popyone
Published 2024-02-04 / 284 views

OpenSSH: compile and install over the existing installation (OpenSSL 3.2.1)

Install a telnet server

Prerequisite for upgrading sshd safely: install a telnet server first, so there is a way back in if the new sshd fails to start.
① CentOS

yum install -y telnet-server telnet xinetd
systemctl start telnet.socket

② Debian

apt install -y telnetd telnet xinetd

If there is no telnet file under /etc/xinetd.d/, create one:

vim /etc/xinetd.d/telnet

# default: on
# description: The telnet server serves telnet sessions; it uses \
#       unencrypted username/password pairs for authentication.
service telnet
{
        disable         = no
        flags           = REUSE
        socket_type     = stream
        wait            = no
        user            = root
        server          = /usr/sbin/telnetd
        log_on_failure  += USERID
}

Restart the xinetd service:
systemctl restart xinetd

Compile and install OpenSSH

Log in over telnet first; if anything goes wrong, the sshd installation can then be restored.

1. Install the build environment

apt install -y curl libssl-dev zlib1g-dev cmake gcc libpam0g-dev libsystemd-dev

2. Compile and install OpenSSL (omitted)

3. Download the OpenSSH source
Upstream source:

curl https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.6p1.tar.gz -o /usr/local/src/openssh-9.6p1.tar.gz

Domestic (China) mirror:

curl https://mirrors.aliyun.com/pub/OpenBSD/OpenSSH/portable/openssh-9.6p1.tar.gz -o /usr/local/src/openssh-9.6p1.tar.gz

4. Configure and build, overwriting the existing installation

cd /usr/local/src/
tar zxf /usr/local/src/openssh-9.6p1.tar.gz
cd openssh-9.6p1/
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/openssl/openssl3/lib --with-zlib --with-pam
  • ./configure
  • --prefix=/usr: installation directory; if not set, binaries default to /usr/local/sbin and /usr/local/bin
  • --sysconfdir=/etc/ssh: configuration file directory; if not set, defaults to /usr/local/etc
  • --with-privsep-path: chroot directory for the unprivileged user
  • --with-privsep-user=sshd: use sshd as the unprivileged user
  • --with-ssl-dir=/usr/local/openssl/openssl3/lib: the OpenSSL installation directory
  • --with-zlib: the zlib library installation directory
  • --with-pam

OpenSSH compiled from source does not support systemd. The following modification, found on GitHub, edits the sshd source to add systemd support:
https://gist.github.com/roommen/18cd78d07b0fbc962de4e79c1d468f92?permalink_comment_id=4682416#gistcomment-4682416

5. Edit sshd.c
① Add the marked line:

127 #include "sk-api.h"
128 #include "srclimit.h"
129 #include "dh.h"
130 #include <systemd/sd-daemon.h>         <---- this line

② Add the marked lines:

2097                 /* Signal systemd that we are ready to accept connections */     <---- this line
2098                 sd_notify (0, "READY=1");                                        <---- this line
2099
2100                 /* Accept a connection and return in a forked child */
2101                 server_accept_loop(&sock_in, &sock_out,
2102                     &newsock, config_s);

6. Install the development library
CentOS:

sudo yum install -y systemd-devel

Debian:

apt install -y systemd-dev

7. Update the LIBS variable in the Makefile

51 #LIBS=-ldl -lutil  -lresolv
52 LIBS =-lcrypto -ldl -lutil -lz -lcrypt -lresolv -lsystemd

8. Compile and install

make && make install

9. Adjust the ssh service (if you installed to the paths above, the service file needs no changes)

vim /lib/systemd/system/ssh.service

[Unit]
Description=OpenBSD Secure Shell server
Documentation=man:sshd(8) man:sshd_config(5)
After=network.target auditd.service
ConditionPathExists=!/etc/ssh/sshd_not_to_be_run

[Service]
EnvironmentFile=-/etc/default/ssh
ExecStartPre=/usr/sbin/sshd -t
ExecStart=/usr/sbin/sshd -D $SSHD_OPTS
ExecReload=/usr/sbin/sshd -t
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
Restart=on-failure
RestartPreventExitStatus=255
Type=notify
RuntimeDirectory=sshd
RuntimeDirectoryMode=0755

[Install]
WantedBy=multi-user.target
Alias=sshd.service
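The `sd_notify(0, "READY=1")` call added in step 5 and `Type=notify` in the unit above are the two halves of one protocol: systemd passes the service a datagram socket path in NOTIFY_SOCKET and only considers it started once READY=1 arrives there, so a `Type=notify` unit whose sshd binary was built without the patch never becomes active and is killed when the start timeout expires. The following added example (not from the post, OpenSSH or systemd) re-implements that call in plain C together with a stand-in receiver, so the exchange can be checked without systemd; the function names and the /tmp path are constructed for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Fill a path-based AF_UNIX address; -1 if the path does not fit. */
static int unix_addr(struct sockaddr_un *a, const char *path)
{
    memset(a, 0, sizeof *a);
    a->sun_family = AF_UNIX;
    if (strlen(path) >= sizeof a->sun_path) return -1;
    strcpy(a->sun_path, path);
    return 0;
}

/* What sd_notify(0, "READY=1") does in the patched sshd.c: send a "READY=1"
 * datagram to the socket named in $NOTIFY_SOCKET. Returns 0 when the variable
 * is unset (not started with Type=notify), 1 when sent, -1 on error. */
int notify_ready(void)
{
    const char *path = getenv("NOTIFY_SOCKET");
    struct sockaddr_un addr;
    if (path == NULL || *path == '\0') return 0;
    if (unix_addr(&addr, path) < 0) return -1;
    int fd = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    ssize_t n = sendto(fd, "READY=1", 7, 0, (struct sockaddr *)&addr, sizeof addr);
    close(fd);
    return n == 7 ? 1 : -1;
}

/* Stand-in for systemd's side (constructed for this example): bind a datagram
 * socket at a temporary path, export NOTIFY_SOCKET, call notify_ready() and
 * check that exactly "READY=1" arrived. 1 on success, 0 on failure. */
int selftest_notify(void)
{
    char path[] = "/tmp/notify-XXXXXX", buf[64] = {0};
    struct sockaddr_un addr;
    int tfd = mkstemp(path);
    if (tfd < 0) return 0;
    close(tfd); unlink(path);            /* reuse the unique name for the socket */
    int srv = socket(AF_UNIX, SOCK_DGRAM, 0);
    if (srv < 0 || unix_addr(&addr, path) < 0 ||
        bind(srv, (struct sockaddr *)&addr, sizeof addr) < 0) return 0;
    setenv("NOTIFY_SOCKET", path, 1);
    int sent = notify_ready();
    ssize_t n = sent == 1 ? recv(srv, buf, sizeof buf - 1, 0) : -1;
    close(srv); unlink(path); unsetenv("NOTIFY_SOCKET");
    return sent == 1 && n == 7 && strcmp(buf, "READY=1") == 0;
}
```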

10. Edit sshd_config
Compare against the previous configuration and update sshd_config and ssh_config accordingly.

vim /etc/ssh/sshd_config
......

11. Reload the service

systemctl daemon-reload
systemctl restart sshd

12. Symlink the new sftp-server

rm /usr/lib/sftp-server
ln -s /usr/libexec/sftp-server /usr/lib/sftp-server

13. Check the version number

ssh -V
OpenSSH_9.6p1, OpenSSL 3.2.1 30 Jan 2024
