第1页 / 共668页
第2页 / 共668页
第3页 / 共668页
第4页 / 共668页
第5页 / 共668页
第6页 / 共668页
第7页 / 共668页
第8页 / 共668页
SSH, The Secure Shell, 2nd Edition.pdf
Table of Contents
Preface
Protect Your Network with SSH
Intended Audience
End-User Audience
Prerequisites
System-Administrator Audience
Prerequisites
Reading This Book
Our Approach
Which Chapters Are for You?
Supported Platforms
Disclaimers
Conventions Used in This Book
Comments and Questions
Safari Enabled
Acknowledgments
Introduction to SSH
1.1 What Is SSH?
1.2 What SSH Is Not
1.3 The SSH Protocol
1.3.1 Protocols, Products, Clients, and Confusion
1.4 Overview of SSH Features
1.4.1 Secure Remote Logins
1.4.2 Secure File Transfer
1.4.3 Secure Remote Command Execution
1.4.4 Keys and Agents
1.4.5 Access Control
1.4.6 Port Forwarding
1.5 History of SSH
1.6 Related Technologies
1.6.1 rsh Suite (r-Commands)
1.6.2 Pretty Good Privacy (PGP) and GNU Privacy Guard (GnuPG)
1.6.3 Kerberos
1.6.4 IPSEC and Virtual Private Networks
1.6.5 Secure Remote Password (SRP)
1.6.6 Secure Socket Layer (SSL) Protocol
1.6.7 SSL-Enhanced Telnet and FTP
1.6.8 stunnel
1.6.9 Firewalls
1.7 Summary
Basic Client Use
2.1 A Running Example
2.2 Remote Terminal Sessions with ssh
2.2.1 File Transfer with scp
2.3 Adding Complexity to the Example
2.3.1 Known Hosts
2.3.2 The Escape Character
2.4 Authentication by Cryptographic Key
2.4.1 A Brief Introduction to Keys
2.4.2 Generating Key Pairs with ssh-keygen
2.4.3 Installing a Public Key on an SSH Server Machine
2.4.3.1 Instructions for OpenSSH
2.4.3.2 Instructions for Tectia
2.4.4 If You Change Your Key
2.5 The SSH Agent
2.5.1 Agents and Automation
2.5.2 A More Complex Passphrase Problem
2.5.3 Agent Forwarding
2.6 Connecting Without a Password or Passphrase
2.7 Miscellaneous Clients
2.7.1 sftp
2.7.2 slogin
2.8 Summary
Inside SSH
3.1 Overview of Features
3.1.1 Privacy (Encryption)
3.1.2 Integrity
3.1.3 Authentication
3.1.4 Authorization
3.1.5 Forwarding ( Tunneling)
3.2 A Cryptography Primer
3.2.1 How Secure Is Secure?
3.2.2 Public- and Secret-Key Cryptography
3.2.3 Hash Functions
3.3 The Architecture of an SSH System
3.4 Inside SSH-2
3.4.1 Protocol Summary
3.4.2 SSH Transport Layer Protocol (SSH-TRANS)
3.4.2.1 Connection
3.4.2.2 Protocol version selection
3.4.2.3 Parameter negotiation
3.4.2.4 Key exchange and server authentication
3.4.2.5 Server authentication and antispoofing: some gory details
3.4.2.6 Wonder security powers, activate!
3.4.3 SSH Authentication Protocol (SSH-AUTH)
3.4.3.1 The authentication request
3.4.3.2 The authentication response
3.4.3.3 Getting started: the “none” request
3.4.3.4 Public-key authentication
3.4.3.5 Password authentication
3.4.3.6 Hostbased authentication
3.4.4 SSH Connection Protocol (SSH-CONN)
3.4.4.1 Channels
3.4.4.2 Requests
3.4.4.3 The finish line
3.5 Inside SSH-1
3.6 Implementation Issues
3.6.1 Host Keys
3.6.2 Authorization in Hostbased Authentication
3.6.2.1 Hostbased access files
3.6.2.2 Control file details
3.6.2.3 Netgroups as wildcards
3.6.2.4 Summary
3.6.3 SSH-1 Backward Compatibility
3.6.4 Randomness
3.6.5 Privilege Separation in OpenSSH
3.7 SSH and File Transfers (scp and sftp)
3.7.1 What’s in a Name?
3.7.2 scp Details
3.7.3 scp2/sftp Details
3.8 Algorithms Used by SSH
3.8.1 Public-Key Algorithms
3.8.1.1 Rivest-Shamir-Adleman (RSA)
3.8.1.2 Digital Signature Algorithm (DSA)
3.8.1.3 Diffie-Hellman key agreement
3.8.2 Secret-Key Algorithms
3.8.2.1 International Data Encryption Algorithm (IDEA)
3.8.2.2 Advanced Encryption Standard (AES)
3.8.2.3 Data Encryption Standard (DES)
3.8.2.4 Triple-DES
