平台:rk3399
有个需求需要设备支持ssh功能,这东西网上也有类似的资料.
具体的需求是客户提供ssh的公钥,公钥加入到固件里面,烧录后开机起来,设备用ssh 就可以直接连上3399.
本来是做openbear的支持,因为有设备在5.1上支持过,编译没问题,但连接的时候总是被拒绝,找了很久原因没解决,很绝望,只好回头来搞openssh的.
好了,进入主题,其实源码里面external/openssh有了,external/zlib已经支持了,openssl的库也支持了,所以只需要调试openssh.
步骤1:device/rockchip/rk3399/rk3399.mk 添加:
diff --git a/device/rockchip/rk3399/rk3399.mk b/device/rockchip/rk3399/rk3399.mk
index 9125ef8..ab35580 100755
--- a/device/rockchip/rk3399/rk3399.mk
+++ b/device/rockchip/rk3399/rk3399.mk
@@ -52,6 +52,18 @@ PRODUCT_PACKAGES += \
MmsService
+
+# Openssh
+PRODUCT_PACKAGES += \
+ scp \
+ sftp \
+ ssh \
+ sshd \
+ sshd_config \
+ ssh-keygen \
+ start-ssh
编译烧录system.img后,板子上已经有ssh相关命令了
步骤2:先创建出几个key:
mkdir -p /data/ssh
mkdir -p /data/ssh/empty
chmod 700 /data/ssh
chmod 700 /data/ssh/empty
cd /data/ssh/
ssh-keygen -t rsa -f ssh_host_rsa_key -N “”
ssh-keygen -t dsa -f ssh_host_dsa_key -N “”
ssh-keygen -t ecdsa -f ssh_host_ecdsa_key -N ""步骤3:将我们电脑上的公钥push进去
adb push id_rsa.pub /data/ssh/authorized_keys
步骤4:更改sshd服务配置文件/system/etc/ssh/sshd_config
将#Port 22改为Port 22
讲#PermitRootLogin yes改为PermitRootLogin without-password
将#RSAAuthentication yes改为RSAAuthentication yes
将#PubkeyAuthentication yes改为PubkeyAuthentication yes
将PasswordAuthentication no改为#PasswordAuthentication no
将#PermitEmptyPasswords no改为PermitEmptyPasswords yes
将#ChallengeResponseAuthenticationyes改为ChallengeResponseAuthentication yes
将#UsePrivilegeSeparation yes改为UsePrivilegeSeparation no步骤5:启动ssh服务
start-ssh启动失败,提示有几个文件找不到,原来是配置目录的路径不对,更改源码:
diff --git a/external/openssh/config.h b/external/openssh/config.h
index 053c276..82aeb89 100644
--- a/external/openssh/config.h
+++ b/external/openssh/config.h
@@ -1574,13 +1574,13 @@
/* #undef _LARGE_FILES */
/* log for bad login attempts */
-#define _PATH_BTMP "/var/log/btmp"
+#define _PATH_BTMP "/data/ssh"
/* Full path of your "passwd" program */
#define _PATH_PASSWD_PROG "/usr/bin/passwd"
/* Specify location of ssh.pid */
-#define _PATH_SSH_PIDDIR "/var/run"
+#define _PATH_SSH_PIDDIR "/data/ssh"
/* Define if we don't have struct __res_state in resolv.h */
/* #undef __res_state */
@@ -1595,7 +1595,7 @@
/* #undef socklen_t */
#ifndef SSHDIR
-#define SSHDIR "/var/run/ssh"
+#define SSHDIR "/data/ssh"
#endif
#define _PATH_PRIVSEP_CHROOT_DIR SSHDIR "/empty"
步骤6:编译后再push到设备上,然后sshd_config拷贝到/data/ssh/目录
步骤7:再启动,提示avc denied,这是3399上的selinux的安全策略配置为permissive导致的,可用setenforce先关掉验证,我这里是直接将访问域权限加进去:
diff --git a/device/rockchip/common/sepolicy/file_contexts b/device/rockchip/common/sepolicy/file_contexts
index bf59a9e..631c9ed 100755
--- a/device/rockchip/common/sepolicy/file_contexts
+++ b/device/rockchip/common/sepolicy/file_contexts
@@ -168,3 +168,4 @@
/backup(/.*)? u:object_r:system_file:s0
/system/bin/daemonsu u:object_r:daemonsu_exec:s0
+/system/bin/start-ssh u:object_r:start-ssh_exec:s0
diff --git a/device/rockchip/common/sepolicy/start-ssh.te b/device/rockchip/common/sepolicy/start-ssh.te
new file mode 100644
index 0000000..abff468
--- /dev/null
+++ b/device/rockchip/common/sepolicy/start-ssh.te
@@ -0,0 +1,18 @@
+type start-ssh, domain;
+type start-ssh_exec, exec_type, file_type;
+
+init_daemon_domain(start-ssh)
+allow start-ssh start-ssh:tcp_socket { read write getopt getattr setopt accept create bind listen name_bind node_bind };
+allow start-ssh fwmarkd_socket:sock_file { write };
+allow start-ssh netd:unix_stream_socket { connectto };
+allow start-ssh start-ssh:fd { use };
+allow start-ssh port:tcp_socket { name_bind };
+allow start-ssh node:tcp_socket { node_bind };
+allow start-ssh system_file:file { execute_no_trans };
+allow start-ssh start-ssh:capability { setgid net_raw setuid dac_override net_bind_service };
+allow start-ssh start-ssh:udp_socket { create };
