文章目录
- debian12 - openssh-9.6.P1的编译安装
- 概述
- 笔记
- 备注
- END
debian12 - openssh-9.6.P1的编译安装
概述
在debian12上, 源码编译安装了openssl3.2
导致ssh失败.
lostspeed@debian12d4x64:~$ openssl version
OpenSSL 3.2.0 23 Nov 2023 (Library: OpenSSL 3.2.0 23 Nov 2023)
lostspeed@debian12d4x64:~$ ssh -V
OpenSSL version mismatch. Built against 300000a0, you have 30200000
因为ssh用的openssl版本是3.0, 和openssl3.2有冲突.
我现在再学openssl3.2, 又不能降版本.
那现在怎么配置debian12都没用, openssl3.2 和 SSH水火不容.
只能是重新从源码编译安装openssh.
笔记
openssh的库地址 https://github.com/openssh/openssh-portable.git
迁出到本地, 然后迁出到最新的稳定版(openssh-9.6.P1)
用7z压缩成.tar
设置debian12虚拟机的虚拟目录, 拷贝到虚拟机中.
如果虚拟机中没有挂在的虚拟目录, 执行下面的脚本
sudo umount /mnt/hgfs
lostspeed@debian12d4x64:~$ id
uid=1000(lostspeed) gid=1000(lostspeed) 组=1000(lostspeed),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),100(users),106(netdev),111(bluetooth),113(lpadmin),116(scanner)
sudo /usr/bin/vmhgfs-fuse .host:/ /mnt/hgfs -o allow_other -o uid=1000 -o gid=1000 -o umask=022
sudo /usr/bin/vmhgfs-fuse .host:/ /mnt/hgfs -o nonempty -o allow_other -o uid=1000 -o gid=1000 -o umask=022
进入home目录, 开始干活
cd /home/lostspeed
mkdir ./openssh
cd ./openssh
cp /mnt/hgfs/crypt/openssh-portable.tar .
tar -xf ./openssh-portable.tar
开始编译安装
cd ./openssh-portable/
autoreconf
./configure
# 报错, 说openssl头文件和库文件版本对不上, 根据日志config.log, 看到检查 opensslv.h 版本不对.
# 因为debian12默认的openssl版本低, 所以要找出哪个头目录是openssl旧版本的.
sudo find / -name 'opensslv.h'
找到/usr/include/openssl/是旧的openssl头文件目录.
改名
cd /usr/include/
sudo mv ./openssl ./openssl_old
再重新运行自动配置和配置
cd /home/lostspeed/openssh/openssh-portable
checking for openssl... /usr/local/ssl/bin/openssl
checking for openssl/opensslv.h... no
configure: error: *** OpenSSL headers missing - please install first or check config.log ***
最后才试错出来, 因为openssh不知道openssl安装后的目录在哪里, 所以要 ./configure --with-ssl-dir=/usr/local/ssl 指定openssl的目录才行.
如果看到有旧的openssl, 就做一个软连接, 指向自己从源码编译安装的 /usr/local/ssl/bin/openssl
如果自己编译安装后的新版openssl不在PATH中, 需要自己将路径加入PATH中
lostspeed@debian12d4x64:~$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/games:/usr/games:/snap/bin:/usr/local/ssl/bin
如果发现有旧版的头文件目录, 做软连接, 指向自己的新版openssl
lostspeed@debian12d4x64:~$ ls -l /usr/include/openssl
lrwxrwxrwx 1 root root 22 Feb 6 17:52 /usr/include/openssl -> /usr/local/ssl/include
尝试将openssl头文件目录拷贝到openssh目录
pwd
/home/lostspeed/openssh/openssh-portable
cp -r /usr/local/ssl/include/openssl .
autoreconf
./configure --with-ssl-dir=/usr/local/ssl
这回成功了!!!
