Linux Centos7 升级最新版OpenSSH-9.6p1详细步骤(附脚本)

GaoSJiang 2024-07-16 12:07:03 阅读 97

        最近公司系统在进行三级等保测评,其中有一项高危漏洞是Linux服务器的SSH版本太低存在安全风险,要求整改升级到最新版本,此篇文章记录SSH升级步骤和脚本

鸣谢:本文参考了以下文章,并在该作者所提供的脚本基础上修改而来:Linux OpenSSH-9.0p1最新版升级步骤详细(附脚本)_ssh升级脚本-CSDN博客

环境准备及软件下载相关步骤,请参考以上作者原文章,写的非常详细,这里只对一些优化和改进的地方进行记录。

编写脚本,该脚本在参考原文脚本的基础上修改(完整脚本,直接复制可用)

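#!/bin/bash
#
#########################################################
# Function :openssh-9.6p1 update #
# Platform :Centos7.X #
# Version :2.0 #
# Date :2022-05-01 #
#########################################################
#
# Builds zlib, OpenSSL and OpenSSH from source under $default and
# replaces the distribution OpenSSH with the result. Must run as root
# (checked in Install_make). Prefer running it from a console session:
# the packaged OpenSSH is removed (Remove_openssh) before the new one is
# built, so a failed build leaves the host without an SSH server until
# the problem is fixed.

clear

export LANG="en_US.UTF-8"

# Change 1: the zlib-1.2 tarball the original script named is no longer
# published and the download failed; the current release downloads fine.
# Check https://www.zlib.net/ for the latest version (1.3.1 when this was
# written). Change the openssl / openssh versions here to build another
# release.
zlib_version="zlib-1.3.1"
# NOTE(review): the OpenSSL 1.1.1 branch reached end-of-life in September
# 2023 and no longer receives security fixes upstream; OpenSSH 9.6p1 also
# builds against OpenSSL 3.x. Check this pin against your own vulnerability
# baseline before using it for a compliance-driven upgrade.
openssl_version="openssl-1.1.1q"
openssh_version="openssh-9.6p1"

# Directory that holds the source tarballs and the work directories below.
file="/opt"

# Installation prefix for the compiled packages.
default="/usr/local"

# Timestamp used to name backup copies and log files. It contains an em
# dash and a colon; fine on a local filesystem, but a colon in a file name
# can be misread as host:path by scp when the backups are copied elsewhere.
date_time=$(date "+%Y-%m-%d—%H:%M")

# Work directories.
file_install="$file/openssh_install"
file_backup="$file/openssh_backup"
file_log="$file/openssh_log"

# Change 2: create the work directories up front. The original script
# failed when they did not exist; mkdir -p is a no-op when they do.
for _dir in "$file_install" "$file_backup" "$file_log" "$file_install/zlib"; do
  mkdir -p -- "$_dir"
done
unset _dir

# Source tarball URLs.
zlib_download="https://www.zlib.net/$zlib_version.tar.gz"
openssl_download="https://www.openssl.org/source/$openssl_version.tar.gz"
openssh_download="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/$openssh_version.tar.gz"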

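#######################################
# Preflight checks: require root, make sure wget and tar are installed,
# then install the toolchain and -devel packages the builds need.
# Globals:   none written
# Outputs:   progress banners on stdout
# Returns:   0 on success; exits the script with status 1 when not run as
#            root or when the dependency install fails
#######################################
Install_make()
{
  # Everything below writes to /etc, /usr and /opt, so refuse non-root early.
  if [ "$(id -u)" != "0" ]; then
    echo -e "\033[33m--------------------------------------------------------------- \033[0m"
    echo -e " 当前用户为普通用户,必须使用root用户运行,脚本退出中......" "\033[31m Error\033[0m"
    echo -e "\033[33m--------------------------------------------------------------- \033[0m"
    echo ""
    sleep 4
    exit 1
  fi

  # wget (used by Install_tar)
  echo -e "\033[33m 正在安装Wget...... \033[0m"
  sleep 2
  echo ""
  if ! command -v wget >/dev/null 2>&1; then
    yum install -y wget
  else
    echo -e "\033[33m--------------------------------------------------------------- \033[0m"
    echo -e " wget已经安装了:" "\033[32m Please continue\033[0m"
    echo -e "\033[33m--------------------------------------------------------------- \033[0m"
    echo ""
  fi

  # tar (used to unpack the three tarballs)
  echo -e "\033[33m 正在安装TAR...... \033[0m"
  sleep 2
  echo ""
  if ! command -v tar >/dev/null 2>&1; then
    yum install -y tar
  else
    echo ""
    echo -e "\033[33m--------------------------------------------------------------- \033[0m"
    echo -e " tar已经安装了:" "\033[32m Please continue\033[0m"
    echo -e "\033[33m--------------------------------------------------------------- \033[0m"
  fi
  echo ""

  # Build dependencies. Kept without -y as in the original, so yum shows the
  # transaction and waits for confirmation; add -y for unattended runs.
  # tcp_wrappers is carried over from the original script; recent OpenSSH
  # releases no longer link libwrap, so those two packages are most likely
  # unused by this build.
  echo -e "\033[33m 正在安装依赖包...... \033[0m"
  sleep 3
  echo ""
  if yum install gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel pam-devel zlib-devel tcp_wrappers-devel tcp_wrappers; then
    echo ""
    echo -e "\033[33m--------------------------------------------------------------- \033[0m"
    echo -e " 安装软件依赖包成功 " "\033[32m Success\033[0m"
    echo -e "\033[33m--------------------------------------------------------------- \033[0m"
  else
    # The original printed the "extract failed" message here by mistake.
    echo -e "\033[33m--------------------------------------------------------------- \033[0m"
    echo -e " 安装软件依赖包失败,脚本退出中......" "\033[31m Error\033[0m"
    echo -e "\033[33m--------------------------------------------------------------- \033[0m"
    sleep 4
    exit 1
  fi
  echo ""
}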

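#######################################
# Create the work directories and keep a timestamped copy of every file
# the upgrade will replace (openssl binary, sshd init script, /etc/ssh,
# sshd systemd unit, sshd PAM files).
# Globals:   file_install, file_backup, file_log, date_time (read)
# Outputs:   one line per file that was not found (nothing to back up)
# Returns:   0
#######################################
Install_backup()
{
  local d pair src dst

  for d in "$file_install" "$file_backup" "$file_log" \
           "$file_backup/zlib" "$file_backup/ssl" "$file_backup/ssh" \
           "$file_log/zlib" "$file_log/ssl" "$file_log/ssh"; do
    mkdir -p -- "$d"
  done

  # "source|destination" pairs ('|' rather than ':' because $date_time
  # contains a colon). Missing sources are reported and skipped instead of
  # producing a bare cp error. /etc/pam.d/sshd is the PAM service file the
  # stock sshd reads; /etc/pam.d/sshd.pam is the name this script writes
  # later, so both are kept when present.
  for pair in \
    "/usr/bin/openssl|$file_backup/ssl/openssl_$date_time.bak" \
    "/etc/init.d/sshd|$file_backup/ssh/sshd_$date_time.bak" \
    "/etc/ssh|$file_backup/ssh/ssh_$date_time.bak" \
    "/usr/lib/systemd/system/sshd.service|$file_backup/ssh/sshd_$date_time.service.bak" \
    "/etc/pam.d/sshd|$file_backup/ssh/sshd_$date_time.pamd.bak" \
    "/etc/pam.d/sshd.pam|$file_backup/ssh/sshd_$date_time.pam.bak"; do
    src=${pair%%|*}
    dst=${pair#*|}
    if [ -e "$src" ]; then
      cp -rf -- "$src" "$dst" > /dev/null
    else
      echo -e " ${src}不存在 " "\033[31m Not backed up(可忽略)\033[0m"
    fi
  done
}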

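#######################################
# Remove the distribution OpenSSH packages so the source build can take
# their place. --nodeps is kept from the original because other packages
# depend on openssh-clients/openssh-server.
# Globals:   none
# Outputs:   a notice when no openssh package is installed
# Returns:   status of rpm -e, or 0 when there was nothing to remove
#######################################
Remove_openssh()
{
  # NOTE(review): this runs before the new sshd exists. Until
  # Install_openssh finishes no new SSH connections can be accepted (an
  # already open session usually survives), so keep a console or a second
  # session available in case a later step fails.
  local -a pkgs=()
  mapfile -t pkgs < <(rpm -qa | grep openssh)
  # The original called 'rpm -e --nodeps' with no arguments when nothing
  # matched, which is an error rather than a no-op.
  if [ "${#pkgs[@]}" -eq 0 ]; then
    echo -e " 未发现已安装的openssh软件包 " "\033[32m Please continue\033[0m"
    return 0
  fi
  rpm -e --nodeps "${pkgs[@]}"
}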

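#######################################
# Download one source tarball unless it is already present, optionally
# verifying its SHA-256.
# Arguments: $1 - name shown in the "downloading" banner
#            $2 - name shown in the "not found locally" banner
#            $3 - destination tarball path
#            $4 - download URL
#            $5 - expected SHA-256 hex digest, or empty to skip the check
# Returns:   0 when the tarball is present (and matches $5 when given);
#            exits the script with status 1 on download or checksum failure
#######################################
_fetch_source()
{
  local banner=$1 lower=$2 tarball=$3 url=$4 expected=$5

  echo -e "\033[33m 正在下载${banner}软件包...... \033[0m"
  sleep 3
  echo ""
  if [ -e "$tarball" ]; then
    echo -e " 下载软件源码包已存在 " "\033[32m Please continue\033[0m"
  else
    echo -e "\033[33m 未发现${lower}本地源码包,链接检查获取中........... \033[0m "
    sleep 1
    echo ""
    # Download to a temporary name and rename on success so a partial
    # download is never mistaken for a complete tarball on the next run.
    # The original passed --no-check-certificate; these archives become the
    # host's SSH daemon, so a download whose TLS certificate does not verify
    # must be investigated (e.g. an outdated ca-certificates package), not
    # trusted.
    if ! wget -O "$tarball.part" -- "$url"; then
      rm -f -- "$tarball.part"
      echo -e " ${lower}源码包下载失败,脚本退出中......" "\033[31m Error\033[0m"
      sleep 4
      exit 1
    fi
    mv -f -- "$tarball.part" "$tarball"
    echo ""
  fi

  # Optional integrity check against the digest published by the project.
  if [ -n "$expected" ]; then
    if ! printf '%s  %s\n' "$expected" "$tarball" | sha256sum -c --status -; then
      echo -e " ${lower}源码包SHA-256校验失败,脚本退出中......" "\033[31m Error\033[0m"
      sleep 4
      exit 1
    fi
  fi
}

#######################################
# Fetch the zlib, OpenSSL and OpenSSH source tarballs into $file.
# Globals:   file, zlib_version, openssl_version, openssh_version,
#            zlib_download, openssl_download, openssh_download (read)
#            ZLIB_SHA256, OPENSSL_SHA256, OPENSSH_SHA256 (optional env;
#            when set, the tarball must match or the script stops)
# Returns:   0 when all three tarballs are present; exits otherwise
#######################################
Install_tar()
{
  _fetch_source Zlib zlib "$file/$zlib_version.tar.gz" "$zlib_download" "${ZLIB_SHA256:-}"
  _fetch_source Openssl openssl "$file/$openssl_version.tar.gz" "$openssl_download" "${OPENSSL_SHA256:-}"
  _fetch_source Openssh openssh "$file/$openssh_version.tar.gz" "$openssh_download" "${OPENSSH_SHA256:-}"
}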

# Two blank lines between sections of the console output.
printf '\n\n'

#安装zlib

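#######################################
# Unpack, build and install zlib under $default/$zlib_version and
# register its lib directory with the dynamic loader.
# Globals:   file, file_install, file_log, default, zlib_version,
#            date_time (read)
# Outputs:   configure/make/ldconfig output under $file_log/zlib/
# Returns:   exits the script with status 1 when any build step fails
#######################################
Install_zlib(){
  local src_dir="$file_install/$zlib_version"
  local prefix="$default/$zlib_version"
  local step rc

  echo -e "\033[33m 1.1-正在解压Zlib软件包...... \033[0m"
  sleep 3
  echo ""
  mkdir -p -- "$file_install"
  tar -xzf "$file/$zlib_version.tar.gz" -C "$file_install" > /dev/null
  # The original tested $zilb_version (a typo for $zlib_version), so this
  # check always passed and a failed extraction went unnoticed.
  if [ -d "$src_dir" ]; then
    echo -e "\033[33m--------------------------------------------------------------- \033[0m"
    echo -e " zilb解压源码包成功" "\033[32m Success\033[0m"
    echo -e "\033[33m--------------------------------------------------------------- \033[0m"
    echo ""
  else
    echo -e "\033[33m--------------------------------------------------------------- \033[0m"
    echo -e " zilb解压源码包失败,脚本退出中......" "\033[31m Error\033[0m"
    echo -e "\033[33m--------------------------------------------------------------- \033[0m"
    echo ""
    sleep 4
    exit 1
  fi

  echo -e "\033[33m 1.2-正在编译安装Zlib服务.............. \033[0m"
  sleep 3
  echo ""
  # cd by the exact version directory; the original's 'cd $file_install/zlib*'
  # failed for the author (the glob can match more than one entry).
  cd "$src_dir" || { echo -e " 进入目录失败: $src_dir" "\033[31m Error\033[0m"; exit 1; }
  echo -e "$PWD"   # the original printed $pwd, which is unset
  if ! ./configure --prefix="$prefix" > "$file_log/zlib/zlib_configure_$date_time.txt" 2>&1; then
    echo -e "\033[33m--------------------------------------------------------------- \033[0m"
    echo -e " 编译安装压缩库失败,脚本退出中..." "\033[31m Error\033[0m"
    echo -e "\033[33m--------------------------------------------------------------- \033[0m"
    echo ""
    sleep 4
    exit 1
  fi
  # Each step logs to the log dir, and a non-zero status aborts the script
  # instead of only being printed as the original did.
  for step in "make" "make test" "make install"; do
    echo -e "\033[33m $step... \033[0m"
    # shellcheck disable=SC2086 -- $step is deliberately word-split into a command
    $step > "$file_log/zlib/zlib_${step// /_}_$date_time.txt" 2>&1
    rc=$?
    echo "$rc"
    if [ "$rc" -ne 0 ]; then
      echo -e "\033[33m--------------------------------------------------------------- \033[0m"
      echo -e " 编译安装压缩库失败,脚本退出中..." "\033[31m Error\033[0m"
      echo -e "\033[33m--------------------------------------------------------------- \033[0m"
      echo ""
      sleep 4
      exit 1
    fi
  done

  if [ -e "$prefix/lib/libz.so" ]; then
    # Replace any earlier zlib entry with this build's lib dir. Both
    # /etc/ld.so.conf and a drop-in are written, as in the original; the
    # drop-in is overwritten rather than appended so re-runs do not pile
    # up duplicate lines.
    sed -i '/zlib/d' /etc/ld.so.conf
    echo "$prefix/lib" >> /etc/ld.so.conf
    echo "$prefix/lib" > /etc/ld.so.conf.d/zlib.conf
    # The original chained two redirections here, so its log file stayed empty.
    ldconfig -v > "$file_log/zlib/zlib_ldconfig_$date_time.txt" 2>&1
    /sbin/ldconfig
  fi
}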

# Two blank lines between sections of the console output.
printf '\n\n'

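#######################################
# Unpack, build and install OpenSSL under $default/$openssl_version and
# make it the host's default 'openssl' binary and libssl/libcrypto 1.1.
# Globals:   file, file_install, file_log, default, openssl_version,
#            date_time (read)
# Outputs:   config/make/ldconfig output under $file_log/ssl/
# Returns:   exits the script with status 1 when any step fails
#######################################
Install_openssl(){
  local src_dir="$file_install/$openssl_version"
  local prefix="$default/$openssl_version"
  local step rc

  echo -e "\033[33m 2.1-正在解压Openssl...... \033[0m"
  sleep 3
  echo ""
  tar -xzf "$file/$openssl_version.tar.gz" -C "$file_install" > /dev/null
  if [ -d "$src_dir" ]; then
    echo -e "\033[33m--------------------------------------------------------------- \033[0m"
    echo -e " OpenSSL解压源码包成功" "\033[32m Success\033[0m"
    echo -e "\033[33m--------------------------------------------------------------- \033[0m"
  else
    echo -e "\033[33m--------------------------------------------------------------- \033[0m"
    echo -e " OpenSSL解压源码包失败,脚本退出中......" "\033[31m Error\033[0m"
    echo -e "\033[33m--------------------------------------------------------------- \033[0m"
    echo ""
    sleep 4
    exit 1
  fi
  echo ""

  echo -e "\033[33m 2.2-正在编译安装Openssl服务...... \033[0m"
  sleep 3
  echo ""
  cd "$src_dir" || { echo -e " 进入目录失败: $src_dir" "\033[31m Error\033[0m"; exit 1; }
  # 'shared' produces libssl.so/libcrypto.so; 'zlib' enables compression support.
  if ! ./config shared zlib --prefix="$prefix" > "$file_log/ssl/ssl_config_$date_time.txt" 2>&1; then
    echo -e "\033[33m--------------------------------------------------------------- \033[0m"
    echo -e " 编译安装OpenSSL失败,脚本退出中..." "\033[31m Error\033[0m"
    echo -e "\033[33m--------------------------------------------------------------- \033[0m"
    echo ""
    sleep 4
    exit 1
  fi
  # Each step logs to the log dir, and a non-zero status aborts the script
  # instead of only being printed as the original did.
  for step in "make clean" "make -j 4" "make install"; do
    echo -e "\033[33m $step... \033[0m"
    # shellcheck disable=SC2086 -- $step is deliberately word-split into a command
    $step > "$file_log/ssl/ssl_${step// /_}_$date_time.txt" 2>&1
    rc=$?
    echo "$rc"
    if [ "$rc" -ne 0 ]; then
      echo -e "\033[33m--------------------------------------------------------------- \033[0m"
      echo -e " 编译安装OpenSSL失败,脚本退出中..." "\033[31m Error\033[0m"
      echo -e "\033[33m--------------------------------------------------------------- \033[0m"
      echo ""
      sleep 4
      exit 1
    fi
  done

  if [ ! -e "$prefix/bin/openssl" ]; then
    # The original fell through here without exiting.
    echo ""
    echo -e "\033[33m--------------------------------------------------------------- \033[0m"
    echo -e " OpenSSL软连接失败,脚本退出中..." "\033[31m Error\033[0m"
    echo -e "\033[33m--------------------------------------------------------------- \033[0m"
    sleep 4
    exit 1
  fi

  # Only now retire the distribution binary: the original moved it before
  # confirming the new one existed, which left the host without 'openssl'
  # when the build had failed. /usr/bin/openssl belongs to the openssl rpm,
  # so a later 'yum update openssl' will replace this symlink again.
  mv -f /usr/bin/openssl "/usr/bin/openssl_$date_time.bak"
  sed -i '/openssl/d' /etc/ld.so.conf
  echo "$prefix/lib" >> /etc/ld.so.conf
  # -sfn so a re-run replaces stale links instead of failing on an existing path.
  ln -sfn "$prefix/bin/openssl" /usr/bin/openssl
  ln -sfn "$prefix/lib/libssl.so.1.1" /usr/lib64/libssl.so.1.1
  ln -sfn "$prefix/lib/libcrypto.so.1.1" /usr/lib64/libcrypto.so.1.1
  # The original chained two redirections here, so its log file stayed empty.
  ldconfig -v > "$file_log/ssl/ssl_ldconfig_$date_time.txt" 2>&1
  /sbin/ldconfig
  echo -e "\033[33m--------------------------------------------------------------- \033[0m"
  echo -e " 编译安装OpenSSL " "\033[32m Success\033[0m"
  echo -e "\033[33m--------------------------------------------------------------- \033[0m"
  echo ""

  echo -e "\033[33m 2.3-正在输出 OpenSSL 版本状态.............. \033[0m"
  sleep 3
  echo ""
  echo -e "\033[32m====================== OpenSSL veriosn ===================== \033[0m"
  echo ""
  openssl version -a
  echo ""
  echo -e "\033[32m======================================================= \033[0m"
  sleep 2
}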

# Two blank lines between sections of the console output.
printf '\n\n'

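#######################################
# Unpack the OpenSSH tarball into $file_install.
# Globals:   file, file_install, openssh_version (read)
# Returns:   exits the script with status 1 when the source dir is missing
#######################################
_openssh_unpack()
{
  echo -e "\033[33m 3.1-正在解压OpenSSH...... \033[0m"
  sleep 3
  echo ""
  tar -xzf "$file/$openssh_version.tar.gz" -C "$file_install" > /dev/null
  if [ -d "$file_install/$openssh_version" ]; then
    echo -e "\033[33m--------------------------------------------------------------- \033[0m"
    echo -e " OpenSSh解压源码包成功" "\033[32m Success\033[0m"
    echo -e "\033[33m--------------------------------------------------------------- \033[0m"
  else
    echo -e "\033[33m--------------------------------------------------------------- \033[0m"
    echo -e " OpenSSh解压源码包失败,脚本退出中......" "\033[31m Error\033[0m"
    echo -e "\033[33m--------------------------------------------------------------- \033[0m"
    echo ""
    sleep 4
    exit 1
  fi
  echo ""
}

#######################################
# Configure and build OpenSSH against the zlib and OpenSSL built earlier,
# then set /etc/ssh aside and install under $default/$openssh_version with
# sshd's config dir at /etc/ssh. Every step must succeed; the original only
# printed the make exit status and carried on.
# Globals:   file_install, file_log, default, zlib_version,
#            openssl_version, openssh_version, date_time (read)
# Returns:   exits the script with status 1 when configure or make fails
#######################################
_openssh_build()
{
  local src_dir="$file_install/$openssh_version"
  local prefix="$default/$openssh_version"
  local rc

  echo -e "\033[33m 3.2-正在编译安装OpenSSH服务...... \033[0m"
  sleep 3
  echo ""
  cd "$src_dir" || { echo -e " 进入目录失败: $src_dir" "\033[31m Error\033[0m"; exit 1; }
  if ! ./configure --prefix="$prefix" --sysconfdir=/etc/ssh \
       --with-ssl-dir="$default/$openssl_version" --with-zlib="$default/$zlib_version" \
       > "$file_log/ssh/ssh_configure_$date_time.txt" 2>&1; then
    echo -e "\033[33m--------------------------------------------------------------- \033[0m"
    echo -e " 编译安装OpenSSH失败,脚本退出中......" "\033[31m Error\033[0m"
    echo -e "\033[33m--------------------------------------------------------------- \033[0m"
    echo ""
    sleep 4
    exit 1
  fi
  echo -e "\033[33m make -j 4... \033[0m"
  make -j 4 > "$file_log/ssh/ssh_make_$date_time.txt" 2>&1
  rc=$?
  echo "$rc"
  if [ "$rc" -ne 0 ]; then
    echo -e "\033[33m--------------------------------------------------------------- \033[0m"
    echo -e " 编译安装OpenSSH失败,脚本退出中......" "\033[31m Error\033[0m"
    echo -e "\033[33m--------------------------------------------------------------- \033[0m"
    echo ""
    sleep 4
    exit 1
  fi

  # Set the old config dir aside only once the build has succeeded (the
  # original did this before configure, so a failed build also lost
  # /etc/ssh). 'make install' then creates a fresh /etc/ssh with a new
  # sshd_config and NEW host keys.
  # NOTE(review): new host keys mean every client that has this host in
  # known_hosts will see a "host identification has changed" warning, and
  # users who learn to click through those warnings stop noticing a real
  # one. Copying ssh_host_*_key* back from /etc/ssh_$date_time.bak before
  # sshd starts keeps the identity; check the copied keys' ownership and
  # mode before relying on it.
  mv /etc/ssh "/etc/ssh_$date_time.bak"
  echo -e "\033[33m make install... \033[0m"
  make install > "$file_log/ssh/ssh_make_install_$date_time.txt" 2>&1
  rc=$?
  echo "$rc"
  if [ "$rc" -ne 0 ]; then
    echo -e "\033[33m--------------------------------------------------------------- \033[0m"
    echo -e " 编译安装OpenSSH失败,脚本退出中......" "\033[31m Error\033[0m"
    echo -e "\033[33m--------------------------------------------------------------- \033[0m"
    echo ""
    sleep 4
    exit 1
  fi

  echo ""
  echo -e "\033[33m--------------------------------------------------------------- \033[0m"
  echo -e " 编译安装OpenSSH " "\033[32m Success\033[0m"
  echo -e "\033[33m--------------------------------------------------------------- \033[0m"
  echo ""
  sleep 2
  echo -e "\033[32m==================== OpenSSH—file veriosn =================== \033[0m"
  echo ""
  "$prefix/bin/ssh" -V   # the original hard-coded /usr/local here instead of $default
  echo ""
  echo -e "\033[32m======================================================= \033[0m"
  sleep 3
  echo ""
}

#######################################
# Install the SysV init script from the tarball, set the old systemd unit
# and PAM file aside, copy in the contrib PAM file and enable sshd at boot.
# Globals:   file_install, openssh_version, date_time (read)
# Returns:   0 (missing originals are reported, not treated as errors)
#######################################
_openssh_install_service()
{
  local contrib="$file_install/$openssh_version/contrib/redhat"

  echo -e "\033[33m 3.3-正在迁移OpenSSH配置文件...... \033[0m"
  sleep 3
  echo ""
  # SysV init script
  if [ -f /etc/init.d/sshd ]; then
    mv /etc/init.d/sshd "/etc/init.d/sshd_$date_time.bak"
  else
    echo -e " /etc/init.d/sshd不存在 " "\033[31m Not backed up(可忽略)\033[0m"
  fi
  cp -f "$contrib/sshd.init" /etc/init.d/sshd
  chmod u+x /etc/init.d/sshd
  chkconfig --add sshd
  chkconfig --list | grep sshd
  chkconfig sshd on

  # The packaged systemd unit is usually gone after Remove_openssh; when one
  # is still present it is moved aside so the init script is what systemd uses.
  if [ -f /usr/lib/systemd/system/sshd.service ]; then
    mv /usr/lib/systemd/system/sshd.service /usr/lib/systemd/system/sshd.service_bak
  else
    echo -e " sshd.service不存在" "\033[31m Not backed up(可忽略)\033[0m"
  fi

  # PAM file. NOTE(review): PAM looks the service file up by name, i.e.
  # /etc/pam.d/sshd; this script writes /etc/pam.d/sshd.pam (kept from the
  # original), which sshd will not read. Review /etc/pam.d/sshd after the
  # upgrade if UsePAM is turned on in sshd_config.
  if [ -f /etc/pam.d/sshd.pam ]; then
    mv /etc/pam.d/sshd.pam "/etc/pam.d/sshd.pam_$date_time.bak"
  else
    echo -e " sshd.pam不存在" "\033[31m Not backed up(可忽略)\033[0m"
  fi
  cp -f "$contrib/sshd.pam" /etc/pam.d/sshd.pam
}

#######################################
# Write sshd_config for the new daemon and put sshd/ssh/ssh-keygen where
# the redhat init script and the rest of the system expect them.
# Globals:   file_install, default, openssh_version (read)
#            SSHD_PERMIT_ROOT_LOGIN (optional env, default 'yes')
# Returns:   0
#######################################
_openssh_write_config()
{
  local prefix="$default/$openssh_version"
  local src_dir="$file_install/$openssh_version"
  # PermitRootLogin value appended to sshd_config. Defaults to 'yes' to match
  # the original script, but that re-enables password logins for root, which
  # the upstream default (prohibit-password) deliberately blocks. Export
  # SSHD_PERMIT_ROOT_LOGIN=prohibit-password or =no to keep the stricter
  # setting.
  local permit_root=${SSHD_PERMIT_ROOT_LOGIN:-yes}

  cp -f "$src_dir/sshd_config" /etc/ssh/sshd_config
  # Replace the stock Subsystem line with the sftp-server from this build.
  sed -i 's/Subsystem/#Subsystem/g' /etc/ssh/sshd_config
  echo "Subsystem sftp $prefix/libexec/sftp-server" >> /etc/ssh/sshd_config
  cp -f "$prefix/sbin/sshd" /usr/sbin/sshd
  cp -f "$prefix/bin/ssh" /usr/bin/ssh
  cp -f "$prefix/bin/ssh-keygen" /usr/bin/ssh-keygen
  # Password authentication is switched on explicitly, as in the original.
  sed -i 's/#PasswordAuthentication\ yes/PasswordAuthentication\ yes/g' /etc/ssh/sshd_config
  echo "PermitRootLogin $permit_root" >> /etc/ssh/sshd_config
}

#######################################
# Validate the config, start sshd and, on success, remove the tarballs and
# print the active version.
# Globals:   file, zlib_version, openssl_version, openssh_version (read)
# Returns:   exits the script with status 1 when the config test or the
#            service start fails
#######################################
_openssh_start()
{
  # sshd -t parses sshd_config and loads the host keys without starting a
  # daemon, so a bad directive or unusable key is reported here with its
  # reason instead of as a silent start failure.
  if ! /usr/sbin/sshd -t; then
    echo -e "\033[33m--------------------------------------------------------------- \033[0m"
    echo -e " sshd配置检查失败(sshd -t),脚本退出中......" "\033[31m Error\033[0m"
    echo -e "\033[33m--------------------------------------------------------------- \033[0m"
    sleep 4
    exit 1
  fi
  # Let systemd forget the unit moved aside and notice the new init script.
  systemctl daemon-reload > /dev/null 2>&1
  if service sshd start > /dev/null 2>&1; then
    echo -e "\033[33m--------------------------------------------------------------- \033[0m"
    echo -e " 启动OpenSSH服务成功" "\033[32m Success\033[0m"
    echo -e "\033[33m--------------------------------------------------------------- \033[0m"
    echo ""
    sleep 2
    # Remove the source tarballs; the unpacked trees in $file_install stay.
    rm -f -- "$file"/*"$zlib_version.tar.gz"
    rm -f -- "$file"/*"$openssl_version.tar.gz"
    rm -f -- "$file"/*"$openssh_version.tar.gz"
    echo -e "\033[33m 3.4-正在输出 OpenSSH 版本...... \033[0m"
    sleep 3
    echo ""
    echo -e "\033[32m==================== OpenSSH veriosn =================== \033[0m"
    echo ""
    ssh -V
    echo ""
    echo -e "\033[32m======================================================== \033[0m"
  else
    echo -e "\033[33m--------------------------------------------------------------- \033[0m"
    echo -e " 启动OpenSSH服务失败,脚本退出中......" "\033[31m Error\033[0m"
    echo -e "\033[33m--------------------------------------------------------------- \033[0m"
    sleep 4
    exit 1
  fi
  echo ""
}

#######################################
# Build and install OpenSSH, install its init/PAM/config files and start
# the new daemon. Any failed step exits the script.
# Globals:   see the helpers above
# Returns:   0 when the new sshd is running
#######################################
Install_openssh(){
  _openssh_unpack
  _openssh_build
  _openssh_install_service
  _openssh_write_config
  _openssh_start
}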

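#######################################
# Print the sshd service status and the upgrade's work directories.
# Globals:   file_install, file_backup, file_log (read)
# Outputs:   status report on stdout
# Returns:   0
#######################################
End_install()
{
  echo ""
  # The original ended this banner with \033[33m, leaving the terminal yellow.
  echo -e "\033[33m 输出sshd服务状态: \033[0m"
  sleep 2
  echo ""
  systemctl status sshd.service
  echo ""
  echo ""
  echo ""
  sleep 1
  echo -e "\033[33m==================== OpenSSH file =================== \033[0m"
  echo ""
  # Each path is resolved in a subshell so the caller's cwd is untouched.
  echo -e " Openssh升级安装目录请前往: "
  (cd "$file_install" && pwd)
  echo ""
  echo -e " Openssh升级备份目录请前往: "
  (cd "$file_backup" && pwd)
  echo ""
  echo -e " Openssh升级日志目录请前往: "
  (cd "$file_log" && pwd)
  echo ""
  cd ~
  echo -e "\033[33m======================================================= \033[0m"
}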

#######################################
# Run the upgrade end to end, in dependency order: preflight, backup,
# remove the packaged OpenSSH, fetch sources, build zlib, then OpenSSL,
# then OpenSSH, and finally report status.
#######################################
main() {
  Install_make
  Install_backup
  Remove_openssh
  Install_tar
  Install_zlib
  Install_openssl
  Install_openssh
  End_install
}

main "$@"

上传脚本到Linux并转换sh脚本文件格式

 windows电脑环境编辑的脚本文件上传到Linux环境可能会遇到的问题

[root@localhost soft]# sh sshupdate.sh

sshupdate.sh: line 120: syntax error near unexpected token `$'\r''

[root@localhost soft]#

原因分析:报错是因为Windows操作系统和Linux操作系统的换行符编码不一样,在Windows下编辑的脚本每行末尾带有多余的回车符(\r)

解决办法:脚本在执行前需使用dos2unix命令转换文件格式

具体步骤:

#dos2unix命令安装:

yum -y install dos2unix

#转换文件格式,sshupdate.sh是你要转换的sh脚本,根据个人文件名称修改:

dos2unix sshupdate.sh

dos2unix: converting file sshupdate.sh to Unix format ...

执行脚本,等待完成

sh ./sshupdate.sh

测试验证

查看SSH版本

ssh -V


