移植sshd
文章目录
- 移植sshd
- 1、准备工作
- 2、编译zlib
- 3、编译openssl
- 4、编译openssh
- 5、其他旧版本
- 6、部署测试
- 7、多用户配置
- 8、sshd_config示例
1、准备工作
准备openssh-9.5p1.tar.gz
openssl-1.1.1w.tar.gz
zlib-1.2.11.tar.gz
我在http://10.45.156.100/IG2100/IG2100.git IG2100/Build/source/third 找到如下源码库
-rw-rw-r-- 1 lanyx lanyx 1843001 5月 30 13:59 openssh-9.5p1.tar.gz
-rw-rw-r-- 1 lanyx lanyx 9893384 5月 30 13:59 openssl-1.1.1w.tar.gz
-rw-rw-r-- 1 lanyx lanyx 660294 5月 30 13:59 zlib-1.2.11.tar.gz
//新建如下目录
lanyx@ubuntu:~/src_lib/sshd$ tree -L 2
.
├── build
├── out
│ ├── openssl
│ └── zlib
├── source
│ ├── openssh-9.5p1
│ ├── openssl-1.1.1w
│ └── zlib-1.2.11
└── tar
├── openssh-9.5p1.tar.gz
├── openssl-1.1.1w.tar.gz
└── zlib-1.2.11.tar.gz
2、编译zlib
tar -zxvf zlib-1.2.11.tar.gz -C ../source/
cd ../source/zlib-1.2.11
./configure --prefix=/home/lanyx/src_lib/sshd/out/zlib
vim Makefile //修改编译链
make
make install
3、编译openssl
tar -zxvf openssl-1.1.1w.tar.gz -C ../source/
cd ../source/openssl-1.1.1w/
./Configure linux-generic32 no-asm no-threads no-zlib no-sse2 no-bf no-cast no-rc2 no-rc4 no-rc5 no-md2 no-mdc2 no-idea shared --prefix=/home/lanyx/src_lib/sshd/out/openssl --cross-compile-prefix=arm-unknown-linux-gnu-
make
make install
执行Configure的时候可能会报错:
hreads_pthread.c crypto/threads_pthread.c: In function `CRYPTO_THREAD_lock_new': crypto/threads_pthread.c:48: warning: implicit declaration of function `pthread_mutexattr_settype' crypto/threads_pthread.c:48: error: `PTHREAD_MUTEX_RECURSIVE' undeclared (first use in this function) crypto/threads_pthread.c:48: error: (Each undeclared identifier is reported only once crypto/threads_pthread.c:48: error: for each function it appears in.) make[1]: *** [Makefile:5103: crypto/threads_pthread.o] Error 1 make[1]: Leaving directory '/home/lanyx/src_lib/sshd/source/openssl-1.1.1w'
处理:打开 crypto/threads_pthread.c 文件,添加以下定义
#ifndef PTHREAD_MUTEX_RECURSIVE
#define PTHREAD_MUTEX_RECURSIVE PTHREAD_MUTEX_RECURSIVE_NP
#endif
4、编译openssh
tar -zxvf openssh-9.5p1.tar.gz -C ../source/
cd ../source/openssh-9.5p
./configure --host=arm-linux --prefix=/home/lanyx/src_lib/sshd/out/openssh --with-zlib=/home/lanyx/src_lib/sshd/out/zlib --with-ssl-dir=/home/lanyx/src_lib/sshd/out/openssl --disable-etc-default-login CC=arm-unknown-linux-gnu-gcc AR=arm-unknown-linux-gnu-ar
make
make install
5、其他旧版本
上述版本在在IG2000V3
设备上可以运行,但是存在sshd
无法启动sftp-server
服务,导致ftp无法使用,因此又尝试了低版本。
//openssh7.6 && openssl1.0.2n
wget https://zlib.net/fossils/zlib-1.2.11.tar.gz
wget https://www.openssl.org/source/old/1.0.2/openssl-1.0.2n.tar.gz
wget https://mirrors.aliyun.com/pub/OpenBSD/OpenSSH/portable/openssh-7.6p1.tar.gz
#zlib
./configure --prefix=/home/lanyx/src_lib/sshd-7.6/out/zlib
vim Makefile
#修改编译链,一共有五处需要修改
make
make install
#openssl
./Configure linux-generic32 no-asm no-threads no-zlib no-sse2 no-bf no-cast no-rc2 no-rc4 no-rc5 no-md2 no-mdc2 no-idea shared --prefix=/home/lanyx/src_lib/sshd-7.6/out/openssl --cross-compile-prefix=arm-unknown-linux-gnu-
make
make install
#openssh
#9g25
