在ARM平台上编译移植openssh

9 篇文章 0 订阅

1. 下载源代码

    移植openssh需要三个包:openssh、openssl 和 zlib

  •     zlib官方下载:http://www.zlib.net/
  •     openssl官方下载:http://www.openssl.org/source  ( OpenSSL >= 1.0.1 < 1.1.0)或     LibreSSL http://www.libressl.org/
  •     openssh官网下载:http://www.openssh.com/portable.html

由于OpenSSL 最新版本不支持,再加上曝光出的一些漏洞,所以决定用LibreSSL ,

所以下面都是用libressl的库的。

2. 编译

2.1 环境变量配置

#!/bin/sh

 

TOOLCHAIN_PATH=/home/semilog/semilog/gcc-linaro-5.3-2016.02-x86_64_arm-linux-gnueabihf

export CROSS_COMPILE=$TOOLCHAIN_PATH/bin/arm-linux-gnueabihf-

export PATH=$TOOLCHAIN_PATH/bin:$PATH

export HOSTCC=gcc

存为 env_setup.sh, 然后 source env_setup.sh

2.2. 编译zlib

当前下载版本:zlib-1.2.11

https://jaist.dl.sourceforge.net/project/libpng/zlib/1.2.11/zlib-1.2.11.tar.gz

CC=arm-linux-gnueabihf-gcc CFLAGS="-O4"  ./configure --static --prefix=/home/semilog/out/lib/zlib

 

make  &&  make install 

2.3. 编译libressl

当前下载版本:libressl-2.7.3

https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.7.3.tar.gz

./configure --prefix=/home/semilog/out/lib/libressl  --with-pic --host=arm CC="arm-linux-gnueabihf-gcc -march=armv7-a" LIBS="-lpthread" HOST_OS=linux

 

make &&  make install  

2.4如果要支持PAM

由于还要支持pam, 所以下载了openpam
openpam-20170430.tar.gz
https://www.openpam.org/downloads/35

./configure --prefix=/home/semilog/out/lib/openpam  --with-pic --host=arm CC="arm-linux-gnueabihf-gcc -march=armv7-a" LIBS="-lpthread" HOST_OS=linux --with-gnu-ld

 

make &&  make install  

2.5. 编译 openssh

当前下载版本:openssh-7.7p1

https://cloudflare.cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.7p1.tar.gz

./configure --host=arm --with-libs --with-zlib=/home/semilog/out/lib/zlib --with-ssl-dir=/home/semilog/out/lib/libressl --disable-etc-default-login --with-md5-passwords CC="arm-linux-gnueabihf-gcc -march=armv7-a" HOST_OS=linux --with-ssl-engine --with-openssl LIBS="-lpthread"

 

make

注:--with-ssl-dir 用来指定 openssl 的库和头文件路径

编译完不需要用命令安装。

3. 安装

确保目标板上有以下目录,若没有,则新建:

/usr/bin/

/usr/sbin/

/etc/ssh

/usr/libexec/

/var/run/

/var/empty

将PC机 /home/semilog/openssh_install/ 目录下文件拷贝到目标板系统中,具体为:

·        scp、sftp、ssh、ssh-add、ssh-agent、ssh-keygen、ssh-keyscan共8个文件拷贝到目标板/usr/bin

·       sshd 放在/usr/sbin  下面

·        moduli、ssh_config、sshd_config共3个文件拷贝到目标板 /etc/ssh

·        sftp-server、ssh-keysign 共2个文件拷贝到目标板 /usr/libexec

下面这个脚本先把所需的文件提取出来,放在out_bin下:(脚本写的粗糙,见谅)

