柔中带刚,刚中带柔,淫荡中富含柔和,刚猛中荡漾风骚,无坚不摧,无孔不入!
全部博文(1669)
分类: LINUX
2011-12-02 17:02:59
一)客户端与服务端的通讯认证流程:
第一阶段:
双方协商SSH版本号和协议,协商过程数据不加密.
SSH-.-
对映如下:
SSH-2.0-OpenSSH_5.3(我们可以通过telnet localhost 22得到SSH的版本号)
第二阶段:
双方协商RSA/DSA主机密钥,数据加密算法,消息摘要.
其中主机密钥用于确认服务端的身份,数据加密算法用于加密通信数据,消息摘要用于校验数据的完整性,登录认证方式.
主要思想是服务端提供各种加密/认证方式,客户端在这中间选择加密/认证方式.
第三阶段:
由于双方已经确认了可以使用的加密算法,消息摘要,协议版本号,主机密钥等信息,这阶段由客户端根据选择的认证方式发起登录验证申请.
服务端对客户端提供的密码等信息进行校验.如认证不通过,则试图进行下一种认证方式的申核,直到成功/失败,或者超时.
第四阶段:
客户端如果校验成功,则服务端会创建一个客户端的session(进程),同时会转送环境变量,最后给客户端一个bash的机会.
我们在客户端用debug的方式进行登录,注意这里只用了debug1.
ssh -v 192.168.27.142
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010 #第一阶段,双方确认协议版本号和ssh版本号
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 192.168.27.142 [192.168.27.142] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type 1
debug1: identity file /root/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: SSH2_MSG_KEXINIT sent #第二阶段,双方确认/支持使用的数据加密算法,消息摘要算法,主机公钥等信息.
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024 debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host ’192.168.27.142′ is known and matches the RSA host key.
debug1: Found key in /home/chenkuo/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /home/chenkuo/.ssh/identity
debug1: Trying private key: /home/chenkuo/.ssh/id_rsa
debug1: Offering public key: /home/chenkuo/.ssh/id_dsa
debug1: Server accepts key: pkalg ssh-dss blen 434
debug1: PEM_read_PrivateKey failed
debug1: read PEM private key done: type
Enter passphrase for key ‘/home/chenkuo/.ssh/id_dsa’:
debug1: read PEM private key done: type DSA
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
Linux test2 2.6.18-4-k7 #1 SMP Mon Mar 26 17:57:15 UTC 2007 i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have new mail.
Last login: Sun May 29 05:21:04 2011 from 192.168.27.134
注:
如果要关闭用DSA公密钥认证的方式,也要将PubkeyAuthentication改成no.
而DSA应用于ssh v2,而RSA在ssh v1上也得到支持.
另外我们可以在ssh配置文件中定义用于公/私钥认证的公钥文件物理位置,默认是:
AuthorizedKeysFile .ssh/authorized_keys
如果采用RSA/DSA这种公/私钥认证方式,我们建议这个采用默认配置,而不去更改它,因为ssh-copy-id等命令传输到被登录服务器的公钥文件就是~/.ssh/authorized_keys,例如:
ssh-copy-id -i /root/.ssh/id_rsa.pub test@192.168.27.142
test@192.168.27.142′s password:
Now try logging into the machine, with “ssh ‘test@192.168.27.142′”, and check in:
.ssh/authorized_keys
to make sure we haven’t added extra keys that you weren’t expecting.
3)关于免密码的登入
在RSA/DSA生成密钥对的时候,不输入口令,直接回车,以这样的密钥对进行登录,将不会提示用户输入密码.
我们先生成RSA密钥对,对下:
ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/chenkuo/.ssh/id_rsa):
/home/chenkuo/.ssh/id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase): 注意这里不要输入密码,直接回车通过
Enter same passphrase again: 同样输入回车
Your identification has been saved in /home/chenkuo/.ssh/id_rsa.
Your public key has been saved in /home/chenkuo/.ssh/id_rsa.pub.
The key fingerprint is:
27:f4:4d:61:5b:02:3f:d3:fc:a3:5b:d4:9b:08:81:64 chenkuo@test2
将id_rsa.pub传输到ssh服务端,如下:
chenkuo@test2:~$ ssh-copy-id -i /home/chenkuo/.ssh/id_rsa.pub chenkuo@192.168.27.142
29
chenkuo@192.168.27.142′s password:
Now try logging into the machine, with “ssh ‘chenkuo@192.168.27.142′”, and check in:
.ssh/authorized_keys
to make sure we haven’t added extra keys that you weren’t expecting.
再次登录ssh服务端,这里不用输入密码,如下:
ssh chenkuo@192.168.27.142
Linux test2 2.6.18-4-k7 #1 SMP Mon Mar 26 17:57:15 UTC 2007 i686
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have new mail.
Last login: Mon May 30 18:48:38 2011 from 192.168.27.134
chenkuo@test2:~$
4)拒绝用UNIX/password的方式登录系统
UNIX/password是传统的认证方式,我们可以通过ssh配置参数拒绝以这种方式登录服务器.
控制UNIX/password的登录方式的配置选项是:
PasswordAuthentication yes
默认是UNIX/password登录方式是开启的,如果关闭UNIX/password登录方式将yes改成no即可,如下:
vi /etc/ssh/sshd_config
PasswordAuthentication no
存盘退出
重启ssh服务:
/etc/init.d/ssh restart
在客户端再次登录,发现没有password登录方式,如下:
ssh -v chenkuo@192.168.27.142
OpenSSH_4.3p2 Debian-9, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 192.168.27.142 [192.168.27.142] port 22.
debug1: Connection established.
debug1: identity file /home/chenkuo/.ssh/identity type -1
debug1: identity file /home/chenkuo/.ssh/id_rsa type 1
debug1: identity file /home/chenkuo/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.3p2 Debian-9
debug1: match: OpenSSH_4.3p2 Debian-9 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3p2 Debian-9
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024 open localhost 2001
Connected to localhost (127.0.0.1).
220 (vsFTPd 2.2.2)
Name (localhost:root): test
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
我们在服务端看到了监听到的数据,如下:
tcpdump -X -n -i eth1 ‘host 192.168.27.143′
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth1, link-type EN10MB (Ethernet), capture size 65535 bytes
20:35:56.392261 IP 192.168.27.1.mgcp-callagent > 192.168.27.143.ssh: Flags [P.], seq 1685371148:1685371200, ack 2463559151, win 15280, length 52
下面都是通过SSH加密后的数据,结果略.
