Upgrading OpenSSH from Source on an ARM Server Running UOS

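1. Introduction

OpenSSH official website
OpenSSL library: https://openssl-library.org/source/
zlib library: https://www.zlib.net/

Remote login to a Linux server over SSH requires OpenSSH to be installed on the system. This article describes how to upgrade OpenSSH on UOS by building it from source.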

2. Installation environment

System: UOS 20
CPU: ARM

# uname -r
5.10.0-74.3.uel20.aarch64 <<< kernel version

# lsb_release -a
No LSB modules are available.
Distributor ID: Uos
Description:    UOS Server 20
Release:        20

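2.1 Preparing the packages

Download the OpenSSH source package from the official site. You also need to download the OpenSSL and zlib libraries, which the OpenSSH source build depends on, from their official sites.

// Package versions used here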
openssh-9.8p1.tar.gz
openssl-3.3.1.tar.gz
zlib-1.2.11.tar.gz

2.2 Current SSH version

# ssh -V
OpenSSH_8.2p1, OpenSSL 1.1.1k  FIPS 25 Mar 2021

2.2.1 Backing up SSH files

  1. Back up /etc/pam.d/passwd, sshd and system-auth.
cp /etc/pam.d/passwd /home/
cp /etc/pam.d/sshd /home/
cp /etc/pam.d/system-auth /home/
  2. Move the original openssl binary aside as a backup.
mv /usr/bin/openssl /usr/bin/openssl.bak
  3. Back up the original OpenSSH files.
cp -rf /etc/ssh /etc/ssh.bak

2.3 Installing build dependencies

yum install -y 'gcc*' perl 'pam*' make openssl-devel
Complete!

3. Building and installing zlib from source

3.1 Extracting the package

tar -zxvf zlib-1.2.11.tar.gz
// Enter the extracted directory
cd zlib-1.2.11

3.2 Configuring the build

[zlib-1.2.11]# ./configure
Checking for gcc...
Checking for shared library support...
Building shared library libz.so.1.2.11 with gcc.
Checking for size_t... Yes.
Checking for off64_t... Yes.
Checking for fseeko... Yes.
Checking for strerror... Yes.
Checking for unistd.h... Yes.
Checking for stdarg.h... Yes.
Checking whether to use vs[n]printf() or s[n]printf()... using vs[n]printf().
Checking for vsnprintf() in stdio.h... Yes.
Checking for return value of vsnprintf()... Yes.
Checking for attribute(visibility) support... Yes.

3.3 Building and installing

[zlib-1.2.11]# make && make install

ln -s libz.so.1.2.11 libz.so
ln -s libz.so.1.2.11 libz.so.1
gcc -O3 -D_LARGEFILE64_SOURCE=1 -DHAVE_HIDDEN -o examplesh example.o -L. libz.so.1.2.11
chmod 644 /usr/local/include/zlib.h /usr/local/include/zconf.h

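4. Building and installing OpenSSL from source

4.1 Extracting the package

tar -zxvf openssl-3.3.1.tar.gz

// Enter the extracted directory
cd openssl-3.3.1

4.2 Configuring the build

Configure the install path and enable shared libraries.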

[openssl-3.3.1]# ./config --prefix=/usr/local/openssl --openssldir=/usr/local/openssl shared zlib

**********************************************************************
***                                                                ***
***   OpenSSL has been successfully configured                     ***
***                                                                ***
***   If you encounter a problem while building, please open an    ***
***   issue on GitHub <https://github.com/openssl/openssl/issues>  ***
***   and include the output from the following command:           ***
***                                                                ***
***       perl configdata.pm --dump                                ***
***                                                                ***
***   (If you are new to OpenSSL, you might want to consult the    ***
***   'Troubleshooting' section in the INSTALL.md file first)      ***
***                                                                ***
**********************************************************************

4.3 Building and installing

[openssl-3.3.1]# make -j 32 && make install

ln -sf /usr/local/openssl/include/openssl /usr/include/openssl
ln -sf /usr/local/openssl/bin/openssl /usr/bin/openssl
ln -sf /usr/local/openssl/lib64/libssl.so.3 /usr/lib64/libssl.so.3
ln -sf /usr/local/openssl/lib64/libcrypto.so.3 /usr/lib64/libcrypto.so.3

4.4 Adding the library path

echo "/usr/local/openssl/lib64" > /etc/ld.so.conf.d/openssl.conf
ldconfig

4.5 Setting the build environment variables

export PATH=/usr/local/openssl/bin:$PATH
export LD_LIBRARY_PATH=/usr/local/openssl/lib64:$LD_LIBRARY_PATH

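5. Building and installing OpenSSH from source

5.1 Extracting the package

tar -zxvf openssh-9.8p1.tar.gz

// Enter the extracted directory
cd openssh-9.8p1

5.2 Configuring the build

Configure the install path, the zlib path, and the OpenSSL crypto library path.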

[openssh-9.8p1]# ./configure --prefix=/usr/local/openssh/ --sysconfdir=/etc/ssh/ --with-ssl-dir=/usr/local/openssl/ --with-zlib --without-openssl-header-check

OpenSSH has been configured with the following options:
                     User binaries: /usr/local/openssh/bin
                   System binaries: /usr/local/openssh/sbin
               Configuration files: /etc/ssh
                   Askpass program: /usr/local/openssh/libexec/ssh-askpass
                      Manual pages: /usr/local/openssh/share/man/manX
                          PID file: /var/run
  Privilege separation chroot path: /var/empty
            sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/openssh/bin
                    Manpage format: doc
                       PAM support: no
                   OSF SIA support: no
                 KerberosV support: no
                   SELinux support: no
                   libedit support: no
                   libldns support: no
  Solaris process contract support: no
           Solaris project support: no
         Solaris privilege support: no
       IP address in $DISPLAY hack: no
           Translate v4 in v6 hack: yes
                  BSD Auth support: no
              Random number source: OpenSSL internal ONLY
             Privsep sandbox style: seccomp_filter
                   PKCS#11 support: yes
                  U2F/FIDO support: yes

5.3 Building and installing

[openssh-9.8p1]# make -j 16 && make install

/etc/ssh/ssh_config already exists, install will not overwrite
/etc/ssh/sshd_config already exists, install will not overwrite
/etc/ssh/moduli already exists, install will not overwrite
/usr/local/openssh/sbin/sshd -t -f /etc/ssh/sshd_config
/etc/ssh/sshd_config line 77: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 78: Unsupported option GSSAPICleanupCredentials
/etc/ssh/sshd_config line 94: Unsupported option UsePAM
/etc/ssh/sshd_config line 141: Deprecated option RSAAuthentication
/etc/ssh/sshd_config line 143: Deprecated option RhostsRSAAuthentication


sed -i 's/GSSAPIAuthentication yes/#GSSAPIAuthentication yes/g'  /etc/ssh/sshd_config
sed -i  's/GSSAPICleanupCredentials no/#GSSAPICleanupCredentials no/g'  /etc/ssh/sshd_config
sed -i  's/UsePAM yes/#UsePAM yes/g'  /etc/ssh/sshd_config
sed -i  's/RSAAuthentication yes/#RSAAuthentication yes/g'  /etc/ssh/sshd_config
sed -i  's/RhostsRSAAuthentication no/#RhostsRSAAuthentication no/g'  /etc/ssh/sshd_config
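
The sed commands above comment out the options that the new sshd reported as unsupported or deprecated. As an added example (not part of the original post), the function below derives the same edit from the `sshd -t` messages by line number and prints the patched config instead of editing in place; the helper name comment_flagged and the sample config and report are constructed for illustration.

```shell
#!/bin/bash
# Added example (not from the original post): comment out only the
# sshd_config lines that `sshd -t` reported, matched by line number.
# comment_flagged REPORT CONFIG   (hypothetical helper name)
#   REPORT: saved output of `sshd -t -f CONFIG 2>&1`
#   CONFIG: the sshd_config that was checked
# Prints the patched config on stdout; CONFIG itself is not modified.
comment_flagged() {
    awk '
        # Report file: remember which option was flagged on which line.
        FILENAME == ARGV[1] {
            if (match($0, /line [0-9]+: (Unsupported|Deprecated) option /)) {
                split(substr($0, RSTART, RLENGTH), f, /[ :]+/)  # f[2] = N
                opt = substr($0, RSTART + RLENGTH)
                sub(/[ \t\r]+$/, "", opt)
                flagged[f[2]] = tolower(opt)
            }
            next
        }
        # Config file: comment a flagged line only if it really starts
        # with the reported option, so a stale report cannot hit other lines.
        (FNR in flagged) {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = length(flagged[FNR])
            if (tolower(substr(line, 1, n)) == flagged[FNR] &&
                substr(line, n + 1) ~ /^([ \t=]|$)/) {
                print "#" $0
                next
            }
        }
        { print }
    ' "$1" "$2"
}

# Constructed sample input, modelled on the messages shown above.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'Port 22' 'GSSAPIAuthentication yes' \
        'PermitRootLogin no' 'UsePAM yes' > "$d/sshd_config"
    printf '%s\n' \
        '/etc/ssh/sshd_config line 2: Unsupported option GSSAPIAuthentication' \
        '/etc/ssh/sshd_config line 4: Unsupported option UsePAM' \
        '/etc/ssh/sshd_config line 1: Deprecated option RSAAuthentication' \
        > "$d/report"
    comment_flagged "$d/report" "$d/sshd_config"
    rm -rf "$d"
}
demo
```

Validate the patched file with /usr/local/openssh/sbin/sshd -t -f before moving it over /etc/ssh/sshd_config. Since the configure summary above shows PAM support: no, commenting out UsePAM leaves SSH logins outside the PAM stack backed up in 2.2.1; rebuilding with OpenSSH's --with-pam configure option keeps it in use.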


ln -sf /usr/local/openssh/sbin/sshd /usr/sbin/sshd
ln -sf /usr/local/openssh/bin/ssh /usr/bin/ssh
ln -sf /usr/local/openssh/bin/ssh-keygen /usr/bin/ssh-keygen
ln -sf /usr/local/openssh/bin/ssh-keyscan /usr/bin/ssh-keyscan
ln -sf /usr/local/openssh/bin/scp /usr/bin/scp

5.4 Configuring the SSH service

systemctl daemon-reload
systemctl restart sshd

Check the current SSH version to confirm that the upgrade succeeded.

[openssh-9.8p1]# ssh -V
OpenSSH_9.8p1, OpenSSL 3.3.1 4 Jun 2024

If you encounter this error:

[openssh-9.8p1]# systemctl restart sshd
Job for sshd.service failed because the control process exited with error code.
See "systemctl status sshd.service" and "journalctl -xe" for details.

then run:

cp /usr/lib/systemd/system/sshd.service /usr/lib/systemd/system/sshd.service_bak
sed -i 's|ExecStart=/usr/sbin.*|ExecStart=/usr/sbin/sshd -D|g' /usr/lib/systemd/system/sshd.service
systemctl daemon-reload
systemctl restart sshd
posted @ 2025-08-14 16:24  liqinglucky