./configure --host=arm-linux --disable-strip --sysconfdir=/etc/ssh --prefix=/usr --with-zlib=/home/lanyx/src_lib/sshd-7.6/out/zlib --with-ssl-dir=/home/lanyx/src_lib/sshd-7.6/out/openssl CC=arm-unknown-linux-gnu-gcc AR=arm-unknown-linux-gnu-ar
#9x60
./configure --host=arm-linux --disable-strip --sysconfdir=/etc/ssh --prefix=/usr --with-zlib=/home/lanyx/src_lib/sshd-7.6/out/zlib --with-ssl-dir=/home/lanyx/src_lib/sshd-7.6/out/openssl CC=arm-linux-gcc AR=arm-linux-ar
--sysconfdir :代表ssdh_config配置文件的默认路径,我将此文件放在/etc/ssh/sshd_config,因此这里我写/etc/ssh
--prefix :代表相关的bin文件的前缀,这里我写的/usr,因为我的sftp-server放在/usr/libexec目录
上述版本测试后还是发现sshd无法正常启动sftp-server,但是在IG2100上可以启动,目前原因未知,
将sshd_config中的sftp修改为sshd内部的sftp,测试可以正常。
#Subsystem sftp /usr/libexec/sftp-server
Subsystem sftp internal-sftp`
小贴士:如果采用/usr/sbin/sshd -d
这种方式启动,在IG2000V3
上也是无法启动sftp的,一定要/usr/sbin/sshd&
或者在启动文件中启动
6、部署测试
准备编译好的文件
-rw-r--r-- 1 lanyx lanyx 553185 6月 4 08:04 moduli
drwxrwxr-x 6 lanyx lanyx 4096 6月 3 18:41 openssl
-rwxrwxr-x 1 lanyx lanyx 212549 6月 4 08:03 scp
-rwxrwxr-x 1 lanyx lanyx 292247 6月 4 08:07 sftp
-rwxrwxr-x 1 lanyx lanyx 234073 6月 4 08:03 sftp-server
-rwxrwxr-x 1 lanyx lanyx 1447435 6月 4 08:03 ssh
-rwxrwxr-x 1 lanyx lanyx 706755 6月 4 08:04 ssh-add
-rwxrwxr-x 1 lanyx lanyx 754599 6月 4 08:04 ssh-agent
-rw-r--r-- 1 lanyx lanyx 1495 6月 4 08:04 ssh_config
-rwxrwxr-x 1 lanyx lanyx 1616635 6月 4 08:05 sshd
-rw-r--r-- 1 lanyx lanyx 3120 6月 4 16:29 sshd_config
-rwxrwxr-x 1 lanyx lanyx 863203 6月 4 08:03 ssh-keygen
-rwxrwxr-x 1 lanyx lanyx 916052 6月 4 08:03 ssh-keyscan
-rwxrwxr-x 1 lanyx lanyx 877530 6月 4 08:05 ssh-keysign
drwxrwxr-x 5 lanyx lanyx 4096 6月 3 18:35 zlib
确保设备有以下目录,如果没有则新建:
/usr//bin
/usr/libexec
/etc/ssh
将 openssh 目录下文件拷贝到开发板系统中,具体为:
客户端文件
scp、sftp、ssh 、ssh-add、ssh-agent、ssh-keygen、ssh-keyscan 共7个文件拷贝到开发板 /usr/bin
sshd配置文件
moduli、ssh_config、sshd_config 共3个文件拷贝到开发板 /etc/ssh
sftp-server文件
sftp-server、ssh-keysign 共2个文件拷贝到开发板 /usr/libexec
sshd 拷贝到 /usr/sbin
chmod 777 /usr/sbin/sshd
libz.so.1.2.11 拷贝到开发板 /lib (必须放在/lib下,不然scp会找不到这个库)
然后建立软链接:
ln -s libz.so.1.2.11 libz.so.1
将out/openssl/lib/libcrypto.so.1.0.0 也要复制到/lib
生成key文件:
ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ""
ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ""
ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -N ""
将生成的 ssh_host_rsa_key 、 ssh_host_dsa_key 和 ssh_host_ecdsa_key 拷贝到 /etc/ssh
chmod 600 ssh_host_*
#如果开发板需要 ssh_host_key 的话,执行:
#ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N ""
如果出现 privilege separation user sshd 问题:
在 /etc/passwd 增加以下:
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
测试:
/usr/sbin/sshd -d
7、多用户配置
useradd ftptest -m -s /bin/sh -d /TELECOM #/TELECOM是用户目录
echo "ftptest:ftptest" | chpasswd #修改密码
chmod 755 /TELECOM -R #修改权限,这里设置为755,只能下载不能上传,如果想要上传修改为766就可以
8、sshd_config示例
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
# Logging
#SyslogFacility AUTH
#LogLevel INFO
#LoginGraceTime 2m
#PermitRootLogin prohibit-password
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# override default of no subsystems
#Subsystem sftp /usr/libexec/sftp-server
Subsystem sftp internal-sftp
# Example of overriding settings on a per-user basis