特殊:Badtitle/NS100:SSHHowto

来自Ubuntu中文
Oneleaf留言 | 贡献2007年5月24日 (四) 14:48的版本
跳到导航跳到搜索
可打印版本不再受到支持且可能有渲染错误。请更新您的浏览器书签并改用浏览器默认打印功能。

{{#ifexist: :SSHHowto/zh | | {{#ifexist: SSHHowto/zh | | {{#ifeq: {{#titleparts:SSHHowto|1|-1|}} | zh | | }} }} }} {{#ifeq: {{#titleparts:SSHHowto|1|-1|}} | zh | | }}

Parent page: Internet and Networking


SSH

OpenSSH provides secure remote access, including command line sessions, graphical apps via X forwarding, and file transfer using secure copy (SCP) and Secure FTP protocols. Additionally, it can act as a encrypting tunnel for other protocols via port forwarding.

SSH replaces older, insecure apps like telnet, rlogin, and FTP. These older apps transmit passwords across the Internet without encryption, meaning the password peing could easily be stolen. By providing encryption, SSH fixes these problems.

Installing the SSH Server

If you want to securely connect to your machine from a remote computer, even a MS Windows machine using Putty, then you need to install a server that allows you to connect. Ubuntu uses the openssh-server for which you need the openssh-server package.

Transferring Files Remotely With SSH

Graphically (from GNOME)

Nautilus can access remote computers via SSH, and browse and transfer files. Click Places -> Connect to Server. Select SSH for Service Type, write the name or IP address of the computer you're connecting to in Server, the user you'd like to connect as in User Name, and a name for the connection if you wish.

Files can be copied by dragging and dropping between this window and other windows.

Graphically (from KDE)

Konqueror can access remote computers via SSH, and browse and transfer files. Open Konqueror, and in the address bar type:

fish://username@server_address

Files can be copied by dragging and dropping them between this window or tab and to other windows or tabs.

Graphically (from Windows)

WinSCP can be used to transfer files between Linux machines running SSH and Windows. You can download it for free from [1].

Using the Command Line

To copy a file from your computer to another computer with ssh you will need to use secure copy, the scp command. The command would look like this.

scp <file> <username>@<IP address or hostname>:<DestinationDirectory>

An example: Copying file.txt from my local computer to a remote computer, and placing it in the /home/joe/downloads directory

scp file.txt [email protected]:downloads/

Another example:

scp "New Document.odw" joe@laptop:"/home/joe/Summer 2005"

So you have to include the <file>, the <username> of the computer you are logging into and the <ipaddress> and <Destination``Directory> for which the file is going to be moved to.

To copy files from remote computers to your local disk::

scp [email protected]:/home/hornbeck/otherfile.txt .

The '.' means to copy the file to the current directory. You could instead put 'my.txt' and the file would be renamed during copying.

Two handy options to scp are '-r' and '-C'. '-r' enables recursive copying, for when you want to copy an entire directory tree. '-C' enables compression, which will probably improve the transfer speed. '-C' is also an option for ssh and sftp.

Important: you can not move files between two remote computers. Either the source or destination must be a local file. However, if you login to one of the remote machines via ssh, you can copy files between two remote machines.

Note that if your local userid is the same as the remote userid then the user@ part can be omitted. Also, if the remote directory is omitted, the home directory will be used.

scp 192.168.1.103:file.txt .

Logging in to a remote computer over ssh

To log in a remote computer running a ssh-server you have to enter something like this:

ssh <username>@<computer name or ipaddress>

example:

ssh joe@laptop

example:

ssh [email protected]

Anchor(public-key-auth)

Public key authentication

Formerly everybody has used the typical username/password authentication. However if someone had guessed or sniffed your password then security was compromised. For quite some time SSH has offered public key authentication. It uses private and public keys instead of simple passwords.

Unless you already have a private key you first need to create one. Enter::

ssh-keygen -t dsa

You will then be asked where to save the private key (just accept the default location) and to choose a passphrase. The passphrase is used to encrypt your private key. Everybody that gets access to your (unprotected) private key will have your permissions on other computers. Please take a moment and think of a really good password. See UbuntuHelp:ChoosingSecurePassword if you don't know what that means.

Now to gain access to other computers they need to *trust* your public key. Your public key was created along with the new private key. It is usually located at::

~/.ssh/id_dsa.pub

The target user needs to have this key (it is a line of ASCII characters) in its authorized key file located at::

~/.ssh/authorized_keys

on the target system. So either you just copy and paste the line into the authorized_keys file or use the "ssh-copy-id" command like this::

ssh-copy-id -i ~/.ssh/id_dsa.pub root@fileserver01

You would be asked for the root password of that computer. If password authentication is disabled then you need to copy and paste your key using another medium. After your public key has been added you are trusted.

IconsPage?action=AttachFile&do=get&target=IconNote.png In order to use ssh-copy-id you need to have saved your passphrase to the ssh-agent using ssh-add (see below).

Run::

ssh root@fileserver01

and you should no longer be asked for the password but for the *passphrase*. Please note that the password and the passphrase do different things. The password is saved in the /etc/passwd of the target system. The passphrase is used to decrypt your private key on your system.

