Building and Upgrading OpenSSH 5.3 to 7.1

Build OpenSSH RPMs to upgrade OpenSSH to 7.1

Install the tools required for the build

yum -y groupinstall "Development tools"
yum -y install pam-devel rpm-build rpmdevtools zlib-devel krb5-devel tcp_wrappers tcp_wrappers-devel tcp_wrappers-libs libX11-devel xmkmf libXt-devel wget

Set up the RPM build environment

mkdir -pv ~/rpmbuild/{BUILD,BUILDROOT,RPMS,SOURCES,SPECS,SRPMS}

Download the source tarballs

cd ~/rpmbuild/SOURCES/
wget http://openbsd.hk/pub/OpenBSD/OpenSSH/portable/openssh-7.1p2.tar.gz
wget http://ftp.riken.jp/Linux/momonga/6/Everything/SOURCES/x11-ssh-askpass-1.2.4.1.tar.gz

Prepare the SPEC file

cd ~/rpmbuild/SPECS
tar xfz ../SOURCES/openssh-7.1p2.tar.gz openssh-7.1p2/contrib/redhat/openssh.spec
mv openssh-7.1p2/contrib/redhat/openssh.spec openssh-7.1p2.spec
rm -rf openssh-7.1p2
sed -i -e "s/%define no_gnome_askpass 0/%define no_gnome_askpass 1/g" openssh-7.1p2.spec
sed -i -e "s/%define no_x11_askpass 0/%define no_x11_askpass 1/g" openssh-7.1p2.spec
sed -i -e "s/BuildPreReq/BuildRequires/g" openssh-7.1p2.spec

Build the RPMs

cd ~/rpmbuild/SPECS
rpmbuild -bb openssh-7.1p2.spec

View the generated RPMs

cd ~/rpmbuild/RPMS/x86_64
ls -l
-rw-r--r-- 1 root root 445248 Nov 18 10:28 openssh-7.1p2-1.x86_64.rpm
-rw-r--r-- 1 root root 41764 Nov 18 10:28 openssh-askpass-7.1p2-1.x86_64.rpm
-rw-r--r-- 1 root root 577584 Nov 18 10:28 openssh-clients-7.1p2-1.x86_64.rpm
-rw-r--r-- 1 root root 16960 Nov 18 10:28 openssh-debuginfo-7.1p2-1.x86_64.rpm
-rw-r--r-- 1 root root 390076 Nov 18 10:28 openssh-server-7.1p2-1.x86_64.rpm

Uninstall the old openssh

rpm -qa | grep openssh | xargs rpm -e --nodeps

Install the generated RPM packages

yum install openssh-*
Loaded plugins: fastestmirror, refresh-packagekit, security
Setting up Install Process
Examining openssh-7.1p2-1.x86_64.rpm: openssh-7.1p2-1.x86_64
Marking openssh-7.1p2-1.x86_64.rpm to be installed
Loading mirror speeds from cached hostfile
* base: mirrors.aliyun.com
* epel: mirrors.ustc.edu.cn
* extras: mirrors.aliyun.com
* remi-safe: mirrors.tuna.tsinghua.edu.cn
* updates: mirrors.aliyun.com
Examining openssh-askpass-7.1p2-1.x86_64.rpm: openssh-askpass-7.1p2-1.x86_64
Marking openssh-askpass-7.1p2-1.x86_64.rpm to be installed
Examining openssh-clients-7.1p2-1.x86_64.rpm: openssh-clients-7.1p2-1.x86_64
Marking openssh-clients-7.1p2-1.x86_64.rpm to be installed
Examining openssh-debuginfo-7.1p2-1.x86_64.rpm: openssh-debuginfo-7.1p2-1.x86_64
Marking openssh-debuginfo-7.1p2-1.x86_64.rpm to be installed
Examining openssh-server-7.1p2-1.x86_64.rpm: openssh-server-7.1p2-1.x86_64
Marking openssh-server-7.1p2-1.x86_64.rpm to be installed
Resolving Dependencies
--> Running transaction check
---> Package openssh.x86_64 0:7.1p2-1 will be installed
---> Package openssh-askpass.x86_64 0:7.1p2-1 will be installed
---> Package openssh-clients.x86_64 0:7.1p2-1 will be installed
---> Package openssh-debuginfo.x86_64 0:7.1p2-1 will be installed
---> Package openssh-server.x86_64 0:7.1p2-1 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

====================================================================================================================================================================================================
Package Arch Version Repository Size
====================================================================================================================================================================================================
Installing:
openssh x86_64 7.1p2-1 /openssh-7.1p2-1.x86_64 1.9 M
openssh-askpass x86_64 7.1p2-1 /openssh-askpass-7.1p2-1.x86_64 73 k
openssh-clients x86_64 7.1p2-1 /openssh-clients-7.1p2-1.x86_64 2.0 M
openssh-debuginfo x86_64 7.1p2-1 /openssh-debuginfo-7.1p2-1.x86_64 0.0
openssh-server x86_64 7.1p2-1 /openssh-server-7.1p2-1.x86_64 937 k

Transaction Summary
====================================================================================================================================================================================================
Install 5 Package(s)

Total size: 4.9 M
Installed size: 4.9 M
Is this ok [y/N]: y
Downloading Packages:
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Warning: RPMDB altered outside of yum.
** Found 5 pre-existing rpmdb problem(s), 'yum check' output follows:
git-1.7.1-4.el6_7.1.x86_64 has missing requires of openssh-clients
gnome-user-share-2.28.2-3.el6.x86_64 has missing requires of httpd >= ('0', '2.2.0', None)
php-5.6.26-1.el6.remi.x86_64 has missing requires of httpd-mmn = ('0', '20051115', None)
python-meh-0.12.1-3.el6.noarch has missing requires of openssh-clients
systemtap-client-2.9-4.el6.x86_64 has missing requires of openssh-clients
Installing : openssh-7.1p2-1.x86_64 1/5
Installing : openssh-askpass-7.1p2-1.x86_64 2/5
Installing : openssh-server-7.1p2-1.x86_64 3/5
Installing : openssh-clients-7.1p2-1.x86_64 4/5
Installing : openssh-debuginfo-7.1p2-1.x86_64 5/5
Verifying : openssh-askpass-7.1p2-1.x86_64 1/5
Verifying : openssh-server-7.1p2-1.x86_64 2/5
Verifying : openssh-7.1p2-1.x86_64 3/5
Verifying : openssh-clients-7.1p2-1.x86_64 4/5
Verifying : openssh-debuginfo-7.1p2-1.x86_64 5/5

Installed:
openssh.x86_64 0:7.1p2-1 openssh-askpass.x86_64 0:7.1p2-1 openssh-clients.x86_64 0:7.1p2-1 openssh-debuginfo.x86_64 0:7.1p2-1 openssh-server.x86_64 0:7.1p2-1
Complete!

Update the configuration file to the new version, so that changed parameters do not make remote login impossible

cp /etc/ssh/sshd_config.rpmnew /etc/ssh/sshd_config

After upgrading with the self-built ssh RPM packages, ssh can no longer log in to the system, with the following errors:

PAM unable to dlopen(/lib64/security/pam_stack.so): /lib64/security/pam_stack.so: cannot open shared object file: No such file or directory
PAM adding faulty module: /lib64/security/pam_stack.so

Solution:
After the upgrade, the ssh RPM changes the /etc/pam.d/sshd file to the following:

#%PAM-1.0
auth required pam_stack.so service=system-auth
account required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth

It needs to be restored to its original form, as follows:

#%PAM-1.0
auth required pam_sepermit.so
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth
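
The login failure above comes from /etc/pam.d/sshd naming a module (pam_stack.so) that does not exist in /lib64/security. As an added example (not part of the original post), the shell function below lists every module a PAM service file references that is missing from the module directory, so the file can be checked before sshd is restarted. The names missing_pam_modules and demo, and the sample files built in demo, are constructed for this example.

```shell
#!/bin/sh
# Added example: report PAM modules that a service file references but that
# are absent from the module directory (the pam_stack.so failure above).

# missing_pam_modules FILE [MODULE_DIR]
# Prints one missing module per line; prints nothing when all resolve.
missing_pam_modules() {
    pam_file=$1
    mod_dir=${2:-/lib64/security}
    # Strip comments and collapse a bracketed control field such as
    # [success=1 default=ignore] so the module is always field 3.
    # include/substack lines name another service file, not a module.
    sed -e 's/#.*//' -e 's/\[[^]]*\]/BRACKET/' "$pam_file" |
    awk 'NF >= 3 && $2 != "include" && $2 != "substack" { print $3 }' |
    sort -u |
    while read -r mod; do
        case $mod in
            /*) path=$mod ;;             # module given as absolute path
            *)  path=$mod_dir/$mod ;;    # module resolved in MODULE_DIR
        esac
        [ -e "$path" ] || printf '%s\n' "$mod"
    done
}

# Constructed sample: the post-upgrade /etc/pam.d/sshd shown on this page,
# checked against a module directory that has no pam_stack.so.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/security"
    touch "$tmp/security/pam_nologin.so"
    cat > "$tmp/sshd" <<'EOF'
#%PAM-1.0
auth required pam_stack.so service=system-auth
account required pam_nologin.so
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_stack.so service=system-auth
EOF
    missing_pam_modules "$tmp/sshd" "$tmp/security"
    rm -rf "$tmp"
}

demo
```

On the upgraded host, `missing_pam_modules /etc/pam.d/sshd` should print nothing once the file has been restored; keep the current SSH session open until a new login has been confirmed.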

Restart the SSH service

/etc/init.d/sshd restart