升级 CentOS 7 的 OpenSSH 到 openssh-9.6p1 版本的 shell 脚本（漏洞扫描整改）— Shell script to upgrade OpenSSH on CentOS 7 to openssh-9.6p1 (vulnerability-scan remediation)
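#!/usr/bin/env bash
# Upgrade a CentOS 7 host to a source-built OpenSSH (default 9.6p1) linked
# against a source-built OpenSSL 3.x and zlib, replacing the distro RPMs.
#
# Run as root, preferably from a console (not over SSH): the script removes the
# openssh RPMs and swaps the sshd binary, so a failure between those two steps
# can lock out remote access.
#
# Environment (all optional):
#   OPENSSH_VERSION / OPENSSL_VERSION / ZLIB_VERSION
#       Tarball basenames (defaults below).
#   OPENSSH_SHA256 / OPENSSL_SHA256 / ZLIB_SHA256
#       Expected SHA-256 of each tarball, taken from the upstream release
#       announcement. When set, a mismatch aborts before anything is unpacked;
#       when unset, the download is only protected by TLS and a warning is
#       printed.
#   PERMIT_ROOT_LOGIN (default "yes"), PASSWORD_AUTHENTICATION (default "yes")
#       Values written into the new sshd_config. Both defaults are weak and are
#       kept only for compatibility with the original script; for a hardened
#       host use PERMIT_ROOT_LOGIN=prohibit-password PASSWORD_AUTHENTICATION=no.
#
# Side effects: installs build packages via yum, removes the openssh RPMs,
# backs up /etc/ssh (timestamped) and every replaced binary (*.bak), installs
# the contrib SysV init script and restarts sshd. Existing host keys are carried
# over so clients do not see a "host identification has changed" warning.
set -euo pipefail
trap 'printf "\033[31m[ERROR] failed at line %s: %s\033[0m\n" "$LINENO" "$BASH_COMMAND" >&2' ERR

OPENSSH_VERSION=${OPENSSH_VERSION:-openssh-9.6p1}
OPENSSL_VERSION=${OPENSSL_VERSION:-openssl-3.2.1}
ZLIB_VERSION=${ZLIB_VERSION:-zlib-1.3.1}
OPENSSH_SHA256=${OPENSSH_SHA256:-}
OPENSSL_SHA256=${OPENSSL_SHA256:-}
ZLIB_SHA256=${ZLIB_SHA256:-}
PERMIT_ROOT_LOGIN=${PERMIT_ROOT_LOGIN:-yes}
PASSWORD_AUTHENTICATION=${PASSWORD_AUTHENTICATION:-yes}

readonly WORK_DIR=/opt/opensshUpgrade
readonly SRC_DIR=/usr/local/src
readonly ZLIB_PREFIX=/usr/local/zlib
readonly SSL_PREFIX=/usr/local/ssl
readonly SSH_PREFIX=/usr/local/openssh
# An unbounded `make -j` forks one job per source file and can exhaust memory
# on small hosts; bound it by the CPU count.
JOBS=$(nproc)
readonly JOBS

die()  { printf '\033[31m[ERROR] %s\033[0m\n' "$*" >&2; exit 1; }
warn() { printf '\033[33m[WARN] %s\033[0m\n' "$*" >&2; }
info() { printf '\033[32m[INFO] %s\033[0m\n' "$*"; }

#######################################
# Download one tarball into the current directory and verify it.
# Arguments: $1 URL, $2 local file name, $3 expected sha256 (may be empty),
#            $4 name of the variable that carries the checksum (for the warning)
#######################################
fetch() {
  local url=$1 file=$2 sum=$3 var=$4
  wget -c -- "$url" || die "download failed: $url"
  if [[ -n "$sum" ]]; then
    # Verify before the archive is unpacked or built; the mirror is just an
    # HTTPS file server with no other integrity check.
    printf '%s  %s\n' "$sum" "$file" | sha256sum -c - >/dev/null \
      || die "sha256 mismatch for $file"
  else
    warn "$file was not checksum-verified (set $var to enforce it)"
  fi
}

#######################################
# Copy a freshly built binary over a system path, keeping a .bak of whatever
# was there before.
# Arguments: $1 source path, $2 destination path
#######################################
install_bin() {
  local src=$1 dst=$2
  if [[ -e "$dst" ]]; then
    mv -f -- "$dst" "$dst.bak"
  fi
  cp -f -- "$src" "$dst"
}

[[ $EUID -eq 0 ]] || die "this script must run as root"

# perl (with IPC::Cmd and Data::Dumper, separate RPMs on CentOS 7) is required
# by the OpenSSL 3 Configure script.
yum -y install wget tar gcc gcc-c++ make perl perl-IPC-Cmd perl-Data-Dumper

mkdir -p -- "$WORK_DIR" "$SRC_DIR"
cd -- "$WORK_DIR" || die "cannot cd to $WORK_DIR"

fetch "https://ftp.riken.jp/pub/OpenBSD/OpenSSH/portable/$OPENSSH_VERSION.tar.gz" \
  "$OPENSSH_VERSION.tar.gz" "$OPENSSH_SHA256" OPENSSH_SHA256
fetch "https://www.openssl.org/source/$OPENSSL_VERSION.tar.gz" \
  "$OPENSSL_VERSION.tar.gz" "$OPENSSL_SHA256" OPENSSL_SHA256
fetch "https://www.zlib.net/$ZLIB_VERSION.tar.gz" \
  "$ZLIB_VERSION.tar.gz" "$ZLIB_SHA256" ZLIB_SHA256

for tarball in "$ZLIB_VERSION" "$OPENSSL_VERSION" "$OPENSSH_VERSION"; do
  tar xf "$tarball.tar.gz" -C "$SRC_DIR" || die "cannot unpack $tarball.tar.gz"
done

# --- zlib -------------------------------------------------------------------
cd -- "$SRC_DIR/$ZLIB_VERSION" || die "missing $SRC_DIR/$ZLIB_VERSION"
./configure --prefix="$ZLIB_PREFIX"
make -j"$JOBS"
make install

# --- OpenSSL ----------------------------------------------------------------
# The original invocation passed `-d`, which selects an unoptimised debug
# build; a release build is what should back sshd.
cd -- "$SRC_DIR/$OPENSSL_VERSION" || die "missing $SRC_DIR/$OPENSSL_VERSION"
./config --prefix="$SSL_PREFIX" shared
make -j"$JOBS"
make install

# OpenSSL 3 installs into lib64 on x86_64 (lib on 32-bit); register whichever
# exists, via ld.so.conf.d so re-running the script does not append duplicates.
ssl_libdir=$SSL_PREFIX/lib64
[[ -d "$ssl_libdir" ]] || ssl_libdir=$SSL_PREFIX/lib
printf '%s\n' "$ssl_libdir" > /etc/ld.so.conf.d/local-openssl.conf
ldconfig

# Point the `openssl` command and headers at the new build (the distro
# libssl.so.10 stays in place for RPM-linked software). Only back up real
# files, so a re-run does not bury the backup under our own symlink.
if [[ -e /usr/bin/openssl && ! -L /usr/bin/openssl ]]; then
  mv -- /usr/bin/openssl /usr/bin/openssl.bak
fi
ln -sfn "$SSL_PREFIX/bin/openssl" /usr/bin/openssl
if [[ -d /usr/include/openssl && ! -L /usr/include/openssl ]]; then
  mv -- /usr/include/openssl /usr/include/openssl.bak
fi
ln -sfn "$SSL_PREFIX/include/openssl" /usr/include/openssl

# --- OpenSSH ----------------------------------------------------------------
# sshd refuses to start without its privilege-separation user; the RPM used to
# provide it, so make sure it survives the RPM removal below.
if ! getent passwd sshd >/dev/null; then
  useradd -r -c "Privilege-separated SSH" -d /var/empty/sshd -s /sbin/nologin sshd
fi
mkdir -p /var/empty/sshd
chown root:root /var/empty/sshd
chmod 0711 /var/empty/sshd

# Move the old configuration aside (a fresh sshd_config is installed by
# `make install`), but carry the existing host keys over: regenerating them
# would make every client see a host-key change and teach users to click
# through exactly the warning that protects them from MITM.
ssh_backup=/etc/ssh.bak.$(date +%Y%m%d%H%M%S)
if [[ -d /etc/ssh ]]; then
  mv -- /etc/ssh "$ssh_backup"
  mkdir -m 0755 /etc/ssh
  shopt -s nullglob
  for key in "$ssh_backup"/ssh_host_*_key; do
    cp -p -- "$key" /etc/ssh/
    chown root:root "/etc/ssh/${key##*/}"
    chmod 0600 "/etc/ssh/${key##*/}"
  done
  for pub in "$ssh_backup"/ssh_host_*_key.pub; do
    cp -p -- "$pub" /etc/ssh/
    chown root:root "/etc/ssh/${pub##*/}"
    chmod 0644 "/etc/ssh/${pub##*/}"
  done
  shopt -u nullglob
fi

cd -- "$SRC_DIR/$OPENSSH_VERSION" || die "missing $SRC_DIR/$OPENSSH_VERSION"
./configure --prefix="$SSH_PREFIX" --sysconfdir=/etc/ssh \
  --with-ssl-dir="$SSL_PREFIX" --with-zlib="$ZLIB_PREFIX"
make -j"$JOBS"
# `make install` also writes /etc/ssh/sshd_config (only if absent) and
# generates any host key types that are still missing.
make install

# Plain `remove` rather than `autoremove`: the latter also drops unrelated
# leaf packages that only happened to be pulled in as dependencies.
yum -y remove openssh

# Replace the RPM binaries. Copying every client tool (scp, sftp, ssh-agent,
# ssh-keyscan, ...) rather than just ssh/ssh-keygen keeps them on PATH after
# the RPM is gone.
install_bin "$SSH_PREFIX/sbin/sshd" /usr/sbin/sshd
for bin in "$SSH_PREFIX"/bin/*; do
  install_bin "$bin" "/usr/bin/${bin##*/}"
done

# Local policy appended to the freshly installed sshd_config. See the header
# for why PermitRootLogin/PasswordAuthentication default to the weak values.
{
  printf 'UseDNS no\n'
  printf 'PermitRootLogin %s\n' "$PERMIT_ROOT_LOGIN"
  printf 'PubkeyAuthentication yes\n'
  printf 'PasswordAuthentication %s\n' "$PASSWORD_AUTHENTICATION"
} >> /etc/ssh/sshd_config
[[ "$PERMIT_ROOT_LOGIN" == "yes" ]] && warn "PermitRootLogin yes is in effect"
[[ "$PASSWORD_AUTHENTICATION" == "yes" ]] && warn "PasswordAuthentication yes is in effect"
# Validate before touching the service so a bad config never leaves sshd down.
/usr/sbin/sshd -t -f /etc/ssh/sshd_config || die "new /etc/ssh/sshd_config does not validate"

# --- service ----------------------------------------------------------------
systemctl stop sshd.service &>/dev/null || true
rm -f /lib/systemd/system/sshd.service
systemctl daemon-reload
install -m 0755 "$SRC_DIR/$OPENSSH_VERSION/contrib/redhat/sshd.init" /etc/init.d/sshd
chkconfig --add sshd
systemctl daemon-reload   # let the sysv generator pick up the init script
systemctl enable sshd
systemctl restart sshd

# --- verification -----------------------------------------------------------
expected="OpenSSH_${OPENSSH_VERSION#openssh-}"
/usr/bin/ssh -V 2>&1 || true
/usr/bin/openssl version || true
if systemctl is-active --quiet sshd && /usr/bin/ssh -V 2>&1 | grep -q -- "$expected"; then
  info "OpenSSH upgraded to $expected successfully!"
else
  die "OpenSSH upgrade to $expected failed! Backups: $ssh_backup, /usr/sbin/sshd.bak, /usr/bin/*.bak"
fi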