Preface
I want to add something to sshd, so first I need to build a new sshd and swap it into a test system.
The experiment now works.
Goal
Build sshd from source myself and replace the test system's sshd with it.
Once that works on the test system, repeat it on the production system.
Test environment
Fedora, 64-bit PC (x86_64) build
sshd on the production system
sshd version on the Fedora PowerPC build (sshd has no --version switch; getopt rejects the option and the version is printed as part of the usage banner):
[root@jhnmsserver ~]# sshd --version
unknown option -- -
OpenSSH_7.2p2, OpenSSL 1.0.2h-fips 3 May 2016
usage: sshd [-46DdeiqTt] [-b bits] [-C connection_spec] [-c host_cert_file]
[-E log_file] [-f config_file] [-g login_grace_time]
[-h host_key_file] [-k key_gen_time] [-o option] [-p port]
[-u len]
The version swapped in on the x86_64 Fedora test box is also OpenSSH_7.2p2, OpenSSL 1.0.2h-fips 3 May 2016, so once the experiment succeeds the same procedure can be run on the production system with confidence.
Materials
Download: sshd_stuff.7z
Files used for the experiment:
openssl-fips-2.0.13.tar.gz
openssl-1.0.2h.tar.gz
zlib-1.2.11.tar.gz
openssh-7.2p2.tar.gz
Install the PAM development headers (needed for --with-pam below)
dnf install pam-devel
Build zlib
cd /home/dev/
tar -xzvf ./zlib-1.2.11.tar.gz
cd zlib-1.2.11/
./configure --prefix=/usr
make
make test
make install
Build the OpenSSL FIPS 2.0 module
cd /home/dev
tar -xzvf ./openssl-fips-2.0.13.tar.gz
cd openssl-fips-2.0.13/
# -fPIC is required: without it the resulting fipscanister.o cannot be linked into the shared libcrypto built in the next step (x86_64 relocation errors)
./config -fPIC
make clean
make
make install
# Installed location
# /usr/local/ssl/fips-2.0/lib/
Build OpenSSL 1.0.2h-fips
cd /home/dev
tar -xzvf ./openssl-1.0.2h.tar.gz
cd ./openssl-1.0.2h/
./config --prefix=/usr fips shared
make depend
make
make test
# Install locations reported by ./config
OPENSSLDIR: "/usr/ssl"
/usr/lib64/   # shared libraries
# Before make install, /usr/lib64 still holds only the distribution's own OpenSSL (1.0.1k, soname .so.10):
[root@localhost openssl-1.0.2h]# ls /usr/lib64/*ssl*.*
/usr/lib64/libevent_openssl-2.0.so.5 /usr/lib64/libopenhpi_ssl.so.3 /usr/lib64/libssl3.so /usr/lib64/libssl.so /usr/lib64/libssl.so.1.0.0
/usr/lib64/libevent_openssl-2.0.so.5.1.9 /usr/lib64/libopenhpi_ssl.so.3.4.0 /usr/lib64/libssl.a /usr/lib64/libssl.so.10 /usr/lib64/libssl.so.1.0.1k
make install
[root@localhost openssl-1.0.2h]# whereis openssl
openssl: /usr/bin/openssl /usr/lib64/openssl /usr/include/openssl /usr/share/man/man1/openssl.1ssl.gz
# Confirm the new openssl is in place
[root@localhost openssl-1.0.2h]# openssl version
OpenSSL 1.0.2h-fips 3 May 2016
# If the shared libraries did not land in /usr/lib64, add their directory to the loader path by hand
echo "/usr/ssl/lib" >> /etc/ld.so.conf
ldconfig
Two things to keep in mind with --prefix=/usr. First, make install writes /usr/bin/openssl, the headers and libssl/libcrypto.so.1.0.0 over files that rpm believes it owns, so a later dnf update of openssl or openssl-devel can silently revert them; on a machine that matters, a separate prefix is safer. Second, the distribution's binaries keep linking against libssl.so.10/libcrypto.so.10, which this install leaves untouched, so only programs built after this step (sshd below) pick up 1.0.2h; check with ldd /usr/sbin/sshd once it is built. The "-fips" in the version string only means libcrypto was built FIPS-capable against the module from the previous step; nothing runs in FIPS mode unless the program calls FIPS_mode_set(1), and upstream OpenSSH does not.
Build OpenSSH_7.2p2
cd /home/dev/
tar -xzvf ./openssh-7.2p2.tar.gz
cd openssh-7.2p2/
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-ssl-dir=/usr/ssl/ --with-pam --with-tcp-wrappers
--with-tcp-wrappers no longer does anything here: libwrap support was removed in OpenSSH 6.7, so configure ignores the option with an unrecognized-option warning (there is no TCP Wrappers line in the summary below). Host-based access control has to come from a firewall or from AllowUsers/Match rules in sshd_config instead. --with-ssl-dir=/usr/ssl/ is what puts -I/usr/ssl/ and -L/usr/ssl/ into the flags; the headers and libraries are actually found under /usr/include and /usr/lib64 from the --prefix=/usr install above. The PAM control file the summary mentions, /etc/pam.d/sshd, is already present from Fedora's openssh-server package.
OpenSSH configure summary
OpenSSH has been configured with the following options:
User binaries: /usr/bin
System binaries: /usr/sbin
Configuration files: /etc/ssh
Askpass program: /usr/libexec/ssh-askpass
Manual pages: /usr/share/man/manX
PID file: /var/run
Privilege separation chroot path: /var/empty
sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin
Manpage format: doc
PAM support: yes
OSF SIA support: no
KerberosV support: no
SELinux support: no
Smartcard support:
S/KEY support: no
MD5 password support: no
libedit support: no
Solaris process contract support: no
Solaris project support: no
Solaris privilege support: no
IP address in $DISPLAY hack: no
Translate v4 in v6 hack: yes
BSD Auth support: no
Random number source: OpenSSL internal ONLY
Privsep sandbox style: seccomp_filter
Host: x86_64-unknown-linux-gnu
Compiler: gcc
Compiler flags: -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE
Preprocessor flags: -I/usr/ssl/
Linker flags: -L/usr/ssl/ -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -pie
Libraries: -lcrypto -ldl -lutil -lz -lcrypt -lresolv
+for sshd: -lpam
PAM is enabled. You may need to install a PAM control file
for sshd, otherwise password authentication may fail.
Example PAM control files can be found in the contrib/
subdirectory
make
make install
# /etc/ssh already holds the previous sshd's server configuration, so install does not overwrite it. Errors at this point (the old sshd was OpenSSH 6.8, the new one is 7.2p2) come from the config test that make install runs (sshd -t) and have to be fixed by hand;
# rerun make install until it completes without complaint.
/etc/ssh/sshd_config line 93: Unsupported option GSSAPIAuthentication
/etc/ssh/sshd_config line 94: Unsupported option GSSAPICleanupCredentials
# As the messages say, comment out lines 93 and 94. These options are not obsolete in 7.2: they are "unsupported" because this build was configured without --with-kerberos5 (KerberosV support: no in the summary), so GSSAPI was compiled out. If Kerberos logins are needed on the real system, install krb5-devel and rebuild with --with-kerberos5 instead of removing them.
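Fixing two lines by hand is fine; on a host with a longer sshd_config it is easier to let the checker drive the edit. The script below is an added example, not code from the original post or from OpenSSH: it extracts the line numbers from "Unsupported option" messages in the format shown above and comments those lines out in a copy of the file. The sample config and the sample checker output are constructed; on a real host the messages would come from /usr/sbin/sshd -t -f <copy> 2>&1, and the edited copy is reviewed before it replaces /etc/ssh/sshd_config.

```sh
#!/bin/sh
# Added example, not code from the original post or from OpenSSH.
# Turns the "Unsupported option" lines that `sshd -t` prints into edits on a
# COPY of sshd_config. Assumptions: the message format is the one shown on
# the page ("<file> line <N>: Unsupported option <Name>"); the sample config
# and the sample checker output below are constructed.

# Constructed sample config; the two GSSAPI directives sit at lines 3 and 4.
make_sample_config() {
    cat > "$1" <<'EOF'
HostKey /etc/ssh/ssh_host_rsa_key
PermitRootLogin prohibit-password
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
UsePAM yes
EOF
}

# Constructed stand-in for what a build without --with-kerberos5 reports.
# On a real host this would be:  /usr/sbin/sshd -t -f "$cfg" 2>&1
sample_sshd_t_output() {
    cat <<'EOF'
/tmp/sshd_config.copy line 3: Unsupported option GSSAPIAuthentication
/tmp/sshd_config.copy line 4: Unsupported option GSSAPICleanupCredentials
EOF
}

# stdin: checker output. stdout: the line number of each "Unsupported option"
# message, one per line. Other errors (bad values, missing files) are left
# alone, because commenting those out would hide a real mistake.
unsupported_lines() {
    sed -n 's/^.* line \([0-9][0-9]*\): Unsupported option .*$/\1/p'
}

# Put a '#' in front of the given line numbers of a file; a line that is
# already a comment is left alone. No sed -i, so this also works on BSD sed.
comment_out_lines() {
    f=$1; shift
    for n in "$@"; do
        sed "${n}s/^[^#]/#&/" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
}

# How many GSSAPI* directives are still active in the file (0 once fixed).
active_gssapi_count() {
    grep -c '^GSSAPI' "$1" || true
}

# Feed the checker output through the pipeline; prints the number of lines edited.
fix_from_checker_output() {
    cfg=$1
    lines=$(sample_sshd_t_output | unsupported_lines)
    comment_out_lines "$cfg" $lines
    printf '%s\n' "$lines" | grep -c . || true
}

# Stand-alone demo on a temporary copy; /etc/ssh/sshd_config is never touched.
demo=$(mktemp)
make_sample_config "$demo"
printf 'commented out %s line(s):\n' "$(fix_from_checker_output "$demo")"
cat "$demo"
rm -f "$demo"
```

Running the edit twice is harmless: the `^[^#]` address skips lines that are already comments, so the result is the same however many times the checker output is replayed.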
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0640 for '/etc/ssh/ssh_host_rsa_key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
key_load_private: bad permissions
Could not load host key: /etc/ssh/ssh_host_rsa_key
ssh_host_rsa_key is the host private key the old server used; delete it.
Delete every key the messages flag in the same way.
Permissions 0640 for '/etc/ssh/ssh_host_ecdsa_key' are too open.
Permissions 0640 for '/etc/ssh/ssh_host_ed25519_key' are too open.
The 0640 mode is not damage: Fedora's packaged sshd is patched to accept host keys readable by the ssh_keys group, while upstream sshd insists on owner-only access. Deleting the keys works, but it gives the machine a new host identity, so every client that already has this host in known_hosts gets a "REMOTE HOST IDENTIFICATION HAS CHANGED" warning on its next connection. chmod 600 /etc/ssh/ssh_host_*_key satisfies the check and keeps the identity; that is the option to prefer on the real system.
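Before deleting host keys it is worth checking exactly what trips the test. The script below is an added example, not from the original post or from OpenSSH: it finds host private keys with any group or other permission bit set, which is what the key_load_private check rejects, fixes them with chmod 600, and shows through a digest that the key material, and with it the host identity, is unchanged. The key files it creates are placeholders rather than real keys; the ssh_host_*_key naming and GNU stat/sha256sum are assumptions.

```sh
#!/bin/sh
# Added example, not code from the original post or from OpenSSH.
# Finds host private keys that upstream sshd would refuse (any group/other
# permission bit set, the key_load_private "bad permissions" case above),
# fixes them with chmod 600 and shows that the key material, hence the host
# identity pinned in clients' known_hosts, is unchanged.
# Assumptions: keys are named ssh_host_*_key in the directory given as $1;
# GNU stat (-c '%a') and sha256sum are available. The fixture below is
# constructed: placeholder text, not real keys.

# A directory shaped like the page's /etc/ssh: three keys at 0640 (as the
# Fedora package leaves them) and one already at 0600.
make_fake_hostkeys() {
    dir=$1
    for t in rsa ecdsa ed25519; do
        printf 'PLACEHOLDER %s PRIVATE KEY (constructed, not a real key)\n' "$t" > "$dir/ssh_host_${t}_key"
        chmod 640 "$dir/ssh_host_${t}_key"
    done
    printf 'PLACEHOLDER dsa PRIVATE KEY (constructed, not a real key)\n' > "$dir/ssh_host_dsa_key"
    chmod 600 "$dir/ssh_host_dsa_key"
}

# Print "<file> <mode>" for every host key with group or other bits set.
# Returns 1 if any were found, 0 if all keys are owner-only.
find_open_hostkeys() {
    dir=$1; bad=0
    for k in "$dir"/ssh_host_*_key; do
        [ -f "$k" ] || continue
        mode=$(stat -c '%a' "$k")
        # 0$mode makes the shell read the mode as octal; 077 masks the owner bits out
        if [ $(( 0$mode & 077 )) -ne 0 ]; then
            echo "$k $mode"
            bad=1
        fi
    done
    return $bad
}

# Digest over all private keys; equal before and after means the identity survived.
hostkey_digest() {
    cat "$1"/ssh_host_*_key | sha256sum | cut -d' ' -f1
}

# The fix: owner-only mode on the private keys (the .pub files are not matched).
fix_hostkey_perms() {
    for k in "$1"/ssh_host_*_key; do
        [ -f "$k" ] || continue
        chmod 600 "$k"
    done
}

# Stand-alone demo in a temporary directory.
d=$(mktemp -d)
make_fake_hostkeys "$d"
echo "digest before: $(hostkey_digest "$d")"
if find_open_hostkeys "$d"; then
    echo "all host keys are owner-only"
else
    fix_hostkey_perms "$d"
    echo "tightened to 0600; recheck:"
    if find_open_hostkeys "$d"; then echo "all host keys are owner-only"; fi
fi
echo "digest after:  $(hostkey_digest "$d")"
rm -rf "$d"
```

On the real host the directory argument is /etc/ssh; the public halves (.pub) are deliberately left world-readable, since clients need nothing from them and sshd does not check their mode.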
Messages from a successful install of the new sshd
/etc/ssh/ssh_config already exists, install will not overwrite
/etc/ssh/sshd_config already exists, install will not overwrite
/etc/ssh/moduli already exists, install will not overwrite
ssh-keygen: generating new host keys: ED25519
/usr/sbin/sshd -t -f /etc/ssh/sshd_config
# Restart sshd and make sure it starts at boot. Keep the session you are working in open until a fresh login has succeeded: an existing session survives the restart, but a broken build or config will not let a new one in. The unit still runs /usr/sbin/sshd, which make install overwrote in place; rpm still records openssh-server as the owner of that path, so a later dnf update of the package quietly puts the distribution's binary back.
systemctl restart sshd.service
systemctl enable sshd.service
At this point only non-root users can log in: the OpenSSH 7.x default for PermitRootLogin is prohibit-password (root with keys only, never with a password), whereas the 6.8 config relied on the old default of yes.
vi /etc/ssh/sshd_config
49gg
Uncomment the option that allows root to log in remotely
PermitRootLogin yes
:wq
# Restart sshd
systemctl restart sshd.service
# Root can now log in
# The experiment succeeded
PermitRootLogin yes is the weakest setting there is: root can authenticate with a password over the network. It is acceptable on a throwaway test box; on the real system keep the default (prohibit-password), install a key for root, and use AllowUsers or a Match block to limit who can reach root at all.
Confirm the version of the new OpenSSH
[root@localhost ~]# sshd --help
unknown option -- -
OpenSSH_7.2p2, OpenSSL 1.0.2h-fips 3 May 2016
usage: sshd [-46DdeiqTt] [-b bits] [-C connection_spec] [-c host_cert_file]
[-E log_file] [-f config_file] [-g login_grace_time]
[-h host_key_file] [-k key_gen_time] [-o option] [-p port]
[-u len]
Perfect, identical to the target system.
Full contents of /etc/ssh/sshd_config as left by the steps above. Two things to note: sftp still goes through the distribution's /usr/libexec/openssh/sftp-server, while this build installed its own copy at /usr/libexec/sftp-server, so the two can drift apart; and the GSSAPI lines are commented out for the reason given above.
# $OpenBSD: sshd_config,v 1.94 2015/02/02 01:57:44 deraadt Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# The default requires explicit activation of protocol 1
#Protocol 2
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
# Ciphers and keying
#RekeyLimit default none
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#RSAAuthentication yes
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes
# GSSAPI options
# GSSAPIAuthentication yes
# GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
# problems.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation sandbox # Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
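The file above leaves PermitRootLogin yes, PasswordAuthentication yes and X11Forwarding yes active. As an added example (not part of the original post or of OpenSSH), the script below reads an sshd_config the way sshd does (the first value of a keyword wins, a '#' starts a comment anywhere on the line, and lines after Match are conditional, so they are skipped), reports which of those settings are enabled, and writes a hardened copy with the weak directives replaced beside the original. The embedded config is a constructed excerpt of the file above; the finding texts and the hardened values are this example's own choices, and PasswordAuthentication no assumes keys are already in place for the accounts that need to log in.

```sh
#!/bin/sh
# Added example, not code from the original post or from OpenSSH.
# Reads an sshd_config the way sshd does (first value of a keyword wins,
# '#' starts a comment anywhere on the line, everything after a Match line
# is conditional) and flags the settings the page's file opens up.
# Assumptions: the embedded config is a constructed excerpt of the page's
# file; the finding texts and the hardened values are this example's own;
# the "keyword=value" spelling is not handled.

write_sample_sshd_config() {
    cat > "$1" <<'EOF'
#Port 22
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
PermitRootLogin yes
#StrictModes yes
#PasswordAuthentication yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
UsePrivilegeSeparation sandbox # Default for new installations.
Subsystem sftp /usr/libexec/openssh/sftp-server
Match User anoncvs
    X11Forwarding no
EOF
}

# sshd_effective <file> <keyword> <default>: the value sshd would use in the
# global section, or <default> when the file does not set the keyword.
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" -v def="$3" '
        { sub(/#.*/, "") }                 # comment starts at the first "#", like sshd
        NF == 0 { next }                   # blank or comment-only line
        tolower($1) == "match" { exit }    # Match block: conditional, not global
        !found && tolower($1) == key { found = 1; $1 = ""; sub(/^[ \t]+/, ""); val = $0 }
        END { print (found ? val : def) }
    ' "$1"
}

# Print one finding per line; the return value is the number of findings.
audit_sshd_config() {
    f=$1; n=0
    if [ "$(sshd_effective "$f" PermitRootLogin prohibit-password)" = yes ]; then
        echo "PermitRootLogin yes: root can log in with a password (7.x default: prohibit-password)"
        n=$((n + 1))
    fi
    if [ "$(sshd_effective "$f" PasswordAuthentication yes)" = yes ]; then
        echo "PasswordAuthentication yes: online password guessing is possible; prefer keys and set no"
        n=$((n + 1))
    fi
    if [ "$(sshd_effective "$f" X11Forwarding no)" = yes ]; then
        echo "X11Forwarding yes: upstream default is no; a forwarded display exposes the client's X session to this host"
        n=$((n + 1))
    fi
    if [ "$(sshd_effective "$f" UsePrivilegeSeparation unset)" != sandbox ]; then
        echo "UsePrivilegeSeparation is not 'sandbox': pre-auth code would run without the seccomp filter"
        n=$((n + 1))
    fi
    return $n
}

# harden_copy <in> <out>: same file with the three weak directives replaced.
# Matches only the spellings used in the page's file; run the audit on the result.
harden_copy() {
    sed -e 's/^PermitRootLogin[[:space:]]*yes/PermitRootLogin prohibit-password/' \
        -e 's/^PasswordAuthentication[[:space:]]*yes/PasswordAuthentication no/' \
        -e 's/^X11Forwarding[[:space:]]*yes/X11Forwarding no/' "$1" > "$2"
}

# Stand-alone demo on a temporary copy.
demo=$(mktemp)
write_sample_sshd_config "$demo"
echo "effective PermitRootLogin: $(sshd_effective "$demo" PermitRootLogin prohibit-password)"
audit_sshd_config "$demo" || echo "findings: $?"
harden_copy "$demo" "$demo.hardened"
if audit_sshd_config "$demo.hardened"; then echo "no findings in the hardened copy"; fi
rm -f "$demo" "$demo.hardened"
```

Point sshd_effective at the real /etc/ssh/sshd_config to see what the running server actually uses, and validate any hardened copy with /usr/sbin/sshd -t -f <copy> before moving it into place.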