编译环境
系统版本: CentOS 7
软件版本:
- openssh-8.8p1.tar.gz
- x11-ssh-askpass-1.2.4.1.tar.gz
编译 OpenSSH
- 依赖包
yum install rpm-build zlib-devel openssl-devel gcc krb5-devel pam-devel libX11-devel libXt-devel gtk2-devel imake -y
- 创建编译目录
mkdir -p /root/rpmbuild/{SOURCES,SPECS}
- 下载 openssh-8.8p1编译包和 x11-ssh-askpass 依赖包并解压修改配置
https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.8p1.tar.gz
安装包上传至/root/rpmbuild/SOURCES目录下
cd /root/rpmbuild/SOURCES
tar -zvxf openssh-8.8p1.tar.gz
cp openssh-8.8p1/contrib/redhat/openssh.spec /root/rpmbuild/SPECS/
sed -i -e "s/%define no_x11_askpass 0/%define no_x11_askpass 1/g" /root/rpmbuild/SPECS/openssh.spec
sed -i -e "s/%define no_gnome_askpass 0/%define no_gnome_askpass 1/g" /root/rpmbuild/SPECS/openssh.spec
vim /root/rpmbuild/SPECS/openssh.spec
# 注释掉 BuildRequires: openssl-devel < 1.1 这一行
- 开始编译
rpmbuild -ba /root/rpmbuild/SPECS/openssh.spec
编译成功后 RPM 软件包存放在 /root/rpmbuild/RPMS/x86_64/ 目录下
cd /root/rpmbuild/RPMS/x86_64/ && ll
编译 OpenSSL
升级 OpenSSH
前提条件
必须使用多台物理机在不用网络环境下(有线连接和手机热点连接)打开多个SSH终端,避免因为网络中断安装失败,导致 SSH 连接不上主机。
安装过程中不能断开当前 SSH 终端连接,必须在 OpenSSH 服务启动后并且测试新的 SSH 终端可以连接的情况下断开。否则主机将无法连接进入终端。
安装 OpenSSH
- 备份 PAM
cp /etc/pam.d/sshd /etc/pam.d/sshd.bak
以下为 /etc/pam.d/sshd 内容备份
#%PAM-1.0
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare
- 安装 OpenSSH RPM 软件包 (会自动处理依赖关系)
cd /root/rpmbuild/RPMS/x86_64/
yum install openssh-8.8p1-1.el7.x86_64.rpm openssh-clients-8.8p1-1.el7.x86_64.rpm openssh-server-8.8p1-1.el7.x86_64.rpm
- 允许 Root 用户登录
注意检查/etc/ssh/sshd_config中是否启用密码登录,即PasswordAuthentication yes
echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
- 给予权限
cd /etc/sshd
chmod 600 ssh_host_ecdsa_key ssh_host_ed25519_key ssh_host_rsa_key
- 恢复 PAM
cp /etc/pam.d/sshd.bak /etc/pam.d/sshd
- 重启 OpenSSH 并检查启动状态
ssh -V
systemctl daemon-reload
systemctl restart sshd
systemctl status sshd
systemctl enable sshd
至此,升级完成,先别关闭当前SSH终端,直接新开一个终端,连接到服务器测试。
降级 OpenSSH
正常情况下,降级是不会覆盖 /etc/pam.d/sshd 和 vi /etc/ssh/sshd_config , 但保险起见还是对文件进行备份检查。
- 备份 PAM
cp /etc/pam.d/sshd /etc/pam.d/sshd.bak2
- 降级
yum downgrade openssh openssh-clients openssh-server
- 检查配置文件
vi /etc/ssh/sshd_config
PermitRootLogin yes
PasswordAuthentication yes
- 检查 PAM 如果被修改则恢复
cat /etc/pam.d/sshd
- 重启服务
ssh -V
systemctl daemon-reload
systemctl restart sshd
systemctl status sshd
systemctl enable sshd
至此,降级完成,先别关闭当前SSH终端,直接新开一个终端,连接到服务器测试。
标签:sshd,rpmbuild,OpenSSH,CentOS7,etc,ssh,openssh,8.8,pam From: https://www.cnblogs.com/Likfees/p/16963189.html