OpenSSH作为操作系统底层管理平台软件,需要保持更新以免遭受安全攻击,编译生成rpm包是生产环境中批量升级的最佳途径。本文在国产openEuler 22.03 LTS系统上完成OpenSSH 9.6的编译工作。
一、编译环境
1、准备环境
基于vmware workstation发布的x86虚拟机,最小化安装了openEuler 22.03 LTS,版本信息如下:
[root@localhost ~]# cat /etc/os-release
NAME="openEuler"
VERSION="22.03 LTS"
ID="openEuler"
VERSION_ID="22.03"
PRETTY_NAME="openEuler 22.03 LTS"
ANSI_COLOR="0;31"
[root@localhost ~]# rpm -qa|grep openssh
openssh-8.8p1-2.oe2203.x86_64
openssh-server-8.8p1-2.oe2203.x86_64
openssh-clients-8.8p1-2.oe2203.x86_64
[root@localhost ~]# ssh -V
OpenSSH_8.8p1, OpenSSL 1.1.1m 14 Dec 2021
[root@localhost ~]# sshd -V
unknown option -- V
OpenSSH_8.8p1, OpenSSL 1.1.1m 14 Dec 2021
usage: sshd [-46DdeiqTt] [-C connection_spec] [-c host_cert_file][-E log_file] [-f config_file] [-g login_grace_time][-h host_key_file] [-o option] [-p port] [-u len]
[root@localhost SPECS]# openssl
OpenSSL> version
OpenSSL 1.1.1m 14 Dec 2021
OpenSSL> exit
2、修改系统源为阿里源
[root@localhost ~]# cp /etc/yum.repos.d/openEuler.repo{,.bak}
[root@localhost ~]# sed -i "s/repo.openeuler.org/mirrors.aliyun.com\/openeuler/g" /etc/yum.repos.d/openEuler.repo
[root@localhost ~]# cat /etc/yum.repos.d/openEuler.repo
#generic-repos is licensed under the Mulan PSL v2.
#You can use this software according to the terms and conditions of the Mulan PSL v2.
#You may obtain a copy of Mulan PSL v2 at:
# http://license.coscl.org.cn/MulanPSL2
#THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
#IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
#PURPOSE.
#See the Mulan PSL v2 for more details.

[OS]
name=OS
baseurl=http://mirrors.aliyun.com/openeuler/openEuler-22.03-LTS/OS/$basearch/
enabled=1
gpgcheck=1
gpgkey=http://mirrors.aliyun.com/openeuler/openEuler-22.03-LTS/OS/$basearch/RPM-GPG-KEY-openEuler

[everything]
name=everything
baseurl=http://mirrors.aliyun.com/openeuler/openEuler-22.03-LTS/everything/$basearch/
enabled=1
gpgcheck=1
gpgkey=http://mirrors.aliyun.com/openeuler/openEuler-22.03-LTS/everything/$basearch/RPM-GPG-KEY-openEuler

[EPOL]
name=EPOL
baseurl=http://mirrors.aliyun.com/openeuler/openEuler-22.03-LTS/EPOL/main/$basearch/
enabled=1
gpgcheck=1
gpgkey=http://mirrors.aliyun.com/openeuler/openEuler-22.03-LTS/OS/$basearch/RPM-GPG-KEY-openEuler

[debuginfo]
name=debuginfo
baseurl=http://mirrors.aliyun.com/openeuler/openEuler-22.03-LTS/debuginfo/$basearch/
enabled=1
gpgcheck=1
gpgkey=http://mirrors.aliyun.com/openeuler/openEuler-22.03-LTS/debuginfo/$basearch/RPM-GPG-KEY-openEuler

[source]
name=source
baseurl=http://mirrors.aliyun.com/openeuler/openEuler-22.03-LTS/source/
enabled=1
gpgcheck=1
gpgkey=http://mirrors.aliyun.com/openeuler/openEuler-22.03-LTS/source/RPM-GPG-KEY-openEuler

[update]
name=update
baseurl=http://mirrors.aliyun.com/openeuler/openEuler-22.03-LTS/update/$basearch/
enabled=1
gpgcheck=1
gpgkey=http://mirrors.aliyun.com/openeuler/openEuler-22.03-LTS/OS/$basearch/RPM-GPG-KEY-openEuler
[root@localhost ~]# yum install tree -y
3、准备编译所需目录
[root@localhost ~]# cd ~
[root@localhost ~]# mkdir -p rpmbuild/{SOURCES,SPECS}
[root@localhost ~]# tree
.
├── anaconda-ks.cfg
└── rpmbuild
    ├── SOURCES
    └── SPECS

3 directories, 1 file
4、准备源码包
4.1、源包版本
官网地址 当前版本(下载完成后,应用下列官方校验值核对 tar 包;注意这里的 SHA256 为 base64 编码,与 sha256sum 的十六进制输出需转换后再比对):
- SHA1 (openssh-9.6.tar.gz) = a6d4cb69811e879e2f158c2e597fd9f444b26506
- SHA256 (openssh-9.6.tar.gz) = nejPUhSnG1R1sOmIBi/t+HMNvsRqfN/DJgjwIU2tvqg=
- SHA1 (openssh-9.6p1.tar.gz) = de300d09ec79fdbf37de4e6672cce4161439f2c3
- SHA256 (openssh-9.6p1.tar.gz) = kQIRwHJVqMWtZUORtA7lmABxDdgRndU2LeCThap6d3w=
附加程序:
x11-ssh-askpass-1.2.4.1
openssl-1.1.1v
4.2、下载实作
[root@localhost ~]# cd rpmbuild/SOURCES/
[root@localhost SOURCES]# wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.6p1.tar.gz --no-check-certificat
--2023-06-05 15:51:44-- https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.6p1.tar.gz
正在解析主机 cdn.openbsd.org (cdn.openbsd.org)... 146.75.115.52, 2a04:4e42:f::820
正在连接 cdn.openbsd.org (cdn.openbsd.org)|146.75.115.52|:443... 已连接。
警告: “cdn.openbsd.org” 的证书不可信。
已发出 HTTP 请求,正在等待回应... 200 OK
长度:1857862 (1.8M) [application/octet-stream]
正在保存至: “openssh-9.6p1.tar.gz”openssh-9.6p1.tar.gz 100%[=========================================================================>] 1.77M 1.28MB/s 用时 1.4s 2023-06-05 15:51:47 (1.28 MB/s) - 已保存 “openssh-9.6p1.tar.gz” [1857862/1857862])[root@localhost SOURCES]# wget https://src.fedoraproject.org/repo/pkgs/openssh/x11-ssh-askpass-1.2.4.1.tar.gz/8f2e41f3f7eaa8543a2440454637f3c3/x11-ssh-askpass-1.2.4.1.tar.gz --no-check-certificat
--2023-06-05 15:52:32-- https://src.fedoraproject.org/repo/pkgs/openssh/x11-ssh-askpass-1.2.4.1.tar.gz/8f2e41f3f7eaa8543a2440454637f3c3/x11-ssh-askpass-1.2.4.1.tar.gz
