I. Download the source code
zlib official download: http://www.zlib.net/
openssl official download: http://www.openssl.org/source (OpenSSL >= 1.0.1 and < 1.1.0) or LibreSSL http://www.libressl.org/
openssh official download: http://www.openssh.com/portable.html
II. Build the source
The source tree layout on the Ubuntu host is as follows:
1. Build zlib
CC=aarch64-linux-gnu-gcc CFLAGS="-O4" ./configure --static --prefix=/home/yasir/myproject/sftp/install/zlib
make && make install
2. Build openssl, from the openssl root directory:
./Configure --prefix=/home/yasir/myproject/sftp/install/ssl os/compiler:aarch64-linux-gnu-gcc
make && make install
3. Build openssh
./configure --host=arm-linux --prefix=/usr/local --with-zlib=/home/yasir/myproject/sftp/install/zlib --with-ssl-dir=/home/yasir/myproject/sftp/install/ssl --disable-etc-default-login --disable-strip CC=aarch64-linux-gnu-gcc AR=aarch64-linux-gnu-ar --without-pie
make   # no make install is needed
The build may fail because libssl-dev is missing.
Run apt-get install libssl-dev to install libssl-dev and try again.
Note: many people say that specifying --prefix=/usr/local has no real effect, but it does. When sshd is run on the board it looks for its host key pair under the path given by --prefix=/usr/local; the path can of course also be configured in sshd_config.
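The three build steps above collected into one script, as an added example that is not the post's own script. It assumes the sources are unpacked under $TOP/zlib, $TOP/openssl and $TOP/openssh, that the toolchain prefix is aarch64-linux-gnu, and it adds one check the post does not have: a small ELF header reader that confirms the built programs really are AArch64 binaries before anything is copied to the board.

```shell
#!/bin/sh
# Added example, not from the original post. Cross-builds zlib, OpenSSL and
# OpenSSH with the flags used above, then verifies the results are AArch64
# ELF files (a wrong CC quietly yields host binaries the board cannot run).
set -eu

CROSS=${CROSS:-aarch64-linux-gnu}        # toolchain prefix (assumed)
TOP=${TOP:-$HOME/myproject/sftp}         # source and install root (assumed layout)
ZLIB_PREFIX=$TOP/install/zlib
SSL_PREFIX=$TOP/install/ssl

# elf_machine FILE: print the ELF e_machine field of FILE as a decimal number.
# The field is the little-endian 16-bit value at byte offset 18 of the header.
elf_machine() {
    od -An -tu1 -j18 -N2 "$1" | awk '{ print $1 + $2 * 256 }'
}

# is_aarch64 FILE: succeed only when FILE is an AArch64 ELF (EM_AARCH64 = 183).
is_aarch64() {
    [ "$(elf_machine "$1")" = 183 ]
}

build_zlib() {
    cd "$TOP/zlib"
    CC=$CROSS-gcc CFLAGS="-O4" ./configure --static --prefix="$ZLIB_PREFIX"
    make && make install
}

build_openssl() {
    cd "$TOP/openssl"
    ./Configure --prefix="$SSL_PREFIX" "os/compiler:$CROSS-gcc"
    make && make install
}

build_openssh() {
    cd "$TOP/openssh"
    ./configure --host=arm-linux --prefix=/usr/local \
        --with-zlib="$ZLIB_PREFIX" --with-ssl-dir="$SSL_PREFIX" \
        --disable-etc-default-login --disable-strip --without-pie \
        CC=$CROSS-gcc AR=$CROSS-ar
    make                                   # no install: files are copied to the board by hand
    for f in sshd ssh scp sftp sftp-server ssh-keygen; do
        is_aarch64 "$f" || { echo "$f is not an AArch64 binary" >&2; exit 1; }
    done
}
# Run the full build only when invoked as: sh build.sh build
if [ "${1:-}" = build ]; then
    build_zlib && build_openssl && build_openssh
fi
```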
III. Porting openssh to the board
1. Create the directories on the board. I boot the board from a network filesystem; use whatever method suits you.
mkdir /usr/local/bin -p
mkdir /usr/local/sbin -p
mkdir /usr/local/etc -p
mkdir /usr/libexec -p
Copy the files produced by the openssh build on the host into these directories. The commands below are only a demonstration; the real commands differ, so adjust them as needed.
cp ./{scp,sftp,ssh,ssh-add,ssh-agent,ssh-keygen,ssh-keyscan} /usr/local/bin
cp ./{moduli,ssh_config,sshd_config} /usr/local/etc
cp ./{sftp-server,ssh-keysign} /usr/libexec
cp ./sshd /usr/local/sbin
Note: make these binary files executable with chmod a+x. The ssh_host_* files are generated later and can be ignored for now.
2. Create links to the executables on the board
cd /bin
ln -s /usr/local/bin/scp
ln -s /usr/local/bin/sftp
ln -s /usr/local/bin/ssh
ln -s /usr/local/bin/ssh-add
ln -s /usr/local/bin/ssh-agent
ln -s /usr/local/bin/ssh-keygen
ln -s /usr/local/bin/ssh-keyscan
cd /sbin
ln -s /usr/local/sbin/sshd
3. Generate the host key pairs
cd /usr/local/etc
ssh-keygen -t rsa -f ssh_host_rsa_key -N ""
ssh-keygen -t dsa -f ssh_host_dsa_key -N ""
ssh-keygen -t ecdsa -f ssh_host_ecdsa_key -N ""
ssh-keygen -t ed25519 -f ssh_host_ed25519_key -N ""
4. Configure /etc/passwd
Add the line: sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
passwd root   # set a password for root so that ssh can log in as root; once passwordless login is set up this password can be removed
5. Configure /usr/local/etc/sshd_config and /usr/local/etc/ssh_config; both files are attached at the end of this post
1) vi /usr/local/etc/ssh_config
Host *   (remove the leading #)
2) vi /usr/local/etc/sshd_config
UsePrivilegeSeparation yes
#PermitRootLogin prohibit-password
PermitRootLogin yes
PasswordAuthentication yes
6. Login test
/sbin/sshd
ssh [email protected]   # enter the password; login should succeed, and scp and sftp work as well
7. Passwordless login, mainly to make the sftp and scp commands convenient to use
vi /usr/local/etc/sshd_config
RSAAuthentication yes
PubkeyAuthentication yes
PermitEmptyPasswords yes   (must be set to yes)
Generate the public and private key on the Ubuntu host:
ssh-keygen -t rsa -P ''   # the client generates its private and public key
cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
scp ~/.ssh/authorized_keys [email protected]:~/.ssh/
8. Client test
killall sshd
/sbin/sshd
ssh [email protected]   # test OK
IV. Problems encountered
1. Privilege separation user sshd does not exist
vi /etc/passwd   # add the sshd user
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
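The key installation from steps 7 and 8, as an added example that is not part of the original post. It is meant to run on the board after the public key has been copied over, and it sets the file modes that the StrictModes yes line in the appended sshd_config makes sshd enforce: a group- or world-writable home, .ssh or authorized_keys makes sshd ignore the key and fall back to asking for a password, which is the symptom of problem 3 below. The board path /root and the copied file /tmp/id_rsa.pub are assumptions; mode reading uses GNU stat.

```shell
#!/bin/sh
# Added example, not from the original post. Installs a public key on the board
# with the modes that StrictModes yes checks before sshd accepts the key.
set -eu

# install_authorized_key HOME_DIR PUBKEY_FILE
# Appends the key line to HOME_DIR/.ssh/authorized_keys (once), with
# HOME_DIR not group/world writable, .ssh 0700 and authorized_keys 0600.
install_authorized_key() {
    home=$1; pub=$2
    mkdir -p "$home/.ssh"
    chmod go-w "$home"
    chmod 700 "$home/.ssh"
    touch "$home/.ssh/authorized_keys"
    # add the key only if this exact line is not already present
    if ! grep -qxF -- "$(cat "$pub")" "$home/.ssh/authorized_keys"; then
        cat "$pub" >> "$home/.ssh/authorized_keys"
    fi
    chmod 600 "$home/.ssh/authorized_keys"
}

# count_keys HOME_DIR: number of lines in authorized_keys
count_keys() {
    wc -l < "$1/.ssh/authorized_keys" | tr -d ' '
}

# strict_modes_ok HOME_DIR: succeed when neither HOME_DIR, .ssh nor
# authorized_keys is group- or world-writable (what StrictModes verifies).
# Prints the offending path and mode otherwise. Uses GNU stat -c.
strict_modes_ok() {
    for p in "$1" "$1/.ssh" "$1/.ssh/authorized_keys"; do
        m=$(stat -c %a "$p") || return 1
        case ${m#${m%??}} in                 # last two octal digits: group, other
            *[2367]*) echo "bad mode $m on $p"; return 1 ;;
        esac
    done
}

# Typical use on the board, after: scp ~/.ssh/id_rsa.pub root@BOARD_IP:/tmp/
if [ "${1:-}" = install ]; then
    install_authorized_key /root /tmp/id_rsa.pub
    strict_modes_ok /root
fi
```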
vi /usr/local/etc/sshd_config
UsePrivilegeSeparation yes   (set UsePrivilegeSeparation to yes)
2. Permission denied (publickey). or Permission denied (publickey,keyboard-interactive).
Make sure root can log in to the board successfully, and that the key is in place:
vi /usr/local/etc/sshd_config
PermitRootLogin yes   (set PermitRootLogin to yes)
PasswordAuthentication yes   (set PasswordAuthentication to yes)
3. After setting up passwordless login, ssh [email protected] still asks for a password
vi /usr/local/etc/sshd_config
PermitRootLogin yes   (set PermitRootLogin to yes)
PermitEmptyPasswords yes   (set PermitEmptyPasswords to yes)
V. Attachments
ssh_config file
# $OpenBSD: ssh_config,v 1.28 2013/09/16 11:35:43 sthen Exp $
# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.
# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
# Site-wide defaults for some commonly used options. For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.
Host *
# ForwardAgent no
# ForwardX11 no
# RhostsRSAAuthentication no
# RSAAuthentication yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# GSSAPIAuthentication no
# GSSAPIDelegateCredentials no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# Port 22
# Protocol 2,1
# Cipher 3des
# Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
# MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
# EscapeChar ~
# Tunnel no
# TunnelDevice any:any
# PermitLocalCommand no
# VisualHostKey no
# ProxyCommand ssh -q -W %h:%p gateway.example.com
# RekeyLimit 1G 1h
sshd_config file
# $OpenBSD: sshd_config,v 1.97 2015/08/06 14:53:21 deraadt Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# The default requires explicit activation of protocol 1
#Protocol 2
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
# Ciphers and keying
#RekeyLimit default none
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin prohibit-password
PermitRootLogin yes
StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
RSAAuthentication yes
PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
#AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords yes
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation yes # Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# override default of no subsystems
Subsystem sftp /usr/libexec/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
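The appended sshd_config, and the fixes in section IV, leave PermitRootLogin yes, PasswordAuthentication yes and PermitEmptyPasswords yes in place. As an added example that is not part of the original post, the script below reads a config the way sshd does (first value for a keyword wins, keywords are case-insensitive, a Match block ends the global section) and lists, for each of those three directives, the current value and the value to set once the key login from section III step 8 is confirmed working. It assumes the "keyword value" form shown above; the board path /usr/local/etc/sshd_config comes from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Reads the global section of an
# sshd_config the way sshd does and lists the directives to tighten once key
# login works. sshd keeps the FIRST value it sees for a keyword, treats
# keywords case-insensitively, ignores '#' lines, and a Match block ends the
# global section; the "keyword value" form (no '=') is assumed.
set -eu

# effective_value FILE KEYWORD: print the effective value, or "-" if unset.
effective_value() {
    awk -v key="$(printf %s "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/      { next }          # comment or blank
        tolower($1) == "match"        { exit }          # global section ends
        tolower($1) == key && !found  { found = 1; print $2 }
        END { if (!found) print "-" }' "$1"
}

# sshd_config_audit FILE: print one line per risky directive as
#   KEYWORD current-value -> recommended-value
# Returns 1 when anything was printed, 0 when the config is already tight.
# Table fields: keyword, sshd default when unset, risky value, recommended value.
sshd_config_audit() {
    f=$1; rc=0
    for row in "PermitRootLogin prohibit-password yes prohibit-password" \
               "PasswordAuthentication yes yes no" \
               "PermitEmptyPasswords no yes no"; do
        set -- $row
        v=$(effective_value "$f" "$1")
        if [ "$v" = - ]; then v=$2; fi
        if [ "$(printf %s "$v" | tr 'A-Z' 'a-z')" = "$3" ]; then
            echo "$1 $v -> $4"; rc=1
        fi
    done
    return $rc
}

# Typical use on the board (reports the three settings the post turns on):
if [ "${1:-}" = audit ]; then
    sshd_config_audit /usr/local/etc/sshd_config
fi
```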