rhel8.5 OpenSSH&OpenSSL升级至最新版本

OpenSSL 1.1.1 版本已经达到了其生命周期（EOL）的尾声。 根据 OpenSSL 官方的声明，OpenSSL 1.1.1
版本将在 2023 年 9 月 11 日停止支持，届时它将不再收到公开的安全修复程序。 这意味着如果您继续使用 OpenSSL 1.1.1
版本，您的数据安全将面临巨大的风险

一、 升级准备

1.1 、下载升级包

1. rhel8.5: Red Hat Enterprise Linux release 8.5 (Ootpa)

2. OpenSSL:OpenSSL 3.2.0 23 Nov 2023

https://www.openssl.org/source
https://ftp.openssl.org/source

3. OpenSSH:

https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/

1.2、配置本地yum仓库

[AppStream]
name = AppStream
enabled = yes
baseurl = file:///media/cdrom/AppStream
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
[BaseOS]
name = BaseOS
enabled = yes
baseurl = file:///media/cdrom/BaseOS/
gpgcheck = 1
gpgkey = file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial

1.3安装telnet

yum install telnet* -y
systemctl  start telnet.socket
systemctl enable telnet.socket
mv /etc/securetty /etc/securetty.bak

二、升级openssl

OpenSSL 1.1.1k >>> 1.1.1w

2.1备份

cp /usr/bin/openssl{,.bak}
cp /usr/include/openssl{,.bak}
ldd /usr/local/bin/openssl|awk '{print $3}'|xargs -i cp {}{,.bak}

2.2安装依赖

gcc --version;rpm -qa pcre;yum list installed | grep zlib*;perl -version
yum -y install perl-IPC-Cmd perl-Pod-Html
yum -y install  gcc gcc-c++ zlib pcre

2.3编译安装openssl

tar -xvf openssl-1.1.1w.tar

cd openssl-1.1.1w

./config --prefix=/usr/local/openssl --openssldir=/usr/local/ssl threads zlib shared enable-camellia

#–openssldir=OPENSSLDIR：安装目录，默认是 /usr/local/ssl
#–prefix=安装目录，设置 lib include bin 目录的前缀，默认为 OPENSSLDIR 目录
#–shared /no-shared：是否生成动态连接库
#threads/no-threads : 是否编译支持多线程的库。默认支持
#zlib | zlib-dynamic | no-zlib : 使用静态的zlib压缩库 | 使用动态的zlib压缩库 | 不使用zlib压缩功能
#enable-camellia 算法
make clean
make test
make  && make install

2.4解决版本号与库版本不一致问题

a.添加软连接

ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
ln -s /usr/local/openssl/include/openssl /usr/include/openssl

b.添加动态库的环境变量，使用vi 或 vim 打开 /etc/ld.so.conf 文件

>echo "/usr/local/openssl/lib" >> /etc/ld.so.conf
>/sbin/ldconfig

注意：openssl-3.0.12 的目录则为：/usr/local/ssl/lib64

2.4备份:依赖库

cp /usr/lib64/libcrypto.so.10 /usr/lib64/libcrypto.so.10.old
cp /usr/lib64/libcrypto.so.1.0.2k /usr/lib64/libcrypto.so.1.0.2k.old
cp /usr/lib64/libssl.so.10  /usr/lib64/libssl.so.10.old
cp /usr/lib64/libssl.so.1.0.2k /usr/lib64/libssl.so.1.0.2k.old

2.5卸载openssl

whereis openssl
#输出结果为openssl: /usr/lib64/openssl /usr/include/openssl
mv  /usr/bin/openssl  /usr/bin/openssl.old
mv /etc/ssl /etc/ssl.old
mv /usr/lib64/openssl /usr/lib64/openssl.old
yum remove openssl

2.6安装openssl

./config --prefix=/usr
make && make install
whereis openssl
#输出结果为openssl: /usr/bin/openssl /usr/lib64/openssl.old /usr/include/openssl /usr/share/man/man1/openssl.1ossl
openssl  version
#输出结果为OpenSSL 3.2.0 23 Nov 2023 (Library: OpenSSL 3.2.0 23 Nov 2023)

三、升级openssh

mkdir /tmp/update-openssh && cd /tmp/update-openssh

3.1备份

#备份ssh
mv /etc/ssh /etc/ssh.bak
mv /usr/bin/ssh /usr/bin/ssh.bak
mv /usr/sbin/sshd /usr/sbin/sshd.bak
mv /etc/pam.d/sshd /etc/pam.d/sshd.bak

3.2卸载

#卸载openssh
rpm -qa|grep openssh
yum remove openssh

3.3 安装

./configure --prefix=/usr/ --sysconfdir=/etc/ssh --with-zlib --with-md5-passwords --with-pam -with-ssl-dir=/usr/local/lib64

#开始make
make
#如果make执行失败可以使用make clean
#开始make install
make install

3.4 修改配置

cp  contrib/redhat/sshd.init /etc/init.d/sshd
cp contrib/redhat/sshd.pam /etc/pam.d/sshd.pam
echo "KexAlgorithms +diffie-hellman-group1-sha1">>/etc/ssh/sshd_config
echo "PermitRootLogin yes">>/etc/ssh/sshd_config
echo "PubkeyAuthentication yes">>/etc/ssh/sshd_config
chkconfig sshd on
chkconfig --add sshd
systemctl  enable sshd
systemctl  restart sshd
ssh -V

四、报错问题处理

4.1 Failed to set locale, defaulting to C.UTF-8

解决方法

echo "export LC_ALL=en_US.UTF8" >> /etc/profile
source /etc/profile

4.2 ssh: symbol lookup error: /lib64/libk5crypto.so.3: undefined symbol: EVP_KDF_ctrl, version OPENSSL_1_1_1b

解决方法

4.3 openssl: error while loading shared libraries: libssl.so.3: cannot open shared object file: No such file or directory

解决方法

ln -s /usr/local/openssl/lib/libssl.so.3 /usr/lib/libssl.so.3
ln -s /usr/local/openssl/lib64/libssl.so.3 /usr/lib64/libssl.so.3
ln -s /usr/local/openssl/lib/libcrypto.so.3 /usr/lib/libcrypto.so.3
ln -s /usr/local/openssl/lib64/libcrypto.so.3 /usr/lib64/libcrypto.so.3

4.4 crypto/comp/c_zlib.c:27:11: fatal error: zlib.h: No such file or directory # include <zlib.h>

解决方法

yum -y install  zlib-devel

4.5 configure: error: PAM headers not found

解决方法

yum -y install pam-devel

4.6 PAM is enabled. You may need to install a PAM control file for sshd, otherwise password authentication may fail. Example PAM control files can be found in the contrib/subdirectory

4.7 It is required that your private key files are NOT accessible by others.This private key will be ignored.sshd: no hostkeys available – exiting.make: [Makefile:385: check-config] Error 1 (ignored)

解决方法

chmod 600 /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_ecdsa_key /etc/ssh/ssh_host_ed25519_key