正在解析主机 src.fedoraproject.org (src.fedoraproject.org)... 38.145.60.20, 38.145.60.21
正在连接 src.fedoraproject.org (src.fedoraproject.org)|38.145.60.20|:443... 已连接。
警告: “src.fedoraproject.org” 的证书不可信。
警告: “src.fedoraproject.org” 的证书还未生效。
证书还未激活
已发出 HTTP 请求,正在等待回应... 200 OK
长度:29229 (29K) [application/x-gzip]
正在保存至: “x11-ssh-askpass-1.2.4.1.tar.gz”x11-ssh-askpass-1.2.4.1.tar.gz 100%[=========================================================================>] 28.54K 106KB/s 用时 0.3s 2023-06-05 15:52:33 (106 KB/s) - 已保存 “x11-ssh-askpass-1.2.4.1.tar.gz” [29229/29229])[root@localhost SOURCES]# wget https://www.openssl.org/source/openssl-1.1.1v.tar.gz --no-check-certificate
--2023-06-05 15:52:54-- https://www.openssl.org/source/openssl-1.1.1v.tar.gz
正在解析主机 www.openssl.org (www.openssl.org)... 34.36.58.177, 2600:1901:0:1812::
正在连接 www.openssl.org (www.openssl.org)|34.36.58.177|:443... 已连接。
警告: “www.openssl.org” 的证书不可信。
警告: “www.openssl.org” 的证书还未生效。
证书还未激活
已发出 HTTP 请求,正在等待回应... 200 OK
长度:9893443 (9.4M) [application/x-tar]
正在保存至: “openssl-1.1.1v.tar.gz”openssl-1.1.1v.tar.gz 100%[=========================================================================>] 9.43M 930KB/s 用时 10s 2023-06-05 15:53:05 (963 KB/s) - 已保存 “openssl-1.1.1v.tar.gz” [9893443/9893443])[root@localhost SOURCES]# vi sshd.pam.oe2203
[root@localhost SOURCES]# cat sshd.pam.oe2203
#%PAM-1.0
# PAM stack installed as /etc/pam.d/sshd.
# NOTE(review): the substack/include lines pull in /etc/pam.d/password-auth and
# /etc/pam.d/postlogin, and the SELinux modules below are marked "required";
# they must all exist on the target host, otherwise PAM treats those entries
# as failed and logins through sshd are refused.
auth substack password-auth
auth include postlogin
account required pam_sepermit.so
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session optional pam_motd.so
session include password-auth
session include postlogin
[root@localhost SOURCES]# ll
总用量 12M
-rw-r--r--. 1 root root 1.8M 12月 18 2023 openssh-9.6p1.tar.gz
-rw-r--r--. 1 root root 727 6月 5 15:54 sshd.pam.oe2203
-rw-r--r--. 1 root root 29K 6月 26 2004 x11-ssh-askpass-1.2.4.1.tar.gz
-rw-r--r--. 1 root root 9.5M 1月 22 2024 openssl-1.1.1v.tar.gz
5、安装编译所需软件包
[root@localhost SOURCES]# cd ../SPECS
[root@localhost SPECS]# yum install rpm-build zlib-devel openssl-devel gcc perl-devel pam-devel -y
Last metadata expiration check: 0:20:36 ago on 2023年06月05日 星期一 15时36分30秒.
Package gcc-10.3.1-10.oe2203.x86_64 is already installed.
Package perl-devel-4:5.34.0-3.oe2203.x86_64 is already installed.
Dependencies resolved.
=========================================================================================================================================================Package Architecture Version Repository Size
=========================================================================================================================================================
Installing:openssl-devel x86_64 1:1.1.1m-24.oe2203 update 1.8 Mpam-devel x86_64 1.5.2-7.oe2203 update 23 krpm-build x86_64 4.17.0-32.oe2203 update 69 kzlib-devel x86_64 1.2.11-24.oe2203 update 90 k
Upgrading:cpp x86_64 10.3.1-19.oe2203 update 9.0 Mgcc x86_64 10.3.1-19.oe2203 update 29 Mlibgcc x86_64 10.3.1-19.oe2203 update 74 klibgomp x86_64 10.3.1-19.oe2203 update 229 kopenssl x86_64 1:1.1.1m-24.oe2203 update 445 kopenssl-libs x86_64 1:1.1.1m-24.oe2203 update 1.4 Mpam x86_64 1.5.2-7.oe2203 update 439 kperl x86_64 4:5.34.0-12.oe2203 update 3.2 Mperl-devel x86_64 4:5.34.0-12.oe2203 update 2.1 Mperl-libs x86_64 4:5.34.0-12.oe2203 update 1.7 Mpython3-rpm x86_64 4.17.0-32.oe2203 update 79 krpm x86_64 4.17.0-32.oe2203 update 492 krpm-libs x86_64 4.17.0-32.oe2203 update 366 kzlib x86_64 1.2.11-24.oe2203 update 88 k
Installing dependencies:babeltrace x86_64 1.5.8-2.oe2203 OS 205 kdebugedit x86_64 5.0-2.oe2203 OS 74 kdwz x86_64 0.14-3.oe2203 OS 119 ke2fsprogs-devel x86_64 1.46.4-7.oe2203 OS 287 kgdb-headless x86_64 11.1-7.oe2203 update 3.5 Mgmp-c++ x86_64 1:6.2.1-1.oe2203 OS 17 kgmp-devel x86_64 1:6.2.1-1.oe2203 OS 449 kisl x86_64 0.16.1-12.oe2203 update 799 kisl-devel x86_64 0.16.1-12.oe2203 update 518 kkeyutils-libs-devel x86_64 1.6.3-3.oe2203 OS 12 kkrb5-devel x86_64 1.19.2-2.oe2203 OS 164 klibipt x86_64 2.0.4-1.oe2203 OS 51 klibselinux-devel x86_64 3.3-1.oe2203 OS 102 klibsepol-devel x86_64 3.3-2.oe2203 OS 362 klibverto-devel x86_64 0.3.2-1.oe2203 OS 17 kpatch x86_64 2.7.6-12.oe2203 OS 123 kpcre2-devel x86_64 10.39-1.oe2203 OS 501 kTransaction Summary
=========================================================================================================================================================
Install 21 Packages
Upgrade 14 PackagesTotal download size: 57 M
Downloading Packages:
...
Upgraded:cpp-10.3.1-19.oe2203.x86_64 gcc-10.3.1-19.oe2203.x86_64 libgcc-10.3.1-19.oe2203.x86_64 libgomp-10.3.1-19.oe2203.x86_64 openssl-1:1.1.1m-24.oe2203.x86_64 openssl-libs-1:1.1.1m-24.oe2203.x86_64 pam-1.5.2-7.oe2203.x86_64 perl-4:5.34.0-12.oe2203.x86_64 perl-devel-4:5.34.0-12.oe2203.x86_64 perl-libs-4:5.34.0-12.oe2203.x86_64 python3-rpm-4.17.0-32.oe2203.x86_64 rpm-4.17.0-32.oe2203.x86_64 rpm-libs-4.17.0-32.oe2203.x86_64 zlib-1.2.11-24.oe2203.x86_64
Installed:babeltrace-1.5.8-2.oe2203.x86_64 debugedit-5.0-2.oe2203.x86_64 dwz-0.14-3.oe2203.x86_64 e2fsprogs-devel-1.46.4-7.oe2203.x86_64 gdb-headless-11.1-7.oe2203.x86_64 gmp-c++-1:6.2.1-1.oe2203.x86_64 gmp-devel-1:6.2.1-1.oe2203.x86_64 isl-0.16.1-12.oe2203.x86_64 isl-devel-0.16.1-12.oe2203.x86_64 keyutils-libs-devel-1.6.3-3.oe2203.x86_64 krb5-devel-1.19.2-2.oe2203.x86_64 libipt-2.0.4-1.oe2203.x86_64 libselinux-devel-3.3-1.oe2203.x86_64 libsepol-devel-3.3-2.oe2203.x86_64 libverto-devel-0.3.2-1.oe2203.x86_64 openssl-devel-1:1.1.1m-24.oe2203.x86_64 pam-devel-1.5.2-7.oe2203.x86_64 patch-2.7.6-12.oe2203.x86_64 pcre2-devel-10.39-1.oe2203.x86_64 rpm-build-4.17.0-32.oe2203.x86_64 zlib-devel-1.2.11-24.oe2203.x86_64 Complete!
[root@localhost SPECS]#
6、 编写spec文件
[root@localhost SPECS]# vi /root/rpmbuild/SPECS/openssh.spec
[root@localhost SPECS]# cat openssh.spec
# openssh.spec: builds OpenSSH together with a private OpenSSL tree
# (static_openssl / static_libcrypto below). libcrypto.a from that tree is
# linked into the binaries, so the system libcrypto.so is not a runtime
# dependency of the resulting packages.
%{?!opensslver: %global opensslver 1.1.1v}
%{?!opensshver: %global opensshver 9.6p1}
%define static_openssl 1# whether to build openssl
%global no_build_openssl 0#if defined openssl_dir, don't build it
%{?openssl_dir:%global no_build_openssl 1}%global ver %{?opensshver}
%global rel %{?opensshpkgrel}%{?dist}oe2203# OpenSSH privilege separation requires a user & group ID
%global sshd_uid 74
%global sshd_gid 74# Version of ssh-askpass
%global aversion 1.2.4.1# Do we want to disable building of x11-askpass? (1=yes 0=no)
%global no_x11_askpass 1# Do we want to disable building of gnome-askpass? (1=yes 0=no)
%global no_gnome_askpass 1# Do we want to link against a static libcrypto? (1=yes 0=no)
%global static_libcrypto 0# Do we want smartcard support (1=yes 0=no)
%global scard 0# Use GTK2 instead of GNOME in gnome-ssh-askpass
%global gtk2 1# Use build6x options for older RHEL builds
# RHEL 7 not yet supported
%if 0%{?rhel} > 6
%global build6x 0
%else
%global build6x 0
%endif# Do we want kerberos5 support (1=yes 0=no)
%global kerberos5 1# Reserve options to override askpass settings with:
# rpm -ba|--rebuild --define 'skip_xxx 1'
%{?skip_x11_askpass:%global no_x11_askpass 1}
%{?skip_gnome_askpass:%global no_gnome_askpass 1}# Add option to build without GTK2 for older platforms with only GTK+.
# RedHat <= 7.2 and Red Hat Advanced Server 2.1 are examples.
# rpm -ba|--rebuild --define 'no_gtk2 1'
%{?no_gtk2:%global gtk2 0}# Is this a build for RHL 6.x or earlier?
%{?build_6x:%global build6x 1}# If this is RHL 6.x, the default configuration has sysconfdir in /usr/etc.
%if %{build6x}
%global _sysconfdir /etc
%endif# Options for static OpenSSL link:
# rpm -ba|--rebuild --define "static_openssl 1"
%{?static_openssl:%global static_libcrypto 1}# Options for Smartcard support: (needs libsectok and openssl-engine)
# rpm -ba|--rebuild --define "smartcard 1"
%{?smartcard:%global scard 1}# Is this a build for the rescue CD (without PAM, with MD5)? (1=yes 0=no)
%global rescue 0
%{?build_rescue:%global rescue 1}# Turn off some stuff for rescue builds
%if %{rescue}
%global kerberos5 0
%endifSummary: The OpenSSH implementation of SSH protocol version 2.
Name: openssh
Version: %{ver}
%if %{rescue}
Release: %{rel}rescue
%else
Release: %{rel}
%endif
URL: https://www.openssh.com/portable.html
Source0: https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
Source1: http://www.jmknoble.net/software/x11-ssh-askpass/x11-ssh-askpass-%{aversion}.tar.gz
Source2: sshd.pam.oe2203
%if ! %{no_build_openssl}
Source3: https://www.openssl.org/source/openssl-%{opensslver}.tar.gz
%endif
License: BSD
Group: Applications/Internet
BuildRoot: %{_tmppath}/%{name}-%{version}-buildroot
Obsoletes: ssh
%if %{build6x}
PreReq: initscripts >= 5.00
%else
Requires: initscripts >= 5.20
%endif
BuildRequires: perl
BuildRequires: /bin/login
%if ! %{build6x}
BuildRequires: glibc-devel, pam
%else
BuildRequires: /usr/include/security/pam_appl.h
%endif
%if ! %{no_x11_askpass}
BuildRequires: /usr/include/X11/Xlib.h
# Xt development tools
BuildRequires: libXt-devel
# Provides xmkmf
BuildRequires: imake
# Rely on relatively recent gtk
%if %{gtk2}
BuildRequires: gtk2-devel
%endif
%endif
%if ! %{no_gnome_askpass}
BuildRequires: pkgconfig
%endif
%if %{kerberos5}
BuildRequires: krb5-devel
BuildRequires: krb5-libs
%endif%package clients
Summary: OpenSSH clients.
Requires: openssh = %{version}-%{release}
Group: Applications/Internet
Obsoletes: ssh-clients%package server
Summary: The OpenSSH server daemon.
Group: System Environment/Daemons
Obsoletes: ssh-server
Requires: openssh = %{version}-%{release}, chkconfig >= 0.9
%if ! %{build6x}
Requires: /etc/pam.d/system-auth
%endif%package askpass
Summary: A passphrase dialog for OpenSSH and X.
Group: Applications/Internet
Requires: openssh = %{version}-%{release}
Obsoletes: ssh-extras%package askpass-gnome
Summary: A passphrase dialog for OpenSSH, X, and GNOME.
Group: Applications/Internet
Requires: openssh = %{version}-%{release}
Obsoletes: ssh-extras%description
SSH (Secure SHell) is a program for logging into and executing
commands on a remote machine. SSH is intended to replace rlogin and
rsh, and to provide secure encrypted communications between two
untrusted hosts over an insecure network. X11 connections and
arbitrary TCP/IP ports can also be forwarded over the secure channel.OpenSSH is OpenBSD's version of the last free version of SSH, bringing
it up to date in terms of security and features, as well as removing
all patented algorithms to separate libraries.
This package includes the core files necessary for both the OpenSSH
client and server. To make this package useful, you should also
install openssh-clients, openssh-server, or both.
%description clients
OpenSSH is a free version of SSH (Secure SHell), a program for logging
into and executing commands on a remote machine. This package includes
the clients necessary to make encrypted connections to SSH servers.
You'll also need to install the openssh package on OpenSSH clients.%description server
OpenSSH is a free version of SSH (Secure SHell), a program for logging
into and executing commands on a remote machine. This package contains
the secure shell daemon (sshd). The sshd daemon allows SSH clients to
securely connect to your SSH server. You also need to have the openssh
package installed.%description askpass
OpenSSH is a free version of SSH (Secure SHell), a program for logging
into and executing commands on a remote machine. This package contains
an X11 passphrase dialog for OpenSSH.%description askpass-gnome
OpenSSH is a free version of SSH (Secure SHell), a program for logging
into and executing commands on a remote machine. This package contains
an X11 passphrase dialog for OpenSSH and the GNOME GUI desktop
environment.%prep%if ! %{no_x11_askpass}
%setup -q -a 1
%else
%setup -q
%endif%if ! %{no_build_openssl}
%define openssl_dir %{_builddir}/%{name}-%{version}/openssl
# NOTE(review): this unpacks and builds the bundled OpenSSL tarball
# (opensslver), whose libcrypto.a is then linked statically (see the perl
# edit of Makefile in the build section). OpenSSL 1.1.1 is past upstream
# end-of-life; fixes for it only reach sshd by bumping opensslver and
# rebuilding this package, never through a system openssl update.
mkdir -p openssl
tar xfz %{SOURCE3} --strip-components=1 -C openssl
pushd openssl
./config shared zlib -fPIC
make %{?_smp_mflags}
popd
%endif%build
%if %{rescue}
CFLAGS="$RPM_OPT_FLAGS -Os"; export CFLAGS
%endifexport LD_LIBRARY_PATH="%{openssl_dir}"
%configure \--sysconfdir=%{_sysconfdir}/ssh \--libexecdir=%{_libexecdir}/openssh \--datadir=%{_datadir}/openssh \--with-default-path=/usr/local/bin:/bin:/usr/bin \--with-superuser-path=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin \--with-privsep-path=%{_var}/empty/sshd \--with-md5-passwords \--mandir=%{_mandir} \--with-mantype=man \--disable-strip \--with-ssl-dir="%{openssl_dir}" \
%if %{scard}--with-smartcard \
%endif
%if %{rescue}--without-pam \
%else--with-pam \
%endif
%if %{kerberos5}--with-kerberos5=$K5DIR \
%endif%if %{static_libcrypto}
#perl -pi -e "s|-lcrypto|%{_libdir}/libcrypto.a|g" Makefile
perl -pi -e "s|-lcrypto|%{openssl_dir}/libcrypto.a -lpthread|g" Makefile
%endifmake %{?_smp_mflags}%if ! %{no_x11_askpass}
pushd x11-ssh-askpass-%{aversion}
%configure --libexecdir=%{_libexecdir}/openssh
xmkmf -a
make -j
popd
%endif# Define a variable to toggle gnome1/gtk2 building. This is necessary
# because RPM doesn't handle nested %if statements.
%if %{gtk2}gtk2=yes
%elsegtk2=no
%endif%if ! %{no_gnome_askpass}
pushd contrib
if [ $gtk2 = yes ] ; thenmake gnome-ssh-askpass2mv gnome-ssh-askpass2 gnome-ssh-askpass
elsemake gnome-ssh-askpass1mv gnome-ssh-askpass1 gnome-ssh-askpass
fi
popd
%endif%install
rm -rf $RPM_BUILD_ROOT
mkdir -p -m755 $RPM_BUILD_ROOT%{_sysconfdir}/ssh
mkdir -p -m755 $RPM_BUILD_ROOT%{_libexecdir}/openssh
mkdir -p -m755 $RPM_BUILD_ROOT%{_var}/empty/sshdmake install DESTDIR=$RPM_BUILD_ROOT
# NOTE(review): these four directives are appended to the packaged default
# sshd_config. PermitRootLogin yes allows direct root login, and
# PubkeyAcceptedAlgorithms +ssh-rsa re-enables the SHA-1 RSA signature scheme
# that upstream disables by default; confirm both against the target baseline
# before shipping. The file is packaged config(noreplace), so on upgrade an
# existing sshd_config is kept and this one lands as sshd_config.rpmnew.
# echo -e is a bash extension; printf is the portable form for this.
echo -e 'PubkeyAcceptedAlgorithms +ssh-rsa\nUsePAM yes\nPermitRootLogin yes\nUseDNS no' >> $RPM_BUILD_ROOT/etc/ssh/sshd_config
install -d $RPM_BUILD_ROOT/etc/pam.d/
install -d $RPM_BUILD_ROOT/etc/rc.d/init.d
install -d $RPM_BUILD_ROOT%{_libexecdir}/openssh
install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT/usr/bin/ssh-copy-id
install -m644 %{SOURCE2} $RPM_BUILD_ROOT/etc/pam.d/sshd
install -m755 contrib/redhat/sshd.init $RPM_BUILD_ROOT/etc/rc.d/init.d/sshd%if ! %{no_x11_askpass}
install x11-ssh-askpass-%{aversion}/x11-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/x11-ssh-askpass
ln -s x11-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/ssh-askpass
%endif%if ! %{no_gnome_askpass}
install contrib/gnome-ssh-askpass $RPM_BUILD_ROOT%{_libexecdir}/openssh/gnome-ssh-askpass
%endif%if ! %{scard}rm -f $RPM_BUILD_ROOT/usr/share/openssh/Ssh.bin
%endif%if ! %{no_gnome_askpass}
install -m 755 -d $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
install -m 755 contrib/redhat/gnome-ssh-askpass.csh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
install -m 755 contrib/redhat/gnome-ssh-askpass.sh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/
%endifperl -pi -e "s|$RPM_BUILD_ROOT||g" $RPM_BUILD_ROOT%{_mandir}/man*/*%clean
rm -rf $RPM_BUILD_ROOT%triggerun server -- ssh-server
if [ "$1" != 0 -a -r /var/run/sshd.pid ] ; thentouch /var/run/sshd.restart
fi%triggerun server -- openssh-server < 2.5.0p1
# Count the number of HostKey and HostDsaKey statements we have.
gawk 'BEGIN {IGNORECASE=1}/^hostkey/ || /^hostdsakey/ {sawhostkey = sawhostkey + 1}END {exit sawhostkey}' /etc/ssh/sshd_config
# And if we only found one, we know the client was relying on the old default
# behavior, which loaded the SSH2 DSA host key when HostDsaKey wasn't
# specified. Now that HostKey is used for both SSH1 and SSH2 keys, specifying
# one nullifies the default, which would have loaded both.
if [ $? -eq 1 ] ; thenecho HostKey /etc/ssh/ssh_host_rsa_key >> /etc/ssh/sshd_configecho HostKey /etc/ssh/ssh_host_dsa_key >> /etc/ssh/sshd_config
fi%triggerpostun server -- ssh-server
if [ "$1" != 0 ] ; then/sbin/chkconfig --add sshdif test -f /var/run/sshd.restart ; thenrm -f /var/run/sshd.restart/sbin/service sshd start > /dev/null 2>&1 || :fi
fi%pre server
# Privilege-separation account with the fixed uid/gid 74 (sshd_uid/sshd_gid);
# the trailing "|| :" keeps the scriptlet from aborting when the group or
# user already exists on the host.
%{_sbindir}/groupadd -r -g %{sshd_gid} sshd 2>/dev/null || :
%{_sbindir}/useradd -d /var/empty/sshd -s /bin/false -u %{sshd_uid} \-g sshd -M -r sshd 2>/dev/null || :%post server
/sbin/chkconfig --add sshd%postun server
/sbin/service sshd condrestart > /dev/null 2>&1 || :%preun server
if [ "$1" = 0 ]
then/sbin/service sshd stop > /dev/null 2>&1 || :/sbin/chkconfig --del sshd
fi%files
%defattr(-,root,root)
%doc CREDITS ChangeLog INSTALL LICENCE OVERVIEW README* PROTOCOL* TODO
%attr(0755,root,root) %{_bindir}/scp
%attr(0644,root,root) %{_mandir}/man1/scp.1*
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/moduli
%if ! %{rescue}
%attr(0755,root,root) %{_bindir}/ssh-keygen
%attr(0755,root,root) %{_bindir}/ssh-copy-id
%attr(0644,root,root) %{_mandir}/man1/ssh-keygen.1*
%attr(0755,root,root) %dir %{_libexecdir}/openssh
# ssh-keysign is installed setuid root (mode 4711) by design; it is the helper
# used for host-based authentication.
%attr(4711,root,root) %{_libexecdir}/openssh/ssh-keysign
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-pkcs11-helper
%attr(0755,root,root) %{_libexecdir}/openssh/ssh-sk-helper
%attr(0644,root,root) %{_mandir}/man8/ssh-keysign.8*
%attr(0644,root,root) %{_mandir}/man8/ssh-pkcs11-helper.8*
%attr(0644,root,root) %{_mandir}/man8/ssh-sk-helper.8*
%endif
%if %{scard}
%attr(0755,root,root) %dir %{_datadir}/openssh
%attr(0644,root,root) %{_datadir}/openssh/Ssh.bin
%endif%files clients
%defattr(-,root,root)
%attr(0755,root,root) %{_bindir}/ssh
%attr(0644,root,root) %{_mandir}/man1/ssh.1*
%attr(0644,root,root) %{_mandir}/man5/ssh_config.5*
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/ssh/ssh_config
%if ! %{rescue}
# mode 2755 installs ssh-agent setgid to group nobody; confirm this is intended.
%attr(2755,root,nobody) %{_bindir}/ssh-agent
%attr(0755,root,root) %{_bindir}/ssh-add
%attr(0755,root,root) %{_bindir}/ssh-keyscan
%attr(0755,root,root) %{_bindir}/sftp
%attr(0644,root,root) %{_mandir}/man1/ssh-agent.1*
%attr(0644,root,root) %{_mandir}/man1/ssh-add.1*
%attr(0644,root,root) %{_mandir}/man1/ssh-keyscan.1*
%attr(0644,root,root) %{_mandir}/man1/sftp.1*
%endif%if ! %{rescue}
%files server
%defattr(-,root,root)
%dir %attr(0111,root,root) %{_var}/empty/sshd
%attr(0755,root,root) %{_sbindir}/sshd
%attr(0755,root,root) %{_libexecdir}/openssh/sftp-server
%attr(0644,root,root) %{_mandir}/man8/sshd.8*
%attr(0644,root,root) %{_mandir}/man5/moduli.5*
%attr(0644,root,root) %{_mandir}/man5/sshd_config.5*
%attr(0644,root,root) %{_mandir}/man8/sftp-server.8*
%attr(0755,root,root) %dir %{_sysconfdir}/ssh
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/ssh/sshd_config
%attr(0600,root,root) %config(noreplace) /etc/pam.d/sshd
# A SysV init script is packaged instead of a native systemd unit; on systemd
# hosts it is wrapped by systemd-sysv-generator.
%attr(0755,root,root) %config /etc/rc.d/init.d/sshd
%endif%if ! %{no_x11_askpass}
%files askpass
%defattr(-,root,root)
%doc x11-ssh-askpass-%{aversion}/README
%doc x11-ssh-askpass-%{aversion}/ChangeLog
%doc x11-ssh-askpass-%{aversion}/SshAskpass*.ad
%{_libexecdir}/openssh/ssh-askpass
%attr(0755,root,root) %{_libexecdir}/openssh/x11-ssh-askpass
%endif%if ! %{no_gnome_askpass}
%files askpass-gnome
%defattr(-,root,root)
%attr(0755,root,root) %config %{_sysconfdir}/profile.d/gnome-ssh-askpass.*
%attr(0755,root,root) %{_libexecdir}/openssh/gnome-ssh-askpass
%endif
7、查看当前文件情况
[root@localhost SPECS]# cd /root/rpmbuild && tree
.
├── SOURCES
│ ├── openssh-9.6p1.tar.gz
│ ├── openssl-1.1.1v.tar.gz
│ ├── sshd.pam.oe2203
│ └── x11-ssh-askpass-1.2.4.1.tar.gz
└── SPECS
    └── openssh.spec

2 directories, 5 files
二、编译rpm
1、编译
[root@localhost SPECS]# rpmbuild -bb openssh.spec
...
**************************************************
*** ***
*** Please run the same make command again ***
*** ***
**************************************************
make: *** [Makefile:688: configdata.pm] Error 1
错误:/var/tmp/rpm-tmp.nswfUe (%prep) 退出状态不好
...
2、提示报错
提示报错 "make: *** [Makefile:688: configdata.pm] Error 1",系因系统时间不正确所致(系统时间仍停在 2023 年 6 月,而实际已是 2024 年 1 月)。前文 4.2 节下载源码时出现的“证书还未生效”警告也应是同一原因,并非下载站点的证书有问题;修正时间后建议去掉 --no-check-certificate 重新下载,或至少按 4.1 节列出的校验值核对已下载的 tar 包。修正时间:
[root@localhost SPECS]# date
2023年 06月 05日 星期一 15:02:45 CST
[root@localhost SPECS]# ntpdate -u ntp1.aliyun.com
29 Jan 17:02:23 ntpdate[10034]: step time server 120.25.115.20 offset +20570147.938882 sec
[root@localhost SPECS]# date
2024年 01月 29日 星期一 17:03:09 CST
3、再次编译
[root@localhost SPECS]# rpmbuild -bb openssh.spec
警告:行 100:It's not recommended to have unversioned Obsoletes:Obsoletes: ssh
警告:行 136:It's not recommended to have unversioned Obsoletes:Obsoletes: ssh-clients
警告:行 141:It's not recommended to have unversioned Obsoletes:Obsoletes: ssh-server
警告:行 151:It's not recommended to have unversioned Obsoletes:Obsoletes: ssh-extras
警告:行 157:It's not recommended to have unversioned Obsoletes:Obsoletes: ssh-extras
正在执行(%prep):/bin/sh -e /var/tmp/rpm-tmp.4HNFWt
+ umask 022
+ cd /root/rpmbuild/BUILD
+ cd /root/rpmbuild/BUILD
+ rm -rf openssh-9.6p1
+ /usr/bin/gzip -dc /root/rpmbuild/SOURCES/openssh-9.6p1.tar.gz
+ /usr/bin/tar -xof -
+ STATUS=0
+ '[' 0 -ne 0 ']'
+ cd openssh-9.6p1
+ /usr/bin/chmod -Rf a+rX,u+w,g-w,o-w .
+ mkdir -p openssl
+ tar xfz /root/rpmbuild/SOURCES/openssl-1.1.1v.tar.gz --strip-components=1 -C openssl
+ pushd openssl
~/rpmbuild/BUILD/openssh-9.6p1/openssl ~/rpmbuild/BUILD/openssh-9.6p1
+ ./config shared zlib -fPIC
Operating system: x86_64-whatever-linux2
Configuring OpenSSL version 1.1.1v (0x1010116fL) for linux-x86_64
Using os-specific seed configuration
Creating configdata.pm
Creating Makefile**********************************************************************
*** ***
*** OpenSSL has been successfully configured ***
*** ***
*** If you encounter a problem while building, please open an ***
*** issue on GitHub <https://github.com/openssl/openssl/issues> ***
*** and include the output from the following command: ***
*** ***
*** perl configdata.pm --dump ***
*** ***
*** (If you are new to OpenSSL, you might want to consult the ***
*** 'Troubleshooting' section in the INSTALL file first) ***
*** ***
**********************************************************************
+ make -j2
/usr/bin/perl "-I." -Mconfigdata "util/dofile.pl" \"-oMakefile" include/crypto/bn_conf.h.in > include/crypto/bn_conf.h
/usr/bin/perl "-I." -Mconfigdata "util/dofile.pl" \"-oMakefile" include/crypto/dso_conf.h.in > include/crypto/dso_conf.h
...
