
See Also OpenSSL


OpenSSH (OpenBSD Secure Shell) is a set of computer programs that use the SSH protocol to provide encrypted communication sessions over a computer network. It is the open-source replacement for the commercial version supplied by SSH Communications Security.



1. History

OpenSSH first appeared in OpenBSD 2.6 in October 1999; the project was started to replace the SSH software supplied by SSH Communications Security.


2. The OpenSSH Suite

2.1. ssh

     ssh (SSH client) is a program for logging into a remote machine and for
     executing commands on a remote machine.  It is intended to replace rlogin
     and rsh, and provide secure encrypted communications between two
     untrusted hosts over an insecure network.  X11 connections and arbitrary
     TCP ports can also be forwarded over the secure channel.

     ssh connects and logs into the specified hostname (with optional user
     name).  The user must prove his/her identity to the remote machine using
     one of several methods depending on the protocol version used (see

     If command is specified, it is executed on the remote host instead of a
     login shell.

2.1.1. command sample

➜  ~  ssh -vT ec2_host1      
OpenSSH_6.0a2, OSSLShim 0.9.8r 8 Dec 2011
debug1: Reading configuration data /etc/ssh_config
debug1: /etc/ssh_config line 20: Applying options for *
debug1: Connecting to ec2_host1 [] port 22.
debug1: Connection established.
debug1: identity file /Users/liyan/.ssh/id_rsa type 1
debug1: identity file /Users/liyan/.ssh/id_rsa-cert type -1
debug1: identity file /Users/liyan/.ssh/id_dsa type -1
debug1: identity file /Users/liyan/.ssh/id_dsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.0
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.4
debug1: match: OpenSSH_6.4 pat OpenSSH*
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr none
debug1: kex: client->server aes128-ctr none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA 47:5a:61:ec:13:aa:02:27:67:f8:b7:f6:e1:bf:29:87
debug1: Host 'ec2_host1' is known and matches the RSA host key.
debug1: Found key in /Users/liyan/.ssh/known_hosts:47
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /Users/liyan/.ssh/id_rsa
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /Users/liyan/.ssh/id_dsa
debug1: Next authentication method: password
liyan@ec2_host1's password: 
debug1: Authentication succeeded (password).
Authenticated to ec2_host1 ([]:22).
debug1: channel 0: new [client-session]
debug1: Requesting
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LC_CTYPE = UTF-8
debug1: Sending env LANG = en_US.UTF-8
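Two things in the transcript above are worth reading every time (`-v` prints them, `-T` only suppresses pseudo-tty allocation): the server's RSA host key was found in ~/.ssh/known_hosts at line 47, so the connection was not blindly trusting a new key, and the public key offered from ~/.ssh/id_rsa was not accepted (the server answered with the same list of methods), so the client fell back to a password. The shell function below is an added example, not part of the original page, that summarises a saved `ssh -v` transcript the same way and exits non-zero on a password fallback; the sample transcript it carries is constructed from the session above, and the file name ssh.log is an assumption.

```shell
# Added example: summarise a saved `ssh -v` transcript (ssh -vT host 2>ssh.log).
# ssh_session_audit LOGFILE
#   exit 0 = host key matched known_hosts and a non-password method succeeded
#   exit 1 = password fallback, 2 = host key not matched, 3 = authentication failed
ssh_session_audit() {
    log="$1"
    remote=$(sed -n 's/^debug1: Remote protocol version [^,]*, remote software version //p' "$log")
    kex=$(sed -n 's/^debug1: kex: server->client //p' "$log")
    hostkey=$(sed -n 's/^debug1: Server host key: //p' "$log")
    method=$(sed -n 's/^debug1: Authentication succeeded (\(.*\))\.$/\1/p' "$log")
    offered=$(sed -n 's/^debug1: Offering .* public key: //p' "$log" | tr '\n' ' ')
    if grep -q 'is known and matches the .* host key' "$log"; then
        hostcheck="matched $(sed -n 's/^debug1: Found key in //p' "$log")"
    else
        hostcheck="NOT matched against known_hosts"
    fi
    printf 'remote software: %s\n' "$remote"
    printf 'kex (server->client): %s\n' "$kex"
    printf 'host key:        %s, %s\n' "$hostkey" "$hostcheck"
    printf 'authentication:  %s\n' "${method:-FAILED}"
    case "$hostcheck" in NOT*) return 2 ;; esac
    [ -n "$method" ] || return 3
    if [ "$method" = password ]; then
        printf 'WARNING: password fallback; keys offered but rejected: %s\n' "${offered:-none}"
        return 1
    fi
    return 0
}

# Constructed sample, reduced from the session shown above on this page.
sample_transcript() {
    cat <<'EOF'
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.4
debug1: kex: server->client aes128-ctr none
debug1: Server host key: RSA 47:5a:61:ec:13:aa:02:27:67:f8:b7:f6:e1:bf:29:87
debug1: Host 'ec2_host1' is known and matches the RSA host key.
debug1: Found key in /Users/liyan/.ssh/known_hosts:47
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Offering RSA public key: /Users/liyan/.ssh/id_rsa
debug1: Next authentication method: password
debug1: Authentication succeeded (password).
EOF
}
```

To make the fallback impossible rather than merely visible, run the client with `-o PasswordAuthentication=no` (and `-o IdentitiesOnly=yes` so only the configured key is offered); the session then fails loudly when the key is missing from the remote authorized_keys instead of prompting for a password.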

2.1.2. ssh with socks

# -D [bind_address:]port: open a local SOCKS proxy (127.0.0.1:1080 here) whose
# connections are tunnelled through the SSH session; gateway_host is a placeholder
➜  ~ ssh -D 1080 gateway_host
# reach a second host through that proxy with -o ProxyCommand and nc (type nc -h for
# its options): -X 5 selects SOCKS5, -x names the proxy address, and %h/%p expand to
# the target host and port; target_host is a placeholder
➜  ~ ssh -o "ProxyCommand=nc -X 5 -x 127.0.0.1:1080 %h %p" target_host
Last login: ...

2.2. sshd

     sshd (OpenSSH Daemon) is the daemon program for ssh(1).  Together these
     programs replace rlogin(1) and rsh(1), and provide secure encrypted
     communications between two untrusted hosts over an insecure network.

     sshd listens for connections from clients.  It is normally started at
     boot from /etc/rc.  It forks a new daemon for each incoming connection.
     The forked daemons handle key exchange, encryption, authentication,
     command execution, and data exchange.

     sshd can be configured using command-line options or a configuration file
     (by default sshd_config(5)); command-line options override values
     specified in the configuration file.  sshd rereads its configuration file
     when it receives a hangup signal, SIGHUP, by executing itself with the
     name and options it was started with, e.g. /usr/sbin/sshd.

Reference: "sshd 服务器细部设定" (detailed sshd server configuration), a chapter of 《鸟哥的Linux私房菜》 (Vbird's Linux tutorial)

2.2.1. configuration sample

# Logging: /var/log/secure
SyslogFacility AUTHPRIV
LogLevel INFO

# Authentication:
#PermitRootLogin yes
PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
PermitEmptyPasswords no

service sshd restart
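Before restarting, validate the file with `sshd -t` (it exits non-zero on a syntax error, which would otherwise leave no working daemon after `service sshd restart`), and audit the effective values rather than the last line you happen to see: in the global section sshd uses the first occurrence of each keyword and ignores later duplicates, while directives inside a `Match` block override the global value only for connections that match. Note also that the commented-out `PermitRootLogin` above leaves the compiled-in default in force, which was `yes` in releases before OpenSSH 7.0 and `prohibit-password` since. The audit below is an added example, not part of the original page or of OpenSSH; its sample config is constructed from the one above with a duplicate keyword and a Match block appended to exercise both rules, and the policy values it checks against are assumptions.

```shell
# Added example: report the effective value of security-relevant sshd_config keywords.
# sshd keeps the FIRST value it reads for a keyword in the global section; later
# duplicates are ignored, and anything after a "Match" line is conditional, so the
# scan stops there.

# sshd_effective FILE KEYWORD -> prints the first value found, nothing if unset
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }            # comment or blank line
        tolower($1) == "match"   { exit }            # rest of file is conditional
        tolower($1) == key {
            sub(/^[ \t]*[^ \t]+[ \t]+/, "")          # strip the keyword, keep the value
            print; exit                              # first occurrence wins
        }' "$1"
}

# sshd_config_audit FILE -> one ok/FAIL/NOTE line per keyword; exit 1 if anything fails.
# Assumed policy: root login disabled or key-only, no password or empty-password login.
sshd_config_audit() {
    cfg="$1"; rc=0
    for rule in 'PermitRootLogin|no|prohibit-password|without-password' \
                'PasswordAuthentication|no' \
                'PermitEmptyPasswords|no' \
                'PubkeyAuthentication|yes'; do
        key=${rule%%|*}; allowed=${rule#*|}
        got=$(sshd_effective "$cfg" "$key")
        if [ -z "$got" ]; then
            printf 'NOTE %s unset, compiled-in default applies (see sshd -T)\n' "$key"
        else
            case "|$allowed|" in
                *"|$got|"*) printf 'ok   %s = %s\n' "$key" "$got" ;;
                *) printf 'FAIL %s = %s (allowed: %s)\n' "$key" "$got" "$allowed"; rc=1 ;;
            esac
        fi
    done
    return $rc
}

# Constructed sample: the config shown above plus a late duplicate and a Match block.
sample_sshd_config() {
    cat <<'EOF'
# Logging: /var/log/secure
SyslogFacility AUTHPRIV
LogLevel INFO

# Authentication:
#PermitRootLogin yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
PermitEmptyPasswords no

# later duplicate: ignored by sshd, the first value above stays in force
PasswordAuthentication no

Match Address 10.0.0.0/8
    PermitRootLogin yes
EOF
}
```

`sshd -T` (extended test mode) prints the daemon's own view of every effective value, defaults included, and is the authoritative check on a live host; the parser above is for configs you cannot load into sshd, such as files pulled from a fleet into a review pipeline.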

2.3. ssh-keygen

man ssh-keygen

     ssh-keygen -- authentication key generation, management and conversion

     ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa | rsa1] [-N new_passphrase]
                [-C comment] [-f output_keyfile]

$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/li3huo/.ssh/id_rsa): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/boss/.ssh/id_rsa.
Your public key has been saved in /home/boss/.ssh/
The key fingerprint is:
The key's randomart image is:
+--[ RSA 2048]----+
|        ...+  .  |
|         .+ oo . |
|      o o  o..o. |
|     . +     ..o.|
|      . F   . = +|
|       .     U =o|
|              + +|
|               o |
|                 |
$ ll ~/.ssh/
total 12
-rw------- 1 li3huo admin 1675 Oct 21 18:08 id_rsa
-rw-r--r-- 1 li3huo admin  400 Oct 21 18:08
-rw-r--r-- 1 li3huo admin  222 Oct 21 17:58 known_hosts
## cp to remote ~/.ssh/authorized_keys
## chmod 400 ~/.ssh/authorized_keys
$ ssh remote

$ ssh-keygen -q -t rsa -C ""
Enter file in which to save the key (/c/Users/liyan/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
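The procedure above (generate a pair, copy the public half into the remote ~/.ssh/authorized_keys, tighten its mode) is the minimum. The shell functions below are an added example, not from the original page or from OpenSSH, that do the same with current defaults and go one step further: an ed25519 key with a slow KDF protecting the passphrase (`-a 100`, OpenSSH 6.5 or later), the fingerprint printed with `ssh-keygen -l` so it can be compared out of band before the key is trusted, a check that the .pub file really belongs to the private key, and an authorized_keys line carrying `from=` and `command=` restrictions so a leaked key can only do the one job it was issued for. Key path, source network and forced command are placeholders.

```shell
# Added example (requires ssh-keygen from OpenSSH 6.5 or later for ed25519).

# make_deploy_key KEYFILE [PASSPHRASE] -> writes KEYFILE and KEYFILE.pub, prints the fingerprint
make_deploy_key() {
    keyfile="$1"; pass="${2:-}"
    # -t ed25519: current default key type; -a 100: KDF rounds on the passphrase (only
    # matters when PASSPHRASE is non-empty); -C: comment that says what the key is for
    ssh-keygen -q -t ed25519 -a 100 -N "$pass" -C "deploy@$(uname -n)" -f "$keyfile" || return 1
    ssh-keygen -lf "$keyfile.pub"       # fingerprint to compare out of band before trusting it
}

# pubkey_matches KEYFILE -> 0 if KEYFILE.pub was derived from KEYFILE
# (ssh-keygen -y regenerates the public key; it prompts if the key has a passphrase)
pubkey_matches() {
    [ "$(ssh-keygen -y -f "$1" | cut -d' ' -f1,2)" = "$(cut -d' ' -f1,2 "$1.pub")" ]
}

# restricted_authorized_line PUBFILE FROM_NET COMMAND -> one authorized_keys line that
# accepts this key only from FROM_NET, always runs COMMAND regardless of what the
# client asked for, and disables port/agent/X11 forwarding and pty allocation
restricted_authorized_line() {
    printf 'from="%s",command="%s",no-port-forwarding,no-agent-forwarding,no-X11-forwarding,no-pty %s\n' \
        "$2" "$3" "$(cat "$1")"
}

# install_authorized_line LINE DIR -> append LINE to DIR/authorized_keys with the modes
# sshd's StrictModes check requires (directory 700, file 600, owned by the login user)
install_authorized_line() {
    mkdir -p "$2" && chmod 700 "$2"
    printf '%s\n' "$1" >> "$2/authorized_keys" && chmod 600 "$2/authorized_keys"
}
```

On the remote side `install_authorized_line "$line" ~/.ssh` is what `ssh-copy-id` does for an unrestricted key; with the restricted line, `ssh -i id_ed25519 user@host anything` still runs only the forced command, and the original request is available to it in SSH_ORIGINAL_COMMAND.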

2.3.1. debug for Authentication refused

# tail -f /var/log/secure
Authentication refused: bad ownership or modes for directory /home/li3huo/.ssh
# chmod 700 /home/li3huo/.ssh
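That log line comes from sshd's StrictModes check, which is on by default: before trusting ~/.ssh/authorized_keys it verifies that the home directory, ~/.ssh and the file itself are each owned by the user (or root) and not writable by group or others, and any of the three failing produces the same message, so `chmod 700 ~/.ssh` alone does not always cure it (a group-writable home directory is the usual second cause). The function below is an added example, not part of the page or of OpenSSH, that applies the same three tests locally so the cause can be found without the server log; it parses `ls -ld` output so it runs on any POSIX system. The second function covers the client-side mirror image, where ssh ignores a private key readable by anyone but its owner.

```shell
# Added example: reproduce sshd's StrictModes ownership/mode test locally.
# check_ssh_modes USER HOME -> prints each problem found; exit 1 if any, 0 if clean.
check_ssh_modes() {
    user="$1"; home="$2"; rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        if [ ! -e "$p" ]; then
            printf 'missing: %s\n' "$p"; rc=1; continue
        fi
        set -- $(ls -ld "$p")               # $1 = mode string "drwxr-xr-x", $3 = owner
        mode=$1; owner=$3
        case "$owner" in
            "$user"|root) ;;
            *) printf 'bad owner %s (want %s or root): %s\n' "$owner" "$user" "$p"; rc=1 ;;
        esac
        # character 6 is group-write, character 9 is other-write: either one is rejected
        gw=$(printf '%s' "$mode" | cut -c6)
        ow=$(printf '%s' "$mode" | cut -c9)
        if [ "$gw" = w ] || [ "$ow" = w ]; then
            printf 'writable by group/other (%s): %s\n' "$mode" "$p"; rc=1
        fi
    done
    return $rc
}

# check_private_key KEYFILE -> 0 only if group and others have no permission bits at all,
# the condition under which the ssh client is willing to load the key
check_private_key() {
    key="$1"
    set -- $(ls -l "$key")
    mode=$1
    case "$mode" in
        ?rw-------*|?r--------*) return 0 ;;
        *) printf 'private key readable by others (%s): %s\n' "$mode" "$key"; return 1 ;;
    esac
}
```

Run it as the login user against that user's home (`check_ssh_modes "$(id -un)" "$HOME"`); sshd performs the check as root after resolving the home directory, so a symlinked home should be checked at its real path.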

3. Reference


MainWiki: OpenSSH (last edited 2012-06-03 00:15:46 by twotwo)