Offline upgrade of OpenSSH on CentOS

Background:

  • Vulnerability scans report a large number of OpenSSH security vulnerabilities, so the OpenSSH version has to be upgraded

Package download URLs:

http://www.zlib.net/zlib-1.2.13.tar.gz
https://www.openssl.org/source/openssl-1.1.1t.tar.gz
https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.3p1.tar.gz

Download the dependency packages to install:

  • Do this on a machine that can reach the Internet, then copy the packages to the intranet server
yum install --downloadonly --downloaddir=/usr/local/src/offline-package autoconf rpm-build gcc gcc-c++ glibc glibc-devel openssl openssl-devel pcre pcre-devel zlib zlib-devel make wget krb5-devel pam-devel libX11-devel xmkmf libXt-devel initscripts imake gtk2-devel

Back up the yum repo files (move them aside), otherwise the yum install will fail:

mkdir /etc/yum.repos.d/bak
mv /etc/yum.repos.d/*.repo /etc/yum.repos.d/bak/
yum clean all

Compile and install zlib:

cd /usr/local/src/upgrade-openssh
yum localinstall -y --skip-broken /usr/local/src/offline-package/*.rpm
tar xf zlib-1.2.13.tar.gz
cd /usr/local/src/upgrade-openssh/zlib-1.2.13
./configure --prefix=/usr/local/zlib
make && make install

Compile and install OpenSSL:

cd /usr/local/src/upgrade-openssh
tar xf openssl-1.1.1t.tar.gz
# Move the system openssl binary and headers aside
mv /usr/bin/openssl /usr/bin/openssl.old
mv /usr/include/openssl /usr/include/openssl.old
cd /usr/local/src/upgrade-openssh/openssl-1.1.1t
./config --prefix=/usr/local/openssl
make && make install
ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
ln -s /usr/local/openssl/include/openssl /usr/include/openssl
# Make the dynamic linker find the new libssl/libcrypto
echo "/usr/local/openssl/lib" >> /etc/ld.so.conf
ldconfig -v
# Verify
openssl version

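Compile and install OpenSSH:

cd /usr/local/src/upgrade-openssh
tar xf openssh-9.3p1.tar.gz
cd /usr/local/src/upgrade-openssh/openssh-9.3p1
# --without-hardening turns off the toolchain hardening flags; drop it if the build succeeds without it
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-tcp-wrappers --with-ssl-dir=/usr/local/openssl --with-zlib=/usr/local/zlib --without-hardening
make && make install
# sshd uses the first value it finds for a keyword, so these appended lines
# only take effect if the keyword is not already set earlier in the file.
# PermitRootLogin yes allows direct root login over SSH.
echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
echo "UseDNS no" >> /etc/ssh/sshd_config
# Install the init script and PAM file shipped with the source
cp -a contrib/redhat/sshd.init /etc/init.d/sshd
cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd.pam
chmod +x /etc/init.d/sshd
chkconfig --add sshd
systemctl enable sshd
chkconfig sshd on
# Move the old systemd unit out of the way so the init script is used
mv /usr/lib/systemd/system/sshd.service /tmp
# Host private keys must not be readable by other users
chmod 600 /etc/ssh/ssh_host_ecdsa_key
chmod 600 /etc/ssh/ssh_host_ed25519_key
chmod 600 /etc/ssh/ssh_host_rsa_key
# Comment out GSSAPIAuthentication in the client and server configs
sed -i 's/GSSAPIAuthentication/#GSSAPIAuthentication/g' /etc/ssh/ssh_config
sed -i 's/GSSAPIAuthentication/#GSSAPIAuthentication/g' /etc/ssh/sshd_config
systemctl daemon-reload
systemctl restart sshd
# Verify
ssh -V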
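
A post-upgrade check for the steps above, as an added example that is not part of the original post: it confirms that `ssh -V` reports the versions that were built (9.3p1 linked against OpenSSL 1.1.1t, not the old system library) and prints the value sshd will actually use for a keyword, since the first occurrence wins and a line appended with `echo >>` can be shadowed. The function names and the `--live` switch are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): post-upgrade checks.
# Function names and the --live switch are assumptions of this example.

# Split an `ssh -V` banner such as
#   "OpenSSH_9.3p1, OpenSSL 1.1.1t  7 Feb 2023"
# into "<openssh-version> <openssl-version>".
banner_versions() {
    printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([^ ,]*\),.*OpenSSL \([^ ]*\).*/\1 \2/p'
}

# Succeed only if the banner reports exactly the versions that were built.
# Catches a build that linked against the old system OpenSSL.
banner_matches() {   # args: banner want_ssh want_ssl
    [ "$(banner_versions "$1")" = "$2 $3" ]
}

# Print the value sshd will use for a keyword in a config file: the FIRST
# uncommented occurrence wins, so a line appended with `echo >>` is ignored
# if the keyword was already set earlier. Stops at the first Match block.
effective_value() {  # args: file keyword
    awk -v kw="$2" '
        { sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }
        tolower($1) == "match" { exit }
        tolower($1) == tolower(kw) { print $2; exit }
    ' "$1"
}

# Run the checks against the live system only when asked to.
if [ "${1:-}" = "--live" ]; then
    banner=$(ssh -V 2>&1)
    banner_matches "$banner" 9.3p1 1.1.1t || echo "unexpected build: $banner"
    sshd -t || echo "sshd_config has errors; do not restart sshd yet"
    for kw in PermitRootLogin UseDNS; do
        echo "$kw = $(effective_value /etc/ssh/sshd_config "$kw")"
    done
fi
```

`sshd -T` prints the complete effective server configuration when a full dump is wanted.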

make build error 1:
/usr/bin/ld: cannot find -lz collect2: error: ld returned 1 exit status

undefined reference to `BIO_f_zlib' (OpenSSL build error)
Fix:
  make clean   # remove the object files produced by the previous make
  make         # rebuild

make build error 2:
configure: error: *** zlib.h missing - please install first or check config.
Fix:
  Install zlib, or point configure at zlib when building:
  yum -y install zlib zlib-devel   # zlib.h is shipped in zlib-devel
  --with-zlib=/usr/local/zlib