在ARM平台上编译移植openssh

1. 下载源代码

    移植openssh需要三个包：openssh、openssl 和 zlib

•     zlib官方下载：http://www.zlib.net/
•     openssl官方下载：http://www.openssl.org/source  （ OpenSSL >= 1.0.1 < 1.1.0）或     LibreSSL http://www.libressl.org/
•     openssh官网下载：http://www.openssh.com/portable.html

由于OpenSSL 最新版本不支持，再加上曝光出的一些漏洞，所以决定用LibreSSL ，

所以下面都是用libressl的库的。

2. 编译

2.1 环境变量配置

#!/bin/sh   TOOLCHAIN_PATH=/home/semilog/semilog/gcc-linaro-5.3-2016.02-x86_64_arm-linux-gnueabihf export CROSS_COMPILE=$TOOLCHAIN_PATH/bin/arm-linux-gnueabihf- export PATH=$TOOLCHAIN_PATH/bin:$PATH export HOSTCC=gcc

存为 env_setup.sh， 然后 source env_setup.sh

2.2. 编译zlib

当前下载版本：zlib-1.2.11

https://jaist.dl.sourceforge.net/project/libpng/zlib/1.2.11/zlib-1.2.11.tar.gz

CC=arm-linux-gnueabihf-gcc CFLAGS="-O4"  ./configure --static --prefix=/home/semilog/out/lib/zlib   make  &&  make install

2.3. 编译libressl

当前下载版本：libressl-2.7.3

https://ftp.openbsd.org/pub/OpenBSD/LibreSSL/libressl-2.7.3.tar.gz

./configure --prefix=/home/semilog/out/lib/libressl  --with-pic --host=arm CC="arm-linux-gnueabihf-gcc -march=armv7-a" LIBS="-lpthread" HOST_OS=linux   make &&  make install

2.4如果要支持PAM

由于还要支持pam, 所以下载了openpam
openpam-20170430.tar.gz
https://www.openpam.org/downloads/35

./configure --prefix=/home/semilog/out/lib/openpam  --with-pic --host=arm CC="arm-linux-gnueabihf-gcc -march=armv7-a" LIBS="-lpthread" HOST_OS=linux --with-gnu-ld   make &&  make install

2.5. 编译 openssh

当前下载版本：openssh-7.7p1

https://cloudflare.cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.7p1.tar.gz

./configure --host=arm --with-libs --with-zlib=/home/semilog/out/lib/zlib --with-ssl-dir=/home/semilog/out/lib/libressl --disable-etc-default-login --with-md5-passwords CC="arm-linux-gnueabihf-gcc -march=armv7-a" HOST_OS=linux --with-ssl-engine --with-openssl LIBS="-lpthread"   make

注：--with-ssl-dir 用来指定 openssl 的库和头文件路径

编译完不需要用命令安装。

3. 安装

确保目标板上有以下目录，若没有，则新建：

/usr/bin/

/usr/sbin/

/etc/ssh

/usr/libexec/

/var/run/

/var/empty

将PC机 /home/semilog/openssh_install/ 目录下文件拷贝到目标板系统中，具体为：

·        scp、sftp、ssh、ssh-add、ssh-agent、ssh-keygen、ssh-keyscan共8个文件拷贝到目标板/usr/bin

