【openSSH】Linux openEuler-22.03-x86_64升级openSSH至10.2p1版本

HunterMichaelG2025-12-19 13:51

一 、 问题背景

OpenSSH(OpenBSD Secure Shell)是加拿大OpenBSD计划组的一套用于安全访问远程计算机的连接工具。

该工具是SSH协议的开源实现,支持对所有的传输进行加密,可有效阻止窃听、连接劫持以及其他网络级的攻击。

CVE-2023-51767是OpenSSH 9.6及之前版本存在的内存比特翻转绕过认证漏洞,攻击者可利用硬件层缺陷绕过身份验证,建议立即升级至OpenSSH 9.7+版本修复

> OpenSSH 官方网站和源码包格式

OpenSSH 的官方下载地址: https://www.openssh.com/portable.html

OpenBSD 官方镜像:https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/

在官网或镜像站,你可以找到各个版本的 OpenSSH 源码包,命名格式为:

```

openssh-X.XpY.tar.gz

X.X 是主版本号(如 10.0)

Y 是补丁号(如 p1)

```

二 、 升级操作

OenSSH官方只提供源码包,我们考虑自己将源码编译为rpm包来升级环境的OpenSSH。

当然编译过程也尽量简单化,这里我们直接使用开源的脚本进行编译。

https://github.com/boypt/openssh-rpms

```

yum groupinstall -y "Development Tools"

yum install -y imake rpm-build pam-devel krb5-devel zlib-devel libXt-devel libX11-devel gtk2-devel perl perl-IPC-Cmd perl-Time-Piece

```

```

git clone https://github.com/boypt/openssh-rpms.git

cd openssh-rpms-main

将出现 source version.env 行改为 source ./version.env

grep "version.env" *.sh

compile.sh:source ./version.env

pullsrc.sh:source ./version.env

将出现 wget 的行加上 --no-check-certificate 参数,避免因为证书问题导致源码下载失败。

grep "wget" pullsrc.sh

wget --no-check-certificate OPENSSLMIR/OPENSSLSRC

wget --no-check-certificate OPENSSHMIR/OPENSSHSRC

wget --no-check-certificate ASKPASSMIR/ASKPASSSRC

```

```

sh pullsrc.sh

sh compile.sh

Obsoletes: ssh-server

处理文件:openssh-debuginfo-10.2p1-1.oe2203.x86_64

Provides: openssh-debuginfo = 10.2p1-1.oe2203 openssh-debuginfo(x86-64) = 10.2p1-1.oe2203

Requires(rpmlib): rpmlib(CompressedFileNames) <= 3.0.4-1 rpmlib(FileDigests) <= 4.6.0-1 rpmlib(PayloadFilesHavePrefix) <=

Recommends: openssh-debugsource(x86-64) = 10.2p1-1.oe2203

处理文件:openssh-debugsource-10.2p1-1.oe2203.x86_64

Provides: openssh-debugsource = 10.2p1-1.oe2203 openssh-debugsource(x86-64) = 10.2p1-1.oe2203

Requires(rpmlib): rpmlib(CompressedFileNames) <= 3.0.4-1 rpmlib(FileDigests) <= 4.6.0-1 rpmlib(PayloadFilesHavePrefix) <=

检查未打包文件:/usr/lib/rpm/check-files /root/openssh-rpms/el7/BUILDROOT/openssh-10.2p1-1.oe2203.x86_64

已写至:/root/openssh-rpms/el7/SRPMS/openssh-10.2p1-1.oe2203.src.rpm

已写至:/root/openssh-rpms/el7/RPMS/x86_64/openssh-server-10.2p1-1.oe2203.x86_64.rpm

已写至:/root/openssh-rpms/el7/RPMS/x86_64/openssh-10.2p1-1.oe2203.x86_64.rpm

已写至:/root/openssh-rpms/el7/RPMS/x86_64/openssh-debugsource-10.2p1-1.oe2203.x86_64.rpm

已写至:/root/openssh-rpms/el7/RPMS/x86_64/openssh-clients-10.2p1-1.oe2203.x86_64.rpm

已写至:/root/openssh-rpms/el7/RPMS/x86_64/openssh-debuginfo-10.2p1-1.oe2203.x86_64.rpm

正在执行(%clean):/bin/sh -e /var/tmp/rpm-tmp.7hwYPZ

  • umask 022

  • cd /root/openssh-rpms/el7/BUILD

  • cd openssh-10.2p1

  • rm -rf /root/openssh-rpms/el7/BUILDROOT/openssh-10.2p1-1.oe2203.x86_64

  • RPM_EC=0

++ jobs -p

  • exit 0

~/openssh-rpms

