如何移植openssh到嵌入式平台

编译openssl

配置和设置环境变量

这里使用移远的4G模组开发，直接使用SDK中的交叉编译工具。

export PATH=/home/red/lte/ec25af/ql-ol-sdk/ql-ol-crosstool/sysroots/x86_64-oesdk-linux/usr/bin/arm-oe-linux-gnueabi/:$PATH

export CC="arm-oe-linux-gnueabi-gcc  -march=armv7-a -mfloat-abi=softfp -mfpu=neon"

./Configure no-asm shared --prefix=/home/red/Downloads/openssl linux-generic32

修改Makefile如下地方

删除 CFLAG= 中的-m64

AR= arm-linux-gnueabi-ar $(ARFLAGS) r

RANLIB= arm-linux-gnueabi-ranlib

NM= arm-linux-gnueabi-nm

SHARED_LDFLAGS=
编译：

make  #这里注意，不能使用make -j8这样的命令，会出错

make install

 

openssh编译

测试平台openssh-7.0p1，ubuntu18.04, linux 5.4.0

设置环境变量，这里直接指定交叉编译器

export PATH=/home/red/lte/ec25af/ql-ol-sdk/ql-ol-crosstool/sysroots/x86_64-oesdk-linux/usr/bin/arm-oe-linux-gnueabi/:$PATH

export CC="arm-oe-linux-gnueabi-gcc  -march=armv7-a -mfloat-abi=softfp -mfpu=neon"

配置openssh与编译

./configure --host=arm-oe-linux-gnueabi --with-libs --with-zlib=/home/red/Downloads/zlib --with-ssl-dir=/home/red/Downloads/openssl --disable-etc-default-login

make -j8

注意：如果配置时加了--prefix选项，sshd会取这个默认目录去找sshd_config文件，在运行时需要用-f参数去指定目录。另外需要指定openssl的目录，openssl的版本要和目标板上的版本一致，否则运行时会出错，测试过小版本有差别的时候也可以用，但是大版本有差别不能用。

目标系统配置

确认目标系统有如下的目录，没有则新建。

/usr/local/bin
/usr/local/etc
/usr/libexec
/var/run
/var/empty/sshd

将scp、sftp、ssh 、sshd、ssh-add、ssh-agent、ssh-keygen、ssh-keyscan共8个文件拷贝到目标板/usr/local/bin

将moduli、ssh_config、sshd_config共3个文件拷贝到目标板 /usr/local/etc

将sftp-server、ssh-keysign 共2个文件拷贝到目标板 /usr/libexec

用如下命令生成key文件，注意路径

$ cd /usr/local/etc/
$ ssh-keygen -t rsa -f ssh_host_rsa_key -N ""
$ ssh-keygen -t dsa -f ssh_host_dsa_key -N ""
$ ssh-keygen -t ecdsa -f ssh_host_ecdsa_key -N ""
$ ssh-keygen -t dsa -f ssh_host_ed25519_key -N ""

在/etc/passwd文件中增加如下一行

sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/bin/sh

#注意：这里sshd用户是没有密码的，使用该用户登录前，需要设置密码。前面新建的目录/var/empty/sshd是该用户登录时的工作目录，要注意权限是否正确。

使用版本6.6.1，执行完以上步骤以后，并不能登录到目标机器，即使密码正确也总是报告root@192.168.225.1: Permission denied (password,keyboard-interactive).  最后换了7.0.1后可以正常登录。最终解决问题使用了如下的sshd_config配置文件。

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
#Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /usr/local/etc/ssh_host_rsa_key
HostKey /usr/local/etc/ssh_host_dsa_key
HostKey /usr/local/etc/ssh_host_ecdsa_key
HostKey /usr/local/etc/ssh_host_ed25519_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Ciphers and keying
#RekeyLimit default none

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
MaxAuthTries 60
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile	.ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no

# Change to no to disable s/key passwords
ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation sandbox		# Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

LogLevel VERBOSE
# override default of no subsystems
Subsystem	sftp	/usr/libexec/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server

如何使用公钥免密码登录：

在主机上生成key文件，并将.pub文件（公钥）添加到目标机器～/.ssh/authorize_keys文件中后，主机可以免密码登录到目标机器。添加公钥方式：cat id_rsa.pub >> ～/.ssh/authorize_keys。