Building openssh 9.9p2 deb binary packages from source on Ubuntu to fix security vulnerabilities (by 筑梦之路)
I previously wrote about compiling and installing OpenSSH from source on Ubuntu. This time the packages are built with the open-source project https://github.com/boypt/openssh-deb.git, which currently supports the following distributions:
• Ubuntu 24.04/22.04/20.04
• Debian 13 (trixie), 12 (bookworm), 11 (bullseye)
• UnionTech OS Desktop 20 Home (Debian GLIBC 2.28.21-1+deepin-1)
• Kylin V10 SP1 (Ubuntu GLIBC 2.31-0kylin9.2k0.1)
The project offers two build methods, a direct build and a Docker build; I use the direct build here.
Building the deb binary packages
# Fetch the code
git clone https://github.com/boypt/openssh-deb.git
# Change into the directory and edit version.env: the OpenSSL version defaults to 3.0.16; the OpenSSH version defaults to the latest available. To pin a specific version, look up the source package at http://deb.debian.org/debian//pool/main/o/openssh/
cd openssh-deb
cat version.env
OPENSSLVER=3.5.0
OPENSSLMIR=https://github.com/openssl/openssl/releases/download/openssl-${OPENSSLVER}/
OPENSSLSRC=openssl-${OPENSSLVER}.tar.gz
DEBMIRROR=http://deb.debian.org/debian/
OPENSSH_SIDPKG=9.9p2-2
[[ -z $OPENSSH_SIDPKG ]] && \
OPENSSH_SIDPKG=$(wget --no-check-certificate -qO- https://packages.debian.org/sid/openssh-server | sed -n '/vcurrent/s/ *<[^>]*> *//gp' | head -n1 | cut -d: -f2)
OPENSSHVER=$(echo $OPENSSH_SIDPKG|cut -d- -f1)
# Install the build dependencies
sudo ./install_deps.sh
# Download the source packages
sudo ./pullsrc.sh
# Compile and build the deb binary packages
sudo ./compile.sh
Build results
ls -lh output/
total 32M
-rw-r--r-- 1 root root 5.6M Apr 16 02:53 openssh-client_9.9p2-2_amd64.deb
-rw-r--r-- 1 root root 4.0M Apr 16 02:53 openssh-client-dbgsym_9.9p2-2_amd64.deb
-rw-r--r-- 1 root root 127K Apr 16 02:53 openssh-client-gssapi_9.9p2-2_all.deb
-rw-r--r-- 1 root root 1.8M Apr 16 02:54 openssh-client-udeb_9.9p2-2_amd64.udeb
-rw-r--r-- 1 root root 2.3M Apr 16 02:53 openssh-server_9.9p2-2_amd64.deb
-rw-r--r-- 1 root root 1.7M Apr 16 02:53 openssh-server-dbgsym_9.9p2-2_amd64.deb
-rw-r--r-- 1 root root 127K Apr 16 02:53 openssh-server-gssapi_9.9p2-2_all.deb
-rw-r--r-- 1 root root 2.6M Apr 16 02:54 openssh-server-udeb_9.9p2-2_amd64.udeb
-rw-r--r-- 1 root root 63K Apr 16 02:53 openssh-sftp-server_9.9p2-2_amd64.deb
-rw-r--r-- 1 root root 158K Apr 16 02:52 openssh-sftp-server-dbgsym_9.9p2-2_amd64.deb
-rw-r--r-- 1 root root 9.8M Apr 16 02:53 openssh-tests_9.9p2-2_amd64.deb
-rw-r--r-- 1 root root 3.7M Apr 16 02:54 openssh-tests-dbgsym_9.9p2-2_amd64.deb
-rw-r--r-- 1 root root 127K Apr 16 02:54 ssh_9.9p2-2_all.deb
# The packages actually needed are the following
find output -maxdepth 1 ! -name '*dbgsym*' ! -name '*tests*' -name '*.deb'
output/openssh-sftp-server_9.9p2-2_amd64.deb
output/openssh-client_9.9p2-2_amd64.deb
output/openssh-client-gssapi_9.9p2-2_all.deb
output/openssh-server_9.9p2-2_amd64.deb
output/openssh-server-gssapi_9.9p2-2_all.deb
output/ssh_9.9p2-2_all.deb
Installation and verification
find ./output -maxdepth 1 ! -name '*dbgsym*' ! -name '*tests*' -name '*.deb' | xargs sudo apt install -y
# Unmask the services
sudo systemctl unmask sshd.service
sudo systemctl unmask ssh.service
# There is a problem at this verification step: the service does not start properly. I will look into it when I have time.
Known issues
sshd-session issue
If installing backported OpenSSH 9.8+ on older distros, some other programs may face problems while interacting with the OpenSSH service. Since OpenSSH 9.8, the per-connection subprocess name has changed from sshd to sshd-session. Known programs with issues:
• fail2ban
• sshguard
Make sure to upgrade or reconfigure them to match the latest changes.
fail2ban
Change in filter.d/sshd.conf:
_daemon = sshd
into
_daemon = sshd(?:-session)?
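To see what the filter change above does to detection, here is an added example (not part of the original page or of the openssh-deb project) that runs a simplified fail2ban-style pattern over constructed auth.log lines with the old and the new _daemon value; the syslog prefix regex and the sample lines are assumptions, not fail2ban's real common.conf.

```python
import re

# Constructed sample auth.log lines (not taken from the page): one from a
# pre-9.8 sshd, two from a 9.8+ sshd-session, and one unrelated daemon.
SAMPLE_LOG = """\
Apr 16 03:01:12 host1 sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Apr 16 03:01:15 host1 sshd-session[2310]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Apr 16 03:01:20 host1 sshd-session[2310]: Accepted publickey for ops from 198.51.100.7 port 40000 ssh2
Apr 16 03:01:22 host1 cron[999]: (root) CMD (run-parts /etc/cron.hourly)
"""

# The two _daemon values from filter.d/sshd.conf discussed above.
OLD_DAEMON = r"sshd"
NEW_DAEMON = r"sshd(?:-session)?"

# A single failed-password rule; fail2ban's real failregex set is much larger.
FAILREGEX = r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+) port \d+ ssh2"


def build_filter(daemon):
    """Compose a simplified syslog prefix (assumed, not fail2ban's __prefix_line)
    with the given _daemon value and the failregex."""
    prefix = r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ " + daemon + r"\[\d+\]: "
    return re.compile(prefix + FAILREGEX)


def failed_hosts(log, daemon):
    """Source hosts of failed logins that a filter using `daemon` would ban."""
    pat = build_filter(daemon)
    return [m.group("host") for m in map(pat.match, log.splitlines()) if m]


def missed_by_old_filter(log):
    """Lines the pre-9.8 filter silently ignores but the updated one catches."""
    old, new = build_filter(OLD_DAEMON), build_filter(NEW_DAEMON)
    return [line for line in log.splitlines() if new.match(line) and not old.match(line)]


if __name__ == "__main__":
    print("old _daemon catches:", failed_hosts(SAMPLE_LOG, OLD_DAEMON))
    print("new _daemon catches:", failed_hosts(SAMPLE_LOG, NEW_DAEMON))
    for line in missed_by_old_filter(SAMPLE_LOG):
        print("missed by old filter:", line)
```

With the old value only the single sshd line counts toward a ban; the sshd-session failure is invisible to fail2ban until _daemon is updated.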
Distro issues
Extra steps are needed to install on some distros.
UnionTech OS Desktop 20 Home (Debian GLIBC 2.28.21-1+deepin-1)
Exclude libfido2-dev from the build dependencies install command; it is not available there.
Install the following packages from debian/bullseye.
bullseye/dwz
bullseye/dh-runit
Kylin V10 SP1 (Ubuntu GLIBC 2.31-0kylin9.2k0.1)
Run ./compile.sh from the desktop terminal (mate-terminal). While the builddep/*.deb packages are being installed, a kysec_auth dialog pops up asking for permission to install; the permit button must be clicked manually. If run inside an SSH session, the compile script fails for lack of that permission.