分享一个openssh自动升级的python工具源代码
将需要的包上传即可。
备注:此工具暂时只支持centos。
代码如下:
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""
OpenSSH 离线升级工具
支持交互式输入路径或命令行参数指定
兼容 Python 3.6+
"""
import os
import sys
import subprocess
import argparse
import tarfile
import shutil
from pathlib import Path
# 颜色输出
class Colors:
RED = '\033[31m'
GREEN = '\033[32m'
YELLOW = '\033[33m'
BLUE = '\033[34m'
NC = '\033[0m'
def print_colored(text, color=Colors.NC):
print(f"{color}{text}{Colors.NC}")
def run_cmd(cmd, check=True, shell=True, capture_output=False):
try:
if capture_output:
result = subprocess.run(cmd, shell=shell, check=check,
stdout=subprocess.PIPE, stderr=subprocess.PIPE,
universal_newlines=True)
return result.stdout.strip()
else:
subprocess.run(cmd, shell=shell, check=check)
except subprocess.CalledProcessError as e:
print_colored(f"命令执行失败: {cmd}", Colors.RED)
if capture_output:
print_colored(f"错误信息: {e.stderr}", Colors.RED)
else:
print_colored(f"错误信息: {str(e)}", Colors.RED)
sys.exit(1)
def get_ssh_version():
try:
version = run_cmd("ssh -V 2>&1", capture_output=True)
return version
except:
return "未安装或无法获取版本"
def check_root():
if os.geteuid() != 0:
print_colored("错误:必须使用 root 用户执行此脚本!", Colors.RED)
sys.exit(1)
def check_environment():
print_colored("\n[1/8] 正在检查系统环境...", Colors.BLUE)
redhat_release = Path("/etc/redhat-release")
if redhat_release.exists():
content = redhat_release.read_text()
if "CentOS Linux 7.9" not in content:
print_colored("警告:建议使用 CentOS 7.9,当前版本可能不完全兼容", Colors.YELLOW)
else:
print_colored("警告:未检测到 /etc/redhat-release,可能不是 RHEL/CentOS 系统", Colors.YELLOW)
arch = run_cmd("uname -m", capture_output=True)
if arch != "x86_64":
print_colored("错误:仅支持 64 位系统!", Colors.RED)
sys.exit(1)
print_colored("环境检查通过", Colors.GREEN)
def smart_extract(tar_path, extract_to="/opt"):
tar_path = Path(tar_path)
if not tar_path.exists():
print_colored(f"错误:文件不存在 - {tar_path}", Colors.RED)
sys.exit(1)
if tar_path.stat().st_size == 0:
print_colored(f"错误:文件 {tar_path.name} 大小为0,可能未完整下载", Colors.RED)
sys.exit(1)
print_colored(f"解压 {tar_path.name} 到 {extract_to} ...", Colors.NC)
try:
with tarfile.open(tar_path, 'r:*') as tar:
tar.extractall(path=extract_to)
members = tar.getmembers()
if members:
top_dir = members[0].name.split('/')[0]
return top_dir
else:
return tar_path.name.replace('.tar.gz', '').replace('.tgz', '').replace('.tar', '')
except (tarfile.ReadError, EOFError) as e:
print_colored(f"Python tarfile 解压失败:{e}", Colors.RED)
print_colored("尝试使用系统 tar 命令解压...", Colors.YELLOW)
try:
subprocess.run(f"tar -xf {tar_path} -C {extract_to}", shell=True, check=True)
for item in Path(extract_to).iterdir():
if item.is_dir() and not item.name.startswith('.'):
return item.name
return tar_path.name.replace('.tar.gz', '').replace('.tgz', '').replace('.tar', '')
