Unterschiede
Hier werden die Unterschiede zwischen zwei Versionen angezeigt.
Beide Seiten der vorigen Revision Vorhergehende Überarbeitung Nächste Überarbeitung | Vorhergehende Überarbeitung Nächste ÜberarbeitungBeide Seiten der Revision | ||
centos:ssh-install [12.11.2016 19:34. ] – [Dokumentation] django | centos:ssh-install [13.11.2016 16:46. ] – [Zielverzeichnis anlegen und öffentlichen Schlüssel kopieren] django | ||
---|---|---|---|
Zeile 1: | Zeile 1: | ||
====== Secure Shell - ssh ====== | ====== Secure Shell - ssh ====== | ||
- | {{: | + | {{: |
+ | |||
+ | ===== openSSH - Programmsuite ===== | ||
+ | Die für die **// | ||
+ | * openssh : Die OpenSSH-Implementierung der SSH Protokoll-Versionen 2 (und 1) | ||
+ | * openssh-clients : Die OpenSSH-Client-Anwendungen | ||
+ | * openssh-server : Der OpenSSH-Server Daemon | ||
+ | * openssh-askpass : Passphrase-Dialog für OpenSSH und X | ||
+ | ==== openssh ==== | ||
+ | Mittels '' | ||
+ | |||
+ | # rpm -qil openssh | ||
+ | < | ||
+ | Version | ||
+ | Release | ||
+ | Architecture: | ||
+ | Install Date: Wed 23 Mar 2016 07:14:52 PM CET | ||
+ | Group : Applications/ | ||
+ | Size : 1450050 | ||
+ | License | ||
+ | Signature | ||
+ | Source RPM : openssh-6.6.1p1-25.el7_2.src.rpm | ||
+ | Build Date : Mon 21 Mar 2016 11:18:48 PM CET | ||
+ | Build Host : worker1.bsys.centos.org | ||
+ | Relocations : (not relocatable) | ||
+ | Packager | ||
+ | Vendor | ||
+ | URL : http:// | ||
+ | Summary | ||
+ | Description : | ||
+ | SSH (Secure SHell) is a program for logging into and executing | ||
+ | commands on a remote machine. SSH is intended to replace rlogin and | ||
+ | rsh, and to provide secure encrypted communications between two | ||
+ | untrusted hosts over an insecure network. X11 connections and | ||
+ | arbitrary TCP/IP ports can also be forwarded over the secure channel. | ||
+ | |||
+ | OpenSSH is OpenBSD' | ||
+ | it up to date in terms of security and features. | ||
+ | |||
+ | This package includes the core files necessary for both the OpenSSH | ||
+ | client and server. To make this package useful, you should also | ||
+ | install openssh-clients, | ||
+ | /etc/ssh | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | |||
+ | |||
+ | ==== openssh-clients ==== | ||
+ | Beim Paket **openssh-clients** wird mitgeliefert: | ||
+ | |||
+ | # rpm -qil openssh-clients | ||
+ | < | ||
+ | Version | ||
+ | Release | ||
+ | Architecture: | ||
+ | Install Date: Wed 23 Mar 2016 07:14:59 PM CET | ||
+ | Group : Applications/ | ||
+ | Size : 2298871 | ||
+ | License | ||
+ | Signature | ||
+ | Source RPM : openssh-6.6.1p1-25.el7_2.src.rpm | ||
+ | Build Date : Mon 21 Mar 2016 11:18:48 PM CET | ||
+ | Build Host : worker1.bsys.centos.org | ||
+ | Relocations : (not relocatable) | ||
+ | Packager | ||
+ | Vendor | ||
+ | URL : http:// | ||
+ | Summary | ||
+ | Description : | ||
+ | OpenSSH is a free version of SSH (Secure SHell), a program for logging | ||
+ | into and executing commands on a remote machine. This package includes | ||
+ | the clients necessary to make encrypted connections to SSH servers. | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | ==== openssh-server ==== | ||
+ | Hingegen liefert uns **openssh-server** folgende Dateien: | ||
+ | |||
+ | # rpm -qil openssh-server | ||
+ | < | ||
+ | Release | ||
+ | Architecture: | ||
+ | Install Date: Wed 23 Mar 2016 07:14:58 PM CET | ||
+ | Group : System Environment/ | ||
+ | Size : 943088 | ||
+ | License | ||
+ | Signature | ||
+ | Source RPM : openssh-6.6.1p1-25.el7_2.src.rpm | ||
+ | Build Date : Mon 21 Mar 2016 11:18:48 PM CET | ||
+ | Build Host : worker1.bsys.centos.org | ||
+ | Relocations : (not relocatable) | ||
+ | Packager | ||
+ | Vendor | ||
+ | URL : http:// | ||
+ | Summary | ||
+ | Description : | ||
+ | OpenSSH is a free version of SSH (Secure SHell), a program for logging | ||
+ | into and executing commands on a remote machine. This package contains | ||
+ | the secure shell daemon (sshd). The sshd daemon allows SSH clients to | ||
+ | securely connect to your SSH server. | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | ==== openssh-askpass ==== | ||
+ | Zu guter Letzt sehen wir uns noch das Paket **openssh-askpass** genauer an: | ||
+ | |||
+ | # rpm -qil openssh-askpass | ||
+ | < | ||
+ | Version | ||
+ | Release | ||
