Ubuntu 16.04 升级OpenSSH至openssh-8.1p1

下载依赖库

wget http://zlib.net/zlib-1.2.11.tar.gz

tar -xzf zlib-1.2.11.tar.gz && cd zlib-1.2.11/

./configure && make && make install

如果编译报错，请安装gcc
查看当前gcc版本：gcc --version
wget http://ftp.gnu.org/gnu/gcc/gcc-7.4.0/gcc-7.4.0.tar.gz

cd gcc-7.4.0
##如果需要更换下载源，请修改文件中的base_url的值
#vim ./contrib/download_prerequisites
##下载依赖包
./contrib/download_prerequisites

如果输出有fail，可去网站手动下载，放在源码根目录下。依赖包的网址为：ftp://gcc.gnu.org/pub/gcc/infrastructrue/。

创建一个build目录，在该目录下编译，避免污染源码:

mkdir build
cd build
…/configure -enable-checking=release -enable-languages=c,c++ -disable-multilib

请执行安装g++：#apt-get install g++ -y
再次编译：

make //必须 在编译目录build下执行，该目录下有configure生产的makefile文件，否则报错：
make: *** No targets specified and no makefile found. Stop
我编译时用了大概3个小时
make install

下载安装OpenSSH

wget https://fastly.cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.1p1.tar.gz

tar -xzf openssh-8.1p1.tar.gz && cd openssh-8.1p1/

root@bocepingtai:/home/ygcg/openssh-8.1p1# ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-zlib --with-privsep-path=/var/lib/sshd --with-ssl-dir=/usr/local/openssl-1.1.1d/

……
checking whether BROKEN_GETADDRINFO is declared... no
configure: creating ./config.status
config.status: creating Makefile
config.status: creating buildpkg.sh
config.status: creating opensshd.init
config.status: creating openssh.xml
config.status: creating openbsd-compat/Makefile
config.status: creating openbsd-compat/regress/Makefile
config.status: creating survey.sh
config.status: creating config.h

OpenSSH has been configured with the following options:
                     User binaries: /usr/bin
                   System binaries: /usr/sbin
               Configuration files: /etc/ssh
                   Askpass program: /usr/libexec/ssh-askpass
                      Manual pages: /usr/share/man/manX
                          PID file: /var/run
  Privilege separation chroot path: /var/lib/sshd
            sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin
                    Manpage format: doc
                       PAM support: yes
                   OSF SIA support: no
                 KerberosV support: no
                   SELinux support: no
              MD5 password support: yes
                   libedit support: no
                   libldns support: no
  Solaris process contract support: no
           Solaris project support: no
         Solaris privilege support: no
       IP address in $DISPLAY hack: no
           Translate v4 in v6 hack: yes
                  BSD Auth support: no
              Random number source: OpenSSL internal ONLY
             Privsep sandbox style: seccomp_filter

              Host: x86_64-pc-linux-gnu
          Compiler: cc
    Compiler flags: -g -O2 -pipe -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE  
Preprocessor flags: -I/usr/local/openssl-1.1.1d//include  -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE
      Linker flags: -L/usr/local/openssl-1.1.1d/  -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -pie 
         Libraries: -lcrypto -ldl -lutil -lz  -lcrypt -lresolv
         +for sshd:  -lpam

PAM is enabled. You may need to install a PAM control file 
for sshd, otherwise password authentication may fail. 
Example PAM control files can be found in the contrib/ 
subdirectory

编译常见错误处理

如果编译时报错：onfigure: error: PAM headers not found
请安装：apt-get install libpam0g-dev

如果编译时报错：onfigure: error: OpenSSL headers missing - please install first or check config.log
请安装：apt-get install libssl-dev

如果编译时报错：configure: error: : OpenSSL library not found
按如下处理：
检查当前openssl版本及库版本：
openssl -version
strings /usr/lib/libssl.so |grep OpenSSL
找到openssl的安装文件，做软连接到/usr/local/lib/下
ln -s /usr/local/openssl-1.1.1d/libssl.so /usr/lib/libssl.so
验证：
strings /usr/lib/libssl.so |grep OpenSSL
这时可以出现ssl的最新版

如果还报错：请编译openssh时，加参数 --with-ssl-dir=/usr/local/openssl-1.1.1d/，指定openssl路径。

执行安装：make && make install

如果编译时报错：configure: error: *** working libcrypto not found, check config.log
上述错误是因为缺少openssl-devel包或者libcrypto相关库的位置不正确所致。

执行：
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-zlib --with-privsep-path=/var/lib/sshd --with-ssl-dir=/usr/

openssl升级：https://www.openssl.org/source/下载
./config && make && make install
openssl version //验证

验证

root@bocepingtai:/home/ygcg/openssh-8.1p1# ssh -V
OpenSSH_8.1p1, OpenSSL 1.1.1d 10 Sep 2019

重启ssh服务验证登录

systemctl restart sshd //会一直卡着，是因为ssh服务启动完毕后，需通知Systemd，才能继续往下执行，返回信号。
root@bocepingtai:/home/ygcg/openssh-8.1p1# systemctl restart sshd
Job for ssh.service failed because a timeout was exceeded. See “systemctl status ssh.service” and “journalctl -xe” for details.

可修改sh的systemctl文件/lib/systemd/system/ssh.service中Type一项：
Type=notify改为Type=simple，这样systemctl不会等待ssh返回的信号，systemctl daemon-reload并重启sshd进程可以解决systemctl超时的问题。
sed -i “s/Type=notify/Type=simple/” /lib/systemd/system/ssh.service