3.8.2.5 ARCFOUR (RC4)
3.8.2.6 Blowfish
3.8.2.7 Twofish
3.8.2.8 CAST
3.8.3 Hash Functions
3.8.3.1 CRC-32
3.8.3.2 MD5
3.8.3.3 SHA-1
3.8.3.4 RIPEMD-160
3.8.4 Compression Algorithms: zlib
3.9 Threats SSH Can Counter
3.9.1 Eavesdropping
3.9.2 Name Service and IP Spoofing
3.9.3 Connection Hijacking
3.9.4 Man-in-the-Middle Attacks
3.10 Threats SSH Doesn’t Prevent
3.10.1 Password Cracking
3.10.2 IP and TCP Attacks
3.10.3 Traffic Analysis
3.10.4 Covert Channels
3.10.5 Carelessness
3.11 Threats Caused by SSH
3.12 Summary
Installation and Compile-Time Configuration
4.1. Overview
4.1.1 Install the Prerequisites
4.1.2 Obtain the Sources
4.1.3 Verify the Signature
4.1.4 Extract the Source Files
4.1.5 Perform Compile-Time Configuration
4.1.6 Compile Everything
4.1.7 Install the Programs and Configuration Files
4.2 Installing OpenSSH
4.2.1 Prerequisites
4.2.2 Downloading and Extracting the Files
4.2.2.1 Verifying with GnuPG
4.2.3 Building and Installing
4.2.4 Configuration Options
4.2.4.1 File locations
4.2.4.2 Random number generation
4.2.4.3 Networking
4.2.4.4 Authentication
4.2.4.5 Access control
4.3 Installing Tectia
4.3.1 Prerequisites
4.3.2 Obtaining and Extracting the Files
4.3.3 Verifying with md5sum
4.3.4 Building and Installing
4.3.5 Configuration Options
4.3.5.1 File locations and permission
4.3.5.2 Random number generation
4.3.5.3 Networking
4.3.5.4 X Window System
4.3.5.5 TCP port forwarding
4.3.5.6 Encryption
4.3.5.7 Authentication
4.3.5.8 SOCKS proxies
4.3.5.9 Debugging
4.3.5.10 SSH-1 protocol compatibility
4.3.6 SSH-1 Compatibility Support for Tectia
4.4 Software Inventory
4.5 Replacing r Commands with SSH
4.5.1 Concurrent Versions System (CVS)
4.5.2 GNU Emacs
4.5.3 Pine
4.5.4 rsync, rdist
4.6 Summary
Serverwide Configuration
5.1 Running the Server
5.1.1 Running sshd as the Superuser
5.1.2 Running sshd as an Ordinary User
5.2 Server Configuration: An Overview
5.2.1 Server Configuration Files
5.2.2 Checking Configuration Files
5.2.2.1 Checking OpenSSH configuration files
5.2.2.2 Checking Tectia configuration files
5.2.3 Command-Line Options
5.2.4 Changing the Configuration
5.2.5 A Tricky Reconfiguration Example
5.3 Getting Ready: Initial Setup
5.3.1 File Locations
5.3.1.1 Host key files
5.3.1.2 Random seed file
5.3.1.3 Process ID file
5.3.1.4 Server configuration file
5.3.1.5 User SSH directory
5.3.1.6 Per-account authorization files
5.3.1.7 utmp file structure
5.3.2 File Permissions
5.3.2.1 Acceptable permissions for user files
5.3.3 TCP/IP Settings
5.3.3.1 Port number and network interface
5.3.3.2 Invocation by inetd or xinetd
5.3.3.3 Restarting the SSH server for each connection
5.3.3.4 Keepalive messages
5.3.3.5 Idle connections
5.3.3.6 Failed logins
5.3.3.7 Limiting simultaneous connections
5.3.3.8 Reverse IP mappings
5.3.3.9 Controlling the Nagle Algorithm
5.3.3.10 Discovering other servers
5.3.4 Key Regeneration
5.3.5 Encryption Algorithms
5.3.6 Integrity-Checking (MAC) Algorithms
5.3.7 SSH Protocol Settings
5.3.7.1 Protocol version string
5.3.8 Compression
5.4 Authentication: Verifying Identities
5.4.1 Authentication Syntax
5.4.2 Password Authentication
5.4.2.1 Failed password attempts
5.4.2.2 Empty passwords
5.4.2.3 Expired passwords
5.4.3 Public-Key Authentication
5.4.4 Hostbased Authentication
5.4.5 Keyboard-Interactive Authentication
5.4.5.1 OpenSSH keyboard-interactive authentication
5.4.5.2 Tectia’s keyboard-interactive authentication
5.4.6 PGP Authentication
5.4.7 Kerberos Authentication
5.4.7.1 Kerberos and OpenSSH
5.4.7.2 Kerberos and Tectia
5.4.8 PAM Authentication