#!/bin/sh

if test -e out_bin; then
    rm -rf out_bin
fi

mkdir -p out_bin/etc/ssh
mkdir -p out_bin/usr/libexec
mkdir -p out_bin/usr/bin
mkdir -p out_bin/usr/sbin

cp openssh*/scp                out_bin/usr/bin/
cp openssh*/sftp            out_bin/usr/bin/
cp openssh*/ssh                out_bin/usr/bin/
cp openssh*/ssh-add            out_bin/usr/bin/
cp openssh*/ssh-agent        out_bin/usr/bin/
cp openssh*/ssh-keygen        out_bin/usr/bin/
cp openssh*/ssh-keyscan        out_bin/usr/bin/
cp openssh*/sshd            out_bin/usr/sbin/

cp openssh*/moduli            out_bin/etc/ssh/
cp openssh*/ssh_config        out_bin/etc/ssh/
cp openssh*/sshd_config        out_bin/etc/ssh/

cp openssh*/sftp-server        out_bin/usr/libexec/
cp openssh*/ssh-keysign        out_bin/usr/libexec/

chmod +x     out_bin/usr/sbin/*
chmod +x     out_bin/usr/bin/*
chmod +x    out_bin/usr/libexec/*

编写启动脚本:

/etc/init.d/sshd

#! /bin/sh
set -e

PIDFILE=/var/run/sshd.pid

# source function library
. /etc/init.d/functions

# /etc/init.d/ssh: start and stop the OpenBSD "secure shell" daemon

test -x /usr/sbin/sshd || exit 0
( /usr/sbin/sshd -\? 2>&1 | grep -q OpenSSH ) 2>/dev/null || exit 0

# /etc/default/ssh may set SYSCONFDIR and SSHD_OPTS
if test -f /etc/default/ssh; then
    . /etc/default/ssh
fi

[ -z "$SYSCONFDIR" ] && SYSCONFDIR=/etc/ssh
mkdir -p $SYSCONFDIR

HOST_KEY_RSA=$SYSCONFDIR/ssh_host_rsa_key
HOST_KEY_DSA=$SYSCONFDIR/ssh_host_dsa_key
HOST_KEY_ECDSA=$SYSCONFDIR/ssh_host_ecdsa_key
HOST_KEY_ED25519=$SYSCONFDIR/ssh_host_ed25519_key

check_for_no_start() {
    # forget it if we're trying to start, and /etc/ssh/sshd_not_to_be_run exists
    if [ -e $SYSCONFDIR/sshd_not_to_be_run ]; then
    echo "OpenBSD Secure Shell server not in use ($SYSCONFDIR/sshd_not_to_be_run)"
    exit 0
    fi
}

check_privsep_dir() {
    # Create the PrivSep empty dir if necessary
    if [ ! -d /var/run/sshd ]; then
    mkdir /var/run/sshd
    chmod 0755 /var/run/sshd
    fi
}

check_config() {
    /usr/sbin/sshd -t $SSHD_OPTS || exit 1
}

check_keys() {
    # create keys if necessary
    if [ ! -f $HOST_KEY_RSA ]; then
        echo "  generating ssh RSA key..."
        ssh-keygen -q -f $HOST_KEY_RSA -N '' -t rsa
    fi
    if [ ! -f $HOST_KEY_ECDSA ]; then
        echo "  generating ssh ECDSA key..."
        ssh-keygen -q -f $HOST_KEY_ECDSA -N '' -t ecdsa
    fi
    if [ ! -f $HOST_KEY_DSA ]; then
        echo "  generating ssh DSA key..."
        ssh-keygen -q -f $HOST_KEY_DSA -N '' -t dsa
    fi
    if [ ! -f $HOST_KEY_ED25519 ]; then
        echo "  generating ssh ED25519 key..."
        ssh-keygen -q -f $HOST_KEY_ED25519 -N '' -t ed25519
    fi
}

export PATH="${PATH:+$PATH:}/usr/sbin:/sbin"

case "$1" in
  start)
    check_for_no_start
    echo "Starting OpenBSD Secure Shell server: sshd"
    check_keys
    check_privsep_dir
    start-stop-daemon -S -p $PIDFILE -x /usr/sbin/sshd -- $SSHD_OPTS
        echo "done."
    ;;
  stop)
        echo -n "Stopping OpenBSD Secure Shell server: sshd"
    start-stop-daemon -K -p $PIDFILE -x /usr/sbin/sshd
        echo "."
    ;;