而如果我们没有使用SSH映射的方式进行FTP连接,则会产生明文数据(PASS.123456).
20:30:16.091389 IP 192.168.27.143.43867 > 192.168.27.142.ftp: Flags [P.], seq 11:24, ack 35, win 183, options [nop,nop,TS val 3656782 ecr 9909216], length 13
0×0000: 4510 0041 a4de 4000 4006 dd5a c0a8 1b8f E..A..@.@..Z….
0×0010: c0a8 1b8e ab5b 0015 40ff 06e5 551a 542c …..[..@...U.T,
0x0020: 8018 00b7 0a07 0000 0101 080a 0037 cc4e .............7.N
0x0030: 0097 33e0 5041 5353 2068 6974 6c65 720d ..3.PASS.123456.
0x0040: 0a .
远程转发:
将远程主机(服务器)的某个端口转发到本地端指定机器的指定端口.
下面是一个远程转发的应用:
在SSH服务端执行下面远程转发的命令,其中192.168.27.143为ssh客户端,如下:
ssh -CNf -R 2001:localhost:21 root@192.168.27.143
此时由于ssh远程转发我们会有下面的端口,如下:
netstat -tnp
Active Internet connections (w/o servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 192.168.27.142:48413 192.168.27.143:22 ESTABLISHED 1875/ssh
tcp 0 52 192.168.27.142:22 192.168.27.1:2279 ESTABLISHED 1714/0
我们在客户端上看下如下的端口:
netstat -tulnp|grep 2001
tcp 0 0 127.0.0.1:2001 0.0.0.0:* LISTEN 1651/sshd: root
tcp 0 0 ::1:2001 :::* LISTEN 1651/sshd: root
此时我们可以在客户端上连接本地地址及端口,如下:
[root@ssh-client ~]# ftp
ftp> open localhost 2001
Connected to localhost (127.0.0.1).
220 (vsFTPd 2.2.2)
Name (localhost:root): test
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
注:
我们可以选择远程端口转发的方式来绕过防火墙.
最后我们言归正转,来看一下AllowTcpForwarding选项.
如果采用本地转发方式,例如在客户端执行:ssh -CNf -L 2001:localhost:21 root@192.168.27.142,此时服务端(192.168.27.142)如果AllowTcpForwarding选项是no,则不允许转发.
如果采用远程转发方式,例如在服务端执行:ssh -CNf -R 2001:localhost:21 root@192.168.27.143,此时客户端(192.168.27.143)如果AllowTcpForwarding选项是no,则不允许转发.
10)远程主机连接本地转发端口
GatewayPorts是否允许远程主机连接本地的转发端口.默认值是”no”.
sshd 默认将远程端口转发绑定到loopback地址.这样将阻止其它远程主机连接到转发端口。
GatewayPorts 指令可以让 sshd 将远程端口转发绑定到非loopback地址,这样就可以允许远程主机连接了。
“no”表示仅允许本地连接,”yes”表示强制将远程端口转发绑定到统配地址(wildcard address),
这个配置项是要修改本地转发机的ssh配置,如下:
vi /etc/ssh/ssh_config
GatewayPorts yes
ssh -v -CNf -L 2001:192.168.27.142:22 root@192.168.27.143 /*注意:192.168.27.143为当前客户端的IP,而192.168.27.142是远程SSH服务端*/
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 192.168.27.143 [192.168.27.143] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type 1
debug1: identity file /root/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 zlib@openssh.com
debug1: kex: client->server aes128-ctr hmac-md5 zlib@openssh.com
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024 debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host ’192.168.27.143′ is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:2
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,hostbased
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Offering public key: /root/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,hostbased
debug1: Offering public key: /root/.ssh/id_dsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,hostbased
debug1: Next authentication method: password
root@192.168.27.143′s password:
debug1: Enabling compression at level 6.
debug1: Authentication succeeded (password).
debug1: Local connections to *:2001 forwarded to remote address 192.168.27.142:22
debug1: Local forwarding listening on 0.0.0.0 port 2001.
debug1: channel 0: new [port listener]
debug1: Local forwarding listening on :: port 2001.
bind: Address already in use
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
此时连接本地的eth1网卡地址:
ssh -p 2001 192.168.27.143
debug1: Connection to port 2001 forwarding to 192.168.27.142 port 22 requested.
debug1: channel 1: new [direct-tcpip]
root@192.168.27.143′s password:
Last login: Sat Jun 18 13:23:04 2011 from localhost.localdomain
Welcome to
_ _
| ||_|
| | _ ____ _ _ _ _
| || | _ \| | | |\ \/ /
| || | | | | |_| |/ \
|_||_|_| |_|\____|\_/\_/
Linux support by
My homepage:
[root@ssh-server ~]# exit
logout
Connection to 192.168.27.143 closed.
[root@ssh-client ~]# debug1: channel 1: free: direct-tcpip: listening port 2001 for 192.168.27.142 port 22, connect from 192.168.27.143 port 43295, nchannels 2
注:
我们通过打开GatewayPorts选项,使用我们即可以用回环地址转发,也可以用其它IP地址转发,这样就使我们可以通过ssh将该服务器做成一个转发机.
我们关闭GatewayPorts选项后,只能使用本地连接,如下:
vi /etc/ssh/ssh_config
GatewayPorts no
ssh -v -CNf -L 2001:192.168.27.142:22 root@192.168.27.143
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 192.168.27.143 [192.168.27.143] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type 1
debug1: identity file /root/.ssh/id_dsa type 2
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 zlib@openssh.com
debug1: kex: client->server aes128-ctr hmac-md5 zlib@openssh.com
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024 debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host ’192.168.27.143′ is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:2
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,hostbased
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Offering public key: /root/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,hostbased
debug1: Offering public key: /root/.ssh/id_dsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,hostbased
debug1: Next authentication method: password
root@192.168.27.143′s password:
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,hostbased
debug1: Enabling compression at level 6.
debug1: Authentication succeeded (password).
debug1: Local connections to LOCALHOST:2001 forwarded to remote address 192.168.27.142:22 /*我们看到这里只做了将本地localhost:2001转发到192.168.27.142:22*/
debug1: Local forwarding listening on ::1 port 2001.
debug1: channel 0: new [port listener]
debug1: Local forwarding listening on 127.0.0.1 port 2001.
debug1: channel 1: new [port listener]
debug1: Requesting no-more-sessions@openssh.com
[root@ssh-client ~]# debug1: Entering interactive session.
