#!/bin/bash
set -e
###########变量区##############
# Upgrade bundle (OpenSSH 9.4p1 + OpenSSL 1.1.1v RPMs); expected in the current directory.
file="ssh9.4p1_ssl1.1.1v_rpm_x86_64.tar.gz"
# Where the original sshd/pam config is copied before anything is replaced.
# NOTE(review): this is a predictable, date-only path under /tmp that the
# script writes to as root; a mktemp -d name would be harder to pre-create.
BackupDir="/tmp/sshd_backup_$(date +%Y%m%d)"
PatchLog="$BackupDir/ssh_ssl_upgrage.log"
# Scratch directory the bundle is copied to and unpacked in.
ExecDir="/tmp/updatessh"
# Banner version string (what a remote client is shown at login; it may differ
# from what "ssh -V" reports; single or double quotes both work here).
# NOTE(review): not referenced anywhere in the visible part of the script.
version="OpenSSH_9.4"
##########################
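# Print a bold-yellow status line and append the same line to $PatchLog.
# Arguments: the message, i.e. all positional parameters joined by spaces.
# printf is used instead of `echo -e` so backslashes inside the message are
# printed literally rather than being re-interpreted as escape sequences.
# If $PatchLog is unset the line is still printed, just not logged.
_echo() {
  local info="$*"
  printf '\033[1;33m %s \033[0m\n' "$info" | tee -a "${PatchLog:-/dev/null}"
}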
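# Pre-flight checks. Exits 1 unless the host matches what the bundled RPMs
# were built for (root, x86_64, CentOS 7, no conflicting openssl11-libs, a
# single active PermitRootLogin line); on success creates $BackupDir.
# Globals read: BackupDir. Side effects: creates $BackupDir.
runcheck() {
  local red='\033[31m' reset='\033[0m'
  local root_login_lines

  if [ "$(id -u)" -ne 0 ]; then
    echo -e "${red}$0:this script must be run as root! ${reset}" >&2
    exit 1
  fi
  if [ "$(uname -p)" != "x86_64" ]; then
    echo -e "${red}$0:this script must be run on x86_64! ${reset}" >&2
    exit 1
  fi
  if [ "$(rpm -q --queryformat '%{VERSION}' centos-release)" != "7" ]; then
    echo -e "${red}$0:this script must be run on centos7.x版本! ${reset}" >&2
    exit 1
  fi
  # The bundled OpenSSL conflicts with an installed openssl11-libs package.
  if rpm -qa | grep -q openssl11-libs; then
    echo -e "${red}系统已安装openssl11-libs包与当前升级包冲突,可能影响nignx等服务,请手动卸载后继续! ${reset}" >&2
    exit 1
  fi
  # More than one active "PermitRootLogin" line: sshd honours the first, so
  # the later edits in this script could silently not take effect. Ask the
  # operator to clean up first. grep -c prints 0 (and exits 1) on no match;
  # a missing file yields an empty string, treated as 0.
  root_login_lines=$(grep -c '^PermitRootLogin ' /etc/ssh/sshd_config 2>/dev/null || true)
  if [ "${root_login_lines:-0}" -gt 1 ]; then
    echo -e "${red}注意!经检测配置文件存在多个root远程登录配置参数,查询如下: ${reset}" >&2
    grep -n '^PermitRootLogin ' /etc/ssh/sshd_config >&2
    echo -e "${red}请手动验证后继续! ${reset}" >&2
    exit 1
  fi
  # $BackupDir is a predictable path under /tmp written as root: refuse to
  # follow a pre-existing symlink (or any non-directory) planted there.
  if [ -L "$BackupDir" ] || { [ -e "$BackupDir" ] && [ ! -d "$BackupDir" ]; }; then
    echo -e "${red}$0:$BackupDir exists and is not a directory, refusing to use it! ${reset}" >&2
    exit 1
  fi
  [ -d "$BackupDir" ] || mkdir -p -- "$BackupDir"
}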
# Stage the upgrade bundle. Despite the old "wget" label nothing is downloaded:
# $file is copied from the current directory into $ExecDir and unpacked there.
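# Stage the upgrade bundle: copy $file from the current directory into
# $ExecDir, check it against an optional "<file>.sha256" sidecar, unpack it
# and leave the shell inside $ExecDir (later steps use relative "openssl*" /
# "openssh*" globs, so the cd is part of the contract).
# Globals read: file, ExecDir. Exits 1 when the bundle cannot be staged.
rpmdown() {
  local expected actual
  # $ExecDir is a fixed path under /tmp used as root: do not follow a symlink.
  if [ -L "$ExecDir" ]; then
    echo -e "\033[31m$ExecDir is a symlink,refusing to unpack there! \033[0m" >&2
    exit 1
  fi
  [ -d "$ExecDir" ] || mkdir -p -- "$ExecDir"
  if [ ! -f "$ExecDir/$file" ]; then
    if ! cp -- "$file" "$ExecDir"; then
      echo -e "\033[31m$file download faild,please check! \033[0m" >&2
      exit 1
    fi
  fi
  # Optional integrity check: when the operator ships "<file>.sha256" next to
  # the bundle (sha256sum output format, first field is the digest), it must
  # match before anything is unpacked and later installed as root.
  if [ -f "$file.sha256" ]; then
    expected=$(cut -d ' ' -f1 -- "$file.sha256")
    actual=$(sha256sum -- "$ExecDir/$file" | cut -d ' ' -f1)
    if [ -z "$expected" ] || [ "$expected" != "$actual" ]; then
      echo -e "\033[31m$file sha256 mismatch,refusing to unpack! \033[0m" >&2
      exit 1
    fi
  fi
  cd -- "$ExecDir" || exit 1
  tar -xzvf "$file"
}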
#OpenSSL
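# Replace the distribution OpenSSL packages with the bundled RPMs.
# Expects to run inside $ExecDir (rpmdown() leaves the shell there), where the
# unpacked "openssl*" RPMs live. Uses _echo for progress lines.
# NOTE(review): both rpm calls use --nodeps, so rpm's dependency checks are
# bypassed; compatibility with the rest of the system comes from the bundle,
# not from anything verified here.
install_openssl() {
  local ssl_ver
  local -a installed
  # Only packages whose NAME starts with "openssl" (openssl, openssl-devel,
  # ...). The previous unanchored grep also matched unrelated packages that
  # merely contain the word (e.g. xmlsec1-openssl) and removed them too.
  # openssl-libs is deliberately kept: it is what the rest of the box links
  # against.
  mapfile -t installed < <(rpm -qa | grep '^openssl' | grep -v libs || true)
  if [ "${#installed[@]}" -gt 0 ]; then
    ssl_ver=$(openssl version | awk '{print $1"-"$2}')
    _echo "# $(date +%F-%X) uninstall $ssl_ver......"
    rpm -e --nodeps "${installed[@]}"
  fi
  _echo "# $(date +%F-%X) install openssl......"
  rpm -Uvh --nodeps openssl*
  # The manual /etc/ld.so.conf edits that used to follow are disabled here:
  # cp /etc/ld.so.conf /etc/ld.so.conf.bak
  # sed -i '/openssl/d' /etc/ld.so.conf
  # echo "/usr/local/openssl/lib">> /etc/ld.so.conf
  # ldconfig
  # _echo "# `date +%F-%X` openssl upgrade done......"
  # _echo "# `date +%F-%X` Curren version:"
  # openssl version|tee -a $PatchLog
}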
#OpenSSH
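# Swap the distribution OpenSSH packages for the bundled RPMs while keeping
# the host's own /etc/ssh/sshd_config and /etc/pam.d/sshd.
# Expects to run inside $ExecDir (rpmdown() leaves the shell there).
# Globals read: BackupDir. Side effects: stops/restarts sshd, removes and
# installs packages, rewrites the two config files, chmods the host keys.
# Ordering is deliberate: sshd is only stopped once the replacement RPMs are
# known to be present, and it is only restarted on a config the NEW sshd
# accepts -- a failure in between would otherwise leave a remote host with
# no sshd at all.
install_openssh() {
  local -a rpms=(openssh*)
  local -a installed
  local sshd_bin
  sshd_bin=$(command -v sshd || echo /usr/sbin/sshd)

  _echo "------------------------------------------"
  # Abort BEFORE touching sshd if the bundle carries no openssh packages.
  if [ ! -e "${rpms[0]}" ]; then
    _echo "# $(date +%F-%X) no openssh* package found in $PWD, aborting before touching sshd"
    exit 1
  fi
  _echo "# $(date +%F-%X) backup /etc/pam.d/sshd......"
  cp -- /etc/pam.d/sshd "$BackupDir"
  _echo "# $(date +%F-%X) /etc/ssh/sshd_config......"
  cp -- /etc/ssh/sshd_config "$BackupDir"
  _echo "# $(date +%F-%X) Stop sshd......"
  if systemctl is-active --quiet sshd; then
    systemctl stop sshd
  fi
  _echo "# $(date +%F-%X) uninstall openssh......"
  # Anchored on the package name; an empty result no longer turns into a bare
  # "rpm -e --nodeps" (which fails and, under set -e, aborts with sshd stopped).
  mapfile -t installed < <(rpm -qa | grep '^openssh' || true)
  if [ "${#installed[@]}" -gt 0 ]; then
    rpm -e --nodeps "${installed[@]}"
  fi
  _echo "# $(date +%F-%X) install openssh......"
  rpm -Uvh --nodeps "${rpms[@]}"
  _echo "# $(date +%F-%X) chmod 600 /etc/ssh/*_key......"
  chmod 600 /etc/ssh/*_key
  # Keep the config the new package just wrote: it is the fallback if the
  # restored (pre-upgrade) config is rejected by the new sshd.
  cp -- /etc/ssh/sshd_config "$BackupDir/sshd_config.pkg"
  _echo "# $(date +%F-%X) recover /etc/pam.d/sshd......"
  \cp -- "$BackupDir/sshd" /etc/pam.d/sshd
  _echo "# $(date +%F-%X) recover /etc/ssh/sshd_config......"
  \cp -- "$BackupDir/sshd_config" /etc/ssh/sshd_config
  # The restored file was written for the old sshd. If the new binary rejects
  # it, put the package default back so the host stays reachable, and stop so
  # the operator can merge the two by hand.
  if ! "$sshd_bin" -t; then
    \cp -- "$BackupDir/sshd_config.pkg" /etc/ssh/sshd_config
    systemctl restart sshd
    _echo "# $(date +%F-%X) new sshd rejected the restored sshd_config; package default installed instead, original kept as $BackupDir/sshd_config -- merge by hand"
    exit 1
  fi
  _echo "# $(date +%F-%X) restart sshd......"
  systemctl restart sshd
  _echo "# $(date +%F-%X) openssh upgrade done......"
  _echo "# $(date +%F-%X) Curren version:"
  ssh -V
  _echo "# $(date +%F-%X) openssh && openssl update sucess!"
  #############
  ## ssh-copy-id: per the original note it was added to the bundle before it
  ## was built, so nothing is done here. The old manual steps were:
  ##tar -zxf $file ssh-copy-id && mv ssh-copy-id /usr/bin/ && chmod +x ssh-copy-id
  #mv ssh-copy-id /usr/bin/ && chmod +x /usr/bin/ssh-copy-id
  #############
}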
rpmclear()
{
rm -rf $ExecDir >/dev/null && _echo "# `date +%F-%X` clear $ExecDir done."
}
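# Append a hardening baseline to sshd_config for every directive not already
# present: Ciphers, kexalgorithms, MACs and "PubkeyAcceptedKeyTypes=+ssh-rsa".
# Arguments: $1 - config file to edit (default /etc/ssh/sshd_config; the
#            optional argument keeps the existing no-argument callers working).
# Returns: 0 on success; 1 if "sshd -t" rejects the result, in which case the
#          pre-change copy ("<cfg>.pre-reinforce") is put back first, so a bad
#          algorithm list can never be left on disk for the next sshd restart.
#
# NOTE(review): in this copy of the script the algorithm names read
# "[email protected]" and the kexalgorithms/MACs values sat on the line after
# the keyword. That looks like an extraction / e-mail-obfuscation artifact
# rather than the author's text: sshd expects "<Keyword> <comma,list>" on ONE
# line with real names carrying an "@openssh.com"-style suffix. Put the
# intended names into the three variables below before relying on this; as
# written, the sshd -t guard rejects and rolls back the change.
# NOTE(review): "+ssh-rsa" re-enables RSA/SHA-1 public-key signatures that
# OpenSSH disables by default. The original comment ties it to rke; it weakens
# the baseline, so drop it if no legacy client needs it.
security_reinforce() {
  local cfg="${1:-/etc/ssh/sshd_config}"
  local saved="$cfg.pre-reinforce"
  local ciphers='aes128-ctr,aes192-ctr,aes256-ctr,[email protected],[email protected]'
  local kex='[email protected],ecdh-sha2-nistp384,ecdh-sha2-nistp521'
  local macs='[email protected],[email protected]'
  local sshd_bin
  sshd_bin=$(command -v sshd || echo /usr/sbin/sshd)

  echo "安全加固配置"
  cp -p -- "$cfg" "$saved"
  # Make sure an appended directive starts on its own line even when the
  # file has no trailing newline.
  [ -z "$(tail -c1 -- "$cfg")" ] || echo >> "$cfg"

  # sshd keywords are case-insensitive, so an existing "KexAlgorithms ..."
  # counts as already configured (the old case-sensitive grep missed it).
  if ! grep -qi '^Ciphers[[:space:]]' "$cfg"; then
    echo "Ciphers $ciphers" >> "$cfg"
    echo -e "\033[32m Ciphers 加密算法配置添加!! \033[0m"
  else
    echo -e "\033[33m Ciphers 加密算法已存在,跳过!! \033[0m"
  fi
  if ! grep -qi '^kexalgorithms[[:space:]]' "$cfg"; then
    echo "kexalgorithms $kex" >> "$cfg"
    echo -e "\033[32m kexalgorithms 密钥交换算法配置添加!! \033[0m"
  else
    echo -e "\033[33m kexalgorithms 密钥交换算法已存在,跳过!! \033[0m"
  fi
  if ! grep -qi '^MACs[[:space:]]' "$cfg"; then
    echo "MACs $macs" >> "$cfg"
    echo -e "\033[32m MACs 消息认证码算法配置添加!! \033[0m"
  else
    echo -e "\033[33m MACs 消息认证码算法已存在,跳过!! \033[0m"
  fi
  if ! grep -i '^PubkeyAcceptedKeyTypes' "$cfg" | grep -q 'ssh-rsa'; then
    echo "PubkeyAcceptedKeyTypes=+ssh-rsa" >> "$cfg"
    echo -e "\033[32m +ssh-rsa 公钥算法类型配置添加!! \033[0m"
  else
    echo -e "\033[33m +ssh-rsa 公钥算法类型已存在,跳过!! \033[0m"
  fi

  # Validate before anyone restarts sshd; roll back on rejection.
  if ! "$sshd_bin" -t -f "$cfg"; then
    \cp -p -- "$saved" "$cfg"
    echo -e "\033[31m sshd -t rejected $cfg, change rolled back from $saved \033[0m" >&2
    return 1
  fi
  rm -f -- "$saved"
}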
PermitRootLogin(){
##授权(确认root能远程登录再执行,升级为8.6后默认为不允许root登录)(可选项)
if [ `grep -n '^PermitRootLogin ' /etc/ssh/sshd_config|wc -l` -eq 0 ]
then
echo -e "\033[31m"注意!经检测root用户远程登录未配置,root用户无法远程登录!!" \033[0m"
while true; do
read -p "请确认开启/禁用: root远程登录?[y/n]:" sure
case $sure in
y|Y|Yes|yes|YES)
echo "输入为:$sure,开启root远程登录中...."
sed -i '/^#PermitRootLogin/s/#PermitRootLogin .*/PermitRootLogin yes/' /etc/ssh/sshd_config
#判断并删除^PermitRootLogin开头行重复值(倒序删除)
if [ `grep -n '^PermitRootLogin ' /etc/ssh/sshd_config|wc -l` -gt 1 ];then
for i in $(grep -n '^PermitRootLogin' /etc/ssh/sshd_config | sed '1d' | cut -d ':' -f 1|sort -rn)
do
sed -i "${i}d" /etc/ssh/sshd_config
done
fi
#判断^PermitRootLogin开头行不存在
if [ `grep -n '^PermitRootLogin ' /etc/ssh/sshd_config|wc -l` -eq 0 ];then
echo "PermitRootLogin yes" >> /etc/ssh/sshd_config
fi
systemctl restart sshd
echo -e "\033[32m" 开启root远程登录完成,请新开窗口验证后再退出当前终端!!" \033[0m"
#break
exit 0
;;
n|N|NO|no)
echo "输入为: $sure,禁用root远程登录中..."
sed -i '/^#PermitRootLogin/s/#PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config
#判断并删除^PermitRootLogin开头行重复值(倒序删除)
if [ `grep -n '^PermitRootLogin ' /etc/ssh/sshd_config|wc -l` -gt 1 ];then
for i in $(grep -n '^PermitRootLogin' /etc/ssh/sshd_config | sed '1d' | cut -d ':' -f 1|sort -rn)
do
sed -i "${i}d" /etc/ssh/sshd_config
done
fi
#判断^PermitRootLogin开头行不存在
if [ `grep -n '^PermitRootLogin ' /etc/ssh/sshd_config|wc -l` -eq 0 ];then
echo "PermitRootLogin no" >> /etc/ssh/