
Ansible批量升级ssh版本至OpenSSH8.6p1

准备工作

我这里测试使用了一台机器

# egrep -v "^#|^$" /etc/ansible/hosts 
[server]
# ansible_ssh_pass stores a cleartext password in the inventory; prefer SSH
# key auth, or keep the value in an ansible-vault-encrypted vars file.
192.168.100.133 ansible_ssh_pass=f ansible_ssh_user=root

Playbook文件结构

这里是升级openssh的目录结构及所需文件。

[root@c71 roles]# pwd
/etc/ansible/roles
[root@c71 roles]# tree update_openssh/
update_openssh/
├── files
│ ├── openssh-8.6p1.tar.gz
│ └── openssl-1.1.1k.tar.gz
├── handlers
│ └── main.yaml
├── tasks
│ ├── install.yaml
│ └── main.yaml
├── update_openssh.yaml
└── vars
└── main.yaml

4 directories, 8 files

下载openssl-1.1.1k.tar.gz,openssh-8.6p1.tar.gz两个文件到files目录下

Openssl 下载地址:https://ftp.openssl.org/source/

Openssh 下载地址:https://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/

update_openssh.yaml

[root@c71 update_openssh]# cat update_openssh.yaml 
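---
# Play that applies the update_openssh role to the "server" inventory group.
# Indentation restored: the listing as rendered is not parseable YAML.
- name: 升级openssh版本到openssh8.6p1
  hosts: server
  # "user" is the older alias of remote_user.
  user: root
  # Facts are not gathered, so ansible_* fact variables (e.g. ansible_ens33)
  # are undefined in this play's tasks and handlers.
  gather_facts: false
  roles:
    - update_openssh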

vars/main.yaml

[root@c71 update_openssh]# cat vars/main.yaml 
# Archive filenames resolved from the role's files/ directory by the
# unarchive handler. When bumping versions also update the hard-coded chdir
# paths in handlers/main.yaml (/usr/local/src/openssl-1.1.1k, openssh-8.6p1).
open_ssh_package: openssh-8.6p1.tar.gz
open_ssl_package: openssl-1.1.1k.tar.gz

tasks/main.yaml

[root@c71 update_openssh]# cat tasks/main.yaml 
---
# Role entry point: all tasks live in install.yaml; the upgrade itself runs
# from handlers/main.yaml once install.yaml notifies them.
- import_tasks: install.yaml

tasks/install.yaml

[root@c71 update_openssh]# cat tasks/install.yaml
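---
# Fallback-access phase: bring up telnet so the host stays reachable if the
# sshd rebuild (run by the handlers) breaks SSH. Telnet is cleartext and,
# with the securetty entries below, accepts root logins; disable it and
# restore /etc/securetty from the backup once the new sshd is verified.
# Indentation restored: the listing as rendered is not parseable YAML.
- name: 安装telnet、xinetd
  yum:
    name: ['telnet','telnet-server','xinetd']
    state: present

- name: 启动telnet、xinetd,并设置开机启动
  service:
    name: "{{ item }}"
    state: started
    enabled: yes
  loop:
    - xinetd
    - telnet.socket

# Dated copy so the original can be restored after the upgrade.
- name: 备份/etc/securetty文件
  shell:
    cmd: cp -rf /etc/securetty /etc/securetty.bak$(date +%Y%m%d)

# Lets root log in on pts/0-4 (i.e. over telnet), which is what makes the
# fallback usable; it also widens root's login surface until reverted.
- name: 在/etc/securetty文件添加其他终端设备
  blockinfile:
    dest: /etc/securetty
    block: "pts/0\npts/1\npts/2\npts/3\npts/4"

# state=restarted always reports "changed", so the notify below fires on
# every run and triggers the whole upgrade handler chain.
- name: 重启xinetd服务
  service:
    name: xinetd
    state: restarted
  # Only proceed with the upgrade once telnet is up: if the upgrade broke
  # sshd and telnet were not running, the host could no longer be reached.
  notify:
    - telnet已经启动成功,可以进行升级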

handlers/main.yaml

[root@c71 update_openssh]# cat handlers/main.yaml 
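---
# Upgrade handlers. Every handler listens on the same topic, so the single
# notify from tasks/install.yaml runs the whole chain, in the order written
# here. Most steps shell out and are not idempotent: a second run of the play
# fails at the mv steps unless the .bak/dated backups are cleaned up first.
# Indentation restored: the listing as rendered is not parseable YAML.
- name: 安装编译环境及基础依赖包
  yum:
    name: ['ntpdate','gcc','gcc-c++','glibc','make','krb5-libs','krb5-devel','autoconf','openssl','openssl-devel','pcre-devel','zlib-devel','pam-devel','perl']
    state: present
  listen: telnet已经启动成功,可以进行升级

# src is relative to the role's files/ directory (remote_src is not set), so
# both tarballs are pushed from the controller and extracted on the target.
- name: 将openssh、openssl的压缩包解压到//usr/local/src/目录
  unarchive:
    src: "{{ item }}"
    dest: /usr/local/src/
  loop:
    - "{{ open_ssh_package }}"
    - "{{ open_ssl_package }}"
  listen: telnet已经启动成功,可以进行升级

# Moves the distro openssl binary and headers aside. The openssl rpm installed
# above stays registered, so a later yum update can put these files back.
# Fails on rerun because the .bak targets already exist.
- name: 备份openssl文件
  shell:
    cmd: mv /usr/bin/openssl{,.bak};mv /usr/include/openssl{,.bak}
  listen: telnet已经启动成功,可以进行升级

# chdir is hard-coded to the version named in vars/main.yaml; keep in sync.
- name: 编译安装openssl
  shell:
    cmd: ./config shared --prefix=/usr/local/openssl && make && make install
    chdir: /usr/local/src/openssl-1.1.1k
  listen: telnet已经启动成功,可以进行升级

# file/state=link instead of `ln -s`: idempotent on rerun and no
# command_warnings notice. Like ln -s, it refuses to replace an existing
# regular file at dest (force is left at its default).
- name: 设置openssl指令的软链接
  file:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    state: link
  loop:
    - { src: /usr/local/openssl/lib/libssl.so.1.1, dest: /usr/lib64/libssl.so.1.1 }
    - { src: /usr/local/openssl/lib/libcrypto.so.1.1, dest: /usr/lib64/libcrypto.so.1.1 }
    - { src: /usr/local/openssl/bin/openssl, dest: /usr/bin/openssl }
    - { src: /usr/local/openssl/include/openssl, dest: /usr/include/openssl }
  listen: telnet已经启动成功,可以进行升级

# The grep guard keeps reruns from stacking duplicate entries in ld.so.conf.
- name: 加载openssl模块
  shell:
    cmd: grep -qxF /usr/local/openssl/lib /etc/ld.so.conf || echo "/usr/local/openssl/lib" >> /etc/ld.so.conf;/sbin/ldconfig
  listen: telnet已经启动成功,可以进行升级

# Moving /etc/ssh away also removes the host keys, so the install below
# generates fresh ones and every client sees a changed host key (the
# known_hosts mismatch mentioned at the end of this article). Restoring
# ssh_host_*_key* from the dated backup after the install keeps existing
# client known_hosts entries valid. Facts are not gathered in this play, so
# the message uses inventory_hostname (the original string printed the
# variable name literally).
- name: 备份/etc/ssh、/etc/pam.d/sshd.pam
  shell:
    cmd: mv /etc/ssh /etc/ssh.$(date +%Y%m%d);cp -rf /etc/pam.d/sshd.pam /etc/pam.d/sshd.pam.$(date +%Y%m%d) || echo "{{ inventory_hostname }}上暂无这个文件。"
  listen: telnet已经启动成功,可以进行升级

# Builds against the OpenSSL installed above. With --prefix=/usr the new
# sshd lands in /usr/sbin and its sftp-server in /usr/libexec.
- name: 编译安装openssh
  shell:
    cmd: ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-ssl-dir=/usr/local/openssl --with-zlib --with-md5-passwords --with-pam --with-kerberos5 && make && make install
    chdir: /usr/local/src/openssh-8.6p1
  listen: telnet已经启动成功,可以进行升级

# Overwrites the sshd_config that make install just wrote with the source
# tree's default; the lineinfile handlers below then adjust it.
- name: 替换新的sshd_config
  shell:
    cmd: cp -rf /usr/local/src/openssh-8.6p1/sshd_config /etc/ssh/sshd_config
  listen: telnet已经启动成功,可以进行升级

# NOTE(review): this path belongs to the distro openssh-server rpm; the build
# above installs its own sftp-server under /usr/libexec. It works while the
# old rpm is still present - confirm which binary is intended.
- name: override default of no subsystems
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: .*Subsystem.*sftp-server
    line: Subsystem sftp /usr/libexec/openssh/sftp-server
  listen: telnet已经启动成功,可以进行升级

- name: 关闭DNS解析
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: .*UseDNS
    line: UseDNS no
  listen: telnet已经启动成功,可以进行升级

# Enables password root login over SSH. For a hardened baseline switch to
# "PermitRootLogin prohibit-password" (key-only) once the upgrade is verified.
- name: 允许root远程登录
  lineinfile:
    dest: /etc/ssh/sshd_config
    regexp: .*PermitRootLogin
    line: PermitRootLogin yes
  listen: telnet已经启动成功,可以进行升级

# /etc/sshbanner is not created by this role; create it (or drop this line)
# so the directive has an effect.
- name: 添加banner路径
  lineinfile:
    dest: /etc/ssh/sshd_config
    insertafter: ^#Banner none
    line: Banner /etc/sshbanner
  listen: telnet已经启动成功,可以进行升级

# NOTE(review): sshd looks up its PAM stack by service name (/etc/pam.d/sshd),
# so a file named sshd.pam is presumably not consulted and the distro
# /etc/pam.d/sshd is what applies - confirm before relying on this copy.
- name: 拷贝sshd.init和sshd.pam
  shell:
    cmd: cp -a contrib/redhat/sshd.init /etc/init.d/sshd;cp -a contrib/redhat/sshd.pam /etc/pam.d/sshd.pam
    chdir: /usr/local/src/openssh-8.6p1
  listen: telnet已经启动成功,可以进行升级

# Registers the SysV script; systemctl enable here targets the unit file that
# the next handler moves away.
- name: 将sshd交给chkconfig管理
  shell:
    cmd: chmod +x /etc/init.d/sshd;chkconfig --add sshd;chkconfig sshd on;systemctl enable sshd
  listen: telnet已经启动成功,可以进行升级

# The distro unit files are moved out of the way so `service sshd` uses the
# SysV script installed above. If the new sshd fails to start, new SSH
# connections are refused - which is why telnet was brought up first.
- name: 备份sshd.service并重启sshd服务
  shell:
    cmd: mv /usr/lib/systemd/system/sshd.service /usr/local/src/;mv /usr/lib/systemd/system/sshd.socket /usr/local/src/;systemctl daemon-reload;service sshd restart
  listen: telnet已经启动成功,可以进行升级

# ssh -V prints to stderr, so the OpenSSH version ends up in check.stderr and
# only the openssl version in check.stdout.
- name: 检查版本,确认是否升级成功
  shell:
    cmd: ssh -V;openssl version
  register: check
  listen: telnet已经启动成功,可以进行升级

- name: 更新后版本信息
  debug:
    var: check
    verbosity: 0
  listen: telnet已经启动成功,可以进行升级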

语法检查

[root@c71 update_openssh]# ansible-playbook --syntax-check update_openssh.yaml

playbook: update_openssh.yaml

开始升级openssh

[root@c71 update_openssh]# pwd
/etc/ansible/roles/update_openssh
[root@c71 update_openssh]# ansible-playbook update_openssh.yaml

PLAY [升级openssh版本到openssh8.6p1] *****************************************************************************************************************

TASK [update_openssh : 安装telnet、xinetd] *********************************************************************************************************
changed: [192.168.100.133]

TASK [update_openssh : 启动telnet、xinetd,并设置开机启动] *************************************************************************************************
changed: [192.168.100.133] => (item=xinetd)
changed: [192.168.100.133] => (item=telnet.socket)

TASK [update_openssh : 备份/etc/securetty文件] ******************************************************************************************************
changed: [192.168.100.133]

TASK [update_openssh : 在/etc/securetty文件添加其他终端设备] ***********************************************************************************************
changed: [192.168.100.133]

TASK [update_openssh : 重启xinetd服务] **************************************************************************************************************
changed: [192.168.100.133]

RUNNING HANDLER [update_openssh : 安装编译环境] *******************************************************************************************************
changed: [192.168.100.133]

RUNNING HANDLER [update_openssh : 将openssh、openssl的压缩包解压到//usr/local/src/目录] ********************************************************************
changed: [192.168.100.133] => (item=openssh-8.6p1.tar.gz)
changed: [192.168.100.133] => (item=openssl-1.1.1k.tar.gz)

RUNNING HANDLER [update_openssh : 备份openssl文件] **************************************************************************************************
changed: [192.168.100.133]

RUNNING HANDLER [update_openssh : 编译安装openssl] **************************************************************************************************
changed: [192.168.100.133]

RUNNING HANDLER [update_openssh : 设置openssl指令的软链接] **********************************************************************************************
[WARNING]: Consider using the file module with state=link rather than running 'ln'. If you need to use command because file is insufficient you
can add 'warn: false' to this command task or set 'command_warnings=False' in ansible.cfg to get rid of this message.
changed: [192.168.100.133]

RUNNING HANDLER [update_openssh : 加载openssl模块] **************************************************************************************************
changed: [192.168.100.133]

RUNNING HANDLER [update_openssh : 备份/etc/ssh、/etc/pam.d/sshd.pam] *******************************************************************************
changed: [192.168.100.133]

RUNNING HANDLER [update_openssh : 编译安装openssh] **************************************************************************************************
changed: [192.168.100.133]

RUNNING HANDLER [update_openssh : 替换新的sshd_config] **********************************************************************************************
changed: [192.168.100.133]

RUNNING HANDLER [update_openssh : override default of no subsystems] ****************************************************************************
changed: [192.168.100.133]

RUNNING HANDLER [update_openssh : 关闭DNS解析] ******************************************************************************************************
changed: [192.168.100.133]

RUNNING HANDLER [update_openssh : 允许root远程登录] ***************************************************************************************************
changed: [192.168.100.133]

RUNNING HANDLER [update_openssh : 添加banner路径] ***************************************************************************************************
changed: [192.168.100.133]

RUNNING HANDLER [update_openssh : 拷贝sshd.init和sshd.pam] *****************************************************************************************
changed: [192.168.100.133]

RUNNING HANDLER [update_openssh : 将sshd交给chkconfig管理] *******************************************************************************************
[WARNING]: Consider using the file module with mode rather than running 'chmod'. If you need to use command because file is insufficient you
can add 'warn: false' to this command task or set 'command_warnings=False' in ansible.cfg to get rid of this message.
changed: [192.168.100.133]

RUNNING HANDLER [update_openssh : 备份sshd.service并重启sshd服务] **************************************************************************************
changed: [192.168.100.133]

RUNNING HANDLER [update_openssh : 检查版本,确认是否升级成功] ************************************************************************************************
changed: [192.168.100.133]

RUNNING HANDLER [update_openssh : 更新后版本信息] ******************************************************************************************************
ok: [192.168.100.133] => {
"check": {
"changed": true,
"cmd": "ssh -V;openssl version",
"delta": "0:00:00.014358",
"end": "2021-07-13 21:57:42.407139",
"failed": false,
"rc": 0,
"start": "2021-07-13 21:57:42.392781",
"stderr": "OpenSSH_8.6p1, OpenSSL 1.1.1k 25 Mar 2021",
"stderr_lines": [
"OpenSSH_8.6p1, OpenSSL 1.1.1k 25 Mar 2021"
],
"stdout": "OpenSSL 1.1.1k 25 Mar 2021",
"stdout_lines": [
"OpenSSL 1.1.1k 25 Mar 2021"
]
}
}

PLAY RECAP **************************************************************************************************************************************
192.168.100.133 : ok=23 changed=22 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0


可以看到,已经成功升级。原来配置的免密登录如果无法正常登录,是因为主机密钥已变化,把/root/.ssh/known_hosts文件里面对应的记录删掉就能连接了。

参考:https://blog.csdn.net/rookie23rook/article/details/111691267