編譯openssl
配置和設置環境變量
這裏使用移遠的4G模組開發,直接使用SDK中的交叉編譯工具。
export PATH=/home/red/lte/ec25af/ql-ol-sdk/ql-ol-crosstool/sysroots/x86_64-oesdk-linux/usr/bin/arm-oe-linux-gnueabi/:$PATH
export CC="arm-oe-linux-gnueabi-gcc -march=armv7-a -mfloat-abi=softfp -mfpu=neon"
./Configure no-asm shared --prefix=/home/red/Downloads/openssl linux-generic32
修改Makefile如下地方
刪除 CFLAG= 中的-m64
AR= arm-linux-gnueabi-ar $(ARFLAGS) r
RANLIB= arm-linux-gnueabi-ranlib
NM= arm-linux-gnueabi-nm
SHARED_LDFLAGS=
編譯:
make #這裏注意,不能使用make -j8這樣的命令,會出錯
make install
openssh編譯
測試平臺openssh-7.0p1,ubuntu18.04, linux 5.4.0
設置環境變量,這裏直接指定交叉編譯器
export PATH=/home/red/lte/ec25af/ql-ol-sdk/ql-ol-crosstool/sysroots/x86_64-oesdk-linux/usr/bin/arm-oe-linux-gnueabi/:$PATH
export CC="arm-oe-linux-gnueabi-gcc -march=armv7-a -mfloat-abi=softfp -mfpu=neon"
配置openssh與編譯
./configure --host=arm-oe-linux-gnueabi --with-libs --with-zlib=/home/red/Downloads/zlib --with-ssl-dir=/home/red/Downloads/openssl --disable-etc-default-login
make -j8
注意:如果配置時加了--prefix選項,sshd會取這個默認目錄去找sshd_config文件,在運行時需要用-f參數去指定目錄。另外需要指定openssl的目錄,openssl的版本要和目標板上的版本一致,否則運行時會出錯,測試過小版本有差別的時候也可以用,但是大版本有差別不能用。
目標系統配置
確認目標系統有如下的目錄,沒有則新建。
/usr/local/bin
/usr/local/etc
/usr/libexec
/var/run
/var/empty/sshd
將scp、sftp、ssh 、sshd、ssh-add、ssh-agent、ssh-keygen、ssh-keyscan共8個文件拷貝到目標板/usr/local/bin
將moduli、ssh_config、sshd_config共3個文件拷貝到目標板 /usr/local/etc
將sftp-server、ssh-keysign 共2個文件拷貝到目標板 /usr/libexec
用如下命令生成key文件,注意路徑
$ cd /usr/local/etc/
$ ssh-keygen -t rsa -f ssh_host_rsa_key -N ""
$ ssh-keygen -t dsa -f ssh_host_dsa_key -N ""
$ ssh-keygen -t ecdsa -f ssh_host_ecdsa_key -N ""
$ ssh-keygen -t dsa -f ssh_host_ed25519_key -N ""
在/etc/passwd文件中增加如下一行
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/bin/sh
#注意:這裏sshd用戶是沒有密碼的,使用該用戶登錄前,需要設置密碼。前面新建的目錄/var/empty/sshd是該用戶登錄時的工作目錄,要注意權限是否正確。
使用版本6.6.1,執行完以上步驟以後,並不能登錄到目標機器,即使密碼正確也總是報告[email protected]: Permission denied (password,keyboard-interactive). 最後換了7.0.1後可以正常登錄。最終解決問題使用瞭如下的sshd_config配置文件。
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# The default requires explicit activation of protocol 1
#Protocol 2
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /usr/local/etc/ssh_host_rsa_key
HostKey /usr/local/etc/ssh_host_dsa_key
HostKey /usr/local/etc/ssh_host_ecdsa_key
HostKey /usr/local/etc/ssh_host_ed25519_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
# Ciphers and keying
#RekeyLimit default none
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
MaxAuthTries 60
#MaxSessions 10
#RSAAuthentication yes
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no
# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation sandbox # Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
LogLevel VERBOSE
# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
如何使用公鑰免密碼登錄:
在主機上生成key文件,並將.pub文件(公鑰)添加到目標機器~/.ssh/authorize_keys文件中後,主機可以免密碼登錄到目標機器。添加公鑰方式:cat id_rsa.pub >> ~/.ssh/authorize_keys。