Overview
Many network programs, such as telnet, rsh, rlogin or rexec, send passwords and other secret information in plain text, so anyone with a computer connected to the network can eavesdrop on the traffic between these programs and the server and capture the passwords and secrets. Today the telnet program is indispensable for day-to-day administration, yet it is insecure; what should replace it? OpenSSH is the replacement for those obsolete, insecure remote login programs such as telnet, rlogin, rsh, rdist and rcp.
The OpenSSH README puts it this way: the ssh (Secure Shell) program lets you log in to a remote host over the network and execute commands there. It provides strong authentication and secure communication over an insecure network.
We configure OpenSSH to work with TCP-Wrappers (the inetd super-server). This further improves security and removes the need to run OpenSSH as a background daemon: when a client program requests a connection, the TCP-Wrappers daemon authenticates and authorizes the request before redirecting the connection to OpenSSH. OpenSSH is free software and uses encryption algorithms that are not patent-encumbered. I therefore recommend OpenSSH (free, with a number of bugs fixed) over SSH1 (free but buggy) and SSH2 (now under a commercial license).
Notes
All the commands below are Unix-compatible commands.
The source path is "/var/tmp" (any other path can of course be used in practice).
The installation was tested on RedHat Linux 6.1 and 6.2.
Install as the "root" user.
The OpenSSH version is 1.2.3.
Package source
OpenSSH homepage: http://violet.ibs.com.au/openssh/.
Download: openssh-1.2.3.tar.gz.
Preparation
Compiling OpenSSH requires the zlib-devel package, which contains the header files and libraries; it must be installed before you can build any program that uses zlib's compression and decompression functions. It can be installed from the RedHat 6.1 or 6.2 CD-ROM.
- Verify with the following command whether the zlib-devel package is already installed on the system:
[root@deep /]# rpm -qi zlib-devel
- Install the zlib-devel package on the system with the following commands:
[root@deep /]# mount /dev/cdrom /mnt/cdrom/
[root@deep /]# cd /mnt/cdrom/RedHat/RPMS/
[root@deep RPMS]# rpm -Uvh zlib-devel-version.i386.rpm
zlib-devel ##################################################
[root@deep RPMS]# rpm -Uvh gd-devel-version.i386.rpm
gd ##################################################
[root@deep RPMS]# cd /; umount /mnt/cdrom/
OpenSSL must also be installed before OpenSSH can be used: even if you never use OpenSSL yourself to create or store encrypted files, OpenSSH needs the OpenSSL libraries in order to run.
Things to watch when installing the package
It is best to make a list of every file on the system before and after compiling, then compare the two lists with the "diff" command to find what changed and learn exactly where the software was installed. Simply run "find /* > OpenSSH1" before compiling, run "find /* > OpenSSH2" after compiling and installing the software, and finally run "diff OpenSSH1 OpenSSH2 > OpenSSH-Installed" to find the differences.
Compiling and installing
Unpack the package (tar.gz):
[root@deep /]# cp openssh-version.tar.gz /var/tmp
[root@deep /]# cd /var/tmp
[root@deep tmp]# tar xzpf openssh-version.tar.gz
Compiling and optimizing
Step 1
Change into the new OpenSSH directory and first set the compiler flags:
CC="egcs" \
CFLAGS="-O9 -funroll-loops -ffast-math -malign-double -mcpu=pentiumpro -march=pentiumpro -fomit-frame-pointer -fno-exceptions" \
./configure \
--prefix=/usr \
--sysconfdir=/etc/ssh \
--with-tcp-wrappers \
--with-ipv4-default \
--with-ssl-dir=/usr/include/openssl
ÕâЩÉèÖøæËß±àÒëÆ÷ÈçºÎ±àÒëOpenSSH£º
l Á´½ÓÉÏlibwrapº¯Êý¿â²¢ÇÒ¼ÓÉ϶ÔTCP WrappersµÄÖ§³Ö
l ½ûÖ¹Linux/glibc-2.1.2ÖÐÓòÃû½âÎöµÄÑÓʱ£¬Ëõ¶Ì½¨Á¢Á¬½ÓµÄʱ¼ä
l ÉèÖÃOpenSSLº¯Êý¿âµÄ·¾¶£¬ÕâÑùOpenSSH²ÅÄÜÕý³£ÔËÐÐ
µÚ¶þ²½
ÏÖÔÚ£¬±àÒëºÍ°²×°OpenSSH£º
[root@deep openssh-1.2.3]# make
[root@deep openssh-1.2.3]# make install
[root@deep openssh-1.2.3]# make host-key
[root@deep openssh-1.2.3]# install -m644 contrib/redhat/sshd.pam /etc/pam.d/sshd
The "make" command compiles the source files into executable binaries, and "make install" installs the binaries and configuration files into the appropriate directories. "make host-key" generates the host key, and the "install" command installs PAM support for OpenSSH on RedHat Linux.
Removing unnecessary files
Delete the files that are no longer needed with the following commands:
[root@deep /]# cd /var/tmp
[root@deep tmp]# rm -rf openssh-version/ openssh-version.tar.gz
The "rm" command deletes all the source code that was needed to compile and install OpenSSH, and removes the OpenSSH archive as well.
Configuration
The "floppy.tgz" file can be downloaded from http://www.openna.com/books/floppy.tgz. After unpacking "floppy.tgz" you will find, in the corresponding directories, the configuration files for all the software described in this book, so there is no need to regenerate them by hand or to paste them into the configuration files by copy-and-paste. Whether you plan to write the configuration files yourself or copy the ready-made ones, you must learn how to edit them and copy them into the correct directories. This is explained below.
To run OpenSSH, the following files must be created or copied into the corresponding directories:
- Copy the "sshd_config" file into the "/etc/ssh" directory
- Copy the "ssh_config" file into the "/etc/ssh" directory
- Copy the "ssh" file into the "/etc/pam.d/" directory
You can unpack "floppy.tgz", locate the files listed above and copy them into the appropriate directories, or copy-and-paste them directly from this book.
Configuring the "/etc/ssh/ssh_config" file
The "/etc/ssh/ssh_config" file is the OpenSSH system-wide configuration file; it lets you change the behaviour of the client program by setting various options. Each line of the file contains a "keyword-value" pair, and the "keyword" is case-insensitive. The most important keywords are listed below; the full list is in the man page (ssh (1)).
Edit the "ssh_config" file (vi /etc/ssh/ssh_config) and add or change the following parameters:
# Site-wide defaults for various options
Host *
ForwardAgent no
ForwardX11 no
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
PasswordAuthentication yes
FallBackToRsh no
UseRsh no
BatchMode no
CheckHostIP yes
StrictHostKeyChecking no
IdentityFile ~/.ssh/identity
Port 22
Cipher blowfish
EscapeChar ~
The settings above, line by line:
Host *
The "Host" option restricts the settings that follow to hosts matching the given pattern. "*" matches all hosts.
ForwardAgent no
"ForwardAgent" sets whether the connection to the authentication agent (if any) is forwarded to the remote host.
ForwardX11 no
"ForwardX11" sets whether X11 connections are automatically redirected over the secure channel and the DISPLAY set.
RhostsAuthentication no
"RhostsAuthentication" sets whether rhosts-based authentication is used.
RhostsRSAAuthentication no
"RhostsRSAAuthentication" sets whether rhosts-based authentication combined with RSA host authentication is used.
RSAAuthentication yes
"RSAAuthentication" sets whether RSA authentication is used.
PasswordAuthentication yes
"PasswordAuthentication" sets whether password authentication is used.
FallBackToRsh no
"FallBackToRsh" sets whether to fall back to rsh automatically if the ssh connection fails.
UseRsh no
"UseRsh" sets whether "rlogin/rsh" is used on this host.
BatchMode no
"BatchMode", if set to "yes", disables the passphrase/password prompt (interactive password entry). This option is useful in scripts and batch jobs where nobody is available to type a password.
CheckHostIP yes
"CheckHostIP" sets whether ssh also checks the IP address of the server host, to detect DNS spoofing. Setting it to "yes" is recommended.
StrictHostKeyChecking no
"StrictHostKeyChecking", if set to "yes", stops ssh from automatically adding host keys to the "$HOME/.ssh/known_hosts" file, and makes it refuse to connect to a host whose key has changed.
IdentityFile ~/.ssh/identity
"IdentityFile" sets the file from which the user's RSA authentication identity is read.
Port 22
"Port" sets the port to connect to on the remote host.
Cipher blowfish
"Cipher" sets the cipher used to encrypt the session.
EscapeChar ~
"EscapeChar" sets the escape character.
Configuring the "/etc/ssh/sshd_config" file
"/etc/ssh/sshd_config" is the OpenSSH server configuration file; its options change how the daemon runs. Each line of the file contains a "keyword-value" pair, and the "keyword" is case-insensitive. The most important keywords are listed below; the full list is in the man page (sshd (8)).
Edit the "sshd_config" file (vi /etc/ssh/sshd_config) and add or change the following parameters:
# This is ssh server systemwide configuration file.
Port 22
ListenAddress 192.168.1.1
HostKey /etc/ssh/ssh_host_key
ServerKeyBits 1024
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin no
IgnoreRhosts yes
IgnoreUserKnownHosts yes
StrictModes yes
X11Forwarding no
PrintMotd yes
SyslogFacility AUTH
LogLevel INFO
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
AllowUsers admin
The settings above, line by line:
Port 22
"Port" sets the port number sshd listens on.
ListenAddress 192.168.1.1
"ListenAddress" sets the IP address the sshd server binds to.
HostKey /etc/ssh/ssh_host_key
"HostKey" sets the file containing the host's private key.
ServerKeyBits 1024
"ServerKeyBits" defines the number of bits in the server key.
LoginGraceTime 600
"LoginGraceTime" sets how long (in seconds) the server waits before disconnecting if the user has not logged in successfully.
KeyRegenerationInterval 3600
"KeyRegenerationInterval" sets after how many seconds the server key is automatically regenerated (if one is used). Regenerating the key prevents a stolen key from being used to decrypt captured sessions.
PermitRootLogin no
"PermitRootLogin" sets whether root can log in with ssh. This option must never be set to "yes".
IgnoreRhosts yes
"IgnoreRhosts" sets whether the "rhosts" and "shosts" files are used during authentication.
IgnoreUserKnownHosts yes
"IgnoreUserKnownHosts" sets whether the ssh daemon ignores the user's "$HOME/.ssh/known_hosts" during RhostsRSAAuthentication.
StrictModes yes
"StrictModes" sets whether ssh checks the permissions and ownership of the user's home directory and rhosts files before accepting a login. This is normally necessary, because novices often leave their directories and files writable by everyone.
X11Forwarding no
"X11Forwarding" sets whether X11 forwarding is allowed.
PrintMotd yes
"PrintMotd" sets whether sshd prints the contents of "/etc/motd" when a user logs in.
SyslogFacility AUTH
"SyslogFacility" sets the facility code used when logging messages from sshd.
LogLevel INFO
"LogLevel" sets the verbosity level for sshd log messages. INFO is a good choice. See the sshd man page for more information.
RhostsAuthentication no
"RhostsAuthentication" sets whether authentication with rhosts or "/etc/hosts.equiv" alone is sufficient.
RhostsRSAAuthentication no
"RhostsRSAAuthentication" sets whether authentication with rhosts or "/etc/hosts.equiv" together with RSA is allowed.
RSAAuthentication yes
"RSAAuthentication" sets whether pure RSA authentication is allowed.
PasswordAuthentication yes
"PasswordAuthentication" sets whether password authentication is allowed.
PermitEmptyPasswords no
"PermitEmptyPasswords" sets whether logins to accounts with empty passwords are allowed.
AllowUsers admin
"AllowUsers" can be followed by any number of user name patterns or user@host patterns, separated by spaces. The host name can be a DNS name or an IP address.
Configuring OpenSSH to use the TCP-Wrappers inetd super-server
TCP-WRAPPERS is used to start and stop the sshd1 service. When inetd runs, it reads its configuration from the configuration file (by default "/etc/inetd.conf"). The fields of each line in that file are separated by TABs or spaces.
Step 1
Edit the "inetd.conf" file (vi /etc/inetd.conf) and add this line:
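The sshd_config values above are easy to get wrong on a live host, so here is an added example (my own, not part of the original article or of OpenSSH) of a small POSIX shell audit. It reads an sshd_config-style file with the same case-insensitive keyword matching sshd uses, and reports every security-relevant option whose value is missing or differs from what the text recommends. The rule list, the helper names get_option and audit_sshd_config, and the two sample files built inline are all my own constructions; the script assumes the plain "Keyword value" line format shown above (not the "Keyword=value" form) and, like sshd, honours the first occurrence of a keyword.

```shell
#!/bin/sh
# Added example: audit an sshd_config-style file for the settings the article
# says must be hardened. Not part of the original article or of OpenSSH.
# Assumes POSIX sh and awk, and "Keyword value" lines as shown in the article.

# get_option FILE KEYWORD: print the value of the first matching line.
# Keywords are compared case-insensitively; sshd likewise uses the first
# value it finds for a keyword, so later duplicates do not override it.
get_option() {
    awk -v key="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # skip comments and blanks
        tolower($1) == tolower(key)          { print $2; exit }
    ' "$1"
}

# Expected values, taken from the article's recommended sshd_config
# (constructed rule list of "keyword:expected" pairs).
SSHD_RULES="PermitRootLogin:no PermitEmptyPasswords:no IgnoreRhosts:yes
RhostsAuthentication:no RhostsRSAAuthentication:no StrictModes:yes
X11Forwarding:no"

# audit_sshd_config FILE: print one line per setting that is unset or differs
# from the expected value; return 0 if clean, 1 if anything was flagged.
# An unset keyword is flagged too: the audit wants every value set explicitly
# rather than relying on the compiled-in default.
audit_sshd_config() {
    audit_bad=0
    for rule in $SSHD_RULES; do
        key=${rule%%:*}
        want=${rule#*:}
        have=$(get_option "$1" "$key" | tr '[:upper:]' '[:lower:]')
        if [ "$have" != "$want" ]; then
            printf '%s: have "%s", expected "%s"\n' "$key" "${have:-unset}" "$want"
            audit_bad=1
        fi
    done
    return $audit_bad
}

# Two constructed sample files: one with the values the article warns
# against, one with the hardened values from the article.
WEAK_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# constructed sample: weak settings
Port 22
permitrootlogin yes
PermitEmptyPasswords yes
IgnoreRhosts no
StrictModes yes
EOF

HARD_CFG=$(mktemp)
cat > "$HARD_CFG" <<'EOF'
# constructed sample: hardened settings from the article
Port 22
PermitRootLogin no
IgnoreRhosts yes
StrictModes yes
X11Forwarding no
RhostsAuthentication no
RhostsRSAAuthentication no
PermitEmptyPasswords no
EOF

for cfg in "$WEAK_CFG" "$HARD_CFG"; do
    if audit_sshd_config "$cfg"; then
        echo "$cfg: no weak settings found"
    else
        echo "$cfg: fix the settings listed above"
    fi
done
```

Run against the real file with audit_sshd_config /etc/ssh/sshd_config after editing it; a non-zero exit status means at least one of the listed options still needs attention. Because the audit treats an absent keyword as a finding, it also catches the case where the option was never written into the file and the daemon is silently running on its built-in default.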
ssh stream tcp nowait root /usr/sbin/tcpd sshd -i
Note: the "-i" flag is important; it tells sshd that it is being run by inetd. After adding this line, make inetd re-read "inetd.conf" by sending it a SIGHUP signal (killall -HUP inetd):
[root@deep /root]# killall -HUP inetd
Step 2
Edit the "hosts.allow" file (vi /etc/hosts.allow) and add this line:
sshd: 192.168.1.4 win.openarch.com
This line means that the host with IP address "192.168.1.4" and host name "win.openarch.com" is allowed to access the server with ssh.
The following "daemon" strings (for TCP-WRAPPERS) are used by sshd1:
sshdfwd-X11 (allow/deny X11 forwarding).
sshdfwd-<port-number> (TCP forwarding).
sshdfwd-<port-name> (port-name is defined in /etc/services; used for TCP forwarding).
Note: if you are going to use ssh, use it on all of your servers. Ten secure servers alongside one insecure server give no security at all.
More information
For detailed information, read the relevant man pages:
$ man ssh (1) - OpenSSH secure shell client (remote login program)
$ man ssh [slogin] (1) - OpenSSH secure shell client (remote login program)
$ man ssh-add (1) - adds identities for the authentication agent
$ man ssh-agent (1) - authentication agent
$ man ssh-keygen (1) - authentication key generation
$ man sshd (8) - secure shell daemon
SSH1 per-user configuration
Step 1
Create the private and public keys for the local server by running the following commands:
[root@deep]# su username
[username@deep]$ ssh-keygen1
For example, the output may look like this:
Initializing random number generator...
Generating p: ............................++ (distance 430)
Generating q: ......................++ (distance 456)
Computing the keys...
Testing the keys...
Key generation complete.
Enter file in which to save the key (/home/username/.ssh/identity): [press Enter]
Enter passphrase:
Enter the same passphrase again:
Your identification has been saved in /home/username/.ssh/identity.
Your public key is:
1024 37 149377575112519555336911203184772938622900493947151365111458061088700017643784946768312975778431585322723612061006231460440536487184367748423324091941848098890786099717524446977589647127757030728779973708569993017043141563536333068888944038178461608592483844590202154102756903055846534063365635584899765402181 username@deep.openarch.com
Your public key has been saved in /home/username/.ssh/identity.pub
Note: if you have several accounts, create a key for each one.
You may want to create keys for the following servers:
- Mail server
- Web server
- Gateway server
This allows access to these servers to be limited; for example, the mail server account is not allowed to access the web server or the gateway server. Overall security improves, because even if one key is compromised for some reason, the other servers are not affected.
Step 2
Copy the local public key (identity.pub) into the "/home/username/.ssh" directory on the remote host, for example under the name "authorized_keys".
Note: one way to copy the file is with the ftp command; another is to send the public key (the contents of the "~/.ssh/identity.pub" file) to the system administrator by email.
Changing the pass-phrase
The pass-phrase can be changed at any time with the "ssh-keygen" command and the "-p" flag. Change the pass-phrase with the following commands:
[root@deep]# su username
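Step 2 above says to place identity.pub into the remote user's ~/.ssh as authorized_keys, and the StrictModes explanation earlier says sshd refuses logins when the home directory or its files are writable by others. As an added example (my own, not the article's or OpenSSH's code), the POSIX shell functions below install a public key line with the permissions StrictModes expects and check them afterwards. The function names install_pubkey and check_strict_modes, and the sample key line built inline (not a real key), are my own constructions; the functions work on whatever directory path you pass in and never contact a remote host, so the demonstration runs in a temporary directory.

```shell
#!/bin/sh
# Added example: install a public key into authorized_keys with the ownership
# and permissions that "StrictModes yes" requires. Not part of the original
# article or of OpenSSH. Assumes POSIX sh; it only touches the given directory.

# install_pubkey PUBKEY_FILE HOME_DIR
# Creates HOME_DIR/.ssh (0700) and HOME_DIR/.ssh/authorized_keys (0600) if
# needed, appends the key line unless that exact line is already present,
# and clears the group/other write bits on HOME_DIR that StrictModes rejects.
install_pubkey() {
    pub=$1; home=$2
    sshdir=$home/.ssh
    auth=$sshdir/authorized_keys
    [ -s "$pub" ] || { echo "no public key in $pub" >&2; return 2; }
    saved_umask=$(umask)
    umask 077                      # anything created here is owner-only from the start
    mkdir -p "$sshdir" && chmod 700 "$sshdir"
    touch "$auth" && chmod 600 "$auth"
    umask "$saved_umask"
    if grep -qxF -f "$pub" "$auth"; then
        echo "key already present in $auth"
    else
        cat "$pub" >> "$auth"
        echo "key added to $auth"
    fi
    chmod go-w "$home"
}

# check_strict_modes HOME_DIR
# Returns 0 when HOME_DIR and HOME_DIR/.ssh are not group- or world-writable
# and authorized_keys is readable and writable by its owner only; otherwise
# reports the offending path and returns 1. Reads the ls(1) mode string
# (columns: 1 type, 2-4 owner, 5-7 group, 8-10 other) for portability.
check_strict_modes() {
    home=$1
    for path in "$home" "$home/.ssh"; do
        case $(ls -ld "$path" | cut -c6,9) in      # group-write and other-write bits
            --) ;;
            *)  echo "group/world-writable: $path" >&2; return 1 ;;
        esac
    done
    case $(ls -l "$home/.ssh/authorized_keys" | cut -c5-10) in
        ------) ;;
        *)  echo "authorized_keys is accessible to group/others" >&2; return 1 ;;
    esac
    return 0
}

# Constructed demonstration in a temporary directory standing in for the
# remote user's home. The key line is a made-up SSH1-style entry, not a real key.
DEMO_HOME=$(mktemp -d)
DEMO_PUB=$DEMO_HOME/identity.pub
echo "1024 37 123456789012345678901234567890 username@deep.openarch.com" > "$DEMO_PUB"

install_pubkey "$DEMO_PUB" "$DEMO_HOME"   # first run: key added
install_pubkey "$DEMO_PUB" "$DEMO_HOME"   # second run: no duplicate line
check_strict_modes "$DEMO_HOME" && echo "permissions acceptable for StrictModes"
```

On a real host you would call install_pubkey with the mailed or ftp'd identity.pub and the user's actual home directory, then run check_strict_modes before telling the user to try logging in; a failing check is the usual reason an RSA login silently falls back to the password prompt under "StrictModes yes".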
[username@deep]$ ssh-keygen1 -p
Enter file key is in (/home/username/.ssh/identity): [press Enter]
Enter old passphrase:
Key has comment 'username@deep.openarch.com'
Enter new passphrase:
Enter the same passphrase again:
Your identification has been saved with the new passphrase.
OpenSSH user tools
Listed below are some of the commands we use most often; there are of course many others, and more detailed information is in the man pages and other documentation.
ssh
ssh (Secure Shell) is the program for logging in to a remote host and executing commands there. It is intended to replace rlogin and rsh, and to provide secure, encrypted communication between two hosts over an insecure network. X11 connections and TCP/IP ports can be forwarded over the secure channel.
Log in to a remote host with the following command:
[root@deep]# ssh -l <login_name> <hostname>
For example:
[root@deep]# ssh -l username www.openarch.com
username@deep.openarch.com's password:
Last login: Tue Oct 19 1999 18:13:00 -0400 from gate.openarch.com
Welcome to www.openarch.com on Deepforest.
<login_name> is the user name for logging in to the ssh server, and <hostname> is the address of the ssh server host.
scp
This command copies files from the local host to a remote host or vice versa, and can even copy files between two remote hosts. A simple way to copy a file from a remote host into the current directory is shown below.
Copy a file from a remote host to the local host with the following commands:
[root@deep /]# su admin
[admin@deep /]$ scp -p <login_name@hostname>:/dir/for/file localdir/to/filelocation
For example:
[username@deep]$ scp -p username@mail:/etc/test1 /tmp
Enter passphrase for RSA key 'username@mail.openarch.com':
test1 | 2 KB | 2.0 kB/s | ETA: 00:00:00 | 100%
Copy a file from the local host to a remote host with the following commands:
[root@deep /]# su admin
[admin@deep /]$ scp -p localdir/to/filelocation <username@hostname>:/dir/for/file
For example:
[username@deep]$ scp -p /usr/bin/test2 username@mail:/var/tmp
username@mail's password:
test2 | 7 KB | 7.9 kB/s | ETA: 00:00:00 | 100%
Note: the "-p" option preserves the file's modification and access times and its permissions during the copy. This is usually what you want.
Files installed on the system
- /etc/ssh
- /etc/ssh/ssh_config
- /etc/ssh/sshd_config
- /etc/ssh_host_key
- /etc/ssh_host_key.pub
- /usr/bin/ssh
- /usr/bin/slogin
- /usr/man/man1/ssh.1
- /usr/man/man1/scp.1
- /usr/man/man1/ssh-add.1
- /usr/man/man1/ssh-agent.1
- /usr/man/man1/ssh-keygen.1
- /usr/bin/scp
- /usr/bin/ssh-add
- /usr/bin/ssh-agent
- /usr/bin/ssh-keygen
- /usr/man/man1/slogin.1
- /usr/man/man8/sshd.8
- /usr/sbin/sshd
Free SSH client software for the Windows platform
Putty
Putty homepage: http://www.chiark.greenend.org.uk/~sgtatham/putty.html
Tera Term Pro and TTSSH
Tera Term Pro homepage: http://hp.vector.co.jp/authors/VA002416/teraterm.html
TTSSH homepage: http://www.zip.com.au/~roca/download.html
Copyright notice
This article is translated and adapted from Gerhard Mourani's "Securing and Optimizing Linux: RedHat Edition"; for the original text and its license, see www.openna.com.
The copyright of the Chinese version belongs to the author brimmer and www.linuxaid.com.cn.