本脚本支持离线安装和在线下载安装包安装。openEuler2203 由 OpenSSH_8.8p1, OpenSSL 1.1.1m 升级;openEuler2403 由 OpenSSH_9.3p2, OpenSSL 3.0.12 升级。需新系统,只做基本设置升级。#!/bin/bash update_sshssl_openEuler=v7.0 ...
脚本支持离线安装和在线下载安装包安装
直接升级OpenSSL是一个很危险的方法,会牵扯到系统的其他应用。此脚本仅供参考,基本上会影响系统的其他方面,不要直接使用!!!
系统的OpenSSL版本过低、需要使用高版本时,有更好的办法!
需新系统,只做基本设置升级。Huawei Cloud EulerOS 由 OpenSSH_8.8p1, OpenSSL 1.1.1m 升级;openEuler2203 由 OpenSSH_8.8p1, OpenSSL 1.1.1m 升级;openEuler2403 由 OpenSSH_9.3p2, OpenSSL 3.0.12 升级。
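#!/bin/bash
# update-openEuler / HCE openssh-openssl 升级脚本.
# Top-level setup: banner, pinned target versions, display of the currently
# installed OpenSSH, and a five-second window to abort before anything is
# changed.  Every later function assumes root and /root as working directory.
update_sshssl_openEuler=v8.01
echo "==============================================================================================================="
# Random ANSI foreground colour 31..37 for the banner ($((...)) replaces the
# deprecated $[...] arithmetic form).
echo -e "\e[1;$((RANDOM % 7 + 31))m
___ ___ ___ ___ ___
/\__\ /\__\ /\__\ /\ \ /\ \
/:/ / /:/ / /:/ / /::\ \ /::\ \
/:/__/ /:/ / /:/ / /:/\ \ \ /:/\:\ \
/::\ \ ___ /:/ / /:/ / ___ _\:\~\ \ \ /::\~\:\ \
/:/\:\ /\__\ /:/__/ /:/__/ /\__\ /\ \:\ \ \__\ /:/\:\ \:\__\
\/__\:\/:/ / \:\ \ \:\ \ /:/ / \:\ \:\ \/__/ \:\~\:\ \/__/
\::/ / \:\ \ \:\ /:/ / \:\ \:\__\ \:\ \:\__\
/:/ / \:\ \ \:\/:/ / \:\/:/ / \:\ \/__/
/:/ / \:\__\ \::/ / \::/ / \:\__\
\/__/ \/__/ \/__/ \/__/ \/__/ \e[0m"
echo -e "--- update-openEuler- hce - openssh-openssl升级脚本"
echo -e "--- version: $update_sshssl_openEuler"
echo -e "--- https://www.hl05.com"
echo "==============================================================================================================="
# Everything below writes under /usr, /etc and /root; fail early instead of
# half-way through when not running as root.
if [ "$(id -u)" -ne 0 ]; then
  echo -e "\e[1;31m请使用root用户执行此脚本\e[0m"
  exit 1
fi
# Provides ID, NAME and VERSION_ID, which check_system relies on.
. /etc/os-release || {
  echo -e "\e[1;31m无法读取 /etc/os-release,脚本终止\e[0m"
  exit 1
}
# Versions this script builds; check_openssl_version only accepts 3.4.1.
SudoVersion=1.9.16p2
OpensslVersion=3.4.1
OpensshVersion=9.9p2
ZlibVersion=1.3.1
# Timestamp used to name the backups taken before files are replaced.
Current_Date=$(date +%Y%m%d%H%M%S)
echo -e "\e[1;35m===============================================================================================================\e[0m"
echo -e "\e[1;35m现在已安装的版本\e[0m"
ssh -V
echo -e "\e[1;35m本次安装的版本是sudo-${SudoVersion}\e[0m"
echo -e "\e[1;35m本次安装的版本是openssl-${OpensslVersion}\e[0m"
echo -e "\e[1;35m本次升级的安装版本openssh-${OpensshVersion}\e[0m"
echo -e "\e[1;35m本次升级的安装版本zlib-${ZlibVersion}\e[0m"
echo -e "\e[1;35m支持在线下载,如果已经下载好安装包了请将对应版本的压缩包放在root目录下\e[0m"
echo -e "\e[1;35m===============================================================================================================\e[0m"
echo -e "\e[1;35m不想安装请在五秒内终止脚本\e[0m\n"
# Countdown: rewrite the same terminal line once per second.
for i in {5..1}; do
  printf '%s \r' "$i"
  sleep 1
done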
#====================================================================
# 系统检查函数
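#######################################
# Abort unless the running distribution is one this script targets.
# Globals:   ID, NAME, VERSION_ID (read; set by sourcing /etc/os-release)
# Outputs:   distribution name and version to stdout
# Returns:   0 when ID is openEuler or hce; exits 1 otherwise
#######################################
check_system(){
  # [[ a || b ]] instead of the deprecated, ambiguous "[ a -o b ]" form.
  if [[ "$ID" == "openEuler" || "$ID" == "hce" ]]; then
    echo -e "\e[1;31m当前系统是:$NAME,版本号:$VERSION_ID\e[0m"
  else
    echo -e "\e[1;31m当前系统:$ID,脚本不支持。\e[0m"
    exit 1
  fi
}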
#====================================================================
# OpenSSL版本检查
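#######################################
# Refuse to run unless the pinned OpenSSL version is the one this script was
# written for, and the script itself lives in /root (the directory every
# build step assumes).
# Globals:   OpensslVersion (read), $0 (read)
# Outputs:   status line to stdout
# Returns:   0 on success; exits 1 otherwise
#######################################
check_openssl_version(){
  if [[ "${OpensslVersion}" == "3.4.1" ]]; then
    echo -e "\e[1;35m此脚本支持升级到OpenSSL 3.4.1\e[0m"
  else
    echo -e "\e[1;33m此脚本只支持升级openssl-${OpensslVersion}版本,其他版本不支持\e[0m"
    exit 1
  fi
  # Resolve the script's directory instead of testing "/root/$0": when the
  # script is started with an absolute path (bash /root/x.sh) the old test
  # looked for /root//root/x.sh and rejected a correctly placed file.
  local script_dir
  script_dir=$(cd "$(dirname -- "$0")" 2>/dev/null && pwd -P)
  if [[ "$script_dir" != "/root" ]]; then
    echo -e "\e[1;33m请将脚本文件放在root目录下执行\e[0m"
    exit 1
  fi
}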
#====================================================================
# 安装必要的前置依赖
#######################################
# Ensure every build-time package is present, installing any that are missing.
# Globals:   none
# Outputs:   one status line per package to stdout
# Returns:   0 when all packages are installed; exits 1 when yum fails
#######################################
install_dependencies() {
  local -a required=(
    pam-devel gcc gcc-c++ make glibc autoconf pcre-devel zlib-devel
    openssl-devel libselinux-devel openldap-devel libcom_err-devel
    krb5-devel libkadm5 libedit-devel libxcrypt-devel
  )
  local pkg
  echo -e "\e[1;35m===================================================安装前置依赖===================================================\e[0m"
  for pkg in "${required[@]}"; do
    if rpm -q "$pkg" > /dev/null 2>&1; then
      echo -e "\e[1;32m$pkg 已安装。\e[0m"
      continue
    fi
    echo -e "\e[1;33m$pkg 未安装,正在安装...\e[0m"
    if ! yum install -y "$pkg"; then
      echo -e "\e[1;31m错误: $pkg 安装失败。\e[0m"
      exit 1
    fi
  done
}
#====================================================================
# 文件下载函数
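#######################################
# Fetch each source tarball into /root unless it is already present.
# Globals:   OpensslVersion, OpensshVersion, SudoVersion, ZlibVersion (read)
# Outputs:   progress to stdout (wget output to stderr)
# Returns:   0 when every tarball exists; exits 1 on a failed download
#######################################
download_files() {
  declare -A files=(
    ["/root/openssl-${OpensslVersion}.tar.gz"]="https://github.com/openssl/openssl/releases/download/openssl-${OpensslVersion}/openssl-${OpensslVersion}.tar.gz"
    ["/root/openssh-${OpensshVersion}.tar.gz"]="https://mirrors.aliyun.com/pub/OpenBSD/OpenSSH/portable/openssh-${OpensshVersion}.tar.gz"
    ["/root/sudo-${SudoVersion}.tar.gz"]="https://www.sudo.ws/dist/sudo-${SudoVersion}.tar.gz"
    ["/root/zlib-${ZlibVersion}.tar.gz"]="https://www.zlib.net/fossils/zlib-${ZlibVersion}.tar.gz"
  )
  local file
  for file in "${!files[@]}"; do
    if [ ! -e "$file" ]; then
      echo -e "\e[1;33m文件 $file 不存在,执行下载。\e[0m"
      # All sources are HTTPS; --https-only refuses a redirect to plain HTTP.
      if ! wget --https-only -O "$file" "${files[$file]}"; then
        # wget -O creates the target before transferring; remove the partial
        # file so a re-run does not skip the download and unpack garbage.
        rm -f -- "$file"
        echo -e "\e[1;31m文件 $file 下载失败,请手动下载到/root目录\e[0m"
        exit 1
      fi
    fi
  done
  # NOTE: no checksum or signature verification is done on the tarballs;
  # compare them against the digests published by each upstream before building.
  echo -e "\e[1;35m所有必要文件已就绪\e[0m"
}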
#====================================================================
# Zlib编译函数
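#######################################
# Build zlib from /root/zlib-${ZlibVersion}.tar.gz into /usr/local/zlib and
# register the result with update-alternatives.
# Globals:   ZlibVersion (read)
# Outputs:   progress to stdout
# Returns:   0 on success; exits 1 on any unpack/configure/build failure
#######################################
update_zlib(){
  local src="/root/zlib-${ZlibVersion}"
  echo -e "\e[1;35m===================================================编译zlib======================================================\e[0m"
  # 解压源码包
  echo -e "\e[1;35m解压 zlib 源码包...\e[0m"
  if ! tar zxf "${src}.tar.gz" -C /root/; then
    echo -e "\e[1;31m错误: zlib 源码包解压失败。\e[0m"
    exit 1
  fi
  # 进入源码目录
  if ! cd "$src"; then
    echo -e "\e[1;31m错误: 无法进入 zlib 源码目录。\e[0m"
    exit 1
  fi
  # 配置编译参数
  echo -e "\e[1;35m配置 zlib...\e[0m"
  if ! ./configure --prefix=/usr/local/zlib; then
    echo -e "\e[1;31m错误: zlib 配置失败,请检查编译器选项或依赖是否安装。\e[0m"
    exit 1
  fi
  # 编译并安装 (explicit if instead of "a && b || c")
  echo -e "\e[1;35m编译并安装 zlib...\e[0m"
  if ! make -j"$(nproc)" || ! make install; then
    echo -e "\e[1;31m错误: zlib 编译或安装失败。\e[0m"
    exit 1
  fi
  # Refresh the loader cache once (previously ldconfig ran twice in a row).
  ldconfig -v
  # 使用 update-alternatives 管理 zlib
  # NOTE(review): this registers /usr/lib/libz.so, while the OpenSSL step
  # below treats /usr/lib64 as the system library directory; presumably
  # binaries on this target load libz from /usr/lib64, so this alternative
  # affects the build-time link only — confirm before relying on it.
  update-alternatives --install /usr/lib/libz.so libz /usr/local/zlib/lib/libz.so 200
  update-alternatives --set libz /usr/local/zlib/lib/libz.so
  #update-alternatives --config libz # 选择新版本
  # 清理临时文件 — leave the tree before deleting it.
  cd /root/ || exit 1
  rm -rf "$src" 2>/dev/null
  # 验证安装是否成功
  if [ -f "/usr/local/zlib/lib/libz.so" ]; then
    echo -e "\e[1;32mZlib 升级成功,版本:${ZlibVersion}\e[0m"
  else
    echo -e "\e[1;31m错误: Zlib 安装失败,请检查编译和安装过程。\e[0m"
    exit 1
  fi
  sleep 30
}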
#====================================================================
# OpenSSL升级函数
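#######################################
# Build OpenSSL into /usr/local/openssl and make it the system default.
# Globals:   OpensslVersion (read)
# Outputs:   progress to stdout
# Returns:   0 on success; exits 1 on configure/build/install/verify failure
#
# NOTE(review): this function deletes the distribution's libssl/libcrypto
# from /usr/lib64 and replaces them with the 3.x build.  Anything linked
# against the older ABI (on 22.03 that is libssl.so.1.1, per the header
# notes) — likely including the package manager — stops working afterwards.
# The page's own notice says as much; treat this as a single-purpose host.
#######################################
update_openssl(){
  local src="/root/openssl-${OpensslVersion}"
  echo -e "\e[1;35m===================================================升级openssl===================================================\e[0m"
  cd /root/ || exit
  # 清理旧编译残留
  rm -rf "$src" 2>/dev/null
  # 解压并编译
  tar -zxvf "${src}.tar.gz" || exit 1
  cd "$src" || exit
  # 优化编译参数.  enable-md2 / enable-mdc2 turn on legacy digests that are
  # off by default upstream; drop them unless something actually needs them.
  # A failed config previously went unnoticed until "make" died.
  ./config \
    --prefix=/usr/local/openssl \
    --openssldir=/usr/local/openssl \
    --libdir=lib64 \
    shared \
    zlib-dynamic \
    enable-mdc2 \
    enable-md2 \
    enable-tls1_2 \
    enable-tls1_3 \
    enable-ktls \
    enable-ec_nistp_64_gcc_128 \
    no-weak-ssl-ciphers \
    no-ssl3 \
    no-comp \
    -Wa,--noexecstack || {
    echo -e "\e[1;31mOpenSSL配置失败\e[0m"
    exit 1
  }
  # 编译安装
  make clean
  if ! make -j"$(nproc)"; then
    echo -e "\e[1;31mOpenSSL编译失败,请检查依赖项(如perl、gcc)\e[0m"
    exit 1
  fi
  # 安装前备份关键文件
  if [ -f /usr/bin/openssl ]; then
    mv /usr/bin/openssl /usr/bin/openssl.bak
  fi
  if [ -d /usr/include/openssl ]; then
    mv /usr/include/openssl /usr/include/openssl.bak
  fi
  # 安装新版本
  make install || {
    echo -e "\e[1;31mOpenSSL安装失败\e[0m"
    exit 1
  }
  # 处理系统库冲突
  echo -e "\e[1;33m正在处理系统库冲突...\e[0m"
  # 1. 移除旧符号链接 — the glob also removes the distribution's real
  #    libraries, not only symlinks; there is no backup of them.
  rm -f /usr/lib64/libssl.so.* /usr/lib64/libcrypto.so.* 2>/dev/null
  # 2. 创建新符号链接(绝对路径)
  ln -sf /usr/local/openssl/lib64/libssl.so.3 /usr/lib64/
  ln -sf /usr/local/openssl/lib64/libcrypto.so.3 /usr/lib64/
  # 3. 强制更新动态链接库缓存-重要
  echo "/usr/local/openssl/lib64" > /etc/ld.so.conf.d/openssl.conf
  ldconfig -v | grep openssl
  # 使用alternatives系统管理
  echo -e "\e[1;33m配置多版本切换...\e[0m"
  update-alternatives --install /usr/bin/openssl openssl /usr/local/openssl/bin/openssl 400 \
    --slave /usr/bin/c_rehash c_rehash /usr/local/openssl/bin/c_rehash \
    --slave /usr/include/openssl openssl_include /usr/local/openssl/include/openssl
  update-alternatives --set openssl /usr/local/openssl/bin/openssl
  # 永久环境变量配置 — written with ">" so re-running the script does not
  # append a duplicate block every time.
  cat <<EOF > /etc/profile.d/openssl.sh
export PATH=/usr/local/openssl/bin:\$PATH
export LD_LIBRARY_PATH=/usr/local/openssl/lib64:\$LD_LIBRARY_PATH
export PKG_CONFIG_PATH=/usr/local/openssl/lib64/pkgconfig:\$PKG_CONFIG_PATH
EOF
  # 立即生效环境变量
  source /etc/profile.d/openssl.sh
  # 清理临时文件
  rm -rf "$src" 2>/dev/null
  # 验证安装
  echo -e "\e[1;34m最终验证:\e[0m"
  if ! openssl version | grep -q "$OpensslVersion"; then
    echo -e "\e[1;31m版本验证失败! 当前版本: $(openssl version 2>&1)\e[0m"
    # 显示详细的库加载信息
    echo -e "\n\e[1;33m调试信息:\e[0m"
    ldd /usr/local/openssl/bin/openssl | grep -E 'ssl|crypto'
    LD_DEBUG=libs openssl version 2>&1 | grep -i 'loading'
    exit 1
  else
    echo -e "\e[1;32mOpenSSL升级成功! 版本: $(openssl version)\e[0m"
    echo -e "\e[1;36m重启后验证命令:openssl version\e[0m"
  fi
  sleep 3
}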
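#######################################
# Build OpenSSH against the OpenSSL/zlib installed above, swap it in for the
# distribution packages, and restart sshd.
# Globals:   OpensshVersion, Current_Date (read)
# Outputs:   progress to stdout
# Returns:   never returns — exits 0 on success, 1 on failure
#######################################
update_openssh(){
  local src="/root/openssh-${OpensshVersion}"
  local bak="/data/opensshbak"
  local pkg
  echo -e "\e[1;35m===================================================升级openssh===================================================\e[0m"
  cd /root/ || exit
  if ! tar zxf "${src}.tar.gz" || [ ! -d "$src" ]; then
    echo -e "\e[1;31mOpenSSH解压失败\e[0m"
    exit 1
  fi
  cd "$src" || exit
  # 配置动态库
  echo "/usr/local/openssl/lib64" > /etc/ld.so.conf.d/openssl.conf
  ldconfig
  # 编译安装
  # CFLAGS/LDFLAGS are placed directly on the configure command: previously
  # the trailing backslash joined them onto a comment line, leaving them as
  # unexported shell variables that configure never saw.
  # 添加 --with-ssl-engine 选项以启用 OpenSSL 引擎
  CFLAGS="-I/usr/local/openssl/include -I/usr/local/zlib/include" \
  LDFLAGS="-L/usr/local/openssl/lib64 -L/usr/local/zlib/lib" \
  ./configure \
    --prefix=/usr/local/openssh \
    --with-openssl=/usr/local/openssl \
    --with-zlib=/usr/local/zlib \
    --with-ssl-engine \
    --without-openssl-header-check \
    --with-ssl-dir=/usr/local/openssl \
    --with-ssl-incdir=/usr/local/openssl/include \
    --with-ssl-libdir=/usr/local/openssl/lib64 || {
    echo -e "\e[1;31mOpenSSH配置失败\e[0m"
    exit 1
  }
  if ! make -j"$(nproc)" || ! make install; then
    echo -e "\e[1;31mOpenSSH编译或安装失败\e[0m"
    exit 1
  fi
  # 备份旧文件并替换新文件
  mkdir -p "$bak"
  echo -e "\e[1;35m备份旧文件并替换新文件...\e[0m"
  mv /etc/ssh/sshd_config "$bak/sshd_config-${Current_Date}"
  cp /usr/local/openssh/etc/sshd_config /etc/ssh/sshd_config
  mv /usr/sbin/sshd "$bak/sshd-${Current_Date}"
  cp /usr/local/openssh/sbin/sshd /usr/sbin/sshd
  mv /usr/bin/ssh "$bak/ssh-${Current_Date}"
  cp /usr/local/openssh/bin/ssh /usr/bin/ssh
  mv /usr/bin/ssh-keygen "$bak/ssh-keygen-${Current_Date}"
  cp /usr/local/openssh/bin/ssh-keygen /usr/bin/ssh-keygen
  # NOTE(review): only the ECDSA *public* key is replaced while the private
  # key in /etc/ssh stays; confirm the pair still matches (ssh-keygen -y) or
  # regenerate both, otherwise clients see a host-key change or sshd warns.
  mv /etc/ssh/ssh_host_ecdsa_key.pub "$bak/ssh_host_ecdsa_key.pub-${Current_Date}"
  cp /usr/local/openssh/etc/ssh_host_ecdsa_key.pub /etc/ssh/ssh_host_ecdsa_key.pub
  # 卸载旧的OpenSSH包 — rpm -e removes the files those packages own,
  # including the binaries copied above; they are copied again further down.
  while IFS= read -r pkg; do
    rpm -e --nodeps "$pkg" &>/dev/null
  done < <(rpm -qa | grep openssh)
  # rpm renames a config file it no longer recognises to .rpmsave on erase;
  # put it back so /etc/ssh/sshd_config exists for the edits below.  Guarded:
  # the file is only there when a package actually owned sshd_config.
  if [ -f /etc/ssh/sshd_config.rpmsave ]; then
    cp /etc/ssh/sshd_config.rpmsave /etc/ssh/sshd_config
  fi
  # 更新init脚本配置
  cp -a "${src}/contrib/redhat/sshd.init" /etc/init.d/sshd
  chmod u+x /etc/init.d/sshd
  # 修正init脚本中的路径和配置
  sed -i 's#SSHD=.*#SSHD=/usr/local/openssh/sbin/sshd#' /etc/init.d/sshd
  sed -i '/\/usr\/bin\/ssh-keygen/c\ \/usr\/local\/openssh\/bin\/ssh-keygen -A' /etc/init.d/sshd
  sed -i '/ssh_host_rsa_key.pub/i\ \/sbin\/restorecon \/etc\/ssh\/ssh_host_key.pub' /etc/init.d/sshd
  sed -i '/$SSHD $OPTIONS && success || failure/i\ OPTIONS="-f /etc/ssh/sshd_config"' /etc/init.d/sshd
  # 修改sshd_config配置
  echo -e "\n\e[1;35m==============================================修改sshd_config配置文件===============================================\e[0m"
  # NOTE(review): these three edits enable password logins, X11 forwarding
  # and direct root login; each widens the host's exposure.  Keep them only
  # where the deployment genuinely requires them.
  sed -i '/PasswordAuthentication/c\PasswordAuthentication yes' /etc/ssh/sshd_config
  sed -i '/X11Forwarding/c\X11Forwarding yes' /etc/ssh/sshd_config
  sed -i 's/#PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config
  # 强制覆盖所有SSH工具路径
  cp -f /usr/local/openssh/bin/* /usr/bin/
  cp -f /usr/local/openssh/sbin/* /usr/sbin/
  # 删除现有的 /usr/bin/ssh 和 /usr/sbin/sshd 文件 (replaced by alternatives links)
  rm -f /usr/bin/ssh /usr/sbin/sshd
  # 使用 update-alternatives 管理 ssh 和 sshd
  update-alternatives --install /usr/bin/ssh ssh /usr/local/openssh/bin/ssh 300 \
    --slave /usr/sbin/sshd sshd /usr/local/openssh/sbin/sshd
  update-alternatives --set ssh /usr/local/openssh/bin/ssh
  #添加开机启动
  chkconfig --add sshd
  chkconfig --level 2345 sshd on
  chkconfig --list
  # 重启服务并验证 — test the configuration first so a broken sshd_config
  # cannot take the service (and every new remote login) down on restart.
  echo -e "\e[1;35mSSH服务重启并验证...\e[0m"
  if ! /usr/local/openssh/sbin/sshd -t -f /etc/ssh/sshd_config; then
    echo -e "\e[1;31msshd_config 检查失败,未重启sshd,请检查配置后手动重启\e[0m"
    exit 1
  fi
  systemctl restart sshd
  sleep 3
  echo -e "\e[1;35m===================================================更新后openssh版本===================================================\e[0m"
  ssh -V
  # 验证 OpenSSL 版本
  echo -e "OpenSSL版本:$(openssl version)"
  if openssl version &>/dev/null; then
    echo "OpenSSL 可用"
  else
    echo "OpenSSL 不可用"
  fi
  # 更新环境变量
  export PATH=/usr/bin:$PATH
  source /etc/profile
  # 提示用户手动执行 source /etc/profile
  echo -e "\e[1;35m环境变量已更新,如果未生效,请手动执行以下命令以使更改生效:\nsource /etc/profile\e[0m"
  exit 0 # 退出脚本
}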
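#######################################
# Build sudo into /usr/local/sudo and make it the active /usr/bin/sudo via
# update-alternatives.
# Globals:   SudoVersion (read)
# Outputs:   progress to stdout
# Returns:   0 on success; exits 1 on configure/build/install/verify failure
#######################################
update_sudo(){
  local src="/root/sudo-${SudoVersion}"
  local installed
  echo -e "\e[1;35m===================================================升级sudo======================================================\e[0m"
  cd /root/ || exit
  # 解压并编译
  tar -zxvf "${src}.tar.gz" || exit 1
  cd "$src" || exit
  # 配置编译参数 — a failed configure previously surfaced only as a make error.
  ./configure --prefix=/usr/local/sudo --with-pam --with-ldap --with-selinux --with-zlib=/usr/local/zlib || {
    echo -e "\e[1;31mSudo配置失败\e[0m"
    exit 1
  }
  if ! make -j"$(nproc)" || ! make install; then
    echo -e "\e[1;31mSudo编译或安装失败\e[0m"
    exit 1
  fi
  # 删除现有的 /usr/bin/sudo 文件 — only a regular file (the packaged binary)
  # is removed; an existing symlink is left for update-alternatives to manage.
  if [ -f "/usr/bin/sudo" ] && [ ! -L "/usr/bin/sudo" ]; then
    rm -f /usr/bin/sudo
  fi
  # 使用 update-alternatives 管理 sudo
  # NOTE: the distribution's sudo package is not removed, so a later package
  # update may write its own /usr/bin/sudo back over this link.
  update-alternatives --install /usr/bin/sudo sudo /usr/local/sudo/bin/sudo 200
  update-alternatives --set sudo /usr/local/sudo/bin/sudo
  # 验证版本 (third field of "Sudo version X.Y.Z")
  installed=$(sudo -V | grep "Sudo version" | awk '{print $3}')
  if [ "$installed" != "$SudoVersion" ]; then
    echo -e "\e[1;31mSudo版本不匹配,期望$SudoVersion但检测到$installed\e[0m"
    exit 1
  else
    echo -e "\e[1;32mSudo升级成功,版本:$installed\e[0m"
  fi
  sleep 30
}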
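#######################################
# 主函数: run the checks, then the builds in dependency order.
# Globals:   none directly (each step reads the version variables)
# Returns:   does not return normally — update_openssh exits the script
#######################################
main() {
  check_system
  check_openssl_version
  download_files
  # gcc/make and the -devel headers must be present before the first
  # ./configure, so dependency installation runs ahead of the zlib build
  # (it previously ran after it).
  install_dependencies
  update_zlib
  update_openssl
  update_sudo
  # update_openssh ends with "exit 0", so it has to be the last step.
  update_openssh
}
main "$@"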