Ubuntu20.04版本升级openssh9.9p1方法(含脚本)

2025-08-07 14:56:23 jing123456

1.安装编译依赖包

# Toolchain (gcc, make) plus the zlib, PAM, Kerberos and libedit development packages.
apt install gcc make zlib1g-dev libpam0g-dev libkrb5-dev libedit-dev -y

2.先升级openssl,再升级openssh

ubuntu20.04 默认openssl版本:OpenSSL 1.1.1f

(我这是22.04)

image.png

3.下载OpenSSL

访问openssl官网:https://www.openssl.org/source/
找到最新版本,通过wget下载;下载后建议用 sha256sum 对照发布页提供的校验值核对压缩包。

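# Save the tarball in /usr/local/src/, which is where the extraction step below looks for it.
wget -P /usr/local/src/ https://github.com/openssl/openssl/releases/download/openssl-3.3.1/openssl-3.3.1.tar.gz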

注意:由于OpenSSL 1.1.x版本已停止维护,ubuntu20.04.x系统建议都使用目前长期支持版

下载最新版ssl和sshd

image.png

# Unpack the OpenSSL source, then configure a shared-library build that
# installs under /usr/local/openssl.
cd /usr/local/src/
tar -xf openssl-3.3.1.tar.gz
cd openssl-3.3.1/
./config shared \
    --prefix=/usr/local/openssl \
    --openssldir=/usr/local/openssl

image.png

编译安装

# Build, and install only if the build succeeded.
make&&make install

编译安装需要运行一段时间;完成后执行 echo $? 查看是否执行成功(输出 0 表示成功)。

image.png

备份原来的openssl

# Keep the distribution binary as openssl.bak, then point /usr/bin/openssl
# at the newly installed build.
mv /usr/bin/openssl /usr/bin/openssl.bak
ln -s /usr/local/openssl/bin/openssl /usr/bin/openssl

将openssl的lib库路径添加到系统的动态库搜索配置中(路径 '/usr/local/openssl/lib64' 需用单引号括起)

# OpenSSL 1.x.x uses /usr/local/openssl/lib/ as the library path instead:
#   echo '/usr/local/openssl/lib' > /etc/ld.so.conf.d/openssl.conf
printf '%s\n' '/usr/local/openssl/lib64' > /etc/ld.so.conf.d/openssl.conf

然后加载lib库

# Rebuild the dynamic linker cache so the directory added above is searched (-v: verbose).
ldconfig -v

检查openssl版本(执行 openssl version)

image.png

4.下载OpenSSH包

访问链接:https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/ ,通过wget下载OpenSSH_9.9p1

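# Save the tarball in /usr/local/src/, which is where the extraction step below looks for it.
wget -P /usr/local/src/ https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.9p1.tar.gz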

备份文件

# Copy the current client tools and the daemon aside before they are overwritten.
mkdir /usr/bin/bak
for tool in scp sftp ssh ssh-add ssh-agent ssh-keygen ssh-keyscan; do
    cp -arpf "/usr/bin/${tool}" "/usr/bin/bak/${tool}.bak"
done
mkdir /usr/sbin/bak
cp -arpf /usr/sbin/sshd /usr/sbin/bak/sshd.bak

进入openssh-9.9p1目录,执行编译安装命令

# Unpack OpenSSH and build it against the OpenSSL installed under
# /usr/local/openssl, keeping the configuration directory at /etc/ssh.
cd /usr/local/src/
tar -xzf openssh-9.9p1.tar.gz
cd /usr/local/src/openssh-9.9p1
./configure \
    --prefix=/usr/local/openssh-9.9p1 \
    --sysconfdir=/etc/ssh \
    --with-kerberos5 \
    --with-libedit \
    --with-pam \
    --with-gssapi \
    --with-zlib \
    --with-ssl-dir=/usr/local/openssl \
    --with-privsep-path=/var/lib/sshd
make && make install

替换新版openssh命令

# Overwrite the system client tools and daemon with the freshly built ones.
for d in bin sbin; do
    cp -arpf /usr/local/openssh-9.9p1/"$d"/* "/usr/$d/"
done

修改配置文件

# Replace the commented-out "PermitRootLogin prohibit-password" line with an
# active "PermitRootLogin yes", which lets root authenticate with a password.
# NOTE(review): skip this step if key-based root login is sufficient.
sed -i 's@#PermitRootLogin prohibit-password@PermitRootLogin yes@g' /etc/ssh/sshd_config

上面的sed命令把PermitRootLogin改为yes,即允许root用密码远程登录(如只需密钥登录,可保留默认的prohibit-password);然后重启ssh。重启期间请保留当前已登录的会话,确认新连接可用后再退出。

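systemctl daemon-reload
# Check the configuration with the newly installed sshd first and restart
# only if it parses; a rejected config would otherwise take the service down.
/usr/sbin/sshd -t && systemctl restart ssh
ssh -V   # print the installed OpenSSH version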

注:遇到如下编译问题

解决方法:

安装依赖包

# Same dependency set as step 1: toolchain plus zlib, PAM, Kerberos and libedit development packages.
apt install gcc make zlib1g-dev libpam0g-dev libkrb5-dev libedit-dev -y

5.脚本一键升级

#!/bin/bash

# Automated OpenSSL + OpenSSH upgrade script.
# Intended for Ubuntu 20.04 / 22.04.

# Abort as soon as any command exits non-zero.
set -o errexit

# ANSI colour codes, kept as literal backslash sequences; `echo -e` turns
# them into real escapes when a message is printed.
NC='\033[0m'            # reset / no colour
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[0;33m'

# Refuse to continue unless the script runs as root (uid 0).
if (( $(id -u) != 0 )); then
    echo -e "${RED}请使用root用户运行此脚本!${NC}"
    exit 1
fi

# Pinned release versions; both download URLs are derived from them.
# NOTE(review): check the upstream release pages for newer patch releases
# before running, since these values are fixed at the time of writing.
OPENSSL_VERSION='3.3.1'
OPENSSH_VERSION='9.9p1'
OPENSSH_URL="https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-${OPENSSH_VERSION}.tar.gz"
OPENSSL_URL="https://github.com/openssl/openssl/releases/download/openssl-${OPENSSL_VERSION}/openssl-${OPENSSL_VERSION}.tar.gz"

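# Make sure every build dependency is installed, installing the missing
# ones, then confirm that gcc can actually be found on PATH.
# Globals:   RED, GREEN, YELLOW, NC (read)
# Arguments: none
# Outputs:   progress and error messages on stdout
# Returns:   0 on success; exits 1 if installation or the gcc repair fails
check_dependencies() {
    echo -e "${YELLOW}检查并安装编译依赖包...${NC}"
    local deps=("gcc" "make" "zlib1g-dev" "libpam0g-dev" "libkrb5-dev" "libedit-dev" "wget")
    local missing_deps=()
    local dep status

    # Ask dpkg about each package by its exact name. Matching `dpkg -l`
    # output by prefix would accept a different package whose name merely
    # starts with the same letters (for example gcc-10-base for gcc).
    for dep in "${deps[@]}"; do
        status=$(dpkg-query -W -f='${Status}' "$dep" 2>/dev/null) || status=""
        case "$status" in
            *"install ok installed"*) ;;
            *) missing_deps+=("$dep") ;;
        esac
    done

    # Install whatever is missing; apt-get is used because its command-line
    # interface is the one intended for scripts.
    if [ "${#missing_deps[@]}" -gt 0 ]; then
        echo -e "${YELLOW}安装缺失的依赖包: ${missing_deps[*]}${NC}"
        if ! { apt-get update && apt-get install -y "${missing_deps[@]}"; }; then
            echo -e "${RED}依赖安装失败!请手动执行: apt install -y ${missing_deps[*]}${NC}"
            exit 1
        fi
    fi

    # Second check: the compiler must be runnable, not just registered.
    if ! command -v gcc &>/dev/null; then
        echo -e "${RED}编译器 gcc 不可用!尝试修复...${NC}"
        if ! apt-get install -y --reinstall gcc; then
            echo -e "${RED}修复失败!请检查系统环境。${NC}"
            exit 1
        fi
    fi
    echo -e "${GREEN}所有依赖已验证可用。${NC}"
}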

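# Ensure a directory exists, creating it (and any parents) when absent.
# Globals:   RED, YELLOW, NC (read)
# Arguments: $1 - directory path
# Outputs:   progress and error messages on stdout
# Returns:   0 when the directory exists afterwards; exits 1 if mkdir fails
check_workdir() {
    local dir="$1"

    if [ -d "$dir" ]; then
        return 0
    fi

    echo -e "${YELLOW}创建目录: $dir${NC}"
    # Test mkdir directly: with `set -e` active, a separate `$?` check placed
    # after a failed mkdir never runs, so the error message would be lost.
    if ! mkdir -p -- "$dir"; then
        echo -e "${RED}创建目录 $dir 失败!${NC}"
        exit 1
    fi
}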

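# Copy a file or directory to a backup location, preserving attributes.
# A missing source is reported and skipped rather than treated as an error.
# Globals:   RED, YELLOW, NC (read)
# Arguments: $1 - source path
#            $2 - destination path (overwritten if it already exists)
# Outputs:   progress, warning and error messages on stdout
# Returns:   0 on success or skip; exits 1 if the copy fails
backup_file() {
    local src="$1"
    local dest="$2"

    if [ ! -e "$src" ]; then
        echo -e "${YELLOW}警告: 源文件 $src 不存在,跳过备份${NC}"
        return 0
    fi

    echo -e "${YELLOW}备份文件 $src 到 $dest${NC}"
    # -a already implies recursive copy and attribute preservation. The copy
    # is tested directly because, with `set -e` active, a separate `$?` check
    # after a failed cp would never be reached.
    if ! cp -af -- "$src" "$dest"; then
        echo -e "${RED}备份 $src 失败!${NC}"
        exit 1
    fi
}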

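# Download a file unless it is already present, optionally verifying it.
# The transfer keeps wget's TLS certificate verification enabled: the
# tarballs fetched here are compiled and installed as root, so the server
# identity must be checked. TLS only authenticates the host; pass the digest
# published by the project as $3 to check the file contents as well.
# Globals:   RED, GREEN, YELLOW, NC (read)
# Arguments: $1 - source URL
#            $2 - destination path
#            $3 - optional expected SHA-256 hex digest of the file
# Outputs:   progress and error messages on stdout
# Returns:   0 on success or when the file already exists; exits 1 if the
#            download fails or the digest does not match
download_file() {
    local url="$1"
    local dest="$2"
    local expected_sha256="${3:-}"
    local partial="${dest}.part"
    local actual

    if [ -f "$dest" ]; then
        echo -e "${GREEN}文件已存在: $dest,跳过下载${NC}"
    else
        echo -e "${YELLOW}下载文件: $url${NC}"
        # Fetch into a temporary name so an interrupted transfer is never
        # mistaken for a complete file by the existence check on a later run.
        if ! wget -O "$partial" "$url"; then
            rm -f -- "$partial"
            echo -e "${RED}下载 $url 失败!${NC}"
            exit 1
        fi
        mv -f -- "$partial" "$dest"
    fi

    # Optional integrity check, applied to freshly downloaded and to
    # previously existing files alike.
    if [ -n "$expected_sha256" ]; then
        actual=$(sha256sum -- "$dest") || actual=""
        actual=${actual%% *}
        if [ "${actual,,}" != "${expected_sha256,,}" ]; then
            echo -e "${RED}校验失败: $dest 的SHA256与期望值不一致!${NC}"
            exit 1
        fi
    fi
}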

# Report on the exit status of the command that ran immediately before this
# call: print a success line when it was 0, otherwise print an error and
# exit 1.
# Globals:   RED, GREEN, NC (read)
check_result() {
    local rc=$?   # capture first; any other command would overwrite $?
    if [ "$rc" -eq 0 ]; then
        echo -e "${GREEN}操作成功完成!${NC}"
        return
    fi
    echo -e "${RED}上一步操作失败!${NC}"
    exit 1
}

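# Entry point: install build dependencies, back up the current OpenSSL and
# OpenSSH files, build and install OpenSSL then OpenSSH from source, copy the
# new OpenSSH binaries over the system ones, and restart the ssh service.
# Globals:   OPENSSL_VERSION, OPENSSH_VERSION, OPENSSL_URL, OPENSSH_URL,
#            RED, GREEN, YELLOW, NC (read); WORK_DIR (written)
# Arguments: none
# Returns:   0 on success; exits non-zero on the first failing step
main() {
    # Toolchain and development headers.
    check_dependencies

    # Tarballs are downloaded, unpacked and built under this directory.
    WORK_DIR="/usr/local/src"
    check_workdir "$WORK_DIR"
    cd "$WORK_DIR"

    # Back up the SSH configuration directory and the current openssl binary.
    # NOTE(review): backup_file overwrites its destination, so running this
    # script a second time replaces the backups with the upgraded files.
    echo -e "${YELLOW}备份当前openssl和openssh配置...${NC}"
    check_workdir "/etc/ssh.bak"
    check_workdir "/usr/bin/bak"
    check_workdir "/usr/sbin/bak"

    backup_file "/etc/ssh" "/etc/ssh.bak"
    backup_file "/usr/bin/openssl" "/usr/bin/openssl.bak"

    # ---- OpenSSL ----
    echo -e "${YELLOW}开始升级OpenSSL...${NC}"
    download_file "$OPENSSL_URL" "openssl-${OPENSSL_VERSION}.tar.gz"

    # Skip extraction when the source tree is already unpacked.
    if [ ! -d "openssl-${OPENSSL_VERSION}" ]; then
        tar xf "openssl-${OPENSSL_VERSION}.tar.gz"
        check_result
    fi

    cd "openssl-${OPENSSL_VERSION}"

    ./config shared --prefix=/usr/local/openssl --openssldir=/usr/local/openssl
    make -j"$(nproc)"
    make install
    check_result

    # Point /usr/bin/openssl at the new build (the old binary was backed up above).
    ln -sf /usr/local/openssl/bin/openssl /usr/bin/openssl
    check_result

    # Register the new library directory with the dynamic linker.
    # NOTE(review): this puts the new libssl/libcrypto on the system-wide
    # loader path; presumably other programs that link the same library
    # version will pick them up too. Confirm that is intended.
    echo "/usr/local/openssl/lib64" > /etc/ld.so.conf.d/openssl.conf
    ldconfig -v
    check_result

    echo -e "${GREEN}OpenSSL新版本:${NC}"
    openssl version

    # ---- OpenSSH ----
    echo -e "${YELLOW}开始升级OpenSSH...${NC}"
    cd "$WORK_DIR"
    download_file "$OPENSSH_URL" "openssh-${OPENSSH_VERSION}.tar.gz"

    if [ ! -d "openssh-${OPENSSH_VERSION}" ]; then
        tar xf "openssh-${OPENSSH_VERSION}.tar.gz"
        check_result
    fi

    cd "openssh-${OPENSSH_VERSION}"

    # Keep copies of the binaries that are about to be overwritten.
    echo -e "${YELLOW}备份旧版OpenSSH命令...${NC}"
    backup_file "/usr/bin/scp" "/usr/bin/bak/scp.bak"
    backup_file "/usr/bin/sftp" "/usr/bin/bak/sftp.bak"
    backup_file "/usr/bin/ssh" "/usr/bin/bak/ssh.bak"
    backup_file "/usr/bin/ssh-add" "/usr/bin/bak/ssh-add.bak"
    backup_file "/usr/bin/ssh-agent" "/usr/bin/bak/ssh-agent.bak"
    backup_file "/usr/bin/ssh-keygen" "/usr/bin/bak/ssh-keygen.bak"
    backup_file "/usr/bin/ssh-keyscan" "/usr/bin/bak/ssh-keyscan.bak"
    backup_file "/usr/sbin/sshd" "/usr/sbin/bak/sshd.bak"

    # Build against the OpenSSL installed above; configuration stays in /etc/ssh.
    ./configure "--prefix=/usr/local/openssh-${OPENSSH_VERSION}" \
                --sysconfdir=/etc/ssh \
                --with-kerberos5 \
                --with-libedit \
                --with-pam \
                --with-gssapi \
                --with-zlib \
                --with-ssl-dir=/usr/local/openssl \
                --with-privsep-path=/var/lib/sshd

    make -j"$(nproc)"
    make install
    check_result

    # Copy the new client tools and daemon over the system binaries.
    cp -arpf "/usr/local/openssh-${OPENSSH_VERSION}/bin/"* /usr/bin/
    cp -arpf "/usr/local/openssh-${OPENSSH_VERSION}/sbin/"* /usr/sbin/
    check_result

    # Replace the commented-out default with "PermitRootLogin yes".
    # NOTE(review): this enables password login for root and is not needed
    # for the upgrade itself; drop the line where key-only root login is
    # enough.
    echo -e "${YELLOW}配置SSH...${NC}"
    sed -i 's@#PermitRootLogin prohibit-password@PermitRootLogin yes@g' /etc/ssh/sshd_config

    # Validate the configuration with the newly installed daemon before the
    # restart; a config the new sshd rejects would otherwise take the service
    # down on a host that may only be reachable over SSH.
    if ! /usr/sbin/sshd -t; then
        echo -e "${RED}sshd配置校验失败,未重启SSH服务!${NC}"
        exit 1
    fi

    echo -e "${YELLOW}重启SSH服务...${NC}"
    systemctl daemon-reload
    systemctl restart ssh
    check_result

    echo -e "${GREEN}OpenSSH新版本:${NC}"
    ssh -V

    echo -e "${GREEN}OpenSSL和OpenSSH升级完成!${NC}"
}

# Run the upgrade.
main "$@"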



