安全攻略 Openssh的安装和启动方法

Openssh的安装和启动

tony@tonybox:~$ sudo aptitude update

tony@tonybox:~$ sudo aptitude install openssh-server

Reading package lists... Done

Building dependency tree... Done

Reading extended state information

Initializing package states... Done

Reading task descriptions... Done

Building tag database... Done

The following NEW packages will be automatically installed:

libedit2 openssh-client

The following NEW packages will be installed:

libedit2 openssh-client openssh-server

0 packages upgraded, 3 newly installed, 0 to remove and 0 not upgraded.

Need to get 55.4kB/879kB of archives. After unpacking 2130kB will be used.

Do you want to continue? [Y/n/?]y

...

Setting up openssh-server (4.3p2-5) ...

Creating SSH2 RSA key; this may take some time ...

Creating SSH2 DSA key; this may take some time ...

Restarting OpenBSD Secure Shell server: sshd.

//创建服务器RSA/DSA密钥对

tony@tonybox:~$

安装完毕后默认生成以下配制文件:

tony@tonybox:~$ ls /etc/ssh -l

total 160

-rw-r--r-- 1 root root 132839 2006-10-07 23:10 moduli //ssh服务器的Diffie-Hellman密钥文件

-rw-r--r-- 1 root root 1423 2006-10-07 23:10 ssh_config //ssh客户端配置文件

-rw-r--r-- 1 root root 1874 2006-10-20 17:45 sshd_config //ssh服务器配置文件

-rw------- 1 root root 668 2006-10-20 17:46 ssh_host_dsa_key //ssh服务器dsa算法私钥

-rw-r--r-- 1 root root 602 2006-10-20 17:46 ssh_host_dsa_key.pub //ssh服务器dsa算法公钥

-rw------- 1 root root 1679 2006-10-20 17:46 ssh_host_rsa_key //ssh服务器rsa算法私钥

-rw-r--r-- 1 root root 394 2006-10-20 17:46 ssh_host_rsa_key.pub //ssh服务器rsa算法公钥

tony@tonybox:~$

如果没有特别要求使用默认设置即可满足使用要求.

启动ssh服务

$ sudo /etc/init.d/ssh start

停止ssh服务

$ sudo /etc/init.d/ssh stop

重启ssh服务

$ sudo /etc/init.d/ssh restart

使用ssh首次连接一个远程ssh服务器时，会出现类似下边的信息。这是因为ssh不能识别这台主机，键入yes将会把这台服务器的信息写入 /.ssh/known_hosts文件，下次连入这台远程服务器时就不会出现这类信息。

tony@tonybox:~$ ssh root@192.168.102.50

The authenticity of host '192.168.102.50 (192.168.102.50)' can't be established.

RSA key fingerprint is c6:d4:e7:23:03:ce:15:2c:08:ec:39:7e:52:29:a5:a6.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added '192.168.102.50' (RSA) to the list of known hosts.

root@192.168.102.50's password:******

Last login: Thu Oct 26 10:38:41 2006

Linux vmdebian 2.6.16-2-486 #1 Fri Aug 18 18:39:04 UTC 2006 i686

The programs included with the Debian GNU/Linux system are free software;

the exact distribution terms for each program are described in the

individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent

permitted by applicable law.

vmdebian:~#

默认配置

默认sshd_config文件

# Package generated configuration file

# See the sshd(8) manpage for details

# What ports, IPs and protocols we listen for

Port 22

#默认使用22端口

# Use these options to restrict which interfaces/protocols sshd will bind to

#ListenAddress ::

#ListenAddress 0.0.0.0

Protocol 2

#使用ssh2协议

# HostKeys for protocol version 2

HostKey /etc/ssh/ssh_host_rsa_key

HostKey /etc/ssh/ssh_host_dsa_key

#主机密钥存储在此

#Privilege Separation is turned on for security

UsePrivilegeSeparation yes

#需要sshd用户启动ssh服务

# Lifetime and size of ephemeral version 1 server key

KeyRegenerationInterval 3600

ServerKeyBits 768

服务器在启动时生成这个密钥。并以固定的周期重新生成。这里指定长度是768位，最小为512，周期为3600。

# Logging

SyslogFacility AUTH

#设置syslog的facility（KERN,DAEMON,USER,AUTH,MAIL等）

LogLevel INFO

#指定记录日志级别为INFO，该值从低到高顺序是：QUIET,FATAL,ERROR,INFO,VERBOSE,DEBUG,使用DEBUG会侵犯用

户的隐私权，这个级别只能用于诊断，而不能用于普通操作。

# Authentication:

LoginGraceTime 120

#设置如果用户不能成功登录，在切断连接之前服务器需要等待的时间（以秒为单位）。

PermitRootLogin yes

#允许root登录

StrictModes yes

#设置ssh在接收登录请求之前是否检查用户家目录和rhosts文件的权限和所有权。这通常是必要的，因为新手经常会把自己的目录和文件设成任何人都有写权限。

RSAAuthentication yes

PubkeyAuthentication yes

#AuthorizedKeysFile %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files

IgnoreRhosts yes

#完全禁止SSHD使用.rhosts文件

# For this to work you will also need host keys in /etc/ssh_known_hosts

RhostsRSAAuthentication no

#设置是否使用用RSA算法的基于rhosts的安全验证。

# similar for protocol version 2

HostbasedAuthentication no

# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication

#IgnoreUserKnownHosts yes

#设置ssh　daemon是否在进行RhostsRSAAuthentication安全验证的时候忽略用户的“$HOME/.ssh/known_hosts”　

# To enable empty passwords, change to yes (NOT RECOMMENDED)

PermitEmptyPasswords no

#设置不允许使用空密码

# Change to yes to enable challenge-response passwords (beware issues with

# some PAM modules and threads)

ChallengeResponseAuthentication no

#关闭挑战响应

# Change to no to disable tunnelled clear text passwords

#PasswordAuthentication yes

#设置是否使用明文密码认证

# Kerberos options

#KerberosAuthentication no

#KerberosGetAFSToken no

#KerberosOrLocalPasswd yes

#KerberosTicketCleanup yes

#有关Kerberos的相关选项

# GSSAPI options

#GSSAPIAuthentication no

#GSSAPICleanupCredentials yes

#有关GSSAPI的相关选项

X11Forwarding yes

#允许X转发

X11DisplayOffset 10

PrintMotd no

PrintLastLog yes

TCPKeepAlive yes

#UseLogin no

#MaxStartups 10:30:60

#Banner /etc/issue.net

# Allow client to pass locale environment variables

AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

UsePAM yes

如果没有特别要求使用默认设置即可满足使用要求.

基于口令的认证

缺省情况下，ssh仍然使用传统的口令验证，在使用这种认证方式时，我们不需要进行任何配置。你可以使用自己帐号和口令登录到远程主机。所有传输的数据都会被加密，但是不能保证你正在连接的服务器就是你想连接的服务器。可能会有别的服务器在冒充真正的服务器，也就是受到“中间人”这种方式的攻击。

使用以下方法登录服务器：

$ ssh tony@192.168.102.50

tony@192.168.102.50's password:

Linux vmdebian 2.6.16-2-486 #1 Fri Aug 18 18:39:04 UTC 2006 i686

The programs included with the Debian GNU/Linux system are free software;

the exact distribution terms for each program are described in the

individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent

permitted by applicable law.

Last login: Fri Dec 8 12:31:58 2006 from 192.168.102.249

$

基于密钥的认证

密匙认证需要依靠密匙，可以使用ssh-keygen 命令生成密钥对，将会把生成的私钥存储在 /.ssh/id_rsa文件中，公钥存储在/.ssh/id_rsa.pub文件中,需要将其复制到远程服务器上, 这样当登录远程服务器时，客户端软件就会向服务器发出请求，请求用你的密匙进行认证,服务器收到请求之后，先在你在该服务器的宿主目录下寻找你的公匙,进行身份认证. ssh-keygen 默认使用rsa算法生成密钥，如果要使用dsa算法，则需要使用-t 指定比如($ ssh-keygen -t dsa)

tony@tonybox:~$ ssh-keygen

Generating public/private rsa key pair.

Enter file in which to save the key (/home/tony/.ssh/id_rsa):

Enter passphrase (empty for no passphrase):

Enter same passphrase again:

Your identification has been saved in /home/tony/.ssh/id_rsa.

Your public key has been saved in /home/tony/.ssh/id_rsa.pub.

The key fingerprint is:

5e:25:fe:32:af:96:e5:e2:c9:55:ad:f9:d2:f1:67:5d tony@tonybox

tony@tonybox:~$

然后使用scp 命令将公钥上传到远程SSH服务器的对应用户的.ssh目录下，并更名为authorized_keys并确保权限为644

tony@tonybox:~/.ssh$ scp id_rsa.pub tony@192.168.102.50:.ssh/authorized_keys

tony@192.168.102.50's password:

id_rsa.pub 100% 394 0.4KB/s 00:00

tony@tonybox:~/.ssh$

这样，以后登录这台SSH服务器的时候，就会使用您上传的公钥进行身份认证。

tony@tonybox:~$ ssh tony@192.168.102.50

Linux vmdebian 2.6.16-2-486 #1 Fri Aug 18 18:39:04 UTC 2006 i686

The programs included with the Debian GNU/Linux system are free software;

the exact distribution terms for each program are described in the

individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent

permitted by applicable law.

Last login: Thu Oct 26 12:59:12 2006 from 192.168.102.43

tony@vmdebian:~$

如果为密钥设置了 passphrase, 则登录过程如下:

tony@tonybox:~$ ssh tony@192.168.102.50

Enter passphrase for key '/home/tony/.ssh/id_rsa':

Linux vmdebian 2.6.16-2-486 #1 Fri Aug 18 18:39:04 UTC 2006 i686

The programs included with the Debian GNU/Linux system are free software;

the exact distribution terms for each program are described in the

individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent

permitted by applicable law.

Last login: Thu Oct 26 14:27:58 2006 from 192.168.102.43

tony@vmdebian:~$

如果将客户端私钥 id_rsa 更名, 并在服务器端sshd_config文件中做如下设置:

PasswordAuthentication no

tony@tonybox:$ mv /home/tony/.ssh/id_rsa /home/tony/.ssh/id_rsa.bak

tony@tonybox:$ ssh tony@192.168.102.50

Permission denied (publickey).

tony@tonybox:~$

如果在服务器端sshd_config文件中做如下设置:

PasswordAuthentication yes

则当密钥口令输入错误, 或密钥不存在是,就会使用口令认证

tony@tonybox:~$ ssh tony@192.168.102.50

Enter passphrase for key '/home/tony/.ssh/id_rsa':

tony@192.168.102.50's password:

Linux vmdebian 2.6.16-2-486 #1 Fri Aug 18 18:39:04 UTC 2006 i686

The programs included with the Debian GNU/Linux system are free software;

the exact distribution terms for each program are described in the

individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent

permitted by applicable law.

Last login: Thu Oct 26 17:30:43 2006 from 192.168.102.43

tony@vmdebian:~$