
Android7.1 新增SSH 功能

平臺:rk3399

 

有個需求需要裝置支援ssh功能,這東西網上也有類似的資料.

具體的需求是客戶提供ssh的公鑰,公鑰加入到韌體裡面,燒錄後開機起來,裝置用ssh 就可以直接連上3399.

本來是做openbear的支援,因為有裝置在5.1上支援過,編譯沒問題,但連線的時候總是被拒絕,找了很久原因沒解決,很絕望,只好回頭來搞openssh的.

好了,進入主題,其實原始碼裡面external/openssh有了,external/zlib已經支援了,openssl的庫也支援了,所以只需要除錯openssh.

步驟1:device/rockchip/rk3399/rk3399.mk 新增:

diff --git a/device/rockchip/rk3399/rk3399.mk b/device/rockchip/rk3399/rk3399.mk
index 9125ef8..ab35580 100755
--- a/device/rockchip/rk3399/rk3399.mk
+++ b/device/rockchip/rk3399/rk3399.mk
@@ -52,6 +52,18 @@ PRODUCT_PACKAGES += \
        MmsService
+
+# Openssh
+PRODUCT_PACKAGES += \
+       scp \
+       sftp \
+       ssh \
+       sshd \
+       sshd_config \
+       ssh-keygen \
+       start-ssh
 

編譯燒錄system.img後,板子上已經有ssh相關命令了

步驟2:先創建出幾個key:

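# Runtime directory for sshd (the config.h patch below points SSHDIR here),
# and the privilege-separation chroot directory SSHDIR/empty.
mkdir -p /data/ssh
mkdir -p /data/ssh/empty
# 700: root-only access, so private host keys and authorized_keys are not readable or
# replaceable by other uids.
chmod 700 /data/ssh
chmod 700 /data/ssh/empty
cd /data/ssh/
# Generate host keys with an empty passphrase (-N "") so sshd can load them unattended.
# The blog rendering shows curly quotes (“”) here; a shell would pass those two
# characters literally as the passphrase, so plain ASCII "" must be used.
ssh-keygen -t rsa   -f ssh_host_rsa_key   -N ""
ssh-keygen -t dsa   -f ssh_host_dsa_key   -N ""
ssh-keygen -t ecdsa -f ssh_host_ecdsa_key -N ""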

步驟3:將我們電腦上的公鑰push進去

adb  push  id_rsa.pub /data/ssh/authorized_keys

步驟4:更改sshd服務配置檔案/system/etc/ssh/sshd_config

將#Port  22改為Port 22
將#PermitRootLogin yes改為PermitRootLogin  without-password
將#RSAAuthentication yes改為RSAAuthentication  yes
將#PubkeyAuthentication yes改為PubkeyAuthentication  yes
將PasswordAuthentication no改為#PasswordAuthentication  no
將#PermitEmptyPasswords no改為PermitEmptyPasswords  yes
將#ChallengeResponseAuthentication yes改為ChallengeResponseAuthentication  yes
將#UsePrivilegeSeparation  yes改為UsePrivilegeSeparation  no

步驟5:啟動ssh服務

# Launch sshd through the packaged start-ssh wrapper. The first attempt fails with
# "file not found" errors because the compiled-in directories still point at /var/run
# (see the config.h patch below).
start-ssh

啟動失敗,提示有幾個檔案找不到,原來是配置目錄的路徑不對,更改原始碼:

diff --git a/external/openssh/config.h b/external/openssh/config.h
index 053c276..82aeb89 100644
--- a/external/openssh/config.h
+++ b/external/openssh/config.h
@@ -1574,13 +1574,13 @@
 /* #undef _LARGE_FILES */
 
 /* log for bad login attempts */
-#define _PATH_BTMP "/var/log/btmp"
+#define _PATH_BTMP "/data/ssh"
 
 /* Full path of your "passwd" program */
 #define _PATH_PASSWD_PROG "/usr/bin/passwd"
 
 /* Specify location of ssh.pid */
-#define _PATH_SSH_PIDDIR "/var/run"
+#define _PATH_SSH_PIDDIR "/data/ssh"
 
 /* Define if we don't have struct __res_state in resolv.h */
 /* #undef __res_state */
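Review bot: `_PATH_BTMP` is a file path (the bad-login log, per the comment above it), but the new value `"/data/ssh"` is the directory that also holds the host keys and sshd_config; if the btmp code path is compiled in, opening a directory for append will fail, and a valid path would mix login-failure records into the key directory. Point it at a file instead, `#define _PATH_BTMP "/data/ssh/btmp"`. The 700/root-owned directory from step 2 is appropriate for that file as well.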
@@ -1595,7 +1595,7 @@
 /* #undef socklen_t */
 
 #ifndef SSHDIR
-#define SSHDIR "/var/run/ssh"
+#define SSHDIR "/data/ssh"
 #endif
 
 #define _PATH_PRIVSEP_CHROOT_DIR SSHDIR "/empty"

步驟6:編譯後再push到裝置上,然後sshd_config拷貝到/data/ssh/目錄

步驟7:再啟動,提示avc denied,這是3399上的selinux的安全策略配置為permissive導致的,可用setenforce先關掉驗證,我這裡是直接將訪問域許可權加進去:

diff --git a/device/rockchip/common/sepolicy/file_contexts b/device/rockchip/common/sepolicy/file_contexts
index bf59a9e..631c9ed 100755
--- a/device/rockchip/common/sepolicy/file_contexts
+++ b/device/rockchip/common/sepolicy/file_contexts
@@ -168,3 +168,4 @@
 /backup(/.*)?               u:object_r:system_file:s0
 
 /system/bin/daemonsu                   u:object_r:daemonsu_exec:s0
+/system/bin/start-ssh                  u:object_r:start-ssh_exec:s0
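Review bot: /data/ssh gets no file_contexts entry of its own, so everything sshd writes there (host keys, authorized_keys, sshd.pid) keeps the generic `system_data_file` label; that is what forces start-ssh.te below to grant `system_data_file:file { ... create write }` across all of /data and domain.te to carve `-start-ssh` out of the no_w_file_perms neverallow. A dedicated type keeps the grant scoped to the SSH directory and leaves the neverallow intact: `type ssh_data_file, file_type, data_file_type;` in start-ssh.te, `/data/ssh(/.*)?  u:object_r:ssh_data_file:s0` here, and `restorecon_recursive /data/ssh` after the mkdir in init.rc. The same point applies to the start-ssh.te and domain.te hunks below.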
diff --git a/device/rockchip/common/sepolicy/start-ssh.te b/device/rockchip/common/sepolicy/start-ssh.te
new file mode 100644
index 0000000..abff468
--- /dev/null
+++ b/device/rockchip/common/sepolicy/start-ssh.te
@@ -0,0 +1,18 @@
+type start-ssh, domain;
+type start-ssh_exec, exec_type, file_type;
+
+init_daemon_domain(start-ssh)
+allow start-ssh start-ssh:tcp_socket { read write getopt getattr setopt accept create bind listen name_bind node_bind };
+allow start-ssh fwmarkd_socket:sock_file { write };
+allow start-ssh netd:unix_stream_socket { connectto };
+allow start-ssh start-ssh:fd { use };
+allow start-ssh port:tcp_socket { name_bind };
+allow start-ssh node:tcp_socket { node_bind };
+allow start-ssh system_file:file { execute_no_trans };
+allow start-ssh start-ssh:capability { setgid net_raw setuid dac_override net_bind_service };
+allow start-ssh start-ssh:udp_socket { create };
+allow start-ssh system_data_file:file { read open getattr create write };
+allow start-ssh system_data_file:dir { read write open getattr add_name };
+allow start-ssh rootfs:lnk_file { getattr };
+allow start-ssh shell_exec:file { getattr execute read open execute_no_trans };
+allow start-ssh devpts:chr_file { open ioctl getattr read write setattr getattr };
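Review bot: The `devpts:chr_file` rule on the last line lists `getattr` twice; `allow start-ssh devpts:chr_file { open ioctl getattr read write setattr };` is the intended set. The capability line (`dac_override setuid setgid net_raw net_bind_service`) and the `system_file`/`shell_exec` execute_no_trans grants are wider than the denials the post mentions justify on their own, and each rule is easier to defend when it is tied to a specific audit entry; `dac_override` in particular is often needed only because of a file-mode mistake elsewhere (the 600 mode on the `empty` chroot directory in init.rc looks like a candidate) rather than by sshd itself, so it is worth confirming which denial it was added for.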
diff --git a/system/sepolicy/domain.te b/system/sepolicy/domain.te
index 7e5dffb..14000c4 100644
--- a/system/sepolicy/domain.te
+++ b/system/sepolicy/domain.te
@@ -469,6 +469,7 @@ neverallow {
   -system_server
   -system_app
   -init
+  -start-ssh
   -installd # for relabelfrom and unlink, check for this in explicit neverallow
 } system_data_file:file no_w_file_perms;
 # do not grant anything greater than r_file_perms and relabelfrom unlink

執行起來後,用電腦連線,連線進去後直接就是root使用者

ssh root@<裝置IP>

執行ok時的/data/ssh目錄

rk3399-x24:/ # ls /data/ssh/                                                          
total 27
-rw------- 1 root root  405 2013-01-18 16:50 authorized_keys
drw------- 2 root root 3488 2018-11-28 15:14 empty
-rw------- 1 root root  668 2013-01-18 16:50 ssh_host_dsa_key
-rw------- 1 root root  604 2013-01-18 16:50 ssh_host_dsa_key.pub
-rw------- 1 root root  227 2013-01-18 16:50 ssh_host_ecdsa_key
-rw------- 1 root root  176 2013-01-18 16:50 ssh_host_ecdsa_key.pub
-rw------- 1 root root 1675 2013-01-18 16:50 ssh_host_rsa_key
-rw------- 1 root root  396 2013-01-18 16:50 ssh_host_rsa_key.pub
-rw------- 1 root root    4 2013-01-18 16:50 sshd.pid
-rw------- 1 root root 3341 2013-01-18 16:50 sshd_config
         

剩下的工作就是把啟動服務做進韌體裡面去,然後將/data/ssh/裡面的檔案全部拷貝出來,編譯的時候拷貝到system/etc/ssh/目錄,開機再拷貝到data/ssh目錄,並設定好相關的許可權

diff --git a/device/rockchip/rk3399/rk3399_firefly_box/init.rc b/device/rockchip/rk3399/rk3399_firefly_box/init.rc
index a68ea13..a41ac46 100644
--- a/device/rockchip/rk3399/rk3399_firefly_box/init.rc
+++ b/device/rockchip/rk3399/rk3399_firefly_box/init.rc
@@ -409,8 +409,30 @@ on post-fs-data
     mkdir /data/misc/profman 0770 system shell
+
+       # For ssh 
+       mkdir /data/ssh
+       chmod 777 /data/ssh
+       copy /system/etc/ssh/authorized_keys /data/ssh/authorized_keys
+       copy /system/etc/ssh/ssh_host_dsa_key /data/ssh/ssh_host_dsa_key
+       copy /system/etc/ssh/ssh_host_dsa_key.pub /data/ssh/ssh_host_dsa_key.pub
+       copy /system/etc/ssh/ssh_host_ecdsa_key /data/ssh/ssh_host_ecdsa_key
+       copy /system/etc/ssh/ssh_host_ecdsa_key.pub /data/ssh/ssh_host_ecdsa_key.pub
+       copy /system/etc/ssh/ssh_host_rsa_key /data/ssh/ssh_host_rsa_key
+       copy /system/etc/ssh/ssh_host_rsa_key.pub /data/ssh/ssh_host_rsa_key.pub
+       copy /system/etc/ssh/sshd_config /data/ssh/sshd_config
+       mkdir /data/ssh/empty
+       chmod 600 /data/ssh/empty
+       chmod 600 /data/ssh/authorized_keys
+       chmod 600 /data/ssh/ssh_host_dsa_key
+       chmod 600 /data/ssh/ssh_host_dsa_key.pub
+       chmod 600 /data/ssh/ssh_host_ecdsa_key
+       chmod 600 /data/ssh/ssh_host_ecdsa_key.pub
+       chmod 600 /data/ssh/ssh_host_rsa_key
+       chmod 600 /data/ssh/ssh_host_rsa_key.pub
+       chmod 600 /data/ssh/sshd_config
 
     # For security reasons, /data/local/tmp should always be empty.
     # Do not place files or directories in /data/local/tmp
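Review bot: `chmod 777 /data/ssh` makes the directory world-writable, so the 600 modes on the files inside do not protect them — directory write permission allows entries to be renamed or unlinked by any local uid regardless of the files' own modes, and if StrictModes is on in the copied sshd_config, sshd will refuse an authorized_keys whose parent directory is group/world writable. init's mkdir takes a mode and owner, so `mkdir /data/ssh 0700 root root` and dropping the chmod is enough. Separately, the host private keys are copied out of `/system/etc/ssh`, i.e. baked into the firmware image, so every unit flashed with this build presents the same host identity and the private keys are exposed to anyone holding the image; generating them on first boot (ssh-keygen is already packaged) and shipping only `authorized_keys` in the image is the usual fix, and this applies equally to the rk3399.mk `find-copy-subdir-files` hunk below, which copies every file in ssh/ including the private keys. `chmod 600 /data/ssh/empty` also drops the execute bit the `_PATH_PRIVSEP_CHROOT_DIR` directory needs to be entered; 0755 root-owned is the conventional mode, although with `UsePrivilegeSeparation no` that path may not be exercised.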

diff --git a/device/rockchip/rk3399/rk3399.mk b/device/rockchip/rk3399/rk3399.mk
index 9125ef8..ab35580 100755
--- a/device/rockchip/rk3399/rk3399.mk
+++ b/device/rockchip/rk3399/rk3399.mk
@@ -52,6 +52,18 @@ PRODUCT_PACKAGES += \
        MmsService
 
 PRODUCT_COPY_FILES += \
+       $(call find-copy-subdir-files,*,$(LOCAL_PATH)/ssh,system/etc/ssh)

diff --git a/device/rockchip/common/init.rockchip.rc b/device/rockchip/common/init.rockchip.rc
index 00078bb..4ad843e 100755
--- a/device/rockchip/common/init.rockchip.rc
+++ b/device/rockchip/common/init.rockchip.rc
@@ -197,6 +197,11 @@ service getbootmode /system/bin/getbootmode.sh
     disabled
         oneshot
 
+service daemonssh /system/bin/start-ssh
+       class main
+       user  root
+       group root
+