1. 下载源代码
移植openssh需要三个包:openssh、openssl 和 zlib
- zlib官方下载:http://www.zlib.net/
- openssl官方下载:http://www.openssl.org/source ( OpenSSL >= 1.0.1 < 1.1.0)或 LibreSSL http://www.libressl.org/
- openssh官网下载:http://www.openssh.com/portable.html
由于OpenSSL 最新版本不支持,再加上曝光出的一些漏洞,所以决定用LibreSSL ,
所以下面都是用libressl的库的。
2. 编译
2.1 环境变量配置
#!/bin/sh
TOOLCHAIN_PATH=/home/semilog/semilog/gcc-linaro-5.3-2016.02-x86_64_arm-linux-gnueabihf export CROSS_COMPILE=$TOOLCHAIN_PATH/bin/arm-linux-gnueabihf- export PATH=$TOOLCHAIN_PATH/bin:$PATH export HOSTCC=gcc |
存为 env_setup.sh, 然后 source env_setup.sh
2.2. 编译zlib
当前下载版本:zlib-1.2.11
https://jaist.dl.sourceforge.net/project/libpng/zlib/1.2.11/zlib-1.2.11.tar.gz
CC=arm-linux-gnueabihf-gcc CFLAGS="-O4" ./configure --static --prefix=/home/semilog/out/lib/zlib
make && make install |
2.3. 编译libressl
当前下载版本:libressl-2.7.3
https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.7.3.tar.gz
./configure --prefix=/home/semilog/out/lib/libressl --with-pic --host=arm CC="arm-linux-gnueabihf-gcc -march=armv7-a" LIBS="-lpthread" HOST_OS=linux
make && make install |
2.4如果要支持PAM
由于还要支持pam, 所以下载了openpam
openpam-20170430.tar.gz
https://www.openpam.org/downloads/35
./configure --prefix=/home/semilog/out/lib/openpam --with-pic --host=arm CC="arm-linux-gnueabihf-gcc -march=armv7-a" LIBS="-lpthread" HOST_OS=linux --with-gnu-ld
make && make install |
2.5. 编译 openssh
当前下载版本:openssh-7.7p1
https://cloudflare.cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.7p1.tar.gz
./configure --host=arm --with-libs --with-zlib=/home/semilog/out/lib/zlib --with-ssl-dir=/home/semilog/out/lib/libressl --disable-etc-default-login --with-md5-passwords CC="arm-linux-gnueabihf-gcc -march=armv7-a" HOST_OS=linux --with-ssl-engine --with-openssl LIBS="-lpthread"
make |
注:--with-ssl-dir 用来指定 openssl 的库和头文件路径
编译完不需要用命令安装。
3. 安装
确保目标板上有以下目录,若没有,则新建:
/usr/bin/
/usr/sbin/
/etc/ssh
/usr/libexec/
/var/run/
/var/empty
将PC机 /home/semilog/openssh_install/ 目录下文件拷贝到目标板系统中,具体为:
· scp、sftp、ssh、ssh-add、ssh-agent、ssh-keygen、ssh-keyscan共8个文件拷贝到目标板/usr/bin
· sshd 放在/usr/sbin 下面
· moduli、ssh_config、sshd_config共3个文件拷贝到目标板 /etc/ssh
· sftp-server、ssh-keysign 共2个文件拷贝到目标板 /usr/libexec
下面这个脚本先把所需的文件提取出来,放在out_bin下:(脚本写的粗糙,见谅)
#!/bin/sh if test -e out_bin; then mkdir -p out_bin/etc/ssh cp openssh*/scp out_bin/usr/bin/ cp openssh*/moduli out_bin/etc/ssh/ cp openssh*/sftp-server out_bin/usr/libexec/ chmod +x out_bin/usr/sbin/* |
编写启动脚本:
/etc/init.d/sshd
#! /bin/sh PIDFILE=/var/run/sshd.pid # source function library # /etc/init.d/ssh: start and stop the OpenBSD "secure shell" daemon test -x /usr/sbin/sshd || exit 0 # /etc/default/ssh may set SYSCONFDIR and SSHD_OPTS [ -z "$SYSCONFDIR" ] && SYSCONFDIR=/etc/ssh HOST_KEY_RSA=$SYSCONFDIR/ssh_host_rsa_key check_for_no_start() { check_privsep_dir() { check_config() { check_keys() { export PATH="${PATH:+$PATH:}/usr/sbin:/sbin" case "$1" in reload|force-reload) restart) status) *) exit 0 |
然后,使用install 脚本先安装到目标板中:
#!/bin/sh OPENSSH_PATH=$(pwd) if [ ! -d /etc/ssh ]; then cp -f $SBIN_PATH/sshd /usr/sbin/ cp -f $BIN_PATH/ssh /usr/bin/ cp -f $ETC_PATH/moduli /etc/ssh/ cp -f $LIBEXEC_PATH/sftp-server /usr/libexec/ cp -f $OPENSSH_PATH/init.d/sshd /etc/init.d/ |
然后通过:
/etc/init.d/sshd start 启动
ssh_config
# $OpenBSD: ssh_config,v 1.33 2017/05/07 23:12:57 djm Exp $ # This is the ssh client system-wide configuration file. See # Configuration data is parsed as follows: # Site-wide defaults for some commonly used options. For a comprehensive Host * |
在这之前还要配置 sshd_config文件和 /etc/passwd
sshd_config如下:
# $OpenBSD: sshd_config,v 1.102 2018/02/16 02:32:40 djm Exp $ # This is the sshd server system-wide configuration file. See # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin # The strategy used for options in the default sshd_config shipped with #Port 22 # The default requires explicit activation of protocol 1 # Lifetime and size of ephemeral version 1 server key # Ciphers and keying # Logging # Authentication: LoginGraceTime 2m PubkeyAuthentication yes # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 #AuthorizedPrincipalsFile none #AuthorizedKeysCommand none # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts # To disable tunneled clear text passwords, change to no here! # Change to no to disable s/key passwords # Kerberos options # GSSAPI options # Set this to 'yes' to enable PAM authentication, account processing, #AllowAgentForwarding yes # no default banner path # override default of no subsystems # Example of overriding settings on a per-user basis |
/etc/passwd中加入如下:
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin |
然后基本上就可以了。关于建立ssh key的过程 /etc/init.d/sshd start的时候会去做