To reiterate: the actual security of public key authentication over password authentication is that two things are needed to get access:

  • your (encrypted) private key
  • your passphrase (which is needed to decrypt the private key)

So if you would choose no password at all (which is possible - see the next section) you would have even less security than using a password alone.

IconsPage?action=AttachFile&do=get&target=IconNote.png Password based authentication is enabled per default in Ubuntu. If you want to stop users from logging in remotely using passwords, disable password authentication manually, by setting "Password``Authentication no" in the file /etc/ssh/sshd_config. Don't forget to restart your ssh server after changing the configuration (sudo /etc/init.d/ssh restart).

Restricting SSH access

When using SSH public key authentication there is another nifty feature. The target server can restrict which commands you are allowed to run. If you maintain a CVS repository you could use lines like this in the authorized_keys file::

command="/usr/bin/cvs server" ssh-dss AAAAB3N....

This would allow only this command to be run. Nothing else.

Automated access in batch scripts

Public key authentication (see above) can also be used to automate tasks that would usually require typing in a password. Imagine you want to copy a file from a remote computer every midnight. All you needed to do is establish the trust between those two computers. Create a service account on one computer, create a keypair (ssh-keygen -t dsa) and when asked for a passphrase just press 'ENTER'. This will leave the private key unprotected. Add the public key to the other computer's authorized_keys2 file (ssh-copy-id). Now you can SSH to that machine without being asked for a passphrase. Add an SSH call to your crontab and you are set.

IconsPage?action=AttachFile&do=get&target=IconWarning3.png Be careful! Having an unprotected private key may be a security hole. Hackers would only need to get access to the private key and could access the target computer.

Anchor(ssh-agent)

Using the ssh-agent

If you frequently need to copy files over SSH or access other computers in your network (which is a common task for administrators) you probably wonder if there is way to simplify entering the passphrase. Actually there is - it's called the *SSH agent*. You only need to enter your passphrase once using "ssh-add" and everything you start as a subprocess of the SSH agent will remember that passphrase.

Too much theory? Well, you won't need to worry about the agent. Your X session is already run in an ssh-agent session automatically. All you need to do is launch "ssh-add" and type in your passphrase. Next time you use *SSH* to access another computer you will not have to enter your passphrase again. Nice, huh? :)

IconsPage?action=AttachFile&do=get&target=IconNote.png Important: You should lock your screen if you leave your desktop. Other people could access other computers from your computer over ssh without even knowing your passphrase.

If you like to be asked for the passphrase once after login to Ubuntu you can add a call to "ssh-add" like this:

  • Click on *System*
  • Choose *Preferences*
  • Choose *Sessions*
  • Select the *Startup Programs* tab
  • Click on *Add*
  • Enter "ssh-add" as a command

After the next login you should be asked for the passphrase.

KDE users can also make use of ssh-add:

Open a Konsole session:

  • Click on *Kmenu*
  • Choose *System*
  • Choose *Konsole Terminal Program*

At the command prompt, type:

user@user-computer:~$ ln -s /usr/bin/ssh-add .kde/Autostart

Logout of your KDE session and log back in. A menu will pop up at startup asking for your SSH passphrase.

Security

User Log Ins and other data are stored in /var/log/auth.log (and auth.log.0, etc.). If you would like to see if anybody has attempted to log in to your system, you can examine the log files. The command

awk '/Invalid user/ {print $8}' /var/log/auth.log{,.0} | sort | uniq -c

will show you who (probably an automated attack) has attempted to login with an Invalid Username, preceded by the number of times that name was used.

For a list of users and where they logged in the "last" command, and "lastb" (last bad) should allow for a quick check.

For enhanced security, see the Advanced Configuration page, below.

Advanced Configuration

See UbuntuHelp:AdvancedOpenSSH for advanced configuration, and extra security.

GPG & OpenSSH

See UbuntuHelp:GPGsigningforSSHHowTo for using GPG to sign SSH keys.

SSH as a Proxy

If you can make an SSH connection, you can (most likely) use that connection as a SOCKS proxy, without any extra setup on the remote computer. Traffic is tunneled securely through the SSH connection. If you are on an unsecured wireless connection, you can use this to effectively secure all your traffic from snooping. You can also use this to bypass IP restrictions, because you will appear to be connecting from the remote computer.

Pick some big port number (bigger than 1024 so you can use it as non-root). Here I choose 1080, the standard SOCKS port. Use the -D option for dynamic port forwarding.

ssh -D 1080 user@host

That's it. Now as long as the SSH connection is open, your application can use a SOCKS proxy on port 1080 on your own computer (localhost). For example, in Firefox:

  • go to Edit -> Preferences -> Advanced -> Network -> Connection -> Settings...
  • check "Manual proxy configuration"
  • make sure "Use this proxy server for all protocols" is cleared
  • clear "HTTP Proxy", "SSL Proxy", "FTP Proxy", and "Gopher Proxy" fields
  • enter "127.0.0.1" for "SOCKS Host", and "1080" (or whatever port you chose) for Port.

OpenSSH 4.3 VPNs

OpenSSH 4.3 added the ability to create tunnels; see UbuntuHelp:SSH VPN for how to set up a VPN using this new feature.