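1. The OpenSSH project only publishes source tarballs, so we build RPM packages from the source ourselves and use them to upgrade OpenSSH in our environment. The target system is CentOS 7.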
https://www.openssl.org/source/
https://www.openssh.com/releasenotes.html
    wget https://github.com/boypt/openssh-rpms/archive/refs/heads/main.zip
    unzip main.zip
    cd openssh-rpms-main/
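compile.sh: the build script
el5, el6, el7: correspond to CentOS 5, 6 and 7. The build parameters are controlled by openssh.spec in each SPECS directory.
The built RPM packages are placed in the RPMS directory.
pullsrc.sh: the script that downloads the OpenSSH-related sources
version.env: defines the versions of the OpenSSH and OpenSSL sources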
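2. Modify the configuration
Add the --no-check-certificate option to wget so that it does not check certificates. With this option wget no longer validates the server's TLS certificate, so the transport does not authenticate the downloaded tarballs.
    # grep wget pullsrc.sh
    wget --no-check-certificate $OPENSSLMIR/$OPENSSLSRC
    wget --no-check-certificate $OPENSSHMIR/$OPENSSHSRC
    wget --no-check-certificate $ASKPASSMIR/$ASKPASSSRC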
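The OpenSSH source does not include any ssh-copy-id build parameters, so if you build and install it as is, you will find that there is no ssh-copy-id command after installation. If you need that command, modify the build control file openssh.spec (at around line 305).
    # vim el7/SPECS/openssh.spec +305
    # insert the following
    install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT/usr/bin/ssh-copy-id
Then insert the following at line 388, save and exit.
    %attr(0755,root,root) %{_bindir}/ssh-copy-id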
Change the OpenSSL version, otherwise the build will fail.
    [root@VM-0-12-centos openssh-rpms-main]# cat version.env
    #OPENSSLSRC=openssl-3.0.11.tar.gz  # comment out this version
    OPENSSLSRC=openssl-1.1.1v.tar.gz   # change to 1.1.1
    OPENSSHSRC=openssh-9.4p1.tar.gz
    ASKPASSSRC=x11-ssh-askpass-1.2.4.1.tar.gz
    PKGREL=4
    OPENSSHVER=${OPENSSHSRC%%.tar.gz}
    OPENSSHVER=${OPENSSHVER##openssh-}
    OPENSSLVER=${OPENSSLSRC%%.tar.gz}
    OPENSSLVER=${OPENSSLVER##openssl-}
3. Install the build environment
    yum groupinstall -y "Development Tools"
    yum install -y imake rpm-build pam-devel krb5-devel zlib-devel libXt-devel libX11-devel gtk2-devel
4. Pull the source code for building and packaging
    # bash pullsrc.sh
    # ll downloads/
    total 11500
    -rw-r--r-- 1 root root 1845094 Aug 10 11:15 openssh-9.4p1.tar.gz
    -rw-r--r-- 1 root root 9893443 Aug 1 22:09 openssl-1.1.1v.tar.gz
    -rw-r--r-- 1 root root 29229 Sep 20 08:54 x11-ssh-askpass-1.2.4.1.tar.gz
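Since pullsrc.sh now downloads with --no-check-certificate, one way to restore integrity checking is to compare every tarball in downloads/ against SHA-256 digests pinned from a trusted source before running compile.sh. This is an added example, not part of the original post or of the openssh-rpms project; the function name verify_sources and the SHA256SUMS manifest are assumptions, and the demo data is constructed.

```shell
#!/bin/bash
# Added example: check source tarballs against pinned SHA-256 digests before
# building. Assumed manifest layout: "<sha256>  <filename>" per line, i.e. the
# format sha256sum prints. The digests must come from a source you trust.

# verify_sources DIR MANIFEST -> 0 only if every manifest entry exists in DIR
# with a matching digest AND every *.tar.gz in DIR is listed in the manifest.
verify_sources() {
    local dir="$1" manifest="$2" want name got f rc=0
    [ -r "$manifest" ] || { echo "cannot read manifest: $manifest" >&2; return 2; }

    # Pass 1: each pinned file must be present and hash to the pinned value.
    while read -r want name; do
        case "$want" in ''|'#'*) continue ;; esac   # skip blanks and comments
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name" >&2; rc=1; continue
        fi
        got=$(sha256sum "$dir/$name" | awk '{print $1}')
        if [ "$got" = "$want" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (got $got)" >&2; rc=1
        fi
    done < "$manifest"

    # Pass 2: reject tarballs that were downloaded but never pinned.
    for f in "$dir"/*.tar.gz; do
        [ -e "$f" ] || continue
        name=${f##*/}
        if ! awk -v n="$name" '$2 == n { ok = 1 } END { exit !ok }' "$manifest"; then
            echo "UNPINNED $name" >&2; rc=1
        fi
    done
    return "$rc"
}

# Constructed demo: a throwaway directory stands in for downloads/.
demo=$(mktemp -d)
printf 'constructed sample data\n' > "$demo/sample-1.0.tar.gz"
(cd "$demo" && sha256sum sample-1.0.tar.gz > SHA256SUMS)
verify_sources "$demo" "$demo/SHA256SUMS" && echo "sources verified"
rm -rf "$demo"
```

In this workflow it would be called as `verify_sources downloads SHA256SUMS` between pullsrc.sh and compile.sh, with the build aborted on a non-zero return.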
5. Run the source packaging script
    # bash compile.sh
    # echo $?   # check whether the run succeeded; 0 means success
    # ll el7/RPMS/x86_64/
    total 15412
    -rw-r--r-- 1 root root 5154360 Sep 25 22:11 openssh-9.4p1-4.el7.x86_64.rpm
    -rw-r--r-- 1 root root 5181812 Sep 25 22:11 openssh-clients-9.4p1-4.el7.x86_64.rpm
    -rw-r--r-- 1 root root 3911620 Sep 25 22:11 openssh-debuginfo-9.4p1-4.el7.x86_64.rpm
    -rw-r--r-- 1 root root 1527116 Sep 25 22:11 openssh-server-9.4p1-4.el7.x86_64.rpm
6. Install the four files above, or push and install them in bulk with Ansible
    # cat update_ssh9.4.yaml
    - hosts: "{{ server_group }}"
      tasks:
        - name: Copy OpenSSH Update file
          copy: src=files/openssh-9.4p1/{{ item }} dest=/tmp/
          with_items:
            - openssh-9.4p1-4.el7.x86_64.rpm
            - openssh-clients-9.4p1-4.el7.x86_64.rpm
            - openssh-debuginfo-9.4p1-4.el7.x86_64.rpm
            - openssh-server-9.4p1-4.el7.x86_64.rpm
        - name: Install OpenSSH
          yum: name={{ packages }} state=present
          vars:
            packages:
              - /tmp/openssh-9.4p1-4.el7.x86_64.rpm
              - /tmp/openssh-clients-9.4p1-4.el7.x86_64.rpm
              - /tmp/openssh-debuginfo-9.4p1-4.el7.x86_64.rpm
              - /tmp/openssh-server-9.4p1-4.el7.x86_64.rpm
        - name: Del Histroy OpenSSH file
          file: path={{ item }} state=absent
          with_items:
            - /tmp/openssh-9.4p1-4.el7.x86_64.rpm
            - /tmp/openssh-clients-9.4p1-4.el7.x86_64.rpm
            - /tmp/openssh-debuginfo-9.4p1-4.el7.x86_64.rpm
            - /tmp/openssh-server-9.4p1-4.el7.x86_64.rpm
    # ansible-playbook update_ssh9.4.yaml -e server_group=192.168.78.11
Note: building with openssl-3.0.11.tar.gz may produce the following error.
    RPM build errors:
        Bad exit status from /var/tmp/rpm-tmp.LsYNDz (%prep)
    Aborted, error 1 in command: rpmbuild -ba SPECS/openssh.spec --target $(uname -m) --define "_topdir $PWD" --define "opensslver ${OPENSSLVER}" --define "opensshver ${OPENSSHVER}" --define "opensshpkgrel ${PKGREL}" --define 'no_gtk2 1' --define 'skip_gnome_askpass 1' --define 'skip_x11_askpass 1'
Reference: https://zhuanlan.zhihu.com/p/652906168