrwxrwx 1 root root 26 Feb 24 16:05 /usr/lib/libssl.so -> ../../lib/libssl.so.0.9.7a
[root@mytest src]# find / -name openssl //Find the files related to the original openssl, including shared libraries and executables
/usr/include/openssl
/usr/bin/openssl
/usr/lib/ruby/1.8/openssl
[root@mytest src]# mv /usr/include/openssl /usr/include/oldssl //Move the original header files aside as a backup
[root@mytest src]# mkdir /lib/oldssl
[root@mytest src]# ldd /usr/bin/openssl //First determine which libraries the original openssl depends on, to make later lookups easier; this information is not used for now
libssl.so.4 => /lib/libssl.so.0.9.7a
libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0x00d4b000)
libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0x0098f000)
libcom_err.so.2 => /lib/libcom_err.so.2 (0x001df000)
libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0x00739000)
libresolv.so.2 => /lib/libresolv.so.2 (0x00c9f000)
libcrypto.so.4 => /lib/libcrypto.so.0.9.7a
libdl.so.2 => /lib/libdl.so.2 (0x00852000)
libz.so.1 => /usr/lib/libz.so.1 (0x00e46000)
libc.so.6 => /lib/tls/libc.so.6 (0x003c9000)
/lib/ld-linux.so.2 (0x002b8000)
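Remove the original library files in preparation for the upgrade. Here they are only moved aside as a backup, not deleted outright.
[root@mytest src]# mv /lib/libcrypto.so.0.9.7a /lib/oldssl/ //First use rpm -ql openssl to determine which library files the openssl package contains
[root@mytest src]# mv /lib/libcrypto.so.4 /lib/oldssl/ //This symlink can simply be deleted; the same goes for libssl.so.4 below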
[root@mytest src]# mv /lib/libssl.so.0.9.7a /lib/oldssl/
[root@mytest src]# mv /lib/libssl.so.4 /lib/oldssl/
[root@mytest src]# ll /usr/bin/openssl
-rwxr-xr-x 1 root root 333416 Jan 12 2007 /usr/bin/openssl
[root@mytest src]# mv /usr/bin/openssl /usr/bin/BAKopenssl
[root@mytest src]# rm -rf /usr/lib/libcrypto.so //Originally the symlink /usr/lib/libcrypto.so -> ../../lib/libcrypto.so.0.9.7a
[root@mytest src]# rm -rf /usr/lib/libssl.so //Originally the symlink /usr/lib/libssl.so -> ../../lib/libssl.so.0.9.7a; remember to recreate it later
[root@mytest src]# tar xzf openssl-0.9.8g.tar.gz
[root@mytest src]# cd openssl-0.9.8g
[root@mytest openssl-0.9.8g]# ./config shared
[root@mytest openssl-0.9.8g]# make
[root@mytest openssl-0.9.8g]# make test
[root@mytest openssl-0.9.8g]# make install
By default this installs into the /usr/local/ssl/ directory.
[root@mytest openssl-0.9.8g]# /usr/local/ssl/bin/openssl version
OpenSSL 0.9.8g 19 Oct 2007
[root@mytest openssl-0.9.8g]# cp /usr/local/ssl/bin/openssl /usr/bin
[root@mytest openssl-0.9.8g]# openssl version
OpenSSL 0.9.8g 19 Oct 2007
[root@mytest openssl-0.9.8g]# ldd /usr/bin/openssl
libssl.so.0.9.8 => /usr/local/ssl/lib/libssl.so.0.9.8 (0x0075b000)
libcrypto.so.0.9.8 => /usr/local/ssl/lib/libcrypto.so.0.9.8 (0x009e3000)
libdl.so.2 => /lib/libdl.so.2 (0x006e5000)
libc.so.6 => /lib/tls/libc.so.6 (0x00cdd000)
/lib/ld-linux.so.2 (0x007fe000)
Recreate the original symlinks, pointing them at the new libraries:
ln -s /usr/local/ssl/lib/libcrypto.so.0.9.8 /lib/libcrypto.so.4
ln -s /usr/local/ssl/lib/libssl.so.0.9.8 /lib/libssl.so.4
ln -s /usr/local/ssl/lib/libcrypto.so.0.9.8 /usr/lib/libcrypto.so
ln -s /usr/local/ssl/lib/libssl.so.0.9.8 /usr/lib/libssl.so
ln -s /usr/local/ssl/include/openssl /usr/include/openssl
The new version now replaces the old one.
Finally, refresh the system's dynamic linker configuration:
[root@mytest openssl-0.9.8g]# echo /usr/local/ssl/lib >> /etc/ld.so.conf
[root@mytest openssl-0.9.8g]# ldconfig -v
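A check for the relinking and ldconfig steps above, as an added example that is not part of the original post: it classifies the libssl/libcrypto entries of ldd output by where they really resolve once symlinks are followed. The function name and the sample text are constructed for illustration, and GNU readlink is assumed.

```shell
#!/bin/sh
# Added example (not from the original post). Reads `ldd` output on stdin and
# classifies each libssl/libcrypto dependency against the directory holding
# the newly built libraries (first argument):
#   NEW      resolves, after following symlinks, into the new directory
#   OLD      resolves elsewhere, so a leftover copy is still being loaded
#   MISSING  the dynamic linker cannot find it; the program will not start
# Returns 1 if anything is OLD or MISSING. Assumes GNU `readlink -f`.
ssl_link_report() {
    new_dir=$(readlink -f "$1" 2>/dev/null) || new_dir=$1
    rc=0
    while read -r soname arrow path rest; do
        case $soname in
            libssl.so*|libcrypto.so*) ;;
            *) continue ;;
        esac
        if [ "$arrow $path" = "=> not" ]; then
            echo "MISSING $soname"; rc=1; continue
        fi
        # Follow symlinks such as /lib/libssl.so.4 to the real file.
        real=$(readlink -f "$path" 2>/dev/null) || real=$path
        case $real in
            "$new_dir"/*) echo "NEW $soname $real" ;;
            *)            echo "OLD $soname $real"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed samples, shortened from the two ldd listings in this post.
sample_before='	libssl.so.4 => /lib/libssl.so.0.9.7a
	libcrypto.so.4 => /lib/libcrypto.so.0.9.7a
	libdl.so.2 => /lib/libdl.so.2 (0x00852000)'
sample_after='	libssl.so.0.9.8 => /usr/local/ssl/lib/libssl.so.0.9.8 (0x0075b000)
	libcrypto.so.0.9.8 => /usr/local/ssl/lib/libcrypto.so.0.9.8 (0x009e3000)
	libdl.so.2 => /lib/libdl.so.2 (0x006e5000)'

printf '%s\n' "$sample_before" | ssl_link_report /usr/local/ssl/lib ||
    echo "=> old libraries still in use"
printf '%s\n' "$sample_after" | ssl_link_report /usr/local/ssl/lib
```

On a live system, feed it real output, for example ldd /usr/bin/openssl | ssl_link_report /usr/local/ssl/lib, and repeat for the other programs that link against OpenSSL.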
===============================================================
[root@mytest src]# rpm -q zlib //Newer versions of openssh have a version requirement for the zlib library, so upgrade it first
zlib-1.2.1.2-1.2
[root@mytest src]# rpm -ql zlib
/usr/lib/libz.so.1
/usr/lib/libz.so.1.2.1.2
/usr/share/doc/zlib-1.2.1.2
/usr/share/doc/zlib-1.2.1.2/README
[root@mytest src]# ll /usr/lib/libz*
-rwxr-xr-x 1 root root 71716 Jul 12 2005 /usr/lib/libz.a
lrwxrwxrwx 1 root root 15 Feb 24 16:04 /usr/lib/libz.so -> libz.so.1.2.1.2
lrwxrwxrwx 1 root root 15 Feb 24 15:48 /usr/lib/libz.so.1 -> libz.so.1.2.1.2
-rwxr-xr-x 1 root root 62248 Jul 12 2005 /usr/lib/libz.so.1.2.1.2
[root@mytest src]# tar zxf zlib-1.2.3.tar.gz
[root@mytest src]# cd zlib-1.2.3
[root@mytest zlib-1.2.3]# ./configure --prefix=/usr --shared
[root@mytest zlib-1.2.3]# make
[root@mytest zlib-1.2.3]# make check
[root@mytest zlib-1.2.3]# make install
[root@mytest zlib-1.2.3]# rpm -q zlib
zlib-1.2.1.2-1.2
[root@mytest zlib-1.2.3]# ll /usr/lib/libz*
lrwxrwxrwx 1 root root 13 Mar 2 19:48 /usr/lib/libz.so -> libz.so.1.2.3
lrwxrwxrwx 1 root root 13 Mar 2 19:48 /usr/lib/libz.so.1 -> libz.so.1.2.3
-rwxr-xr-x 1 root root 75778 Mar 2 19:48 /usr/lib/libz.so.1.2.3
===============================================================
After openssl has been updated, openssh will no longer start properly, so update openssh as well.
[root@mytest src]# rpm -ql openssh //Likewise, list the related files for the later update
[root@mytest src]# tar xzf openssh-4.7p1.tar.gz
[root@mytest src]# cd openssh-4.7p1
[root@mytest openssh-4.7p1]# ./configure --with-ssl-dir=/usr/local/ssl --with-zlib --with-pam --with-md5-passwords --with-kerberos5
Message shown on completion: PAM is enabled. You may need to install a PAM control file
for sshd, otherwise password authentication may fail.
Example PAM control files can be found in the contrib/ subdirectory //PAM is enabled; if needed, a file from that directory can be copied over and used directly
[root@mytest openssh-4.7p1]# make
[root@mytest openssh-4.7p1]# make install
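Output on completion: the installation finishes and reports the generated key pairs, the installation paths and other information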
Generating public/private rsa1 key pair.
Your identification has been saved in /usr/local/etc/ssh_host_key.
Your public key has been saved in /usr/local/etc/ssh_host_key.pub.
The key fingerprint is:
43:66:b6:09:76:51:e7:23:22:c6:45:b5:63:23:94:d3 root@mytest
Generating public/private dsa key pair.
Your identification has been saved in /usr/local/etc/ssh_host_dsa_key.
Your public key has been saved in /usr/local/etc/ssh_host_dsa_key.pub.
The key fingerprint is:
5f:2e:4d:a6:67:26:69:47:1b:7b:9e:af:ca:6f:dc:a2 root@mytest
Generating public/private rsa key pair.
Your identification has been saved in /usr/local/etc/ssh_host_rsa_key.
Your public key has been saved in /usr/local/etc/ssh_host_rsa_key.pub.
The key fingerprint is:
04:bb:dc:da:e5:2c:27:c9:1c:6f:a3:ce:7c:fb:45:9b root@mytest
/usr/local/sbin/sshd -t -f /usr/local/etc/sshd_config
[root@mytest openssh-4.7p1]# /usr/local/bin/ssh -V
OpenSSH_4.7p1, OpenSSL 0.9.8g 19 Oct 2007
[root@mytest openssh-4.7p1]# mv /usr/bin/ssh /usr/bin/oldssh
[root@mytest openssh-4.7p1]# cp /usr/local/bin/ssh /usr/bin/
[root@mytest openssh-4.7p1]# ssh -V
OpenSSH_4.7p1, OpenSSL 0.9.8g 19 Oct 2007
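The version numbers show that everything has been updated. The messages at the end of make install show that OpenSSH was installed under /usr/local, and all OpenSSH configuration files are placed in the /usr/local/etc directory. Edit the configuration file /usr/local/etc/sshd_config:
vi /usr/local/etc/sshd_config
Remove the comment marker # in front of the following parameters: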
Port 22
Protocol 2,1
RhostsRSAAuthentication no
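The settings above can be checked mechanically before sshd is restarted. The following is an added example, not part of the original post: it reads sshd_config text and reports whether SSH protocol 1, the older protocol that the rsa1 host key generated above belongs to, is still offered, showing the file as posted next to a variant restricted to protocol 2. The function names and sample text are constructed.

```shell
#!/bin/sh
# Added example (not from the original post). Audits sshd_config text read
# from stdin for the settings this post touches. sshd keywords are
# case-insensitive, "#" starts a comment, and the first occurrence wins.
effective_value() {   # usage: effective_value KEYWORD  (config on stdin)
    awk -v key="$1" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        tolower($1) == tolower(key) { print $2; exit }'
}

audit_sshd_config() { # returns 1 if a weak setting is found
    cfg=$(cat)
    rc=0
    proto=$(printf '%s\n' "$cfg" | effective_value Protocol)
    # Assumption: an unset Protocol falls back to the compiled-in default,
    # which in OpenSSH releases of this era is 2,1.
    case ",$proto," in
        ",,")  echo "WARN Protocol unset, default may include 1"; rc=1 ;;
        *,1,*) echo "FAIL Protocol $proto offers SSH protocol 1"; rc=1 ;;
        *)     echo "OK Protocol $proto" ;;
    esac
    rhosts=$(printf '%s\n' "$cfg" | effective_value RhostsRSAAuthentication)
    case $(printf '%s' "$rhosts" | tr 'A-Z' 'a-z') in
        yes) echo "FAIL RhostsRSAAuthentication yes"; rc=1 ;;
        *)   echo "OK RhostsRSAAuthentication ${rhosts:-unset}" ;;
    esac
    return $rc
}

# Constructed samples: the settings uncommented in this post, and the same
# file restricted to protocol 2.
as_posted='#Port 22
Port 22
Protocol 2,1
RhostsRSAAuthentication no'
hardened='Port 22
Protocol 2
RhostsRSAAuthentication no'

printf '%s\n' "$as_posted" | audit_sshd_config || echo "=> review before restart"
printf '%s\n' "$hardened"  | audit_sshd_config
```

On the system from this post the input would be /usr/local/etc/sshd_config; /usr/local/sbin/sshd -t -f /usr/local/etc/sshd_config, which appears in the make install output above, then checks the file's syntax.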
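Finally, edit /etc/init.d/sshd; otherwise the service will not start.
The following parameters differ from the original; mainly the paths have changed: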
#[ -f /etc/sysconfig/sshd ] && . /etc/sysconfig/sshd
KEYGEN=/usr/local/bin/ssh-keygen
SSHD=/usr/local/sbin/sshd
RSA1_KEY=/usr/local/etc/ssh_host_key
RSA_KEY=/usr/local/etc/ssh_host_rsa_key
DSA_KEY=/usr/local/etc/ssh_host_dsa_key
PID_FILE=/var/run/sshd.pid
[root@mytest openssh-4.7p1]# /etc/init.d/sshd start
启动 sshd[ 确定 ]
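Once you have confirmed that it starts without problems, set up its automatic start again. If you are upgrading remotely, be very careful not to disconnect; otherwise, well, you will not be able to connect again.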
[root@mytest openssh-4.7p1]# ll /etc/rc.d/rc3.d/*ssh*
lrwxrwxrwx 1 root root 14 2月 24 15:51 /etc/rc.d/rc3.d/S55sshd -> ../init.d/sshd
[root@mytest openssh-4.7p1]# rm -f /etc/rc.d/rc3.d/S55sshd
[root@mytest openssh-4.7p1]# ln -s /etc/init.d/sshd /etc/rc.d/rc3.d/S55sshd
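SSH1 RSA KEY generation FAILED: installing the latest version of openssh fixes this. I struggled with it for a long time; reading README, INSTALL and the official site did not reveal the cause. In the end I simply installed the latest version and the problem was solved.
Of course, if you are sure the update works without problems, you can first use rpm -e --nodeps to uninstall the openssl and openssh versions that shipped with the system.
Other software upgraded by compiling from source can follow this method as well.
Original article: http://blog.163.com/993_49/blog/static/32432424200892931441152/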