个人工具

Quick HOWTO : Ch17 : Secure Remote Logins and File Copying/zh

来自Ubuntu中文

Ninesun讨论 | 贡献2008年5月1日 (四) 00:12的版本

跳转至: 导航, 搜索


介绍

OpenSSH是最流行的文件传输和远程登录Linux应用程序之一,它提供了多种在客户端和服务器之间建立加密的远程终端和文件传输连接的方式。 OpenSSH Secure Copy (SCP) 和 Secure FTP (SFTP) 程序是FTP的安全替代品, 同时Secure Shell (SSH) 常常被用作是TELNET的一个默认替代程序。OpenSSH 并不局限于Linux系统; SSH 和 SCP 客户端可以运行在包括windows在内的绝大多数操作系统上。



SSH加密简介

Data encryption is accomplished by using special mathematical equations to scramble the bits in a data stream to make it unreadable to anyone who does not have access to the corresponding decryption equation. The process is usually made even harder through the use of an encryption key that is used to modify the way the equations do the scrambling. You can recover the original data only if you have access to this key and the corresponding programs. Data encryption helps to prevent unauthorized users from having access to the data.

SSH uses the concept of randomly generated private and public keys to do its encryption. The keys are usually created only once, but you have the option of regenerating them should they become compromised.

A successful exchange of encrypted data requires the receiver to have a copy of the sender's public key beforehand. Here's how it's done with SSH.

When you log into an SSH server, you are prompted as to whether you want to accept the download of the server's public key before you can proceed. The SSH client's key is uploaded to the server at the same time. This creates a situation in which the computers at each end of the SSH connection have each other's keys and are able to decrypt the data sent from the other end of the encrypted link or "tunnel".

All the public keys that an SSH client's Linux user encounters are stored in a file named ~/.ssh/known_hosts along with the IP address that provided it. If a key and IP address no longer match, then SSH knows that something is wrong. For example, reinstalling the operating system or upgrading the SSH application might regenerate the keys. Of course, keys changes can be caused by someone trying some sort of cyber attack, as well. Always investigate changes to be safe. Your server's own public and private SSH keys are stored in the /etc/ssh/ directory.

Note: The .ssh directory is a hidden directory, as are all files and directories whose names begin with a period. The ls -a command lists all normal and hidden files in a directory. The ~/ notation is a universally accepted way of referring to your home directory and is recognized by all Linux commands.

Linux uses other key files also to provide the capability of password-less logins and file copying to remote servers using SSH and SCP. In this case, the SSH connection is established, then the client automatically sends its public key which the server uses to match against a predefined list in the user's directory. If there is a match then the login is authorized. These files are also stored in your ~/.ssh directory and need to be specially generated. The id_dsa and id_dsa.pub files are your private and public keys respectively, and authorized_keys stores all the authorized public keys from remote hosts that may log into your account without the need for passwords (more on this later).