5.4.9 Privilege Separation
5.4.10 Selecting a Login Program
5.5 Access Control: Letting People In
5.5.1 Account Access Control
5.5.1.1 Restricting all logins
5.5.2 Group Access Control
5.5.3 Hostname Access Control
5.5.4 shosts Access Control
5.5.5 Root Access Control
5.5.6 External Access Control
5.5.7 Restricting Directory Access with chroot
5.5.8 Summary of Authentication and Access Control
5.6 User Logins and Accounts
5.6.1 Welcome Messages for the User
5.6.2 Setting Environment Variables
5.6.3 Initialization Scripts
5.7 Forwarding
5.7.1 Port Forwarding
5.7.2 X Forwarding
5.7.3 Agent Forwarding
5.8 Subsystems
5.9 Logging and Debugging
5.9.1 OpenSSH Logging and Debugging
5.9.2 Tectia Logging and Debugging
5.9.3 Debugging Under inetd or xinetd
5.10 Compatibility Between SSH-1 and SSH-2 Servers
5.10.1 Security Issues with Tectia’s SSH-1 Compatibility Mode
5.11 Summary
Key Management and Agents
6.1 What Is an Identity?
6.1.1 OpenSSH Identities
6.1.2 Tectia Identities
6.2 Creating an Identity
6.2.1 Generating Keys for OpenSSH
6.2.1.1 Creating OpenSSH keys
6.2.1.2 Working with OpenSSH keys
6.2.2 Generating Keys for Tectia
6.2.2.1 Creating Tectia keys
6.2.2.2 Working with Tectia keys
6.2.3 Selecting a Passphrase
6.2.4 Generating New Groups for Diffie-Hellman Key Exchange
6.3 SSH Agents
6.3.1 Agents Do Not Expose Keys
6.3.2 Starting an Agent
6.3.2.1 Single-shell method
6.3.2.2 Subshell method
6.3.2.3 Format of environment variable commands
6.3.3 Loading Keys with ssh-add
6.3.3.1 Automatic agent loading (single-shell method)
6.3.3.2 Automatic agent loading (subshell method)
6.3.3.3 Automatic agent loading (X Window System)
6.3.4 Agents and Security
6.3.4.1 Access control
6.3.4.2 Cracking an agent
6.3.5 Agent Forwarding
6.3.5.1 A firewall example
6.3.5.2 How agent forwarding works
6.3.5.3 Enabling agent forwarding
6.3.6 Agent CPU Usage
6.3.7 Debugging the Agent
6.4 Multiple Identities
6.4.1 Switching Identities Manually
6.4.2 Switching Identities with an Agent
6.4.3 Tailoring Sessions Based on Identity
6.5 PGP Authentication in Tectia
6.6 Tectia External Keys
6.7 Summary
Advanced Client Use
7.1 How to Configure Clients
7.1.1 Command-Line Options
7.1.2 Client Configuration Files
7.1.2.1 Keywords versus command-line options
7.1.2.2 Global and local files
7.1.2.3 Configuration-file sections
7.1.2.4 Multiple matches
7.1.2.5 Making nicknames for hosts
7.1.2.6 Comments, indenting, and style
7.1.3 Environment Variables
7.2 Precedence
7.3 Introduction to Verbose Mode
7.4 Client Configuration in Depth
7.4.1 Remote Account Name
7.4.1.1 Tricks with remote account names
7.4.2 User Identity
7.4.2.1 Using identities
7.4.3 Host Keys and Known-Hosts Databases
7.4.3.1 Strict host-key checking
7.4.3.2 Verifying host keys by DNS
7.4.3.3 Host key aliasing
7.4.3.4 Ignoring host keys for localhost
7.4.3.5 Moving the known hosts files
7.4.4 SSH Protocol Settings
7.4.4.1 Choosing a protocol version
7.4.4.2 Connection sharing
7.4.4.3 Setting environment variables in the server
7.4.5 TCP/IP Settings
7.4.5.1 Selecting a remote port
7.4.5.2 Connecting via a given network interface
7.4.5.3 Forcing a nonprivileged local port
7.4.5.4 Keepalive messages
7.4.5.5 Controlling TCP_NODELAY
7.4.5.6 Requiring IPv4 and IPv6
7.4.6 Making Connections
7.4.6.1 Number of connection attempts
7.4.6.2 Password prompting in OpenSSH
7.4.6.3 Password prompting in Tectia
7.4.6.4 Batch mode: suppressing prompts
7.4.6.5 Pseudo-terminal allocation (TTY/PTY/PTTY)
7.4.6.6 Backgrounding a remote command
7.4.6.7 Backgrounding a remote command, take two
