Anolis8 制作OpenSSH9.4p1 RPM包🪬
1.下载源码包
下载OpenSSH9.4p1源码包
[root@iZ2zeam23ltaxefr0nzhn0Z ~]# wget https://mirrors.tuna.tsinghua.edu.cn/OpenBSD/OpenSSH/portable/openssh-9.4p1.tar.gz
下载imake包
[root@iZ2zeam23ltaxefr0nzhn0Z ~]# yum -y install imake
下载x11-ssh-askpass-1.2.4.1.tar.gz

[root@iZ2zeam23ltaxefr0nzhn0Z ~]# wget https://src.fedoraproject.org/repo/pkgs/openssh/x11-ssh-askpass-1.2.4.1.tar.gz/8f2e41f3f7eaa8543a2440454637f3c3/x11-ssh-askpass-1.2.4.1.tar.gz
2.安装基本环境
rpm-build 是一个工具集,用于构建和打包 RPM(Red Hat Package Manager)软件包。
[root@iZ2zeam23ltaxefr0nzhn0Z ~]# yum -y install rpm-build zlib-devel openssl-devel gcc perl-devel pam-devel libXt-devel gtk2-devel make perl
3.使用rpm-build打包编译
rpmbuild基本配置
[root@iZ2zeam23ltaxefr0nzhn0Z ~]# tar -xvf openssh-9.4p1.tar.gz
[root@iZ2zeam23ltaxefr0nzhn0Z ~]# cd /root/openssh-9.4p1/contrib/redhat/
[root@iZ2zeam23ltaxefr0nzhn0Z redhat]# ll
total 48
-rw-r--r-- 1 1000 1000 58 Aug 10 09:10 gnome-ssh-askpass.csh
-rw-r--r-- 1 1000 1000 70 Aug 10 09:10 gnome-ssh-askpass.sh
-rw-r--r-- 1 1000 1000 30082 Aug 10 09:10 openssh.spec
-rwxr-xr-x 1 1000 1000 1721 Aug 10 09:10 sshd.init
-rw-r--r-- 1 1000 1000 277 Aug 10 09:10 sshd.pam
# 解压之后先执行一次 rpmbuild,目的只是初始化生成 /root/rpmbuild 目录结构,这一次的报错可以忽略
[root@iZ2zeam23ltaxefr0nzhn0Z redhat]# rpmbuild -ba openssh.spec
[root@iZ2zeam23ltaxefr0nzhn0Z redhat]# cp openssh.spec /root/rpmbuild/SPECS/
[root@iZ2zeam23ltaxefr0nzhn0Z ~]# cp /root/openssh-9.4p1.tar.gz /root/rpmbuild/SOURCES/
[root@iZ2zeam23ltaxefr0nzhn0Z ~]# cp /root/x11-ssh-askpass-1.2.4.1.tar.gz /root/rpmbuild/SOURCES/
配置openssh.spec文件及权限
[root@iZ2zeam23ltaxefr0nzhn0Z ~]# cd /root/rpmbuild/SPECS/
[root@iZ2zeam23ltaxefr0nzhn0Z SPECS]# ll
total 32
-rw-r--r-- 1 root root 30082 Sep 27 16:04 openssh.spec
[root@iZ2zeam23ltaxefr0nzhn0Z SPECS]# vim openssh.spec
找到 openssl 配置:
BuildRequires: openssl-devel >= 1.0.1
BuildRequires: openssl-devel < 1.1
# 修改为 openssl-devel >= 1.1
BuildRequires: openssl-devel >= 1.0.1
BuildRequires: openssl-devel >= 1.1
[root@iZ2zeam23ltaxefr0nzhn0Z SPECS]# chown -R sshd:sshd /root/rpmbuild/SPECS/openssh.spec
使用rpmbuild打包
[root@iZ2zeam23ltaxefr0nzhn0Z SPECS]# rpmbuild -ba openssh.spec
4.打包压缩
生成的rpm包在/root/rpmbuild/RPMS/x86_64目录下
[root@iZ2zeam23ltaxefr0nzhn0Z ~]# cd /root/rpmbuild/RPMS/x86_64
[root@iZ2zeam23ltaxefr0nzhn0Z x86_64]# ll
total 6124
-rw-r--r-- 1 root root 707436 Sep 27 16:25 openssh-9.4p1-1.an8.x86_64.rpm
-rw-r--r-- 1 root root 50200 Sep 27 16:25 openssh-askpass-9.4p1-1.an8.x86_64.rpm
-rw-r--r-- 1 root root 60940 Sep 27 16:25 openssh-askpass-debuginfo-9.4p1-1.an8.x86_64.rpm
-rw-r--r-- 1 root root 31164 Sep 27 16:25 openssh-askpass-gnome-9.4p1-1.an8.x86_64.rpm
-rw-r--r-- 1 root root 42136 Sep 27 16:25 openssh-askpass-gnome-debuginfo-9.4p1-1.an8.x86_64.rpm
-rw-r--r-- 1 root root 674916 Sep 27 16:25 openssh-clients-9.4p1-1.an8.x86_64.rpm
-rw-r--r-- 1 root root 1430232 Sep 27 16:25 openssh-clients-debuginfo-9.4p1-1.an8.x86_64.rpm
-rw-r--r-- 1 root root 1082976 Sep 27 16:25 openssh-debuginfo-9.4p1-1.an8.x86_64.rpm
-rw-r--r-- 1 root root 765092 Sep 27 16:25 openssh-debugsource-9.4p1-1.an8.x86_64.rpm
-rw-r--r-- 1 root root 496324 Sep 27 16:25 openssh-server-9.4p1-1.an8.x86_64.rpm
-rw-r--r-- 1 root root 907696 Sep 27 16:25 openssh-server-debuginfo-9.4p1-1.an8.x86_64.rpm
只需要打包下面这三个主包即可(各 debuginfo/debugsource 包和 askpass 包不需要):
openssh-9.4p1-1.an8.x86_64.rpm
openssh-clients-9.4p1-1.an8.x86_64.rpm
openssh-server-9.4p1-1.an8.x86_64.rpm
[root@iZ2zeam23ltaxefr0nzhn0Z x86_64]# tar -zcvf openssh9.4p1.tar.gz openssh-9.4p1-1.an8.x86_64.rpm openssh-clients-9.4p1-1.an8.x86_64.rpm openssh-server-9.4p1-1.an8.x86_64.rpm
5.升级SSH版本
将打包好的压缩包上传到需要升级的服务器。升级前需先备份 /etc/pam.d/sshd 文件,因为升级 ssh 版本会重置该文件。
备份sshd文件
[root@iZ2zeam23ltaxefr0nzhn0Z ~]# cd /etc/pam.d/
[root@iZ2zeam23ltaxefr0nzhn0Z pam.d]# cp sshd sshd.bak
升级
[root@iZ2zeam23ltaxefr0nzhn0Z x86_64]# cp openssh9.4p1.tar.gz /opt/
[root@iZ2zeam23ltaxefr0nzhn0Z x86_64]# cd /opt/
[root@iZ2zeam23ltaxefr0nzhn0Z opt]# ll
total 1784
-rw-r--r-- 1 root root 1823193 Sep 27 16:33 openssh9.4p1.tar.gz
[root@iZ2zeam23ltaxefr0nzhn0Z opt]# tar -xvf openssh9.4p1.tar.gz
openssh-9.4p1-1.an8.x86_64.rpm
openssh-clients-9.4p1-1.an8.x86_64.rpm
openssh-server-9.4p1-1.an8.x86_64.rpm
[root@iZ2zeam23ltaxefr0nzhn0Z opt]# yum -y install ./*.rpm
[root@iZ2zeam23ltaxefr0nzhn0Z opt]# ssh -V
OpenSSH_9.4p1, OpenSSL 1.1.1k FIPS 25 Mar 2021
[root@iZ2zeam23ltaxefr0nzhn0Z opt]# cat > /etc/pam.d/sshd <<EOF
#%PAM-1.0
auth substack password-auth
auth include postlogin
account required pam_sepermit.so
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session optional pam_motd.so
session include password-auth
session include postlogin
EOF
重启 sshd(重启时不要退出当前会话,另开一个终端确认能正常登录后再关闭旧会话)
[root@iZ2zeam23ltaxefr0nzhn0Z pam.d]# cd
[root@iZ2zeam23ltaxefr0nzhn0Z ~]# systemctl restart sshd
[root@iZ2zeam23ltaxefr0nzhn0Z ~]# ssh -V
OpenSSH_9.4p1, OpenSSL 1.1.1k FIPS 25 Mar 2021
-----------------------------------------------------------------------------------------------------------------------
6. 使用ansible批量升级
[root@localhost ~]# for i in $(cat ip.list);do echo $i; scp -r /root/openssh9.4 $i:/tmp/;done
通过 ansible 批量升级 OpenSSH 版本。上面的 scp 循环先把 /root/openssh9.4 下的 rpm 包分发到各主机的 /tmp/openssh9.4/,后面的 playbook 会从该目录安装;/tmp 对所有用户可写,分发后应尽快完成安装。
通过主机清单来控制要升级的目标主机。
[root@localhost ~]# cd /etc/ansible/playbook
[root@localhost playbook]# vim iplist
---
all:
hosts:
172.16.5.102:
172.16.5.103:
172.16.5.104:
172.16.5.105:
172.16.5.137:
172.16.5.138:
172.16.5.139:
172.16.5.140:
172.16.5.141:
172.16.5.142:
可以用这个命令来查看定义好的主机。
[root@localhost playbook]# ansible-inventory -i iplist --list
{
"_meta": {
"hostvars": {}
},
"all": {
"children": [
"ungrouped"
]
},
"ungrouped": {
"hosts": [
"172.16.5.102",
"172.16.5.103",
"172.16.5.104",
"172.16.5.105",
"172.16.5.137",
"172.16.5.138",
"172.16.5.139",
"172.16.5.140",
"172.16.5.141",
"172.16.5.142"
]
}
}
编写playbook。
主要是添加 KexAlgorithms 这一项:升级到高版本 OpenSSH 后,有些密钥交换算法默认会被禁用,这里显式开启 KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,sntrup761x25519-sha512@openssh.com(其中 ecdh-sha2-nistp* 主要是为兼容旧客户端而保留,没有旧客户端时可以不加)
[root@localhost ~]# cd /etc/ansible/playbook
[root@localhost playbook]# vim update_ssh.yml
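# update_ssh.yml — bulk OpenSSH upgrade from the locally built RPMs.
# Assumes the rpm files were already copied to /tmp/openssh9.4 on every
# target host (the scp loop earlier in the page).
- hosts: all
  tasks:
    # Upgrading resets /etc/pam.d/sshd (see section 5 of this page), so keep
    # a copy before touching packages and put it back afterwards. This is the
    # same cp sshd sshd.bak step done by hand in section 5.
    - name: Back up PAM sshd config
      copy:
        src: /etc/pam.d/sshd
        dest: /etc/pam.d/sshd.bak
        remote_src: yes
        mode: preserve

    # --force/--nodeps/--replacepkgs/--replacefiles disable rpm's dependency
    # and file-conflict checks, and the packages are built locally and not
    # signed in this guide, so nothing verifies their origin: make sure the
    # files in /tmp/openssh9.4 are the ones you just distributed.
    - name: Install OpenSSH RPM
      command: rpm -ivh --force --nodeps --replacepkgs --replacefiles /tmp/openssh9.4/openssh-*.rpm
      args:
        warn: false   # NOTE: 'warn' was removed from the command module in ansible-core 2.14; drop it there

    - name: Restore PAM sshd config
      copy:
        src: /etc/pam.d/sshd.bak
        dest: /etc/pam.d/sshd
        remote_src: yes
        mode: preserve

    # Newer OpenSSH disables some key-exchange algorithms by default; this
    # line re-enables the ones listed. backup: yes keeps a copy of the
    # original sshd_config next to it.
    - name: Add or update KexAlgorithms in sshd_config
      lineinfile:
        path: /etc/ssh/sshd_config
        regexp: '^KexAlgorithms\s+'
        line: KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,sntrup761x25519-sha512@openssh.com
        state: present
        backup: yes
      notify: Restart sshd

    # Validate the new config before the handler restarts sshd at the end of
    # the play; a host where sshd -t fails errors out here and is not restarted.
    - name: Test sshd configuration
      command: sshd -t
      changed_when: false
      check_mode: no

  handlers:
    - name: Restart sshd
      service:
        name: sshd
        state: restarted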
执行 ansible-playbook 命令升级:先做语法检查,再正式执行。playbook 中的 sshd -t 任务会在 handler 重启 sshd 之前校验配置,校验失败的主机不会被重启;另外第 5 节提到的 /etc/pam.d/sshd 会被重置的问题在批量升级时同样存在,需要提前备份。
[root@localhost playbook]# ansible-playbook --syntax-check update_ssh.yml
[root@localhost playbook]# ansible-playbook -i iplist update_ssh.yml
