Rocky 9.3 升级 OpenSSH 10
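#!/bin/bash
# Build OpenSSH from the upstream portable tarball, install it over the
# distribution copy (--prefix=/usr), clean up distro-specific sshd config the
# upstream daemon does not accept, restart the service, and confirm that the
# sshd systemd is running is the freshly installed binary.
#
# Run as root. Optional environment:
#   OPENSSH_SHA256  expected sha256 of the tarball. When set, the download is
#                   verified and the script aborts on mismatch; when unset a
#                   warning is printed and the tarball is used unverified.
#
# Caveats:
#   - `make install` writes over files owned by the distro package; a later
#     package update of openssh will replace them again.
#   - SELinux is left in whatever mode it is in. Installed files are relabelled
#     with restorecon, and when SELinux is enabled sshd is built --with-selinux
#     (as the distro build is) rather than disabling SELinux system-wide.
#   - The system-wide crypto policy is NOT changed. sshd is decoupled from it by
#     clearing CRYPTO_POLICY and commenting out the opensshserver.config Include,
#     which is all this upgrade needs.
set -euo pipefail

OPENSSH_VERSION="10.0p1"
OPENSSH_TAR="openssh-${OPENSSH_VERSION}.tar.gz"
OPENSSH_URL="https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/${OPENSSH_TAR}"
OPENSSH_SHA256="${OPENSSH_SHA256:-}"   # optional pinned checksum, see header
SRC_DIR="/usr/local/src"
BACKUP_DIR="/usr/local/openssh_backup"
SSHD_BIN="/usr/sbin/sshd"

# Print a message to stderr and abort.
die() { printf '%s\n' "$*" >&2; exit 1; }

echo "[1/9] 检测系统并安装依赖..."
if [ -f /etc/os-release ]; then
  . /etc/os-release
else
  echo "无法识别系统类型,退出"
  exit 1
fi

# Only pull in libselinux and build --with-selinux where SELinux is actually
# enabled; on hosts without it (typical Debian/Ubuntu) nothing changes.
WITH_SELINUX=0
if command -v selinuxenabled >/dev/null 2>&1 && selinuxenabled; then
  WITH_SELINUX=1
fi

case "${ID:-}" in
  ubuntu|debian)
    pkgs=(build-essential zlib1g-dev libssl-dev libpam0g-dev wget)
    if [ "$WITH_SELINUX" = 1 ]; then
      pkgs+=(libselinux1-dev)
    fi
    apt update
    apt install -y "${pkgs[@]}"
    ;;
  centos|rocky|rhel)
    pkgs=(gcc make zlib-devel openssl-devel pam-devel wget)
    if [ "$WITH_SELINUX" = 1 ]; then
      pkgs+=(libselinux-devel)
    fi
    yum groupinstall -y "Development Tools"
    yum install -y "${pkgs[@]}"
    ;;
  *)
    echo "暂不支持该系统: ${ID:-}"
    exit 1
    ;;
esac

echo "[2/9] 下载并解压源码..."
mkdir -p "$SRC_DIR"
cd "$SRC_DIR"
rm -rf "openssh-${OPENSSH_VERSION}"
wget -c "$OPENSSH_URL"
if [ -n "$OPENSSH_SHA256" ]; then
  # Fail closed: a tarball that does not match the pinned hash must not become
  # the host's login daemon. sha256sum -c expects "<hash>  <file>".
  echo "${OPENSSH_SHA256}  ${OPENSSH_TAR}" | sha256sum -c - \
    || die "校验失败: ${OPENSSH_TAR} 的 sha256 与 OPENSSH_SHA256 不一致"
else
  echo "警告: 未设置 OPENSSH_SHA256,未校验 ${OPENSSH_TAR} 的完整性" >&2
fi
tar -xf "$OPENSSH_TAR"
cd "openssh-${OPENSSH_VERSION}"

echo "[3/9] 备份旧版本ssh相关文件..."
mkdir -p "$BACKUP_DIR"
# The backup contains copies of the private host keys; keep it root-only.
chmod 700 "$BACKUP_DIR"
# One timestamp for the whole set so the three copies share a suffix.
STAMP=$(date +%s)
cp -a /usr/sbin/sshd "$BACKUP_DIR/sshd.bak.$STAMP" 2>/dev/null || true
cp -a /usr/bin/ssh "$BACKUP_DIR/ssh.bak.$STAMP" 2>/dev/null || true
cp -a /etc/ssh "$BACKUP_DIR/etc_ssh.bak.$STAMP" 2>/dev/null || true

echo "[3.5/9] 设置 OpenSSL 编译环境..."
export CPPFLAGS="-I/usr/include"
export LDFLAGS="-L/usr/lib64"

echo "[4/9] 编译安装OpenSSH..."
configure_args=(
  --prefix=/usr
  --sysconfdir=/etc/ssh
  --with-pam
  --with-privsep-path=/var/lib/sshd
)
if [ "$WITH_SELINUX" = 1 ]; then
  configure_args+=(--with-selinux)
fi
./configure "${configure_args[@]}"
make -j"$(nproc)"
make install
# Relabel what make install wrote so the new binaries and config carry the
# labels the active policy expects. No-op when SELinux is disabled or absent.
if command -v restorecon >/dev/null 2>&1; then
  restorecon -R /usr/sbin /usr/bin /usr/libexec /etc/ssh /var/lib/sshd || true
fi

echo "[5/9] 修复主机密钥权限..."
chmod 600 /etc/ssh/ssh_host_*_key 2>/dev/null || true

echo "[6/9] 清理不兼容配置..."
# Distro drop-in files may carry GSSAPI directives and an Include of the
# crypto-policies back-end; both are treated here as incompatible with the
# upstream sshd, so strip the former and comment out the latter.
for file in /etc/ssh/sshd_config.d/*.conf; do
  [ -f "$file" ] || continue
  sed -i '/GSSAPIAuthentication/d;/GSSAPICleanupCredentials/d;/GSSAPIKexAlgorithms/d' "$file"
  sed -i '/crypto-policies.*opensshserver.config/s/^/#/' "$file"
done
if [ -d /etc/sysconfig ]; then
  # Clear CRYPTO_POLICY (presumably consumed by the distro's sshd unit) without
  # discarding any other settings already present in the file.
  touch /etc/sysconfig/sshd
  sed -i '/^CRYPTO_POLICY=/d' /etc/sysconfig/sshd
  echo 'CRYPTO_POLICY=""' >> /etc/sysconfig/sshd
fi
# NOTE: the system-wide crypto policy is deliberately left alone. Switching it
# to LEGACY would weaken every other consumer (TLS, Kerberos, ...) on the host
# and is not needed once sshd no longer includes opensshserver.config.

echo "[6.2] 移除 sshd_config 中对 crypto-policies 的引用(如果有)..."
sed -i '/crypto-policies.*opensshserver.config/s/^/#/' /etc/ssh/sshd_config
# Also drop the directive from the back-end file itself, in case the upgrade
# fails and the old sshd config ends up including it again.
if [ -f /etc/crypto-policies/back-ends/opensshserver.config ]; then
  sed -i '/GSSAPIKexAlgorithms/d' /etc/crypto-policies/back-ends/opensshserver.config
fi
# --prefix=/usr puts sftp-server in /usr/libexec, not /usr/libexec/openssh.
sed -i 's|^Subsystem\s\+sftp\s\+/usr/libexec/openssh/sftp-server|Subsystem sftp /usr/libexec/sftp-server|' /etc/ssh/sshd_config

echo "[7/9] 检查配置文件语法..."
if ! "$SSHD_BIN" -t -f /etc/ssh/sshd_config; then
  echo "sshd 配置语法错误,请检查 /etc/ssh/sshd_config"
  exit 1
fi

echo "[8/9] 重启ssh服务..."
# Remember the unit name so step 9 can ask systemd for the listener's PID.
SSHD_UNIT=""
if systemctl cat sshd.service >/dev/null 2>&1; then
  SSHD_UNIT="sshd.service"
elif systemctl cat ssh.service >/dev/null 2>&1; then
  SSHD_UNIT="ssh.service"
fi
if [ -n "$SSHD_UNIT" ]; then
  systemctl restart "$SSHD_UNIT"
else
  echo "未检测到 ssh 服务,请手动启动"
fi

echo "[9/9] 校验systemd运行的sshd版本..."
VERSION=$("$SSHD_BIN" -V 2>&1 | head -n 1 || true)
echo "当前sshd版本: $VERSION"
# Use the unit's MainPID rather than the first pgrep hit, which may be a
# per-session child instead of the listener.
MAIN_PID=""
if [ -n "$SSHD_UNIT" ]; then
  MAIN_PID=$(systemctl show -p MainPID --value "$SSHD_UNIT" 2>/dev/null || true)
fi
if [ -z "$MAIN_PID" ] || [ "$MAIN_PID" = "0" ]; then
  echo "警告:未找到正在运行的 sshd 进程,无法校验运行中的版本"
else
  RUNNING_SSHD=$(readlink -f "/proc/$MAIN_PID/exe" || true)
  echo "systemd运行的sshd路径: $RUNNING_SSHD"
  BIN_HASH=$(sha256sum "$SSHD_BIN" | awk '{print $1}')
  # Empty when the listener still maps a replaced/deleted binary, which is
  # exactly the "old sshd still running" case reported below.
  RUN_HASH=$(sha256sum "$RUNNING_SSHD" 2>/dev/null | awk '{print $1}' || true)
  if [ -n "$RUN_HASH" ] && [ "$BIN_HASH" = "$RUN_HASH" ]; then
    echo "sshd已成功替换为新版并正在运行"
  else
    echo "警告:systemd仍在运行旧版sshd,可能需要重启或手动修改服务"
  fi
fi
echo "脚本执行完成。"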