linux openssh 升级最新版本

直接上脚本吧!

前提条件:

1、准备好本地yum源,防止突发情况无法回退

2、注意对应系统版本,此版本为centos7系列

#!/bin/bash


###升级penssl部分###
yum -y install openssl openssl-devel pcre pcre-devel zlib zlib-devel gcc gcc-c++ pam pam-devel vim
mv /usr/bin/openssl /usr/bin/openssl.old
mv /usr/include/openssl /usr/include/openssl.old
tar -zxvf openssl-1.1.1h.tar.gz && cd openssl-1.1.1h/
./config --prefix=/usr/local/openssl --openssldir=/usr/local/openssl shared zlib-dynamic && make && make install
mv /usr/lib64/libssl.so /usr/lib64/libssl.so.old
ln -s /usr/local/openssl/lib/libssl.so /usr/lib64/libssl.so
echo "/usr/local/openssl/lib" >> /etc/ld.so.conf
ldconfig -v |grep libssl --color
ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl
ln -s /usr/local/openssl/include/openssl/ /usr/include/openssl
strings /usr/lib64/libssl.so |grep OpenSSL
openssl version -a

###升级openssh部分###
cp -arp /etc/pam.d /etc/pam.d.old
systemctl stop sshd.service
mv /etc/ssh /etc/ssh.old
yum -y remove openssh
cd /root/;tar -zxvf openssh-8.4p1.tar.gz && cd openssh-8.4p1
./configure --prefix=/usr/ --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-ssl-dir=/usr/local/openssl --without-hardening
make && make install && install -v -m755 contrib/ssh-copy-id /usr/bin/  &&  install  -v  -m644  contrib/ssh-copy-id.1 /usr/share/man/man1/  &&  install  -v  -m755  -d /usr/share/doc/openssh-8.4p1 && install -v -m644 INSTALL LICENCE OVERVIEW README* /usr/share/doc/openssh-8.4p1
cp ./contrib/redhat/sshd.init /etc/init.d/sshd
chkconfig --add sshd
sed -i "32 aPermitRootLogin yes" /etc/ssh/sshd_config
systemctl start sshd
systemctl restart sshd
systemctl status sshd
cd /root/openssh-8.4p1/ && cp contrib/redhat/sshd.pam /etc/pam.d/sshd
cat > /etc/pam.d/sshd << EOF
#%PAM-1.0
auth required pam_sepermit.so
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth
EOF
sed -i "s/UsePAM no/UsePAM yes/" /etc/ssh/sshd_config
sed -i "s/#UsePAM no/UsePAM yes/" /etc/ssh/sshd_config
sed -i "s/#UsePAM yes/UsePAM yes/" /etc/ssh/sshd_config
sed -i "s/#UseDNS no/UseDNS no/" /etc/ssh/sshd_config
sed -i "s/#UseDNS yes/UseDNS no/" /etc/ssh/sshd_config
sed -i "s/UseDNS yes/UseDNS no/" /etc/ssh/sshd_config
systemctl restart sshd

#重启系统
#reboot
echo "请手动重启系统"

回退

#!/bin/bash
#检查备份的配置文件是否存在 
ls /etc/ | grep ssh.old
ls /usr/include/ | grep openssl.old
ls  /usr/bin/  | grep openssl.old
ls  /usr/lib64/  | grep libssl.so.old

#回退openssh
systemctl stop sshd
chkconfig --del sshd
rm -rf /etc/init.d/sshd
rm -rf /etc/ssh
mv /etc/ssh.old /etc/ssh
mv /etc/pam.d.old /etc/pam.d/
yum -y install openssh openssh-clients  openssh-server
systemctl restart sshd

#回退openssl
rm -rf /usr/include/openssl
rm -rf /usr/local/openssl
mv /usr/include/openssl.old /usr/include/openssl
rm -rf /usr/bin/openssl
mv /usr/bin/openssl.old /usr/bin/openssl
sed -ri '2d' /etc/ld.so.conf
rm -rf /usr/lib64/libssl.so
mv /usr/lib64/libssl.so.old /usr/lib64/libssl.so

发表评论

电子邮件地址不会被公开。 必填项已用*标注