@cdmonkey 2021-12-21T07:38:21.000000Z  words: 5529  reads: 1019

OpenSSH-rpm

Uncategorized


https://codeday.me/bug/20180226/137445.html
https://mritd.me/2016/09/13/%E5%9F%BA%E4%BA%8E%E5%AE%98%E6%96%B9-rpm-%E5%BF%AB%E9%80%9F%E5%88%9B%E5%BB%BA%E8%87%AA%E5%AE%9A%E4%B9%89-rpm

Background

https://blog.csdn.net/pushme_pli/article/details/78817532

Building an RPM package takes two things:

(1) a .spec file, prepared first;
(2) the rpmbuild tool, which consumes it.

A typical RPM package consists of two parts:

(1) the files to be unpacked onto the system (binary or source);
(2) scripts (the pre and post scriptlets for install and for uninstall, respectively).

OpenSSL

https://www.cnblogs.com/xshrim/p/6472679.html
http://www.winseliu.com/blog/2016/10/20/ssh-upgrade-on-centos6

    yum install perl-WWW-Curl
    wget http://172.16.132.241/soft/openssl-1.0.2o.tar.gz

Create the rpmbuild directory tree:

    [root@Ansible01 ~]# mkdir rpmbuild
    [root@Ansible01 ~]# cd rpmbuild/
    [root@Ansible01 rpmbuild]# mkdir -pv {BUILD,BUILDROOT,RPMS,SOURCES,SPECS,SRPMS}

Prepare the spec file (the tarball ships its own openssl.spec; extract just that file into SPECS):

    [root@kvm-node2 SOURCES]# cd ~/rpmbuild/SPECS/
    tar zxvf ../SOURCES/openssl-1.0.2o.tar.gz openssl-1.0.2o/openssl.spec
    mv openssl-1.0.2o/openssl.spec openssl-1.0.2o.spec && rm -rf openssl-1.0.2o

Apache

https://apr.apache.org/download.cgi
https://segmentfault.com/a/1190000005160311

First install the build dependencies:

    yum install -y pcre-devel initscripts autoconf libuuid-devel openldap-devel lua-devel libxml2-devel libtool doxygen zlib-devel libselinux-devel

Next, apr and apr-util must be installed. This step matters, and yum cannot be used for it: the packaged versions are too old for this httpd release. The procedure is to download the source tarball, build it into an rpm, and install that. Note that apr-util's configure needs apr (and apr-devel) already installed, so build and install apr first even though the notes below list it second.

apr-util

    # build dependencies:
    yum install -y db4-devel postgresql-devel mysql-devel sqlite-devel unixODBC-devel nss-devel
    # download and build straight from the tarball (it carries its own spec):
    wget http://mirrors.sorengard.com/apache//apr/apr-util-1.6.1.tar.bz2
    rpmbuild -tb apr-util-1.6.1.tar.bz2

The build produces several rpms; only these two need to be installed:

    apr-util-1.6.1-1.x86_64.rpm
    apr-util-devel-1.6.1-1.x86_64.rpm

apr

When building the apr package the spec file needs a small change: its %check section aborts the build when a test fails, and these notes work around that by letting the build carry on regardless.

    # apr.spec
    %check
    # Run non-interactive tests
    pushd test
    make %{?_smp_mflags} all CFLAGS=-fno-strict-aliasing
    make check || continue # note: change exit 1 to continue
    popd

This silences failing tests rather than fixing them, so read the test output before trusting the resulting library; if skipping the tests is really the intent, rpmbuild --nocheck omits the %check section altogether. The idiomatic no-op is `|| true` (`continue` is a loop keyword, and bash merely warns about it outside a loop).

Then build:

    rpmbuild -bb apr.spec

httpd

    [root@ldap01 SOURCES]# cd ~/rpmbuild/SPECS/
    tar jxvf ../SOURCES/httpd-2.4.34.tar.bz2 httpd-2.4.34/httpd.spec
    mv httpd-2.4.34/httpd.spec httpd-2.4.34.spec && rm -rf httpd-2.4.34
    rpmbuild -bb httpd-2.4.34.spec

OpenSSH

http://chuansong.me/n/341283051929
http://blog.51cto.com/lijichao/542924
http://blog.51cto.com/10730576/1892059
http://sharadchhetri.com/2015/01/18/how-to-create-openssh-rpm-package-and-its-upgrade/

Install the build dependencies:

    yum install openssl-devel pam-devel rpm-build rpmdevtools zlib-devel krb5-devel glibc glibc-devel gcc

Create the rpmbuild directory tree:

    mkdir rpmbuild && cd rpmbuild && mkdir -pv {BUILD,BUILDROOT,RPMS,SOURCES,SPECS,SRPMS}

Download the source tarballs and the detached signature:

    [root@kvm-node2 ~]# cd ~/rpmbuild/SOURCES/
    wget http://172.16.132.241/soft/openssh-7.7p1.tar.gz
    wget http://172.16.132.241/soft/openssh-7.7p1.tar.gz.asc
    wget http://ftp.riken.jp/Linux/momonga/6/Everything/SOURCES/x11-ssh-askpass-1.2.4.1.tar.gz
    # import the public key into the keyring:
    wget -O- https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/DJM-GPG-KEY.asc | gpg --import
    # the import prints something like:
    --2018-06-27 11:07:44-- https://openbsd.hk/pub/OpenBSD/OpenSSH/portable/DJM-GPG-KEY.asc
    gpg: directory '/root/.gnupg' created
    gpg: new configuration file '/root/.gnupg/gpg.conf' created
    gpg: WARNING: options in '/root/.gnupg/gpg.conf' are not yet active during this run
    gpg: keyring '/root/.gnupg/secring.gpg' created
    gpg: keyring '/root/.gnupg/pubring.gpg' created
    ...
    gpg: /root/.gnupg/trustdb.gpg: trustdb created
    gpg: key 86FF9C48: public key "Damien Miller (Personal Key) <djm@mindrot.org>" imported
    gpg: Total number processed: 1
    gpg: imported: 1

Verification then fails, and the error says why: the signature was made with key ID 6D920D30, while the key imported above is 86FF9C48 (Damien Miller's personal key), so gpg has no key to check against. Import the OpenSSH release signing key instead (RELEASE_KEY.asc, published in the pub/OpenBSD/OpenSSH/ directory of the same mirrors) and re-run the check; do not build from an unverified tarball just because this step is inconvenient.

    [root@kvm-node2 SOURCES]# gpg openssh-7.7p1.tar.gz.asc
    gpg: Signature made Mon Apr 2 13:39:42 2018 CST using RSA key ID 6D920D30
    gpg: Can't check signature: No public key

How to Verify OpenSSH Source
https://www.tidgubi.com/2016/02/how-to-verify-openssh-source/
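A practitioner wants this verification to be a hard gate that pins the expected signing key, not a check that passes for any key in the keyring. The script below is an added example, not part of the original notes: it runs gpg with --status-fd, gpg's machine-readable interface, and decides from the status lines, so a missing key is reported together with the key ID to import. EXPECTED_FPR is a placeholder assumption (not an OpenSSH key fingerprint) to be replaced with the fingerprint obtained out of band; judge_gpg_status and verify_tarball are names chosen here.

```shell
#!/bin/sh
# Added example: gate the rpm build on a verified tarball signature.
# EXPECTED_FPR is a placeholder assumption, NOT a real OpenSSH key fingerprint.
# Pin the 40-hex fingerprint you obtained out of band (key page, earlier
# verified download, colleague's keyring) before using this for real.
EXPECTED_FPR="${EXPECTED_FPR:-0000000000000000000000000000000000000000}"

# judge_gpg_status <expected-fpr>: read "[GNUPG:] ..." status lines on stdin
# and print exactly one verdict:
#   ok                 valid signature made by the pinned key
#   wrong-key <fpr>    valid signature, but by a key we did not pin
#   no-pubkey <keyid>  signer's key is not in the keyring; import it first
#   bad                signature does not match the file
#   unknown            none of the above seen; treat as failure
judge_gpg_status() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "NO_PUBKEY" { verdict = "no-pubkey " $3 }
        $2 == "BADSIG"    { verdict = "bad" }
        $2 == "VALIDSIG"  { verdict = ($3 == want) ? "ok" : ("wrong-key " $3) }
        END { print (verdict == "" ? "unknown" : verdict) }
    '
}

# verify_tarball <file.asc> <file>: succeed only when the verdict is "ok".
# Human-readable gpg output is discarded; the decision rests on the status lines.
verify_tarball() {
    verdict=$(gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | judge_gpg_status "$EXPECTED_FPR")
    case $verdict in
        ok)         echo "verified $2" ;;
        no-pubkey*) echo "import key ${verdict#no-pubkey } before building" >&2; return 1 ;;
        *)          echo "refusing to build: $verdict" >&2; return 1 ;;
    esac
}

# Typical use from the SOURCES directory:
#   verify_tarball openssh-7.7p1.tar.gz.asc openssh-7.7p1.tar.gz && rpmbuild -bb ../SPECS/openssh-7.7p1.spec
```

The fingerprint comparison is what turns "gpg said GOODSIG" into "signed by the key we expect"; with the page's error ("No public key") the verdict is no-pubkey and the script names the key ID that still has to be imported.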

Prepare the spec file (the one shipped in contrib/redhat inside the tarball):

    [root@kvm-node2 SOURCES]# cd ~/rpmbuild/SPECS/
    tar zxvf ../SOURCES/openssh-7.7p1.tar.gz openssh-7.7p1/contrib/redhat/openssh.spec
    mv openssh-7.7p1/contrib/redhat/openssh.spec openssh-7.7p1.spec && rm -rf openssh-7.7p1
    # do not build the gnome/x11 askpass subpackages (no desktop on these hosts):
    sed -i -e "s/%define no_gnome_askpass 0/%define no_gnome_askpass 1/g" openssh-7.7p1.spec
    sed -i -e "s/%define no_x11_askpass 0/%define no_x11_askpass 1/g" openssh-7.7p1.spec
    # BuildPreReq is an obsolete spelling of BuildRequires:
    sed -i -e "s/BuildPreReq/BuildRequires/g" openssh-7.7p1.spec

Build the rpms:

    [root@kvm-node2 SPECS]# rpmbuild -bb openssh-7.7p1.spec

The rpms are now built:

    [root@kvm-node2 x86_64]# cd ~/rpmbuild/RPMS/x86_64 && ls
    openssh-7.7p1-1.el6.x86_64.rpm
    openssh-clients-7.7p1-1.el6.x86_64.rpm
    openssh-debuginfo-7.7p1-1.el6.x86_64.rpm
    openssh-server-7.7p1-1.el6.x86_64.rpm

OpenSSH 8.5

Extra dependencies:

    yum install libX11-devel libXt-devel imake gtk2-devel

CentOS 8

The steps are the same as above; only the imake package takes a detour.

The PowerTools repository has to be enabled:

    dnf config-manager --set-enabled PowerTools
    # then the install works:
    yum install imake

Some configuration directives are gone in this version; remove them from sshd_config, then check the result with sshd -t before restarting the service:

    sed -i '/KeyRegenerationInterval/d' /etc/ssh/sshd_config
    sed -i '/ServerKeyBits/d' /etc/ssh/sshd_config
    sed -i '/RSAAuthentication/d' /etc/ssh/sshd_config
    sed -i '/RhostsRSAAuthentication/d' /etc/ssh/sshd_config
    sed -i '/UsePrivilegeSeparation/d' /etc/ssh/sshd_config

Other operations

Unpacking an rpm

rpm2cpio extracts the payload into the current directory, so run it in a scratch directory. It does not show the scriptlets; for inspecting a package before installing it, rpm -qp --scripts prints those and rpm -qlp lists the files.

    rpm2cpio openssl-1.0.2k-12.el7.x86_64.rpm | cpio -div
    ./etc/pki/CA
    ./etc/pki/CA/certs
    ./etc/pki/CA/crl
    ./etc/pki/CA/newcerts
    ./etc/pki/CA/private
    ./etc/pki/tls/certs/Makefile
    ...
    1652 blocks

Troubleshooting

    error: Failed build dependencies:
    openssl-devel < 1.1 is needed by openssh-7.9p1-1.el7.centos.x86_64

The spec's BuildRequires line pins the openssl-devel version; compare that constraint with rpm -q openssl-devel on the build host. See:

https://blog.csdn.net/qq_42609381/article/details/82855043

PAM

It has been confirmed that the homemade rpm overwrites /etc/pam.d/sshd, and the new file is unusable, which is a serious problem; back the file up before upgrading. This is ordinary rpm behaviour rather than a quirk of the build: a %config file that was never modified locally is replaced on upgrade even when it is marked noreplace, and only a locally modified file is kept (the packaged version is then written beside it as .rpmnew). The CentOS 6 configuration is recorded here:

    #%PAM-1.0
    auth required pam_sepermit.so
    auth include password-auth
    account required pam_nologin.so
    account include password-auth
    password include password-auth
    # pam_selinux.so close should be the first session rule
    session required pam_selinux.so close
    session required pam_loginuid.so
    # pam_selinux.so open should only be followed by sessions to be executed in the user context
    session required pam_selinux.so open env_params
    session optional pam_keyinit.so force revoke
    session include password-auth
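The obsolete-directive cleanup in the CentOS 8 section and the PAM overwrite described here are the two things that go wrong around the actual rpm -Uvh, so they belong in one upgrade wrapper. The script below is an added example, not code from the original notes: it backs up sshd_config and /etc/pam.d/sshd, installs the built rpms, restores the PAM file if the package replaced it (keeping the packaged copy as .rpmnew for comparison), strips the directives the new sshd no longer knows, and refuses to restart on a config that sshd -t rejects. Function names are ours; every path is a parameter so the file-handling parts can be rehearsed on copies before running it as root.

```shell
#!/bin/sh
# Added example (not from the original notes): wrap an OpenSSH rpm upgrade so the
# local sshd configuration and PAM stack survive it. Function names are ours;
# rpm, sshd -t and the service commands are the standard ones.
set -u

# sshd_config keywords the upgraded sshd no longer has (the list from the notes).
DEPRECATED="KeyRegenerationInterval ServerKeyBits RSAAuthentication RhostsRSAAuthentication UsePrivilegeSeparation"

# strip_deprecated <sshd_config>: delete those directives (active or commented
# out), anchored at line start so a comment that merely mentions a keyword later
# in the line survives. Rewrites the file in place, keeping its mode and owner,
# and prints the number of lines removed.
strip_deprecated() {
    cfg=$1
    re="^[[:space:]]*#*[[:space:]]*($(echo $DEPRECATED | tr ' ' '|'))([[:space:]=]|$)"
    tmp=$(mktemp)
    grep -vE "$re" "$cfg" > "$tmp" || :      # grep -v exits 1 when nothing remains; not an error here
    before=$(wc -l < "$cfg")
    after=$(wc -l < "$tmp")
    cat "$tmp" > "$cfg" && rm -f "$tmp"      # cat, not mv: sshd_config keeps its 0600 root:root
    echo $((before - after))
}

# backup_files <dir> <file>...: copy the files that exist (with mode/timestamps) into <dir>.
backup_files() {
    dir=$1; shift
    mkdir -p "$dir"
    for f in "$@"; do
        [ -f "$f" ] && cp -p "$f" "$dir/$(basename "$f")"
    done
    return 0
}

# restore_if_changed <dir> <file>: if the package replaced <file>, keep the packaged
# version beside it as <file>.rpmnew and put the backup back. Prints "restored" or "unchanged".
restore_if_changed() {
    saved="$1/$(basename "$2")"
    if [ -f "$saved" ] && ! cmp -s "$saved" "$2"; then
        cp -p "$2" "$2.rpmnew"
        cp -p "$saved" "$2"
        echo restored
    else
        echo unchanged
    fi
}

# upgrade_openssh <directory holding the built rpms>: run as root, from a console
# or a second session, never from the only SSH session you have.
upgrade_openssh() {
    bak=/root/openssh-backup-$(date +%Y%m%d%H%M%S)
    backup_files "$bak" /etc/ssh/sshd_config /etc/pam.d/sshd
    rpm -Uvh "$1"/openssh-[0-9]*.rpm "$1"/openssh-clients-*.rpm "$1"/openssh-server-*.rpm || return 1
    echo "pam.d/sshd: $(restore_if_changed "$bak" /etc/pam.d/sshd)"
    echo "removed $(strip_deprecated /etc/ssh/sshd_config) obsolete sshd_config line(s)"
    # Never restart on an unchecked config: a rejected sshd_config locks you out.
    sshd -t || { echo "sshd_config rejected; backups are in $bak" >&2; return 1; }
    systemctl restart sshd 2>/dev/null || service sshd restart
}
```

The debuginfo rpm is deliberately not installed. strip_deprecated anchors the match at the start of the line, which is stricter than the page's sed -i '/Keyword/d' (that form also drops any comment or unrelated line containing the word); the restore step relies on cmp rather than on rpm's own .rpmnew handling because, as noted above, an unmodified config file is replaced outright.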

Other references:

https://blog.csdn.net/ligaoman521/article/details/109190699
https://my.oschina.net/u/4113630/blog/4810155
https://docs.junyangz.com/ops/upgrade-openssh-to-7.7p1-in-centos6
