“UbuntuHelp:SSHHowto”的版本间的差异

2008年5月9日 (五) 19:22的版本

文章出处:

https://help.ubuntu.com/community/SSHHowto

点击翻译:

English

请不要直接编辑翻译本页，本页将定期与来源同步。

1. title SSH

Parent page: Internet and Networking

Introduction

OpenSSH provides secure remote access, including command line sessions, graphical apps via X forwarding, and file transfer using secure copy (SCP) and Secure FTP protocols. Additionally, it can act as a encrypting tunnel for other protocols via port forwarding. SSH replaces older, insecure apps like telnet, rlogin, and FTP. These older apps transmit passwords across the Internet without encryption, meaning the password could easily be stolen. By providing encryption, SSH fixes these problems.

Installing the SSH Server

If you want to securely connect to your machine from a remote computer, even a MS Windows machine using Putty, then you need to install a server that allows you to connect. Ubuntu uses the openssh-server for which you need the openssh-server package.

# sudo apt-get install openssh-server

Logging in to a remote computer over ssh

From *nux

To login a remote computer running a ssh-server, open a terminal and log in with ssh <user>@<server> like this:

ssh <username>@<computer name or ip_address>

example:

ssh joe@laptop

example:

ssh [email protected]

Keep Alive

Your ssh session will automatically log out if it is idle. To keep the connection active (alive) add this to /etc/ssh/ssh_config on the client. ServerAliveInterval 5 This will send a "keep alive: signal to the server every 5 seconds. You can usually increase this interval and I use 120.

Using Putty

Putty is a gui tool to configure your ssh connection and works on Linux as well as windows. sudo apt-get install putty See the windows section for further information.

Using SecPanel

SecPanel is an SSH and SCP frontend for OpenSSH sudo apt-get install secpanel

From Windows

Using Putty

Putty is a graphical tool available here : Download Putty [1] Once the connection is made you will be given a Terminal (Command Line Interface). If you generated a Public Key (see next section) you will need to import it to Putty. Download puttygen.exe from th ePutty site above and use it to import your open-ssh key. There is a walk through for how to do this here Otherwise you can generate a key with puttygen (I do not think you can import a putty key to open-ssh)

Keep alive

Your putty (ssh) session will automatically log out if it is idle. To keep the connection active (alive), before you make the connection, select "Connection" on the left and in the box " Seconds between keepalives (0 to turn off) enter 120 (this = 120 seconds).

Using Cygwin

Cygwin is a unix like environment for Windows. You can download it here : Cygwin To install it run the Setup.exe , choose a server. To use ssh you need to install the openssh package (it includes BOTH a server and client). It is located under "Net" and is called openssh [2] You then launch Cygwin as a .bat file and you get a Terminal Interface : Cygwin on Windows, running zsh : [3] You then use ssh from the Cygwin shell as you normally would on *nix (see above)

Keep Alive

See the "Keep alive" section under *nix above.

Transferring Files Remotely With SSH

Graphically

From Gnome

Nautilus can access remote computers via SSH, and browse and transfer files. Click Places -> Connect to Server. Select SSH for Service Type, write the name or IP address of the computer you're connecting to in Server, the user you'd like to connect as in User Name, and a name for the connection if you wish. Files can be copied by dragging and dropping between this window and other windows.

From KDE

Konqueror can access remote computers via SSH, and browse and transfer files. Open Konqueror, and in the address bar type:

fish://username@server_address

Files can be copied by dragging and dropping them between this window or tab and to other windows or tabs.

Using SecPanel

SecPanel is an SSH and SCP frontend for OpenSSH sudo apt-get install secpanel

From Windows

WinSCP can be used to transfer files between Linux machines running SSH and Windows. WinSCP is capable of using either scp or sftp. You can download it for free from [4]. [5] Note: Winscp uses Putty keys (See the Using Putty section below)

Using the Command Line (Terminal)

To copy a file from your computer to another computer with ssh you will need to use secure copy, the scp command. The command would look like this.

scp <file> <username>@<IP address or hostname>:<DestinationDirectory>

An example: Copying file.txt from my local computer to a remote computer, and placing it in the /home/joe/downloads directory

scp file.txt [email protected]:downloads/

Another example:

scp "New Document.odw" joe@laptop:"/home/joe/Summer 2005"

So you have to include the <file>, the <username> of the computer you are logging into and the <ipaddress> and <Destination``Directory> for which the file is going to be moved to. To copy files from remote computers to your local disk:

scp [email protected]:/home/hornbeck/otherfile.txt .

