Building openssh 9.9p2 deb binary packages from source on Ubuntu to fix security vulnerabilities, by 筑梦之路

I previously wrote about compiling and installing openssh from source on Ubuntu. This time the packages are built with the open-source project https://github.com/boypt/openssh-deb.git, which currently supports mainly the following distributions:

• Ubuntu 24.04/22.04/20.04

• Debian 13/trixie 12/bookworm 11/bullseye

• UnionTech OS Desktop 20 Home (Debian GLIBC 2.28.21-1+deepin-1)

• Kylin V10 SP1 (Ubuntu GLIBC 2.31-0kylin9.2k0.1) 

The project offers two build methods, a direct build and a docker build; I mainly use the direct build here.

Compiling and building the deb binary packages

I am using ubuntu 20.04 on x86 here.

# Clone the code

git clone https://github.com/boypt/openssh-deb.git

# Change into the directory and edit version.env: the openssl version defaults to 3.0.16; the openssh version defaults to the latest, and if you need a specific version you can look up the source package at http://deb.debian.org/debian//pool/main/o/openssh/

cd openssh-deb
cat version.env

OPENSSLVER=3.5.0
OPENSSLMIR=https://github.com/openssl/openssl/releases/download/openssl-${OPENSSLVER}/
OPENSSLSRC=openssl-${OPENSSLVER}.tar.gz

DEBMIRROR=http://deb.debian.org/debian/
OPENSSH_SIDPKG=9.9p2-2
[[ -z $OPENSSH_SIDPKG ]] && \
	OPENSSH_SIDPKG=$(wget --no-check-certificate -qO- https://packages.debian.org/sid/openssh-server | sed -n '/vcurrent/s/ *<[^>]*> *//gp' | head -n1 | cut -d: -f2)
OPENSSHVER=$(echo $OPENSSH_SIDPKG|cut -d- -f1)


# Install the build dependencies

sudo ./install_deps.sh

# Download the source packages

sudo ./pullsrc.sh

# Compile and build the deb binary packages

sudo ./compile.sh

For openssh 10.0p1 the build fails with:

dpkg-query: no packages found matching libwtmpdb-dev

dpkg-checkbuilddeps: error: Unmet build dependencies: dh-sequence-movetousr

You can try switching the apt sources; 24.04 is used as the example here:

# Source mirrors are commented out by default to speed up apt update; uncomment them if needed

deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ noble main restricted universe multiverse
deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ noble main restricted universe multiverse
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ noble-updates main restricted universe multiverse
deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ noble-updates main restricted universe multiverse
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ noble-backports main restricted universe multiverse
deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ noble-backports main restricted universe multiverse
# The security update sources below include both the official source and the mirror configuration; edit the comments to switch if needed
deb http://security.ubuntu.com/ubuntu/ noble-security main restricted universe multiverse
deb-src http://security.ubuntu.com/ubuntu/ noble-security main restricted universe multiverse
# Pre-release sources; enabling them is not recommended
deb https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ noble-proposed main restricted universe multiverse
deb-src https://mirrors.tuna.tsinghua.edu.cn/ubuntu/ noble-proposed main restricted universe multiverse

Build results

ls -lh output/
total 32M
-rw-r--r-- 1 root root 5.6M Apr 16 02:53 openssh-client_9.9p2-2_amd64.deb
-rw-r--r-- 1 root root 4.0M Apr 16 02:53 openssh-client-dbgsym_9.9p2-2_amd64.deb
-rw-r--r-- 1 root root 127K Apr 16 02:53 openssh-client-gssapi_9.9p2-2_all.deb
-rw-r--r-- 1 root root 1.8M Apr 16 02:54 openssh-client-udeb_9.9p2-2_amd64.udeb
-rw-r--r-- 1 root root 2.3M Apr 16 02:53 openssh-server_9.9p2-2_amd64.deb
-rw-r--r-- 1 root root 1.7M Apr 16 02:53 openssh-server-dbgsym_9.9p2-2_amd64.deb
-rw-r--r-- 1 root root 127K Apr 16 02:53 openssh-server-gssapi_9.9p2-2_all.deb
-rw-r--r-- 1 root root 2.6M Apr 16 02:54 openssh-server-udeb_9.9p2-2_amd64.udeb
-rw-r--r-- 1 root root  63K Apr 16 02:53 openssh-sftp-server_9.9p2-2_amd64.deb
-rw-r--r-- 1 root root 158K Apr 16 02:52 openssh-sftp-server-dbgsym_9.9p2-2_amd64.deb
-rw-r--r-- 1 root root 9.8M Apr 16 02:53 openssh-tests_9.9p2-2_amd64.deb
-rw-r--r-- 1 root root 3.7M Apr 16 02:54 openssh-tests-dbgsym_9.9p2-2_amd64.deb
-rw-r--r-- 1 root root 127K Apr 16 02:54 ssh_9.9p2-2_all.deb

# The packages actually needed are the following

find output -maxdepth 1 ! -name '*dbgsym*' ! -name '*tests*' -name '*.deb'

output/openssh-sftp-server_9.9p2-2_amd64.deb
output/openssh-client_9.9p2-2_amd64.deb
output/openssh-client-gssapi_9.9p2-2_all.deb
output/openssh-server_9.9p2-2_amd64.deb
output/openssh-server-gssapi_9.9p2-2_all.deb
output/ssh_9.9p2-2_all.deb

Installation and verification

find ./output -maxdepth 1 ! -name '*dbgsym*' ! -name '*tests*' -name '*.deb' | xargs sudo apt install -y

# Check the version and the service status

ssh -V

systemctl status ssh

systemctl status sshd

As for the installation and verification step, I initially did not manage to upgrade successfully on 20.04; the author later updated the code and that resolved the problem.

Known issues

sshd-session issue
If you install backported openssh 9.8+ on older distros, some other programs may run into problems while interacting with the openssh service. Since openssh 9.8, the subprocess name has changed from sshd to sshd-session.

Known programs with this issue:

• fail2ban

• sshguard

Make sure to upgrade or reconfigure them to match the latest changes.

fail2ban
In filter.d/sshd.conf, change:

_daemon = sshd
into

_daemon = sshd(?:-session)?
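As an added example (not part of the openssh-deb project or this post), the Python snippet below shows why that change matters: a simplified stand-in for fail2ban's prefix/failregex matching, run over constructed auth.log lines, misses the failures logged by sshd-session with the old _daemon value and catches them with the new one. The regex shape, the sample lines and the addresses are assumptions, not fail2ban's exact filter.

```python
import re

# Constructed sample auth.log lines (not real logs): one failure logged by the
# pre-9.8 "sshd" process, one by the 9.8+ "sshd-session" child, one accepted
# login and one unrelated cron line.
SAMPLE_LOG = """\
Apr 19 10:00:01 host sshd[2101]: Failed password for root from 192.0.2.10 port 51234 ssh2
Apr 19 10:00:02 host sshd-session[2102]: Failed password for invalid user admin from 192.0.2.11 port 51235 ssh2
Apr 19 10:00:03 host sshd-session[2103]: Accepted publickey for deploy from 192.0.2.20 port 40000 ssh2
Apr 19 10:00:04 host cron[2104]: (root) CMD (run-parts /etc/cron.hourly)
"""

OLD_DAEMON = r"sshd"                 # original _daemon value in filter.d/sshd.conf
NEW_DAEMON = r"sshd(?:-session)?"    # replacement value recommended above


def build_failregex(daemon: str) -> "re.Pattern":
    """Simplified stand-in for fail2ban's __prefix_line plus a 'Failed password'
    failregex (assumption: the real filter is more elaborate; only the daemon-tag
    position matters for this demonstration)."""
    prefix = r"^\S+ +\d+ [\d:]+ \S+ (?:" + daemon + r")\[\d+\]: "
    failure = r"Failed password for (?:invalid user )?\S+ from (?P<host>\S+)"
    return re.compile(prefix + failure)


def failing_hosts(log: str, daemon: str) -> list:
    """Return the source hosts that a filter using this _daemon value would count
    as authentication failures, in log order."""
    rx = build_failregex(daemon)
    hosts = []
    for line in log.splitlines():
        m = rx.match(line)
        if m:
            hosts.append(m.group("host"))
    return hosts


if __name__ == "__main__":
    # With the old value only the sshd[...] line counts; the sshd-session failure
    # from 192.0.2.11 is silently ignored and would never be banned.
    print("old _daemon sees:", failing_hosts(SAMPLE_LOG, OLD_DAEMON))
    print("new _daemon sees:", failing_hosts(SAMPLE_LOG, NEW_DAEMON))
```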
Distro Issues
Extra steps are needed to install on some distros.

UnionTech OS Desktop 20 Home (Debian GLIBC 2.28.21-1+deepin-1)
Exclude libfido2-dev from the build dependencies install command; it is not available there.
Install the following packages from debian/bullseye:

• bullseye/dwz

• bullseye/dh-runit
Kylin V10 SP1 (Ubuntu GLIBC 2.31-0kylin9.2k0.1)
Run ./compile.sh from the desktop Terminal (mate-terminal).

While installing the builddep/*.deb packages, a kysec_auth dialog pops up asking for installation permission; the permit button must be clicked manually.

If run in an ssh session, the compile script fails for lack of that permission.

In summary, for distributions like ubuntu I still recommend upgrading by compiling from source; compared with the Red Hat family, dependency management on Debian-family systems is not as friendly.

On 19 April 2025 I saw that the author had updated the code; rebuilding with the latest code, installing and verifying worked without problems. Anyone who needs the deb binary packages can check my resources.
