
Compiling and upgrading the SSH version from source on Linux: the SSH patching process

Date: 2022-06-22 02:43:18


Contents:
Recording the patching process: compiling and upgrading SSH from source
Software to prepare before installing
Upgrade steps
Closing notes and some pitfalls

Recording the patching process: compiling and upgrading SSH from source

A security report required the SSH service on the operating system to be remediated; the reason given was that the installed SSH version was too old, and upgrading the version clears the finding.

Baidu's description of OpenSSH:

OpenSSH is a free, open-source implementation of the SSH (Secure Shell) protocol. The SSH protocol family can be used for remote control or for transferring files between computers. The traditional ways of doing this, such as telnet (terminal emulation protocol), rcp, ftp, rlogin and rsh, are extremely insecure and send passwords in plaintext. OpenSSH provides a server daemon and client tools that encrypt the data during remote control and file transfer, replacing the older services of that kind.

In simple terms, ssh is a tool that provides an encrypted channel for connecting to servers, computers and other hosts, and it is open source; the official site link is: /. As of April the latest version was OpenSSH 8.2.

Software to prepare before installing

openssh-8.2p1.tar.gz

At the bottom left of the OpenSSH website, select the operating system you want the ssh download for; here I chose Linux and downloaded the latest 8.2 release.

openssl-1.0.2u.tar.gz

Upgrading ssh requires downloading openssl; the openssl site is /. OpenSSL is an open-source cryptographic toolkit that provides the encryption the ssh protocol uses in transit. Baidu Baike describes it as: on a computer network, OpenSSL is an open-source software library that applications can use for secure communication, avoiding eavesdropping while verifying the identity of the party at the other end of the connection. The package is widely used on web servers across the internet.

zlib-1.2.11.tar.gz

The zlib package provides compression; Baidu Baike describes it as: zlib is a library for data compression, developed by Jean-loup Gailly and Mark Adler. The official site is /. The site still offers version 1.2.11.

Upgrade steps

Server background

[root@emessage ~]# lsb_release -a    // the server is Red Hat 6.5
LSB Version:    :base-4.0-amd64:base-4.0-noarch:core-4.0-amd64:core-4.0-noarch:graphics-4.0-amd64:graphics-4.0-noarch:printing-4.0-amd64:printing-4.0-noarch
Distributor ID: RedHatEnterpriseServer
Description:    Red Hat Enterprise Linux Server release 6.5 (Santiago)
Release:        6.5
Codename:       Santiago
[root@emessage ~]# ssh -V    // the ssh version is 5.3
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar

Upload the packages and extract them

[root@emessage ~]# tar -zxvf zlib-1.2.11.tar.gz
[root@emessage ~]# tar -zxvf openssl-1.0.2u.tar.gz
[root@emessage ~]# tar -zxvf openssh-8.2p1.tar.gz

Install the related packages with yum

[root@emessage ~]# yum -y install gcc libcap libcap-devel glibc-devel pam-devel krb5-devel krb5-libs xinetd telnet-server
Loaded plugins: product-id, refresh-packagekit, security, subscription-manager
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
rhel7                                                    | 3.9 kB     00:00 ...
rhel7/primary_db                                         | 3.1 MB     00:00 ...
Setting up Install Process
Package gcc-4.4.7-4.el6.x86_64 already installed and latest version
Package libcap-2.16-5.5.el6.x86_64 already installed and latest version
Package glibc-devel-2.12-1.132.el6.x86_64 already installed and latest version
Package pam-devel-1.1.1-17.el6.x86_64 already installed and latest version
Package krb5-devel-1.10.3-10.el6_4.6.x86_64 already installed and latest version
Package krb5-libs-1.10.3-10.el6_4.6.x86_64 already installed and latest version
Resolving Dependencies
--> Running transaction check
---> Package libcap-devel.x86_64 0:2.16-5.5.el6 will be installed
---> Package telnet-server.x86_64 1:0.17-47.el6_3.1 will be installed
---> Package xinetd.x86_64 2:2.3.14-39.el6_4 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

======================================================================
 Package            Arch      Version               Repository   Size
======================================================================
Installing:
 libcap-devel       x86_64    2.16-5.5.el6          rhel7        24 k
 telnet-server      x86_64    1:0.17-47.el6_3.1     rhel7        37 k
 xinetd             x86_64    2:2.3.14-39.el6_4     rhel7       122 k

Transaction Summary
======================================================================
Install       3 Package(s)

Total download size: 183 k
Installed size: 328 k
Downloading Packages:
----------------------------------------------------------------------
Total                                           597 kB/s | 183 kB     00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Warning: RPMDB altered outside of yum.
  Installing : 2:xinetd-2.3.14-39.el6_4.x86_64                        1/3
  Installing : 1:telnet-server-0.17-47.el6_3.1.x86_64                 2/3
  Installing : libcap-devel-2.16-5.5.el6.x86_64                       3/3
rhel7/productid                                          | 1.7 kB     00:00 ...
  Verifying  : libcap-devel-2.16-5.5.el6.x86_64                       1/3
  Verifying  : 2:xinetd-2.3.14-39.el6_4.x86_64                        2/3
  Verifying  : 1:telnet-server-0.17-47.el6_3.1.x86_64                 3/3

Installed:
  libcap-devel.x86_64 0:2.16-5.5.el6      telnet-server.x86_64 1:0.17-47.el6_3.1
  xinetd.x86_64 2:2.3.14-39.el6_4

Complete!

Install the zlib package

[root@emessage ~]# pwd
/root
[root@emessage ~]# cd zlib-1.2.11
[root@emessage zlib-1.2.11]#
[root@emessage zlib-1.2.11]# ./configure --shared    // compile
Checking for gcc...
Checking for shared library support...
Building shared library libz.so.1.2.11 with gcc.
Checking for size_t... Yes.
Checking for off64_t... Yes.
Checking for fseeko... Yes.
Checking for strerror... Yes.
Checking for unistd.h... Yes.
Checking for stdarg.h... Yes.
Checking whether to use vs[n]printf() or s[n]printf()... using vs[n]printf().
Checking for vsnprintf() in stdio.h... Yes.
Checking for return value of vsnprintf()... Yes.
Checking for attribute(visibility) support... Yes.
[root@emessage zlib-1.2.11]# make && make install    // install

Install and upgrade openssl

[root@emessage ~]# cd openssl-1.0.2u
[root@emessage openssl-1.0.2u]# ./config --prefix=/usr --shared    // compile
-------------------- output omitted --------------------
make[1]: Nothing to be done for `links'.
make[1]: Leaving directory `/root/openssl-1.0.2u/test'
making links in tools...
make[1]: Entering directory `/root/openssl-1.0.2u/tools'
make[1]: Nothing to be done for `links'.
make[1]: Leaving directory `/root/openssl-1.0.2u/tools'
generating dummy tests (if needed)...
make[1]: Entering directory `/root/openssl-1.0.2u/test'
md2test.c => dummytest.c
rc5test.c => dummytest.c
jpaketest.c => dummytest.c
make[1]: Leaving directory `/root/openssl-1.0.2u/test'
Configured for linux-x86_64.
[root@emessage openssl-1.0.2u]# make && make install    // install

Install and upgrade openssh

[root@emessage ~]# cd openssh-8.2p1
[root@emessage openssh-8.2p1]# ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-zlib --with-ssl-dir=/usr --with-md5-passwords --mandir=/usr/share/man --with-kerberos5=/usr/lib64/libkrb5.so --with-ld-opt="-lstdc++" --with-cpp_test_module    // compile
-------------------- output omitted --------------------
                  Solaris process contract support: no
                           Solaris project support: no
                         Solaris privilege support: no
                       IP address in $DISPLAY hack: no
                           Translate v4 in v6 hack: yes
                                  BSD Auth support: no
                              Random number source: OpenSSL internal ONLY
                             Privsep sandbox style: rlimit
                                   PKCS#11 support: yes
                                  U2F/FIDO support: yes

              Host: x86_64-pc-linux-gnu
          Compiler: cc
    Compiler flags: -g -O2 -pipe -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wno-pointer-sign -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-all -fPIE
Preprocessor flags: -I/usr/include -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE
      Linker flags: -L/usr/lib -Wl,-z,retpolineplt -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-all -pie
         Libraries: -lcrypto -lrt -ldl -lutil -lz -lcrypt -lresolv
         +for sshd: -lpam

PAM is enabled. You may need to install a PAM control file
for sshd, otherwise password authentication may fail.
Example PAM control files can be found in the contrib/
subdirectory

[root@emessage openssh-8.2p1]# make && make install    // install
-------------------- output omitted --------------------
/usr/bin/install -c -m 0755 -s ssh-pkcs11-helper /usr/libexec/ssh-pkcs11-helper
/usr/bin/install -c -m 0755 -s ssh-sk-helper /usr/libexec/ssh-sk-helper
/usr/bin/install -c -m 0755 -s sftp /usr/bin/sftp
/usr/bin/install -c -m 0755 -s sftp-server /usr/libexec/sftp-server
/usr/bin/install -c -m 644 ssh.1.out /usr/share/man/man1/ssh.1
/usr/bin/install -c -m 644 scp.1.out /usr/share/man/man1/scp.1
/usr/bin/install -c -m 644 ssh-add.1.out /usr/share/man/man1/ssh-add.1
/usr/bin/install -c -m 644 ssh-agent.1.out /usr/share/man/man1/ssh-agent.1
/usr/bin/install -c -m 644 ssh-keygen.1.out /usr/share/man/man1/ssh-keygen.1
/usr/bin/install -c -m 644 ssh-keyscan.1.out /usr/share/man/man1/ssh-keyscan.1
/usr/bin/install -c -m 644 moduli.5.out /usr/share/man/man5/moduli.5
/usr/bin/install -c -m 644 sshd_config.5.out /usr/share/man/man5/sshd_config.5
/usr/bin/install -c -m 644 ssh_config.5.out /usr/share/man/man5/ssh_config.5
/usr/bin/install -c -m 644 sshd.8.out /usr/share/man/man8/sshd.8
/usr/bin/install -c -m 644 sftp.1.out /usr/share/man/man1/sftp.1
/usr/bin/install -c -m 644 sftp-server.8.out /usr/share/man/man8/sftp-server.8
/usr/bin/install -c -m 644 ssh-keysign.8.out /usr/share/man/man8/ssh-keysign.8
/usr/bin/install -c -m 644 ssh-pkcs11-helper.8.out /usr/share/man/man8/ssh-pkcs11-helper.8
/usr/bin/install -c -m 644 ssh-sk-helper.8.out /usr/share/man/man8/ssh-sk-helper.8
/bin/mkdir -p /etc/ssh
/etc/ssh/ssh_config already exists, install will not overwrite
/etc/ssh/sshd_config already exists, install will not overwrite
/etc/ssh/moduli already exists, install will not overwrite
ssh-keygen: generating new host keys: ECDSA ED25519
/usr/sbin/sshd -t -f /etc/ssh/sshd_config

Check the upgraded ssh version and restart the service

[root@emessage openssh-8.2p1]# ssh -V    // version upgrade succeeded
OpenSSH_8.2p1, OpenSSL 1.0.2u 20 Dec
[root@emessage openssh-8.2p1]# service sshd restart
Stopping sshd:                                             [  OK  ]
Starting sshd:                                             [  OK  ]

Closing notes and some pitfalls

If compiling openssh fails with configure: error: PAM headers not found, the fix is to install the pam-devel rpm: yum install -y pam-devel

If compiling openssh fails with error: /usr/lib64/libkrb5.so/include: Not a directory, the workaround is to add the configure parameters --with-ld-opt="-lstdc++" --with-cpp_test_module when building, which lets the build skip past it.

If compiling openssh fails with fatal error: krb5.h: No such file or directory, run yum install krb5-devel.x86_64 to install krb5-devel.

Errors during installation

/etc/ssh/sshd_config line 124: Deprecated option UsePrivilegeSeparation
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_rsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Error loading host key "/etc/ssh/ssh_host_rsa_key": bad permissions
Could not load host key: /etc/ssh/ssh_host_rsa_key
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0660 for '/etc/ssh/ssh_host_ecdsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Error loading host key "/etc/ssh/ssh_host_ecdsa_key": bad permissions
Could not load host key: /etc/ssh/ssh_host_ecdsa_key
sshd: no hostkeys available -- exiting.
make: [check-config] Error 1 (ignored)

This is caused by file permissions: sshd refuses to load a host private key that other users can read. Change the permissions of the files named in the error to 600.

[root@localhost openssh-7.9p1]# cd /etc/ssh/
[root@localhost ssh]# ll
-rw-------  1 root root 242153 Mar 20       moduli
-rw-r--r--  1 root root   2123 Mar 20       ssh_config
-rw-------  1 root root   4442 Mar 20       sshd_config
-rw-------  1 root root   3907 Apr 11       sshd_config.rpmnew
-rw-------. 1 root root   4465 Jan 18 15:17 sshd_config.rpmsave
-rw-------. 1 root root   1405 Jan  2 10:28 ssh_host_dsa_key
-rw-r--r--. 1 root root    616 Jan  2 10:28 ssh_host_dsa_key.pub
-rw-------. 1 root root    227 Dec 28 16:28 ssh_host_ecdsa_key
-rw-r--r--. 1 root root    162 Dec 28 16:28 ssh_host_ecdsa_key.pub
-rw-------. 1 root root    419 Jan  2 10:16 ssh_host_ed25519_key
-rw-r--r--. 1 root root    108 Jan  2 10:16 ssh_host_ed25519_key.pub
-rw-------. 1 root root   1675 Dec 28 16:28 ssh_host_rsa_key
-rw-r--r--. 1 root root    382 Dec 28 16:28 ssh_host_rsa_key.pub

Change ssh_host_ecdsa_key and ssh_host_rsa_key to be owned by root, group root, with mode 600.
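Putting the checks from this section together, as an added example that is not code from the original post: a POSIX shell pre-flight script that finds host private keys the new sshd would reject as too open, tightens them to mode 600 (and owner root:root when run as root), and runs sshd -t on the config before the service is restarted. The paths /usr/sbin/sshd and /etc/ssh (overridable with SSHD and SSH_DIR) are assumptions taken from the session above.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed paths: /etc/ssh (override
# with SSH_DIR) and /usr/sbin/sshd (override with SSHD), matching the build above.
# sshd ignores any host private key that is group- or world-accessible
# ("Permissions 0640 for '/etc/ssh/ssh_host_rsa_key' are too open") and exits
# with "no hostkeys available" once every key has been rejected.

SSH_DIR="${SSH_DIR:-/etc/ssh}"
SSHD="${SSHD:-/usr/sbin/sshd}"

# List every ssh_host_*_key (private keys only; *.pub does not match the glob)
# whose mode is not 0600. Returns 0 if all are tight, 1 if any is too open.
check_host_key_perms() {
    dir="$1"
    bad=0
    for key in "$dir"/ssh_host_*_key; do
        [ -f "$key" ] || continue
        mode=$(stat -c '%a' "$key")
        if [ "$mode" != "600" ]; then
            echo "too open: $key (mode $mode, sshd will ignore it)"
            bad=1
        fi
    done
    return "$bad"
}

# Tighten the same set of keys: mode 0600, owner/group root when run as root.
# Public keys (*.pub) stay world-readable; that is what they are for.
fix_host_key_perms() {
    dir="$1"
    for key in "$dir"/ssh_host_*_key; do
        [ -f "$key" ] || continue
        chmod 600 "$key"
        [ "$(id -u)" -eq 0 ] && chown root:root "$key"
    done
    return 0
}

# Pre-flight before "service sshd restart": report the client version, fix key
# permissions, then let sshd validate the config in test mode (-t) so a broken
# config or a missing host key is caught while the old daemon is still running.
preflight() {
    dir="$1"
    echo "client: $(ssh -V 2>&1)"
    check_host_key_perms "$dir" || fix_host_key_perms "$dir"
    "$SSHD" -t -f "$dir/sshd_config" && echo "sshd_config accepted; safe to restart"
}

# Run as root after make install:  sh preflight.sh run
if [ "${1:-}" = "run" ]; then preflight "$SSH_DIR"; fi
```

Keep the SSH session you are already logged in with open across the restart; it is the way back in if the new sshd fails to start, without relying on the plaintext telnet-server that the yum step above pulled in.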
