
Linux升级openssh+openssl步骤及自动升级脚本

Linux自带的ssh版本一般与系统版本相差无几,然而,为了达到更高的安全标准,常常需要升级openssh和Openssl至更新版本,本文讲述在CentOS系统下的更新方法,并附自动升级的shell脚本。

安装前建议先备份原openssl和openssh,步骤略。

部署openssl

点击此处访问OpenSSL官方下载页面查看是否有新版本,否则无需更新。

安装依赖包

# Build dependencies for OpenSSL: compiler, perl (used by OpenSSL's configure step) and zlib headers for the zlib option.
yum install -y gcc perl zlib zlib-devel

安装openssl

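# Build and install OpenSSL 1.1.1g under /usr/local/openssl (manual steps; the script further down automates the same flow).
cd /opt/installation || exit 1

wget https://www.openssl.org/source/openssl-1.1.1g.tar.gz

# Compare this digest with the SHA-256 published on the OpenSSL download page before extracting.
sha256sum openssl-1.1.1g.tar.gz

# If OpenSSL was previously installed under /usr/local, move it aside first:
# mv /usr/local/openssl /opt/installation/bak/usr.local.openssl.bak

tar zxvf openssl-1.1.1g.tar.gz
cd openssl-1.1.1g || exit 1

./config --prefix=/usr/local/openssl --shared zlib

make && make install

# Back up the system binary and headers only after a successful install,
# so a failed build leaves the original /usr/bin/openssl in place.
mkdir -p /opt/installation/bak
mv /usr/bin/openssl /opt/installation/bak/usr.bin.openssl.bak
mv /usr/include/openssl /opt/installation/bak/usr.include.openssl.bak

ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
ln -s /usr/local/openssl/include/openssl /usr/include/openssl

# Register the new library directory with the loader only once; re-running the steps would otherwise duplicate the entry.
grep -q '^/usr/local/openssl/lib/$' /etc/ld.so.conf || echo "/usr/local/openssl/lib/" >> /etc/ld.so.conf

# On release 8 do not run `ldconfig -v` (as the original note says); use plain `ldconfig` there.
ldconfig -v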

查看openssl版本

# Expect 1.1.1g here; an older string means /usr/bin/openssl still resolves to the system copy rather than the new symlink.
openssl version

部署openssh

点击此处访问OpenSSH官方下载页面查看是否有新版本,否则无需更新。

安装依赖包

# Build dependencies for OpenSSH: compiler, OpenSSL and PAM headers (for --with-pam), and rpm-build.
yum install -y gcc openssl-devel pam-devel rpm-build

安装openssh

# 备份旧版openssh

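# Build and install OpenSSH 8.3p1 under /usr/local/openssh, linked against the OpenSSL built above.
# Back up the init script and PAM file first (the backup directory is created if missing).
mkdir -p /opt/installation/bak
cp -f /etc/init.d/sshd /opt/installation/bak/etc.init.d.sshd.bak
cp -f /etc/pam.d/sshd.pam /opt/installation/bak/etc.pam.d.sshd.pam.bak

# If OpenSSH was previously installed under /usr/local, move it aside first:
# mv /usr/local/openssh /opt/installation/bak/usr.local.openssh.bak

cd /opt/installation || exit 1
wget https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.3p1.tar.gz
# Compare this digest with the SHA-256 published with the release before extracting.
sha256sum openssh-8.3p1.tar.gz
tar zxvf openssh-8.3p1.tar.gz
cd openssh-8.3p1 || exit 1

# --with-ssl-dir is the option OpenSSH's configure understands (the automation script below uses the same name);
# drop it when OpenSSL was not built from source.
./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/openssl --with-pam --with-zlib --with-md5-passwords
make && make install

# Swap the system binaries only after a successful install, so a failed build leaves the old sshd usable.
mv /usr/bin/ssh-keygen /opt/installation/bak/usr.bin.ssh-keygen.bak
mv /usr/sbin/sshd /opt/installation/bak/usr.sbin.sshd.bak
mv /usr/bin/ssh /opt/installation/bak/usr.bin.ssh.bak
ln -s /usr/local/openssh/bin/ssh-keygen /usr/bin/ssh-keygen
ln -s /usr/local/openssh/sbin/sshd /usr/sbin/sshd
# Link the client instead of deleting it; removing /usr/bin/ssh is what makes `ssh` disappear from PATH.
ln -s /usr/local/openssh/bin/ssh /usr/bin/ssh

cp -f contrib/redhat/sshd.init /etc/init.d/sshd
# NOTE(review): PAM looks up the "sshd" service in /etc/pam.d/sshd; this copy lands as /etc/pam.d/sshd.pam
# (kept as on the original page) — confirm which file is actually consulted.
cp -f contrib/redhat/sshd.pam /etc/pam.d/

# A stock sshd build refuses host keys readable by group or others; cover every key type present, not only ed25519.
chmod 600 /etc/ssh/ssh_host_*_key

systemctl enable sshd
# CentOS 6 equivalents:
# chkconfig --add sshd
# chkconfig sshd on

# Add PermitRootLogin only when it is not already set, so repeated runs do not stack directives.
grep -q '^PermitRootLogin' /etc/ssh/sshd_config || echo "PermitRootLogin    yes" >> /etc/ssh/sshd_config

# Validate the configuration with the new binary before (re)starting the service.
/usr/sbin/sshd -t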

切记:一定检查openssh是否开机启动!

没有编译部署openssl则必须去掉“--with-openssl-dir=/usr/local/openssl”参数,另外如果编译过程中出现如下错误:

configure: error: OpenSSL library not found.

可以尝试指定如下参数:

--with-openssl-includes={openssl-inc-dir} --with-openssl-libraries={openssl-lib-dir}

查看openssh版本

# Expect OpenSSH_8.3p1; the client prints its version on stderr, so redirect 2>&1 when capturing it.
ssh -V

修改sshd_config

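vim /etc/ssh/sshd_config

# sshd treats a trailing "#..." on an option line as extra arguments and rejects the file,
# so the explanatory notes go on their own lines.
# Allow root to log in ("no" or "prohibit-password" is the safer choice for hosts reachable from untrusted networks).
PermitRootLogin        yes
# Reject logins with an empty password.
PermitEmptyPasswords   no
# Whether password authentication is accepted at all (as opposed to key-only).
PasswordAuthentication yes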

启动openssh

# Start the rebuilt daemon; use `restart` when sshd is already running, otherwise the old binary stays loaded.
service sshd start

自动部署脚本

该脚本已在CentOS6/7/8中进行测试。

#!/bin/bash
# Upgrade OpenSSL and OpenSSH from source on CentOS 6/7 (the script stops early on release 8).
# Everything tunable lives in this section: working/backup directories, log files,
# and for each package its version, tarball, download URL and install prefix.

# working directory, backup directory and the two log files
inspath=/opt/installation
bakpath=$inspath/bak
exelogs=$inspath/install.log
errlogs=$inspath/error.log

# --- OpenSSL ---
soft1pt=/usr/local/openssl                        # install prefix
soft1uv=1.1.1g                                    # no upgrade when the installed version is this or newer
soft1dr=openssl-$soft1uv                          # directory the tarball extracts to
soft1=$soft1dr.tar.gz                             # tarball name
soft1dl=https://www.openssl.org/source/$soft1     # download URL

# --- OpenSSH ---
soft2pt=/usr/local/openssh                        # install prefix
soft2uv=8.3p1                                     # no upgrade when the installed version is this or newer
soft2dr=openssh-$soft2uv                          # directory the tarball extracts to
soft2=$soft2dr.tar.gz                             # tarball name
soft2dl=https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/$soft2   # download URL

##### 准备工作 #####

# 检查操作系统版本
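# Major release number = first digit run in /etc/redhat-release (e.g. "7.9.2009" -> 7).
osversion=$(grep -oE '[0-9]+' /etc/redhat-release 2>/dev/null | head -n 1)
if [ -z "${osversion}" ]; then
  # Not a RHEL-family host (or the file is unreadable): the rpm/yum steps below cannot work.
  echo "########无法读取/etc/redhat-release,终止升级########" > upgrade-openssh.log
  exit 1
fi
if [ "${osversion}" -ge 8 ]; then
  echo "########当前操作系统版本已经很新了,不需要升级########" > upgrade-openssh.log
  exit 0
fi
# wget is needed for the downloads in UPOPENSSL/UPOPENSSH; rpm -q's exit status says whether it is installed.
if ! rpm -q wget >/dev/null 2>&1; then
  yum -y install wget
fi
# Install directory: the log files live here, so it must exist before the first write.
if [ -d "${inspath}" ]; then
  echo -e "########升级OPENSSL/OPENSSH########\n安装目录已存在" > "${exelogs}"
else
  mkdir -p "${inspath}" || exit 1
  echo -e "########升级OPENSSL/OPENSSH########\n成功创建安装目录" > "${exelogs}"
fi
# Backup directory for the files replaced by the upgrade.
if [ -d "${bakpath}" ]; then
  echo "备份目录已存在" >> "${exelogs}"
else
  mkdir -p "${bakpath}" || exit 1
  echo "成功创建备份目录" >> "${exelogs}"
fi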

#检查依赖包
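CHKPACKS () {
  # Install every package named in the global array deppacks that rpm does not report as installed.
  # Globals: deppacks (read), exelogs (appended to). A failed install is logged but does not abort,
  # matching the original best-effort behaviour; configure reports missing headers later anyway.
  local pack
  for pack in "${deppacks[@]}"; do
    if ! rpm -q "${pack}" >/dev/null 2>&1; then
      if yum -y install "${pack}"; then
        echo "安装依赖包${pack}" >> "${exelogs}"
      else
        echo "依赖包${pack}安装失败" >> "${exelogs}"
      fi
    fi
  done
}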

# 配置安装程序
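CHKCONFIG () {
  # Inspect the configure error log written by the caller: abort when it records an error,
  # otherwise remove it and continue. Exits 1 on failure (the original exited 0, which hid
  # the failure from any caller checking the script's status).
  # Globals: errlogs (read, removed on success), exelogs (appended to).
  [ -e "${errlogs}" ] || return 0
  if grep -qE ": error|终止" "${errlogs}"; then
    echo "配置失败,终止安装,请手动删除错误日志文件" >> "${exelogs}"
    exit 1
  fi
  echo "完成配置,开始安装"  >> "${exelogs}"
  rm -f "${errlogs}"
}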

##### 安装Openssl #####

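UPOPENSSL () {
  # Download, build and install OpenSSL under ${soft1pt}, then point /usr/bin/openssl and
  # /usr/include/openssl at it and register ${soft1pt}/lib/ with the loader.
  # Globals: inspath, bakpath, exelogs, errlogs, soft1, soft1dl, soft1dr, soft1pt (read); deppacks (set).
  # Environment: OPENSSL_SHA256 - optional expected SHA-256 of ${soft1}; when set, a mismatch aborts.
  # Exits 1 when the working directory, download, archive or build is unusable.
  local chgfile1="/usr/bin/openssl"
  local chgfile2="/usr/include/openssl"
  local ldentry="${soft1pt}/lib/"
  deppacks=(gcc perl zlib zlib-devel)
  CHKPACKS
  cd "${inspath}" || exit 1
  # Fetch the archive unless it is already present.
  if [ -e "${soft1}" ]; then
    echo "安装包${soft1}已存在" >> "${exelogs}"
  else
    echo "现在开始下载${soft1}" >> "${exelogs}"
    wget "${soft1dl}" || exit 1
  fi
  # Integrity check against the vendor-published digest; skipped when OPENSSL_SHA256 is unset.
  if [ -n "${OPENSSL_SHA256:-}" ]; then
    if ! printf '%s  %s\n' "${OPENSSL_SHA256}" "${soft1}" | sha256sum -c - >/dev/null 2>&1; then
      echo "安装包${soft1}校验失败,终止安装" >> "${exelogs}"
      exit 1
    fi
  fi
  # A previous /usr/local install must move aside before `make install` writes to the same prefix.
  if [ -d "${soft1pt}" ]; then
    mv "${soft1pt}" "${bakpath}/usr.local.openssl.bak"
    echo "成功备份目录${soft1pt}" >> "${exelogs}"
  fi
  tar zxvf "${soft1}" || exit 1
  if [ ! -d "${soft1dr}" ]; then
    echo "安装目录${soft1dr}不存在,终止安装" >> "${exelogs}"
    exit 1
  fi
  cd "${soft1dr}" || exit 1
  echo "开始编译openssl" >> "${exelogs}"
  # Only error lines are kept; CHKCONFIG decides from them whether to continue.
  ./config --prefix="${soft1pt}" shared zlib | grep -E "error|终止" > "${errlogs}"
  CHKCONFIG
  make depend
  if ! make || ! make install; then
    echo "编译或安装openssl失败,终止安装" >> "${exelogs}"
    exit 1
  fi
  # Replace the system binary/headers only now, so a failed build leaves the original openssl usable.
  if [ -e "${chgfile1}" ] || [ -L "${chgfile1}" ]; then
    mv "${chgfile1}" "${bakpath}/usr.bin.openssl"
    echo "成功备份文件${chgfile1}" >> "${exelogs}"
  fi
  if [ -e "${chgfile2}" ] || [ -L "${chgfile2}" ]; then
    mv "${chgfile2}" "${bakpath}/usr.include.openssl"
    echo "成功备份文件${chgfile2}" >> "${exelogs}"
  fi
  # Link targets derive from ${soft1pt} instead of a hard-coded path, so changing the prefix stays consistent.
  ln -s "${soft1pt}/bin/openssl" "${chgfile1}"
  ln -s "${soft1pt}/include/openssl" "${chgfile2}"
  if grep -qF "${ldentry}" /etc/ld.so.conf; then
    echo "参数已存在,无需修改ld.so.conf" >> "${exelogs}"
  else
    echo "${ldentry}" >> /etc/ld.so.conf
    echo "已修改配置文件ld.so.conf" >> "${exelogs}"
  fi
  ldconfig -v
  echo "成功升级OPENSSL" >> "${exelogs}"
}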

##### 安装Openssh #####

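UPOPENSSH () {
  # Download, build and install OpenSSH under ${soft2pt} against the OpenSSL in ${soft1pt},
  # back up and relink the system sshd/ssh/ssh-keygen, fix host-key permissions, make sure the
  # service is enabled at boot and set PermitRootLogin.
  # Globals: inspath, bakpath, exelogs, errlogs, soft1pt, soft2, soft2dl, soft2dr, soft2pt, osversion (read); deppacks (set).
  # Environment: OPENSSH_SHA256 - optional expected SHA-256 of ${soft2}; a mismatch aborts.
  #              PERMIT_ROOT_LOGIN - value written for PermitRootLogin; defaults to "yes" (the original
  #              behaviour). "no" or "prohibit-password" are the usual choices for exposed hosts.
  # Exits 1 when the working directory, download, archive or build is unusable.
  local chgfile1="/etc/init.d/sshd"
  local chgfile2="/etc/pam.d/sshd.pam"
  local chgfile3="/usr/bin/ssh-keygen"
  local chgfile4="/usr/sbin/sshd"
  local chgfile5="/usr/bin/ssh"
  local -a chmfiles=("/etc/ssh/ssh_host_rsa_key" "/etc/ssh/ssh_host_ecdsa_key" "/etc/ssh/ssh_host_ed25519_key")
  local chmfile permitroot current
  deppacks=(openssh-clients gcc openssl-devel pam-devel rpm-build)
  CHKPACKS
  cd "${inspath}" || exit 1
  # Fetch the archive unless it is already present.
  if [ -e "${soft2}" ]; then
    echo "安装包${soft2}已存在" >> "${exelogs}"
  else
    echo "现在开始下载${soft2}" >> "${exelogs}"
    wget "${soft2dl}" || exit 1
  fi
  # Integrity check against the vendor-published digest; skipped when OPENSSH_SHA256 is unset.
  if [ -n "${OPENSSH_SHA256:-}" ]; then
    if ! printf '%s  %s\n' "${OPENSSH_SHA256}" "${soft2}" | sha256sum -c - >/dev/null 2>&1; then
      echo "安装包${soft2}校验失败,终止安装" >> "${exelogs}"
      exit 1
    fi
  fi
  # Previous /usr/local install and the init/PAM files are backed up before the build.
  if [ -d "${soft2pt}" ]; then
    mv "${soft2pt}" "${bakpath}/usr.local.openssh.bak"
    echo "成功备份目录${soft2pt}" >> "${exelogs}"
  fi
  if [ -e "${chgfile1}" ]; then
    cp -f "${chgfile1}" "${bakpath}/etc.init.d.sshd"
    echo "成功备份文件${chgfile1}" >> "${exelogs}"
  fi
  if [ -e "${chgfile2}" ]; then
    cp -f "${chgfile2}" "${bakpath}/etc.pam.d.sshd.pam"
    echo "成功备份文件${chgfile2}" >> "${exelogs}"
  fi
  tar zxvf "${soft2}" || exit 1
  if [ ! -d "${soft2dr}" ]; then
    echo "安装目录${soft2dr}不存在,终止安装" >> "${exelogs}"
    exit 1
  fi
  cd "${soft2dr}" || exit 1
  echo "开始编译openssh" >> "${exelogs}"
  # Only error lines are kept; CHKCONFIG decides from them whether to continue.
  ./configure --prefix="${soft2pt}" --sysconfdir=/etc/ssh --with-ssl-dir="${soft1pt}" --with-pam --with-zlib --with-md5-passwords | grep -E "error|终止" > "${errlogs}"
  CHKCONFIG
  if ! make || ! make install; then
    echo "编译或安装openssh失败,终止安装" >> "${exelogs}"
    exit 1
  fi
  # Swap the system binaries only after a successful install, so a failed build leaves the old sshd usable.
  if [ -e "${chgfile3}" ] || [ -L "${chgfile3}" ]; then
    mv "${chgfile3}" "${bakpath}/usr.bin.ssh-keygen"
    echo "成功备份文件${chgfile3}" >> "${exelogs}"
  fi
  if [ -e "${chgfile4}" ] || [ -L "${chgfile4}" ]; then
    mv "${chgfile4}" "${bakpath}/usr.sbin.sshd.bak"
    echo "成功备份文件${chgfile4}" >> "${exelogs}"
  fi
  if [ -e "${chgfile5}" ] || [ -L "${chgfile5}" ]; then
    mv "${chgfile5}" "${bakpath}/usr.bin.ssh"
    echo "成功备份文件${chgfile5}" >> "${exelogs}"
  fi
  cp -f contrib/redhat/sshd.init "${chgfile1}"
  # NOTE(review): PAM looks up the "sshd" service in /etc/pam.d/sshd; this copy lands in
  # /etc/pam.d/sshd.pam (the original path) — confirm which file sshd actually consults.
  cp -f contrib/redhat/sshd.pam "${chgfile2}"
  # A stock sshd build refuses host keys readable by group or others.
  for chmfile in "${chmfiles[@]}"; do
    if [ -e "${chmfile}" ]; then
      chmod 600 "${chmfile}"
    fi
  done
  if [ "${osversion:-0}" -ge 7 ]; then
    # `grep enabled` also matched "disabled"; is-enabled's exit status is unambiguous.
    if ! systemctl is-enabled sshd >/dev/null 2>&1; then
      systemctl enable sshd
    fi
  else
    if ! /sbin/chkconfig --list sshd >/dev/null 2>&1; then
      /sbin/chkconfig --add sshd
    fi
    /sbin/chkconfig sshd on
  fi
  # PermitRootLogin: append when absent, otherwise replace the whole value (the original
  # substituted "no"->"yes" inside the value, which left e.g. "prohibit-password" untouched).
  permitroot="${PERMIT_ROOT_LOGIN:-yes}"
  current=$(awk '/^PermitRootLogin/ {print $2; exit}' /etc/ssh/sshd_config)
  if [ -z "${current}" ]; then
    echo "PermitRootLogin    ${permitroot}" >> /etc/ssh/sshd_config
  elif [ "${current}" != "${permitroot}" ]; then
    sed -i "s/^PermitRootLogin.*/PermitRootLogin    ${permitroot}/" /etc/ssh/sshd_config
  fi
  echo "已经配置PermitRootLogin ${permitroot}" >> "${exelogs}"
  # Link targets derive from ${soft2pt} instead of a hard-coded path.
  ln -s "${soft2pt}/bin/ssh-keygen" "${chgfile3}"
  ln -s "${soft2pt}/sbin/sshd" "${chgfile4}"
  ln -s "${soft2pt}/bin/ssh" "${chgfile5}"
  # Validate the configuration with the new binary so a broken sshd_config is noticed before the service is restarted.
  if ! "${chgfile4}" -t; then
    echo "sshd -t 配置检查失败,请在启动sshd前修正/etc/ssh/sshd_config" >> "${exelogs}"
  fi
  echo "成功升级OPENSSH" >> "${exelogs}"
}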

##### 开始执行升级程序 #####

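# Return 0 when the installed version ($2) is empty or older than the target ($1).
# sort -V compares components numerically, so 8.3p1 < 8.10p1; the original string comparison
# (`[ target \> current ]`) got that case backwards and would have re-installed over a newer build.
NEEDUPGRADE () {
  local target="$1" current="$2" newest
  [ -z "${current}" ] && return 0
  newest=$(printf '%s\n%s\n' "${target}" "${current}" | sort -V | tail -n 1)
  [ "${newest}" != "${current}" ]
}

# "OpenSSL 1.1.1g  21 Apr 2020" / "OpenSSL 1.0.2k-fips ..." -> second field split on space or dash.
version=$(openssl version 2>/dev/null | awk -F'[ -]' '{print $2}')
if NEEDUPGRADE "${soft1uv}" "${version}"; then
  echo -e "############升级OPENSSL############\n当前openssl版本是${version}\n将升级到${soft1dr}" >> "${exelogs}"
  UPOPENSSL
else
  echo -e "############升级OPENSSL############\n当前openssl版本是${version},不需要升级" >> "${exelogs}"
fi

# "OpenSSH_8.3p1, OpenSSL ..." is printed on stderr -> second field split on underscore or comma.
version=$(ssh -V 2>&1 | awk -F'[_,]' '{print $2}')
if NEEDUPGRADE "${soft2uv}" "${version}"; then
  echo -e "############升级OPENSSH############\n当前openssh版本是${version}\n将升级到${soft2dr}" >> "${exelogs}"
  UPOPENSSH
else
  echo -e "############升级OPENSSH############\n当前openssh版本是${version},不需要升级" >> "${exelogs}"
fi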

故障分析

如果执行ssh时提示:

-bash: /usr/local/openssh/bin/ssh: Permission denied

通过以下方案修复:

# Both install prefixes must be traversable by non-root users, otherwise executing the linked binaries fails with "Permission denied".
chmod 755 /usr/local/openssh /usr/local/openssl

如果执行ssh时提示:

-bash: ssh: command not found

则需要安装openssh-clients:

# Restores /usr/bin/ssh when the client binary was removed during the upgrade.
yum install -y openssh-clients
