<p>An SSH protocol version 2 DSA key can be created for the same purpose by using the <tt class="COMMAND">ssh-keygen -t dsa</tt> command. This will create a public/private DSA key for use in SSH protocol version 2 sessions only. The public key is stored in <tt class="FILENAME">~/.ssh/id_dsa.pub</tt>, while the private key is in <tt class="FILENAME">~/.ssh/id_dsa</tt>.</p>
<p>DSA public keys are also placed in <tt class="FILENAME">~/.ssh/authorized_keys</tt> on the remote machine.</p>
<p><span class="CITEREFENTRY"><span class="REFENTRYTITLE">ssh-agent</span>(1)</span> and <span class="CITEREFENTRY"><span class="REFENTRYTITLE">ssh-add</span>(1)</span> are utilities used in managing multiple passphrase-protected private keys.</p>
<div class="WARNING"><blockquote class="WARNING"><p><b>Warning:</b> The various options and files can differ depending on the <b class="APPLICATION">OpenSSH</b> version installed on your system; to avoid problems, consult the <span class="CITEREFENTRY"><span class="REFENTRYTITLE">ssh-keygen</span>(1)</span> manual page.</p></blockquote></div>
</div>
<div class="SECT2"><h2 class="SECT2"><a id="SECURITY-SSH-TUNNELING" name="SECURITY-SSH-TUNNELING">10.11.7. SSH Tunneling</a></h2>
<p><b class="APPLICATION">OpenSSH</b> has the ability to create a tunnel to encapsulate another protocol in an encrypted session.</p>
<p>The following command tells <span class="CITEREFENTRY"><span class="REFENTRYTITLE">ssh</span>(1)</span> to create a tunnel for <b class="APPLICATION">telnet</b>:</p>
<pre class="SCREEN"><samp class="PROMPT">%</samp> <kbd class="USERINPUT">ssh -2 -N -f -L <var class="REPLACEABLE">5023:localhost:23 user@foo.example.com</var></kbd>
<samp class="PROMPT">%</samp></pre>
<p>The <tt class="COMMAND">ssh</tt> command is used with the following options:</p>
<div class="VARIABLELIST"><dl>
<dt><var class="OPTION">-2</var></dt><dd><p>Forces <tt class="COMMAND">ssh</tt> to use version 2 of the protocol. (Do not use if you are working with older SSH servers.)</p></dd>
<dt><var class="OPTION">-N</var></dt><dd><p>Indicates no command, or tunnel only. If omitted, <tt class="COMMAND">ssh</tt> would initiate a normal session.</p></dd>
<dt><var class="OPTION">-f</var></dt><dd><p>Forces <tt class="COMMAND">ssh</tt> to run in the background.</p></dd>
<dt><var class="OPTION">-L</var></dt><dd><p>Indicates a local tunnel, specified as <var class="REPLACEABLE">localport:remotehost:remoteport</var>.</p></dd>
<dt><var class="OPTION">user@foo.example.com</var></dt><dd><p>The remote SSH server.</p></dd>
</dl></div>
<p>An SSH tunnel works by creating a listen socket on <tt class="HOSTID">localhost</tt> on the specified port. It then forwards any connection received on the local host/port via the SSH connection to the specified remote host and port.</p>
<p>In the example, port <var class="REPLACEABLE">5023</var> on <tt class="HOSTID">localhost</tt> is being forwarded to port <var class="REPLACEABLE">23</var> on <tt class="HOSTID">localhost</tt> of the remote machine. Since <var class="REPLACEABLE">23</var> is <b class="APPLICATION">telnet</b>, this would create a secure <b class="APPLICATION">telnet</b> session through an SSH tunnel.</p>
<p>This can be used to wrap any number of insecure TCP protocols such as SMTP, POP3, FTP, etc.</p>
<div class="EXAMPLE"><a id="AEN13200" name="AEN13200"></a><p><b>Example 10-1. Using SSH to Create a Secure Tunnel for SMTP</b></p>
<pre class="SCREEN"><samp class="PROMPT">%</samp> <kbd class="USERINPUT">ssh -2 -N -f -L <var class="REPLACEABLE">5025:localhost:25 user@mailserver.example.com</var></kbd>
user@mailserver.example.com's password: <kbd class="USERINPUT">*****</kbd>
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">telnet localhost 5025</kbd>
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mailserver.example.com ESMTP</pre>
<p>This can be used in conjunction with <span class="CITEREFENTRY"><span class="REFENTRYTITLE">ssh-keygen</span>(1)</span> and additional user accounts to create a more seamless, hassle-free SSH tunneling environment. Keys can be used in place of typing a password, and the tunnels can be run as a separate user.</p></div>
<div class="SECT3"><h3 class="SECT3"><a id="AEN13213" name="AEN13213">10.11.7.1. Practical SSH Tunneling Examples</a></h3>
<div class="SECT4"><h4 class="SECT4"><a id="AEN13215" name="AEN13215">10.11.7.1.1. Secure Access of a POP3 Server</a></h4>
<p>At work, there is an SSH server that accepts connections from the outside. On the same office network resides a mail server running a POP3 server. The network, or network path, between your home and office may or may not be completely trustworthy. Because of this, you need to check your e-mail in a secure manner. The solution is to create an SSH connection to your office's SSH server, and tunnel through to the mail server.</p>
<pre class="SCREEN"><samp class="PROMPT">%</samp> <kbd class="USERINPUT">ssh -2 -N -f -L <var class="REPLACEABLE">2110:mail.example.com:110 user@ssh-server.example.com</var></kbd>
user@ssh-server.example.com's password: <kbd class="USERINPUT">******</kbd></pre>
<p>When the tunnel is up and running, you can point your mail client to send POP3 requests to <tt class="HOSTID">localhost</tt> port 2110. A connection here will be forwarded securely across the tunnel to <tt class="HOSTID">mail.example.com</tt>.</p></div>
<div class="SECT4"><h4 class="SECT4"><a id="AEN13226" name="AEN13226">10.11.7.1.2. Bypassing a Draconian Firewall</a></h4>
<p>Some network administrators impose extremely draconian firewall rules, filtering not only incoming connections but also outgoing connections. You may only be allowed to contact remote machines on ports 22 and 80, for SSH and web browsing.</p>
<p>You may wish to access another (perhaps non-work related) service, such as an Ogg Vorbis server to stream music. If this Ogg Vorbis server is streaming on some port other than 22 or 80, you will not be able to access it.</p>
<p>The solution is to create an SSH connection to a machine outside of your network's firewall, and use it to tunnel to the Ogg Vorbis server.</p>
<pre class="SCREEN"><samp class="PROMPT">%</samp> <kbd class="USERINPUT">ssh -2 -N -f -L <var class="REPLACEABLE">8888:music.example.com:8000 user@unfirewalled-system.example.org</var></kbd>
user@unfirewalled-system.example.org's password: <kbd class="USERINPUT">*******</kbd></pre>
<p>Your streaming client can now be pointed to <tt class="HOSTID">localhost</tt> port 8888, which will be forwarded over to <tt class="HOSTID">music.example.com</tt> port 8000, successfully evading the firewall.</p></div></div></div>
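<p>The listen-and-forward behaviour the <tt class="OPTION">-L</tt> examples above rely on, as an added Python model that is not from the Handbook or from OpenSSH: it binds a loopback-only listener (the default for <tt class="OPTION">-L</tt>; passing a bind address, or <tt class="OPTION">GatewayPorts</tt>, widens it to the LAN) and relays each accepted connection to the target host and port. The relay is plain TCP and the remote daemon is a constructed echo service, so the encrypted SSH channel that would carry the bytes in practice is deliberately out of scope.</p>

```python
"""Model of the local end of `ssh -L localport:remotehost:remoteport`: listen on
loopback, relay each accepted connection to the target host/port. Constructed
illustration, not OpenSSH code: real ssh carries the relayed bytes inside its
encrypted channel and the far sshd opens the final TCP connection."""
import socket
import threading

def _pump(src, dst):
    # Copy one direction until src hits EOF, then half-close dst so its peer sees EOF.
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass  # peer went away; the opposite direction's pump finishes on its own

def _listen(bind_address, port, handler):
    # Bind the listener (port 0 picks a free port) and accept on a background thread.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((bind_address, port))
    srv.listen(8)
    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return  # listener closed: tunnel torn down
            threading.Thread(target=handler, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()
    return srv

def start_local_forward(local_port, remote_host, remote_port, bind_address="127.0.0.1"):
    # -L semantics: loopback-only listener unless a bind address is given, and one
    # fresh upstream connection per accepted client (as the far sshd would open).
    def relay(client):
        upstream = socket.create_connection((remote_host, remote_port))
        threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()
        _pump(client, upstream)
    return _listen(bind_address, local_port, relay)

def start_echo_service(port=0):
    # Constructed stand-in for the remote daemon (the POP3 or SMTP server above).
    return _listen("127.0.0.1", port, lambda conn: _pump(conn, conn))

def through_tunnel(listener, payload):
    # Talk to the service the way a mail client would: via localhost:localport.
    with socket.create_connection(listener.getsockname()) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        return b"".join(iter(lambda: s.recv(4096), b""))
```

<p>Checking <tt class="COMMAND">listener.getsockname()</tt> is the offline equivalent of confirming with <tt class="COMMAND">sockstat</tt> or <tt class="COMMAND">netstat</tt> that a real tunnel's listen socket is bound to 127.0.0.1 rather than to every interface.</p>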
<div class="SECT2"><h2 class="SECT2"><a id="AEN13239" name="AEN13239">10.11.8. Further Reading</a></h2>
<p><a href="http://www.openssh.com/" target="_top">OpenSSH</a></p>
<p><span class="CITEREFENTRY"><span class="REFENTRYTITLE">ssh</span>(1)</span> <span class="CITEREFENTRY"><span class="REFENTRYTITLE">scp</span>(1)</span> <span class="CITEREFENTRY"><span class="REFENTRYTITLE">ssh-keygen</span>(1)</span> <span class="CITEREFENTRY"><span class="REFENTRYTITLE">ssh-agent</span>(1)</span> <span class="CITEREFENTRY"><span class="REFENTRYTITLE">ssh-add</span>(1)</span></p>
<p><span class="CITEREFENTRY"><span class="REFENTRYTITLE">sshd</span>(8)</span> <span class="CITEREFENTRY"><span class="REFENTRYTITLE">sftp-server</span>(8)</span></p></div></div>
</body></html>