+ | Architecture: | ||
+ | Install Date: Sat 12 Nov 2016 08:22:40 PM CET | ||
+ | Group : Applications/ | ||
+ | Size : 15944 | ||
+ | License | ||
+ | Signature | ||
+ | Source RPM : openssh-6.6.1p1-25.el7_2.src.rpm | ||
+ | Build Date : Mon 21 Mar 2016 11:18:48 PM CET | ||
+ | Build Host : worker1.bsys.centos.org | ||
+ | Relocations : (not relocatable) | ||
+ | Packager | ||
+ | Vendor | ||
+ | URL : http:// | ||
+ | Summary | ||
+ | Description : | ||
+ | OpenSSH is a free version of SSH (Secure SHell), a program for logging | ||
+ | into and executing commands on a remote machine. This package contains | ||
+ | an X11 passphrase dialog for OpenSSH. | ||
+ | / | ||
+ | / | ||
+ | / | ||
+ | / | ||
===== Dokumentation ===== | ===== Dokumentation ===== | ||
Zeile 6: | Zeile 193: | ||
Die Optionen rund um opennssh findet amn wie immer, in der manpage zu **ssh**. | Die Optionen rund um opennssh findet amn wie immer, in der manpage zu **ssh**. | ||
- | < | + | < |
NAME | NAME | ||
Zeile 12: | Zeile 199: | ||
SYNOPSIS | SYNOPSIS | ||
- | ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec] [-D [bind_address: | + | ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec] [-D [bind_address: |
- | [-e escape_char] [-F configfile] [-I pkcs11] [-i identity_file] [-L [bind_address: | + | [-E log_file] [-e escape_char] [-F configfile] [-I pkcs11] [-i identity_file] |
- | [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port] | + | [-L [bind_address: |
- | [-Q cipher | cipher-auth | mac | kex | key] [-R [bind_address: | + | [-p port] [-Q cipher | cipher-auth | mac | kex | key] [-R [bind_address: |
- | [-W host:port] [-w local_tun[: | + | [-S ctl_path] [-W host:port] [-w local_tun[: |
DESCRIPTION | DESCRIPTION | ||
- | ssh (SSH client) is a program for logging into a remote machine and for executing commands on a remote | + | ssh (SSH client) is a program for logging into a remote machine and for executing commands on a |
- | | + | remote |
- | | + | tions between two untrusted hosts over an insecure network. |
- | the secure channel. | + | ports can also be forwarded over the secure channel. |
- | ssh connects and logs into the specified hostname (with optional user name). | + | ssh connects and logs into the specified hostname (with optional user name). |
- | identity to the remote machine using one of several methods depending on the protocol | + | his/her identity to the remote machine using one of several methods depending on the protocol |
- | below). | + | |
If command is specified, it is executed on the remote host instead of a login shell. | If command is specified, it is executed on the remote host instead of a login shell. | ||
Zeile 40: | Zeile 227: | ||
| | ||
- | | + | |
- | basis in a configuration file. | + | per-host basis in a configuration file. |
- | Agent forwarding should be enabled with caution. | + | Agent forwarding should be enabled with caution. |
- | on the remote host (for the agent' | + | permissions |
- | | + | agent through the forwarded |
- | operations on the keys that enable them to authenticate using the identities loaded into the agent. | + | agent, however they can perform operations on the keys that enable them to authenticate |
+ | using the identities loaded into the agent. | ||
| | ||
-b bind_address | -b bind_address | ||
- | Use bind_address on the local machine as the source address of the connection. | + | Use bind_address on the local machine as the source address of the connection. |
- | tems with more than one address. | + | on systems |
- | | + | |
- | connections). | + | X11 and TCP connections). |
- | | + | “level” can be controlled |
- | lines and other slow connections, | + | |
- | can be set on a host-by-host basis in the configuration | + | on fast networks. |
+ | | ||
-c cipher_spec | -c cipher_spec | ||
| | ||
- | | + | |
- | “blowfish”, | + | “3des”, “blowfish”, |
- | | + | three different |
- | much faster than 3des. des is only supported in the ssh client for interoperability with legacy | + | appears very secure and is much faster than 3des. des is only supported in the ssh client |
- | | + | for interoperability with legacy |
- | cryptographic weaknesses. | + | cipher. |
+ | “3des”. | ||
- | For protocol version 2, cipher_spec is a comma-separated list of ciphers listed in order of prefer‐ | + | For protocol version 2, cipher_spec is a comma-separated list of ciphers listed in order of |