The '.' means to copy the file to the current directory. You could instead put 'my.txt' and the file would be renamed during copying. Two handy options to scp are '-r' and '-C'. '-r' enables recursive copying, for when you want to copy an entire directory tree. '-C' enables compression, which will probably improve the transfer speed. '-C' is also an option for ssh and sftp. Important: you can not move files between two remote computers. Either the source or destination must be a local file. However, if you login to one of the remote machines via ssh, you can copy files between two remote machines. Note that if your local userid is the same as the remote userid then the user@ part can be omitted. Also, if the remote directory is omitted, the home directory will be used.

scp 192.168.1.103:file.txt .

Advanced options

Forward X

To forward X check in /etc/ssh/sshd_config to be sure you have allowed X forwarding (it is enabled by default) Look for this line :

X11Forwarding yes

Single Applications

You can forward graphical applications with the -X option.

ssh -X user@server

Once the connection is made enter your command in the terminal, firefox & for example. This will start Firefox on the server and forward the Firefox interface to the client. You can do this as a single command/application if you like :

ssh -XC user@server firefox

If you start an application and it complains that it cannot find the display, make sure that xauth is installed. It is installed by default with desktop installations, but not server installations. If echo $DISPLAY yields nothing, trying first installing xauth to correct the deficiency.

sudo apt-get install xauth

Entire Desktop

In order to do this you must enter the command from a console (Ctrl-Alt-F1) and not from a terminal in X 1. Switch to a console session (Ctrl-Alt-F1 or Ctrl-Alt-F2. To return Ctrl-Alt-F7) 2. Start a ssh connection in conjunction with xinit :

xinit -e ssh -XCT user@server fluxbox -- :1

• Substitute gnome-session, xfce4-session, or startkde for fluxbox as needed (I use fluxbox as an example as it is a light weight window manager).
• -C allows compression
• the -- :1 starts a session on your second virtual console located at Ctrl-Alt-F8 (your first is at Ctrl-Alt-F7)

Note: If you would like to forward the entire desktop you will likely discover tunneling a VNC connection is faster. See slso Vnc Over SSH Ubuntu Wiki and FreeNX Ubuntu Wiki

Nested windows

You may use Xephyr to give you an X server within your current server. Two ssh forwarded desktops on dual monitors, click to enlarge Ubuntu forums, How to Xephyr ~ it is short Connections are encrypted and compressed.

Running single commands on the open-ssh server

You can run a single command on the open-ssh server by adding the command to the end of the ssh command.

ssh -fCT user@server <command>

-f = Allows ssh to close after the connection is established.
-C = Use Compression
-T = No terminal session will be started

Mounting directories using sshfs

sshfs will allow you to mount directories from the open-ssh server to your client very similar to nfs SSHFS Ubuntu Wiki

Tunneling VNC connections through ssh

This obviously increases the security of your VNC sessions. VNC Over SSH Ubuntu Wiki Anchor(public-key-auth)

Public key authentication

Formerly everybody has used the typical username/password authentication. However if someone had guessed or sniffed your password then security was compromised. For quite some time SSH has offered public key authentication. It uses private and public keys instead of simple passwords. Unless you already have a private key you first need to create one. Enter:

ssh-keygen -t dsa

You will then be asked where to save the private key (just accept the default location) and to choose a passphrase. The passphrase is used to encrypt your private key. Everybody that gets access to your (unprotected) private key will have your permissions on other computers. Please take a moment and think of a really good password. See ChoosingSecurePassword if you do not know what that means. Now to gain access to other computers they need to trust your public key. Your public key was created along with the new private key. It is usually located at:

~/.ssh/id_dsa.pub

The target user needs to have this key (it is a line of ASCII characters) in its authorized key file located at:

~/.ssh/authorized_keys

on the target system. So either just copy and paste the line into the authorized_keys file, or use the "ssh-copy-id" command like this:

ssh-copy-id -i ~/.ssh/id_dsa.pub root@fileserver01

You will be asked for the root password of that computer. If password authentication is disabled then you need to copy and paste your key using another medium. After your public key has been added you are trusted. In order to use ssh-copy-id you need to have saved your passphrase to the ssh-agent ssh-agent using ssh-add (ssh-agent see below). Run:

ssh root@fileserver01

and you should no longer be asked for the password but for the passphrase. Please note that the password and the passphrase do different things. The password is saved in the /etc/passwd of the target system. The passphrase is used to decrypt your private key on your system. To reiterate: the actual security of public key authentication over password authentication is that two things are needed to get access:

• your (encrypted) private key
• your passphrase (which is needed to decrypt the private key)

So if you would choose no password at all (which is possible - see the next section) you would have even less security than using a password alone. Password based authentication is enabled per default in Ubuntu. If you want to stop users from logging in remotely using passwords, disable password authentication manually, by setting "Password``Authentication no" in the file /etc/ssh/sshd_config. Do not forget to restart your ssh server after changing the configuration (sudo /etc/init.d/ssh restart). Anchor(restrict-ssh-access)

Restricting SSH access

When using SSH public key authentication there is another nifty feature. The target server can restrict which commands you are allowed to run. If you maintain a CVS repository you could use lines like this in the authorized_keys file: command="/usr/bin/cvs server" ssh-dss AAAAB3N.... This would allow only this command to be run, and nothing else.

