Difference between revisions of "UbuntuHelp:SSHHowto"

From Ubuntu Chinese

#title SSH
 
Parent page: [[UbuntuHelp:InternetAndNetworking| Internet and Networking]]
 
== Introduction ==
 
OpenSSH provides secure remote access, including command line sessions, graphical apps via X forwarding, and file transfer using secure copy (SCP) and the Secure FTP (SFTP) protocol. Additionally, it can act as an encrypting tunnel for other protocols via port forwarding.
 
SSH replaces older, insecure apps like telnet, rlogin, and FTP. These older apps transmit passwords across the Internet without encryption, meaning the password could easily be stolen. By providing encryption, SSH fixes these problems.
 
== Installing the SSH Server ==
 
If you want to securely connect to your machine from a remote computer, even an MS Windows machine using PuTTY, you need to install a server that accepts the connection. Ubuntu uses OpenSSH, for which you need the '''openssh-server''' package.
 
== Logging in to a remote computer over ssh ==
 
=== From *nux ===
 
To log in to a remote computer running an SSH server, open a terminal and run ''ssh <user>@<server>'' like this:
 
<pre><nowiki>
ssh <username>@<computer name or ip_address>
</nowiki></pre>
 
 
example:
 
<pre><nowiki>
ssh joe@laptop
</nowiki></pre>
 
 
example:

<pre><nowiki>

</nowiki></pre>
 
 
===== Keep Alive =====
 
Your ssh session will automatically log out if it is idle. To keep the connection active (alive) add this to '''/etc/ssh/ssh_config''' on the client.
 
<code><nowiki>ServerAliveInterval 5</nowiki></code>
 
This will send a "keep alive" signal to the server every 5 seconds. You can usually increase this interval and I use 120.
 
==== Using Putty ====
 
PuTTY is a GUI tool for configuring your SSH connection and works on Linux as well as Windows.
 
<code><nowiki>sudo apt-get install putty</nowiki></code>
 
See the Windows section below for further information.
 
==== Using SecPanel ====
 
SecPanel is an SSH and SCP frontend for OpenSSH.
 
<code><nowiki>sudo apt-get install secpanel</nowiki></code>
 
=== From Windows ===
 
==== Using Putty ====
 
PuTTY is a graphical tool, available here: [http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html Download Putty]
 
[http://img296.imageshack.us/img296/7404/putty3zv1.png]
 
Once the connection is made you will be given a Terminal (Command Line Interface).
 
If you generated a public key (see the next section) you will need to import it into PuTTY. Download ''puttygen.exe'' from the PuTTY site above and use it to import your OpenSSH key. There is a walkthrough for how to do this [http://linux-sxs.org/networking/openssh.putty.html here].
 
Otherwise you can generate a key with ''puttygen'' (I do not think you can import a PuTTY key into OpenSSH).
 
===== Keep alive =====
 
Your PuTTY (ssh) session will automatically log out if it is idle. To keep the connection active (alive), '''before you make the connection''', select "Connection" on the left and in the box "Seconds between keepalives (0 to turn off)" enter 120 (that is, 120 seconds).
 
==== Using Cygwin ====
 
Cygwin is a Unix-like environment for Windows. You can download it here: [http://www.cygwin.com/ Cygwin]
 
To install it, run ''Setup.exe'' and choose a download server.
 
To use ssh you need to install the openssh package (it includes BOTH a server and a client). It is located under "Net" and is called ''openssh''.
 
[http://img296.imageshack.us/img296/4139/cygwinopensshpv3.png]
 
You then launch Cygwin via its .bat file and get a terminal interface:
 
Cygwin on Windows, running zsh:
 
[http://img127.imageshack.us/img127/9751/zshdx1.png]
 
You then use ssh from the Cygwin shell as you normally would on *nix (see above).
 
===== Keep Alive =====
 
See the "Keep alive" section under *nix above.
 
== Transferring Files Remotely With SSH ==
 
=== Graphically ===
 
==== From Gnome ====
 
Nautilus can access remote computers via SSH, and browse and transfer files. Click '''Places''' -> '''Connect to Server'''. Select '''SSH''' for '''Service Type''', write the name or IP address of the computer you're connecting to in '''Server''', the user you'd like to connect as in '''User Name''', and a name for the connection if you wish.  
 
Files can be copied by dragging and dropping between this window and other windows.
 
==== From KDE ====
 
Konqueror can access remote computers via SSH, and browse and transfer files. Open Konqueror, and in the address bar type:
 
<pre><nowiki>

</nowiki></pre>
 
Files can be copied by dragging and dropping them between this window or tab and other windows or tabs.
 
==== Using SecPanel ====
 
SecPanel is an SSH and SCP frontend for OpenSSH.
 
<code><nowiki>sudo apt-get install secpanel</nowiki></code>
 
==== From Windows ====
 
WinSCP can be used to transfer files between Linux machines running SSH and Windows.  
 
WinSCP can use either SCP or SFTP.
 
You can download it for free from [http://winscp.net].
 
[http://img296.imageshack.us/img296/491/winscpnh5.png]
 
<u>Note</u>: WinSCP uses ''PuTTY keys'' (see the [https://help.ubuntu.com/community/SSHHowto?#head-85bd741dfccdb511a16353d657923ae24903003d Using Putty] section).
 
=== Using the Command Line (Terminal) ===
 
To copy a file from your computer to another computer over SSH you use secure copy, the ''scp'' command. The command looks like this:
 
<pre><nowiki>
scp file.txt <username>@<ipaddress>:downloads/
</nowiki></pre>
 
 
Another example:
 
<pre><nowiki>
scp "New Document.odw" joe@laptop:"/home/joe/Summer 2005"
</nowiki></pre>
 
 
So you have to include the <file>, the <username> on the computer you are logging into, the <ipaddress> and the <DestinationDirectory> to which the file will be copied.
 
To copy files from remote computers to your local disk:
 
<pre><nowiki>

</nowiki></pre>
 
The '.' means to copy the file to the current directory. You could instead put 'my.txt' and the file would be renamed during copying.
 
Two handy options to scp are '-r' and '-C'.  '-r' enables recursive copying, for when you want to copy an entire directory tree.  '-C' enables compression, which will probably improve the transfer speed.  '-C' is also an option for ssh and sftp.
 
Important: you cannot copy files directly between two remote computers. Either the source or the destination must be local. However, if you log in to one of the remote machines via ssh, you can copy files between the two remote machines from there.
 
Note that if your local userid is the same as the remote userid then the user@ part can be omitted. Also, if the remote directory is omitted, the home directory will be used.
 
<pre><nowiki>
scp 192.168.1.103:file.txt .
</nowiki></pre>
 
 
 
== Advanced options ==
 
=== Forward X ===
 
To forward X, check '''/etc/ssh/sshd_config''' on the server to be sure X forwarding is allowed (it is enabled by default).
 
Look for this line:
 
<pre><nowiki>
X11Forwarding yes
</nowiki></pre>
 
 
==== Single Applications ====
 
You can forward graphical applications with the -X option.
 
<pre><nowiki>
ssh -X user@server
</nowiki></pre>
 
 
Once the connection is made enter your command in the terminal, ''firefox &'' for example. This will start Firefox on the server and forward the Firefox interface to the client.
 
You can do this as a single command/application if you like:
 
<pre><nowiki>
ssh -XC user@server firefox
</nowiki></pre>
 
 
==== Entire Desktop ====
 
In order to do this you must enter the command from a console (Ctrl-Alt-F1), not from a terminal in X.
 
1. Switch to a console session (Ctrl-Alt-F1 or Ctrl-Alt-F2. To return Ctrl-Alt-F7)
 
2. Start an ssh connection in conjunction with xinit:
 
<pre><nowiki>
xinit -e ssh -XCT user@server fluxbox -- :1
</nowiki></pre>
 
 
*Substitute gnome-session, xfce4-session, or startkde for fluxbox as needed (I use fluxbox as an example as it is a light weight window manager).
 
* -C allows compression
 
* the ''-- :1'' starts a session on your second virtual console located at '''Ctrl-Alt-F8''' (your first is at Ctrl-Alt-F7)  
 
<u>Note</u>: If you would like to forward the entire desktop you will likely discover that tunneling a VNC connection is faster. See also [[UbuntuHelp:VNCOverSSH| Vnc Over SSH Ubuntu Wiki]] and [[UbuntuHelp:FreeNX| FreeNX Ubuntu Wiki]]
 
==== Nested windows ====

You may use Xephyr to get a nested X server inside your current X session.

[http://cafelinux.org/OptickleArt/albums/userpics/Xephyr.png http://cafelinux.org/OptickleArt/albums/userpics/normal_Xephyr.png]

Two SSH-forwarded desktops on dual monitors; click to enlarge.

[http://ubuntuforums.org/showthread.php?t=620003 Ubuntu forums, How to Xephyr] (it is short)

Connections are encrypted and compressed.
 
=== Running single commands on the open-ssh server ===
 
You can run a single command on the open-ssh server by adding the command to the end of the ssh command.
 
<pre><nowiki>
ssh -fCT user@server <command>
</nowiki></pre>
 
 
<pre><nowiki>
-f = Allows ssh to close after the connection is established.
-T = No terminal session will be started
</nowiki></pre>
 
 
=== Mounting directories using sshfs ===
 
sshfs lets you mount directories from the OpenSSH server on your client, much like NFS.
 
[[UbuntuHelp:SSHFS| SSHFS Ubuntu Wiki]]
 
=== Tunneling VNC connections through ssh ===
 
This obviously increases the security of your VNC sessions. [[UbuntuHelp:VNCOverSSH| VNC Over SSH Ubuntu Wiki]]
 
[[Anchor(public-key-auth)]]
 
== Public key authentication ==
 
Formerly everybody used the typical username/password authentication. However, if someone guessed or sniffed your password then security was compromised. For quite some time SSH has offered '''public key authentication'''. It uses private and public keys instead of simple passwords.
 
 
Unless you already have a private key you first need to create one. Enter:
 
<pre><nowiki>
ssh-keygen -t dsa
</nowiki></pre>
 
 
You will then be asked where to save the private key (just accept the default location) and to choose a passphrase. The passphrase is used to encrypt your
of a really good password. See [[UbuntuHelp:ChoosingSecurePassword]] if you do not know what that means.
 
 
Now to gain access to other computers they need to '''trust''' your public key. Your public key was created along with the new private key. It is usually

<pre><nowiki>

</nowiki></pre>
 
You will be asked for the root password of that computer. If password authentication is disabled then you need to copy and paste your key using another medium. After your public key has been added you are trusted.
 
<u>Note</u>: In order to use <code><nowiki>ssh-copy-id</nowiki></code> you need to have loaded your key (entering its passphrase once) into the [[ssh-agent ssh-agent]] using <code><nowiki>ssh-add</nowiki></code> ([[ssh-agent see below]]).
 
Run:
 
<pre><nowiki>

</nowiki></pre>
 
and you should no longer be asked for the password but for the '''passphrase'''. Please note that the password and the passphrase do different things. The password is saved in the /etc/passwd of the target system. The passphrase is used to decrypt your private key on your system.
 
To reiterate: the actual security of public key authentication over password authentication is that two things are needed to get access:
 
* your (encrypted) private key
 
* your passphrase (which is needed to decrypt the private key)
 
So if you chose no passphrase at all (which is possible; see the next section) you would have even less security than using a password alone.
 
<u>Note</u>: Password-based authentication is enabled by default in Ubuntu. If you want to stop users from logging in remotely using passwords, disable password authentication manually by setting "''PasswordAuthentication no''" in the file /etc/ssh/sshd_config. Do not forget to restart your ssh server after changing the configuration (<code><nowiki>sudo /etc/init.d/ssh restart</nowiki></code>).
 
== Restricting SSH access ==
 
When using SSH public key authentication there is another nifty feature: the target server can restrict which commands you are allowed to run. If you maintain a CVS repository you could use lines like this in the authorized_keys file:

<pre><nowiki>
command="/usr/bin/cvs server" ssh-dss AAAAB3N....
</nowiki></pre>

This would allow only this command to be run, and nothing else.
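A forced command stops the key from getting a shell, but by itself it still permits a pty and TCP, agent and X11 forwarding unless the no-* options (or ''restrict'', OpenSSH 7.2 and later) are added too. The following Python is an added example, not part of the original page: it parses authorized_keys entries (including quoted options that contain commas) and reports keys that are looser than the CVS line above intends. The sample file and its placeholder key blobs are constructed.

```python
"""Parse OpenSSH authorized_keys entries and audit how tightly each key is restricted."""

KEY_TYPES = {
    "ssh-dss", "ssh-rsa", "ssh-ed25519",
    "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
}
# A forced command blocks an interactive shell, but on its own still allows a
# pty and TCP/agent/X11 forwarding; these options (or "restrict") close those too.
LOCKDOWN = ("no-pty", "no-port-forwarding", "no-agent-forwarding", "no-X11-forwarding")

def _split_options(line):
    """Return (options_text, rest): options end at the first whitespace that is
    outside double quotes; a backslash escapes the next character inside quotes."""
    in_quotes, i = False, 0
    while i < len(line):
        c = line[i]
        if c == "\\" and in_quotes:
            i += 2
            continue
        if c == '"':
            in_quotes = not in_quotes
        elif c.isspace() and not in_quotes:
            break
        i += 1
    return line[:i], line[i:].strip()

def parse_options(text):
    """Comma-separated options to a dict: flags map to True, name="value" to the
    unquoted value (commas and escaped quotes inside the quotes are preserved)."""
    opts, cur, in_quotes, i = {}, [], False, 0

    def flush():
        if cur:
            name, sep, value = "".join(cur).partition("=")
            opts[name] = value if sep else True
            cur.clear()

    while i < len(text):
        c = text[i]
        if c == "\\" and in_quotes and i + 1 < len(text):
            cur.append(text[i + 1])  # escaped character inside quotes
            i += 2
            continue
        if c == '"':
            in_quotes = not in_quotes
        elif c == "," and not in_quotes:
            flush()
        else:
            cur.append(c)
        i += 1
    flush()
    return opts

def parse_line(line):
    """Parse one authorized_keys line; None for blank lines and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.split(None, 1)[0] in KEY_TYPES:
        options_text, rest = "", line  # no options field at all
    else:
        options_text, rest = _split_options(line)
    fields = rest.split(None, 2)
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        raise ValueError("not an authorized_keys entry: %r" % line)
    return {"options": parse_options(options_text), "type": fields[0],
            "key": fields[1], "comment": fields[2] if len(fields) > 2 else ""}

def audit(entries):
    """List (label, problem) for keys that are looser than the CVS example intends."""
    findings = []
    for e in entries:
        opts, label = e["options"], e["comment"] or e["key"][:16]
        if "command" not in opts:
            findings.append((label, "no forced command: full shell access"))
        elif "restrict" not in opts:
            missing = [o for o in LOCKDOWN if o not in opts]
            if missing:
                findings.append((label, "forced command but missing " + ",".join(missing)))
    return findings

def audit_text(text):
    """Parse a whole authorized_keys file and return (entries, findings)."""
    entries = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    return entries, audit(entries)

# Constructed sample file; the key blobs are placeholders, not real keys.
SAMPLE = """\
command="/usr/bin/cvs server" ssh-dss AAAAB3NzaC1kc3MPLACEHOLDER cvs@example
command="/usr/bin/cvs server",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER locked@example
from="10.0.0.0/8,192.168.1.5",command="echo \\"hi, there\\"" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER quoted@example
ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER2 unrestricted@example
"""
```

Running `audit_text(SAMPLE)` flags the first, third and fourth keys; only the second, which adds the no-* options to its forced command, passes.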
 
 
== Automated access in batch scripts ==
 
[[public-key-auth Public key authentication]] can also be used to automate tasks that would usually require typing in a password. Imagine you want to copy a file from a remote computer every midnight. All you need to do is establish trust between the two computers: create a service account on one computer, create a keypair (ssh-keygen -t dsa) and, when asked for a passphrase, just press 'ENTER'. This leaves the private key unprotected. Add the public key to the other computer's authorized_keys file (ssh-copy-id). Now you can SSH to that machine without being asked for a passphrase. Add an SSH call to your crontab and you are set.
 
'''Be careful!'''
 
Having an unprotected private key may be a security hole: an attacker would only need to obtain the private key to access the target computer.
 
[[Anchor(ssh-agent)]]
 
== Using the ssh-agent ==
 
If you frequently need to copy files over SSH or access other computers in your network (a common task for administrators) you probably wonder if there is a way to simplify entering the passphrase. There is: it is called the '''SSH agent'''. You only need to enter your passphrase once using "ssh-add", and everything you start as a subprocess of the SSH agent will remember that passphrase.
 
Too much theory? Well, you do not need to worry about the agent. Your X session already runs inside an ssh-agent session automatically. All you need to do is launch "ssh-add" and type in your passphrase. The next time you use SSH to access another computer you will not have to enter your passphrase again.
 
'''Important:'''
 
You should lock your screen if you leave your desktop. Other people could access other computers from your computer over ssh without even knowing your passphrase.
 
If you would like to be asked for the passphrase once after logging in to Ubuntu you can add a call to "ssh-add" like this:
 
 
* Click on '''System'''
 
* Choose '''Preferences'''
 
* Click on '''Add'''
 
* Enter "ssh-add" as a command
 
After the next login you should be asked for the passphrase.
 
KDE users can also make use of ssh-add:
 
Open a Konsole session:
 
* Click on '''Kmenu'''
 
* Choose '''System'''
 
* Choose '''Konsole Terminal Program'''
 
At the command prompt, type:
 
<pre><nowiki>
user@user-computer:~$ ln -s /usr/bin/ssh-add .kde/Autostart
</nowiki></pre>
 
 
Log out of your KDE session and log in again. A prompt will pop up at startup asking for your SSH passphrase.
 
== Security ==
 
User logins and other data are stored in /var/log/auth.log (and auth.log.0, etc.). If you would like to see if anybody has attempted to login to your system, you can examine the log files. The command:
 
<pre><nowiki>
awk '/Invalid user/ {print $8}' /var/log/auth.log{,.0} | sort | uniq -c
</nowiki></pre>
 
 
will show you who (often an automated attack) has attempted to login with an Invalid Username, preceded by the number of times that name was used.
 
For a list of users and where they logged in from, the "last" command and "lastb" (last bad) allow a quick check.
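As an added example that is not part of the original page, the Python below produces the same per-name counts as the awk pipeline above from a constructed auth.log sample, and goes a step further: it also groups invalid-user and failed-password attempts by source address and flags accepted logins that came from an address that had already produced failures. The log lines, host name and addresses are constructed; an empty invalid username (which OpenSSH does log) is handled.

```python
import re
from collections import Counter

# One sshd line of /var/log/auth.log: syslog timestamp, host, "sshd[pid]: " and the message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# The message the page's awk greps for, plus the failure and success lines that go with it.
# The username may be empty ("Invalid user  from ..."), so it is matched with \S*.
INVALID_RE = re.compile(r"^Invalid user (?P<user>\S*) from (?P<ip>\S+)")
FAILED_RE = re.compile(r"^Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
ACCEPTED_RE = re.compile(r"^Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>\S+)")

# Constructed sample log; the addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
Mar  3 06:12:01 laptop sshd[2201]: Invalid user admin from 203.0.113.5
Mar  3 06:12:01 laptop sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 06:12:04 laptop sshd[2203]: Invalid user admin from 203.0.113.5
Mar  3 06:12:07 laptop sshd[2205]: Invalid user oracle from 203.0.113.5
Mar  3 06:12:09 laptop sshd[2207]: Invalid user  from 198.51.100.9
Mar  3 06:15:30 laptop sshd[2210]: Failed password for joe from 198.51.100.9 port 40022 ssh2
Mar  3 06:15:41 laptop sshd[2210]: Accepted password for joe from 198.51.100.9 port 40022 ssh2
Mar  3 07:00:00 laptop sshd[2300]: Accepted publickey for joe from 192.168.1.103 port 50001 ssh2
Mar  3 07:00:01 laptop sshd[2300]: pam_unix(sshd:session): session opened for user joe by (uid=0)
"""


def parse_auth_log(lines):
    """Turn sshd log lines into events whose kind is invalid, failed or accepted."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an sshd line
        for kind, rx in (("invalid", INVALID_RE), ("failed", FAILED_RE), ("accepted", ACCEPTED_RE)):
            e = rx.match(m.group("msg"))
            if e:
                events.append({"kind": kind, "user": e.group("user"),
                               "ip": e.group("ip"), "ts": m.group("ts")})
                break
    return events


def invalid_user_counts(events):
    """Same answer as the page's awk | sort | uniq -c pipeline: attempts per invalid name."""
    return Counter(e["user"] for e in events if e["kind"] == "invalid")


def attempts_by_source(events):
    """Invalid-user and failed-password attempts grouped by source address."""
    return Counter(e["ip"] for e in events if e["kind"] in ("invalid", "failed"))


def suspicious_logins(events):
    """Successful logins from an address that also produced failures in the same
    log: the pattern left behind when a guessed password finally worked."""
    noisy = attempts_by_source(events)
    return [(e["ts"], e["user"], e["ip"]) for e in events
            if e["kind"] == "accepted" and e["ip"] in noisy]


if __name__ == "__main__":
    evs = parse_auth_log(SAMPLE_LOG.splitlines())
    for name, n in invalid_user_counts(evs).most_common():
        print("%7d %s" % (n, name or "<empty>"))
    for ip, n in attempts_by_source(evs).most_common():
        print("%s: %d attempts" % (ip, n))
    for ts, user, ip in suspicious_logins(evs):
        print("review: %s accepted for %s from %s after failures" % (ts, user, ip))
```

To run it over a real file, replace `SAMPLE_LOG.splitlines()` with the lines of /var/log/auth.log (and auth.log.0); the syslog format assumed here is the traditional one the page shows, not journald output.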
 
For enhanced security, see the [[advanced Advanced Configuration]] page.
 
[[Anchor(advanced)]]
 
== Advanced Configuration ==
 
See [[UbuntuHelp:AdvancedOpenSSH]] for advanced configuration and extra security.
 
== GPG & OpenSSH ==
 
See [[UbuntuHelp:GPGsigningforSSHHowTo]] for using GPG to sign SSH keys.
 
== SSH as a Proxy ==

 
If you can make an SSH connection, you can (most likely) use that connection as a SOCKS proxy without any extra setup on the remote computer. Traffic is tunneled securely through the SSH connection. If you are on an unsecured wireless connection, you can use this to effectively secure all your traffic from snooping. You can also use this to bypass IP restrictions, because you will appear to be connecting from the remote computer.
 
Pick some big port number (bigger than 1024 so you can use it as non-root). Here I choose 1080, the standard SOCKS port. Use the <code><nowiki>-D</nowiki></code> option for dynamic port forwarding.
<pre><nowiki>
ssh -D 1080 user@host
</nowiki></pre>
 
Now, as long as the SSH connection is open, your application can use a SOCKS proxy on port 1080 on your own computer (localhost). For example, in Firefox:
* go to Edit -> Preferences -> Advanced -> Network -> Connection -> Settings...
* check "Manual proxy configuration"
* make sure "Use this proxy server for all protocols" is cleared
* clear "HTTP Proxy", "SSL Proxy", "FTP Proxy", and "Gopher Proxy" fields
* enter "127.0.0.1" for "SOCKS Host", and "1080" (or whatever port you chose) for Port.
 
 
== OpenSSH 4.3 VPNs ==
 
 
OpenSSH 4.3 added the ability to create tunnels; see [[UbuntuHelp:SSH VPN]] for how to set up a VPN using this new feature.
 
 
----
 
[[category:CategoryDocumentation]]
  
 
[[category:UbuntuHelp]]

Revision as of 21:34, 30 November 2007 (Friday)


Logging in to a remote computer over ssh

From *nux

To log in to a remote computer running an SSH server, open a terminal and run ssh <user>@<server> like this:

ssh <username>@<computer name or ip_address>

example:

ssh joe@laptop

example:

ssh [email protected]

Keep Alive

Your ssh session will automatically log out if it is idle. To keep the connection active (alive), add this to /etc/ssh/ssh_config on the client:

ServerAliveInterval 5

This will send a "keep alive" signal to the server every 5 seconds. You can usually increase this interval and I use 120.

Using Putty

Putty is a GUI tool to configure your ssh connection and works on Linux as well as Windows.

sudo apt-get install putty

See the Windows section for further information.

Using SecPanel

SecPanel is an SSH and SCP frontend for OpenSSH.

sudo apt-get install secpanel

From Windows

Using Putty

Putty is a graphical tool available here: Download Putty. Once the connection is made you will be given a Terminal (Command Line Interface). If you generated a Public Key (see next section) you will need to import it into Putty. Download puttygen.exe from the Putty site above and use it to import your OpenSSH key. There is a walkthrough for how to do this here. Otherwise you can generate a key with puttygen (I do not think you can import a Putty key into OpenSSH).

Keep alive

Your Putty (ssh) session will automatically log out if it is idle. To keep the connection active (alive), before you make the connection, select "Connection" on the left and in the box "Seconds between keepalives (0 to turn off)" enter 120 (this = 120 seconds).

Using Cygwin

Cygwin is a Unix-like environment for Windows. You can download it here: Cygwin. To install it, run the Setup.exe and choose a server. To use ssh you need to install the openssh package (it includes BOTH a server and client). It is located under "Net" and is called openssh. You then launch Cygwin as a .bat file and you get a Terminal Interface (Cygwin on Windows, running zsh). You then use ssh from the Cygwin shell as you normally would on *nix (see above).

Keep Alive

See the "Keep alive" section under *nix above.

Transferring Files Remotely With SSH

Graphically

From Gnome

Nautilus can access remote computers via SSH, and browse and transfer files. Click Places -> Connect to Server. Select SSH for Service Type, write the name or IP address of the computer you're connecting to in Server, the user you'd like to connect as in User Name, and a name for the connection if you wish. Files can be copied by dragging and dropping between this window and other windows.

From KDE

Konqueror can access remote computers via SSH, and browse and transfer files. Open Konqueror, and in the address bar type:

fish://username@server_address

Files can be copied by dragging and dropping them between this window or tab and other windows or tabs.

Using SecPanel

SecPanel is an SSH and SCP frontend for OpenSSH.

sudo apt-get install secpanel

From Windows

WinSCP can be used to transfer files between Linux machines running SSH and Windows. WinSCP is capable of using either scp or sftp. You can download it for free from the WinSCP website. Note: WinSCP uses Putty keys (see the Using Putty section).

Using the Command Line (Terminal)

To copy a file from your computer to another computer with ssh you will need to use secure copy, the scp command. The command looks like this:

scp <file> <username>@<IP address or hostname>:<DestinationDirectory>

An example: copying file.txt from my local computer to a remote computer, and placing it in the /home/joe/downloads directory:

scp file.txt [email protected]:downloads/

Another example:

scp "New Document.odw" joe@laptop:"/home/joe/Summer 2005"

So you have to include the <file>, the <username> of the computer you are logging into, and the <ipaddress> and <DestinationDirectory> to which the file is going to be copied. To copy files from remote computers to your local disk:

scp [email protected]:/home/hornbeck/otherfile.txt .

The '.' means to copy the file to the current directory. You could instead put 'my.txt' and the file would be renamed during copying.

Two handy options to scp are '-r' and '-C'. '-r' enables recursive copying, for when you want to copy an entire directory tree. '-C' enables compression, which will probably improve the transfer speed. '-C' is also an option for ssh and sftp.

Important: you cannot move files between two remote computers. Either the source or destination must be a local file. However, if you log in to one of the remote machines via ssh, you can copy files between two remote machines.

Note that if your local userid is the same as the remote userid then the user@ part can be omitted. Also, if the remote directory is omitted, the home directory will be used.

scp 192.168.1.103:file.txt .

Advanced options

Forward X

To forward X, check in /etc/ssh/sshd_config to be sure you have allowed X forwarding (it is enabled by default). Look for this line:

X11Forwarding yes

Single Applications

You can forward graphical applications with the -X option.

ssh -X user@server

Once the connection is made, enter your command in the terminal, for example firefox &. This will start Firefox on the server and forward the Firefox interface to the client. You can do this as a single command/application if you like:

ssh -XC user@server firefox

Entire Desktop

In order to do this you must enter the command from a console (Ctrl-Alt-F1) and not from a terminal in X.

  1. Switch to a console session (Ctrl-Alt-F1 or Ctrl-Alt-F2; to return, Ctrl-Alt-F7).
  2. Start a ssh connection in conjunction with xinit:

xinit -e ssh -XCT user@server fluxbox -- :1
  • Substitute gnome-session, xfce4-session, or startkde for fluxbox as needed (I use fluxbox as an example as it is a light weight window manager).
  • -C allows compression
  • the -- :1 starts a session on your second virtual console located at Ctrl-Alt-F8 (your first is at Ctrl-Alt-F7)

Note: If you would like to forward the entire desktop you will likely discover that tunneling a VNC connection is faster. See also the VNC Over SSH and FreeNX pages on the Ubuntu wiki.

Nested windows

You may use Xephyr to give you an X server within your current server. (Figure: two SSH-forwarded desktops on dual monitors.) See the Ubuntu forums thread "How to Xephyr" (it is short). Connections are encrypted and compressed.

Running single commands on the open-ssh server

You can run a single command on the OpenSSH server by adding the command to the end of the ssh command.

ssh -fCT user@server <command>

  • -f = Allows ssh to close after the connection is established.
  • -C = Use compression.
  • -T = No terminal session will be started.

Mounting directories using sshfs

sshfs will allow you to mount directories from the OpenSSH server on your client, very similar to NFS. See the SSHFS page on the Ubuntu wiki.

Tunneling VNC connections through ssh

This obviously increases the security of your VNC sessions. See the VNC Over SSH page on the Ubuntu wiki.

Public key authentication

Formerly everybody used the typical username/password authentication. However, if someone guessed or sniffed your password then security was compromised. For quite some time SSH has offered public key authentication. It uses private and public keys instead of simple passwords. Unless you already have a private key, you first need to create one. Enter:

ssh-keygen -t dsa

You will then be asked where to save the private key (just accept the default location) and to choose a passphrase. The passphrase is used to encrypt your private key. Everybody that gets access to your (unprotected) private key will have your permissions on other computers. Please take a moment and think of a really good password. See UbuntuHelp:ChoosingSecurePassword if you do not know what that means.

Now to gain access to other computers they need to trust your public key. Your public key was created along with the new private key. It is usually located at:

~/.ssh/id_dsa.pub

The target user needs to have this key (it is a line of ASCII characters) in its authorized key file located at:

~/.ssh/authorized_keys

on the target system. So either just copy and paste the line into the authorized_keys file, or use the "ssh-copy-id" command like this:

ssh-copy-id -i ~/.ssh/id_dsa.pub root@fileserver01

You will be asked for the root password of that computer. If password authentication is disabled then you need to copy and paste your key using another medium. After your public key has been added you are trusted. Note: in order to use ssh-copy-id you need to have saved your passphrase to the ssh-agent using ssh-add (see the ssh-agent section below). Run:

ssh root@fileserver01

and you should no longer be asked for the password but for the passphrase. Please note that the password and the passphrase do different things. The password is saved in the /etc/passwd of the target system. The passphrase is used to decrypt your private key on your system. To reiterate: the actual security of public key authentication over password authentication is that two things are needed to get access:

  • your (encrypted) private key
  • your passphrase (which is needed to decrypt the private key)

So if you would choose no passphrase at all (which is possible, see the next section) you would have even less security than using a password alone.

Note: password based authentication is enabled by default in Ubuntu. If you want to stop users from logging in remotely using passwords, disable password authentication manually by setting "PasswordAuthentication no" in the file /etc/ssh/sshd_config. Do not forget to restart your ssh server after changing the configuration (sudo /etc/init.d/ssh restart).

Restricting SSH access

When using SSH public key authentication there is another nifty feature. The target server can restrict which commands you are allowed to run. If you maintain a CVS repository you could use lines like this in the authorized_keys file:

command="/usr/bin/cvs server" ssh-dss AAAAB3N....

This would allow only this command to be run, and nothing else.

Automated access in batch scripts

Public key authentication can also be used to automate tasks that would usually require typing in a password. Imagine you want to copy a file from a remote computer every midnight. All you need to do is establish the trust between those two computers. Create a service account on one computer, create a keypair (ssh-keygen -t dsa) and when asked for a passphrase just press 'ENTER'. This will leave the private key unprotected. Add the public key to the other computer's authorized_keys file (ssh-copy-id). Now you can SSH to that machine without being asked for a passphrase. Add an SSH call to your crontab and you are set.

Warning: be careful! Having an unprotected private key may be a security hole. Hackers would only need to get access to the private key and could access the target computer.
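
As an added example (not from the wiki page) for both the command restriction above and the unprotected batch-job key, the page's forced-command line beside a tightened version: the key may only be used from one client address, cannot open port, X11 or agent forwards, and gets no terminal, so a leaked key is only good for that one command from that one host. The key material is the page's placeholder and the export script path is hypothetical.

```text
# Added example, not from the Ubuntu wiki page. These lines go in ~/.ssh/authorized_keys
# on the target machine; AAAAB3N.... stands for the real public key, as on the page.

# As on the page: the key is limited to "cvs server", but it can still request
# port forwarding, X11 forwarding, agent forwarding and a pty.
command="/usr/bin/cvs server" ssh-dss AAAAB3N....

# Tightened: same forced command, only from one client address, no forwarding, no pty.
from="192.168.1.103",command="/usr/bin/cvs server",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-dss AAAAB3N....

# For the nightly copy job: the passphrase-less service key can only run one
# (hypothetical) export script, so it cannot be used for an interactive session.
from="192.168.1.103",command="/usr/local/bin/nightly-export.sh",no-port-forwarding,no-X11-forwarding,no-agent-forwarding,no-pty ssh-dss AAAAB3N....
```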

Using the ssh-agent

If you frequently need to copy files over SSH or access other computers in your network (which is a common task for administrators) you probably wonder if there is a way to simplify entering the passphrase. Actually there is: it's called the SSH agent. You only need to enter your passphrase once using "ssh-add" and everything you start as a subprocess of the SSH agent will remember that passphrase. Too much theory? Well, you will not need to worry about the agent. Your X session is already run in an ssh-agent session automatically. All you need to do is launch "ssh-add" and type in your passphrase. Next time you use SSH to access another computer you will not have to enter your passphrase again.

Important: you should lock your screen if you leave your desktop. Other people could access other computers from your computer over ssh without even knowing your passphrase. If you would like to be asked for the passphrase once after login to Ubuntu you can add a call to "ssh-add" like this:

  • Click on System
  • Choose Preferences
  • Choose Sessions
  • Select the Startup Programs tab
  • Click on Add
  • Enter "ssh-add" as a command

After the next login you should be asked for the passphrase. KDE users can also make use of ssh-add. Open a Konsole session:

  • Click on Kmenu
  • Choose System
  • Choose Konsole Terminal Program

At the command prompt, type:

user@user-computer:~$ ln -s /usr/bin/ssh-add .kde/Autostart
