假设升级的目标主机不可以上网,演示离线情况下升级流程
1.下载所需依赖deb包
使用能够apt 正常安装的机器,将deb包下载到本地,然后将deb离线包传输到目标主机上
编译openssh所需依赖和gcc编译工具
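# Step 1: fetch the build dependencies (gcc, make, zlib and PAM headers) on
# a host that can reach an apt mirror, then move the .deb files to the
# offline target.
# --download-only leaves the packages, plus any missing dependencies, in
# /var/cache/apt/archives/ instead of installing them on the helper host
# (add --reinstall if the helper already has them installed, otherwise
# nothing is fetched).
apt-get install -y --download-only gcc make zlib1g-dev libpam0g-dev
# Copy /var/cache/apt/archives/*.deb to the target host and install them
# there; dpkg orders the packages itself, so one invocation is enough.
dpkg -i ./*.deb

# Step 2: download and build OpenSSL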
下载指定版本openssl,并将其传输到目标机器上
https://www.openssl.org/source/old/3.1/openssl-3.1.0.tar.gz
解压并编译
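# Step 2 (continued): build OpenSSL from the transferred tarball.
# Verify the archive's checksum/signature against the values published
# alongside the download before extracting it: whatever is built here
# becomes the crypto library the new sshd links against.
openssl_ver=3.1.0
openssl_prefix=/usr/local/openssl
# Chained with && so a failed extract/configure does not fall through to
# "make install" (the commands are meant to be typed into a root shell, so
# no "exit" is used).
tar xf "openssl-${openssl_ver}.tar.gz" \
  && cd "openssl-${openssl_ver}" \
  && ./config shared --prefix="$openssl_prefix" \
  && make -j"$(nproc)" \
  && make install
# Register the new library directory with the dynamic linker.
# NOTE(review): OpenSSL 3 installs into lib64 on 64-bit Linux by default —
# check with `ls "$openssl_prefix"` and use lib/ instead if that is what exists.
echo "${openssl_prefix}/lib64" > /etc/ld.so.conf.d/openssl.conf
ldconfig -v

# Step 3: remove the old OpenSSH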
在卸载旧版本之前需要先备份某些文件
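# Step 3 (continued): back up what the purge below removes.  The account
# database is needed so the sshd privilege-separation user survives (the
# OpenSSH build stops without it); the PAM and sshd configs are restored
# after the rebuild.
# -p keeps owner and mode, so the shadow copies in /root are not left
# more readable than the originals.
cp -p /etc/passwd /etc/group /etc/shadow /etc/gshadow /root/
cp -p /etc/pam.d/sshd /root/
cp -p /etc/ssh/sshd_config /root/
# NOTE(review): purging openssh-server may also remove the host keys under
# /etc/ssh; backing up /etc/ssh/ssh_host_* and restoring them later keeps
# the host identity stable, so clients do not get a "host key changed"
# warning after the upgrade.
# Keep the current session open and have console/out-of-band access ready:
# no new SSH logins are possible until the new sshd is running.
# The packages are named explicitly: apt treats a name containing '*' as an
# unanchored regular expression, so a bare openssh* can also match the
# "openssl" package, and -y would confirm that removal unseen.
apt purge -y openssh-server openssh-client openssh-sftp-server

# Step 4: download and build OpenSSH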
下载指定版本openssh,并将其传输到目标机器上
https://mirrors.aliyun.com/pub/OpenBSD/OpenSSH/portable/openssh-9.3p1.tar.gz
解压并编译
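# Step 4 (continued): build OpenSSH against the OpenSSL installed in step 2.
# NOTE(review): 9.3p1 has since been superseded by releases carrying
# security fixes; check the mirror for the current release before building,
# and verify the tarball's checksum/signature before extracting it.
# Building as root runs the tarball's scripts with full privileges; if
# possible build as an unprivileged user and only run "make install" as root.
ssh_ver=9.3p1
# --with-ssl-dir points at the freshly built OpenSSL; --with-pam is what the
# "UsePAM yes" setting applied later relies on.
tar xf "openssh-${ssh_ver}.tar.gz" \
  && cd "openssh-${ssh_ver}" \
  && ./configure --prefix=/usr --sysconfdir=/etc/ssh \
       --with-ssl-dir=/usr/local/openssl --with-pam --with-md5-passwords
# Restore the account database first, otherwise the build stops because
# the sshd user no longer exists.  Absolute paths are used so the shell
# stays inside the source tree for the make/install that follows.
cp /root/passwd /root/group /root/shadow /root/gshadow /etc/
chown root:shadow /etc/shadow /etc/gshadow
chmod 640 /etc/shadow /etc/gshadow
# -j: one job per CPU core.
make -j"$(nproc)" && make install
# Still inside the source tree: install the helper script and docs that
# "make install" leaves out.
install -m755 contrib/ssh-copy-id /usr/bin
install -m644 contrib/ssh-copy-id.1 /usr/share/man/man1
install -m755 -d "/usr/share/doc/openssh-${ssh_ver}"
install -m644 INSTALL LICENCE OVERVIEW README* "/usr/share/doc/openssh-${ssh_ver}"

# Next: edit /etc/ssh/sshd_config — uncomment "UsePAM no" and change it to
# "UsePAM yes", and set PermitRootLogin (the guide sets it to yes).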
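# /etc/ssh/sshd_config — settings to change after "make install".
# UsePAM yes: sshd was built --with-pam; without it the PAM stack in
# /etc/pam.d/sshd (restored later) is not used for logins.
UsePAM yes
....
# PermitRootLogin yes allows password logins as root over the network.
# Once the upgrade is verified, prefer "prohibit-password" (key-only root)
# or "no" and log in with an ordinary account plus sudo.
PermitRootLogin yes
# Note: the backed-up sshd_config copied back into /etc/ssh/ in the
# "restore configuration" step replaces this file, so these two edits
# must be re-applied on the restored copy.

# Step 5: configure the systemd unit files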
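# Step 5 (continued): systemd units.  After the purge no packaged unit is
# left for sshd, so the guide supplies its own.  Quoted here-docs are used
# so $MAINPID is stored literally (systemd expands it, not the shell).
# NOTE(review): /etc/systemd/system is the usual home for locally
# maintained units; /lib/systemd/system is kept here to match the guide.
cat > /lib/systemd/system/sshd.service <<'EOF'
[Unit]
Description=OpenSSH Daemon
# Must match the file name of the key-generation unit created below
# (sshd-keygen.service).  With a unit name that does not exist the
# ordering is silently ignored and sshd can start before any host key
# exists and fail.
Wants=sshd-keygen.service
After=sshd-keygen.service
After=network.target

[Service]
# Refuse to start on a broken sshd_config instead of crash-looping under
# Restart=always.
ExecStartPre=/usr/sbin/sshd -t
ExecStart=/usr/sbin/sshd -D
ExecReload=/bin/kill -HUP $MAINPID
# Only the listener is killed on stop; established sessions keep running.
KillMode=process
Restart=always

[Install]
WantedBy=multi-user.target
EOF

cat > /lib/systemd/system/sshd-keygen.service <<'EOF'
[Unit]
Description=SSH Key Generation
# "=|" makes these an OR group: the unit runs when any listed file is missing.
# NOTE(review): if "ssh-keygen -A" in this OpenSSH release no longer creates
# a DSA key, the dsa lines stay unsatisfied and the oneshot runs on every
# boot (harmless, but consider dropping them).
ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key
ConditionPathExists=|!/etc/ssh/ssh_host_dsa_key.pub
ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key
ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key.pub
ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key
ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key.pub
ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key
ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key.pub

[Service]
# Generates every missing host key type at once.
ExecStart=/usr/bin/ssh-keygen -A
Type=oneshot
RemainAfterExit=yes
EOF

# Step 6: restore the saved configuration files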
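# Step 6 (continued): restore the saved configs and start the new daemon.
# Absolute paths: the shell may still be inside the source tree here.
cp /root/sshd /etc/pam.d/
cp /root/sshd_config /etc/ssh/
# The restored sshd_config replaces the UsePAM/PermitRootLogin edits made
# after "make install"; re-apply them to /etc/ssh/sshd_config now, then let
# sshd validate the file before it is enabled.
/usr/sbin/sshd -t
systemctl daemon-reload
systemctl enable sshd --now
# Open a second SSH session to confirm logins work before closing the
# current one; it is the only remaining way in if the new sshd fails.
# sftp: the compiled sftp-server lives at /usr/libexec/sftp-server, while
# the restored sshd_config points at /usr/lib/openssh/sftp-server, so sftp
# connections fail until the Subsystem line is changed as shown below and
# sshd is restarted.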
# /etc/ssh/sshd_config — point the sftp subsystem at the compiled binary;
# the restored config references /usr/lib/openssh/sftp-server, which the
# purge removed.  "internal-sftp" is the path-independent alternative.
# Restart sshd after saving.
# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server