·       sshd 放在/usr/sbin  下面

·        moduli、ssh_config、sshd_config共3个文件拷贝到目标板 /etc/ssh

·        sftp-server、ssh-keysign 共2个文件拷贝到目标板 /usr/libexec

下面这个脚本先把所需的文件提取出来，放在out_bin下：（脚本写的粗糙，见谅）

#!/bin/sh if test -e out_bin; then     rm -rf out_bin fi mkdir -p out_bin/etc/ssh mkdir -p out_bin/usr/libexec mkdir -p out_bin/usr/bin mkdir -p out_bin/usr/sbin cp openssh*/scp                out_bin/usr/bin/ cp openssh*/sftp            out_bin/usr/bin/ cp openssh*/ssh                out_bin/usr/bin/ cp openssh*/ssh-add            out_bin/usr/bin/ cp openssh*/ssh-agent        out_bin/usr/bin/ cp openssh*/ssh-keygen        out_bin/usr/bin/ cp openssh*/ssh-keyscan        out_bin/usr/bin/ cp openssh*/sshd            out_bin/usr/sbin/ cp openssh*/moduli            out_bin/etc/ssh/ cp openssh*/ssh_config        out_bin/etc/ssh/ cp openssh*/sshd_config        out_bin/etc/ssh/ cp openssh*/sftp-server        out_bin/usr/libexec/ cp openssh*/ssh-keysign        out_bin/usr/libexec/ chmod +x     out_bin/usr/sbin/* chmod +x     out_bin/usr/bin/* chmod +x    out_bin/usr/libexec/*

编写启动脚本：

/etc/init.d/sshd

#! /bin/sh set -e PIDFILE=/var/run/sshd.pid # source function library . /etc/init.d/functions # /etc/init.d/ssh: start and stop the OpenBSD "secure shell" daemon test -x /usr/sbin/sshd || exit 0 ( /usr/sbin/sshd -\? 2>&1 | grep -q OpenSSH ) 2>/dev/null || exit 0 # /etc/default/ssh may set SYSCONFDIR and SSHD_OPTS if test -f /etc/default/ssh; then     . /etc/default/ssh fi [ -z "$SYSCONFDIR" ] && SYSCONFDIR=/etc/ssh mkdir -p $SYSCONFDIR HOST_KEY_RSA=$SYSCONFDIR/ssh_host_rsa_key HOST_KEY_DSA=$SYSCONFDIR/ssh_host_dsa_key HOST_KEY_ECDSA=$SYSCONFDIR/ssh_host_ecdsa_key HOST_KEY_ED25519=$SYSCONFDIR/ssh_host_ed25519_key check_for_no_start() {     # forget it if we're trying to start, and /etc/ssh/sshd_not_to_be_run exists     if [ -e $SYSCONFDIR/sshd_not_to_be_run ]; then     echo "OpenBSD Secure Shell server not in use ($SYSCONFDIR/sshd_not_to_be_run)"     exit 0     fi } check_privsep_dir() {     # Create the PrivSep empty dir if necessary     if [ ! -d /var/run/sshd ]; then     mkdir /var/run/sshd     chmod 0755 /var/run/sshd     fi } check_config() {     /usr/sbin/sshd -t $SSHD_OPTS || exit 1 } check_keys() {     # create keys if necessary     if [ ! -f $HOST_KEY_RSA ]; then         echo "  generating ssh RSA key..."         ssh-keygen -q -f $HOST_KEY_RSA -N '' -t rsa     fi     if [ ! -f $HOST_KEY_ECDSA ]; then         echo "  generating ssh ECDSA key..."         ssh-keygen -q -f $HOST_KEY_ECDSA -N '' -t ecdsa     fi     if [ ! -f $HOST_KEY_DSA ]; then         echo "  generating ssh DSA key..."         ssh-keygen -q -f $HOST_KEY_DSA -N '' -t dsa     fi     if [ ! -f $HOST_KEY_ED25519 ]; then         echo "  generating ssh ED25519 key..."         ssh-keygen -q -f $HOST_KEY_ED25519 -N '' -t ed25519     fi } export PATH="${PATH:+$PATH:}/usr/sbin:/sbin" case "$1" in   start)     check_for_no_start     echo "Starting OpenBSD Secure Shell server: sshd"     check_keys     check_privsep_dir     start-stop-daemon -S -p $PIDFILE -x /usr/sbin/sshd -- $SSHD_OPTS         echo "done."     ;;   stop)         echo -n "Stopping OpenBSD Secure Shell server: sshd"     start-stop-daemon -K -p $PIDFILE -x /usr/sbin/sshd         echo "."     ;;   reload|force-reload)     check_for_no_start     check_keys     check_config         echo -n "Reloading OpenBSD Secure Shell server's configuration"     start-stop-daemon -K -p $PIDFILE -s 1 -x /usr/sbin/sshd     echo "."     ;;   restart)       check_keys     check_config         echo -n "Restarting OpenBSD Secure Shell server: sshd"     start-stop-daemon -K -p $PIDFILE --oknodo -x /usr/sbin/sshd     check_for_no_start     check_privsep_dir     sleep 2     start-stop-daemon -S -p $PIDFILE -x /usr/sbin/sshd -- $SSHD_OPTS     echo "."     ;;   status)     status /usr/sbin/sshd     exit $?   ;;   *)     echo "Usage: /etc/init.d/ssh {start|stop|status|reload|force-reload|restart}"     exit 1 esac exit 0

