编译OpenSSH 9.3p1的rpm包并升级

本文介绍如何通过openssh-9.3p1-1.el7.x86_64.tar.gz制作openssh的rpm安装包，并升级openssh到`openssh-9.3p1-1.el7.x86_64`。

# 下载源码包

OpenSSH需要依赖ZLIB和LibreSSL(替换OpenSSL)，因此需要从官网下载源码包。

所需的源码包列表如下：
-  `OpenSSH` : https://mirrors.aliyun.com/pub/OpenBSD/OpenSSH/portable/openssh-9.3p1.tar.gz?spm=a2c6h.25603864.0.0.686840adr8BtKK

- `zlib`：http://www.zlib.net/zlib-1.2.13.tar.gz

- `libressl`： https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-3.7.1.tar.gz

- `x11-ssh-askpass`： https://src.fedoraproject.org/repo/pkgs/openssh/x11-ssh-askpass-1.2.4.1.tar.gz/8f2e41f3f7eaa8543a2440454637f3c3/x11-ssh-askpass-1.2.4.1.tar.gz

# 编译rpm包

>注意：
操作环境: CentOS 7.9
操作用户：root

1. 创建两个目录SOURCES和SPECS

```bash
mkdir -p /root/ssh-build/{SOURCES,SPECS}
```
2. 进入SOURCES

```bash
cd /root/ssh-build/SOURCES/
```

3. 将上面下载的所有包都上传到`/root/ssh-build/SOURCES/`目录下

```bash
[root@localhost SOURCES]# tree .
.
├── libressl-3.7.1.tar.gz
├── openssh-9.3p1.tar.gz
├── x11-ssh-askpass-1.2.4.1.tar.gz
└── zlib-1.2.13.tar.gz

0 directories, 4 files
[root@localhost SOURCES]#
```

4. 解压

```bash
tar xfz openssh-9.3p1.tar.gz
```

5. 将解压出来的 `openssh.spec` 文件复制到 SPECS 目录

```bash
cp openssh-9.3p1/contrib/redhat/openssh.spec ../SPECS/
```

6. 执行授权

```bash
chown sshd:sshd /root/ssh-build/SPECS/openssh.spec
```

7. 备份默认文件

```bash
cp /root/ssh-build/SPECS/openssh.spec /root/ssh-build/SPECS/openssh.spec_def
```

8. 修改配置选项 【可选项】
- 关掉 no_gnome_askpass 参数
- 关掉 no_x11_askpass 参数

```bash
sed -i -e "s/%global no_gnome_askpass 0/%global no_gnome_askpass 1/g" /root/ssh-build/SPECS/openssh.spec
sed -i -e "s/%global no_x11_askpass 0/%global no_x11_askpass 1/g" /root/ssh-build/SPECS/openssh.spec
```

- 修改`openssh.spec`文件中的依赖项（编译失败后执行）

如果编译时报类似如下错：
```
error: Failed build dependencies:
        openssl-devel < 1.1 is needed by openssh-9.3p1-1.el7.x86_64
```
可执行如下命令后尝试重新编译
```bash
sed -i -e "s/BuildRequires: openssl-devel < 1.1/# BuildRequires: openssl-devel < 1.1/g" openssh.spec
```

9. 查看两个文件的不同之处（非必执行）

```bash
[root@localhost SPECS]# diff openssh.spec openssh.spec_def
12c12
< %global no_x11_askpass 1
---
> %global no_x11_askpass 0
15c15
< %global no_gnome_askpass 1
---
> %global no_gnome_askpass 0
103c103
< # BuildRequires: openssl-devel < 1.1
---
> BuildRequires: openssl-devel < 1.1
[root@localhost SPECS]#
```

10. 创建预编译目录

```bash
mkdir -p /root/rpmbuild/SOURCES/
cp /root/ssh-build/SOURCES/openssh-9.3p1.tar.gz /root/rpmbuild/SOURCES/
cp /root/ssh-build/SOURCES/x11-ssh-askpass-1.2.4.1.tar.gz /root/rpmbuild/SOURCES/
```

11. 安装依赖

```bash
yum install rpm-build gcc make wget openssl-devel xmkmf -y
yum install krb5-devel pam-devel libX11-devel libXt-devel -y
```

