openssh.html

FreeBSD安装说明概述 FreeBSD 提供了一个以文字为主

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="generator" content="HTML Tidy, see www.w3.org" />
<title>OpenSSH</title>
<meta name="GENERATOR" content="Modular DocBook HTML Stylesheet Version 1.7" />
<link rel="HOME" title="FreeBSD 使用手册" href="index.html" />
<link rel="UP" title="安全" href="security.html" />
<link rel="PREVIOUS" title="VPN over IPsec" href="ipsec.html" />
<link rel="NEXT" title="Mandatory Access Control (MAC)" href="mac.html" />
<link rel="STYLESHEET" type="text/css" href="docbook.css" />
<meta http-equiv="Content-Type" content="text/html; charset=GB2312" />
</head>
<body class="SECT1" bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#840084"
alink="#0000FF">
<div class="NAVHEADER">
<table summary="Header navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<th colspan="3" align="center">FreeBSD 使用手册</th>
</tr>

<tr>
<td width="10%" align="left" valign="bottom"><a href="ipsec.html"
accesskey="P">Prev</a></td>
<td width="80%" align="center" valign="bottom">Chapter 10. 安全</td>
<td width="10%" align="right" valign="bottom"><a href="mac.html"
accesskey="N">Next</a></td>
</tr>
</table>

<hr align="LEFT" width="100%" />
</div>

<div class="SECT1">
<h1 class="SECT1"><a id="OPENSSH" name="OPENSSH">10.11. OpenSSH</a></h1>

<i class="AUTHORGROUP"><span class="CONTRIB">Contributed by</span> Chern Lee.</i> 

<p><b class="APPLICATION">OpenSSH</b> is a set of network connectivity tools used to
access remote machines securely. It can be used as a direct replacement for <tt
class="COMMAND">rlogin</tt>, <tt class="COMMAND">rsh</tt>, <tt class="COMMAND">rcp</tt>,
and <tt class="COMMAND">telnet</tt>. Additionally, any other TCP/IP connections can be
tunneled/forwarded securely through SSH. <b class="APPLICATION">OpenSSH</b> encrypts all
traffic to effectively eliminate eavesdropping, connection hijacking, and other
network-level attacks.</p>

<p><b class="APPLICATION">OpenSSH</b> is maintained by the OpenBSD project, and is based
upon SSH v1.2.12 with all the recent bug fixes and updates. It is compatible with both
SSH protocols 1 and 2. <b class="APPLICATION">OpenSSH</b> has been in the base system
since FreeBSD&nbsp;4.0.</p>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN12989" name="AEN12989">10.11.1. Advantages of Using
OpenSSH</a></h2>

<p>Normally, when using <span class="CITEREFENTRY"><span
class="REFENTRYTITLE">telnet</span>(1)</span> or <span class="CITEREFENTRY"><span
class="REFENTRYTITLE">rlogin</span>(1)</span>, data is sent over the network in an clear,
un-encrypted form. Network sniffers anywhere in between the client and server can steal
your user/password information or data transferred in your session. <b
class="APPLICATION">OpenSSH</b> offers a variety of authentication and encryption methods
to prevent this from happening.</p>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN12999" name="AEN12999">10.11.2. Enabling sshd</a></h2>

<p>Be sure to make the following addition to your <tt class="FILENAME">rc.conf</tt>
file:</p>

<pre class="SCREEN">
sshd_enable="YES"
</pre>

<p>This will load <span class="CITEREFENTRY"><span
class="REFENTRYTITLE">sshd</span>(8)</span>, the daemon program for <b
class="APPLICATION">OpenSSH</b>, the next time your system initializes. Alternatively,
you can simply run directly the <b class="APPLICATION">sshd</b> daemon by typing <tt
class="COMMAND">sshd</tt> on the command line.</p>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN13014" name="AEN13014">10.11.3. SSH Client</a></h2>

<p>The <span class="CITEREFENTRY"><span class="REFENTRYTITLE">ssh</span>(1)</span>
utility works similarly to <span class="CITEREFENTRY"><span
class="REFENTRYTITLE">rlogin</span>(1)</span>.</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">ssh <var
class="REPLACEABLE">user@example.com</var></kbd>
Host key not found from the list of known hosts.
Are you sure you want to continue connecting (yes/no)? <kbd class="USERINPUT">yes</kbd>
Host 'example.com' added to the list of known hosts.
user@example.com's password: <kbd class="USERINPUT">*******</kbd>
</pre>

<p>The login will continue just as it would have if a session was created using <tt
class="COMMAND">rlogin</tt> or <tt class="COMMAND">telnet</tt>. SSH utilizes a key
fingerprint system for verifying the authenticity of the server when the client connects.
The user is prompted to enter <var class="LITERAL">yes</var> only when connecting for the
first time. Future attempts to login are all verified against the saved fingerprint key.
The SSH client will alert you if the saved fingerprint differs from the received
fingerprint on future login attempts. The fingerprints are saved in <tt
class="FILENAME">~/.ssh/known_hosts</tt>, or <tt
class="FILENAME">~/.ssh/known_hosts2</tt> for SSH v2 fingerprints.</p>

