- Porting OpenSSH to an ARM platform
- 1 Download
- 2 Working directory layout
- 3 Download and extract
- 4 Cross-compile zlib
- 5 Cross-compile OpenSSL
- 6 Cross-compile OpenSSH
- 7 Target board preparation
- 8 Generate key files
- 9 Target board user information
- 10 Test
- 11 Error troubleshooting
- 1. error while loading shared libraries: libz.so.1
- 2. sshd_config: No such file or directory
- 3. strip process terminated abnormally
- 4. make: [check-config] Error 2 (ignored)
- 5. sshd re-exec requires execution with an absolute path
- 6. Privilege separation user sshd does not exist
- 7. Could not load host key, or /var/empty must be owned by root
- 8. ssh_exchange_identification: Connection closed by remote host
- 9. ssh: Permission denied, please try again.
- 10. Password login over SSH to the board works, but key-pair login does not.
- 11. Host key verification failed
Porting OpenSSH to an ARM platform
Host environment: ubuntu16.04.3 32bit
Cross compiler: arm-linux-gnueabihf-gcc (4.7.3)
1 Download
1. Porting OpenSSH needs three packages, openssh, openssl and zlib, from the following addresses:
- zlib official download: http://www.zlib.net/
- openssl official download: http://www.openssl.org/source
- openssh official download: http://www.openssh.com/portable.html
There are no version conflicts between them, so simply download the latest of each. This article uses zlib-1.2.11.tar.gz, openssl-1.0.1u.tar.gz and openssh-7.7p1.tar.gz as its example; the procedure is the same for other versions.
2 Working directory layout
The port involves three packages, so set up a working directory first; it keeps the rest of the process orderly.
$ cd ~ # switch to the home directory
$ mkdir ssh # create the ssh working directory
$ cd ssh
# install directories for zlib and openssl
$ mkdir -p install/zlib
$ mkdir -p install/openssl
# add the cross compiler's bin directory to PATH (PATH entries are directories, not tool prefixes); skip this if it is already configured
$ export PATH=$PATH:/opt/gcc-linaro-arm-linux-gnueabihf-4.7-2012.11-20121123_linux/bin
3 Download and extract
Copy the three source packages zlib-1.2.8.tar.gz, openssl-1.0.1h.tar.gz and openssh-6.6p1.tar.gz into the ssh directory and extract them (the commands below fetch the versions this article actually uses):
# the download URLs below may change as the sources are updated
$ wget https://www.openssl.org/source/old/1.0.1/openssl-1.0.1u.tar.gz
$ wget https://cloudflare.cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-7.7p1.tar.gz
$ wget http://www.zlib.net/zlib-1.2.11.tar.gz
$ tar zxvf zlib-1.2.11.tar.gz
$ tar zxvf openssl-1.0.1u.tar.gz
$ tar zxvf openssh-7.7p1.tar.gz
4 Cross-compile zlib
First build and install zlib into its install directory, for the final openssh build to use.
$ cd zlib-1.2.11
$ prefix=/home/wyy/Develop/ssh/install/zlib CC=arm-linux-gnueabihf-gcc ./configure
$ make -j4
$ make install
In the configure step above, prefix has no leading "--", CC is set to the cross compiler, and "./configure" comes last: zlib's configure reads prefix and CC as environment variables rather than as options.
5 Cross-compile OpenSSL
Build and install openssl into its install directory as well, for the final openssh build.
# build method for openssl-1.0.1u
$ cd ../openssl-1.0.1u
$ ./Configure --prefix=/home/wyy/Develop/ssh/install/openssl os/compiler:arm-linux-gnueabihf-gcc
$ make -j4
$ make install
# build method for openssl-1.1.0h
$ cd ../openssl-1.1.0h
$ ./config no-asm --prefix=/home/wyy/Develop/ssh/install/openssl
$ vi Makefile
# edit the following two lines; do not leave stray spaces around the prefix
# line 74: CROSS_COMPILE=arm-linux-gnueabihf-
# line 75: CC=$(CROSS_COMPILE)gcc
# delete the two occurrences of -m32, which the cross compiler does not recognise
$ make -j4
$ make install
6 Cross-compile OpenSSH
The openssh build references the zlib and openssl install directories built above, as follows.
$ cd ../openssh-7.7p1
# annoyingly, configure only passes when --without-pie is added
$ ./configure --host=arm-linux-gnueabihf --with-libs --with-zlib=/home/wyy/Develop/ssh/install/zlib --with-ssl-dir=/home/wyy/Develop/ssh/install/openssl --disable-etc-default-login CC=arm-linux-gnueabihf-gcc AR=arm-linux-gnueabihf-ar --without-pie
$ make -j4
Note: openssh does not need make install.
7 Target board preparation
Make sure the following directories exist on the target board; create any that are missing:
/usr/local/bin
/usr/local/etc
/usr/libexec
/var/run
/var/empty
Copy the files from /home/wyy/Develop/ssh/openssh-7.7p1/ on the PC into the target board's file system, specifically:
- the 8 files scp, sftp, ssh, sshd, ssh-add, ssh-agent, ssh-keygen and ssh-keyscan go to /usr/local/bin on the board
- the 3 files moduli, ssh_config and sshd_config go to /usr/local/etc on the board
- the 2 files sftp-server and ssh-keysign go to /usr/libexec on the board
Copy the cross-compiled zlib to the board's /opt/ directory:
sudo cp -a zlib /opt/
# add the library path to the environment in /etc/profile
vi /etc/profile
# append at the end:
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/opt/zlib/lib
# apply the change
source /etc/profile
8 Generate key files
Generate the host key files in /usr/local/etc/ on the target board:
$ cd /usr/local/etc/
$ ssh-keygen -t rsa -f ssh_host_rsa_key -N ""
$ ssh-keygen -t dsa -f ssh_host_dsa_key -N ""
$ ssh-keygen -t ecdsa -f ssh_host_ecdsa_key -N ""
$ ssh-keygen -t ed25519 -f ssh_host_ed25519_key -N ""
Change the permissions of ssh_host_ed25519_key to 600:
$ chmod 600 ssh_host_ed25519_key
ssh_host_ed25519_key is the key used by SSH protocol version 2 and its permissions must be fixed, otherwise the following error appears:
Permissions 0644 for '/usr/local/etc/ssh_host_ed25519_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
bad permissions: ignore key: /usr/local/etc/ssh_host_ed25519_key
Could not load host key: /usr/local/etc/ssh_host_ed25519_key
Edit the sshd_config configuration file:
# remove the leading # on lines 13, 19 and 32
# (sshd_config does not accept a trailing comment after a value, so the notes below sit on their own lines)
Port 22
# path of the host key file
HostKey /usr/local/etc/ssh_host_ecdsa_key
# change to yes
PermitRootLogin yes
# disconnect after 8 hours; this counts missed keepalive probes, so it only takes effect together with ClientAliveInterval (e.g. 480 probes at ClientAliveInterval 60 is 8 hours)
ClientAliveCountMax 480
9 Target board user information
Open /etc/passwd and append the following line:
# if an sshd user already exists, delete it first and then add this line
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
If the board's root user has no password yet, run the following command and enter the password twice to set one; otherwise other devices cannot connect:
$ passwd root
10 Test
Run on the target board:
$ /usr/local/bin/sshd
Use the ps command to check whether sshd is running.
If it complains about a missing shared library while starting, search for the file on the host, copy it to /lib/ on the board, and remember to create the symbolic links!
OK, if nothing goes wrong it should work.
On the host:
$ ssh root@192.168.1.250 # the board's IP
Then enter the board's root password and you are logged in.
To start sshd automatically after login, edit the profile file:
# sshd needs the zlib library, so put it after the dynamic library path setting in profile
vi /etc/profile
# add after the line export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/opt/zlib/lib
/usr/local/bin/sshd # full path
If this problem appears:
/var/empty must be owned by root and not group or world-writable.
it is because the empty directory was created on the host as a non-root user.
Solutions:
1. delete it and recreate it on the target board
2. create it on the host as root
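The failure modes of sections 7 to 10 (missing directories or binaries, no sshd user, a /var/empty that is not root-owned or is group/world-writable, host keys missing or not mode 600) can all be caught before sshd is started. The script below is an added preflight check, not part of the original article; it assumes GNU stat on Linux and takes the root of the file system to inspect (/ on the board, or a staged rootfs on the PC) plus the expected owner, root by default.

```shell
#!/bin/sh
# Preflight check for the OpenSSH layout of sections 7 to 10, run on the board
# (ROOT=/) or against a staged root file system on the PC before copying.
# Assumes GNU stat (Linux). Usage: sshd_preflight ROOT [OWNER]
# OWNER is the expected owner of /var/empty and the host keys (root on the board).

sshd_preflight() {
    root=${1%/}            # "/" becomes "", so "$root/usr" is always a clean path
    owner=${2:-root}
    fail=0

    for d in usr/local/bin usr/local/etc usr/libexec var/run var/empty; do
        [ -d "$root/$d" ] || { echo "missing directory /$d"; fail=1; }
    done
    for b in scp sftp ssh sshd ssh-add ssh-agent ssh-keygen ssh-keyscan; do
        [ -x "$root/usr/local/bin/$b" ] || { echo "missing /usr/local/bin/$b"; fail=1; }
    done
    for h in sftp-server ssh-keysign; do
        [ -x "$root/usr/libexec/$h" ] || { echo "missing /usr/libexec/$h"; fail=1; }
    done
    [ -f "$root/usr/local/etc/sshd_config" ] || { echo "missing /usr/local/etc/sshd_config"; fail=1; }

    # "Privilege separation user sshd does not exist": sshd needs a passwd entry
    grep -q '^sshd:' "$root/etc/passwd" 2>/dev/null || { echo "no sshd user in /etc/passwd"; fail=1; }

    # "/var/empty must be owned by root and not group or world-writable"
    if [ -d "$root/var/empty" ]; then
        set -- $(stat -c '%U %a' "$root/var/empty")
        [ "$1" = "$owner" ] || { echo "/var/empty owned by ${1:-?}, expected $owner"; fail=1; }
        case "$2" in *[2367]?|*[2367]) echo "/var/empty mode $2 is group/world-writable"; fail=1 ;; esac
    fi

    # Host keys: sshd exits when none loads (the client then sees the connection
    # closed), and a private key that is not mode 600 is ignored as "too open"
    n=0
    for k in "$root"/usr/local/etc/ssh_host_*_key; do
        [ -f "$k" ] || continue
        n=$((n + 1))
        set -- $(stat -c '%U %a' "$k")
        [ "$1" = "$owner" ] && [ "$2" = 600 ] || { echo "$k: owner $1 mode $2, want $owner 600"; fail=1; }
    done
    [ "$n" -gt 0 ] || { echo "no ssh_host_*_key files in /usr/local/etc"; fail=1; }

    if [ "$fail" -eq 0 ]; then echo "preflight OK"; fi
    return "$fail"
}
```

Run it as root on the board with `sshd_preflight /`; every line it prints maps to one of the errors in section 11 below.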
11 Error troubleshooting
Source: https://blog.csdn.net/flfihpv259/article/details/51601403
1. error while loading shared libraries: libz.so.1
Error message:
[root@bst:/bin]# ./ssh-keygen -t rsa -f ssh_host_rsa_key -N ""
./ssh-keygen: error while loading shared libraries: libz.so.1: cannot open shary..
[root@bst:/]# /usr/local/sbin/sshd
/usr/local/sbin/sshd: error while loading shared libraries: libz.so.1: cannot oy
[root@bst:/]#
Cause and fix:
The libz.so library is missing. Go to the zlib install directory and copy the three libraries in lib into the root file system:
anzyelay@ubuntu:install$ cd install/zlib/
anzyelay@ubuntu:zlib$ cp -av ./lib/*.so* ~/Desktop/arm/myrootfs/lib/
`./lib/libz.so' -> `/home/anzyelay/Desktop/arm/myrootfs/lib/libz.so'
`./lib/libz.so.1' -> `/home/anzyelay/Desktop/arm/myrootfs/lib/libz.so.1'
`./lib/libz.so.1.2.8' -> `/home/anzyelay/Desktop/arm/myrootfs/lib/libz.so.1.2.8'
2. sshd_config: No such file or directory
Error message:
[root@bst:/]# /usr/local/sbin/sshd
/home/anzyelay/Downloads/openssh/install/openssh/etc/sshd_config: No such file or directory
Cause and fix:
The sshd_config path is wrong. Specify the location of sshd_config with the following command:
/usr/local/sbin/sshd -t -f <directory>/sshd_config
Note: after I later did step 4 above (configuring sshd on the board), running /usr/local/sbin/sshd without specifying the file also worked...
3. strip process terminated abnormally
Error message:
/usr/bin/install -c -m 0755 -s ssh /home/anzyelay/Desktop/arm/myrootfs/usr/local/openssh/bin/ssh
strip: Unable to recognise the format of the input file `/home/anzyelay/Desktop/arm/myrootfs/usr/local/openssh/bin/ssh'
/usr/bin/install: strip process terminated abnormally
Cause and fix:
The files are cross-compiled, but the strip used by make install is not the cross-compiled version, so it cannot run correctly. Searching online only turned up commenting out the STRIP_OPT=-s option in the Makefile. Later, reading man install, I saw a "--strip-program" option; after changing STRIP_OPT= to the following, the error disappeared on the next make install:
STRIP_OPT=-s --strip-program=arm-none-linux-gnueabi-strip
4. make: [check-config] Error 2 (ignored)
Error message:
The following error appears during make install:
/home/anzyelay/Desktop/arm/myrootfs/usr/local/openssh/sbin/sshd -t -f /home/anzyelay/Desktop/arm/myrootfs/usr/local/openssh/etc/sshd_config
/home/anzyelay/Desktop/arm/myrootfs/usr/local/openssh/sbin/sshd: 1: /home/anzyelay/Desktop/arm/myrootfs/usr/local/openssh/sbin/sshd: Syntax error: word unexpected (expecting ")")
make: [check-config] Error 2 (ignored)
Cause and fix:
Looking at the Makefile, the install step automatically runs ssh-keygen and sshd, but these are the ARM builds and cannot run on the PC, so the step has to be skipped. Use the following command:
make install-nokeys
This skips the host-key and check-config steps; do them manually on the board.
5. sshd re-exec requires execution with an absolute path
Error message:
[root@bst:/]# ./usr/local/openssh/sbin/sshd
sshd re-exec requires execution with an absolute path
Cause and fix:
Start it with the absolute path:
/usr/local/openssh/sbin/sshd
6. Privilege separation user sshd does not exist
Error message:
[root@bst:/]# /usr/local/openssh/sbin/sshd
Privilege separation user sshd does not exist
Cause and fix:
The sshd account does not exist and must be added. sshd enables privilege separation by default; see the README.privsep document:
You should do something like the following to prepare the privsep
preauth environment:

# mkdir /var/empty
# chown root:sys /var/empty
# chmod 755 /var/empty
# groupadd sshd
# useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd

/var/empty should not contain any files.
On my board the groupadd and useradd commands are addgroup and adduser. I did not get it to work in two separate steps, so I used adduser alone to create both the group and the account; the sshd lines below are the ones it added:
[root@bst:/]# adduser -h /var/empty -g 'sshd privsep' -s /bin/false sshd sshd
[root@bst:/]# cat etc/passwd
root:x:0:0:root:/root:/bin/sh
sshd:x:1001:1001:sshd privsep:/var/empty:/bin/false
[root@bst:/]# cat etc/group
root:x:1000:
sshd:x:1001:
[root@bst:/]# cat etc/shadow
root:!:16884:0:99999:7:::
sshd:!:24271:0:99999:7:::
7. Could not load host key, or /var/empty must be owned by root
Error message:
Running sshd gives the following errors:
[root@bst:/]# /usr/local/openssh/sbin/sshd
Could not load host key: /usr/local/openssh/etc/ssh_host_ed25519_key
/var/empty must be owned by root and not group or world-writable.
Cause and fix:
The ed25519 key type only exists in newer versions. The version we ported is the latest, but the version on the PC may not be that new and cannot generate this key type. Upgrading looked like a hassle, so I simply tried ssh-keygen on the board, and it was surprisingly fast! Not having this key does not matter anyway: as long as the client and the server share one key type, communication can use that one. If you do not want to see the error, comment out that host_key in the configuration.
[root@bst:/etc]# /usr/local/openssh/bin/ssh-keygen -t ed25519 -f /usr/local/openssh/etc/ssh_host_ED25519_key -N ""
Generating public/private ed25519 key pair.
Your identification has been saved in /usr/local/openssh/etc/ssh_host_ED25519_k.
Your public key has been saved in /usr/local/openssh/etc/ssh_host_ED25519_key.p.
The key fingerprint is:
SHA256:ju+goS7itu3p61c66xBSo2iku46pmom9zsIJj/YuBh0 root@bst
The key's randomart image is:
[randomart image omitted]
[root@bst:/etc]#
The second error is fixed simply by changing the owner and group:
chown root:root /var/empty
8. ssh_exchange_identification: Connection closed by remote host
Error message:
Remote login from the PC client gives the following error:
anzyelay@ubuntu:etc$ ssh root@192.168.10.110 -v
OpenSSH_5.9p1 Debian-5ubuntu1.9, OpenSSL 1.0.1 14 Mar 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 192.168.10.110 [192.168.10.110] port 22.
debug1: Connection established.
debug1: identity file /home/anzyelay/.ssh/id_rsa type -1
debug1: identity file /home/anzyelay/.ssh/id_rsa-cert type -1
debug1: identity file /home/anzyelay/.ssh/id_dsa type -1
debug1: identity file /home/anzyelay/.ssh/id_dsa-cert type -1
debug1: identity file /home/anzyelay/.ssh/id_ecdsa type -1
debug1: identity file /home/anzyelay/.ssh/id_ecdsa-cert type -1
ssh_exchange_identification: Connection closed by remote host
Cause and fix:
The error occurs during identity exchange: check whether the private keys named by HostKey in the server's configuration file actually exist at those locations. If none of them exists, the server cannot prove its identity and the connection is closed. Create a private key and put it where the configuration expects it.
9. ssh: Permission denied, please try again.
Error message:
Running ssh username@IP:
anzyelay@ubuntu:etc$ ssh root@192.168.10.110 -v
...
debug1: Next authentication method: publickey
debug1: Trying private key: /home/anzyelay/.ssh/id_rsa
debug1: Trying private key: /home/anzyelay/.ssh/id_dsa
debug1: Trying private key: /home/anzyelay/.ssh/id_ecdsa
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: password
root@192.168.10.110's password:
debug1: Authentications that can continue: publickey,password,keyboard-interactive
Permission denied, please try again.
root@192.168.10.110's password:
debug1: Authentications that can continue: publickey,password,keyboard-interactive
Permission denied, please try again.
root@192.168.10.110's password:
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: No more authentication methods to try.
Permission denied (publickey,password,keyboard-interactive).
Cause and fix:
I confirmed that the root password on the board was correct, yet it kept saying Permission denied; an empty password did not work either. Adding -v to the connection shows the messages above. In that case the sshd_config is usually wrong. Change PermitRootLogin to YES as follows:
#PermitRootLogin prohibit-password
PermitRootLogin yes
If you do not want to enter a password at all, enable empty passwords. Change the following settings:
PermitRootLogin yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords yes
10. Password login over SSH to the board works, but key-pair login does not.
Error message:
anzyelay@ubuntu:zlib$ ssh root@192.168.10.110 -v
OpenSSH_7.2p2, OpenSSL 1.0.1 14 Mar 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to 192.168.10.110 [192.168.10.110] port 22.
debug1: Connection established.
debug1: identity file /home/anzyelay/.ssh/id_rsa type 1
debug1: key_load_public: No such file or directory
debug1: identity file /home/anzyelay/.ssh/id_rsa-cert type -1
debug1: identity file /home/anzyelay/.ssh/id_dsa type 2
debug1: key_load_public: No such file or directory
debug1: identity file /home/anzyelay/.ssh/id_dsa-cert type -1
debug1: identity file /home/anzyelay/.ssh/id_ecdsa type 3
debug1: key_load_public: No such file or directory
debug1: identity file /home/anzyelay/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/anzyelay/.ssh/id_ed25519 type 4
debug1: key_load_public: No such file or directory
debug1: identity file /home/anzyelay/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.2
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2
debug1: match: OpenSSH_7.2 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 192.168.10.110:22 as 'root'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:4QwH0ADqUb2zwenxAd/bV4xh6l9ESjIsMzrDcQOxeEw
debug1: Host '192.168.10.110' is known and matches the ECDSA host key.
debug1: Found key in /home/anzyelay/.ssh/known_hosts:1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS received
debug1: Skipping ssh-dss key /home/anzyelay/.ssh/id_dsa - not in PubkeyAcceptedKeyTypes
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/anzyelay/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password
debug1: Offering ECDSA public key: /home/anzyelay/.ssh/id_ecdsa
debug1: Authentications that can continue: publickey,password
debug1: Offering ED25519 public key: /home/anzyelay/.ssh/id_ed25519
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
root@192.168.10.110's password:
Entering the password here logs in fine, but the public keys tried before it never succeed. My sshd configuration is correct:
# Authentication:
LoginGraceTime 2m
PermitRootLogin yes
StrictModes yes
MaxAuthTries 6
MaxSessions 10
RSAAuthentication yes
PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
#AuthorizedKeysFile %h/.ssh/authorized_keys
Several different causes and their fixes:
The cause was that the owner of my /root directory was an unknown user, as shown:
[root@bst:/]# ls -l
total 28
drwxrwxr-x 2 1000 root 4096 May 25 2016 bin
drwxrwxrwt 5 root 0 13080 Jun 17 09:53 dev
drwxrwxr-x 5 1000 root 4096 Jun 17 2016 etc
drwxrwxr-x 3 1000 root 4096 Jun 17 2016 lib
lrwxrwxrwx 1 root root 11 May 20 2016 linuxrc -> bin/busybox
dr-xr-xr-x 39 root 0 0 Jan 1 1970 proc
drwx------ 3 1000 root 4096 Jun 15 2016 root
drwxrwxr-x 2 1000 root 4096 May 20 2016 sbin
drwxr-xr-x 12 root 0 0 Jun 17 09:53 sys
drwxrwxrwt 2 root 0 40 Jun 17 09:53 tmp
drwxrwxr-x 6 1000 root 4096 Jun 12 2016 usr
drwxrwxr-x 3 1000 root 4096 Jun 13 2016 var
[root@bst:/]#
After changing the owner it worked:
[root@bst:/]# chown root:root root/
The same problem also appeared in a local loopback test (ssh localhost): I found that after adding .ssh/id_rsa.pub to my own authorized list, the public key file had to be deleted, otherwise login always failed. Another cause is a wrong owner on the parent directory of the authenticated user's home. For example, when logging in to the git account over SSH, the git directory had .ssh/authorized_keys with correct permissions and owner, yet key login still failed. It turned out that the ../ directory was owned by anzye (see below); I changed it to git and it worked:
root@ubuntu:/home/git# ll
total 44
drwxr-xr-x 4 git git 4096 Jun 26 18:03 ./
drwx------ 5 anzye anzye 4096 Jun 26 17:46 ../
-rw------- 1 git git 5 Jun 26 18:03 .bash_history
-rw-r--r-- 1 git git 220 Jun 26 17:46 .bash_logout
-rw-r--r-- 1 git git 3486 Jun 26 17:46 .bashrc
-rw-r--r-- 1 git git 8445 Jun 26 17:46 examples.desktop
-rw-r--r-- 1 git git 675 Jun 26 17:46 .profile
drwxrwxr-x 7 git git 4096 Jun 26 17:57 repo.git/
drwxr--r-- 2 git git 4096 Jun 26 18:03 .ssh/
Summary of the key-pair login process and its requirements:
The client login authentication process:
First, login authentication only begins after the SSH client and server have established the protocol connection and the server has been verified (this stage requires the server to have its own private key, named by HostKey in sshd_config; the reason the guides online all generate this private key on the PC and move it over is that the PC is fast and generating it on the board is too slow, but they all copy each other without explaining why, and the explanations get so muddled that it even turns into a public key!!). For the details of the connection stage see the blog post I linked above.
Client login authentication requires the client's public key to be added to the server's authorized_keys file (its location is given by AuthorizedKeysFile in sshd_config, by default under ~/.ssh/ on the server). After the client requests login, the server looks up the public key in authorized_keys, encrypts the authentication data with it and sends it back to the client; the client decrypts it with the matching private key (its location is given by IdentityFile in ssh_config, by default under ~/.ssh/) and returns the result to the server to pass authentication. From this brief description the requirements are as follows.
Server side (board) sshd configuration and file permission requirements: enable the two options below and specify the public key list file
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
Leaving this commented out uses the default, the home directory/.ssh/authorized_keys. You can see the current user's home directory with cat /etc/passwd, for example:
[root@bst:/.ssh]# cat /etc/passwd
root:x:0:0:root:/root:/bin/sh
sshd:x:1001:1001:sshd privsep:/var/empty:/bin/false
On my board root's home directory is /root; if yours is missing, change it yourself. The important points are that the home directory's permissions are 700 (in other tests only the write permission needed restricting) and that it is owned by the user, and that authorized_keys must be 600. A problem in any one of these prevents authentication. This is easy to understand, and the client side is the same; it is what guarantees security: every user can only use their own private key and public key list, and no other user can log in as them. So if you want to log in to another user on the board (say anzyelay) rather than root, you must add your public key to /home/anzyelay/.ssh/authorized_keys.
Once the server is configured, a client that wants to log in must create a key pair, specify the private key and add the public key to the server. The default private key is under ~/.ssh/ (see ssh_config).
ssh-keygen -t rsa/dsa/ecdsa/ed25519
Pick one type. This creates a key pair in the default ~/.ssh/. If you used -f to choose a different location, copy the whole pair (the private key alone is not enough) into ~/.ssh/. Then:
ssh-copy-id -i ~/.ssh/<generated public key>.pub usr@IP
This automatically appends the public key to the board user's default ~/.ssh/authorized_keys used by the sshd service; it requires that password authentication works first.
You can also copy it manually: copy the public key to a directory on the board and append it with the following commands:
touch ~/.ssh/authorized_keys
cat **.pub >> authorized_keys
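The owner and permission problems above are what sshd's StrictModes check rejects: the authorized_keys file, its directory and every directory up to the login user's home must be owned by that user or by root and must not be group- or world-writable (the 700/600 settings recommended above satisfy this). The function below is an added example, not from the original post, that reproduces that check so it can be run on the board for the user you are trying to log in as; it assumes GNU stat on Linux and takes the user name and home directory explicitly.

```shell
#!/bin/sh
# StrictModes-style check of a user's authorized_keys path, run on the board.
# Assumes GNU stat (Linux). Usage: authorized_keys_check USER HOME [KEYFILE]
# KEYFILE defaults to HOME/.ssh/authorized_keys, the sshd_config default.

path_ok() {
    # $1 = path, $2 = uid of the login user. Passes when the path is owned by
    # root or by that user and is neither group- nor world-writable, which is
    # the rule sshd applies to the key file and its directories under StrictModes.
    info=$(stat -c '%u %a' "$1" 2>/dev/null) || { echo "cannot stat $1"; return 1; }
    set -- "$1" "$2" $info
    [ "$3" = 0 ] || [ "$3" = "$2" ] || { echo "bad owner (uid $3) on $1"; return 1; }
    case "$4" in
        *[2367]?|*[2367]) echo "mode $4 on $1 is group/world-writable"; return 1 ;;
    esac
    return 0
}

authorized_keys_check() {
    uid=$(id -u "$1") || return 1
    home=${2%/}
    [ -n "$home" ] || home=/
    keyfile=${3:-$home/.ssh/authorized_keys}
    [ -f "$keyfile" ] || { echo "missing $keyfile"; return 1; }
    path_ok "$keyfile" "$uid" || return 1
    # Walk upwards from .ssh; sshd stops once it reaches the home directory
    dir=$(dirname "$keyfile")
    while :; do
        path_ok "$dir" "$uid" || return 1
        [ "$dir" = "$home" ] && break
        [ "$dir" = / ] && break
        dir=$(dirname "$dir")
    done
    echo "ok: $keyfile and its directories up to $home satisfy StrictModes"
    return 0
}
```

For the root case from section 10, `authorized_keys_check root /root` reports the /root directory owned by uid 1000 before the chown and passes after it.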
11. Host key verification failed
Error message:
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the ED25519 key sent by the remote host is
SHA256:n0vBJ8X2zFGZAve8Aik1Yh+OGWPxVwEK+xg8R5RACbs.
Please contact your system administrator.
Add correct host key in /home/anzyelay/.ssh/known_hosts to get rid of this message.
Offending ECDSA key in /home/anzyelay/.ssh/known_hosts:1
ED25519 host key for 192.168.10.110 has changed and you have requested strict checking.
Host key verification failed.
Cause and fix:
The server's host key changed and no longer matches the record on the first line of the client's known_hosts. Delete the record and log in again:
anzyelay@ubuntu:openssh-7.2p2$ ssh-keygen -R 192.168.10.110
# Host 192.168.10.110 found: line 1
/home/anzyelay/.ssh/known_hosts updated.
Original contents retained as /home/anzyelay/.ssh/known_hosts.old
anzyelay@ubuntu:openssh-7.2p2$