OpenSSH 8.5p1 (the latest release at the time of writing) ships no rpm package for this distribution, so it is installed from source.
OpenSSH source tarball: https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-8.5p1.tar.gz (the detached signature openssh-8.5p1.tar.gz.asc sits next to it in the same directory; verify it with gpg against the OpenSSH release key before unpacking).
Upgrade script (updatessh.sh)
#! /bin/bash
# Abort on the first failed step: a half-installed sshd is worse than no upgrade.
set -e
# Build dependencies (CentOS/RHEL); the new sshd binary is also what runs the config check below.
yum install -y make gcc gcc-c++ openssl-devel zlib zlib-devel pam-devel
cd /usr/local/src/updatessh && tar -zxvf openssh-8.5p1.tar.gz && cd openssh-8.5p1
# --with-ssl-dir=/usr/local/ssl only applies if OpenSSL was built there; drop it to link against
# the yum openssl-devel. --with-tcp-wrappers (removed in OpenSSH 6.7, silently ignored) and
# --without-hardening (disables PIE/stack protector) were dropped from the original flag set.
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-ssl-dir=/usr/local/ssl
# Deleting the host keys makes "make install" generate fresh ones, so every client will see a
# changed host key on its next connection. Keep this line only if key rotation is intended.
rm -rf /etc/ssh/ssh_host_*
make && make install
# make install leaves an existing sshd_config alone; back it up, then comment out the GSSAPI
# directives, which a build without --with-kerberos5 reports as "Unsupported option".
cp -p /etc/ssh/sshd_config "/etc/ssh/sshd_config.bak.$(date +%F)"
sed -i -E 's/^(GSSAPIAuthentication|GSSAPICleanupCredentials)/#\1/' /etc/ssh/sshd_config
# The source install puts sftp-server in /usr/libexec, not /usr/libexec/openssh as the RPM did;
# without this the Subsystem line keeps running the old binary.
sed -i 's#^Subsystem[[:space:]]\+sftp[[:space:]]\+/usr/libexec/openssh/sftp-server#Subsystem sftp /usr/libexec/sftp-server#' /etc/ssh/sshd_config
# This uncomments whatever value the vendor config carried ("#PermitRootLogin yes" on CentOS 7);
# prefer "PermitRootLogin prohibit-password" unless root password logins are really required.
sed -i 's/^#PermitRootLogin/PermitRootLogin/' /etc/ssh/sshd_config
# Validate the config with the NEW binary before touching the running service. sshd -t exits
# non-zero on hard errors and prints "Unsupported option" lines to stderr for the rest.
if ! /usr/sbin/sshd -t -f /etc/ssh/sshd_config 2>sshd_config_check || grep -q 'Unsupported' sshd_config_check
then
    cat sshd_config_check
    echo "sshd_config has problems"
    echo "aborting"
    exit 1
fi
# Install the init script generated by configure and wrap it in a systemd unit. Do not start
# sshd.init by hand at this point: the old sshd still owns port 22 and the start would fail with
# "Address already in use"; systemctl restart below stops the old daemon and starts the new one.
cp /usr/local/src/updatessh/openssh-8.5p1/opensshd.init /etc/init.d/sshd.init && chmod u+x /etc/init.d/sshd.init
mv /usr/lib/systemd/system/sshd.service /usr/local/src
cat >/usr/lib/systemd/system/sshd.service <<'EOF'
# Hand-written, in the shape systemd-sysv-generator would produce for sshd.init
[Unit]
Documentation=man:systemd-sysv-generator(8)
SourcePath=/etc/rc.d/init.d/sshd.init
Description=SYSV: OpenSSH server daemon
After=network.target
[Service]
Type=forking
Restart=no
TimeoutSec=5min
IgnoreSIGPIPE=no
KillMode=process
GuessMainPID=no
RemainAfterExit=no
PIDFile=/var/run/sshd.pid
ExecStart=/etc/rc.d/init.d/sshd.init start
ExecStop=/etc/rc.d/init.d/sshd.init stop
ExecReload=/etc/rc.d/init.d/sshd.init reload
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload
# KillMode=process keeps the session this script runs in alive across the restart.
systemctl restart sshd
# Check the binaries and, more importantly, the daemon actually answering on port 22.
ssh -V
/usr/sbin/sshd -V
systemctl is-active sshd
ssh -v -o BatchMode=yes -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null 127.0.0.1 true 2>&1 | grep 'remote software version'
Ansible role
mkdir -p role_updatessh/{defaults,files,handlers,meta,tasks,templates,vars}
vim role_updatessh/tasks/main.yml
- import_tasks: UploadFiles.yml
- import_tasks: RemoteExcuteScript.yml
vim role_updatessh/tasks/UploadFiles.yml
- name: CopyFiles
  copy:
    src: updatessh.tar.gz
    dest: /usr/local/src/
- name: Unarchive
  unarchive:
    remote_src: yes
    src: /usr/local/src/updatessh.tar.gz
    dest: /usr/local/src/
vim role_updatessh/tasks/RemoteExcuteScript.yml
- name: ExcuteRemoteScript
  shell: bash -x updatessh.sh
  args:
    chdir: /usr/local/src/updatessh
vim role_updatessh.yml
---
- name: updatessh
  hosts: 172.16.0.11
  remote_user: root
  roles:
    - role_updatessh
Note: the OpenSSH tarball and updatessh.sh are packed together as updatessh.tar.gz, unpacking into an updatessh/ directory (which is what the script's cd expects), and placed in the role's files directory, where the copy module looks for src by default. The task files live under tasks/ because import_tasks (which replaces the deprecated include keyword) resolves them relative to that directory. Run the play with ansible-playbook role_updatessh.yml and keep the controlling session open until a fresh SSH login to the host succeeds.
Notes
A source build configured without --with-kerberos5, as above, has no GSSAPI support, so the GSSAPIAuthentication and GSSAPICleanupCredentials directives that the vendor sshd_config turns on are reported by the new sshd as "Unsupported option"; the script comments them out and aborts if sshd -t still complains. Always check the build first with sshd -V and sshd -t -f /etc/ssh/sshd_config, and only after that check passes run systemctl restart sshd to replace the old sshd process with the new one; otherwise, on a physical machine, you will be walking to the server room. Keep the session you upgraded from open and confirm a fresh login succeeds before closing it. (This procedure pushes the upgrade with Ansible; a mistake there means the same walk, so use it with care.)
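The GSSAPI lines are one instance of a general problem: any directive the old config sets that the new build was not compiled for shows up in sshd -t output as "Unsupported option", while a real parse error must still stop the upgrade. The shell example below, added here and not part of the original script or of OpenSSH, parses that output and comments out exactly the reported directives instead of hard-coding them, and returns failure for any other diagnostic. With no arguments it runs on a constructed sample config and a constructed sshd -t report (the function names, the temporary files and the sample lines are this example's own); with two arguments, the path of the new sshd binary and the path of the config, it runs the real check on that file. The case-insensitive sed flag requires GNU sed.

```sh
#!/bin/sh
# Added example, not part of the original page or of OpenSSH.
# Generalises the hard-coded "sed ... GSSAPI ..." lines: run "sshd -t" with the
# NEW binary, collect every "Unsupported option NAME" it reports, comment those
# directives out, and refuse to continue if anything else was reported.

# Print the option names from "Unsupported option NAME" lines, one per line,
# deduplicated. $1 = file holding the stderr of "sshd -t -f <config>".
unsupported_options() {
    sed -n 's/.*Unsupported option \([A-Za-z0-9]*\).*/\1/p' "$1" | sort -u
}

# Comment out every active line that sets one of the given options
# (sshd keywords are case-insensitive, so the match is too).
# $1 = sshd_config path; remaining arguments = option names.
# Prints the number of lines that were commented out.
comment_out_options() {
    cfg=$1; shift
    count=0
    for opt in "$@"; do
        n=$(grep -ciE "^[[:space:]]*${opt}([[:space:]]|$)" "$cfg" || true)
        count=$((count + n))
        sed -i -E "s/^([[:space:]]*)(${opt}([[:space:]]|$))/\1#\2/I" "$cfg"
    done
    echo "$count"
}

# Apply the fix for one report/config pair. Returns 0 if the report held
# nothing but "Unsupported option" lines (now neutralised), 1 if it held
# anything else: a real parse error must still stop the upgrade.
fix_config_from_report() {
    report=$1; cfg=$2
    opts=$(unsupported_options "$report")
    if [ -n "$opts" ]; then
        # word-splitting of $opts into one argument per option is intended
        echo "commented out $(comment_out_options "$cfg" $opts) line(s): $(printf '%s ' $opts)"
    fi
    if grep -v 'Unsupported option' "$report" | grep -q .; then
        echo "sshd -t reported errors that cannot be fixed automatically:" >&2
        grep -v 'Unsupported option' "$report" >&2
        return 1
    fi
    return 0
}

# Run the real check: $1 = path of the new sshd, $2 = sshd_config.
# sshd -t writes its diagnostics to stderr and exits non-zero on hard errors;
# a non-zero exit is recorded in the report so it counts as fatal.
check_live_config() {
    report=$(mktemp)
    "$1" -t -f "$2" 2>"$report" || echo "sshd -t exited non-zero" >>"$report"
    fix_config_from_report "$report" "$2"
    rc=$?
    rm -f "$report"
    return $rc
}

# Self-contained demo on constructed data: the config mirrors the stock CentOS 7
# GSSAPI lines, the report mirrors the "<file> line <n>: Unsupported option <name>"
# message format. Nothing here touches /etc/ssh.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' 'GSSAPIAuthentication yes' 'GSSAPICleanupCredentials no' \
        'PasswordAuthentication yes' '#GSSAPIStrictAcceptorCheck yes' >"$dir/sshd_config"
    printf '%s\n' \
        '/etc/ssh/sshd_config line 80: Unsupported option GSSAPIAuthentication' \
        '/etc/ssh/sshd_config line 81: Unsupported option GSSAPICleanupCredentials' >"$dir/report"
    fix_config_from_report "$dir/report" "$dir/sshd_config"
    rc=$?
    cat "$dir/sshd_config"
    rm -rf "$dir"
    return $rc
}

if [ $# -eq 2 ]; then
    check_live_config "$1" "$2"
else
    demo
fi
```

In the upgrade script this would replace the two GSSAPI sed lines and the grep on sshd_config_check: call check_live_config /usr/sbin/sshd /etc/ssh/sshd_config after make install and abort on a non-zero return. Lines that are already commented are not counted or touched, so running it twice is safe.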
Document updated: 2021-05-18 15:54 Author: 张尚