原文:
做这一步之前,首先确定已经
- 你的本机上建立好了arm-linux交叉编译环境 #arm-linux-gcc -v
- 开发板已与路由器相连,并进行了必要的网络配置,可以ping通本机
1. 下载需要的源码,直接google最新的版本吧
mkdir -p ~/arm/fs ;mkdir -p ~/arm/source
下载zlib:zlib-1.2.3.tar.gz
下载ssl: openssl-0.9.8d.tar.gz
下载ssh: openssh-4.6p1.tar.gz
2. 编译:
cd ~/arm/source
(1) 编译zlib:
tar zxvf zlib-1.2.3.tar.gz -C .
cd zlib-1.2.3/
./configure –prefix=/home/itlanger/arm/fs/zlib-1.2.3
修改Makefile:
CC=gcc 改为:
CROSS=/usr/local/arm/3.4.1/bin/arm-linux-
CC=$(CROSS)gcc
LDSHARED=gcc 改为:
LDSHARED=$(CROSS)gcc
CPP=gcc-E 改为
:CPP=$(CROSS)gcc-E
AR=ar rc 改为:
AR=$(CROSS)ar rc
开始编译: make;
make install
(2) 编译openssl:
tar zxvf openssl-0.9.8d.tar.gz
./configure--prefix=/home/itlanger/arm/fs/openssl-0.9.8d
os/compiler:/usr/local/arm/3.4.1/bin/arm-linux-gcc
make
make install
(3)
编译openssh:
tar zxvf openssh-4.6p1.tar.gz
cd openssh-4.6p1/
./configure –host=arm-linux –with-libs –with-zlib=/home/itlanger/arm/fs/zlib-1.2.3
–with-ssl-dir=/home/itlanger/arm/fs/openssl-0.9.8d –disable-etc-default-login
CC=/usr/local/arm/3.4.1/bin/arm-linux-gcc AR=/usr/local/arm/3.4.1/bin/arm-linux-ar
make
##不要make install
3. 安装
(1) 将 openssh-4.6p1目录下的 sshd 拷贝到 目标板的/usr/sbin目录下
(2) 再copy scp sftp ssh ssh-add ssh-agent ssh-keygen ssh-keyscan 到目标板/usr/local/bin目录下
copy sftp-server ssh-keysign 到/usr/local/libexec
(3) 在目标板下:
mkdir -p /usr/local/etc/
然后将openssh下的sshd_config,ssh_config 拷贝到该目录下
mkdir -p /var/run; mkdir -p /var/empty/sshd
chmod 755 /var/empty
(4)在主机上:
ssh-keygen -t rsa1 -f ssh_host_key -N ""
ssh-keygen -t rsa -f ssh_host_rsa_key -N ""
ssh-keygen -t dsa -f ssh_host_dsa_key -N“”
将生存的 ssh_host_* 4个文件copy到目标板的 /usr/local/etc/目录下
(5) 添加用户:
将主机上 /etc/目下的passwd, shadow, group 三个文件copy到目标板的 /etc目录下, 同时记得将passwd的最后 /bin/bash 该为 /bin/sh
//这一步以后,开发板上的用户结构与你本机的结构就是一样的了,所以在cp之前先把你自己的root密码设好
//#passwd设置root密码,然后在把上面3个文件cp到开发板/etc下
其实可以删除不需要的一些用户。
4.测试
目标板启动sshd: # /usr/sbin/sshd
//在开发板上运行这个命令的时候可能会提示
//Privilege separation user sshd does not exist
//需要在开发板的系统里adduser shhd
//或者在 /etc/passwd 中添加下面这一行
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
主机: $ ssh root@192.168.0.34(开发板的ip)//root密码就是你本机上root的密码
我移植成功后出现以下问题:
Could not load host key: /etc/ssh/ssh_host_rsa_key
问题的解决
症状:
用命令/usr/sbin/sshd启动sshd时出现:
系统提示“Could not load host key: /etc/ssh/ssh_host_key
问题所在:
1、系统丢失了ssh_host_dsa_key和ssh_host_rsa_key
2、用户没有权限访问这两个key
解决办法如下:
1、系统丢失了两个key时:
在终端中输入:ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key重新建立ssh_host_dsa_key文件
以下是返回信息
Generating public/private dsa key pair.
