Differences between revisions of "UbuntuHelp:SSH/OpenSSH/Advanced"
From Ubuntu Chinese
m (Created new page as '{{From|https://help.ubuntu.com/community/SSH/OpenSSH/Advanced}} {{Languages|UbuntuHelp:SSH/OpenSSH/Advanced}} Parent page: [[UbuntuHelp:InternetAndNetworking| Internet and Netwo...')
Latest revision as of 00:16, 20 May 2010 (Thu)
Please do not edit the translation on this page directly; it is synchronised with its source periodically.
Parent page: Internet and Networking >> SSH
Introduction
This page discusses a collection of advanced uses for SSH. This list is far from complete - it should only serve to get you thinking about possible uses.
Tunneling VNC connections through ssh
Virtual Network Computing ("VNC") is a cross-platform way of sharing a desktop. Once you've set your SSH server up, see VNC for more information.
Mounting a remote directory
The SSH protocol includes SFTP (the Secure File Transfer Protocol). Ubuntu can use SFTP to treat your SSH server rather like a removable drive. For example, if your Ubuntu computer has an SSH account on a computer called `alpha-centauri`, you could create a folder `alpha-centauri` in your home folder, then do the following:
sshfs -o idmap=user alpha-centauri: ~/alpha-centauri/
Now when you look in your `alpha-centauri` folder, you will see your home folder on `alpha-centauri`. You can safely remove this device by doing:
fusermount -u ~/alpha-centauri/
Although this SSH filesystem is extremely useful, it's not what the SFTP protocol was designed for. As such, some ordinary operations might not behave the way you'd expect - for example, you can't unmount an SSHFS directory from the file browser.
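The mount and unmount steps above, wrapped into a small POSIX shell helper. This is an added example, not code from the Ubuntu help page or from the sshfs project: the function names (`sshfs_cmd`, `mountpoint_ok`, `ssh_mount`, `ssh_umount`) and the option set in `SSHFS_OPTS` are this example's own choices. It adds the two things that bite people with a long-lived SSHFS mount: it refuses to mount over a directory that is not empty (files underneath a mount become invisible, and mounting twice stacks one SSHFS on top of another), and it passes `reconnect` and `ServerAliveInterval` so a dropped network link does not leave the mount hung.

```shell
#!/bin/sh
# Added example (not from the Ubuntu help page): a wrapper around
# "sshfs -o idmap=user host: ~/host/" and "fusermount -u ~/host/".
# Function names and the option set below are this example's own choices.

# idmap=user maps the remote uid/gid to the local user, as on the page.
# reconnect + ServerAliveInterval keep the mount usable across a short
# network outage instead of leaving every process that touches it stuck.
SSHFS_OPTS=idmap=user,reconnect,ServerAliveInterval=15

# Print the exact sshfs command line that ssh_mount will run, so it can be
# reviewed (or checked in a test) without touching the network.
sshfs_cmd() {
    host=$1
    mnt=$2
    printf 'sshfs -o %s %s: %s\n' "$SSHFS_OPTS" "$host" "$mnt"
}

# A safe mount point is an existing directory with nothing in it.
# Returns 0 when it is safe to mount there, 1 otherwise.
mountpoint_ok() {
    mnt=$1
    [ -d "$mnt" ] || return 1
    [ -z "$(ls -A "$mnt" 2>/dev/null)" ] || return 1
    return 0
}

# ssh_mount HOST [MOUNTPOINT]   (mount point defaults to ~/HOST, as on the page)
ssh_mount() {
    host=$1
    mnt=${2:-"$HOME/$1"}
    mkdir -p "$mnt"
    if ! mountpoint_ok "$mnt"; then
        echo "refusing to mount: $mnt is not an empty directory" >&2
        return 1
    fi
    sshfs -o "$SSHFS_OPTS" "$host:" "$mnt"
}

# ssh_umount MOUNTPOINT   (the file browser cannot do this for an SSHFS mount)
ssh_umount() {
    fusermount -u "$1"
}

# Usage:  ssh_mount alpha-centauri        then later        ssh_umount ~/alpha-centauri
```

The non-empty check is what protects you when the remote side is unreachable: if a previous mount is still hanging around, `ls -A` on it fails or shows the remote files, the helper refuses, and you unmount first instead of stacking a second FUSE mount on top.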
Running from (x)inetd
The OpenSSH server can also be called into service as needed by the Internet Daemon, `inetd`, or its modern replacement, xinetd. To do this, you must configure (x)inetd to listen on TCP port 22, and to run `/usr/sbin/sshd -i` when a connection is established.
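What the "(x)inetd listens on port 22 and runs `/usr/sbin/sshd -i`" step looks like as an actual xinetd service stanza. This is an added example, not configuration from the Ubuntu help page or from the OpenSSH or xinetd projects; the helper name `xinetd_ssh_stanza` and the `per_source` default are this example's own choices. The stanza is emitted by a shell function so it can be reviewed before being written to `/etc/xinetd.d/`.

```shell
#!/bin/sh
# Added example (not from the Ubuntu help page): print an xinetd service
# definition that accepts TCP connections on the "ssh" port (22 in
# /etc/services) and hands each one to "sshd -i", which tells sshd it is
# being run from inetd and should talk SSH on its stdin/stdout.
#
# xinetd_ssh_stanza [PER_SOURCE]
#   PER_SOURCE  maximum simultaneous connections from one client address
#               (xinetd's per_source attribute); defaults to UNLIMITED.
xinetd_ssh_stanza() {
    per_source=${1:-UNLIMITED}
    cat <<EOF
service ssh
{
    disable         = no
    socket_type     = stream
    protocol        = tcp
    wait            = no
    user            = root
    server          = /usr/sbin/sshd
    server_args     = -i
    per_source      = $per_source
    log_on_failure  += USERID
}
EOF
}

# Usage (as root):
#   xinetd_ssh_stanza 5 > /etc/xinetd.d/ssh
#   /usr/sbin/sshd -t            # validate sshd_config before relying on xinetd
#   service ssh stop             # the standalone daemon must not hold port 22
#   service xinetd reload
```

Two things to check before switching over: the standalone `sshd` service must be stopped, otherwise xinetd cannot bind port 22 and every connection will still go to the old daemon; and `sshd -t` should pass, because an `sshd_config` error that a standalone daemon reports once at start-up is reported per connection under xinetd, where the client just sees the connection close.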
Logging in with Kerberos
Kerberos is a security system used in some large organisations. It allows a user to have a single company-wide password, that they use to log in to all their services. Kerberos isn't recommended for general use, but it can be useful if you have an existing security infrastructure.
Limiting the number of connections
If you allow passwords on your SSH server, you can use Ubuntu's firewall (iptables) to limit the rate at which passwords can be guessed. This forces an attacker to probe your computer slowly, so it might take weeks or months to guess your password. But it also allows an attacker to stop anybody from logging in, by flooding the server with bogus connection attempts. You should only try this if you fully understand how `iptables` works. As root, you can do this:
iptables -N rate-limit
iptables -A rate-limit -p tcp -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 3 -j RETURN
iptables -A rate-limit -j DROP
iptables -I INPUT 1 -p tcp --dport 22 -m conntrack --ctstate NEW -j rate-limit
This will limit your computer to 3 new SSH connection attempts per minute. The jump into the `rate-limit` chain is restricted to NEW connections: without that match, packets belonging to already established SSH sessions would also enter the chain, fail the NEW-only limit rule and be dropped by the final DROP rule. To make this change permanent, you will need to save these rules in whatever way you normally do. (This section was based in part on DD-WRT's guide)
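The ruleset above, and a per-source variant that addresses the lock-out caveat the section raises. This is an added example, not code from the Ubuntu help page or from DD-WRT's guide; the chain name `ssh-ratelimit`, the hashlimit table name `ssh-new`, and the function names are this example's own choices. The rules are printed by functions rather than executed, so they can be read, counted and tested without root, and then piped to `sh` as root when you are satisfied.

```shell
#!/bin/sh
# Added example (not from the Ubuntu help page): emit SSH rate-limit rules
# for review, then apply with "ssh_ratelimit_per_source | sh" as root.

# The page's ruleset: one shared bucket, 3 new connections per minute for
# everybody. Slows password guessing, but a single flooding host empties
# the shared bucket and locks every legitimate user out.
ssh_ratelimit_global() {
    cat <<'EOF'
iptables -N rate-limit
iptables -A rate-limit -p tcp -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 3 -j RETURN
iptables -A rate-limit -j DROP
iptables -I INPUT 1 -p tcp --dport 22 -m conntrack --ctstate NEW -j rate-limit
EOF
}

# Per-source variant using the hashlimit match: every client address gets
# its own 3/min bucket (--hashlimit-mode srcip), so a flood from one host
# no longer blocks logins from anywhere else. The jump is again limited to
# NEW connections so established sessions never reach the DROP rule.
ssh_ratelimit_per_source() {
    cat <<'EOF'
iptables -N ssh-ratelimit
iptables -A ssh-ratelimit -p tcp -m conntrack --ctstate NEW -m hashlimit --hashlimit-mode srcip --hashlimit-upto 3/min --hashlimit-burst 3 --hashlimit-name ssh-new -j RETURN
iptables -A ssh-ratelimit -j DROP
iptables -I INPUT 1 -p tcp --dport 22 -m conntrack --ctstate NEW -j ssh-ratelimit
EOF
}

# Sanity checks on an emitted ruleset: every rule that jumps from INPUT
# must carry the NEW match, and the chain must end in DROP. Returns 0 when
# the ruleset passes, 1 otherwise. Argument: the name of a ruleset function.
ruleset_ok() {
    rules=$("$1")
    printf '%s\n' "$rules" | grep -E '^iptables -I INPUT ' | grep -vq -- '--ctstate NEW' && return 1
    printf '%s\n' "$rules" | grep -Eq -- '-j DROP$' || return 1
    return 0
}

# Number of rules a ruleset emits (the page's set and the variant both use four).
rule_count() {
    "$1" | wc -l | tr -d ' '
}
```

After applying, `iptables-save > /etc/iptables.rules` (or whichever mechanism you already use) records the result. The per-source variant still limits an attacker to 3 attempts per minute per address; what it removes is the ability of one address to deny service to everyone else. An attacker with many addresses is slowed per address but not globally, which is why the page's advice to prefer keys over passwords still applies.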
Resources
Additional resources pertaining to the advanced configuration of OpenSSH for enhanced security appear below.
Local System Resources
- man sshd: System manual page for the sshd server daemon
- man sshd_config: System manual page for the /etc/ssh/sshd_config configuration file
- man ssh-copy-id: System manual page for the ssh-copy-id application
- man ssh-keygen: System manual page for the ssh-keygen application
- ~/.ssh/authorized_keys: List of "authorized" public keys (with limiting options)
- /etc/ssh/sshd_config: The OpenSSH Secure Shell Daemon (sshd) configuration file
Ubuntu Wiki Resources
- OpenSSH 4.3 VPNs describes how to create a Virtual Private Network with recent versions of SSH.
- GPG & OpenSSH describes how to use GPG to sign SSH keys.
WWW Resources
- Keeping SSH access secure
- OpenSSH Website
- Password-less logins with OpenSSH