@cdmonkey
2026-03-23T09:43:44.000000Z
字数 5566
阅读 422
SSH
yum install -y telnet zlib zlib-devel gcc gcc-c++ make perl perl-IPC-Cmd pam pam-devel
[root@hidocker tools]# tar -zxvf openssl-3.4.1.tar.gz[root@hidocker tools]# cd openssl-3.4.1./config --prefix=/usr/local/openssl shared zlibmakemake install
进行升级
mv /usr/bin/openssl /usr/bin/openssl.oldmv /usr/include/openssl /usr/include/openssl.oldln -s /usr/local/openssl/bin/openssl /usr/bin/opensslln -s /usr/local/openssl/include/openssl /usr/include/openssl#echo "/usr/local/openssl/lib" >> /etc/ld.so.confldconfig -v
检查版本时有报错:
openssl: error while loading shared libraries: libssl.so.3: cannot open shared object file: No such file or directory
创建两个软链:
ln -s /usr/local/openssl/lib64/libssl.so.3 /usr/lib64/libssl.so.3ln -s /usr/local/openssl/lib64/libcrypto.so.3 /usr/lib64/libcrypto.so.3
再次检查版本:
[root@hidocker ~]# openssl version -aOpenSSL 3.4.1 11 Feb 2025 (Library: OpenSSL 3.4.1 11 Feb 2025)built on: Tue Mar 11 05:27:39 2025 UTCplatform: linux-x86_64...
首先进行备份。
cp -a /etc/pam.d/sshd /etc/pam.d/sshd-$(date +%Y-%m-%d)cp -a /etc/pam.d/system-auth-ac /etc/pam.d/system-auth-ac-$(date +%Y-%m-%d)cp -a /etc/ssh/sshd_config /etc/ssh/sshd_config-$(date +%Y-%m-%d)cp -a /etc/ssh/ssh_config /etc/ssh/ssh_config-$(date +%Y-%m-%d)cp -a /usr/bin/ssh-copy-id /usr/bin/ssh-copy-id-$(date +%Y-%m-%d)
先把老版本卸载掉。
rpm -e --nodeps `rpm -qa | grep openssh`
安装:
[root@hidocker tools]# tar -zxvf openssh-9.9p2.tar.gz[root@hidocker tools]# cd openssh-9.9p2/./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh \--with-ssl-dir=/usr/local/openssl --with-ssl-engine \--with-pam --with-zlib --with-md5-passwords
上面的配置指令执行完后,最后将显示:
PAM is enabled. You may need to install a PAM control filefor sshd, otherwise password authentication may fail.Example PAM control files can be found in the contrib/subdirectory
进行编译安装:
makemake install
安装完成后检查版本信息:
[root@hidocker ~]# /usr/local/openssh/bin/ssh -VOpenSSH_9.9p2, OpenSSL 3.4.1 11 Feb 2025
一堆软链:
ln -s /usr/local/openssh/bin/scp /usr/bin/scpln -s /usr/local/openssh/bin/ssh /usr/bin/sshln -s /usr/local/openssh/bin/ssh-add /usr/bin/ssh-addln -s /usr/local/openssh/bin/ssh-agent /usr/bin/ssh-agentln -s /usr/local/openssh/bin/ssh-keygen /usr/bin/ssh-keygenln -s /usr/local/openssh/bin/ssh-keyscan /usr/bin/ssh-keyscanln -s /usr/local/openssh/sbin/sshd /usr/sbin/sshd
还有个服务启停脚本:
[root@hidocker openssh-9.9p2]# cp -a contrib/redhat/sshd.init /etc/rc.d/init.d/sshd[root@hidocker openssh-9.9p2]# chmod u+x /etc/rc.d/init.d/sshd
最后还原配置:
/etc/ssh
mv /etc/ssh/sshd_config /etc/ssh/sshd_config-9.9p2mv /etc/ssh/ssh_config /etc/ssh/ssh_config-9.9p2# 请确认要还原的配置文件cp -a /etc/ssh/sshd_config-2025-03-11 /etc/ssh/sshd_configcp -a /etc/ssh/ssh_config-2025-03-11 /etc/ssh/ssh_config
/etc/pam.d
cp -a /etc/pam.d/sshd-2025-03-11 /etc/pam.d/sshd
这时就能够启动服务了:
systemctl daemon-reload && systemctl start sshd && /sbin/chkconfig sshd on
参考内容:
操作场景:
