|
|
| (未显示同一用户的6个中间版本) |
| 第1行: |
第1行: |
| | + | #REDIRECT [[UbuntuHelp:SSH]] |
| | + | This page now redirects to the [[UbuntuHelp:SSH|SSH]] article |
| | {{From|https://help.ubuntu.com/community/SSHHowto}} | | {{From|https://help.ubuntu.com/community/SSHHowto}} |
| | {{Languages|UbuntuHelp:SSHHowto}} | | {{Languages|UbuntuHelp:SSHHowto}} |
| − | #title SSH
| |
| − | Parent page: [[UbuntuHelp:InternetAndNetworking| Internet and Networking]]
| |
| − | == Introduction ==
| |
| − | OpenSSH provides secure remote access, including command line sessions, graphical apps via X forwarding, and file transfer using secure copy (SCP) and Secure FTP protocols. Additionally, it can act as a encrypting tunnel for other protocols via port forwarding.
| |
| − | SSH replaces older, insecure apps like telnet, rlogin, and FTP. These older apps transmit passwords across the Internet without encryption, meaning the password could easily be stolen. By providing encryption, SSH fixes these problems.
| |
| − | == Installing the SSH Server ==
| |
| − | If you want to securely connect to your machine from a remote computer, even a MS Windows machine using Putty, then you need to install a server that allows you to connect. Ubuntu uses the openssh-server for which you need the '''openssh-server''' package.
| |
| − | == Logging in to a remote computer over ssh ==
| |
| − | === From *nux ===
| |
| − | To login a remote computer running a ssh-server, open a terminal and log in with ''ssh <user>@<server>'' like this:
| |
| − | <pre><nowiki>
| |
| − | ssh <username>@<computer name or ip_address>
| |
| − | </nowiki></pre>
| |
| − | example:
| |
| − | <pre><nowiki>
| |
| − | ssh joe@laptop
| |
| − | </nowiki></pre>
| |
| − | example:
| |
| − | <pre><nowiki>
| |
| − | | |
| − | </nowiki></pre>
| |
| − | ===== Keep Alive =====
| |
| − | Your ssh session will automatically log out if it is idle. To keep the connection active (alive) add this to '''/etc/ssh/ssh_config''' on the client.
| |
| − | <code><nowiki>ServerAliveInterval 5</nowiki></code>
| |
| − | This will send a "keep alive: signal to the server every 5 seconds. You can usually increase this interval and I use 120.
| |
| − | ==== Using Putty ====
| |
| − | Putty is a gui tool to configure your ssh connection and works on Linux as well as windows.
| |
| − | <code><nowiki>sudo apt-get install putty</nowiki></code>
| |
| − | See the windows section for further information.
| |
| − | ==== Using SecPanel ====
| |
| − | SecPanel is an SSH and SCP frontend for OpenSSH
| |
| − | <code><nowiki>sudo apt-get install secpanel</nowiki></code>
| |
| − | === From Windows ===
| |
| − | ==== Using Putty ====
| |
| − | Putty is a graphical tool available here : [http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html Download Putty]
| |
| − | [http://img296.imageshack.us/img296/7404/putty3zv1.png]
| |
| − | Once the connection is made you will be given a Terminal (Command Line Interface).
| |
| − | If you generated a Public Key (see next section) you will need to import it to Putty. Download ''puttygen.exe'' from th ePutty site above and use it to import your open-ssh key. There is a walk through for how to do this [http://linux-sxs.org/networking/openssh.putty.html here]
| |
| − | Otherwise you can generate a key with ''puttygen'' (I do not think you can import a putty key to open-ssh)
| |
| − | ===== Keep alive =====
| |
| − | Your putty (ssh) session will automatically log out if it is idle. To keep the connection active (alive), '''before you make the connection''', select "Connection" on the left and in the box " Seconds between keepalives (0 to turn off) enter 120 (this = 120 seconds).
| |
| − | ==== Using Cygwin ====
| |
| − | Cygwin is a unix like environment for Windows. You can download it here : [http://www.cygwin.com/ Cygwin]
| |
| − | To install it run the ''Setup.exe'' , choose a server.