- | ence. See the Ciphers keyword in ssh_config(5) for more information. | + | preference. See the Ciphers keyword in ssh_config(5) for more information. |
-D [bind_address: | -D [bind_address: | ||
- | | + | |
- | | + | socket to listen to port on the local side, optionally bound to the specified bind_address. |
- | tion is made to this port, the connection is forwarded over the secure channel, and the application | + | Whenever a connection |
- | protocol is then used to determine where to connect to from the remote machine. | + | channel, and the application protocol is then used to determine where to connect to from |
- | and SOCKS5 protocols are supported, and ssh will act as a SOCKS server. | + | the remote machine. |
- | | + | act as a SOCKS server. |
+ | can also be specified in the configuration file. | ||
- | IPv6 addresses can be specified by enclosing the address in square brackets. | + | IPv6 addresses can be specified by enclosing the address in square brackets. |
- | | + | superuser can forward privileged ports. |
- | setting. | + | with the GatewayPorts setting. |
- | The bind_address of “localhost” indicates that the listening | + | connection to a specific address. |
- | an empty address or ‘*’ indicates that the port should be available from all interfaces. | + | |
+ | port should be available from all interfaces. | ||
-E log_file | -E log_file | ||
Zeile 91: | Zeile 283: | ||
-e escape_char | -e escape_char | ||
- | Sets the escape character for sessions with a pty (default: ‘~’). | + | Sets the escape character for sessions with a pty (default: ‘~’). |
- | ognized | + | only recognized |
- | tion; followed by control-Z suspends the connection; and followed by itself sends the escape | + | closes the connection; followed by control-Z suspends the connection; and followed by |
- | | + | itself sends the escape |
- | ent. | + | escapes and makes the session fully transparent. |
-F configfile | -F configfile | ||
- | | + | |
- | mand line, the system-wide configuration file (/ | + | the command |
- | the per-user configuration file is ~/ | + | The default for the per-user configuration file is ~/ |
- | | + | |
- | ask for passwords or passphrases, | + | going to ask for passwords or passphrases, |
- | recommended way to start X11 programs at a remote site is with something like ssh -f host xterm. | + | implies -n. The recommended way to start X11 programs at a remote site is with something |
+ | like ssh -f host xterm. | ||
- | If the ExitOnForwardFailure configuration option is set to “yes”, then a client started with -f will | + | If the ExitOnForwardFailure configuration option is set to “yes”, then a client started |
- | wait for all remote port forwards to be successfully established before | + | with -f will wait for all remote port forwards to be successfully established before |
- | ground. | + | ing itself in the background. |
| | ||
-I pkcs11 | -I pkcs11 | ||
- | | + | |
- | | + | viding the user's private RSA key. |
-i identity_file | -i identity_file | ||
- | | + | |
- | | + | The default is ~/ |
- | | + | |
- | a per-host basis in the configuration file. It is possible to have multiple -i options (and multiple | + | specified on a per-host basis in the configuration file. It is possible to have multiple |
- | identities specified in configuration files). | + | -i options (and multiple identities specified in configuration files). |
- | the filename obtained by appending -cert.pub to identity | + | to load certificate information from the filename obtained by appending -cert.pub to iden‐ |
+ | | ||
- | | + | |
+ | the server. | ||
| | ||
-L [bind_address: | -L [bind_address: | ||
- | | + | |
- | port on the remote side. This works by allocating a socket to listen to port on the local side, | + | host and port on the remote side. This works by allocating a socket to listen to port on |
- | optionally bound to the specified bind_address. | + | the local side, optionally bound to the specified bind_address. |
- | | + | made to this port, the connection |
- | remote machine. | + | made to host port hostport from the remote machine. |
- | can be specified by enclosing the address in square brackets. | + | in the configuration file. IPv6 addresses can be specified by enclosing the address in |
