编译安装openssh9.4版本 | 穿着草鞋前往

【实验需求】

对 OpenSSH 9.3p2之前版本存在的安全问题进行修复

【实验脚本】

#!/bin/bash

DIR=`pwd`
openssl_package="openssl-1.1.1u"
openssh_package="openssh-9.4p1"
suffix="tar.gz"
openssl_download_url="https://www.openssl.org/source/old/1.1.1/openssl-1.1.1u.tar.gz"
openssh_download_url="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.4p1.tar.gz"

# 检测源码包文件
if ! [ -e ${DIR}/${openssl_package}.${suffix} ];then
    echo -e "\033[1,31mcan not find ${openssl_package} package,please download ${openssl_download_url}\033[0m" && exit 1
elif ! [ -e ${DIR}/${openssh_package}.${suffix} ];then
    echo -e "\033[1,31mcan not find ${openssl_package} package,please download ${openssh_download_url}\033[0m" && exit 2
fi

# 安装相关依赖包
yum -y install gcc zlib-devel openssl-devel pam-devel && echo -e "\033[1,32m依赖包安装成功\033[0m" || echo -e "\033[1,31m依赖包安装失败\033[0m"

# 编译安装openssl1.1.1u
echo -e "\033[1,32m开始编译安装openssl-1.1.1u\033[0m" && sleep 3

tar xvf ${DIR}/${openssl_package}.${suffix} -C /usr/local/src
cd /usr/local/src/${openssl_package}/
./config --prefix=/usr/local/openssl --shared
make -j && make install

cat >> /etc/ld.so.conf << EOF
/usr/local/openssl/lib
EOF
ldconfig


# 编译安装openssh9.4
echo -e "\033[1,32m开始编译安装openssh-9.4p1\033[0m" && sleep 3

\cp -a /etc/pam.d/sshd /root/
yum -y remove openssh
tar -xvf ${DIR}/${openssh_package}.${suffix} -C /usr/local/src
cd /usr/local/src/${openssh_package}/
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/openssl --with-pam --with-zlib --with-md5-passwords --with-tcp-wrappers
make -j 2
chmod 0600 /etc/ssh/ssh_host_ed25519_key
chmod 0600 /etc/ssh/ssh_host_rsa_key
chmod 0600 /etc/ssh/ssh_host_ecdsa_key
make install

\cp contrib/redhat/sshd.init /etc/init.d/sshd
chkconfig --add sshd
chkconfig sshd on
systemctl daemon-reload

echo -e "PermitRootLogin yes\nUsePAM yes" >> /etc/ssh/sshd_config
\cp -a /root/sshd /etc/pam.d/sshd

systemctl restart sshd
echo -e "\033[1;32mopenssh 升级成功\033[0m"