开源项目地址:https://github.com/boypt/openssh-rpms.git
原因:2024.07.01日,openssh被报出最新的漏洞(CVE-2024-6387)
现在所有在影响范围内的服务器都需要升级
这里采用制作rpm,然后传到需要升级的服务器上进行安装升级
目前官方发布的openssh和openssl最新的版本为:
openssh:openssh-9.8p1.tar.gz
openssl:openssl-3.0.14.tar.gz
支持的版本
CentOS 5/6/7/8/Stream 8/9
Amazon Linux 1/2/2023
UnionTech OS Server 20
openEuler 22.03 (LTS-SP1)
AnolisOS 7.9/8.6
本次实验的操作系统:
# 本次实验的操作系统:
[root@ceshi]# cat /etc/redhat-release
Anolis OS release 7.9
[root@ceshi]# uname -a
Linux ceshi 3.10.0-1160.an7.x86_64 #1 SMP Thu Oct 14 16:04:36 CST 2021 x86_64 x86_64 x86_64 GNU/Linux
1、安装编译打包环境
# Build toolchain plus the -devel packages the openssh spec links against
yum groupinstall -y 'Development Tools'
yum install -y \
  imake rpm-build \
  pam-devel krb5-devel zlib-devel \
  libXt-devel libX11-devel gtk2-devel
2、准备源码(下载开源项目)
# 操作(可能需要外网)
# 也可以从外网打包然后拉到服务器上再解压
git clone https://github.com/boypt/openssh-rpms.git
下载地址:https://download.csdn.net/download/qq_49152597/89532342?spm=1001.2014.3001.5503
# git或者解压后是这样的
[root@ceshi openssh-rpms-main]# ls
amzn1 amzn2 amzn2023 compile.sh docker docker.README.md downloads el5 el6 el7 pullsrc.sh README.md version.env
3、修改开源脚本
# 修改脚本pullsrc.sh
source version.env
改为
source ./version.env
# 修改脚本compile.sh
source version.env
改为
source ./version.env
# 添加ssh-copy-id命令
[root@ceshi openssh-rpms-main]# cd el7/SPECS/
[root@ceshi SPECS]# ls
openssh.spec
[root@ceshi SPECS]# vim openssh.spec
# 307 行后添加
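install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/ssh-copy-id  # same macro as the files-list entry, so both lines agree if bindir is overridden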
# 390行后添加
%attr(0755,root,root) %{_bindir}/ssh-copy-id
# 修改 version.env 中的 openssl/openssh 版本
# 修改:根据自己的需求改,这里都是目前最新的版本
#OPENSSLSRC=openssl-3.0.14.tar.gz
#OPENSSHSRC=openssh-9.8p1.tar.gz
[root@ceshi openssh-rpms-main]# cat version.env
# Tarball names; pullsrc.sh and compile.sh read them via `source ./version.env`
OPENSSLSRC=openssl-3.0.14.tar.gz
OPENSSHSRC=openssh-9.8p1.tar.gz
ASKPASSSRC=x11-ssh-askpass-1.2.4.1.tar.gz
PERLSRC=perl-5.38.2.tar.gz
# RPM release number (presumably the "-1" in openssh-9.8p1-1.an7 — confirm in the spec)
PKGREL=1
# Bare version strings (e.g. 9.8p1): drop the ".tar.gz" suffix, then the
# "<name>-" prefix. The patterns contain no globs, so the shortest-match
# operators % and # behave exactly like %% and ## here.
OPENSSHVER=${OPENSSHSRC%.tar.gz}
OPENSSHVER=${OPENSSHVER#openssh-}
OPENSSLVER=${OPENSSLSRC%.tar.gz}
OPENSSLVER=${OPENSSLVER#openssl-}
PERLVER=${PERLSRC%.tar.gz}
PERLVER=${PERLVER#perl-}
4、将安装包放在downloads目录下
可以先执行下载脚本,如果下载不了就手动下载
[root@ceshi openssh-rpms-main]# ./pullsrc.sh
除了openssh和openssl包外还需要x11-ssh-askpass-1.2.4.1.tar.gz;手动下载时文件名必须与 version.env 中的 OPENSSLSRC/OPENSSHSRC 一致(下面 ls 看到的是 openssl-3.0.14.tar.gz),并建议先核对上游发布的校验和/签名再编译
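# Run from the repository root so ./version.env is found. Taking the tarball
# names from version.env keeps the downloads from drifting away from what the
# build presumably expects (the original fetched openssl-3.3.0 while
# version.env named openssl-3.0.14). The old/<major.minor>/ path mirrors the
# openssl URL layout used above — confirm it exists for the version you pick.
# Verify every tarball against the upstream-published signature/checksum
# before building.
source ./version.env
wget https://src.fedoraproject.org/repo/pkgs/openssh/x11-ssh-askpass-1.2.4.1.tar.gz/8f2e41f3f7eaa8543a2440454637f3c3/x11-ssh-askpass-1.2.4.1.tar.gz
wget "http://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/${OPENSSHSRC}"
wget "https://www.openssl.org/source/old/${OPENSSLVER%.*}/${OPENSSLSRC}"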
[root@ceshi downloads]# pwd
/root/shell20230926/openssh-rpms-main/downloads
[root@ceshi downloads]# ls
openssh-9.8p1.tar.gz openssl-3.0.14.tar.gz x11-ssh-askpass-1.2.4.1.tar.gz
5、编译打包(执行开源脚本)
[root@ceshi openssh-rpms-main]# ./compile.sh el7
············
···········
写道:/root/shell20230926/openssh-rpms-main/el7/SRPMS/openssh-9.8p1-1.an7.src.rpm
写道:/root/shell20230926/openssh-rpms-main/el7/RPMS/x86_64/openssh-9.8p1-1.an7.x86_64.rpm
写道:/root/shell20230926/openssh-rpms-main/el7/RPMS/x86_64/openssh-clients-9.8p1-1.an7.x86_64.rpm
写道:/root/shell20230926/openssh-rpms-main/el7/RPMS/x86_64/openssh-server-9.8p1-1.an7.x86_64.rpm
写道:/root/shell20230926/openssh-rpms-main/el7/RPMS/x86_64/openssh-debuginfo-9.8p1-1.an7.x86_64.rpm
执行(%clean): /bin/sh -e /var/tmp/rpm-tmp.UnyfHU
+ umask 022
+ cd /root/shell20230926/openssh-rpms-main/el7/BUILD
+ cd openssh-9.8p1
+ rm -rf /root/shell20230926/openssh-rpms-main/el7/BUILDROOT/openssh-9.8p1-1.an7.x86_64
+ exit 0
~/shell20230926/openssh-rpms-main
# rpm包就在/root/shell20230926/openssh-rpms-main/el7/RPMS/x86_64/ 路径下
[root@ceshi openssh-rpms-main]# cd /root/shell20230926/openssh-rpms-main/el7/RPMS/x86_64/
[root@ceshi x86_64]# pwd
/root/shell20230926/openssh-rpms-main/el7/RPMS/x86_64
[root@ceshi x86_64]# ls
openssh-9.8p1-1.an7.x86_64.rpm openssh-debuginfo-9.8p1-1.an7.x86_64.rpm
openssh-clients-9.8p1-1.an7.x86_64.rpm openssh-server-9.8p1-1.an7.x86_64.rpm
6、安装测试
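cd el7/RPMS/x86_64/
# Install/upgrade every package built above (the glob also picks up debuginfo)
yum localinstall openssh-*.rpm
# Tighten only the private host keys; the .pub halves may stay world-readable
chmod 600 /etc/ssh/ssh_host_*_key
# Validate the config before restarting, so an option the new sshd rejects
# cannot take the service down and lock you out. enable only registers the
# unit for boot, so --now is unnecessary after a restart.
sshd -t && systemctl restart sshd && systemctl enable sshd
# Check service status
systemctl status sshd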
# 验证(在确认能新开一个 ssh 会话正常登录之前,不要关闭当前会话)
[root@ceshi x86_64]# ssh -V
OpenSSH_9.8p1, OpenSSL 3.0.14 4 Jun 2024
# 打包好的所有rpm就可以传到需要升级的服务器上了,直接执行安装更新就可以了(目标机器需与打包环境同发行版、同架构,这里是 el7/an7 x86_64)