[scode type="blue"] Because the GSSAPIKexAlgorithms configuration option may be deprecated in OpenSSH 10, it is recommended to comment out the GSSAPI (Generic Security Service Application Program Interface) configuration before upgrading; otherwise the service may fail to start. The script below already handles this, so just read the script. [/scode]

```bash
#!/bin/bash
# OpenSSH 10.0 upgrade script
# By wanghaoyu.com.cn
# Supports AlmaLinux, Rocky Linux 8/9, CentOS 8/9, Ubuntu, and Debian

# Stop at the first failed command or unset variable, so a failed download
# or build never ends in an sshd restart.
set -eu

RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m'

if [ "$(id -u)" -ne 0 ]; then
    echo -e "${RED}Error: Please use root to run this script!${NC}"
    exit 1
fi

# Detect the distribution
OS=""
if [ -f /etc/redhat-release ]; then
    if grep -q "AlmaLinux" /etc/redhat-release; then
        OS="almalinux"
    elif grep -q "Rocky Linux" /etc/redhat-release; then
        OS="rocky"
    elif grep -q "CentOS" /etc/redhat-release; then
        OS="centos"
    fi
elif [ -f /etc/debian_version ]; then
    if grep -q "Ubuntu" /etc/os-release; then
        OS="ubuntu"
    else
        OS="debian"
    fi
else
    echo -e "${RED}Unsupported operating system.${NC}"
    exit 1
fi
# VERSION_ID is quoted in /etc/os-release, so read it by sourcing the file
# instead of matching digits directly after the "=".
VERSION_ID=$(. /etc/os-release && echo "${VERSION_ID:-}")

# Require OpenSSL 1.1.1 or newer
check_openssl_version() {
    local current_version
    current_version=$(openssl version | awk '{print $2}')
    local required_version="1.1.1"
    if [ "$(printf '%s\n' "$required_version" "$current_version" | sort -V | head -n1)" != "$required_version" ]; then
        echo -e "${RED}Error: Current OpenSSL version is $current_version, which is lower than required version $required_version. Please upgrade OpenSSL first.${NC}"
        exit 1
    else
        echo -e "${GREEN}OpenSSL version check passed, current version is $current_version.${NC}"
    fi
}

install_dependencies() {
    echo -e "${YELLOW}Installing build dependencies...${NC}"
    case "$OS" in
        almalinux|rocky|centos)
            dnf groupinstall -y "Development Tools"
            dnf install -y wget zlib-devel openssl-devel pam-devel libselinux-devel
            ;;
        ubuntu|debian)
            apt-get update
            apt-get install -y build-essential wget zlib1g-dev libssl-dev libpam0g-dev libselinux1-dev
            ;;
        *)
            echo -e "${RED}Unsupported operating system.${NC}"
            exit 1
            ;;
    esac
}

# backup ssh config
backup_openssh() {
    echo -e "${YELLOW}Backing up current OpenSSH configuration...${NC}"
    cp -r /etc/ssh "/etc/ssh.bak.$(date +%Y%m%d%H%M%S)"
}

download_and_compile_openssh() {
    echo -e "${YELLOW}Downloading OpenSSH 10.0...${NC}"
    cd /usr/local/src
    # The tarball is not verified here; check it against the signature
    # published alongside it before building.
    wget https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-10.0p1.tar.gz
    tar -xzf openssh-10.0p1.tar.gz
    cd openssh-10.0p1
    echo -e "${YELLOW}Compiling OpenSSH 10.0...${NC}"
    ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-md5-passwords --with-pam --with-ssl-engine --with-privsep-path=/var/lib/sshd
    make -j"$(nproc)"
    make install
}

configure_sshd() {
    echo -e "${YELLOW}Configuring sshd service...${NC}"
    # Validate the configuration with the new binary before restarting, so a
    # rejected option does not cut off remote access.
    /usr/sbin/sshd -t
    case "$OS" in
        almalinux|rocky|centos)
            systemctl restart sshd
            systemctl enable sshd
            ;;
        ubuntu|debian)
            systemctl restart ssh
            systemctl enable ssh
            ;;
        *)
            echo -e "${RED}Unsupported operating system.${NC}"
            exit 1
            ;;
    esac
}

# Fix GSSAPIKexAlgorithms config
fix_gssapi_config() {
    echo -e "${YELLOW}Fixing GSSAPIKexAlgorithms configuration...${NC}"
    if [ -f /etc/crypto-policies/back-ends/opensshserver.config ]; then
        # Put "#" in front of the option unless one is already there, so
        # running the script again does not stack up "#" characters.
        sed -i -E 's/(^|[^#])(GSSAPIKexAlgorithms)/\1#\2/' /etc/crypto-policies/back-ends/opensshserver.config
    fi
}

verify_installation() {
    echo -e "${YELLOW}Verifying installation...${NC}"
    ssh -V
}

main() {
    echo -e "${GREEN}Starting OpenSSH upgrade to 10.0...${NC}"
    check_openssl_version
    install_dependencies
    backup_openssh
    download_and_compile_openssh
    fix_gssapi_config
    configure_sshd
    verify_installation
    echo -e "${GREEN}OpenSSH 10.0 upgrade completed.${NC}"
}

main
```

That's all there is to it.

Downloading from the official OpenSSH site can be slow; you can replace the URL with one from a mirror site in China.

Last modification: November 8, 2025
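The GSSAPI clean-up described in the note at the top, as an added example that is not part of the original script: it lists active `GSSAPIKexAlgorithms` directives in sshd_config-style files and comments them out idempotently, keeping a backup. The function names, the `.pre-upgrade` suffix and the sample config are constructed for illustration; it assumes one directive per line and GNU grep and sed.

```shell
#!/bin/bash
# Added example: pre-flight handling of GSSAPIKexAlgorithms before sshd is restarted.
# Assumption: target files use sshd_config syntax, one directive per line.

KEX_RE='^[[:space:]]*GSSAPIKexAlgorithms([[:space:]=]|$)'

# Print "file:line:text" for each active (uncommented) directive found in the
# given files or directories. sshd_config keywords are case-insensitive.
find_active_gssapi_kex() {
    grep -rHniE "$KEX_RE" "$@" 2>/dev/null || true
}

# Comment out active directives in one file, keeping <file>.pre-upgrade as a
# backup. Files with nothing to change are not touched, so reruns are no-ops.
comment_out_gssapi_kex() {
    local file=$1
    [ -f "$file" ] || return 0
    [ -n "$(find_active_gssapi_kex "$file")" ] || return 0
    cp -p "$file" "$file.pre-upgrade"
    sed -i -E 's/^([[:space:]]*)(GSSAPIKexAlgorithms([[:space:]=]|$))/\1#\2/I' "$file"
}

# Demo on a constructed config in a temporary directory (not a real system file).
demo() {
    local dir
    dir=$(mktemp -d)
    printf '%s\n' \
        'Ciphers aes256-gcm@openssh.com' \
        'GSSAPIKexAlgorithms gss-curve25519-sha256-' \
        '  gssapikexalgorithms gss-group14-sha256-' \
        '#GSSAPIKexAlgorithms already-disabled' \
        'GSSAPIAuthentication yes' > "$dir/sample.config"
    echo "active before:"
    find_active_gssapi_kex "$dir/sample.config"
    comment_out_gssapi_kex "$dir/sample.config"
    echo "file after:"
    cat "$dir/sample.config"
    rm -rf "$dir"
}
demo
```

Point `find_active_gssapi_kex` at `/etc/ssh` and the crypto-policies file before the restart, then run `sshd -t` to confirm the new binary accepts what is left.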