前期准备
(先使用Telnet远程连接工具,连接服务器,确保Telnet连接正常,SSH连接后进行漏洞修复升级(防止修复失败,导致远程连接无法连接时,可以通过另一个远程工具连接进行恢复)
telnet安装与开启:https://www.cnblogs.com/aerfazhe/p/19098482
准备离线升级安装包
OpenSSH下载地址:https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/
OpenSSL下载地址:https://openssl-library.org/source/
下载zlib地址:https://zlib.net/zlib-1.3.1.tar.gz
修复注意事项:确保系统中有OpenSSH版本依赖的对应OpenSSL版本,可能会导致以下错误:
checking for OpenSSL... configure: error: OpenSSL version is too old
查看openssh版本:sshd -V
查看openssl版本:openssl version
查看zlib版本:zlib-config --version / pkg-config --modversion zlib
将下载的离线升级安装包上传到需要安装的Centos 操作系统中,,具体如下:
创建升级安装包及脚本存放目录
mkdir -p /opt/bugfixes/openssh
将升级OpenSSH依赖包和安装包放入该目录下。
升级脚本
-
创建一个脚本文件
touch upgrade_openssh1.0.sh -
进入编辑模式
vim upgrade_openssh1.0.sh,将下面内容复制到文件中,根据自己的使用场景和路径进行修改。
查看代码#!/bin/bash
Author:created by wk
Date:2025-09-22 11:19
State: opensshd upgrade script
定义安装包变量名称
ZLIB_NAME="zlib-1.3.1"
OPENSSL_NAME="openssl-3.4.1"
OPENSSH_NAME="openssh-10.0p1"
DATE="$(date '+%Y%m%d')"
OPENSSH_PATH="/opt/bugfixes/openssh"检查执行权限
check_permiss(){
if [ "$(whoami)" != "root" ]; then
echo -e "\033[31m错误:必须使用 root 用户执行此脚本!\033[0m" >&2
exit 1
fi
}环境检查
check_environment() {
echo -e "\033[34m---------------- 正在检查系统环境.... --------\033[0m"
if grep -q "CentOS Linux release 7" /etc/redhat-release && [ "$(uname -m)" == "x86_64" ] ; then
echo -e "\033[32m------------ 系统环境检查通过 ------------\033[0m"
else
echo -e "\033[31m-------- 错误:仅支持CentoOS 7 64位 操作系统!----------\033[0m" >&2
exit 1
fi
}安装依赖包 openssl、zlib
build_zlib(){
echo -e "\033[34m--------- old zlib-version:(pkg-config --modversion zlib) ------\033[0m" echo -e "\033[34m--------- make install zlib..... ----------\033[0m" cd OPENSSH_PATH
tar -zxf {ZLIB_NAME}.tar.gz cd {ZLIB_NAME}
./configure --prefix=/usr/local/zlib --libdir=/lib64/
make && make install
echo -e "\033[32m-------- zlib install successful ----------\033[0m"
echo -e "\033[34m-------- new zlib-version:$(pkg-config --modversion zlib) ----------\033[0m"
}build_openssl(){
echo -e "\033[34m--------- old openssl-version:(openssl version) ------\033[0m" echo -e "\033[34m--------- make install openssl..... ----------\033[0m" # install perl-IPC-Cmd and Dumper module yum -y install perl-IPC-Cmd yum install 'perl(Data::Dumper)' -y cd OPENSSH_PATH
tar -zxf {OPENSSL_NAME}.tar.gz cd {OPENSSL_NAME}
./config --prefix=/usr/local/openssl
make && make install
# bak update openssl
mv /usr/bin/openssl /usr/bin/openssl.{DATE}.bak cp /usr/local/openssl/bin/openssl /usr/bin/ echo '/usr/local/openssl/lib64/' >> /etc/ld.so.conf # add DLL ldconfig # update DLL echo -e "\033[32m-------- openssl install successful ----------\033[0m" echo -e "\033[34m-------- new openssl-version:(openssl version) ----------\033[0m"