Enter passphrase (empty for no passphrase):(直接回车)
Enter same passphrase again:
Your identification has been saved in /etc/ssh/ssh_host_dsa_key.
Your public key has been saved in /etc/ssh/ssh_host_dsa_key.pub.
The key fingerprint is:
xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx root@localhost.localdomain
在终端中输入:ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key重新建立ssh_host_rsa_key文件
以下是返回信息
Generating public/private rkey pair.
Enter passphrase (empty for no passphrase):(直接回车)
Enter same passphrase again:
Your identification has been saved in /etc/ssh/ssh_host_rsa_key.
Your public key has been saved in /etc/ssh/ssh_host_dsa_rey.pub.
root@localhost.localdomain
现在用
/usr/sbin/sshd
即可成功启动sshd
这时候,就可以在windows底下使用putty连接这台linux主机了。
2、当前用户没有权限的时候用命令
/usr/sbin/sshd
启动sshd的时候也会这样,所以这是检查是否是root用户,一般root用户才能执行这个操作
注意: 该地址仅在今日23:59:59之前有效
作为ssh客户端的机器,有多个用户,他们属于同一个主目录,并且都需要进行密钥验证。而私钥id_rsa的权限必须为600,其他用户不能访问。我们就需要用ssh的-i参数解决这问题。
一、系统环境
应用软件:OpenSSH v4.3p2
客户端和服务端同一IP地址:192.168.48.128
服务端用户:hyphen(以该用户模拟服务端)
用户1:test、主目录:/home/test、宿组:test
用户2:user、主目录:/home/test、宿组:test
二、单用户密钥登陆
为了方便说明,这里先做个单用户使用密钥登陆sshd服务器的过程。以test用户为例。
1、客户端
创建密钥:
Generating public/private rsa key pair.
Enter file in which to save the key (/home/test/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/test/.ssh/id_rsa.
Your public key has been saved in /home/test/.ssh/id_rsa.pub.
The key fingerprint is:
15:b0:02:35:b4:0d:d3:fe:9c:e8:56:e1:a6:06:8c:e9 test@asianux3
然后拷贝公钥到服务器上:
The authenticity of host '192.168.48.128 (192.168.48.128)' can't be established.
RSA key fingerprint is 19:05:03:5c:ac:b5:9d:ba:15:5a:46:7e:32:0e:b8:79.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.48.128' (RSA) to the list of known hosts.
hyphen@192.168.48.128's password:
id_rsa.pub
2、服务端
在服务端上创建的authorized_keys默认权限是644,这不能满足安全要求,需要改为600:
-rw-r--r-- 1 hyphen hyphen 395 11-10 13:32 /home/hyphen/.ssh/authorized_keys
[hyphen@asianux3 ~]$ chmod 600 ~/.ssh/authorized_keys
[hyphen@asianux3 ~]$ ll ~/.ssh/authorized_keys
-rw------- 1 hyphen hyphen 395 11-10 13:32 /home/hyphen/.ssh/authorized_keys
3、测试
使用test用户,使用密钥进行登陆:
Last login: Mon Nov 10 12:34:20 2008 from 192.168.48.128
[hyphen@asianux3 ~]$
测试成功。
三、多用户登陆
1、权限问题
user用户的信息如下:
/home/test
[user@asianux3 ~]$ id
uid=514(user) gid=513(test) groups=513(test)
由于私钥权限是600的,user用户无法使用它进行登陆:
-rw------- 1 test test 1675 11-10 12:40 /home/test/.ssh/id_rsa
[user@asianux3 ~]$ ssh hyphen@192.168.48.128
Enter passphrase for key '/home/test/.ssh/id_rsa':
hyphen@192.168.48.128's password:
2、解决
使用test用户把私钥文件拷贝成另一个文件:
[test@asianux3 .ssh]$ cp id_rsa common_id_rsa
[test@asianux3 .ssh]$ chmod 640 common_id_rsa
[test@asianux3 .ssh]$ ll common_id_rsa
-rw-r----- 1 test test 1675 11-10 13:43 common_id_rsa
user用户使用ssh的-i参数指定私钥文件来登陆:
Last login: Mon Nov 10 13:35:29 2008 from 192.168.48.128
[hyphen@asianux3 ~]$
登陆成功。
四、其他问题
1、修改私钥id_rsa的权限
如果您看到id_rsa的私钥是600,然后希望其他用户可以使用该私钥,而改为640权限的话。那其他用户确实可以使用密钥登陆远端服务器的。
[test@asianux3 .ssh]$ ll id_rsa
-rw-r----- 1 test test 1675 11-10 12:40 id_rsa
[ user@asianux3 ~]$ ssh hyphen@192.168.48.128
Last login: Mon Nov 10 13:44:35 2008 from 192.168.48.128
[hyphen@asianux3 ~]$
但原来的test用户就会因权限问题给挡住了:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/home/test/.ssh/id_rsa' are too open.
