最近因为绿盟扫描到AIX5.3 AIX6.1系统有openssh高危漏洞,OPENSSH6.4之前的都报高危漏洞,IBM官网上也只有最新的openssh6.0安装文件供下载,没办法只有自己试验的用源码来安装升级,期间各种报错,搞了差不多一周的时间,才顺利的安装的把openssh版本升上去了。以下是安装步骤
1,修改/etc/profile文件
cp -p /etc/profile /etc/profile_bak
/etc/profile文件添加
export LIBPATH=/opt/freeware/lib
export PATH=$PATH:/usr/local/bin:/usr/local/sbin
source /etc/profile
2,安装openssl1.0.1g
从http://www-frec.bull.com/recherche.php下载所需的opensslRPM安装包,并安装:
openssl-1.0.1g-1.aix6.1.ppc.rpm
openssl-devel-1.0.1g-1.aix6.1.ppc.rpm
[email protected]:/home/weihu>rpm -Uvh openssl-1.0.1g-1.aix6.1.ppc.rpm
warning: /var/ssl/openssl.cnf saved as /var/ssl/openssl.cnf.rpmorig
openssl ##################################################
[email protected]:/home/weihu>rpm -Uvh openssl-devel-1.0.1g-1.aix6.1.ppc.rpm
openssl-devel ##################################################
接下来需要安装zlib,由于没有安装GCC,需要首先安装GCC
从http://www-frec.bull.com/recherche.php下载GCC RPM包,并下载相关的倚赖安装包,并安装:
2503gcc-cpp-4.8.1-2.aix6.1.ppc.rpm-with-deps.zip
gcc-4.8.1-2.aix6.1.ppc.rpm
首先将2503gcc-cpp-4.8.1-2.aix6.1.ppc.rpm-with-deps.zip解压出来
[email protected]:/home/weihu>jar -xvf 2503gcc-cpp-4.8.1-2.aix6.1.ppc.rpm-with-deps.zip
inflated: libmpc-0.9-1.aix5.3.ppc.rpm
inflated: zlib-1.2.5-6.aix6.1.ppc.rpm
inflated: info-5.0-2.aix6.1.ppc.rpm
inflated: gettext-0.17-8.aix6.1.ppc.rpm
inflated: libiconv-1.14-1.aix6.1.ppc.rpm
inflated: gmp-5.1.3-1.aix6.1.ppc.rpm
inflated: mpfr-3.1.2-1.aix6.1.ppc.rpm
inflated: gcc-4.8.1-2.aix6.1.ppc.rpm
inflated: gcc-cpp-4.8.1-2.aix6.1.ppc.rpm
inflated: libgcc-4.8.1-2.aix6.1.ppc.rpm
inflated: bash-4.2-9.aix6.1.ppc.rpm
[email protected]:/home/weihu>rpm -Uvh libgcc-4.8.1-2.aix6.1.ppc.rpm
libgcc ##################################################
[email protected]:/home/weihu>rpm -Uvh gmp-5.1.3-1.aix6.1.ppc.rpm
gmp ##################################################
[email protected]:/home/weihu>rpm -Uvh gettext-0.17-8.aix6.1.ppc.rpm --nodeps
/
gettext ##################################################
add libintl.so.1 (32bits) shared member to /opt/freeware/lib/libintl.a
add libintl.so.1 (64bits) shared member to /opt/freeware/lib/libintl.a
/
[email protected]:/home/weihu>rpm -Uvh libiconv-1.14-1.aix6.1.ppc.rpm
libiconv ##################################################
add shr4.o shared members from /usr/lib/libiconv.a to /opt/freeware/lib/libiconv.a
add shr.o shared members from /usr/lib/libiconv.a to /opt/freeware/lib/libiconv.a
add shr4_64.o shared members from /usr/lib/libiconv.a to /opt/freeware/lib/libiconv.a
/
[email protected]:/home/weihu>rpm -Uvh mpfr-3.1.2-1.aix6.1.ppc.rpm
mpfr ##################################################
[email protected]:/home/weihu>rpm -Uvh zlib-1.2.5-6.aix6.1.ppc.rpm
zlib ##################################################
[email protected]:/home/weihu>rpm -Uvh info-5.0-2.aix6.1.ppc.rpm
warning: /opt/freeware/info/dir created as /opt/freeware/info/dir.rpmnew
info ##################################################
Please check that /etc/info-dir does exist.
You might have to rename it from /etc/info-dir.rpmsave to /etc/info-dir.