7.4.6.8 Escaping
7.4.7 Proxies and SOCKS
7.4.7.1 SOCKS in OpenSSH: using DynamicForward
7.4.7.2 SOCKS in Tectia
7.4.8 Forwarding
7.4.9 Encryption Algorithms
7.4.10 Integrity-Checking (MAC) Algorithms
7.4.11 Host Key Types
7.4.12 Session Rekeying
7.4.13 Authentication
7.4.13.1 Requesting an authentication technique
7.4.13.2 The server is the boss
7.4.13.3 Detecting successful authentication
7.4.13.4 Using ssh-keysign for hostbased authentication
7.4.14 Data Compression
7.4.15 Program Locations
7.4.16 Subsystems
7.4.17 Logging and Debugging
7.4.18 Random Seeds
7.5 Secure Copy with scp
7.5.1 Full Syntax of scp
7.5.2 Handling of Wildcards
7.5.3 Recursive Copy of Directories
7.5.4 Preserving Permissions
7.5.5 Automatic Removal of Original File
7.5.6 Safety Features
7.5.6.1 Directory confirmation
7.5.6.2 No-execute mode
7.5.6.3 Overwriting existing files
7.5.7 Batch Mode
7.5.8 User Identity
7.5.9 SSH Protocol Settings
7.5.10 TCP/IP Settings
7.5.11 Encryption Algorithms
7.5.12 Controlling Bandwidth
7.5.13 Data Compression
7.5.14 File Conversion
7.5.15 Optimizations
7.5.16 Statistics Display
7.5.17 Locating the ssh Executable
7.5.18 Getting Help
7.5.19 For Internal Use Only
7.5.20 Further Configuration
7.6 Secure, Interactive Copy with sftp
7.6.1 Interactive Commands
7.6.2 Command-Line Options
7.7 Summary
Per-Account Server Configuration
8.1 Limits of This Technique
8.1.1 Overriding Serverwide Settings
8.1.2 Authentication Issues
8.2 Public-Key-Based Configuration
8.2.1 OpenSSH Authorization Files
8.2.2 Tectia Authorization Files
8.2.2.1 Tectia PGP key authentication
8.2.3 Forced Commands
8.2.3.1 Security issues
8.2.3.2 Rejecting connections with a custom message
8.2.3.3 Displaying a command menu
8.2.3.4 Examining the client’s original command
8.2.3.5 Restricting a client’s original command
8.2.3.6 Logging a client’s original command
8.2.3.7 Forced commands and secure copy (scp)
8.2.4 Restricting Access by Host or Domain
8.2.4.1 OpenSSH host access control
8.2.4.2 Tectia host access control
8.2.5 Setting Environment Variables
8.2.5.1 Example: CVS and $LOGNAME
8.2.6 Setting Idle Timeout
8.2.7 Disabling or Limiting Forwarding
8.2.8 Disabling TTY Allocation
8.3 Hostbased Access Control
8.4 The User rc File
8.5 Summary
Port Forwarding and X Forwarding
9.1 What Is Forwarding?
9.2 Port Forwarding
9.2.1 Local Forwarding
9.2.1.1 Local forwarding and GatewayPorts
9.2.1.2 Remote forwarding
9.2.2 Trouble with Multiple Connections
9.2.3 Comparing Local and Remote Port Forwarding
9.2.3.1 Common elements
9.2.3.2 Local versus remote forwarding: the distinction
9.2.4 Forwarding Off-Host
9.2.4.1 Privacy
9.2.4.2 Access control and the loopback address
9.2.4.3 Listening on (“binding”) an interface
9.2.5 Bypassing a Firewall
9.2.6 Port Forwarding Without a Remote Login
9.2.6.1 One-shot forwarding
9.2.7 The Listening Port Number
9.2.8 Choosing the Target Forwarding Address
9.2.9 Termination
9.2.9.1 The TIME_WAIT problem
9.2.10 Configuring Port Forwarding in the Server
9.2.10.1 Compile-time configuration
9.2.10.2 Serverwide configuration
9.2.10.3 Per-account configuration
9.2.11 Protocol-Specific Forwarding: FTP
9.3 Dynamic Port Forwarding
9.3.1 SOCKS v4, SOCKS v5, and Names
9.3.2 Other Uses of Dynamic Forwarding
9.4 X Forwarding
9.4.1 The X Window System
9.4.2 How X Forwarding Works
9.4.3 Enabling X Forwarding
9.4.4 Configuring X Forwarding
9.4.4.1 Compile-time configuration
9.4.4.2 Serverwide configuration
9.4.4.3 Per-account configuration
9.4.5 X Authentication
9.4.5.1 How X authentication works
9.4.5.2 xauth and the SSH rc files
