Updating Fedora 22's sshd by building the OpenSSH project
Published: 2021-06-30 22:17:52  Views: 2  Category: Technical articles


Preface

I want to add something to sshd, so first I have to build a new sshd and install it over the one on a test system.

The experiment now works.

Goal

Build an sshd from source myself and replace the test system's sshd with it.

Once it works on the test system, repeat it on the real system.

Test environment

Fedora, 64-bit PC (x86_64) edition

sshd on the real system

sshd version on the Fedora PowerPC edition

[root@jhnmsserver ~]# sshd --version
unknown option -- -
OpenSSH_7.2p2, OpenSSL 1.0.2h-fips 3 May 2016
usage: sshd [-46DdeiqTt] [-b bits] [-C connection_spec] [-c host_cert_file]
[-E log_file] [-f config_file] [-g login_grace_time]
[-h host_key_file] [-k key_gen_time] [-o option] [-p port]
[-u len]

The version installed on the 64-bit Fedora PC test machine is also OpenSSH_7.2p2, OpenSSL 1.0.2h-fips 3 May 2016, so once the experiment succeeds there, the same procedure can be tried on the real system with confidence.

Materials

Download location:

List of materials used:
openssl-fips-2.0.13.tar.gz
openssl-1.0.2h.tar.gz
zlib-1.2.11.tar.gz
openssh-7.2p2.tar.gz

Install PAM

dnf install pam-devel

Build zlib

cd /home/dev/

tar -xzvf ./zlib-1.2.11.tar.gz
cd zlib-1.2.11/
./configure --prefix=/usr
make
make test
make install

Build the OpenSSL FIPS 2.0 module

cd /home/dev

tar -xzvf ./openssl-fips-2.0.13.tar.gz
cd openssl-fips-2.0.13/

// the -fPIC option is required

./config -fPIC

make clean

make
make install

// install location

// /usr/local/ssl/fips-2.0/lib/

Build OpenSSL 1.0.2h-fips

cd /home/dev

tar -xzvf ./openssl-1.0.2h.tar.gz
cd ./openssl-1.0.2h/

./config --prefix=/usr fips shared

make depend
make

make test

// install location

OPENSSLDIR: "/usr/ssl"
/usr/lib64/ // location of the shared libraries
[root@localhost openssl-1.0.2h]# ls /usr/lib64/ssl.*
/usr/lib64/libevent_openssl-2.0.so.5 /usr/lib64/libopenhpi_ssl.so.3 /usr/lib64/libssl3.so /usr/lib64/libssl.so /usr/lib64/libssl.so.1.0.0
/usr/lib64/libevent_openssl-2.0.so.5.1.9 /usr/lib64/libopenhpi_ssl.so.3.4.0 /usr/lib64/libssl.a /usr/lib64/libssl.so.10 /usr/lib64/libssl.so.1.0.1k

make install

[root@localhost openssl-1.0.2h]# whereis openssl

openssl: /usr/bin/openssl /usr/lib64/openssl /usr/include/openssl /usr/share/man/man1/openssl.1ssl.gz

// confirm that the new openssl has replaced the old one

[root@localhost openssl-1.0.2h]# openssl version
OpenSSL 1.0.2h-fips 3 May 2016

// if the shared libraries are not under /usr/lib64, add their location to the loader's search path by hand

echo "/usr/ssl/lib" >> /etc/ld.so.conf
ldconfig

Build OpenSSH_7.2p2

cd /home/dev/

tar -xzvf ./openssh-7.2p2.tar.gz
cd openssh-7.2p2/
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-ssl-dir=/usr/ssl/ --with-pam --with-tcp-wrappers

OpenSSH configure summary

OpenSSH has been configured with the following options:
                     User binaries: /usr/bin
                   System binaries: /usr/sbin
               Configuration files: /etc/ssh
                   Askpass program: /usr/libexec/ssh-askpass
                      Manual pages: /usr/share/man/manX
                          PID file: /var/run
  Privilege separation chroot path: /var/empty
            sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin
                    Manpage format: doc
                       PAM support: yes
                   OSF SIA support: no
                 KerberosV support: no
                   SELinux support: no
                 Smartcard support:
                     S/KEY support: no
              MD5 password support: no
                   libedit support: no
  Solaris process contract support: no
           Solaris project support: no
         Solaris privilege support: no
       IP address in $DISPLAY hack: no
           Translate v4 in v6 hack: yes
                  BSD Auth support: no
              Random number source: OpenSSL internal ONLY
             Privsep sandbox style: seccomp_filter

              Host: x86_64-unknown-linux-gnu
          Compiler: gcc
    Compiler flags: -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE
Preprocessor flags: -I/usr/ssl/
      Linker flags: -L/usr/ssl/  -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -pie
         Libraries: -lcrypto -ldl -lutil -lz  -lcrypt -lresolv
         +for sshd:  -lpam

PAM is enabled. You may need to install a PAM control file for sshd,
otherwise password authentication may fail. Example PAM control files
can be found in the contrib/ subdirectory

make

make install

// Because /etc/ssh already holds the old sshd's server configuration, make install does not overwrite it. If errors appear (the old version was OpenSSH 6.8, the new one is OpenSSH 7.2p2), some options may not be supported by the new build; fix them by hand.
// Re-run make install until no errors are reported.

/etc/ssh/sshd_config line 93: Unsupported option GSSAPIAuthentication

/etc/ssh/sshd_config line 94: Unsupported option GSSAPICleanupCredentials
// Following the error messages, comment out lines 93 and 94. (The configure summary above shows "KerberosV support: no", so this build does not recognise the GSSAPI options.)

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_rsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
key_load_private: bad permissions
Could not load host key: /etc/ssh/ssh_host_rsa_key

ssh_host_rsa_key is the previous server's host private key; delete it. (Deleting the host keys means the install step generates new ones, so every client that already knows this host will see a host-key-changed warning on its next connection.)

Following the messages, delete all of the rejected keys.

Permissions 0640 for '/etc/ssh/ssh_host_ecdsa_key' are too open.
Permissions 0640 for '/etc/ssh/ssh_host_ed25519_key' are too open.
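The two manual fixes above, commenting out the options that sshd -t rejects and dealing with host keys whose mode is too open, as an added POSIX shell example that is not part of the original post. It assumes GNU sed and stat as found on Fedora, and instead of deleting the old host keys it tightens them to mode 0600, which is what sshd's key_load_private check requires, so the host identity stays unchanged.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes GNU sed/stat (Fedora).
# Usage on a real host (as root):
#   /usr/sbin/sshd -t -f /etc/ssh/sshd_config 2> /tmp/sshd-t.err
#   disable_unsupported_options /etc/ssh/sshd_config /tmp/sshd-t.err
#   fix_hostkey_perms /etc/ssh
# then re-run `sshd -t` until it prints nothing.

# Comment out each sshd_config line that `sshd -t` rejected as
# "Unsupported option" (e.g. "/etc/ssh/sshd_config line 93: Unsupported
# option GSSAPIAuthentication"). Arg 1: config path. Arg 2: file holding
# the captured sshd -t output. Prints the number of lines commented out.
disable_unsupported_options() {
    cfg=$1; errs=$2; n=0
    for ln in $(sed -n 's/^.* line \([0-9][0-9]*\): Unsupported option .*/\1/p' "$errs"); do
        # prefix "# " only when the line is not already a comment
        sed -i "${ln}s/^[^#]/# &/" "$cfg"
        n=$((n + 1))
    done
    echo "$n"
}

# Tighten host private keys whose mode is wider than 0600. sshd refuses
# such keys ("Permissions 0640 for ... are too open"); chmod 600 satisfies
# the check and, unlike deleting the key, keeps the host identity unchanged.
# Arg 1: directory holding ssh_host_*_key. Prints the number of keys fixed.
fix_hostkey_perms() {
    dir=$1; n=0
    for k in "$dir"/ssh_host_*_key; do
        [ -f "$k" ] || continue
        # any group/other permission bit set -> rejected by key_load_private
        if [ "$(stat -c %a "$k" | cut -c 2-)" != "00" ]; then
            chmod 600 "$k"
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Stand-alone demo on constructed files in a temporary directory.
demo=$(mktemp -d)
printf '%s\n' 'Port 22' 'GSSAPIAuthentication yes' 'UsePAM yes' > "$demo/sshd_config"
echo "$demo/sshd_config line 2: Unsupported option GSSAPIAuthentication" > "$demo/errs"
echo "lines commented out: $(disable_unsupported_options "$demo/sshd_config" "$demo/errs")"
touch "$demo/ssh_host_rsa_key"; chmod 640 "$demo/ssh_host_rsa_key"
echo "host keys fixed: $(fix_hostkey_perms "$demo")"
rm -rf "$demo"
```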

Messages from a successful install of the new sshd

/etc/ssh/ssh_config already exists, install will not overwrite
/etc/ssh/sshd_config already exists, install will not overwrite
/etc/ssh/moduli already exists, install will not overwrite
ssh-keygen: generating new host keys: ED25519
/usr/sbin/sshd -t -f /etc/ssh/sshd_config

// restart the sshd service

systemctl stop sshd.service
systemctl start sshd.service
systemctl enable sshd.service

At this point only non-root users can log in.

vi /etc/ssh/sshd_config
49gg
(jump to line 49 and) enable the option that allows root to log in remotely:
PermitRootLogin yes

:wq

// restart the sshd service

systemctl stop sshd.service
systemctl start sshd.service

// root can log in now

// the experiment succeeded

Confirm the version of the new OpenSSH

[root@localhost ~]# sshd --help

unknown option -- -
OpenSSH_7.2p2, OpenSSL 1.0.2h-fips 3 May 2016
usage: sshd [-46DdeiqTt] [-b bits] [-C connection_spec] [-c host_cert_file]
[-E log_file] [-f config_file] [-g login_grace_time]
[-h host_key_file] [-k key_gen_time] [-o option] [-p port]
[-u len]

Perfect, identical to the target system.

Full contents of /etc/ssh/sshd_config

#	$OpenBSD: sshd_config,v 1.94 2015/02/02 01:57:44 deraadt Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
#Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Ciphers and keying
#RekeyLimit default none

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile	.ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
# GSSAPIAuthentication yes
# GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
# problems.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation sandbox		# Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

# override default of no subsystems
Subsystem	sftp	/usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server

Reposted from: https://lostspeed.blog.csdn.net/article/details/80700245