然后，使用install 脚本先安装到目标板中：

#!/bin/sh OPENSSH_PATH=$(pwd) SBIN_PATH=$OPENSSH_PATH/usr/sbin/ BIN_PATH=$OPENSSH_PATH/usr/bin/ LIBEXEC_PATH=$OPENSSH_PATH/usr/libexec/ ETC_PATH=$OPENSSH_PATH/etc/ssh/ if [ ! -d /etc/ssh ]; then     mkdir -p /etc/ssh fi cp -f $SBIN_PATH/sshd /usr/sbin/ cp -f $BIN_PATH/ssh /usr/bin/ cp -f $BIN_PATH/ssh-keygen /usr/bin/ cp -f $BIN_PATH/ssh-keyscan /usr/bin/ cp -f $BIN_PATH/ssh-agent /usr/bin/ cp -f $BIN_PATH/ssh-add /usr/bin/ cp -f $BIN_PATH/scp /usr/bin/ cp -f $BIN_PATH/sftp /usr/bin/ cp -f $ETC_PATH/moduli /etc/ssh/ cp -f $ETC_PATH/ssh_config /etc/ssh/ cp -f $ETC_PATH/sshd_config /etc/ssh/ cp -f $LIBEXEC_PATH/sftp-server /usr/libexec/ cp -f $LIBEXEC_PATH/ssh-keysign /usr/libexec/ cp -f $OPENSSH_PATH/init.d/sshd /etc/init.d/

然后通过：

/etc/init.d/sshd start 启动

ssh_config

#    $OpenBSD: ssh_config,v 1.33 2017/05/07 23:12:57 djm Exp $ # This is the ssh client system-wide configuration file.  See # ssh_config(5) for more information.  This file provides defaults for # users, and the values can be changed in per-user configuration files # or on the command line. # Configuration data is parsed as follows: #  1. command line options #  2. user-specific file #  3. system-wide file # Any configuration value is only changed the first time it is set. # Thus, host-specific definitions should be at the beginning of the # configuration file, and defaults at the end. # Site-wide defaults for some commonly used options.  For a comprehensive # list of available options, their meanings and defaults, please see the # ssh_config(5) man page.  Host *    ForwardAgent yes    ForwardX11 yes    HashKnownHosts yes    PasswordAuthentication yes #   HostbasedAuthentication no    GSSAPIAuthentication yes    GSSAPIDelegateCredentials no #   BatchMode no #   CheckHostIP yes #   AddressFamily any #   ConnectTimeout 0 #   StrictHostKeyChecking ask #   IdentityFile ~/.ssh/id_rsa #   IdentityFile ~/.ssh/id_dsa #   IdentityFile ~/.ssh/id_ecdsa #   IdentityFile ~/.ssh/id_ed25519 #   Port 22 #   Protocol 2 #   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc #   MACs hmac-md5,hmac-sha1,[email protected] #   EscapeChar ~ #   Tunnel no #   TunnelDevice any:any #   PermitLocalCommand no #   VisualHostKey no #   ProxyCommand ssh -q -W %h:%p gateway.example.com #   RekeyLimit 1G 1h