9.4.5.3 Trusted X forwarding
9.4.5.4 Problems with X authentication
9.4.5.5 SSH and authentication spoofing
9.4.5.6 Improving authentication spoofing
9.4.5.7 Nonstandard X clients
9.4.6 Further Issues
9.4.6.1 X server configuration
9.4.6.2 Setting your DISPLAY environment variable
9.4.6.3 Shared accounts
9.4.6.4 Location of the xauth program
9.4.6.5 X forwarding and the GatewayPorts feature
9.5 Forwarding Security: TCP-Wrappers and libwrap
9.5.1 TCP-Wrappers Configuration
9.5.2 Notes About TCP-Wrappers
9.6 Summary
A Recommended Setup
10.1 The Basics
10.2 Compile-Time Configuration
10.3 Serverwide Configuration
10.3.1 Disable Other Means of Access
10.3.2 sshd_config for OpenSSH
10.3.2.1 Choice of protocol
10.3.2.2 Important files
10.3.2.3 File and directory permissions
10.3.2.4 TCP/IP settings
10.3.2.5 Login time
10.3.2.6 Authentication
10.3.2.7 Access control
10.3.2.8 Forwarding
10.3.2.9 SFTP
10.3.3 sshd2_config for Tectia
10.3.3.1 Choice of protocol
10.3.3.2 Important files
10.3.3.3 File and directory permissions
10.3.3.4 TCP/IP settings
10.3.3.5 Login time
10.3.3.6 Authentication
10.3.3.7 Access control
10.3.3.8 Forwarding
10.3.3.9 Encryption
10.3.3.10 SFTP
10.4 Per-Account Configuration
10.5 Key Management
10.6 Client Configuration
10.7 Remote Home Directories (NFS, AFS)
10.7.1 NFS Security Risks
10.7.2 NFS Access Problems
10.7.3 AFS Access Problems
10.8 Summary
Case Studies
11.1 Unattended SSH: Batch or cron Jobs
11.1.1 Password Authentication
11.1.2 Public-Key Authentication
11.1.2.1 Storing the passphrase in the filesystem
11.1.2.2 Using a plaintext key
11.1.2.3 Using an agent
11.1.3 Hostbased Authentication
11.1.4 Kerberos
11.1.5 General Precautions for Batch Jobs
11.1.5.1 Least-privilege accounts
11.1.5.2 Separate, locked-down automation accounts
11.1.5.3 Restricted-use keys
11.1.5.4 Useful ssh options
11.1.6 Recommendations
11.2 FTP and SSH
11.2.1 FTP-Specific Tools for SSH
11.2.1.1 VanDyke’s SecureFX
11.2.1.2 Tectia client
11.2.2 Static Port Forwarding and FTP: A Study in Pain
11.2.3 The FTP Protocol
11.2.4 Forwarding the Control Connection
11.2.4.1 Choosing the forwarding target
11.2.4.2 Using passive mode
11.2.4.3 The “PASV port theft” problem
11.2.5 FTP, Firewalls, and Passive Mode
11.2.6 FTP and Network Address Translation (NAT)
11.2.6.1 Server-side NAT issues
11.2.7 All About Data Connections
11.2.7.1 The usual method of file transfer
11.2.7.2 Passive mode in depth
11.2.7.3 FTP with the default data ports
11.2.8 Forwarding the Data Connection
11.3 Pine, IMAP, and SSH
11.3.1 Securing IMAP Authentication
11.3.1.1 Pine and preauthenticated IMAP
11.3.1.2 Making Pine use SSH
11.3.2 Mail Relaying and News Access
11.3.3 Using a Connection Script
11.4 Connecting Through a Gateway Host
11.4.1 Making Transparent SSH Connections
11.4.2 Using SCP Through a Gateway
11.4.3 Another Approach: SSH-in-SSH (Port Forwarding)
11.4.4 SSH-in-SSH with a Proxy Command (OpenSSH)
11.4.5 Comparing the Techniques
11.4.5.1 Smoothness
11.4.5.2 Security
11.5 Scalable Authentication for SSH
11.5.1 Tectia with X.509 Certificates
11.5.1.1 What’s a PKI?
11.5.1.2 Using certificates with Tectia host keys
11.5.1.3 A simple configuration
11.5.1.4 Getting a certificate
11.5.1.5 Hostkey verification: configuring the server
11.5.1.6 Hostkey verification: configuring the Client
11.5.1.7 User authentication: configuring the client
11.5.1.8 User authentication: configuring the server
11.5.2 OpenSSH and Tectia with Kerberos
11.5.2.1 How Kerberos works
11.5.2.2 Kerberos support in SSH
