Ubuntu 16.04 升級OpenSSH至openssh-8.1p1

下載依賴庫

wget http://zlib.net/zlib-1.2.11.tar.gz

tar -xzf zlib-1.2.11.tar.gz && cd zlib-1.2.11/

./configure && make && make install

如果編譯報錯，請安裝gcc
查看當前gcc版本：gcc --version
wget http://ftp.gnu.org/gnu/gcc/gcc-7.4.0/gcc-7.4.0.tar.gz

cd gcc-7.4.0
##如果需要更換下載源，請修改文件中的base_url的值
#vim ./contrib/download_prerequisites
##下載依賴包
./contrib/download_prerequisites

如果輸出有fail，可去網站手動下載，放在源碼根目錄下。依賴包的網址爲：ftp://gcc.gnu.org/pub/gcc/infrastructrue/。

創建一個build目錄，在該目錄下編譯，避免污染源碼:

mkdir build
cd build
…/configure -enable-checking=release -enable-languages=c,c++ -disable-multilib

請執行安裝g++：#apt-get install g++ -y
再次編譯：

make //必須 在編譯目錄build下執行，該目錄下有configure生產的makefile文件，否則報錯：
make: *** No targets specified and no makefile found. Stop
我編譯時用了大概3個小時
make install

下載安裝OpenSSH

wget https://fastly.cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.1p1.tar.gz

tar -xzf openssh-8.1p1.tar.gz && cd openssh-8.1p1/

root@bocepingtai:/home/ygcg/openssh-8.1p1# ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-zlib --with-privsep-path=/var/lib/sshd --with-ssl-dir=/usr/local/openssl-1.1.1d/

……
checking whether BROKEN_GETADDRINFO is declared... no
configure: creating ./config.status
config.status: creating Makefile
config.status: creating buildpkg.sh
config.status: creating opensshd.init
config.status: creating openssh.xml
config.status: creating openbsd-compat/Makefile
config.status: creating openbsd-compat/regress/Makefile
config.status: creating survey.sh
config.status: creating config.h

OpenSSH has been configured with the following options:
                     User binaries: /usr/bin
                   System binaries: /usr/sbin
               Configuration files: /etc/ssh
                   Askpass program: /usr/libexec/ssh-askpass
                      Manual pages: /usr/share/man/manX
                          PID file: /var/run
  Privilege separation chroot path: /var/lib/sshd
            sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin
                    Manpage format: doc
                       PAM support: yes
                   OSF SIA support: no
                 KerberosV support: no
                   SELinux support: no
              MD5 password support: yes
                   libedit support: no
                   libldns support: no
  Solaris process contract support: no
           Solaris project support: no
         Solaris privilege support: no
       IP address in $DISPLAY hack: no
           Translate v4 in v6 hack: yes
                  BSD Auth support: no
              Random number source: OpenSSL internal ONLY
             Privsep sandbox style: seccomp_filter

              Host: x86_64-pc-linux-gnu
          Compiler: cc
    Compiler flags: -g -O2 -pipe -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE  
Preprocessor flags: -I/usr/local/openssl-1.1.1d//include  -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE
      Linker flags: -L/usr/local/openssl-1.1.1d/  -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -pie 
         Libraries: -lcrypto -ldl -lutil -lz  -lcrypt -lresolv
         +for sshd:  -lpam

PAM is enabled. You may need to install a PAM control file 
for sshd, otherwise password authentication may fail. 
Example PAM control files can be found in the contrib/ 
subdirectory

編譯常見錯誤處理

如果編譯時報錯：onfigure: error: PAM headers not found
請安裝：apt-get install libpam0g-dev

如果編譯時報錯：onfigure: error: OpenSSL headers missing - please install first or check config.log
請安裝：apt-get install libssl-dev

如果編譯時報錯：configure: error: : OpenSSL library not found
按如下處理：
檢查當前openssl版本及庫版本：
openssl -version
strings /usr/lib/libssl.so |grep OpenSSL
找到openssl的安裝文件，做軟連接到/usr/local/lib/下
ln -s /usr/local/openssl-1.1.1d/libssl.so /usr/lib/libssl.so
驗證：
strings /usr/lib/libssl.so |grep OpenSSL
這時可以出現ssl的最新版

如果還報錯：請編譯openssh時，加參數 --with-ssl-dir=/usr/local/openssl-1.1.1d/，指定openssl路徑。

執行安裝：make && make install

如果編譯時報錯：configure: error: *** working libcrypto not found, check config.log
上述錯誤是因爲缺少openssl-devel包或者libcrypto相關庫的位置不正確所致。

執行：
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-zlib --with-privsep-path=/var/lib/sshd --with-ssl-dir=/usr/

openssl升級：https://www.openssl.org/source/下載
./config && make && make install
openssl version //驗證

驗證

root@bocepingtai:/home/ygcg/openssh-8.1p1# ssh -V
OpenSSH_8.1p1, OpenSSL 1.1.1d 10 Sep 2019

重啓ssh服務驗證登錄

systemctl restart sshd //會一直卡着，是因爲ssh服務啓動完畢後，需通知Systemd，才能繼續往下執行，返回信號。
root@bocepingtai:/home/ygcg/openssh-8.1p1# systemctl restart sshd
Job for ssh.service failed because a timeout was exceeded. See “systemctl status ssh.service” and “journalctl -xe” for details.

可修改sh的systemctl文件/lib/systemd/system/ssh.service中Type一項：
Type=notify改爲Type=simple，這樣systemctl不會等待ssh返回的信號，systemctl daemon-reload並重啓sshd進程可以解決systemctl超時的問題。
sed -i “s/Type=notify/Type=simple/” /lib/systemd/system/ssh.service