centos7升级openssh9.3p1

制作rpm包

安装依赖包

yum install -y rpm-build gcc gcc-c++ glibc glibc-devel openssl-devel openssl pcre-devel zlib zlib-devel make wget krb5-devel pam-devel libX11-devel xmkmf libXt-devel initscripts libXt-devel imake gtk2-devel lrzsz

创建制作rpm相关目录

mkdir -pv /root/rpmbuild/{BUILD,BUILDROOT,RPMS,SOURCES,SPECS,SRPMS}

下载openssh和x11-ssh-askpass安装包

cd /root/rpmbuild/SOURCES/
wget https://mirrors.aliyun.com/pub/OpenBSD/OpenSSH/portable/openssh-9.3p1.tar.gz
tar -xf openssh-9.3p1.tar.gz
#下载x11-ssh-askpass-1.2.4.1.tar.gz
wget https://src.fedoraproject.org/repo/pkgs/openssh/x11-ssh-askpass-1.2.4.1.tar.gz

编辑编译配置文件

cp openssh-9.3p1/contrib/redhat/openssh.spec /root/rpmbuild/SPECS/
cd /root/rpmbuild/SPECS/
#不生产ask包
sed -i -e "s/%global no_gnome_askpass 0/%global no_gnome_askpass 1/g" openssh.spec
sed -i -e "s/%global no_x11_askpass 0/%global no_x11_askpass 1/g" openssh.spec
#修改openssl-devel的报错
sed -i '/openssl-devel < 1.1/s/^/#/' openssh.spec
#修改PreReq的报错
sed -i '/PreReq:/s/^/#/' openssh.spec

编译文件

rpmbuild -ba openssh.spec
#生产rpm文件
[root@localhost SPECS]# ls /root/rpmbuild/RPMS/x86_64/
openssh-9.3p1-1.el7.x86_64.rpm          openssh-debuginfo-9.3p1-1.el7.x86_64.rpm
openssh-clients-9.3p1-1.el7.x86_64.rpm  openssh-server-9.3p1-1.el7.x86_64.rpm

升级openssh

yum localinstall openssh-9.3p1-1.el7.x86_64.rpm openssh-clients-9.3p1-1.el7.x86_64.rpm openssh-server-9.3p1-1.el7.x86_64.rpm -y

验证openssh是否升级成功

#修改文件权限
chmod 600 /etc/ssh/ssh_host_rsa_key
chmod 600 /etc/ssh/ssh_host_ecdsa_key
chmod 600 /etc/ssh/ssh_host_ed25519_key

#检查是否有配置错误
sshd -t
#/etc/pam.d/sshd配置丢失，从其他机器拷贝一份配置过来

#注释掉/etc/pam.d/password-auth /etc/pam.d/system-auth中uid >= 1000的行，否则root不能登陆
sed -i '/uid < 1000/s/^/#/' /etc/pam.d/password-auth
sed -i '/uid < 1000/s/^/#/' /etc/pam.d/system-auth

#修改/etc/ssh/sshd_config
sed -i '/^#PermitRootLogin yes/s/^#//' /etc/ssh/sshd_config

#重启sshd服务
systemctl restart sshd

遇到的问题

读写权限不对

现象

[root@localhost x86_64]# sshd -t
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_rsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Unable to load host key "/etc/ssh/ssh_host_rsa_key": bad permissions
Unable to load host key: /etc/ssh/ssh_host_rsa_key
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_ecdsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Unable to load host key "/etc/ssh/ssh_host_ecdsa_key": bad permissions
Unable to load host key: /etc/ssh/ssh_host_ecdsa_key
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_ed25519_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Unable to load host key "/etc/ssh/ssh_host_ed25519_key": bad permissions
Unable to load host key: /etc/ssh/ssh_host_ed25519_key
sshd: no hostkeys available -- exiting.

解决方法

chmod 600 /etc/ssh/ssh_host_rsa_key
chmod 600 /etc/ssh/ssh_host_ecdsa_key
chmod 600 /etc/ssh/ssh_host_ed25519_key

重启后服务正常，但是无法正常登陆

现象

Mar 25 17:44:22 localhost sshd[56496]: PAM adding faulty module: /usr/lib64/security/pam_stack.so

[root@localhost x86_64]# tail -f /var/log/secure
Mar 25 17:44:10 localhost polkitd[584]: Registered Authentication Agent for unix-process:56480:1949117 (system bus name :1.71 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale zh_CN.UTF-8)
Mar 25 17:44:10 localhost sshd[56494]: Server listening on 0.0.0.0 port 22.
Mar 25 17:44:10 localhost sshd[56494]: Server listening on :: port 22.
Mar 25 17:44:10 localhost polkitd[584]: Unregistered Authentication Agent for unix-process:56480:1949117 (system bus name :1.71, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale zh_CN.UTF-8) (disconnected from bus)
Mar 25 17:44:22 localhost sshd[56496]: PAM unable to dlopen(/usr/lib64/security/pam_stack.so): /usr/lib64/security/pam_stack.so: cannot open shared object file: No such file or directory
Mar 25 17:44:22 localhost sshd[56496]: PAM adding faulty module: /usr/lib64/security/pam_stack.so
Mar 25 17:44:22 localhost sshd[56496]: Failed password for root from 192.168.184.1 port 2515 ssh2
Mar 25 17:44:25 localhost sshd[56496]: Failed password for root from 192.168.184.1 port 2515 ssh2
Mar 25 17:44:27 localhost sshd[56496]: Failed password for root from 192.168.184.1 port 2515 ssh2
Mar 25 17:44:27 localhost sshd[56496]: Connection closed by authenticating user root 192.168.184.1 port 2515 [preauth]

解决方法

[root@localhost pam.d]# grep pam_stack.so *
sshd:auth       required     pam_stack.so service=system-auth
sshd:account    required     pam_stack.so service=system-auth
sshd:password   required     pam_stack.so service=system-auth
sshd:session    required     pam_stack.so service=system-auth
#查找在那个配置文件中启用了改模块。注释改行配置
[root@localhost pam.d]# grep pam_stack.so * -l
sshd