Upgrading OpenSSL and OpenSSH on RHEL/CentOS

Overview

  • This article uses openssl-1.0.2p and openssh-7.9p1 as the example versions
  • First build and install the new OpenSSL, then build and install OpenSSH against that new OpenSSL
  • The procedure is essentially the same on RHEL/CentOS-6.x and 7.x

Caveats

  • Do not blindly copy and paste
  • Think through the consequences of every step and take backups first
  • Use a test server as the guinea pig; only after it passes should the upgrade be rolled out through automated deployment

Download the source code

OpenSSL

Official download page

OpenSSH

Official download page

Check the current versions

# check the openssl version
openssl version
# check the ssh client version
ssh -V
# check the openssh-server version (sshd has no version flag; any unknown
# option makes it print its usage message, which includes the version line)
sshd --version

Install the build environment

yum install -y gcc make zlib-devel pam-devel libedit-devel krb5-devel

Install OpenSSL

Unpack the source code

tar xzf openssl-1.0.2p.tar.gz

Build and install

The configure options follow those used by the CentOS-7.x openssl package.

# enter the unpacked source directory (not the tarball)
cd openssl-1.0.2p
./config --prefix=/usr/local/openssl-1.0.2p \
no-asm 386 \
zlib \
enable-camellia \
enable-seed \
enable-tlsext \
enable-rfc3779 \
enable-cms \
enable-md2 \
no-mdc2 \
no-rc5 \
no-ec2m \
no-gost \
no-srp \
--with-krb5-flavor=MIT \
shared
make depend && make && make install

Back up the old openssl

mv /usr/bin/openssl /usr/bin/openssl.`date +%Y%m%d`bak
mv /usr/include/openssl /usr/include/openssl.`date +%Y%m%d`bak
mv /usr/lib64/openssl/engines /usr/lib64/openssl/engines.`date +%Y%m%d`bak

Create symlinks to the new openssl

ln -sv /usr/local/openssl-1.0.2p/bin/openssl /usr/bin/openssl
ln -sv /usr/local/openssl-1.0.2p/include/openssl /usr/include/openssl
ln -sv /usr/local/openssl-1.0.2p/lib/engines/ /usr/lib64/openssl/engines

Register the new version's shared libraries with the dynamic linker

cat > /etc/ld.so.conf.d/openssl-1.0.2p.conf <<EOF
# OpenSSL 1.0.2p
/usr/local/openssl-1.0.2p/lib
EOF
ldconfig

Check the openssl version

openssl version

Install OpenSSH

Unpack the source code

tar xzf openssh-7.9p1.tar.gz

Build and install OpenSSH against the new OpenSSL

cd openssh-7.9p1
# --with-ssl-dir points configure at the OpenSSL built above.
# --with-smartcard is a legacy option that 7.9p1's configure no longer
# recognizes; autoconf only warns about it and carries on.
./configure --prefix=/usr/local/openssh-7.9p1 \
--with-ssl-dir=/usr/local/openssl-1.0.2p \
--with-md5-passwords \
--with-mantype=man \
--disable-strip \
--with-smartcard \
--with-pam \
--with-kerberos5
make && make install

Back up and replace OpenSSH

Keep at least one existing SSH session open until the new sshd has been verified; the running sshd keeps serving that session, so a failed restart will not lock you out.

# one timestamp for the whole run so every backup carries the same suffix
stamp=`date +%Y%m%d`

for binary in `ls /usr/local/openssh-7.9p1/bin/`;do
[ -e /usr/bin/${binary} ] && mv /usr/bin/${binary} /usr/bin/${binary}.${stamp}bak
ln -sv /usr/local/openssh-7.9p1/bin/${binary} /usr/bin/${binary}
done

for exec in `ls /usr/local/openssh-7.9p1/libexec/`;do
[ -e /usr/libexec/openssh/${exec} ] && mv /usr/libexec/openssh/${exec} /usr/libexec/openssh/${exec}.${stamp}bak
ln -sv /usr/local/openssh-7.9p1/libexec/${exec} /usr/libexec/openssh/${exec}
done

for sbinary in `ls /usr/local/openssh-7.9p1/sbin/`;do
[ -e /usr/sbin/${sbinary} ] && mv /usr/sbin/${sbinary} /usr/sbin/${sbinary}.${stamp}bak
ln -sv /usr/local/openssh-7.9p1/sbin/${sbinary} /usr/sbin/${sbinary}
done

Link the configuration directory to the new OpenSSH

mv /usr/local/openssh-7.9p1/etc /usr/local/openssh-7.9p1/etc.bak
ln -sv /etc/ssh /usr/local/openssh-7.9p1/etc
# the new sshd refuses host keys that are readable by anyone but root
find /etc/ssh/ -name '*key' -exec chmod 0400 {} \;

Check the SSH configuration

# test mode: parses sshd_config and the host keys without starting the daemon
sshd -t -f /etc/ssh/sshd_config

Restart the SSH service

  • RHEL/CentOS-6.x

service sshd restart

  • RHEL/CentOS-7.x

Edit /usr/lib/systemd/system/sshd.service

The stock unit uses Type=notify, which relies on a Red Hat patch that makes sshd signal systemd when it is ready; the self-built sshd lacks that patch, so the unit must be switched to Type=simple or the restart will hang and time out.

vim /usr/lib/systemd/system/sshd.service
...
Type=simple
...

Restart the sshd service

systemctl daemon-reload
systemctl restart sshd

Check the OpenSSH version

ssh -V
sshd --version
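The procedure above creates dated `<name>.YYYYMMDDbak` backups next to every symlink it replaces but never shows how to undo them. The following rollback helper is an added example written for this page, not part of the original post: it walks the directories the guide touched, removes only symlinks (never a regular file) and moves each backup back into place. The `root` parameter and the `restore_backups` name are assumptions made so the function can be tried on a scratch tree; on a real host call it with an empty root.

```shell
#!/bin/sh
# Roll back the "move aside, then symlink into the new prefix" steps of the
# guide. Usage: restore_backups <STAMP> [ROOT]
#   STAMP  the date suffix used when the backups were made, e.g. 20181130
#   ROOT   prefix prepended to every path (for testing on a scratch tree)
# Prints the number of entries restored.
restore_backups() {
    stamp="$1"
    root="${2:-}"
    suffix=".${stamp}bak"
    restored=0
    # the directories the guide replaces entries in (OpenSSL and OpenSSH)
    for dir in /usr/bin /usr/sbin /usr/libexec/openssh /usr/include /usr/lib64/openssl; do
        [ -d "$root$dir" ] || continue
        for bak in "$root$dir"/*"$suffix"; do
            [ -e "$bak" ] || continue            # glob matched nothing
            orig="${bak%"$suffix"}"
            if [ -L "$orig" ]; then
                rm -f "$orig"                    # only ever remove a symlink
            elif [ -e "$orig" ]; then
                # a real file or directory we did not create: leave both alone
                echo "skip: $orig is not a symlink, keeping $bak" >&2
                continue
            fi
            mv "$bak" "$orig" && restored=$((restored + 1))
        done
    done
    # drop the loader config added for the new OpenSSL; harmless if absent
    rm -f "$root/etc/ld.so.conf.d/openssl-1.0.2p.conf"
    echo "$restored"
}
```

After a real rollback run `ldconfig`, restore the stock `Type=notify` in sshd.service on 7.x, then `sshd -t` and restart sshd from a session that is still open.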