except subprocess.CalledProcessError:
print_colored("系统 tar 命令也解压失败,文件可能严重损坏。", Colors.RED)
sys.exit(1)
def install_dependencies(dep_file):
print_colored("\n[2/8] 安装基础依赖...", Colors.BLUE)
dep_path = Path(dep_file)
if not dep_path.exists():
print_colored(f"错误:依赖文件不存在: {dep_file}", Colors.RED)
skip = input("是否跳过依赖安装并继续?(y/n) [n]: ").strip().lower()
if skip in ('y', 'yes'):
print_colored("跳过依赖安装,请注意系统必须已具备编译环境!", Colors.YELLOW)
return
else:
sys.exit(1)
temp_dir = Path("/opt/deps_temp")
temp_dir.mkdir(exist_ok=True)
try:
top_dir_name = smart_extract(dep_file, extract_to=str(temp_dir))
except SystemExit:
skip = input("依赖包解压失败,是否跳过依赖安装并继续?(y/n) [n]: ").strip().lower()
if skip in ('y', 'yes'):
print_colored("跳过依赖安装,请注意系统必须已具备编译环境!", Colors.YELLOW)
shutil.rmtree(temp_dir, ignore_errors=True)
return
else:
shutil.rmtree(temp_dir, ignore_errors=True)
sys.exit(1)
extract_dir = temp_dir / top_dir_name
if not extract_dir.exists():
rpm_files = list(temp_dir.glob("**/*.rpm"))
if not rpm_files:
print_colored("错误:解压后未找到 RPM 包", Colors.RED)
shutil.rmtree(temp_dir)
sys.exit(1)
print_colored(f"找到 {len(rpm_files)} 个 RPM 包(分散存放),开始安装...", Colors.NC)
rpm_list = " ".join(f"'{f}'" for f in rpm_files)
run_cmd(f"rpm -ivh {rpm_list} --nodeps --force")
else:
os.chdir(extract_dir)
rpm_files = list(Path(".").glob("*.rpm"))
if not rpm_files:
print_colored("错误:yilai 目录下未找到任何 RPM 包", Colors.RED)
os.chdir("/opt")
shutil.rmtree(temp_dir)
sys.exit(1)
print_colored(f"在目录 '{top_dir_name}' 中找到 {len(rpm_files)} 个 RPM 包,开始安装...", Colors.NC)
run_cmd("rpm -ivh *.rpm --nodeps --force")
os.chdir("/opt")
shutil.rmtree(temp_dir)
print_colored("依赖包安装完成", Colors.GREEN)
def build_zlib(zlib_file):
print_colored("\n[3/8] 编译安装 zlib...", Colors.BLUE)
zlib_path = Path(zlib_file)
if not zlib_path.exists():
print_colored(f"错误:zlib 源码包不存在: {zlib_file}", Colors.RED)
sys.exit(1)
dir_name = smart_extract(zlib_file)
extract_dir = Path("/opt") / dir_name
os.chdir(extract_dir)
run_cmd("./configure --prefix=/usr/local/zlib")
run_cmd("make")
run_cmd("make install")
with open("/etc/ld.so.conf", "a") as f:
f.write("/usr/local/zlib/lib\n")
run_cmd("ldconfig -v")
print_colored("zlib 安装完成", Colors.GREEN)
def build_openssl(openssl_file):
print_colored("\n[4/8] 编译安装 OpenSSL...", Colors.BLUE)
ssl_path = Path(openssl_file)
if not ssl_path.exists():
print_colored(f"错误:OpenSSL 源码包不存在: {openssl_file}", Colors.RED)
sys.exit(1)
if "3." in ssl_path.name:
print_colored("警告:您正在使用 OpenSSL 3.x 版本,在 CentOS 7 下可能与 OpenSSH 存在链接问题。", Colors.YELLOW)
print_colored("强烈建议使用 OpenSSL 1.1.1 系列(如 openssl-1.1.1o.tar.gz)。", Colors.YELLOW)
cont = input("是否继续尝试?(y/n) [n]: ").strip().lower()
if cont not in ('y', 'yes'):
print_colored("用户取消操作,退出脚本。", Colors.YELLOW)
sys.exit(0)
dir_name = smart_extract(openssl_file)