| |
| − | To use ssh you need to install the openssh package (it includes BOTH a server and client). It is located under "Net" and is called ''openssh''
| |
| − | [http://img296.imageshack.us/img296/4139/cygwinopensshpv3.png]
| |
| − | You then launch Cygwin as a .bat file and you get a Terminal Interface :
| |
| − | Cygwin on Windows, running zsh :
| |
| − | [http://img127.imageshack.us/img127/9751/zshdx1.png]
| |
| − | You then use ssh from the Cygwin shell as you normally would on *nix (see above)
| |
| − | ===== Keep Alive =====
| |
| − | See the "Keep alive" section under *nix above.
| |
| − | == Transferring Files Remotely With SSH ==
| |
| − | === Graphically ===
| |
| − | ==== From Gnome ====
| |
| − | Nautilus can access remote computers via SSH, and browse and transfer files. Click '''Places''' -> '''Connect to Server'''. Select '''SSH''' for '''Service Type''', write the name or IP address of the computer you're connecting to in '''Server''', the user you'd like to connect as in '''User Name''', and a name for the connection if you wish.
| |
| − | Files can be copied by dragging and dropping between this window and other windows.
| |
| − | ==== From KDE ====
| |
| − | Konqueror can access remote computers via SSH, and browse and transfer files. Open Konqueror, and in the address bar type:
| |
| − | <pre><nowiki>
| |
| − | fish://username@server_address
| |
| − | </nowiki></pre>
| |
| − | Files can be copied by dragging and dropping them between this window or tab and to other windows or tabs.
| |
| − | ==== Using SecPanel ====
| |
| − | SecPanel is an SSH and SCP frontend for OpenSSH
| |
| − | <code><nowiki>sudo apt-get install secpanel</nowiki></code>
| |
| − | ==== From Windows ====
| |
| − | WinSCP can be used to transfer files between Linux machines running SSH and Windows.
| |
| − | WinSCP is capable of using either scp or sftp.
| |
| − | You can download it for free from [http://winscp.net].
| |
| − | [http://img296.imageshack.us/img296/491/winscpnh5.png]
| |
| − | <u>Note</u>: Winscp uses ''Putty keys'' (See the [[UbuntuHelp:SSHHowto?#head-85bd741dfccdb511a16353d657923ae24903003d|Using Putty]] section below)
| |
| − | === Using the Command Line (Terminal) ===
| |
| − | To copy a file from your computer to another computer with ssh you will need to use secure copy, the ''scp'' command. The command would look like this.
| |
| − | <pre><nowiki>
| |
| − | scp <file> <username>@<IP address or hostname>:<DestinationDirectory>
| |
| − | </nowiki></pre>
| |
| − | An example: Copying file.txt from my local computer to a remote computer, and placing it in the /home/joe/downloads directory
| |
| − | <pre><nowiki>
| |
| − | | |
| − | </nowiki></pre>
| |
| − | Another example:
| |
| − | <pre><nowiki>
| |
| − | scp "New Document.odw" joe@laptop:"/home/joe/Summer 2005"
| |
| − | </nowiki></pre>
| |
| − | So you have to include the <file>, the <username> of the computer you are logging into and the <ipaddress> and <Destination``Directory> for which the file is going to be moved to.
| |
| − | To copy files from remote computers to your local disk:
| |
| − | <pre><nowiki>
| |
| − | | |
| − | </nowiki></pre>
| |
| − | The '.' means to copy the file to the current directory. You could instead put 'my.txt' and the file would be renamed during copying.
| |
| − | Two handy options to scp are '-r' and '-C'. '-r' enables recursive copying, for when you want to copy an entire directory tree. '-C' enables compression, which will probably improve the transfer speed. '-C' is also an option for ssh and sftp.
| |
| − | Important: you can not move files between two remote computers. Either the source or destination must be a local file. However, if you login to one of the remote machines via ssh, you can copy files between two remote machines.
| |
| − | Note that if your local userid is the same as the remote userid then the user@ part can be omitted. Also, if the remote directory is omitted, the home directory will be used.
| |
| − | <pre><nowiki>
| |
| − | scp 192.168.1.103:file.txt .
| |
| − | </nowiki></pre>
| |
| − | == Advanced options ==
| |
| − | === Forward X ===
| |
| − | To forward X check in '''/etc/ssh/sshd_config''' to be sure you have allowed X forwarding (it is enabled by default)
| |
| − | Look for this line :
| |
| − | <pre><nowiki>
| |
| − | X11Forwarding yes
| |
| − | </nowiki></pre>
| |
| − | ==== Single Applications ====
| |
| − | You can forward graphical applications with the -X option.
