Work required upgrading the openssh-server-7.4p1-21.el7.x86_64 package running on CentOS 7. Drawing on several online resources, this post builds the new version as an RPM, reviewing the steps and the problems hit along the way.
I. Preparing the CentOS 7 test environment (take a snapshot of the environment before testing)
# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
# cat /etc/redhat-release
CentOS Linux release 7.9.2009 (Core)
# uname -a
Linux umail-stable 3.10.0-1160.el7.x86_64 #1 SMP Mon Oct 19 16:18:59 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
Install the build tools and dependencies (the package that provides rpmbuild on CentOS 7 is rpm-build):
# yum -y install rpm-build openssh openssl openssl-devel zlib zlib-devel pam pam-devel tcp_wrappers tcp_wrappers-devel gcc gcc-c++ make automake autoconf libtool
Download the source tarball and create the build directories
# wget https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/openssh-7.9p1.tar.gz
# mkdir -p /root/rpmbuild/{SOURCES,SPECS}
# mv openssh-7.9p1.tar.gz /root/rpmbuild/SOURCES/
# cd /root/rpmbuild/SOURCES/ && tar xf openssh-7.9p1.tar.gz && cd openssh-7.9p1
II. Building the RPM with rpmbuild
1. Following several references, first adjust the source tree
① Following the CSDN article by HunterMichaelG, and given line 279 of openssh.spec, modify sshd.pam in the source tree
# vi /root/rpmbuild/SOURCES/openssh-7.9p1/contrib/redhat/openssh.spec
... ...
276 %if %{build6x}
277 install -m644 contrib/redhat/sshd.pam.old $RPM_BUILD_ROOT/etc/pam.d/sshd
278 %else
279 install -m644 contrib/redhat/sshd.pam $RPM_BUILD_ROOT/etc/pam.d/sshd
280 %endif
... ...
# Modified as follows
# cat /root/rpmbuild/SOURCES/openssh-7.9p1/contrib/redhat/sshd.pam
#%PAM-1.0
auth required pam_sepermit.so
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth
② Edit sshd_config ahead of time: copy line 32 to line 33 and change prohibit-password to yes
# vi /root/rpmbuild/SOURCES/openssh-7.9p1/sshd_config
... ...
32 #PermitRootLogin prohibit-password
33 PermitRootLogin yes
... ...
③ Change lines 12 and 15 of openssh.spec, delete line 103 (BuildRequires: openssl-devel < 1.1), and add post-install permission handling
# sed -i -e "s/%define no_x11_askpass 0/%define no_x11_askpass 1/g" /root/rpmbuild/SOURCES/openssh-7.9p1/contrib/redhat/openssh.spec
# sed -i -e "s/%define no_gnome_askpass 0/%define no_gnome_askpass 1/g" /root/rpmbuild/SOURCES/openssh-7.9p1/contrib/redhat/openssh.spec
# sed -i '/BuildRequires: openssl-devel < 1.1/d' /root/rpmbuild/SOURCES/openssh-7.9p1/contrib/redhat/openssh.spec
# Add post-install permission handling: at line 340 add chmod 600 /etc/ssh/ssh_host_*_key for the host key files. Run it once on the build system first, because rpmbuild errors out when the key permissions are wrong
# chmod 600 /etc/ssh/ssh_host_*_key
# sed -i '/%post server/a chmod 600 /etc/ssh/ssh_host_*_key' /root/rpmbuild/SOURCES/openssh-7.9p1/contrib/redhat/openssh.spec
④ Copy openssh.spec to the SPECS build directory (the current directory is still the unpacked source tree, so give the path under contrib/redhat)
# cp -a contrib/redhat/openssh.spec /root/rpmbuild/SPECS/
2. Remove the downloaded tarball and re-pack the modified source tree
# cd /root/rpmbuild/SOURCES/
# rm -f openssh-7.9p1.tar.gz
# tar zcf openssh-7.9p1.tar.gz -C /root/rpmbuild/SOURCES/ openssh-7.9p1
# rm -rf openssh-7.9p1
3. Start the build
# cd /root/rpmbuild/SPECS
# rpmbuild -bb openssh.spec
# ls /root/rpmbuild/RPMS/x86_64/
openssh-7.9p1-1.el7.x86_64.rpm
openssh-clients-7.9p1-1.el7.x86_64.rpm
openssh-debuginfo-7.9p1-1.el7.x86_64.rpm
openssh-server-7.9p1-1.el7.x86_64.rpm
4. Upgrade test
# cd /root/rpmbuild/RPMS/x86_64/
# rpm -Uvh openssh-*
# ssh -V
OpenSSH_7.9p1, OpenSSL 1.0.2k-fips 26 Jan 2017
# Because my sshd_config had been modified, the upgrade did not replace it; replace it by hand
# ll /etc/ssh/sshd_config*
-rw------- 1 root root 3891 May 9 2020 /etc/ssh/sshd_config
-rw------- 1 root root 3149 Mar 1 21:45 /etc/ssh/sshd_config.rpmnew
# mv /etc/ssh/sshd_config{,-bak}
# mv /etc/ssh/sshd_config.rpmnew /etc/ssh/sshd_config
# /etc/init.d/sshd restart
# After replacing it, inspect the new config file
# egrep -v "^$|^#" /etc/ssh/sshd_config
PermitRootLogin yes
AuthorizedKeysFile .ssh/authorized_keys
Subsystem sftp /usr/libexec/openssh/sftp-server
# Tested connecting from another machine: no problems. It still feels a bit odd, so unless there is a real need I would not recommend doing this upgrade.
# For vulnerabilities and the like, running yum update openssh sudo is enough.
# Change the default SSH port and restrict access to the bastion host with the two files /etc/hosts.allow and /etc/hosts.deny, and you should not attract unwanted attention for no reason.
5. Roll back to the snapshot and run the test again
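Pulling the spec-file edits from step ③ together, as an added example that is not part of the original post: a small shell script that applies them to a spec file passed in as a parameter, checks that each edit actually landed before rpmbuild is started, and checks the host-key permissions that otherwise make the build fail. The spec fragment at the end is constructed for testing and is not the real file, which lives at /root/rpmbuild/SOURCES/openssh-7.9p1/contrib/redhat/openssh.spec.

```shell
# Added example, not from the original post. Spec and key-dir paths are
# parameters; the page's real spec is contrib/redhat/openssh.spec.

# Apply the page's four edits: disable X11/GNOME askpass, drop the
# "openssl-devel < 1.1" BuildRequires, add the host-key chmod after
# %post server. Re-runnable: the chmod line is only ever inserted once.
apply_spec_edits() {
    spec="$1"; tmp="$spec.tmp"
    sed -e 's/%define no_x11_askpass 0/%define no_x11_askpass 1/' \
        -e 's/%define no_gnome_askpass 0/%define no_gnome_askpass 1/' \
        -e '/BuildRequires: openssl-devel < 1.1/d' "$spec" > "$tmp" && mv "$tmp" "$spec"
    grep -Fqx 'chmod 600 /etc/ssh/ssh_host_*_key' "$spec" && return 0
    awk '{ print } /^%post server/ { print "chmod 600 /etc/ssh/ssh_host_*_key" }' \
        "$spec" > "$tmp" && mv "$tmp" "$spec"
}

# Return 0 only when every edit is present, naming the first missing one.
verify_spec_edits() {
    spec="$1"
    grep -q '^%define no_x11_askpass 1' "$spec" ||
        { echo "no_x11_askpass still 0" >&2; return 1; }
    grep -q '^%define no_gnome_askpass 1' "$spec" ||
        { echo "no_gnome_askpass still 0" >&2; return 1; }
    ! grep -q 'BuildRequires: openssl-devel < 1.1' "$spec" ||
        { echo "openssl-devel < 1.1 BuildRequires still present" >&2; return 1; }
    # the chmod must be the line directly after %post server
    awk '/^%post server/ { getline; ok = ($0 == "chmod 600 /etc/ssh/ssh_host_*_key") }
         END { exit ok ? 0 : 1 }' "$spec" ||
        { echo "chmod missing after %post server" >&2; return 1; }
}

# rpmbuild fails if the host keys are not mode 0600 (step ③): check the
# key directory (normally /etc/ssh) up front rather than mid-build.
check_host_key_perms() {
    bad=$(find "$1" -name 'ssh_host_*_key' ! -perm 600)
    [ -z "$bad" ] || { printf 'host keys not 0600:\n%s\n' "$bad" >&2; return 1; }
}

# Constructed spec fragment holding just the lines the edits touch.
make_sample_spec() {
    cat > "$1" <<'EOF'
%define no_x11_askpass 0
%define no_gnome_askpass 0
BuildRequires: openssl-devel < 1.1
BuildRequires: zlib-devel
%post server
/sbin/chkconfig --add sshd
EOF
}
```

Typical use on the build host is `apply_spec_edits contrib/redhat/openssh.spec && verify_spec_edits contrib/redhat/openssh.spec && check_host_key_perms /etc/ssh` before `rpmbuild -bb`.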
III. References (thanks to all the authors)
HunterMichaelG https://blog.csdn.net/michaelwoshi/article/details/108154328
村口王鐵匠 https://www.cnblogs.com/liao-lin/p/10286722.html
獨指蝸牛 https://blog.51cto.com/techsnail/2138927