一、背景说明

openeuler 22.03 默认安装的openssh 版本为8.8p1，经绿盟扫描，存在高危漏洞，需要升级到最新。

官网只提供编译安装包，而openeuler 22.03 为rpm方式安装。

为了方便升级，先通过编译安装包，制作rpm包，并进行升级

如下为做好的rpm升级包，可直接下载使用：

openssh 9.3p1 for bclinux euler& openeuler22.03版本，及升级指引
https://download.csdn.net/download/qyq88888/87767381https://download.csdn.net/download/qyq88888/87767381

 

1.1 系统版本查看 cat /etc/os-release

[root@localhost ~]# cat /etc/os-release 
NAME="openEuler"
VERSION="22.03 LTS"
ID="openEuler"
VERSION_ID="22.03"
PRETTY_NAME="openEuler 22.03 LTS"
ANSI_COLOR="0;31"

[root@localhost ~]# 

二、rpm包制作

2.1、安装制作的工具

  配置yum源

[root@localhost ~]# cat /etc/yum.repos.d/iso.repo 
[iso]
name=iso
baseurl=file:///iso
enabled=1
gpgcheck=0
[root@localhost ~]# 

安装依赖包
yum install rpm-build zlib-devel openssl-devel gcc perl-devel pam-devel  libXt-devel gtk2-devel make perl -y

下载并安装imake

下载imake包
wget https://mirror.nju.edu.cn/openeuler/openEuler-22.03-LTS/everything/x86_64/Packages/imake-1.0.7-17.oe2203.x86_64.rpm


[root@localhost iso]# ls
imake-1.0.7-17.oe2203.x86_64.rpm  openEuler-22.03-LTS-SP1-x86_64-dvd.iso
[root@localhost iso]# yum localinstall -y imake-1.0.7-17.oe2203.x86_64.rpm
Last metadata expiration check: 0:13:48 ago on 2023年05月09日 星期二 14时40分01秒.
Dependencies resolved.
===================================================================================================================================================================================================================
 Package                                       Architecture                                   Version                                                   Repository                                            Size
===================================================================================================================================================================================================================
Installing:
 imake                                         x86_64                                         1.0.7-17.oe2203                                           @commandline                                         240 k

Transaction Summary
===================================================================================================================================================================================================================
Install  1 Package

Total size: 240 k
Installed size: 1.2 M
Downloading Packages:
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                                                                                                                                                           1/1 
  Installing       : imake-1.0.7-17.oe2203.x86_64                                                                                                                                                              1/1 
  Verifying        : imake-1.0.7-17.oe2203.x86_64                                                                                                                                                              1/1 

Installed:
  imake-1.0.7-17.oe2203.x86_64                                                                                                                                                                                     

Complete!
[root@localhost iso]# 

yum install imake
验证imake是否安装成功

[root@localhost iso]# rpm -qa|grep imake
imake-1.0.7-17.oe2203.x86_64
[root@localhost iso]# 

mkdir -p /root/rpmbuild/

cd /root/rpmbuild

mkdir BUILD BUILDROOT RPMS SOURCES SPECS SRPMS

2.3 下载openssh9.3p1和x11-ssh-askpass-1.2.4.1.tar.gz

#将下载的文件放入SOURCES文件夹下
cd /root/rpmbuild/SOURCES/
#下载openssh9.3p1
wget  https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.3p1.tar.gz

#下载x11-ssh-askpass-1.2.4.1.tar.gz
wget https://src.fedoraproject.org/repo/pkgs/openssh/x11-ssh-askpass-1.2.4.1.tar.gz

重新制作openssh压缩包
因为下载的包缺一个sshd.pam.old，需要将现在系统的/etc/pam.d/sshd，拷到编译的目录中。如果没有改文件，后续编译会报错。
tar -xvzf openssh-9.3p1.tar.gz
cd /root/rpmbuild/SOURCES/openssh-9.3p1
cp /etc/pam.d/sshd /root/rpmbuild/SOURCES/openssh-9.3p1/contrib/redhat/sshd.pam.old
#回到SOURCE目录，重新tar包
cd ..
tar -zcpf openssh-9.3p1.tar.gz openssh-9.3p1

2.4 修改openssh.spec配置

 #将openssh.spec配置文件拷贝到，编译目录下
 cp /root/rpmbuild/SOURCES/openssh-9.3p1/contrib/redhat/openssh.spec /root/rpmbuild/SPECS/
 cd /root/rpmbuild/SPECS
 
 #修改openssh.spec配置
 #1.不生成askpass包
 cat /root/rpmbuild/SPECS/openssh.spec | grep no_gnome_askpass
 cat /root/rpmbuild/SPECS/openssh.spec | grep no_x11_askpass
 
sed -i -e "s/%global no_gnome_askpass 0/%global no_gnome_askpass 1/g" openssh.spec
sed -i -e "s/%global no_x11_askpass 0/%global no_x11_askpass 1/g" openssh.spec

