離線方式升級openssh

參考原文 https://blog.51cto.com/techsnail/2138927

老centOS服務器上的openssh7.4被網安掃描發現多個高危漏洞,要求必須升級。服務器不允許聯網,所以不能通過yum安裝依賴,而且升級openssl會影響到其他服務,需要單獨編譯一個openssl給openssh使用。最後再替換舊版本openssh服務。

寫下自己的升級過程。如果你們要參照我的升級步驟,請注意自己的防火牆設置。

本文可能對您有用的部分:1.離線安裝依賴  2.編譯安裝openssh和openssl 3.安全的升級過程

實際上ssh連接全程都不會斷開,但是爲了保險起見還是安裝一個telnet 。

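# Offline installation.
# If a dependency is still missing, fetch it on a networked machine with
#   yum install --downloadonly --downloaddir=/ <package>
# and carry it over. Upload the following tarballs and RPMs to the target host.
# The host cannot verify anything online, so check each archive against the
# upstream signature or checksum before it is unpacked; the carried-in files are
# the only trust anchor this build has.
#   openssh-8.0p1.tar.gz
#   openssl-1.1.1d.tar.gz
#   pam-devel-1.1.8-22.el7.x86_64.rpm
#   tcp_wrappers-devel-7.6-77.el7.x86_64.rpm   (not needed: OpenSSH dropped libwrap support in 6.7)
#   telnet-server-0.17-64.el7.x86_64.rpm       (temporary fallback access only)
#   zlib-devel-1.2.7-18.el7.x86_64.rpm
#   openssl-fips-2.0.16.tar.gz                 (optional: the FIPS build is skipped below)
#   glibc-headers-2.17-292.el7.x86_64.rpm
#   glibc-devel-2.17-292.el7.x86_64.rpm
#   cpp-4.8.5-39.el7.x86_64.rpm
#   kernel-headers-3.10.0-1062.1.2.el7.x86_64.rpm
#   gcc-4.8.5-39.el7.x86_64.rpm
# (The original listed the file names as bare lines; as a script those would be
# executed as commands, so they are kept as a comment here.)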


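# Put SELinux in permissive mode and install the build dependencies.
# NOTE(review): switching SELinux off is a host-wide security regression and is
# probably not needed for an sshd installed under /opt (a binary there normally
# runs unconfined rather than as sshd_t, so enforcing mode is unlikely to block it
# — test before disabling). The step is kept because the rest of this runbook
# assumes it; if you do use it, return to enforcing once the new sshd is verified:
#   setenforce 1   (and restore the SELINUX= line in /etc/sysconfig/selinux)
nano /etc/sysconfig/selinux   # interactive edit of the persistent SELINUX= setting
setenforce 0
getenforce
# One rpm transaction instead of two: rpm orders the dependencies itself and the
# whole set either installs or fails together, so a half-installed toolchain is
# not silently left behind.
rpm -ivh cpp-4.8.5-39.el7.x86_64.rpm \
	kernel-headers-3.10.0-1062.1.2.el7.x86_64.rpm \
	gcc-4.8.5-39.el7.x86_64.rpm \
	glibc-devel-2.17-292.el7.x86_64.rpm \
	glibc-headers-2.17-292.el7.x86_64.rpm \
	zlib-devel-1.2.7-18.el7.x86_64.rpm \
	pam-devel-1.1.8-22.el7.x86_64.rpm \
	tcp_wrappers-devel-7.6-77.el7.x86_64.rpm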

 
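# Fallback access: install and enable telnet so a broken sshd cannot lock us out.
# telnet refuses root logins, so an unprivileged user is created for it.
# NOTE(review): telnet is a cleartext protocol; treat it strictly as a lifeline for
# the upgrade window. Once the new sshd is verified, tear it down again:
#   systemctl disable --now telnet.socket
#   firewall-cmd --zone=work --remove-port=23/tcp --permanent && firewall-cmd --reload
#   userdel -r cc
useradd cc
passwd cc   # interactive
rpm -ivh telnet-server-0.17-64.el7.x86_64.rpm
firewall-cmd --zone=work --add-port=23/tcp --permanent
firewall-cmd --reload
systemctl start telnet.socket
# The original persisted telnet across the reboot by writing its start command
# into /etc/profile. That only runs on login shells (as the logging-in user);
# enabling the socket unit is the idiomatic, reboot-safe equivalent.
systemctl enable telnet.socket
# Confirm that a telnet login works BEFORE touching sshd.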
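# FIPS module (skipped). Building OpenSSL with the FIPS canister failed, and
# nothing so far has needed it. The 2.0.x FIPS Object Module only pairs with
# OpenSSL 1.0.x; OpenSSL 1.1.1 has no FIPS module at all, which is why the
# combination below cannot build. Kept for reference only.
# (The original fenced this with ''' ... ''', which is not shell comment syntax:
# bash would parse the whole span as one quoted command word.)
#   export FIPSDIR=/opt/fips-2.0.16
#   tar -zvxf openssl-fips-2.0.16.tar.gz
#   cd openssl-fips-2.0.16/
#   ./config
#   make
#   make install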
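# Build a private OpenSSL 1.1.1d under /opt so the system OpenSSL, which other
# services depend on, is left untouched. (The FIPS variant of the config line
# fails to compile; see the note above the FIPS section.)
tar zvxf openssl-1.1.1d.tar.gz
# The build runs in a subshell so the working directory is unchanged afterwards;
# the original left the shell inside openssl-1.1.1d/, where the later
# "tar zxvf openssh-8.0p1.tar.gz" would not find the OpenSSH tarball.
(
  cd openssl-1.1.1d/ || exit 1
  # Original (non-working) FIPS variant, kept verbatim for reference:
  #   ./config --prefix=/opt/openssl1.1.l_20191021 --with-ssl-dir==/opt/openssl1.1.l_20191021/openssl fips --with-fipsdir=/opt/fips-2.0.16 zlib-dynamic shared -fPIC
  # Fix: the original wrote "--openssldir==" (doubled "="). Configure takes
  # everything after the first "=" as the directory, so openssl.cnf and the cert
  # store would have landed under a path starting with "=".
  ./config --prefix=/opt/openssl1.1.l_20191021 --openssldir=/opt/openssl1.1.l_20191021/openssl \
    && make \
    && make install
)
# Register the private lib dir with the dynamic loader. On EL7 a drop-in under
# /etc/ld.so.conf.d/ is the usual place; appending to /etc/ld.so.conf works too.
# The 1.1.x sonames differ from the system 1.0.x ones, so existing binaries keep
# resolving to the system libraries.
echo '/opt/openssl1.1.l_20191021/lib' >> /etc/ld.so.conf
ldconfig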

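# Build OpenSSH 8.0p1 against the private OpenSSL, installed under its own prefix.
# With --prefix and no --sysconfdir, sshd_config and the host keys land in
# /opt/openssh8.0p1_20191021/etc. The build runs in a subshell so the working
# directory is unchanged afterwards.
tar zxvf openssh-8.0p1.tar.gz
(
  cd openssh-8.0p1 || exit 1
  # --with-tcp-wrappers is dropped: libwrap support was removed from OpenSSH in
  # 6.7, so 8.0p1 ignores the flag and /etc/hosts.allow no longer gates sshd.
  # Restrict access with firewalld or sshd_config "Match" blocks instead.
  ./configure \
    --prefix=/opt/openssh8.0p1_20191021 \
    --with-md5-passwords \
    --with-ssl-dir=/opt/openssl1.1.l_20191021 \
    --with-pam \
    && make \
    && make install
)
# Put the new binaries first on PATH for every login shell. /etc/profile.d/*.sh
# is sourced by /etc/profile, so the original's second append to /etc/profile
# was redundant and the chmod +x unnecessary. The original also *executed* the
# drop-in, which changes nothing in the calling shell; sourcing it does.
echo 'export PATH=/opt/openssh8.0p1_20191021/bin:/opt/openssh8.0p1_20191021/sbin:$PATH' >> /etc/profile.d/path.sh
. /etc/profile.d/path.sh
# Should report OpenSSH_8.0p1 linked against OpenSSL 1.1.1d.
ssh -V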

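# Configure the new sshd.
rpm -ql openssh-server | grep -i --color etc   # where the stock package keeps its config, for comparison
cp /opt/openssh8.0p1_20191021/etc/sshd_config /opt/openssh8.0p1_20191021/etc/sshd_configBAK
# Edit sshd_config. The original enables password authentication and root login.
# UsePAM must be "yes": OpenSSH's install notes say a build with PAM support
# requires UsePAM to be enabled in sshd_config.
# NOTE(review): "PasswordAuthentication yes" plus "PermitRootLogin yes" widen the
# exposure of the very service this upgrade is meant to harden. Once the new
# daemon is verified, prefer key-based authentication and
# "PermitRootLogin prohibit-password" (or "no").
nano /opt/openssh8.0p1_20191021/etc/sshd_config
cp -a /etc/sysconfig/sshd /opt/openssh8.0p1_20191021/etc/sshd
# Back up, then modify, the three units under /usr/lib/systemd/system/:
# sshd.service, sshd@.service and sshd-keygen.service.
# NOTE(review): edits under /usr/lib/systemd/system are overwritten by the next
# openssh-server package update; copies in /etc/systemd/system/ take precedence
# and survive updates. The original paths are kept here.
cp /usr/lib/systemd/system/sshd.service /usr/lib/systemd/system/sshdOLD.service
# The sshd@.service names were mangled on the page; the backup name below is
# reconstructed to follow the sshdOLD pattern.
cp /usr/lib/systemd/system/sshd@.service /usr/lib/systemd/system/sshd@OLD.service
cp /usr/lib/systemd/system/sshd-keygen.service /usr/lib/systemd/system/sshd-keygenBAK.service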
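# sshd.service: point EnvironmentFile and ExecStart at the new install (the
# original values are kept as commented lines). The original step was an
# interactive nano edit with the intended content shown between ''' markers;
# the unit is written verbatim here instead.
# Fix: the stock unit uses Type=notify because the EL7 package patches sshd to
# send sd_notify READY=1. Upstream 8.0p1 does not, so with Type=notify systemd
# would wait for a notification that never arrives, time the unit out and keep
# restarting it. Type=simple matches "sshd -D" (foreground, no fork).
cat > /usr/lib/systemd/system/sshd.service <<'EOF'
[Unit]
Description=OpenSSH server daemon
Documentation=man:sshd(8) man:sshd_config(5)
After=network.target sshd-keygen.service
Wants=sshd-keygen.service

[Service]
#Type=notify
Type=simple
#EnvironmentFile=/etc/sysconfig/sshd
EnvironmentFile=/opt/openssh8.0p1_20191021/etc/sshd
#ExecStart=/usr/sbin/sshd -D $OPTIONS
ExecStart=/opt/openssh8.0p1_20191021/sbin/sshd -D $OPTIONS
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartSec=42s

[Install]
WantedBy=multi-user.target
EOF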

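# sshd@.service (the per-connection unit used only when sshd.socket is enabled
# instead of sshd.service): same path substitutions as sshd.service. The unit
# name was mangled on the page; sshd@.service is the stock template name.
# Written verbatim instead of the original interactive nano edit.
cat > /usr/lib/systemd/system/sshd@.service <<'EOF'
[Unit]
Description=OpenSSH per-connection server daemon
Documentation=man:sshd(8) man:sshd_config(5)
Wants=sshd-keygen.service
After=sshd-keygen.service

[Service]
#EnvironmentFile=-/etc/sysconfig/sshd
EnvironmentFile=-/opt/openssh8.0p1_20191021/etc/sshd
#ExecStart=-/usr/sbin/sshd -i $OPTIONS
ExecStart=-/opt/openssh8.0p1_20191021/sbin/sshd -i $OPTIONS
StandardInput=socket
EOF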

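# sshd-keygen.service, written verbatim instead of the original nano edit.
# Two fixes relative to the original content:
#  - the prefixed build keeps its host keys next to sshd_config in
#    /opt/openssh8.0p1_20191021/etc, not in an etc/ssh/ subdirectory, so the
#    conditions are pointed there (confirm with: ls /opt/openssh8.0p1_20191021/etc);
#  - a bare ssh-keygen prompts interactively and cannot work as a oneshot.
#    "ssh-keygen -A" generates any missing host keys of the default types,
#    non-interactively, into the build's sysconfdir. The stock unit ran the
#    /usr/sbin/sshd-keygen wrapper here.
cat > /usr/lib/systemd/system/sshd-keygen.service <<'EOF'
[Unit]
Description=OpenSSH Server Key Generation
ConditionFileNotEmpty=|!/opt/openssh8.0p1_20191021/etc/ssh_host_rsa_key
ConditionFileNotEmpty=|!/opt/openssh8.0p1_20191021/etc/ssh_host_ecdsa_key
ConditionFileNotEmpty=|!/opt/openssh8.0p1_20191021/etc/ssh_host_ed25519_key
PartOf=sshd.service sshd.socket

[Service]
ExecStart=/opt/openssh8.0p1_20191021/bin/ssh-keygen -A
Type=oneshot
RemainAfterExit=yes
EOF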

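# Validate the new configuration before anything is reloaded: "sshd -t" exits
# non-zero on a broken sshd_config or missing host keys, which would otherwise
# surface only after the reboot, with telnet as the sole way back in.
/opt/openssh8.0p1_20191021/sbin/sshd -t -f /opt/openssh8.0p1_20191021/etc/sshd_config
systemctl daemon-reload
# A reboot is needed for everything to take effect.
reboot
# After the reboot, hosts in the firewall's "work" zone can reach port 22.
# Post-upgrade checklist the original stops short of: confirm the running daemon
# is the new one (systemctl status sshd, ssh -V), then remove the telnet
# fallback and close port 23, return SELinux to enforcing, and re-run the
# vulnerability scan that triggered the upgrade.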

 