- | | + | square brackets. |
- | ever, an explicit bind_address may be used to bind the connection to a specific address. | + | port is bound in accordance with the GatewayPorts setting. |
- | bind_address of “localhost” indicates that the listening port be bound for local use only, while an | + | bind_address may be used to bind the connection to a specific address. |
- | empty address or ‘*’ indicates that the port should be available from all interfaces. | + | “localhost” indicates that the listening port be bound for local use only, while an empty |
+ | | ||
-l login_name | -l login_name | ||
- | | + | |
- | basis in the configuration file. | + | per-host basis in the configuration file. |
- | | + | |
- | “master” mode with confirmation required before slave connections are accepted. | + | places ssh into “master” mode with confirmation required before slave connections are |
- | description of ControlMaster in ssh_config(5) for details. | + | accepted. |
-m mac_spec | -m mac_spec | ||
- | | + | |
- | | + | code) algorithms can be specified in order of preference. |
+ | information. | ||
- | | + | |
+ | | ||
- | | + | |
- | is run in the background. | + | when ssh is run in the background. |
- | For example, ssh -n shadows.cs.hut.fi emacs & will start an emacs on shadows.cs.hut.fi, and the X11 | + | remote machine. |
- | connection will be automatically forwarded over an encrypted channel. | + | ows.cs.hut.fi, and the X11 connection will be automatically forwarded over an encrypted |
- | the background. | + | channel. |
- | -f option.) | + | to ask for a password or passphrase; see also the -f option.) |
-O ctl_cmd | -O ctl_cmd | ||
- | | + | |
- | | + | the ctl_cmd argument is interpreted and passed to the master process. |
- | that the master process is running), “forward” (request forwardings without command execution), | + | “check” (check that the master process is running), “forward” (request forwardings without |
- | “cancel” (cancel forwardings), | + | command execution), “cancel” (cancel forwardings), |
- | stop accepting further multiplexing requests). | + | “stop” (request the master to stop accepting further multiplexing requests). |
-o option | -o option | ||
- | Can be used to give options in the format used in the configuration file. This is useful | + | Can be used to give options in the format used in the configuration file. This is useful |
- | fying options for which there is no separate command-line flag. For full details of the options | + | for specifying |
- | listed below, and their possible values, see ssh_config(5). | + | of the options listed below, and their possible values, see ssh_config(5). |
| | ||
Zeile 257: | Zeile 455: | ||
-p port | -p port | ||
- | Port to connect to on the remote host. This can be specified on a per-host basis in the configura‐ | + | Port to connect to on the remote host. This can be specified on a per-host basis in the |
- | tion file. | + | configuration |
-Q cipher | cipher-auth | mac | kex | key | -Q cipher | cipher-auth | mac | kex | key | ||
- | | + | |
- | | + | tures are: cipher (supported symmetric ciphers), cipher-auth (supported symmetric ciphers |
- | cated encryption), | + | that support authenticated |
- | types). | + | exchange algorithms), |
| | ||
-R [bind_address: | -R [bind_address: | ||
- | | + | |
- | port on the local side. This works by allocating a socket to listen to port on the remote side, and | + | host and port on the local side. This works by allocating a socket to listen to port on |
- | whenever a connection is made to this port, the connection is forwarded | + | the remote side, and whenever a connection is made to this port, the connection is for‐ |
- | a connection is made to host port hostport from the local machine. | + | |
+ | local machine. | ||
- | Port forwardings can also be specified in the configuration file. Privileged ports can be forwarded | + | Port forwardings can also be specified in the configuration file. Privileged ports can be |
- | only when logging in as root on the remote machine. | + | forwarded |
- | address in square brackets. | + | |
- | By default, the listening socket on the server will be bound to the loopback interface only. This | + | By default, the listening socket on the server will be bound to the loopback interface |
