Building and upgrading the OpenSSH 9.8p1 RPM package

rpmbuild basics
openssh/openssl binary upgrade



Preface

This follows directly on from the OpenSSL upgrade. Finish the OpenSSL upgrade first, then work through this page.


Step one is identical to the OpenSSL page and can be skipped if you have already done it.

I. Preparing resources

System: CentOS 7.6, x86 architecture

old                   new
openssh_7.4p1         openssh_9.8p1
OpenSSL 1.0.2k-fips   openssl-1.1.1s

1. Download the openssh and openssl source tarballs

1) Download the openssh source tarball
[root@localhost ~]# wget  https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.8p1.tar.gz
--2025-01-06 11:02:15--  https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.8p1.tar.gz
Resolving cdn.openbsd.org (cdn.openbsd.org)... 146.75.115.52, 2a04:4e42:15::820
Connecting to cdn.openbsd.org (cdn.openbsd.org)|146.75.115.52|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1910393 (1.8M) [application/octet-stream]
Saving to: ‘openssh-9.8p1.tar.gz’

38% [=========================================>               729,088     49.9KB/s  eta 22s

2) Download the openssl source tarball. Note that this GitHub URL is an auto-generated tag archive, not the signed release tarball published by the OpenSSL project, and that the 1.1.1 series has been out of support since September 2023.
[root@localhost ~]# wget https://github.com/openssl/openssl/archive/refs/tags/OpenSSL_1_1_1s.tar.gz

2. Install the rpmbuild tooling

[root@localhost ~]# yum install -y rpm-build
[root@localhost ~]# yum install rpmdevtools
[root@localhost ~]# yum install rpmlint -y # spec file linter
[root@localhost ~]# vim /root/.rpmmacros
# /root/.rpmmacros holds per-user macro definitions; _topdir sets the packaging root
# (keep comments on their own line: trailing text on the macro line becomes part of its value)
%_topdir /export/rpmbuild

Create the rpmbuild directory tree

[root@localhost ~]# cd /export/
[root@localhost /export]# rpmdev-setuptree
[root@localhost /export]# cd rpmbuild && ls
BUILD  RPMS  SOURCES  SPECS  SRPMS


3. Move the source tarballs into the SOURCES directory

[root@localhost ~]# mv openssh-9.8p1.tar.gz /export/rpmbuild/SOURCES
[root@localhost ~]# mv OpenSSL_1_1_1s.tar.gz /export/rpmbuild/SOURCES


4. Enable telnet as a fallback so the host stays reachable if the new sshd fails to start

Telnet is cleartext: use it only from the console or a trusted management network, and stop telnet.socket and remove the pts/ lines from /etc/securetty once the upgraded sshd is confirmed working.

[root@localhost ~]# yum install -y telnet-server
[root@localhost ~]# yum install -y telnet
[root@localhost ~]# yum install -y xinetd # optional
[root@localhost ~]# systemctl start telnet.socket && systemctl start xinetd.service

# By default the system does not allow root to log in over telnet. To let root log in directly, add the pseudo-terminals to /etc/securetty:
[root@localhost ~]# echo  'pts/0'  >> /etc/securetty 
[root@localhost ~]# echo  'pts/1'  >> /etc/securetty

# test the telnet login
[root@localhost ~]# telnet localhost
enter the username
enter the password
login succeeds


5. Install the build tools

[root@localhost ~]# yum install -y gcc make  gcc-c++ perl perl-WWW-Curl

That completes the preparation.
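The page downloads the release tarball without checking it. The script below is an added example for this page (not from the original post or the OpenSSH project) that fetches an OpenSSH release together with its detached signature and verifies both the signature and the archive layout before the file goes into SOURCES. It assumes the `.asc` file sits next to the tarball on cdn.openbsd.org (true for portable releases) and that the OpenSSH release-signing key has already been imported into the local GnuPG keyring from a source you trust; the layout check also confirms that the `contrib/redhat/openssh.spec` path used later on this page really exists in the archive.

```shell
#!/usr/bin/env bash
# Added example: verify an OpenSSH source tarball before it enters the build tree.
# Assumes the detached .asc signature lives beside the tarball and that the OpenSSH
# release key is already in the keyring (import it from a trusted source first).

OPENSSH_BASE_URL="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable"

# Download openssh-<version>.tar.gz and its .asc into dest_dir (network; not run by tests).
fetch_openssh_release() {
    local version="$1" dest_dir="$2" tarball="openssh-$1.tar.gz"
    wget -q -P "$dest_dir" "$OPENSSH_BASE_URL/$tarball" "$OPENSSH_BASE_URL/$tarball.asc"
}

# gpg exits non-zero for a bad signature or a key it does not know.
verify_detached_sig() {
    gpg --verify "$1.asc" "$1"
}

# Every archive member must live under the single top-level directory we expect.
# Rejects absolute paths, ".." components and stray top-level files, so that the later
# "tar -xf ... --strip-components=3" extracts exactly what we think it does.
tarball_has_single_top_dir() {
    local tarball="$1" expected="$2"
    tar -tzf "$tarball" | awk -v want="$expected" '
        BEGIN { bad = 0 }
        $0 != want && $0 != (want "/") && index($0, want "/") != 1 { bad = 1 }
        END { exit bad }'
}

# Does the archive contain this exact member path?
tarball_has_member() {
    tar -tzf "$1" | grep -qxF "$2"
}

# Usage: ./check-openssh-src.sh --fetch 9.8p1 /export/rpmbuild/SOURCES
if [ "${1:-}" = "--fetch" ]; then
    ver="$2"; dest="${3:-.}"; tb="$dest/openssh-$ver.tar.gz"
    fetch_openssh_release "$ver" "$dest" &&
        verify_detached_sig "$tb" &&
        tarball_has_single_top_dir "$tb" "openssh-$ver" &&
        tarball_has_member "$tb" "openssh-$ver/contrib/redhat/openssh.spec" &&
        echo "openssh-$ver.tar.gz: signature and layout OK"
fi
```

Run it with `--fetch` once the key is imported; a failed `gpg --verify` or an unexpected archive layout aborts before anything is copied into SOURCES.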

6. Additional notes

1) OpenSSH 9.8p1 requires OpenSSL 1.1.1 or later, which is why OpenSSL is upgraded first.

2) Upstream sshd has defaulted to `PermitRootLogin prohibit-password` since OpenSSH 7.0; CentOS 7's own 7.4p1 package shipped an explicit `PermitRootLogin yes` in its sshd_config. Review that line before the upgrade if root password logins must keep working.

3) The contrib/redhat sshd.pam file shipped with the spec still references pam_stack.so, which CentOS 7 does not provide (the module was dropped long ago). Back up /etc/pam.d/sshd before installing and make sure the file in place afterwards does not use pam_stack.so, otherwise PAM authentication fails.

4) PAM authentication is enabled by default.

5) X11Forwarding is enabled by default.

6) Upstream sshd refuses to load a host key that is readable by group or others ("Permissions ... are too open"). CentOS 7's packaged sshd tolerates the distro's 0640 root:ssh_keys layout through a Red Hat patch; the upstream build does not, so set ssh_host_rsa_key, ssh_host_ecdsa_key and ssh_host_ed25519_key to 0600 before starting the new sshd, or it exits with no usable host keys.
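The following pre-flight script is an added example for this page (not from the original post) that turns notes 1, 2, 3 and 6 into checks. Each check is a function that takes its input as an argument, so it can be exercised without root; `run_preflight` applies them to the live system and fixes the host key permissions. It assumes the CentOS 7 default paths (/etc/ssh, /etc/pam.d/sshd) and a backup location under /root, both of which are choices made here, not anything the page prescribes.

```shell
#!/usr/bin/env bash
# Added example: pre-flight checks for the OpenSSH 9.8p1 upgrade on CentOS 7.
# Paths are the CentOS defaults; the backup directory under /root is an assumption.

# Note 1: OpenSSH 9.8p1 needs OpenSSL >= 1.1.1. Input: the `openssl version` line.
openssl_version_ok() {
    local ver rest major minor patch
    ver=$(printf '%s\n' "$1" | awk '{ print $2 }')   # "1.1.1s", "1.0.2k-fips", "3.0.2"
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    patch=${patch%%[!0-9]*}                           # drop the letter suffix: 1s -> 1
    if [ "$major" -gt 1 ]; then return 0; fi
    if [ "$major" -eq 1 ] && [ "$minor" -gt 1 ]; then return 0; fi
    if [ "$major" -eq 1 ] && [ "$minor" -eq 1 ] && [ "$patch" -ge 1 ]; then return 0; fi
    return 1
}

# Note 2: upstream sshd defaults to "PermitRootLogin prohibit-password"; CentOS 7's own
# 7.4p1 config says "PermitRootLogin yes" explicitly. In sshd_config the FIRST matching
# directive wins, so report that one (or the upstream default when none is set).
effective_permit_root_login() {
    local val
    val=$(awk 'tolower($1) == "permitrootlogin" { print $2; exit }' "$1")
    printf '%s\n' "${val:-prohibit-password}"
}

# Note 3: contrib/redhat/sshd.pam still uses pam_stack.so, which CentOS 7 does not ship.
# Returns 0 (true) when the given PAM file references it on an uncommented line.
pam_file_uses_pam_stack() {
    grep -qE '^[^#]*pam_stack\.so' "$1"
}

# Note 6: upstream sshd refuses a host key that group or others can read; CentOS 7 ships
# them 0640 root:ssh_keys via a Red Hat patch. Input: the mode as printed by `stat -c %a`.
hostkey_mode_ok() {
    case "$1" in
        600|400|0600|0400) return 0 ;;
        *) return 1 ;;
    esac
}

run_preflight() {
    local backup k mode
    backup="/root/ssh-upgrade-backup.$(date +%Y%m%d%H%M%S)"
    mkdir -p "$backup" && cp -a /etc/pam.d/sshd /etc/ssh/sshd_config "$backup"/
    openssl_version_ok "$(openssl version)" || echo "WARN: OpenSSL older than 1.1.1, the build will fail"
    echo "PermitRootLogin after upgrade: $(effective_permit_root_login /etc/ssh/sshd_config)"
    if pam_file_uses_pam_stack /etc/pam.d/sshd; then echo "WARN: /etc/pam.d/sshd references pam_stack.so"; fi
    for k in /etc/ssh/ssh_host_rsa_key /etc/ssh/ssh_host_ecdsa_key /etc/ssh/ssh_host_ed25519_key; do
        [ -f "$k" ] || continue
        mode=$(stat -c %a "$k")
        hostkey_mode_ok "$mode" || { echo "$k: $mode -> 600"; chmod 600 "$k"; }
    done
    echo "backups saved under $backup"
}

# Usage (as root): ./ssh-upgrade-preflight.sh --system
if [ "${1:-}" = "--system" ]; then run_preflight; fi
```

After the new package is installed, validate the kept configuration with the new binary (`/usr/sbin/sshd -t`) before restarting the service, while the telnet fallback from step 4 is still available.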

II. Building the OpenSSH RPM

1. Extract the spec file from the source tarball into SPECS

Commands (example):

[root@localhost SOURCES]# tar -xf openssh-9.8p1.tar.gz -C ../SPECS openssh-9.8p1/contrib/redhat/openssh.spec --strip-components=3
[root@localhost SOURCES]# vim ../SPECS/openssh.spec
%global ver 9.8p1
%global rel 1%{?dist}

# OpenSSH privilege separation requires a user & group ID
%global sshd_uid    74
%global sshd_gid    74

# Version of ssh-askpass
%global aversion 1.2.4.1

# Do we want to disable building of x11-askpass? (1=yes 0=no)
%global no_x11_askpass 0

# Do we want to disable building of gnome-askpass? (1=yes 0=no)
%global no_gnome_askpass 0

# Do we want to link against a static libcrypto? (1=yes 0=no)
%global static_libcrypto 0

# Do we want smartcard support (1=yes 0=no)
%global scard 0

# Use GTK2 instead of GNOME in gnome-ssh-askpass
%global gtk2 1

# Use build6x options for older RHEL builds
# RHEL 7 not yet supported
%if 0%{?rhel} > 6
%global build6x 0
%else
%global build6x 1
%endif

%global without_openssl 0
# build without openssl where 1.1.1 is not available
%if 0%{?fedora} <= 28
%global without_openssl 1
%endif
%if 0%{?rhel} <= 7
%global without_openssl 1
%endif

# Do we want kerberos5 support (1=yes 0=no)
%global kerberos5 1

# Reserve options to override askpass settings with:
# rpm -ba|--rebuild --define 'skip_xxx 1'
%{?skip_x11_askpass:%global no_x11_askpass 1}
%{?skip_gnome_askpass:%global no_gnome_askpass 1}

# Add option to build without GTK2 for older platforms with only GTK+.
# RedHat <= 7.2 and Red Hat Advanced Server 2.1 are examples.
# rpm -ba|--rebuild --define 'no_gtk2 1'
%{?no_gtk2:%global gtk2 0}

# Is this a build for RHL 6.x or earlier?
%{?build_6x:%global build6x 1}

# If this is RHL 6.x, the default configuration has sysconfdir in /usr/etc.
%if %{build6x}
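One thing to catch in the spec as extracted: on CentOS 7 both `%if` blocks around `without_openssl` evaluate true. `%{?rhel}` is 7, and `%{?fedora}` is undefined, so `0%{?fedora} <= 28` becomes `0 <= 28`. An unmodified build therefore produces ssh and sshd "without OpenSSL" (ed25519 host keys only, no RSA or ECDSA, a reduced cipher and kex list), which silently defeats the purpose of the OpenSSL upgrade, and a `--define` on the rpmbuild command line cannot override it because the spec redefines the macro afterwards. The helpers below are an added example for this page (not part of the original post or of the OpenSSH spec): they patch the spec and check the binaries that come out of the build. The spec path and the expected release string are the ones used on this page; accepting OpenSSL 3.x in the version check is a generalisation beyond the page's 1.1.1s.

```shell
#!/usr/bin/env bash
# Added example: make the contrib/redhat spec link against OpenSSL on CentOS 7 and
# verify the result after installation. Paths below are the ones used on this page.

# Flip every "%global without_openssl 1" to 0 (one per %if block in the spec).
enable_openssl_in_spec() {
    sed -i 's/^%global without_openssl 1$/%global without_openssl 0/' "$1"
}

# Returns 0 (true) if the spec can still switch OpenSSL off.
spec_can_disable_openssl() {
    grep -qx '%global without_openssl 1' "$1"
}

# After building and installing, `ssh -V` prints one line on stderr, e.g.
#   OpenSSH_9.8p1, OpenSSL 1.1.1s  1 Nov 2022    (what we want)
#   OpenSSH_9.8p1, without OpenSSL               (the spec was not fixed)
# Accept the expected release linked against OpenSSL 1.1.1 or 3.x.
ssh_version_ok() {
    local want="$1" line="$2"
    case "$line" in
        "OpenSSH_${want}, OpenSSL 1.1.1"*|"OpenSSH_${want}, OpenSSL 3."*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage:
#   ./spec-openssl-check.sh --fix /export/rpmbuild/SPECS/openssh.spec
#   ./spec-openssl-check.sh --verify 9.8p1      (after installing the new RPMs)
case "${1:-}" in
    --fix)
        enable_openssl_in_spec "$2"
        if spec_can_disable_openssl "$2"; then echo "WARN: spec still contains without_openssl 1"; fi
        rpmlint "$2" ;;
    --verify)
        line=$(ssh -V 2>&1)
        if ssh_version_ok "$2" "$line"; then echo "OK: $line"; else echo "BAD: $line"; exit 1; fi
        # the libcrypto sshd actually loads must be the upgraded one, not the system 1.0.2k
        ldd /usr/sbin/sshd | grep libcrypto ;;
esac
```

Run `--fix` before `rpmbuild -ba`, and `--verify` after installing the packages; the `ldd` line shows which libcrypto the new sshd resolves at run time, which matters on a host where the old CentOS libcrypto.so.10 is still installed alongside the upgraded library.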