```

!image.png(https://upload-images.jianshu.io/upload_images/12979420-47ce5e4886b7f86f.png?imageMogr2/auto-orient/strip|imageView2/2/w/1240)

```

systemctl restart sshd

Job for sshd.service failed because the control process exited with error code.

See "systemctl status sshd.service" and "journalctl -xeu sshd.service" for details.

root@localhost x86_64#

root@localhost x86_64# systemctl status sshd

× sshd.service - SYSV: OpenSSH server daemon

Loaded: loaded (/etc/rc.d/init.d/sshd; generated)

Active: failed (Result: exit-code) since Sat 2025-11-29 17:42:20 CST; 10s ago

Docs: man:systemd-sysv-generator(8)

Process: 39751 ExecStart=/etc/rc.d/init.d/sshd start (code=exited, status=255/EXCEPTION)

Tasks: 14 (limit: 8950)

Memory: 794.4M

CGroup: /system.slice/sshd.service

├─ 8566 "sshd: root priv" "" "" ""

├─ 8570 "sshd: root priv" "" "" ""

├─ 8571 "sshd: root@pts/0" "" "" "" ""

├─ 8575 "sshd: root@notty" "" "" "" ""

├─ 8576 /usr/libexec/openssh/sftp-server -l INFO -f AUTH

├─ 8629 -bash

├─ 8761 "sshd: root priv" "" "" ""

├─ 8765 "sshd: root priv" "" "" ""

├─ 8766 "sshd: root@pts/1" "" "" "" ""

├─ 8768 -bash

├─ 8828 "sshd: root@notty" "" "" "" ""

├─ 8829 /usr/libexec/openssh/sftp-server -l INFO -f AUTH

├─39760 systemctl status sshd

└─39761 less

11月 29 17:42:20 localhost.localdomain systemd1: sshd.service: Unit process 8629 (bash) remains running after unit stopped.

11月 29 17:42:20 localhost.localdomain systemd1: sshd.service: Unit process 8761 (sshd) remains running after unit stopped.

11月 29 17:42:20 localhost.localdomain systemd1: sshd.service: Unit process 8765 (sshd) remains running after unit stopped.

11月 29 17:42:20 localhost.localdomain systemd1: sshd.service: Unit process 8766 (sshd) remains running after unit stopped.

11月 29 17:42:20 localhost.localdomain systemd1: sshd.service: Unit process 8768 (bash) remains running after unit stopped.

11月 29 17:42:20 localhost.localdomain systemd1: sshd.service: Unit process 8828 (sshd) remains running after unit stopped.

11月 29 17:42:20 localhost.localdomain systemd1: sshd.service: Unit process 8829 (sftp-server) remains running after unit stopped.

11月 29 17:42:20 localhost.localdomain systemd1: sshd.service: Unit process 39742 (systemctl) remains running after unit stopped.

11月 29 17:42:20 localhost.localdomain systemd1: sshd.service: Unit process 39743 (systemd-tty-ask) remains running after unit stopped.

11月 29 17:42:20 localhost.localdomain systemd1: Failed to start SYSV: OpenSSH server daemon.

