redhat用脚本升级openssh到7.9

坚古运维 发表于 2019/01/17 18:43:37 2019/01/17
【摘要】 因漏洞扫描发现openssh存在漏洞,基于安全考虑,需要将openssh升级为openssh_7.9p1。本文以redhat6.9为例,脚本全文如下。

因漏洞扫描发现openssh存在漏洞,基于安全考虑,需要将openssh升级为openssh_7.9p1。

本文以redhat6.9为例,且需要yum源可用;如果红帽没有授权,可以更换为centos的yum源,方法可参考我以前的文章:RedHat6使用CentOS yum源。


脚本全文如下:



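#!/bin/bash
#################################################################
######  Warning: start the telnet service before running this script.
######  sshd is stopped and replaced while it runs, so an out-of-band
######  login is the only way back in if a step fails.
#################################################################
# update_openssh: upgrade OpenSSH (and, on RHEL 6, zlib/OpenSSL) to the
# versions pinned below.
# Usage:     update_openssh.sh -n openssh -v 7.9
# Requires:  root, a usable yum repository, outbound HTTPS to the two
#            download addresses below.
# Outputs:   everything is appended to ${Log}; nothing goes to the console.
Task="update_openssh"

DATE=$(date +%F_%T)
Log="/tmp/${Task}.log"

# The log is appended to as root at a fixed, world-known path under /tmp.
# Refuse to follow a pre-existing symlink so an unprivileged local user
# cannot redirect root's writes elsewhere.  This narrows the race rather
# than closing it; a root-only log directory would be the full fix.
if [ -L "${Log}" ]; then
  printf 'Refusing to write log: %s is a symlink\n' "${Log}" >&2
  exit 1
fi

# Major release, e.g. "6".  Assumes the version is the second-to-last
# field of /etc/redhat-release ("... release 6.9 (Santiago)") — verify on
# other spins before relying on it.
OS_Version=$(gawk '{split($(NF-1), v, "."); print v[1]}' /etc/redhat-release)
OS_Bit=$(getconf LONG_BIT)

readonly Zlib_Version="1.2.3"
readonly Openssl_Version="openssl-1.0.2q"
readonly Openssh_Version="openssh-7.9p1"
readonly Openssl_Addr="https://www.openssl.org/source/openssl-1.0.2q.tar.gz"
readonly Openssh_Addr="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.9p1.tar.gz"

# -n: package name used in log messages (defaults to openssh)
# -v: target version as dotted digits, e.g. 7.9 (required)
Update_Name=""
Update_Version=""
# Leading ':' puts getopts in silent mode so OPTARG actually carries the
# offending option character in the ':' and '?' arms (without it OPTARG is
# unset there and the logged message was always "Invalid option: ").
while getopts ":n:v:" opt; do
  case "$opt" in
    n)
      Update_Name=$OPTARG
      ;;
    v)
      Update_Version=$OPTARG
      ;;
    :)
      printf '%s\n' "Option -$OPTARG requires an argument" >> "${Log}"
      exit 1
      ;;
    \?)
      printf '%s\n' "Invalid option: $OPTARG" >> "${Log}"
      exit 1
      ;;
  esac
done

# Without -v the later version comparison and the "is this the right
# tarball" check run against an empty string; fail early instead.
if [ -z "${Update_Version}" ]; then
  printf 'Usage: %s -n <name> -v <version>  (e.g. -n openssh -v 7.9)\n' "${0##*/}" >&2
  printf '%s\n' "Missing required option -v <version>" >> "${Log}"
  exit 1
fi
: "${Update_Name:=openssh}"

printf '%s\n\n' "---- ${DATE} ${Task} Begin ---- " >> "${Log}"

# Must be the root user
if [ "$(id -u)" -ne 0 ]; then
  printf '%s\n' "sorry,only root can execute the script. " >> "${Log}"
  printf '%s\n' "---- ${DATE} ${Task} End ---- " >> "${Log}"
  exit 1
fi

# SET SELINUX=disabled
# NOTE(review): this disables SELinux persistently in /etc/selinux/config,
# not just for this run — presumably because the self-built sshd is not
# covered by the distro policy.  That is a host-wide hardening loss;
# confirm it is acceptable before rolling the script out.
Selinux=$(getenforce)
if [ "$Selinux" = "Enforcing" ]; then
  setenforce 0
  sed -i '/SELINUX=enforcing/s/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
  printf '%s\n' "The selinux is set Permissive. " >> "${Log}"
fi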

 

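#######################################
# _version_ge A B: true when dotted version A is >= B.
# Fields are compared numerically one by one, so 7.10 > 7.9 and
# 10.0 > 7.9 (a plain string/expr comparison gets both wrong).
# Non-digit characters inside a field are ignored ("9p1" -> 9);
# missing trailing fields count as 0.
#######################################
_version_ge(){
    local -a a b
    local i n x y
    IFS=. read -r -a a <<<"$1"
    IFS=. read -r -a b <<<"$2"
    n=${#a[@]}
    if [ "${#b[@]}" -gt "$n" ]; then
        n=${#b[@]}
    fi
    for (( i = 0; i < n; i++ )); do
        x=${a[i]:-0}; x=${x//[!0-9]/}; x=${x:-0}
        y=${b[i]:-0}; y=${y//[!0-9]/}; y=${y:-0}
        # 10# forces decimal so "08" is not read as octal.
        if (( 10#$x > 10#$y )); then
            return 0
        fi
        if (( 10#$x < 10#$y )); then
            return 1
        fi
    done
    return 0
}

#######################################
# Compare the installed OpenSSH version with ${Update_Version}.
# Globals:  Update_Name, Update_Version, Log, DATE, Task (read)
#           Last_Version, Version_Num (written; Version_Num is the
#           leading dotted-digit part, e.g. "7.4" from "OpenSSH_7.4p1")
# Returns:  2 when the installed version is older than ${Update_Version}.
#           When it is already equal or newer the function logs and
#           exits 1 — callers therefore only ever see a return of 2.
# NOTE(review): the "already newest" path exits 1 as in the original, so
#           a successful run is not distinguishable from a failure by exit
#           status alone; consumers must read the log.
#######################################
Check_Version(){
    # "OpenSSH_7.4p1, OpenSSL 1.0.2k ..." -> "OpenSSH_7.4p1"
    Last_Version=$(ssh -V 2>&1)
    Last_Version=${Last_Version%%,*}
    # Leading digits and dots after the "OpenSSH_" prefix; empty when
    # ssh is missing or prints something unexpected.
    Version_Num=""
    if [[ "${Last_Version#OpenSSH_}" =~ ^[0-9][.0-9]* ]]; then
        Version_Num=${BASH_REMATCH[0]}
    fi

    if _version_ge "${Version_Num}" "${Update_Version}"; then
        printf '\nThe Version of the %s is %s,It is newest!\n\n' "${Update_Name}" "${Version_Num}" >> "${Log}"
        printf '\n%s\n\n' "---- ${DATE} ${Task} End ---- " >> "${Log}"
        exit 1
    fi
    return 2
}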

 

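#######################################
# RHEL 7 path: let yum upgrade the packaged openssh, then re-check.
# NOTE(review): this only reaches ${Update_Version} if the configured
# repository actually carries that version; otherwise the second
# Check_Version returns 2 and the script exits 1 with "not update".
# Globals:  Log, DATE, Task, Update_Name, Update_Version (read)
#           Version_Num (read, set by Check_Version)
# Returns:  never returns 0 in practice — Check_Version exits 1 once the
#           target is reached; exits 1 (after logging) on failure.
#######################################
rhel7_update(){
    Check_Version          # exits 1 if already at or above the target
    # A failed yum run is not fatal by itself — the re-check below decides —
    # but record it so the log explains why the version did not move.
    if ! yum -y update openssh >> "${Log}" 2>&1; then
        printf '\nyum update openssh returned non-zero, see output above\n\n' >> "${Log}"
    fi
    Check_Version
    if [ $? -eq 2 ]; then
        printf '\nThe Version of the %s is %s,It is not update to %s!\n\n' "${Update_Name}" "${Version_Num}" "${Update_Version}" >> "${Log}"
        printf '\n%s\n\n' "---- ${DATE} ${Task} End ---- " >> "${Log}"
        exit 1
    fi
}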

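#######################################
# Log a message plus the "End" banner and exit 1.
# Arguments: $1 - message
# Globals:   Log, DATE, Task (read)
#######################################
_rhel6_abort(){
    printf '\n%s\n\n' "$1" >> "${Log}"
    printf '\n%s\n\n' "---- ${DATE} ${Task} End ---- " >> "${Log}"
    exit 1
}

#######################################
# Download a source tarball into the build directory and, when an
# expected SHA-256 is supplied, verify it before anything unpacks it.
# HTTPS alone only authenticates the mirror, not that the archive is the
# one the operator intends to build, so pin the published checksum.
# Arguments: $1 - URL; $2 - build directory; $3 - expected sha256 (optional)
# Globals:   Log (read)
# Returns:   0 on success, 1 on download or checksum failure (logged)
#######################################
_rhel6_fetch(){
    local url=$1 dir=$2 sum=${3:-}
    local file="${dir}/${url##*/}"
    if ! wget -O "${file}" "${url}" >> "${Log}" 2>&1; then
        printf '\nDownload of %s failed\n\n' "${url}" >> "${Log}"
        return 1
    fi
    if [ -n "${sum}" ]; then
        if ! printf '%s  %s\n' "${sum}" "${file}" | sha256sum -c - >> "${Log}" 2>&1; then
            printf '\nChecksum mismatch for %s\n\n' "${file}" >> "${Log}"
            return 1
        fi
    else
        printf '\nWARNING: no checksum pinned for %s; archive was not verified\n\n' "${url}" >> "${Log}"
    fi
    return 0
}

#######################################
# Ensure zlib is at ${Zlib_Version}, upgrading via yum when it is not.
# Globals: Zlib_Version, Log (read)
#######################################
_rhel6_update_zlib(){
    if rpm -q zlib | grep -F -- "${Zlib_Version}" >/dev/null 2>&1; then
        printf '\nThe Version of the Zlib is %s\n\n' "${Zlib_Version}" >> "${Log}"
    else
        yum -y update zlib >> "${Log}" 2>&1
    fi
}

#######################################
# Replace the packaged OpenSSL with a source build of ${Openssl_Version}.
# The tree is configured and compiled BEFORE the installed OpenSSL is
# touched, so a failed download/build leaves the host as it was.
# NOTE(review): the destructive half keeps the original approach — every
# path literally named "openssl" is renamed to *.old, the packaged
# libssl/libcrypto are copied to *.old and the RPMs removed with
# --nodeps.  Anything still linked against libssl.so.10/libcrypto.so.10
# (yum's own stack included) may stop loading afterwards unless those
# names are provided again; confirm on a test host before production.
# Arguments: $1 - build directory
# Globals:   Openssl_Addr, Openssl_Version, OS_Bit, Log (read)
# Returns:   0 when "openssl version" reports 1.0.2q; exits 1 otherwise
#######################################
_rhel6_update_openssl(){
    local build_dir=$1
    local libdir=/usr/lib
    if openssl version | grep -F "1.0.2q" >/dev/null 2>&1; then
        printf '\nThe Version of the openssl is 1.0.2q\n\n' >> "${Log}"
        return 0
    fi

    _rhel6_fetch "${Openssl_Addr}" "${build_dir}" "${OPENSSL_SHA256:-}" \
        || _rhel6_abort "Fetching ${Openssl_Version} failed"
    tar -axf "${build_dir}/${Openssl_Addr##*/}" -C "${build_dir}" >/dev/null 2>>"${Log}" \
        || _rhel6_abort "Unpacking ${Openssl_Version} failed"
    cd "${build_dir}/${Openssl_Version}" \
        || _rhel6_abort "Source tree ${Openssl_Version} not found after unpack"
    ./config --prefix=/usr --openssldir=/etc/ssl --shared zlib >> "${Log}" 2>&1 \
        || _rhel6_abort "config of ${Openssl_Version} failed"
    make >/dev/null 2>>"${Log}" \
        || _rhel6_abort "build of ${Openssl_Version} failed"

    # From here on the system OpenSSL is dismantled.  The build directory
    # is pruned so the freshly built apps/openssl and include/openssl in
    # the source tree are not renamed out from under "make install".
    find / -path "${build_dir}" -prune -o -name openssl -print0 \
        | xargs -0 -I {} mv {} {}.old >> "${Log}" 2>&1
    if [ "${OS_Bit}" -eq 64 ]; then
        libdir=/usr/lib64
    fi
    cp "${libdir}/libcrypto.so.10" "${libdir}/libcrypto.so.10.old" >> "${Log}" 2>&1
    cp "${libdir}/libssl.so.10" "${libdir}/libssl.so.10.old" >> "${Log}" 2>&1
    rpm -qa | grep openssl | xargs -i rpm -e --nodeps {} >> "${Log}" 2>&1

    make install >/dev/null 2>>"${Log}"
    if openssl version | grep -F "1.0.2q" >/dev/null 2>&1; then
        printf '\nThe Version of the openssl is update to 1.0.2q success!\n\n' >> "${Log}"
    else
        _rhel6_abort "The Version of the openssl is update to 1.0.2q faild!"
    fi
}

#######################################
# Replace the packaged OpenSSH with a source build of ${Openssh_Version}.
# configure/make run BEFORE sshd is stopped and the RPMs removed, so a
# download or build failure cannot leave the host without an sshd.
# Existing host keys are carried over from /etc/ssh.old so clients do
# not see a changed-host-key warning after the upgrade.
# Arguments: $1 - build directory
# Globals:   Openssh_Addr, Openssh_Version, Update_Name, Update_Version,
#            Log, DATE, Task (read); Version_Num (read, via Check_Version)
# Returns:   exits 1 on any failure (logged); on success Check_Version
#            itself exits 1 with "It is newest!" (original behaviour).
#######################################
_rhel6_update_openssh(){
    local build_dir=$1
    if ! printf '%s\n' "${Openssh_Version}" | grep -F -- "${Update_Version}" >/dev/null 2>&1; then
        _rhel6_abort "The script does not suitable the Version of the ${Update_Name},It is for ${Openssh_Version}"
    fi

    _rhel6_fetch "${Openssh_Addr}" "${build_dir}" "${OPENSSH_SHA256:-}" \
        || _rhel6_abort "Fetching ${Openssh_Version} failed"
    tar -axf "${build_dir}/${Openssh_Addr##*/}" -C "${build_dir}" >/dev/null 2>>"${Log}" \
        || _rhel6_abort "Unpacking ${Openssh_Version} failed"
    cd "${build_dir}/${Openssh_Version}" \
        || _rhel6_abort "Source tree ${Openssh_Version} not found after unpack"
    ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-zlib \
        --with-openssl-includes=/usr --with-privsep-path=/var/lib/sshd >> "${Log}" 2>&1 \
        || _rhel6_abort "configure of ${Openssh_Version} failed"
    make >/dev/null 2>>"${Log}" \
        || _rhel6_abort "build of ${Openssh_Version} failed"

    # Point of no return: the running sshd goes away here.  If anything
    # below fails, the telnet service named in the script header is the
    # only remaining login path.
    service sshd stop >> "${Log}" 2>&1
    mv /etc/ssh /etc/ssh.old >> "${Log}" 2>&1
    rpm -qa | grep openssh | xargs -i rpm -e --nodeps {} >> "${Log}" 2>&1
    install -m700 -d /var/lib/sshd >> "${Log}" 2>&1
    chown root:sys /var/lib/sshd >> "${Log}" 2>&1
    usermod -d /var/lib/sshd sshd >> "${Log}" 2>&1

    # Keep the host identity: "make install" (ssh-keygen -A) only creates
    # host keys that are missing from --sysconfdir, so restoring the old
    # ones first means they are reused rather than regenerated.  The copy
    # is best-effort; a missing /etc/ssh.old just yields fresh keys.
    install -m755 -d /etc/ssh >> "${Log}" 2>&1
    cp -p /etc/ssh.old/ssh_host_*_key /etc/ssh.old/ssh_host_*_key.pub /etc/ssh/ 2>>"${Log}"

    make install >/dev/null 2>>"${Log}" \
        || _rhel6_abort "install of ${Openssh_Version} failed"

    install -m755 contrib/ssh-copy-id /usr/bin
    install -m644 contrib/ssh-copy-id.1 /usr/share/man/man1
    install -m755 -d "/usr/share/doc/${Openssh_Version}"
    install -m644 INSTALL LICENCE OVERVIEW README* "/usr/share/doc/${Openssh_Version}"

    # NOTE(review): both directives are kept from the original but widen
    # exposure — X11Forwarding lets the server reach the client display,
    # and PermitRootLogin yes allows direct root password logins.  Where
    # admins have their own accounts, "PermitRootLogin prohibit-password"
    # (or "no") is the safer setting.
    echo 'X11Forwarding yes' >> /etc/ssh/sshd_config
    echo "PermitRootLogin yes" >> /etc/ssh/sshd_config

    cp -p contrib/redhat/sshd.init /etc/init.d/sshd
    # Comments out the restorecon call for the protocol-1 ssh_host_key.pub
    # in the vendor init script; presumably that file is not generated by
    # this build — left as in the original.
    sed -i '/ssh_host_key.pub/s@/sbin/restorecon /etc/ssh/ssh_host_key.pub@# /sbin/restorecon /etc/ssh/ssh_host_key.pub@' /etc/init.d/sshd
    chmod +x /etc/init.d/sshd
    chkconfig --add sshd
    chkconfig sshd on

    service sshd start >> "${Log}" 2>&1
    Check_Version
    if [ $? -eq 2 ]; then
        _rhel6_abort "The Version of the ${Update_Name} is ${Version_Num},It is not update to ${Update_Version}!"
    fi
}

#######################################
# RHEL 6 path: build zlib/OpenSSL/OpenSSH from the pinned sources.
# Set OPENSSL_SHA256 / OPENSSH_SHA256 in the environment to the checksums
# published with the releases to have the downloads verified; when unset
# a warning is logged and the archives are used unverified.
# Globals:  Log (read) plus everything the helpers above read
# Returns:  exits 1 on failure; see _rhel6_update_openssh for success.
#######################################
rhel6_update(){
    local build_dir
    Check_Version
    if ! yum -y install gcc pam-devel zlib-devel >> "${Log}" 2>&1; then
        printf '\nWARNING: installing build dependencies returned non-zero\n\n' >> "${Log}"
    fi
    # Unpredictable, root-owned (0700) build directory instead of bare
    # /tmp, so the unpacked sources cannot collide with anything another
    # local user may already have placed there.
    build_dir=$(mktemp -d /tmp/update_openssh.XXXXXX) \
        || _rhel6_abort "mktemp -d failed"

    #Update Zlib
    _rhel6_update_zlib
    #Update Openssl
    _rhel6_update_openssl "${build_dir}"
    #Update Openssh
    _rhel6_update_openssh "${build_dir}"
}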

 

# Dispatch on the major release detected above.  Anything other than
# 6 or 7 is logged as unsupported and the script exits 1.
case "${OS_Version}" in
  7)
    rhel7_update
    ;;
  6)
    rhel6_update
    ;;
  *)
    printf '%s\n' "The operating system is not suitable " >> "${Log}"
    printf '%s\n' "---- ${DATE} ${Task} End ---- " >> "${Log}"
    exit 1
    ;;
esac


将上述代码复制进脚本之后执行,效果如图:


image.png


另外,如果权限不够,需要先赋予脚本执行权限:

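# Only the execute bit is needed.  Mode 777 would make a script that is
# later run as root writable by every local user.
chmod u+x -- update_openssh.sh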


脚本文件见附件

【版权声明】本文为华为云社区用户原创内容,转载时必须标注文章的来源(华为云社区)、文章链接、文章作者等基本信息, 否则作者和本社区有权追究责任。如果您发现本社区中有涉嫌抄袭的内容,欢迎发送邮件进行举报,并提供相关证据,一经查实,本社区将立刻删除涉嫌侵权内容,举报邮箱: cloudbbs@huaweicloud.com