
Building openssh 9.9p2 deb binary packages from source on Ubuntu to fix security vulnerabilities - 筑梦之路

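I previously wrote about compiling and installing openssh from source on Ubuntu. This time the packages are built with the open-source project https://github.com/boypt/openssh-deb.git, which currently supports mainly the following distributions: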

• Ubuntu 24.04/22.04/20.04

• Debian 13/trixie 12/bookworm 11/bullseye

• UnionTech OS Desktop 20 Home (Debian GLIBC 2.28.21-1+deepin-1)

• Kylin V10 SP1 (Ubuntu GLIBC 2.31-0kylin9.2k0.1) 

The project offers two build methods, a direct build and a Docker build; I mainly use the direct build here.

Building the deb binary packages

I am using Ubuntu 20.04 on x86 here.

# Clone the repository
git clone https://github.com/boypt/openssh-deb.git
# Change into the directory and edit version.env: the openssl version defaults to 3.0.16; the openssh version defaults to the latest. To pin a specific version, look up the source package at http://deb.debian.org/debian//pool/main/o/openssh/
cd openssh-deb
cat version.env
OPENSSLVER=3.5.0
OPENSSLMIR=https://github.com/openssl/openssl/releases/download/openssl-${OPENSSLVER}/
OPENSSLSRC=openssl-${OPENSSLVER}.tar.gz
DEBMIRROR=http://deb.debian.org/debian/
OPENSSH_SIDPKG=9.9p2-2
[[ -z $OPENSSH_SIDPKG ]] && \
OPENSSH_SIDPKG=$(wget --no-check-certificate -qO- https://packages.debian.org/sid/openssh-server | sed -n '/vcurrent/s/ *<[^>]*> *//gp' | head -n1 | cut -d: -f2)
OPENSSHVER=$(echo $OPENSSH_SIDPKG|cut -d- -f1)
# Install the build dependencies
sudo ./install_deps.sh
# Download the source packages
sudo ./pullsrc.sh
# Build the deb binary packages
sudo ./compile.sh

Building openssh 10.0p1 fails with the following errors:

dpkg-query: no packages found matching libwtmpdb-dev

dpkg-checkbuilddeps: error: Unmet build dependencies: dh-sequence-movetousr

You can try switching the apt sources; the example here is for 24.04.

# Source mirrors are commented out by default to speed up apt update; uncomment them if needed
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ noble main restricted universe multiverse
deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ noble main restricted universe multiverse
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ noble-updates main restricted universe multiverse
deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ noble-updates main restricted universe multiverse
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ noble-backports main restricted universe multiverse
deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ noble-backports main restricted universe multiverse
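# The security update sources below include both the official source and the mirror configuration; adjust the comments to switch if needed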
deb http://security.ubuntu.com/ubuntu/ noble-security main restricted universe multiverse
deb-src http://security.ubuntu.com/ubuntu/ noble-security main restricted universe multiverse
# Pre-release (proposed) sources; enabling them is not recommended
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ noble-proposed main restricted universe multiverse
deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ noble-proposed main restricted universe multiverse

Build output

ls -lh output/
total 32M
-rw-r--r-- 1 root root 5.6M Apr 16 02:53 openssh-client_9.9p2-2_amd64.deb
-rw-r--r-- 1 root root 4.0M Apr 16 02:53 openssh-client-dbgsym_9.9p2-2_amd64.deb
-rw-r--r-- 1 root root 127K Apr 16 02:53 openssh-client-gssapi_9.9p2-2_all.deb
-rw-r--r-- 1 root root 1.8M Apr 16 02:54 openssh-client-udeb_9.9p2-2_amd64.udeb
-rw-r--r-- 1 root root 2.3M Apr 16 02:53 openssh-server_9.9p2-2_amd64.deb
-rw-r--r-- 1 root root 1.7M Apr 16 02:53 openssh-server-dbgsym_9.9p2-2_amd64.deb
-rw-r--r-- 1 root root 127K Apr 16 02:53 openssh-server-gssapi_9.9p2-2_all.deb
-rw-r--r-- 1 root root 2.6M Apr 16 02:54 openssh-server-udeb_9.9p2-2_amd64.udeb
-rw-r--r-- 1 root root  63K Apr 16 02:53 openssh-sftp-server_9.9p2-2_amd64.deb
-rw-r--r-- 1 root root 158K Apr 16 02:52 openssh-sftp-server-dbgsym_9.9p2-2_amd64.deb
-rw-r--r-- 1 root root 9.8M Apr 16 02:53 openssh-tests_9.9p2-2_amd64.deb
-rw-r--r-- 1 root root 3.7M Apr 16 02:54 openssh-tests-dbgsym_9.9p2-2_amd64.deb
-rw-r--r-- 1 root root 127K Apr 16 02:54 ssh_9.9p2-2_all.deb
# The packages actually needed are the following
find output -maxdepth 1 ! -name '*dbgsym*' ! -name '*tests*' -name '*.deb'
output/openssh-sftp-server_9.9p2-2_amd64.deb
output/openssh-client_9.9p2-2_amd64.deb
output/openssh-client-gssapi_9.9p2-2_all.deb
output/openssh-server_9.9p2-2_amd64.deb
output/openssh-server-gssapi_9.9p2-2_all.deb
output/ssh_9.9p2-2_all.deb

Installation and verification

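find ./output -maxdepth 1 ! -name '*dbgsym*' ! -name '*tests*' -name '*.deb' | xargs sudo apt install -y
# Unmask the services
sudo systemctl unmask sshd.service
sudo systemctl unmask ssh.service
# Installation verification has problems here: the service does not start properly; I will look into it later when I have time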

As for installation verification, I did not manage to upgrade successfully on 20.04.

Known issues

sshd-session issue

If installing backported openssh 9.8+ on older distros, some other programs may face problems while interacting with the openssh service. Since openssh-9.8, the subprocess name has changed from sshd to sshd-session.

Known programs with issue:

• fail2ban
• sshguard

Make sure to upgrade or reconfigure them to meet the latest changes.

fail2ban

change in filter.d/sshd.conf:

_daemon = sshd

into

_daemon = sshd(?:-session)?
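
Why the `_daemon` change above matters for detection, shown as an added example that is not part of the project's README or the original post. The prefix and failure pattern below are a simplified stand-in for fail2ban's real filter (an assumption), and the log lines are constructed.

```python
import re

# Constructed sample auth.log lines: the first uses the pre-9.8 process name,
# the next two use the 9.8+ per-connection process name sshd-session.
SAMPLE_LOG = """\
Apr 16 03:10:01 host1 sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Apr 16 03:10:05 host1 sshd-session[1240]: Failed password for root from 203.0.113.7 port 51240 ssh2
Apr 16 03:10:09 host1 sshd-session[1244]: Failed password for invalid user test from 198.51.100.23 port 40022 ssh2
Apr 16 03:10:12 host1 sshd-sessionx[1250]: Failed password for root from 192.0.2.99 port 40100 ssh2
Apr 16 03:10:15 host1 cron[1300]: (root) CMD (run-parts /etc/cron.hourly)
""".splitlines()

OLD_DAEMON = r"sshd"               # _daemon value before the change
NEW_DAEMON = r"sshd(?:-session)?"  # _daemon value given on the page


def build_failregex(daemon):
    """Simplified stand-in (assumption) for fail2ban's prefix plus one failregex."""
    return re.compile(
        r"^\w{3}\s+\d+\s+[\d:]{8}\s+\S+\s+"  # syslog timestamp and hostname
        rf"{daemon}\[\d+\]:\s+"              # process tag built from _daemon
        r"Failed password for (?:invalid user )?\S+ "
        r"from (?P<host>\S+) port \d+"
    )


def count_failures(lines, daemon):
    """Return {source address: failed logins} as seen by a filter using `daemon`."""
    rx = build_failregex(daemon)
    hits = {}
    for line in lines:
        m = rx.match(line)
        if m:
            hits[m.group("host")] = hits.get(m.group("host"), 0) + 1
    return hits


def missed_lines(lines):
    """Lines the updated filter catches but the old one silently ignores."""
    old, new = build_failregex(OLD_DAEMON), build_failregex(NEW_DAEMON)
    return [l for l in lines if new.match(l) and not old.match(l)]


if __name__ == "__main__":
    print("old filter:", count_failures(SAMPLE_LOG, OLD_DAEMON))
    print("new filter:", count_failures(SAMPLE_LOG, NEW_DAEMON))
    for l in missed_lines(SAMPLE_LOG):
        print("missed by old filter:", l)
```

With the old value the second source address never reaches a ban threshold because none of its failures are counted, so after a backported upgrade it is worth running `missed_lines` against a real log excerpt to confirm the filter still sees failures.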
Distro Issues

Extra steps are needed to install on some distros.

UnionTech OS Desktop 20 Home (Debian GLIBC 2.28.21-1+deepin-1)

• Exclude libfido2-dev from the build dependencies install command; it's not available.
• Install the following packages from debian/bullseye:
  bullseye/dwz
  bullseye/dh-runit

Kylin V10 SP1 (Ubuntu GLIBC 2.31-0kylin9.2k0.1)

• Run ./compile.sh from the desktop Terminal (mate-terminal).
• During install of the builddep/*.deb, a kysec_auth dialog would pop up asking for installing permissions. A manual click on the permit button is needed.
• If running in an ssh session, the compile script would fail without permissions.

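In summary, for a distribution like Ubuntu I still recommend upgrading by compiling from source; compared with Red Hat family operating systems, dependency management on Debian family systems is not as friendly.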