[email protected]:/home/weihu>rpm -Uvh libmpc-0.9-1.aix5.3.ppc.rpm
libmpc ##################################################
[email protected]:/home/weihu>rpm -Uvh bash-4.2-9.aix6.1.ppc.rpm
bash ##################################################
## Binary "bash" is avaible on 32bit and 64bit ##
The default used is 64bit
Please change symbolic link
from "bash" into /bin directory
To do that tape:
# rm -f /bin/bash
# ln -sf /opt/freeware/bin/bash_32 /bin/bash
[email protected]:/home/weihu>mv /bin/bash /bin/bash_bak
[email protected]:/home/weihu>ln -sf /opt/freeware/bin/bash_
bash_32 bash_64
[email protected]:/home/weihu>ln -sf /opt/freeware/bin/bash_32 /bin/bash
[email protected]:/home/weihu>rpm -Uvh gcc-cpp-4.8.1-2.aix6.1.ppc.rpm gcc-4.8.1-2.aix6.1.ppc.rpm
gcc-cpp ##################################################
gcc ##################################################
[email protected]:/home/weihu>type gcc
gcc is /usr/bin/gcc
到此GCC已经安装好。
接下来编译zlib,我用的zlib版本是zlib-1.2.5.tar.bz2,解压并编译它
(*注意这里一定要安装,否则会报错:configure: error: *** zlib.h missing - please install first or check config.log ****)
[email protected]:/home/weihu>bzip2 -d zlib-1.2.5.tar.bz2
[email protected]:/home/weihu>tar -xvf zlib-1.2.5.tar
[email protected]:/home/weihu>cd zlib-1.2.5
[email protected]:/home/weihu>./configure
[email protected]:/home/weihu>make
[email protected]:/home/weihu>make install
编译openssh,并将openssh源码包打包成
[email protected]:/home/weihu>gzip -d openssh-6.6p1.tar.gz
[email protected]:/home/weihu>tar xvf openssh-6.6p1.tar
[email protected]:/home/weihu>cd openssh-6.6p1
[email protected]:/home/weihu>./configure
[email protected]:/home/weihu/openssh-6.6p1>contrib/aix/buildbff.sh (*这条命令生成BFF格式可安装文件,如果脚本最后没有生成openssh-6.6p1.bff文件,你需要检查LIB_ PATH是否设置好,并且source /etc/profile让设置立即生效,同时需要make clean清空上次configure的文件,然后再次./configure并执行buildbff.sh文件*)
[email protected]:/home/weihu/openssh-6.6p1>ls -lat openssh
openssh-6.6p1.bff openssh.xml opensshd.init
openssh-exec(): openssh.xml.in opensshd.init.in
[email protected]:/home/weihu/openssh-6.6p1>ls -lat openssh-6.6p1.bff
-rw-r--r-- 1 root system 4966400 Oct 16 16:17 openssh-6.6p1.bff
在当前目录下安装openssh-6.6p1.bff文件
[email protected]:/home/weihu/openssh-6.6p1>inutoc .
(*注意运行上面的命令出现此错误sh: 0403-057 Syntax error at line 1 : `(‘ is not expected.,只需要删除当前目录下的openssh-exec(): 文件即可正常运行*)
[email protected]:/home/weihu/openssh-6.6p1>installp -acgNQqX -d . -f .toc
到此OPENSSH安装成功
这个时候看ssh版本还是以前的
[email protected]:/>type sshd
sshd is /usr/sbin/sshd
关闭sshd
[email protected]:/>stopsrc -s sshd
备份老版本sshd,建立软链接到新版本
[email protected]:/>mv /usr/sbin/sshd /usr/sbin/sshd_bak
[email protected]:/>ln -s /usr/local/sbin/sshd /usr/sbin/sshd
启动ssh
[email protected]:/>/usr/sbin/sshd
Could not load host key: /usr/local/etc/ssh_host_rsa_key
Could not load host key: /usr/local/etc/ssh_host_dsa_key
Could not load host key: /usr/local/etc/ssh_host_ecdsa_key
Could not load host key: /usr/local/etc/ssh_host_ed25519_key
建立KEY文件
[email protected]:/>/usr/local/bin/ssh-keygen -t rsa -f /usr/local/etc/ssh_host_rsa_key
[email protected]:/>/usr/local/bin/ssh-keygen -t dsa -f /usr/local/etc/ssh_host_dsa_key
[email protected]:/>/usr/local/bin/ssh-keygen -t ecdsa -f /usr/local/etc/ssh_host_ecdsa_key
[email protected]:/>/usr/local/bin/ssh-keygen -t ed25519 -f /usr/local/etc/ssh_host_ed25519_key
重新开启ssh服务
[email protected]:/>/usr/sbin/sshd
至此ssh服务启动完成,可以正常远程连接
查看以下ssh服务进程和OPENSSH的版本
[email protected]:/>ps -ef|grep sshd
weihu 44957866 5767496 0 14:38:48 - 0:00 /usr/sbin/sftp-server -m /etc/ssh/sshd_config
weihu 45481992 48365574 0 13:55:31 - 0:00 sshd: [email protected]/3
weihu 46661832 7340288 0 13:09:51 - 0:00 sshd: [email protected]/1
root 48365574 1 0 13:55:18 - 0:00 sshd: weihu [priv]
root 3998086 1 0 16:47:30 - 0:00 sshd: weihu [priv]
root 4063686 6357374 0 16:59:02 pts/0 0:00 grep sshd
weihu 4194786 3998086 0 16:47:52 - 0:00 sshd: [email protected]/0
weihu 5767496 6750580 0 14:38:48 - 0:01 sshd: [email protected]
root 6750580 1 0 14:38:47 - 0:00 sshd: weihu [priv]
root 7340288 1 0 13:09:44 - 0:00 sshd: weihu [priv]
root 7406052 1 0 16:58:54 - 0:00 /usr/sbin/sshd
[email protected]:/>sshd -v
unknown option -- v
OpenSSH_6.6p1, OpenSSL 1.0.1g 7 Apr 2014
usage: sshd [-46DdeiqTt] [-b bits] [-C connection_spec] [-c host_cert_file]
[-E log_file] [-f config_file] [-g login_grace_time]
[-h host_key_file] [-k key_gen_time] [-o option] [-p port]
[-u len]
做到这一步openssh的版本就算是升上去了,但是有一个问题还未解决
[email protected]:/>stopsrc -s sshd
[email protected]:/>startsrc -s sshd
上面的命令无法对ssh进程产生重启和关闭的作用,而且当我重启系统后,ssh是不会自启动的,还好开启了telnet,这个问题暂时还未解决,希望看到此文的网络大牛们给指导指导。
上文所需要的全部安装包,我已经上传,有需要的可以下载,下载地址如下:
http://down.51cto.com/data/1884215