Viewing the current sshd configuration with gdb

Reference:

https://yq.aliyun.com/articles/57916

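Suppose we do not know which configuration file the sshd on this machine is using, or which settings it has in effect. sshd offers no interface for displaying the configuration of the currently running sshd, so when we need to know it we have to obtain it some other way.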

Here we use strace and gdb to obtain the current configuration.

Install the tools

Find the configuration file sshd is currently using

strace -e open -ostrace.out /usr/sbin/sshd
           

Look through the result and find sshd_config

[[email protected] ~]# cat strace.out 
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 
open("/lib64/libfipscheck.so.1", O_RDONLY|O_CLOEXEC) = 
open("/lib64/libwrap.so.0", O_RDONLY|O_CLOEXEC) = 
open("/lib64/libaudit.so.1", O_RDONLY|O_CLOEXEC) = 
open("/lib64/libpam.so.0", O_RDONLY|O_CLOEXEC) = 
open("/lib64/libselinux.so.1", O_RDONLY|O_CLOEXEC) = 
open("/lib64/libcrypto.so.10", O_RDONLY|O_CLOEXEC) = 
open("/lib64/libdl.so.2", O_RDONLY|O_CLOEXEC) = 
open("/lib64/libldap-2.4.so.2", O_RDONLY|O_CLOEXEC) = 
open("/lib64/liblber-2.4.so.2", O_RDONLY|O_CLOEXEC) = 
open("/lib64/libutil.so.1", O_RDONLY|O_CLOEXEC) = 
open("/lib64/libz.so.1", O_RDONLY|O_CLOEXEC) = 
open("/lib64/libnsl.so.1", O_RDONLY|O_CLOEXEC) = 
open("/lib64/libcrypt.so.1", O_RDONLY|O_CLOEXEC) = 
open("/lib64/libresolv.so.2", O_RDONLY|O_CLOEXEC) = 
open("/lib64/libgssapi_krb5.so.2", O_RDONLY|O_CLOEXEC) = 
open("/lib64/libkrb5.so.3", O_RDONLY|O_CLOEXEC) = 
open("/lib64/libk5crypto.so.3", O_RDONLY|O_CLOEXEC) = 
open("/lib64/libcom_err.so.2", O_RDONLY|O_CLOEXEC) = 
open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 
open("/lib64/libpcre.so.1", O_RDONLY|O_CLOEXEC) = 
open("/lib64/liblzma.so.5", O_RDONLY|O_CLOEXEC) = 
open("/lib64/libsasl2.so.3", O_RDONLY|O_CLOEXEC) = 
open("/lib64/libssl3.so", O_RDONLY|O_CLOEXEC) = 
open("/lib64/libsmime3.so", O_RDONLY|O_CLOEXEC) = 
open("/lib64/libnss3.so", O_RDONLY|O_CLOEXEC) = 
open("/lib64/libnssutil3.so", O_RDONLY|O_CLOEXEC) = 
open("/lib64/libplds4.so", O_RDONLY|O_CLOEXEC) = 
open("/lib64/libplc4.so", O_RDONLY|O_CLOEXEC) = 
open("/lib64/libnspr4.so", O_RDONLY|O_CLOEXEC) = 
open("/lib64/libpthread.so.0", O_RDONLY|O_CLOEXEC) = 
open("/lib64/libfreebl3.so", O_RDONLY|O_CLOEXEC) = 
open("/lib64/libkrb5support.so.0", O_RDONLY|O_CLOEXEC) = 
open("/lib64/libkeyutils.so.1", O_RDONLY|O_CLOEXEC) = 
open("/lib64/librt.so.1", O_RDONLY|O_CLOEXEC) = 
open("/proc/filesystems", O_RDONLY)     = 
open("/etc/pki/tls/openssl.cnf", O_RDONLY) = 
open("/dev/null", O_RDWR)               = 
open("/etc/ssh/sshd_config", O_RDONLY)  = 3
open("/dev/urandom", O_RDONLY)          = 
open("/etc/gai.conf", O_RDONLY|O_CLOEXEC) = - ENOENT (No such file or directory)
open("/etc/nsswitch.conf", O_RDONLY|O_CLOEXEC) = 
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 
open("/lib64/libnss_files.so.2", O_RDONLY|O_CLOEXEC) = 
open("/etc/passwd", O_RDONLY|O_CLOEXEC) = 
open("/etc/ssh/ssh_host_rsa_key", O_RDONLY) = 
open("/etc/group", O_RDONLY|O_CLOEXEC)  = 
open("/etc/ssh/ssh_host_rsa_key", O_RDONLY) = 
open("/etc/ssh/ssh_host_rsa_key", O_RDONLY) = 
open("/etc/ssh/ssh_host_rsa_key", O_RDONLY) = 
open("/etc/ssh/ssh_host_rsa_key.pub", O_RDONLY) = 
open("/etc/ssh/ssh_host_ecdsa_key", O_RDONLY) = 
open("/etc/group", O_RDONLY|O_CLOEXEC)  = 
open("/etc/ssh/ssh_host_ecdsa_key", O_RDONLY) = 
open("/etc/ssh/ssh_host_ecdsa_key", O_RDONLY) = 
open("/etc/ssh/ssh_host_ecdsa_key", O_RDONLY) = 
open("/etc/ssh/ssh_host_ecdsa_key.pub", O_RDONLY) = 
open("/etc/ssh/ssh_host_ed25519_key", O_RDONLY) = 
open("/etc/group", O_RDONLY|O_CLOEXEC)  = 
open("/etc/ssh/ssh_host_ed25519_key", O_RDONLY) = 
open("/etc/ssh/ssh_host_ed25519_key", O_RDONLY) = 
open("/etc/ssh/ssh_host_ed25519_key", O_RDONLY) = 
open("/etc/ssh/ssh_host_ed25519_key.pub", O_RDONLY) = 
+++ exited with  +++
           

The output contains the entry open("/etc/ssh/sshd_config", O_RDONLY) = 3, so the configuration file has been found.
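
The same lookup done mechanically, as an added example that is not part of the original article. It goes slightly beyond the trace above by also accepting openat() lines, which newer glibc emits instead of open(), and files under an sshd_config.d directory; the sample trace and the paths in it are constructed.

```shell
# Constructed sample: a short strace log mixing open() and openat() forms.
sample_trace() {
cat <<'EOF'
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/local/etc/sshd_config", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/etc/ssh/sshd_config", O_RDONLY)  = 3
openat(AT_FDCWD, "/etc/ssh/sshd_config.d/50-hardening.conf", O_RDONLY) = 3
open("/etc/ssh/ssh_host_rsa_key", O_RDONLY) = 3
open("/etc/ssh/sshd_config", O_RDONLY)  = 3
EOF
}

# Print each sshd configuration file that was opened successfully, once, in order.
# stdin: the file written by strace -o
sshd_config_from_strace() {
    awk '
        !/^open(at)?\(/ { next }      # keep only open and openat calls
        / = -1 E/       { next }      # skip failed opens such as ENOENT
        match($0, /"[^"]*"/) {
            # the first quoted argument is the path
            path = substr($0, RSTART + 1, RLENGTH - 2)
            wanted = (path ~ /sshd_config$/) || index(path, "/sshd_config.d/")
            if (wanted && !seen[path]++) print path
        }
    '
}

sample_trace | sshd_config_from_strace
```

Against a real trace, run it as `sshd_config_from_strace < strace.out`; on systems where glibc uses openat(), the trace has to be collected with `-e trace=open,openat` for the config file to show up at all.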

Viewing the current sshd configuration

1. Find the sshd process with ps

[root@centos-- ~]# ps uax | grep sshd
root         .  .     ?        Ss   :   : /usr/sbin/sshd -D
root         .  .    ?        Ss   :   : sshd: root@pts/
root         .  .     pts/    S+   :09   : grep --color=auto sshd
           

We can see that the current sshd process is 1122.

2. Use gcore to dump the memory of that pid

gcore 1122
           

3. Analyze it with gdb

If you are prompted with:

Missing separate debuginfos, use: debuginfo-install openssh-server-6.6.1p1-25.el7_2.x86_64

install the corresponding debuginfo package:

debuginfo-install openssh-server-6.6.1p1-25.el7_2.x86_64
           

Run gdb again; it reports that further debug packages are needed, so keep installing:

debuginfo-install cyrus-sasl-lib--el7_2.x86_64 keyutils-libs--el7.x86_64 nspr--el7_1.x86_64 nss--el7_2.x86_64 nss-softokn-freebl--el7_1.x86_64 nss-util--el7_2.x86_64 pcre--el7.x86_64 xz-libs--alpha.el7.x86_64
           

There are quite a few packages here, so the installation takes a while; you can go and have a cup of coffee first.

Once the installation has finished, enter gdb again.

Print options to view the settings; these are the configuration of the current sshd process.

(gdb) print options
$1 = {num_ports = , ports_from_cmdline = , ports = {,  <repeats  times>}, listen_addr = , listen_addrs = , address_family = , host_key_files = {
     "/etc/ssh/ssh_host_rsa_key",  "/etc/ssh/ssh_host_ecdsa_key",  "/etc/ssh/ssh_host_ed25519_key",  <repeats  times>}, 
  num_host_key_files = , host_cert_files = { <repeats  times>}, num_host_cert_files = , host_key_agent = , pid_file =  "/var/run/sshd.pid", 
  server_key_bits = , login_grace_time = , key_regeneration_time = , permit_root_login = , ignore_rhosts = , ignore_user_known_hosts = , print_motd = , print_lastlog = , 
  x11_forwarding = , x11_display_offset = , x11_use_localhost = , xauth_location =  "/usr/bin/xauth", permit_tty = , strict_modes = , tcp_keep_alive = , 
  ip_qos_interactive = , ip_qos_bulk = , ciphers = , macs = , kex_algorithms = , protocol = , gateway_ports = , log_facility = SYSLOG_FACILITY_LOCAL, 
  log_level = SYSLOG_LEVEL_INFO, rhosts_rsa_authentication = , hostbased_authentication = , hostbased_uses_name_from_packet_only = , rsa_authentication = , pubkey_authentication = , 
  kerberos_authentication = , kerberos_or_local_passwd = , kerberos_ticket_cleanup = , kerberos_get_afs_token = , gss_authentication = , gss_keyex = , gss_cleanup_creds = , 
  gss_strict_acceptor = , gss_store_rekey = , gss_kex_algorithms =  "gss-gex-sha1-,gss-group1-sha1-,gss-group14-sha1-", password_authentication = , 
  kbd_interactive_authentication = , challenge_response_authentication = , permit_empty_passwd = , permit_user_env = , use_login = , compression = , allow_tcp_forwarding = , 
  allow_agent_forwarding = , num_allow_users = , allow_users = { <repeats  times>}, num_deny_users = , deny_users = { <repeats  times>}, num_allow_groups = , 
  allow_groups = { <repeats  times>}, num_deny_groups = , deny_groups = { <repeats  times>}, num_subsystems = , subsystem_name = { "sftp", 
     <repeats  times>}, subsystem_command = { "/usr/libexec/openssh/sftp-server",  <repeats  times>}, subsystem_args = {
     "/usr/libexec/openssh/sftp-server",  <repeats  times>}, num_accept_env = , accept_env = { "LANG",  "LC_CTYPE", 
     "LC_NUMERIC",  "LC_TIME",  "LC_COLLATE",  "LC_MONETARY",  "LC_MESSAGES",  "LC_PAPER", 
     "LC_NAME",  "LC_ADDRESS",  "LC_TELEPHONE",  "LC_MEASUREMENT",  "LC_IDENTIFICATION",  "LC_ALL", 
     "LANGUAGE",  "XMODIFIERS",  <repeats  times>}, max_startups_begin = , max_startups_rate = , max_startups = , max_authtries = , 
  max_sessions = , banner = , show_patchlevel = , use_dns = , client_alive_interval = , client_alive_count_max = , num_authkeys_files = , authorized_keys_files = {
     ".ssh/authorized_keys",  <repeats  times>}, adm_forced_command = , use_pam = , permit_tun = , num_permitted_opens = -, use_kuserok = , enable_k5users = , 
  chroot_directory = , revoked_keys_file = , trusted_user_ca_keys = , authorized_principals_file = , authorized_keys_command = , authorized_keys_command_user = , 
  rekey_limit = , rekey_interval = , version_addendum =  "", num_auth_methods = , auth_methods = { <repeats  times>}}
           

We can change a parameter to test this.

For example, the current values are as follows:

Check with sshd -T:

[root@centos-- ~]# sshd -T | grep maxstartups
maxstartups ::
           

We can see that the values are the same.

Edit /etc/ssh/sshd_config and append the following configuration at the end:

Test whether the configuration is correct:

[root@centos-- ~]# sshd -T | grep maxstartups
maxstartups ::
           

Restart sshd:

The pid has changed; it is now 5376.

[root@centos-- ~]# ps aux | grep sshd
root         .  .    ?        Ss   :   : sshd: root@pts/
root         .  .    ?        Ss   :   : sshd: root@pts/
root         .  .     ?        Ss   :   : /usr/sbin/sshd -D
root         .  .     pts/    S+   :   : grep --color=auto sshd
           

Use gcore again to dump the memory of that pid:

gcore 5376
           

Open the core in gdb and view the options:

[[email protected] ~]# gdb -core=core /usr/sbin/sshd
GNU gdb (GDB) Red Hat Enterprise Linux -el7
Copyright (C)  Free Software Foundation, Inc.
License GPLv3+: GNU GPL version  or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /usr/sbin/sshd...Reading symbols from /usr/lib/debug/usr/sbin/sshd.debug...done.
done.
[New LWP ]
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
Core was generated by `/usr/sbin/sshd'.
#   in __select_nocancel () at ../sysdeps/unix/syscall-template.S:
  T_PSEUDO (SYSCALL_SYMBOL, SYSCALL_NAME, SYSCALL_NARGS)
           

We can see that the relevant values have changed.

(gdb) print options
$1 = {num_ports = , ports_from_cmdline = , ports = {,  <repeats  times>}, listen_addr = , listen_addrs = , address_family = , host_key_files = {
     "/etc/ssh/ssh_host_rsa_key",  "/etc/ssh/ssh_host_ecdsa_key",  "/etc/ssh/ssh_host_ed25519_key",  <repeats  times>}, 
  num_host_key_files = , host_cert_files = { <repeats  times>}, num_host_cert_files = , host_key_agent = , pid_file =  "/var/run/sshd.pid", 
  server_key_bits = , login_grace_time = , key_regeneration_time = , permit_root_login = , ignore_rhosts = , ignore_user_known_hosts = , print_motd = , print_lastlog = , 
  x11_forwarding = , x11_display_offset = , x11_use_localhost = , xauth_location =  "/usr/bin/xauth", permit_tty = , strict_modes = , tcp_keep_alive = , 
  ip_qos_interactive = , ip_qos_bulk = , ciphers = , macs = , kex_algorithms = , protocol = , gateway_ports = , log_facility = SYSLOG_FACILITY_LOCAL, 
  log_level = SYSLOG_LEVEL_INFO, rhosts_rsa_authentication = , hostbased_authentication = , hostbased_uses_name_from_packet_only = , rsa_authentication = , pubkey_authentication = , 
  kerberos_authentication = , kerberos_or_local_passwd = , kerberos_ticket_cleanup = , kerberos_get_afs_token = , gss_authentication = , gss_keyex = , gss_cleanup_creds = , 
  gss_strict_acceptor = , gss_store_rekey = , gss_kex_algorithms =  "gss-gex-sha1-,gss-group1-sha1-,gss-group14-sha1-", password_authentication = , 
  kbd_interactive_authentication = , challenge_response_authentication = , permit_empty_passwd = , permit_user_env = , use_login = , compression = , allow_tcp_forwarding = , 
  allow_agent_forwarding = , num_allow_users = , allow_users = { <repeats  times>}, num_deny_users = , deny_users = { <repeats  times>}, num_allow_groups = , 
  allow_groups = { <repeats  times>}, num_deny_groups = , deny_groups = { <repeats  times>}, num_subsystems = , subsystem_name = { "sftp", 
     <repeats  times>}, subsystem_command = { "/usr/libexec/openssh/sftp-server",  <repeats  times>}, subsystem_args = {
     "/usr/libexec/openssh/sftp-server",  <repeats  times>}, num_accept_env = , accept_env = { "LANG",  "LC_CTYPE", 
     "LC_NUMERIC",  "LC_TIME",  "LC_COLLATE",  "LC_MONETARY",  "LC_MESSAGES",  "LC_PAPER", 
     "LC_NAME",  "LC_ADDRESS",  "LC_TELEPHONE",  "LC_MEASUREMENT",  "LC_IDENTIFICATION",  "LC_ALL", 
     "LANGUAGE",  "XMODIFIERS",  <repeats  times>}, max_startups_begin = , max_startups_rate = , max_startups = , max_authtries = , 
  max_sessions = , banner = , show_patchlevel = , use_dns = , client_alive_interval = , client_alive_count_max = , num_authkeys_files = , authorized_keys_files = {
     ".ssh/authorized_keys",  <repeats  times>}, adm_forced_command = , use_pam = , permit_tun = , num_permitted_opens = -, use_kuserok = , enable_k5users = , 
  chroot_directory = , revoked_keys_file = , trusted_user_ca_keys = , authorized_principals_file = , authorized_keys_command = , authorized_keys_command_user = , 
  rekey_limit = , rekey_interval = , version_addendum =  "", num_auth_methods = , auth_methods = { <repeats  times>}}
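
The comparison walked through above, as an added example that is not part of the original article: sshd -T parses the configuration on disk, while the core dump shows what the running process loaded, so the two differ between editing the file and restarting the daemon. The sample values are constructed, and the function names are hypothetical helpers.

```shell
# Constructed samples (not from the page): a trimmed gdb "print options" dump
# taken before the restart, and "sshd -T" output read after editing the file.
GDB_SAMPLE='$1 = {num_ports = 1, ports = {22, 0 <repeats 255 times>}, max_startups_begin = 10, max_startups_rate = 30, max_startups = 100, max_authtries = 6}'
SSHD_T_SAMPLE='port 22
maxstartups 20:50:200
maxauthtries 6'

# Pull one integer member out of the struct dump. stdin: gdb output, $1: member.
gdb_field() {
    tr ',{}' '\n\n\n' |
        sed -n "s/^[[:space:]]*$1 = \(-\{0,1\}[0-9][0-9]*\)[[:space:]]*\$/\1/p" |
        head -n 1
}

# MaxStartups as held in the dumped process, in sshd -T's begin:rate:max form.
running_maxstartups() {
    dump=$(cat)
    b=$(printf '%s\n' "$dump" | gdb_field max_startups_begin)
    r=$(printf '%s\n' "$dump" | gdb_field max_startups_rate)
    m=$(printf '%s\n' "$dump" | gdb_field max_startups)
    [ -n "$b" ] && [ -n "$r" ] && [ -n "$m" ] || return 2
    printf '%s:%s:%s\n' "$b" "$r" "$m"
}

# MaxStartups as sshd -T reports it from the configuration file on disk.
ondisk_maxstartups() {
    awk '$1 == "maxstartups" { print $2; exit }'
}

# $1: gdb dump text, $2: sshd -T text. Returns 0 on match, 1 on drift, 2 if unparsed.
check_drift() {
    run=$(printf '%s\n' "$1" | running_maxstartups) || { echo "unparsed"; return 2; }
    disk=$(printf '%s\n' "$2" | ondisk_maxstartups)
    if [ "$run" = "$disk" ]; then
        echo "match $run"
    else
        echo "drift running=$run disk=$disk"
        return 1
    fi
}

check_drift "$GDB_SAMPLE" "$SSHD_T_SAMPLE" || true
```

A drift result means the daemon has not been restarted or reloaded since the file was edited, or that it was started with a different configuration file than the one sshd -T read.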