Upgrading OpenSSH to 8.3 on CentOS 7 via RPM

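Background

A security scan required upgrading OpenSSH to version 8.3. The process differs somewhat from the 8.0 upgrade, so here are my notes.

As before, I use rpmbuild to turn the tarball into RPM packages. I don't like upgrading by compiling from source: you have to enable and later disable the telnet service, which is a hassle.

Getting started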

yum install rpm-build zlib-devel openssl-devel gcc perl-devel pam-devel unzip -y
mkdir -p /root/rpmbuild/{SOURCES,SPECS}
cd /root/rpmbuild/SOURCES
wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.3p1.tar.gz
wget https://src.fedoraproject.org/repo/pkgs/openssh/x11-ssh-askpass-1.2.4.1.tar.gz/8f2e41f3f7eaa8543a2440454637f3c3/x11-ssh-askpass-1.2.4.1.tar.gz
tar zxvf openssh-8.3p1.tar.gz openssh-8.3p1/contrib/redhat/openssh.spec
mv openssh-8.3p1/contrib/redhat/openssh.spec ../SPECS/
chown sshd:sshd /root/rpmbuild/SPECS/openssh.spec
cp /root/rpmbuild/SPECS/openssh.spec /root/rpmbuild/SPECS/openssh.spec_def
sed -i -e "s/%define no_gnome_askpass 0/%define no_gnome_askpass 1/g" /root/rpmbuild/SPECS/openssh.spec
sed -i -e "s/%define no_x11_askpass 0/%define no_x11_askpass 1/g" /root/rpmbuild/SPECS/openssh.spec
cd /root/rpmbuild/SPECS/
rpmbuild -ba openssh.spec

First error: error: Failed build dependencies: /usr/include/X11/Xlib.h
error: Failed build dependencies: 
	/usr/include/X11/Xlib.h is needed by openssh-8.3.p1-1.el7.x86_64
	libXt-devel is needed by openssh-8.3.p1-1.el7.x86_64
	imake is needed by openssh-8.3.p1-1.el7.x86_64
	gtk2-devel is needed by openssh-8.3.p1-1.el7.x86_64

Fix:

yum install libXt-devel imake gtk2-devel -y

Second error: openssl-devel < 1.1 is needed by openssh-8.3p1-1.el7.x86_64

构建依赖失败:openssl-devel < 1.1 被 openssh-8.3p1-1.el7.x86_64 需要

Fix:

[root@localhost SPECS]# vim openssh.spec

Comment out the line BuildRequires: openssl-devel < 1.1

Third error: RPM build errors: Installed (but unpackaged) file(s) found:

RPM build errors:
	Installed (but unpackaged) file(s) found:
	/usr/libexec/openssh/ssh-sk-helper
	/usr/share/man/man8/ssh-sk-helper.8.gz

Fix:

vi /usr/lib/rpm/macros

#%__check_files %{_rpmconfigdir}/check-files %{buildroot}
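Comment out this line, as shown above. /usr/lib/rpm/macros is system-wide, so this turns off the unpackaged-files check for every build on the host.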

Build succeeded

Upgrade

# Upgrade
rpm -Uvh *.rpm
# Fix permissions
cd /etc/ssh/
chmod 400 ssh_host_ecdsa_key ssh_host_ed25519_key ssh_host_rsa_key
# Allow root login
echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
# Without changing this file, login fails even though the password is correct.
cat <<EOF>/etc/pam.d/sshd
#%PAM-1.0
auth       required     pam_sepermit.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
## pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
## pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth
EOF
# Restart the service
systemctl restart sshd

Upgrade succeeded
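
Two of the upgrade steps above can fail quietly: sshd keeps the first value it reads for a keyword, so the appended PermitRootLogin line has no effect if an earlier uncommented one exists or if it lands inside a trailing Match block, and upstream sshd refuses host private keys that group or others can access. The script below is an added example, not part of the original post; its function names and sample files are constructed for illustration, and it assumes GNU find and plain "Keyword value" lines.

```bash
#!/bin/bash
# Added example (not from the original post): checks to run before
# `systemctl restart sshd`. Function names are illustrative.

# Print the value sshd will use for KEYWORD from the global section of FILE.
# sshd keeps the FIRST value it reads for a keyword, so a line appended with
# `echo ... >> sshd_config` loses to any earlier uncommented setting.
# Assumes "Keyword value" lines and no Include directives.
effective_directive() {   # usage: effective_directive FILE KEYWORD
    awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        /^[ \t]*(#|$)/          { next }              # comments, blank lines
        tolower($1) == "match"  { exit }              # global section ends here
        tolower($1) == want     { print $2; exit }    # first occurrence wins
    ' "$1"
}

# List host private keys in DIR that group or others can access. Upstream
# sshd refuses to load such keys, which is why the post runs chmod 400.
loose_host_keys() {       # usage: loose_host_keys DIR
    find "$1" -maxdepth 1 -type f -name 'ssh_host_*_key' -perm /077 | sort
}

# Build a constructed sample of /etc/ssh in a temp dir and echo its path.
make_sample() {
    d=$(mktemp -d)
    printf '%s\n' '#PermitRootLogin yes' 'Port 22' 'PermitRootLogin no' \
        'Match User backup' '    PermitRootLogin yes' > "$d/sshd_config"
    # The append step from the post: here it lands inside the Match block.
    echo 'PermitRootLogin yes' >> "$d/sshd_config"
    : > "$d/ssh_host_rsa_key";     chmod 640 "$d/ssh_host_rsa_key"
    : > "$d/ssh_host_ed25519_key"; chmod 400 "$d/ssh_host_ed25519_key"
    echo "$d"
}

sample=$(make_sample)
echo "effective PermitRootLogin: $(effective_directive "$sample/sshd_config" PermitRootLogin)"
echo "keys sshd would reject:"; loose_host_keys "$sample"
rm -rf "$sample"
```

On the real host, `sshd -t` validates the configuration and host keys, and `sshd -T` prints the effective settings; both are the authoritative check before the restart.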

Original article: https://www.cnblogs.com/fsckzy/p/13264968.html