#2.解决openssl-devel < 1.1报错
cat /root/rpmbuild/SPECS/openssh.spec | grep openssl-devel
sed -i '/openssl-devel < 1.1/s/^/#/' openssh.spec

#3.解决PreReq报错
cat /root/rpmbuild/SPECS/openssh.spec | grep PreReq
sed -i '/PreReq/s/^/#/' openssh.spec

#4.解决Obsoletes报错
cat /root/rpmbuild/SPECS/openssh.spec | grep Obsoletes
sed -i '/Obsoletes:/s/^/#/' openssh.spec

2.5 编译源码包，制作成rpm包
 

cd /root/rpmbuild/SPECS/
rpmbuild -ba openssh.spec

提示
......
处理文件：openssh-debugsource-9.3p1-1.x86_64
Provides: openssh-debugsource = 9.3p1-1 openssh-debugsource(x86-64) = 9.3p1-1
Requires(rpmlib): rpmlib(CompressedFileNames) <= 3.0.4-1 rpmlib(FileDigests) <= 4.6.0-1 rpmlib(PayloadFilesHavePrefix) <= 4.0-1
检查未打包文件：/usr/lib/rpm/check-files /root/rpmbuild/BUILDROOT/openssh-9.3p1-1.x86_64
已写至：/root/rpmbuild/SRPMS/openssh-9.3p1-1.src.rpm
已写至：/root/rpmbuild/RPMS/x86_64/openssh-clients-9.3p1-1.x86_64.rpm
已写至：/root/rpmbuild/RPMS/x86_64/openssh-9.3p1-1.x86_64.rpm
已写至：/root/rpmbuild/RPMS/x86_64/openssh-debugsource-9.3p1-1.x86_64.rpm
已写至：/root/rpmbuild/RPMS/x86_64/openssh-server-9.3p1-1.x86_64.rpm
已写至：/root/rpmbuild/RPMS/x86_64/openssh-debuginfo-9.3p1-1.x86_64.rpm
正在执行(%clean)：/bin/sh -e /var/tmp/rpm-tmp.buozEu
+ umask 022
+ cd /root/rpmbuild/BUILD
+ cd openssh-9.3p1
+ rm -rf /root/rpmbuild/BUILDROOT/openssh-9.3p1-1.x86_64
+ RPM_EC=0
++ jobs -p
+ exit 0
[root@localhost SPECS]# 
[root@localhost SPECS]# 

 #编译完成后的软件在，debug的包不用下载安装
 

[root@localhost SPECS]# ls -lrth /root/rpmbuild/RPMS/x86_64/
总用量 5.8M
-rw-r--r-- 1 root root 622K  5月  9 15:53 openssh-clients-9.3p1-1.x86_64.rpm
-rw-r--r-- 1 root root 620K  5月  9 15:53 openssh-9.3p1-1.x86_64.rpm
-rw-r--r-- 1 root root 715K  5月  9 15:53 openssh-debugsource-9.3p1-1.x86_64.rpm
-rw-r--r-- 1 root root 448K  5月  9 15:53 openssh-server-9.3p1-1.x86_64.rpm
-rw-r--r-- 1 root root 3.4M  5月  9 15:53 openssh-debuginfo-9.3p1-1.x86_64.rpm
[root@localhost SPECS]# 

三、升级openssh

下载制作好的rpm后，上传到其他主机升级openssh。

3.1 升级前检查

[root@localhost SPECS]# rpm -qa|grep openssh
openssh-clients-8.8p1-2.oe2203.x86_64
openssh-8.8p1-2.oe2203.x86_64
openssh-server-8.8p1-2.oe2203.x86_64
[root@localhost SPECS]#

只用了3个rpm包

3.2 备份openssh配置文件

cp /etc/ssh/sshd_config /etc/ssh/sshd_config.20230509

3.3 升级openssh 

yum localinstall -y openssh-clients-9.3p1-1.x86_64.rpm openssh-9.3p1-1.x86_64.rpm openssh-server-9.3p1-1.x86_64.rpm

3.4 检查sshd的配置文件是否正常。

[root@localhost x86_64]# sshd -t
/etc/ssh/sshd_config line 142: Deprecated option RSAAuthentication
/etc/ssh/sshd_config line 144: Deprecated option RhostsRSAAuthentication
/etc/ssh/sshd_config: line 159: Bad configuration option: GSSAPIKexAlgorithms
/etc/ssh/sshd_config: terminating, 1 bad configuration options
[root@localhost x86_64]#