Automated access in batch scripts

public-key-auth Public key authentication can also be used to automate tasks that would usually require typing in a password. Imagine you want to copy a file from a remote computer every midnight. All you needed to do is establish the trust between those two computers. Create a service account on one computer, create a keypair (ssh-keygen -t dsa) and when asked for a passphrase just press 'ENTER'. This will leave the private key unprotected. Add the public key to the other computer's authorized_keys file (ssh-copy-id). Now you can SSH to that machine without being asked for a passphrase. Add an SSH call to your crontab and you are set. Be careful! Having an unprotected private key may be a security hole. Hackers would only need to get access to the private key and could access the target computer. Because this is an unsecure method, you should avoid using your normal public/private key pair and instead generate a new key pair that you only use for this one batch connection. That way, your normal key pair is still passphrase-protected. You can do this by specifying a different filename when prompted by ssh_keygen(1) as described in public-key-auth Public key authentication. Coupled with specifying the only command the remote machine is allowed to run, as described in restrict-ssh-access Restricting SSH access, this means someone who gains access to your account would still need the passphrase to do anything other than run the specified remote commands on your batch machines. Anchor(ssh-agent)

Using the ssh-agent

If you frequently need to copy files over SSH or access other computers in your network (which is a common task for administrators) you probably wonder if there is way to simplify entering the passphrase. Actually there is - it's called the SSH agent. You only need to enter your passphrase once using "ssh-add" and everything you start as a subprocess of the SSH agent will remember that passphrase. Too much theory? Well, you will not need to worry about the agent. Your X session is already run in an ssh-agent session automatically. All you need to do is launch "ssh-add" and type in your passphrase. Next time you use SSH to access another computer you will not have to enter your passphrase again. Important: You should lock your screen if you leave your desktop. Other people could access other computers from your computer over ssh without even knowing your passphrase. If you like to be asked for the passphrase once after login to Ubuntu you can add a call to "ssh-add" like this:

• Click on System
• Choose Preferences
• Choose Sessions
• Select the Startup Programs tab
• Click on Add
• Enter "ssh-add" as a command

After the next login you should be asked for the passphrase. KDE users can also make use of ssh-add: Open a Konsole session:

• Click on Kmenu
• Choose System
• Choose Konsole Terminal Program

At the command prompt, type:

user@user-computer:~$ ln -s /usr/bin/ssh-add .kde/Autostart

Logout of your KDE session and login again. A menu will pop up at startup asking for your SSH passphrase.

Security

User logins and other data are stored in /var/log/auth.log (and auth.log.0, etc.). If you would like to see if anybody has attempted to login to your system, you can examine the log files. The command:

awk '/Invalid user/ {print $8}' /var/log/auth.log{,.0} | sort | uniq -c

will show you who (often an automated attack) has attempted to login with an Invalid Username, preceded by the number of times that name was used. For a list of users and where they logged in the "last" command, and "lastb" (last bad) should allow for a quick check. For enhanced security, see the advanced Advanced Configuration page. Anchor(advanced)

Advanced Configuration

See AdvancedOpenSSH for advanced configuration and extra security.

GPG & OpenSSH

See GPGsigningforSSHHowTo for using GPG to sign SSH keys.

SSH as a Proxy

If you can make an SSH connection, you can (most likely) use that connection as a SOCKS proxy without any extra setup on the remote computer. Traffic is tunneled securely through the SSH connection. If you are on an unsecured wireless connection, you can use this to effectively secure all your traffic from snooping. You can also use this to bypass IP restrictions because you will appear to be connecting from the remote computer. Pick some big port number (bigger than 1024 so you can use it as non-root). Here I choose 1080, the standard SOCKS port. Use the -D option for dynamic port forwarding.

ssh -D 1080 user@host

Now as long as the SSH connection is open, your application can use a SOCKS proxy on port 1080 on your own computer (localhost). For example, in Firefox:

• go to Edit -> Preferences -> Advanced -> Network -> Connection -> Settings...
• check "Manual proxy configuration"
• make sure "Use this proxy server for all protocols" is cleared
• clear "HTTP Proxy", "SSL Proxy", "FTP Proxy", and "Gopher Proxy" fields
• enter "127.0.0.1" for "SOCKS Host", and "1080" (or whatever port you chose) for Port.

OpenSSH 4.3 VPNs

OpenSSH 4.3 added the ability to create tunnels; see SSH VPN for how to set up a VPN using this new feature.

See also

• Recovery/Remote