This is Gentoo's testing wiki. It is a non-operational environment and its textual content is outdated.

Please visit our production wiki at https://wiki.gentoo.org

SSH

From Gentoo Wiki (test)
This page is a translated version of the page SSH and the translation is 85% complete.

SSH (Secure SHell) is an encrypted terminal program that replaces the traditional telnet tool on Unix-like operating systems.

SSH has grown into a family of software: besides ssh, the main program for remote terminal access, it includes other tools such as scp (Secure Copy Program) and sftp (Secure File Transfer Protocol).

Originally, SSH was not free. Today, however, the most popular implementation, which has become the de facto standard, is OpenSSH from OpenBSD (https://www.openbsd.org/), and it comes preinstalled in Gentoo.

Installation

Checking the installation

The vast majority of Gentoo Linux systems come with OpenSSH preinstalled. This can be checked by running the ssh command; if it is installed, the usage message is printed:

user $ssh
usage: ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec]
           [-D [bind_address:]port] [-E log_file] [-e escape_char]
           [-F configfile] [-I pkcs11] [-i identity_file]
           [-L [bind_address:]port:host:hostport] [-l login_name] [-m mac_spec]
           [-O ctl_cmd] [-o option] [-p port]
           [-Q cipher | cipher-auth | mac | kex | key]
           [-R [bind_address:]port:host:hostport] [-S ctl_path] [-W host:port]
           [-w local_tun[:remote_tun]] [user@]hostname [command]

If no usage message is printed, ssh is either broken or not installed. It is also possible that OpenSSH is being recompiled after the user added new USE flags. In either case, continue by reviewing the available USE settings.

USE flags

USE flags for net-misc/openssh Port of OpenBSD's free SSH release

audit Enable support for Linux audit subsystem using sys-process/audit
debug Enable extra debug codepaths, like asserts and extra output. If you want to get meaningful backtraces see https://wiki.gentoo.org/wiki/Project:Quality_Assurance/Backtraces
kerberos Add kerberos support
ldns Use LDNS for DNSSEC/SSHFP validation.
libedit Use the libedit library (replacement for readline)
livecd Enable root password logins for live-cd environment.
pam Add support for PAM (Pluggable Authentication Modules) - DANGEROUS to arbitrarily flip
pie Build programs as Position Independent Executables (a security hardening technique)
security-key Include builtin U2F/FIDO support
selinux  !!internal use only!! Security Enhanced Linux support, this must be set by the selinux profile or breakage will occur
ssl Enable additional crypto algorithms via OpenSSL
static  !!do not set this during bootstrap!! Causes binaries to be statically linked instead of dynamically
test Enable dependencies and/or preparations necessary to run tests (usually controlled by FEATURES=test but can be toggled independently)
verify-sig Verify upstream signatures on distfiles
xmss Enable XMSS post-quantum authentication algorithm

Emerge

After changing the necessary USE flags, do not forget to install (or reinstall) OpenSSH:

root #emerge --ask --changed-use net-misc/openssh

Configuration

Creating keys

To provide a secure shell, cryptographic keys are used to manage the encryption, decryption and hashing functions SSH provides.

The system keys are generated the first time the SSH service is started. Keys can be (re)generated with ssh-keygen.

Generate SSH protocol 2 keys (DSA and RSA algorithms):

root #/usr/bin/ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ""
root #/usr/bin/ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ""

The article Secure Secure Shell suggests using Ed25519 and RSA public key algorithms with:

root #/usr/bin/ssh-keygen -t ed25519 -a 100 -f /etc/ssh/ssh_host_ed25519_key -N ""
root #/usr/bin/ssh-keygen -t rsa -b 4096 -o -a 100 -f /etc/ssh/ssh_host_rsa_key -N ""

Server configuration

The SSH server configuration file is usually /etc/ssh/sshd_config, although further configuration, including changing the location of the configuration file, is possible through OpenRC's /etc/conf.d/sshd file. For detailed information on configuring the server, see the sshd_config man page.

Also worth reading is the OpenSSH guide by Sven Vermeulen (SwifT), which focuses on secure configuration.

Client configuration

The ssh client and related programs (scp, sftp, etc.) can be configured through the following files:

  • ~/.ssh/config
  • /etc/ssh/ssh_config

For more information, read the ssh_config manual:

user $man ssh_config

Passwordless authentication

This is very convenient for managing git servers.

Client

On the client, if not already done, create a key pair. This can be done by running the following command (of course, not entering a passphrase):

user $ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/larry/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/larry/.ssh/id_rsa.
Your public key has been saved in /home/larry/.ssh/id_rsa.pub.
The key fingerprint is:
de:ad:be:ef:15:g0:0d:13:37:15:ad:cc:dd:ee:ff:61 larry@client
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|     .           |
| . .. n   .      |
|   . (: . .      |
|  o   . . : .    |
| . ..: >.> .     |
|  * ?. .         |
| o.. .. ..       |
| :. .  ! .       |
+-----------------+

Server

Make sure an account for the user exists on the server, and then place the client's id_rsa.pub file into the server's ~/.ssh/authorized_keys file in the user's home directory. This can be done by running the following command on the client computer (here, the user's password on the server needs to be entered):

user $ssh-copy-id <server>
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/home/larry/.ssh/id_rsa.pub"
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys
larry@<server>'s password: 

Number of key(s) added: 1

Now try logging into the machine, with:   "ssh '<server>'"
and check to make sure that only the key(s) you wanted were added.

Afterwards a passwordless login should be possible doing

user $ssh <server>
larry@<server>

Then, in the server's /etc/ssh/sshd_config, set PasswordAuthentication no.

Local test

The steps above can be tested locally:

user $ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/larry/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
...
user $mv ~/.ssh/id_rsa.pub ~/.ssh/authorized_keys
user $ssh localhost
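As an added example (not the Gentoo wiki's own code), the following POSIX sh function reproduces the server side of the ssh-copy-id step above: it appends a public key to authorized_keys only when the same key material is not already present (the comment field is ignored, as ssh-copy-id does when it filters keys that are already installed) and applies the directory and file permissions that sshd's StrictModes check requires. The key line and all paths in the demo are constructed.

```shell
#!/bin/sh
# Added example, not the Gentoo wiki's own code: emulate the server side of
# ssh-copy-id. A key is appended to authorized_keys only if its "type base64"
# material is not already there (comment field ignored), and the permissions
# sshd's StrictModes check requires are applied. All paths are assumptions.

# key_material FILE -> prints "type base64" of the first key line in FILE
key_material() {
    awk 'NF >= 2 { print $1, $2; exit }' "$1"
}

# install_pubkey PUBKEY_FILE AUTHORIZED_KEYS_FILE
# Prints "added" or "present"; returns 1 if PUBKEY_FILE holds no key line.
install_pubkey() {
    pub=$1; auth=$2
    mat=$(key_material "$pub")
    [ -n "$mat" ] || return 1
    dir=$(dirname "$auth")
    mkdir -p "$dir"
    chmod 700 "$dir"      # ~/.ssh must not be writable by group or others
    touch "$auth"
    chmod 600 "$auth"     # authorized_keys must not be writable by others
    # compare on "type base64" only, so a different comment is still a match
    if awk 'NF >= 2 { print $1, $2 }' "$auth" | grep -qxF "$mat"; then
        echo present
    else
        # append exactly one complete line, even if the source lacks a newline
        awk 'NF >= 2 { print; exit }' "$pub" >> "$auth"
        echo added
    fi
}

# Demo with a constructed key line (not a real key) in a temporary directory.
demo_dir=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABCONSTRUCTED larry@client\n' > "$demo_dir/id_rsa.pub"
install_pubkey "$demo_dir/id_rsa.pub" "$demo_dir/.ssh/authorized_keys"   # added
install_pubkey "$demo_dir/id_rsa.pub" "$demo_dir/.ssh/authorized_keys"   # present
rm -rf "$demo_dir"
```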

Protecting against intrusion

SSH is a frequently attacked service. Tools such as sshguard and fail2ban monitor the logs and blacklist remote users who fail to log in several times. Use these tools as needed to keep this exposed service secure.

Usage

Service

OpenRC

Add the OpenSSH service to the default runlevel:

root #rc-update add sshd default

Start the sshd service:

root #rc-service sshd start

The OpenSSH service can be controlled like any other service managed by OpenRC:

root #rc-service sshd start
root #rc-service sshd stop
root #rc-service sshd restart
Note: Active SSH connections to the server remain unaffected when issuing rc-service sshd restart.

systemd

Start OpenSSH together with the system at boot:

root #systemctl enable sshd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/sshd.service to /usr/lib64/systemd/system/sshd.service.

Now start the OpenSSH service:

root #systemctl start sshd.service

Check whether the service has started:

root #systemctl status sshd.service

Escape sequences

During an active SSH session, pressing the tilde (~) key starts an escape sequence. Enter the following for a list of options:

ssh>~?

Troubleshooting

There are three debug levels to help with troubleshooting. With the -v option, SSH prints debugging messages about its progress, which helps in diagnosing connection, authentication and configuration problems. Multiple -v options increase the verbosity; the maximum is three.

user $ssh example.org -v
user $ssh example.org -vv
user $ssh example.org -vvv

Long-lived connections get closed

Many Internet access devices perform network address translation (NAT), which lets devices on a private network (typically a home or a business) reach external networks such as the Internet even though each device only has an IP address on the private network. Unfortunately, not all NAT devices are created equal, and some of them wrongly close TCP connections that stay open for a long time but are used infrequently, such as the ones SSH uses. The usual symptom is that interaction with the remote server suddenly stops, even though the ssh client program has not exited.

The OpenSSH client and server can be configured to send a 'keep alive', an invisible message meant to keep the connection up and confirm that it is still alive:

  • To enable keep-alives for all clients connecting to your local server, set ClientAliveInterval 30 (or another value, in seconds) in /etc/ssh/sshd_config.
  • To enable keep-alives for all servers your local client connects to, set ServerAliveInterval 30 (or another value, in seconds) in /etc/ssh/ssh_config.
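An added example (not the Gentoo wiki's own code) that serves both the PasswordAuthentication no step in the passwordless authentication section and the ClientAliveInterval setting just described: sshd_config(5) uses the first value obtained for a keyword, so a hardening line appended at the end of the file is silently ignored when an earlier line already sets it, and every line after a Match line belongs to that conditional block. The helper below prints the effective global value of a keyword with those rules and checks the two settings; it assumes a single file and does not follow Include directives.

```shell
#!/bin/sh
# Added example, not the Gentoo wiki's own code. sshd uses the FIRST value
# obtained for a keyword, so a "PasswordAuthentication no" appended after an
# earlier "yes" is ignored, and lines after a Match block are conditional.
# Assumption: one file; Include directives are not followed.

# sshd_effective KEYWORD FILE -> prints the value, or nothing if not set globally
sshd_effective() {
    awk -v kw="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || NF == 0 { next }      # comment or blank line
        tolower($1) == "match" { exit }     # conditional section starts here
        tolower($1) == kw {
            sub(/^[ \t]*[^ \t]+[ \t]+/, ""); sub(/[ \t]+$/, "")
            print; exit
        }' "$2"
}

# check_hardening FILE -> prints one line per problem; returns 1 if any found.
# Checks the two settings this page recommends: PasswordAuthentication no and
# a non-zero ClientAliveInterval (sshd defaults: yes and 0, i.e. disabled).
check_hardening() {
    f=$1; rc=0
    pa=$(sshd_effective PasswordAuthentication "$f" | tr 'A-Z' 'a-z')
    if [ "$pa" != no ]; then
        printf 'PasswordAuthentication is effectively "%s"\n' "${pa:-unset (default yes)}"
        rc=1
    fi
    case $(sshd_effective ClientAliveInterval "$f") in
        ''|0) printf 'ClientAliveInterval is unset or 0: no keep-alives\n'; rc=1 ;;
    esac
    return $rc
}
```

Run check_hardening /etc/ssh/sshd_config after editing; an empty result and exit status 0 mean both settings are in effect globally.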

X11 forwarding/tunneling does not work

Problem: after making the necessary changes to the configuration files to allow X11 forwarding, X applications executed on the server are not forwarded to the client.

Solution: it may be that the DISPLAY variable is unset during the SSH login to the remote server or host, or is reset after the SSH session has set it.

Test for this after logging in remotely as follows:

user $echo $DISPLAY
localhost:10.0

The output should be something like localhost:10.0, or localhost2.local:10.0 when the server-side X11UseLocalhost no setting is used. If the usual :0.0 is not displayed, check that the DISPLAY variable is not being unset or re-initialized in ~/.bash_profile. If it is, remove or comment out any custom initialization of the DISPLAY variable, or prevent the code in ~/.bash_profile from executing during an SSH login:

user $ssh -t larry@localhost2 bash --noprofile

Replace larry in the command above with the appropriate user name.

A handy trick is to define this command as an alias in the user's ~/.bashrc.

See also

External resources