There are plenty of upgrade tutorials, but no really detailed rollback tutorial, because a rollback is rarely performed; still, a production environment needs a contingency plan. My rollback solution is a bit dumb, but I didn't have time to research it that much, so at the time I simply cp'd backups of the relevant original environment files and restored them when rolling back.
Tested and working!!!
Download the packages
wget -O openssh-8.4p1.tar.gz https://openbsd.hk/pub/OpenBSD/OpenSSH/portable//openssh-8.4p1.tar.gz
wget -O zlib-1.2.11.tar.gz https://zlib.net/zlib-1.2.11.tar.gz
wget -O openssl-1.1.1g.tar.gz https://www.openssl.org/source/openssl-1.1.1g.tar.gz
## Make sure the downloaded files are in /home/data and the file names match
tar -zxf openssl-1.1.1g.tar.gz
tar -zxf zlib-1.2.11.tar.gz
tar -zxf openssh-8.4p1.tar.gz
chown -R root:root /home/data
Upgrade zlib
yum install -y gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel pam-devel
yum install -y pam* zlib*
cd /home/data/zlib-1.2.11/
./configure --prefix=/usr/local/zlib
make && make install
Back up the original openssl
find ./ -name openssl
## Back up every file and directory related to openssl
cp -ar /etc/pki/ca-trust/extracted/openssl /etc/pki/ca-trust/extracted/opensslbk
cp -ar /usr/bin/openssl /usr/bin/opensslbk
cp -ar /usr/lib64/openssl /usr/lib64/opensslbk
cp -ar /usr/include/openssl /usr/include/opensslbk
Upgrade openssl
cd /home/data/openssl-1.1.1g/
./config --prefix=/usr/local/ssl -d shared
make && make install
echo '/usr/local/ssl/lib' >> /etc/ld.so.conf
ldconfig
rm -rf /usr/bin/openssl
ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
Check whether the openssl upgrade succeeded
openssl version
Back up ssh, sshd and openssh
find ./ -name ssh
find ./ -name sshd
find ./ -name openssh
## Back up every file and directory related to ssh
cp -ar /etc/ssh /etc/sshbk
cp -ar /etc/selinux/targeted/active/modules/100/ssh /etc/selinux/targeted/active/modules/100/sshbk
cp -ar /usr/bin/ssh /usr/bin/sshbk
cp -ar /usr/libexec/openssh /usr/libexec/opensshbk
cp -ar /etc/pam.d/sshd /etc/pam.d/sshdbk
cp -ar /etc/sysconfig/sshd /etc/sysconfig/sshdbk
cp -ar /var/empty/sshd /var/empty/sshdbk
cp -ar /usr/sbin/sshd /usr/sbin/sshdbk
Install OpenSSH 8.4p1
cd /home/data/openssh-8.4p1
rm -rf /etc/ssh/*
./configure --prefix=/usr/ --sysconfdir=/etc/ssh --with-openssl-includes=/usr/local/ssl/include --with-ssl-dir=/usr/local/ssl --with-zlib --with-md5-passwords --with-pam
make
make install
Edit the sshd_config file
vim /etc/ssh/sshd_config
PermitRootLogin yes
UseDNS no
UsePAM yes
Add the following on the last line
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1
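The edits above are made by hand in vim. As an added example (not from the original post), the script below applies the same four settings to sshd_config idempotently: an existing global line for the keyword, including the commented-out default such as "#PermitRootLogin prohibit-password", is rewritten in place, and a keyword that is not present yet is inserted before the first uncommented Match block rather than at the end of the file, because anything appended after a Match line applies only to that block. The sshd_config path and the helper names are this example's own; the values are the ones the post uses.

```shell
#!/bin/sh
# Added example, not part of the original post: set sshd_config keywords idempotently.
# Assumes POSIX sh with awk; the config file path is passed as an argument.

# set_sshd_option FILE KEYWORD VALUE
# Rewrites the global line for KEYWORD (even if commented out) or, if there is none,
# inserts one before the first uncommented "Match" block so the setting stays global.
# Keywords are compared case-insensitively, which is how sshd itself treats them.
# The result is written back through the original file so owner, mode and SELinux
# label of sshd_config are kept.
set_sshd_option() {
    file=$1; key=$2; value=$3
    awk -v key="$key" -v value="$value" '
        BEGIN { lkey = tolower(key); done = 0; inmatch = 0 }
        {
            iscomment = ($0 ~ /^[ \t]*#/)
            line = $0
            sub(/^[ \t]*#?[ \t]*/, "", line)          # drop indentation and a leading "#"
            split(line, f, /[ \t=]+/)                 # "Keyword value" or "Keyword=value"
            word = tolower(f[1])
            if (word == "match" && !iscomment) {      # the global section ends here
                if (!done) { print key " " value; done = 1 }
                inmatch = 1
            }
            if (!inmatch && word == lkey) {           # replace the global line (or comment)
                if (!done) { print key " " value; done = 1 }
                next                                  # later duplicates are dropped
            }
            print
        }
        END { if (!done) print key " " value }        # no Match block at all: append
    ' "$file" > "$file.tmp" && cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}

# apply_post_upgrade_settings FILE: the four settings the post makes after "make install".
apply_post_upgrade_settings() {
    set_sshd_option "$1" PermitRootLogin yes
    set_sshd_option "$1" UseDNS no
    set_sshd_option "$1" UsePAM yes
    set_sshd_option "$1" KexAlgorithms \
        'curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1'
}

# check_sshd_config FILE: let sshd parse the file before restarting it, so a typo cannot
# leave the host without a working daemon. Run it from a session you keep open.
check_sshd_config() {
    sshd -t -f "$1"
}
```

Typical use on the real host is apply_post_upgrade_settings /etc/ssh/sshd_config followed by check_sshd_config /etc/ssh/sshd_config, and only then the restart.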
cp -a contrib/redhat/sshd.init /etc/init.d/sshd
cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd.pam
chmod +x /etc/init.d/sshd
mv /usr/lib/systemd/system/sshd.service /tmp
Restart ssh
systemctl restart sshd
Note: this step may require rebooting the machine, or pkill'ing every ssh process and then starting the ssh init script by hand
Verify
ssh -V
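ssh -V shows the OpenSSH version and the OpenSSL version it was built against, but it does not prove that the sshd now running links against the OpenSSL built under /usr/local/ssl rather than the distribution's libssl. The added example below (mine, not the post's) parses ssh -V output, checks the libssl/libcrypto lines of ldd output against the /usr/local/ssl/lib prefix chosen on this page, and runs sshd -t. The function names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post: confirm the upgraded binaries are the ones
# in use and that sshd links against the OpenSSL built under /usr/local/ssl.
# Assumes POSIX sh with awk; ssh, ldd and sshd are only run by verify_upgrade.

# ssh_versions_match "SSH_V_OUTPUT" OPENSSH_VER OPENSSL_VER
# Parses a line such as "OpenSSH_8.4p1, OpenSSL 1.1.1g  21 Apr 2020" (what "ssh -V"
# prints, on stderr) and succeeds only when both versions are the expected ones.
ssh_versions_match() {
    out=$1; want_ssh=$2; want_ssl=$3
    case $out in
        OpenSSH_*", OpenSSL "*) ;;
        *) return 1 ;;                          # unexpected format: do not guess
    esac
    got_ssh=${out#OpenSSH_}; got_ssh=${got_ssh%%,*}
    got_ssl=${out#*OpenSSL }; got_ssl=${got_ssl%% *}
    [ "$got_ssh" = "$want_ssh" ] && [ "$got_ssl" = "$want_ssl" ]
}

# libssl_from_prefix "LDD_OUTPUT" LIBDIR
# Succeeds when every libssl/libcrypto line of "ldd BINARY" resolves under LIBDIR.
# A line resolving under /lib64, or "=> not found", means the binary still uses the old
# library (or none) even if "openssl version" already reports the new one.
libssl_from_prefix() {
    printf '%s\n' "$1" | awk -v dir="$2/" '
        /lib(ssl|crypto)\.so/ {
            n++
            if (index($0, "=> " dir) == 0) bad++
        }
        END { exit !(n > 0 && bad == 0) }
    '
}

# verify_upgrade OPENSSH_VER OPENSSL_VER: the live checks, e.g. "verify_upgrade 8.4p1 1.1.1g".
# Run it from the session you kept open before restarting sshd, and log in from a
# second session only after it reports success.
verify_upgrade() {
    ssh_versions_match "$(ssh -V 2>&1)" "$1" "$2" \
        || { echo "ssh -V does not report OpenSSH $1 with OpenSSL $2" >&2; return 1; }
    libssl_from_prefix "$(ldd /usr/sbin/sshd)" /usr/local/ssl/lib \
        || { echo "sshd is not linked against /usr/local/ssl/lib" >&2; return 1; }
    sshd -t || { echo "sshd_config does not parse" >&2; return 1; }
    echo "upgrade verified"
}
```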
Rollback
Roll back openssh
mv /tmp/sshd.service /usr/lib/systemd/system/
rm -rf /etc/init.d/sshd
rm -rf /etc/pam.d/sshd.pam
rm -rf /etc/ssh
cp -arf /etc/sshbk /etc/ssh
rm -rf /etc/selinux/targeted/active/modules/100/ssh
cp -arf /etc/selinux/targeted/active/modules/100/sshbk /etc/selinux/targeted/active/modules/100/ssh
rm -rf /usr/bin/ssh
cp -arf /usr/bin/sshbk /usr/bin/ssh
rm -rf /usr/libexec/openssh
cp -arf /usr/libexec/opensshbk /usr/libexec/openssh
rm -rf /etc/pam.d/sshd
cp -arf /etc/pam.d/sshdbk /etc/pam.d/sshd
rm -rf /etc/sysconfig/sshd
cp -arf /etc/sysconfig/sshdbk /etc/sysconfig/sshd
rm -rf /var/empty/sshd
cp -arf /var/empty/sshdbk /var/empty/sshd
rm -rf /usr/sbin/sshd
cp -arf /usr/sbin/sshdbk /usr/sbin/sshd
Roll back openssl
rm -rf /etc/pki/ca-trust/extracted/openssl
cp -arf /etc/pki/ca-trust/extracted/opensslbk /etc/pki/ca-trust/extracted/openssl
rm -rf /usr/bin/openssl
cp -arf /usr/bin/opensslbk /usr/bin/openssl
rm -rf /usr/lib64/openssl
cp -arf /usr/lib64/opensslbk /usr/lib64/openssl
rm -rf /usr/include/openssl
cp -arf /usr/include/opensslbk /usr/include/openssl