Building the imx8mq root filesystem: porting OpenSSH

I. Download the sources

Official zlib download: http://www.zlib.net/
Official openssl download: http://www.openssl.org/source (OpenSSL >= 1.0.1 < 1.1.0), or LibreSSL: http://www.libressl.org/
Official openssh download: http://www.openssh.com/portable.html

II. Build the sources

The source tree on the Ubuntu host is laid out as follows:

1. Build zlib
CC=aarch64-linux-gnu-gcc CFLAGS="-O4"  ./configure --static --prefix=/home/yasir/myproject/sftp/install/zlib
make  &&  make install 

2. Build openssl, from the openssl root directory:

./Configure --prefix=/home/yasir/myproject/sftp/install/ssl os/compiler:aarch64-linux-gnu-gcc
make && make install

3. Build openssh
./configure --host=arm-linux --prefix=/usr/local --with-zlib=/home/yasir/myproject/sftp/install/zlib --with-ssl-dir=/home/yasir/myproject/sftp/install/ssl --disable-etc-default-login --disable-strip CC=aarch64-linux-gnu-gcc AR=aarch64-linux-gnu-ar --without-pie

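make    # no "make install" needed

The build may fail because libssl-dev is missing.

Run apt-get install libssl-dev to install it.

Note: many people say that specifying --prefix=/usr/local has no practical effect, but it does. When sshd runs on the board, it looks for the key pairs under the path given by --prefix=/usr/local. This path can of course also be configured in the sshd_config file.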

III. Porting openssh

1. Create the directories on the board. I boot from a network file system; use whichever method you prefer.
mkdir /usr/local/bin -p
mkdir /usr/local/sbin -p
mkdir /usr/local/etc -p
mkdir /usr/libexec -p

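Copy the files built from openssh on the host into these directories. This is only an illustration, not the exact commands; adjust as needed.

cp ./{scp,sftp,ssh,ssh-add,ssh-agent,ssh-keygen,ssh-keyscan} /usr/local/bin
cp ./{moduli,ssh_config,sshd_config} /usr/local/etc
cp ./{sftp-server,ssh-keysign} /usr/libexec
cp ./sshd /usr/local/sbin

Note: make the binary files among these executable with chmod a+x. The ssh_host_* files are generated later, so ignore them for now.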

2. Create links to the executables on the board

In the /bin directory:
ln -s /usr/local/bin/scp
ln -s /usr/local/bin/sftp
ln -s /usr/local/bin/ssh
ln -s /usr/local/bin/ssh-add
ln -s /usr/local/bin/ssh-agent
ln -s /usr/local/bin/ssh-keygen
ln -s /usr/local/bin/ssh-keyscan
In the /sbin directory:
ln -s /usr/local/sbin/sshd

3. Generate the key pairs
cd /usr/local/etc
ssh-keygen -t rsa -f ssh_host_rsa_key -N ""
ssh-keygen -t dsa -f ssh_host_dsa_key -N ""
ssh-keygen -t ecdsa -f ssh_host_ecdsa_key -N ""
ssh-keygen -t ed25519 -f ssh_host_ed25519_key -N ""

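4. Configure /etc/passwd
Add this line:
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
passwd root      # set a password for root so that ssh can log in as root; once passwordless login is set up, this password can be deleted

5. Configure /usr/local/etc/sshd_config and /usr/local/etc/ssh_config; both configuration files are attached at the end of this post

1) vi /usr/local/etc/ssh_config
Host *      # remove the leading #
2) vi /usr/local/etc/sshd_config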
UsePrivilegeSeparation yes

#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes

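6. Login test

/sbin/sshd
ssh root@192.168.103.103    # enter the password and the login should succeed; scp and sftp work as well

7. Passwordless login, mainly for convenience when using the sftp and scp commands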
vi /usr/local/etc/sshd_config 
RSAAuthentication yes
PubkeyAuthentication yes
PermitEmptyPasswords yes        # must be set to yes

Generate the public and private keys on the Ubuntu host:

ssh-keygen -t rsa -P ''        # the client generates its private and public keys
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
scp ~/.ssh/authorized_keys root@192.168.103.103:~/.ssh/

8. Client test

killall sshd
/sbin/sshd
ssh root@192.168.103.103  # test OK
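
What steps 5 and 7 leave sshd accepting can be checked before the board is put on a shared network. The shell functions below are an added example, not part of the original post; the names effective_value and audit_sshd_config and the two sample files are made up here. Assumptions: per sshd_config(5), PermitEmptyPasswords applies to password authentication only, and unset keywords take the OpenSSH defaults (PermitRootLogin prohibit-password, PasswordAuthentication yes, PermitEmptyPasswords no, PubkeyAuthentication yes).

```shell
#!/bin/sh
# Added example: report the effective value of the authentication settings this
# guide changes. sshd keeps the FIRST value it reads for a keyword and keywords
# are case-insensitive, so the parser does the same. Match blocks are not parsed.

# effective_value FILE KEYWORD DEFAULT -> first uncommented value, else DEFAULT
effective_value() {
    awk -v key="$2" -v def="$3" '
        /^[ \t]*#/ || NF == 0 { next }          # skip comments and blank lines
        tolower($1) == "match" { exit }         # global section ends here
        tolower($1) == tolower(key) { print tolower($2); found = 1; exit }
        END { if (!found) print def }
    ' "$1"
}

# audit_sshd_config FILE -> one finding per line; returns 1 if any FAIL
audit_sshd_config() {
    cfg=$1; rc=0
    root=$(effective_value "$cfg" PermitRootLogin prohibit-password)
    pass=$(effective_value "$cfg" PasswordAuthentication yes)
    empty=$(effective_value "$cfg" PermitEmptyPasswords no)
    pubkey=$(effective_value "$cfg" PubkeyAuthentication yes)
    if [ "$pass" = yes ] && [ "$empty" = yes ]; then
        echo "FAIL PermitEmptyPasswords=yes: accounts with an empty password can log in"; rc=1
    fi
    if [ "$pass" = yes ] && [ "$root" = yes ]; then
        echo "FAIL PermitRootLogin=yes with PasswordAuthentication=yes: root is open to password guessing"; rc=1
    fi
    if [ "$pubkey" != yes ]; then echo "WARN PubkeyAuthentication=$pubkey: key login is disabled"; fi
    return $rc
}

# Constructed samples: the directives this guide sets, then a key-only variant.
demo_dir=$(mktemp -d)
printf '%s\n' 'PermitRootLogin yes' 'PasswordAuthentication yes' \
    'PermitEmptyPasswords yes' 'PubkeyAuthentication yes' > "$demo_dir/as_written"
printf '%s\n' 'PermitRootLogin prohibit-password' 'PasswordAuthentication no' \
    'PermitEmptyPasswords no' 'PubkeyAuthentication yes' > "$demo_dir/key_only"
for f in as_written key_only; do
    echo "== $f"; audit_sshd_config "$demo_dir/$f" && echo "OK no findings"
done
rm -rf "$demo_dir"
```

On the board, run it as audit_sshd_config /usr/local/etc/sshd_config after key login has been confirmed.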

IV. Problems encountered
1. Privilege separation user sshd does not exist
vi /etc/passwd    # add the sshd user
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
vi /usr/local/etc/sshd_config
UsePrivilegeSeparation yes    # set UsePrivilegeSeparation to yes

2. Permission denied (publickey). or Permission denied (publickey,keyboard-interactive).
Make sure root can log in to the board; a key is also needed.
vi /usr/local/etc/sshd_config
PermitRootLogin yes            # set PermitRootLogin to yes
PasswordAuthentication yes    # set PasswordAuthentication to yes

3. After setting up passwordless login, ssh root@192.168.103.103 still asks for a password

vi /usr/local/etc/sshd_config
PermitRootLogin yes            # set PermitRootLogin to yes
PermitEmptyPasswords yes    # set PermitEmptyPasswords to yes
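
With StrictModes yes, as in the attached sshd_config, sshd checks the modes and ownership of the user's home directory and key files before accepting a key, and a rejected authorized_keys shows up on the client as the password prompt coming back. The shell check below is an added example, not part of the original post; path_is_strict and check_key_perms are names made up here, and the rule applied (owner is the user or root, no group/other write bit) is an approximation of sshd's own check.

```shell
#!/bin/sh
# Added example: approximate the StrictModes test. The home directory, ~/.ssh
# and authorized_keys must each be owned by the user or root and must not be
# writable by group or others.

# path_is_strict PATH UID -> 0 if acceptable; prints the reason and returns 1 otherwise
path_is_strict() {
    [ -e "$1" ] || { echo "MISSING $1"; return 1; }
    if [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "WRITABLE $1 (group/other write bit set)"; return 1
    fi
    if [ -n "$(find "$1" -prune ! -user "$2" ! -user 0)" ]; then
        echo "OWNER $1 (not owned by uid $2 or root)"; return 1
    fi
    return 0
}

# check_key_perms HOME UID -> 0 when HOME, HOME/.ssh and authorized_keys all pass
check_key_perms() {
    rc=0
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        path_is_strict "$p" "$2" || rc=1
    done
    return $rc
}

# Constructed demo: a scratch "home" with loose modes, then tightened.
h=$(mktemp -d); mkdir "$h/.ssh"; : > "$h/.ssh/authorized_keys"
chmod 755 "$h"; chmod 777 "$h/.ssh"; chmod 666 "$h/.ssh/authorized_keys"
check_key_perms "$h" "$(id -u)" || echo "-> sshd would skip this authorized_keys"
chmod 700 "$h/.ssh"; chmod 600 "$h/.ssh/authorized_keys"
check_key_perms "$h" "$(id -u)" && echo "-> modes acceptable"
rm -rf "$h"
```

On the board, call it as check_key_perms /root 0, using root's actual home directory from /etc/passwd.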

V. Attachments

ssh_config file

#	$OpenBSD: ssh_config,v 1.28 2013/09/16 11:35:43 sthen Exp $

# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for some commonly used options.  For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

 Host *
#   ForwardAgent no
#   ForwardX11 no
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   GSSAPIAuthentication no
#   GSSAPIDelegateCredentials no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   Port 22
#   Protocol 2,1
#   Cipher 3des
#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
#   MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
#   EscapeChar ~
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
#   VisualHostKey no
#   ProxyCommand ssh -q -W %h:%p gateway.example.com
#   RekeyLimit 1G 1h

sshd_config file

#	$OpenBSD: sshd_config,v 1.97 2015/08/06 14:53:21 deraadt Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
#Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Ciphers and keying
#RekeyLimit default none

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin prohibit-password
PermitRootLogin yes
StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

RSAAuthentication yes
PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
#AuthorizedKeysFile	.ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation yes	# Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem	sftp	/usr/libexec/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server

Note: if openssh still refuses to work after the port is finished, the cause is most likely the sshd_config configuration. Copy ssh_config and sshd_config to the /usr/local/etc directory.
