前言:近期等保出现了openssh相关漏洞,所以改了一下之前的在线升级脚本,将Openssh升级至9.5p1,OpenSSL升级至1.1.1w,已测试放心食用。

相关环境

  • 系统:CentOS Linux release 7.9.2009 (Core)
  • OpenSSH版本: 9.5p1
  • OpenSSL版本:1.1.1w
  • zlib版本(需要外网下载,根据需要更换版本):1.2.12

联网升级安装

脚本蓝奏云下载(离线安装包也已经整理好相关脚本依赖,防止CSDN白嫖党,解压密码:laobai)

#创建安装目录
mkdir -p /root/OpenSSH/zlib/

将zlib-1.2.12.tar.gz依赖包上传至/root/OpenSSH/zlib/目录下运行压缩包中的脚本即可

#将脚本放入/root/OpenSSH目录下
cd /root/OpenSSH

#将下段代码复制粘贴后授权运行即可
chmod a+x UpdateOpenSSH.sh
./UpdateOpenSSH.sh

脚本下载(网页可能会有符号替换,不建议复制)

#!/bin/bash

clear
echo ------------------------------------------
echo        CentOS7 openssh升级到9.5p1
echo              (date +%F-%T)
echo         注意环境,使用前请做好测试!!!
echo ------------------------------------------
sleep 3s
clear
echo 安装进程开始  3
sleep 1s
clear
echo 安装进程开始  3  2
sleep 1s
clear
echo 安装进程开始  3  2  1
sleep 1s
clear
echo 刷新yum元数据缓存
sleep 2s

yum makecache
sleep 3s
clear
echo 检测安装telnet服务
sleep 1s
echo 尝试启动telnet服务
sleep 1s
cp /etc/securetty /etc/securetty.bak
grep  "pts/0"  /etc/securetty ||  echo 'pts/0' >> /etc/securetty
grep  "pts/1"  /etc/securetty ||  echo 'pts/1' >> /etc/securetty
systemctl restart telnet.socket &&  systemctl restart xinetd
ps -ef |grep xinetd | egrep -v grep > /dev/null
if [? -eq 0 ]
then
    echo 检测到telnet服务已启动……
    systemctl enable telnet.socket
    systemctl enable xinetd
        sleep 2s
else
    echo 未检测到telnet服务,开始安装服务……
    sleep 2s
    yum -y install xinetd telnet-server
    sleep 2s
    clear
    echo 安装telnet服务结束,启动服务……
    systemctl restart telnet.socket &&  systemctl restart xinetd
    systemctl enable telnet.socket
    systemctl enable xinetd
    sleep 1s
fi
clear
echo 关闭SElinux及防火墙并禁用……
sleep 2s
setenforce 0
sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/selinux/config
cat /etc/selinux/config
systemctl stop firewalld.service
systemctl disable firewalld.service
sleep 2s
clear
echo 安装程序依赖包……
sleep 2s
#yum -y localinstall ls packages/*.rpm
yum -y install gcc gcc-c++ make pam pam-devel openssl-devel pcre-devel perl zlib-devel
sleep 1s
clear
echo 停止并卸载原有ssh
sleep 3s
systemctl stop sshd
cp -r /etc/ssh /etc/ssh.old
cp -r /etc/init.d/ssh /etc/init.d/ssh.old
rpm -qa | grep openssh
sleep 1s
rpm -e `rpm -qa | grep openssh` --nodeps
rpm -qa | grep openssh
sleep 1s
clear

echo 判断是否需要安装wget
WGET=`rpm -qa | grep wget`
if [WGET -z ];then
    yum install -y wget
fi
echo 准备文件和参数
echo ################################################################
echo 服务器无法联网下载的可以将所需要的升级包放到/root/OpenSSH目录下
echo ################################################################
file=/root/OpenSSH
#zlib=http://www.zlib.net/zlib-1.2.12.tar.gz
openssl=https://www.openssl.org/source/openssl-1.1.1w.tar.gz
openssh=https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.5p1.tar.gz 
echo 创建目录
mkdir -pfile/zlib
mkdir -p file/openssl
mkdir -pfile/openssh
echo 联网通过wget下载安装包
cd file
#echo 开始下载zlib
#wgetzlib
echo 开始下载openssl
wget --no-check-certificate openssl
echo 开始下载openssh
wget --no-check-certificateopenssh
###安装相关依赖包###
yum install -y gcc make perl zlib zlib-devel pam pam-devel

