openssh.html

FreeBSD操作系统的详细使用手册

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="generator" content="HTML Tidy, see www.w3.org" />
<title>OpenSSH</title>
<meta name="GENERATOR" content="Modular DocBook HTML Stylesheet Version 1.7" />
<link rel="HOME" title="FreeBSD Handbook" href="index.html" />
<link rel="UP" title="Security" href="security.html" />
<link rel="PREVIOUS" title="VPN over IPsec" href="ipsec.html" />
<link rel="NEXT" title="File System Access Control Lists" href="fs-acl.html" />
<link rel="STYLESHEET" type="text/css" href="docbook.css" />
</head>
<body class="SECT1" bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#840084"
alink="#0000FF">
<div class="NAVHEADER">
<table summary="Header navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<th colspan="3" align="center">FreeBSD Handbook</th>
</tr>

<tr>
<td width="10%" align="left" valign="bottom"><a href="ipsec.html"
accesskey="P">Prev</a></td>
<td width="80%" align="center" valign="bottom">Chapter 14 Security</td>
<td width="10%" align="right" valign="bottom"><a href="fs-acl.html"
accesskey="N">Next</a></td>
</tr>
</table>

<hr align="LEFT" width="100%" />
</div>

<div class="SECT1">
<h1 class="SECT1"><a id="OPENSSH" name="OPENSSH">14.12 OpenSSH</a></h1>

<i class="AUTHORGROUP"><span class="CONTRIB">Contributed by</span> Chern Lee.</i> 

<p><b class="APPLICATION">OpenSSH</b> is a set of network connectivity tools used to
access remote machines securely. It can be used as a direct replacement for <tt
class="COMMAND">rlogin</tt>, <tt class="COMMAND">rsh</tt>, <tt class="COMMAND">rcp</tt>,
and <tt class="COMMAND">telnet</tt>. Additionally, any other TCP/IP connections can be
tunneled/forwarded securely through SSH. <b class="APPLICATION">OpenSSH</b> encrypts all
traffic to effectively eliminate eavesdropping, connection hijacking, and other
network-level attacks.</p>

<p><b class="APPLICATION">OpenSSH</b> is maintained by the OpenBSD project, and is based
upon SSH v1.2.12 with all the recent bug fixes and updates. It is compatible with both
SSH protocols 1 and 2. <b class="APPLICATION">OpenSSH</b> has been in the base system
since FreeBSD&nbsp;4.0.</p>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN21406" name="AEN21406">14.12.1 Advantages of Using
OpenSSH</a></h2>

<p>Normally, when using <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=telnet&sektion=1"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">telnet</span>(1)</span></a> or <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=rlogin&sektion=1"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">rlogin</span>(1)</span></a>, data is
sent over the network in an clear, un-encrypted form. Network sniffers anywhere in
between the client and server can steal your user/password information or data
transferred in your session. <b class="APPLICATION">OpenSSH</b> offers a variety of
authentication and encryption methods to prevent this from happening.</p>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN21416" name="AEN21416">14.12.2 Enabling sshd</a></h2>

<p>Be sure to make the following addition to your <tt class="FILENAME">rc.conf</tt>
file:</p>

<pre class="SCREEN">
sshd_enable="YES"
</pre>

<p>This will load <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=sshd&sektion=8&manpath=OpenBSD+3.4"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">sshd</span>(8)</span></a>, the daemon
program for <b class="APPLICATION">OpenSSH</b>, the next time your system initializes.
Alternatively, you can simply run directly the <b class="APPLICATION">sshd</b> daemon by
typing <tt class="COMMAND">sshd</tt> on the command line.</p>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN21431" name="AEN21431">14.12.3 SSH Client</a></h2>

<p>The <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=ssh&sektion=1&manpath=OpenBSD+3.4"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">ssh</span>(1)</span></a> utility works
similarly to <a href="http://www.FreeBSD.org/cgi/man.cgi?query=rlogin&sektion=1"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">rlogin</span>(1)</span></a>.</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">ssh <var
class="REPLACEABLE">user@example.com</var></kbd>
Host key not found from the list of known hosts.
Are you sure you want to continue connecting (yes/no)? <kbd class="USERINPUT">yes</kbd>
Host 'example.com' added to the list of known hosts.
user@example.com's password: <kbd class="USERINPUT">*******</kbd>
</pre>

<p>The login will continue just as it would have if a session was created using <tt
class="COMMAND">rlogin</tt> or <tt class="COMMAND">telnet</tt>. SSH utilizes a key
fingerprint system for verifying the authenticity of the server when the client connects.
The user is prompted to enter <var class="LITERAL">yes</var> only when connecting for the
first time. Future attempts to login are all verified against the saved fingerprint key.
The SSH client will alert you if the saved fingerprint differs from the received
fingerprint on future login attempts. The fingerprints are saved in <tt
class="FILENAME">~/.ssh/known_hosts</tt>, or <tt
class="FILENAME">~/.ssh/known_hosts2</tt> for SSH v2 fingerprints.</p>

<p>By default, <b class="APPLICATION">OpenSSH</b> servers are configured to accept both
SSH v1 and SSH v2 connections. The client, however, can choose between the two. Version 2
is known to be more robust and secure than its predecessor.</p>

