Category: System Operations

2017-02-01 00:06:58

15:48 2017/2/9  Completed

一. Requirements

    OpenSSL has the Heartbleed vulnerability and OpenSSH keeps having vulnerabilities disclosed, so upgrading the software is something that has to be done.
    Upgrading from source is possible, but the installation is cumbersome and slow, and not suited to bulk upgrades.
    Upgrading OpenSSH also carries risk: OpenSSH is the standard remote access tool on Linux, and if something goes wrong during the upgrade, remote access is lost and the machine can only be recovered by logging in locally.
    So a simple, safe and smooth upgrade method is needed, namely upgrading via RPM packages, with the RPMs built by fpm.
    The default OpenSSH on CentOS 6.5 and 6.8 is v5.3p1; installing the RPM upgrades it to v7.4p1. The default OpenSSL is 1.0.1e, which has the Heartbleed vulnerability, so upgrading only OpenSSH without OpenSSL does not raise the system's security level.
    Note: Red Hat and CentOS backport security fixes without changing the upstream version string, so "openssl version" alone does not show whether a given 1.0.1e build is still affected; rpm -q --changelog openssl lists the backported CVE fixes.
    The requirement for the RPMs is to upgrade openssl and openssh to the specified versions (openssl-1.0.2j, openssh-7.4p1) simply, conveniently and safely; uninstalling them must return the system to the default versions, and the whole process must never cut off SSH remote access.

二. Environment

    1. System and kernel:
       CentOS release 6.5 (Final)   kernel: 2.6.32-431.el6.x86_64
       CentOS release 6.8 (Final)   kernel: 2.6.32-642.13.1.el6.x86_64

    2. Ruby version: ruby-2.4.0
       fpm is written in Ruby, so Ruby must be installed from its source package and a gem source must be configured

    3. gem version: 2.6.8
       Check with: gem -v

    4. fpm version: 1.8.0
       Check with: fpm -v

    5. openssl-fips version: openssl-fips-2.0.14

    6. openssl version
       System default: openssl-1.0.1e-15   after upgrade: openssl-1.0.2j-fips
       Check with: openssl version

    7. openssh version
       System default: openssh-5.3p1    after upgrade: openssh-7.4p1
       Check with: client: ssh -V   server: sshd -V
    

三. Installing Ruby and fpm

    1. Download Ruby:

       wget

       Note: Ruby cannot be installed with yum, because the yum repositories, including EPEL, only carry Ruby 1.8.7 (rubygems-1.3.7), which is too old and makes the fpm installation fail

    2. Unpack, configure, build and install ruby-2.4:
       tar zxvf ruby-2.4-stable.tar.gz
       cd ruby-2.4.0
       yum install gcc gcc-c++ automake autoconf zlib zlib-devel openssl-devel pam-devel -y
       ./configure --prefix=/usr && make && make install

       Note: if the system clock is wrong, for example set to a time before the software's release date, ./configure fails

    Partial output:

installing binary commands:   /usr/bin
installing base libraries:    /usr/lib
installing arch files:        /usr/lib/ruby/2.4.0/x86_64-linux
installing pkgconfig data:    /usr/lib/pkgconfig
installing command scripts:   /usr/bin
installing library scripts:   /usr/lib/ruby/2.4.0
installing common headers:    /usr/include/ruby-2.4.0
installing manpages:          /usr/share/man/man1
installing extension objects: /usr/lib/ruby/2.4.0/x86_64-linux
installing extension objects: /usr/lib/ruby/site_ruby/2.4.0/x86_64-linux
installing extension objects: /usr/lib/ruby/vendor_ruby/2.4.0/x86_64-linux
installing extension headers: /usr/include/ruby-2.4.0/x86_64-linux
installing extension scripts: /usr/lib/ruby/2.4.0
installing extension scripts: /usr/lib/ruby/site_ruby/2.4.0
installing extension scripts: /usr/lib/ruby/vendor_ruby/2.4.0
installing extension headers: /usr/include/ruby-2.4.0/ruby
installing default gems:      /usr/lib/ruby/gems/2.4.0 (build_info, cache, doc, extensions, gems, specifications)
                              bigdecimal 1.3.0
                              io-console 0.4.6
                              json 2.0.2
                              openssl 2.0.2
                              psych 2.2.2
                              rdoc 5.0.0
installing bundle gems:       /usr/lib/ruby/gems/2.4.0 (build_info, cache, doc, extensions, gems, specifications)
                              test-unit 3.2.3
                              net-telnet 0.1.1
                              rake 12.0.0
                              power_assert 0.4.1
                              did_you_mean 1.1.0
                              xmlrpc 0.2.1
                              minitest 5.10.1
installing rdoc:              /usr/share/ri/2.4.0/system
installing capi-docs:         /usr/share/doc/ruby

    Check the version:
        [root@salt-master ruby-2.4.0]# gem -v
        2.6.8

    3. Add the Ruby China mirror as a gem source

       gem sources --add

    Output: added to sources

       Note: gem sources -a with the Taobao mirror no longer works:

            [root@salt-master ~]# gem sources -a
            Error fetching :
                bad response Not Found 404 (specs.4.8.gz)

            gem sources -a with the Aliyun mirror can be added, but fpm cannot be installed from it

    4. Remove the original Ruby source

       gem sources --remove

    Output: removed from sources

    5. List the current sources

       gem sources -l

    6. Install fpm

       gem install fpm

    Partial output:

    Done installing documentation for io-like, ffi, ruby-xz, stud, mustache, insist, dotenv, clamp, cabin, pleaserun, json, childprocess, backports, arr-pm, archive-tar-minitar, fpm after 9 seconds
16 gems installed

    7. fpm options

    Supported source package types:

        dir: package a directory into the target type; used for software built and installed from source
        rpm: convert an rpm package
        gem: convert a rubygem package
        python: package a Python module

    Supported target package types:

        rpm: build an rpm package
        deb: build a deb package
        solaris: build a Solaris package
        puppet: build a Puppet module

    -a  hardware architecture, e.g. -a x86_64

    -p  where to put the generated rpm; specify it if you do not want the package in the current directory

    -C  where the files to be packaged are; after make install DESTDIR=/tmp/openssl, the files are under /tmp/openssl

    -f  overwrite a package of the same name already present in the output directory

    -s  source type

    -t  target type, i.e. what kind of package to build

    -n  package name

    -v  package version

    -d  what the generated package depends on, usually -d 'name' or -d 'name > version'

    --url  add a URL, e.g. --url ''

    --iteration  the package iteration (the rpm release field), e.g. --iteration el6

    --description  package description

    --conflicts  packages this one conflicts with

    --post-install  script run after the package is installed; same as --after-install

    --pre-install  script run before the package is installed; same as --before-install

    --post-uninstall  script run after the package is removed; same as --after-remove

    --pre-uninstall  script run before the package is removed; same as --before-remove



四. Installing openssl-fips-2.0.14

    0. Why install openssl-fips?

    Quoting the OpenSSL website:

    Link: https://www.openssl.org/docs/fips/SecurityPolicy-1.1.1.pdf

    The FIPS object module is designed for use in conjunction with the separate API libraries provided by the OpenSSL project. Applications linked with the FIPS object module and with the separate OpenSSL libraries can use the FIPS validated cryptographic functions of the FIPS object module and the high level support and encapsulation features of OpenSSL
    

    1. Download openssl-fips-2.0.14
       wget

    2. Unpack, configure, build and install

       tar zxvf openssl-fips-2.0.14.tar.gz
       cd openssl-fips-2.0.14
       ./config && make && make install

    Partial output:

    for i in fipsld fips_standalone_sha1 ; \
    do \
        echo "installing $i"; \
        cp $i /usr/local/ssl/fips-2.0/bin/$i.new; \
        chmod 755 /usr/local/ssl/fips-2.0/bin/$i.new; \
        mv -f /usr/local/ssl/fips-2.0/bin/$i.new /usr/local/ssl/fips-2.0/bin/$i; \
    done
    installing fipsld
    installing fips_standalone_sha1
    cp -p -f fipscanister.o fipscanister.o.sha1 \
        fips_premain.c fips_premain.c.sha1 \
        /usr/local/ssl/fips-2.0/lib/; \
    chmod 0444 /usr/local/ssl/fips-2.0/lib/fips*
    make[1]: Leaving directory `/root/openssl-fips-2.0.14/fips'
    making install in test...
    make[1]: Entering directory `/root/openssl-fips-2.0.14/test'
    make[1]: Nothing to be done for `install'.
    make[1]: Leaving directory `/root/openssl-fips-2.0.14/test'

    
    3. After installation, the fips-2.0 directory exists under /usr/local/ssl
    [root@wdcp ssl]# ls /usr/local/ssl/fips-2.0/
    bin  include  lib
    

五. Installing openssl-1.0.2j and building its rpm

    1. Download openssl

       wget --no-check-certificate

       Note 1: the OpenSSL 0.9.8f, 1.0.0x, 1.0.1x, 1.0.2x and 1.1.0 branches are developed independently, and the OpenSSL project has announced that the 0.9.8f, 1.0.0x and 1.0.1x branches will no longer be maintained

       Note 2: openssh-7.4p1 supports OpenSSL 1.0.0x, 1.0.1x and 1.0.2x, but not the newest 1.1.0 series

    2. Unpack, configure, build and install into the local directory /tmp/openssl:

       tar zxvf openssl-1.0.2j.tar.gz
       cd openssl-1.0.2j
       mkdir /tmp/openssl
       ./config fips shared zlib && make && make install INSTALL_PREFIX=/tmp/openssl  # no trailing slash; the files land in /tmp/openssl/usr/local/ssl

    Note 1: ./config shared zlib installs to /usr/local/ssl by default, builds shared libraries and enables zlib compression, so the zlib and zlib-devel packages must be installed

            make install DESTDIR=/tmp/openssl has no effect with this OpenSSL; use make install INSTALL_PREFIX= instead

    Note 2: the fips option builds with FIPS enabled, taking the headers and libraries from /usr/local/ssl/fips-2.0

    3. Post-install and post-uninstall scripts

    mkdir /tmp/scr

[root@salt-master scr]# cat post_install_ssl.sh
#!/bin/bash
#date: 2017-02-06
#author: songjianhao
#desc: backup and replace old version openssl-1.0.1e

#get old openssl version; the anchored pattern matches only the base openssl package
#(not openssl-devel) and head -n1 keeps a single value if the i686 multilib package is also installed
oldver=$(rpm -qa | grep '^openssl-1\.0\.1' | head -n1 | awk -F'-' '{print $2}')
mv /usr/bin/openssl /usr/bin/openssl_$oldver

#Backup openssl-oldver lib and include files (present only when openssl-devel is installed)
if rpm -qa | grep -q openssl-devel; then
   mv /usr/include/openssl /usr/include/openssl_$oldver
   mv /usr/lib64/libcrypto.so /usr/lib64/libcrypto.so_$oldver
   mv /usr/lib64/libssl.so /usr/lib64/libssl.so_$oldver
   mv /usr/lib64/pkgconfig/libcrypto.pc /usr/lib64/pkgconfig/libcrypto.pc_$oldver
   mv /usr/lib64/pkgconfig/libssl.pc /usr/lib64/pkgconfig/libssl.pc_$oldver
   mv /usr/lib64/pkgconfig/openssl.pc /usr/lib64/pkgconfig/openssl.pc_$oldver
fi

#Replace openssl-oldver lib and include files with new openssl 1.0.2j
ln -s /usr/local/ssl/bin/openssl /usr/bin/openssl
ln -s /usr/local/ssl/include/openssl /usr/include/openssl
ln -s /usr/local/ssl/lib/libcrypto.so.1.0.0 /usr/lib64/libcrypto.so
ln -s /usr/local/ssl/lib/libssl.so.1.0.0 /usr/lib64/libssl.so
ln -s /usr/local/ssl/lib/pkgconfig/libcrypto.pc /usr/lib64/pkgconfig/libcrypto.pc
ln -s /usr/local/ssl/lib/pkgconfig/libssl.pc /usr/lib64/pkgconfig/libssl.pc
ln -s /usr/local/ssl/lib/pkgconfig/openssl.pc /usr/lib64/pkgconfig/openssl.pc

#create shortcut of shared object file of ssh daemon
[ ! -L /lib64/libcrypto.so.1.0.0 ] && ln -s /usr/local/ssl/lib/libcrypto.so.1.0.0 /lib64/libcrypto.so.1.0.0

#register the new library directory with the dynamic linker (once, so a reinstall does not duplicate the entry)
grep -qx /usr/local/ssl/lib /etc/ld.so.conf || echo /usr/local/ssl/lib >> /etc/ld.so.conf
ldconfig

======================================================================================================================

[root@salt-master scr]# cat post_uninstall_ssl.sh
#!/bin/bash
#date: 2017-02-06
#author: songjianhao
#desc: restore old version openssl-1.0.1e after uninstall openssl-1.0.2j rpm

#get old openssl version (same pattern as post_install_ssl.sh, so the backup names match)
oldver=$(rpm -qa | grep '^openssl-1\.0\.1' | head -n1 | awk -F'-' '{print $2}')

rm -f /usr/bin/openssl
mv /usr/bin/openssl_$oldver /usr/bin/openssl

#restore old version openssl-devel lib and include files, or delete the openssl-1.0.2j symlinks
if rpm -qa | grep -q openssl-devel; then
   mv -f /usr/include/openssl_$oldver /usr/include/openssl
   mv -f /usr/lib64/libcrypto.so_$oldver /usr/lib64/libcrypto.so
   mv -f /usr/lib64/libssl.so_$oldver /usr/lib64/libssl.so
   mv -f /usr/lib64/pkgconfig/libcrypto.pc_$oldver /usr/lib64/pkgconfig/libcrypto.pc
   mv -f /usr/lib64/pkgconfig/libssl.pc_$oldver /usr/lib64/pkgconfig/libssl.pc
   mv -f /usr/lib64/pkgconfig/openssl.pc_$oldver /usr/lib64/pkgconfig/openssl.pc
else
   rm -rf /usr/include/openssl
   rm -f /usr/lib64/libcrypto.so
   rm -f /usr/lib64/libssl.so
   rm -f /usr/lib64/pkgconfig/libcrypto.pc
   rm -f /usr/lib64/pkgconfig/libssl.pc
   rm -f /usr/lib64/pkgconfig/openssl.pc
fi

#delete all openssl-1.0.2j files
rm -rf /usr/local/ssl

#delete shortcut of shared object file of ssh daemon and unregister the library directory
rm -f /lib64/libcrypto.so.1.0.0
sed -i '\#^/usr/local/ssl/lib$#d' /etc/ld.so.conf
ldconfig

=============================================================================================

    Make the scripts executable
    chmod +x post_install_ssl.sh
    chmod +x post_uninstall_ssl.sh

    cd /root

    4. Building the openssl rpm with fpm

       (1) Install the build dependency: yum install rpm-build -y

       (2) Build the rpm with fpm

[root@salt-master ~]# fpm -f -s dir -t rpm -n openssl -v 1.0.2j -d openssl -d openssl-devel -a x86_64 -C /tmp/openssl -p /root --iteration 1.el6 --url http://blog.chinaunix.net/uid-30162103-id-5759030.html --post-install /tmp/scr/post_install_ssl.sh --post-uninstall /tmp/scr/post_uninstall_ssl.sh --description "Update to openssl-1.0.2j in centos6.5 and centos6.8 by songjianhao"

    Note: because of Windows Notepad line-ending issues, copy the command one line at a time

    Output:

       /usr/lib/ruby/gems/2.4.0/gems/backports-3.6.8/lib/backports/1.8.7/fixnum/div.rb:1: warning: constant ::Fixnum is deprecated
    /usr/lib/ruby/gems/2.4.0/gems/backports-3.6.8/lib/backports/1.8.7/fixnum/fdiv.rb:1: warning: constant ::Fixnum is deprecated
    /usr/lib/ruby/gems/2.4.0/gems/backports-3.6.8/lib/backports/2.1.0/bignum/bit_length.rb:1: warning: constant ::Bignum is deprecated
    /usr/lib/ruby/gems/2.4.0/gems/backports-3.6.8/lib/backports/2.1.0/fixnum/bit_length.rb:1: warning: constant ::Fixnum is deprecated
    Created package {:path=>"/root/openssl-1.0.2j-1.el6.x86_64.rpm"}

六. Installing openssh-7.4p1 and building its rpm

    1. Download openssh

       wget ftp://mirror.jmu.edu/pub/OpenBSD/OpenSSH/portable/openssh-7.4p1.tar.gz

    2. Install dependencies

       #yum install zlib zlib-devel openssl-devel pam-devel -y

       rpm -ivh openssl-1.0.2j-1.el6.x86_64.rpm

       [root@fpm ~]# openssl version
       OpenSSL 1.0.2j-fips  26 Sep 2016

    3. Unpack, configure, build and install:

       tar zxvf openssh-7.4p1.tar.gz
       cd openssh-7.4p1
       mkdir /tmp/openssh
       ./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-ssl-dir=/usr/local/ssl  --mandir=/usr/share/man
       make && make install DESTDIR=/tmp/openssh

       Note: if pam-devel or openssl-devel is not installed, or ./configure is run without --without-hardening, ./configure reports that the OpenSSL header directory cannot be found:

       checking whether getpgrp requires zero arguments... yes
       checking OpenSSL header version... not found
       configure: error: OpenSSL version header not found.

       Note: the correct output of ./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-ssl-dir=/usr/local/ssl  --mandir=/usr/share/man is:

     OpenSSH has been configured with the following options:
                     User binaries: /usr/local/openssh/bin
                   System binaries: /usr/local/openssh/sbin
               Configuration files: /etc/ssh
                   Askpass program: /usr/local/openssh/libexec/ssh-askpass
                      Manual pages: /usr/share/man/manX
                          PID file: /var/run
  Privilege separation chroot path: /var/empty
            sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/openssh/bin
                    Manpage format: doc
                       PAM support: yes
                   OSF SIA support: no
                 KerberosV support: no
                   SELinux support: no
                 Smartcard support:
                     S/KEY support: no
              MD5 password support: yes
                   libedit support: no
  Solaris process contract support: no
           Solaris project support: no
         Solaris privilege support: no
       IP address in $DISPLAY hack: no
           Translate v4 in v6 hack: yes
                  BSD Auth support: no
              Random number source: OpenSSL internal ONLY
             Privsep sandbox style: rlimit

              Host: x86_64-pc-linux-gnu
          Compiler: gcc
    Compiler flags: -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wno-pointer-sign -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-all -fPIE
Preprocessor flags: -I/usr/local/ssl
      Linker flags: -L/usr/local/ssl  -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-all -pie
         Libraries: -lcrypto -lrt -ldl -lutil -lz  -lcrypt -lresolv
         +for sshd:  -lpam

PAM is enabled. You may need to install a PAM control file
for sshd, otherwise password authentication may fail.
Example PAM control files can be found in the contrib/
subdirectory



    4. Pre-install, post-install and post-uninstall scripts

[root@salt-master scr]# cat pre_install_ssh.sh
#!/bin/bash
#date: 2017-02-01
#author:songjh
#desc: back up the configuration files of the old openssh before the new files are unpacked

OLDVER=$(rpm -qa |grep openssh-server |awk -F- '{print $3}')

mv /etc/ssh/sshd_config /etc/ssh/sshd_config_$OLDVER
mv /etc/ssh/ssh_config /etc/ssh/ssh_config_$OLDVER
mv /etc/ssh/moduli /etc/ssh/moduli_$OLDVER

=====================================================================================

[root@salt-master scr]# cat post_install_ssh.sh
#!/bin/bash
#date: 2017-02-01
#author: songjh
#desc: back up the old version of openssh and link in the new one

OLDVER=$(rpm -qa |grep openssh-server |awk -F- '{print $3}')

#backup openssh-server binaries and point the system paths at the new build
mv /usr/sbin/sshd /usr/sbin/sshd_$OLDVER
ln -s /usr/local/openssh/sbin/sshd /usr/sbin/sshd

mv /usr/libexec/openssh/sftp-server /usr/libexec/openssh/sftp-server_$OLDVER
ln -s /usr/local/openssh/libexec/sftp-server /usr/libexec/openssh/sftp-server

mv /usr/bin/scp /usr/bin/scp_$OLDVER
ln -s /usr/local/openssh/bin/scp /usr/bin/scp

mv /usr/bin/sftp /usr/bin/sftp_$OLDVER
ln -s /usr/local/openssh/bin/sftp /usr/bin/sftp

mv /usr/bin/ssh /usr/bin/ssh_$OLDVER
ln -s /usr/local/openssh/bin/ssh /usr/bin/ssh

mv /usr/bin/ssh-add /usr/bin/ssh-add_$OLDVER
ln -s /usr/local/openssh/bin/ssh-add /usr/bin/ssh-add

mv /usr/bin/ssh-agent /usr/bin/ssh-agent_$OLDVER
ln -s /usr/local/openssh/bin/ssh-agent /usr/bin/ssh-agent

mv /usr/bin/ssh-keyscan /usr/bin/ssh-keyscan_$OLDVER
ln -s /usr/local/openssh/bin/ssh-keyscan /usr/bin/ssh-keyscan

mv /usr/libexec/openssh/ssh-pkcs11-helper /usr/libexec/openssh/ssh-pkcs11-helper_$OLDVER
ln -s /usr/local/openssh/libexec/ssh-pkcs11-helper /usr/libexec/openssh/ssh-pkcs11-helper

mv /usr/bin/ssh-keygen /usr/bin/ssh-keygen_$OLDVER
ln -s /usr/local/openssh/bin/ssh-keygen /usr/bin/ssh-keygen

mv /usr/libexec/openssh/ssh-keysign /usr/libexec/openssh/ssh-keysign_$OLDVER
ln -s /usr/local/openssh/libexec/ssh-keysign /usr/libexec/openssh/ssh-keysign

#create shortcut of shared object file of ssh daemon
[ ! -L /lib64/libcrypto.so.1.0.0 ] && ln -s /usr/local/ssl/lib/libcrypto.so.1.0.0 /lib64/libcrypto.so.1.0.0

#modify sshd_config
sed -i '/^#PermitRootLogin/s/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config
sed -i '/^#UsePAM/s/#UsePAM no/UsePAM yes/' /etc/ssh/sshd_config

/etc/init.d/sshd reload

=====================================================================================

[root@salt-master scr]# cat post_uninstall_ssh.sh
#!/bin/bash
#date: 2017-02-01
#author: songjh
#desc: restore the old version of openssh

OLDVER=$(rpm -qa |grep openssh-server |awk -F- '{print $3}')

#restore old version openssh-server binaries and config file
mv -f /etc/ssh/sshd_config_$OLDVER /etc/ssh/sshd_config
mv -f /usr/sbin/sshd_$OLDVER /usr/sbin/sshd
mv -f /usr/libexec/openssh/sftp-server_$OLDVER /usr/libexec/openssh/sftp-server

#restore old version openssh-clients binaries and config file
mv -f /etc/ssh/ssh_config_$OLDVER /etc/ssh/ssh_config
mv -f /usr/bin/scp_$OLDVER /usr/bin/scp
mv -f /usr/bin/sftp_$OLDVER /usr/bin/sftp
mv -f /usr/bin/ssh_$OLDVER /usr/bin/ssh
mv -f /usr/bin/ssh-add_$OLDVER /usr/bin/ssh-add
mv -f /usr/bin/ssh-agent_$OLDVER /usr/bin/ssh-agent
mv -f /usr/bin/ssh-keyscan_$OLDVER /usr/bin/ssh-keyscan
mv -f /usr/libexec/openssh/ssh-pkcs11-helper_$OLDVER /usr/libexec/openssh/ssh-pkcs11-helper

#restore old version openssh files
mv -f /etc/ssh/moduli_$OLDVER /etc/ssh/moduli
mv -f /usr/bin/ssh-keygen_$OLDVER /usr/bin/ssh-keygen
mv -f /usr/libexec/openssh/ssh-keysign_$OLDVER /usr/libexec/openssh/ssh-keysign

#delete shortcut of shared object file of ssh daemon
rm -f /lib64/libcrypto.so.1.0.0

#modify sshd_config
sed -i '/^#PermitRootLogin/s/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config
sed -i '/^#UsePAM/s/#UsePAM no/UsePAM yes/' /etc/ssh/sshd_config

/etc/init.d/sshd reload

=================================================================================================================

    Make the scripts executable

    [root@wdcp scr]# chmod +x *


    5. Building the openssh rpm with fpm

fpm -f -s dir -t rpm -n openssh -v 7.4p1 -d zlib-devel -d openssl-devel -d pam-devel -a x86_64  --iteration 1.el6 -C /tmp/openssh -p /root --url http://blog.chinaunix.net/uid-30162103-id-5759030.html --pre-install /tmp/scr/pre_install_ssh.sh --post-install /tmp/scr/post_install_ssh.sh --post-uninstall /tmp/scr/post_uninstall_ssh.sh --description "Update to openssh7.4p1 apply for centos6.5 and centos6.8 by songjianhao"

Output:
/usr/lib/ruby/gems/2.4.0/gems/backports-3.6.8/lib/backports/1.8.7/fixnum/div.rb:1: warning: constant ::Fixnum is deprecated
/usr/lib/ruby/gems/2.4.0/gems/backports-3.6.8/lib/backports/1.8.7/fixnum/fdiv.rb:1: warning: constant ::Fixnum is deprecated
/usr/lib/ruby/gems/2.4.0/gems/backports-3.6.8/lib/backports/2.1.0/bignum/bit_length.rb:1: warning: constant ::Bignum is deprecated
/usr/lib/ruby/gems/2.4.0/gems/backports-3.6.8/lib/backports/2.1.0/fixnum/bit_length.rb:1: warning: constant ::Fixnum is deprecated
Created package {:path=>"/root/openssh-7.4p1-1.el6.x86_64.rpm"}


七. Testing the openssl-1.0.2j and openssh-7.4p1 rpms on CentOS 6.5 and 6.8

    1. Install dependencies

       yum install zlib zlib-devel openssl-devel pam-devel -y

    2. Install the openssl-1.0.2j rpm

       rpm -ivh openssl-1.0.2j-1.el6.x86_64.rpm

       Note: to remove the rpm: rpm -e openssl-1.0.2j-1.el6.x86_64

    3. Check the openssl version: openssl version

       OpenSSL 1.0.2j-fips  26 Sep 2016

    4. Install the openssh-7.4p1 rpm

       rpm -ivh --force openssh-7.4p1-1.el6.x86_64.rpm

       Note: the --force option is required so that the configuration files of the same name are overwritten

    5. Verify:

       [root@salt-minion2 ~]# ssh -V
       OpenSSH_7.4p1, OpenSSL 1.0.2j-fips  26 Sep 2016

       [root@salt-minion2 ~]# sshd -V
       unknown option -- V
       OpenSSH_7.4p1, OpenSSL 1.0.2j-fips  26 Sep 2016
       usage: sshd [-46DdeiqTt] [-C connection_spec] [-c host_cert_file]
               [-E log_file] [-f config_file] [-g login_grace_time]
               [-h host_key_file] [-o option] [-p port] [-u len]

    6. Remove the openssh-7.4p1 rpm and fall back to the previous version openssh-5.3p1

       [root@ssh74 ~]# rpm -e openssh-7.4p1-1.el6.x86_64
       重新载入 sshd:[确定]

       Verify: back on the previous version openssh-5.3p1

       [root@ssh74 ~]# ssh -V
       OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013

       [root@ssh74 ~]# sshd -V
       sshd: illegal option -- V
       OpenSSH_5.3p1, OpenSSL 1.0.1e-fips 11 Feb 2013
       usage: sshd [-46DdeiqTt] [-b bits] [-C connection_spec] [-c host_cert_file]
               [-f config_file] [-g login_grace_time] [-h host_key_file]
               [-k key_gen_time] [-o option] [-p port] [-u len]

    7. Remove the openssl-1.0.2j rpm and fall back to the previous openssl-1.0.1e

       [root@ssh74 ~]# rpm -e openssl-1.0.2j-1.el6.x86_64

       [root@ssh74 ~]# openssl version
       OpenSSL 1.0.1e-fips 11 Feb 2013
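The verification in step 5 is done by eye; the reload at the end of post_install_ssh.sh runs regardless of whether the new sshd can actually start, which is exactly how remote access gets lost. The script below is an added example, not part of the original post: it checks that /usr/sbin/sshd resolves libcrypto.so.1.0.0 under /usr/local/ssl/lib (the failure in troubleshooting items 6 and 12), that ssh -V reports OpenSSL 1.0.2j, and that the new sshd accepts /etc/ssh/sshd_config with sshd -t, and only then reloads. The paths and versions are the post's own; the ldd and ssh -V samples at the bottom are constructed so the parsing can be exercised offline.

```shell
#!/bin/bash
# Added example, not from the original post. Gate the sshd reload on three
# checks so a broken upgrade is noticed while the old daemon is still serving.
# Paths and versions are the ones the post uses; the ldd / ssh -V samples at
# the bottom are constructed for offline testing.

NEW_SSL_LIB=/usr/local/ssl/lib
EXPECT_SSL=1.0.2j
SSHD=/usr/sbin/sshd

# ssl_version_of "OpenSSH_7.4p1, OpenSSL 1.0.2j-fips  26 Sep 2016" -> 1.0.2j
ssl_version_of() {
    printf '%s\n' "$1" | sed -n 's/.*OpenSSL \([0-9][0-9.]*[a-z]*\).*/\1/p'
}

# libcrypto_path "<ldd output>" -> the file libcrypto.so.1.0.0 resolves to,
# or nothing when ldd prints "not found" (troubleshooting item 6)
libcrypto_path() {
    printf '%s\n' "$1" | awk '$1 == "libcrypto.so.1.0.0" {
        if ($2 == "=>" && $3 != "not") print $3; exit }'
}

# links_to_new_ssl "<ldd output>" -> 0 only if libcrypto comes from NEW_SSL_LIB
links_to_new_ssl() {
    case "$(libcrypto_path "$1")" in
        "$NEW_SSL_LIB"/*) return 0 ;;
        *)                return 1 ;;
    esac
}

# preflight: runs the real commands on the host, reports every failure and
# returns non-zero if any check failed
preflight() {
    local rc=0
    if ! links_to_new_ssl "$(ldd "$SSHD" 2>/dev/null)"; then
        echo "FAIL: $SSHD does not resolve libcrypto.so.1.0.0 under $NEW_SSL_LIB" \
             "(check the /lib64 symlink and ld.so.conf, then run ldconfig)"
        rc=1
    fi
    if [ "$(ssl_version_of "$(ssh -V 2>&1)")" != "$EXPECT_SSL" ]; then
        echo "FAIL: ssh -V does not report OpenSSL $EXPECT_SSL (troubleshooting item 12)"
        rc=1
    fi
    if ! "$SSHD" -t -f /etc/ssh/sshd_config; then
        echo "FAIL: /etc/ssh/sshd_config is rejected by the new sshd"
        rc=1
    fi
    return "$rc"
}

# safe_reload: reload only when every check passed; otherwise the running
# daemon is left alone and existing sessions keep working
safe_reload() {
    if preflight; then
        /etc/init.d/sshd reload
    else
        echo "not reloading sshd; fix the failures above first"
        return 1
    fi
}

# Constructed ldd output for the cases the post runs into.
LDD_OK='        libcrypto.so.1.0.0 => /usr/local/ssl/lib/libcrypto.so.1.0.0 (0x00007f0e4b7c0000)
        libpam.so.0 => /lib64/libpam.so.0 (0x00007f0e4b5b0000)'
LDD_MISSING='        libcrypto.so.1.0.0 => not found
        libpam.so.0 => /lib64/libpam.so.0 (0x00007f0e4b5b0000)'
LDD_OLD='        libcrypto.so.1.0.0 => /usr/lib64/libcrypto.so.1.0.0 (0x00007f0e4b7c0000)'

# Constructed ssh -V lines (step 5 above and troubleshooting item 12).
SSH_V_NEW='OpenSSH_7.4p1, OpenSSL 1.0.2j-fips  26 Sep 2016'
SSH_V_OLD='OpenSSH_7.4p1, OpenSSL 1.0.1e-fips 11 Feb 2013'

if [ "${1:-}" = "--live" ]; then
    safe_reload
fi
```

Run it with --live from a session you keep open, and confirm a second, fresh SSH login works before closing the first one.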

八. Problems encountered while building the rpms

    1. Do not install Ruby with yum: neither the default repositories nor EPEL carry a Ruby version that can install fpm; download ruby-2.4.0 from the official site instead

    With gem from yum (yum install -y ruby ruby-devel rubygems) and the ruby-china mirror added with gem sources --add, the following error appears:

    [root@wdcp ~]# gem install fpm
    Building native extensions.  This could take a while...
    Building native extensions.  This could take a while...
    ERROR:  Error installing fpm:
    ruby-xz requires Ruby version >= 1.9.3.

    With Ruby built from source and the Aliyun mirror added, installing fpm fails with:

    [root@wdcp ~]# gem install fpm
    ERROR:  While executing gem ... (Gem::RemoteFetcher::FetchError)
        bad response Not Found 404 ()

    2. Neither the Taobao nor the Aliyun Ruby mirror can be used any more; use the Ruby China mirror instead

    3. The OpenSSL source does not honour make install DESTDIR=/tmp/openssl; use make install INSTALL_PREFIX=/tmp/openssl

    4. When configuring the OpenSSH source, if pam-devel or openssl-devel is not installed, configure reports that the OpenSSL header directory cannot be found

       checking whether getpgrp requires zero arguments... yes
       checking OpenSSL header version... not found
       configure: error: OpenSSL version header not found.

       Fix 1: yum install openssl openssl-devel pam-devel -y

       Another cause: openssl-1.0.2j was installed, but the symlinks for /usr/bin/openssl, /usr/include/openssl and under /usr/lib64 were not created, so the openssh build either cannot find the OpenSSL headers and libraries or finds headers and libraries of mismatched versions, and reports OpenSSL version header not found

       Fix: see the contents of /tmp/scr/post_install_ssl.sh

    5. Installing the openssh-7.4p1 rpm directly runs into file conflicts

       rpm -ivh openssh-up-7.4p1-1.x86_64.rpm
       Preparing...                ########################################### [100%]
       file /etc/ssh/moduli from install of openssh-up-7.4p1-1.x86_64 conflicts with file from package openssh-5.3p1-94.el6.x86_64
       file /etc/ssh/ssh_config from install of openssh-up-7.4p1-1.x86_64 conflicts with file from package openssh-clients-5.3p1-94.el6.x86_64
       file /etc/ssh/sshd_config from install of openssh-up-7.4p1-1.x86_64 conflicts with file from package openssh-server-5.3p1-94.el6.x86_64

       Fix: force the installation with --force

       rpm -ivh --force openssh-up-7.4p1-1.x86_64.rpm
       Preparing...                ########################################### [100%]
          1:openssh-up             ########################################### [100%]

    6. After installing the openssh-7.4p1 rpm, starting openssh cannot find the shared library libcrypto.so.1.0.0

       [root@salt-minion2 lib64]# /etc/init.d/sshd.init.old restart
       /usr/sbin/sshd: error while loading shared libraries: libcrypto.so.1.0.0: cannot open shared object file: No such file or directory
                                                              [失败]
       Shutting down sshd:
       Starting sshd: /usr/sbin/sshd: error while loading shared libraries: libcrypto.so.1.0.0: cannot open shared object file: No such file or directory
                                                              [失败]
       Fix:

       openssl-1.0.2j must be installed: rpm -ivh openssl-1.0.2j-1.x86_64.rpm

       the symlink must be created: ln -s /usr/local/ssl/lib/libcrypto.so.1.0.0 /lib64/libcrypto.so.1.0.0

       Note: ln -s /usr/local/ssl/lib/libcrypto.so.1.0.0 /lib/libcrypto.so.1.0.0, i.e. a symlink under /lib, has no effect

       post_install_ssh.sh already takes care of this

    7. After installing or removing the openssh-7.4p1 rpm and restarting the sshd service, remote login is no longer possible; handled in post_install_ssh.sh and post_uninstall_ssh.sh

       Fix: modify sshd_config, and put the modification in the post-install and post-uninstall scripts
       sed -i '/^#PermitRootLogin/s/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config
       sed -i '/^#UsePAM/s/#UsePAM no/UsePAM yes/' /etc/ssh/sshd_config

    8. Double-slash error

       ./config shared zlib && make && make install INSTALL_PREFIX=/tmp/openssl/      the trailing slash causes the error

       cp libcrypto.pc /tmp/openssl//usr/local/ssl/lib/pkgconfig            #double slash //
       chmod 644 /tmp/openssl//usr/local/ssl/lib/pkgconfig/libcrypto.pc
       cp libssl.pc /tmp/openssl//usr/local/ssl/lib/pkgconfig
       chmod 644 /tmp/openssl//usr/local/ssl/lib/pkgconfig/libssl.pc
       cp openssl.pc /tmp/openssl//usr/local/ssl/lib/pkgconfig
       chmod 644 /tmp/openssl//usr/local/ssl/lib/pkgconfig/openssl.pc

    9. Removing openssl-devel-1.0.1e-48.el6_8.3.x86_64 makes the openssh-7.4p1 configure step fail

       Because after building and installing openssl-1.0.2j the following commands had been run:

       mv /usr/include/openssl /usr/include/openssl_$oldver
       ln -s /usr/local/ssl/include/openssl /usr/include/openssl

       removing the openssl-devel-1.0.1e package deletes the headers under /usr/include/openssl, and since /usr/include/openssl is now a symlink to /usr/local/ssl/include/openssl, that deletes the headers of the openssl-1.0.2j built from source

       As a result, configuring openssh-7.4p1 with ./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-ssl-dir=/usr/local/ssl  --mandir=/usr/share/man

       cannot find the OpenSSL headers: "configure: error: OpenSSL version header not found."

    10. When configuring openssh-7.4p1, --with-ssl-dir=/usr/local/ssl means that both the OpenSSL headers (the files in the include directory) and the libraries (the files in /usr/local/ssl/lib) must be found for ./configure to pass

       Fix: add the following to post_install_ssl.sh

       ln -s /usr/local/ssl/lib/libcrypto.so.1.0.0 /usr/lib64/libcrypto.so
       ln -s /usr/local/ssl/lib/libssl.so.1.0.0 /usr/lib64/libssl.so
       ln -s /usr/local/ssl/lib/pkgconfig/libcrypto.pc /usr/lib64/pkgconfig/libcrypto.pc
       ln -s /usr/local/ssl/lib/pkgconfig/libssl.pc /usr/lib64/pkgconfig/libssl.pc
       ln -s /usr/local/ssl/lib/pkgconfig/openssl.pc /usr/lib64/pkgconfig/openssl.pc

       Note: --with-ssl-dir=/usr/local/ssl/ with a trailing "/" produces the double-slash // error, and configure again reports that the OpenSSL headers cannot be found

             --with-ssl-dir=/usr/local/ssl/include is also wrong

    11. fpm reports Need executable 'rpmbuild' to convert dir to rpm {:level=>:error}

        rpm-build is not installed

        yum install rpm-build -y

    12. Sometimes openssh-7.4p1 builds successfully but still uses the old openssl-1.0.1e; handled in the post_install_ssl.sh script

       [root@salt-minion2 ~]# ssh -V
       OpenSSH_7.4p1, OpenSSL 1.0.1e-fips 11 Feb 2013
       [root@salt-minion2 ~]# sshd -V
       unknown option -- V
       OpenSSH_7.4p1, OpenSSL 1.0.1e-fips 11 Feb 2013
       usage: sshd [-46DdeiqTt] [-C connection_spec] [-c host_cert_file]
               [-E log_file] [-f config_file] [-g login_grace_time]
               [-h host_key_file] [-o option] [-p port] [-u len]

    13. Most errors can be resolved by reading config.log

        ./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-ssl-dir=/usr/local/ssl  --mandir=/usr/share/man keeps failing

        analyse and resolve it from the error recorded in the source directory

   


shakespark 2017-03-17 10:15:27

You wrote out the complete steps, the pitfalls you hit and the fixes; 100 likes for you!

I have successfully installed OpenSSH_7.4p1, OpenSSL 1.0.2k-fips on centos6.3 x64


ps: one small suggestion, it would be even better if the formatting of this post could be improved!