11)登录时显示的信息
有如下的选项可以控制登录ssh时显示的信息
11.1)Banner
Banner用于在登录之前显示在用户屏幕上,如果定义为none,则不显示任何信息,我们可以指定Banner为相应的文件,如下:
Banner /etc/issue
cat /etc/issue
#############################################################################
# Warning: Unauthorized access to this system is strictly prohibited. #
# Use of this system is limited to authorized individuals only. #
# All activities are monitored. #
#############################################################################
这样在我们登录的时候,可以看到/etc/issue中的信息,如下:
ssh 192.168.27.142
#############################################################################
# Warning: Unauthorized access to this system is strictly prohibited. #
# Use of this system is limited to authorized individuals only. #
# All activities are monitored. #
#############################################################################
root@192.168.27.142′s password:
11.2)PrintLastLog
PrintLastLog用于显示在每一次成功登录后显示最后一位用户的登录信息,如下:
PrintLastLog yes
ssh 192.168.27.142
root@192.168.27.142′s password:
Last login: Mon Jun 6 14:23:24 2011 from 192.168.27.143
11.3)PrintMotd
PrintMotd用于显示在每一次成功登录后显示/etc/motd中的信息,如下:
cat /etc/motd
Welcome to
_ _
| ||_|
| | _ ____ _ _ _ _
| || | _ \| | | |\ \/ /
| || | | | | |_| |/ \
|_||_|_| |_|\____|\_/\_/
Linux support by
My homepage:
ssh 192.168.27.142
root@192.168.27.142′s password:
Welcome to
_ _
| ||_|
| | _ ____ _ _ _ _
| || | _ \| | | |\ \/ /
| || | | | | |_| |/ \
|_||_|_| |_|\____|\_/\_/
Linux support by
My homepage:
11.4)ShowPatchLevel
ShowPatchLevel用于在连接ssh端口时,是否返回SSH的补丁版本信息,如下:
telnet 192.168.27.142 22
Trying 192.168.27.142…
Connected to 192.168.27.142.
Escape character is ‘^]’.
SSH-2.0-OpenSSH_5.3p1-FC-0.9-20.el6
^]
telnet> quit
Connection closed.
以上是指定ShowPatchLevel yes的结果.
[root@ssh-client ~]# telnet 192.168.27.142 22
Trying 192.168.27.142…
Connected to 192.168.27.142.
Escape character is ‘^]’.
SSH-2.0-OpenSSH_5.3
^]
telnet> quit
Connection closed.
以上是指定ShowPatchLevel no的结果.
我们建议如下的设置:
Banner /etc/issue,/etc/issue放入警告信息.
PrintMotd yes,在/etc/motd放入登录后的欢迎信息.
ShowPatchLevel no,不显示ssh的补丁信息.
PrintLastLog no,不显示最后一次的登录信息.
12)数据加密算法
我们可以通过Ciphers配置项来选择数据加密算法,如果服务端仅支持aes128-cbc,而客户端指定用arcfour加密算法连接登录服务端则不会成功.
sshv2支持如下的加密算法,相同默认值也是如下的算法:
aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc,arcfour128,arcfour256,arcfour,blowfish-cbc,cast128-cbc
上面的这些算法都是对称加密算法,而arcfour是最快的,这里的arcfour算法也就是rc4.
下面是arcfour(rc4)对称加密算法的说明:
会话密钥的前16个字节被服务器用作加密密钥,紧接着的下一个16字节被客户端用作加密密钥.结果是两个数据流方向上有两个独立的129位密钥.这种加密算法非常快
我们可以通过openssl speed对加密算法进行测试,也可以指定几种加密算法进行测试,如下:
openssl speed aes rc4 blowfish
Doing rc4 for 3s on 16 size blocks: 40757592 rc4′s in 1.28s
Doing rc4 for 3s on 64 size blocks: 11500211 rc4′s in 1.23s
Doing rc4 for 3s on 256 size blocks: 2994613 rc4′s in 1.45s
Doing rc4 for 3s on 1024 size blocks: 770815 rc4′s in 1.50s
Doing rc4 for 3s on 8192 size blocks: 97511 rc4′s in 1.37s
Doing aes-128 cbc for 3s on 16 size blocks: 7294501 aes-128 cbc’s in 1.39s
Doing aes-128 cbc for 3s on 64 size blocks: 1996086 aes-128 cbc’s in 1.30s
Doing aes-128 cbc for 3s on 256 size blocks: 514051 aes-128 cbc’s in 1.32s
Doing aes-128 cbc for 3s on 1024 size blocks: 314747 aes-128 cbc’s in 1.32s
Doing aes-128 cbc for 3s on 8192 size blocks: 39487 aes-128 cbc’s in 1.33s
Doing aes-192 cbc for 3s on 16 size blocks: 6322661 aes-192 cbc’s in 1.36s
Doing aes-192 cbc for 3s on 64 size blocks: 1709890 aes-192 cbc’s in 1.29s
Doing aes-192 cbc for 3s on 256 size blocks: 431680 aes-192 cbc’s in 1.39s
Doing aes-192 cbc for 3s on 1024 size blocks: 271721 aes-192 cbc’s in 1.37s
Doing aes-192 cbc for 3s on 8192 size blocks: 32095 aes-192 cbc’s in 1.54s
Doing aes-256 cbc for 3s on 16 size blocks: 5116714 aes-256 cbc’s in 1.49s
Doing aes-256 cbc for 3s on 64 size blocks: 1406771 aes-256 cbc’s in 1.43s
Doing aes-256 cbc for 3s on 256 size blocks: 350117 aes-256 cbc’s in 1.61s
Doing aes-256 cbc for 3s on 1024 size blocks: 215622 aes-256 cbc’s in 1.51s
Doing aes-256 cbc for 3s on 8192 size blocks: 28925 aes-256 cbc’s in 1.47s
Doing blowfish cbc for 3s on 16 size blocks: 14535384 blowfish cbc’s in 1.41s
Doing blowfish cbc for 3s on 64 size blocks: 3924785 blowfish cbc’s in 1.27s
Doing blowfish cbc for 3s on 256 size blocks: 993143 blowfish cbc’s in 1.34s
Doing blowfish cbc for 3s on 1024 size blocks: 248679 blowfish cbc’s in 1.34s
Doing blowfish cbc for 3s on 8192 size blocks: 30867 blowfish cbc’s in 1.46s
OpenSSL 1.0.0-fips 29 Mar 2010
built on: Wed Jun 30 08:58:02 EDT 2010
options:bn(64,32) md2(int) rc4(4x,int) des(ptr,risc1,16,long) aes(partial) blowfish(idx)
compiler: gcc -fPIC -DOPENSSL_PIC -DZLIB -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DKRB5_MIT -DL_ENDIAN -DTERMIO -Wall -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector –param=ssp-buffer-size=4 -m32 -march=i686 -mtune=atom -fasynchronous-unwind-tables -Wa,–noexecstack -DOPENSSL_BN_ASM_PART_WORDS -DOPENSSL_IA32_SSE2 -DOPENSSL_BN_ASM_MONT -DSHA1_ASM -DSHA256_ASM -DSHA512_ASM -DMD5_ASM -DRMD160_ASM -DAES_ASM -DWHIRLPOOL_ASM
The ‘numbers’ are in 1000s of bytes per second processed.
