Preparation
Building the RPM package depends on the following commands, so the corresponding packages must be installed first:
- gcc
- rpmbuild
- rpmlint (optional)
OpenSSH official website information
Building the RPM package
- Put openssh-9.0p1.tar.gz in the rpmbuild working directory. For example, after a default installation of rpmbuild the working directory looks like this:
/root/rpmbuild/
├── BUILD
├── RPMS
├── SOURCES
├── SPECS
└── SRPMS
So place openssh-9.0p1.tar.gz in the SOURCES directory.
- Extract the spec file from the OpenSSH tarball; this file is the configuration used to build the rpm package. The tarball stores it as openssh-9.0p1/contrib/redhat/openssh.spec, so extract that single member to stdout and write it into the SPECS directory:
tar -xzf /root/rpmbuild/SOURCES/openssh-9.0p1.tar.gz -O openssh-9.0p1/contrib/redhat/openssh.spec > /root/rpmbuild/SPECS/openssh.spec
- Run the build command:
rpmbuild -bb /root/rpmbuild/SPECS/openssh.spec
- Problems you may run into during the build:
[root@localhost rpmbuild]# rpmbuild -bb SPECS/openssh.spec
error: Failed build dependencies:
openssl-devel < 1.1 is needed by openssh-9.0p1-1.el7.centos.x86_64
Check whether openssl-devel is installed on the system and whether its version meets the requirement. The openssh.spec file states the required openssl-devel version explicitly:
BuildRequires: openssl-devel >= 1.0.1
BuildRequires: openssl-devel < 1.1
If it is not present, install the matching version:
yum install -y openssl-devel
In practice, however, the error above may still appear even after the correct version is installed. In that case edit openssh.spec directly and either delete the line "BuildRequires: openssl-devel < 1.1" or comment it out by putting # at the start of the line:
#BuildRequires: openssl-devel < 1.1
Two variables in openssh.spec also need to be changed:
# Do we want to disable building of x11-askpass? (1=yes 0=no)
%global no_x11_askpass 1
# Do we want to disable building of gnome-askpass? (1=yes 0=no)
%global no_gnome_askpass 1
Set both no_x11_askpass and no_gnome_askpass to 1 so that these two modules are not built.
To avoid another failed build caused by a mistake in the edited file, validate the modified spec file with rpmlint:
rpmlint /root/rpmbuild/SPECS/openssh.spec
If you run into the following problem:
configure: error: PAM headers not found
error: Bad exit status from /var/tmp/rpm-tmp.c0SmcP (%build)
RPM build errors:
Bad exit status from /var/tmp/rpm-tmp.c0SmcP (%build)
then install pam-devel; the -devel packages are the ones that contain the header files:
yum install -y pam-devel
Finally, rebuild:
rpmbuild -bb /root/rpmbuild/SPECS/openssh.spec
The build should now succeed; the generated rpm files are in the following directory:
[root@localhost x86_64]# pwd
/root/rpmbuild/RPMS/x86_64
[root@localhost x86_64]# ll | grep ssh
-rw-r--r-- 1 root root 665872 May 24 16:13 openssh-9.0p1-1.el7.centos.x86_64.rpm
-rw-r--r-- 1 root root 655388 May 24 16:13 openssh-clients-9.0p1-1.el7.centos.x86_64.rpm
-rw-r--r-- 1 root root 3108720 May 24 16:13 openssh-debuginfo-9.0p1-1.el7.centos.x86_64.rpm
-rw-r--r-- 1 root root 465228 May 24 16:13 openssh-server-9.0p1-1.el7.centos.x86_64.rpm
Installing or upgrading
- Check whether OpenSSH is already installed:
rpm -qa | grep openssh
If it is not installed, install it:
rpm -i openssh*.rpm
Note that openssh* is used here because the packages depend on each other: everything except the debuginfo package needs to be installed.
- If it is already installed, upgrade it directly. If the configuration files need to be preserved across the upgrade, backing up the following three files is sufficient:
/etc/ssh/ssh_config
/etc/ssh/sshd_config
/etc/pam.d/sshd
- Once the backup is done, run the following command to upgrade:
rpm -U openssh*.rpm
Check that the upgrade succeeded:
rpm -qa | grep openssh
- After a successful upgrade, restore the three backed-up files if you want to keep the pre-upgrade configuration, then restart the sshd service:
systemctl restart sshd
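The install-or-upgrade procedure above, written out as one script (an added example, not part of the original post): it backs up the three configuration files, runs rpm -U or rpm -i as appropriate, restores the backup and restarts sshd. The ROOT prefix argument, the backup directory name and the RPMDIR variable are assumptions of this example; on a real host the prefix is empty so the paths are /etc/ssh/... and /etc/pam.d/sshd.

```shell
#!/bin/sh
# Added example, not from the original post. Install or upgrade the freshly
# built OpenSSH rpms while preserving the three config files the text names.
# The ROOT prefix on backup_configs/restore_configs exists only so the copy
# logic can be tested on a constructed directory tree instead of /etc.

CONFIGS="/etc/ssh/ssh_config /etc/ssh/sshd_config /etc/pam.d/sshd"

# backup_configs ROOT DEST : copy each config found under ROOT into DEST, keeping its path
backup_configs() {
    root="$1"; dest="$2"
    for f in $CONFIGS; do
        [ -f "$root$f" ] || continue
        mkdir -p "$dest$(dirname "$f")"
        cp -p "$root$f" "$dest$f"
    done
}

# restore_configs DEST ROOT : put every backed-up copy in DEST back under ROOT
restore_configs() {
    dest="$1"; root="$2"
    for f in $CONFIGS; do
        [ -f "$dest$f" ] || continue
        cp -p "$dest$f" "$root$f"
    done
}

# openssh_installed : 0 if any openssh package is present (same check as rpm -qa | grep openssh)
openssh_installed() {
    rpm -qa 2>/dev/null | grep -q '^openssh'
}

# install_or_upgrade RPMDIR : rpm -i when absent; otherwise back up, rpm -U, restore
install_or_upgrade() {
    rpmdir="$1"
    backup="/root/ssh-config-backup-$(date +%Y%m%d%H%M%S)"   # assumed backup location
    if openssh_installed; then
        backup_configs "" "$backup"
        rpm -U "$rpmdir"/openssh*.rpm
        restore_configs "$backup" ""
        echo "configs restored from $backup"
    else
        rpm -i "$rpmdir"/openssh*.rpm
    fi
    rpm -qa | grep openssh
    systemctl restart sshd
}

# Touch the real system only when RPMDIR is set, e.g.
#   RPMDIR=/root/rpmbuild/RPMS/x86_64 sh upgrade-openssh.sh
if [ -n "${RPMDIR:-}" ]; then
    install_or_upgrade "$RPMDIR"
fi
```

cp -p keeps the owner, mode and timestamps of the originals, which matters for /etc/ssh/sshd_config and /etc/pam.d/sshd since sshd and PAM read them as root and the restored copies should look exactly like the ones that were backed up.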
The restart may fail; use the following command to see why:
systemctl status sshd
The output looks like this:
May 25 13:21:52 localhost.localdomain sshd[13077]: Unable to load host key "/etc/ssh/ssh_host_ed25519_key": bad permissions
May 25 13:21:52 localhost.localdomain sshd[13077]: Unable to load host key: /etc/ssh/ssh_host_ed25519_key
May 25 13:21:52 localhost.localdomain sshd[13077]: sshd: no hostkeys available -- exiting.
May 25 13:21:52 localhost.localdomain sshd[13077]: [FAILED]
Go into /etc/ssh/ and delete all key-related files (a new set of host keys is generated when sshd is next started, so clients that already know this server will see a changed-host-key warning and need to update their known_hosts entry):
[root@localhost ssh]# rm -rf *key*
Restart the sshd service again and check that it is running normally:
systemctl restart sshd
systemctl status sshd
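The "bad permissions" message above means sshd found a private host key that is readable by group or others (it refuses such keys). As an added example that is not part of the original post, the following script reports which keys in a directory are too permissive and can tighten them to mode 600, which keeps the server's existing host identity instead of deleting the keys. The function names, the SSH_DIR and FIX variables and the use of GNU stat -c (Linux coreutils) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Diagnose and repair host-key file
# permissions that make sshd log 'Unable to load host key ...: bad permissions'.
# Assumes Linux coreutils (stat -c). The directory is an argument so the
# functions can be run against a constructed directory as well as /etc/ssh.

# list_bad_host_keys DIR : print "path mode" for each private host key that
# grants any permission to group or others; return 1 if any were found
list_bad_host_keys() {
    dir="$1"; bad=0
    for key in "$dir"/ssh_host_*_key; do
        [ -f "$key" ] || continue
        mode=$(stat -c '%a' "$key")
        # leading 0 makes the shell read the mode as octal; 077 masks group/other bits
        if [ $((0$mode & 077)) -ne 0 ]; then
            echo "$key $mode"
            bad=1
        fi
    done
    return $bad
}

# fix_host_key_perms DIR : private keys to 600, matching .pub files to 644
fix_host_key_perms() {
    dir="$1"
    for key in "$dir"/ssh_host_*_key; do
        [ -f "$key" ] || continue
        chmod 600 "$key"
        if [ -f "$key.pub" ]; then
            chmod 644 "$key.pub"
        fi
    done
}

# Act on a real directory only when SSH_DIR is set (assumed variable), e.g.
#   SSH_DIR=/etc/ssh sh check-hostkeys.sh         # report only
#   SSH_DIR=/etc/ssh FIX=1 sh check-hostkeys.sh   # report and repair
if [ -n "${SSH_DIR:-}" ]; then
    if list_bad_host_keys "$SSH_DIR"; then
        echo "all private host keys in $SSH_DIR are mode 600 or stricter"
    elif [ "${FIX:-0}" = 1 ]; then
        fix_host_key_perms "$SSH_DIR"
        echo "permissions repaired; restart sshd and check systemctl status sshd"
    fi
fi
```

Run the report first: if it lists the key named in the systemctl status output, repairing the mode and restarting sshd resolves the error without changing the key that clients have pinned in known_hosts.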
If sshd starts normally but you cannot log in to the server over ssh, check the system log with the following command:
[root@localhost pam.d]# cat /var/log/secure
......
May 25 13:28:39 localhost sshd[30480]: PAM unable to dlopen(/usr/lib64/security/pam_stack.so): /usr/lib64/security/pam_stack.so: cannot open shared object file: No such file or directory
May 25 13:28:39 localhost sshd[30480]: PAM adding faulty module: /usr/lib64/security/pam_stack.so
If the error above appears, saying that the pam_stack.so module cannot be found, it means /etc/pam.d/sshd was not restored from the earlier backup.
If ssh login still does not work, keep looking at the system log:
[root@localhost pam.d]# cat /var/log/secure
......
May 25 13:40:41 localhost sshd[28873]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.10.10 user=root
May 25 13:40:41 localhost sshd[28873]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
May 25 13:40:43 localhost sshd[28873]: Failed password for root from 10.10.10.10 port 59430 ssh2
May 25 13:40:46 localhost sshd[28873]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
May 25 13:40:49 localhost sshd[28873]: Failed password for root from 10.10.10.10 port 59430 ssh2
When the log says requirement "uid >= 1000" not met by user "root", change the following setting in /etc/ssh/sshd_config:
PermitRootLogin yes
This parameter allows the root user to log in over ssh. Restart the sshd service after making the change. Note that "yes" also lets root log in with a password; the built-in default since OpenSSH 7.0 is prohibit-password, which admits root only with public-key authentication, so prefer that value when password logins as root are not needed.
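The two /var/log/secure excerpts above each point to a different cause. As an added example that is not part of the original post, the following script runs the same diagnosis over a log file: it recognises the pam_stack.so, pam_succeed_if and host-key permission messages shown in this post and prints the corresponding remedy, and it summarises "Failed password" lines by source address so repeated failures from one host are easy to see. The function names, the SECURE_LOG variable and the constructed log lines in the test are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post. Triage the sshd messages in
# /var/log/secure that the text discusses. The log path is an argument so the
# functions can be run against constructed lines as well as the real log.

# triage_secure_log FILE : print one hint per known failure pattern found in FILE;
# return 0 if at least one pattern matched, 1 if none did
triage_secure_log() {
    log="$1"; found=1
    if grep -q 'PAM unable to dlopen(.*pam_stack\.so)' "$log"; then
        echo "pam_stack.so missing: /etc/pam.d/sshd was not restored from the backup"
        found=0
    fi
    if grep -q 'pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"' "$log"; then
        echo "root login rejected by PAM: check PermitRootLogin in /etc/ssh/sshd_config"
        found=0
    fi
    if grep -q 'Unable to load host key.*bad permissions' "$log"; then
        echo "private host key too permissive: fix the key file modes in /etc/ssh"
        found=0
    fi
    return $found
}

# failed_password_sources FILE : "count address" lines for Failed password entries,
# most frequent source first
failed_password_sources() {
    grep 'Failed password for' "$1" \
        | sed -n 's/.* from \([^ ]*\) port .*/\1/p' \
        | sort | uniq -c | sort -rn
}

# Read the real log only when SECURE_LOG is set (assumed variable), e.g.
#   SECURE_LOG=/var/log/secure sh triage-secure.sh
if [ -n "${SECURE_LOG:-}" ]; then
    triage_secure_log "$SECURE_LOG" || echo "no known sshd failure pattern in $SECURE_LOG"
    echo "failed password attempts by source:"
    failed_password_sources "$SECURE_LOG"
fi
```

The patterns are deliberately narrow (the exact PAM module name and the exact pam_succeed_if requirement text), so a hint is printed only for the situations this post explains; anything else is left for manual reading of the log.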