OpenSSH has been configured with the following options:
User binaries: /usr/local/bin
System binaries: /usr/local/sbin
Configuration files: /usr/local/etc
Askpass program: /usr/local/libexec/ssh-askpass
Manual pages: /usr/local/share/man/manX
PID file: /var/run
Privilege separation chroot path: /var/empty
sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
Manpage format: doc
PAM support: no
OSF SIA support: no
KerberosV support: no
SELinux support: no
libedit support: no
libldns support: no
Solaris process contract support: no
Solaris project support: no
Solaris privilege support: no
IP address in $DISPLAY hack: no
Translate v4 in v6 hack: yes
BSD Auth support: no
Random number source: OpenSSL internal ONLY
Privsep sandbox style: seccomp_filter
PKCS#11 support: yes
U2F/FIDO support: yes
Host: x86_64-pc-linux-gnu
Compiler: cc
Compiler flags: -g -O2 -pipe -Wno-error=format-truncation -Wall -Wextra -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-parameter -Wno-unused-result -Wimplicit-fallthrough -Wmisleading-indentation -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fzero-call-used-regs=used -ftrivial-auto-var-init=zero -fno-builtin-memset -fstack-protector-strong -fPIE
Preprocessor flags: -I/usr/local/ssl/include -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE -D_GNU_SOURCE -DOPENSSL_API_COMPAT=0x10100000L
Linker flags: -L/usr/local/ssl/lib64 -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -pie
Libraries:
+for channels: -lcrypto -lz
+for sshd: -lcrypt
openssl 测试, 安装
make
make tests
sudo make install
# 安装位置
/usr/bin/install -c -m 0755 -s ssh /usr/local/bin/ssh
ssh -v 正常运行
lostspeed@debian12d4x64:~$ ssh -V
OpenSSH_9.6p1, OpenSSL 3.2.0 23 Nov 2023
可以看到, 自己编译安装的openssh用的openssl是最新版的openssl3.2
测试
sshd -t
lostspeed@debian12d4x64:~$
OpenSSL version mismatch. Built against 300000a0, you have 30200000
lostspeed@debian12d4x64:~$ /usr/local/sbin/sshd
sshd: no hostkeys available -- exiting.
lostspeed@debian12d4x64:~$ /usr/local/sbin/sshd --help
unknown option -- -
OpenSSH_9.6p1, OpenSSL 3.2.0 23 Nov 2023
usage: sshd [-46DdeGiqTtV] [-C connection_spec] [-c host_cert_file]
[-E log_file] [-f config_file] [-g login_grace_time]
[-h host_key_file] [-o option] [-p port] [-u len]
lostspeed@debian12d4x64:~$
可以看到, 可能是旧版的sshd引起ssh启动失败.
将旧版sshd备份掉, 做一个新版的sshd软链接代替.
sudo mv /usr/sbin/sshd /usr/sbin/sshd.old.bk
sudo ln -s /usr/local/sbin/sshd /usr/sbin/sshd
sshd好使了
lostspeed@debian12d4x64:~$ ssh -V
OpenSSH_9.6p1, OpenSSL 3.2.0 23 Nov 2023
lostspeed@debian12d4x64:~$ sshd -V
OpenSSH_9.6p1, OpenSSL 3.2.0 23 Nov 2023
sudo systemctl enable ssh
sudo systemctl start ssh
lostspeed@debian12d4x64:~$ sudo systemctl start ssh
Job for ssh.service failed because a timeout was exceeded.
See "systemctl status ssh.service" and "journalctl -xeu ssh.service" for details.
修改配置试试.
// 手工启动服务到后台
systemctl restart sshd &
sudo systemctl status ssh
好像可以了
重启后, 查看状态, ssh服务正常
lostspeed@debian12d4x64:~$ sudo systemctl status ssh
[sudo] lostspeed 的密码:
● ssh.service - OpenBSD Secure Shell server
Loaded: loaded (/lib/systemd/system/ssh.service; enabled; preset: enabled)
Active: activating (start) since Tue 2024-02-06 19:40:31 CST; 40s ago
Docs: man:sshd(8)
man:sshd_config(5)
Process: 726 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
Main PID: 756 (sshd)
Tasks: 1 (limit: 2244)
Memory: 2.6M
CPU: 18ms
CGroup: /system.slice/ssh.service
└─756 "sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups"
2月 06 19:40:31 debian12d4x64 systemd[1]: Starting ssh.service - OpenBSD Secure Shell server...
2月 06 19:40:31 debian12d4x64 sshd[756]: Server listening on 0.0.0.0 port 22.
2月 06 19:40:31 debian12d4x64 sshd[756]: Server listening on :: port 22.
在win10中用WindTerm链接debian12正常.
备注
这次实验有点乱, 不过能用了, 先这样.
已经做了vmware16的还原点.
用SSH客户端去连debian12, 感觉舒服多了.