type 16 bytes 64 bytes 256 bytes 1024 bytes 8192 bytes
rc4 509469.90k 598384.96k 528704.09k 526209.71k 583073.07k
blowfish cbc 164940.53k 197784.44k 189734.78k 190035.30k 173193.47k
aes-128 cbc 83965.48k 98268.85k 99694.74k 244167.37k 243216.17k
aes-192 cbc 74384.25k 84831.75k 79503.65k 203096.57k 170728.73k
aes-256 cbc 54944.58k 62960.38k 55670.78k 146223.13k 161192.93k
我们生成一个100MB的数据文件进行测试,如下:
dd if=/dev/zero of=/tmp/bigfile.dat bs=1M count=100; shred -v -n3 /tmp/bigfile.dat
我们指定用arcfour对称加密算法进行加密传输,这里用了2分10秒
rsync -apur –stats –progress -e “ssh -c arcfour” bigfile.dat root@192.168.27.142:/tmp/
root@192.168.27.142′s password:
sending incremental file list
bigfile.dat
1048576000 100% 7.66MB/s 0:02:10 (xfer#1, to-check=0/1)
Number of files: 1
Number of files transferred: 1
Total file size: 1048576000 bytes
Total transferred file size: 1048576000 bytes
Literal data: 1048576000 bytes
Matched data: 0 bytes
File list size: 28
File list generation time: 0.001 seconds
File list transfer time: 0.000 seconds
Total bytes sent: 1048704076
Total bytes received: 31
sent 1048704076 bytes received 31 bytes 7464086.17 bytes/sec
total size is 1048576000 speedup is 1.00
我们指定用blowfish-cbc对称加密算法进行加密传输,这里用了2分17秒
rsync -apur –stats –progress -e “ssh -c blowfish-cbc” bigfile.dat root@192.168.27.142:/tmp/
root@192.168.27.142′s password:
sending incremental file list
bigfile.dat
1048576000 100% 7.26MB/s 0:02:17 (xfer#1, to-check=0/1)
Number of files: 1
Number of files transferred: 1
Total file size: 1048576000 bytes
Total transferred file size: 1048576000 bytes
Literal data: 1048576000 bytes
Matched data: 0 bytes
File list size: 28
File list generation time: 0.001 seconds
File list transfer time: 0.000 seconds
Total bytes sent: 1048704076
Total bytes received: 31
sent 1048704076 bytes received 31 bytes 7464086.17 bytes/sec
total size is 1048576000 speedup is 1.00
我们指定用aes128-ctr对称加密算法进行加密传输,这里用了2秒55秒
rsync -apur –stats –progress -e “ssh -c aes128-ctr” bigfile.dat root@192.168.27.142:/tmp/
root@192.168.27.142′s password:
sending incremental file list
bigfile.dat
1048576000 100% 5.71MB/s 0:02:55 (xfer#1, to-check=0/1)
Number of files: 1
Number of files transferred: 1
Total file size: 1048576000 bytes
Total transferred file size: 1048576000 bytes
Literal data: 1048576000 bytes
Matched data: 0 bytes
File list size: 28
File list generation time: 0.003 seconds
File list transfer time: 0.000 seconds
Total bytes sent: 1048704076
Total bytes received: 31
sent 1048704076 bytes received 31 bytes 5941666.33 bytes/sec
total size is 1048576000 speedup is 1.00
注:
1)如果我们没有指Ciphers,将支持所有的加密算法,而客户端没有指定加密算法的话,我们首先使用的将是aes128-ctr对称加密算法.
2)如果我们在服务端同时指定Ciphers arcfour,blowfish-cbc,aes128-ctr,而优先使用aes128-ctr其次是blowfish-cbc,最后是arcfour.
最后我们建议在服务端的ciphers选项上仅指定arcfour算法.这样能最优化的进行数据加密传输.
13)使用login程序登录
UseLogin默认值是”no”,如果指定UseLogin为yes,我们将在登录的过程中使用ssh服务端的login程序进行登录验证.
我们对使用login程序进行测试如下:
将UseLogin修改为yes,如下:
vi /etc/ssh/sshd_config
UseLogin yes
保存退出
重启sshd服务
/etc/init.d/sshd restart
用客户端连接sshd服务端,如下:
ssh 192.168.27.142
查看是否使用login程序,如下:
ps -ef|grep login
test 1717 1 0 03:59 ? 00:00:00 /usr/bin/gnome-keyring-daemon –daemonize –login
root 2711 2709 0 05:25 ? 00:00:00 login — root
root 2732 2712 0 05:25 pts/2 00:00:00 grep login
注:如果将login程序移走或删除,我们如果使用UseLogin yes,此时将无法登录ssh服务端.
我们可以使用pam(基于Linux的插入式验证模块)加入一些login的认证功能.
我们在/etc/pam.d/remote文件中加入pam_access.so模块,如下:
vi /etc/pam.d/remote
account required pam_access.so
保存退出
修改/etc/security/access.conf文件,如下:
vi /etc/security/access.conf
加入:
- : ALL : ALL
保存退出.
注:
现在我们拒绝所有通过ssh客户端的连接,但我们没有修改/etc/pam.d/login,所以我们本地我们还可以用login进行登录.
通过ssh客户端连接报错如下:
[root@ssh-client ~]# ssh 192.168.27.142
root@192.168.27.142′s password:
Permission denied
Connection to 192.168.27.142 closed.
14)超时断开
可以通过ClientAliveCountMax和ClientAliveInterval两个选项控制客户端在无响应的情况下断开连接.
ClientAliveCountMax:
sshd在未收到任何客户端回应前最多允许发送多少个”alive”消息,到达这个上限后,sshd 将强制断开连接,关闭会话.
注:
需要注意的是,”alive”消息与TCPKeepAlive有很大差异.alive”消息是通过加密连接发送的,因此不会被欺骗,而TCPKeepAlive却是可以被欺骗的.
