【openSSH】Linux openEuler-22.03-x86_64升级openSSH至10.2p1版本

一 、 问题背景

OpenSSH（OpenBSD Secure Shell）是加拿大OpenBSD计划组的一套用于安全访问远程计算机的连接工具。

该工具是SSH协议的开源实现，支持对所有的传输进行加密，可有效阻止窃听、连接劫持以及其他网络级的攻击。

CVE-2023-51767是OpenSSH 9.6及之前版本存在的内存比特翻转绕过认证漏洞，攻击者可利用硬件层缺陷绕过身份验证，建议立即升级至OpenSSH 9.7+版本修复

> OpenSSH 官方网站和源码包格式

OpenSSH 的官方下载地址： https://www.openssh.com/portable.html

OpenBSD 官方镜像：https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/

在官网或镜像站，你可以找到各个版本的 OpenSSH 源码包，命名格式为：

```

openssh-X.XpY.tar.gz

X.X 是主版本号（如 10.0）

Y 是补丁号（如 p1）

```

二 、 升级操作

OenSSH官方只提供源码包，我们考虑自己将源码编译为rpm包来升级环境的OpenSSH。

当然编译过程也尽量简单化，这里我们直接使用开源的脚本进行编译。

https://github.com/boypt/openssh-rpms

```

yum groupinstall -y "Development Tools"

yum install -y imake rpm-build pam-devel krb5-devel zlib-devel libXt-devel libX11-devel gtk2-devel perl perl-IPC-Cmd perl-Time-Piece

```

```

git clone https://github.com/boypt/openssh-rpms.git

cd openssh-rpms-main

将出现 source version.env 行改为 source ./version.env

grep "version.env" *.sh

compile.sh:source ./version.env

pullsrc.sh:source ./version.env

将出现 wget 的行加上 --no-check-certificate 参数，避免因为证书问题导致源码下载失败。

grep "wget" pullsrc.sh

wget --no-check-certificate OPENSSLMIR/OPENSSLSRC

wget --no-check-certificate OPENSSHMIR/OPENSSHSRC

wget --no-check-certificate ASKPASSMIR/ASKPASSSRC

```

```

sh pullsrc.sh

sh compile.sh

Obsoletes: ssh-server

处理文件：openssh-debuginfo-10.2p1-1.oe2203.x86_64

Provides: openssh-debuginfo = 10.2p1-1.oe2203 openssh-debuginfo(x86-64) = 10.2p1-1.oe2203

Requires(rpmlib): rpmlib(CompressedFileNames) <= 3.0.4-1 rpmlib(FileDigests) <= 4.6.0-1 rpmlib(PayloadFilesHavePrefix) <=

Recommends: openssh-debugsource(x86-64) = 10.2p1-1.oe2203

处理文件：openssh-debugsource-10.2p1-1.oe2203.x86_64

Provides: openssh-debugsource = 10.2p1-1.oe2203 openssh-debugsource(x86-64) = 10.2p1-1.oe2203

Requires(rpmlib): rpmlib(CompressedFileNames) <= 3.0.4-1 rpmlib(FileDigests) <= 4.6.0-1 rpmlib(PayloadFilesHavePrefix) <=

检查未打包文件：/usr/lib/rpm/check-files /root/openssh-rpms/el7/BUILDROOT/openssh-10.2p1-1.oe2203.x86_64

已写至：/root/openssh-rpms/el7/SRPMS/openssh-10.2p1-1.oe2203.src.rpm

已写至：/root/openssh-rpms/el7/RPMS/x86_64/openssh-server-10.2p1-1.oe2203.x86_64.rpm

已写至：/root/openssh-rpms/el7/RPMS/x86_64/openssh-10.2p1-1.oe2203.x86_64.rpm

已写至：/root/openssh-rpms/el7/RPMS/x86_64/openssh-debugsource-10.2p1-1.oe2203.x86_64.rpm

已写至：/root/openssh-rpms/el7/RPMS/x86_64/openssh-clients-10.2p1-1.oe2203.x86_64.rpm

已写至：/root/openssh-rpms/el7/RPMS/x86_64/openssh-debuginfo-10.2p1-1.oe2203.x86_64.rpm

正在执行(%clean)：/bin/sh -e /var/tmp/rpm-tmp.7hwYPZ

• umask 022

• cd /root/openssh-rpms/el7/BUILD

• cd openssh-10.2p1

• rm -rf /root/openssh-rpms/el7/BUILDROOT/openssh-10.2p1-1.oe2203.x86_64

• RPM_EC=0

++ jobs -p

• exit 0

~/openssh-rpms