| |
| − | <pre><nowiki>
| |
| − | ssh -X user@server
| |
| − | </nowiki></pre>
| |
| − | Once the connection is made enter your command in the terminal, ''firefox &'' for example. This will start Firefox on the server and forward the Firefox interface to the client.
| |
| − | You can do this as a single command/application if you like :
| |
| − | <pre><nowiki>
| |
| − | ssh -XC user@server firefox
| |
| − | </nowiki></pre>
| |
| − | ==== Entire Desktop ====
| |
| − | In order to do this you must enter the command from a console (Ctrl-Alt-F1) and not from a terminal in X
| |
| − | 1. Switch to a console session (Ctrl-Alt-F1 or Ctrl-Alt-F2. To return Ctrl-Alt-F7)
| |
| − | 2. Start a ssh connection in conjunction with xinit :
| |
| − |
| |
| − | <pre><nowiki>
| |
| − | xinit -e ssh -XCT user@server fluxbox -- :1
| |
| − | </nowiki></pre>
| |
| − | *Substitute gnome-session, xfce4-session, or startkde for fluxbox as needed (I use fluxbox as an example as it is a light weight window manager).
| |
| − | * -C allows compression
| |
| − | * the ''-- :1'' starts a session on your second virtual console located at '''Ctrl-Alt-F8''' (your first is at Ctrl-Alt-F7)
| |
| − | <u>Note</u>: If you would like to forward the entire desktop you will likely discover tunneling a VNC connection is faster. See slso [[UbuntuHelp:VNCOverSSH| Vnc Over SSH Ubuntu Wiki]] and [[UbuntuHelp:FreeNX| FreeNX Ubuntu Wiki]]
| |
| − | ==== Nested windows ====
| |
| − | You may use Xephyr to give you an X server within your current server.
| |
| − | [http://cafelinux.org/OptickleArt/albums/userpics/Xephyr.png http://cafelinux.org/OptickleArt/albums/userpics/normal_Xephyr.png]
| |
| − | Two ssh forwarded desktops on dual monitors, click to enlarge
| |
| − | [http://ubuntuforums.org/showthread.php?t=620003 Ubuntu forums, How to Xephyr] ~ it is short
| |
| − | Connections are encrypted and compressed.
| |
| − | === Running single commands on the open-ssh server ===
| |
| − | You can run a single command on the open-ssh server by adding the command to the end of the ssh command.
| |
| − | <pre><nowiki>
| |
| − | ssh -fCT user@server <command>
| |
| − | </nowiki></pre>
| |
| − | <pre><nowiki>
| |
| − | -f = Allows ssh to close after the connection is established.
| |
| − | -C = Use Compression
| |
| − | -T = No terminal session will be started
| |
| − | </nowiki></pre>
| |
| − | === Mounting directories using sshfs ===
| |
| − | sshfs will allow you to mount directories from the open-ssh server to your client very similar to nfs
| |
| − | [[UbuntuHelp:SSHFS| SSHFS Ubuntu Wiki]]
| |
| − | === Tunneling VNC connections through ssh ===
| |
| − | This obviously increases the security of your VNC sessions. [[UbuntuHelp:VNCOverSSH| VNC Over SSH Ubuntu Wiki]]
| |
| − | [[Anchor(public-key-auth)]]
| |
| − | == Public key authentication ==
| |
| − | Formerly everybody has used the typical username/password authentication. However if
| |
| − | someone had guessed or sniffed your password then security was compromised.
| |
| − | For quite some time SSH has offered '''public key authentication'''. It uses private and
| |
| − | public keys instead of simple passwords.
| |
| − | Unless you already have a private key you first need to create one. Enter:
| |
| − | <pre><nowiki>
| |
| − | ssh-keygen -t dsa
| |
| − | </nowiki></pre>
| |
| − | You will then be asked where to save the private key (just accept the default
| |
| − | location) and to choose a passphrase. The passphrase is used to encrypt your
| |
| − | private key. Everybody that gets access to your (unprotected) private key
| |
| − | will have your permissions on other computers. Please take a moment and think
| |
| − | of a really good password. See [[UbuntuHelp:ChoosingSecurePassword|ChoosingSecurePassword]] if you do not know
| |
| − | what that means.
