The OpenSSH that ships with the system carries high-risk vulnerabilities and does not pass the security scan, so the latest OpenSSH version is built into RPM packages to patch them.
1. Install the basic build tools

```sh
dnf install wget make gcc perl rpm-build gtk2-devel krb5-devel libXt-devel openssl-devel pam-devel -y
wget http://www.rpmfind.net/linux/centos/8-stream/PowerTools/x86_64/os/Packages/imake-1.0.7-11.el8.x86_64.rpm
dnf localinstall imake-1.0.7-11.el8.x86_64.rpm -y
```

2. Download the source tarballs into the /root/rpmbuild/SOURCES/ directory

```sh
wget https://pkgs.fedoraproject.org/repo/pkgs/openssh/x11-ssh-askpass-1.2.4.1.tar.gz/8f2e41f3f7eaa8543a2440454637f3c3/x11-ssh-askpass-1.2.4.1.tar.gz
wget https://mirrors.aliyun.com/pub/OpenBSD/OpenSSH/portable/openssh-9.2p1.tar.gz
```

3. Extract the openssh source tarball

```sh
tar -zxvf openssh-9.2p1.tar.gz
```

4. Copy the openssh.spec file

```sh
mkdir -p /root/rpmbuild/SOURCES
cp openssh-9.2p1/contrib/redhat/openssh.spec /root/rpmbuild/SOURCES
```

5. Edit the /root/rpmbuild/SOURCES/openssh.spec file

Comment out the `openssl-devel < 1.1` line (otherwise the build fails with a dependency error).

6. Build the RPM packages

```sh
rpmbuild -ba openssh.spec
```
7. The finished packages

```
[root@localhost ~]# tree rpmbuild/RPMS/x86_64/
rpmbuild/RPMS/x86_64/
├── openssh-9.2p1-1.el8.x86_64.rpm
├── openssh-askpass-9.2p1-1.el8.x86_64.rpm
├── openssh-askpass-debuginfo-9.2p1-1.el8.x86_64.rpm
├── openssh-askpass-gnome-9.2p1-1.el8.x86_64.rpm
├── openssh-askpass-gnome-debuginfo-9.2p1-1.el8.x86_64.rpm
├── openssh-clients-9.2p1-1.el8.x86_64.rpm
├── openssh-clients-debuginfo-9.2p1-1.el8.x86_64.rpm
├── openssh-debuginfo-9.2p1-1.el8.x86_64.rpm
├── openssh-debugsource-9.2p1-1.el8.x86_64.rpm
├── openssh-server-9.2p1-1.el8.x86_64.rpm
└── openssh-server-debuginfo-9.2p1-1.el8.x86_64.rpm
0 directories, 11 files
```
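The seven steps above, collected into one script as an added example (this is not code from the original post). The version, URLs, paths and the spec line to comment out are taken from the post; that a detached `.asc` signature sits beside the tarball on the mirror, and that the OpenSSH release key is already in the local gpg keyring, are assumptions. The `patch_spec` function is the repeatable form of step 5 and the fix for the first problem below; the script only runs the full build when invoked with `--run`.

```shell
#!/bin/sh
# Added example, not code from the original post: the build steps above
# collected into one script. Version, URLs, paths and the spec line to
# comment out come from the post; the .asc signature file beside the tarball
# and the OpenSSH release key already being in the gpg keyring are assumptions.
set -eu

OPENSSH_VER="9.2p1"
ASKPASS_VER="1.2.4.1"
TOPDIR="${HOME:-/root}/rpmbuild"
SSH_MIRROR="https://mirrors.aliyun.com/pub/OpenBSD/OpenSSH/portable"
ASKPASS_URL="https://pkgs.fedoraproject.org/repo/pkgs/openssh/x11-ssh-askpass-${ASKPASS_VER}.tar.gz/8f2e41f3f7eaa8543a2440454637f3c3/x11-ssh-askpass-${ASKPASS_VER}.tar.gz"
IMAKE_URL="http://www.rpmfind.net/linux/centos/8-stream/PowerTools/x86_64/os/Packages/imake-1.0.7-11.el8.x86_64.rpm"

# Step 1: build dependencies. pam-devel is included up front because the
# "PAM headers not found" error in %build is exactly that missing package.
install_build_deps() {
    dnf install -y wget make gcc perl rpm-build gtk2-devel krb5-devel libXt-devel openssl-devel pam-devel
    wget -q "$IMAKE_URL"
    dnf localinstall -y "$(basename "$IMAKE_URL")"
}

# Step 2: fetch the sources into SOURCES, plus the detached signature.
fetch_sources() {
    mkdir -p "$TOPDIR/SOURCES" "$TOPDIR/SPECS"
    cd "$TOPDIR/SOURCES"
    wget -q "$ASKPASS_URL"
    wget -q "$SSH_MIRROR/openssh-${OPENSSH_VER}.tar.gz"
    wget -q "$SSH_MIRROR/openssh-${OPENSSH_VER}.tar.gz.asc"   # assumed mirror layout
}

# Verify the release signature before building anything from the tarball;
# gpg exits non-zero (and set -e stops the script) if it does not verify.
verify_tarball() {
    cd "$TOPDIR/SOURCES"
    gpg --verify "openssh-${OPENSSH_VER}.tar.gz.asc" "openssh-${OPENSSH_VER}.tar.gz"
}

# Step 5 as a repeatable edit: prefix the "BuildRequires: openssl-devel < 1.1"
# line with "#" so rpmbuild no longer demands the old OpenSSL. The untouched
# spec is kept next to it as <spec>.orig.
patch_spec() {
    spec="$1"
    cp "$spec" "$spec.orig"
    sed 's/^\([[:space:]]*BuildRequires:[[:space:]]*openssl-devel[[:space:]]*<[[:space:]]*1\.1\)/# \1/' \
        "$spec.orig" > "$spec"
}

# Steps 3-5: unpack, take the Red Hat spec shipped in contrib/, patch it.
# The post edits the spec inside SOURCES; SPECS is the usual place and
# rpmbuild -ba accepts either path.
prepare_spec() {
    cd "$TOPDIR/SOURCES"
    tar -zxf "openssh-${OPENSSH_VER}.tar.gz"
    cp "openssh-${OPENSSH_VER}/contrib/redhat/openssh.spec" "$TOPDIR/SPECS/openssh.spec"
    patch_spec "$TOPDIR/SPECS/openssh.spec"
}

# Step 6: build; the packages land in RPMS/x86_64 as listed in step 7.
build_rpms() {
    rpmbuild -ba "$TOPDIR/SPECS/openssh.spec"
    ls "$TOPDIR/RPMS/x86_64/"
}

# Only run the full build when asked; sourcing the file just defines the functions.
if [ "${1:-}" = "--run" ]; then
    install_build_deps
    fetch_sources
    verify_tarball
    prepare_spec
    build_rpms
fi
```

Run it as `sh build-openssh.sh --run` on the build host. Keeping the original spec as `openssh.spec.orig` makes the one-line change reviewable with `diff`, and verifying the signature before `rpmbuild` means a tampered tarball on a mirror stops the build instead of ending up packaged as the system's sshd.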
Problems encountered:

1. Missing build dependency

```
[root@localhost SPECS]# rpmbuild -ba openssh.spec
error: Failed build dependencies:
	openssl-devel < 1.1 is needed by openssh-9.2p1-1.el8.x86_64
```

Fix: comment out the `openssl-devel < 1.1` line in the /root/rpmbuild/SOURCES/openssh.spec file.

2. PAM headers not found

```
configure: error: PAM headers not found
error: Bad exit status from /var/tmp/rpm-tmp.ni9gQB (%build)
RPM build errors:
    Bad exit status from /var/tmp/rpm-tmp.ni9gQB (%build)
```

Fix: install pam-devel.

```sh
dnf install pam-devel -y
```
Points to watch when installing or upgrading openssh:

1. Back up the original openssh configuration files beforehand so they can be restored if something goes wrong;
2. Watch the use of PAM: if PAM is enabled and the sshd configuration under pam.d is wrong, logins will fail;
3. Make sure out-of-band access is available, so the system can still be reached if the upgrade fails;
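A backup-then-check helper for the three points above, added here as an example (not code from the original post). The file locations are the standard ones on a RHEL-family host; the `root` argument exists so the checks can be exercised against a copy of the tree, and the install and restart commands at the bottom are an assumed sequence using the package names from step 7.

```shell
#!/bin/sh
# Added example, not code from the original post: a backup-then-check helper
# for the three cautions above. File locations are the standard ones on a
# RHEL-family host; the "root" argument exists so the checks can be exercised
# on a copy of the tree, and the install/restart commands at the bottom are
# an assumed sequence, not from the post.
set -eu

# Caution 1: archive sshd_config (and the rest of /etc/ssh) plus the PAM stack
# for sshd before touching the packages. Restoring is one tar call:
#   tar -xf <archive> -C /
backup_ssh_config() {
    root="$1"   # "/" on a live host
    dest="$2"   # directory that receives the archive
    archive="$dest/openssh-backup-$(date +%Y%m%d%H%M%S).tar"
    tar -cf "$archive" -C "$root" etc/ssh etc/pam.d/sshd
    echo "$archive"
}

# Caution 2: when sshd_config turns PAM on, /etc/pam.d/sshd must exist and
# carry at least one real rule; a missing or empty stack makes every
# password / keyboard-interactive login fail once the new sshd starts.
# Returns 0 when the stack is usable (or PAM is off), 1 otherwise.
check_pam_stack() {
    root="$1"
    cfg="$root/etc/ssh/sshd_config"
    pam="$root/etc/pam.d/sshd"
    if grep -Eiq '^[[:space:]]*UsePAM[[:space:]]+yes' "$cfg"; then
        if ! grep -Eq '^[[:space:]]*(auth|account|password|session)[[:space:]]' "$pam" 2>/dev/null; then
            echo "UsePAM is on but $pam has no usable PAM rules" >&2
            return 1
        fi
    fi
    return 0
}

# Caution 3 belongs to the operator, not the script: run this from a console
# or another out-of-band path, and keep the current SSH session open until a
# fresh login against the upgraded sshd succeeds.
if [ "${1:-}" = "--run" ]; then
    archive="$(backup_ssh_config / /root)"
    echo "configuration backed up to $archive"
    check_pam_stack /
    dnf localinstall -y /root/rpmbuild/RPMS/x86_64/openssh-9.2p1-1.el8.x86_64.rpm \
        /root/rpmbuild/RPMS/x86_64/openssh-clients-9.2p1-1.el8.x86_64.rpm \
        /root/rpmbuild/RPMS/x86_64/openssh-server-9.2p1-1.el8.x86_64.rpm
    check_pam_stack /          # the upgrade may have replaced /etc/pam.d/sshd
    sshd -t                    # syntax-check the config with the new binary first
    systemctl restart sshd
fi
```

The second `check_pam_stack` call after the install matters: a package upgrade can overwrite `/etc/pam.d/sshd`, and `sshd -t` only validates `sshd_config`, not the PAM stack, so a broken stack would otherwise surface as failed logins after the restart.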