OpenSSH 9.8p1 rpm包构建与升级

rpmbuild入门知识
openssh/ssl二进制升级

前言

紧接openssl升级完成后直接开整,必须先完成openssl升级再来这个页面学习

第一步与openssl一致,可以直接跳过

一、资源准备

系统 centos_7.6、x86架构

1.下载openssh、openssl二进制包

1、下载openssh源码包
[root@localhost ~]# wget  https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.8p1.tar.gz
--2025-01-06 11:02:15--  https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.8p1.tar.gz
Resolving cdn.openbsd.org (cdn.openbsd.org)... 146.75.115.52, 2a04:4e42:15::820
Connecting to cdn.openbsd.org (cdn.openbsd.org)|146.75.115.52|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1910393 (1.8M) [application/octet-stream]
Saving to: ‘openssh-9.8p1.tar.gz’

38% [=========================================>               729,088     49.9KB/s  eta 22s

2、下载openssl源码包
[root@localhost ~]# wget https://github.com/openssl/openssl/archive/refs/tags/OpenSSL_1_1_1s.tar.gz

2.安装rpmbuild工具

[root@localhost ~]# yum install -y rpm-build
[root@localhost ~]# yum install rpmdevtools
[root@localhost ~]# yum install rpmlint -y #spec文件检查工具
[root@localhost ~]# vim /root/.rpmmacros
%_topdir /export/rpmbuild  #/root/.rpmmacros文件是存储各种宏定义,比如_topdir宏的值来自定义打包路径

创建rpmbuild目录

[root@localhost ~]# cd /export/
[root@localhost /export]# rpmdev-setuptree
[root@localhost /export]# cd rpmbuild && ls
BUILD  RPMS  SOURCES  SPECS  SRPMS

3.拷贝源码包到SOURCES目录下

[root@localhost ~]# mv openssh-9.8p1.tar.gz /export/rpmbuild/SOURCES
[root@localhost ~]# mv OpenSSL_1_1_1s.tar.gz /export/rpmbuild/SOURCES

4.系统开启telnet，防止意外导致shh无法连接

[root@localhost ~]# yum install -y telnet-server
[root@localhost ~]# yum install -y telnet
[root@localhost ~]# yum install -y xinetd #也可以不装
[root@localhost ~]# systemctl start telnet.socket && systemctl start xinetd.service

#因为默认情况下系统是不允许root用户telnet远程登录的。如果要使用root用户直接登录，需设置如下内容
[root@localhost ~]# echo  'pts/0'  >> /etc/securetty 
[root@localhost ~]# echo  'pts/1'  >> /etc/securetty

#开启telnet连接
[root@localhost ~]# telnet localhost
输入用户名
输入密码
完成登录

5.编译工具安装

[root@localhost ~]# yum install -y gcc make  gcc-c++ perl perl-WWW-Curl

至此,前期资源准备完成

6.补充说明

1、OpenSSH-9.8p1依赖OpenSSL-1.1.1及以上版本, 因此需要先升级openssl

2、OpenSSH-8.6后默认为不允许root登录

3、较新版本的CentOS7中 pam_stack.so模块已经被弃用删除, 请备份 /etc/pam.d/sshd

4、默认允许使用PAM登录认证；

5、默认允许使用X11Forwarding图形模块；

6、需修改ssh_host_rsa_key、ssh_host_ecdsa_key、ssh_host_ed25519_key这三个文件的权限,
	OpenSSH-8.6之后缩小了这三个文件的权限为0600, 大于该权限将会导致SSHD启动失败

二、OpenSSH rpm包构建

1. 从源码提取SPEC 文件到SPEC目录下

代码如下（示例）：

[root@localhost SOURCES]# tar -xf openssh-9.8p1.tar.gz -C ../SPECS openssh-9.8p1/contrib/redhat/openssh.spec --strip-components=3
[root@localhost SOURCES]# vim ../SPECS/openssh.spec
%global ver 9.8p1
%global rel 1%{?dist}