11.5.2.3 Kerberos interoperability with OpenSSH and Tectia
11.6 Tectia Extensions to Server Configuration Files
11.6.1 Metaconfiguration
11.6.2 Subconfiguration Files
11.6.3 Quoted Values
11.7 Tectia Plugins
11.7.1 A Plugin for Changing Expired Passwords
11.7.1.1 The ssh-passwd-plugin program
11.7.1.2 A Perl package implementing the Tectia plugin protocol
11.7.1.3 Creating a customized password-change plugin
11.7.2 A Plugin for Keyboard-Interactive Authentication
11.7.3 A Plugin for External Authorization
Troubleshooting and FAQ
12.1 Debug Messages: Your First Line of Defense
12.1.1 Client Debugging
12.1.2 Server Debugging
12.2 Problems and Solutions
12.2.1 General Problems
12.2.2 Authentication Problems
12.2.2.1 General authentication problems
12.2.2.2 Password authentication
12.2.2.3 Hostbased authentication
12.2.2.4 Public-key authentication
12.2.2.5 PGP key authentication
12.2.3 Key and Agent Problems
12.2.3.1 ssh-keygen
12.2.3.2 ssh-agent and ssh-add
12.2.3.3 Per-account authorization files
12.2.4 Server Problems
12.2.4.1 sshd_config, sshd2_config
12.2.5 Client Problems
12.2.5.1 General client problems
12.2.5.2 Client configuration file
12.2.5.3 ssh
12.2.5.4 scp
12.2.5.5 sftp
12.2.5.6 Port forwarding
12.3 Other SSH Resources
12.3.1 Web Sites
12.3.2 Usenet Newsgroups
Overview of Other Implementations
13.1 Common Features
13.2 Covered Products
13.3 Other SSH Products
13.3.1 BeOS
13.3.2 Commodore Amiga
13.3.3 GNU Emacs
13.3.4 Java
13.3.5 Macintosh OS 9
13.3.6 Macintosh OS X
13.3.7 Microsoft Windows
13.3.8 Microsoft Windows CE (PocketPC)
13.3.9 OS/2
13.3.10 Palm OS
13.3.11 Perl
13.3.12 Unix Variants (Linux, OpenBSD, etc.)
13.3.13 VMS
OpenSSH for Windows
14.1 Installation
14.2 Using the SSH Clients
14.3 Setting Up the SSH Server
14.3.1 Opening Remote Windows on the Desktop
14.4 Public-Key Authentication
14.4.1 Running an Agent
14.5 Troubleshooting
14.6 Summary
OpenSSH for Macintosh
15.1 Using the SSH Clients
15.2 Using the OpenSSH Server
15.2.1 Enabling the Server
15.2.2 Opening the Firewall
15.2.3 Control by xinetd
15.2.4 Server Configuration Details
15.2.5 Kerberos Support
Tectia for Windows
16.1 Obtaining and Installing
16.2 Basic Client Use
16.3 Key Management
16.4 Accession Lite
16.5 Advanced Client Use
16.6 Port Forwarding
16.7 Connector
16.7.1 General Settings
16.7.2 Servers for Outgoing SSH Connections
16.7.3 Filter Rules for Dynamic Port Forwarding
16.7.4 Configuration File
16.8 File Transfers
16.9 Command-Line Programs
16.10 Troubleshooting
16.11 Server
16.11.1 Server Operation
16.11.2 Server Configuration
16.11.3 Commands and Interactive Sessions
16.11.4 Authentication
16.11.5 Access Control
16.11.6 Forwarding
16.11.7 SFTP Server
16.11.8 Logging and Debugging
SecureCRT and SecureFX for Windows
17.1 Obtaining and Installing
17.2 Basic Client Use
17.3 Key Management
17.3.1 Key Generation Wizard
17.3.1.1 Automatic installation of keys
17.3.1.2 Manual installation of keys
17.3.2 Using Multiple Identities
17.3.3 The SSH Agent
17.4 Advanced Client Use
17.4.1 Mandatory Fields
17.4.2 Data Compression
17.4.3 Firewall Use
17.5 Forwarding
17.5.1 Port Forwarding
17.5.2 X Forwarding
17.6 Command-Line Client Programs
17.7 File Transfer
17.7.1 The vcp and vsftp Commands
17.7.2 Zmodem File Transfer
17.7.3 SecureFX
17.8 Troubleshooting
17.8.1 Authentication
17.8.2 Forwarding
17.9 VShell
17.10 Summary
PuTTY for Windows
18.1 Obtaining and Installing
18.2 Basic Client Use
18.2.1 Plink, a Console Client
18.2.2 Running Remote Commands
18.3 File Transfer
18.3.1 File Transfer with PSCP
18.3.2 File Transfer with PSFTP