```


```

systemctl restart sshd

Job for sshd.service failed because the control process exited with error code.

See "systemctl status sshd.service" and "journalctl -xeu sshd.service" for details.

root@localhost x86_64\]# \[root@localhost x86_64\]# systemctl status sshd × sshd.service - SYSV: OpenSSH server daemon Loaded: loaded (/etc/rc.d/init.d/sshd; generated) Active: failed (Result: exit-code) since Sat 2025-11-29 17:42:20 CST; 10s ago Docs: man:systemd-sysv-generator(8) Process: 39751 ExecStart=/etc/rc.d/init.d/sshd start (code=exited, status=255/EXCEPTION) Tasks: 14 (limit: 8950) Memory: 794.4M CGroup: /system.slice/sshd.service ├─ 8566 "sshd: root \[priv\]" "" "" "" ├─ 8570 "sshd: root \[priv\]" "" "" "" ├─ 8571 "sshd: root@pts/0" "" "" "" "" ├─ 8575 "sshd: root@notty" "" "" "" "" ├─ 8576 /usr/libexec/openssh/sftp-server -l INFO -f AUTH ├─ 8629 -bash ├─ 8761 "sshd: root \[priv\]" "" "" "" ├─ 8765 "sshd: root \[priv\]" "" "" "" ├─ 8766 "sshd: root@pts/1" "" "" "" "" ├─ 8768 -bash ├─ 8828 "sshd: root@notty" "" "" "" "" ├─ 8829 /usr/libexec/openssh/sftp-server -l INFO -f AUTH ├─39760 systemctl status sshd └─39761 less 11月 29 17:42:20 localhost.localdomain systemd\[1\]: sshd.service: Unit process 8629 (bash) remains running after unit stopped. 11月 29 17:42:20 localhost.localdomain systemd\[1\]: sshd.service: Unit process 8761 (sshd) remains running after unit stopped. 11月 29 17:42:20 localhost.localdomain systemd\[1\]: sshd.service: Unit process 8765 (sshd) remains running after unit stopped. 11月 29 17:42:20 localhost.localdomain systemd\[1\]: sshd.service: Unit process 8766 (sshd) remains running after unit stopped. 11月 29 17:42:20 localhost.localdomain systemd\[1\]: sshd.service: Unit process 8768 (bash) remains running after unit stopped. 11月 29 17:42:20 localhost.localdomain systemd\[1\]: sshd.service: Unit process 8828 (sshd) remains running after unit stopped. 11月 29 17:42:20 localhost.localdomain systemd\[1\]: sshd.service: Unit process 8829 (sftp-server) remains running after unit stopped. 11月 29 17:42:20 localhost.localdomain systemd\[1\]: sshd.service: Unit process 39742 (systemctl) remains running after unit stopped. 11月 29 17:42:20 localhost.localdomain systemd\[1\]: sshd.service: Unit process 39743 (systemd-tty-ask) remains running after unit stopped. 11月 29 17:42:20 localhost.localdomain systemd\[1\]: Failed to start SYSV: OpenSSH server daemon. \`\`\` \`\`\` # journalctl -u sshd -b 11月 29 17:42:20 localhost.localdomain systemd\[1\]: Starting SYSV: OpenSSH server daemon... 11月 29 17:42:20 localhost.localdomain sshd\[39751\]: Starting sshd: 11月 29 17:42:20 localhost.localdomain sshd\[39759\]: /etc/ssh/sshd_config line 142: Deprecated option RSAAuthentication 11月 29 17:42:20 localhost.localdomain sshd\[39759\]: /etc/ssh/sshd_config line 144: Deprecated option RhostsRSAAuthentication 11月 29 17:42:20 localhost.localdomain sshd\[39759\]: /etc/ssh/sshd_config: line 159: Bad configuration option: GSSAPIKexAlgorithms 11月 29 17:42:20 localhost.localdomain sshd\[39759\]: /etc/ssh/sshd_config: terminating, 1 bad configuration options 11月 29 17:42:20 localhost.localdomain sshd\[39751\]: \[失败

11月 29 17:42:20 localhost.localdomain systemd[1]: sshd.service: Control process exited, code=exited, status=255/EXCEPTION

11月 29 17:42:20 localhost.localdomain systemd[1]: sshd.service: Failed with result 'exit-code'.

11月 29 17:42:20 localhost.localdomain systemd[1]: sshd.service: Unit process 8566 (sshd) remains running after unit stopped.

11月 29 17:42:20 localhost.localdomain systemd[1]: sshd.service: Unit process 8570 (sshd) remains running after unit stopped.

11月 29 17:42:20 localhost.localdomain systemd[1]: sshd.service: Unit process 8571 (sshd) remains running after unit stopped.

11月 29 17:42:20 localhost.localdomain systemd[1]: sshd.service: Unit process 8575 (sshd) remains running after unit stopped.

11月 29 17:42:20 localhost.localdomain systemd[1]: sshd.service: Unit process 8576 (sftp-server) remains running after unit stopped.

11月 29 17:42:20 localhost.localdomain systemd[1]: sshd.service: Unit process 8629 (bash) remains running after unit stopped.

11月 29 17:42:20 localhost.localdomain systemd[1]: sshd.service: Unit process 8761 (sshd) remains running after unit stopped.

11月 29 17:42:20 localhost.localdomain systemd[1]: sshd.service: Unit process 8765 (sshd) remains running after unit stopped.

11月 29 17:42:20 localhost.localdomain systemd[1]: sshd.service: Unit process 8766 (sshd) remains running after unit stopped.

11月 29 17:42:20 localhost.localdomain systemd[1]: sshd.service: Unit process 8768 (bash) remains running after unit stopped.

11月 29 17:42:20 localhost.localdomain systemd[1]: sshd.service: Unit process 8828 (sshd) remains running after unit stopped.

11月 29 17:42:20 localhost.localdomain systemd[1]: sshd.service: Unit process 8829 (sftp-server) remains running after unit stopped.

11月 29 17:42:20 localhost.localdomain systemd[1]: sshd.service: Unit process 39742 (systemctl) remains running after unit stopped.

11月 29 17:42:20 localhost.localdomain systemd[1]: sshd.service: Unit process 39743 (systemd-tty-ask) remains running after unit stopped.

11月 29 17:42:20 localhost.localdomain systemd[1]: Failed to start SYSV: OpenSSH server daemon.

