openssh+openssl升级排障
2020-08-18 本文已影响0人
魔曦帝天
先升级openssl,后升级openssh
#!/bin/bash
# version_ge A B...: succeed when A sorts highest among all arguments under
# `sort -V` ordering, i.e. A is >= every other version given.
version_ge() {
  local newest
  newest=$(echo "$@" | tr " " "\n" | sort -rV | head -n 1)
  [ "$newest" = "$1" ]
}
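# log STATUS MESSAGE: print MESSAGE with a green "[OK]" tag when STATUS is 0,
# otherwise a red "[NO]" tag. Backslash escapes in MESSAGE are interpreted
# (%b), matching the previous `echo -e` behaviour.
# Fix: the message is now kept in a local instead of leaking a script-level
# `status` variable.
log() {
  local message=$2
  if [ "$1" -eq 0 ]; then
    printf '\033[32m[OK]\033[0m %b\n' "$message"
  else
    printf '\033[31m[NO]\033[0m %b\n' "$message"
  fi
}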
file_modify(){
match_value=$1
file=$2
value=$3
match=`grep -Ev "^\s*#|^\s*$" $file |grep -E $match_value |tail -n1`
if [ -z "$match" ]; then
echo "$value" >> $file
echo $?
else
sed -i "s#$match#$value#g" $file
echo $?
fi
}
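# check PATTERN FILE LINE
# Apply file_modify and report the outcome through log(). The script-level
# variables `res` (status printed by file_modify) and `msg1` (description)
# are still set for anything that reads them.
# Fix: the result used to be computed and silently dropped; it is now logged.
check() {
  local match_value=$1 file=$2 value=$3
  res=$(file_modify "$match_value" "$file" "$value")
  msg1="file: $file match: $match_value modify: $value"
  # An empty result means file_modify produced no status; report it as failed.
  log "${res:-1}" "$msg1"
}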
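# Script-level settings shared by the functions below.
path=$(pwd)
version="openssh-8.3p1"
# Major release number taken from /etc/redhat-release (e.g. "7").
osversion=$(sed -r 's/.* ([0-9]+)\..*/\1/' /etc/redhat-release)
url="https://mirrors.tuna.tsinghua.edu.cn/OpenBSD/OpenSSH/portable/${version}.tar.gz"
# Port of the first sshd listener reported by ss.
ssh_port=$(ss -ntpl | grep sshd | head -n 1 | awk '{print $4}' | awk -F ':' '{print $NF}')
# The pipeline's status is awk's (always 0), so it says nothing about whether
# a port was found; check the value itself and fall back to sshd's default 22
# so the later "Port" rewrite of sshd_config never produces an empty value.
if [ -n "$ssh_port" ]; then
  log 0 "ssh port: $ssh_port"
else
  ssh_port=22
  log 1 "ssh port: none detected, defaulting to 22"
fi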
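# basics_check: install the build dependencies, make sure the source tarball
# is present (downloading it when missing) and require openssl >= 1.1.1.
# Globals read: version, url. Exits the script with status 1 when any check
# fails, returns 0 otherwise.
# Fixes: a failed download used to bump check_status inside a ( ) subshell,
# so the failure was lost and the install went ahead; an empty openssl
# version used to pass the >= 1.1.1 test because the argument was unquoted.
basics_check() {
  local check_status=0
  local deps="gcc gcc-c++ zlib zlib-devel pam pam-devel tcp_wrappers tcp_wrappers-devel"
  # shellcheck disable=SC2086 -- deps is a deliberately space-separated list
  if yum install $deps --nogpgcheck -y &> /dev/null; then
    log 0 "deply: $deps"
  else
    log 1 "deply: $deps"
    check_status=$((check_status + 1))
  fi
  if [ -f "${version}.tar.gz" ]; then
    log 0 "file: ${version}.tar.gz"
  else
    log 1 "file: ${version}.tar.gz"
    echo "-----Download $url"
    # Plain if/else (no subshell) so the failure is counted in this shell.
    if wget "$url" &> /dev/null; then
      log 0 "Download success"
    else
      log 1 "Download failed"
      check_status=$((check_status + 1))
    fi
  fi
  local ssl_version
  ssl_version=$(openssl version | awk '{print $2}' | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+')
  if version_ge "$ssl_version" 1.1.1; then
    log 0 "openssl: $ssl_version"
  else
    log 1 "openssl: need >= 1.1.1"
    check_status=$((check_status + 1))
  fi
  if [ "$check_status" -ne 0 ]; then
    exit 1
  fi
}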
# pam_sshd: overwrite /etc/pam.d/sshd with the stock RHEL PAM stack for sshd
# (password-auth plus the SELinux, loginuid and keyinit session modules).
# The here-document delimiter is quoted so the content is written verbatim.
pam_sshd() {
  cat > /etc/pam.d/sshd <<'EOF'
#%PAM-1.0
auth required pam_sepermit.so
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth
EOF
}
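# openssh_install: build the OpenSSH tarball found in $path, install it under
# /usr/local/$version, point /usr/bin and /usr/sbin at the new binaries and
# restart sshd via the SysV init script (EL6) or systemd (EL7).
# Globals read: path, version, osversion, ssh_port. Calls check, pam_sshd, log.
# Exits the script with status 1 on any failure. No rollback is attempted, so
# a failed run can leave the distro binaries renamed to *.bak.
# Fixes: unchecked `cd`, unquoted expansions, and `exit` without a status
# (success was reported on failure).
openssh_install() {
  local ssl_dir
  ssl_dir=$(openssl version -a | grep OPENSSLDIR | tr -d '" ' | awk -F ':' '{print $2}' | sed 's/\/ssl$//')
  #OpenSSH
  cd "$path" || { log 1 "cannot cd to $path"; exit 1; }
  if [ ! -f "${version}.tar.gz" ]; then
    echo "package not found"
    exit 1
  fi
  tar xf "${version}.tar.gz" || exit 1
  cd "$version" || exit 1
  # Replaces the version reported in the SSH banner with a fixed fake value.
  # This hides the real version from scanners but also from inventory tools,
  # so record the installed version elsewhere.
  sed -i 's#"OpenSSH\S*"#"OpenSSH_99.99"#g' version.h
  if ./configure --prefix="/usr/local/${version}" \
      --sysconfdir="/usr/local/${version}" \
      --with-ssl-dir="${ssl_dir}" \
      --with-privsep-path=/var/myempty \
      --with-privsep-user=sshd \
      --with-zlib --with-ssl-engine --with-md5-passwords \
      --disable-etc-default-login --with-pam=enable > ./configure.log \
      && make > ./make.log \
      && make install > ./make_install.log; then
    # NOTE: PermitRootLogin yes permits direct root logins over SSH; where
    # possible prefer prohibit-password/no with a sudo-capable user.
    check 'PermitRootLogin' "/usr/local/${version}/sshd_config" 'PermitRootLogin yes'
    check 'UsePAM' "/usr/local/${version}/sshd_config" 'UsePAM yes'
    # Default to 22 so an undetected port never yields an empty "Port" line.
    sed -i "s/#Port 22/Port ${ssh_port:-22}/g" "/usr/local/${version}/sshd_config"
    pam_sshd
    /bin/cp -f contrib/redhat/sshd.init /etc/init.d/sshd
    sed -i "s#/usr/sbin/sshd#/usr/local/${version}/sbin/sshd#g" /etc/init.d/sshd
    chkconfig --add sshd
    chkconfig sshd on
    local bin_file=(ssh scp ssh-keygen sftp)
    local sbin_file=(sshd)
    local i
    # Keep the distro binaries as *.bak and link the new ones into PATH.
    for i in "${bin_file[@]}"; do
      [ -f "/usr/bin/$i" ] && mv -f "/usr/bin/$i" "/usr/bin/${i}.bak"
      ln -s "/usr/local/${version}/bin/$i" "/usr/bin/$i"
    done
    for i in "${sbin_file[@]}"; do
      [ -f "/usr/sbin/$i" ] && mv -f "/usr/sbin/$i" "/usr/sbin/${i}.bak"
      ln -s "/usr/local/${version}/sbin/$i" "/usr/sbin/$i"
    done
    # Let unprivileged users traverse the prefix to run ssh/scp/sftp.
    chmod o+rx "/usr/local/${version}/"
    chmod o+rx "/usr/local/${version}/bin"
    chmod o+rx "/usr/local/${version}/sbin"
    # Presumably satisfies a key-file check in the copied init script -- confirm.
    touch /etc/ssh/ssh_host_ecdsa_key.pub
    if [ "$osversion" -eq 6 ]; then
      service sshd stop && service sshd start
    elif [ "$osversion" -eq 7 ]; then
      # Park the packaged unit so the init script copied above takes over.
      [ -f "/usr/lib/systemd/system/sshd.service" ] && mv /usr/lib/systemd/system/sshd.service /usr/lib/systemd/system/sshd.service.bak
      systemctl daemon-reload
      systemctl restart sshd
    fi
    # ${path:?} aborts instead of deleting a relative path when path is empty.
    rm -rf "${path:?}/${version}"
  else
    log 1 "openssh install faild"
    exit 1
  fi
}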
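# ssh_check: poll `service sshd status` up to 10 times, attempting a start
# after each failed probe. Returns 0 once sshd reports running and 1 when it
# never does.
# Fix: falling off the loop used to return the status of the last `sleep`
# (0), so a dead sshd was reported as success.
ssh_check() {
  local attempt
  for attempt in {1..10}; do
    if service sshd status &> /dev/null; then
      return 0
    fi
    service sshd start
    sleep 1
  done
  return 1
}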
# Entry point: verify prerequisites, build and install OpenSSH, then make sure
# sshd is back up. Each step exits the script itself on a fatal error.
main() {
  basics_check
  openssh_install
  ssh_check
}
main "$@"
1.普通用户无权限
chmod 755 -R /usr/local/openssh
再执行 sshd -t
将报错文件权限修改为600
即可
2.启动sshd服务报错
[ -f "/usr/lib/systemd/system/sshd.service" ] && mv /usr/lib/systemd/system/sshd.service /usr/lib/systemd/system/sshd.service.bak
systemctl daemon-reload
systemctl restart sshd
3.openssl升级报错
修改 /etc/ld.so.conf，添加新包编译安装的 bin 路径
ldconfig生效修改
openssl version 查看有无报错