下载安装包
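# Source tarballs. The versions are the ones this walkthrough pins; before
# reusing it, check each project's site for the current supported release and
# its security advisories.
# openssh
wget https://mirrors.aliyun.com/pub/OpenBSD/OpenSSH/portable/openssh-9.1p1.tar.gz
# zlib (HTTPS rather than plain HTTP, and a single "wget": a repeated word is
# treated as one more URL to fetch)
wget https://www.zlib.net/zlib-1.2.13.tar.gz
# openssl
wget https://www.openssl.org/source/openssl-1.1.1s.tar.gz
# pam-devel
wget https://github.com/linux-pam/linux-pam/releases/download/v1.3.1/Linux-PAM-1.3.1.tar.xz
# These archives end up inside sshd, which runs as root. Print their digests
# and compare them with the checksums/signatures each upstream publishes
# before unpacking anything; a mirror cannot vouch for the file by itself.
sha256sum openssh-9.1p1.tar.gz zlib-1.2.13.tar.gz openssl-1.1.1s.tar.gz Linux-PAM-1.3.1.tar.xz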
安装依赖
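# Build tools. apt expects package names separated by spaces; with commas it
# looks for packages literally named "g++," and "perl," and aborts.
apt install -y g++ perl make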
zlib
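# Build zlib into its own prefix so the OpenSSH build can be pointed at it
# with --with-zlib=/usr/local/zlib.
tar xvf zlib-1.2.13.tar.gz
# Subshell: the cd stays local, so the following steps still run from the
# directory that holds the downloaded tarballs. && stops at the first failure
# instead of installing a half-built tree.
(
  cd zlib-1.2.13 &&
    ./configure --prefix=/usr/local/zlib &&
    make -j 8 &&
    make install
)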
pam
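# Build Linux-PAM; the OpenSSH configure step later on is run with --with-pam
# and needs the PAM headers and library to be present.
tar -xf Linux-PAM-1.3.1.tar.xz
# NOTE(review): ./configure runs with its defaults here, so where the files
# land depends on those defaults. Confirm the result does not shadow or
# replace the libpam that the distribution packages and patches.
# Subshell keeps the cd local; && stops at the first failing step.
(
  cd Linux-PAM-1.3.1 &&
    ./configure &&
    make &&
    make install
)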
openssl升级
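# Unpack
tar -zxvf openssl-1.1.1s.tar.gz -C .
# Configure, build and install into a private prefix. The subshell keeps the
# cd local; && stops at the first failing step.
(
  cd openssl-1.1.1s &&
    ./config --prefix=/usr/local/openssl &&
    make &&
    make install
)
# Register the new library directory with the dynamic linker. On Ubuntu the
# entry goes into /etc/ld.so.conf.d/libc.conf as well. The grep guard keeps a
# re-run from appending the same line twice.
# Caveat: this makes the hand-built libssl/libcrypto available to every
# dynamically linked program on the host, and the distribution's security
# updates will not touch them - whoever runs this now owns patching them.
for conf in /etc/ld.so.conf /etc/ld.so.conf.d/libc.conf; do
  grep -qxF '/usr/local/openssl/lib' "$conf" 2>/dev/null ||
    echo "/usr/local/openssl/lib" >>"$conf"
done
# Refresh the linker cache
ldconfig -v
# Move the packaged openssl binary aside. Skipped when /usr/bin/openssl is
# already a symlink, so a second run does not overwrite the backup with it.
[ -L /usr/bin/openssl ] || mv /usr/bin/openssl /usr/bin/openssl_old_bak
# Point /usr/bin/openssl at the new build.
# NOTE(review): a later update of the distribution's openssl package may put
# its own binary back at this path - re-check after package upgrades.
ln -sfn /usr/local/openssl/bin/openssl /usr/bin/openssl
# Check which binary is picked up and what it reports
command -v openssl
openssl version -a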
升级ssh
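# Unpack
tar -xzvf openssh-9.1p1.tar.gz -C .
# Keep a copy of the working server configuration before the install touches
# /etc/ssh (cp, not mv: the live file must stay in place).
cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
# Configure, build, install. --sysconfdir=/etc/ssh makes sshd read
# sshd_config and the host keys from /etc/ssh, so this build is not expected
# to populate /usr/local/openssh/etc.
# --without-hardening is deliberately not passed: it turns off the compiler
# and linker hardening flags configure would otherwise add, which is the wrong
# trade for a root-run network daemon. If configure fails with hardening on,
# fix the toolchain instead of disabling it.
# NOTE(review): --with-md5-passwords is kept as-is; confirm it is still
# needed, since password checks go through PAM with --with-pam.
(
  cd openssh-9.1p1 &&
    ./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-pam --with-ssl-dir=/usr/local/openssl --with-md5-passwords --mandir=/usr/share/man --with-zlib=/usr/local/zlib &&
    make &&
    make install
)
# Authentication settings, appended to the file sshd actually reads.
# PermitRootLogin is prohibit-password (root by key only) rather than "yes":
# with password logins enabled, "yes" leaves the root password open to online
# guessing. Once key login is confirmed, switch PasswordAuthentication to "no"
# as well.
# sshd uses the first value it finds for a keyword, so if the existing file
# already sets one of these, edit that line instead of relying on the append.
cat >>/etc/ssh/sshd_config <<'EOF'
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication yes
EOF
# Swap in the new binaries, keeping the packaged ones as *.bak. Only sshd,
# ssh and ssh-keygen are replaced; the other OpenSSH tools on the PATH stay at
# the packaged version.
mv /usr/sbin/sshd /usr/sbin/sshd.bak
cp /usr/local/openssh/sbin/sshd /usr/sbin/sshd
mv /usr/bin/ssh /usr/bin/ssh.bak
cp /usr/local/openssh/bin/ssh /usr/bin/ssh
mv /usr/bin/ssh-keygen /usr/bin/ssh-keygen.bak
cp /usr/local/openssh/bin/ssh-keygen /usr/bin/ssh-keygen
# The host keys in /etc/ssh are left untouched: replacing only the .pub half
# would leave it out of step with the private key sshd loads.
# Show the ssh version. Keep the current session open and confirm a fresh
# login works before disconnecting.
ssh -V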
OpenSSH_9.1p1, OpenSSL 1.1.1s 1 Nov 2022
新建文件夹,不然无法启动ssh
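# sshd will not start without its privilege-separation directory. Create it
# owned by root and not writable by anyone else, and keep it empty.
# install -d also succeeds when the directory already exists.
install -d -m 0755 -o root -g root /var/empty
# With the directory in place, let the new sshd check its configuration and
# host keys before the service is restarted.
/usr/sbin/sshd -t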
升级后,systemctl不能启动sshd
# Move the packaged ssh.service unit out of the way. It lands in the current
# directory, so note where this is run from - that copy is the rollback.
# NOTE(review): the page only states that systemctl cannot start sshd after
# the upgrade; the cause is not shown. Presumably the packaged unit expects
# behaviour that only the distribution's patched sshd provides - confirm with
# `systemctl status ssh` and `journalctl -u ssh` before removing the unit, and
# expect a later package update to put the file back.
# Keep the current SSH session open until a new login has been verified.
mv /lib/systemd/system/ssh.service .
systemctl daemon-reload
systemctl start ssh
systemctl enable ssh
# Alternative way to (re)start the service
/etc/init.d/ssh restart
如果需要升级的机器无法联网,可以直接复制编译好的文件,离线安装。
# On a machine that has already been upgraded, pack the openssl and openssh
# trees.
# NOTE(review): the archives carry binaries that will run as root - move them
# over a trusted channel and compare a checksum on the target before
# unpacking. They are only expected to work on a target with the same
# distribution release and architecture as the build host.
# NOTE(review): if openssh/etc exists and holds ssh_host_* keys, leave it out
# of the archive; host private keys must not be shared between machines.
cd /usr/local/
tar -czvf openssh9.1p1.tar.gz openssh/
tar -czvf openssl_1.1.1s.tar.gz openssl/
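# Copy both archives to the server being upgraded and unpack them. The
# openssh archive name is the one produced by the packing step
# (openssh9.1p1.tar.gz).
tar -xzvf openssl_1.1.1s.tar.gz -C /usr/local/
tar -xzvf openssh9.1p1.tar.gz -C /usr/local/
# On Ubuntu, register the library directory in /etc/ld.so.conf.d/libc.conf
# (guarded so a re-run does not append the line twice).
grep -qxF '/usr/local/openssl/lib' /etc/ld.so.conf.d/libc.conf 2>/dev/null ||
  echo "/usr/local/openssl/lib" >>/etc/ld.so.conf.d/libc.conf
# Refresh the linker cache
ldconfig -v
# Back up the server configuration in place, and take the bundled sshd_config
# only if the archive actually contains one, so the host is never left
# without /etc/ssh/sshd_config.
cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
if [ -f /usr/local/openssh/etc/sshd_config ]; then
  cp /usr/local/openssh/etc/sshd_config /etc/ssh/sshd_config
fi
# Swap in the new binaries, keeping the packaged ones as *.bak
mv /usr/sbin/sshd /usr/sbin/sshd.bak
cp /usr/local/openssh/sbin/sshd /usr/sbin/sshd
mv /usr/bin/ssh /usr/bin/ssh.bak
cp /usr/local/openssh/bin/ssh /usr/bin/ssh
mv /usr/bin/ssh-keygen /usr/bin/ssh-keygen.bak
cp /usr/local/openssh/bin/ssh-keygen /usr/bin/ssh-keygen
# Host keys stay per-machine: nothing is copied from the build host, because
# a foreign .pub file would no longer match this server's private key.
# ssh-keygen -A only creates host keys that are missing.
ssh-keygen -A
# Privilege-separation directory: root-owned, not writable by others, empty
install -d -m 0755 -o root -g root /var/empty
# Let the new sshd check configuration and host keys before the restart
/usr/sbin/sshd -t
# Move the packaged ssh.service unit out of the way (it lands in the current
# directory; that copy is the rollback)
mv /lib/systemd/system/ssh.service .
systemctl daemon-reload
systemctl start ssh
systemctl enable ssh
# Alternative way to (re)start the service. Keep the current session open
# until a new login has been verified.
/etc/init.d/ssh restart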
参考:
Ubuntu解决OpenSSH安全漏洞之升级OpenSSH最新版方法,技术小学生|Linux运维|Win系统运维|Mysql|MsSql数据库运维知识 (tag.gg)
OpenSSH 安全漏洞(CVE-2021-28041)修复(升级OpenSSH至最新版本(8.6p1))_骑恐龙去钓鱼的博客-CSDN博客_cve-2021-28041
Ubuntu 16.04升级OpenSSH_geekfly的博客-CSDN博客
centos/redhat /Linux升级openssh,亲测无坑。_Bolgzhang的博客-CSDN博客
安装升级、配置OpenSSH - 墨天轮 (modb.pro)