First upload the openssl, openssh and curl source packages to /usr/local/opensslupgrade.
Preparation before the upgrade
1. Install the required tools and services
yum install -y rpm-build gcc gcc-c++ glibc glibc-devel openssl-devel openssl pcre-devel zlib zlib-devel make wget krb5-devel pam-devel libX11-devel libXt-devel initscripts libXt-devel gtk2-devel lrzsz unzip
2. Enable the telnet and xinetd services
Enabling telnet and xinetd opens a back-door route into the host so that a failed ssh upgrade cannot lock you out when the connection drops. Telnet is unencrypted, so restrict it to your own source address (step 3) and remove it again as soon as the upgrade is verified (section IV).
yum install -y telnet*
yum install -y xinetd
service telnet start
service xinetd start
chkconfig telnet on
chkconfig xinetd on
3. Temporarily open port 23 on the host
You can also restrict access to a source address by adding the "-s X.X.X.X/X" option to the rule, or temporarily stop the firewall.
# Temporarily open port 23 on the host, without a source-address restriction
iptables -I INPUT -p tcp -m tcp --dport 23 -j ACCEPT
With that in place the upgrade can begin. The examples below use openssl-1.1.1w.tar.gz for OpenSSL, openssh-9.5p1.tar.gz for OpenSSH and curl-7.88.1.zip for curl.
Note: do not close the terminal or interrupt the build and install during the upgrade; if the session is lost, the only way back in is over telnet.
I. Upgrading OpenSSL
Extract openssl-1.1.1w.tar.gz into the current directory, then build and install it.
Run the following commands:
- tar xvf openssl-1.1.1w.tar.gz
- cd openssl-1.1.1w
- ./config --prefix=/usr/local/openssl-1.1.1w
- make
- make install
- mv /usr/bin/openssl /usr/bin/openssl.bak
- mv /usr/include/openssl /usr/include/openssl.bak
- mv /usr/lib64/libssl.so /usr/lib64/libssl.so.bak
- mv /usr/lib64/libcrypto.so /usr/lib64/libcrypto.so.bak
- ln -sf /usr/local/openssl-1.1.1w/include/openssl /usr/include/openssl
- ln -s /usr/local/openssl-1.1.1w/bin/openssl /usr/bin/openssl
- ln -s /usr/local/openssl-1.1.1w/lib/libssl.so /usr/lib64/libssl.so
- ln -s /usr/local/openssl-1.1.1w/lib/libcrypto.so /usr/lib64/libcrypto.so
- echo '/usr/local/openssl-1.1.1w/lib' >> /etc/ld.so.conf
- ldconfig
OpenSSL is now installed. Verify it with 'openssl version'; if the reported version is the one you upgraded to, the upgrade succeeded.
[root@openeuder opensslupgrade]$ openssl version
OpenSSL 1.1.1w 11 Sep 2023
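The "mv X X.bak; ln -s NEW X; echo DIR >> /etc/ld.so.conf" sequence above (repeated later for OpenSSH and curl) is not safe to run twice: a second pass moves the new symlink over the .bak and the stock binary, which the telnet rollback depends on, is gone. The helpers below are an added example, not code from the original post; ROOT is an assumption that lets them be exercised against a scratch directory instead of /.

```bash
#!/bin/bash
# Added example, not from the original post: a re-runnable version of the
# "mv X X.bak; ln -s NEW X; echo DIR >> /etc/ld.so.conf" steps used above for
# OpenSSL, and again later for OpenSSH and curl. ROOT is an assumption that
# lets the helpers be exercised against a scratch directory instead of /.
set -u
ROOT="${ROOT:-}"

# link_with_backup NEW TARGET
# Already linked to NEW: nothing to do. Otherwise move TARGET to TARGET.bak
# and link, but never clobber an existing .bak: running the post's mv twice
# moves the new symlink over the backup and the stock binary is lost, which
# is the one thing you need if the rollback over telnet becomes necessary.
link_with_backup() {
  local new="$1" target="$ROOT$2" bak="$ROOT$2.bak"
  if [ -L "$target" ] && [ "$(readlink "$target")" = "$new" ]; then
    return 0
  fi
  if [ -e "$target" ] || [ -L "$target" ]; then
    if [ -e "$bak" ] || [ -L "$bak" ]; then
      echo "refusing to overwrite existing backup $bak" >&2
      return 1
    fi
    mv "$target" "$bak"
  fi
  ln -s "$new" "$target"
}

# restore_backup TARGET: undo link_with_backup (the rollback path)
restore_backup() {
  local target="$ROOT$1" bak="$ROOT$1.bak"
  if ! [ -e "$bak" ] && ! [ -L "$bak" ]; then
    echo "no backup for $target" >&2
    return 1
  fi
  rm -f "$target" && mv "$bak" "$target"
}

# add_ld_path DIR: add DIR to ld.so.conf only once (the post's echo >> appends a
# duplicate line on every re-run), then rebuild the cache on a real system
add_ld_path() {
  local conf="$ROOT/etc/ld.so.conf"
  grep -qxF "$1" "$conf" 2>/dev/null || echo "$1" >> "$conf"
  [ -n "$ROOT" ] || ldconfig
}

# Usage on the real host (ROOT unset), mirroring the OpenSSL steps above:
#   link_with_backup /usr/local/openssl-1.1.1w/bin/openssl /usr/bin/openssl
#   add_ld_path /usr/local/openssl-1.1.1w/lib
```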
II. Upgrading OpenSSH
Method 1: build and install from source
Extract openssh-9.5p1.tar.gz into the current directory, then build and install it.
Note: configure must be told which OpenSSL to use (the --with-ssl-dir option below); otherwise the build fails with an error like the following:
configure: error: Your OpenSSL headers do not match your
library. Check config.log for details.
If you are sure your installation is consistent, you can disable the check
by running "./configure --without-openssl-header-check".
Also see contrib/findssl.sh for help identifying header/library mismatches.
Run the following commands:
- tar xvf openssh-9.5p1.tar.gz
- cd openssh-9.5p1
- mv /etc/ssh /etc/ssh.bak
- cp /etc/pam.d/sshd /etc/pam.d/sshd.bak
- rpm -e `rpm -qa|grep openssh` --nodeps
- ./configure --prefix=/usr/local/openssh-9.5p1 --with-ssl-dir=/usr/local/openssl-1.1.1w --with-md5-passwords --with-pam --sysconfdir=/etc/ssh
- make
- make install
- mv /etc/init.d/sshd /etc/init.d/sshd.bak
- cp ./contrib/redhat/sshd.init /etc/init.d/sshd
- mv /usr/sbin/sshd /usr/sbin/sshd.bak
- ln -s /usr/local/openssh-9.5p1/sbin/sshd /usr/sbin/sshd
- ln -s /usr/local/openssh-9.5p1/bin/scp /usr/bin/scp
- ln -s /usr/local/openssh-9.5p1/bin/sftp /usr/bin/sftp
- ln -s /usr/local/openssh-9.5p1/bin/ssh /usr/bin/ssh
- ln -s /usr/local/openssh-9.5p1/bin/ssh-add /usr/bin/ssh-add
- ln -s /usr/local/openssh-9.5p1/bin/ssh-agent /usr/bin/ssh-agent
- ln -s /usr/local/openssh-9.5p1/bin/ssh-keygen /usr/bin/ssh-keygen
- ln -s /usr/local/openssh-9.5p1/bin/ssh-keyscan /usr/bin/ssh-keyscan
- service sshd restart
OpenSSH is now upgraded. Check it with 'ssh -V'; if the reported version is the target version, the upgrade succeeded.
[root@openeuder ~]$ ssh -V
OpenSSH_9.5p1, OpenSSL 1.1.1w 11 Sep 2023
Once the upgrade checks out, go through the backed-up sshd_config (under /etc/ssh.bak) and carry the settings you need over to the new sshd_config.
Method 2: build an RPM package from the source tarball with rpm-build
1. Create the rpm-build directory tree with the following command:
mkdir -pv /root/rpmbuild/{BUILD,BUILDROOT,RPMS,SOURCES,SPECS,SRPMS}
Note: do not change these paths; they are the default paths used by rpmbuild.
2. Extract the source package and move it to /root/rpmbuild/SOURCES
- tar xvf openssh-9.5p1.tar.gz
- mv /etc/ssh /etc/ssh.bak
- cp /etc/pam.d/sshd /etc/pam.d/sshd.bak
- cd /usr/local/opensslupgrade/openssh-9.5p1/contrib/redhat/
- cp -p sshd.pam sshd.pam.old && cp -p sshd.init sshd.init.old
- cd /usr/local/opensslupgrade/
- mv openssh-9.5p1.tar.gz openssh-9.5p1.tar.gz.bak
- tar -cvf openssh-9.5p1.tar.gz openssh-9.5p1/
- cp openssh-9.5p1.tar.gz /root/rpmbuild/SOURCES/openssh-9.5p1.tar.gz
3. Extract the spec file
- cd /root/rpmbuild/SOURCES/
- tar -xf openssh-9.5p1.tar.gz openssh-9.5p1/contrib/redhat/openssh.spec
- mv openssh-9.5p1 /root/rpmbuild/SPECS
4. Do not build the askpass packages
cd /root/rpmbuild/SPECS/openssh-9.5p1/contrib/redhat/
sed -i -e "s/%global no_gnome_askpass 0/%global no_gnome_askpass 1/g" openssh.spec
sed -i -e "s/%global no_x11_askpass 0/%global no_x11_askpass 1/g" openssh.spec
5. Fix the "openssl-devel < 1.1" build-requirement error
sed -i '/openssl-devel < 1.1/s/^/#/' openssh.spec
6. Build the OpenSSH packages
rpmbuild -bb /root/rpmbuild/SPECS/openssh-9.5p1/contrib/redhat/openssh.spec
If the build finishes without errors, it succeeded.
7. Inspect the generated RPM files
Note: the directory name under /root/rpmbuild/RPMS/ differs between operating systems; it is named after the automatically detected architecture of the current system, e.g. x86_64.
[root@openeuder ~]$ ls -lh /root/rpmbuild/RPMS/x86_64
-rw-r--r-- 1 root root 625K Mar 27 11:45 openssh-9.5p1-1.x86_64.rpm
-rw-r--r-- 1 root root 593K Mar 27 11:45 openssh-clients-9.5p1-1.x86_64.rpm
-rw-r--r-- 1 root root 2.7M Mar 27 11:45 openssh-debuginfo-9.5p1-1.x86_64.rpm
-rw-r--r-- 1 root root 718K Mar 27 11:45 openssh-debugsource-9.5p1-1.x86_64.rpm
-rw-r--r-- 1 root root 442K Mar 27 11:45 openssh-server-9.5p1-1.x86_64.rpm
8. Remove the OpenSSH packages that were installed by rpm, install the newly built OpenSSH packages, and enable sshd at boot
- cd /root/rpmbuild/RPMS/x86_64
- rpm -e `rpm -qa|grep openssh` --nodeps
- rpm -ivh *.rpm
- chkconfig sshd on
At this point OpenSSL and OpenSSH are both upgraded, but yum suddenly stops working with the following error:
[root@openeuder ~]$ yum install -y lrzsz
Traceback (most recent call last):
File "/usr/lib64/python3.7/site-packages/libdnf/error.py", line 14, in swig_import_helper
return importlib.import_module(mname)
File "/usr/lib64/python3.7/importlib/__init__.py", line 127, in import_module
return _bootstrap._gcd_import(name[level:], package, level)
File "<frozen importlib._bootstrap>", line 1006, in _gcd_import
File "<frozen importlib._bootstrap>", line 983, in _find_and_load
File "<frozen importlib._bootstrap>", line 967, in _find_and_load_unlocked
File "<frozen importlib._bootstrap>", line 670, in _load_unlocked
File "<frozen importlib._bootstrap>", line 583, in module_from_spec
File "<frozen importlib._bootstrap_external>", line 1043, in create_module
File "<frozen importlib._bootstrap>", line 219, in _call_with_frames_removed
ImportError: /lib64/libcurl.so.4: symbol SSLv3_client_method version OPENSSL_1_1_0 not defined in file libssl.so.1.1 with link time reference

During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/usr/bin/yum", line 57, in <module>
from dnf.cli import main
File "/usr/lib/python3.7/site-packages/dnf/__init__.py", line 30, in <module>
import dnf.base
File "/usr/lib/python3.7/site-packages/dnf/base.py", line 29, in <module>
import libdnf.transaction
File "/usr/lib64/python3.7/site-packages/libdnf/__init__.py", line 8, in <module>
from . import error
File "/usr/lib64/python3.7/site-packages/libdnf/error.py", line 17, in <module>
_error = swig_import_helper()
File "/usr/lib64/python3.7/site-packages/libdnf/error.py", line 16, in swig_import_helper
return importlib.import_module('_error')
File "/usr/lib64/python3.7/importlib/__init__.py", line 127, in import_module
return _bootstrap._gcd_import(name[level:], package, level)
ModuleNotFoundError: No module named '_error'
The cause is in the first traceback: the distribution's /lib64/libcurl.so.4 was linked against the stock OpenSSL and requires SSLv3_client_method with symbol version OPENSSL_1_1_0, which the replacement libssl.so.1.1 does not export; since yum (dnf) loads libcurl through libdnf, yum fails. So curl also has to be rebuilt against the new OpenSSL.
III. Upgrading curl
Extract curl-7.88.1.zip, then build and install it:
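Any other binary or library linked against the stock OpenSSL can fail the same way as libcurl.so.4 did. The check below is an added example, not code from the original post: it runs ldd -r over a list of files and reports unresolved references of the kind shown in the traceback, so the affected consumers can be found before yum or sshd trips over them. report_unresolved parses ldd-style text from stdin so it can be exercised offline; the sample output in sample_ldd_output is constructed, not captured from the post's host.

```bash
#!/bin/bash
# Added example, not from the original post: detect shared objects that still
# reference symbol versions the replacement libssl.so.1.1/libcrypto.so.1.1 do
# not export (the libcurl.so.4 -> yum failure above). report_unresolved
# parses `ldd -r`-style text from stdin so it can be tested on captured output;
# check_libs runs ldd -r on real files. Only run ldd on binaries you trust:
# it executes the dynamic loader on them.

# Prints "<symbol> <version> <file-that-lacks-it>" per unresolved reference.
# Matches the versioned form shown in the traceback above
# ("symbol X version Y not defined in file Z with link time reference") and
# the unversioned "undefined symbol: X (lib)" form that ldd -r also prints.
report_unresolved() {
  sed -nE \
    -e 's/.*symbol ([^ ]+) version ([^ ]+) not defined in file ([^ ]+).*/\1 \2 \3/p' \
    -e 's/.*undefined symbol: ([^[:space:],]+).*\((.*)\).*/\1 - \2/p'
}

# check_libs FILE...: list every unresolved reference, return 1 if any is found
check_libs() {
  local f out rc=0
  for f in "$@"; do
    out=$(ldd -r "$f" 2>&1 | report_unresolved)
    if [ -n "$out" ]; then
      printf '%s:\n%s\n' "$f" "$out"
      rc=1
    fi
  done
  return "$rc"
}

# Constructed sample of ldd -r output for a libcurl built against the old
# OpenSSL (not a capture from the post). On the real host run, for example,
#   check_libs /lib64/libcurl.so.4 /usr/sbin/sshd
# right after the OpenSSL step, before relying on yum or restarting sshd.
sample_ldd_output() {
  printf '\tlibssl.so.1.1 => /lib64/libssl.so.1.1 (0x00007f1e)\n'
  printf 'symbol SSLv3_client_method version OPENSSL_1_1_0 not defined in file libssl.so.1.1 with link time reference\t(/lib64/libcurl.so.4)\n'
  printf 'undefined symbol: curl_private_helper\t(/lib64/libcurl.so.4)\n'
}
```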
- unzip curl-7.88.1.zip
- cd curl-7.88.1
- ./configure --prefix=/usr/local/curl-7.88.1 --with-openssl=/usr/local/openssl-1.1.1w
- make
- make install
- mv /usr/bin/curl /usr/bin/curl.bak
- ln -sf /usr/local/curl-7.88.1/bin/curl /usr/bin/curl
- echo '/usr/local/curl-7.88.1/lib' >> /etc/ld.so.conf
- ldconfig
Run 'curl --version' to confirm that curl is at the target version, then verify that yum works again.
[root@openeuder bin]$ curl --version
curl 7.88.1 (x86_64-pc-linux-gnu) libcurl/7.88.1 OpenSSL/1.1.1w zlib/1.2.11
Release-Date: 2023-02-20
Protocols: dict file ftp ftps gopher gophers http https imap imaps mqtt pop3 pop3s rtsp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS HSTS HTTPS-proxy IPv6 Largefile libz NTLM NTLM_WB SSL threadsafe TLS-SRP UnixSockets
[root@openeuder bin]$ yum install -y lrzsz
Last metadata expiration check: 7:27:13 ago on Thu 11 Apr 2024 07:06:09 AM CST.
Package lrzsz-0.12.20-46.oe1.x86_64 is already installed.
Dependencies resolved.
Nothing to do.
Complete!
The upgrade is now complete.
IV. Shut down the telnet and xinetd services and the firewall rule opened earlier
Note: shut down the back-door services only after the upgrade has been verified. The shutdown steps must mirror what was enabled beforehand; adapt them to what you actually did.
- service xinetd stop
- service telnet stop
- chkconfig xinetd off
- chkconfig telnet off
# remove the port-23 rule added in step 3 (-D deletes the rule; -I would add a second copy)
- iptables -D INPUT -p tcp -m tcp --dport 23 -j ACCEPT
Extra: hiding the OpenSSH version number
Before running make, edit version.h in the extracted openssh directory and set the value of "SSH_VERSION" to a string of your choice. This only changes what 'ssh -V' and the protocol banner report, not the code that is running, so it complements keeping OpenSSH patched rather than replacing it.
Note: this must be done before building and installing.