It is recommended that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /home/test/.ssh/id_rsa
Enter passphrase for key '/home/test/.ssh/id_rsa':
hyphen@192.168.48.128's password:
解决方式还是和上面的一样啦,另外给一个600权限的私钥给test使用:
-rw-r----- 1 test test 1675 11-10 13:43 common_id_rsa
[test@asianux3 .ssh]$ chmod 600 common_id_rsa
[test@asianux3 .ssh]$ ssh -i common_id_rsa hyphen@192.168.48.128
Last login: Mon Nov 10 13:48:06 2008 from 192.168.48.128
[hyphen@asianux3 ~]$
成功了吧。O(∩_∩)O
※ 我觉得,最好还是保留原用户的密钥id_rsa权限,而另外给其他用户私钥清晰点咯。
2、客户端钥匙改变
linux上的ssh客户端,在登陆服务端时,会把自己的公钥写入~/.ssh/known_hosts文件中:
The authenticity of host '192.168.48.128 (192.168.48.128)' can't be established.
RSA key fingerprint is 19:05:03:5c:ac:b5:9d:ba:15:5a:46:7e:32:0e:b8:79.
Are you sure you want to continue connecting (yes/no)? yes
若后来因其他原因(如使用新的私钥等),客户端的公钥被修改了,在登陆服务器时,就会包错:
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
19:05:03:5c:ac:b5:9d:ba:15:5a:46:7e:32:0e:b8:79.
Please contact your system administrator.
Add correct host key in /home/test/.ssh/known_hosts to get rid of this message.
Offending key in /home/test/.ssh/known_hosts:1
RS
注意: 该地址仅在今日23:59:59之前有效
作为ssh客户端的机器,有多个用户,他们属于同一个主目录,并且都需要进行密钥验证。而私钥id_rsa的权限必须为600,其他用户不能访问。我们就需要用ssh的-i参数解决这问题。
一、系统环境
应用软件:OpenSSH v4.3p2
客户端和服务端同一IP地址:192.168.48.128
服务端用户:hyphen(以该用户模拟服务端)
用户1:test、主目录:/home/test、宿组:test
用户2:user、主目录:/home/test、宿组:test
二、单用户密钥登陆
为了方便说明,这里先做个单用户使用密钥登陆sshd服务器的过程。以test用户为例。
1、客户端
创建密钥:
Generating public/private rsa key pair.
Enter file in which to save the key (/home/test/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/test/.ssh/id_rsa.
Your public key has been saved in /home/test/.ssh/id_rsa.pub.
The key fingerprint is:
15:b0:02:35:b4:0d:d3:fe:9c:e8:56:e1:a6:06:8c:e9 test@asianux3
然后拷贝公钥到服务器上:
The authenticity of host '192.168.48.128 (192.168.48.128)' can't be established.
