openssh.html

FreeBSD操作系统的详细使用手册

<p>DSA public keys are also placed in <tt class="FILENAME">~/.ssh/authorized_keys</tt> on
the remote machine.</p>

<p><a
href="http://www.FreeBSD.org/cgi/man.cgi?query=ssh-agent&sektion=1&manpath=OpenBSD+3.4"><span
 class="CITEREFENTRY"><span class="REFENTRYTITLE">ssh-agent</span>(1)</span></a> and <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=ssh-add&sektion=1&manpath=OpenBSD+3.4"><span
 class="CITEREFENTRY"><span class="REFENTRYTITLE">ssh-add</span>(1)</span></a> are
utilities used in managing multiple passworded private keys.</p>

<div class="WARNING">
<blockquote class="WARNING">
<p><b>Warning:</b> The various options and files can be different according to the <b
class="APPLICATION">OpenSSH</b> version you have on your system, to avoid problems you
should consult the <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=ssh-keygen&sektion=1&manpath=OpenBSD+3.4"><span
 class="CITEREFENTRY"><span class="REFENTRYTITLE">ssh-keygen</span>(1)</span></a> manual
page.</p>
</blockquote>
</div>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="SECURITY-SSH-TUNNELING" name="SECURITY-SSH-TUNNELING">14.12.7
SSH Tunneling</a></h2>

<p><b class="APPLICATION">OpenSSH</b> has the ability to create a tunnel to encapsulate
another protocol in an encrypted session.</p>

<p>The following command tells <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=ssh&sektion=1&manpath=OpenBSD+3.4"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">ssh</span>(1)</span></a> to create a
tunnel for <b class="APPLICATION">telnet</b>:</p>

<pre class="SCREEN">
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">ssh -2 -N -f -L <var
class="REPLACEABLE">5023:localhost:23 user@foo.example.com</var></kbd>
<samp class="PROMPT">%</samp>
</pre>

<p>The <tt class="COMMAND">ssh</tt> command is used with the following options:</p>

<div class="VARIABLELIST">
<dl>
<dt><var class="OPTION">-2</var></dt>

<dd>
<p>Forces <tt class="COMMAND">ssh</tt> to use version 2 of the protocol. (Do not use if
you are working with older SSH servers)</p>
</dd>

<dt><var class="OPTION">-N</var></dt>

<dd>
<p>Indicates no command, or tunnel only. If omitted, <tt class="COMMAND">ssh</tt> would
initiate a normal session.</p>
</dd>

<dt><var class="OPTION">-f</var></dt>

<dd>
<p>Forces <tt class="COMMAND">ssh</tt> to run in the background.</p>
</dd>

<dt><var class="OPTION">-L</var></dt>

<dd>
<p>Indicates a local tunnel in <var
class="REPLACEABLE">localport:remotehost:remoteport</var> fashion.</p>
</dd>

<dt><var class="OPTION">user@foo.example.com</var></dt>

<dd>
<p>The remote SSH server.</p>
</dd>
</dl>
</div>

<p>An SSH tunnel works by creating a listen socket on <tt class="HOSTID">localhost</tt>
on the specified port. It then forwards any connection received on the local host/port
via the SSH connection to the specified remote host and port.</p>

<p>In the example, port <var class="REPLACEABLE">5023</var> on <tt
class="HOSTID">localhost</tt> is being forwarded to port <var
class="REPLACEABLE">23</var> on <tt class="HOSTID">localhost</tt> of the remote machine.
Since <var class="REPLACEABLE">23</var> is <b class="APPLICATION">telnet</b>, this would
create a secure <b class="APPLICATION">telnet</b> session through an SSH tunnel.</p>

<p>This can be used to wrap any number of insecure TCP protocols such as SMTP, POP3, FTP,
etc.</p>

<div class="EXAMPLE"><a id="AEN21617" name="AEN21617"></a>
<p><b>Example 14-1. Using SSH to Create a Secure Tunnel for SMTP</b></p>

<pre class="SCREEN">
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">ssh -2 -N -f -L <var
class="REPLACEABLE">5025:localhost:25 user@mailserver.example.com</var></kbd>
user@mailserver.example.com's password: <kbd class="USERINPUT">*****</kbd>
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">telnet localhost 5025</kbd>
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 mailserver.example.com ESMTP
</pre>

<p>This can be used in conjunction with an <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=ssh-keygen&sektion=1&manpath=OpenBSD+3.4"><span
 class="CITEREFENTRY"><span class="REFENTRYTITLE">ssh-keygen</span>(1)</span></a> and
additional user accounts to create a more seamless/hassle-free SSH tunneling environment.
Keys can be used in place of typing a password, and the tunnels can be run as a separate
user.</p>
</div>

<div class="SECT3">
<h3 class="SECT3"><a id="AEN21630" name="AEN21630">14.12.7.1 Practical SSH Tunneling
Examples</a></h3>

<div class="SECT4">
<h4 class="SECT4"><a id="AEN21632" name="AEN21632">14.12.7.1.1 Secure Access of a POP3
Server</a></h4>

