Building an RPM package to upgrade OpenSSH on CentOS 7

I previously wrote up upgrading OpenSSH by compiling from source. To keep package versions manageable, this post records how to build an RPM package for the upgrade on CentOS. There are plenty of write-ups online about building an OpenSSH RPM; this one is adapted to my own requirements.

System environment

OS: CentOS 7 x86_64
OpenSSH version: 7.4p1
OpenSSL version: 1.0.2k-fips

Upgrade requirements

  1. Upgrade OpenSSH to 9.1p1
  2. Keep the distribution's /etc/pam.d/sshd file (and its permissions) instead of the one shipped in the OpenSSH contrib directory
  3. Keep ssh-copy-id

Preparation

  • Turn off SELinux before upgrading
# Edit the config as follows; takes effect after a reboot
vi /etc/selinux/config
SELINUX=disabled
# Takes effect immediately (this only switches to permissive mode: denials are logged, not blocked)
setenforce 0
getenforce
If SELinux has to stay on in your environment, permissive mode for the duration of the upgrade is enough to find out what would be denied: check /var/log/audit/audit.log for AVC records against sshd before switching back to enforcing.
  • Back up the configuration
cp /etc/pam.d/sshd /etc/pam.d/sshd_bak
cp /etc/pam.d/system-auth /etc/pam.d/system-auth_bak
cp /etc/ssh/sshd_config /etc/ssh/sshd_config_bak
cp /etc/ssh/ssh_config /etc/ssh/ssh_config_bak
cp -r /etc/ssh /etc/ssh_bak
  • Fetch the source tarballs
openssh-9.1p1 download:
curl -O https://mirrors.aliyun.com/pub/OpenBSD/OpenSSH/portable/openssh-9.1p1.tar.gz
OpenSSH releases are signed: fetch the matching openssh-9.1p1.tar.gz.asc from the OpenSSH download directory and verify it with gpg against the OpenSSH release key before building anything pulled from a mirror.

ssh-askpass download (optional):
curl -O https://src.fedoraproject.org/repo/pkgs/openssh/x11-ssh-askpass-1.2.4.1.tar.gz/8f2e41f3f7eaa8543a2440454637f3c3/x11-ssh-askpass-1.2.4.1.tar.gz
  • Install build dependencies
yum install rpm-build zlib-devel openssl-devel gcc perl-devel pam-devel unzip libXt-devel imake gtk2-devel

Building the RPM package

  • Create the build directories
mkdir -p ~/rpmbuild/{SOURCES,SPECS}
  • Unpack the tarball
tar -zxvf openssh-9.1p1.tar.gz
  • Copy the sources into SOURCES (the x11-ssh-askpass-1.2.4.1.tar.gz tarball is optional)
cp openssh-9.1p1.tar.gz x11-ssh-askpass-1.2.4.1.tar.gz ~/rpmbuild/SOURCES/
cp /etc/pam.d/sshd ~/rpmbuild/SOURCES/       # keep the system's PAM file across the upgrade
cp openssh-9.1p1/contrib/ssh-copy-id ~/rpmbuild/SOURCES/         # keep ssh-copy-id across the upgrade
  • For reference, the stock /etc/pam.d/sshd shipped with the system:
#%PAM-1.0
auth       required pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare
  • Copy the spec file into SPECS
cp openssh-9.1p1/contrib/redhat/openssh.spec ~/rpmbuild/SPECS/

Customizing openssh.spec

cd ~/rpmbuild/SPECS/
vim openssh.spec
  • Add Source2 (the preserved PAM file) and Source3 (ssh-copy-id) after the existing Source lines. Keep the tag lines clean: rpm takes the whole remainder of a Source line as the file name, so a trailing comment there would break the build.
 Source0: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
 Source1: http://www.jmknoble.net/software/x11-ssh-askpass/x11-ssh-askpass-%{aversion}.tar.gz
 Source2: sshd
 Source3: ssh-copy-id
  • Comment out the OpenSSL version constraint (the system has OpenSSL 1.0.2k; the openssl-devel build dependency itself stays)
#BuildRequires: openssl-devel < 1.1
  • Comment out the original line and add the one below it, so the package installs the preserved PAM file
#install -m644 contrib/redhat/sshd.pam     $RPM_BUILD_ROOT/etc/pam.d/sshd
install -m644 $RPM_SOURCE_DIR/sshd     $RPM_BUILD_ROOT/etc/pam.d/sshd
  • After the following line, add the ssh-copy-id line so the upgrade keeps ssh-copy-id
install -m755 contrib/redhat/sshd.init $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd
install -m755 $RPM_SOURCE_DIR/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/ssh-copy-id
  • Under %pre server add the following line to back up the ssh configuration before the install. A plain cp -r into the /etc/ssh_bak created during preparation would nest the copy as /etc/ssh_bak/ssh, so only copy when no backup exists yet:
[ -e /etc/ssh_bak ] || cp -a /etc/ssh /etc/ssh_bak
  • Under %post server add the following lines (adjust to your needs). The spec installs sshd_config as %config(noreplace), so on an upgrade the existing file is kept and these sed patterns only change lines that are still in their commented stock form; verify the result with sshd -t before restarting.
sed -i -e "s/#PermitRootLogin prohibit-password/PermitRootLogin yes/g" /etc/ssh/sshd_config
sed -i -e "s/#UsePAM no/UsePAM yes/g" /etc/ssh/sshd_config
sed -i -e "s/#X11Forwarding no/X11Forwarding yes/g" /etc/ssh/sshd_config
# append only once: the scriptlet runs again on every later upgrade
grep -q "^KexAlgorithms " /etc/ssh/sshd_config || echo "KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1" >> /etc/ssh/sshd_config
chmod +x /etc/init.d/sshd
chmod 600 /etc/ssh/ssh_host_rsa_key
chmod 600 /etc/ssh/ssh_host_ecdsa_key
chmod 600 /etc/ssh/ssh_host_ed25519_key

Notes:
1. Allow root login. The upstream default has been PermitRootLogin prohibit-password since OpenSSH 7.0 (the "8.6" in the guide this was adapted from is just the version that guide targeted), so after the upgrade root can only log in with a key unless this is changed. Allowing password logins for root is a real weakening; prefer leaving prohibit-password in place and using keys.
2. Use PAM for authentication. The upstream default is UsePAM no, whereas the CentOS package shipped with UsePAM yes; without it the preserved /etc/pam.d/sshd stack above is never consulted.
3. Allow X11 forwarding.
4. Add legacy key exchange. Newer OpenSSH releases no longer offer diffie-hellman-group14-sha1 by default, so older clients such as old SecureCRT builds fail to negotiate without it. The first entry in the list on this page was mangled by the site's e-mail obfuscation and is assumed to be curve25519-sha256@libssh.org. group14-sha1 is a SHA-1 method kept purely for those clients; if old clients still fail against 8.8 or later, the usual cause is the removal of ssh-rsa (RSA/SHA-1) signatures from the defaults, which HostKeyAlgorithms +ssh-rsa and PubkeyAcceptedAlgorithms +ssh-rsa re-enable at the same cost.
5. Make /etc/init.d/sshd executable (the spec already installs it with mode 755, so this is belt and braces).
6. ssh_host_rsa_key, ssh_host_ecdsa_key and ssh_host_ed25519_key are the host private keys. The CentOS-patched 7.4 build tolerated their 0640 root:ssh_keys mode; upstream sshd refuses any private key readable by group or others ("Permissions 0640 for '/etc/ssh/ssh_host_rsa_key' are too open") and will not start, hence the chmod 600.
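The three sed lines and the echo in the %post scriptlet above only do the right thing while sshd_config still carries the stock commented lines, and a bare echo appends a second KexAlgorithms line every time the scriptlet runs again. The helper below is an added example, not code from the original post or from the OpenSSH spec: it rewrites the first active global directive, uncomments the stock line if that is all there is, or inserts the directive before the first Match block (after which sshd would treat it as per-connection scope), and is a no-op on a second run. It assumes a POSIX sh and awk; demo_post_install builds a constructed sample sshd_config (not a real host's file) under a directory you pass in and applies the same four changes.

```sh
#!/bin/sh
# Idempotent sshd_config editing for the %post scriptlet.
# Added example, not from the original post or the OpenSSH spec.
# Assumes a POSIX sh and awk; the target file is always passed in explicitly.

# sshd_set_option FILE KEY VALUE
#   Rewrites the first active global "KEY ..." line, or uncomments the first
#   "#KEY ..." line, or inserts "KEY VALUE" before the first Match block (or at
#   the end). Later global duplicates are dropped, because sshd only honours the
#   first occurrence of a keyword. Running it twice leaves the file unchanged.
sshd_set_option() {
    _file=$1 _key=$2 _value=$3
    _tmp=$(mktemp) || return 1
    awk -v key="$_key" -v value="$_value" '
        # From the first Match block on, directives are per-connection scope:
        # pass them through untouched, inserting the global line first if needed.
        !in_match && $0 ~ "^[ \t]*Match([ \t]|$)" {
            if (!done) { print key " " value; done = 1 }
            in_match = 1
        }
        in_match { print; next }
        # active global directive: rewrite the first, drop any later duplicate
        $0 ~ ("^[ \t]*" key "([ \t]|$)") {
            if (!done) { print key " " value; done = 1 }
            next
        }
        # commented-out stock line: turn it into the active directive
        !done && $0 ~ ("^[ \t]*#[ \t]*" key "([ \t]|$)") {
            print key " " value; done = 1; next
        }
        { print }
        END { if (!done) print key " " value }
    ' "$_file" > "$_tmp" && cat "$_tmp" > "$_file"   # cat keeps mode/owner of FILE
    _rc=$?
    rm -f "$_tmp"
    return $_rc
}

# demo_post_install DIR: constructed sample of a stock sshd_config (sample input,
# not a real host's file), edited the way the %post scriptlet in this post does.
demo_post_install() {
    _cfg=$1/sshd_config
    cat > "$_cfg" <<'EOF'
# constructed sample of a stock sshd_config
#PermitRootLogin prohibit-password
#X11Forwarding no
UsePAM no
Match User backup
    PermitRootLogin no
    X11Forwarding no
EOF
    sshd_set_option "$_cfg" PermitRootLogin yes
    sshd_set_option "$_cfg" UsePAM yes
    sshd_set_option "$_cfg" X11Forwarding yes
    # no KexAlgorithms line exists, so this one lands just before the Match block
    sshd_set_option "$_cfg" KexAlgorithms 'curve25519-sha256@libssh.org,ecdh-sha2-nistp256,diffie-hellman-group14-sha1'
    # a second run (as on the next package upgrade) must not change anything
    cp "$_cfg" "$_cfg.first"
    sshd_set_option "$_cfg" PermitRootLogin yes
    sshd_set_option "$_cfg" KexAlgorithms 'curve25519-sha256@libssh.org,ecdh-sha2-nistp256,diffie-hellman-group14-sha1'
    cmp -s "$_cfg" "$_cfg.first"
}
```

In the real scriptlet, point sshd_set_option at /etc/ssh/sshd_config and follow it with sshd -t, which also checks that the host keys are loadable; a sed pattern that no longer matches fails silently, a parse error in sshd_config does not.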

  • If you do not need ssh-askpass, set both of the following to 1 (optional)
# Do we want to disable building of x11-askpass? (1=yes 0=no)
%global no_x11_askpass 1

# Do we want to disable building of gnome-askpass? (1=yes 0=no)
%global no_gnome_askpass 1
  • Under %files clients add the following line
%attr(0755,root,root) %{_bindir}/ssh-copy-id
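These spec edits are easy to get wrong by hand and have to be redone for every new OpenSSH release, so here is the same set of edits as a script, with a check that each one actually landed. It is an added example, not part of the original post or of the OpenSSH contrib spec. It assumes GNU sed and that the anchor lines quoted above (Source1, the sshd.pam and sshd.init install lines, the askpass globals and the %files clients header) appear in the spec in that form; the %pre and %post scriptlet bodies are still added as shown above. demo_patch_spec runs it twice against a constructed fragment that contains only those anchor lines, not the real spec, and confirms the second run changes nothing.

```sh
#!/bin/sh
# Scripted openssh.spec customization. Added example, not from the original
# post or the OpenSSH contrib spec. Assumes GNU sed (-i, -E) and a POSIX sh.

# patch_openssh_spec SPEC: apply the edits from this post; safe to re-run.
patch_openssh_spec() {
    _spec=$1
    # Source2/Source3: the preserved PAM file and ssh-copy-id from SOURCES
    grep -q '^Source2: sshd$' "$_spec" || sed -i '/^Source1: /a\
Source2: sshd\
Source3: ssh-copy-id' "$_spec"
    # drop the OpenSSL < 1.1 constraint (CentOS 7 has 1.0.2k); keep the dependency itself
    sed -i 's/^BuildRequires: openssl-devel < 1.1/#&/' "$_spec"
    # install the preserved PAM file instead of contrib/redhat/sshd.pam
    sed -i 's|^install -m644 contrib/redhat/sshd\.pam\(.*\)$|#&\
install -m644 $RPM_SOURCE_DIR/sshd\1|' "$_spec"
    # install ssh-copy-id right after the init script
    grep -q 'RPM_SOURCE_DIR/ssh-copy-id' "$_spec" || sed -i '\|^install -m755 contrib/redhat/sshd\.init |a\
install -m755 $RPM_SOURCE_DIR/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/ssh-copy-id' "$_spec"
    # skip the X11 and GNOME askpass sub-packages
    sed -i -E 's/^%(global|define) (no_x11_askpass|no_gnome_askpass) .*/%\1 \2 1/' "$_spec"
    # ship ssh-copy-id in the clients sub-package
    grep -q '^%attr(0755,root,root) %{_bindir}/ssh-copy-id$' "$_spec" || sed -i '/^%files clients$/a\
%attr(0755,root,root) %{_bindir}/ssh-copy-id' "$_spec"
}

# verify_spec SPEC: every expected line must be present; reports what is missing.
verify_spec() {
    _spec=$1 _rc=0
    for _want in 'Source2: sshd' 'Source3: ssh-copy-id' \
                 '#BuildRequires: openssl-devel < 1.1' \
                 'install -m644 $RPM_SOURCE_DIR/sshd' \
                 'install -m755 $RPM_SOURCE_DIR/ssh-copy-id' \
                 'no_x11_askpass 1' 'no_gnome_askpass 1' \
                 '%attr(0755,root,root) %{_bindir}/ssh-copy-id'; do
        grep -Fq -- "$_want" "$_spec" || { echo "missing: $_want" >&2; _rc=1; }
    done
    return $_rc
}

# demo_patch_spec DIR: run against a constructed fragment holding only the
# anchor lines (sample input, not the real openssh.spec); second run is a no-op.
demo_patch_spec() {
    _demo=$1/openssh.spec
    cat > "$_demo" <<'EOF'
%global no_x11_askpass 0
%global no_gnome_askpass 0
Source0: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
Source1: http://www.jmknoble.net/software/x11-ssh-askpass/x11-ssh-askpass-%{aversion}.tar.gz
BuildRequires: openssl-devel < 1.1
%install
install -m644 contrib/redhat/sshd.pam     $RPM_BUILD_ROOT/etc/pam.d/sshd
install -m755 contrib/redhat/sshd.init $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd
%files clients
%attr(0755,root,root) %{_bindir}/ssh
EOF
    patch_openssh_spec "$_demo" && cp "$_demo" "$_demo.once" &&
    patch_openssh_spec "$_demo" && cmp -s "$_demo" "$_demo.once" &&
    verify_spec "$_demo"
}
```

Run patch_openssh_spec followed by verify_spec on ~/rpmbuild/SPECS/openssh.spec before rpmbuild; if verify_spec reports a missing line, an anchor line in that release's spec has moved and the corresponding sed needs updating rather than the build being run against a half-edited spec.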

Building the RPM

rpmbuild -ba openssh.spec
...
Checking for unpackaged file(s): /usr/lib/rpm/check-files /root/rpmbuild/BUILDROOT/openssh-9.1p1-1.el7.x86_64
Wrote: /root/rpmbuild/SRPMS/openssh-9.1p1-1.el7.src.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/openssh-9.1p1-1.el7.x86_64.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/openssh-clients-9.1p1-1.el7.x86_64.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/openssh-server-9.1p1-1.el7.x86_64.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/openssh-askpass-9.1p1-1.el7.x86_64.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/openssh-askpass-gnome-9.1p1-1.el7.x86_64.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/openssh-debuginfo-9.1p1-1.el7.x86_64.rpm
Executing(%clean): /bin/sh -e /var/tmp/rpm-tmp.LvGyDU
+ umask 022
+ cd /root/rpmbuild/BUILD
+ cd openssh-9.1p1
+ rm -rf /root/rpmbuild/BUILDROOT/openssh-9.1p1-1.el7.x86_64
+ exit 0

A final + exit 0 means the build completed without errors.

Installing the upgrade

Run rpm -qa | grep openssh to see what is installed in your environment and pick the packages you need; normally the three below are enough.
Installing through yum makes dependency handling easier and records the transaction in yum history, which is what the rollback below relies on.

cd ~/rpmbuild/RPMS/x86_64/
yum localinstall openssh-9.1p1-1.el7.x86_64.rpm openssh-server-9.1p1-1.el7.x86_64.rpm openssh-clients-9.1p1-1.el7.x86_64.rpm
or
rpm -Uvh openssh-9.1p1-1.el7.x86_64.rpm openssh-server-9.1p1-1.el7.x86_64.rpm openssh-clients-9.1p1-1.el7.x86_64.rpm

Final steps

# Optional: deleting the host keys makes the init script generate fresh ones on start.
# That changes the host identity, so every client that already knows this host will
# get a host-key-changed warning; skip this line to keep the existing keys.
rm -rf /etc/ssh/ssh*key
systemctl daemon-reload
# Open a second ssh session first, so a failed restart does not lock you out
systemctl restart sshd
systemctl status sshd
systemctl enable sshd

## Check that the PAM file for sshd still matches the system's original
cat /etc/pam.d/sshd

## Check that ssh-copy-id is still there
whereis ssh-copy-id
ssh-copy-id: /usr/bin/ssh-copy-id

Verification

ssh -V
OpenSSH_9.1p1, OpenSSL 1.0.2k-fips  26 Jan 2017

rpm -qa | grep openssh
openssh-9.1p1-1.el7.x86_64
openssh-clients-9.1p1-1.el7.x86_64
openssh-server-9.1p1-1.el7.x86_64
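The checks in the two sections above, as added example code that is not from the original post: the version reported by ssh -V is parsed and compared against the target, the installed /etc/pam.d/sshd is compared byte for byte with the backup taken before the upgrade, and the host private keys are checked for the 0600 mode that upstream sshd insists on. It assumes GNU coreutils (stat -c) and a POSIX sh, and takes every path as an argument so it can be exercised on scratch copies; the file names and the 9.1 target are the ones used in this post.

```sh
#!/bin/sh
# Post-upgrade checks for the OpenSSH RPM rebuild. Added example; not from the
# original post. Assumes GNU coreutils (stat -c) and a POSIX sh.

# openssh_version BANNER: "OpenSSH_9.1p1, OpenSSL 1.0.2k-fips ..." -> "9.1"
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# version_ge A B: true when major.minor A is at least major.minor B
version_ge() {
    _a_major=${1%%.*} _a_minor=${1#*.} _b_major=${2%%.*} _b_minor=${2#*.}
    [ "$_a_major" -gt "$_b_major" ] ||
        { [ "$_a_major" -eq "$_b_major" ] && [ "$_a_minor" -ge "$_b_minor" ]; }
}

# check_ssh_version WANT: the installed client must report at least WANT
check_ssh_version() {
    _banner=$(ssh -V 2>&1) || return 1          # ssh -V prints to stderr
    _have=$(openssh_version "$_banner")
    [ -n "$_have" ] && version_ge "$_have" "$1" || {
        echo "ssh -V reports '$_banner', wanted >= $1" >&2; return 1; }
}

# check_pam_unchanged CURRENT BACKUP: the sshd PAM stack must equal the backup
check_pam_unchanged() {
    cmp -s "$1" "$2" || { echo "$1 differs from $2" >&2; return 1; }
}

# check_host_key_perms DIR: every ssh_host_*_key under DIR must be mode 0600;
# upstream sshd refuses to load a private key readable by group or others.
check_host_key_perms() {
    _bad=0
    for _key in "$1"/ssh_host_*_key; do
        [ -e "$_key" ] || continue
        _mode=$(stat -c %a "$_key")
        [ "$_mode" = 600 ] || { echo "$_key is mode $_mode, want 600" >&2; _bad=1; }
    done
    return $_bad
}

# post_upgrade_checks: the real thing, with the paths used in this post
post_upgrade_checks() {
    check_ssh_version 9.1 &&
    check_pam_unchanged /etc/pam.d/sshd /etc/pam.d/sshd_bak &&
    check_host_key_perms /etc/ssh &&
    command -v ssh-copy-id >/dev/null &&
    echo "post-upgrade checks passed"
}
```

Run post_upgrade_checks from the second session opened before the restart, and close the original session only once it passes and a fresh login has succeeded.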

Rollback

If something misbehaves after the upgrade, roll the version back through yum history:

yum history list openssh
Loaded plugins: fastestmirror
ID     | Login user               | Date and time    | Action(s)      | Altered
-------------------------------------------------------------------------------
    21 | gray <gray>              | 2023-01-16 22:23 | Update         |    3 EE
    20 | gray <gray>              | 2023-01-16 22:12 | Downgrade      |    3 EE
    19 | gray <gray>              | 2023-01-16 22:07 | Update         |    3 EE
    18 | gray <gray>              | 2023-01-16 21:08 | Downgrade      |    3 EE
    17 | gray <gray>              | 2023-01-16 19:07 | Update         |    3 EE
    16 | gray <gray>              | 2023-01-16 19:02 | Downgrade      |    3 EE
    15 | gray <gray>              | 2023-01-16 18:50 | Update         |    3 EE
     2 | root <root>              | 2022-10-23 17:18 | I, O, U        |  286 EE
     1 | System <unset>           | 2022-10-23 17:02 | Install        |  302   
history list

yum history undo <id>
<id> is the transaction to reverse; in the listing above that is 21, the latest Update of the three openssh packages.