```

```

journalctl -u sshd -b

11月 29 17:42:20 localhost.localdomain systemd1: Starting SYSV: OpenSSH server daemon...

11月 29 17:42:20 localhost.localdomain sshd39751: Starting sshd:

11月 29 17:42:20 localhost.localdomain sshd39759: /etc/ssh/sshd_config line 142: Deprecated option RSAAuthentication

11月 29 17:42:20 localhost.localdomain sshd39759: /etc/ssh/sshd_config line 144: Deprecated option RhostsRSAAuthentication

11月 29 17:42:20 localhost.localdomain sshd39759: /etc/ssh/sshd_config: line 159: Bad configuration option: GSSAPIKexAlgorithms

11月 29 17:42:20 localhost.localdomain sshd39759: /etc/ssh/sshd_config: terminating, 1 bad configuration options

11月 29 17:42:20 localhost.localdomain sshd39751: 失败

11月 29 17:42:20 localhost.localdomain systemd1: sshd.service: Control process exited, code=exited, status=255/EXCEPTION

11月 29 17:42:20 localhost.localdomain systemd1: sshd.service: Failed with result 'exit-code'.

11月 29 17:42:20 localhost.localdomain systemd1: sshd.service: Unit process 8566 (sshd) remains running after unit stopped.

11月 29 17:42:20 localhost.localdomain systemd1: sshd.service: Unit process 8570 (sshd) remains running after unit stopped.

11月 29 17:42:20 localhost.localdomain systemd1: sshd.service: Unit process 8571 (sshd) remains running after unit stopped.

11月 29 17:42:20 localhost.localdomain systemd1: sshd.service: Unit process 8575 (sshd) remains running after unit stopped.

11月 29 17:42:20 localhost.localdomain systemd1: sshd.service: Unit process 8576 (sftp-server) remains running after unit stopped.

11月 29 17:42:20 localhost.localdomain systemd1: sshd.service: Unit process 8629 (bash) remains running after unit stopped.

11月 29 17:42:20 localhost.localdomain systemd1: sshd.service: Unit process 8761 (sshd) remains running after unit stopped.

11月 29 17:42:20 localhost.localdomain systemd1: sshd.service: Unit process 8765 (sshd) remains running after unit stopped.

11月 29 17:42:20 localhost.localdomain systemd1: sshd.service: Unit process 8766 (sshd) remains running after unit stopped.

11月 29 17:42:20 localhost.localdomain systemd1: sshd.service: Unit process 8768 (bash) remains running after unit stopped.

11月 29 17:42:20 localhost.localdomain systemd1: sshd.service: Unit process 8828 (sshd) remains running after unit stopped.

11月 29 17:42:20 localhost.localdomain systemd1: sshd.service: Unit process 8829 (sftp-server) remains running after unit stopped.

11月 29 17:42:20 localhost.localdomain systemd1: sshd.service: Unit process 39742 (systemctl) remains running after unit stopped.

11月 29 17:42:20 localhost.localdomain systemd1: sshd.service: Unit process 39743 (systemd-tty-ask) remains running after unit stopped.

11月 29 17:42:20 localhost.localdomain systemd1: Failed to start SYSV: OpenSSH server daemon.

```

```

cat /etc/ssh/sshd_config

RSAAuthentication yes

RhostsRSAAuthentication no

GSSAPIKexAlgorithms gss-group14-sha256-,gss-group16-sha512-,gss-curve25519-sha256-

```

从错误信息来看,OpenSSH 10.2p1 已经不再支持一些旧的配置选项。

你需要更新你的 `/etc/ssh/sshd_config` 文件来解决这些问题。

具体处理方案如下:

  1. **删除或注释掉已废弃的选项**:

  • `RSAAuthentication` 和 `RhostsRSAAuthentication` 是已废弃的选项,可以安全删除

  • `GSSAPIKexAlgorithms` 在新版本中已被移除

  1. 修改建议:

```bash

备份当前配置文件

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

编辑配置文件

sudo vi /etc/ssh/sshd_config

```

找到并删除或注释掉以下行:

```

RSAAuthentication yes

RhostsRSAAuthentication no

GSSAPIKexAlgorithms gss-group14-sha256-,gss-group16-sha512-,gss-curve25519-sha256-

```

  1. 如果你需要使用 GSSAPI 相关的密钥交换算法,可以替换为:

```

KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256

