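Recent scans flagged a large number of vulnerabilities in the default OpenSSH on CentOS 6.x, so for security reasons OpenSSH 5.3p1 had to be upgraded to the latest release. I went through many tutorials online and found that OpenSSH has a lot of dependencies; unless those are handled, it is hard to keep other services working normally. OpenSSL, in turn, is depended on by a great many programs. It was a real headache. In the end I found an approach that upgrades cleanly without breaking any of those dependencies.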

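Note: curl, wget, yum and others depend on OpenSSL, and GitLab depends on OpenSSH. Uninstalling OpenSSH and OpenSSL and then compiling and installing them from source broke various dependent programs: although the upgrade eventually succeeded, wget, curl and the code repository were broken.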

1. Download the OpenSSH 7.7p1 source package

http://www.openssh.com/portable.html

After downloading, unpack it and read the README and INSTALL files.

1. Prerequisites
----------------

A C compiler. Any C89 or better compiler should work. Where supported,
configure will attempt to enable the compiler's run-time integrity checking
options. Some notes about specific compilers:
- clang: -ftrapv and -sanitize=integer require the compiler-rt runtime
(CC=clang LDFLAGS=--rtlib=compiler-rt ./configure)

You will need working installations of Zlib and libcrypto (LibreSSL /
OpenSSL)

Zlib 1.1.4 or 1.2.1.2 or greater (earlier 1.2.x versions have problems):
http://www.gzip.org/zlib/

libcrypto (LibreSSL or OpenSSL >= 1.0.1 < 1.1.0)
LibreSSL http://www.libressl.org/ ; or
OpenSSL http://www.openssl.org/

LibreSSL/OpenSSL should be compiled as a position-independent library
(i.e. with -fPIC) otherwise OpenSSH will not be able to link with it.
If you must use a non-position-independent libcrypto, then you may need
to configure OpenSSH --without-pie. Note that because of API changes,
OpenSSL 1.1.x is not currently supported.

The remaining items are optional.

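According to the prerequisites in the official documentation, OpenSSH only needs Zlib (1.1.4, or 1.2.1.2 or greater) and OpenSSL >= 1.0.1 and < 1.1.0. So check directly which OpenSSL and zlib versions the current system has: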

[root@zabbix-serv ~]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
[root@zabbix-serv ~]# rpm -q zlib
zlib-1.2.3-29.el6.x86_64
[root@zabbix-serv ~]# rpm -q zlib-devel
zlib-devel-1.2.3-29.el6.x86_64

The OpenSSL version shipped with the system satisfies the requirements of OpenSSH 7.7p1, and so does the bundled zlib. So go ahead and install.
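The same prerequisite check as an added shell example (not part of the original post): it parses the output of `openssl version` and `rpm -q zlib` and applies the ranges quoted from INSTALL above. The function names `ver_num`, `openssl_ok` and `zlib_ok` are assumptions of this example.

```shell
#!/bin/sh
# Added example: check a host against the INSTALL prerequisites
#   libcrypto: OpenSSL >= 1.0.1 and < 1.1.0
#   Zlib:      1.1.4, or 1.2.1.2 or greater

# ver_num "1.2.1.2" -> 1002001002 (up to four fields, missing fields are 0)
ver_num() {
    echo "$1" | awk -F. '{ printf "%.0f\n", $1 * 1e9 + $2 * 1e6 + $3 * 1e3 + $4 }'
}

# openssl_ok "<output of: openssl version>"
# returns 0 in range, 1 out of range, 2 if not parsable (e.g. LibreSSL)
openssl_ok() {
    v=$(printf '%s\n' "$1" |
        sed -n 's/^OpenSSL \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    [ -n "$v" ] || return 2
    n=$(ver_num "$v")
    [ "$n" -ge "$(ver_num 1.0.1)" ] && [ "$n" -lt "$(ver_num 1.1.0)" ]
}

# zlib_ok "<output of: rpm -q zlib>", e.g. zlib-1.2.3-29.el6.x86_64
# returns 0 if supported, 1 if not, 2 if the package string is not parsable
zlib_ok() {
    v=$(printf '%s\n' "$1" | sed -n 's/^zlib-\([0-9][0-9.]*\)-.*/\1/p')
    [ -n "$v" ] || return 2
    n=$(ver_num "$v")
    [ "$n" -eq "$(ver_num 1.1.4)" ] || [ "$n" -ge "$(ver_num 1.2.1.2)" ]
}

# Run against the local host only where both tools are available.
if command -v openssl >/dev/null 2>&1 && command -v rpm >/dev/null 2>&1; then
    openssl_ok "$(openssl version)" && echo "libcrypto: OK" ||
        echo "libcrypto: outside the range INSTALL supports"
    zlib_ok "$(rpm -q zlib)" && echo "zlib: OK" ||
        echo "zlib: outside the range INSTALL supports"
fi
```
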

2. Package OpenSSH as RPMs

# Source and spec directories used by the steps below
mkdir -p /usr/src/redhat/{SOURCES,SPECS}
cd /usr/src/redhat/SOURCES/
wget http://ftp.riken.jp/Linux/momonga/6/Everything/SOURCES/x11-ssh-askpass-1.2.4.1.tar.gz
# openssh-7.7p1.tar.gz from step 1 must already be in this directory
tar xf openssh-7.7p1.tar.gz
cp openssh-7.7p1/contrib/redhat/openssh.spec /usr/src/redhat/SPECS/
chown sshd:sshd /usr/src/redhat/SPECS/ -R
# Do not build the GNOME and X11 askpass subpackages
sed -i 's@%define no_gnome_askpass 0@%define no_gnome_askpass 1@g' /usr/src/redhat/SPECS/openssh.spec
sed -i 's@%define no_x11_askpass 0@%define no_x11_askpass 1@g' /usr/src/redhat/SPECS/openssh.spec
# rpmbuild looks for sources in ~/rpmbuild/SOURCES by default; create it if missing
mkdir -p ~/rpmbuild/SOURCES
cp /usr/src/redhat/SOURCES/openssh-7.7p1.tar.gz ~/rpmbuild/SOURCES/
cd /usr/src/redhat/SPECS/
rpmbuild -ba openssh.spec

You can see that the built RPM packages match the set installed through yum.

├── RPMS
│   └── x86_64
│       ├── openssh-7.7p1-1.el6.x86_64.rpm
│       ├── openssh-clients-7.7p1-1.el6.x86_64.rpm
│       ├── openssh-debuginfo-7.7p1-1.el6.x86_64.rpm
│       └── openssh-server-7.7p1-1.el6.x86_64.rpm
[root@zabbix-serv SPECS]# rpm -qa|grep openssh
openssh-clients-5.3p1-117.el6.x86_64
openssh-5.3p1-117.el6.x86_64
openssh-server-5.3p1-117.el6.x86_64

Install the RPM packages directly as an in-place upgrade:

[root@zabbix-serv x86_64]# rpm -Uvh *
Preparing... ########################################### [100%]
1:openssh ########################################### [ 25%]
2:openssh-clients ########################################### [ 50%]
3:openssh-server warning: /etc/ssh/sshd_config created as /etc/ssh/sshd_config.rpmnew
########################################### [ 75%]
4:openssh-debuginfo ########################################### [100%]
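
The warning in the output above means the existing /etc/ssh/sshd_config was kept and the 7.7p1 default was written to sshd_config.rpmnew. An added example (not from the original post; the function names are assumptions) that lists the settings the kept file carries over from 5.3p1 and then validates it with `sshd -t` before sshd is restarted:

```shell
#!/bin/sh
# Added example: review the kept sshd_config against sshd_config.rpmnew.

# active_directives FILE
# Print "keyword value" for every active line: comments and blank lines are
# dropped, the keyword is lower-cased (sshd_config keywords are
# case-insensitive) and whitespace is normalised.
active_directives() {
    awk 'NF && $1 !~ /^#/ {
             k = tolower($1); $1 = ""; sub(/^ +/, ""); print k " " $0
         }' "$1" | LC_ALL=C sort -u
}

# local_overrides KEPT NEW
# Print directives active in KEPT that NEW does not set to the same value.
# Lines are sorted, so Match-block context is not preserved.
local_overrides() {
    kept=$(mktemp) || return 1
    new=$(mktemp) || { rm -f "$kept"; return 1; }
    active_directives "$1" > "$kept"
    active_directives "$2" > "$new"
    LC_ALL=C comm -23 "$kept" "$new"
    rm -f "$kept" "$new"
}

CONF=/etc/ssh/sshd_config
if [ -f "$CONF.rpmnew" ]; then
    echo "Active in $CONF but not in the packaged default:"
    local_overrides "$CONF" "$CONF.rpmnew"
    # -t is test mode: it checks the config file and host keys, then exits.
    sshd -t -f "$CONF" && echo "sshd -t: configuration accepted"
fi
```

Keep an existing SSH session open while restarting sshd, so a rejected configuration can still be corrected.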

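After the installation, everything that depends on OpenSSL still works normally. Installing this way is much better than compiling and installing from source.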

[root@zabbix-serv x86_64]# sshd -V
unknown option -- V
OpenSSH_7.7p1, OpenSSL 1.0.1e-fips 11 Feb 2013
usage: sshd [-46DdeiqTt] [-C connection_spec] [-c host_cert_file]
[-E log_file] [-f config_file] [-g login_grace_time]
[-h host_key_file] [-o option] [-p port] [-u len]
[root@zabbix-serv x86_64]# ssh -V
OpenSSH_7.7p1, OpenSSL 1.0.1e-fips 11 Feb 2013
[root@zabbix-serv x86_64]# curl baidu.com -I
HTTP/1.1 200 OK
Date: Wed, 25 Apr 2018 16:37:49 GMT
Server: Apache
Last-Modified: Tue, 12 Jan 2010 13:48:00 GMT
ETag: "51-47cf7e6ee8400"
Accept-Ranges: bytes
Content-Length: 81
Cache-Control: max-age=86400
Expires: Thu, 26 Apr 2018 16:37:49 GMT
Connection: Keep-Alive
Content-Type: text/html

[root@zabbix-serv x86_64]# wget -q baidu.com
[root@zabbix-serv x86_64]# yum list >>/dev/null

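Test with yum whether installing the OpenSSH packages would replace 7.7p with 5.3p. Because the command is run in the directory that holds the built RPMs, the shell expands openssh* to those local files, which is why yum reports "Examining openssh-7.7p1-1.el6.x86_64.rpm" below.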
[root@zabbix-serv x86_64]# yum install openssh*
Loaded plugins: fastestmirror, security
Setting up Install Process
Examining openssh-7.7p1-1.el6.x86_64.rpm: openssh-7.7p1-1.el6.x86_64
openssh-7.7p1-1.el6.x86_64.rpm: does not update installed package.
Examining openssh-clients-7.7p1-1.el6.x86_64.rpm: openssh-clients-7.7p1-1.el6.x86_64
openssh-clients-7.7p1-1.el6.x86_64.rpm: does not update installed package.
Examining openssh-debuginfo-7.7p1-1.el6.x86_64.rpm: openssh-debuginfo-7.7p1-1.el6.x86_64
openssh-debuginfo-7.7p1-1.el6.x86_64.rpm: does not update installed package.
Examining openssh-server-7.7p1-1.el6.x86_64.rpm: openssh-server-7.7p1-1.el6.x86_64
openssh-server-7.7p1-1.el6.x86_64.rpm: does not update installed package.
Error: Nothing to do
