
使用官网tar包制作OpenSSL及OpenSSH rpm包进行升级安装(OpenSSH_9.9p1, without OpenSSL未解决)

一、制作openssl-1.1.1w.rpm包

1、安装基础依赖包和rpmbuild及其依赖包

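# Build toolchain and rpmbuild tooling; each package is listed once.
yum install -y curl which make gcc perl perl-WWW-Curl rpm-build rpmdevtools tree
# Libraries and headers used by the OpenSSL and OpenSSH builds.
yum install -y gcc-c++ glibc glibc-devel openssl openssl-devel \
  pcre-devel zlib zlib-devel perl-devel imake wget xmkmf \
  initscripts krb5-devel pam-devel libX11-devel libXt-devel gtk2-devel \
  autoconf libtool unzip gdb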

此处注意若有报:没有可用软件包;自行配置本地yum源及ali源可以解决

2、创建rpmbuild目录

# Create the rpmbuild directory tree (BUILD, RPMS, SOURCES, SPECS, SRPMS) under the
# invoking user's home directory; the paths used on this page assume that user is root.
# NOTE(review): building as root means a mistake in a spec's install or clean step
# runs with full privileges; a dedicated unprivileged build user limits that.
rpmdev-setuptree  
tree /root/rpmbuild

3、创建spec文件

spec文件可自定义名称,后缀为.spec即可。此处命名为openssl.spec与后续制作openssh区分开,现实使用时可以更为详细的标注版本号

此处注意ssl安装位置,下文安装位置为/usr/openssl

vim /root/rpmbuild/SPECS/openssl.spec
--------------------------------------------------------------------------
# Spec that packages OpenSSL 1.1.1w under a private prefix (openssldir, defined below)
# and exposes it through symlinks in the standard bin and lib directories.
# NOTE(review): upstream ended public support for the 1.1.1 series in September 2023 and
# 1.1.1w was its last public release, so this package gets no further upstream security
# fixes; confirm that is acceptable before deploying it.
Summary: OpenSSL 1.1.1w for Centos
# Same name as the distribution package, so installing this RPM takes its place.
Name: openssl
# Uses an already-defined version macro when there is one, otherwise 1.1.1w.
Version: %{?version}%{!?version:1.1.1w}
Release: 1%{?dist}
Obsoletes: %{name} <= %{version}
Provides: %{name} = %{version}
URL: https://www.openssl.org/
# NOTE(review): OpenSSL 1.1.1 is distributed under the OpenSSL and SSLeay licences;
# check this tag against the LICENSE file shipped in the tarball.
License: GPLv2+

# rpmbuild reads the tarball with this file name from the SOURCES directory; it does not
# verify it, so check its digest against the published value before building.
Source: https://www.openssl.org/source/%{name}-%{version}.tar.gz

BuildRequires: make gcc perl perl-WWW-Curl
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root
# Private install prefix used for both the prefix and the OpenSSL config directory.
%global openssldir /usr/openssl

%description
OpenSSL RPM for version 1.1.1w on Centos

%package devel
Summary: Development files for programs which will use the openssl library
Group: Development/Libraries
Requires: %{name} = %{version}-%{release}

%description devel
OpenSSL RPM for version 1.1.1w on Centos (development package)

%prep
# Unpack the source tarball quietly.
%setup -q

%build
# Configure with the private prefix, then compile.
./config --prefix=%{openssldir} --openssldir=%{openssldir}
make

%install
# Guard: never remove the build root if it resolves to the filesystem root.
[ "%{buildroot}" != "/" ] && %{__rm} -rf %{buildroot}
%make_install

# Symlinks in the standard bin and lib directories that point at the final install
# prefix, so the new binary and the 1.1 shared libraries are found without extra
# search paths.
mkdir -p %{buildroot}%{_bindir}
mkdir -p %{buildroot}%{_libdir}
ln -sf %{openssldir}/lib/libssl.so.1.1 %{buildroot}%{_libdir}
ln -sf %{openssldir}/lib/libcrypto.so.1.1 %{buildroot}%{_libdir}
ln -sf %{openssldir}/bin/openssl %{buildroot}%{_bindir}

%clean
# Same guard as in the install step.
[ "%{buildroot}" != "/" ] && %{__rm} -rf %{buildroot}

%files
# NOTE(review): the default-attributes line comes after the first entry here; it is
# normally placed first so that it applies to every listed path.
%{openssldir}
%defattr(-,root,root)
/usr/bin/openssl
/usr/lib64/libcrypto.so.1.1
/usr/lib64/libssl.so.1.1

%files devel
# NOTE(review): the include directory is already covered by the whole-prefix entry of the
# main package, so these headers are packaged twice; rpmbuild may warn about that.
%{openssldir}/include/*
%defattr(-,root,root)

%post -p /sbin/ldconfig

%postun -p /sbin/ldconfig

4、准备tar包

SSL网址:1.1.1 | Library

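cd /root/rpmbuild/SOURCES
# Manual step: upload openssl-1.1.1w.tar.gz into this directory.
# Check the tarball against the SHA-256 digest published by the OpenSSL project before
# building; replace the placeholder with that value.
echo "<EXPECTED_SHA256_FROM_OPENSSL_PROJECT>  openssl-1.1.1w.tar.gz" | sha256sum -c -
# Unpacking here is only for inspection; the spec's setup step unpacks the tarball
# from SOURCES on its own.
tar -zxvf openssl-1.1.1w.tar.gz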

5、开始编译openssl.spec文件

rpmbuild -ba /root/rpmbuild/SPECS/openssl.spec   

6、验证

cd /root/rpmbuild/RPMS/x86_64 && ls

二、rpm升级至openssl-1.1.1w

openssl version

升级高版本openssl 切记有风险!  备份旧版openssl文件

迭代直接替换原有文件 – 如有需要建议备份以下文件

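# Keep copies of the files the new package replaces or shadows.
# -p on mkdir makes the step repeatable; -p on cp keeps mode, owner and timestamps.
mkdir -p ~/ssl_bak
cp -p /usr/bin/openssl ~/ssl_bak/
cp -p /usr/lib64/libcrypto.so.1.0.2k ~/ssl_bak/
cp -p /usr/lib64/libssl.so.1.0.2k ~/ssl_bak/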

1、卸载 openssl并检查是否卸载

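# Remove every installed package whose name contains "openssl", except those whose
# name contains "libs" (openssl-libs has to stay installed).
# --nodeps bypasses dependency checks, so the list is printed for review first.
pkgs=$(rpm -qa | grep openssl | grep -v libs)
printf '%s\n' "$pkgs"
# Unquoted on purpose: one argument per package name. Skipped when the list is empty.
[ -n "$pkgs" ] && rpm -e --nodeps $pkgs
rpm -qa | grep openssl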

############
注意openssl-libs-1.0.2k-26.el7_9.x86_64包不卸载!!!

2、升级验证

# Force-install the locally built package and ignore dependency checks.
# NOTE(review): --force lets this package overwrite files owned by other packages and
# --nodeps skips dependency resolution; listing the payload first
# (rpm -qpl <package>.rpm) shows exactly which paths will be written.
rpm -ivh openssl-1.1.1w-1.el7.x86_64.rpm --nodeps --force
openssl version

3、替换原动态库

如需使用新版本开发,则需替换原来的软链接指向,即替换原动态库,进行版本升级。
替换/lib(lib64)和/usr/lib(lib64)和/usr/local/lib(lib64)存在的相应动态库:

# Point the unversioned libssl.so / libcrypto.so names in /usr/lib64 at the 1.1 libraries.
# NOTE(review): the unversioned names are what the linker resolves for -lssl / -lcrypto,
# so this changes what software built afterwards links against. Presumably the original
# links belong to openssl-devel and come back if that package is reinstalled; confirm
# with rpm -qf before replacing them.
ln -sf /usr/openssl/lib/libssl.so.1.1 /usr/lib64/libssl.so
ln -sf /usr/openssl/lib/libcrypto.so.1.1 /usr/lib64/libcrypto.so

三、制作openssh-9.9p1.rpm包

制作前先升openssl至1.1.1版本,方法自选

1、安装基础依赖包和rpmbuild依赖包(安装过可跳过该步骤

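# Build dependencies for OpenSSH; each package is listed once.
# NOTE(review): the distribution's openssl-devel provides the headers of the
# distribution's own OpenSSL (1.0.2k on this host, per the backup step); a build meant
# to link the 1.1.1 libraries has to be pointed at that install's include directory.
yum install -y rpm-build gcc gcc-c++ glibc glibc-devel openssl-devel \
  pcre-devel zlib zlib-devel perl perl-devel make imake wget xmkmf \
  initscripts krb5-devel pam-devel libX11-devel libXt-devel gtk2-devel \
  autoconf libtool unzip gdb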

2、安装rpmbuild和依赖(安装过可跳过该步骤

yum install rpm-build rpmdevtools tree -y  

3、创建rpmbuild目录(创建过可跳过该步骤

rpmdev-setuptree  
tree /root/rpmbuild

4、准备tar包

SSH网址:Index of /pub/OpenBSD/OpenSSH/portable/

还有x11-ssh-askpass-1.2.4.1.tar.gz

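cd /root/rpmbuild/SOURCES
# Fetch the sources by hand or with wget. The OpenSSH URL below is the 8.9p1 example;
# substitute the release that is actually being built.
# TLS certificate checking stays on: if wget rejects the certificate, update the
# ca-certificates package instead of disabling verification, because an unverified
# download can be replaced in transit.
wget -c https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.9p1.tar.gz
wget -c https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.9p1.tar.gz.asc
wget -c https://src.fedoraproject.org/repo/pkgs/openssh/x11-ssh-askpass-1.2.4.1.tar.gz/8f2e41f3f7eaa8543a2440454637f3c3/x11-ssh-askpass-1.2.4.1.tar.gz
# Verify the OpenSSH tarball against its detached signature; this needs the OpenSSH
# release signing key imported into the local GnuPG keyring from a trusted source.
gpg --verify openssh-8.9p1.tar.gz.asc openssh-8.9p1.tar.gz
# The askpass URL carries an MD5 value in its path. Comparing it catches a corrupted
# download, but MD5 is not collision-resistant, so a match is not proof of authenticity.
md5sum x11-ssh-askpass-1.2.4.1.tar.gz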

5、制作openssh.spec文件

tar -zxvf openssh-9.9p1.tar.gz
cp openssh-9.9p1/contrib/redhat/openssh.spec /root/rpmbuild/SPECS 
cd /root/rpmbuild/SPECS

6、修改openssh.spec文件

# Comment out the "BuildRequires: openssl-devel < 1.1" line so the build no longer
# insists on an OpenSSL older than 1.1.
# NOTE(review): each sed is a silent no-op when its pattern is not present in the spec
# shipped with the release being built; grep the spec afterwards to confirm the edit.
sed -i -e "s/BuildRequires: openssl-devel < 1.1/# BuildRequires: openssl-devel < 1.1/g" /root/rpmbuild/SPECS/openssh.spec
# Flip both askpass switches from 0 to 1 (presumably this skips building the GNOME and
# X11 askpass helpers; confirm against the comments in the spec).
sed -i -e "s/%global no_gnome_askpass 0/%global no_gnome_askpass 1/g" /root/rpmbuild/SPECS/openssh.spec
sed -i -e "s/%global no_x11_askpass 0/%global no_x11_askpass 1/g" /root/rpmbuild/SPECS/openssh.spec

 #######以下为验证/root/rpmbuild/SPECS/openssh.spec文件

vim /root/rpmbuild/SPECS/openssh.spec
-------------------------------------------------------------
# Add the following to the post-install scriptlet of the server subpackage in the
# openssh 9.9 spec.
# NOTE(review): when a backup directory already exists, cp -r copies into it
# (ssh.bak/ssh) instead of replacing it.
cp -r /etc/ssh /etc/ssh.bak
cp -r /usr/bin/ssh /usr/bin/ssh.bak
# NOTE(review): the next three lines all force "PermitRootLogin yes", and the echo
# appends one more line every time the scriptlet runs. Direct root login with a password
# exposes the root account to password guessing; the commented default being replaced
# (prohibit-password) still allows root with keys. Keep this only where root password
# login is an explicit requirement.
sed -i -e  "s/#PermitRootLogin prohibit-password/PermitRootLogin yes/g" /etc/ssh/sshd_config
sed -i "/#PermitRootLogin prohibit-password/c\PermitRootLogin yes" /etc/ssh/sshd_config
echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
# NOTE(review): "UsePAM no" takes sshd out of the PAM stack, so account, lockout and
# session policy enforced through PAM no longer applies to SSH logins; confirm nothing
# on the host depends on it before shipping this in a package.
sed -i  -e  "s/UsePAM yes/UsePAM no/g" /etc/ssh/sshd_config
systemctl restart sshd

# Add the OpenSSL install path to the configure invocation in the openssh 9.9 spec
# (author's open question: is the OpenSSL location what causes the error?).
# NOTE(review): the RPM built in part one installs under /usr/openssl, while
# /usr/local/openssl is the prefix of the from-source build in part five; the paths here
# have to match whichever install actually exists on the build host.
# NOTE(review): --with-openssl-includes does not look like an option that OpenSSH's
# configure defines; check ./configure --help, since unrecognized options are only
# warned about and otherwise ignored.
--with-openssl-includes=/usr/local/openssl/include \
--with-ssl-dir=/usr/local/openssl \

7、开始编译openssh.spec文件

rpmbuild -ba /root/rpmbuild/SPECS/openssh.spec   
cd /root/rpmbuild/RPMS/x86_64

####此处若有以下报错:

configure: error: cannot use --with-ssl-dir when OpenSSL disabled

错误:/var/tmp/rpm-tmp.iLX0dn (%build) 退出状态不好

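需要去掉 --with-ssl-dir 配置(怀疑这正是导致升级后显示 without OpenSSL 的原因,慎用)。该报错说明 configure 在处理 --with-ssl-dir 之前已经被设置为禁用 OpenSSL(例如 spec 的 %configure 段中带有 --without-openssl),因此更稳妥的做法是先检查 openssh.spec 中是否存在该选项,而不是只去掉 --with-ssl-dir。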

sed -i -e '/with-privsep-path/a\  --with-openssl-includes=/usr/local/openssl/include \\' openssh.spec

openssh.spec 配置如下图

四、rpm升级至openssh-9.9

当前版本为7.4

ssh -V

升级前先升openssl至1.1.1版本,方法自选

openssl version

 

1、检查并安装telnet服务

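# Temporary fallback access while sshd is being replaced.
# Telnet carries credentials and session data in clear text, and moving /etc/securetty
# aside lifts the restriction on which terminals root may log in from. Limit this to a
# trusted network and undo it as soon as the new sshd is verified:
#   systemctl stop telnet.socket
#   systemctl disable telnet.socket
#   mv /etc/securetty.bak /etc/securetty
rpm -q telnet-server
rpm -q telnet
# Quoted so that yum, not the shell, expands the pattern.
yum install -y 'telnet*'
systemctl enable telnet.socket
systemctl start telnet.socket
mv /etc/securetty /etc/securetty.bak
systemctl status telnet.socket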

2、安装依赖

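# Patterns are quoted so that yum, not the shell, expands them; an unquoted pattern
# would be replaced by any matching file name in the current directory.
yum -y install 'zlib*'
yum -y install 'pam-*'
yum -y install gcc
yum -y install openssl-devel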

3、备份

# Move the existing configuration directory and binaries aside as a rollback copy.
# NOTE(review): /etc/ssh presumably also holds the server's host keys. Unless the
# ssh_host_* files are copied back from /etc/ssh.bak after the install, sshd comes up
# with new keys and every client sees a host-key-changed warning.
mv /etc/ssh /etc/ssh.bak
mv /usr/bin/ssh /usr/bin/ssh.bak
mv /usr/sbin/sshd /usr/sbin/sshd.bak

4、卸载openssh

rpm -e openssh --nodeps
rpm -e openssh-clients --nodeps
rpm -e openssh-server --nodeps

5、检查openssh是否已经卸载

rpm -qa|grep openssh
ssh -V


 
6、安装openssh

cd /rpm包位置
rpm -ivh openssh* --nodeps


 
7、安装完成后,检查是否已经安装

rpm -qa|grep openssh
# NOTE(review): the page gives no reason for turning SELinux off. The setting is read at
# boot and removes enforcement for the whole system, not only for sshd. If sshd is denied
# after the install, relabelling the replaced files with restorecon, or a temporary
# permissive mode while reading the denials, is the narrower fix.
vim /etc/sysconfig/selinux
--------------------
SELINUX=disabled
---------------------

# Restart the service and verify.
# NOTE(review): sshd -t checks the configuration without restarting; keep the current
# session open until a new login has succeeded.
systemctl restart sshd
systemctl status sshd
ssh -V

五、编译升级OpenSSL-1.1.1c

当前实验理论解释较少,无详细命令解析

#查看当前openssl版本
ssh -V
openssl version   ####这个更准确

1、官网下载openssl-1.1.1c.tar.gz包(也可以自己准备传进去

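# Change into the directory that will hold the tarball (create it first if needed).
cd data

# Fetch the tarball.
# NOTE(review): 1.1.1c is an early release of the 1.1.1 series and lacks the security
# fixes shipped in the later letter releases; part one of this page packages 1.1.1w.
wget https://www.openssl.org/source/openssl-1.1.1c.tar.gz
# Check the download against the SHA-256 digest published by the OpenSSL project;
# replace the placeholder with that value.
echo "<EXPECTED_SHA256_FROM_OPENSSL_PROJECT>  openssl-1.1.1c.tar.gz" | sha256sum -c -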

2、解压

tar -zxvf openssl-1.1.1c.tar.gz
cd openssl-1.1.1c

3、编译安装

./config --prefix=/usr/local/openssl
make && make install

4、更新验证

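# Keep the distribution binary as a backup. Done only once, so that repeating this step
# does not overwrite the backup with the symlink created below.
[ -e /usr/bin/openssl.bak ] || mv /usr/bin/openssl /usr/bin/openssl.bak
ln -sf /usr/local/openssl/bin/openssl /usr/bin/openssl
# Register the new library directory once; a plain append would add a duplicate line
# to /etc/ld.so.conf every time this step is repeated.
grep -qxF /usr/local/openssl/lib /etc/ld.so.conf \
  || echo "/usr/local/openssl/lib" >> /etc/ld.so.conf
ldconfig -v
openssl version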


原文地址:https://blog.csdn.net/ZHUZIH6/article/details/133931034