12. 执行编译

```bash
cd /root/ssh-build/SPECS/
rpmbuild -ba openssh.spec
```

13. 查看编译后的目录结构

```bash
[root@localhost SPECS]# ls -lh /root/rpmbuild/RPMS/x86_64/openssh-*|awk  '{print $5,$9}'
653K /root/rpmbuild/RPMS/x86_64/openssh-9.3p1-1.el7.x86_64.rpm
626K /root/rpmbuild/RPMS/x86_64/openssh-clients-9.3p1-1.el7.x86_64.rpm
3.2M /root/rpmbuild/RPMS/x86_64/openssh-debuginfo-9.3p1-1.el7.x86_64.rpm
462K /root/rpmbuild/RPMS/x86_64/openssh-server-9.3p1-1.el7.x86_64.rpm
[root@localhost SPECS]#
```

# 升级OpenSSH

## 备份配置

```bash
# 创建备份目录
mkdir -p /root/backup/openssh_updatebak_`date +%Y%m%d`

# 备份所有ssh文件
cd /root/backup/openssh_updatebak_`date +%Y%m%d`
tar -cvzf etc_ssh.tar.gz /etc/ssh

# 备份pam文件，升级后需要恢复原配置
mkdir -p /root/backup/openssh_updatebak_`date +%Y%m%d`/old/etc/pam.d
cd /root/backup/openssh_updatebak_`date +%Y%m%d`/old/etc/pam.d
cp /etc/pam.d/sshd sshd_`date +%Y%m%d`
cp /etc/pam.d/system-auth system-auth_`date +%Y%m%d`
cp /etc/pam.d/system-auth-ac system-auth-ac_`date +%Y%m%d`
```

## 开始升级

>提示：
附件提供编译后的完整rpm包，可直接安装使用

------------

1. 执行升级命令

```bash
rpm -Uvh /root/rpmbuild/RPMS/x86_64/*.rpm --force --nodeps
```

2. 把新的ssh文件备份，并恢复旧版本配置

```bash
# 备份新ssh配置
mkdir -p /root/backup/openssh_updatebak_`date +%Y%m%d`/new/etc/pam.d
cd /root/backup/openssh_updatebak_`date +%Y%m%d`/new/etc/pam.d
cp /etc/pam.d/sshd sshd_`date +%Y%m%d`
cp /etc/pam.d/system-auth system-auth_`date +%Y%m%d`
cp /etc/pam.d/system-auth-ac system-auth-ac_`date +%Y%m%d`

# 还原旧ssh配置
cd /root/backup/openssh_updatebak_`date +%Y%m%d`/old/etc/pam.d
rm -f /etc/pam.d/sshd; cp -p sshd_`date +%Y%m%d` /etc/pam.d/sshd
rm -f /etc/pam.d/system-auth; cp -p system-auth_`date +%Y%m%d` /etc/pam.d/system-auth
rm -f /etc/pam.d/system-auth-ac; cp -p system-auth-ac_`date +%Y%m%d` /etc/pam.d/system-auth-ac
```

3. 开启PAM并设置root用户可以远程连接

```bash
sed -i 's/#UsePAM no/UsePAM yes/g' /etc/ssh/sshd_config
sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/g' /etc/ssh/sshd_config
```

4. 创建秘钥并缩小权限

```bash
ssh-keygen -A
chmod 600 /etc/ssh -R
```

5. 重启sshd服务，并检查版本

```bash
systemctl restart sshd
sshd  -V
```

# 附件[安装包]

[【附件】openssh-9.3p1-1.el7.x86_64.rpm](/media/attachment/2023/03/openssh-9.3p1-1.el7.x86_64.rpm)

[【附件】openssh-clients-9.3p1-1.el7.x86_64.rpm](/media/attachment/2023/03/openssh-clients-9.3p1-1.el7.x86_64_PtWsuJ2.rpm)

[【附件】openssh-debuginfo-9.3p1-1.el7.x86_64.rpm](/media/attachment/2023/03/openssh-debuginfo-9.3p1-1.el7.x86_64_WyMy4Cr.rpm)

[【附件】openssh-server-9.3p1-1.el7.x86_64.rpm](/media/attachment/2023/03/openssh-server-9.3p1-1.el7.x86_64_zwIB3ZA.rpm)