报错159行有问题，将/etc/ssh/sshd_config第159行配置注释掉。

[root@localhost x86_64]# cat -n /etc/ssh/sshd_config|grep GSSAPIKexAlgorithms
   159  #GSSAPIKexAlgorithms gss-group14-sha256-,gss-group16-sha512-,gss-curve25519-sha256-
[root@localhost x86_64]# 

3.5 重启sshd服务。

systemctl restart sshd

测试ssh测试登陆是否正常。

[root@localhost x86_64]# sshd -t
/etc/ssh/sshd_config line 142: Deprecated option RSAAuthentication
/etc/ssh/sshd_config line 144: Deprecated option RhostsRSAAuthentication
[root@localhost x86_64]# systemctl status sshd
● sshd.service - SYSV: OpenSSH server daemon
     Loaded: loaded (/etc/rc.d/init.d/sshd; generated)
     Active: active (running) since Tue 2023-05-09 16:09:35 CST; 13s ago
       Docs: man:systemd-sysv-generator(8)
    Process: 2753559 ExecStart=/etc/rc.d/init.d/sshd start (code=exited, status=0/SUCCESS)
   Main PID: 2753588 (sshd)
      Tasks: 53 (limit: 47386)
     Memory: 4.4G
     CGroup: /system.slice/sshd.service
             ├─ 977240 "nginx: master process ./nginx"
             ├─ 977241 "nginx: worker process"
             ├─2309235 "sshd: sudoroot [priv]"
             ├─2309237 "sshd: sudoroot@pts/0"
             ├─2309238 -bash
             ├─2309296 sudo -i
             ├─2309297 -bash
             ├─2310076 "sshd: sudoroot [priv]"
             ├─2310090 "sshd: sudoroot@pts/1"
             ├─2310091 -bash
             ├─2310149 sudo -i
             ├─2310150 -bash
             ├─2311240 "sshd: sudoroot [priv]"
             ├─2311242 "sshd: sudoroot@pts/2,pts/3"
             ├─2311243 -bash
             ├─2311336 sudo -i
             ├─2311337 -bash
             ├─2311786 /usr/libexec/openssh/sftp-server -l INFO -f AUTH
             ├─2312598 -bash
             ├─2312656 sudo -i
             ├─2312657 -bash
             ├─2313421 "sshd: gms [priv]" "" "" "" ""
             ├─2313706 "sshd: gms@notty" "" "" "" "" ""
             ├─2313719 /usr/libexec/openssh/sftp-server -l INFO -f AUTH
             ├─2313779 /usr/libexec/openssh/sftp-server -l INFO -f AUTH
             ├─2313834 /usr/libexec/openssh/sftp-server -l INFO -f AUTH
             ├─2313889 /usr/libexec/openssh/sftp-server -l INFO -f AUTH
             ├─2313969 /usr/libexec/openssh/sftp-server -l INFO -f AUTH
             ├─2314077 /usr/libexec/openssh/sftp-server -l INFO -f AUTH
             ├─2748096 iostat 1
             ├─2753588 "sshd: /usr/sbin/sshd [listener] 0 of 10-100 startups"
             ├─2753651 systemctl status sshd
             ├─2753652 less
             ├─2830851 "./bin/redis-server 10.1.4.239:7001 [cluster]"
             ├─2830853 "./bin/redis-server 10.1.4.239:7002 [cluster]"
             ├─2830855 "./bin/redis-server 10.1.4.239:7004 [cluster]"
             ├─2830856 "./bin/redis-server 10.1.4.239:7005 [cluster]"
             └─2830857 "./bin/redis-server 10.1.4.239:7006 [cluster]"

5月 09 16:09:34 localhost.localdomain systemd[1]: sshd.service: Found left-over process 2830857 (redis-server) in control group while starting unit. Ignoring.
5月 09 16:09:34 localhost.localdomain systemd[1]: This usually indicates unclean termination of a previous run, or service implementation deficiencies.
5月 09 16:09:34 localhost.localdomain systemd[1]: Starting SYSV: OpenSSH server daemon...
5月 09 16:09:35 localhost.localdomain sshd[2753559]: Starting sshd:
5月 09 16:09:35 localhost.localdomain sshd[2753581]: /etc/ssh/sshd_config line 142: Deprecated option RSAAuthentication
5月 09 16:09:35 localhost.localdomain sshd[2753581]: /etc/ssh/sshd_config line 144: Deprecated option RhostsRSAAuthentication
5月 09 16:09:35 localhost.localdomain sshd[2753588]: Server listening on 0.0.0.0 port 22.
5月 09 16:09:35 localhost.localdomain sshd[2753588]: Server listening on :: port 22.
5月 09 16:09:35 localhost.localdomain sshd[2753559]: [  确定  ]
5月 09 16:09:35 localhost.localdomain systemd[1]: Started SYSV: OpenSSH server daemon.
[root@localhost x86_64]#