echo 安装zlib
sleep 2s
tar -xzf zlib*.tar.gz -C file/zlib 
sleep 2s
cdfile/zlib/zlib*
./configure --prefix=/usr/local/zlib && make && make install
ls -l /usr/local/zlib
cd ..
sleep 1s
clear
echo 配置zlib
grep  "/usr/local/zlib/lib"  /etc/ld.so.conf.d/zlib.conf ||  echo '/usr/local/zlib/lib' >> /etc/ld.so.conf.d/zlib.conf
ldconfig -v
sleep 1s
clear
echo 安装openssl
sleep 5s
mv -f /usr/bin/openssl /usr/bin/openssl.old
mv -f /usr/include/openssl /usr/include/openssl.old
mv -f /usr/lib64/openssl /usr/lib64/openssl.old
rm -rf /usr/local/ssl
cd file
tar -xzf openssl*.tar.gz -Cfile/openssl
cd file/openssl/openssl*
./config --prefix=/usr/local/ssl --openssldir=/usr/local/ssl shared zlib && make && make install
cd ..
sleep 5s
clear
echo 配置openssl
sleep 5s
ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
ln -s /usr/local/ssl/include/openssl /usr/include/openssl
ln -s /usr/local/lib64/libssl.so.1.1 /usr/lib64/libssl.so.1.1
ln -s /usr/local/lib64/libcrypto.so.1.1 /usr/lib64/libcrypto.so.1.1
grep  "/usr/local/ssl/lib"  /etc/ld.so.conf.d/ssl.conf ||  echo '/usr/local/ssl/lib' >> /etc/ld.so.conf.d/ssl.conf
grep  "/usr/local/lib"  /etc/ld.so.conf.d/ssl.conf ||  echo '/usr/local/lib' >> /etc/ld.so.conf.d/ssl.conf
ldconfig -v
openssl version -a
sleep 5s
clear
echo 安装openssh
sleep 5s
rm -rf /etc/ssh
cdfile
tar -xzf openssh*.tar.gz -C file/openssh
cdfile/openssh/openssh*
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-openssl-includes=/usr/local/ssl/include --with-ssl-dir=/usr/local/ssl   --with-zlib --with-md5-passwords
make
sleep 5s
sudo chmod 600 /etc/ssh/ssh_host_rsa_key
sudo chmod 600 /etc/ssh/ssh_host_ecdsa_key
sudo chmod 600 /etc/ssh/ssh_host_ed25519_key
make install
cd ..
pwd
sleep 5s
clear
echo 配置openssh
sleep 10s
echo "PasswordAuthentication yes"   >> /etc/ssh/sshd_config
echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
echo 'Banner /etc/issue' >> /etc/ssh/sshd_config
cp -p openssh-9.5p1/contrib/redhat/sshd.init /etc/init.d/sshd
chmod +x /etc/init.d/sshd
sudo chmod 600 /etc/ssh/ssh_host_rsa_key
sudo chmod 600 /etc/ssh/ssh_host_ecdsa_key
sudo chmod 600 /etc/ssh/ssh_host_ed25519_key
chkconfig --add sshd
chkconfig sshd on
systemctl restart sshd
sleep 10s
clear
systemctl status sshd
if [ $? -eq 0 ]
then
    clear
    echo SSH安装并运行成功,开始关闭并禁用telnet
    sleep 1s
    systemctl stop telnet.socket &&  systemctl stop xinetd
    systemctl disable telnet.socket &&  systemctl disable xinetd
    sleep 1s
    echo 升级完成,安装ssh2扩展支持
    sleep 5s
    yum install libssh2 -y
    clear
    echo 安装进程结束
    sleep 5s
else
    echo SSH未成功安装或配置,安装进程即将退出,请检查日志……
    sleep 5s
fi

升级成功

#输入命令查看升级效果
ssh -V
OpenSSH_9.5p1, OpenSSL 1.1.1w  11 Sep 2023