# OpenSSH privilege separation requires a user & group ID
%global sshd_uid    74
%global sshd_gid    74

# Version of ssh-askpass
%global aversion 1.2.4.1

# Do we want to disable building of x11-askpass? (1=yes 0=no)
%global no_x11_askpass 0

# Do we want to disable building of gnome-askpass? (1=yes 0=no)
%global no_gnome_askpass 0

# Do we want to link against a static libcrypto? (1=yes 0=no)
%global static_libcrypto 0

# Do we want smartcard support (1=yes 0=no)
%global scard 0

# Use GTK2 instead of GNOME in gnome-ssh-askpass
%global gtk2 1

# Use build6x options for older RHEL builds
# RHEL 7 not yet supported
%if 0%{?rhel} > 6
%global build6x 0
%else
%global build6x 1
%endif

%global without_openssl 0
# build without openssl where 1.1.1 is not available
%if 0%{?fedora} <= 28
%global without_openssl 1
%endif
%if 0%{?rhel} <= 7
%global without_openssl 1
%endif

# Do we want kerberos5 support (1=yes 0=no)
%global kerberos5 1

# Reserve options to override askpass settings with:
# rpm -ba|--rebuild --define 'skip_xxx 1'
%{?skip_x11_askpass:%global no_x11_askpass 1}
%{?skip_gnome_askpass:%global no_gnome_askpass 1}

# Add option to build without GTK2 for older platforms with only GTK+.
# RedHat <= 7.2 and Red Hat Advanced Server 2.1 are examples.
# rpm -ba|--rebuild --define 'no_gtk2 1'
%{?no_gtk2:%global gtk2 0}

# Is this a build for RHL 6.x or earlier?
%{?build_6x:%global build6x 1}

# If this is RHL 6.x, the default configuration has sysconfdir in /usr/etc.
%if %{build6x}
%global _sysconfdir /etc
%endif

# Options for static OpenSSL link:
# rpm -ba|--rebuild --define "static_openssl 1"
%{?static_openssl:%global static_libcrypto 1}

# Options for Smartcard support: (needs libsectok and openssl-engine)
# rpm -ba|--rebuild --define "smartcard 1"
%{?smartcard:%global scard 1}

# Is this a build for the rescue CD (without PAM)? (1=yes 0=no)
%global rescue 0
%{?build_rescue:%global rescue 1}

# Turn off some stuff for resuce builds
%if %{rescue}
%global kerberos5 0
%endif

Summary: The OpenSSH implementation of SSH protocol version 2.
Name: openssh
Version: %{ver}
%if %{rescue}
Release: %{rel}rescue
%else
Release: %{rel}
%endif
URL: https://www.openssh.com/portable.html
Source0: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
Source1: http://www.jmknoble.net/software/x11-ssh-askpass/x11-ssh-askpass-%{aversion}.tar.gz
License: BSD
Group: Applications/Internet
BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot
Obsoletes: ssh
%if %{build6x}
PreReq: initscripts >= 5.00
%else
Requires: initscripts >= 5.20
%endif
BuildRequires: perl
%if ! %{without_openssl}
BuildRequires: openssl-devel >= 1.1.1
%endif
BuildRequires: /bin/login
%if ! %{build6x}
BuildRequires: glibc-devel, pam
%else
BuildRequires: /usr/include/security/pam_appl.h
%endif
%if ! %{no_x11_askpass}
BuildRequires: /usr/include/X11/Xlib.h
# Xt development tools
BuildRequires: libXt-devel
# Provides xmkmf
BuildRequires: imake
# Rely on relatively recent gtk
BuildRequires: gtk2-devel
%endif
%if ! %{no_gnome_askpass}
BuildRequires: pkgconfig
%endif
%if %{kerberos5}
BuildRequires: krb5-devel
BuildRequires: krb5-libs
%endif

%package clients
Summary: OpenSSH clients.
Requires: openssh = %{version}-%{release}
Group: Applications/Internet
Obsoletes: ssh-clients

%package server
Summary: The OpenSSH server daemon.
Group: System Environment/Daemons
Obsoletes: ssh-server
Requires: openssh = %{version}-%{release}, chkconfig >= 0.9
%if ! %{build6x}
Requires: /etc/pam.d/system-auth
%endif

%package askpass
Summary: A passphrase dialog for OpenSSH and X.
Group: Applications/Internet
Requires: openssh = %{version}-%{release}
Obsoletes: ssh-extras

%package askpass-gnome
Summary: A passphrase dialog for OpenSSH, X, and GNOME.
Group: Applications/Internet
Requires: openssh = %{version}-%{release}
Obsoletes: ssh-extras

%description
SSH (Secure SHell) is a program for logging into and executing
commands on a remote machine. SSH is intended to replace rlogin and
rsh, and to provide secure encrypted communications between two
untrusted hosts over an insecure network. X11 connections and
arbitrary TCP/IP ports can also be forwarded over the secure channel.

OpenSSH is OpenBSD's version of the last free version of SSH, bringing
it up to date in terms of security and features, as well as removing
all patented algorithms to separate libraries.

This package includes the core files necessary for both the OpenSSH
client and server. To make this package useful, you should also
install openssh-clients, openssh-server, or both.

%description clients
OpenSSH is a free version of SSH (Secure SHell), a program for logging
into and executing commands on a remote machine. This package includes
the clients necessary to make encrypted connections to SSH servers.
You'll also need to install the openssh package on OpenSSH clients.

%description server
OpenSSH is a free version of SSH (Secure SHell), a program for logging
into and executing commands on a remote machine. This package contains
the secure shell daemon (sshd). The sshd daemon allows SSH clients to
securely connect to your SSH server. You also need to have the openssh
package installed.

%description askpass
OpenSSH is a free version of SSH (Secure SHell), a program for logging
into and executing commands on a remote machine. This package contains
an X11 passphrase dialog for OpenSSH.

%description askpass-gnome
OpenSSH is a free version of SSH (Secure SHell), a program for logging
into and executing commands on a remote machine. This package contains
an X11 passphrase dialog for OpenSSH and the GNOME GUI desktop
environment.

%prep

%if ! %{no_x11_askpass}
%setup -q -a 1
%else
%setup -q
%endif

%build
%if %{rescue}
CFLAGS="$RPM_OPT_FLAGS -Os"; export CFLAGS
%endif

%configure \
	--sysconfdir=%{_sysconfdir}/ssh \
	--libexecdir=%{_libexecdir}/openssh \
	--datadir=%{_datadir}/openssh \
	--with-default-path=/usr/local/bin:/bin:/usr/bin \
	--with-superuser-path=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin \
	--with-privsep-path=%{_var}/empty/sshd \
	--mandir=%{_mandir} \
	--with-mantype=man \
	--disable-strip \
        --with-ssl-dir=/usr/openssl \
%if %{scard}
	--with-smartcard \
%endif
%if %{rescue}
	--without-pam \
%else
	--with-pam \
%endif
%if %{kerberos5}
	 --with-kerberos5=$K5DIR \
%endif


%if %{static_libcrypto}
perl -pi -e "s|-lcrypto|%{_libdir}/libcrypto.a|g" Makefile
%endif

make

%if ! %{no_x11_askpass}
pushd x11-ssh-askpass-%{aversion}
%configure --libexecdir=%{_libexecdir}/openssh
xmkmf -a
make
popd
%endif

# Define a variable to toggle gnome1/gtk2 building.  This is necessary
# because RPM doesn't handle nested %if statements.
%if %{gtk2}
	gtk2=yes
%else
	gtk2=no
%endif

%if ! %{no_gnome_askpass}
pushd contrib
if [ $gtk2 = yes ] ; then
	make gnome-ssh-askpass2
	mv gnome-ssh-askpass2 gnome-ssh-askpass
else
	make gnome-ssh-askpass1
	mv gnome-ssh-askpass1 gnome-ssh-askpass
fi
popd
%endif

%install
rm -rf $RPM_BUILD_ROOT
mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh
mkdir -p -m755 $RPM_BUILD_ROOT%{_libexecdir}/openssh
mkdir -p -m755 $RPM_BUILD_ROOT%{_var}/empty/sshd

make install DESTDIR=$RPM_BUILD_ROOT

install -d $RPM_BUILD_ROOT/etc/pam.d/
install -d $RPM_BUILD_ROOT/etc/rc.d/init.d
install -d $RPM_BUILD_ROOT%{_libexecdir}/openssh
#install -m644 contrib/redhat/sshd.pam  $RPM_BUILD_ROOT/etc/pam.d/sshd
install -m644 /etc/pam.d/sshd     $RPM_BUILD_ROOT/etc/pam.d/sshd
install -m755 contrib/redhat/sshd.init $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd

%if ! %{no_x11_askpass}
install x11-ssh-askpass-%{aversion}/x11-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/x11-ssh-askpass
ln -s x11-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/ssh-askpass
%endif

%if ! %{no_gnome_askpass}
install contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass
%endif

%if ! %{scard}
	 rm -f $RPM_BUILD_ROOT/usr/share/openssh/Ssh.bin
%endif

%if ! %{no_gnome_askpass}
install -m 755 -d $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
install -m 755 contrib/redhat/gnome-ssh-askpass.csh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
install -m 755 contrib/redhat/gnome-ssh-askpass.sh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
%endif

perl -pi -e "s|$RPM_BUILD_ROOT||g" $RPM_BUILD_ROOT%{_mandir}/man*/*

%clean
rm -rf $RPM_BUILD_ROOT

%triggerun server -- ssh-server
if [ "$1" != 0 -a -r /var/run/sshd.pid ] ; then
	touch /var/run/sshd.restart
fi

%triggerun server -- openssh-server < 2.5.0p1
# Count the number of HostKey and HostDsaKey statements we have.
gawk	'BEGIN {IGNORECASE=1}
	 /^hostkey/ || /^hostdsakey/ {sawhostkey = sawhostkey + 1}
	 END {exit sawhostkey}' /etc/ssh/sshd_config
# And if we only found one, we know the client was relying on the old default
# behavior, which loaded the the SSH2 DSA host key when HostDsaKey wasn't
# specified.  Now that HostKey is used for both SSH1 and SSH2 keys, specifying
# one nullifies the default, which would have loaded both.
if [ $? -eq 1 ] ; then
	echo HostKey /etc/ssh/ssh_host_rsa_key >> /etc/ssh/sshd_config
	echo HostKey /etc/ssh/ssh_host_dsa_key >> /etc/ssh/sshd_config
fi

%triggerpostun server -- ssh-server
if [ "$1" != 0 ] ; then
	/sbin/chkconfig --add sshd
	if test -f /var/run/sshd.restart ; then
		rm -f /var/run/sshd.restart
		/sbin/service sshd start > /dev/null 2>&1 || :
	fi
fi

%pre server
cp -Rf /etc/ssh{,.back}
%{_sbindir}/groupadd -r -g %{sshd_gid} sshd 2>/dev/null || :
%{_sbindir}/useradd -d /var/empty/sshd -s /bin/false -u %{sshd_uid} \
	-g sshd -M -r sshd 2>/dev/null || :

%post server
sed -i -e "s/#PermitRootLogin prohibit-password/PermitRootLogin yes/g" /etc/ssh/sshd_config
sed -i -e "s/#UsePAM no/UsePAM yes/g" /etc/ssh/sshd_config
sed -i -e "s/#X11Forwarding no/X11Forwarding yes/g" /etc/ssh/sshd_config
chmod +x /etc/init.d/sshd
chmod 600 /etc/ssh/ssh_host_rsa_key
chmod 600 /etc/ssh/ssh_host_ecdsa_key
chmod 600 /etc/ssh/ssh_host_ed25519_key
/sbin/chkconfig --add sshd

%postun server
/sbin/service sshd condrestart > /dev/null 2>&1 || :

%preun server
if [ "$1" = 0 ]
then
	/sbin/service sshd stop > /dev/null 2>&1 || :
	/sbin/chkconfig --del sshd
fi

%files
%defattr(-,root,root)
%doc CREDITS ChangeLog INSTALL LICENCE OVERVIEW README* PROTOCOL* TODO
%attr(0755,root,root) %{_bindir}/scp
%attr(0644,root,root) %{_mandir}/man1/scp.1*
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
%if ! %{rescue}
%attr(0755,root,root) %{_bindir}/ssh-keygen
%attr(0644,root,root) %{_mandir}/man1/ssh-keygen.1*
%attr(0755,root,root) %dir %{_libexecdir}/openssh
%attr(4711,root,root) %{_libexecdir}/openssh/ssh-keysign
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-pkcs11-helper
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-sk-helper
%attr(0644,root,root) %{_mandir}/man8/ssh-keysign.8*
%attr(0644,root,root) %{_mandir}/man8/ssh-pkcs11-helper.8*
%attr(0644,root,root) %{_mandir}/man8/ssh-sk-helper.8*
%endif
%if %{scard}
%attr(0755,root,root) %dir %{_datadir}/openssh
%attr(0644,root,root) %{_datadir}/openssh/Ssh.bin
%endif