extract_dir = Path("/opt") / dir_name
os.chdir(extract_dir)
run_cmd("make clean 2>/dev/null", check=False)
os.environ['CFLAGS'] = '-std=gnu99 -O2 -fPIC'
print_colored("已设置 CFLAGS=-std=gnu99 -O2 -fPIC", Colors.NC)
run_cmd("./config --prefix=/usr/local/ssl -d shared")
run_cmd("make")
run_cmd("make install")
with open("/etc/ld.so.conf", "a") as f:
f.write("/usr/local/ssl/lib\n")
run_cmd("ldconfig -v")
if not verify_openssl_install():
print_colored("OpenSSL 安装验证失败,请检查编译日志。", Colors.RED)
sys.exit(1)
print_colored("OpenSSL 安装完成并通过验证", Colors.GREEN)
def verify_openssl_install():
libdir = Path("/usr/local/ssl/lib")
incdir = Path("/usr/local/ssl/include/openssl")
if not incdir.exists():
print_colored("错误:OpenSSL 头文件目录缺失", Colors.RED)
return False
libcrypto_so = libdir / "libcrypto.so"
libssl_so = libdir / "libssl.so"
libcrypto_a = libdir / "libcrypto.a"
libssl_a = libdir / "libssl.a"
if libcrypto_so.exists() and libssl_so.exists():
print_colored("OpenSSL 动态库 (.so) 存在", Colors.NC)
return True
elif libcrypto_a.exists() and libssl_a.exists():
print_colored("OpenSSL 静态库 (.a) 存在,将使用静态链接", Colors.YELLOW)
return True
else:
print_colored("错误:未找到 OpenSSL 库文件", Colors.RED)
return False
def get_openssl_version():
openssl_bin = Path("/usr/local/ssl/bin/openssl")
if openssl_bin.exists():
try:
version_str = subprocess.check_output([str(openssl_bin), "version"],
universal_newlines=True).strip()
parts = version_str.split()
if len(parts) >= 2:
return parts[1]
except:
pass
return "unknown"
def install_openssh(openssh_file):
print_colored("\n[5/8] 升级 OpenSSH...", Colors.BLUE)
ssh_path = Path(openssh_file)
if not ssh_path.exists():
print_colored(f"错误:OpenSSH 源码包不存在: {openssh_file}", Colors.RED)
sys.exit(1)
print_colored("卸载旧版本 OpenSSH...", Colors.NC)
run_cmd("rpm -e --nodeps openssh-server openssh openssh-clients 2>/dev/null", check=False)
dir_name = smart_extract(openssh_file)
extract_dir = Path("/opt") / dir_name
os.chdir(extract_dir)
sys_ssl_inc = Path("/usr/include/openssl")
sys_ssl_inc_backup = Path("/usr/include/openssl.bak")
if sys_ssl_inc.exists():
print_colored("备份系统 OpenSSL 头文件目录...", Colors.NC)
shutil.move(str(sys_ssl_inc), str(sys_ssl_inc_backup))
try:
run_cmd("ldconfig")
libdir = Path("/usr/local/ssl/lib")
use_static = False
if not (libdir / "libcrypto.so").exists():
use_static = True
print_colored("未找到动态库,将使用静态链接", Colors.YELLOW)
extra_cflags = "-I/usr/local/ssl/include"
ssl_version = get_openssl_version()
if ssl_version.startswith("3."):
extra_cflags += " -DOPENSSL_API_COMPAT=0x10100000L"
print_colored("已为 OpenSSL 3.x 添加兼容性宏", Colors.NC)
os.environ['CFLAGS'] = extra_cflags
os.environ['CPPFLAGS'] = extra_cflags
if use_static:
os.environ['LDFLAGS'] = f"-L{libdir}"
os.environ['LIBS'] = f"{libdir}/libcrypto.a {libdir}/libssl.a -ldl -lpthread"