如果ClientAliveInterval被设为15并且将ClientAliveCountMax保持为默认值(3),那么无应答的客户端大约会在45秒后被强制断开.这个指令仅可以用于SSH-2协议.
ClientAliveInterval:
设置一个以秒记的时长,如果超过这么长时间没有收到客户端的任何数据,sshd 将通过安全通道向客户端发送一个”alive”消息,并等候应答.
默认值0表示不发送”alive”消息.这个选项仅对SSH-2有效.
我们通过试验来测试超时断开的情况,如下:
vi /etc/ssh/sshd_config
ClientAliveCountMax 10
ClientAliveInterval 1
我们通过客户端连接SSH服务端,此时服务端向客户端发送alive消息,而客户端回应reply消息给服务端,发送的频率是每秒发送一次,如果没有响应则超过(10*1)秒后断开,如下:
[root@ssh-client ~]# ssh -v 192.168.27.142
登录信息略…
[root@ssh-server ~]#
debug1: client_input_channel_req: channel 0 rtype keepalive@openssh.com reply 1
debug1: client_input_channel_req: channel 0 rtype keepalive@openssh.com reply 1
debug1: client_input_channel_req: channel 0 rtype keepalive@openssh.com reply 1
debug1: client_input_channel_req: channel 0 rtype keepalive@openssh.com reply 1
debug1: client_input_channel_req: channel 0 rtype keepalive@openssh.com reply 1
debug1: client_input_channel_req: channel 0 rtype keepalive@openssh.com reply 1
debug1: client_input_channel_req: channel 0 rtype keepalive@openssh.com reply 1
我们断开client端的网卡,如下:
[root@ssh-client ~]# ifconfig eth1 down
此时服务端继续发送alive消息,而客户端由于断开,所以没有reply消息,所以我在刚才的登录终端再也看不到reply消息,我们可以通过tcpdump抓包来证实,如下:
[root@ssh-server ~]# tcpdump -i eth1 ‘port 22 and host 192.168.27.143′
此时客户端没有断开,所以服务端与客户端和3次握手的交互,如下:
19:40:46.677914 IP ssh-server.ssh > 192.168.27.143.45105: Flags [P.], seq 2910:2974, ack 2422, win 478, options [nop,nop,TS val 9540813 ecr 9291132], length 64
19:40:46.678596 IP 192.168.27.143.45105 > ssh-server.ssh: Flags [P.], seq 2422:2454, ack 2974, win 379, options [nop,nop,TS val 9292137 ecr 9540813], length 32
19:40:46.678640 IP ssh-server.ssh > 192.168.27.143.45105: Flags [.], ack 2454, win 478, options [nop,nop,TS val 9540814 ecr 9292137], length 0
19:40:47.681213 IP ssh-server.ssh > 192.168.27.143.45105: Flags [P.], seq 2974:3038, ack 2454, win 478, options [nop,nop,TS val 9541816 ecr 9292137], length 64
19:40:47.682130 IP 192.168.27.143.45105 > ssh-server.ssh: Flags [P.], seq 2454:2486, ack 3038, win 379, options [nop,nop,TS val 9293140 ecr 9541816], length 32
19:40:47.682167 IP ssh-server.ssh > 192.168.27.143.45105: Flags [.], ack 2486, win 478, options [nop,nop,TS val 9541817 ecr 9293140], length 0
19:40:48.685266 IP ssh-server.ssh > 192.168.27.143.45105: Flags [P.], seq 3038:3102, ack 2486, win 478, options [nop,nop,TS val 9542820 ecr 9293140], length 64
19:40:48.685863 IP 192.168.27.143.45105 > ssh-server.ssh: Flags [P.], seq 2486:2518, ack 3102, win 379, options [nop,nop,TS val 9294144 ecr 9542820], length 32
19:40:48.685911 IP ssh-server.ssh > 192.168.27.143.45105: Flags [.], ack 2518, win 478, options [nop,nop,TS val 9542821 ecr 9294144], length 0
19:40:49.690680 IP ssh-server.ssh > 192.168.27.143.45105: Flags [P.], seq 3102:3166, ack 2518, win 478, options [nop,nop,TS val 9543826 ecr 9294144], length 64
19:40:49.691261 IP 192.168.27.143.45105 > ssh-server.ssh: Flags [P.], seq 2518:2550, ack 3166, win 379, options [nop,nop,TS val 9295149 ecr 9543826], length 32
19:40:49.691311 IP ssh-server.ssh > 192.168.27.143.45105: Flags [.], ack 2550, win 478, options [nop,nop,TS val 9543826 ecr 9295149], length 0
此时客户端已经断开,所以只有服务端的发送消息,没有客户端回应的消息,如下:
19:40:50.698084 IP ssh-server.ssh > 192.168.27.143.45105: Flags [P.], seq 3166:3230, ack 2550, win 478, options [nop,nop,TS val 9544833 ecr 9295149], length 64
19:40:50.902427 IP ssh-server.ssh > 192.168.27.143.45105: Flags [P.], seq 3166:3230, ack 2550, win 478, options [nop,nop,TS val 9545037 ecr 9295149], length 64
19:40:51.311739 IP ssh-server.ssh > 192.168.27.143.45105: Flags [P.], seq 3166:3230, ack 2550, win 478, options [nop,nop,TS val 9545447 ecr 9295149], length 64
19:40:52.128414 IP ssh-server.ssh > 192.168.27.143.45105: Flags [P.], seq 3166:3230, ack 2550, win 478, options [nop,nop,TS val 9546263 ecr 9295149], length 64
19:40:53.763202 IP ssh-server.ssh > 192.168.27.143.45105: Flags [P.], seq 3166:3230, ack 2550, win 478, options [nop,nop,TS val 9547898 ecr 9295149], length 64
19:40:57.028357 IP ssh-server.ssh > 192.168.27.143.45105: Flags [P.], seq 3166:3230, ack 2550, win 478, options [nop,nop,TS val 9551163 ecr 9295149], length 64
19:41:00.749900 IP ssh-server.ssh > 192.168.27.143.45105: Flags [FP.], seq 3230:3806, ack 2550, win 478, options [nop,nop,TS val 9554885 ecr 9295149], length 576
19:41:03.559115 IP ssh-server.ssh > 192.168.27.143.45105: Flags [FP.], seq 3166:3806, ack 2550, win 478, options [nop,nop,TS val 9557694 ecr 9295149], length 640
19:41:16.616455 IP ssh-server.ssh > 192.168.27.143.45105: Flags [FP.], seq 3166:3806, ack 2550, win 478, options [nop,nop,TS val 9570751 ecr 9295149], length 640
19:41:42.729343 IP ssh-server.ssh > 192.168.27.143.45105: Flags [FP.], seq 3166:3806, ack 2550, win 478, options [nop,nop,TS val 9596864 ecr 9295149], length 640
最后我们看到服务端向客户端发送alive消息,客户端没有响应,服务端再不发送消息,此时客户端已经被认定断开.