[root@Almalinux9-63 ~]# cat /etc/redhat-releaseAlmaLinux release 9.7 (Moss Jungle Cat)[root@Almalinux9-63 ~]# ssh -VOpenSSH_8.7p1, OpenSSL 3.5.1 1 Jul 2025
首先是安装一些依赖包:
dnf groupinstall -y "Development Tools"dnf install -y make rpm-build pam-devel krb5-devel zlib-devel libXt-devel libX11-devel gtk2-devel perldnf install -y systemd-devel
把项目文件进行解压:
unzip openssh-rpms-main.zipcd openssh-rpms-main
把下载的 OpenSSH、OpenSSL 源文件放置于 downloads 目录。
[root@Almalinux9-63 openssh-rpms-main]# ll downloads/total 19548-rw-r--r-- 1 root root 1944499 Mar 23 15:59 openssh-9.9p2.tar.gz-rw-r--r-- 1 root root 18035615 Mar 23 15:59 openssl-3.3.6.tar.gz-rw-r--r-- 1 root root 29229 Jan 28 11:22 x11-ssh-askpass-1.2.4.1.tar.gz
而后相应的,就要修改 version.env 这个文件(三处需要修改):
# custom defined componentsOPENSSLSRC=openssl-3.3.6.tar.gz # <-- 按实际情况配置OPENSSHSRC=openssh-9.9p2.tar.gz # <-- 按实际情况配置ASKPASSSRC=x11-ssh-askpass-1.2.4.1.tar.gz# Package release versionPKGREL=1# WITH_OPENSSL:# 0: build without openssl (using openssh internal crypto)# 1: use system openssl# 2: build openssl statically# undefined: let the script decide (default)WITH_OPENSSL=2 # <-- 去掉注释...
最后,执行 ./compile.sh 就行了。
报错:
...error: File not found: /root/openssh-rpm/openssh-rpms-main/el7/BUILDROOT/openssh-9.9p2-1.el9.x86_64/usr/libexec/openssh/sshd-authRPM build errors:line 84: Its not recommended to have unversioned Obsoletes: Obsoletes: sshline 114: Its not recommended to have unversioned Obsoletes: Obsoletes: ssh-clientsline 119: Its not recommended to have unversioned Obsoletes: Obsoletes: ssh-serverline 131: Its not recommended to have unversioned Obsoletes: Obsoletes: ssh-extrasline 137: Its not recommended to have unversioned Obsoletes: Obsoletes: ssh-extrasFile not found: /root/openssh-rpm/openssh-rpms-main/el7/BUILDROOT/openssh-9.9p2-1.el9.x86_64/usr/libexec/openssh/sshd-auth
目前解决办法:
[root@Almalinux9-63 openssh-rpms-main]# vim el7/SPECS/openssh.spec%attr(0755,root,root) %{_libexecdir}/openssh/sshd-auth # <-- 把这行注释掉
升级 OpenSSH 过程中,要确保主机指纹信息(Host Keys)不变,核心原则是:不要重新生成主机密钥文件。
OpenSSH 指纹是基于 /etc/ssh/ 目录下的主机私钥文件(像是 ssh_host_rsa_key、ssh_host_ecdsa_key、 ssh_host_ed25519_key 等)生成。只要这些文件没有变化,无论 OpenSSH 软件版本怎样升级,客户端连接时这个指纹信息就不变!
请参见千问回答:https://www.qianwen.com/share/chat/d5e6ba94b19e4e5d9da8388464d545f4
备份配置文件:
cd /etc/ssh/mkdir backup_$(date +%F)cp -a ssh* backup_2026-03-23/
经初步验证,ssh_config 将被更新,需要小心!
[root@Almalinux9-63 ssh]# diff backup_2026-03-23/ssh_config ssh_config1c1< # $OpenBSD: ssh_config,v 1.35 2020/07/17 03:43:42 dtucker Exp $---> # $OpenBSD: ssh_config,v 1.36 2023/08/02 23:04:38 djm Exp $...
备份 PAM 文件:
cd /etc/pam.d/mkdir backup_$(date +%F)cp -a sshd backup_2026-03-23/
经初步验证,这个 sshd PAM 文件没有变化。
[root@Almalinux9-63 ~]# ssh-keygen -lf /etc/ssh/ssh_host_rsa_key3072 SHA256:b1xvM4FYiPt0mV4oBxLcdOVDoUuOeNH+w8dkyabxlyE /etc/ssh/ssh_host_rsa_key.pub (RSA)[root@Almalinux9-63 ~]# ssh-keygen -lf /etc/ssh/backup_2026-03-23/ssh_host_rsa_key3072 SHA256:b1xvM4FYiPt0mV4oBxLcdOVDoUuOeNH+w8dkyabxlyE /etc/ssh/backup_2026-03-23/ssh_host_rsa_key.pub (RSA)
参考内容: