redhat用脚本升级openssh到7.9
因漏洞扫描发现openssh存在漏洞，基于安全考虑，需要将openssh升级为openssh_7.9p1
本文以redhat6.9为例,且需要yum源能使用,如果红帽没有授权,可以更换为centos的yum源,可以看我以前的文章:《RedHat6使用CentOS yum源》
脚本全文如下:
#################################################################
###### Warning:start telnet service before use the script
#################################################################
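# Job name, timestamp and log file; every step below appends to ${Log}.
Task="update_openssh"
DATE=$(date +%F_%T)
Log="/tmp/${Task}.log"
# Major release number from /etc/redhat-release, e.g. "6" out of
# "... release 6.9 (Santiago)": second-to-last field, part before the dot.
OS_Version=$(awk '{print $(NF-1)}' /etc/redhat-release | awk -F'.' '{print $1}')
OS_Bit=$(getconf LONG_BIT)
# Versions and download locations the RHEL 6 source build is pinned to.
Zlib_Version="1.2.3"
Openssl_Version="openssl-1.0.2q"
Openssh_Version="openssh-7.9p1"
Openssl_Addr="https://www.openssl.org/source/openssl-1.0.2q.tar.gz"
Openssh_Addr="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.9p1.tar.gz"
# Options: -n <name> is only used in log messages; -v <version> is the
# target compared against `ssh -V` (e.g. 7.9) and is required.
Update_Name=""
Update_Version=""
while getopts ":n:v:" opt; do
  case "${opt}" in
    n) Update_Name=${OPTARG} ;;
    v) Update_Version=${OPTARG} ;;
    :)
      echo "Option -${OPTARG} requires an argument" >> "${Log}"
      exit 1
      ;;
    \?)
      # The leading ':' in the optstring makes getopts silent and puts the
      # offending letter in OPTARG (without it the message printed nothing).
      echo "Invalid option: ${OPTARG}" >> "${Log}"
      exit 1
      ;;
  esac
done
printf '%s\n\n' "---- ${DATE} ${Task} Begin ---- " >> "${Log}"
# Without -v the version comparison has nothing to compare against.
if [ -z "${Update_Version}" ]; then
  echo "usage: ${0##*/} -n <package name> -v <target version>" >> "${Log}"
  echo "---- ${DATE} ${Task} End ---- " >> "${Log}"
  exit 1
fi
Update_Name=${Update_Name:-openssh}
# Must be the root user
if [ "$(id -u)" -ne 0 ]; then
  echo "sorry,only root can execute the script. " >> "${Log}"
  echo "---- ${DATE} ${Task} End ---- " >> "${Log}"
  exit 1
fi
# SELinux is set permissive for this boot and to disabled in
# /etc/selinux/config, so the change persists across reboots. The script
# never reverts this; re-enable enforcing once the new sshd is verified.
Selinux=$(getenforce 2>/dev/null)
if [ "${Selinux}" = "Enforcing" ]; then
  setenforce 0
  sed -i '/SELINUX=enforcing/s/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
  echo "The selinux is set Permissive. " >> "${Log}"
fi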
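#######################################
# True when version $1 is equal to or newer than $2. Both are dotted
# numeric strings; `sort -V` orders 7.10 after 7.9, whereas the previous
# `expr \>` string comparison put 7.10 before 7.9.
# Arguments: $1 - installed version, $2 - target version
# Returns:   0 when $1 >= $2, 1 otherwise (an empty $1 is never >=)
#######################################
_version_ge(){
  local newest
  newest=$(printf '%s\n' "$1" "$2" | sort -V | tail -n 1)
  [ -n "$1" ] && [ "${newest}" = "$1" ]
}

#######################################
# Compare the installed OpenSSH with ${Update_Version}.
# Globals:   Update_Version, Update_Name, Log, DATE, Task (read)
#            Version_Num (written; callers use it in log messages)
# Returns:   2 when the installed version is older than the target;
#            logs and exits 1 when it is already equal or newer
#######################################
Check_Version(){
  local banner
  # `ssh -V` reports on stderr, e.g. "OpenSSH_7.4p1, OpenSSL 1.0.2k-fips ...".
  banner=$(ssh -V 2>&1)
  banner=${banner%%,*}
  banner=${banner#OpenSSH_}
  # Keep only the leading digits and dots: "7.4p1" -> "7.4".
  Version_Num=$(printf '%s\n' "${banner}" | grep -o '^[0-9][.0-9]*')
  if _version_ge "${Version_Num}" "${Update_Version}"; then
    printf '\nThe Version of the %s is %s,It is newest!\n\n' \
      "${Update_Name}" "${Version_Num}" >> "${Log}"
    printf '\n---- %s %s End ---- \n\n' "${DATE}" "${Task}" >> "${Log}"
    exit 1
  fi
  return 2
}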
#######################################
# RHEL 7 path: let yum upgrade the packaged openssh, then re-check.
# Globals:   Log, Update_Name, Update_Version, DATE, Task (read);
#            Version_Num (set by Check_Version)
# Returns:   0 when the target version is reached; exits 1 (after logging)
#            when the installed version is still below the target
#######################################
rhel7_update(){
  local rv
  # Exits the script right here when the target is already installed.
  Check_Version
  yum -y update openssh >> "${Log}" 2>&1
  rv=0
  Check_Version || rv=$?
  if [ "${rv}" -ne 2 ]; then
    return 0
  fi
  printf '\nThe Version of the %s is %s,It is not update to %s!\n\n' \
    "${Update_Name}" "${Version_Num}" "${Update_Version}" >> "${Log}"
  printf '\n---- %s %s End ---- \n\n' "${DATE}" "${Task}" >> "${Log}"
  exit 1
}
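#######################################
# Verify a downloaded archive against a pinned SHA-256 digest.
# Arguments: $1 - path to the archive
#            $2 - expected hex digest; an empty string skips the check
# Returns:   0 when the digest matches (or none was supplied), 1 otherwise
#######################################
_verify_sha256(){
  local file=$1 expected=$2 actual
  [ -n "${expected}" ] || return 0
  actual=$(sha256sum -- "${file}" 2>/dev/null | awk '{print $1}')
  [ "${actual}" = "${expected}" ]
}

#######################################
# RHEL 6 path: refresh zlib via yum, then build OpenSSL 1.0.2q and
# OpenSSH 7.9p1 from source and install both under /usr.
# Globals:   Zlib_Version, Openssl_Version, Openssh_Version, Openssl_Addr,
#            Openssh_Addr, OS_Bit, Update_Version, Update_Name, Log, DATE,
#            Task (read); Version_Num via Check_Version.
#            Openssl_Sha256 / Openssh_Sha256 (optional, read if set in the
#            environment or at the top of the script): SHA-256 digests of
#            the two tarballs as published by the projects; empty = no check.
# Outputs:   progress and command output appended to ${Log}
# Returns:   exits 1 on any failed step; returns normally on success
# Notes:     each source tree is downloaded and built (configure + make)
#            BEFORE the packaged version is removed, so a failed download
#            or build leaves the host with its working openssl/sshd. The
#            old packages are removed with --nodeps and the new builds are
#            not rpm-managed, so yum will not track them afterwards.
#######################################
rhel6_update(){
  local openssl_tar openssh_tar rv
  openssl_tar="/tmp/$(basename "${Openssl_Addr}")"
  openssh_tar="/tmp/$(basename "${Openssh_Addr}")"

  Check_Version

  # Bail out before touching OpenSSL if the requested target is not the
  # version this script builds (previously checked only after OpenSSL had
  # already been replaced).
  if ! echo "${Openssh_Version}" | grep -qF -- "${Update_Version}"; then
    printf '\nThe script does not suitable the Version of the %s,It is for %s\n\n' \
      "${Update_Name}" "${Openssh_Version}" >> "${Log}"
    printf '\n---- %s %s End ---- \n\n' "${DATE}" "${Task}" >> "${Log}"
    exit 1
  fi

  yum -y install gcc pam-devel zlib-devel >> "${Log}" 2>&1

  # zlib
  if rpm -q zlib | grep -q -- "${Zlib_Version}"; then
    printf '\nThe Version of the Zlib is %s\n\n' "${Zlib_Version}" >> "${Log}"
  else
    yum -y update zlib >> "${Log}" 2>&1
  fi

  # OpenSSL
  if openssl version 2>/dev/null | grep -q "1.0.2q"; then
    printf '\nThe Version of the openssl is 1.0.2q\n\n' >> "${Log}"
  else
    # Download and build before the packaged OpenSSL is removed: wget itself
    # links against libssl.so.10, which goes away with the rpm.
    if ! wget -P /tmp/ "${Openssl_Addr}" >> "${Log}" 2>&1; then
      printf '\nDownload of %s failed\n\n' "${Openssl_Addr}" >> "${Log}"
      exit 1
    fi
    if ! _verify_sha256 "${openssl_tar}" "${Openssl_Sha256:-}"; then
      printf '\nChecksum mismatch for %s\n\n' "${openssl_tar}" >> "${Log}"
      exit 1
    fi
    cd /tmp/ || exit 1
    tar -xf "${openssl_tar}" 2>>"${Log}" || exit 1
    cd "${Openssl_Version}" || exit 1
    if ! { ./config --prefix=/usr --openssldir=/etc/ssl --shared zlib >> "${Log}" 2>&1 \
           && make >/dev/null 2>>"${Log}"; }; then
      printf '\nBuild of %s failed\n\n' "${Openssl_Version}" >> "${Log}"
      exit 1
    fi
    # Retire the packaged OpenSSL only now: keep .old copies of the binary
    # and the shared libraries, then drop every openssl rpm without
    # dependency checks. -type f limits the rename to files; the original
    # pattern also renamed directories called "openssl" (e.g. header trees).
    find / -name openssl -type f -print0 | xargs -0 -I {} mv {} {}.old >> "${Log}" 2>&1
    if [ "${OS_Bit}" = 64 ]; then
      cp /usr/lib64/libcrypto.so.10 /usr/lib64/libcrypto.so.10.old >> "${Log}" 2>&1
      cp /usr/lib64/libssl.so.10 /usr/lib64/libssl.so.10.old >> "${Log}" 2>&1
    else
      cp /usr/lib/libcrypto.so.10 /usr/lib/libcrypto.so.10.old >> "${Log}" 2>&1
      cp /usr/lib/libssl.so.10 /usr/lib/libssl.so.10.old >> "${Log}" 2>&1
    fi
    # NOTE(review): programs linked against libssl.so.10 / libcrypto.so.10
    # (yum, curl, wget, python) lose those files here and the source build
    # does not recreate them — confirm on a test host before relying on this.
    rpm -qa | grep openssl | xargs -r -I {} rpm -e --nodeps {} >> "${Log}" 2>&1
    make install >/dev/null 2>>"${Log}"
    if openssl version 2>/dev/null | grep -q "1.0.2q"; then
      printf '\nThe Version of the openssl is update to 1.0.2q success!\n\n' >> "${Log}"
    else
      printf '\nThe Version of the openssl is update to 1.0.2q failed!\n\n' >> "${Log}"
      exit 1
    fi
  fi

  # OpenSSH: download and build while the old sshd is still serving; it is
  # stopped and removed only once `make` has succeeded.
  if ! wget -P /tmp/ "${Openssh_Addr}" >> "${Log}" 2>&1; then
    printf '\nDownload of %s failed\n\n' "${Openssh_Addr}" >> "${Log}"
    exit 1
  fi
  if ! _verify_sha256 "${openssh_tar}" "${Openssh_Sha256:-}"; then
    printf '\nChecksum mismatch for %s\n\n' "${openssh_tar}" >> "${Log}"
    exit 1
  fi
  cd /tmp/ || exit 1
  tar -xf "${openssh_tar}" 2>>"${Log}" || exit 1
  cd "${Openssh_Version}" || exit 1
  if ! { ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam \
           --with-zlib --with-openssl-includes=/usr --with-privsep-path=/var/lib/sshd \
           >> "${Log}" 2>&1 && make >/dev/null 2>>"${Log}"; }; then
    printf '\nBuild of %s failed; the installed sshd was left untouched\n\n' \
      "${Openssh_Version}" >> "${Log}"
    exit 1
  fi
  service sshd stop >> "${Log}" 2>&1
  # The old configuration is kept at /etc/ssh.old; `make install` lays down
  # a fresh sshd_config and host keys in the now-empty /etc/ssh.
  mv /etc/ssh /etc/ssh.old >> "${Log}" 2>&1
  rpm -qa | grep openssh | xargs -r -I {} rpm -e --nodeps {} >> "${Log}" 2>&1
  # Privilege-separation directory (matches --with-privsep-path above).
  install -m700 -d /var/lib/sshd >> "${Log}" 2>&1
  chown root:sys /var/lib/sshd >> "${Log}" 2>&1
  usermod -d /var/lib/sshd sshd >> "${Log}" 2>&1
  make install >/dev/null 2>>"${Log}"
  install -m755 contrib/ssh-copy-id /usr/bin
  install -m644 contrib/ssh-copy-id.1 /usr/share/man/man1
  install -m755 -d "/usr/share/doc/${Openssh_Version}"
  install -m644 INSTALL LICENCE OVERVIEW README* "/usr/share/doc/${Openssh_Version}"
  # Both lines weaken the upstream defaults (X11Forwarding no,
  # PermitRootLogin prohibit-password). "PermitRootLogin yes" re-opens
  # password logins as root; restrict it again once the upgrade is verified.
  echo 'X11Forwarding yes' >> /etc/ssh/sshd_config
  echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
  cp -p contrib/redhat/sshd.init /etc/init.d/sshd
  # Comments out the restorecon of ssh_host_key.pub in the bundled init
  # script (kept from the original; presumably because that SSH-1 key is
  # never generated by this build — confirm).
  sed -i '/ssh_host_key.pub/s@/sbin/restorecon /etc/ssh/ssh_host_key.pub@# /sbin/restorecon /etc/ssh/ssh_host_key.pub@' /etc/init.d/sshd
  chmod +x /etc/init.d/sshd
  chkconfig --add sshd
  chkconfig sshd on
  service sshd start >> "${Log}" 2>&1
  rv=0
  Check_Version || rv=$?
  if [ "${rv}" -eq 2 ]; then
    printf '\nThe Version of the %s is %s,It is not update to %s!\n\n' \
      "${Update_Name}" "${Version_Num}" "${Update_Version}" >> "${Log}"
    printf '\n---- %s %s End ---- \n\n' "${DATE}" "${Task}" >> "${Log}"
    exit 1
  fi
}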
# Dispatch on the major release detected at the top of the script.
case "${OS_Version}" in
  6) rhel6_update ;;
  7) rhel7_update ;;
  *)
    printf '%s\n' "The operating system is not suitable " >> "${Log}"
    printf '%s\n' "---- ${DATE} ${Task} End ---- " >> "${Log}"
    exit 1
    ;;
esac
将上述代码复制进脚本后执行，效果如图：
另外权限不够的话要赋予脚本执行的权限:
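# Executable by its owner only: the script runs as root and rewrites sshd's
# configuration, so it must not be writable by other users (777 would let
# any local account edit it before it is run).
chmod 700 update_openssh.sh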
脚本文件见附件