Category: LINUX

2008-01-13 07:41:10

1>Overview (quoted):
SSH stands for Secure SHell. By using SSH you can encrypt all transmitted data, so that the "man-in-the-middle" attack becomes impossible, and DNS and IP spoofing are prevented as well. An extra benefit is that the transmitted data is compressed, which can speed up transfers. SSH has many uses: it can replace telnet, and it can also provide a secure "channel" for ftp, pop and even ppp.

SSH was originally developed by a Finnish company. But because of copyright and encryption-algorithm restrictions, many people have switched to OpenSSH. OpenSSH is a replacement for SSH, and it is free; it can be expected that more and more people will use it instead of SSH in the future.

SSH consists of client and server software; there are two incompatible versions, 1.x and 2.x. An SSH 2.x client program cannot connect to an SSH 1.x server program. OpenSSH 2.x supports both SSH 1.x and 2.x.

How SSH authentication works
From the client's point of view, SSH provides two levels of authentication.

The first level (password-based authentication): as long as you know your account and password, you can log in to the remote host. All transmitted data is encrypted, but there is no guarantee that the server you are connecting to is the one you intended to connect to. Another server may be impersonating the real server, that is, you may be subject to a "man-in-the-middle" attack.

The second level (key-based authentication) relies on keys: you must create a key pair for yourself and place the public key on the server you need to access. When you connect to the SSH server, the client software sends the server a request asking to authenticate with your key. After receiving the request, the server first looks for your public key in your home directory on that server, then compares it with the public key you sent. If the two keys match, the server encrypts a "challenge" with the public key and sends it to the client software. After receiving the "challenge", the client software decrypts it with your private key and sends it back to the server.

With this method, you must know the passphrase of your key. But compared with the first level, the second level does not send a password over the network.

The second level not only encrypts all transmitted data, but also makes the "man-in-the-middle" attack impossible (because the attacker does not have your private key). However, the whole login process may take about 10 seconds.



2>Install:
# useradd -d /dev/null -s /sbin/nologin sshd
# ./configure --prefix=/usr --sysconfdir=/etc/ssh
# make
# make install
# cp contrib/redhat/sshd.init /etc/rc.d/init.d/sshd
# chkconfig --add sshd
# service sshd start


3>Generate server host key (remote server end; optional if you don't want to change the default server host key):
# ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key  (the file name can be anything you want)
Generating public/private rsa key pair.
/etc/ssh/ssh_host_rsa_key already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /etc/ssh/ssh_host_rsa_key.
Your public key has been saved in /etc/ssh/ssh_host_rsa_key.pub.
The key fingerprint is:
09:ed:d2:23:e5:42:a7:3d:3a:4b:78:25:7d:d7:a4:01 root@ssn

# vi /etc/ssh/sshd_config
change to (if you changed the key file name, change it accordingly):
========================================
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
========================================

# vi /etc/init.d/sshd
change to (if you changed the key file name, change it accordingly):
========================================
RSA1_KEY=/etc/ssh/ssh_host_key
RSA_KEY=/etc/ssh/ssh_host_rsa_key
DSA_KEY=/etc/ssh/ssh_host_dsa_key
========================================




4>Generate user key pair (local user end):
$ ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/sense/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/sense/.ssh/id_rsa.
Your public key has been saved in /home/sense/.ssh/id_rsa.pub.
The key fingerprint is:
d2:1c:bd:d6:01:31:b7:b7:00:3d:ea:3b:02:6d:a3:bf sense@ssn

[Note]
Remember the passphrase set here; we'll need it the next time we log in to the remote server, in place of the remote account's real password.

$ ls
id_rsa  id_rsa.pub




5>Copy the local user's id_rsa.pub to the server (remote server end):
$ cp {local-user-end-id_rsa.pub} ~/.ssh/authorized_keys

[Note]
If you haven't copied your public key to the remote server, then when you ssh to it, it will ask for the password of the remote account.
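The step above copies the key into place with cp, which overwrites any keys already in authorized_keys and leaves whatever permissions the umask gives; sshd (with its default StrictModes) refuses a key file that is writable by others. The following is an added example, not part of the original post, of doing the same step idempotently with the modes sshd expects; the function names and the key file format check ("<type> <base64> [comment]") are this example's own assumptions.

```shell
#!/bin/sh
# install_pubkey PUBKEY_FILE TARGET_HOME
# Appends the first line of PUBKEY_FILE to TARGET_HOME/.ssh/authorized_keys,
# creating the directory and file with modes 700/600 (what sshd's StrictModes
# checks), and skipping the append if that exact key is already present.
# Returns 0 on success, 1 if the file does not look like an OpenSSH public key.
install_pubkey() {
    pubkey_file=$1
    target_home=$2
    ssh_dir="$target_home/.ssh"
    auth_keys="$ssh_dir/authorized_keys"

    # Accept only a line starting with a key type OpenSSH recognises.
    key_line=$(head -n 1 "$pubkey_file")
    case "$key_line" in
        "ssh-rsa "*|"ssh-ed25519 "*|"ecdsa-sha2-nistp256 "*|"ssh-dss "*) ;;
        *) echo "not an OpenSSH public key: $pubkey_file" >&2; return 1 ;;
    esac

    # Create ~/.ssh and authorized_keys with safe modes regardless of umask.
    mkdir -p "$ssh_dir"
    chmod 700 "$ssh_dir"
    touch "$auth_keys"
    chmod 600 "$auth_keys"

    # Append only if this exact line is absent (cp would clobber other keys).
    if ! grep -qxF "$key_line" "$auth_keys"; then
        printf '%s\n' "$key_line" >> "$auth_keys"
    fi
    return 0
}

# count_keys TARGET_HOME: number of lines in the user's authorized_keys.
count_keys() {
    wc -l < "$1/.ssh/authorized_keys" | tr -d ' '
}

# check_modes TARGET_HOME: succeeds only when ~/.ssh is exactly 0700 and
# authorized_keys is exactly 0600, the combination StrictModes accepts.
check_modes() {
    [ -n "$(find "$1/.ssh" -prune -perm 0700 -print)" ] &&
    [ -n "$(find "$1/.ssh/authorized_keys" -prune -perm 0600 -print)" ]
}
```

Run it as the target user on the server (sshd also checks that ~/.ssh and authorized_keys are owned by that user), for example `install_pubkey /tmp/id_rsa.pub "$HOME"`.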



6>SSH connection test (local user end):
$ ssh -l sense 192.168.2.1 (public key not yet copied to the remote server end)
sense:192.168.2.1's password:
$ ssh -l sense 192.168.2.1 (public key has been copied to the remote server end)
Enter passphrase for key '/home/sense/.ssh/id_rsa':

[Note]
When a key file is used for authentication, you get three tries at the passphrase; after that it falls back to the remote account's password authentication.



7>Use ssh-agent (local user end; it caches your passphrase until you log out, saving you time):
# exec /usr/bin/ssh-agent $SHELL
# ssh-add
Enter passphrase for /home/sense/.ssh/id_rsa:
# ssh 192.168.2.1
Last login: Thu Oct 18 21:31:02 2007 from 192.168.2.90
[sense@ssn ~]$



8>Configuration files:
/usr/local/openssh/etc/ssh_config: local user end (client) global configuration file.
/usr/local/openssh/etc/sshd_config: remote server end global configuration file.
~/.ssh/config: local user end per-user configuration file.
To create the per-user configuration file:
cp /usr/local/openssh/etc/ssh_config ~/.ssh/config



9>ssh commands
ssh:
ssh username@192.168.2.1
ssh -l username 192.168.2.1

scp:
copy a file to the remote server:
scp local_file_name username@192.168.2.1:/home/username
get a file from the remote server:
scp username@192.168.2.1:/remotefile /local_file_name