1. Background

BClinux 8.6 ships OpenSSH 8.0p1 by default. An NSFOCUS (绿盟) vulnerability scan flagged it as carrying high-risk vulnerabilities, so it was to be upgraded to the latest release. One caveat before taking this route: enterprise-Linux vendors backport security fixes without changing the version string, so a scanner that matches on the banner alone can report CVEs the vendor package already fixes; the package changelog (rpm -q --changelog openssh-server) lists which ones are covered. Rebuilding from the upstream tarball, as done below, also discards every vendor patch in that package, which is what causes the sshd failure in section 3.3.

The upstream project publishes only a source tarball, whereas BClinux 8.6 manages OpenSSH as RPM packages.

To keep the upgrade manageable, the tarball is first turned into RPM packages, and those packages are then used for the upgrade.

The finished upgrade RPMs are available for download:

openssh 9.3p1 for BClinux & Anolis (龙蜥) 8.6

https://download.csdn.net/download/qyq88888/87764971?spm=1001.2014.3001.5503

Treat a prebuilt sshd from a file-sharing site as you would any unverified binary: for anything beyond a lab machine, build it yourself from a tarball whose signature you have checked, as described in section 2.

1.1 Check the OS version: cat /etc/os-release

[root@localhost ~]# cat /etc/os-release 
NAME="BigCloud Enterprise Linux"
VERSION="8.6 (Core)"
ID="bclinux"
ID_LIKE="rhel fedora"
VERSION_ID="8.6"
PLATFORM_ID="platform:an8"
PRETTY_NAME="BigCloud Enterprise Linux 8.6 (Core)"
ANSI_COLOR="0;31"
CPE_NAME="cpe:/o:bclinux:bclinux:8"
HOME_URL="https://mirrors.bclinux.org/"
BUG_REPORT_URL="https://bugs.bclinux.org/"

BCLINUX_BUGZILLA_PRODUCT="BigCloud Enterprise Linux 8 (Core)"
BCLINUX_BUGZILLA_PRODUCT_VERSION=8.6
BCLINUX_SUPPORT_PRODUCT="BigCloud Enterprise Linux 8 (Core)"
BCLINUX_SUPPORT_PRODUCT_VERSION=8.6

[root@localhost ~]# 

2. Building the RPM packages

2.1 Install the build tools

dnf install rpm-build zlib-devel openssl-devel gcc perl-devel pam-devel  libXt-devel gtk2-devel make perl -y

Install imake (needed by the x11-ssh-askpass sub-package):

dnf install imake

Verify that imake is installed:

[root@localhost ~]# rpm -qa|grep imake
imake-1.0.7-11.el8.x86_64
[root@localhost ~]# 

2.2 Download the sources. Mirrors of the OpenSSH portable directory serve a detached signature (openssh-9.3p1.tar.gz.asc) next to the tarball; fetch it too and verify the tarball against the OpenSSH release key before building anything from it.

wget https://src.fedoraproject.org/repo/pkgs/openssh/x11-ssh-askpass-1.2.4.1.tar.gz/8f2e41f3f7eaa8543a2440454637f3c3/x11-ssh-askpass-1.2.4.1.tar.gz
 
wget https://mirrors.aliyun.com/pub/OpenBSD/OpenSSH/portable/openssh-9.3p1.tar.gz


2.3 Set up the build tree

## Copy the source tarballs into the SOURCES directory

mkdir -p /root/rpmbuild/SOURCES
cp openssh-9.3p1.tar.gz x11-ssh-askpass-1.2.4.1.tar.gz /root/rpmbuild/SOURCES

Unpack the OpenSSH tarball (only to get at the spec file; rpmbuild unpacks the tarball itself during %prep):
tar -zxf openssh-9.3p1.tar.gz 


## Copy the spec file out of the unpacked source tree
mkdir -p /root/rpmbuild/SPECS/

[root@localhost openssh-9.3p1]# find ./ -name openssh.spec
./contrib/redhat/openssh.spec
./contrib/suse/openssh.spec

[root@localhost openssh-9.3p1]# cp ./contrib/redhat/openssh.spec /root/rpmbuild/SPECS/


## A first attempt to build fails on a dependency check:
[root@localhost SPECS]# rpmbuild -ba openssh.spec
error: Failed build dependencies:
        openssl-devel < 1.1 is needed by openssh-9.3p1-1.el8.bclinux.x86_64
[root@localhost SPECS]# 


cd /root/rpmbuild/SPECS/
vi openssh.spec
Comment out the following line. The contrib spec still declares a pre-1.1 OpenSSL build dependency, but OpenSSH 9.3p1 builds cleanly against the system's OpenSSL 1.1.1 (the ssh -V output after the upgrade shows it linked against OpenSSL 1.1.1k), so the requirement is simply stale:
#BuildRequires: openssl-devel < 1.1

2.4 Build the RPMs

Run the build again; this time it succeeds:
rpmbuild -ba openssh.spec
Wait for the compilation to finish.

...
The tail of the output:
Requires(rpmlib): rpmlib(CompressedFileNames) <= 3.0.4-1 rpmlib(FileDigests) <= 4.6.0-1 rpmlib(PayloadFilesHavePrefix) <= 4.0-1
Recommends: openssh-debugsource(x86-64) = 9.3p1-1.el8.bclinux
Checking for unpackaged file(s): /usr/lib/rpm/check-files /root/rpmbuild/BUILDROOT/openssh-9.3p1-1.el8.bclinux.x86_64
Wrote: /root/rpmbuild/SRPMS/openssh-9.3p1-1.el8.bclinux.src.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/openssh-9.3p1-1.el8.bclinux.x86_64.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/openssh-clients-9.3p1-1.el8.bclinux.x86_64.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/openssh-server-9.3p1-1.el8.bclinux.x86_64.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/openssh-askpass-9.3p1-1.el8.bclinux.x86_64.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/openssh-askpass-gnome-9.3p1-1.el8.bclinux.x86_64.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/openssh-debugsource-9.3p1-1.el8.bclinux.x86_64.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/openssh-debuginfo-9.3p1-1.el8.bclinux.x86_64.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/openssh-clients-debuginfo-9.3p1-1.el8.bclinux.x86_64.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/openssh-server-debuginfo-9.3p1-1.el8.bclinux.x86_64.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/openssh-askpass-debuginfo-9.3p1-1.el8.bclinux.x86_64.rpm
Wrote: /root/rpmbuild/RPMS/x86_64/openssh-askpass-gnome-debuginfo-9.3p1-1.el8.bclinux.x86_64.rpm
Executing(%clean): /bin/sh -e /var/tmp/rpm-tmp.q7XydL
+ umask 022
+ cd /root/rpmbuild/BUILD
+ cd openssh-9.3p1
+ rm -rf /root/rpmbuild/BUILDROOT/openssh-9.3p1-1.el8.bclinux.x86_64
+ exit 0
[root@localhost SPECS]# 
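The build steps of 2.1 to 2.4 collected into one script. This is an added example, not code from the original post, and it does two things the post skips: it verifies the tarball's detached signature before compiling (mirrors of the OpenSSH portable directory serve openssh-9.3p1.tar.gz.asc next to the tarball; if yours does not, take it from openssh.com), and it patches the spec with sed instead of an interactive editor. The function names, the TOPDIR/MIRROR variables, the "build" argument and the RELEASE_KEY_FPR value are this example's own assumptions; the fingerprint below is a placeholder and must be replaced with the one published on https://www.openssh.com/portable.html, otherwise the signer check fails closed.

```shell
#!/bin/sh
# Added example, not part of the original post: build the OpenSSH RPMs on
# BClinux/Anolis 8 with the tarball signature verified first.
# Assumptions: network access to MIRROR, gnupg2 installed, RELEASE_KEY_FPR set
# to the real OpenSSH release-key fingerprint (the default is a placeholder).
set -eu

OPENSSH_VER="${OPENSSH_VER:-9.3p1}"
MIRROR="${MIRROR:-https://mirrors.aliyun.com/pub/OpenBSD/OpenSSH/portable}"
ASKPASS_URL="https://src.fedoraproject.org/repo/pkgs/openssh/x11-ssh-askpass-1.2.4.1.tar.gz/8f2e41f3f7eaa8543a2440454637f3c3/x11-ssh-askpass-1.2.4.1.tar.gz"
RELEASE_KEY_FPR="${RELEASE_KEY_FPR:-0000000000000000000000000000000000000000}"  # placeholder
TOPDIR="${TOPDIR:-/root/rpmbuild}"

install_build_deps() {
  dnf install -y rpm-build zlib-devel openssl-devel gcc perl-devel pam-devel \
    libXt-devel gtk2-devel make perl imake gnupg2 wget
}

# Verify the detached signature AND pin the signer: gpg exits 0 for a valid
# signature from any imported key, so also require VALIDSIG <our fingerprint>.
verify_tarball() {
  local tarball="$1" status
  if ! status=$(gpg --status-fd 1 --verify "$tarball.asc" "$tarball" 2>/dev/null); then
    echo "bad or unknown signature on $tarball" >&2
    return 1
  fi
  echo "$status" | grep -q "VALIDSIG $RELEASE_KEY_FPR" \
    || { echo "$tarball is signed by an unexpected key" >&2; return 1; }
}

# Comment out the stale "openssl-devel < 1.1" build requirement that made the
# first rpmbuild fail. Returns 1 if the line is absent, so a changed spec is
# noticed rather than silently built.
patch_spec() {
  local spec="$1"
  grep -q '^BuildRequires: *openssl-devel *< *1\.1' "$spec" || return 1
  sed -i 's/^\(BuildRequires: *openssl-devel *< *1\.1\)/#\1/' "$spec"
}

fetch_sources() {
  mkdir -p "$TOPDIR/SOURCES" "$TOPDIR/SPECS"
  cd "$TOPDIR/SOURCES"
  wget -q "$MIRROR/openssh-$OPENSSH_VER.tar.gz" \
          "$MIRROR/openssh-$OPENSSH_VER.tar.gz.asc" "$ASKPASS_URL"
  verify_tarball "openssh-$OPENSSH_VER.tar.gz"
  # Only the spec is needed here; rpmbuild unpacks the tarball itself in %prep.
  tar -xzf "openssh-$OPENSSH_VER.tar.gz" -O \
      "openssh-$OPENSSH_VER/contrib/redhat/openssh.spec" > "$TOPDIR/SPECS/openssh.spec"
  patch_spec "$TOPDIR/SPECS/openssh.spec"
}

build_rpms() {
  rpmbuild --define "_topdir $TOPDIR" -ba "$TOPDIR/SPECS/openssh.spec"
  # Publish checksums next to the packages so whoever installs them can
  # compare what they downloaded with what was built here.
  (cd "$TOPDIR/RPMS/x86_64" && sha256sum openssh-*.rpm > SHA256SUMS)
}

main() {
  install_build_deps
  fetch_sources
  build_rpms
  ls -l "$TOPDIR/RPMS/x86_64"
}

# Only run the real build when asked to:  sh build-openssh-rpm.sh build
if [ "${1:-}" = "build" ]; then
  main
fi
```

Run it as root with the single argument build; without the argument it only defines the functions, which is what lets patch_spec be exercised on its own against a throwaway spec file.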

2.5 Inspect the built packages

List the packages the build produced:

[root@localhost x86_64]# ls -lrth /root/rpmbuild/RPMS/x86_64/
total 6.2M
-rw-r--r-- 1 root root 700K May  8 19:15 openssh-9.3p1-1.el8.bclinux.x86_64.rpm
-rw-r--r-- 1 root root 655K May  8 19:15 openssh-clients-9.3p1-1.el8.bclinux.x86_64.rpm
-rw-r--r-- 1 root root 484K May  8 19:15 openssh-server-9.3p1-1.el8.bclinux.x86_64.rpm
-rw-r--r-- 1 root root  50K May  8 19:15 openssh-askpass-9.3p1-1.el8.bclinux.x86_64.rpm
-rw-r--r-- 1 root root  31K May  8 19:15 openssh-askpass-gnome-9.3p1-1.el8.bclinux.x86_64.rpm
-rw-r--r-- 1 root root 748K May  8 19:15 openssh-debugsource-9.3p1-1.el8.bclinux.x86_64.rpm
-rw-r--r-- 1 root root 1.1M May  8 19:15 openssh-debuginfo-9.3p1-1.el8.bclinux.x86_64.rpm
-rw-r--r-- 1 root root 1.5M May  8 19:15 openssh-clients-debuginfo-9.3p1-1.el8.bclinux.x86_64.rpm
-rw-r--r-- 1 root root 921K May  8 19:15 openssh-server-debuginfo-9.3p1-1.el8.bclinux.x86_64.rpm
-rw-r--r-- 1 root root  61K May  8 19:15 openssh-askpass-debuginfo-9.3p1-1.el8.bclinux.x86_64.rpm
-rw-r--r-- 1 root root  42K May  8 19:15 openssh-askpass-gnome-debuginfo-9.3p1-1.el8.bclinux.x86_64.rpm
[root@localhost x86_64]# 

3. Upgrading with the built RPMs

3.1 Back up before upgrading

## Upgrade openssh using the RPMs built above
Pre-upgrade check: the currently installed packages
[root@localhost x86_64]# rpm -qa|grep openssh
openssh-8.0p1-13.0.1.an8.x86_64
openssh-server-8.0p1-13.0.1.an8.x86_64
openssh-clients-8.0p1-13.0.1.an8.x86_64
[root@localhost x86_64]# 

## Back up the configuration. sshd_config alone is not enough: also back up the rest of /etc/ssh (host keys, ssh_config, moduli) and /etc/pam.d/sshd, since the upgrade replaces the vendor package's files and can leave .rpmnew/.rpmsave copies that need reconciling.
[root@localhost x86_64]# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.20230508


## Only these three packages are needed for the upgrade (the askpass and debuginfo/debugsource packages can be left out):
openssh-clients-9.3p1-1.el8.bclinux.x86_64.rpm
openssh-9.3p1-1.el8.bclinux.x86_64.rpm
openssh-server-9.3p1-1.el8.bclinux.x86_64.rpm

3.2 Run the upgrade

dnf install ./*.rpm 

[root@localhost ~]# dnf install ./*.rpm 
Unable to connect to the BC-Linux YUM repository server.
Last metadata expiration check: 3:41:27 ago on Mon 08 May 2023 15:41:00.
Dependencies resolved.
====================================================================================================
 Package                 Architecture     Version                    Repository          Size
====================================================================================================
Upgrading:
 openssh                 x86_64           9.3p1-1.el8.bclinux        @commandline        699 k
 openssh-clients         x86_64           9.3p1-1.el8.bclinux        @commandline        654 k
 openssh-server          x86_64           9.3p1-1.el8.bclinux        @commandline        484 k

Transaction Summary
====================================================================================================
Upgrade  3 Packages

Total size: 1.8 M
Is this ok [y/N]: y
Downloading Packages:
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                           1/1 
  Running scriptlet: openssh-9.3p1-1.el8.bclinux.x86_64                        1/1 
  Upgrading        : openssh-9.3p1-1.el8.bclinux.x86_64                        1/6 
  Upgrading        : openssh-clients-9.3p1-1.el8.bclinux.x86_64                2/6 
  Running scriptlet: openssh-server-9.3p1-1.el8.bclinux.x86_64                 3/6 
  Upgrading        : openssh-server-9.3p1-1.el8.bclinux.x86_64                 3/6 
  Running scriptlet: openssh-server-9.3p1-1.el8.bclinux.x86_64                 3/6 
  Running scriptlet: openssh-server-8.0p1-13.0.1.an8.x86_64                    4/6 
  Cleanup          : openssh-server-8.0p1-13.0.1.an8.x86_64                    4/6 
  Running scriptlet: openssh-server-8.0p1-13.0.1.an8.x86_64                    4/6 
  Cleanup          : openssh-clients-8.0p1-13.0.1.an8.x86_64                   5/6 
  Cleanup          : openssh-8.0p1-13.0.1.an8.x86_64                           6/6 
  Running scriptlet: openssh-8.0p1-13.0.1.an8.x86_64                           6/6 
  Verifying        : openssh-9.3p1-1.el8.bclinux.x86_64                        1/6 
  Verifying        : openssh-8.0p1-13.0.1.an8.x86_64                           2/6 
  Verifying        : openssh-clients-9.3p1-1.el8.bclinux.x86_64                3/6 
  Verifying        : openssh-clients-8.0p1-13.0.1.an8.x86_64                   4/6 
  Verifying        : openssh-server-9.3p1-1.el8.bclinux.x86_64                 5/6 
  Verifying        : openssh-server-8.0p1-13.0.1.an8.x86_64                    6/6 

Upgraded:
  openssh-9.3p1-1.el8.bclinux.x86_64         openssh-clients-9.3p1-1.el8.bclinux.x86_64         openssh-server-9.3p1-1.el8.bclinux.x86_64        

Complete!
[root@localhost ~]# 




## The client binary already reports the new version (this says nothing yet about the server, which is checked next):
[root@localhost ~]# ssh -V
OpenSSH_9.3p1, OpenSSL 1.1.1k  FIPS 25 Mar 2021
[root@localhost ~]#

3.3 sshd fails to restart after the upgrade

Do not log out at this point. sshd is down after the failed restart, so if this session is lost there is no way back in short of the console. Keep it open (and ideally have console or out-of-band access ready) until a fresh ssh login has been confirmed to work, as in section 3.5.

[root@localhost ~]# systemctl restart sshd
Job for sshd.service failed because the control process exited with error code.
See "systemctl status sshd.service" and "journalctl -xe" for details.
[root@localhost ~]# systemctl status sshd
● sshd.service - SYSV: OpenSSH server daemon
   Loaded: loaded (/etc/rc.d/init.d/sshd; generated)
   Active: failed (Result: exit-code) since Mon 2023-05-08 19:23:16 CST; 10s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 3535454 ExecStop=/etc/rc.d/init.d/sshd stop (code=exited, status=0/SUCCESS)
  Process: 3535993 ExecStart=/etc/rc.d/init.d/sshd start (code=exited, status=1/FAILURE)
 Main PID: 939 (code=exited, status=0/SUCCESS)

May 08 19:23:16 localhost.localdomain sshd[3536002]: @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
May 08 19:23:16 localhost.localdomain sshd[3536002]: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
May 08 19:23:16 localhost.localdomain sshd[3536002]: Permissions 0640 for '/etc/ssh/ssh_host_ed25519_key' are too open.
May 08 19:23:16 localhost.localdomain sshd[3536002]: It is required that your private key files are NOT accessible by others.
May 08 19:23:16 localhost.localdomain sshd[3536002]: This private key will be ignored.
May 08 19:23:16 localhost.localdomain sshd[3536002]: sshd: no hostkeys available -- exiting.
May 08 19:23:16 localhost.localdomain sshd[3535993]: [FAILED]
May 08 19:23:16 localhost.localdomain systemd[1]: sshd.service: Control process exited, code=exited status=1
May 08 19:23:16 localhost.localdomain systemd[1]: sshd.service: Failed with result 'exit-code'.
May 08 19:23:16 localhost.localdomain systemd[1]: Failed to start SYSV: OpenSSH server daemon.
[root@localhost ~]# 

3.4 Fixing the failure

Why it failed: the vendor's 8.0p1 package installs the host keys as 0640 root:ssh_keys and patches sshd to accept that layout. The rebuilt package is plain upstream OpenSSH, which refuses any private key readable by group or other, so it ignored every host key and exited with "no hostkeys available" (systemctl status shows only the last few journal lines, so the warnings for the other keys are not visible above). Note also that the service is now the contrib/redhat SysV init script ("Loaded: loaded (/etc/rc.d/init.d/sshd; generated)"), not the vendor's systemd unit, so check that it is still enabled at boot.

## Set the permissions to 0600 and restart sshd. The command below fixes only the ed25519 key; do the same for ssh_host_rsa_key and ssh_host_ecdsa_key, otherwise sshd keeps ignoring them (the ecdsa warning in the status output below is exactly that) and clients that pinned those keys in known_hosts will be prompted about an unknown host key.
[root@localhost ~]# chmod 0600 /etc/ssh/ssh_host_ed25519_key
[root@localhost ~]# systemctl restart sshd


## Check the sshd service status again
[root@localhost ~]# systemctl status sshd
● sshd.service - SYSV: OpenSSH server daemon
   Loaded: loaded (/etc/rc.d/init.d/sshd; generated)
   Active: active (running) since Mon 2023-05-08 19:25:18 CST; 10s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 3535454 ExecStop=/etc/rc.d/init.d/sshd stop (code=exited, status=0/SUCCESS)
  Process: 3536161 ExecStart=/etc/rc.d/init.d/sshd start (code=exited, status=0/SUCCESS)
 Main PID: 3536171 (sshd)
    Tasks: 1 (limit: 101087)
   Memory: 904.0K
   CGroup: /system.slice/sshd.service
           └─3536171 sshd: /usr/sbin/sshd [listener] 0 of 10-100 startups

May 08 19:25:18 localhost.localdomain sshd[3536170]: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
May 08 19:25:18 localhost.localdomain sshd[3536170]: @         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
May 08 19:25:18 localhost.localdomain sshd[3536170]: @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
May 08 19:25:18 localhost.localdomain sshd[3536170]: Permissions 0640 for '/etc/ssh/ssh_host_ecdsa_key' are too open.
May 08 19:25:18 localhost.localdomain sshd[3536170]: It is required that your private key files are NOT accessible by others.
May 08 19:25:18 localhost.localdomain sshd[3536170]: This private key will be ignored.
May 08 19:25:18 localhost.localdomain sshd[3536171]: Server listening on 0.0.0.0 port 22.
May 08 19:25:18 localhost.localdomain sshd[3536171]: Server listening on :: port 22.
May 08 19:25:18 localhost.localdomain sshd[3536161]: [  OK  ]
May 08 19:25:18 localhost.localdomain systemd[1]: Started SYSV: OpenSSH server daemon.
[root@localhost ~]# 

3.5 Test a login

## ssh to the host again from a new session; it connects normally. The installed packages after the upgrade:
[root@localhost ~]# rpm -qa|grep openssh
openssh-clients-9.3p1-1.el8.bclinux.x86_64
openssh-9.3p1-1.el8.bclinux.x86_64
openssh-server-9.3p1-1.el8.bclinux.x86_64
[root@localhost ~]# 


## Check the ssh version
[root@localhost ~]# ssh -V
OpenSSH_9.3p1, OpenSSL 1.1.1k  FIPS 25 Mar 2021
[root@localhost ~]#
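The whole of section 3 as one script, added here as an example and not part of the original post. It backs up all of /etc/ssh rather than only sshd_config, installs the three packages, tightens every host key to 0600 (the post fixes ed25519 only, and the ecdsa key is still being ignored in its final status output), runs sshd -t before touching the running daemon, and probes a fresh connection before the old session is given up. The function names, SSH_DIR/BACKUP_DIR and the "upgrade" argument are this example's own assumptions; it expects to be run as root from the directory holding the three RPMs.

```shell
#!/bin/sh
# Added example, not part of the original post: upgrade sshd from locally
# built RPMs without locking yourself out. Assumes root, the three RPMs in
# the current directory, and that the existing session stays open throughout.
set -eu

SSH_DIR="${SSH_DIR:-/etc/ssh}"
BACKUP_DIR="${BACKUP_DIR:-/root}"

backup_ssh_config() {
  local out files="etc/ssh"
  out="$BACKUP_DIR/ssh-backup-$(date +%Y%m%d-%H%M%S).tar.gz"
  if [ -f /etc/pam.d/sshd ]; then files="$files etc/pam.d/sshd"; fi
  tar -czf "$out" -C / $files
  echo "$out"
}

# Upstream sshd ignores any host key whose mode has a group or other bit set.
# The vendor 8.0p1 package shipped them 0640 root:ssh_keys plus a patch that
# tolerates it; the rebuilt package has no such patch. Report every key the
# new sshd would reject; returns 0 only if all are tight.
check_hostkeys() {
  local dir="${1:-$SSH_DIR}" key mode rc=0
  for key in "$dir"/ssh_host_*_key; do
    [ -f "$key" ] || continue
    mode=$(stat -c %a "$key")
    case "$mode" in
      *00) ;;                                  # 600, 400: acceptable
      *) echo "too open: $key ($mode)" >&2; rc=1 ;;
    esac
  done
  return $rc
}

fix_hostkey_perms() {
  local dir="${1:-$SSH_DIR}" key
  for key in "$dir"/ssh_host_*_key; do
    [ -f "$key" ] || continue
    chmod 0600 "$key"        # group ssh_keys may stay; sshd only checks mode
  done
  check_hostkeys "$dir"
}

# Never restart blind: sshd -t parses the config and loads the host keys, and
# a failed restart with a single open session is a lockout.
safe_restart_sshd() {
  /usr/sbin/sshd -t || { echo "sshd -t failed, not restarting" >&2; return 1; }
  systemctl restart sshd
  systemctl is-active --quiet sshd
}

# A fresh connection must reach the daemon. "Permission denied" still counts
# (we only need to know it answers); "Connection refused" does not.
probe_sshd() {
  local out
  if out=$(ssh -o BatchMode=yes -o ConnectTimeout=5 \
               -o StrictHostKeyChecking=accept-new "${1:-localhost}" true 2>&1); then
    return 0
  fi
  case "$out" in *"Permission denied"*) return 0 ;; esac
  echo "$out" >&2
  return 1
}

main() {
  backup_ssh_config
  dnf install -y ./openssh-[0-9]*.rpm ./openssh-clients-[0-9]*.rpm ./openssh-server-[0-9]*.rpm
  fix_hostkey_perms
  safe_restart_sshd
  probe_sshd localhost
  # The new package installs a SysV init script in place of the vendor's
  # systemd unit, so confirm it is still enabled at boot, and list config
  # copies rpm left behind that still need reconciling.
  systemctl is-enabled sshd
  find "$SSH_DIR" /etc/pam.d -name '*.rpmnew' -o -name '*.rpmsave'
  rpm -qa 'openssh*'
  ssh -V
}

# Only run the real upgrade when asked to:  sh upgrade-openssh.sh upgrade
if [ "${1:-}" = "upgrade" ]; then
  main
fi
```

Run as root with the single argument upgrade. The permission helpers take a directory argument so they can be tried on a scratch directory first; on the real host they default to /etc/ssh.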
05-08 23:31