<p>At work, there is an SSH server that accepts connections from the outside. On the same
office network resides a mail server running a POP3 server. The network, or network path
between your home and office may or may not be completely trustable. Because of this, you
need to check your e-mail in a secure manner. The solution is to create an SSH connection
to your office's SSH server, and tunnel through to the mail server.</p>

<pre class="SCREEN">
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">ssh -2 -N -f -L <var
class="REPLACEABLE">2110:mail.example.com:110 user@ssh-server.example.com</var></kbd>
user@ssh-server.example.com's password: <kbd class="USERINPUT">******</kbd>
</pre>

<p>When the tunnel is up and running, you can point your mail client to send POP3
requests to <tt class="HOSTID">localhost</tt> port 2110. A connection here will be
forwarded securely across the tunnel to <tt class="HOSTID">mail.example.com</tt>.</p>
</div>

<div class="SECT4">
<h4 class="SECT4"><a id="AEN21643" name="AEN21643">14.12.7.1.2 Bypassing a Draconian
Firewall</a></h4>

<p>Some network administrators impose extremely draconian firewall rules, filtering not
only incoming connections, but outgoing connections. You may be only given access to
contact remote machines on ports 22 and 80 for SSH and web surfing.</p>

<p>You may wish to access another (perhaps non-work related) service, such as an Ogg
Vorbis server to stream music. If this Ogg Vorbis server is streaming on some other port
than 22 or 80, you will not be able to access it.</p>

<p>The solution is to create an SSH connection to a machine outside of your network's
firewall, and use it to tunnel to the Ogg Vorbis server.</p>

<pre class="SCREEN">
<samp class="PROMPT">%</samp> <kbd class="USERINPUT">ssh -2 -N -f -L <var
class="REPLACEABLE">8888:music.example.com:8000 user@unfirewalled-system.example.org</var></kbd>
user@unfirewalled-system.example.org's password: <kbd class="USERINPUT">*******</kbd>
</pre>

<p>Your streaming client can now be pointed to <tt class="HOSTID">localhost</tt> port
8888, which will be forwarded over to <tt class="HOSTID">music.example.com</tt> port
8000, successfully evading the firewall.</p>
</div>
</div>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN21656" name="AEN21656">14.12.8 Further Reading</a></h2>

<p><a href="http://www.openssh.com/" target="_top">OpenSSH</a></p>

<p><a
href="http://www.FreeBSD.org/cgi/man.cgi?query=ssh&sektion=1&manpath=OpenBSD+3.4"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">ssh</span>(1)</span></a> <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=scp&sektion=1&manpath=OpenBSD+3.4"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">scp</span>(1)</span></a> <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=ssh-keygen&sektion=1&manpath=OpenBSD+3.4"><span
 class="CITEREFENTRY"><span class="REFENTRYTITLE">ssh-keygen</span>(1)</span></a> <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=ssh-agent&sektion=1&manpath=OpenBSD+3.4"><span
 class="CITEREFENTRY"><span class="REFENTRYTITLE">ssh-agent</span>(1)</span></a> <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=ssh-add&sektion=1&manpath=OpenBSD+3.4"><span
 class="CITEREFENTRY"><span class="REFENTRYTITLE">ssh-add</span>(1)</span></a></p>

<p><a
href="http://www.FreeBSD.org/cgi/man.cgi?query=sshd&sektion=8&manpath=OpenBSD+3.4"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">sshd</span>(8)</span></a> <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=sftp-server&sektion=8&manpath=OpenBSD+3.4">
<span class="CITEREFENTRY"><span
class="REFENTRYTITLE">sftp-server</span>(8)</span></a></p>
</div>
</div>

<div class="NAVFOOTER">
<hr align="LEFT" width="100%" />
<table summary="Footer navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<td width="33%" align="left" valign="top"><a href="ipsec.html"
accesskey="P">Prev</a></td>
<td width="34%" align="center" valign="top"><a href="index.html"
accesskey="H">Home</a></td>
<td width="33%" align="right" valign="top"><a href="fs-acl.html"
accesskey="N">Next</a></td>
</tr>

<tr>
<td width="33%" align="left" valign="top">VPN over IPsec</td>
<td width="34%" align="center" valign="top"><a href="security.html"
accesskey="U">Up</a></td>
<td width="33%" align="right" valign="top">File System Access Control Lists</td>
</tr>
</table>
</div>

<p align="center"><small>This, and other documents, can be downloaded from <a
href="ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/">ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/</a>.</small></p>

<p align="center"><small>For questions about FreeBSD, read the <a
href="http://www.FreeBSD.org/docs.html">documentation</a> before contacting &#60;<a
href="mailto:questions@FreeBSD.org">questions@FreeBSD.org</a>&#62;.<br />
For questions about this documentation, e-mail &#60;<a
href="mailto:doc@FreeBSD.org">doc@FreeBSD.org</a>&#62;.</small></p>
</body>
</html>