参考:https://www.cnblogs.com/fsckzy/p/10834550.html Centos 升级至 OpenSSH 8 rpm包制作
RPM打包使用的是rpmbuild命令,这个命令来自rpm-build软件包,这个是必装的。
yum install rpm-build -y #安装rpm-build软件,以提供rpmbuild命令
69 ssh -V
70 rpm -qa openssh
71 yum install rpm-build zlib-devel openssl-devel gcc perl-devel pam-devel unzip -y
72 mkdir -p /root/rpmbuild/{SOURCES,SPECS}
73 cd /root/rpmbuild/SOURCES
74 wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.0p1.tar.gz
75 yum install wget
76 wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.0p1.tar.gz #下载后建议用官方发布的签名或校验值核对源码包完整性,再进行打包
77 wget https://src.fedoraproject.org/repo/pkgs/openssh/x11-ssh-askpass-1.2.4.1.tar.gz/8f2e41f3f7eaa8543a2440454637f3c3/x11-ssh-askpass-1.2.4.1.tar.gz
78 tar zxvf openssh-8.0p1.tar.gz openssh-8.0p1/contrib/redhat/openssh.spec
79 mv openssh-8.0p1/contrib/redhat/openssh.spec ../SPECS/
80 chown sshd:sshd /root/rpmbuild/SPECS/openssh.spec
81 cp /root/rpmbuild/SPECS/openssh.spec /root/rpmbuild/SPECS/openssh.spec_def
82 sed -i -e "s/%define no_gnome_askpass 0/%define no_gnome_askpass 1/g" /root/rpmbuild/SPECS/openssh.spec
83 sed -i -e "s/%define no_x11_askpass 0/%define no_x11_askpass 1/g" /root/rpmbuild/SPECS/openssh.spec
84 cd /root/rpmbuild/SPECS/
85 rpmbuild -ba openssh.spec #第一次失败
87 vi openssh.spec #去除依赖
89 rpmbuild -ba openssh.spec #第二次失败
92 sudo yum -y install gcc gcc-c++ #安装gcc、g++
93 make -v
100 rpmbuild -ba openssh.spec #第三次失败
101 yum install zlib-devel #安装zlib
102 rpmbuild -ba openssh.spec #第四次失败
103 yum install -y openssl-devel
104 rpmbuild -ba openssh.spec #第五次失败
105 yum -y install pam-devel #安装pam
106 rpmbuild -ba openssh.spec #成功
通过rpmbuild编译生成的rpm包如下:
安装openssh:
rpm -Uvh *.rpm
至此,升级完成,但因为OPENSSH升级后,/etc/ssh/sshd_config会被还原至默认状态,还需要进行相应配置(下面两条echo会开启root登录和密码认证,应按升级前的原有配置决定是否追加;若原先使用密钥登录,则无需开启):
cd /etc/ssh/
chmod 400 ssh_host_ecdsa_key ssh_host_ed25519_key ssh_host_rsa_key
echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
echo "PasswordAuthentication yes" >> /etc/ssh/sshd_config
systemctl restart sshd
/etc/pam.d/sshd文件也会被覆盖,我们进行还原:
[root@localhost ssh]# true> /etc/pam.d/sshd
[root@localhost ssh]# vi /etc/pam.d/sshd
#%PAM-1.0
auth required pam_sepermit.so
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
## pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
## pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth
查看升级后的openssh版本号:升级到8.0版本了
[root@localhost ssh]# ssh -V
OpenSSH_8.0p1, OpenSSL 1.0.2k-fips 26 Jan 2017
注意:如果新开终端连接时提示root密码错误,并且已经按照上面的后续操作完成配置,那可能就是SELinux的问题,我们进行临时禁用(setenforce 0 只是切换到permissive模式,重启后恢复):
setenforce 0
即可正常登录,然后修改/etc/selinux/config 文件进行永久禁用SELinux(永久禁用会使整个系统失去SELinux的强制访问控制;如只需放行,可改为SELINUX=permissive,仍会记录拒绝日志以便排查):
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
重启机器后才会生效,查看状态:
[root@uap ~]# getenforce
Disabled