
UbuntuHelp:SSH/OpenSSH/Advanced

From Ubuntu Chinese



Introduction

This page discusses a collection of advanced uses for SSH. This list is far from complete - it should only serve to get you thinking about possible uses.

Tunneling VNC connections through ssh

Virtual Network Computing ("VNC") is a cross-platform way of sharing a desktop. Once you've set your SSH server up, see VNC for more information.

Mounting a remote directory

The SSH protocol includes SFTP (the Secure File Transfer Protocol). Ubuntu can use SFTP to treat your SSH server rather like a removable drive. For example, if your Ubuntu computer has an SSH account on a computer called `alpha-centauri`, you could create a folder `alpha-centauri` in your home folder, then do the following:

sshfs -o idmap=user alpha-centauri: ~/alpha-centauri/

Now when you look in your `alpha-centauri` folder, you will see your home folder on `alpha-centauri`. You can safely remove this device by doing:

fusermount -u ~/alpha-centauri/

Although this SSH filesystem is extremely useful, it's not what the SFTP protocol was designed for. As such, some ordinary operations might not behave the way you'd expect - for example, you can't unmount an SSHFS directory from the file browser.

Running from (x)inetd

The OpenSSH server can also be called into service as needed by the Internet Daemon, `inetd`, or its modern replacement, xinetd. To do this, you must configure (x)inetd to listen on TCP port 22, and to run `/usr/sbin/sshd -i` when a connection is established.

Logging in with Kerberos

Kerberos is a network authentication system used in some large organisations. It allows a user to have a single company-wide password that they use to log in to all their services. Kerberos isn't recommended for general use, but it can be useful if you have an existing security infrastructure.

Limiting the number of connections

If you allow passwords on your SSH server, you can use Ubuntu's firewall (iptables) to limit the rate at which passwords can be guessed. This forces an attacker to probe your computer slowly, so it might take weeks or months to guess your password. But it also allows an attacker to stop anybody from logging in, by flooding the server with bogus connection attempts. You should only try this if you fully understand how `iptables` works. As root, you can do this:

# Create a chain that lets at most 3 new connections per minute (burst of 3) through and drops the rest
iptables -N rate-limit
iptables -A rate-limit -p tcp -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 3 -j RETURN
iptables -A rate-limit -j DROP
# Send only NEW connections to port 22 through that chain; without --ctstate NEW here, every later
# packet of an established session would fail the NEW match inside the chain and be dropped
iptables -I INPUT 1 -p tcp --dport 22 -m conntrack --ctstate NEW -j rate-limit

This will limit your computer to 3 new SSH connection attempts per minute. To make this change permanent, you will need to save these rules in whatever way you normally do. (This section was based in part on DD-WRT's guide.)
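To see what `--limit 3/min --limit-burst 3` actually does, here is an added Python model (not code from this page or from the iptables project) of the token bucket behind the `-m limit` match, run over a constructed sequence of new SSH connections. It also shows the lockout the text warns about: because the bucket is shared by all sources, a flood of bogus attempts leaves no tokens for the legitimate administrator.

```python
# Added example: token-bucket model of the iptables "-m limit" match used above.
# Timestamps and the "attacker"/"admin" labels below are constructed sample data.
from dataclasses import dataclass, field


@dataclass
class LimitMatch:
    """Model of xt_limit: a bucket holding at most `burst` tokens, refilled at `rate_per_min`."""
    rate_per_min: float = 3.0   # --limit 3/min
    burst: int = 3              # --limit-burst 3
    tokens: float = field(init=False)
    last: float = field(init=False, default=0.0)

    def __post_init__(self):
        self.tokens = float(self.burst)   # the bucket starts full

    def allow(self, now: float) -> bool:
        # Refill in proportion to the seconds elapsed, never beyond the burst size.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate_per_min / 60.0)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True    # match -> -j RETURN, the connection attempt continues
        return False       # no match -> falls through to -j DROP


def simulate(attempts):
    """attempts: list of (seconds, source) for NEW connections to port 22; returns verdicts in time order."""
    limiter = LimitMatch()
    return [(t, src, "RETURN" if limiter.allow(t) else "DROP") for t, src in sorted(attempts)]


def dropped_for(verdicts, src):
    """Count how many of `src`'s attempts were dropped."""
    return sum(1 for _, s, v in verdicts if s == src and v == "DROP")


# Constructed sample: six bogus connections at t=0, then the admin tries at 10s, 30s and 45s.
SAMPLE = [(0, "attacker")] * 6 + [(10, "admin"), (30, "admin"), (45, "admin")]

if __name__ == "__main__":
    for t, src, verdict in simulate(SAMPLE):
        print(f"t={t:>3}s {src:<8} {verdict}")
```

The admin's attempt at 10 seconds is dropped because the attacker emptied the bucket and only half a token has been refilled; the attempts at 30 and 45 seconds get through.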

Resources

Additional resources pertaining to the advanced configuration of OpenSSH for enhanced security appear below.

Local System Resources

  • man sshd: system manual page for the sshd server daemon
  • man sshd_config: system manual page for the /etc/ssh/sshd_config configuration file
  • man ssh-copy-id: system manual page for the ssh-copy-id application
  • man ssh-keygen: system manual page for the ssh-keygen application
  • ~/.ssh/authorized_keys: list of "authorized" public keys (with limiting options)
  • /etc/ssh/sshd_config: the OpenSSH Secure Shell Daemon (sshd) configuration file

Ubuntu Wiki Resources

  • OpenSSH 4.3 VPNs describes how to create a Virtual Private Network with recent versions of SSH.
  • GPG & OpenSSH describes how to use GPG to sign SSH keys.

WWW Resources

  • Keeping SSH access secure
  • OpenSSH Website
  • Password-less logins with OpenSSH