%files clients
%defattr(-,root,root)
%attr(0755,root,root) %{_bindir}/ssh
%attr(0644,root,root) %{_mandir}/man1/ssh.1*
%attr(0644,root,root) %{_mandir}/man5/ssh_config.5*
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
%if ! %{rescue}
%attr(2755,root,nobody) %{_bindir}/ssh-agent
%attr(0755,root,root) %{_bindir}/ssh-add
%attr(0755,root,root) %{_bindir}/ssh-keyscan
%attr(0755,root,root) %{_bindir}/sftp
%attr(0644,root,root) %{_mandir}/man1/ssh-agent.1*
%attr(0644,root,root) %{_mandir}/man1/ssh-add.1*
%attr(0644,root,root) %{_mandir}/man1/ssh-keyscan.1*
%attr(0644,root,root) %{_mandir}/man1/sftp.1*
%endif

%if ! %{rescue}
%files server
%defattr(-,root,root)
%dir %attr(0111,root,root) %{_var}/empty/sshd
%attr(0755,root,root) %{_sbindir}/sshd
%attr(0755,root,root) %{_libexecdir}/openssh/sftp-server
%attr(0644,root,root) %{_mandir}/man8/sshd.8*
%attr(0644,root,root) %{_mandir}/man5/moduli.5*
%attr(0644,root,root) %{_mandir}/man5/sshd_config.5*
%attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
%attr(0600,root,root) %config(noreplace) /etc/pam.d/sshd
%attr(0755,root,root) %config /etc/rc.d/init.d/sshd
%endif

%if ! %{no_x11_askpass}
%files askpass
%defattr(-,root,root)
%doc x11-ssh-askpass-%{aversion}/README
%doc x11-ssh-askpass-%{aversion}/ChangeLog
%doc x11-ssh-askpass-%{aversion}/SshAskpass*.ad
%{_libexecdir}/openssh/ssh-askpass
%attr(0755,root,root) %{_libexecdir}/openssh/x11-ssh-askpass
%endif

%if ! %{no_gnome_askpass}
%files askpass-gnome
%defattr(-,root,root)
%attr(0755,root,root) %config %{_sysconfdir}/profile.d/gnome-ssh-askpass.*
%attr(0755,root,root) %{_libexecdir}/openssh/gnome-ssh-askpass
%endif

%changelog
* Wed Mar 13 2024 wanghuaizhuang <wangjinming@live.cn>
- modify from source code of www.openssh.org

2.修改 .SPEC 文件 %pre server 区域新增如下配置, 备份ssh配置

cp -Rf /etc/ssh{,.back}

3.修改 .SPEC 文件 %post server 区域下面新增如下配置, 配置sshd

sed -i -e "s/#PermitRootLogin prohibit-password/PermitRootLogin yes/g" /etc/ssh/sshd_config
sed -i -e "s/#UsePAM no/UsePAM yes/g" /etc/ssh/sshd_config
sed -i -e "s/#X11Forwarding no/X11Forwarding yes/g" /etc/ssh/sshd_config
chmod +x /etc/init.d/sshd
chmod 600 /etc/ssh/ssh_host_rsa_key
chmod 600 /etc/ssh/ssh_host_ecdsa_key
chmod 600 /etc/ssh/ssh_host_ed25519_key

4.修改 .SPEC 文件 %install 保留原pam配置

# 注释这行
#install -m644 contrib/redhat/sshd.pam  $RPM_BUILD_ROOT/etc/pam.d/sshd

# 增加此行
install -m644 /etc/pam.d/sshd     $RPM_BUILD_ROOT/etc/pam.d/sshd

5.修改%configure 选项，指定openssl路径

--with-ssl-dir=/usr/openssl \  # 根据前面 安装 openssl 的路径决定的
# %if ! %{without_openssl}
#       --without-openssl \
# %endif 

