Linux Centos7 升级最新版OpenSSH-9.6p1详细步骤(附脚本)
GaoSJiang 2024-07-16 12:07:03 阅读 97
最近公司系统在进行三级等保测评,其中有一项高危漏洞是Linux服务器的SSH版本太低存在安全风险,要求整改升级到最新版本,此篇文章记录SSH升级步骤和脚本。
鸣谢:本文参考文章,在该作者文章的所提供的脚本基础上进行修改而来:Linux OpenSSH-9.0p1最新版升级步骤详细(附脚本)_ssh升级脚本-CSDN博客
环境准备及软件下载相关步骤,请参考以上作者原文章,写的非常详细,这里只对一些优化和改进的地方进行记录。
编写脚本,该脚本在参考原文脚本的基础上修改(完整脚本,直接复制可用)
<code>#!/bin/bash
#
#########################################################
# Function :openssh-9.6p1 update #
# Platform :Centos7.X #
# Version :2.0 #
# Date :2022-05-01 #
#########################################################
clear
export LANG="en_US.UTF-8"code>
#修改1:此处的zlib原来的版本zlib-1.2提示下载失败,改完最新版本号可正常下载,
#最新版本可在此地址查看:https://www.zlib.net/,截止本文修改日期最新版本为1.3.1
#openssl和openssh下载不同的版本在此处修改版本号即可
zlib_version="zlib-1.3.1"code>
openssl_version="openssl-1.1.1q"code>
openssh_version="openssh-9.6p1"code>
#安装包地址,这里存在一个问题,如果文件夹没有提前建好,后续执行脚本将报错
file="/opt"code>
#默认编译路径
default="/usr/local"code>
date_time=`date +%Y-%m-%d—%H:%M`
#安装目录
file_install="$file/openssh_install"code>
file_backup="$file/openssh_backup"code>
file_log="$file/openssh_log"code>
#修改2:为了解决文件夹不存在的问题,我这里添加了创建文件夹的脚本---start
if [ ! -d "$file_install" ]; then
mkdir "$file_install"
fi
if [ ! -d "$file_backup" ]; then
mkdir "$file_backup"
fi
if [ ! -d "$file_log" ]; then
mkdir "$file_log"
fi
if [ ! -d "$file_install/zlib" ]; then
mkdir "$file_install/zlib"
fi
#修改2:为了解决文件夹不存在的问题,我这里添加了创建文件夹的脚本---end
#源码包链接
zlib_download="https://www.zlib.net/$zlib_version.tar.gz"code>
openssl_download="https://www.openssl.org/source/$openssl_version.tar.gz"code>
openssh_download="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/$openssh_version.tar.gz"code>
Install_make()
{
# Check if user is root
if [ $(id -u) != "0" ]; then
echo -e "\033[33m--------------------------------------------------------------- \033[0m"
echo -e " 当前用户为普通用户,必须使用root用户运行,脚本退出中......" "\033[31m Error\033[0m"
echo -e "\033[33m--------------------------------------------------------------- \033[0m"
echo ""
sleep 4
exit
fi
#判断是否安装wget
echo -e "\033[33m 正在安装Wget...... \033[0m"
sleep 2
echo ""
if ! type wget >/dev/null 2>&1; then
yum install -y wget
else
echo -e "\033[33m--------------------------------------------------------------- \033[0m"
echo -e " wget已经安装了:" "\033[32m Please continue\033[0m"
echo -e "\033[33m--------------------------------------------------------------- \033[0m"
echo ""
fi
#判断是否安装tar
echo -e "\033[33m 正在安装TAR...... \033[0m"
sleep 2
echo ""
if ! type tar >/dev/null 2>&1; then
yum install -y tar
else
echo ""
echo -e "\033[33m--------------------------------------------------------------- \033[0m"
echo -e " tar已经安装了:" "\033[32m Please continue\033[0m"
echo -e "\033[33m--------------------------------------------------------------- \033[0m"
fi
echo ""
#安装相关依赖包
echo -e "\033[33m 正在安装依赖包...... \033[0m"
sleep 3
echo ""
yum install gcc gcc-c++ glibc make autoconf openssl openssl-devel pcre-devel pam-devel zlib-devel tcp_wrappers-devel tcp_wrappers
if [ $? -eq 0 ];then
echo ""
echo -e "\033[33m--------------------------------------------------------------- \033[0m"
echo -e " 安装软件依赖包成功 " "\033[32m Success\033[0m"
echo -e "\033[33m--------------------------------------------------------------- \033[0m"
else
echo -e "\033[33m--------------------------------------------------------------- \033[0m"
echo -e " 解压源码包失败,脚本退出中......" "\033[31m Error\033[0m"
echo -e "\033[33m--------------------------------------------------------------- \033[0m"
sleep 4
exit
fi
echo ""
}
Install_backup()
{
#创建文件(可修改)
mkdir -p $file_install
mkdir -p $file_backup
mkdir -p $file_log
mkdir -p $file_backup/zlib
mkdir -p $file_backup/ssl
mkdir -p $file_backup/ssh
mkdir -p $file_log/zlib
mkdir -p $file_log/ssl
mkdir -p $file_log/ssh
#备份文件(可修改)
cp -rf /usr/bin/openssl $file_backup/ssl/openssl_$date_time.bak > /dev/null
cp -rf /etc/init.d/sshd $file_backup/ssh/sshd_$date_time.bak > /dev/null
cp -rf /etc/ssh $file_backup/ssh/ssh_$date_time.bak > /dev/null
cp -rf /usr/lib/systemd/system/sshd.service $file_backup/ssh/sshd_$date_time.service.bak > /dev/null
cp -rf /etc/pam.d/sshd.pam $file_backup/ssh/sshd_$date_time.pam.bak > /dev/null
}
Remove_openssh()
{
##并卸载原有的openssh(可修改)
rpm -e --nodeps `rpm -qa | grep openssh`
}
Install_tar()
{
#下载的源码包,检查是否解压(可修改)
#if [ -e $file/$zlib_version.tar.gz ] && [ -e $file/$openssl_version.tar.gz ] && [ -e /$file/$openssh_version.tar.gz ];then
#echo -e " 下载软件源码包已存在 " "\033[32m Please continue\033[0m"
#else
#echo -e "\033[33m 未发现本地源码包,链接检查获取中........... \033[0m "
#echo ""
#cd $file
#wget --no-check-certificate $zlib_download
#wget --no-check-certificate $openssl_download
#wget --no-check-certificate $openssh_download
#echo ""
#fi
#zlib
echo -e "\033[33m 正在下载Zlib软件包...... \033[0m"
sleep 3
echo ""
if [ -e $file/$zlib_version.tar.gz ] ;then
echo -e " 下载软件源码包已存在 " "\033[32m Please continue\033[0m"
else
echo -e "\033[33m 未发现zlib本地源码包,链接检查获取中........... \033[0m "
sleep 1
echo ""
cd $file
wget --no-check-certificate $zlib_download
echo ""
fi
#openssl
echo -e "\033[33m 正在下载Openssl软件包...... \033[0m"
sleep 3
echo ""
if [ -e $file/$openssl_version.tar.gz ] ;then
echo -e " 下载软件源码包已存在 " "\033[32m Please continue\033[0m"
else
echo -e "\033[33m 未发现openssl本地源码包,链接检查获取中........... \033[0m "
echo ""
sleep 1
cd $file
wget --no-check-certificate $openssl_download
echo ""
fi
#openssh
echo -e "\033[33m 正在下载Openssh软件包...... \033[0m"
sleep 3
echo ""
if [ -e /$file/$openssh_version.tar.gz ];then
echo -e " 下载软件源码包已存在 " "\033[32m Please continue\033[0m"
else
echo -e "\033[33m 未发现openssh本地源码包,链接检查获取中........... \033[0m "
echo ""
sleep 1
cd $file
wget --no-check-certificate $openssh_download
fi
}
echo ""
echo ""
#安装zlib
Install_zlib(){
echo -e "\033[33m 1.1-正在解压Zlib软件包...... \033[0m"
sleep 3
echo ""
cd $file && mkdir -p $file_install && tar -xzf zlib*.tar.gz -C $file_install > /dev/null
if [ -d $file_install/$zilb_version ];then
echo -e "\033[33m--------------------------------------------------------------- \033[0m"
echo -e " zilb解压源码包成功" "\033[32m Success\033[0m"
echo -e "\033[33m--------------------------------------------------------------- \033[0m"
echo ""
else
echo -e "\033[33m--------------------------------------------------------------- \033[0m"
echo -e " zilb解压源码包失败,脚本退出中......" "\033[31m Error\033[0m"
echo -e "\033[33m--------------------------------------------------------------- \033[0m"
echo ""
sleep 4
exit
fi
echo -e "\033[33m 1.2-正在编译安装Zlib服务.............. \033[0m"
sleep 3
echo ""
#这里原脚本写法:cd $file_install/zlib*,我遇到了cd目录失败问题,将此处修改如下
cd $file_install/$zlib_version
echo -e "$pwd"
./configure --prefix=$default/$zlib_version > $file_log/zlib/zlib_configure_$date_time.txt #> /dev/null 2>&1
if [ $? -eq 0 ];then
echo -e "\033[33m make... \033[0m"
make > /dev/null 2>&1
echo $?
echo -e "\033[33m make test... \033[0m"
make test > /dev/null 2>&1
echo $?
echo -e "\033[33m make install... \033[0m"
make install > /dev/null 2>&1
echo $?
else
echo -e "\033[33m--------------------------------------------------------------- \033[0m"
echo -e " 编译安装压缩库失败,脚本退出中..." "\033[31m Error\033[0m"
echo -e "\033[33m--------------------------------------------------------------- \033[0m"
echo ""
sleep 4
exit
fi
if [ -e $default/$zlib_version/lib/libz.so ];then
sed -i '/zlib/'d /etc/ld.so.conf
echo "$default/$zlib_version/lib" >> /etc/ld.so.conf
echo "$default/$zlib_version/lib" >> /etc/ld.so.conf.d/zlib.conf
ldconfig -v > $file_log/zlib/zlib_ldconfig_$date_time.txt > /dev/null 2>&1
/sbin/ldconfig
fi
}
echo ""
echo ""
Install_openssl(){
echo -e "\033[33m 2.1-正在解压Openssl...... \033[0m"
sleep 3
echo ""
cd $file && tar -xvzf openssl*.tar.gz -C $file_install > /dev/null
if [ -d $file_install/$openssl_version ];then
echo -e "\033[33m--------------------------------------------------------------- \033[0m"
echo -e " OpenSSL解压源码包成功" "\033[32m Success\033[0m"
echo -e "\033[33m--------------------------------------------------------------- \033[0m"
else
echo -e "\033[33m--------------------------------------------------------------- \033[0m"
echo -e " OpenSSL解压源码包失败,脚本退出中......" "\033[31m Error\033[0m"
echo -e "\033[33m--------------------------------------------------------------- \033[0m"
echo ""
sleep 4
exit
fi
echo ""
echo -e "\033[33m 2.2-正在编译安装Openssl服务...... \033[0m"
sleep 3
echo ""
cd $file_install/$openssl_version
./config shared zlib --prefix=$default/$openssl_version > $file_log/ssl/ssl_config_$date_time.txt #> /dev/null 2>&1
if [ $? -eq 0 ];then
echo -e "\033[33m make clean... \033[0m"
make clean > /dev/null 2>&1
echo $?
echo -e "\033[33m make -j 4... \033[0m"
make -j 4 > /dev/null 2>&1
echo $?
echo -e "\033[33m make install... \033[0m"
make install > /dev/null 2>&1
echo $?
