當前狀況
[root@osboxes osboxes]# uname -vor
3.10.0-693.11.1.el7.x86_64 #1 SMP Mon Dec 4 23:52:40 UTC 2017 GNU/Linux
[root@osboxes osboxes]# date
Mon Dec 11 09:15:20 GMT 2017
[root@osboxes osboxes]# openssl version
OpenSSL 1.0.2k-fips 26 Jan 2017
[root@osboxes osboxes]# ssh -V
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
[root@osboxes osboxes]#
目標
- 升級openssh到7.6p1
- 升級openssl到1.0.2n
- 注意：CentOS/RHEL 的 openssl-libs 會回溯修補 CVE（可用 `rpm -q --changelog openssl | grep CVE` 查看），版本號是 1.0.2k 不代表含有已知漏洞；本文的做法只影響自行編譯的 openssl 指令與 OpenSSH，系統其餘程式仍連結 yum 管理的 openssl-libs（見下方 deplist）。
過程
- 檢查依賴關係
[root@osboxes osboxes]# yum deplist openssh
dependency: libcrypto.so.10()(64bit)
provider: openssl-libs.x86_64 1:1.0.2k-8.el7
dependency: libcrypto.so.10(OPENSSL_1.0.1_EC)(64bit)
provider: openssl-libs.x86_64 1:1.0.2k-8.el7
dependency: libcrypto.so.10(OPENSSL_1.0.2)(64bit)
provider: openssl-libs.x86_64 1:1.0.2k-8.el7
dependency: libcrypto.so.10(libcrypto.so.10)(64bit)
provider: openssl-libs.x86_64 1:1.0.2k-8.el7
- 安裝openssl
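# Fetch, verify and build OpenSSL 1.0.2n into a private prefix (/usr/local/ssl).
# The distro openssl-libs 1.0.2k package is left untouched; this tree is only
# used for the openssl CLI and for linking OpenSSH in the next step.
set -euo pipefail

wget https://www.openssl.org/source/openssl-1.0.2n.tar.gz
# Verify the tarball before unpacking anything from it: the published SHA-256
# catches a corrupt/tampered download, the detached signature ties it to the
# OpenSSL release key (import that key into gpg from openssl.org first).
wget https://www.openssl.org/source/openssl-1.0.2n.tar.gz.sha256
wget https://www.openssl.org/source/openssl-1.0.2n.tar.gz.asc
# The .sha256 file holds only the hex digest; reformat it for sha256sum -c.
printf '%s  openssl-1.0.2n.tar.gz\n' "$(tr -d ' \n' < openssl-1.0.2n.tar.gz.sha256)" | sha256sum -c -
gpg --verify openssl-1.0.2n.tar.gz.asc openssl-1.0.2n.tar.gz

tar xvf openssl-1.0.2n.tar.gz
cd openssl-1.0.2n/
# Without the `shared` option only static libcrypto.a/libssl.a are produced,
# so OpenSSH below links OpenSSL statically: a future OpenSSL fix needs an
# OpenSSH rebuild as well. -fPIC is what lets that static archive link into
# a PIE binary.
./config --prefix=/usr/local/ssl -fPIC
make
# Run the self-tests before installing; a miscompiled crypto library is
# worse than an old one.
make test
make install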
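# Make the freshly built CLI the default `openssl` on PATH while keeping the
# distro binary as a backup.
# Expected before the switch:
#   openssl version                  -> OpenSSL 1.0.2k-fips 26 Jan 2017
#   /usr/local/ssl/bin/openssl version -> OpenSSL 1.0.2n 7 Dec 2017
#   command -v openssl               -> /usr/bin/openssl
openssl version
/usr/local/ssl/bin/openssl version
command -v openssl

# CAVEATS before doing this:
#  - /usr/bin/openssl is owned by the openssl RPM; the next `yum update
#    openssl` will put the packaged binary back over the symlink. Check
#    `readlink /usr/bin/openssl` after updates.
#  - The replacement is not a FIPS build; if FIPS mode matters on this host,
#    leave the distro binary in place.
#  - Only the CLI changes. libcrypto.so.10/libssl.so.10 used by everything
#    else on the system are still from openssl-libs 1.0.2k (see deplist).
# Guard so a re-run does not overwrite the backup with the symlink itself.
if [ ! -L /usr/bin/openssl ]; then
  mv /usr/bin/openssl /usr/bin/openssl.1.0.2k-fips
  ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
fi
openssl version   # -> OpenSSL 1.0.2n 7 Dec 2017

# ssh is still the distro build, linked against the old library:
ssh -V            # -> OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017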
- 安裝openssh
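# Build OpenSSH 7.6p1 against the OpenSSL tree from the previous step.
# Do this from a login session you keep open until the new sshd is confirmed
# working from a SECOND session; a broken sshd on a remote box is otherwise
# unrecoverable.

# Optional and destructive. Removing the RPM is not needed for
# `make install` with --prefix=/usr to overwrite its files, and wiping
# /etc/ssh destroys the host keys, so every client gets a host-key-changed
# warning afterwards. If you really want a clean config, back it up first.
#yum remove openssh-server openssh
#cp -a /etc/ssh "/etc/ssh.bak.$(date +%Y%m%d)"
#rm -rf /etc/ssh/

wget https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/openssh-7.6p1.tar.gz
# openbsd.hk is a third-party mirror: verify the detached signature with the
# OpenSSH release key (from openssh.com) before unpacking anything.
wget https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/openssh-7.6p1.tar.gz.asc
gpg --verify openssh-7.6p1.tar.gz.asc openssh-7.6p1.tar.gz
tar xzf openssh-7.6p1.tar.gz      # extraction step was missing from the notes
cd openssh-7.6p1/

# --without-hardening has been dropped: it turns off stack-protector, PIE and
# RELRO in the resulting ssh/sshd binaries. Only re-add it if the link against
# the static libcrypto in /usr/local/ssl actually fails without it.
# NOTE: with --prefix=/usr the helpers land in /usr/libexec (not the distro's
# /usr/libexec/openssh/); if the existing sshd_config is kept, check that its
# `Subsystem sftp` path points at the installed sftp-server.
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam \
  --with-ssl-dir=/usr/local/ssl --with-md5-passwords
make
make install
ssh -V          # -> OpenSSH_7.6p1, OpenSSL 1.0.2n 7 Dec 2017

# Syntax-check the config with the NEW sshd before touching the service.
/usr/sbin/sshd -t

# The RPM is (re)installed only to get the systemd unit. If the package was
# removed above, reinstalling it also puts the packaged 7.4p1 sshd back into
# /usr/sbin, so run make install again and confirm which build is on disk.
yum install -y openssh-server
make install
rpm -V openssh-server   # lists the package files now replaced by the local build
/usr/sbin/sshd -t

# Starting sshd by hand is only for a first test; once the SELinux step below
# is done use `systemctl restart sshd`, then log in again from a new session
# BEFORE closing the current one.
#/usr/sbin/sshd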
- 若系統啓用 SELinux，重啓 sshd service 之前先修正檔案標籤，必要時才產生自訂政策（先檢視 .te 內容再載入）：
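# SELinux: a binary written into /usr/sbin by `make install` most likely
# carries the directory's label (bin_t) instead of sshd_exec_t, so restore
# the file contexts first -- that alone usually clears the AVC denials.
restorecon -Rv /usr/sbin/sshd /usr/bin/ssh* /etc/ssh

# Only if denials remain after a restart attempt: build a module from the
# sshd AVC records. audit2allow grants EVERY operation it sees denied,
# including unrelated events logged earlier under "sshd", so narrow the
# input to AVC records for that command and read mypol.te before loading it.
ausearch -m avc -c sshd | audit2allow -M mypol
cat mypol.te
semodule -i mypol.pp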