| |
| − | Now to gain access to other computers they need to '''trust''' your public key.
| |
| − | Your public key was created along with the new private key. It is usually
| |
| − | located at:
| |
| − | <pre><nowiki>
| |
| − | ~/.ssh/id_dsa.pub
| |
| − | </nowiki></pre>
| |
| − | The target user needs to have this key (it is a line of ASCII characters) in its authorized key file located at:
| |
| − | <pre><nowiki>
| |
| − | ~/.ssh/authorized_keys
| |
| − | </nowiki></pre>
| |
| − | on the target system. So either just copy and paste the line into the authorized_keys file, or use the "ssh-copy-id" command like this:
| |
| − | <pre><nowiki>
| |
| − | ssh-copy-id -i ~/.ssh/id_dsa.pub root@fileserver01
| |
| − | </nowiki></pre>
| |
| − | You will be asked for the root password of that computer. If password authentication is disabled then you need to copy and paste your key using another medium. After your public key has been added you are trusted.
| |
| − | https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=IconNote.png In order to use <code><nowiki>ssh-copy-id</nowiki></code> you need to have saved your passphrase to the [[ssh-agent ssh-agent]] using <code><nowiki>ssh-add</nowiki></code> ([[ssh-agent see below]]).
| |
| − | Run:
| |
| − | <pre><nowiki>
| |
| − | ssh root@fileserver01
| |
| − | </nowiki></pre>
| |
| − | and you should no longer be asked for the password but for the '''passphrase'''. Please note that the password and the passphrase do different things. The password is saved in the /etc/passwd of the target system. The passphrase is used to decrypt your private key on your system.
| |
| − | To reiterate: the actual security of public key authentication over password authentication is that two things are needed to get access:
| |
| − | * your (encrypted) private key
| |
| − | * your passphrase (which is needed to decrypt the private key)
| |
| − | So if you would choose no password at all (which is possible - see the next section) you would have even less security than using a password alone.
| |
| − | https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=IconNote.png Password based authentication is enabled per default in Ubuntu. If you want to stop users from logging in remotely using passwords, disable password authentication manually, by setting "''Password``Authentication no''" in the file /etc/ssh/sshd_config. Do not forget to restart your ssh server after changing the configuration (<code><nowiki>sudo /etc/init.d/ssh restart</nowiki></code>).
| |
| − | == Restricting SSH access ==
| |
| − | When using SSH public key authentication there is another nifty feature. The target server can restrict which commands you are allowed to run. If you maintain a CVS repository you could use lines like this in the
| |
| − | authorized_keys file:
| |
| − | command="/usr/bin/cvs server" ssh-dss AAAAB3N....
| |
| − | This would allow only this command to be run, and nothing else.
| |
| − | == Automated access in batch scripts ==
| |
| − | [[public-key-auth Public key authentication]] can also be used to automate tasks that would usually require typing in a password. Imagine you want to copy a file from a remote computer every midnight. All you needed to do is establish the trust between those two computers. Create a service account on one computer, create a keypair (ssh-keygen -t dsa) and when asked for a passphrase just press 'ENTER'. This will leave the private key unprotected. Add the public key to the other computer's authorized_keys file (ssh-copy-id). Now you can SSH to that machine without being asked for a passphrase. Add an SSH call to your crontab and you are set.
| |
| − | https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=IconWarning3.png '''Be careful!'''
| |
| − | Having an unprotected private key may be a security hole. Hackers would only need to get access to the private key and could access the target computer.
| |
| − | [[Anchor(ssh-agent)]]
| |
| − | == Using the ssh-agent ==
| |
| − | If you frequently need to copy files over SSH or access other computers in your network (which is a common task for administrators) you probably wonder if there is way to simplify entering the passphrase. Actually there is - it's called the '''SSH agent'''. You only need to enter your passphrase once using "ssh-add" and everything you start as a subprocess of the SSH agent will remember that passphrase.
| |
| − | Too much theory? Well, you will not need to worry about the agent. Your X session is already run in an ssh-agent session automatically. All you need to do is launch "ssh-add" and type in your passphrase. Next time you use SSH to access another computer you will not have to enter your passphrase again.
