After many attempts I finally found a simple, easy script online that upgraded successfully, and I am sharing it here.
1. Preparation: two source tarballs are needed, from the following URLs:
OpenSSH download: http://www.openssh.com/portable.html (openssh-8.4p1.tar.gz)
OpenSSL download: https://ftp.openssl.org/source/ (openssl-1.1.1i.tar.gz)
2. To avoid being locked out of the server if the upgrade fails, enable the telnet service first as a fallback login.
Install telnet-server and xinetd:
yum install xinetd telnet-server -y
Edit /etc/securetty and append pts/1 through pts/3 at the end of the file, so that it ends like this:
vi /etc/securetty
xvc0
pts/0
pts/1
pts/2
pts/3
Enable both services at boot:
systemctl enable xinetd
systemctl enable telnet.socket
Start the telnet service:
systemctl start telnet.socket
systemctl start xinetd
Once you have confirmed that you can log in to the server over telnet, start the upgrade.
3. The script found online:
#!/bin/bash
# author:wangxinyu
# company:lx
# version: v8.4
# date: Fri Oct 16 18:16:23 CST 2020
# state: Continuously updated
#
# Prerequisites:
# 1. A working yum repository
# 2. Telnet enabled as a fallback login, in case the SSH session drops
# 3. The latest source tarballs uploaded to the server
#
# Variables to edit by hand
version="ssh_8.4"                  # version tag; also the name of the work directory
soft_dir="/home/my"                # directory the tarballs were uploaded to
ssl_media="openssl-1.1.1i.tar.gz"  # OpenSSL tarball name
ssh_media="openssh-8.4p1.tar.gz"   # OpenSSH tarball name
#
ssl_soft="$soft_dir/$ssl_media"
ssh_soft="$soft_dir/$ssh_media"
filepath="$soft_dir/$version"      # work directory; check_point.log is written here
#
if [ -f "$ssl_soft" ] && [ -f "$ssh_soft" ]; then
    mkdir -p "$filepath"
else
    # the work directory does not exist yet, so log next to the script
    echo "`date +%H:%M:%S`--install media does not exist: $ssl_soft $ssh_soft" | tee -a ./check_point.log
    echo "`date +%H:%M:%S`--exit" | tee -a ./check_point.log
    exit 1
fi
# Install the packages the build depends on
function InstallDeploy(){
    echo "`date +%H:%M:%S`--install the dependency packages.." | tee -a $filepath/check_point.log
    yum -y install gcc pam-devel zlib-devel perl openssl-devel
    echo "`date +%H:%M:%S`--install completed " | tee -a $filepath/check_point.log
}
#
function Unpack(){
    echo "`date +%H:%M:%S`--Unpack the packages.... " | tee -a $filepath/check_point.log
    cd "$filepath" || exit 1
    # unpack the tarballs named in the variables above (the original hard-coded openssl-1.1.1h here)
    tar xvf "$ssl_soft"
    tar xvf "$ssh_soft"
    echo "`date +%H:%M:%S`--Unpack completed " | tee -a $filepath/check_point.log
}
function Backup(){
    echo "`date +%H:%M:%S`--Backup important files..." | tee -a $filepath/check_point.log
    # \cp bypasses the cp='cp -i' alias so nothing prompts
    \cp -af /usr/lib64/openssl /usr/lib64/openssl.old
    \cp -af /usr/bin/openssl /usr/bin/openssl.old
    \cp -af /etc/pki/ca-trust/extracted/openssl /etc/pki/ca-trust/extracted/openssl.old
    \cp -af /usr/lib64/libcrypto.so.10 /usr/lib64/libcrypto.so.10.old
    \cp -af /usr/lib64/libssl.so.10 /usr/lib64/libssl.so.10.old
    # dated full copy of the ssh configuration and host keys
    \cp -arf /etc/ssh/ /etc/ssh_`date +%F`
    echo "`date +%H:%M:%S`--Backup completed " | tee -a $filepath/check_point.log
}
function Installopenssl(){
    echo "`date +%H:%M:%S`--Installopenssl...." | tee -a $filepath/check_point.log
    cd $filepath/openssl*/ || exit 1
    echo "`date +%H:%M:%S`--start to install openssl........." | tee -a $filepath/check_point.log
    # installs under /usr/local (binary in /usr/local/bin, libraries in /usr/local/lib64);
    # the system OpenSSL in /usr/bin and /usr/lib64 is left in place
    ./config --prefix=/usr/local --openssldir=/usr/local/openssl
    make && make install || { echo "`date +%H:%M:%S`--openssl build failed, stopping" | tee -a $filepath/check_point.log; exit 1; }
    # make the new shared libraries visible to the dynamic linker
    echo "/usr/local/lib64/" >> /etc/ld.so.conf
    ldconfig
    echo "`date +%H:%M:%S`--openssl upgrade complete..." | tee -a $filepath/check_point.log
    # reports whichever openssl binary comes first in PATH
    echo "`date +%H:%M:%S`--version: `openssl version`" | tee -a $filepath/check_point.log
    echo "`date +%H:%M:%S`--Installopenssl completed " | tee -a $filepath/check_point.log
}
function Installopenssh(){
    echo "`date +%H:%M:%S`--Installopenssh...." | tee -a $filepath/check_point.log
    cd $filepath/openssh*/ || exit 1
    echo "`date +%H:%M:%S`--start to install openssh..." | tee -a $filepath/check_point.log
    # --prefix=/usr overwrites the packaged binaries in /usr/bin and /usr/sbin in place.
    # --with-tcp-wrappers no longer does anything: tcp_wrappers support was removed in
    #   OpenSSH 6.7, and configure only warns about the unknown option.
    # --with-ssl-dir points at the --openssldir (config directory) chosen above, not at the
    #   /usr/local prefix that holds the new headers and libraries; the upgrade result
    #   reported below ("OpenSSL 1.0.2k-fips") shows the installed ssh still reports the
    #   system OpenSSL.
    # --with-zlib=/usr/local/lib64 only adds that directory to the search path; zlib-devel
    #   lives in /usr/lib64 and is found there.
    ./configure \
        --prefix=/usr \
        --sysconfdir=/etc/ssh \
        --with-md5-passwords \
        --with-pam \
        --with-tcp-wrappers \
        --with-ssl-dir=/usr/local/openssl \
        --with-zlib=/usr/local/lib64 \
        --without-hardening
    make || { echo "`date +%H:%M:%S`--openssh build failed, stopping" | tee -a $filepath/check_point.log; exit 1; }
    # the RHEL package leaves the host keys 640 root:ssh_keys; a stock sshd refuses
    # host keys readable by group or others, so tighten them before installing
    chmod 600 /etc/ssh/ssh_host*
    make install || { echo "`date +%H:%M:%S`--openssh install failed, stopping" | tee -a $filepath/check_point.log; exit 1; }
    echo "`date +%H:%M:%S`--Installopenssh completed " | tee -a $filepath/check_point.log
}
function Configssh(){
    echo "`date +%H:%M:%S`--Config ssh...." | tee -a $filepath/check_point.log
    cd $filepath/openssh*/ || exit 1
    # replace the packaged systemd unit with the SysV init script shipped in the source tree
    mv /usr/lib/systemd/system/sshd.service /usr/lib/systemd/system/sshd.service_bk
    cp contrib/redhat/sshd.init /etc/init.d/sshd
    chmod a+x /etc/init.d/sshd
    # PAM reads /etc/pam.d/sshd, so the distribution's file stays in effect;
    # this copy only keeps the upstream example next to it
    cp contrib/redhat/sshd.pam /etc/pam.d/sshd.pam
    chkconfig --add sshd
    chkconfig sshd on
    # let systemd notice that the unit file is gone and the init script is in
    systemctl daemon-reload
    systemctl enable sshd
    # Re-enable key exchange methods that OpenSSH 8.4 no longer offers by default
    # (diffie-hellman-group1-sha1, diffie-hellman-group-exchange-sha1) for old clients.
    # sshd uses the first value it finds for each keyword, so this appended line only
    # takes effect if sshd_config has no earlier KexAlgorithms line.
    echo "KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1" >> /etc/ssh/sshd_config
    #sed -i 's/PermitRootLogin/#&/' /etc/ssh/sshd_config
    #echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
    echo "`date +%H:%M:%S`--Config ssh done" | tee -a $filepath/check_point.log
    echo "`date +%H:%M:%S`--Restart ssh service...." | tee -a $filepath/check_point.log
    systemctl restart sshd
    echo "`date +%H:%M:%S`--Restart ssh completed " | tee -a $filepath/check_point.log
}
# run the steps in order
function start(){
    InstallDeploy
    Unpack
    Backup
    Installopenssl
    Installopenssh
    Configssh
}
start
Upgrade result: OpenSSH_8.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
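Added here as a check to run once the script has finished; this is example code written for this page, not from the original post or from the script's author. It parses the ssh -V banner to confirm that the OpenSSH version meets the 8.4 target, reports which OpenSSL the binary says it is using (the result above shows the system 1.0.2k, not the newly built 1.1.1i), and lists the SHA-1 and group1 key-exchange methods that the script's appended KexAlgorithms line re-enables. The function names and the sshd_config fragment are constructed for the demonstration; SAMPLE_BANNER is the result reported above. Run it with --live on the upgraded host to check the real binary and /etc/ssh/sshd_config.

```shell
#!/bin/bash
# Added example, not from the original post: checks to run after the upgrade
# script finishes. Function names and the sample sshd_config fragment are
# constructed; SAMPLE_BANNER is the upgrade result reported in the post.

# ssh_version_ok BANNER MIN -> 0 if the OpenSSH major.minor in BANNER is >= MIN
# (e.g. "8.4"), 1 if it is older, 2 if no OpenSSH version is found in BANNER.
ssh_version_ok() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9]*\)\.\([0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 2
    # shellcheck disable=SC2086
    set -- $ver "${2%%.*}" "${2#*.}"   # $1 major, $2 minor, $3 min major, $4 min minor
    [ "$1" -gt "$3" ] || { [ "$1" -eq "$3" ] && [ "$2" -ge "$4" ]; }
}

# openssl_from_banner BANNER -> prints the OpenSSL version string in the banner.
# ssh -V reports the OpenSSL library the binary is using, so "1.0.2k-fips"
# means the CentOS/RHEL 7 system library, not the freshly built 1.1.1i.
openssl_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^.*OpenSSL \([^ ]*\).*/\1/p'
}

# weak_kex_in_config FILE -> prints, one per line, every method on an
# uncommented KexAlgorithms line in FILE that relies on SHA-1 or the 1024-bit
# group1; prints nothing when none is present. Commented lines are skipped.
weak_kex_in_config() {
    sed -n 's/^[[:space:]]*KexAlgorithms[[:space:]]*//p' "$1" \
        | tr ',' '\n' \
        | grep -E -- '-sha1$|group1-' \
        | LC_ALL=C sort -u
}

# --- constructed demo input ---
SAMPLE_BANNER="OpenSSH_8.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017"
# write_sample_config FILE: an sshd_config fragment ending with the line the
# upgrade script appends; the commented-out line must be ignored
write_sample_config() {
    cat > "$1" <<'EOF'
Port 22
# KexAlgorithms diffie-hellman-group1-sha1
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
EOF
}

if [ "${1:-}" = "--live" ]; then
    # on the upgraded host: ./check_upgrade.sh --live
    banner=$(ssh -V 2>&1)
    ssh_version_ok "$banner" 8.4 && echo "OK   $banner" || echo "FAIL $banner"
    echo "INFO linked OpenSSL: $(openssl_from_banner "$banner")"
    sshd -t && echo "OK   sshd_config parses"   # sshd -t: test mode, non-zero on config errors
    weak=$(weak_kex_in_config /etc/ssh/sshd_config)
    [ -z "$weak" ] && echo "OK   no SHA-1/group1 kex" || printf 'WEAK kex: %s\n' $weak
else
    # offline demo on the constructed input
    tmp=$(mktemp)
    write_sample_config "$tmp"
    ssh_version_ok "$SAMPLE_BANNER" 8.4 && echo "OK   $SAMPLE_BANNER" || echo "FAIL $SAMPLE_BANNER"
    echo "INFO linked OpenSSL: $(openssl_from_banner "$SAMPLE_BANNER")"
    printf 'WEAK kex: %s\n' $(weak_kex_in_config "$tmp")
    rm -f "$tmp"
fi
```

sshd takes the first value it finds for each keyword, so the line the script appends only takes effect when no earlier KexAlgorithms line exists; the function reports every uncommented line regardless, which is what an audit wants to see. Once these checks pass, the telnet fallback from step 2 can be switched off again (systemctl stop telnet.socket xinetd; systemctl disable telnet.socket xinetd), since telnet carries credentials in the clear.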
Warning: upgrade with care!
I had to upgrade ssh because a security audit required it. Along the way I wrecked three test machines and tried many upgrade approaches before finding this script; I upgraded successfully twice on test machines before doing it for real on production.
The advantage of this script is that the ssh session was never interrupted from the start of the upgrade to the end. It is still not perfect, but it should be enough to pass the check.