RSA key fingerprint is 19:05:03:5c:ac:b5:9d:ba:15:5a:46:7e:32:0e:b8:79.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.48.128' (RSA) to the list of known hosts.
hyphen@192.168.48.128's password:
id_rsa.pub
2、服务端
在服务端上创建的authorized_keys默认权限是644,这不能满足安全要求,需要改为600:
-rw-r--r-- 1 hyphen hyphen 395 11-10 13:32 /home/hyphen/.ssh/authorized_keys
[hyphen@asianux3 ~]$ chmod 600 ~/.ssh/authorized_keys
[hyphen@asianux3 ~]$ ll ~/.ssh/authorized_keys
-rw------- 1 hyphen hyphen 395 11-10 13:32 /home/hyphen/.ssh/authorized_keys
3、测试
使用test用户,使用密钥进行登陆:
Last login: Mon Nov 10 12:34:20 2008 from 192.168.48.128
[hyphen@asianux3 ~]$
测试成功。
三、多用户登陆
1、权限问题
user用户的信息如下:
/home/test
[user@asianux3 ~]$ id
uid=514(user) gid=513(test) groups=513(test)
由于私钥权限是600的,user用户无法使用它进行登陆:
-rw------- 1 test test 1675 11-10 12:40 /home/test/.ssh/id_rsa
[user@asianux3 ~]$ ssh hyphen@192.168.48.128
Enter passphrase for key '/home/test/.ssh/id_rsa':
hyphen@192.168.48.128's password:
2、解决
使用test用户把私钥文件拷贝成另一个文件:
[test@asianux3 .ssh]$ cp id_rsa common_id_rsa
[test@asianux3 .ssh]$ chmod 640 common_id_rsa
[test@asianux3 .ssh]$ ll common_id_rsa
-rw-r----- 1 test test 1675 11-10 13:43 common_id_rsa
user用户使用ssh的-i参数指定私钥文件来登陆:
Last login: Mon Nov 10 13:35:29 2008 from 192.168.48.128
[hyphen@asianux3 ~]$
登陆成功。
四、其他问题
1、修改私钥id_rsa的权限
如果您看到id_rsa的私钥是600,然后希望其他用户可以使用该私钥,而改为640权限的话。那其他用户确实可以使用密钥登陆远端服务器的。
[test@asianux3 .ssh]$ ll id_rsa
-rw-r----- 1 test test 1675 11-10 12:40 id_rsa
[ user@asianux3 ~]$ ssh hyphen@192.168.48.128
Last login: Mon Nov 10 13:44:35 2008 from 192.168.48.128
[hyphen@asianux3 ~]$
但原来的test用户就会因权限问题给挡住了:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/home/test/.ssh/id_rsa' are too open.
It is recommended that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /home/test/.ssh/id_rsa
Enter passphrase for key '/home/test/.ssh/id_rsa':
hyphen@192.168.48.128's password:
解决方式还是和上面的一样啦,另外给一个600权限的私钥给test使用:
-rw-r----- 1 test test 1675 11-10 13:43 common_id_rsa
[test@asianux3 .ssh]$ chmod 600 common_id_rsa
[test@asianux3 .ssh]$ ssh -i common_id_rsa hyphen@192.168.48.128
Last login: Mon Nov 10 13:48:06 2008 from 192.168.48.128
[hyphen@asianux3 ~]$
成功了吧。O(∩_∩)O
※ 我觉得,最好还是保留原用户的密钥id_rsa权限,而另外给其他用户私钥清晰点咯。
2、客户端钥匙改变
linux上的ssh客户端,在登陆服务端时,会把自己的公钥写入~/.ssh/known_hosts文件中:
The authenticity of host '192.168.48.128 (192.168.48.128)' can't be established.
RSA key fingerprint is 19:05:03:5c:ac:b5:9d:ba:15:5a:46:7e:32:0e:b8:79.
Are you sure you want to continue connecting (yes/no)? yes
若后来因其他原因(如使用新的私钥等),客户端的公钥被修改了,在登陆服务器时,就会包错:
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
19:05:03:5c:ac:b5:9d:ba:15:5a:46:7e:32:0e:b8:79.
Please contact your system administrator.
Add correct host key in /home/test/.ssh/known_hosts to get rid of this message.
Offending key in /home/test/.ssh/known_hosts:1
RS