由于最新版本的openssh 8.5p1没有rpm安装包,所以需要源码安装

openssh源码包地址: https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.5p1.tar.gz
升级脚本

  1. #! /bin/bash
  3. yum install -y make gcc gcc-c++  openssl-devel zlib zlib-devel pam-devel
  5. cd /usr/local/src/updatessh && tar  -zxvf openssh-8.5p1.tar.gz && cd openssh-8.5p1
  7. ./configure  --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam  --with-tcp-wrappers --with-ssl-dir=/usr/local/ssl --without-hardening
  9. rm -rf /etc/ssh/ssh_host_*
  11. make && make install
  13. sed -i 's/GSSAPIAuthentication no/#GSSAPIAuthentication no/g' /etc/ssh/sshd_config
  14. sed -i 's/GSSAPIAuthentication yes/#GSSAPIAuthentication no/g' /etc/ssh/sshd_config
  15. sed -i 's/GSSAPICleanupCredentials no/#GSSAPICleanupCredentials no/g' /etc/ssh/sshd_config
  16. sed -i 's/GSSAPICleanupCredentials yes/#GSSAPICleanupCredentials no/g' /etc/ssh/sshd_config
  17. sed -i 's/^#PermitRootLogin/PermitRootLogin/g' /etc/ssh/sshd_config
  19. /usr/sbin/sshd -t -f /etc/ssh/sshd_config  2>sshd_config_check
  21. if `cat sshd_config_check | grep 'Unsupported' wc -l` -ne 0
  22. then
  23.     echo "配置文件有问题"
  24.     echo "终止操作"
  25.     exit 1
  26. fi
  28. cp  /usr/local/src/updatessh/openssh-8.5p1/opensshd.init /etc/init.d/sshd.init && chmod  u+x /etc/init.d/sshd.init
  30. /etc/init.d/sshd.init start
  32. mv  /usr/lib/systemd/system/sshd.service  /usr/local/src
  34. touch /usr/lib/systemd/system/sshd.service
  36. echo '# Automatically generated by systemd-sysv-generator
  38. [Unit]
  39. Documentation=man:systemd-sysv-generator(8)
  40. SourcePath=/etc/rc.d/init.d/sshd.init
  41. Description=SYSV: OpenSSH server daemon
  43. [Service]
  44. Type=forking
  45. Restart=no
  46. TimeoutSec=5min
  47. IgnoreSIGPIPE=no
  48. KillMode=process
  49. GuessMainPID=no
  50. RemainAfterExit=no
  51. PIDFile=/var/run/sshd.pid
  52. ExecStart=/etc/rc.d/init.d/sshd.init start
  53. ExecStop=/etc/rc.d/init.d/sshd.init stop
  54. ExecReload=/etc/rc.d/init.d/sshd.init reload' >/usr/lib/systemd/system/sshd.service
  56. systemctl daemon-reload
  57. systemctl restart sshd
  58. ssh -V

ansible-role脚本

  1. mkdir -p role_updatessh/{default,files,handlers,meta,tasks,templates,vars}
  2. vim role_updatessh/tasks/main.yml
  3. - include: UploadFiles.yml
  4. - include: RemoteExcuteScript.yml
  7. vim role_updatessh/UploadFiles.yml
  8. - name: CopyFiles
  9.   copy: 
  10.     src: updatessh.tar.gz
  11.     dest: /usr/local/src/
  12. - name: Unarchive
  13.   unarchive: 
  14.     remote_src: yes
  15.     src: /usr/local/src/updatessh.tar.gz
  16.     dest: /usr/local/src/
  18. vim role_updatessh/RemoteExcuteScript.yml
  19. - name: ExcuteRemoteScript
  20.   shell: cd /usr/local/src/updatessh && sh -x updatessh.sh
  22. vim role_updatessh.yml
  23. ---
  24. - name: updatessh
  25.   hosts: 172.16.0.11
  26.   remote_user: root
  27.   roles:
  28.     - role_updatessh

注意openssh的源码包和脚本文件压缩后需要放到ansible的files目录下(updatessh.tar.gz)

注意事项

新版openssh已经取消了对GSS验证的支持,如果老的sshd配置文件中有相关开启的选项则sshd服务会无法启动,一定要使用#验证版本sshd -V;sshd -t -f /etc/ssh/sshd_config命令来验证sshd配置文件。验证通过后再使用systemctl restart sshd 替换老的sshd进程为新版sshd进程,否则如果是实体机,就要跑机房了。(本脚本会使用ansible更新sshd,如果出错也会跑机房,慎重使用)

文档更新时间: 2021-05-18 15:54   作者:张尚