这里我们注意,断开后服务端不会一直向客户端发送消息,在发送了几次消息之后,客户端无响应,此时服务端将不会发送消息,直到等ClientAliveCountMax*ClientAliveInterval秒后断开.
我们开启client端的网卡,如下:
[root@ssh-client ~]# ifconfig eth1 up
此时客户端连接服务端的ssh终端表现如下:
[root@ssh-server ~]# debug1: client_input_channel_req: channel 0 rtype keepalive@openssh.com reply 1
debug1: client_input_channel_req: channel 0 rtype keepalive@openssh.com reply 1
debug1: client_input_channel_req: channel 0 rtype keepalive@openssh.com reply 1
debug1: client_input_channel_req: channel 0 rtype keepalive@openssh.com reply 1
debug1: client_input_channel_req: channel 0 rtype keepalive@openssh.com reply 1
debug1: client_input_channel_req: channel 0 rtype keepalive@openssh.com reply 1
debug1: client_input_channel_req: channel 0 rtype keepalive@openssh.com reply 1
debug1: client_input_channel_req: channel 0 rtype keepalive@openssh.com reply 1
debug1: client_input_channel_req: channel 0 rtype keepalive@openssh.com reply 1
debug1: client_input_channel_req: channel 0 rtype keepalive@openssh.com reply 1
debug1: client_input_channel_req: channel 0 rtype keepalive@openssh.com reply 1
Write failed: Broken pipe
注:
开启网卡后,但是已经超过了断开的限制,客户端已经断开,我们按回车后终端显示:Write failed: Broken pipe
最后ssh服务端向被认定已经断开的客户端发送断开的命令,我们回到刚才的tcpdump抓包终端,显示如下:
19:44:48.757691 IP ssh-server.ssh > 192.168.27.143.45105: Flags [R], seq 3345246483, win 0, length 0
我们再来说明一下默认的配置:
clientaliveinterval 0
clientalivecountmax 3
在这种情况下,我们视为ssh服务端为长连接,在这种情况上,客户端连接上后,服务端不再发送alive消息.如果客户端断开,服务端一直等待客户端的连接,不会主动断开.
同时我们也可以在客户端配置监测服务端的断开状态,如下:
vi /etc/ssh/ssh_config
ServerAliveCountMax 100
ServerAliveInterval 1
此时如果服务端断开,客户端将向服务端发送alive消息,判断服务端的状态.如果服务端断开,客户端将在ServerAliveCountMax*ServerAliveInterval秒后断开连接.
断开消息如下:
Timeout, server not responding.
我们建议如下的配置:
服务端:
clientaliveinterval 300
clientalivecountmax 2
这样我们300秒向客户端发送一次alive信息,在600秒内客户端没有响应,客户端被断开,并且服务端清理客户端的连接.
客户端:
serveraliveinterval 300
serveralivecountmax 2
同时将客户端/服务端的tcpkeepalive选项关闭:
tcpkeepalive no
15)host-based验证
我们这里看到了另外一种验证(此前我们接触了password,rsa/dsa,GSSAPI等三种验证方式),这种验证方式基于主机名和公/私钥.
其中host-based验证是基于ssh-v2
首先我们要在客户端/服务端加入对方的主机名及IP对映,如下:
服务端:
vi /etc/hosts
192.168.27.142 ssh-server # Added by NetworkManager
192.168.27.143 ssh-client # Added by NetworkManager
客户端:
vi /etc/hosts
192.168.27.142 ssh-server # Added by NetworkManager
192.168.27.143 ssh-client # Added by NetworkManager
修改服务端的ssh配置,如下:
vi /etc/ssh/sshd_config
#打开host_based的验证
HostbasedAuthentication yes
#不允许忽略~/.ssh/known_hosts
IgnoreUserKnownHosts no
#不允许忽略~/.shosts
IgnoreRhosts no
在服务端生成客户主机的密钥对,如下:
ssh-keyscan -t rsa,dsa ssh-client > ~/.ssh/known_hosts
将客户端主机名写入到用户主目录的.shosts文件中
vi ~/.shosts
ssh-client
重启ssh服务端,如下:
/etc/init.d/sshd restart
在客户端修改ssh配置,如下:
vi /etc/ssh/ssh_config
#打开客户端的host_based验证
HostbasedAuthentication yes
EnableSSHKeysign yes
我们在客户端登录SSH服务端,如下:
ssh -v 192.168.27.142
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 192.168.27.142 [192.168.27.142] port 22.
debug1: Connection established.
debug1: read PEM private key done: type DSA
debug1: read PEM private key done: type RSA
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type 1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024client aes128-ctr hmac-sha1 none
debug1: kex: client->server aes128-ctr hmac-sha1 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024
我们看一下服务端的进程:
ps -ef|grep ssh
avahi 1133 1 0 03:08 ? 00:00:00 avahi-daemon: registering [ssh-server.local]
root 1718 1 0 03:14 ? 00:00:00 sshd: root@pts/0
root 2005 1 0 03:50 ? 00:00:00 /usr/sbin/sshd
root 2023 2005 0 03:52 ? 00:00:00 sshd: root@notty
root 2025 2023 0 03:52 ? 00:00:00 /usr/libexec/openssh/sftp-server
注:
我们看到服务端启用了sftp-server为sftp客户请求服务.
31)设定主机的私钥文件
在ssh中可以用HostKey指定主机的私钥文件,如不指定则无法启用ssh服务,默认的是如下的配置:
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
我们看到这里支持两个非对称加密算法,分别是rsa和dsa.
事实上在进入身份验证之前,客户端要与服务端确认服务端的公/私钥是否改变过,
即客户端会用服务端主机公钥对一段消息进行加密,而服务端会用自己的主机密钥进行解密.
从而校验数据,达到主机身份确认的效果.
如果主机被重装过,或重新生成了新的RSA/DSA密钥,则登录该主机时会重新在客户端生成公钥并写入到~/.ssh/known_hosts
32)Kerberos的身份验证
Kerberos是针对分布式环境而设计的,如果不需要可以关闭这种身份验证方式.
所以建议如下的配置:
kerberosauthentication no
kerberosorlocalpasswd no
kerberosticketcleanup yes
三)SSH客户端的配置项:
1)客户端发现SSH服务端timeout后,可以在指定的秒数后断开连接,避免不必要的等待,这个参数就是:
ConnectTimeout 3
注:这里是等待3秒.
例如:我们连接一个不存在的服务器(192.168.27.155)
time ssh -v 192.168.27.155
OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 192.168.27.155 [192.168.27.155] port 22.
debug1: Allocated local port 1023.
debug1: connect to address 192.168.27.155 port 22: Connection timed out
ssh: connect to host 192.168.27.155 port 22: Connection timed out
real 0m3.029s
user 0m0.006s
sys 0m0.007s
注:我们在这里看到一共等待在大概3秒钟.
2)有关于客户端的SSH压缩设定,在客户端如果设定Compression yes,则表示支持压缩,压缩会提高网络吐吞量,但会增加CPU的消耗.
如果客户大量使用gzip对数据压缩后再通过scp传输,则ssh的compression并不会有任何效果,反而会降纸网络吐吞量.
同时SSH V2中也不支持压缩级别.
我们使用ssh的debug模式连接ssh服务端,可以看到压缩的情况,我们在断开时看到如下的信息:
[test@ssh-server ~]$ exitdebug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
logout
debug1: channel 0: free: client-session, nchannels 1
Connection to 192.168.27.142 closed.
Transferred: sent 1104, received 2576 bytes, in 4.9 seconds
Bytes per second: sent 225.7, received 526.7
debug1: Exit status 0
debug1: compress outgoing: raw data 459, compressed 299, factor 0.65
debug1: compress incoming: raw data 455, compressed 310, factor 0.68
3)我们也可以调整使用身份验证方式的优先顺序,我们用到的选项是PreferredAuthentications,如果我们优先使用password,那么可以设定如下的配置:
PreferredAuthentications password,publickey,keyboard-interactive
4)我们可以设定CheckHostIP选项防止DNS欺骗,如下:
首先设定CheckHostIP选项,如下:
vi /etc/ssh/ssh_config
CheckHostIP yes
编辑hosts,设定192.168.27.142对映的主机名为ssh-server
vi /etc/hosts
192.168.27.142 ssh-server # Added by NetworkManager
连接ssh服务端(ssh-server),注意这里用主机名连接,如下:
ssh root@ssh-server
root@ssh-server’s password:
注:我们看到没有问题.
我们这时修改/etc/hosts中ssh-server主机名对映的IP,如下:
vi /etc/hosts
192.168.27.143 ssh-sever
再次连接ssh服务端(ssh-server),如下:
ssh test@ssh-server
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ 注:我们看到checkhostip起到了作用.
@ WARNING: POSSIBLE DNS SPOOFING DETECTED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The RSA host key for ssh-server has changed,
and the key for the corresponding IP address 192.168.27.143
is unknown. This could either mean that
DNS SPOOFING is happening or the IP address for the host
and its host key have changed at the same time.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ 注:这条信息不是checkhostip产生的.
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
49:35:e5:fe:1e:f4:cd:e2:50:d6:2e:57:35:cb:45:42.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending key in /root/.ssh/known_hosts:1
Password authentication is disabled to avoid man-in-the-middle attacks.
Keyboard-interactive authentication is disabled to avoid man-in-the-middle attacks.
Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password,hostbased).
5)处理known_hosts的三种方式.
当用ssh连接对方的主机时,如果known_hosts中没有对方主机的公钥,则会看到一个加入主机公钥确认身份的提示信息,如下:
ssh test@ssh-server
The authenticity of host ‘ssh-server (192.168.27.142)’ can’t be established.
RSA key fingerprint is ce:0c:74:71:87:a2:4a:92:98:55:25:f4:51:62:ea:59.
Are you sure you want to continue connecting (yes/no)?
这是因为客户端配置了StrictHostKeyChecking ask造成的.
我们可以调整StrictHostKeyChecking选项为no,这样会把对方的公钥直接加入到known_hosts文件中.
如果调整StrictHostKeyChecking选项为yes,这样直接拒绝加入对方的公钥,需要手工来填加.如下:
ssh test@ssh-server
No RSA host key is known for ssh-server and you have requested strict checking.
Host key verification failed.
6)有关于known_hosts的两种文件格式
一种是主机名(IP)明文存放的格式
一种是主机名(IP)被哈希过的格式
我们可以通过HashKnownHosts这个选项来调整,如下:
vi /etc/ssh/ssh_config
HashKnownHosts yes
最后我们看一下明文存放的格式,如下:
ssh-server ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAmgy1TPb2Beaw+XZa2ZY129nmE8klTMFPeJXZYbl577M/O2DLjInoYhK32mQKSc7NK3NQtxqkMp9Mz+vIdC4es
Lz1+mRWjBOHPIfNjhLyl1RgZHKQRJZKamRiYru2sjjv5wPM21eSgaAozDF6pPAKgda0CQUcZSUokU7AZuBETlMJkEalp/+NIVdHuCrnoUmRcc4EW7v2/xAUb9pO12lgyhg2b
j6S7BLSOSuEtKEjxHHrP5FOWwzTont78K1hrBHIFqgFmnyUIljWoRqzoufvSTMpDZHxlcjO+4o427QjS17viz7ftGpY6ObRzV1VHJJoCeUqdcWDJZDXMR+RlA1H9Q==
我们看到里面包括了主机名及非对称加密的算法.
如果是哈希过的格式,如下:
|1|u79t0dab3Mh8GnB7O4+zCzvw3Ho=|p4454t3nwTGWWWog5x21ouHANhc= ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAmgy1TPb2Beaw+XZa2ZY129nmE8klTMFPeJX
ZYbl577M/O2DLjInoYhK32mQKSc7NK3NQtxqkMp9Mz+vIdC4esLz1+mRWjBOHPIfNjhLyl1RgZHKQRJZKamRiYru2sjjv5wPM21eSgaAozDF6pPAKgda0CQUcZSUokU7AZuB
ETlMJkEalp/+NIVdHuCrnoUmRcc4EW7v2/xAUb9pO12lgyhg2bj6S7BLSOSuEtKEjxHHrP5FOWwzTont78K1hrBHIFqgFmnyUIljWoRqzoufvSTMpDZHxlcjO+4o427QjS17
viz7ftGpY6ObRzV1VHJJoCeUqdcWDJZDXMR+RlA1H9Q==
这里我们看不到主机名,因为它被哈希过了,但是还是可以看到使用的非对称加密算法.
四)建议的配置
我们对整篇文章做了整理,建议用如下的配置,首先是SSH服务端的配置,如下:
####################################
#仅使有Protocol 2
#绑定到56000端口
#绑定到内网IP
####################################
Protocol 2
Port 56000
ListenAddress 192.168.27.141
####################################
#以下两项配置仅用于Protocol 1
####################################
RhostsRSAAuthentication no
RSAAuthentication no
####################################
#关闭Kerberos身份验证
####################################
kerberosauthentication no
kerberosorlocalpasswd no
kerberosticketcleanup yes
####################################
#关闭挑战/响应身份验证(s/key)
####################################
ChallengeResponseAuthentication no
####################################
#关闭GSSAPI身份验证
####################################
GSSAPIAuthentication no
GSSAPICleanupCredentials yes
####################################
#关闭公/私钥身份验证
####################################
PubkeyAuthentication no
AuthorizedKeysFile .ssh/authorized_keys
####################################
#关闭基于主机的身份验证
####################################
HostbasedAuthentication no
IgnoreUserKnownHosts yes
IgnoreRhosts yes
####################################
#开启unix/password身份验证
####################################
PasswordAuthentication yes
####################################
#关闭X11转发
#关闭除loopback外的其它网络接口转发
#关闭tcp端口转发
####################################
X11Forwarding no
GatewayPorts no
AllowTcpForwarding no
####################################
#日志级别调整为VERBOSE,默认为INFO
#日志Facility为AUTH
####################################
LogLevel VERBOSE
SyslogFacility AUTH
####################################
#关闭SSH客户端与服务端的变量转递
####################################
AcceptEnv none
####################################
#拒绝系统用户通过SSH登录
####################################
AllowUsers *
DenyUsers daemon bin sys sync games man lp mail news uucp proxy www-data backup list irc gnats nobody Debian-exim statd identd sshd libuuid snmp
####################################
#登录警告信息
#登录欢迎信息
#关闭SSH的补丁版本号
#关闭显示最后一次登录的信息
####################################
Banner /etc/issue
PrintMotd yes
ShowPatchLevel no
PrintLastLog no
####################################
#指定支持的数据对称加密算法
#指定支持的消息摘要算法
####################################
ciphers aes128-cbc,aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr,3des-cbc,arcfour128,arcfour256,arcfour,blowfish-cbc,cast128-cbc
macs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
####################################
#每300秒向客户端发送一次alive消息,判断是否存活,如两次均检测失败,则断开与客户端的连接
#关闭tcpkeepalive
####################################
clientaliveinterval 300
clientalivecountmax 2
tcpkeepalive no
####################################
#允许有1000次验证连接请求,如20秒不能完成校验,则断开验证连接请求
#有三次密码验证机会
####################################
MaxStartups 1000
LoginGraceTime 20
MaxAuthTries 3
####################################
#支持压缩选项,从而提高数据通讯速度
#关闭DNS反向解析,从而提高验证速度
#支持PAM,从而支持可插入的安全模块,加载安全配置,如limit.conf等
####################################
Compression yes
UseDNS no
UsePAM yes
####################################
#如其它用户有读取authorized.keys的权限,则拒绝连接
#拒绝root用户登录
#拒绝空口令的身份验证
#用户验证时进程分离,ssh启用setuid切换到sshd用户启动验证进程
#拒绝在SSH验证结束后使用/bin/login程序
####################################
strictmodes yes
PermitRootLogin no
PermitEmptyPasswords no
UsePrivilegeSeparation yes
UseLogin no
####################################
#支持sftp子系统
####################################
Subsystem sftp /usr/lib/openssh/sftp-server
####################################
#SSH的pid文件存放位置/var/run/
####################################
PidFile /var/run/sshd.pid
####################################
#主机的私钥存放位置
####################################
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
下面是客户端的配置,如下:
#######################################
#针对所有主机的配置
#######################################
Host *
#######################################
#支持所有协议族
#支持SSHv2/v1,优先使用SSHv2
#ssh连接目标主机的22端口
#######################################
AddressFamily any
Protocol 2,1
Port 22
#######################################
#日志级别为VERBOSE
#关闭批处理登录方式
#防止DNS欺骗
#不检查known_hosts中主机公钥的正确性
#允许连接1024以下的端口
#允许三次尝试密码登录
#######################################
LogLevel VERBOSE
BatchMode no
HashKnownHosts yes
CheckHostIP yes
StrictHostKeyChecking no
NumberOfPasswordPrompts 3
#######################################
#仅使用hmac-md5做为消息摘要算法
#仅使用arcfour(rc4)做为数据加密算法
#######################################
MACs hmac-md5
Ciphers arcfour
#######################################
#仅在protocol 1使用
#######################################
RhostsRSAAuthentication no
RSAAuthentication no
#######################################
#关闭挑战响应身份验证(s/key)
#######################################
ChallengeResponseAuthentication no
#######################################
#关闭基于主机的身份验证
#######################################
HostbasedAuthentication no
EnableSSHKeysign no
NoHostAuthenticationForLocalhost no
#######################################
#关闭GSSAPI身份验证
#######################################
GSSAPIAuthentication no
GSSAPIDelegateCredentials no
GSSAPIKeyExchange no
GSSAPITrustDNS no
#######################################
#关闭公/私钥身份验证
#######################################
PubkeyAuthentication no
#######################################
#开启unix/password身份验证
#######################################
PasswordAuthentication yes
#######################################
#优先使用password身份验证
#######################################
PreferredAuthentications password
#######################################
#连接SSH服务端,发现timeout,3秒后强制断开连接
#每300秒向SSH服务端发送1次alive消息
#如果两次alive消息都没有到达目的主机则断开连接
#因为使用serveraliveinterval,所以关闭tcpkiipalive
#######################################
ConnectTimeout 3
serveraliveinterval 300
serveralivecountmax 2
tcpkeepalive no
#######################################
#关闭对X11的端口转发
#关闭除loopback外的其它网络接口转发
#关闭转发代理
#关闭ssh tunnel
#######################################
ForwardX11 no
ForwardX11Trusted no
GatewayPorts no
ForwardAgent no
tunnel no
#######################################
#开启压缩选项,级别为6
#######################################
Compression yes
#######################################
#以下选项仅在protocol 1支持
#######################################
CompressionLevel 1
ConnectionAttempts 1
转至lupaworld
