OpenSSH源码版本升级亲测支持在RHEL4.x,RHEL5.x,RHEL6.x,RHEL7.x,Suse11.x,Suse12.x 可用,配合saltstack能够批量执行大批量设备openssh版本升级。node
但愿能够对平常运维处理漏洞工做的童靴有些许帮助,提升工做效率,减小无效工做时间。
linux
#!/bin/bash
#################################################################
###### update openssl openssh scirpt #########
##### Author:kl #####
###### Date:2014/07/13 #####
###### LastModified:2016/06/02 #######
#### Warning:start telnet service before use the script #####
#################################################################
####################################################################################
# update openssh and openssl
#########
#####
##
####################################################################################
#Determine whether the current system installed gcc compiler tools
# Test list
# redhat6.3,redhat6.5,redhat6.6,suse11
zlib_version="zlib-1.2.11"
openssl_version="openssl-1.0.2r"
openssh_version="openssh-8.0p1"
#gcc_path=`which gcc`
#gcc_name=`basename $gcc_path`
DATE=$(date +%Y%m%d)
if ! rpm -qa|egrep 'which|util-linux' &> /dev/null || ! rpm -qa|grep util-linux &> /dev/null; then
echo "which is not installed" && exit
fi
# OS TYPE
#Distributor_ID=$(lsb_release -i)
# OS Version
if which lsb_release &> /dev/null; then
Distributor=`lsb_release -i|cut -c 17-`
else
echo "please install redhat-lsb package first." && exit
fi
Distributor_VE=$(lsb_release -a|grep Release|tr -cd '[0-9.]'|cut -d'.' -f1)
# Determine whether the root user
userid=`id -u`
if [ "$userid" -ne 0 ]; then
echo "sorry,only root can execute the script. "
exit
fi
# SET SELINUX=disabled
if [ "$Distributor" != "SUSE LINUX" ]; then
sed -i '/SELINUX/s/enforcing/disabled/' /etc/selinux/config
setenforce 0
# pam-devel,tcp_wrappers-devel need be installed, Otherwise, the software will install failure
# Support for tcpwrappers/libwrap has been removed in openssh6.7
if ! rpm -qa|grep pam-devel &>/dev/null; then
echo "pam-devel is not installed" && exit
fi
fi
#if ! rpm -qa|grep tcp_wrappers-devel &>/dev/null; then
# echo "tcp_wrappers-devel not installed" && exit
#fi
# Check whether to open the telnet service
netstat -tnlp | grep -w 23
RETVAL3=$?
if [ $RETVAL3 -eq 0 ]; then
echo "telnet service is running------------[yes]"
else
echo "telnet service is not running--------[no]"
exit
fi
# Determine whether to install gcc package
if which gcc &> /dev/null; then
echo "gcc is installed----------------[yes]"
else
echo "gcc is not installed------------[no]"
exit
fi
# stop sshd service
netstat -tnlp | grep -w 22
RETVAL4=$?
if [ $RETVAL4 -eq 0 ]; then
service sshd stop
echo "stop sshd service --------------[yes]"
fi
if [ -e /etc/init.d/sshd ]; then
cp /etc/init.d/sshd /root
fi
# remove openssh*.rpm if exists
if rpm -qa | grep openssh &> /dev/null; then
rpm -qa | grep openssh > openssh_list.txt
while read line
do
rpm -e $line --nodeps
echo "remove $line success------------[yes]"
done
fi
###########install zlib ##################
tar -zxvf "${zlib_version}.tar.gz" > /dev/null
cd $zlib_version
./configure
RETVAL5=$?
if [ $RETVAL5 -ne 0 ]; then
echo "Configure zlib has encountered an error"
exit
fi
make
RETVAL6=$?
if [ $RETVAL6 -ne 0 ]; then
echo "make zlib has encountered an error"
exit
fi
make install
cd ..
echo "#########################################################"
echo "################ #################"
echo "################ zlib install success #################"
echo "################ #################"
echo "#########################################################"
sleep 2
########## install openssl #############
tar -zxvf "${openssl_version}.tar.gz" > /dev/null
cd $openssl_version
./config shared zlib
RETVAL7=$?
if [ $RETVAL7 -ne 0 ]; then
echo "Configure openssl has encountered an error"
exit
fi
make
RETVAL8=$?
if [ $RETVAL8 -ne 0 ]; then
echo "make openssl has encountered an error"
exit
fi
make install
if [ -e /usr/bin/openssl ]; then
mv /usr/bin/openssl /usr/bin/openssl.OFF && ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
else
ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
fi
if [ -e /usr/include/openssl ]; then
mv /usr/include/openssl /usr/include/openssl.OFF && ln -s /usr/local/ssl/include/openssl /usr/include/openssl
else
ln -s /usr/local/ssl/include/openssl /usr/include/openssl
fi
## Add "/usr/local/ssl/lib" to /etc/ld.so.conf
ssl_lib=`grep -w "/usr/local/ssl/lib" /etc/ld.so.conf`
if [ ! -e "$ssl_lib" ]; then
echo "/usr/local/ssl/lib" >> /etc/ld.so.conf
fi
ldconfig -v
cd ..
echo "#########################################################"
echo "################ #################"
echo "################ openssl install sucess ################"
echo "################ #################"
echo "#########################################################"
sleep 2
############# install openssh ##############
if [ -e /etc/ssh ]; then
mv /etc/ssh /etc/ssh_$DATE
fi
tar -zxvf "${openssh_version}.tar.gz" > /dev/null
cd $openssh_version
if [ "$Distributor" != "SUSE LINUX" ]; then
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-zlib --with-pam --with-ssl-dir=/usr/local/ssl --with-md5-passwords
else
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-zlib --with-ssl-dir=/usr/local/ssl --with-md5-passwords
fi
RETVAL9=$?
if [ $RETVAL9 -ne 0 ]; then
echo "Configure openssh has encountered an error"
exit
fi
make
RETVAL10=$?
if [ $RETVAL10 -ne 0 -a $RETVAL10 -ne 0 ]; then
echo "make openssh has encountered an error"
exit
fi
make install
if [ "$Distributor" == "SUSE LINUX" ]; then
cd contrib/suse
cp rc.sshd /etc/init.d/sshd
chmod +x /etc/init.d/sshd
chkconfig --add sshd
else
cd contrib/redhat
cp sshd.init /etc/init.d/sshd
chmod +x /etc/init.d/sshd
chkconfig --add sshd
fi
#A generic PAM configuration is included as "contrib/sshd.pam.generic",
#you may need to edit it before using it on your system.
cd ..
if [ "$Distributor" != "SUSE LINUX" ]; then
cp sshd.pam.generic /etc/pam.d/sshd
sed -i 's/\/lib\/security\///g' /etc/pam.d/sshd
fi
# Modify /etc/ssh/sshd_config
# Backup /etc/ssh/sshd_config
cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config_bak
# The default set of ciphers and MACs has been altered to
# remove unsafe algorithms. In particular, CBC ciphers and arcfour*
# are disabled by default.
# Changes since OpenSSH 6.6
echo "KexAlgorithms diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1,curve25519-sha256@libssh.org" >> /etc/ssh/sshd_config
echo "Ciphers aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc" >> /etc/ssh/sshd_config
echo "MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha1-96,hmac-md5-96" >> /etc/ssh/sshd_config
# Disable root access via ssh to server
#* The default for the sshd_config(5) PermitRootLogin option has changed from "yes" to "prohibit-password".
#* PermitRootLogin=without-password/prohibit-password now bans all
#interactive authentication methods, allowing only public-key,
#hostbased and GSSAPI authentication (previously it permitted
#keyboard-interactive and password-less authentication if those
#were enabled).
#PermitRootLogin prohibit-password is the default since version 7.0p1
sed -i 's/^#PermitRootLogin/PermitRootLogin/' /etc/ssh/sshd_config
#sed -i '/PermitRootLogin/s/yes/no/' /etc/ssh/sshd_config
sed -i '/PermitRootLogin/s/prohibit-password/no/' /etc/ssh/sshd_config
# Set 'UsePAM no' to 'UsePAM yes' to enable PAM authentication, account processing,
# and session processing
if [ "$Distributor" != "SUSE LINUX" ]; then
sed -i '/^#UsePAM no/a UsePAM yes' /etc/ssh/sshd_config
fi
# Start sshd process
service sshd start
# Disable telnet service
if netstat -tnlp | grep -w 22 &> /dev/null; then
if [[ "$Distributor" =~ "RedHat" && "$Distributor_VE" -eq 7 ]]; then
systemctl stop telnet.socket
else
sed -i '/disable/s/no/yes/' /etc/xinetd.d/telnet
service xinetd restart
fi
fi
echo "#########################################################"
echo "################ #################"
echo "################ openssh install sucess ################"
echo "################ #################"
echo "#########################################################"
echo "############### ssh version ################################################# "
echo "################################################################################### "
sshd -v
echo "#################################################################################### "
echo "#################################################################################### "