18.4 Key Management
18.4.1 Choosing a Key
18.4.2 Pageant, an SSH Agent
18.5 Advanced Client Use
18.5.1 Saved Sessions
18.5.2 Host Keys
18.5.3 Choosing a Protocol Version
18.5.4 TCP/IP Settings
18.5.4.1 Selecting a remote port
18.5.4.2 Keepalive messages
18.5.4.3 The Nagle Algorithm
18.5.5 Pseudo-Terminal Allocation
18.5.6 Proxies and SOCKS
18.5.7 Encryption Algorithms
18.5.8 Authentication
18.5.9 Compression
18.5.10 Logging and Debugging
18.5.11 Batch Jobs
18.6 Forwarding
18.6.1 Forwarding with PuTTY
18.6.2 Forwarding with Plink
18.7 Summary
OpenSSH 4.0 New Features
Server Features: sshd
Logging of Access Control Violations
AddressFamily Keyword
Password and Account Expiration Warnings
Client Features: ssh, scp, and sftp
KbdInteractiveDevices Keyword
More Control for Connection Sharing
Hashing of Hostnames
Port Forwarding
sftp Command-Line Features
ssh-keygen
Hashing Your Known Hosts File
Managing Hosts
Tectia Manpage for sshregex
Regex Syntax: Egrep Patterns
Escaped Tokens for Regex Syntax Egrep
Regex Syntax: ZSH_FILEGLOB (or Traditional) Patterns
Character Sets for Egrep and ZSH_FILEGLOB
Example
Regex Syntax: SSH Patterns
Escaped Tokens for Regex Syntax SSH
Character Sets for Regex Syntax SSH
Example
Authors
See Also
Tectia Module Names for Debugging
SSH-1 Features of OpenSSH and Tectia
OpenSSH Features
Serverwide Configuration
Client Configuration
Files
Tectia Features
Serverwide Configuration
Client Configuration
File Transfers
Key Management
Authentication Agent
SSH Quick Reference
Legend
sshd Options
sshd Keywords
ssh Options
scp Options
ssh and scp Keywords
ssh-keygen Options
ssh-agent Options
ssh-add Options
Identity and Authorization Files, OpenSSH
Identity and Authorization Files, Tectia
Environment Variables
Index
SSH, the Secure Shell
The Definitive Guide
Other computer security resources from O’Reilly
Related titles
802.11 Security
Digital Identity
Firewall Warrior
Internet Forensics
Network Security Assessment
Network Security with
OpenSSL
nmap: The Definitive Guide
Managing Security with Snort
and IDS Tools
PGP: Pretty Good Privacy
Snort Cookbook
Security Books
Resource Center
security.oreilly.com is a complete catalog of O’Reilly’s books on
security and related technologies, including sample chapters
and code examples.
oreillynet.com is the essential portal for developers interested in
open and emerging technologies, including new platforms, pro-
gramming languages, and operating systems.
Conferences O’Reilly brings diverse innovators together to nurture the ideas
that spark revolutionary industries. We specialize in document-
ing the latest tools and systems, translating the innovator’s
knowledge into useful skills for those in the trenches. Visit con-
ferences.oreilly.com for our upcoming events.
Safari Bookshelf (safari.oreilly.com) is the premier online refer-
ence library for programmers and IT professionals. Conduct
searches across more than 1,000 books. Subscribers can zero in
on answers to time-critical questions in a matter of seconds.
Read the books on your Bookshelf from cover to cover or sim-
ply flip to the page you need. Try it today with a free trial.
SECOND EDITION
SSH, the Secure Shell
The Definitive Guide
Daniel J. Barrett, Richard E. Silverman,
and Robert G. Byrnes
Beijing • Cambridge • Farnham • Köln • Paris • Sebastopol • Taipei • Tokyo
SSH, the Secure Shell: The Definitive Guide™
by Daniel J. Barrett, Richard E. Silverman, and Robert G. Byrnes
Copyright © 2005, 2001 O’Reilly Media, Inc. All rights reserved.
Printed in the United States of America.