处理文件:openssh-server-9.6p1-oe2203.x86_64
Provides: config(openssh-server) = 9.6p1-oe2203 openssh-server = 9.6p1-oe2203 openssh-server(x86-64) = 9.6p1-oe2203
Requires(interp): /bin/sh /bin/sh /bin/sh /bin/sh /bin/sh
Requires(rpmlib): rpmlib(CompressedFileNames) <= 3.0.4-1 rpmlib(FileDigests) <= 4.6.0-1 rpmlib(PayloadFilesHavePrefix) <= 4.0-1
Requires(pre): /bin/sh
Requires(post): /bin/sh
Requires(preun): /bin/sh
Requires(postun): /bin/sh
Requires: /bin/bash libc.so.6()(64bit) libc.so.6(GLIBC_2.14)(64bit) libc.so.6(GLIBC_2.16)(64bit) libc.so.6(GLIBC_2.17)(64bit) libc.so.6(GLIBC_2.2.5)(64bit) libc.so.6(GLIBC_2.25)(64bit) libc.so.6(GLIBC_2.26)(64bit) libc.so.6(GLIBC_2.3)(64bit) libc.so.6(GLIBC_2.3.2)(64bit) libc.so.6(GLIBC_2.3.4)(64bit) libc.so.6(GLIBC_2.33)(64bit) libc.so.6(GLIBC_2.34)(64bit) libc.so.6(GLIBC_2.4)(64bit) libc.so.6(GLIBC_2.6)(64bit) libc.so.6(GLIBC_2.7)(64bit) libc.so.6(GLIBC_2.8)(64bit) libcom_err.so.2()(64bit) libcrypt.so.1()(64bit) libcrypt.so.1(XCRYPT_2.0)(64bit) libgssapi_krb5.so.2()(64bit) libgssapi_krb5.so.2(gssapi_krb5_2_MIT)(64bit) libk5crypto.so.3()(64bit) libkrb5.so.3()(64bit) libkrb5.so.3(krb5_3_MIT)(64bit) libpam.so.0()(64bit) libpam.so.0(LIBPAM_1.0)(64bit) libz.so.1()(64bit) rtld(GNU_HASH)
Obsoletes: ssh-server
处理文件:openssh-debuginfo-9.6p1-oe2203.x86_64
Provides: openssh-debuginfo = 9.6p1-oe2203 openssh-debuginfo(x86-64) = 9.6p1-oe2203
Requires(rpmlib): rpmlib(CompressedFileNames) <= 3.0.4-1 rpmlib(FileDigests) <= 4.6.0-1 rpmlib(PayloadFilesHavePrefix) <= 4.0-1
Recommends: openssh-debugsource(x86-64) = 9.6p1-oe2203
处理文件:openssh-debugsource-9.6p1-oe2203.x86_64
Provides: openssh-debugsource = 9.6p1-oe2203 openssh-debugsource(x86-64) = 9.6p1-oe2203
Requires(rpmlib): rpmlib(CompressedFileNames) <= 3.0.4-1 rpmlib(FileDigests) <= 4.6.0-1 rpmlib(PayloadFilesHavePrefix) <= 4.0-1
检查未打包文件:/usr/lib/rpm/check-files /root/rpmbuild/BUILDROOT/openssh-9.6p1-oe2203.x86_64
已写至:/root/rpmbuild/RPMS/x86_64/openssh-debuginfo-9.6p1-oe2203.x86_64.rpm
已写至:/root/rpmbuild/RPMS/x86_64/openssh-9.6p1-oe2203.x86_64.rpm
已写至:/root/rpmbuild/RPMS/x86_64/openssh-server-9.6p1-oe2203.x86_64.rpm
已写至:/root/rpmbuild/RPMS/x86_64/openssh-debugsource-9.6p1-oe2203.x86_64.rpm
已写至:/root/rpmbuild/RPMS/x86_64/openssh-clients-9.6p1-oe2203.x86_64.rpm
正在执行(%clean):/bin/sh -e /var/tmp/rpm-tmp.2ymafB
+ umask 022
+ cd /root/rpmbuild/BUILD
+ cd openssh-9.6p1
+ rm -rf /root/rpmbuild/BUILDROOT/openssh-9.6p1-oe2203.x86_64
+ RPM_EC=0
++ jobs -p
+ exit 0
[root@localhost SPECS]#
4、保存最终文件
[root@localhost SPECS]# cd /opt
[root@localhost opt]# mkdir openssh-9.6p1-oe2203
[root@localhost opt]# cd openssh-9.6p1-oe2203/
[root@localhost openssh-9.6p1-oe2203]# cp /root/rpmbuild/RPMS/x86_64/*.rpm .
[root@localhost openssh-9.6p1-oe2203]# ll
总用量 16M
-rw-r--r--. 1 root root 4.7M 1月 29 17:25 openssh-9.6p1-oe2203.x86_64.rpm
-rw-r--r--. 1 root root 4.9M 1月 29 17:25 openssh-clients-9.6p1-oe2203.x86_64.rpm
-rw-r--r--. 1 root root 4.0M 1月 29 17:25 openssh-debuginfo-9.6p1-oe2203.x86_64.rpm
-rw-r--r--. 1 root root 786K 1月 29 17:25 openssh-debugsource-9.6p1-oe2203.x86_64.rpm
-rw-r--r--. 1 root root 1.5M 1月 29 17:25 openssh-server-9.6p1-oe2203.x86_64.rpm
三、升级测试
1、更新程序
[root@localhost openssh-9.6p1-oe2203]# yum update *
OS 14 kB/s | 3.8 kB 00:00
everything 13 kB/s | 3.8 kB 00:00
EPOL 11 kB/s | 3.0 kB 00:00
debuginfo 27 kB/s | 3.8 kB 00:00
source 20 kB/s | 3.8 kB 00:00
update 8.5 kB/s | 3.5 kB 00:00
Package openssh-debuginfo not installed, cannot update it.
No match for argument: openssh-debuginfo-9.6p1-oe2203.x86_64.rpm
Package openssh-debugsource not installed, cannot update it.
No match for argument: openssh-debugsource-9.6p1-oe2203.x86_64.rpm
Dependencies resolved.
=========================================================================================================================================================Package Architecture Version Repository Size
=========================================================================================================================================================
Upgrading:openssh x86_64 9.6p1-oe2203 @commandline 4.7 Mopenssh-clients x86_64 9.6p1-oe2203 @commandline 4.8 Mopenssh-server x86_64 9.6p1-oe2203 @commandline 1.5 MTransaction Summary
=========================================================================================================================================================
Upgrade 3 PackagesTotal size: 11 M
Is this ok [y/N]: y
Downloading Packages:
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transactionPreparing : 1/1 Running scriptlet: openssh-9.6p1-oe2203.x86_64 1/1 Upgrading : openssh-9.6p1-oe2203.x86_64 1/6 Upgrading : openssh-clients-9.6p1-oe2203.x86_64 2/6 Running scriptlet: openssh-server-9.6p1-oe2203.x86_64 3/6 Upgrading : openssh-server-9.6p1-oe2203.x86_64 3/6
警告:/etc/ssh/sshd_config 已建立为 /etc/ssh/sshd_config.rpmnew Running scriptlet: openssh-server-9.6p1-oe2203.x86_64 3/6 Cleanup : openssh-clients-8.8p1-2.oe2203.x86_64 4/6 Cleanup : openssh-8.8p1-2.oe2203.x86_64 5/6 Running scriptlet: openssh-server-8.8p1-2.oe2203.x86_64 6/6 Cleanup : openssh-server-8.8p1-2.oe2203.x86_64 6/6 Running scriptlet: openssh-server-8.8p1-2.oe2203.x86_64 6/6 Verifying : openssh-9.6p1-oe2203.x86_64 1/6 Verifying : openssh-8.8p1-2.oe2203.x86_64 2/6 Verifying : openssh-clients-9.6p1-oe2203.x86_64 3/6 Verifying : openssh-clients-8.8p1-2.oe2203.x86_64 4/6 Verifying : openssh-server-9.6p1-oe2203.x86_64 5/6 Verifying : openssh-server-8.8p1-2.oe2203.x86_64 6/6 Upgraded:openssh-9.6p1-oe2203.x86_64 openssh-clients-9.6p1-oe2203.x86_64 openssh-server-9.6p1-oe2203.x86_64 Complete!