else
echo -e "\033[33m--------------------------------------------------------------- \033[0m"
echo -e " 编译安装OpenSSL失败,脚本退出中..." "\033[31m Error\033[0m"
echo -e "\033[33m--------------------------------------------------------------- \033[0m"
echo ""
sleep 4
exit
fi
mv /usr/bin/openssl /usr/bin/openssl_$date_time.bak #先备份
if [ -e $default/$openssl_version/bin/openssl ];then
sed -i '/openssl/'d /etc/ld.so.conf
echo "$default/$openssl_version/lib" >> /etc/ld.so.conf
ln -s $default/$openssl_version/bin/openssl /usr/bin/openssl
ln -s $default/$openssl_version/lib/libssl.so.1.1 /usr/lib64/libssl.so.1.1
ln -s $default/$openssl_version/lib/libcrypto.so.1.1 /usr/lib64/libcrypto.so.1.1
ldconfig -v > $file_log/ssl/ssl_ldconfig_$date_time.txt > /dev/null 2>&1
/sbin/ldconfig
echo -e "\033[33m--------------------------------------------------------------- \033[0m"
echo -e " 编译安装OpenSSL " "\033[32m Success\033[0m"
echo -e "\033[33m--------------------------------------------------------------- \033[0m"
echo ""
echo -e "\033[33m 2.3-正在输出 OpenSSL 版本状态.............. \033[0m"
sleep 3
echo ""
echo -e "\033[32m====================== OpenSSL veriosn ===================== \033[0m"
echo ""
openssl version -a
echo ""
echo -e "\033[32m======================================================= \033[0m"
sleep 2
else
echo ""
echo -e "\033[33m--------------------------------------------------------------- \033[0m"
echo -e " OpenSSL软连接失败,脚本退出中..." "\033[31m Error\033[0m"
echo -e "\033[33m--------------------------------------------------------------- \033[0m"
fi
}
echo ""
echo ""
Install_openssh(){
echo -e "\033[33m 3.1-正在解压OpenSSH...... \033[0m"
sleep 3
echo ""
cd $file && tar -xvzf openssh*.tar.gz -C $file_install > /dev/null
if [ -d $file_install/$openssh_version ];then
echo -e "\033[33m--------------------------------------------------------------- \033[0m"
echo -e " OpenSSh解压源码包成功" "\033[32m Success\033[0m"
echo -e "\033[33m--------------------------------------------------------------- \033[0m"
else
echo -e "\033[33m--------------------------------------------------------------- \033[0m"
echo -e " OpenSSh解压源码包失败,脚本退出中......" "\033[31m Error\033[0m"
echo -e "\033[33m--------------------------------------------------------------- \033[0m"
echo ""
sleep 4
exit
fi
echo ""
echo -e "\033[33m 3.2-正在编译安装OpenSSH服务...... \033[0m"
sleep 3
echo ""
mv /etc/ssh /etc/ssh_$date_time.bak #先备份
cd $file_install/$openssh_version
./configure --prefix=$default/$openssh_version --sysconfdir=/etc/ssh --with-ssl-dir=$default/$openssl_version --with-zlib=$default/$zlib_version > $file_log/ssh/ssh_configure_$date_time.txt #> /dev/null 2>&1
if [ $? -eq 0 ];then
echo -e "\033[33m make -j 4... \033[0m"
make -j 4 > /dev/null 2>&1
echo $?
echo -e "\033[33m make install... \033[0m"
make install > /dev/null 2>&1
echo $?
else
echo -e "\033[33m--------------------------------------------------------------- \033[0m"
echo -e " 编译安装OpenSSH失败,脚本退出中......" "\033[31m Error\033[0m"
echo -e "\033[33m--------------------------------------------------------------- \033[0m"
echo ""
sleep 4
exit
fi
echo ""
echo -e "\033[33m--------------------------------------------------------------- \033[0m"
echo -e " 编译安装OpenSSH " "\033[32m Success\033[0m"
echo -e "\033[33m--------------------------------------------------------------- \033[0m"
echo ""
sleep 2
echo -e "\033[32m==================== OpenSSH—file veriosn =================== \033[0m"
echo ""
/usr/local/$openssh_version/bin/ssh -V
echo ""
echo -e "\033[32m======================================================= \033[0m"
sleep 3
echo ""
echo -e "\033[33m 3.3-正在迁移OpenSSH配置文件...... \033[0m"
sleep 3
echo ""
#迁移sshd
if [ -f "/etc/init.d/sshd" ];then
mv /etc/init.d/sshd /etc/init.d/sshd_$date_time.bak
else
echo -e " /etc/init.d/sshd不存在 " "\033[31m Not backed up(可忽略)\033[0m"
fi
cp -rf $file_install/$openssh_version/contrib/redhat/sshd.init /etc/init.d/sshd;
chmod u+x /etc/init.d/sshd;
chkconfig --add sshd ##自启动
chkconfig --list |grep sshd;
chkconfig sshd on
#备份启动脚本,不一定有
if [ -f "/usr/lib/systemd/system/sshd.service" ];then
mv /usr/lib/systemd/system/sshd.service /usr/lib/systemd/system/sshd.service_bak
else
echo -e " sshd.service不存在" "\033[31m Not backed up(可忽略)\033[0m"
fi
#备份复制sshd.pam文件
if [ -f "/etc/pam.d/sshd.pam" ];then
mv /etc/pam.d/sshd.pam /etc/pam.d/sshd.pam_$date_time.bak
else
echo -e " sshd.pam不存在" "\033[31m Not backed up(可忽略)\033[0m"
fi
cp -rf $file_install/$openssh_version/contrib/redhat/sshd.pam /etc/pam.d/sshd.pam
#迁移ssh_config
cp -rf $file_install/$openssh_version/sshd_config /etc/ssh/sshd_config
sed -i 's/Subsystem/#Subsystem/g' /etc/ssh/sshd_config
echo "Subsystem sftp $default/$openssh_version/libexec/sftp-server" >> /etc/ssh/sshd_config
cp -rf $default/$openssh_version/sbin/sshd /usr/sbin/sshd
cp -rf /$default/$openssh_version/bin/ssh /usr/bin/ssh
cp -rf $default/$openssh_version/bin/ssh-keygen /usr/bin/ssh-keygen
sed -i 's/#PasswordAuthentication\ yes/PasswordAuthentication\ yes/g' /etc/ssh/sshd_config
#grep -v "[[:space:]]*#" /etc/ssh/sshd_config |grep "PubkeyAuthentication yes"
echo 'PermitRootLogin yes' >> /etc/ssh/sshd_config
#重启sshd
service sshd start > /dev/null 2>&1
if [ $? -eq 0 ];then
echo -e "\033[33m--------------------------------------------------------------- \033[0m"
echo -e " 启动OpenSSH服务成功" "\033[32m Success\033[0m"
echo -e "\033[33m--------------------------------------------------------------- \033[0m"
echo ""
sleep 2
#删除源码包(可修改)
rm -rf $file/*$zlib_version.tar.gz
rm -rf $file/*$openssl_version.tar.gz
rm -rf $file/*$openssh_version.tar.gz
#rm -rf $file_install
echo -e "\033[33m 3.4-正在输出 OpenSSH 版本...... \033[0m"
sleep 3
echo ""
echo -e "\033[32m==================== OpenSSH veriosn =================== \033[0m"
echo ""
ssh -V
echo ""
echo -e "\033[32m======================================================== \033[0m"
else
echo -e "\033[33m--------------------------------------------------------------- \033[0m"
echo -e " 启动OpenSSH服务失败,脚本退出中......" "\033[31m Error\033[0m"
echo -e "\033[33m--------------------------------------------------------------- \033[0m"
sleep 4
exit
fi
echo ""
}
End_install()
{
##sshd状态
echo ""
echo -e "\033[33m 输出sshd服务状态: \033[33m"
sleep 2
echo ""
systemctl status sshd.service
echo ""
echo ""
echo ""
sleep 1
echo -e "\033[33m==================== OpenSSH file =================== \033[0m"
echo ""
echo -e " Openssh升级安装目录请前往: "
cd $file_install && pwd
cd ~
echo ""
echo -e " Openssh升级备份目录请前往: "
cd $file_backup && pwd
cd ~
echo ""
echo -e " Openssh升级日志目录请前往: "
cd $file_log && pwd
cd ~
echo ""
echo -e "\033[33m======================================================= \033[0m"
}
Install_make
Install_backup
Remove_openssh
Install_tar
Install_zlib
Install_openssl
Install_openssh
End_install
上传脚本到Linux并转换sh脚本文件格式
windows电脑环境编辑的脚本文件上传到Linux环境可能会遇到的问题
[root@localhost soft]# sh sshupdate.sh
sshupdate.sh: line 120: syntax error near unexpected token `$'\r''
[root@localhost soft]#
原因分析:报错原因是因为脚本window操作系统和Linux操作系统换行符的编码不一样
解决办法:脚本在执行前需使用dos2unix命令转换文件格式
具体步骤:
#dos2unix命令安装:
yum -y install dos2unix
#转换文件格式,sshupdate.sh是你要转换的sh脚本,根据个人文件名称修改:
dos2unix sshupdate.sh
dos2unix: converting file sshupdate.sh to Unix format ...
执行脚本,等待完成
sh ./sshupdate.sh
测试验证
查看SSH版本
ssh -V
声明
本文内容仅代表作者观点,或转载于其他网站,本站不以此文作为商业用途
如有涉及侵权,请联系本站进行删除
转载本站原创文章,请注明来源及作者。