Preface

I want to add some things to sshd, so the first step is to build a new sshd and swap it into a test system.

The experiment has now succeeded. Goals of the experiment:

Build an sshd project myself and replace the sshd of the test system with it.
Once this works on the test system, set up the same test environment on the real system.

Test system: Fedora PC, 64-bit.

sshd information on the real system

sshd version of the Fedora PowerPC build:

[root@jhnmsserver ~]# sshd --version
unknown option -- -
OpenSSH_7.2p2, OpenSSL 1.0.2h-fips  3 May 2016
usage: sshd [-46DdeiqTt] [-b bits] [-C connection_spec] [-c host_cert_file]
            [-E log_file] [-f config_file] [-g login_grace_time] [-h host_key_file]
            [-k key_gen_time] [-o option] [-p port] [-u len]

The version swapped in on the 64-bit Fedora PC test system is the same OpenSSH_7.2p2, OpenSSL 1.0.2h-fips 3 May 2016, so once the test succeeds the same procedure can be carried out on the real system with confidence.
Materials

Download location:

Materials used in the experiment:
openssl-fips-2.0.13.tar.gz
openssl-1.0.2h.tar.gz
zlib-1.2.11.tar.gz
openssh-7.2p2.tar.gz

Install PAM

dnf install pam-devel
Build zlib

cd /home/dev/
tar -xzvf ./zlib-1.2.11.tar.gz
cd zlib-1.2.11/
./configure --prefix=/usr
make
make test
make install

Build the OpenSSL FIPS 2.0 module
cd /home/dev
tar -xzvf ./openssl-fips-2.0.13.tar.gz
cd openssl-fips-2.0.13/
// the -fPIC option is mandatory
./config -fPIC
make clean
make
make install
// installed location
// /usr/local/ssl/fips-2.0/lib/

Build OpenSSL 1.0.2h-fips
cd /home/dev
tar -xzvf ./openssl-1.0.2h.tar.gz
cd ./openssl-1.0.2h/
./config --prefix=/usr fips shared
make depend
make
make test

// installed location
OPENSSLDIR: "/usr/ssl"
/usr/lib64/  // location of the shared libraries

[root@localhost openssl-1.0.2h]# ls /usr/lib64/ssl.*
/usr/lib64/libevent_openssl-2.0.so.5
/usr/lib64/libopenhpi_ssl.so.3
/usr/lib64/libssl3.so
/usr/lib64/libssl.so
/usr/lib64/libssl.so.1.0.0
/usr/lib64/libevent_openssl-2.0.so.5.1.9
/usr/lib64/libopenhpi_ssl.so.3.4.0
/usr/lib64/libssl.a
/usr/lib64/libssl.so.10
/usr/lib64/libssl.so.1.0.1k

make install

[root@localhost openssl-1.0.2h]# whereis openssl
openssl: /usr/bin/openssl /usr/lib64/openssl /usr/include/openssl /usr/share/man/man1/openssl.1ssl.gz

// confirm that the new openssl version has been swapped in
[root@localhost openssl-1.0.2h]# openssl version
OpenSSL 1.0.2h-fips  3 May 2016

// if the shared libraries are not under /usr/lib64, update the library path information by hand
echo "/usr/ssl/lib" >> /etc/ld.so.conf
ldconfig

Build OpenSSH_7.2p2
cd /home/dev/
tar -xzvf ./openssh-7.2p2.tar.gz
cd openssh-7.2p2/
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-ssl-dir=/usr/ssl/ --with-pam --with-tcp-wrappers

OpenSSH configure options

OpenSSH has been configured with the following options:
                     User binaries: /usr/bin
                   System binaries: /usr/sbin
               Configuration files: /etc/ssh
                   Askpass program: /usr/libexec/ssh-askpass
                      Manual pages: /usr/share/man/manX
                          PID file: /var/run
  Privilege separation chroot path: /var/empty
            sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin
                    Manpage format: doc
                       PAM support: yes
                   OSF SIA support: no
                 KerberosV support: no
                   SELinux support: no
                 Smartcard support:
                     S/KEY support: no
              MD5 password support: no
                   libedit support: no
  Solaris process contract support: no
           Solaris project support: no
         Solaris privilege support: no
       IP address in $DISPLAY hack: no
           Translate v4 in v6 hack: yes
                  BSD Auth support: no
              Random number source: OpenSSL internal ONLY
             Privsep sandbox style: seccomp_filter

              Host: x86_64-unknown-linux-gnu
          Compiler: gcc
    Compiler flags: -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE
Preprocessor flags: -I/usr/ssl/
      Linker flags: -L/usr/ssl/ -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -pie
         Libraries: -lcrypto -ldl -lutil -lz -lcrypt -lresolv
         +for sshd: -lpam

PAM is enabled. You may need to install a PAM control file
for sshd, otherwise password authentication may fail.
Example PAM control files can be found in the contrib/
subdirectory

make
make install
// Because /etc/ssh still holds the old sshd server configuration, it is not overwritten. If there are errors (the old version was OpenSSH 6.8, the new one is OpenSSH 7.2p2) they are probably incompatible options; fix them by hand.
// Rerun make install until it reports no errors.

/etc/ssh/sshd_config line 93: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 94: Unsupported option GSSAPICleanupCredentials

// Following the error messages, comment out lines 93 and 94.
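The "line N: Unsupported option" messages above are what the manual edit of lines 93 and 94 responds to. The following script is an added example (not code from the original post or from OpenSSH): it reads those messages from the saved stderr of `sshd -t -f CONFIG` and comments the reported lines out in place, keeping a backup. The sshd_config and the sshd -t transcript it runs on are constructed samples in a temp directory, not the system files.

```shell
#!/bin/sh
# Added example, not from the original post: read the "line N: Unsupported
# option" messages that `sshd -t -f CONFIG` prints for an sshd_config written
# for an older build, and comment those lines out in place (keeping a backup).
# The config and the sshd -t transcript below are constructed samples.

# disable_unsupported_options CONFIG LOG
#   CONFIG: sshd_config to edit in place (a CONFIG.bak copy is kept)
#   LOG:    file holding the stderr of `sshd -t -f CONFIG`
# Echoes each line number it commented out. Lines already starting with '#'
# are left alone, so the function is safe to run repeatedly.
disable_unsupported_options() {
    cfg=$1
    log=$2
    cp -p "$cfg" "$cfg.bak"
    # "Unsupported option" = keyword compiled out (e.g. GSSAPI without Kerberos);
    # "Bad configuration option" = keyword this version does not know at all.
    sed -n -e 's/^.* line \([0-9][0-9]*\): Unsupported option .*$/\1/p' \
           -e 's/^.* line \([0-9][0-9]*\): Bad configuration option.*$/\1/p' "$log" |
    sort -un |
    while read -r n; do
        # prefix "# " only if the line is not commented yet
        sed "${n}s/^\([^#]\)/# \1/" "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
        echo "$n"
    done
}

# make_sample DIR: constructed config and constructed sshd -t output (not real
# system files) used for the demonstration; the two GSSAPI lines are 3 and 4
make_sample() {
    cat > "$1/sshd_config" <<'EOF'
HostKey /etc/ssh/ssh_host_rsa_key
PermitRootLogin no
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
UsePAM yes
EOF
    cat > "$1/sshd_t.log" <<'EOF'
/etc/ssh/sshd_config line 3: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 4: Unsupported option GSSAPICleanupCredentials
EOF
}

# Demonstration on a temp dir
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
echo "commented out lines:"
disable_unsupported_options "$demo_dir/sshd_config" "$demo_dir/sshd_t.log"
cat "$demo_dir/sshd_config"
rm -rf "$demo_dir"
```

On a real host the log is produced with `/usr/sbin/sshd -t -f /etc/ssh/sshd_config 2>/tmp/sshd_t.log`; after the function has run, repeat `sshd -t` and only restart the service once it prints nothing, which is the "rerun until no errors" loop of the post without editing line numbers by hand.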
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_rsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
key_load_private: bad permissions
Could not load host key: /etc/ssh/ssh_host_rsa_key

ssh_host_rsa_key is the old server's private host key; delete it.
Following the messages, delete every key that is reported as invalid.

Permissions 0640 for '/etc/ssh/ssh_host_ecdsa_key' are too open.
Permissions 0640 for '/etc/ssh/ssh_host_ed25519_key' are too open.

Output when the new sshd installs successfully
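The "too open" rejections above come from the upstream permission check, which refuses a private key when any group or other permission bit is set; the Fedora-packaged sshd is patched to accept 0640 with the ssh_keys group, the self-built one is not. The post deletes the keys so that make install regenerates them. The script below is an added example (not code from the original post or from OpenSSH) showing the alternative a practitioner usually prefers: audit the host keys and tighten them to 0600, which keeps the host identity so clients do not see a host-key-changed warning. It runs on constructed placeholder files in a temp directory, not on /etc/ssh.

```shell
#!/bin/sh
# Added example, not from the original post: audit the host-key files that the
# upstream sshd refuses as "too open" and tighten them to 0600 instead of
# deleting them. Everything runs on constructed files in a temp directory.

# key_too_open FILE: succeeds (exit 0) when any group/other permission bit is
# set, the condition behind "Permissions 0640 for ... are too open"
key_too_open() {
    # columns 5-10 of `ls -ld` are the group and other permission triplets
    [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]
}

# audit_host_keys DIR: list the private host keys in DIR that sshd would reject
audit_host_keys() {
    for f in "$1"/ssh_host_*_key; do
        [ -f "$f" ] || continue        # glob matched nothing
        key_too_open "$f" && echo "$f"
    done
    return 0
}

# fix_host_keys DIR: chmod 600 each rejected key and echo the files changed.
# Keeping the keys (rather than deleting them) means the host identity does
# not change, so clients keep their existing known_hosts entries.
fix_host_keys() {
    audit_host_keys "$1" | while read -r f; do
        chmod 600 "$f"
        echo "$f"
    done
}

# make_sample_keys DIR: constructed placeholder key files (not real keys) in
# the 0640 mode a packaged install leaves behind, plus one already at 0600
make_sample_keys() {
    for k in rsa ecdsa ed25519; do
        echo "constructed placeholder, not a real key" > "$1/ssh_host_${k}_key"
        echo "constructed placeholder public key" > "$1/ssh_host_${k}_key.pub"
    done
    chmod 640 "$1/ssh_host_rsa_key" "$1/ssh_host_ecdsa_key"
    chmod 600 "$1/ssh_host_ed25519_key"
}

# Demonstration on a temp dir; on a real host the call would be
# fix_host_keys /etc/ssh, followed by `sshd -t` to confirm the keys load
demo_dir=$(mktemp -d)
make_sample_keys "$demo_dir"
echo "rejected before fix:"; audit_host_keys "$demo_dir"
echo "tightened:";           fix_host_keys "$demo_dir"
echo "rejected after fix:";  audit_host_keys "$demo_dir"
rm -rf "$demo_dir"
```

The public halves (`*.pub`) are deliberately not matched by the glob; they must stay world-readable. After tightening, `sshd -t -f /etc/ssh/sshd_config` should no longer print the key warnings, and the install output would not need to regenerate any host key.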
/etc/ssh/ssh_config already exists, install will not overwrite
/etc/ssh/sshd_config already exists, install will not overwrite
/etc/ssh/moduli already exists, install will not overwrite
ssh-keygen: generating new host keys: ED25519
/usr/sbin/sshd -t -f /etc/ssh/sshd_config

// restart the sshd service
systemctl stop sshd.service
systemctl start sshd.service
systemctl enable sshd.service

At this point only non-root users can log in.

vi /etc/ssh/sshd_config
49gg
// open up the option that allows root to log in remotely
PermitRootLogin yes
:wq

// restart the sshd service
systemctl stop sshd.service
systemctl start sshd.service
// now root can log in
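The post turns root login on by jumping to line 49 in vi. The script below is an added example (not code from the original post or from OpenSSH) that sets a single sshd_config keyword idempotently instead: it handles the three states a keyword can be in (a commented default such as `#PermitRootLogin yes`, an already active line, or no line at all) and leaves exactly one active line, which matters because sshd uses only the first occurrence of a keyword. The demonstration also shows `prohibit-password` (accepted since OpenSSH 7.0; `without-password` is the older spelling), the value to use when root should only ever log in with a key. It edits a constructed temp config, not /etc/ssh/sshd_config.

```shell
#!/bin/sh
# Added example, not from the original post: set one sshd_config keyword
# idempotently rather than editing a line number by hand in vi. Works on a
# constructed temp config; the awk logic is the same for a real file.

# set_sshd_option CONFIG KEYWORD VALUE
#   Replaces the first commented or active KEYWORD line with "KEYWORD VALUE",
#   drops later duplicates, and appends the line if KEYWORD is absent.
#   Intended for global settings; it does not understand Match blocks.
set_sshd_option() {
    cfg=$1
    key=$2
    val=$3
    awk -v key="$key" -v val="$val" '
        BEGIN {
            done = 0
            # keyword at line start, optional leading hash, case-insensitive as in sshd
            re = "^[ \t]*#?[ \t]*" tolower(key) "([ \t]|=|$)"
        }
        tolower($0) ~ re {
            if (!done) { print key " " val; done = 1 }
            next
        }
        { print }
        END { if (!done) print key " " val }
    ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

# get_sshd_option CONFIG KEYWORD: the value sshd would use (first active line)
get_sshd_option() {
    awk -v key="$2" '
        BEGIN { re = "^[ \t]*" tolower(key) "([ \t]|=)" }
        tolower($0) ~ re { sub(/^[ \t]*[^ \t=]+[ \t=]+/, ""); print; exit }
    ' "$1"
}

# Demonstration on a constructed config
demo_cfg=$(mktemp)
printf '#PermitRootLogin yes\nPasswordAuthentication yes\n' > "$demo_cfg"
set_sshd_option "$demo_cfg" PermitRootLogin yes                 # what the post does
echo "PermitRootLogin is now: $(get_sshd_option "$demo_cfg" PermitRootLogin)"
set_sshd_option "$demo_cfg" PermitRootLogin prohibit-password   # key-only root login
echo "PermitRootLogin is now: $(get_sshd_option "$demo_cfg" PermitRootLogin)"
cat "$demo_cfg"
rm -f "$demo_cfg"
```

On a real host, run `/usr/sbin/sshd -t -f /etc/ssh/sshd_config` after the edit and only then `systemctl restart sshd.service`; a syntax error in sshd_config would otherwise leave the service stopped with no remote way back in.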
// Test succeeded; confirm the version of the new OpenSSH

[root@localhost ~]# sshd --help
unknown option -- -
OpenSSH_7.2p2, OpenSSL 1.0.2h-fips  3 May 2016
usage: sshd [-46DdeiqTt] [-b bits] [-C connection_spec] [-c host_cert_file]
            [-E log_file] [-f config_file] [-g login_grace_time] [-h host_key_file]
            [-k key_gen_time] [-o option] [-p port] [-u len]

Perfect, identical to the target system.
Complete contents of /etc/ssh/sshd_config
# $OpenBSD: sshd_config,v 1.94 2015/02/02 01:57:44 deraadt Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
#Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Ciphers and keying
#RekeyLimit default none

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
# GSSAPIAuthentication yes
# GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
# problems.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation sandbox    # Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server
Reposted from: https://lostspeed.blog.csdn.net/article/details/80700245