arm开发板移植sshd
移植sshd
文章目录
- 移植sshd
- 1、准备工作
- 2、编译zlib
- 3、编译openssl
- 4、编译openssh
- 5、其他旧版本
- 6、部署测试
- 7、多用户配置
- 8、sshd_config示例
1、准备工作
准备openssh-9.5p1.tar.gz openssl-1.1.1w.tar.gz zlib-1.2.11.tar.gz
我在http://10.45.156.100/IG2100/IG2100.git IG2100/Build/source/third 找到如下源码库
-rw-rw-r-- 1 lanyx lanyx 1843001 5月 30 13:59 openssh-9.5p1.tar.gz -rw-rw-r-- 1 lanyx lanyx 9893384 5月 30 13:59 openssl-1.1.1w.tar.gz -rw-rw-r-- 1 lanyx lanyx 660294 5月 30 13:59 zlib-1.2.11.tar.gz
//新建如下目录 lanyx@ubuntu:~/src_lib/sshd$ tree -L 2 . ├── build ├── out │ ├── openssl │ └── zlib ├── source │ ├── openssh-9.5p1 │ ├── openssl-1.1.1w │ └── zlib-1.2.11 └── tar ├── openssh-9.5p1.tar.gz ├── openssl-1.1.1w.tar.gz └── zlib-1.2.11.tar.gz2、编译zlib
tar -zxvf zlib-1.2.11.tar.gz -C ../source/ cd ../source/zlib-1.2.11 ./configure --prefix=/home/lanyx/src_lib/sshd/out/zlib vim Makefile //修改编译链 make make install
3、编译openssl
tar -zxvf openssl-1.1.1w.tar.gz -C ../source/ cd ../source/openssl-1.1.1w/ ./Configure linux-generic32 no-asm no-threads no-zlib no-sse2 no-bf no-cast no-rc2 no-rc4 no-rc5 no-md2 no-mdc2 no-idea shared --prefix=/home/lanyx/src_lib/sshd/out/openssl --cross-compile-prefix=arm-unknown-linux-gnu- make make install
执行Configure的时候可能会报错:
hreads_pthread.c crypto/threads_pthread.c: In function `CRYPTO_THREAD_lock_new': crypto/threads_pthread.c:48: warning: implicit declaration of function `pthread_mutexattr_settype' crypto/threads_pthread.c:48: error: `PTHREAD_MUTEX_RECURSIVE' undeclared (first use in this function) crypto/threads_pthread.c:48: error: (Each undeclared identifier is reported only once crypto/threads_pthread.c:48: error: for each function it appears in.) make[1]: *** [Makefile:5103: crypto/threads_pthread.o] Error 1 make[1]: Leaving directory '/home/lanyx/src_lib/sshd/source/openssl-1.1.1w' 处理:打开 crypto/threads_pthread.c 文件,添加以下定义 #ifndef PTHREAD_MUTEX_RECURSIVE #define PTHREAD_MUTEX_RECURSIVE PTHREAD_MUTEX_RECURSIVE_NP #endif
4、编译openssh
tar -zxvf openssh-9.5p1.tar.gz -C ../source/ cd ../source/openssh-9.5p ./configure --host=arm-linux --prefix=/home/lanyx/src_lib/sshd/out/openssh --with-zlib=/home/lanyx/src_lib/sshd/out/zlib --with-ssl-dir=/home/lanyx/src_lib/sshd/out/openssl --disable-etc-default-login CC=arm-unknown-linux-gnu-gcc AR=arm-unknown-linux-gnu-ar make make install
5、其他旧版本
上述版本在在IG2000V3设备上可以运行,但是存在sshd无法启动sftp-server服务,导致ftp无法使用,因此又尝试了低版本。
//openssh7.6 && openssl1.0.2n wget https://zlib.net/fossils/zlib-1.2.11.tar.gz wget https://www.openssl.org/source/old/1.0.2/openssl-1.0.2n.tar.gz wget https://mirrors.aliyun.com/pub/OpenBSD/OpenSSH/portable/openssh-7.6p1.tar.gz #zlib ./configure --prefix=/home/lanyx/src_lib/sshd-7.6/out/zlib vim Makefile #修改编译链,一共有五处需要修改 make make install #openssl ./Configure linux-generic32 no-asm no-threads no-zlib no-sse2 no-bf no-cast no-rc2 no-rc4 no-rc5 no-md2 no-mdc2 no-idea shared --prefix=/home/lanyx/src_lib/sshd-7.6/out/openssl --cross-compile-prefix=arm-unknown-linux-gnu- make make install #openssh #9g25 ./configure --host=arm-linux --disable-strip --sysconfdir=/etc/ssh --prefix=/usr --with-zlib=/home/lanyx/src_lib/sshd-7.6/out/zlib --with-ssl-dir=/home/lanyx/src_lib/sshd-7.6/out/openssl CC=arm-unknown-linux-gnu-gcc AR=arm-unknown-linux-gnu-ar #9x60 ./configure --host=arm-linux --disable-strip --sysconfdir=/etc/ssh --prefix=/usr --with-zlib=/home/lanyx/src_lib/sshd-7.6/out/zlib --with-ssl-dir=/home/lanyx/src_lib/sshd-7.6/out/openssl CC=arm-linux-gcc AR=arm-linux-ar --sysconfdir :代表ssdh_config配置文件的默认路径,我将此文件放在/etc/ssh/sshd_config,因此这里我写/etc/ssh --prefix :代表相关的bin文件的前缀,这里我写的/usr,因为我的sftp-server放在/usr/libexec目录
上述版本测试后还是发现sshd无法正常启动sftp-server,但是在IG2100上可以启动,目前原因未知,
将sshd_config中的sftp修改为sshd内部的sftp,测试可以正常。
#Subsystem sftp /usr/libexec/sftp-server Subsystem sftp internal-sftp`
小贴士:如果采用/usr/sbin/sshd -d这种方式启动,在IG2000V3上也是无法启动sftp的,一定要/usr/sbin/sshd&或者在启动文件中启动
6、部署测试
准备编译好的文件
-rw-r--r-- 1 lanyx lanyx 553185 6月 4 08:04 moduli drwxrwxr-x 6 lanyx lanyx 4096 6月 3 18:41 openssl -rwxrwxr-x 1 lanyx lanyx 212549 6月 4 08:03 scp -rwxrwxr-x 1 lanyx lanyx 292247 6月 4 08:07 sftp -rwxrwxr-x 1 lanyx lanyx 234073 6月 4 08:03 sftp-server -rwxrwxr-x 1 lanyx lanyx 1447435 6月 4 08:03 ssh -rwxrwxr-x 1 lanyx lanyx 706755 6月 4 08:04 ssh-add -rwxrwxr-x 1 lanyx lanyx 754599 6月 4 08:04 ssh-agent -rw-r--r-- 1 lanyx lanyx 1495 6月 4 08:04 ssh_config -rwxrwxr-x 1 lanyx lanyx 1616635 6月 4 08:05 sshd -rw-r--r-- 1 lanyx lanyx 3120 6月 4 16:29 sshd_config -rwxrwxr-x 1 lanyx lanyx 863203 6月 4 08:03 ssh-keygen -rwxrwxr-x 1 lanyx lanyx 916052 6月 4 08:03 ssh-keyscan -rwxrwxr-x 1 lanyx lanyx 877530 6月 4 08:05 ssh-keysign drwxrwxr-x 5 lanyx lanyx 4096 6月 3 18:35 zlib
确保设备有以下目录,如果没有则新建:
/usr//bin /usr/libexec /etc/ssh
将 openssh 目录下文件拷贝到开发板系统中,具体为:
客户端文件
scp、sftp、ssh 、ssh-add、ssh-agent、ssh-keygen、ssh-keyscan 共7个文件拷贝到开发板 /usr/bin
sshd配置文件
moduli、ssh_config、sshd_config 共3个文件拷贝到开发板 /etc/ssh
sftp-server文件
sftp-server、ssh-keysign 共2个文件拷贝到开发板 /usr/libexec
sshd 拷贝到 /usr/sbin
chmod 777 /usr/sbin/sshd
libz.so.1.2.11 拷贝到开发板 /lib (必须放在/lib下,不然scp会找不到这个库)
然后建立软链接:
ln -s libz.so.1.2.11 libz.so.1
将out/openssl/lib/libcrypto.so.1.0.0 也要复制到/lib
生成key文件:
ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N "" ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N "" ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -N ""
将生成的 ssh_host_rsa_key 、 ssh_host_dsa_key 和 ssh_host_ecdsa_key 拷贝到 /etc/ssh
chmod 600 ssh_host_*
#如果开发板需要 ssh_host_key 的话,执行:
#ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N ""
如果出现 privilege separation user sshd 问题:
在 /etc/passwd 增加以下:
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
测试:
/usr/sbin/sshd -d
7、多用户配置
useradd ftptest -m -s /bin/sh -d /TELECOM #/TELECOM是用户目录 echo "ftptest:ftptest" | chpasswd #修改密码 chmod 755 /TELECOM -R #修改权限,这里设置为755,只能下载不能上传,如果想要上传修改为766就可以
8、sshd_config示例
