Red Hat 7: make install OpenSSL 3 and OpenSSH 9 to fix SSH security vulnerabilities

Posted 至爱梵高·星空之谜


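1. First take a snapshot of the cloud host and snapshots of the block-storage system disk and data disks, then open two terminals to use for testing and to guard against accidents

2. Check the system environment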

[root@localhost openssl-3.1.0]# hostnamectl
   Static hostname: localhost.localdomain
         Icon name: computer-vm
           Chassis: vm
        Machine ID: 95d38b45186d4efab7be029c546774ba
           Boot ID: 1c96300c538c435a84ead1959e5983a8
    Virtualization: vmware
  Operating System: CentOS Linux 7 (Core)
       CPE OS Name: cpe:/o:centos:centos:7
            Kernel: Linux 3.10.0-1160.el7.x86_64
      Architecture: x86-64

3. Check the software versions

[root@localhost ~]# rpm -qa | egrep -i 'openssl|openssh'
openssh-clients-7.4p1-21.el7.x86_64
openssl-libs-1.0.2k-19.el7.x86_64
xmlsec1-openssl-1.2.20-7.el7_4.x86_64
openssh-7.4p1-21.el7.x86_64
openssh-server-7.4p1-21.el7.x86_64
openssl-1.0.2k-19.el7.x86_64

4. Download the dependencies on a machine with network access

[root@localhost openssl-3.1.0]# yum install yum-plugin-downloadonly -y

Install the dependency packages OpenSSL needs

[root@localhost openssl-3.1.0]# yum install --downloadonly --downloaddir=/tmp/rpms/perl perl-IPC-Cmd perl-Test-Simple
[root@localhost openssl-3.1.0]# yum localinstall /tmp/rpms/perl/*.rpm -y

Install the C compiler needed for compiling

[root@localhost openssl-3.1.0]# yum install --downloadonly --downloaddir=/tmp/rpms/gcc gcc gcc-c++
[root@localhost openssl-3.1.0]# yum localinstall /tmp/rpms/gcc/*.rpm -y

Install the dependency packages OpenSSH needs

[root@localhost openssh-9.3p1]# rpm -e --nodeps zlib-1.2.7-21.el7_9.x86_64 zlib-devel-1.2.7-21.el7_9.x86_64
[root@localhost openssl-3.1.0]# yum install --downloadonly --downloaddir=/tmp/rpms/zlib zlib zlib-devel
[root@localhost openssl-3.1.0]# yum localinstall /tmp/rpms/zlib/*.rpm -y

5. Download the source code

[root@localhost ~]# cd /usr/src/
[root@localhost ~]# yum install -y wget
[root@localhost src]# wget https://www.openssl.org/source/openssl-3.1.0.tar.gz  --no-check-certificate
[root@localhost src]# tar -zvxf openssl-3.1.0.tar.gz
[root@localhost src]# wget https://mirrors.aliyun.com/pub/OpenBSD/OpenSSH/portable/openssh-9.3p1.tar.gz  --no-check-certificate
[root@localhost src]# tar -zvxf openssh-9.3p1.tar.gz

6. Because OpenSSH depends on OpenSSL, we compile and install OpenSSL first

[root@localhost src]# cd /usr/src/openssl-3.1.0
[root@localhost src]# ./config

Run the build and install; this takes about ten minutes

[root@localhost src]# make && make tests && make install

Create symbolic links pointing to libssl and libcrypto:

[root@localhost openssl-3.1.0]# ln -s /usr/local/lib64/libssl.so.3 /usr/lib64/libssl.so.3
[root@localhost openssl-3.1.0]# ln -s /usr/local/lib64/libcrypto.so.3 /usr/lib64/libcrypto.so.3

Open a new terminal and check the version

[root@localhost openssl-3.1.0]# openssl version
OpenSSL 3.1.0 14 Mar 2023 (Library: OpenSSL 3.1.0 14 Mar 2023)

7. Install OpenSSH

Back up the OpenSSH files and the PAM files

[root@localhost openssh-9.3p1]# cp -r -a /etc/ssh/ /etc/ssh.bak/
[root@localhost openssh-9.3p1]# cp -r -a /etc/pam.d/ /etc/pam.d.bak/

Compile and install OpenSSH

[root@localhost ~]# cd /usr/src/openssh-9.3p1
[root@localhost openssh-9.3p1]# ./configure --prefix=/usr/local/openssh --with-ssl-dir=/usr/local/ssl
[root@localhost openssh-9.3p1]# make && make tests

Open a new terminal and check the ssh version

[root@localhost ~]# ssh -V
OpenSSH_9.3p1, OpenSSL 3.1.0 14 Mar 2023
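
The `ssh -V` check above, scripted so it can be run on every host of a batch rollout and return a status instead of being read by eye. This is an added example, not part of the original post; the function names and exit codes are choices of this example, and the 7.4p1 banner is a constructed sample.

```shell
#!/bin/sh
# Added example: check an `ssh -V` banner against minimum versions.
# ver_ge / ssh_banner_ok and the exit codes are names chosen here.

# ver_ge A B: succeed when version A >= version B (relies on `sort -V`).
ver_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# ssh_banner_ok BANNER MIN_SSH MIN_SSL
# returns 0 = both current, 1 = something outdated, 2 = banner not parseable
ssh_banner_ok() {
    banner=$1; min_ssh=$2; min_ssl=$3
    # Expected banner shape: "OpenSSH_<ver>, OpenSSL <ver> <date>"
    ssh_ver=$(printf '%s\n' "$banner" | sed -n 's/^OpenSSH_\([^ ,]*\).*/\1/p')
    ssl_ver=$(printf '%s\n' "$banner" | sed -n 's/.*OpenSSL \([^ ,]*\).*/\1/p')
    if [ -z "$ssh_ver" ] || [ -z "$ssl_ver" ]; then
        # e.g. a build without OpenSSL, or unexpected output
        echo "UNPARSEABLE: $banner" >&2
        return 2
    fi
    result=0
    if ! ver_ge "$ssh_ver" "$min_ssh"; then
        echo "OUTDATED OpenSSH $ssh_ver (need >= $min_ssh)"
        result=1
    fi
    if ! ver_ge "$ssl_ver" "$min_ssl"; then
        echo "OUTDATED OpenSSL $ssl_ver (need >= $min_ssl)"
        result=1
    fi
    if [ "$result" -eq 0 ]; then
        echo "OK OpenSSH $ssh_ver, OpenSSL $ssl_ver"
    fi
    return "$result"
}

# Demo on two banners: a constructed pre-upgrade sample, then the
# banner shown in step 7 of this page.
for b in "OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017" \
         "OpenSSH_9.3p1, OpenSSL 3.1.0 14 Mar 2023"; do
    ssh_banner_ok "$b" 9.3p1 3.1.0 || true
done

# On a real host (ssh -V writes to stderr, hence 2>&1):
#   ssh_banner_ok "$(ssh -V 2>&1)" 9.3p1 3.1.0
```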

8. Build an RPM, which saves compile time on the servers and conserves server resources; suitable for batch deployment with Ansible

[root@localhost openssh-9.3p1]# mkdir -p /root/rpmbuild/{SPECS,SOURCES}
[root@localhost openssh-9.3p1]# cp /usr/src/openssl-3.1.0.tar.gz /root/rpmbuild/SOURCES/
[root@localhost openssh-9.3p1]# cd /root/rpmbuild/SPECS/
[root@localhost openssh-9.3p1]# vi openssl.spec
[root@localhost openssh-9.3p1]# rpmbuild -ba openssl.spec
[root@localhost openssh-9.3p1]# rpm -ivh openssl-3.1.0.rpm

Red Hat Enterprise 8.5 Install

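Red Hat Enterprise 8.5 download

Red Hat Enterprise system download

MobaXterm remote connection tool

Download (includes 6, 7, 8, 9)

Language selection

Time zone selection

Software installation

Root password setup

Network interface setup

Partition setup (this partitioning scheme can be deployed in both BIOS and EFI modes)

  • /  (85G)
  • /boot (1G)
  • /swap  (8G)
  • /boot/efi (4G)

Begin installation

Reboot

Installation complete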
