校验下载软件包的完整性与来源真实性。注意两点：(1) `.sha256` 文件若与 tarball 来自同一站点，比对一致只能说明下载没有损坏，并不能证明包没有被替换，项目提供 GPG 签名时应优先验签；(2) 公钥服务器上的密钥任何人都能上传，下面 `gpg --verify` 输出的 `Good signature` 加上 `WARNING: This key is not certified` 只说明签名在密码学上有效，还必须把打印出的完整指纹（`Primary key fingerprint:` 一行）与项目官方渠道公布的指纹（如 zlib.net、openssh.com 发布页/RELEASE_KEY.asc）人工核对一致，验证才算完成。

[root@CentOS7-9 ~]# ll
total 12932
-rw-------. 1 root root    1572 May 17 09:19 anaconda-ks.cfg
-rw-r--r--. 1 root root 1857862 May 17 09:31 openssh-9.6p1.tar.gz
-rw-r--r--. 1 root root     833 May 17 09:31 openssh-9.6p1.tar.gz.asc
-rw-r--r--. 1 root root 9864061 May 17 09:31 openssl-1.1.1q.tar.gz
-rw-r--r--. 1 root root      65 May 17 09:31 openssl-1.1.1q.tar.gz.sha256
-rw-r--r--. 1 root root 1495873 May 17 09:31 zlib-1.3.tar.gz
-rw-r--r--. 1 root root     235 May 17 09:31 zlib-1.3.tar.gz.asc


[root@CentOS7-9 ~]# cat openssl-1.1.1q.tar.gz.sha256
d7939ce614029cdff0b6c20f0e2e5703158a489a72b2507b8bd51bf8c8fd10ca
[root@CentOS7-9 ~]# sha256sum openssl-1.1.1q.tar.gz
d7939ce614029cdff0b6c20f0e2e5703158a489a72b2507b8bd51bf8c8fd10ca  openssl-1.1.1q.tar.gz

[root@CentOS7-9 ~]# gpg --verify -vvvv zlib-1.3.tar.gz.asc
gpg: using character set `utf-8'
gpg: directory `/root/.gnupg' created
gpg: new configuration file `/root/.gnupg/gpg.conf' created
gpg: WARNING: options in `/root/.gnupg/gpg.conf' are not yet active during this run
gpg: keyring `/root/.gnupg/pubring.gpg' created
gpg: armor: BEGIN PGP SIGNATURE
Comment: GPGTools - http://gpgtools.org
:signature packet: algo 17, keyid 783FCD8E58BCAFBA
        version 4, created 1692352018, md5len 0, sigclass 0x00
        digest algo 2, begin of digest c0 66
        hashed subpkt 33 len 21 (?)
        hashed subpkt 2 len 4 (sig created 2023-08-18)
        subpkt 16 len 8 (issuer key ID 783FCD8E58BCAFBA)
        data: [160 bits]
        data: [160 bits]
gpg: armor header:
gpg: assuming signed data in `zlib-1.3.tar.gz'
gpg: Signature made Fri 18 Aug 2023 05:46:58 PM CST using DSA key ID 58BCAFBA
gpg: Can't check signature: No public key


[root@CentOS7-9 ~]# gpg --keyserver keyserver.ubuntu.com --search-keys 783FCD8E58BCAFBA
gpg: searching for "783FCD8E58BCAFBA" from hkp server keyserver.ubuntu.com
(1)     Mark Adler <madler@alumni.caltech.edu>
          1024 bit DSA key 58BCAFBA, created: 2001-09-05
Keys 1-1 of 1 for "783FCD8E58BCAFBA".  Enter number(s), N)ext, or Q)uit > 1
gpg: requesting key 58BCAFBA from hkp server keyserver.ubuntu.com
gpg: /root/.gnupg/trustdb.gpg: trustdb created
gpg: key 58BCAFBA: public key "Mark Adler <madler@alumni.caltech.edu>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1

[root@CentOS7-9 ~]# gpg --verify zlib-1.3.tar.gz.asc zlib-1.3.tar.gz
gpg: Signature made Fri 18 Aug 2023 05:46:58 PM CST using DSA key ID 58BCAFBA
gpg: Good signature from "Mark Adler <madler@alumni.caltech.edu>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5ED4 6A67 21D3 6558 7791  E2AA 783F CD8E 58BC AFBA

[root@CentOS7-9 ~]# gpg --verify -vvvv openssh-9.6p1.tar.gz.asc
gpg: using character set `utf-8'
gpg: armor: BEGIN PGP SIGNATURE
:signature packet: algo 1, keyid 2A3F414E736060BA
        version 4, created 1702911728, md5len 0, sigclass 0x00
        digest algo 10, begin of digest f2 a4
        hashed subpkt 33 len 21 (?)
        hashed subpkt 2 len 4 (sig created 2023-12-18)
        subpkt 16 len 8 (issuer key ID 2A3F414E736060BA)
        data: [4090 bits]
gpg: assuming signed data in `openssh-9.6p1.tar.gz'
gpg: Signature made Mon 18 Dec 2023 11:02:08 PM CST using RSA key ID 736060BA
gpg: Can't check signature: No public key
[root@CentOS7-9 ~]# gpg --keyserver keyserver.ubuntu.com --search-keys 2A3F414E736060BA
gpg: searching for "2A3F414E736060BA" from hkp server keyserver.ubuntu.com
(1)     Damien Miller <djm@mindrot.org>
          4096 bit RSA key 736060BA, created: 2021-01-01
Keys 1-1 of 1 for "2A3F414E736060BA".  Enter number(s), N)ext, or Q)uit > 1
gpg: requesting key 736060BA from hkp server keyserver.ubuntu.com
gpg: key 736060BA: public key "Damien Miller <djm@mindrot.org>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)


[root@CentOS7-9 ~]# gpg --verify openssh-9.6p1.tar.gz.asc openssh-9.6p1.tar.gz
gpg: Signature made Mon 18 Dec 2023 11:02:08 PM CST using RSA key ID 736060BA
gpg: Good signature from "Damien Miller <djm@mindrot.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 7168 B983 815A 5EEF 59A4  ADFD 2A3F 414E 7360 60BA

 

安装依赖包

# Build toolchain plus the headers the OpenSSH build links against (zlib, PAM).
build_deps=(gcc make perl zlib zlib-devel pam pam-devel)
yum -y install "${build_deps[@]}"

 

停止ssh服务（从这一步到最后重启 sshd 之前，本机都无法接受新的 SSH 连接：请通过控制台/带外方式操作，或至少保持当前会话不要断开，并准备好用 /etc/ssh.bak 和各 .bak 二进制回滚的办法）

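# Existing SSH sessions survive the stop; new connections are refused until the
# restart at the very end, so keep a console or the current session open.
systemctl stop sshd

# Refuse to clobber an earlier backup: if /etc/ssh.bak already exists, mv would
# nest /etc/ssh *inside* it and the later host-key restore would miss the keys.
if [ -e /etc/ssh.bak ]; then
  echo "/etc/ssh.bak already exists; move it away before re-running" >&2
  exit 1
fi
# Moving the whole tree (host keys included) lets the new build install a
# clean sshd_config; the old host keys are put back after "make install".
mv /etc/ssh /etc/ssh.bak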

卸载系统原有 openssh 包（`--nodeps` 只是让 rpm 忽略其他包对 openssh-clients 等的依赖，这些依赖之后不会被 yum 自动修复；卸载会一并删除 /usr/sbin/sshd、/usr/bin/ssh、/usr/bin/ssh-keygen 等文件，通常也会删掉 /etc/pam.d/sshd，后文 `mv ... .bak0513` 因此会报找不到文件，可以忽略）

rpm -qa | grep openssh
openssh-7.4p1-16.el7.x86_64
openssh-clients-7.4p1-16.el7.x86_64
openssh-server-7.4p1-16.el7.x86_64
 
# Erase every installed package whose name contains "openssh". --nodeps keeps
# rpm from refusing because other packages still depend on openssh-clients.
mapfile -t old_openssh < <(rpm -qa '*openssh*')
if (( ${#old_openssh[@]} > 0 )); then
  rpm -e --nodeps "${old_openssh[@]}"
fi

 

安装zlib

安装依赖包

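# The perl packages are presumably for OpenSSL's perl-based Configure further
# down; zlib itself only needs a C compiler.
yum -y install perl-Module-Load-Conditional perl-core gcc perl-CPAN perl-devel
tar -zxvf zlib-1.3.tar.gz
# Never run configure/make in the wrong directory if extraction failed.
cd zlib-1.3 || exit 1
# Private prefix so the distro zlib package stays intact.
./configure --prefix=/usr/local/zlib
make
make install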

 

配置zlib

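# Register the private zlib prefix with the dynamic loader. Writing (not
# appending) the file keeps it to one line when this is re-run.
# NOTE(review): directories from ld.so.conf.d are searched before /lib64 and
# /usr/lib64, so after ldconfig *every* binary on this host that links
# libz.so.1 resolves to this hand-built copy, which yum will never patch.
printf '%s\n' /usr/local/zlib/lib > /etc/ld.so.conf.d/zlib.conf
ldconfig -v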

  

安装openssl（注意：这里编译的是 OpenSSL 1.1.1q，1.1.1 分支已停止公开维护，自编译的库和被替换的 /usr/bin/openssl 都不会随 yum 更新，需要自行跟踪后续修复版本并重新编译；发行版自带的 openssl-libs 不受影响）

  

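# Drop the distro headers so /usr/include/openssl can become a symlink below.
yum remove -y openssl-devel
tar -zxvf openssl-1.1.1q.tar.gz
cd openssl-1.1.1q || exit 1
# No --prefix: binaries land in /usr/local/bin and libraries in
# /usr/local/lib64; /usr/local/ssl is only OPENSSLDIR (openssl.cnf, certs/).
./config shared zlib
make
make install
# Keep the packaged CLI reachable as openssl.bak; the packaged libssl/libcrypto
# from openssl-libs are left in place for the software that links them.
mv /usr/bin/openssl /usr/bin/openssl.bak
ln -s /usr/local/bin/openssl /usr/bin/openssl
ln -s /usr/local/include/openssl /usr/include/openssl
ln -s /usr/local/lib64/libssl.so.1.1 /usr/lib64/libssl.so.1.1
ln -s /usr/local/lib64/libcrypto.so.1.1 /usr/lib64/libcrypto.so.1.1
# The libraries live in /usr/local/lib64 (the symlink targets above); the
# original /usr/local/ssl/lib entry named a directory this build never creates.
# Write, not append, so re-runs do not accumulate duplicate lines.
printf '%s\n' /usr/local/lib64 /usr/local/lib > /etc/ld.so.conf.d/ssl.conf
ldconfig -v

openssl version -a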

 

安装openssh

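tar -zxvf openssh-9.6p1.tar.gz
cd openssh-9.6p1 || exit 1

# --with-ssl-dir expects the OpenSSL *install prefix*. This build put its
# headers in /usr/local/include/openssl and libraries in /usr/local/lib64,
# while /usr/local/ssl only holds openssl.cnf/certs; pointing at /usr/local/ssl
# appears to have worked only through the /usr/include and /usr/lib64 symlinks
# created in the OpenSSL step.
# --with-zlib gets the private prefix built earlier; a bare --with-zlib would
# compile against the distro zlib-devel headers instead.
./configure --prefix=/usr/local/openssh --sysconfdir=/etc/ssh \
  --with-ssl-dir=/usr/local --with-zlib=/usr/local/zlib --with-pam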

 

   

确认PAM模块编译成功

OpenSSH has been configured with the following options:
                     User binaries: /usr/bin
                   System binaries: /usr/sbin
               Configuration files: /etc/ssh
                   Askpass program: /usr/libexec/ssh-askpass
                      Manual pages: /usr/share/man/manX
                          PID file: /var/run
  Privilege separation chroot path: /var/empty
            sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin
                    Manpage format: doc
                       PAM support: yes
                   OSF SIA support: no
                 KerberosV support: no
                   SELinux support: no
                   libedit support: no
                   libldns support: no
  Solaris process contract support: no
           Solaris project support: no
         Solaris privilege support: no
       IP address in $DISPLAY hack: no
           Translate v4 in v6 hack: yes
                  BSD Auth support: no
              Random number source: OpenSSL internal ONLY
             Privsep sandbox style: seccomp_filter
                   PKCS#11 support: yes
                  U2F/FIDO support: yes

              Host: x86_64-pc-linux-gnu
          Compiler: cc
    Compiler flags: -g -O2 -pipe -Wall -Wextra -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-parameter -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE
Preprocessor flags: -I/usr/local/ssl  -D_XOPEN_SOURCE=600 -D_BSD_SOURCE -D_DEFAULT_SOURCE
      Linker flags: -L/usr/local/ssl  -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -pie
         Libraries: -lcrypto -ldl -lutil -lz  -lcrypt -lresolv
         +for sshd:  -lpam

PAM is enabled. You may need to install a PAM control file
for sshd, otherwise password authentication may fail.
Example PAM control files can be found in the contrib/
subdirectory

 

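make || exit 1
# "make install" also runs the host-key target: it generates every
# ssh_host_*_key missing from /etc/ssh (all of them, since /etc/ssh was moved
# aside) and installs a default sshd_config only if none exists there. The
# previously trusted host keys are still in /etc/ssh.bak.
make install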

     

确认 sshd_config 配置。注意下面这份示例有几处安全上需要复核、不宜照抄到生产环境的设置：`PermitRootLogin yes` 允许 root 用口令直接登录（sshd 默认值是 `prohibit-password`）；`X11UseLocalhost no` 会让转发的 X11 端口监听在所有地址而不是回环地址；MACs 里的 `hmac-sha1` 和 KexAlgorithms 里的 `diffie-hellman-group14-sha1` 仍依赖 SHA-1，后者已不在 9.6 的默认 KexAlgorithms 列表中。

 

[root@localhost ~]# cat /etc/ssh/sshd_config|grep -v '^#'|grep -v '^$'
       AuthorizedKeysFile      .ssh/authorized_keys
       Subsystem       sftp    /usr/local/openssh/libexec/sftp-server
       X11Forwarding yes
       X11UseLocalhost no
       XAuthLocation /usr/bin/xauth
       UseDNS no
       PermitRootLogin yes
       PubkeyAuthentication yes
       PasswordAuthentication yes
       Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
       MACs hmac-sha2-256,hmac-sha2-512,hmac-sha1
       KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1
       UsePAM yes

 

配置sshd

     

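 # /usr/sbin/sshd, /usr/bin/ssh and /usr/bin/ssh-keygen were removed together
# with the openssh RPMs, so an unconditional mv fails with "No such file".
# Back up only what is still present, then put the new binaries on the
# standard paths.
for old in /usr/sbin/sshd /usr/bin/ssh /usr/bin/ssh-keygen; do
  [ -e "$old" ] && mv "$old" "$old.bak0513"
done
cp /usr/local/openssh/sbin/sshd /usr/sbin/sshd
cp /usr/local/openssh/bin/ssh /usr/bin/ssh
cp /usr/local/openssh/bin/ssh-keygen /usr/bin/ssh-keygen
# NOTE(review): scp, sftp, ssh-add, ssh-agent and ssh-copy-id also went away
# with the RPMs and are not copied here; they now exist only under
# /usr/local/openssh/bin, which is not on PATH.

# "make install" minted brand-new host keys in /etc/ssh. Put back the ones
# clients already trust, otherwise every user gets the
# "REMOTE HOST IDENTIFICATION HAS CHANGED" warning on next login.
for key in /etc/ssh.bak/ssh_host_*_key; do
  [ -e "$key" ] || continue
  cp -p "$key" "$key.pub" /etc/ssh/
done
chmod 600 /etc/ssh/ssh_host_*_key

# Relative path: this runs from inside the openssh-9.6p1 source tree.
# systemd generates a unit from the SysV script once chkconfig registers it.
cp -p contrib/redhat/sshd.init /etc/init.d/sshd
chmod +x /etc/init.d/sshd
chkconfig --add sshd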
      

      

拷贝 PAM 配置文件到 /etc/pam.d/sshd（该文件通常随 openssh-server 包一起被卸载；内容可从卸载前的备份恢复，或参考源码目录 contrib/redhat/sshd.pam。没有这个文件时，`UsePAM yes` 下的口令认证会失败，正是上面 configure 末尾提示的情况）

 [root@localhost ~]# cat /etc/pam.d/sshd
#%PAM-1.0
auth       required pam_sepermit.so
auth       include      password-auth
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    optional     pam_keyinit.so force revoke
session    include      password-auth

 

重启sshd

 

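# Pick up the freshly registered SysV script as a unit.
systemctl daemon-reload
# Validate sshd_config with the new binary first: a restart that fails here
# leaves the host with no SSH service at all.
/usr/sbin/sshd -t || exit 1
systemctl restart sshd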