2、更新配置文件
说明:sshd_config.rpmnew 是本次 rpm 自带的新默认配置,其末尾带有 spec 文件 %install 阶段追加的四行(PubkeyAcceptedAlgorithms +ssh-rsa、UsePAM yes、PermitRootLogin yes、UseDNS no)。用它直接覆盖现有配置前,请核对允许 root 直接登录、重新启用 ssh-rsa 这两项是否符合所在环境的安全基线,并确认原配置中的自定义项不会丢失。
[root@localhost openssh-9.6p1-oe2203]# ll /etc/ssh/sshd_config*
-rw-------. 1 root root 4.8K 5月 5 2023 /etc/ssh/sshd_config
-rw-------. 1 root root 3.2K 1月 29 17:08 /etc/ssh/sshd_config.rpmnew
[root@localhost openssh-9.6p1-oe2203]# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.v8.8p1.bak
[root@localhost openssh-9.6p1-oe2203]# cp /etc/ssh/sshd_config.rpmnew /etc/ssh/sshd_config
cp:是否覆盖'/etc/ssh/sshd_config'? y
[root@localhost openssh-9.6p1-oe2203]# ll /etc/ssh/sshd_config*
-rw-------. 1 root root 3.2K 1月 29 17:28 /etc/ssh/sshd_config
-rw-------. 1 root root 3.2K 1月 29 17:08 /etc/ssh/sshd_config.rpmnew
-rw-------. 1 root root 4.8K 1月 29 17:28 /etc/ssh/sshd_config.v8.8p1.bak
3、重启服务测试
[root@localhost openssh-9.6p1-oe2203]# systemctl restart sshd
[root@localhost openssh-9.6p1-oe2203]# systemctl status sshd
● sshd.service - SYSV: OpenSSH server daemonLoaded: loaded (/etc/rc.d/init.d/sshd; generated)Active: active (running) since Mon 2024-01-29 17:29:49 CST; 1s agoDocs: man:systemd-sysv-generator(8)Process: 32037 ExecStart=/etc/rc.d/init.d/sshd start (code=exited, status=0/SUCCESS)Main PID: 32046 (sshd)Tasks: 11 (limit: 4172)Memory: 195.9MCGroup: /system.slice/sshd.service├─ 1500 "sshd: AAAA [priv]" "" "" ""├─ 1504 "sshd: AAAA@notty" "" "" "" ""├─ 1505 /usr/libexec/openssh/sftp-server -l INFO -f AUTH├─ 1794 "sshd: AAAA [priv]" "" "" ""├─ 1824 "sshd: AAAA@pts/0" "" "" "" ""├─ 1825 -bash├─ 1884 su -├─ 1885 -bash├─32046 "sshd: /usr/sbin/sshd [listener] 0 of 10-100 startups"├─32048 systemctl status sshd└─32049 less1月 29 17:29:49 localhost.localdomain systemd[1]: Starting SYSV: OpenSSH server daemon...
1月 29 17:29:49 localhost.localdomain sshd[32043]: /sbin/restorecon: lstat(/etc/ssh/ssh_host_dsa_key.pub) failed: No such file or directory
1月 29 17:29:49 localhost.localdomain sshd[32046]: Server listening on 0.0.0.0 port 22.
1月 29 17:29:49 localhost.localdomain sshd[32046]: Server listening on :: port 22.
1月 29 17:29:49 localhost.localdomain sshd[32037]: Starting sshd:[ 确定 ]
1月 29 17:29:49 localhost.localdomain systemd[1]: Started SYSV: OpenSSH server daemon.
4、提示信息消除
服务正常,有一异常提示“/sbin/restorecon: lstat(/etc/ssh/ssh_host_dsa_key.pub) failed: No such file or directory”。该提示应来自随包安装的 contrib/redhat/sshd.init 启动脚本对 DSA 主机密钥路径执行 restorecon,并不影响服务;OpenSSH 9.6 默认已不使用 DSA 主机密钥,下面 touch 出的空文件只是为了消除提示,并非真正的密钥。消除该提示:
[root@localhost openssh-9.6p1-oe2203]# touch /etc/ssh/ssh_host_dsa_key.pub
[root@localhost openssh-9.6p1-oe2203]# systemctl restart sshd
[root@localhost openssh-9.6p1-oe2203]# systemctl status sshd
● sshd.service - SYSV: OpenSSH server daemonLoaded: loaded (/etc/rc.d/init.d/sshd; generated)Active: active (running) since Mon 2024-01-29 17:31:28 CST; 1s agoDocs: man:systemd-sysv-generator(8)Process: 32303 ExecStart=/etc/rc.d/init.d/sshd start (code=exited, status=0/SUCCESS)Main PID: 32312 (sshd)Tasks: 11 (limit: 4172)Memory: 195.9MCGroup: /system.slice/sshd.service├─ 1500 "sshd: AAAA [priv]" "" "" ""├─ 1504 "sshd: AAAA@notty" "" "" "" ""├─ 1505 /usr/libexec/openssh/sftp-server -l INFO -f AUTH├─ 1794 "sshd: AAAA [priv]" "" "" ""├─ 1824 "sshd: AAAA@pts/0" "" "" "" ""├─ 1825 -bash├─ 1884 su -├─ 1885 -bash├─32312 "sshd: /usr/sbin/sshd [listener] 0 of 10-100 startups"├─32340 systemctl status sshd└─32341 less1月 29 17:31:28 localhost.localdomain systemd[1]: Starting SYSV: OpenSSH server daemon...
1月 29 17:31:28 localhost.localdomain sshd[32312]: Server listening on 0.0.0.0 port 22.
1月 29 17:31:28 localhost.localdomain sshd[32312]: Server listening on :: port 22.
1月 29 17:31:28 localhost.localdomain sshd[32303]: Starting sshd:[ 确定 ]
1月 29 17:31:28 localhost.localdomain systemd[1]: Started SYSV: OpenSSH server daemon.
5、远程发起重新连接,验证登录正常。