  reload|force-reload)
    check_for_no_start
    check_keys
    check_config
        echo -n "Reloading OpenBSD Secure Shell server's configuration"
    start-stop-daemon -K -p $PIDFILE -s 1 -x /usr/sbin/sshd
    echo "."
    ;;

  restart)
      check_keys
    check_config
        echo -n "Restarting OpenBSD Secure Shell server: sshd"
    start-stop-daemon -K -p $PIDFILE --oknodo -x /usr/sbin/sshd
    check_for_no_start
    check_privsep_dir
    sleep 2
    start-stop-daemon -S -p $PIDFILE -x /usr/sbin/sshd -- $SSHD_OPTS
    echo "."
    ;;

  status)
    status /usr/sbin/sshd
    exit $?
  ;;

  *)
    echo "Usage: /etc/init.d/ssh {start|stop|status|reload|force-reload|restart}"
    exit 1
esac

exit 0

然后,使用install 脚本先安装到目标板中:

#!/bin/sh

OPENSSH_PATH=$(pwd)
SBIN_PATH=$OPENSSH_PATH/usr/sbin/
BIN_PATH=$OPENSSH_PATH/usr/bin/
LIBEXEC_PATH=$OPENSSH_PATH/usr/libexec/
ETC_PATH=$OPENSSH_PATH/etc/ssh/

if [ ! -d /etc/ssh ]; then
    mkdir -p /etc/ssh
fi

cp -f $SBIN_PATH/sshd /usr/sbin/

cp -f $BIN_PATH/ssh /usr/bin/
cp -f $BIN_PATH/ssh-keygen /usr/bin/
cp -f $BIN_PATH/ssh-keyscan /usr/bin/
cp -f $BIN_PATH/ssh-agent /usr/bin/
cp -f $BIN_PATH/ssh-add /usr/bin/
cp -f $BIN_PATH/scp /usr/bin/
cp -f $BIN_PATH/sftp /usr/bin/

cp -f $ETC_PATH/moduli /etc/ssh/
cp -f $ETC_PATH/ssh_config /etc/ssh/
cp -f $ETC_PATH/sshd_config /etc/ssh/

cp -f $LIBEXEC_PATH/sftp-server /usr/libexec/
cp -f $LIBEXEC_PATH/ssh-keysign /usr/libexec/

cp -f $OPENSSH_PATH/init.d/sshd /etc/init.d/

然后通过:

/etc/init.d/sshd start 启动

ssh_config

#    $OpenBSD: ssh_config,v 1.33 2017/05/07 23:12:57 djm Exp $

# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for some commonly used options.  For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

 Host *
   ForwardAgent yes
   ForwardX11 yes
   HashKnownHosts yes
   PasswordAuthentication yes
#   HostbasedAuthentication no
   GSSAPIAuthentication yes
   GSSAPIDelegateCredentials no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   IdentityFile ~/.ssh/id_ecdsa
#   IdentityFile ~/.ssh/id_ed25519
#   Port 22
#   Protocol 2
#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc
#   MACs hmac-md5,hmac-sha1,umac-64@openssh.com
#   EscapeChar ~
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
#   VisualHostKey no
#   ProxyCommand ssh -q -W %h:%p gateway.example.com
#   RekeyLimit 1G 1h

在这之前还要配置 sshd_config文件和 /etc/passwd

sshd_config如下:

#    $OpenBSD: sshd_config,v 1.102 2018/02/16 02:32:40 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 1h
ServerKeyBits 1024

# Ciphers and keying
#RekeyLimit default none

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:

LoginGraceTime 2m
PermitRootLogin yes
StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile    .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
HostbasedAuthentication no
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords yes

# Change to no to disable s/key passwords
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM no

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation sandbox # Default for new installations.
#PermitUserEnvironment no
Compression no
ClientAliveInterval 15
ClientAliveCountMax 4
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem    sftp    /usr/libexec/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#    X11Forwarding no
#    AllowTcpForwarding no
#    PermitTTY no
#    ForceCommand cvs server
 

/etc/passwd中加入如下:

sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin

然后基本上就可以了。关于建立ssh key的过程 /etc/init.d/sshd start的时候会去做

评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值