在这之前还要配置 sshd_config文件和 /etc/passwd

sshd_config如下：

#    $OpenBSD: sshd_config,v 1.102 2018/02/16 02:32:40 djm Exp $ # This is the sshd server system-wide configuration file.  See # sshd_config(5) for more information. # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin # The strategy used for options in the default sshd_config shipped with # OpenSSH is to specify options with their default value where # possible, but leave them commented.  Uncommented options override the # default value. #Port 22 #AddressFamily any #ListenAddress 0.0.0.0 #ListenAddress :: # The default requires explicit activation of protocol 1 Protocol 2 HostKey /etc/ssh/ssh_host_rsa_key HostKey /etc/ssh/ssh_host_dsa_key HostKey /etc/ssh/ssh_host_ecdsa_key HostKey /etc/ssh/ssh_host_ed25519_key #Privilege Separation is turned on for security UsePrivilegeSeparation yes # Lifetime and size of ephemeral version 1 server key KeyRegenerationInterval 1h ServerKeyBits 1024 # Ciphers and keying #RekeyLimit default none # Logging SyslogFacility AUTH LogLevel INFO # Authentication: LoginGraceTime 2m PermitRootLogin yes StrictModes yes #MaxAuthTries 6 #MaxSessions 10 PubkeyAuthentication yes # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2 # but this is overridden so installations will only check .ssh/authorized_keys AuthorizedKeysFile    .ssh/authorized_keys #AuthorizedPrincipalsFile none #AuthorizedKeysCommand none #AuthorizedKeysCommandUser nobody # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts HostbasedAuthentication no # Change to yes if you don't trust ~/.ssh/known_hosts for HostbasedAuthentication no #IgnoreUserKnownHosts no # Don't read the user's ~/.rhosts and ~/.shosts files IgnoreRhosts yes # To disable tunneled clear text passwords, change to no here! PasswordAuthentication yes PermitEmptyPasswords yes # Change to no to disable s/key passwords ChallengeResponseAuthentication no # Kerberos options #KerberosAuthentication no #KerberosOrLocalPasswd yes #KerberosTicketCleanup yes #KerberosGetAFSToken no # GSSAPI options #GSSAPIAuthentication no #GSSAPICleanupCredentials yes # Set this to 'yes' to enable PAM authentication, account processing, # and session processing. If this is enabled, PAM authentication will # be allowed through the ChallengeResponseAuthentication and # PasswordAuthentication.  Depending on your PAM configuration, # PAM authentication via ChallengeResponseAuthentication may bypass # the setting of "PermitRootLogin without-password". # If you just want the PAM account and session checks to run without # PAM authentication, then enable this but set PasswordAuthentication # and ChallengeResponseAuthentication to 'no'. UsePAM no #AllowAgentForwarding yes #AllowTcpForwarding yes #GatewayPorts no #X11Forwarding no #X11DisplayOffset 10 #X11UseLocalhost yes #PermitTTY yes #PrintMotd yes #PrintLastLog yes #TCPKeepAlive yes #UseLogin no UsePrivilegeSeparation sandbox # Default for new installations. #PermitUserEnvironment no Compression no ClientAliveInterval 15 ClientAliveCountMax 4 #UseDNS yes #PidFile /var/run/sshd.pid #MaxStartups 10:30:100 #PermitTunnel no #ChrootDirectory none #VersionAddendum none # no default banner path #Banner none # override default of no subsystems Subsystem    sftp    /usr/libexec/sftp-server # Example of overriding settings on a per-user basis #Match User anoncvs #    X11Forwarding no #    AllowTcpForwarding no #    PermitTTY no #    ForceCommand cvs server

/etc/passwd中加入如下：

sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin

然后基本上就可以了。关于建立ssh key的过程 /etc/init.d/sshd start的时候会去做