Rocky Linux 9.4基于官方源码制作openssh 9.8p1二进制rpm包 —— 筑梦之路

2024年7月1日，openssh 9.8版本发布，主要修复了CVE-2024-6387安全漏洞。

由于centos 7的生命周期在6月30日终止，因此需要逐步替换到Rocky Linux，后续会有更多分享关于Rocky Linux的文章。

环境说明

1. 操作系统版本

cat /etc/os-release 
NAME="Rocky Linux"
VERSION="9.4 (Blue Onyx)"
ID="rocky"
ID_LIKE="rhel centos fedora"
VERSION_ID="9.4"
PLATFORM_ID="platform:el9"
PRETTY_NAME="Rocky Linux 9.4 (Blue Onyx)"
ANSI_COLOR="0;32"
LOGO="fedora-logo-icon"
CPE_NAME="cpe:/o:rocky:rocky:9::baseos"
HOME_URL="https://rockylinux.org/"
BUG_REPORT_URL="https://bugs.rockylinux.org/"
SUPPORT_END="2032-05-31"
ROCKY_SUPPORT_PRODUCT="Rocky-Linux-9"
ROCKY_SUPPORT_PRODUCT_VERSION="9.4"
REDHAT_SUPPORT_PRODUCT="Rocky Linux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.4"

2. 内核版本和CPU架构

uname -r
5.14.0-427.16.1.el9_4.x86_64

arch
x86_64

3. openssl版本

openssl version
OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)

准备工作

 1. 安装编译工具和依赖包

dnf install rpm-build zlib-devel openssl-devel gcc perl-devel pam-devel  libXt-devel gtk2-devel make perl krb5-devel -y

2. 下载所需要的源码

# openssh源码包

wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.8p1.tar.gz

# imake rpm包

wget http://rpmfind.net/linux/epel/9/Everything/x86_64/Packages/i/imake-1.0.8-6.el9.x86_64.rpm

# x11源码包

wget https://src.fedoraproject.org/repo/pkgs/openssh/x11-ssh-askpass-1.2.4.1.tar.gz/8f2e41f3f7eaa8543a2440454637f3c3/x11-ssh-askpass-1.2.4.1.tar.gz

3. 创建所需目录和安装imake包

# 创建制作rpm包的目录结构

mkdir -p rpmbuild/{SPECS,SOURCES}

# 安装imake rpm包

rpm -ivh imake-1.0.8-6.el9.x86_64.rpm

# 将源码拷贝到对应的目录

cp openssh-9.8p1.tar.gz rpmbuild/SOURCES/

cp x11-ssh-askpass-1.2.4.1.tar.gz rpmbuild/SOURCES/

4. 修改spec文件

tar -zxvf openssh-9.8p1.tar.gz

cp openssh-9.8p1/contrib/redhat/openssh.spec rpmbuild/SPECS/

cd rpmbuild/SPECS/

修改openssh.spec文件，主要添加ssh-copy-id命令，启用openssl版本显示

编译制作rpm二进制包

# 制作二进制rpm包和src源码包

rpmbuild -ba openssh.spec

# 二进制rpm包

ls -lh RPMS/x86_64/

total 5.8M
-rw-r--r-- 1 root root  524K Jul  2 13:00 openssh-9.8p1-1.el9.x86_64.rpm
-rw-r--r-- 1 root root   32K Jul  2 13:00 openssh-askpass-9.8p1-1.el9.x86_64.rpm
-rw-r--r-- 1 root root   43K Jul  2 13:00 openssh-askpass-debuginfo-9.8p1-1.el9.x86_64.rpm
-rw-r--r-- 1 root root   16K Jul  2 13:00 openssh-askpass-gnome-9.8p1-1.el9.x86_64.rpm
-rw-r--r-- 1 root root   27K Jul  2 13:00 openssh-askpass-gnome-debuginfo-9.8p1-1.el9.x86_64.rpm
-rw-r--r-- 1 root root  609K Jul  2 13:00 openssh-clients-9.8p1-1.el9.x86_64.rpm
-rw-r--r-- 1 root root  1.4M Jul  2 13:00 openssh-clients-debuginfo-9.8p1-1.el9.x86_64.rpm
-rw-r--r-- 1 root root 1001K Jul  2 13:00 openssh-debuginfo-9.8p1-1.el9.x86_64.rpm
-rw-r--r-- 1 root root  678K Jul  2 13:00 openssh-debugsource-9.8p1-1.el9.x86_64.rpm
-rw-r--r-- 1 root root  496K Jul  2 13:00 openssh-server-9.8p1-1.el9.x86_64.rpm
-rw-r--r-- 1 root root  1.1M Jul  2 13:00 openssh-server-debuginfo-9.8p1-1.el9.x86_64.rpm

# src源码rpm包

ls -lh SRPMS/

total 1.9M
-rw-r--r-- 1 root root 1.9M Jul  2 13:00 openssh-9.8p1-1.el9.src.rpm

检查验证

对rpm包在干净的环境上安装检查验证，主要验证用户权限、登陆测试等方面。

# 安装依赖包

dnf install chkconfig  initscripts

# 安装openssh 9.8p1版本

yum localinstall openssh-*.rpm

# 设置权限

chmod 600 /etc/ssh/ssh_host*

#授权

mv /etc/ssh/sshd_config /etc/ssh/sshd_config_bak

echo "PermitRootLogin yes" >> /etc/ssh/sshd_config  #允许root远程登录
 
#配置认证
mv /etc/pam.d/sshd /etc/pam.d/sshd-bak

cat > /etc/pam.d/sshd <<EOF
 
#%PAM-1.0
auth       required     pam_sepermit.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
## pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
## pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth
EOF

# 重启服务

systemctl  restart sshd