CentOS 7 升级 openssh 8.4p1

CentOS 7 升级 openssh 8.4p1

作者: akka9 | 来源:发表于2020-12-25 03:42 被阅读0次

升级之后的问题和解决办法:

老客户端连不上(OpenSSH 8.x 默认不再启用基于 SHA-1 / 1024 位 DH 组的旧密钥交换算法,旧客户端握手时通常报 no matching key exchange method found 或 no kex alg 一类错误)

配置文件增加

# Re-enable legacy key exchange so old clients can still connect.  The
# leading "+" appends to the default list, so the modern algorithms stay
# available.  diffie-hellman-group1-sha1 uses a 1024-bit group and is
# considered broken (Logjam-class attacks); leave it out unless a specific
# client really cannot do group14.  Remove this line once those clients
# are upgraded.
KexAlgorithms=+diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1

兼容老的密钥交换算法。`+` 表示追加到默认列表,不会去掉默认的强算法;但 diffie-hellman-group1-sha1 只有 1024 位 DH 组,是已知弱算法(Logjam 一类攻击),只在确有旧客户端必须用它时才加,并在客户端升级后删掉这一行。如果加了之后仍连不上,先看 `journalctl -u sshd` 里 `no matching ...` 提示缺的是 kex、cipher、MAC 还是 host key 算法,再按需放开,不要一次性把所有旧算法都打开。

root 连不上(OpenSSH 8.x 的 PermitRootLogin 默认值是 prohibit-password:只允许 root 用密钥登录,禁止口令登录)

# OpenSSH 8.x defaults PermitRootLogin to prohibit-password (key-only root).
# "yes" re-enables password logins for root over the network, which is the
# account every brute-force campaign targets.  Prefer keeping
# prohibit-password and logging in with a key, or a normal user plus sudo;
# use "yes" only as a short-lived bridge while keys are rolled out.
PermitRootLogin yes
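## Install dropbear as a fallback SSH daemon on a second port, so that a
## broken sshd after the upgrade does not lock you out.  Needs root (the
## build steps further down must NOT run as root, so use sudo here).  On
## CentOS 7 dropbear normally comes from EPEL rather than the base repos.
sudo yum install -y dropbear

## -w: refuse root logins on the fallback; -R: create host keys on first
## start; -p: a port sshd does not use.  Open that port in firewalld/iptables
## (and label it ssh_port_t with semanage if SELinux is enforcing) or the
## fallback is unreachable exactly when you need it.
echo "OPTIONS=' -w -R -p 44444 '" | sudo tee /etc/sysconfig/dropbear

sudo systemctl enable dropbear
sudo systemctl restart dropbear

## Confirm it is listening and test a login on the new port from a second
## terminal BEFORE touching sshd.  Remove dropbear again once the upgrade is
## verified: a second SSH daemon is extra attack surface.
ss -tanpl | grep dropbear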


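# Fetch the CentOS 7.9 OpenSSH source RPM.  Presumably it is wanted for the
# Red Hat source files (sshd.pam, sshd.service, sshd-keygen, ...) that the
# spec additions near the end of this page reference -- confirm.  Check the
# package signature before unpacking it: vault.centos.org is the official
# archive, but the signature is what actually ties the file to CentOS.
# (rpm -K needs the CentOS 7 key imported: rpm --import
# /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7.)
wget -c https://vault.centos.org/7.9.2009/os/Source/SPackages/openssh-7.4p1-21.el7.src.rpm
rpm -K openssh-7.4p1-21.el7.src.rpm

# Installing a .src.rpm as the build user only unpacks it under
# ~/rpmbuild/SOURCES and ~/rpmbuild/SPECS; it needs no root.
rpm -i openssh-7.4p1-21.el7.src.rpm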

openssh8.4p1 下载地址:ftp://mirrors.sonic.net/pub/OpenBSD/OpenSSH/portable/openssh-8.4p1.tar.gz(这是明文 FTP 镜像。建议改用 https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.4p1.tar.gz,并下载同目录的 openssh-8.4p1.tar.gz.asc,用 OpenSSH 发布密钥 `gpg --verify` 校验后再编译——这是要装到每台机器上的 sshd,来源必须可验证。)
/x11-ssh-askpass 下载地址:http://www.jmknoble.net/software/x11-ssh-askpass/x11-ssh-askpass-1.2.4.1.tar.gz(同样是明文 HTTP,而且只在构建 askpass 子包时才用到;至少核对一下校验和再放进 SOURCES。)


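## Build dependencies.  rpm-build provides the rpmbuild command itself and is
## not pulled in by anything else in this list; gcc/make, openssl-devel and
## zlib-devel are what OpenSSH's configure step needs to compile and link.
## tcp_wrappers-devel is kept only for parity with the old CentOS spec --
## portable OpenSSH dropped tcp_wrappers support in 6.7, so 8.4p1 ignores it.
sudo yum install -y rpm-build gcc make openssl-devel zlib-devel \
  gtk2-devel libX11-devel openldap-devel autoconf automake audit-libs-devel \
  groff pam-devel tcp_wrappers-devel fipscheck-devel systemd-devel \
  libedit-devel xauth libXt-devel imake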


####  Everything from here on runs as an unprivileged user, never as root:
####  rpmbuild as root can write straight into the live system on a bad spec.
mkdir -p ~/rpmbuild/{SOURCES,SPECS,SRPMS}
# The two tarballs are expected in the current directory.  Verify the OpenSSH
# tarball against its .asc signature (or at least its published hash) before
# building from it -- it was fetched over plain FTP above.
cp openssh-8.4p1.tar.gz ~/rpmbuild/SOURCES
cp x11-ssh-askpass-1.2.4.1.tar.gz ~/rpmbuild/SOURCES

cd ~/rpmbuild/SOURCES
# Unpacked here only to get at the upstream Red Hat spec file; rpmbuild
# normally unpacks the tarball again itself from SOURCES.
tar zxf openssh-8.4p1.tar.gz
# NOTE(review): this replaces the openssh.spec that "rpm -i" of the CentOS
# src.rpm presumably placed in ~/rpmbuild/SPECS (same file name) -- intended?
cp ~/rpmbuild/SOURCES/openssh-8.4p1/contrib/redhat/openssh.spec ~/rpmbuild/SPECS/

cd ~/rpmbuild/SPECS

# NOTE(review): the first sed already turns every "..._askpass 0" into
# "..._askpass 1", so the two explicit seds after it match nothing.  The
# macros are named no_x11_askpass / no_gnome_askpass, so a value of 1
# presumably means "do not build that askpass sub-package" -- which does not
# match the askpass RPMs listed in the build output further down, and would
# leave the x11-ssh-askpass tarball unused.  Confirm which setting is wanted.
sed -i -e "s/_askpass 0/_askpass 1/g" openssh.spec 
sed -i -e "s/%define no_x11_askpass 0/%define no_x11_askpass 1/g" openssh.spec 
sed -i -e "s/%define no_gnome_askpass 0/%define no_gnome_askpass 1/g" openssh.spec
# NOTE(review): CentOS 7 ships openssl-devel with Epoch 1 (1:1.0.2k), and RPM
# compares the epoch before the version, so "openssl-devel < 1.1" can never be
# satisfied even though the real version is 1.0.x -- presumably why the
# BuildRequires is commented out.  The configure step still checks the actual
# library, so this only relaxes the package-level dependency.
sed -i -e "s/BuildRequires: openssl-devel < 1.1/#BuildRequires: openssl-devel < 1.1/g"  openssh.spec

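# Back up the current sshd config, host keys and PAM file before the package
# scriptlets run.  sed's "a" appends each line right after the "%pre server"
# header, so they execute before the rest of that section.  /etc/ssh holds the
# private host keys: copy with -a to keep root ownership and 0600 modes rather
# than relying on the umask, and guard the copy so a repeated install cannot
# nest a new copy inside an old /etc/ssh_bak (cp -r would silently do that).
# Each guard ends in a true branch, so the scriptlet never fails just because
# there was nothing to back up on a fresh install.
sed -i '/%pre server/a[ ! -e /etc/pam.d/sshd ] || cp -a /etc/pam.d/sshd /etc/pam.d/sshd.bak'  openssh.spec
sed -i '/%pre server/a[ ! -d /etc/ssh ] || [ -e /etc/ssh_bak ] || cp -a /etc/ssh /etc/ssh_bak'  openssh.spec

# After the server sub-package is installed, make sure the private host keys
# are readable by root only.  These keys are what clients trust the host by;
# a group- or world-readable key is a full host impersonation.
sed -i '/%post server/achmod  600  /etc/ssh/ssh_host_*_key'  openssh.spec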

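# The sshd.pam that ships in contrib/redhat does not work here: per the
# original author it replaces /etc/pam.d/sshd on install and logins fail
# afterwards.  Ship our own file instead.  The stack below looks like the
# stock CentOS 7 /etc/pam.d/sshd; the SELinux (pam_sepermit / pam_selinux),
# audit (pam_loginuid) and pam_namespace lines are what the system relies on
# for session labelling and audit trails, so keep them if you ever trim it.
# The heredoc delimiter is quoted so nothing inside is subject to shell
# expansion, whatever gets added to the file later.

cat > ~/rpmbuild/SOURCES/sshd.pam <<'EOF'
#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare


EOF

# Register the file as Source2 (right after Source1) and install it at the end
# of %install (just before %clean) so the packaged /etc/pam.d/sshd is ours.
# Both seds silently do nothing if the spec has no "Source1" or "%clean" line,
# so print the result and check that both edits actually landed.
sed -i '/^Source1.*/aSource2: sshd.pam'  openssh.spec
sed -i '/^%clean/iinstall -m644 %{SOURCE2} $RPM_BUILD_ROOT/etc/pam.d/sshd'  openssh.spec
grep -n 'Source2: sshd.pam\|%{SOURCE2}' openssh.spec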


# Build: produces the binary RPMs plus a rebuilt SRPM from the patched spec.
# Still as the unprivileged build user -- a bad %install run as root can
# write straight into the live system.
rpmbuild -ba openssh.spec

# The debuginfo sub-package is not shipped to the target hosts; drop it.
rm -rf -- "$HOME"/rpmbuild/RPMS/x86_64/openssh-debuginfo-*

# What remains is the set copied to each host alongside install.sh.
ls -- "$HOME"/rpmbuild/RPMS/x86_64

openssh-8.4p1-1.el7.x86_64.rpm          
openssh-askpass-gnome-8.4p1-1.el7.x86_64.rpm  
openssh-askpass-8.4p1-1.el7.x86_64.rpm  
openssh-clients-8.4p1-1.el7.x86_64.rpm        
openssh-server-8.4p1-1.el7.x86_64.rpm




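#!/usr/bin/env bash
# install.sh -- upgrade script.
#
# Rolls the locally built OpenSSH 8.4p1 RPMs (plus the dropbear fallback) onto
# a CentOS 7 host.  Run it as root from the directory that holds the RPMs
# listed below.  Order matters: the dropbear fallback is brought up and
# verified *before* sshd is replaced, so a broken sshd cannot lock you out.
# Keep the session you ran this from open until a fresh login on port 22 has
# been confirmed.
set -euo pipefail

# Work from the directory this script lives in, where the RPMs are.
work_path=$(dirname "$(readlink -f "$0")")
cd "$work_path"
pwd

# yum, systemctl and writing /etc/sysconfig all need root; fail early instead
# of half-way through (the original mixed "sudo tee" with a plain yum).
if [[ $EUID -ne 0 ]]; then
  echo "install.sh must be run as root" >&2
  exit 1
fi

# Port for the dropbear fallback.  It must be open in firewalld/iptables and,
# on an enforcing SELinux host, labelled ssh_port_t
# (semanage port -a -t ssh_port_t -p tcp PORT), or the fallback is unreachable.
fallback_port=20044

# --disablerepo='*': install only the local files, never anything from a repo.
yum --disablerepo='*' install -y ./libtom*.rpm ./dropbear*.rpm

# -w: refuse root logins on the fallback (same as the manual dropbear setup
# earlier on this page; drop it only if you genuinely must use root here).
# -R: generate host keys on first start.
printf "OPTIONS=' -w -R -p %s '\n" "$fallback_port" > /etc/sysconfig/dropbear
cat /etc/sysconfig/dropbear
systemctl enable dropbear
systemctl restart dropbear

# Do not touch sshd unless the fallback is really listening.
if ! ss -tanpl | grep dropbear >/dev/null; then
  echo "dropbear is not listening on port $fallback_port; aborting before touching sshd" >&2
  exit 1
fi

# The real upgrade.  lib*.rpm covers the X11 libraries the askpass
# sub-package needs.  (The original also listed openssl*.rpm, but there is no
# such file in the package set below; add it back only if you ship one.)
yum --disablerepo='*' install -y ./openssh*.rpm ./lib*.rpm

# Syntax-check sshd_config with the *new* binary before restarting: an option
# the new version rejects would otherwise leave sshd down.
/usr/sbin/sshd -t

systemctl restart sshd
systemctl status sshd --no-pager

ss -tanpl | grep -E 'dropbear|sshd'
ssh -V
rpm -q openssh-server

# Once a fresh login on port 22 has been verified from another terminal,
# remove the fallback -- a second SSH daemon is extra attack surface:
#   systemctl disable --now dropbear && yum remove -y dropbear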

# rpm 包(与 install.sh 放在同一目录,install.sh 按文件名通配安装。注意这份列表里没有 openssl 包,但上面 install.sh 第一条 yum 里写了 openssl*.rpm,两者要对上)
dropbear-2017.75-1.el7.x86_64.rpm
install.sh
libICE-1.0.9-9.el7.x86_64.rpm
libSM-1.2.2-2.el7.x86_64.rpm
libtomcrypt-1.17-26.el7.x86_64.rpm
libtommath-0.42.0-6.el7.x86_64.rpm
libX11-1.6.7-3.el7_9.x86_64.rpm
libX11-common-1.6.7-3.el7_9.noarch.rpm
libXau-1.0.8-2.1.el7.x86_64.rpm
libxcb-1.13-1.el7.x86_64.rpm
libXt-1.1.5-3.el7.x86_64.rpm
openssh-8.4p1-1.el7.x86_64.rpm
openssh-askpass-8.4p1-1.el7.x86_64.rpm
openssh-clients-8.4p1-1.el7.x86_64.rpm
openssh-server-8.4p1-1.el7.x86_64.rpm




TODO:

#cat /etc/pam.d/sshd
#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare




# 启动脚本 init 改为 systemd(未完成。下面这些 SourceN 文件应来自前面 `rpm -i` 解开的 CentOS 7 src.rpm 放进 ~/rpmbuild/SOURCES 的那一套;另外同时装 init 脚本(Source3)和 systemd unit 没有必要,systemd 发现同名 unit 时会忽略 init 脚本)
Source1 一行后面加上这些:

Source2: sshd.pam
Source3: sshd.init
Source6: ssh-keycat.pam
Source7: sshd.sysconfig
Source9: sshd@.service
Source10: sshd.socket
Source11: sshd.service
Source12: sshd-keygen.service
Source13: sshd-keygen

%clean 前面(通常就是 %install 段末尾)加上这些。注意 rpmbuild 要求 %install 装进 buildroot 的每个文件都必须出现在某个 %files 里,否则会以 "Installed (but unpackaged) file(s) found" 报错;下面追加到 %files 的条目里没有 /etc/rc.d/init.d/sshd(SOURCE3)和 /etc/pam.d/sshd(SOURCE2),要先确认上游 spec 的 %files server 已经列出它们。

install -d $RPM_BUILD_ROOT/etc/pam.d/
install -d $RPM_BUILD_ROOT/etc/sysconfig/
install -d $RPM_BUILD_ROOT/etc/rc.d/init.d
install -d $RPM_BUILD_ROOT%{_libexecdir}/openssh
install -d $RPM_BUILD_ROOT%{_libdir}/fipscheck


install -m644 %{SOURCE2} $RPM_BUILD_ROOT/etc/pam.d/sshd
install -m644 %{SOURCE6} $RPM_BUILD_ROOT/etc/pam.d/ssh-keycat
install -m755 %{SOURCE3} $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd
install -m644 %{SOURCE7} $RPM_BUILD_ROOT/etc/sysconfig/sshd
install -m755 %{SOURCE13} $RPM_BUILD_ROOT/%{_sbindir}/sshd-keygen
install -d -m755 $RPM_BUILD_ROOT/%{_unitdir}
install -m644 %{SOURCE9} $RPM_BUILD_ROOT/%{_unitdir}/sshd@.service
install -m644 %{SOURCE10} $RPM_BUILD_ROOT/%{_unitdir}/sshd.socket
install -m644 %{SOURCE11} $RPM_BUILD_ROOT/%{_unitdir}/sshd.service
install -m644 %{SOURCE12} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen.service


%endif

%if ! %{no_x11_askpass}
%files askpass
前面加上(也就是追加到通常紧挨在它之前的 %files server 段末尾;这里声明的属主/权限决定了安装后文件的实际权限,/etc/sysconfig/sshd 用 0640 是合适的):
%attr(0640,root,root) %config(noreplace) /etc/sysconfig/sshd
%attr(0644,root,root) %{_unitdir}/sshd.service
%attr(0644,root,root) %{_unitdir}/sshd@.service
%attr(0644,root,root) %{_unitdir}/sshd.socket
%attr(0644,root,root) %{_unitdir}/sshd-keygen.service
%attr(0755,root,root) %{_sbindir}/sshd-keygen
%attr(0644,root,root) %config(noreplace) /etc/pam.d/ssh-keycat




参考: https://blog.csdn.net/u011394161/article/details/108995428
