升级 OpenSSH
#!/bin/bash
# Release to build. SSH_FILE is the directory the tarball unpacks to; SSH is
# the tarball file name derived from it.
# NOTE(review): the version is pinned here; confirm it is still a release you
# want to deploy before reusing this script.
SSH_FILE='openssh-8.1p1'
SSH="${SSH_FILE}.tar.gz"
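#######################################
# Download the OpenSSH source tarball to /tmp/$SSH.
# Globals:   SSH (read)         - tarball file name
#            SSH_SHA256 (read)  - optional; expected SHA-256 hex digest of the
#                                 tarball. When set, the download is verified
#                                 against it before anything is built.
# Outputs:   error and warning text on stderr
# Returns:   0 on success; exits 1 if the download or the digest check fails
#######################################
wget_ssh() {
  local dest="/tmp/$SSH"

  yum -y install wget >/dev/null 2>&1

  # "wget -P" never overwrites: if a file with this name is already in /tmp it
  # saves the new copy as "<name>.1", and the later tar step would unpack the
  # older file instead. Remove any leftover and write to the exact path.
  rm -f -- "$dest"

  # NOTE(review): the transfer is plain http, so nothing authenticates the
  # mirror or protects the tarball in transit, and the result is compiled and
  # installed as root. Set SSH_SHA256 to the digest published for this release
  # so a modified or truncated file is rejected.
  if ! wget -O "$dest" "http://10.161.12.246/openssh/$SSH" >/dev/null 2>&1; then
    rm -f -- "$dest"
    echo " $SSH file down load error" >&2
    exit 1
  fi

  if [ -n "${SSH_SHA256:-}" ]; then
    if ! printf '%s  %s\n' "$SSH_SHA256" "$dest" | sha256sum -c - >/dev/null 2>&1; then
      rm -f -- "$dest"
      echo " $SSH checksum mismatch" >&2
      exit 1
    fi
  else
    echo " $SSH downloaded without checksum verification (SSH_SHA256 not set)" >&2
  fi
}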
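#######################################
# Point yum at the internal RHEL 7 mirror and install the build dependencies.
# Existing *.repo files are moved to /etc/yum.repos.d/bak first.
# Outputs:   error text on stderr
# Returns:   0 on success; exits 1 if the package installation fails
#######################################
linux7_install_Packages() {
  mkdir /etc/yum.repos.d/bak >/dev/null 2>&1
  yes | mv /etc/yum.repos.d/*.repo /etc/yum.repos.d/bak

  # NOTE(review): gpgcheck=0 turns off RPM signature verification and the
  # baseurl is plain http, so the packages installed as root below are only as
  # trustworthy as the mirror and the network path to it. If the mirror carries
  # vendor-signed RPMs, set gpgcheck=1 and add a gpgkey= line for that key.
  cat <<'EOF' > /etc/yum.repos.d/cBSS-7.repo
[cBSS-7]
name=cBSS-7
baseurl=http://10.161.12.246/redhat7.7
enabled=1
gpgcheck=0
EOF

  yum clean all >/dev/null 2>&1
  yum makecache >/dev/null 2>&1

  # The wildcards are quoted so yum receives them as patterns; unquoted, the
  # shell would expand them against matching file names in the current
  # directory before yum ever saw them.
  if ! yum -y install gcc gcc-c++ openssl-devel 'libstdc++*' 'libcap*' pam-devel >/dev/null 2>&1; then
    echo 'install Packages failed7' >&2
    exit 1
  fi
}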
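#######################################
# Point yum at the internal RHEL 6 mirror and install the build dependencies.
# Existing *.repo files are moved to /etc/yum.repos.d/bak first.
# Outputs:   error text on stderr
# Returns:   0 on success; exits 1 if the package installation fails
#######################################
linux6_install_Packages() {
  mkdir /etc/yum.repos.d/bak >/dev/null 2>&1
  mv /etc/yum.repos.d/*.repo /etc/yum.repos.d/bak

  # NOTE(review): gpgcheck=0 turns off RPM signature verification and the
  # baseurl is plain http, so the packages installed as root below are only as
  # trustworthy as the mirror and the network path to it. If the mirror carries
  # vendor-signed RPMs, set gpgcheck=1 and add a gpgkey= line for that key.
  cat <<'EOF' > /etc/yum.repos.d/cBSS-6.repo
[cBSS-6]
name=cBSS-6
baseurl=http://10.161.12.246/redhat6.10
enabled=1
gpgcheck=0
EOF

  yum clean all >/dev/null 2>&1
  yum makecache >/dev/null 2>&1

  # The wildcards are quoted so yum receives them as patterns; unquoted, the
  # shell would expand them against matching file names in the current
  # directory before yum ever saw them.
  if ! yum -y install gcc gcc-c++ openssl-devel 'libstdc++*' 'libcap*' wget pam-devel >/dev/null 2>&1; then
    echo 'install Packages failed6' >&2
    exit 1
  fi
}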
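#######################################
# Reinstall the distribution OpenSSH packages after a failed source build.
# Returns:   0 when the packages were reinstalled. Otherwise enables telnet
#            through xinetd as a last-resort access path and exits 1.
#######################################
_install_ssh_restore_packages() {
  if yum -y install openssh-server openssh openssh-clients >/dev/null 2>&1; then
    return 0
  fi

  # NOTE(review): break-glass path only. telnet carries credentials and session
  # data in cleartext; restrict who can reach it and disable it again as soon
  # as sshd is back. The message below is printed without checking that the
  # telnet-server install actually succeeded.
  yum -y install telnet-server >/dev/null 2>&1
  sleep 3
  sed -i '/disable/s/yes/no/g' /etc/xinetd.d/telnet
  service xinetd restart
  echo 'telnet install sucess'
  exit 1
}

#######################################
# Replace the packaged OpenSSH with a source build of /tmp/$SSH.
# Globals:   SSH (read)      - tarball file name under /tmp
#            SSH_FILE (read) - directory the tarball unpacks to
# Outputs:   progress messages on stdout
# Returns:   0 when the build was installed; 1 when configure or make failed
#            and the distribution packages were reinstalled instead; exits 1
#            when that reinstall failed too (telnet fallback).
#            The caller visible in this file does not check the status and
#            goes on to the PAM and service steps either way.
#######################################
install_ssh() {
  local key

  cp /etc/ssh/sshd_config /etc/ssh/sshd_config-bak
  cp /etc/pam.d/sshd /etc/pam.d/sshd-bak-2020

  # NOTE(review): the working package is removed before the build is known to
  # succeed, which is why a rollback path is needed at all. Building first and
  # removing the package just before "make install" would shorten the window
  # in which the host has no SSH server installed.
  yum -y remove openssh >/dev/null 2>&1

  # Start from a clean tree: /tmp is shared, and files left in this directory
  # by an earlier run or by another local account would otherwise be built in.
  rm -rf -- "/tmp/${SSH_FILE:?}"
  tar -xf /tmp/"$SSH" -C /tmp

  # cd is part of the condition so a failed extraction is handled as a failed
  # configure instead of running ./configure from whatever directory we are in.
  # NOTE(review): /usr/local/openssl is not provisioned by this script -
  # presumably a separately installed OpenSSL; confirm it exists on the target.
  if cd "/tmp/$SSH_FILE" &&
    ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-zlib --with-privsep-path=/var/lib/sshd --with-ssl-dir=/usr/local/openssl >/dev/null 2>&1; then
    echo 'configure sucess'
  else
    echo 'configure failed'
    _install_ssh_restore_packages
    echo 'ssh rollback'
    # Nothing was configured, so there is nothing for make to build.
    return 1
  fi

  if make >/dev/null 2>&1 && make install >/dev/null 2>&1; then
    echo 'make sucess'
    # Private host keys must not be readable by other accounts.
    for key in rsa dsa ecdsa ed25519; do
      chmod 600 "/etc/ssh/ssh_host_${key}_key"
    done
    cp -p contrib/redhat/sshd.init /etc/init.d/sshd
    chmod +x /etc/init.d/sshd
    # sshd uses the first value it reads for each keyword, so this appended
    # line only takes effect if no uncommented PermitRootLogin appears earlier
    # in the file. "sshd -T" shows the effective value.
    echo 'PermitRootLogin no' >> /etc/ssh/sshd_config
    # login.defs supplies the default for accounts created from now on;
    # existing accounts keep their current password ageing.
    sed -i '/PASS_MAX_DAYS/s/99999/90/g' /etc/login.defs
  else
    echo 'make failed'
    _install_ssh_restore_packages
    # Double quotes so the version is actually substituted; ssh -V writes to
    # stderr, hence the redirect.
    echo "ssh rollback $(ssh -V 2>&1)"
    return 1
  fi
}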
#######################################
# Enable PAM in sshd_config and (re)write /etc/pam.d/sshd.
# The same PAM stack is written whether or not the file already exists; an
# existing file is first copied to /etc/pam.d/sshd.bak.
# Outputs:   a notice on stdout when /etc/pam.d/sshd did not exist
#######################################
pam_config() {
  local pam_file=/etc/pam.d/sshd
  local pam_mode
  local pam_body='#%PAM-1.0
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare'

  # sshd uses the first value it reads for each keyword, so the appended
  # "UsePAM yes" is only effective when no uncommented UsePAM line precedes it.
  # NOTE(review): the file mode differs between the two cases (644 for a new
  # file, 600 when replacing one); the reason is not visible here - confirm
  # which one is intended.
  if [ -e "$pam_file" ]; then
    pam_mode=600
    echo 'UsePAM yes' >> /etc/ssh/sshd_config
    cp /etc/pam.d/sshd /etc/pam.d/sshd.bak
  else
    pam_mode=644
    echo 'pam sshd file not exist'
    echo 'UsePAM yes' >> /etc/ssh/sshd_config
  fi

  # The stack includes password-auth and postlogin, which must exist on the
  # host for logins through sshd to succeed.
  echo "$pam_body" > "$pam_file"
  chmod "$pam_mode" "$pam_file"
}
#######################################
# Write /etc/pam.d/postlogin, replacing any existing file with three
# session rules.
#######################################
linux6_postlogin() {
  local target=/etc/pam.d/postlogin

  # One rule per argument; printf emits them as literal text, one per line.
  printf '%s\n' \
    'session [success=1 default=ignore] pam_succeed_if.so service !~ gdm* service !~ su* quiet' \
    'session [default=1] pam_lastlog.so nowtmp showfailed' \
    'session optional pam_lastlog.so silent noupdate showfailed' \
    > "$target"
}
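#######################################
# Restart sshd under systemd, enable it at boot and print the client version.
# Outputs:   sshd's own diagnostics and an error line on stderr when the
#            configuration test fails; the "ssh -V" banner otherwise
# Returns:   1 without restarting when "sshd -t" rejects the configuration
#######################################
linux7_add_server() {
  # Validate the configuration and host keys before restarting. A restart onto
  # a configuration sshd rejects leaves the host without an SSH listener, and
  # this script is typically run over SSH. The path follows --prefix=/usr.
  if ! /usr/sbin/sshd -t; then
    echo 'sshd configuration test failed; sshd not restarted' >&2
    return 1
  fi

  systemctl daemon-reload
  systemctl restart sshd
  systemctl enable sshd >/dev/null 2>&1
  ssh -V
}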
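#######################################
# Register the sshd init script, write the postlogin PAM file, restart sshd
# and print the client version.
# Outputs:   sshd's own diagnostics and an error line on stderr when the
#            configuration test fails; the "ssh -V" banner otherwise
# Returns:   1 without restarting when "sshd -t" rejects the configuration
#######################################
linux6_add_server() {
  # The original ran "service daemon-reload" here. service treats its first
  # argument as a service name, so that call only reported an unknown service;
  # it is dropped.
  chkconfig --add sshd
  chkconfig sshd on
  linux6_postlogin

  # Validate the configuration and host keys before restarting. A restart onto
  # a configuration sshd rejects leaves the host without an SSH listener, and
  # this script is typically run over SSH. The path follows --prefix=/usr.
  if ! /usr/sbin/sshd -t; then
    echo 'sshd configuration test failed; sshd not restarted' >&2
    return 1
  fi

  service sshd restart
  ssh -V
}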
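# Choose the RHEL 6 or RHEL 7 path from the major version in
# /etc/redhat-release. The number directly after "release" is used: a bare
# grep for '7' also matches minor versions such as 6.7, and any other major
# version would previously have fallen into the RHEL 6 path.
if [ -e /etc/redhat-release ]; then
  release=$(sed -n 's/.*release \([0-9][0-9]*\).*/\1/p' /etc/redhat-release | head -n 1)
else
  release=''
fi

# The steps run in order and their return status is not checked here.
# NOTE(review): wget_ssh runs before the internal repo is configured, so its
# "yum install wget" depends on whatever repos the host already has - confirm.
case "$release" in
  7)
    wget_ssh
    linux7_install_Packages
    install_ssh
    pam_config
    linux7_add_server
    ;;
  6)
    wget_ssh
    linux6_install_Packages
    install_ssh
    pam_config
    linux6_add_server
    ;;
  *)
    echo 'This system not REDHAT 6 and 7' >&2
    exit 1
    ;;
esac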