```

```

cat /etc/ssh/sshd_config

RSAAuthentication yes

RhostsRSAAuthentication no

GSSAPIKexAlgorithms gss-group14-sha256-,gss-group16-sha512-,gss-curve25519-sha256-

```

从错误信息来看，OpenSSH 10.2p1 已经不再支持一些旧的配置选项。

你需要更新你的 `/etc/ssh/sshd_config` 文件来解决这些问题。

具体处理方案如下：

1. **删除或注释掉已废弃的选项**：

• `RSAAuthentication` 和 `RhostsRSAAuthentication` 是已废弃的选项，可以安全删除

• `GSSAPIKexAlgorithms` 在新版本中已被移除

2. 修改建议：

```bash

备份当前配置文件

sudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak

编辑配置文件

sudo vi /etc/ssh/sshd_config

```

找到并删除或注释掉以下行：

```

RSAAuthentication yes

RhostsRSAAuthentication no

GSSAPIKexAlgorithms gss-group14-sha256-,gss-group16-sha512-,gss-curve25519-sha256-

```

3. 如果你需要使用 GSSAPI 相关的密钥交换算法，可以替换为：

```

KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256

```

4. 保存修改后，测试配置文件是否正确：

```bash

sudo sshd -t

```

如果没有显示错误，再重新启动 sshd 服务：

```bash

sudo systemctl restart sshd

```

5. 如果你确实需要 GSSAPI 相关的功能，可能需要查看 OpenSSH 10.2p1 的文档，了解新的配置方式。

这些修改应该能解决你的问题。

OpenSSH 的新版本移除了一些旧的加密算法和认证方式，以提高安全性，所以配置需要相应更新。

```

sed -i '/RSAAuthentication/s/^/#/' /etc/ssh/sshd_config

sed -i '/GSSAPIKexAlgorithms/s/^/#/' /etc/ssh/sshd_config

echo "KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256" >> /etc/ssh/sshd_config

```

```

systemctl resart sshd

systemctl enable sshd

systemctl status sshd

rpm -qa| grep openssh

openssh-10.2p1-1.oe2203.x86_64

openssh-server-10.2p1-1.oe2203.x86_64

openssh-clients-10.2p1-1.oe2203.x86_64

ssh -V

OpenSSH_10.2p1, OpenSSL 3.0.18 30 Sep 2025

```



三、制作一键安装脚本

> install_openssh-10.2p1-oe2203.sh

```

#!/bin/bash

if ! yum -y localinstall *.rpm --disablerepo=* ; then

echo "OpenSSH rpm 安装失败！"

exit 1

fi

sed -i '/RSAAuthentication/s/^/#/' /etc/ssh/sshd_config

sed -i '/GSSAPIKexAlgorithms/s/^/#/' /etc/ssh/sshd_config

echo "KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256" >> /etc/ssh/sshd_config

systemctl daemon-reload

systemctl restart sshd

systemctl enable sshd

systemctl status sshd

echo "#-------------------------------------------------#"

rpm -qa | grep openssh

ssh -V

```

四、 参考

CentOS7.x上编译rpm升级OpenSSH至 9.8p1，解决 CVE-2024-6387安全漏洞问题

https://www.jianshu.com/p/46011da1047c

A script to backport openssh rpm package from upstream

https://github.com/boypt/openssh-rpms