openssh升級到openssh-9.4p1

1. openssh官方只提供源碼包，我們選擇自己將源碼編譯爲rpm包來升級環境的openssh，需要安裝的環境爲CentOS7

https://www.openssl.org/source/

https://www.openssh.com/releasenotes.html

wget https://github.com/boypt/openssh-rpms/archive/refs/heads/main.zip
unzip main.zip 
cd openssh-rpms-main/

compile.sh：編譯腳本el5、el6、el7：對應CentOS5、6、7三個系統，編譯相關的參數由SPECS目錄下的openssh.spec控制。
編譯好的rpm包放在RPMS目錄下。
pullsrc.sh：openssh相關源碼下載腳本
version.env：定義了openssh及openssl源碼的版本信息

 2. 修改相關的配置

爲wget增加不檢查證書的參數 --no-check-certificate

# grep wget pullsrc.sh 
  wget --no-check-certificate $OPENSSLMIR/$OPENSSLSRC
  wget --no-check-certificate $OPENSSHMIR/$OPENSSHSRC
  wget --no-check-certificate $ASKPASSMIR/$ASKPASSSRC

openssh源碼中是沒有ssh-copy-id相關參數的，如果直接編譯安裝，會發現安裝後沒有ssh-copy-id命令，因此如果需要用到該命令，需要修改編譯參數控制文件openssh.spec （大概在305行的位置）

# vim el7/SPECS/openssh.spec +305   # 插入以下內容
install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT/usr/bin/ssh-copy-id

在388行的位置再繼續插入以下內容，保存退出

%attr(0755,root,root) %{_bindir}/ssh-copy-id

修改openssl版本否會編譯失敗

[root@VM-0-12-centos openssh-rpms-main]# cat version.env 
#OPENSSLSRC=openssl-3.0.11.tar.gz    # 註釋此版本
OPENSSLSRC=openssl-1.1.1v.tar.gz     # 修改爲1.1.1
OPENSSHSRC=openssh-9.4p1.tar.gz
ASKPASSSRC=x11-ssh-askpass-1.2.4.1.tar.gz
PKGREL=4

OPENSSHVER=${OPENSSHSRC%%.tar.gz}
OPENSSHVER=${OPENSSHVER##openssh-}
OPENSSLVER=${OPENSSLSRC%%.tar.gz}
OPENSSLVER=${OPENSSLVER##openssl-}

3. 安裝編譯環境

yum groupinstall -y "Development Tools"
yum install -y imake rpm-build pam-devel krb5-devel zlib-devel libXt-devel libX11-devel gtk2-devel

4.拉取源碼並編輯打包

# bash pullsrc.sh
# ll downloads/
total 11500
-rw-r--r-- 1 root root 1845094 Aug 10 11:15 openssh-9.4p1.tar.gz
-rw-r--r-- 1 root root 9893443 Aug  1 22:09 openssl-1.1.1v.tar.gz
-rw-r--r-- 1 root root   29229 Sep 20 08:54 x11-ssh-askpass-1.2.4.1.tar.gz

5.執行源碼打包腳本

# bash compile.sh
# $?    # 檢查執行結果是否成功，爲0則成功
# ll el7/RPMS/x86_64/
total 15412
-rw-r--r-- 1 root root 5154360 Sep 25 22:11 openssh-9.4p1-4.el7.x86_64.rpm
-rw-r--r-- 1 root root 5181812 Sep 25 22:11 openssh-clients-9.4p1-4.el7.x86_64.rpm
-rw-r--r-- 1 root root 3911620 Sep 25 22:11 openssh-debuginfo-9.4p1-4.el7.x86_64.rpm
-rw-r--r-- 1 root root 1527116 Sep 25 22:11 openssh-server-9.4p1-4.el7.x86_64.rpm

6. 安裝以上四個文件即可，或者使用ansible批量推送安裝

# cat update_ssh9.4.yaml 
- hosts: "{{ server_group }}"
  tasks: 

    - name: Copy OpenSSH Update file
      copy: src=files/openssh-9.4p1/{{ item }} dest=/tmp/
      with_items:
        - openssh-9.4p1-4.el7.x86_64.rpm
        - openssh-clients-9.4p1-4.el7.x86_64.rpm
        - openssh-debuginfo-9.4p1-4.el7.x86_64.rpm
        - openssh-server-9.4p1-4.el7.x86_64.rpm

    - name: Install OpenSSH
      yum: name={{ packages }} state=present
      vars:
        packages:
          - /tmp/openssh-9.4p1-4.el7.x86_64.rpm
          - /tmp/openssh-clients-9.4p1-4.el7.x86_64.rpm
          - /tmp/openssh-debuginfo-9.4p1-4.el7.x86_64.rpm
          - /tmp/openssh-server-9.4p1-4.el7.x86_64.rpm

    - name: Del Histroy OpenSSH file
      file: path={{ item }} state=absent
      with_items:
        - /tmp/openssh-9.4p1-4.el7.x86_64.rpm
        - /tmp/openssh-clients-9.4p1-4.el7.x86_64.rpm
        - /tmp/openssh-debuginfo-9.4p1-4.el7.x86_64.rpm
        - /tmp/openssh-server-9.4p1-4.el7.x86_64.rpm
# ansible-playbook update_ssh9.4.yaml -e server_group=192.168.78.11

備註：如果使用openssl-3.0.11.tar.gz編譯可能會報以下錯誤

RPM build errors:
    Bad exit status from /var/tmp/rpm-tmp.LsYNDz (%prep)
Aborted, error 1 in command: rpmbuild -ba SPECS/openssh.spec --target $(uname -m) --define "_topdir $PWD" --define "opensslver ${OPENSSLVER}" --define "opensshver ${OPENSSHVER}" --define "opensshpkgrel ${PKGREL}" --define 'no_gtk2 1' --define 'skip_gnome_askpass 1' --define 'skip_x11_askpass 1'

參考鏈接：https://zhuanlan.zhihu.com/p/652906168