<p>By default, <b class="APPLICATION">OpenSSH</b> servers are configured to accept both
SSH v1 and SSH v2 connections. The client, however, can choose between the two. Version 2
is known to be more robust and secure than its predecessor.</p>

<p>The <span class="CITEREFENTRY"><span class="REFENTRYTITLE">ssh</span>(1)</span>
command can be forced to use either protocol by passing it the <var
class="OPTION">-1</var> or <var class="OPTION">-2</var> argument for v1 and v2,
respectively.</p>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN13046" name="AEN13046">10.11.4. Secure Copy</a></h2>

<p>The <span class="CITEREFENTRY"><span class="REFENTRYTITLE">scp</span>(1)</span>
command works similarly to <span class="CITEREFENTRY"><span
class="REFENTRYTITLE">rcp</span>(1)</span>; it copies a file to or from a remote machine,
except in a secure fashion.</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">scp <var
class="REPLACEABLE">user@example.com:/COPYRIGHT COPYRIGHT</var></kbd>
user@example.com's password: <kbd class="USERINPUT">*******</kbd>
COPYRIGHT            100% |*****************************|  4735
00:00
<samp class="PROMPT">#</samp>
</pre>

<p>Since the fingerprint was already saved for this host in the previous example, it is
verified when using <span class="CITEREFENTRY"><span
class="REFENTRYTITLE">scp</span>(1)</span> here.</p>

<p>The arguments passed to <span class="CITEREFENTRY"><span
class="REFENTRYTITLE">scp</span>(1)</span> are similar to <span
class="CITEREFENTRY"><span class="REFENTRYTITLE">cp</span>(1)</span>, with the file or
files in the first argument, and the destination in the second. Since the file is fetched
over the network, through SSH, one or more of the file arguments takes on the form <var
class="OPTION">user@host:&lt;path_to_remote_file&gt;</var>.</p>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN13079" name="AEN13079">10.11.5. Configuration</a></h2>

<p>The system-wide configuration files for both the <b class="APPLICATION">OpenSSH</b>
daemon and client reside within the <tt class="FILENAME">/etc/ssh</tt> directory.</p>

<p><tt class="FILENAME">ssh_config</tt> configures the client settings, while <tt
class="FILENAME">sshd_config</tt> configures the daemon.</p>

<p>Additionally, the <var class="OPTION">sshd_program</var> (<tt
class="FILENAME">/usr/sbin/sshd</tt> by default), and <var
class="OPTION">sshd_flags</var> <tt class="FILENAME">rc.conf</tt> options can provide
more levels of configuration.</p>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN13095" name="AEN13095">10.11.6. ssh-keygen</a></h2>

<p>Instead of using passwords, <span class="CITEREFENTRY"><span
class="REFENTRYTITLE">ssh-keygen</span>(1)</span> can be used to generate RSA keys to
authenticate a user:</p>

<pre class="SCREEN">
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">ssh-keygen -t <var
class="REPLACEABLE">rsa1</var></kbd>
Initializing random number generator...
Generating p:  .++ (distance 66)
Generating q:  ..............................++ (distance 498)
Computing the keys...
Key generation complete.
Enter file in which to save the key (/home/user/.ssh/identity):
Enter passphrase:
Enter the same passphrase again:
Your identification has been saved in /home/user/.ssh/identity.
...
</pre>

<p><span class="CITEREFENTRY"><span class="REFENTRYTITLE">ssh-keygen</span>(1)</span>
will create a public and private key pair for use in authentication. The private key is
stored in <tt class="FILENAME">~/.ssh/identity</tt>, whereas the public key is stored in
<tt class="FILENAME">~/.ssh/identity.pub</tt>. The public key must be placed in <tt
class="FILENAME">~/.ssh/authorized_keys</tt> of the remote machine in order for the setup
to work.</p>

<p>This will allow connection to the remote machine based upon RSA authentication instead
of passwords.</p>

<div class="NOTE">
<blockquote class="NOTE">
<p><b>Note:</b> The <var class="OPTION">-t rsa1</var> option will create RSA keys for use
by SSH protocol version 1. If you want to use RSA keys with the SSH protocol version 2,
you have to use the command <tt class="COMMAND">ssh-keygen -t rsa</tt>.</p>
</blockquote>
</div>

<p>If a passphrase is used in <span class="CITEREFENTRY"><span
class="REFENTRYTITLE">ssh-keygen</span>(1)</span>, the user will be prompted for a
password each time in order to use the private key.</p>