Rocky Linux 9.4基于官方源码制作openssh 9.8p1二进制rpm包 —— 筑梦之路

筑梦之路 2024-07-16 10:07:02 阅读 66

2024年7月1日,openssh 9.8版本发布,主要修复了CVE-2024-6387安全漏洞。

由于centos 7的生命周期在6月30日终止,因此需要逐步替换到Rocky Linux,后续会有更多分享关于Rocky Linux的文章。

环境说明

1. 操作系统版本

<code>cat /etc/os-release

NAME="Rocky Linux"code>

VERSION="9.4 (Blue Onyx)"code>

ID="rocky"code>

ID_LIKE="rhel centos fedora"code>

VERSION_ID="9.4"code>

PLATFORM_ID="platform:el9"code>

PRETTY_NAME="Rocky Linux 9.4 (Blue Onyx)"code>

ANSI_COLOR="0;32"code>

LOGO="fedora-logo-icon"code>

CPE_NAME="cpe:/o:rocky:rocky:9::baseos"code>

HOME_URL="https://rockylinux.org/"code>

BUG_REPORT_URL="https://bugs.rockylinux.org/"code>

SUPPORT_END="2032-05-31"code>

ROCKY_SUPPORT_PRODUCT="Rocky-Linux-9"code>

ROCKY_SUPPORT_PRODUCT_VERSION="9.4"code>

REDHAT_SUPPORT_PRODUCT="Rocky Linux"code>

REDHAT_SUPPORT_PRODUCT_VERSION="9.4"code>

2. 内核版本和CPU架构

uname -r

5.14.0-427.16.1.el9_4.x86_64

arch

x86_64

3. openssl版本

openssl version

OpenSSL 3.0.7 1 Nov 2022 (Library: OpenSSL 3.0.7 1 Nov 2022)

准备工作

 1. 安装编译工具和依赖包

dnf install rpm-build zlib-devel openssl-devel gcc perl-devel pam-devel libXt-devel gtk2-devel make perl krb5-devel -y

2. 下载所需要的源码

# openssh源码包

wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.8p1.tar.gz

# imake rpm包

wget http://rpmfind.net/linux/epel/9/Everything/x86_64/Packages/i/imake-1.0.8-6.el9.x86_64.rpm

# x11源码包

wget https://src.fedoraproject.org/repo/pkgs/openssh/x11-ssh-askpass-1.2.4.1.tar.gz/8f2e41f3f7eaa8543a2440454637f3c3/x11-ssh-askpass-1.2.4.1.tar.gz

3. 创建所需目录和安装imake包

# 创建制作rpm包的目录结构

mkdir -p rpmbuild/{SPECS,SOURCES}

# 安装imake rpm包

rpm -ivh imake-1.0.8-6.el9.x86_64.rpm

# 将源码拷贝到对应的目录

cp openssh-9.8p1.tar.gz rpmbuild/SOURCES/

cp x11-ssh-askpass-1.2.4.1.tar.gz rpmbuild/SOURCES/

4. 修改spec文件

tar -zxvf openssh-9.8p1.tar.gz

cp openssh-9.8p1/contrib/redhat/openssh.spec rpmbuild/SPECS/

cd rpmbuild/SPECS/

修改openssh.spec文件,主要添加ssh-copy-id命令,启用openssl版本显示

编译制作rpm二进制包

# 制作二进制rpm包和src源码包

rpmbuild -ba openssh.spec

# 二进制rpm包

ls -lh RPMS/x86_64/

total 5.8M

-rw-r--r-- 1 root root 524K Jul 2 13:00 openssh-9.8p1-1.el9.x86_64.rpm

-rw-r--r-- 1 root root 32K Jul 2 13:00 openssh-askpass-9.8p1-1.el9.x86_64.rpm

-rw-r--r-- 1 root root 43K Jul 2 13:00 openssh-askpass-debuginfo-9.8p1-1.el9.x86_64.rpm

-rw-r--r-- 1 root root 16K Jul 2 13:00 openssh-askpass-gnome-9.8p1-1.el9.x86_64.rpm

-rw-r--r-- 1 root root 27K Jul 2 13:00 openssh-askpass-gnome-debuginfo-9.8p1-1.el9.x86_64.rpm

-rw-r--r-- 1 root root 609K Jul 2 13:00 openssh-clients-9.8p1-1.el9.x86_64.rpm

-rw-r--r-- 1 root root 1.4M Jul 2 13:00 openssh-clients-debuginfo-9.8p1-1.el9.x86_64.rpm

-rw-r--r-- 1 root root 1001K Jul 2 13:00 openssh-debuginfo-9.8p1-1.el9.x86_64.rpm

-rw-r--r-- 1 root root 678K Jul 2 13:00 openssh-debugsource-9.8p1-1.el9.x86_64.rpm

-rw-r--r-- 1 root root 496K Jul 2 13:00 openssh-server-9.8p1-1.el9.x86_64.rpm

-rw-r--r-- 1 root root 1.1M Jul 2 13:00 openssh-server-debuginfo-9.8p1-1.el9.x86_64.rpm

# src源码rpm包

ls -lh SRPMS/

total 1.9M

-rw-r--r-- 1 root root 1.9M Jul 2 13:00 openssh-9.8p1-1.el9.src.rpm

检查验证

对rpm包在干净的环境上安装检查验证,主要验证用户权限、登陆测试等方面。

<code># 安装依赖包

dnf install chkconfig initscripts

# 安装openssh 9.8p1版本

yum localinstall openssh-*.rpm

# 设置权限

chmod 600 /etc/ssh/ssh_host*

#授权

mv /etc/ssh/sshd_config /etc/ssh/sshd_config_bak

echo "PermitRootLogin yes" >> /etc/ssh/sshd_config #允许root远程登录

#配置认证

mv /etc/pam.d/sshd /etc/pam.d/sshd-bak

cat > /etc/pam.d/sshd <<EOF

#%PAM-1.0

auth required pam_sepermit.so

auth include password-auth

account required pam_nologin.so

account include password-auth

password include password-auth

## pam_selinux.so close should be the first session rule

session required pam_selinux.so close

session required pam_loginuid.so

## pam_selinux.so open should only be followed by sessions to be executed in the user context

session required pam_selinux.so open env_params

session optional pam_keyinit.so force revoke

session include password-auth

EOF

# 重启服务

systemctl restart sshd



声明

本文内容仅代表作者观点,或转载于其他网站,本站不以此文作为商业用途
如有涉及侵权,请联系本站进行删除
转载本站原创文章,请注明来源及作者。