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $ # This is the sshd server system-wide configuration file. See # sshd_config(5) for more information. # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where # possible, but leave them commented. Uncommented options override the # default value. #Port 22 #AddressFamily any #ListenAddress 0.0.0.0 #ListenAddress :: #HostKey /etc/ssh/ssh_host_rsa_key #HostKey /etc/ssh/ssh_host_ecdsa_key #HostKey /etc/ssh/ssh_host_ed25519_key # Ciphers and keying #RekeyLimit default none kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256 # Logging #SyslogFacility AUTH #LogLevel INFO #LoginGraceTime 2m #PermitRootLogin prohibit-password PermitRootLogin yes #StrictModes yes #MaxAuthTries 6 #MaxSessions 10 PubkeyAuthentication yes # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 # but this is overridden so installations will only check .ssh/authorized_keys AuthorizedKeysFile .ssh/authorized_keys #AuthorizedPrincipalsFile none #AuthorizedKeysCommand none #AuthorizedKeysCommandUser nobody # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts #HostbasedAuthentication no # Change to yes if you don't trust ~/.ssh/known_hosts for # HostbasedAuthentication #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files #IgnoreRhosts yes # To disable tunneled clear text passwords, change to no here! #PasswordAuthentication yes #PermitEmptyPasswords no # Change to no to disable s/key passwords #ChallengeResponseAuthentication yes # Kerberos options #KerberosAuthentication no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes #KerberosGetAFSToken no # GSSAPI options #GSSAPIAuthentication no #GSSAPICleanupCredentials yes # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication and # PasswordAuthentication. Depending on your PAM configuration, # PAM authentication via ChallengeResponseAuthentication may bypass # the setting of "PermitRootLogin without-password". # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. #UsePAM no #AllowAgentForwarding yes #AllowTcpForwarding yes #GatewayPorts no #X11Forwarding no #X11DisplayOffset 10 #X11UseLocalhost yes #PermitTTY yes #PrintMotd yes #PrintLastLog yes #TCPKeepAlive yes #PermitUserEnvironment no #Compression delayed #ClientAliveInterval 0 #ClientAliveCountMax 3 UseDNS no #PidFile /var/run/sshd.pid #MaxStartups 10:30:100 #PermitTunnel no #ChrootDirectory none #VersionAddendum none # no default banner path #Banner none # override default of no subsystems #Subsystem sftp /usr/libexec/sftp-server Subsystem sftp internal-sftp # Example of overriding settings on a per-user basis
免责声明:我们致力于保护作者版权,注重分享,被刊用文章因无法核实真实出处,未能及时与作者取得联系,或有版权异议的,请联系管理员,我们会立即处理! 部分文章是来自自研大数据AI进行生成,内容摘自(百度百科,百度知道,头条百科,中国民法典,刑法,牛津词典,新华词典,汉语词典,国家院校,科普平台)等数据,内容仅供学习参考,不准确地方联系删除处理! 图片声明:本站部分配图来自人工智能系统AI生成,觅知网授权图片,PxHere摄影无版权图库和百度,360,搜狗等多加搜索引擎自动关键词搜索配图,如有侵权的图片,请第一时间联系我们,邮箱:ciyunidc@ciyunshuju.com。本站只作为美观性配图使用,无任何非法侵犯第三方意图,一切解释权归图片著作权方,本站不承担任何责任。如有恶意碰瓷者,必当奉陪到底严惩不贷!