}build_openssh(){
echo -e "\033[34m--------- old openssh-version:(sshd -V 2>&1 | grep "OpenSSH") ------\033[0m" echo -e "\033[34m--------- backup openssh..... ----------\033[0m" # bak openssh cp -rf /etc/ssh /etc/ssh.{DATE}.bak
cp -rf /usr/bin/ssh /usr/bin/ssh.{DATE}.bak cp -rf /usr/bin/ssh-keygen /usr/bin/ssh-keygen.{DATE}.bak
cp -rf /usr/sbin/sshd /usr/sbin/sshd.{DATE}.bak cp -rf /etc/pam.d/sshd /etc/pam.d/sshd.{DATE}.bak
cp -rf /etc/pam.d/sshd.pam /etc/pam.d/sshd.pam.{DATE}.bak echo -e "\033[34m--------- make install openssd..... ----------\033[0m" cd OPENSSH_PATH
tar -zxf {OPENSSH_NAME}.tar.gz cd {OPENSSH_NAME}
./configure
--prefix=/opt/openssh-10.0p1
--sysconfdir=/etc/ssh
--with-ssl-dir=/usr/local/openssl
--with-privsep-path=/var/lib/sshd
--with-zlib=/usr/local/zlib
--with-zlib-include=/usr/local/zlib/include
make && make install
sudo cp -rf /opt/openssh-10.0p1/sbin/sshd /usr/sbin/sshd
chmod 755 /usr/sbin/sshd
sudo cp -rf /opt/openssh-10.0p1/bin/ssh /usr/bin/ssh
chmod 755 /usr/bin/ssh
sudo cp -rf /opt/openssh-10.0p1/bin/ssh-keygen /usr/bin/ssh-keygen
chmod 755 /usr/bin/ssh-keygen
# enable execute script
cp -p contrib/redhat/sshd.init /etc/init.d/sshd
chmod +x /etc/init.d/sshd
chkconfig --add sshd
chkconfig sshd on
echo -e "\033[32m-------- openssh install successful ----------\033[0m"
}最终升级检查
final_check(){
echo -e "\033[34m------------------- 最终检查 -------------------------\033[0m"
systemctl daemon-reload
service sshd restart
sshd -V 2>&1 | grep -q "OpenSSH_10.0p2"
if [ ? -eq 0 ]; then echo -e "\033[32m升级成功!当前SSH版本:(ssh -V 2>&1)\033[0m"
echo -e "\033[33m警告:请通过新SSH端口连接确认无误后,再关闭Telnet服务!\033[0m"
else
echo -e "\033[31m错误:升级失败,请检查日志!\033[0m"
exit 1
fi
}主函数方法
main() {
echo -e "\033[34m----------------- openssh upgrade script begin....... ------------\033[0m"
check_permiss
check_environment
build_zlib
build_openssl
build_openssh
final_check
echo -e "\033[34m---------------------- openssh upgrade script finish...... -----------------\033[0m"
}执行主函数
main
-
创建一个脚本文件
touch upgrade_openssh_start.sh -
进入编辑模式
vim upgrade_openssh_start.sh,将下面内容复制到文件中,根据自己的使用场景和路径进行修改。
查看代码#!/bin/bash
Author:created by wk
State:upgrade_openssh1.0.sh script start
Date:2025-09-23
LOG_PATH="/opt/bugfixes/openssh"
LOG_NAME="sshd_upgrade"
URGRADE_SCRIPT_PATH="/opt/bugfixes/openssh"
UPGRADE_SCRIPT_NAME="upgrade_openssh1.0"
DATE="$(date '+%Y%m%d')"nohub . {URGRADE_SCRIPT_PATH}/{UPGRADE_SCRIPT_NAME}.sh >> {LOG_PATH}/{LOG_NAME}.${DATE}.log 2>&1 &
-
赋予脚本执行权限:
-
chmod +x upgrade_openssh1.0.sh -
chmod +x upgrade_openssh_start.sh -
执行
upgrade_openssh_start.sh脚本:. upgrade_openssh_start.sh -
查看日志:
tail -f sshd_upgrade.log