| |
| − | https://help.ubuntu.com/community/IconsPage?action=AttachFile&do=get&target=IconNote.png '''Important:'''
| |
| − | You should lock your screen if you leave your desktop. Other people could access other computers from your computer over ssh without even knowing your passphrase.
| |
| − | If you like to be asked for the passphrase once after login to Ubuntu you can add a call to
| |
| − | "ssh-add" like this:
| |
| − | * Click on '''System'''
| |
| − | * Choose '''Preferences'''
| |
| − | * Choose '''Sessions'''
| |
| − | * Select the '''Startup Programs''' tab
| |
| − | * Click on '''Add'''
| |
| − | * Enter "ssh-add" as a command
| |
| − | After the next login you should be asked for the passphrase.
| |
| − | KDE users can also make use of ssh-add:
| |
| − | Open a Konsole session:
| |
| − | * Click on '''Kmenu'''
| |
| − | * Choose '''System'''
| |
| − | * Choose '''Konsole Terminal Program'''
| |
| − | At the command prompt, type:
| |
| − | <pre><nowiki>
| |
| − | user@user-computer:~$ ln -s /usr/bin/ssh-add .kde/Autostart
| |
| − | </nowiki></pre>
| |
| − | Logout of your KDE session and login again. A menu will pop up at startup asking for your SSH passphrase.
| |
| − | == Security ==
| |
| − | User logins and other data are stored in /var/log/auth.log (and auth.log.0, etc.). If you would like to see if anybody has attempted to login to your system, you can examine the log files. The command:
| |
| − | <pre><nowiki>
| |
| − | awk '/Invalid user/ {print $8}' /var/log/auth.log{,.0} | sort | uniq -c
| |
| − | </nowiki></pre>
| |
| − | will show you who (often an automated attack) has attempted to login with an Invalid Username, preceded by the number of times that name was used.
| |
| − | For a list of users and where they logged in the "last" command, and "lastb" (last bad) should allow for a quick check.
| |
| − | For enhanced security, see the [[advanced Advanced Configuration]] page.
| |
| − | [[Anchor(advanced)]]
| |
| − | == Advanced Configuration ==
| |
| − | See [[UbuntuHelp:AdvancedOpenSSH|AdvancedOpenSSH]] for advanced configuration and extra security.
| |
| − | == GPG & OpenSSH ==
| |
| − | See [[UbuntuHelp:GPGsigningforSSHHowTo|GPGsigningforSSHHowTo]] for using GPG to sign SSH keys.
| |
| − | == SSH as a Proxy ==
| |
| − | If you can make an SSH connection, you can (most likely) use that connection as a SOCKS proxy without any extra setup on the remote computer. Traffic is tunneled securely through the SSH connection. If you are on an unsecured wireless connection, you can use this to effectively secure all your traffic from snooping. You can also use this to bypass IP restrictions because you will appear to be connecting from the remote computer.
| |
| − | Pick some big port number (bigger than 1024 so you can use it as non-root). Here I choose 1080, the standard SOCKS port. Use the <code><nowiki>-D</nowiki></code> option for dynamic port forwarding.
| |
| − | <pre><nowiki>
| |
| − | ssh -D 1080 user@host
| |
| − | </nowiki></pre>
| |
| − | Now as long as the SSH connection is open, your application can use a SOCKS proxy on port 1080 on your own computer (localhost). For example, in Firefox:
| |
| − | * go to Edit -> Preferences -> Advanced -> Network -> Connection -> Settings...
| |
| − | * check "Manual proxy configuration"
| |
| − | * make sure "Use this proxy server for all protocols" is cleared
| |
| − | * clear "HTTP Proxy", "SSL Proxy", "FTP Proxy", and "Gopher Proxy" fields
| |
| − | * enter "127.0.0.1" for "SOCKS Host", and "1080" (or whatever port you chose) for Port.
| |
| − | == OpenSSH 4.3 VPNs ==
| |
| − | OpenSSH 4.3 added the ability to create tunnels; see [[UbuntuHelp:SSH VPN|SSH VPN]] for how to set up a VPN using this new feature.
| |
| − | ----
| |
| − | [[category:CategoryDocumentation]]
| |
| | | | |
| | [[category:UbuntuHelp]] | | [[category:UbuntuHelp]] |