6.检查 .SPEC 文件

[root@localhost SOURCES]# rpmlint ../SPECS/openssh.spec 
../SPECS/openssh.spec:95: W: unversioned-explicit-obsoletes ssh
../SPECS/openssh.spec:132: W: unversioned-explicit-obsoletes ssh-clients
../SPECS/openssh.spec:137: W: unversioned-explicit-obsoletes ssh-server
../SPECS/openssh.spec:147: W: unversioned-explicit-obsoletes ssh-extras
../SPECS/openssh.spec:153: W: unversioned-explicit-obsoletes ssh-extras
../SPECS/openssh.spec:217: W: mixed-use-of-spaces-and-tabs (spaces: line 217, tab: line 208)
0 packages and 1 specfiles checked; 0 errors, 6 warnings.

7. 执行构建命令

[root@localhost SPECS]# rpmbuild -ba openssh.spec

8.编译过程遇到的错误及修复

8.1.错误1

错误：坏文件：/root/rpmbuild/SOURCES/x11-ssh-askpass-1.2.4.1.tar.gz: 没有那个文件或目录

修复

下载地址 https://src.fedoraproject.org/repo/pkgs/openssh/x11-ssh-askpass-1.2.4.1.tar.gz/8f2e41f3f7eaa8543a2440454637f3c3/
[root@localhost SOURCES]# rz x11-ssh-askpass-1.2.4.1.tar.gz #上传到SOURCE目录下

上传完成后重新执行rpmbuild -ba openssh.spec命令

8.2.错误2

错误：构建依赖失败：
	/usr/include/X11/Xlib.h 被 openssh-9.8p1-1.el7.x86_64 需要
	libXt-devel 被 openssh-9.8p1-1.el7.x86_64 需要
	imake 被 openssh-9.8p1-1.el7.x86_64 需要
	gtk2-devel 被 openssh-9.8p1-1.el7.x86_64 需要
	krb5-devel 被 openssh-9.8p1-1.el7.x86_64 需要

修复==安装缺少的依赖,安装完成后重新构建

[root@localhost SPECS]# yum -y install Xlib libXt-devel imake gtk2-devel krb5-devel

8.3.错误3

configure: error: PAM headers not found
错误：/var/tmp/rpm-tmp.P9BVFu (%build) 退出状态不好


RPM 构建错误：
    /var/tmp/rpm-tmp.P9BVFu (%build) 退出状态不好

修复==安装缺少的PAM,安装完成后重新构建

[root@localhost SPECS]# yum -y install pam-devel

8.4.错误4

``修复==将发现已安装的文件添加到%files下方即可,然后重新构建`

9.查看构建完成的rpm包

三、通过RPM包更新 OpenSSH

1.备份旧ssh配置文件及目录

[root@localhost SPECS]# cp -rp /etc/ssh/ /home/ssh-bak

2.备份旧ssh相关的二进制程序文件

[root@localhost SPECS]# cp -pr /usr/bin/ssh /usr/bin/ssh.bak

[root@localhost SPECS]# cp -rp /usr/sbin/sshd /usr/sbin/sshd.bak

[root@localhost SPECS]# cp -rp /etc/pam.d/sshd  /etc/pam.d/sshd.old

3.升级openssh

[root@localhost x86_64]# rpm -Uvh openssh-9.8p1-1.el7.x86_64.rpm openssh-server-9.8p1-1.el7.x86_64.rpm openssh-clients-9.8p1-1.el7.x86_64.rpm

四、重启 OpenSSH并验证

4.1.重启openssh

[root@localhost x86_64]# systemctl daemon-reload
[root@localhost x86_64]# systemctl restart sshd

4.2.验证

4.2.1 检查ssh目录下的文件及版本,可以看到有三个文件的属组是ssh_keys，但是不影响正常使用,如果不放心可以修改为root

4.2.2 测试xshell连接是否有问题

4.2.3 测试从其他机器ssh是否连接

4.2.4 测试scp功能是否正常

测试更新了openssh、openssl的192.168.56.162机器给其他机器传输文件

4.2.5 重启192.168.56.162机器后测试连接服务器是否正常

至此,openssh、openssl升级/验证完成