Published by O’Reilly Media, Inc., 1005 Gravenstein Highway North, Sebastopol, CA 95472.
O’Reilly books may be purchased for educational, business, or sales promotional use. Online editions
are also available for most titles (safari.oreilly.com). For more information, contact our corporate/insti-
tutional sales department: (800) 998-9938 or corporate@oreilly.com.
Editor:
Production Editor:
Cover Designer:
Interior Designer:
Printing History:
Mike Loukides
Mary Brady
Ellie Volckhausen
David Futato
February 2001:
May 2005:
First Edition.
Second Edition.
Nutshell Handbook, the Nutshell Handbook logo, and the O’Reilly logo are registered trademarks of
O’Reilly Media, Inc. SSH, the Secure Shell: The Definitive Guide, the image of a land snail, and related
trade dress are trademarks of O’Reilly Media, Inc.
Many of the designations used by manufacturers and sellers to distinguish their products are claimed as
trademarks. Where those designations appear in this book, and O’Reilly Media, Inc. was aware of a
trademark claim, the designations have been printed in caps or initial caps.
While every precaution has been taken in the preparation of this book, the publisher and authors
assume no responsibility for errors or omissions, or for damages resulting from the use of the
information contained herein.
This book uses RepKover™, a durable and flexible lay-flat binding.
ISBN: 0-596-00895-3
ISBN13: 978-0-596-00895-6
[M]
[1/07]
Table of Contents
Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xi
1.
Introduction to SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
1
3
3
5
9
10
15
1.1 What Is SSH?
1.2 What SSH Is Not
1.3 The SSH Protocol
1.4 Overview of SSH Features
1.5 History of SSH
1.6 Related Technologies
1.7 Summary
2. Basic Client Use . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
16
16
18
21
28
32
33
34
2.1 A Running Example
2.2 Remote Terminal Sessions with ssh
2.3 Adding Complexity to the Example
2.4 Authentication by Cryptographic Key
2.5 The SSH Agent
2.6 Connecting Without a Password or Passphrase
2.7 Miscellaneous Clients
2.8 Summary
3.
Inside SSH . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
36
39
43
45
68
3.1 Overview of Features
3.2 A Cryptography Primer
3.3 The Architecture of an SSH System
3.4 Inside SSH-2
3.5 Inside SSH-1
v
3.6 Implementation Issues
3.7 SSH and File Transfers (scp and sftp)
3.8 Algorithms Used by SSH
3.9 Threats SSH Can Counter
3.10 Threats SSH Doesn’t Prevent
3.11 Threats Caused by SSH
3.12 Summary
69
81
84
91
93
97
98
4.
Installation and Compile-Time Configuration . . . . . . . . . . . . . . . . . . . . . . . . . 99
99
4.1. Overview
106
111
124
125
127
4.2 Installing OpenSSH
4.3 Installing Tectia
4.4 Software Inventory
4.5 Replacing r-Commands with SSH
4.6 Summary
5. Serverwide Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
129
132
141
171
184
198
201
206
209
223
226
5.1 Running the Server
5.2 Server Configuration: An Overview
5.3 Getting Ready: Initial Setup
5.4 Authentication: Verifying Identities
5.5 Access Control: Letting People In
5.6 User Logins and Accounts
5.7 Forwarding
5.8 Subsystems
5.9 Logging and Debugging
5.10 Compatibility Between SSH-1 and SSH-2 Servers
5.11 Summary
6. Key Management and Agents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 227
227
233
242
260
262
264
265
6.1 What Is an Identity?
6.2 Creating an Identity
6.3 SSH Agents
6.4 Multiple Identities
6.5 PGP Authentication in Tectia
6.6 Tectia External Keys
6.7 Summary
vi
|
Table of Contents
相关推荐
2023年江西萍乡中考道德与法治真题及答案.doc
2012年重庆南川中考生物真题及答案.doc
2013年江西师范大学地理学综合及文艺理论基础考研真题.doc
2020年四川甘孜小升初语文真题及答案I卷.doc
2020年注册岩土工程师专业基础考试真题及答案.doc
2023-2024学年福建省厦门市九年级上学期数学月考试题及答案.doc
2021-2022学年辽宁省沈阳市大东区九年级上学期语文期末试题及答案.doc
2022-2023学年北京东城区初三第一学期物理期末试卷及答案.doc
2018上半年江西教师资格初中地理学科知识与教学能力真题及答案.doc
2012年河北国家公务员申论考试真题及答案-省级.doc
2020-2021学年江苏省扬州市江都区邵樊片九年级上学期数学第一次质量检测试题及答案.doc
2022下半年黑龙江教师资格证中学综合素质真题及答案.doc