else:
os.environ['LDFLAGS'] = f"-L{libdir} -Wl,-rpath,{libdir}"
os.environ['LIBS'] = "-lcrypto -lssl"
os.environ['LD_LIBRARY_PATH'] = str(libdir)
run_cmd("./configure --prefix=/usr/local/openssh "
"--with-zlib=/usr/local/zlib "
"--with-ssl-dir=/usr/local/ssl "
"--without-openssl-header-check")
run_cmd("make")
run_cmd("make install")
finally:
if sys_ssl_inc_backup.exists():
shutil.move(str(sys_ssl_inc_backup), str(sys_ssl_inc))
print_colored("配置 SSH 服务...", Colors.NC)
sshd_config = Path("/usr/local/openssh/etc/sshd_config")
with open(sshd_config, "a") as f:
f.write("\nPermitRootLogin yes\n")
f.write("PubkeyAuthentication yes\n")
f.write("PasswordAuthentication yes\n")
shutil.copy(sshd_config, "/etc/ssh/sshd_config")
with open("/etc/ssh/sshd_config", "a") as f:
f.write("HostKeyAlgorithms ssh-rsa,ssh-dss\n")
# 复制服务端二进制
sshd_bin = Path("/usr/sbin/sshd")
if sshd_bin.exists():
sshd_bin.rename("/usr/sbin/sshd.bak")
shutil.copy("/usr/local/openssh/sbin/sshd", "/usr/sbin/sshd")
os.chmod("/usr/sbin/sshd", 0o755)
# 复制客户端工具(包括 scp, sftp, ssh-add, ssh-agent, ssh-keyscan 等)
print_colored("安装客户端工具 (scp, sftp, ssh-keygen, ssh-add ...)", Colors.NC)
src_bin_dir = Path("/usr/local/openssh/bin")
dst_bin_dir = Path("/usr/bin")
tools_to_copy = [
"scp", "sftp", "ssh", "ssh-add", "ssh-agent", "ssh-keygen",
"ssh-keyscan", "sftp-server", "ssh-keysign"
]
for tool in tools_to_copy:
src = src_bin_dir / tool
if src.exists():
dst = dst_bin_dir / tool
if dst.exists():
dst.rename(dst_bin_dir / f"{tool}.bak")
shutil.copy(src, dst)
os.chmod(dst, 0o755)
print_colored(f" 已安装: {tool}", Colors.NC)
else:
print_colored(f" 警告: 未找到 {tool},跳过", Colors.YELLOW)
# 启动脚本
init_script = Path("/opt") / dir_name / "contrib/redhat/sshd.init"
if init_script.exists():
shutil.copy(init_script, "/etc/init.d/sshd")
os.chmod("/etc/init.d/sshd", 0o755)
run_cmd("chkconfig --add sshd")
run_cmd("chkconfig sshd on")
print_colored("OpenSSH 安装完成,所有客户端工具已就绪", Colors.GREEN)
def final_check(old_version=""):
print_colored("\n[6/8] 执行最终检查...", Colors.BLUE)
run_cmd("systemctl daemon-reload")
run_cmd("systemctl restart sshd")
new_version = get_ssh_version()
if "OpenSSH_" in new_version:
print_colored("=" * 50, Colors.GREEN)
print_colored("升级成功!", Colors.GREEN)
if old_version:
print_colored(f"升级前版本:{old_version}", Colors.YELLOW)
print_colored(f"升级后版本:{new_version}", Colors.GREEN)
print_colored("=" * 50, Colors.GREEN)
print_colored("警告:请通过新 SSH 端口连接确认无误后,再关闭 Telnet 服务!", Colors.YELLOW)
# 验证 scp 是否可用
if Path("/usr/bin/scp").exists():
print_colored("scp 命令已安装,可以使用。", Colors.GREEN)
else:
print_colored(f"错误:升级失败,当前版本: {new_version}", Colors.RED)
sys.exit(1)
def prompt_file(prompt_text, default_path=None, allow_skip=False):
while True:
if default_path:
user_input = input(f"{prompt_text} [默认: {default_path}]: ").strip()
if not user_input:
user_input = default_path
else:
user_input = input(f"{prompt_text}: ").strip()
if allow_skip and user_input.lower() in ('skip', 's', ''):
return None
if not user_input:
print_colored("路径不能为空,请重新输入。", Colors.YELLOW)
continue
if Path(user_input).exists():
return user_input
else:
print_colored(f"文件不存在: {user_input}", Colors.RED)
choice = input("是否重新输入?(y/n) [y]: ").strip().lower()
if choice in ('n', 'no'):
print_colored("用户取消操作,退出脚本。", Colors.YELLOW)
sys.exit(0)
def main():
parser = argparse.ArgumentParser(description="OpenSSH 离线升级工具")
parser.add_argument("--dep", help="依赖包完整路径")
parser.add_argument("--zlib", help="zlib 源码包完整路径")
parser.add_argument("--openssl", help="OpenSSL 源码包完整路径")
parser.add_argument("--openssh", help="OpenSSH 源码包完整路径")
parser.add_argument("--skip-env-check", action="store_true", help="跳过环境检查")
args = parser.parse_args()
print_colored("========================================", Colors.BLUE)
print_colored(" OpenSSH 离线升级工具 (Python版) ", Colors.GREEN)
print_colored("========================================", Colors.BLUE)
check_root()
old_version = get_ssh_version()
print_colored(f"\n当前系统 SSH 版本:{old_version}", Colors.YELLOW)
if not args.skip_env_check:
check_environment()
else:
print_colored("警告:已跳过环境检查", Colors.YELLOW)
print_colored("\n>>> 请准备以下四个文件(必须全部存在):", Colors.YELLOW)
print_colored(" 1. 依赖包 (yilai.tar.gz) - 包含编译所需的 RPM 包", Colors.NC)
print_colored(" 2. zlib 源码包 (如 zlib-1.3.1.tar.gz)", Colors.NC)
print_colored(" 3. OpenSSL 源码包 (强烈建议使用 openssl-1.1.1o.tar.gz)", Colors.NC)
print_colored(" 4. OpenSSH 源码包 (如 openssh-9.9p1.tar.gz)", Colors.NC)
dep_file = args.dep or prompt_file("请输入依赖包路径", default_path="/opt/yilai.tar.gz")
zlib_file = args.zlib or prompt_file("请输入 zlib 源码包路径", default_path="/opt/zlib-1.3.1.tar.gz")
openssl_file = args.openssl or prompt_file("请输入 OpenSSL 源码包路径", default_path="/opt/openssl-1.1.1o.tar.gz")
openssh_file = args.openssh or prompt_file("请输入 OpenSSH 源码包路径", default_path="/opt/openssh-9.9p1.tar.gz")
print_colored("\n========================================", Colors.BLUE)
print_colored("即将使用以下文件进行升级:", Colors.GREEN)
print_colored(f"依赖包路径: {dep_file}", Colors.NC)
print_colored(f"zlib 包路径: {zlib_file}", Colors.NC)
print_colored(f"OpenSSL 包路径: {openssl_file}", Colors.NC)
print_colored(f"OpenSSH 包路径: {openssh_file}", Colors.NC)
print_colored("========================================", Colors.BLUE)
confirm = input("确认开始升级?(y/n) [y]: ").strip().lower()
if confirm not in ('', 'y', 'yes'):
print_colored("用户取消操作,退出脚本。", Colors.YELLOW)
sys.exit(0)
install_dependencies(dep_file)
build_zlib(zlib_file)
build_openssl(openssl_file)
install_openssh(openssh_file)
final_check(old_version)
if __name__ == "__main__":
main()
浙公网安备 33010602011771号