+allow start-ssh system_data_file:file { read open getattr create write };
+allow start-ssh system_data_file:dir { read write open getattr add_name };
+allow start-ssh rootfs:lnk_file { getattr };
+allow start-ssh shell_exec:file { getattr execute read open execute_no_trans };
+allow start-ssh devpts:chr_file { open ioctl getattr read write setattr getattr };
diff --git a/system/sepolicy/domain.te b/system/sepolicy/domain.te
index 7e5dffb..14000c4 100644
--- a/system/sepolicy/domain.te
+++ b/system/sepolicy/domain.te
@@ -469,6 +469,7 @@ neverallow {
-system_server
-system_app
-init
+ -start-ssh
-installd # for relabelfrom and unlink, check for this in explicit neverallow
} system_data_file:file no_w_file_perms;
# do not grant anything greater than r_file_perms and relabelfrom unlink
运行起来后,用电脑连接,连接进去后直接就是root用户
ssh [email protected]运行ok时的/data/ssh目录
rk3399-x24:/ # ls /data/ssh/
total 27
-rw------- 1 root root 405 2013-01-18 16:50 authorized_keys
drw------- 2 root root 3488 2018-11-28 15:14 empty
-rw------- 1 root root 668 2013-01-18 16:50 ssh_host_dsa_key
-rw------- 1 root root 604 2013-01-18 16:50 ssh_host_dsa_key.pub
-rw------- 1 root root 227 2013-01-18 16:50 ssh_host_ecdsa_key
-rw------- 1 root root 176 2013-01-18 16:50 ssh_host_ecdsa_key.pub
-rw------- 1 root root 1675 2013-01-18 16:50 ssh_host_rsa_key
-rw------- 1 root root 396 2013-01-18 16:50 ssh_host_rsa_key.pub
-rw------- 1 root root 4 2013-01-18 16:50 sshd.pid
-rw------- 1 root root 3341 2013-01-18 16:50 sshd_config
剩下的工作就是把启动服务做进固件里面去,然后将/data/ssh/里面的文件全部拷贝出来,编译的时候拷贝到system/etc/ssh/目录,开机再拷贝到data/ssh目录,并设置好相关的权限
diff --git a/device/rockchip/rk3399/rk3399_firefly_box/init.rc b/device/rockchip/rk3399/rk3399_firefly_box/init.rc
index a68ea13..a41ac46 100644
--- a/device/rockchip/rk3399/rk3399_firefly_box/init.rc
+++ b/device/rockchip/rk3399/rk3399_firefly_box/init.rc
@@ -409,8 +409,30 @@ on post-fs-data
mkdir /data/misc/profman 0770 system shell
+
+ # For ssh
+ mkdir /data/ssh
+ chmod 777 /data/ssh
+ copy /system/etc/ssh/authorized_keys /data/ssh/authorized_keys
+ copy /system/etc/ssh/ssh_host_dsa_key /data/ssh/ssh_host_dsa_key
+ copy /system/etc/ssh/ssh_host_dsa_key.pub /data/ssh/ssh_host_dsa_key.pub
+ copy /system/etc/ssh/ssh_host_ecdsa_key /data/ssh/ssh_host_ecdsa_key
+ copy /system/etc/ssh/ssh_host_ecdsa_key.pub /data/ssh/ssh_host_ecdsa_key.pub
+ copy /system/etc/ssh/ssh_host_rsa_key /data/ssh/ssh_host_rsa_key
+ copy /system/etc/ssh/ssh_host_rsa_key.pub /data/ssh/ssh_host_rsa_key.pub
+ copy /system/etc/ssh/sshd_config /data/ssh/sshd_config
+ mkdir /data/ssh/empty
+ chmod 600 /data/ssh/empty
+ chmod 600 /data/ssh/authorized_keys
+ chmod 600 /data/ssh/ssh_host_dsa_key
+ chmod 600 /data/ssh/ssh_host_dsa_key.pub
+ chmod 600 /data/ssh/ssh_host_ecdsa_key
+ chmod 600 /data/ssh/ssh_host_ecdsa_key.pub
+ chmod 600 /data/ssh/ssh_host_rsa_key
+ chmod 600 /data/ssh/ssh_host_rsa_key.pub
+ chmod 600 /data/ssh/sshd_config
# For security reasons, /data/local/tmp should always be empty.
# Do not place files or directories in /data/local/tmp
diff --git a/device/rockchip/rk3399/rk3399.mk b/device/rockchip/rk3399/rk3399.mk
index 9125ef8..ab35580 100755
--- a/device/rockchip/rk3399/rk3399.mk
+++ b/device/rockchip/rk3399/rk3399.mk
@@ -52,6 +52,18 @@ PRODUCT_PACKAGES += \
MmsService
PRODUCT_COPY_FILES += \
+ $(call find-copy-subdir-files,*,$(LOCAL_PATH)/ssh,system/etc/ssh)
diff --git a/device/rockchip/common/init.rockchip.rc b/device/rockchip/common/init.rockchip.rc
index 00078bb..4ad843e 100755
--- a/device/rockchip/common/init.rockchip.rc
+++ b/device/rockchip/common/init.rockchip.rc
@@ -197,6 +197,11 @@ service getbootmode /system/bin/getbootmode.sh
disabled
oneshot
+service daemonssh /system/bin/start-ssh
+ class main
+ user root
+ group root
+