
See Also OpenSSL

OpenSSH

OpenSSH (OpenBSD Secure Shell) is a set of programs that use the SSH protocol to provide encrypted communication sessions over a computer network. It is the open-source replacement for the commercial product supplied by SSH Communications Security.

OpenSSH is part of the OpenBSD project, a security-focused Unix-like operating system. Development of the project is funded by donations.

OpenSSH is often assumed to be related to OpenSSL, but the two projects have different purposes and different development teams; the names are alike only because both share the same goal of providing open-source encrypted communication software.

1. History

OpenSSH first appeared in OpenBSD 2.6 in October 1999; the project's original goal was to replace the SSH software supplied by SSH Communications Security.

Release history:

2. The OpenSSH Suite

2.1. ssh

DESCRIPTION
     ssh (SSH client) is a program for logging into a remote machine and for
     executing commands on a remote machine.  It is intended to replace rlogin
     and rsh, and provide secure encrypted communications between two
     untrusted hosts over an insecure network.  X11 connections and arbitrary
     TCP ports can also be forwarded over the secure channel.

     ssh connects and logs into the specified hostname (with optional user
     name).  The user must prove his/her identity to the remote machine using
     one of several methods depending on the protocol version used (see
     below).

     If command is specified, it is executed on the remote host instead of a
     login shell.

2.1.1. command sample

➜  ~  ssh -vT ec2_host1      
OpenSSH_6.0a2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: Connecting to ec2_host1 [38.38.14.250] port 22.
debug1: Connection established.
debug1: identity file /Users/liyan/.ssh/id_rsa type 1
debug1: identity file /Users/liyan/.ssh/id_rsa-cert type -1
debug1: identity file /Users/liyan/.ssh/id_dsa type -1
debug1: identity file /Users/liyan/.ssh/id_dsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.0
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.4
debug1: match: OpenSSH_6.4 pat OpenSSH*
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com none
debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA 47:5a:61:ec:13:aa:02:27:67:f8:b7:f6:e1:bf:29:87
debug1: Host 'ec2_host1' is known and matches the RSA host key.
debug1: Found key in /Users/liyan/.ssh/known_hosts:47
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/liyan/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /Users/liyan/.ssh/id_dsa
debug1: Next authentication method: password
liyan@ec2_host1's password: 
debug1: Authentication succeeded (password).
Authenticated to ec2_host1 ([38.38.14.250]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LC_CTYPE = UTF-8
debug1: Sending env LANG = en_US.UTF-8
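
To make a session like the one above easier to review, here is an added example (not from the original page) that extracts the negotiated cipher and MAC, the host-key verification result and the final authentication method from `ssh -v` output, and flags what a reviewer would notice in the session shown: an MD5-based MAC, and a fallback from the offered RSA key to a password. The sample input is constructed from the lines above; the function and variable names are the example's own.

```sh
#!/bin/sh
# Added example, not part of the original page: pull the security-relevant
# facts out of an `ssh -v` session like the one above. Assumes the OpenSSH 6.x
# "debug1: kex: server->client <cipher> <mac> <compression>" line format shown
# above; the newer "cipher: X MAC: Y compression: Z" form is also handled.

# Constructed sample: the lines of interest copied from the session above.
sample_debug() {
  cat <<'EOF'
debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com none
debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none
debug1: Server host key: RSA 47:5a:61:ec:13:aa:02:27:67:f8:b7:f6:e1:bf:29:87
debug1: Host 'ec2_host1' is known and matches the RSA host key.
debug1: Offering RSA public key: /Users/liyan/.ssh/id_rsa
debug1: Next authentication method: password
debug1: Authentication succeeded (password).
EOF
}

# One-line summary: negotiated cipher and MAC (server->client), how the host
# key was verified, and which authentication method finally succeeded.
# $1: file with the debug output; reads stdin when omitted.
ssh_debug_summary() {
  awk '
    /^debug1: kex: server->client/ {
      if ($4 == "cipher:") { cipher = $5; mac = $7 } else { cipher = $4; mac = $5 }
    }
    /is known and matches the .* host key/            { hostkey = "known" }
    /Permanently added .* to the list of known hosts/ { hostkey = "first-use" }
    /REMOTE HOST IDENTIFICATION HAS CHANGED/          { hostkey = "CHANGED" }
    /^debug1: Authentication succeeded/ { auth = $4; gsub(/[().]/, "", auth) }
    END {
      printf "cipher=%s mac=%s hostkey=%s auth=%s\n", cipher, mac, hostkey, auth
    }' "${1:--}"
}

# Warnings a reviewer would raise on the session above; details go to stderr,
# the number of warnings is printed on stdout.
ssh_debug_warnings() {
  s=$(ssh_debug_summary "$@"); n=0
  case "$s" in *"mac=hmac-md5"*)
    echo "warn: MD5-based MAC negotiated" >&2; n=$((n + 1));; esac
  case "$s" in *"auth=password"*)
    echo "warn: key was offered but login fell back to a password" >&2; n=$((n + 1));; esac
  case "$s" in *"hostkey=CHANGED"*|*"hostkey=first-use"*|*"hostkey= "*)
    echo "warn: host key not matched against known_hosts" >&2; n=$((n + 1));; esac
  echo "$n"
}

# Stand-alone run over the constructed sample.
sample_debug | ssh_debug_summary
sample_debug | ssh_debug_warnings
```

The debug lines go to stderr, so a real session is saved with `ssh -v host 2> ssh.log` and summarised with `ssh_debug_summary ssh.log`. The summary line shows the two things worth checking before trusting a host: that `hostkey=known` rather than `first-use` or `CHANGED`, and that the key-based method succeeded rather than the password.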

2.1.2. ssh with socks

# -D [bind_address:]port: open a local SOCKS proxy on port 1080 that tunnels through li3huo.com
➜  ~ ssh -D 1080 li3huo.com
# -o ProxyCommand: reach the host through that SOCKS proxy with nc (-X 5 selects SOCKS5, -x gives the proxy address; see ssh(1), and run nc with no arguments for its usage)
➜  ~ ssh li3huo.com -o "ProxyCommand=nc -X 5 -x 127.0.0.1:1080 %h %p"
Last login: ...

2.2. sshd

DESCRIPTION
     sshd (OpenSSH Daemon) is the daemon program for ssh(1).  Together these
     programs replace rlogin(1) and rsh(1), and provide secure encrypted
     communications between two untrusted hosts over an insecure network.

     sshd listens for connections from clients.  It is normally started at
     boot from /etc/rc.  It forks a new daemon for each incoming connection.
     The forked daemons handle key exchange, encryption, authentication,
     command execution, and data exchange.

     sshd can be configured using command-line options or a configuration file
     (by default sshd_config(5)); command-line options override values
     specified in the configuration file.  sshd rereads its configuration file
     when it receives a hangup signal, SIGHUP, by executing itself with the
     name and options it was started with, e.g. /usr/sbin/sshd.

Reference: http://vbird.dic.ksu.edu.tw/linux_server/0310telnetssh_2.php#ssh_sshdconfig (section 11.2.5, detailed sshd server configuration, from 《鸟哥的Linux私房菜》)

2.2.1. configuration sample

# Logging: /var/log/secure
SyslogFacility AUTHPRIV
# record every login
LogLevel INFO

# Authentication:
# do not allow root to log in (leaving this line commented out keeps the built-in default, which is yes)
PermitRootLogin no
# let users log in with their own key pair
PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
# also accept password authentication
PasswordAuthentication yes
# never accept an empty password
PermitEmptyPasswords no

# apply the new configuration
service sshd restart
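
The effect of a directive depends on whether its line is commented out, because sshd then applies its built-in default. The following added example (not from the original page or from the OpenSSH project) reads a candidate sshd_config, reports the directives discussed above, and wraps sshd's own `-t` test mode for a syntax check before `service sshd restart`. The two sample files are constructed; the built-in defaults assumed are those of the OpenSSH 6.x release shown on this page, and the function names are the example's own.

```sh
#!/bin/sh
# Added example, not part of the original page: audit a candidate sshd_config
# for the directives discussed above before restarting the daemon. Assumes the
# one-directive-per-line form shown above (Match blocks are not evaluated) and
# the OpenSSH 6.x built-in defaults (PermitRootLogin yes, PasswordAuthentication
# yes, PermitEmptyPasswords no, PubkeyAuthentication yes, LogLevel INFO).

# Effective value of a directive: sshd takes the first occurrence, keywords are
# case-insensitive, and a commented-out line leaves the built-in default ($3).
sshd_cfg_get() {
  v=$(awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1")
  echo "${v:-$3}"
}

_finding() { echo "$1 $2=$3 (want $4)"; }

# Prints one FAIL/WARN line per weak setting and the FAIL count on the last
# line. Password authentication is reported as WARN only: the sample above
# keeps it on deliberately, but key-only login is the stronger setting.
sshd_cfg_audit() {
  f=$1; n=0
  v=$(sshd_cfg_get "$f" PermitRootLogin yes)
  [ "$v" = no ] || { _finding FAIL PermitRootLogin "$v" no; n=$((n + 1)); }
  v=$(sshd_cfg_get "$f" PermitEmptyPasswords no)
  [ "$v" = no ] || { _finding FAIL PermitEmptyPasswords "$v" no; n=$((n + 1)); }
  v=$(sshd_cfg_get "$f" PubkeyAuthentication yes)
  [ "$v" = yes ] || { _finding FAIL PubkeyAuthentication "$v" yes; n=$((n + 1)); }
  v=$(sshd_cfg_get "$f" LogLevel INFO)
  case "$v" in INFO|VERBOSE) ;; *) _finding FAIL LogLevel "$v" "INFO or VERBOSE"; n=$((n + 1));; esac
  v=$(sshd_cfg_get "$f" PasswordAuthentication yes)
  [ "$v" = no ] || _finding WARN PasswordAuthentication "$v" no
  echo "$n"
}

# Syntax-check a candidate file with sshd's own test mode before
# `service sshd restart` (needs sshd installed; not called below).
sshd_cfg_test() { sshd -t -f "$1"; }

# Constructed samples: a stock file with the root-login line left commented out
# (so the default "yes" applies) and empty passwords allowed, and the hardened form.
weak_cfg() {
  cat <<'EOF'
SyslogFacility AUTHPRIV
LogLevel INFO
#PermitRootLogin yes
PubkeyAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords yes
EOF
}
hardened_cfg() {
  cat <<'EOF'
SyslogFacility AUTHPRIV
LogLevel VERBOSE
PermitRootLogin no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
PermitEmptyPasswords no
EOF
}

# Stand-alone run: audit both samples from a temporary file.
tmp=$(mktemp)
weak_cfg > "$tmp";     echo "weak:";     sshd_cfg_audit "$tmp"
hardened_cfg > "$tmp"; echo "hardened:"; sshd_cfg_audit "$tmp"
rm -f "$tmp"
```

On a live host, run `sshd_cfg_audit /etc/ssh/sshd_config` and `sshd_cfg_test /etc/ssh/sshd_config` before the restart; a config that fails `sshd -t` leaves the daemon unable to start, which locks out every remote administrator at once.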

2.3. ssh-keygen

man ssh-keygen

NAME
     ssh-keygen -- authentication key generation, management and conversion

SYNOPSIS
     ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa | rsa1] [-N new_passphrase]
                [-C comment] [-f output_keyfile]

$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/li3huo/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/boss/.ssh/id_rsa.
Your public key has been saved in /home/boss/.ssh/id_rsa.pub.
The key fingerprint is:
12:76:16:95:8d:73:df:7b:49:88:e3:bf:15:ca:2d:0f li3huo@li3huo.com
The key's randomart image is:
+--[ RSA 2048]----+
|        ...+  .  |
|         .+ oo . |
|      o o  o..o. |
|     . +     ..o.|
|      . F   . = +|
|       .     U =o|
|              + +|
|               o |
|                 |
+-----------------+
$ ll ~/.ssh/
total 12
-rw------- 1 li3huo admin 1675 Oct 21 18:08 id_rsa
-rw-r--r-- 1 li3huo admin  400 Oct 21 18:08 id_rsa.pub
-rw-r--r-- 1 li3huo admin  222 Oct 21 17:58 known_hosts
## cp id_rsa.pub to remote ~/.ssh/authorized_keys
## chmod 400 ~/.ssh/authorized_keys
$ ssh remote

$ ssh-keygen -q -t rsa -C "twotwo.li@gmail.com"
Enter file in which to save the key (/c/Users/liyan/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:

2.3.1. debug for Authentication refused

# tail -f /var/log/secure
Authentication refused: bad ownership or modes for directory /home/li3huo/.ssh
# chmod 700 /home/li3huo/.ssh
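
The refusal above comes from sshd's StrictModes check, and the matching problem on the client side shows up as an "UNPROTECTED PRIVATE KEY FILE" warning from ssh. As an added example (not part of the original page), the script below reproduces those ownership and mode checks for a user's home directory, ~/.ssh, authorized_keys and id_rsa, and names the chmod or chown that fixes each finding. Users are compared by numeric uid, and the function names are the example's own.

```sh
#!/bin/sh
# Added example, not part of the original page: reproduce the ownership and
# mode checks behind "Authentication refused: bad ownership or modes" so the
# problem can be found before the next login attempt. Assumes the StrictModes
# rules from sshd_config(5): the home directory, ~/.ssh and authorized_keys
# must be owned by the user (or root) and must not be group- or world-writable.
# The private key is checked the way ssh(1) does: no group or other bits at
# all. Works with GNU stat (-c) or BSD stat (-f).

# "mode uid" for a path, e.g. "700 1000".
path_mode_owner() {
  stat -c '%a %u' "$1" 2>/dev/null || stat -f '%Lp %u' "$1"
}

# 0 if $1 is owned by uid $2 (or root) and not group/world writable; otherwise
# prints the reason and the fix, and returns 1.
check_path() {
  mo=$(path_mode_owner "$1") || return 1
  mode=${mo% *}; owner=${mo#* }
  if [ "$owner" != "$2" ] && [ "$owner" != 0 ]; then
    echo "$1: owned by uid $owner, expected uid $2 (chown $2 $1)"; return 1
  fi
  # group write = second-to-last octal digit in {2,3,6,7}; world write = last digit
  case "$mode" in *[2367]?|*[2367])
    echo "$1: mode $mode is group/world writable (chmod go-w $1)"; return 1;;
  esac
  return 0
}

# Everything sshd and ssh look at for uid $1 with home directory $2.
check_ssh_dir() {
  rc=0
  check_path "$2" "$1" || rc=1
  check_path "$2/.ssh" "$1" || rc=1
  if [ -e "$2/.ssh/authorized_keys" ]; then
    check_path "$2/.ssh/authorized_keys" "$1" || rc=1
  fi
  if [ -e "$2/.ssh/id_rsa" ]; then
    # ssh(1) ignores a private key with any group or other permission bits set
    km=$(path_mode_owner "$2/.ssh/id_rsa"); km=${km% *}
    case "$km" in *[1-7]?|*[1-7])
      echo "$2/.ssh/id_rsa: mode $km has group/other bits set (chmod 600)"; rc=1;;
    esac
  fi
  return $rc
}

# Stand-alone run against the current account.
if check_ssh_dir "$(id -u)" "$HOME"; then echo "ok"; else echo "fix the paths listed above"; fi
```

Run it as the user who cannot log in, or as root with that user's uid and home directory; each line it prints corresponds to one "bad ownership or modes" message sshd would write to /var/log/secure.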

3. Reference


CategoryTool

MainWiki: OpenSSH (last edited 2012-06-03 00:15:46 by twotwo)