Category: LINUX
2010-01-04 13:36:13
Using the ssh command
SSH(1) BSD General Commands Manual SSH(1)

NAME
ssh - OpenSSH SSH client (remote login program)

SYNOPSIS
ssh [-l login_name] hostname | user@hostname [command]
ssh [-afgknqstvxACNTX1246] [-b bind_address] [-c cipher_spec] [-e escape_char] [-i identity_file] [-l login_name] [-m mac_spec] [-o option] [-p port] [-F configfile] [-L port:host:hostport] [-R port:host:hostport] [-D port] hostname | user@hostname [command]

DESCRIPTION
ssh (SSH client) is a program for logging into a remote machine and for executing commands on a remote machine. It is intended to replace rlogin and rsh, and to provide secure encrypted communications between two untrusted hosts over an insecure network. X11 connections and arbitrary TCP/IP ports can also be forwarded over the secure channel.

.........

X11 and TCP forwarding
If the ForwardX11 variable is set to "yes" (or see the description of the -X and -x options below) and the user is using X11 (the DISPLAY environment variable is set), the connection to the X11 display is automatically forwarded to the remote side in such a way that any X11 programs started from the shell (or command) go through the encrypted channel, and the connection to the real X server is made from the local machine. The user should not set DISPLAY manually. Forwarding of X11 connections can be configured on the command line or in the configuration files.

The DISPLAY value set by ssh points to the server machine, but with a display number greater than zero. This is normal, because ssh creates a "proxy" X server on the server machine for forwarding the connections over the encrypted channel.

ssh also automatically sets up Xauthority data on the server machine. For this purpose it generates a random authorization cookie, stores it in Xauthority on the server, verifies that any forwarded connection carries this cookie, and replaces it with the real cookie when the connection is opened. The real authentication cookie is never sent to the server machine (and no cookies are sent in the clear).

If the ForwardAgent variable is set to "yes" (or see the description of the -A and -a options below) and the user is using an authentication agent, the connection to the agent is automatically forwarded to the remote side.

Forwarding of arbitrary TCP/IP connections over the secure channel can be specified either on the command line or in a configuration file. One possible application of TCP/IP forwarding is a secure connection to an electronic purse; another is going through firewalls.

The options are as follows:

............

-x Disables X11 forwarding.

-X Enables X11 forwarding. This can also be specified on a per-host basis in a configuration file.
X11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the user's X authorization database) can access the local X11 display through the forwarded connection. An attacker may then be able to perform activities such as keystroke monitoring.

............
The ssh_config configuration file
SSH_CONFIG(5) BSD File Formats Manual SSH_CONFIG(5)

NAME
ssh_config - OpenSSH SSH client configuration files

SYNOPSIS
~/.ssh/config
/etc/ssh/ssh_config

DESCRIPTION
ssh(1) obtains configuration data from the following sources in the following order:

1. command-line options
2. user's configuration file (~/.ssh/config)
3. system-wide configuration file (/etc/ssh/ssh_config)

For each parameter, the first obtained value will be used. The configuration files contain sections separated by ``Host'' specifications, and that section is only applied for hosts that match one of the patterns given in the specification. The matched host name is the one given on the command line.

Since the first obtained value for each parameter is used, more host-specific declarations should be given near the beginning of the file, and general defaults at the end.

............

ForwardAgent
Specifies whether the connection to the authentication agent (if any) will be forwarded to the remote machine. The argument must be ``yes'' or ``no''. The default is ``no''.
Agent forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the agent's Unix-domain socket) can access the local agent through the forwarded connection. An attacker cannot obtain key material from the agent, however they can perform operations on the keys that enable them to authenticate using the identities loaded into the agent.

ForwardX11
Specifies whether X11 connections will be automatically redirected over the secure channel and DISPLAY set. The argument must be ``yes'' or ``no''. The default is ``no''.
X11 forwarding should be enabled with caution. Users with the ability to bypass file permissions on the remote host (for the user's X11 authorization database) can access the local X11 display through the forwarded connection. An attacker may then be able to perform activities such as keystroke monitoring if the ForwardX11Trusted option is also enabled.

ForwardX11Trusted
If this option is set to ``yes'', remote X11 clients will have full access to the original X11 display.
If this option is set to ``no'', remote X11 clients will be considered untrusted and prevented from stealing or tampering with data belonging to trusted X11 clients. Furthermore, the xauth(1) token used for the session will be set to expire after 20 minutes. Remote clients will be refused access after this time.
The default is ``yes'' (Debian-specific).
See the X11 SECURITY extension specification for full details on the restrictions imposed on untrusted clients.

............
Log into the remote host (server) with ssh -X -l username Rhost (Rhost being the remote host, given as an IP address or domain name) or with ssh -X username@Rhost. You can then run X programs that live on the remote host (gvim, firefox and so on) and have their windows displayed on the local machine, much like a remote desktop.
The prerequisite is that the remote machine has openssh-server installed and that its sshd_config allows X11 forwarding:
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none
The local machine has openssh-client installed, with the following added to ssh_config:
ForwardX11 yes
ForwardX11Trusted yes
PS: this apparently is not required.
After the configuration above you can log into the remote host with ssh, run the remote X programs and have them displayed on the local machine; the result is shown in the figure below:
(In the top left of the figure is the gvim window of the local machine (an Ubuntu system); in the bottom right is the window of the gvim started on the remote host (an Arch system in a virtual machine), displayed on the local machine.)
This example gives a deeper understanding of how the X Window System works, that is, of the client/server model behind X server and X client.
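As an added example (not part of the original post), the following POSIX shell script works out which X11 forwarding mode an ssh -X session ends up in, given a client ssh_config and a server sshd_config like the ones above. It mimics the "first obtained value wins" rule from ssh_config(5); the function names and the sample config files are constructed for this illustration, and the ForwardX11Trusted default of "yes" follows the Debian man page quoted in the post (upstream OpenSSH defaults it to "no").

```shell
#!/bin/sh
# Added example, not from the original post: derive the effective X11
# forwarding mode from a client ssh_config and a server sshd_config.

# effective_option FILE KEYWORD DEFAULT
# Prints the value of the first active "Keyword value" (or "Keyword=value")
# line whose keyword matches case-insensitively; comment lines are skipped.
# Falls back to DEFAULT, as ssh does when a keyword is never set.
effective_option() {
    awk -v key="$2" -v def="$3" '
        BEGIN { key = tolower(key); found = 0 }
        /^[[:space:]]*#/ { next }            # comment line
        NF == 0 { next }                     # blank line
        {
            split($0, f, /[[:space:]=]+/)
            i = (f[1] == "") ? 2 : 1         # leading blanks give an empty field
            if (tolower(f[i]) == key) { print f[i+1]; found = 1; exit }
        }
        END { if (!found) print def }' "$1"
}

# x11_mode CLIENT_CONFIG SERVER_CONFIG [-X|-Y]
# Prints "off", "untrusted" or "trusted". -X forces ForwardX11 on and -Y
# also forces ForwardX11Trusted on; otherwise the config files decide.
# The ForwardX11Trusted default is "yes" here (Debian); upstream is "no".
x11_mode() {
    fwd=$(effective_option "$1" ForwardX11 no)
    trusted=$(effective_option "$1" ForwardX11Trusted yes)
    server=$(effective_option "$2" X11Forwarding no)
    case "${3:-}" in
        -X) fwd=yes ;;
        -Y) fwd=yes; trusted=yes ;;
    esac
    if [ "$server" != yes ] || [ "$fwd" != yes ]; then
        echo off
    elif [ "$trusted" = yes ]; then
        echo trusted      # remote X clients get full access to the local display
    else
        echo untrusted    # X11 SECURITY restrictions, xauth token expires after 20 min
    fi
}

# Constructed sample configs, modelled on the snippets in the post.
CLIENT_CFG=$(mktemp); SERVER_CFG=$(mktemp); EMPTY_CFG=$(mktemp)
trap 'rm -f "$CLIENT_CFG" "$SERVER_CFG" "$EMPTY_CFG"' EXIT
printf '%s\n' '#ForwardX11 no' 'ForwardX11 yes' 'ForwardX11Trusted no' > "$CLIENT_CFG"
printf '%s\n' '#X11Forwarding no' 'X11Forwarding yes' 'X11DisplayOffset 10' > "$SERVER_CFG"
x11_mode "$CLIENT_CFG" "$SERVER_CFG" -X    # prints: untrusted
```

Running it against /etc/ssh/ssh_config and the server's sshd_config instead of the constructed files shows whether a plain ssh -X will hand the remote side a trusted or an untrusted display.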
Some applications related to X Window (and remote desktop)
Remote desktop sharing with VNC (supports Windows, Linux, ...)
Using the Cygwin X server for a Linux remote desktop (for Windows)
Some discussion of X server/client: