SSH

From Gentoo Wiki
This page is a translated version of the page SSH and the translation is 66% complete.




SSH (Secure SHell) is an encrypted terminal program that replaces the traditional telnet tool on Unix-like operating systems.

SSH has grown into a family of programs: besides ssh, the main program used for remote terminal access, it includes tools such as scp (Secure Copy Program) and sftp (Secure File Transfer Protocol).

Originally SSH was not free software. Today, however, the most popular implementation, and the de facto standard, is OpenBSD's OpenSSH, which comes preinstalled on Gentoo.

Installation

Checking the installation

Most Gentoo Linux systems already have OpenSSH installed. This can be checked by running the ssh command; if it is installed, it prints its usage message:

user $ssh
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
           [-D [bind_address:]port] [-E log_file] [-e escape_char]
           [-F configfile] [-I pkcs11] [-i identity_file]
           [-L [bind_address:]port:host:hostport] [-l login_name] [-m mac_spec]
           [-O ctl_cmd] [-o option] [-p port]
           [-Q cipher | cipher-auth | mac | kex | key]
           [-R [bind_address:]port:host:hostport] [-S ctl_path] [-W host:port]
           [-w local_tun[:remote_tun]] [user@]hostname [command]

If no usage message is printed, ssh is either broken or not installed. It is also possible that OpenSSH is being rebuilt after the user changed its USE flags. In either case, continue with the possible USE flag settings below.

USE flags

USE flags for net-misc/openssh (Port of OpenBSD's free SSH release)

  • X (global): Add support for X11
  • X509 (local): Adds support for X.509 certificate authentication
  • bindist (local): Disable EC/RC5 algorithms in OpenSSL for patent reasons.
  • debug (global): Enable extra debug codepaths, like asserts and extra output. If you want to get meaningful backtraces see https://wiki.gentoo.org/wiki/Project:Quality_Assurance/Backtraces
  • hpn (local): Enable high performance ssh
  • kerberos (global): Add kerberos support
  • ldap (local): Add support for storing SSH public keys in LDAP
  • ldns (local): Use LDNS for DNSSEC/SSHFP validation.
  • libedit (global): Use the libedit library (replacement for readline)
  • libressl (global): Use dev-libs/libressl as SSL provider (might need ssl USE flag), packages should not depend on this USE flag
  • livecd (local): Enable root password logins for live-cd environment.
  • pam (global): Add support for PAM (Pluggable Authentication Modules) - DANGEROUS to arbitrarily flip
  • pie (global): Build programs as Position Independent Executables (a security hardening technique)
  • sctp (global): Support for Stream Control Transmission Protocol
  • selinux (global): !!internal use only!! Security Enhanced Linux support, this must be set by the selinux profile or breakage will occur
  • skey (global): Enable S/Key (Single use password) authentication support
  • ssh1 (local): Support the legacy/weak SSH1 protocol
  • ssl (local): Enable additional crypto algorithms via OpenSSL
  • static (global): !!do not set this during bootstrap!! Causes binaries to be statically linked instead of dynamically
  • test (global): Workaround to pull in packages needed to run with FEATURES=test. Portage-2.1.2 handles this internally, so don't set it in make.conf/package.use anymore

Emerge

After adjusting the necessary USE flags, do not forget to install (or reinstall) OpenSSH:

root #emerge --ask --changed-use net-misc/openssh

Configuration

Creating keys

To provide a secure shell, cryptographic keys are used for the encryption, decryption and hashing that SSH performs.

The system host keys are generated when the SSH service is started for the first time. They can be (re)generated with ssh-keygen.

Generate a key for SSH protocol version 1 (generally no longer used; protocol version 2 has replaced it):

root #/usr/bin/ssh-keygen -t rsa1 -b 1024 -f /etc/ssh/ssh_host_key -N ""

Generate keys for SSH protocol version 2 (DSA and RSA algorithms):

root #/usr/bin/ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ""
root #/usr/bin/ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ""

Server configuration

The SSH server configuration file is normally /etc/ssh/sshd_config, although further configuration, including changing the location of that file, is possible through the OpenRC file /etc/conf.d/sshd. See the sshd_config man page for details on configuring the server.

Also worth reading is Sven's OpenSSH guide, which focuses on secure configuration.

Client configuration

The ssh client and related programs (scp, sftp, etc.) can be configured using the following files:

  • ~/.ssh/config
  • /etc/ssh/ssh_config

For more information, read the ssh_config manual page:

user $man ssh_config

Passwordless authentication

This is very convenient for managing git servers.

Client

Run the following command on the client:

user $ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/larry/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/larry/.ssh/id_rsa.
Your public key has been saved in /home/larry/.ssh/id_rsa.pub.
The key fingerprint is:
de:ad:be:ef:15:g0:0d:13:37:15:ad:cc:dd:ee:ff:61 larry@client
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|     .           |
| . .. n   .      |
|   . : . .      |
|  o   . . : .    |
| . ..: >.> .     |
|  * ?. .         |
| o.. .. ..       |
| :. .  ! .       |
+-----------------+

Server

Make sure the user's account exists on the server, then copy the client's id_rsa.pub file into the ~/.ssh/authorized_keys file in the user's home directory on the server.

Testing on a single machine

The steps above can be tested locally:

user $ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/larry/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
...
user $mv ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys
user $ssh localhost
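The server step above says to copy id_rsa.pub into authorized_keys, and the single-machine test does it with a plain mv, which discards any keys that were already installed. The following shell function is an added example, not code from the Gentoo wiki or from OpenSSH: it appends a public key to a user's authorized_keys only if it is not already there, and sets the permissions that sshd's StrictModes check requires. The key material and the home directory used in the demonstration are constructed.

```shell
#!/bin/sh
# Added example (not from the Gentoo wiki page): install a public key into a
# user's authorized_keys idempotently and with the permissions sshd insists on.
#
# usage: install_authorized_key '<type> <base64-blob> [comment]' [home-dir]
# returns 0 when the key was added, 1 when it was already installed.
install_authorized_key() {
    pubkey=$1
    home=${2:-$HOME}
    sshdir="$home/.ssh"
    authfile="$sshdir/authorized_keys"

    # With StrictModes (the sshd default) a group- or world-writable ~/.ssh or
    # authorized_keys is silently ignored, so fix the modes before writing.
    mkdir -p "$sshdir"
    chmod 700 "$sshdir"
    touch "$authfile"
    chmod 600 "$authfile"

    # Duplicate check on key type and key material only (fields 1 and 2);
    # the trailing comment is free text and must not defeat the check.
    keyid=$(printf '%s\n' "$pubkey" | awk '{print $1, $2}')
    if awk '{print $1, $2}' "$authfile" | grep -qxF -- "$keyid"; then
        return 1
    fi
    printf '%s\n' "$pubkey" >> "$authfile"
}

# count_authorized_keys [home-dir]: number of key lines (blank lines and
# comments excluded) in the user's authorized_keys.
count_authorized_keys() {
    home=${1:-$HOME}
    grep -cvE '^[[:space:]]*(#|$)' "$home/.ssh/authorized_keys"
}

# Constructed demonstration key (not a real key) and a throwaway home dir.
DEMO_KEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKeyNotReal larry@client'

demo_home=$(mktemp -d)
install_authorized_key "$DEMO_KEY" "$demo_home" && echo "installed"
install_authorized_key "$DEMO_KEY" "$demo_home" || echo "already present, not added twice"
echo "keys installed: $(count_authorized_keys "$demo_home")"
rm -rf "$demo_home"
```

On a real server, run it as the target user (or pass that user's home directory) with the contents of the client's id_rsa.pub as the first argument; the 700/600 modes matter because sshd refuses to use an authorized_keys file that other users could have written to.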

Intrusion prevention

SSH is a commonly attacked service. Tools such as sshguard and fail2ban monitor logs and blacklist remote hosts that have repeatedly attempted but failed to log in. Use them as needed to secure a frequently attacked system.
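To show what sshguard and fail2ban do under the hood, here is an added example (not from the Gentoo wiki, and not code from either tool) that counts failed password attempts per source address over a few constructed auth.log lines and prints the addresses that cross a threshold. The log lines, host name, PIDs and addresses are all made up; nothing here modifies a firewall.

```shell
#!/bin/sh
# Added example (not from the Gentoo wiki page): the log analysis that
# sshguard and fail2ban automate, done by hand so the matching rule and
# the blocking decision are visible. Only prints candidate addresses.

# Constructed sample log; the host, addresses and PIDs are made up.
SAMPLE_AUTH_LOG='Mar  3 10:01:02 host sshd[1201]: Invalid user admin from 203.0.113.7 port 51022
Mar  3 10:01:02 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:01:05 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 10:01:09 host sshd[1204]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  3 10:01:11 host sshd[1204]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  3 10:02:40 host sshd[1210]: Accepted publickey for larry from 192.0.2.10 port 40100 ssh2: ED25519 SHA256:constructed
Mar  3 10:03:01 host sshd[1215]: Failed password for larry from 192.0.2.10 port 40120 ssh2'

# failed_logins_by_ip: read log lines on stdin and print "count ip" for
# every source address with failed password attempts, most frequent first.
# Only "Failed password" lines are counted: an unknown user name also
# produces an "Invalid user ... from" line for the same attempt, and
# counting both would double the score for that address.
failed_logins_by_ip() {
    awk '
        /sshd\[[0-9]+]: Failed password for / {
            for (i = 1; i <= NF; i++)
                if ($i == "from") count[$(i + 1)]++
        }
        END { for (ip in count) print count[ip], ip }
    ' | sort -rn
}

# blocklist_candidates <threshold>: addresses with at least <threshold>
# failures; this is the decision the tools above make before adding a
# firewall rule.
blocklist_candidates() {
    failed_logins_by_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# Demonstration on the constructed log: one address crosses a threshold of 3.
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_logins_by_ip
printf '%s\n' "$SAMPLE_AUTH_LOG" | blocklist_candidates 3
```

On a live system the input would be the sshd entries from /var/log/auth.log or the system journal, and the threshold would be combined with a time window, which the real tools add along with the firewall rule and its expiry.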

Usage

Services

OpenRC

Add the OpenSSH daemon to the default runlevel:

root #rc-update add sshd default

Start the sshd daemon with:

root #rc-service sshd start

The OpenSSH server can be controlled like any other OpenRC-managed service:

root #rc-service sshd start
root #rc-service sshd stop
root #rc-service sshd restart
Note
Active SSH connections to the server remain unaffected when issuing rc-service sshd restart.

Systemd

To have the OpenSSH daemon start when the system starts:

root #systemctl enable sshd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/sshd.service to /usr/lib64/systemd/system/sshd.service.

To start the OpenSSH daemon now:

root #systemctl start sshd.service

To check if the service has started:

root #systemctl status sshd.service

Troubleshooting

There are three levels of debug mode that help with troubleshooting. With the -v option, SSH prints debugging messages about its progress, which is helpful for debugging connection, authentication and configuration problems. Multiple -v options increase the verbosity; the maximum is three.

user $ssh example.org -v
user $ssh example.org -vv
user $ssh example.org -vvv

Long-lived connections get closed

Many internet access devices perform Network Address Translation (NAT), a process that enables devices on a private network such as that typically found in a home or business place to access foreign networks, such as the internet, despite only having a single IP address on that network. Unfortunately, not all NAT devices are created equal, and some of them incorrectly close long-lived, occasional-use TCP connections such as those used by SSH. This is generally observable as a sudden inability to interact with the remote server, even though the ssh client program has not exited.

In order to resolve the issue, OpenSSH clients and servers can be configured to send a 'keep alive', or invisible message aimed at maintaining and confirming the live status of the link:

  • To enable keep alive for all clients connecting to your local server, set ClientAliveInterval 30 (or some other value, in seconds) within the /etc/ssh/sshd_config file.
  • To enable keep alive for all servers connected to by your local client, set ServerAliveInterval 30 (or some other value, in seconds) within the /etc/ssh/ssh_config file.
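The two directives above only send probes; what actually decides when a dead link is dropped is the interval multiplied by the matching CountMax directive (ClientAliveCountMax on the server, ServerAliveCountMax on the client, both defaulting to 3 in OpenSSH). The following is an added example, not code from the Gentoo wiki or OpenSSH: it reads those directives out of sshd_config or ssh_config text the way sshd does (first occurrence wins, keywords case-insensitive) and reports the resulting timeout. The config fragment is constructed.

```shell
#!/bin/sh
# Added example (not from the Gentoo wiki page): compute how long a silent
# SSH link survives from the keepalive directives in a config file. The
# server probes every ClientAliveInterval seconds and disconnects after
# ClientAliveCountMax (default 3) unanswered probes; the client pair is
# ServerAliveInterval / ServerAliveCountMax. An interval of 0, the default,
# disables probing, which is when a NAT device can drop the idle link unnoticed.

# Constructed sshd_config fragment used below (not a real host's config).
SAMPLE_SSHD_CONFIG='# constructed example
Port 22
PermitRootLogin no
ClientAliveInterval 30
# ClientAliveCountMax is left at its default of 3'

# config_value <directive> <default>: print the directive's value from the
# config text on stdin. Like OpenSSH, the first occurrence wins and keywords
# are matched case-insensitively; comment and blank lines are skipped.
config_value() {
    awk -v key="$1" -v def="$2" '
        BEGIN { key = tolower(key); found = 0 }
        /^[[:space:]]*#/ || NF < 2 { next }
        !found && tolower($1) == key { print $2; found = 1 }
        END { if (!found) print def }
    '
}

# keepalive_timeout server|client: seconds of silence before the connection
# is closed, for sshd_config ("server") or ssh_config ("client") text on
# stdin. Prints 0 when probing is disabled.
keepalive_timeout() {
    case $1 in
        server) prefix=ClientAlive ;;
        client) prefix=ServerAlive ;;
        *) echo "usage: keepalive_timeout server|client" >&2; return 2 ;;
    esac
    cfg=$(cat)
    interval=$(printf '%s\n' "$cfg" | config_value "${prefix}Interval" 0)
    countmax=$(printf '%s\n' "$cfg" | config_value "${prefix}CountMax" 3)
    echo $((interval * countmax))
}

# Demonstration: 30 s interval x 3 probes = 90 s before a dead link is dropped.
printf '%s\n' "$SAMPLE_SSHD_CONFIG" | keepalive_timeout server
```

Feed it the real file with, for example, keepalive_timeout server < /etc/ssh/sshd_config. Directives inside Match or Host blocks are read as if they were global, so check those sections by hand; for the authoritative effective values use sshd -T on the server and ssh -G hostname on the client.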

X11 forwarding/tunnelling does not work

Problem: After making the necessary changes to the configuration files to allow X11 forwarding, X applications run on the server are not forwarded to the client.

Solution: What is likely happening is that during SSH login to the remote server or host, the DISPLAY variable is either being unset or being set after the SSH session has already set it.

Test for this after logging in remotely as follows:

user $echo $DISPLAY
localhost:10.0

The output should be something similar to localhost:10.0, or localhost2.local:10.0 when the server-side X11UseLocalhost no setting is used. If the usual :0.0 is not displayed, check to make sure the DISPLAY variable within ~/.bash_profile is not being unset or re-initialized. If it is, remove or comment out any custom initialization of the DISPLAY variable, or prevent the code in ~/.bash_profile from executing during an SSH login:

user $ssh -t larry@localhost2 bash --noprofile

Be sure to substitute larry in the command above with the proper username.

A small trick is to define this command as an alias in the user's ~/.bashrc.
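Reading ~/.bash_profile by eye can miss an assignment buried in a sourced file, so here is an added example (not from the Gentoo wiki) that checks the behaviour directly: it sources a profile in a throwaway shell with DISPLAY preset to the forwarded value and SSH_CONNECTION set, as sshd does for every session, and reports whether DISPLAY survives. It assumes localhost:10.0 as the value sshd chose, matching the sample output above; the two profile files are constructed, and the second one shows a guard on SSH_CONNECTION that keeps the local DISPLAY setting for console logins only.

```shell
#!/bin/sh
# Added example (not from the Gentoo wiki page): detect a login profile that
# clobbers the DISPLAY set by sshd for X11 forwarding, by sourcing it in a
# child shell with the environment a forwarded session sees.

# Constructed ~/.bash_profile that causes the symptom: DISPLAY is
# reassigned unconditionally, so the forwarded display is lost.
BAD_PROFILE='# constructed example
export PATH="$HOME/bin:$PATH"
export DISPLAY=:0.0'

# The same file with the assignment limited to local logins: inside an SSH
# session SSH_CONNECTION is set, so the block is skipped and sshd's value
# survives.
GOOD_PROFILE='# constructed example
export PATH="$HOME/bin:$PATH"
if [ -z "$SSH_CONNECTION" ]; then
    export DISPLAY=:0.0
fi'

# profile_keeps_display <profile-file>: source the file in a child shell with
# DISPLAY preset to the forwarded value and SSH_CONNECTION set as sshd would
# (constructed client/server addresses). Prints the DISPLAY that results;
# exit status 0 if it is unchanged.
profile_keeps_display() {
    result=$(
        DISPLAY=localhost:10.0 \
        SSH_CONNECTION='192.0.2.10 40100 198.51.100.20 22' \
        HOME="${HOME:-/tmp}" \
        sh -c '. "$1"; printf "%s" "$DISPLAY"' sh "$1"
    )
    printf '%s\n' "$result"
    [ "$result" = "localhost:10.0" ]
}

# Demonstration on the two constructed profiles.
demo_dir=$(mktemp -d)
printf '%s\n' "$BAD_PROFILE" > "$demo_dir/bad_profile"
printf '%s\n' "$GOOD_PROFILE" > "$demo_dir/good_profile"
for f in bad_profile good_profile; do
    if profile_keeps_display "$demo_dir/$f" > /dev/null; then
        echo "$f: DISPLAY survives, X11 forwarding will work"
    else
        echo "$f: DISPLAY is overwritten, X11 forwarding breaks"
    fi
done
rm -rf "$demo_dir"
```

To check a real account, run profile_keeps_display ~/.bash_profile on the server; because the profile is sourced in a child process, the calling shell's environment is untouched. The bash --noprofile login shown above remains the quick way to confirm the diagnosis when the profile cannot be edited immediately.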

See also

  • Securing the SSH service in the Gentoo Security Handbook
  • Keychain - Gentoo Linux Keychain Guide
  • autossh - detects when an SSH connection is dropped and reconnects automatically.
  • SCP - the secure copy program that ships with SSH.
  • SFTP - the secure file transfer protocol client that ships with SSH.
  • SSHFS - a mount client based on FUSE and SSH.

External resources