```

  1. 保存修改后,测试配置文件是否正确:

```bash

sudo sshd -t

```

如果没有显示错误,再重新启动 sshd 服务:

```bash

sudo systemctl restart sshd

```

  1. 如果你确实需要 GSSAPI 相关的功能,可能需要查看 OpenSSH 10.2p1 的文档,了解新的配置方式。

这些修改应该能解决你的问题。

OpenSSH 的新版本移除了一些旧的加密算法和认证方式,以提高安全性,所以配置需要相应更新。

```

sed -i '/RSAAuthentication/s/^/#/' /etc/ssh/sshd_config

sed -i '/GSSAPIKexAlgorithms/s/^/#/' /etc/ssh/sshd_config

echo "KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256" >> /etc/ssh/sshd_config

```

```

systemctl resart sshd

systemctl enable sshd

systemctl status sshd

rpm -qa| grep openssh

openssh-10.2p1-1.oe2203.x86_64

openssh-server-10.2p1-1.oe2203.x86_64

openssh-clients-10.2p1-1.oe2203.x86_64

ssh -V

OpenSSH_10.2p1, OpenSSL 3.0.18 30 Sep 2025

```

!image.png(https://upload-images.jianshu.io/upload_images/12979420-12fa7b9aa0b88989.png?imageMogr2/auto-orient/strip|imageView2/2/w/1240)

!image.png(https://upload-images.jianshu.io/upload_images/12979420-9e1f8acd368115f5.png?imageMogr2/auto-orient/strip|imageView2/2/w/1240)

三、制作一键安装脚本

> install_openssh-10.2p1-oe2203.sh

```

#!/bin/bash

if ! yum -y localinstall *.rpm --disablerepo=* ; then

echo "OpenSSH rpm 安装失败!"

exit 1

fi

sed -i '/RSAAuthentication/s/^/#/' /etc/ssh/sshd_config

sed -i '/GSSAPIKexAlgorithms/s/^/#/' /etc/ssh/sshd_config

echo "KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256" >> /etc/ssh/sshd_config

systemctl daemon-reload

systemctl restart sshd

systemctl enable sshd

systemctl status sshd

echo "#-------------------------------------------------#"

rpm -qa | grep openssh

ssh -V

```

四、 参考

CentOS7.x上编译rpm升级OpenSSH至 9.8p1,解决 CVE-2024-6387安全漏洞问题

https://www.jianshu.com/p/46011da1047c

A script to backport openssh rpm package from upstream

https://github.com/boypt/openssh-rpms

相关推荐
izcll1 天前
ubuntu系统安装软件的方法
linux·运维·ubuntu
森G1 天前
78、框架分析------服务器源码解析----云视频服务项目
服务器·c++·qt
云飞云共享云桌面1 天前
传统工作站 vs 云飞云共享云桌面:制造业设计云桌面选型深度对比
运维·服务器·前端·网络·3d·架构·制造
JAVA面经实录9171 天前
操作系统面试题
java·服务器·数据库·计算机网络·面试
小刘|1 天前
Spring AI Alibaba 集成和风天气 API 实战
java·服务器·前端
暮云星影1 天前
全志linux开发屏幕适配(一)屏幕参数设置说明
linux·arm开发
Maynor9961 天前
我用 Codex 给自己的网站上线了一个智能体客服:从 Dify 到服务器部署,全程实战复盘
运维·服务器
聚名网1 天前
域名net,com,cn有区别吗?有哪些不同呢?
服务器·开发语言·php
java_cj1 天前
深入kubectl create源码:从YAML到Pod的完整链路拆解
运维·云原生·容器·kubernetes
小小小花儿1 天前
SSH密钥配置(免密连接远程服务器)
服务器·ssh
热门推荐
012026年6月AI行业全景:从百模大战到Agent元年,这30天发生了什么?022026 AI 编程工具终极实战指南:Cursor vs Claude Code vs Copilot,开发者该怎么选?03【AI】2026 年具身智能模型和世界模型总结042026 年 AI 编程工具终极横评:Cursor vs Claude Code vs Copilot vs Windsurf05GitHub 镜像站点06HTTP 与 HTTPS 的区别:从原理到实战详解072026年6月AI大模型全景报告:GPT-5.6、Claude Opus 4.8、Gemini 3.5,中美AI三足鼎立谁主沉浮?08上线仅72小时被强制下架:Claude Fable 5 的短命09Codex 下载安装指南:Windows 和 macOS 官方版下载10AI科技热点日报 | 2026年6月1日