<p>The <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=ssh&sektion=1&manpath=OpenBSD+3.4"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">ssh</span>(1)</span></a> command can be
forced to use either protocol by passing it the <var class="OPTION">-1</var> or <var
class="OPTION">-2</var> argument for v1 and v2, respectively.</p>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN21463" name="AEN21463">14.12.4 Secure Copy</a></h2>

<p>The <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=scp&sektion=1&manpath=OpenBSD+3.4"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">scp</span>(1)</span></a> command works
similarly to <a href="http://www.FreeBSD.org/cgi/man.cgi?query=rcp&sektion=1"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">rcp</span>(1)</span></a>; it copies a
file to or from a remote machine, except in a secure fashion.</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">scp <var
class="REPLACEABLE">user@example.com:/COPYRIGHT COPYRIGHT</var></kbd>
user@example.com's password: <kbd class="USERINPUT">*******</kbd>
COPYRIGHT            100% |*****************************|  4735       
00:00    
<samp class="PROMPT">#</samp>
</pre>

<p>Since the fingerprint was already saved for this host in the previous example, it is
verified when using <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=scp&sektion=1&manpath=OpenBSD+3.4"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">scp</span>(1)</span></a> here.</p>

<p>The arguments passed to <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=scp&sektion=1&manpath=OpenBSD+3.4"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">scp</span>(1)</span></a> are similar to
<a href="http://www.FreeBSD.org/cgi/man.cgi?query=cp&sektion=1"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">cp</span>(1)</span></a>, with the file
or files in the first argument, and the destination in the second. Since the file is
fetched over the network, through SSH, one or more of the file arguments takes on the
form <var class="OPTION">user@host:&lt;path_to_remote_file&gt;</var>.</p>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN21496" name="AEN21496">14.12.5 Configuration</a></h2>

<p>The system-wide configuration files for both the <b class="APPLICATION">OpenSSH</b>
daemon and client reside within the <tt class="FILENAME">/etc/ssh</tt> directory.</p>

<p><tt class="FILENAME">ssh_config</tt> configures the client settings, while <tt
class="FILENAME">sshd_config</tt> configures the daemon.</p>

<p>Additionally, the <var class="OPTION">sshd_program</var> (<tt
class="FILENAME">/usr/sbin/sshd</tt> by default), and <var
class="OPTION">sshd_flags</var> <tt class="FILENAME">rc.conf</tt> options can provide
more levels of configuration.</p>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN21512" name="AEN21512">14.12.6 ssh-keygen</a></h2>

<p>Instead of using passwords, <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=ssh-keygen&sektion=1&manpath=OpenBSD+3.4"><span
 class="CITEREFENTRY"><span class="REFENTRYTITLE">ssh-keygen</span>(1)</span></a> can be
used to generate RSA keys to authenticate a user:</p>

<pre class="SCREEN">
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">ssh-keygen -t <var
class="REPLACEABLE">rsa1</var></kbd>
Initializing random number generator...
Generating p:  .++ (distance 66)
Generating q:  ..............................++ (distance 498)
Computing the keys...
Key generation complete.
Enter file in which to save the key (/home/user/.ssh/identity):
Enter passphrase:
Enter the same passphrase again:
Your identification has been saved in /home/user/.ssh/identity.
...
</pre>

<p><a
href="http://www.FreeBSD.org/cgi/man.cgi?query=ssh-keygen&sektion=1&manpath=OpenBSD+3.4"><span
 class="CITEREFENTRY"><span class="REFENTRYTITLE">ssh-keygen</span>(1)</span></a> will
create a public and private key pair for use in authentication. The private key is stored
in <tt class="FILENAME">~/.ssh/identity</tt>, whereas the public key is stored in <tt
class="FILENAME">~/.ssh/identity.pub</tt>. The public key must be placed in <tt
class="FILENAME">~/.ssh/authorized_keys</tt> of the remote machine in order for the setup
to work.</p>

<p>This will allow connection to the remote machine based upon RSA authentication instead
of passwords.</p>

<div class="NOTE">
<blockquote class="NOTE">
<p><b>Note:</b> The <var class="OPTION">-t rsa1</var> option will create RSA keys for use
by SSH protocol version 1. If you want to use RSA keys with the SSH protocol version 2,
you have to use the command <tt class="COMMAND">ssh-keygen -t rsa</tt>.</p>
</blockquote>
</div>

<p>If a passphrase is used in <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=ssh-keygen&sektion=1&manpath=OpenBSD+3.4"><span
 class="CITEREFENTRY"><span class="REFENTRYTITLE">ssh-keygen</span>(1)</span></a>, the
user will be prompted for a password each time in order to use the private key.</p>

<p>A SSH protocol version 2 DSA key can be created for the same purpose by using the <tt
class="COMMAND">ssh-keygen -t dsa</tt> command. This will create a public/private DSA key
for use in SSH protocol version 2 sessions only. The public key is stored in <tt
class="FILENAME">~/.ssh/id_dsa.pub</tt>, while the private key is in <tt
class="FILENAME">~/.ssh/id_dsa</tt>.</p>