centos7离线升级openssh9.4包含升级脚本

#!/bin/bash set -e ###########变量区############## file="ssh9.4p1_ssl1.1.1v_rpm_x86_64.tar.gz" BackupDir=/tmp/sshd_backup_`date +%Y%m%d` PatchLog=$BackupDir/ssh_ssl_upgrage.log ExecDir=/tmp/updatessh #影藏版本号(远程登录提示的版本号,可能与“ssh -V”查询的有差异,是否加单引号和双信号都可用) version="OpenSSH_9.4" ########################## function _echo () { local info=$* echo -e "\e[1;33m ${info} \e[0m" |tee -a $PatchLog } function runcheck() { if [ "`id -u`" -ne 0 ] then echo -e "\033[31m"$0:this script must be run as root!" \033[0m" exit 1 elif [ "`uname -p`" != "x86_64" ] then echo -e "\033[31m"$0:this script must be run on x86_64!" \033[0m" exit 1 elif [ "`rpm -q --queryformat '%{VERSION}' centos-release`" != "7" ] then echo -e "\033[31m"$0:this script must be run on centos7.x版本!" \033[0m" exit 1 #编译安装openssl与已有openssl11-libs存在冲突 elif test ! -z "$(rpm -qa | grep openssl11-libs)"; then echo -e "\033[31m"系统已安装openssl11-libs包与当前升级包冲突，可能影响nignx等服务，请手动卸载后继续!" \033[0m" exit 1 #判断^PermitRootLogin是否多行（大于1） elif [ `grep -n '^PermitRootLogin ' /etc/ssh/sshd_config|wc -l` -gt 1 ];then echo -e "\033[31m"注意!经检测配置文件存在多个root远程登录配置参数，查询如下：" \033[0m" grep -n '^PermitRootLogin ' /etc/ssh/sshd_config echo -e "\033[31m"请手动验证后继续!" \033[0m" exit 1 else [ -d $BackupDir ] || mkdir -p $BackupDir >>/dev/null fi } #wget function rpmdown() { [ -d $ExecDir ] || mkdir -p $ExecDir >/dev/null [ -f $ExecDir/$file ] || cp $file $ExecDir if [ $? -eq 0 ] then cd $ExecDir tar -xzvf $file else echo -e "\033[31m"$file download faild,please check!" \033[0m" exit 1 fi } #OpenSSL function install_openssl() { if test ! -z "$(rpm -qa | grep openssl | grep -v libs)"; then ssl_ver=`openssl version|awk '{print $1"-"$2}'` _echo "# `date +%F-%X` uninstall $ssl_ver......" rpm -e `rpm -qa | grep openssl | grep -v libs` --nodeps fi _echo "# `date +%F-%X` install openssl......" rpm -Uvh openssl* --nodeps # cp /etc/ld.so.conf /etc/ld.so.conf.bak # sed -i '/openssl/d' /etc/ld.so.conf # #sed -i 's/openssl-1.1.1h/openssl/g' /etc/ld.so.conf # echo "/usr/local/openssl/lib">> /etc/ld.so.conf # ldconfig # _echo "# `date +%F-%X` openssl upgrade done......" # _echo "# `date +%F-%X` Curren version:" # openssl version|tee -a $PatchLog } #OpenSSH function install_openssh() { _echo "------------------------------------------" _echo "# `date +%F-%X` Stop sshd......" # systemctl stop sshd if systemctl is-active --quiet sshd; then systemctl stop sshd fi _echo "# `date +%F-%X` backup /etc/pam.d/sshd......" cp /etc/pam.d/sshd $BackupDir _echo "# `date +%F-%X` /etc/ssh/sshd_config......" cp /etc/ssh/sshd_config $BackupDir _echo "# `date +%F-%X` uninstall openssh......" rpm -e `rpm -qa | grep openssh` --nodeps _echo "# `date +%F-%X` install openssh......" rpm -Uvh openssh* --nodeps _echo "# `date +%F-%X` chmod 600 /etc/ssh/*_key......" chmod 600 /etc/ssh/*_key _echo "# `date +%F-%X` recover /etc/pam.d/sshd......" \cp $BackupDir/sshd /etc/pam.d/sshd _echo "# `date +%F-%X` recover /etc/ssh/sshd_config......" \cp $BackupDir/sshd_config /etc/ssh/sshd_config _echo "# `date +%F-%X` restart sshd......" systemctl restart sshd _echo "# `date +%F-%X` openssh upgrade done......" _echo "# `date +%F-%X` Curren version:" #ssh -V|tee -a $PatchLog ssh -V _echo "# `date +%F-%X` openssh && openssl update sucess!" ############# ##添加ssh-copy-id 命令(本脚本编译前已添加) ##tar -zxf $file ssh-copy-id && mv ssh-copy-id /usr/bin/ && chmod +x ssh-copy-id #mv ssh-copy-id /usr/bin/ && chmod +x /usr/bin/ssh-copy-id ############# } rpmclear() { rm -rf $ExecDir >/dev/null && _echo "# `date +%F-%X` clear $ExecDir done." } security_reinforce() { ##安全加固 #可手动修改 sshd_config #Ciphers aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected] #kexalgorithms [email protected],ecdh-sha2-nistp384,ecdh-sha2-nistp521 #MACs [email protected],[email protected] #PubkeyAcceptedKeyTypes=+ssh-rsa #rke ssh echo "安全加固配置" if [ `grep '^Ciphers ' /etc/ssh/sshd_config|wc -l` -eq 0 ] then echo "Ciphers aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]" >> /etc/ssh/sshd_config echo -e "\033[32m "Ciphers 加密算法配置添加!!" \033[0m" else echo -e "\033[33m "Ciphers 加密算法已存在，跳过!!" \033[0m" fi if [ `grep '^kexalgorithms ' /etc/ssh/sshd_config|wc -l` -eq 0 ] then echo "kexalgorithms [email protected],ecdh-sha2-nistp384,ecdh-sha2-nistp521" >> /etc/ssh/sshd_config echo -e "\033[32m "Ciphers 密钥交换算法配置添加!!" \033[0m" else echo -e "\033[33m "kexalgorithms 密钥交换算法已存在，跳过!!" \033[0m" fi if [ `grep '^MACs ' /etc/ssh/sshd_config|wc -l` -eq 0 ] then echo "MACs [email protected],[email protected]" >> /etc/ssh/sshd_config echo -e "\033[32m "MACs 消息认证码算法配置添加!!" \033[0m" else echo -e "\033[33m "MACs 消息认证码算法已存在，跳过!!" \033[0m" fi if [ `grep '^PubkeyAcceptedKeyTypes' /etc/ssh/sshd_config|grep 'ssh-rsa'|wc -l` -eq 0 ] then echo "PubkeyAcceptedKeyTypes=+ssh-rsa" >> /etc/ssh/sshd_config echo -e "\033[32m "+ssh-rsa 公钥算法类型配置添加!!" \033[0m" else echo -e "\033[33m "+ssh-rsa 公钥算法类型已存在，跳过!!" \033[0m" fi } PermitRootLogin(){ ##授权（确认root能远程登录再执行,升级为8.6后默认为不允许root登录）(可选项) if [ `grep -n '^PermitRootLogin ' /etc/ssh/sshd_config|wc -l` -eq 0 ] then echo -e "\033[31m"注意!经检测root用户远程登录未配置，root用户无法远程登录!!" \033[0m" while true; do read -p "请确认开启/禁用: root远程登录?[y/n]:" sure case $sure in y|Y|Yes|yes|YES) echo "输入为：$sure，开启root远程登录中...." sed -i '/^#PermitRootLogin/s/#PermitRootLogin .*/PermitRootLogin yes/' /etc/ssh/sshd_config #判断并删除^PermitRootLogin开头行重复值(倒序删除) if [ `grep -n '^PermitRootLogin ' /etc/ssh/sshd_config|wc -l` -gt 1 ];then for i in $(grep -n '^PermitRootLogin' /etc/ssh/sshd_config | sed '1d' | cut -d ':' -f 1|sort -rn) do sed -i "${i}d" /etc/ssh/sshd_config done fi #判断^PermitRootLogin开头行不存在 if [ `grep -n '^PermitRootLogin ' /etc/ssh/sshd_config|wc -l` -eq 0 ];then echo "PermitRootLogin yes" >> /etc/ssh/sshd_config fi systemctl restart sshd echo -e "\033[32m" 开启root远程登录完成,请新开窗口验证后再退出当前终端!!" \033[0m" #break exit 0 ;; n|N|NO|no) echo "输入为: $sure,禁用root远程登录中..." sed -i '/^#PermitRootLogin/s/#PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config #判断并删除^PermitRootLogin开头行重复值(倒序删除) if [ `grep -n '^PermitRootLogin ' /etc/ssh/sshd_config|wc -l` -gt 1 ];then for i in $(grep -n '^PermitRootLogin' /etc/ssh/sshd_config | sed '1d' | cut -d ':' -f 1|sort -rn) do sed -i "${i}d" /etc/ssh/sshd_config done fi #判断^PermitRootLogin开头行不存在 if [ `grep -n '^PermitRootLogin ' /etc/ssh/sshd_config|wc -l` -eq 0 ];then echo "PermitRootLogin no" >> /etc/ssh/