Recently, because the default OpenSSH on CentOS 6.x turns up a large number of vulnerabilities in scans, openssh_5.3p1 had to be upgraded to the latest version for security reasons. I looked through many tutorials online and found that OpenSSH has a lot of dependencies; without solving the dependency problem it is hard to guarantee that other services keep working normally. OpenSSL, in turn, is depended on by a large number of programs. A real headache. In the end I found a scheme that upgrades cleanly without breaking any of those dependencies.
Note: curl, wget, yum and others depend on OpenSSL, and GitLab depends on OpenSSH. Uninstalling OpenSSH and OpenSSL and compiling them from source broke the various programs that depend on them; the upgrade succeeded in the end, but wget, curl and the code repository were broken.
http://www.openssh.com/portable.html
After downloading, unpack the tarball and read the README and INSTALL.
1. Prerequisites
----------------

A C compiler. Any C89 or better compiler should work. Where supported,
configure will attempt to enable the compiler's run-time integrity checking
options. Some notes about specific compilers:
 - clang: -ftrapv and -sanitize=integer require the compiler-rt runtime
   (CC=clang LDFLAGS=--rtlib=compiler-rt ./configure)

You will need working installations of Zlib and libcrypto (LibreSSL / OpenSSL)

Zlib 1.1.4 or 1.2.1.2 or greater (earlier 1.2.x versions have problems):
http://www.gzip.org/zlib/

libcrypto (LibreSSL or OpenSSL >= 1.0.1 < 1.1.0)
LibreSSL http://www.libressl.org/ ; or
OpenSSL http://www.openssl.org/

LibreSSL/OpenSSL should be compiled as a position-independent library
(i.e. with -fPIC) otherwise OpenSSH will not be able to link with it. If you
must use a non-position-independent libcrypto, then you may need to configure
OpenSSH --without-pie.

Note that because of API changes, OpenSSL 1.1.x is not currently supported.

The remaining items are optional.
The prerequisites in the official documentation say that OpenSSH only needs zlib 1.1.4 (or 1.2.1.2 or newer) and OpenSSL >= 1.0.1 (but below 1.1.0). So first check which OpenSSL and zlib versions the current system has:
[root@zabbix-serv ~]# openssl version
OpenSSL 1.0.1e-fips 11 Feb 2013
[root@zabbix-serv ~]# rpm -q zlib
zlib-1.2.3-29.el6.x86_64
[root@zabbix-serv ~]# rpm -q zlib-devel
zlib-devel-1.2.3-29.el6.x86_64
The bundled OpenSSL version meets the installation requirements of OpenSSH 7.7p1, and the bundled zlib also satisfies its dependency. So go ahead and build the RPMs:
mkdir -p /usr/src/redhat/{SOURCES,SPECS}
cd /usr/src/redhat/SOURCES/
wget http://ftp.riken.jp/Linux/momonga/6/Everything/SOURCES/x11-ssh-askpass-1.2.4.1.tar.gz
tar xf openssh-7.7p1.tar.gz
cp openssh-7.7p1/contrib/redhat/openssh.spec /usr/src/redhat/SPECS/
chown sshd:sshd /usr/src/redhat/SPECS/ -R
sed -i 's@%define no_gnome_askpass 0@%define no_gnome_askpass 1@g' /usr/src/redhat/SPECS/openssh.spec
sed -i 's@%define no_x11_askpass 0@%define no_x11_askpass 1@g' /usr/src/redhat/SPECS/openssh.spec
cp /usr/src/redhat/SOURCES/openssh-7.7p1.tar.gz ~/rpmbuild/SOURCES/
cd /usr/src/redhat/SPECS/
rpmbuild -ba openssh.spec
You can see that the resulting RPM packages are the same ones that a yum install would provide:
├── RPMS
│   └── x86_64
│       ├── openssh-7.7p1-1.el6.x86_64.rpm
│       ├── openssh-clients-7.7p1-1.el6.x86_64.rpm
│       ├── openssh-debuginfo-7.7p1-1.el6.x86_64.rpm
│       └── openssh-server-7.7p1-1.el6.x86_64.rpm

[root@zabbix-serv SPECS]# rpm -qa|grep openssh
openssh-clients-5.3p1-117.el6.x86_64
openssh-5.3p1-117.el6.x86_64
openssh-server-5.3p1-117.el6.x86_64
Replace the installed packages directly with the newly built RPMs:
[root@zabbix-serv x86_64]# rpm -Uvh *
Preparing...                ########################################### [100%]
   1:openssh                ########################################### [ 25%]
   2:openssh-clients        ########################################### [ 50%]
   3:openssh-server         warning: /etc/ssh/sshd_config created as /etc/ssh/sshd_config.rpmnew
########################################### [ 75%]
   4:openssh-debuginfo      ########################################### [100%]
After the installation, everything that depends on OpenSSL still works normally. Installing this way is much better than compiling from source.
[root@zabbix-serv x86_64]# sshd -V
unknown option -- V
OpenSSH_7.7p1, OpenSSL 1.0.1e-fips 11 Feb 2013
usage: sshd [-46DdeiqTt] [-C connection_spec] [-c host_cert_file]
            [-E log_file] [-f config_file] [-g login_grace_time]
            [-h host_key_file] [-o option] [-p port] [-u len]
[root@zabbix-serv x86_64]# ssh -V
OpenSSH_7.7p1, OpenSSL 1.0.1e-fips 11 Feb 2013
[root@zabbix-serv x86_64]# curl baidu.com -I
HTTP/1.1 200 OK
Date: Wed, 25 Apr 2018 16:37:49 GMT
Server: Apache
Last-Modified: Tue, 12 Jan 2010 13:48:00 GMT
ETag: "51-47cf7e6ee8400"
Accept-Ranges: bytes
Content-Length: 81
Cache-Control: max-age=86400
Expires: Thu, 26 Apr 2018 16:37:49 GMT
Connection: Keep-Alive
Content-Type: text/html

[root@zabbix-serv x86_64]# wget -q baidu.com
[root@zabbix-serv x86_64]# yum list >>/dev/null
Test whether a yum install of packages that depend on openssh would replace 7.7p1 with 5.3p1 again:
[root@zabbix-serv x86_64]# yum install openssh*
Loaded plugins: fastestmirror, security
Setting up Install Process
Examining openssh-7.7p1-1.el6.x86_64.rpm: openssh-7.7p1-1.el6.x86_64
openssh-7.7p1-1.el6.x86_64.rpm: does not update installed package.
Examining openssh-clients-7.7p1-1.el6.x86_64.rpm: openssh-clients-7.7p1-1.el6.x86_64
openssh-clients-7.7p1-1.el6.x86_64.rpm: does not update installed package.
Examining openssh-debuginfo-7.7p1-1.el6.x86_64.rpm: openssh-debuginfo-7.7p1-1.el6.x86_64
openssh-debuginfo-7.7p1-1.el6.x86_64.rpm: does not update installed package.
Examining openssh-server-7.7p1-1.el6.x86_64.rpm: openssh-server-7.7p1-1.el6.x86_64
openssh-server-7.7p1-1.el6.x86_64.rpm: does not update installed package.
Error: Nothing to do
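The manual checks above (version banners, curl/wget/yum still working, and the sshd_config.rpmnew warning from rpm -Uvh) can be scripted. The following is an added example, not part of the original post; it assumes the CentOS 6 paths and the 7.7p1 target version used in the post.

```shell
# Post-upgrade checks for the RPM-based OpenSSH upgrade described above
# (added example, not from the original post; assumes CentOS 6 paths and 7.7p1).

# Convert "7.7p1" to an integer (7*10000 + 7*100 + 1) for numeric comparison.
ssh_version_num() {
    printf '%s\n' "$1" | awk -F'[.p]' '{ printf "%d\n", $1 * 10000 + $2 * 100 + $3 }'
}

# Return 0 when the version in an "ssh -V" / "sshd -V" banner is >= $2.
ssh_version_ok() {
    have=$(printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*p[0-9][0-9]*\).*/\1/p')
    [ -n "$have" ] || return 1
    [ "$(ssh_version_num "$have")" -ge "$(ssh_version_num "$2")" ]
}

# Keep only the active (non-comment) directives of a config file, sorted.
active_directives() {
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e '/^$/d' "$1" | sort
}

# rpm -Uvh left the new default config as sshd_config.rpmnew. Print a diff and
# return 1 when its active directives differ from the live config, so the merge
# is done deliberately; return 0 when there is nothing to merge.
sshd_config_rpmnew_diff() {
    dir=${1:-/etc/ssh}
    [ -f "$dir/sshd_config.rpmnew" ] || return 0
    t1=$(mktemp) && t2=$(mktemp) || return 2
    active_directives "$dir/sshd_config" > "$t1"
    active_directives "$dir/sshd_config.rpmnew" > "$t2"
    diff -u "$t1" "$t2" && rc=0 || rc=$?
    rm -f "$t1" "$t2"
    return "$rc"
}

# Live-host checks: both binaries report the new version, any rpmnew merge is
# flagged, the distro openssl package is untouched, and the tools that broke in
# the author's source-build attempt still resolve all their shared libraries.
# "sshd -t" validates the config before a restart; keep the current session
# open until a fresh login succeeds.
post_upgrade_check() {
    ssh_version_ok "$(ssh -V 2>&1)" 7.7p1 || echo "ssh client older than 7.7p1"
    ssh_version_ok "$(sshd -V 2>&1 | grep OpenSSH_)" 7.7p1 || echo "sshd older than 7.7p1"
    sshd_config_rpmnew_diff /etc/ssh || echo "merge /etc/ssh/sshd_config.rpmnew before restarting"
    rpm -V openssl || echo "distro openssl package files were modified"
    for bin in curl wget ssh; do
        ldd "$(command -v "$bin")" | grep -q 'not found' && echo "$bin: missing shared library"
    done
    sshd -t && echo "sshd config OK; safe to run: service sshd restart"
}
```

Source the file and run post_upgrade_check as root on the upgraded host; the helper functions can also be run against a copied config directory.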