- | may be overridden by specifying a bind_address. | + | only. This may be overridden by specifying a bind_address. |
- | that the remote socket should listen on all interfaces. | + | address ‘*’, indicates that the remote socket should listen on all interfaces. |
- | succeed if the server' | + | a remote bind_address will only succeed if the server' |
+ | sshd_config(5)). | ||
- | If the port argument is ‘0’, the listen port will be dynamically allocated on the server | + | If the port argument is ‘0’, the listen port will be dynamically allocated on the server |
- | to the client at run time. When used together with -O forward the allocated port will be printed to | + | and reported |
- | the standard output. | + | port will be printed to the standard output. |
-S ctl_path | -S ctl_path | ||
- | | + | |
- | | + | disable |
- | details. | + | ssh_config(5) for details. |
- | | + | |
- | the SSH2 protocol which facilitate the use of SSH as a secure transport for other applications (eg. | + | feature of the SSH2 protocol which facilitate the use of SSH as a secure transport for |
- | sftp(1)). | + | other applications (eg. sftp(1)). |
| | ||
- | | + | |
- | machine, which can be very useful, e.g. when implementing menu services. | + | on a remote machine, which can be very useful, e.g. when implementing menu services. |
- | tty allocation, even if ssh has no local tty. | + | |
| | ||
- | | + | |
- | ging connection, authentication, | + | in debugging |
- | bosity. The maximum is 3. | + | increase the verbosity. The maximum is 3. |
-W host:port | -W host:port | ||
- | | + | |
- | | + | secure |
- | 2 only. | + | Protocol version |
-w local_tun[: | -w local_tun[: | ||
- | | + | |
- | and the server (remote_tun). | + | (local_tun) and the server (remote_tun). |
- | The devices may be specified by numerical ID or the keyword “any”, which uses the next available tun‐ | + | The devices may be specified by numerical ID or the keyword “any”, which uses the next |
- | nel device. | + | available tunnel |
- | TunnelDevice directives in ssh_config(5). | + | the Tunnel and TunnelDevice directives in ssh_config(5). |
- | tunnel mode, which is “point-to-point”. | + | it is set to the default tunnel mode, which is “point-to-point”. |
- | | + | |
+ | file. | ||
- | X11 forwarding should be enabled with caution. | + | X11 forwarding should be enabled with caution. |
- | the remote host (for the user's X authorization database) can access the local X11 display through | + | missions on the remote host (for the user's X authorization database) can access the local |
- | the forwarded connection. | + | X11 display through the forwarded connection. |
- | | + | activities such as keystroke |
- | For this reason, X11 forwarding is subjected to X11 SECURITY extension restrictions by default. | + | For this reason, X11 forwarding is subjected to X11 SECURITY extension restrictions by |
- | | + | default. |
- | information. | + | ssh_config(5) for more information. |
| | ||
- | | + | |
- | sion controls. | + | RITY extension |
- | | + | |
- | | + | sent to stderr. |
- | ssh may additionally obtain configuration data from a per-user configuration file and a system-wide | + | ssh may additionally obtain configuration data from a per-user configuration file and a system-wide |
- | ration | + | configuration |
AUTHENTICATION | AUTHENTICATION | ||
- | The OpenSSH SSH client supports SSH protocols 1 and 2. The default is to use protocol 2 only, though this | + | The OpenSSH SSH client supports SSH protocols 1 and 2. The default is to use protocol 2 only, |
- | can be changed via the Protocol option in ssh_config(5) or the -1 and -2 options (see above). | + | though this can be changed via the Protocol option in ssh_config(5) or the -1 and -2 options (see |
- | support similar authentication methods, but protocol 2 is the default since it provides additional mechanisms | + | above). |
- | for confidentiality (the traffic is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour) and integrity | + | it provides additional mechanisms for confidentiality (the traffic is encrypted using AES, 3DES, |
- | (hmac-md5, hmac-sha1, hmac-sha2-256, | + | Blowfish, CAST128, or Arcfour) and integrity (hmac-md5, hmac-sha1, hmac-sha2-256, |
- | strong mechanism for ensuring the integrity of the connection. | + | umac-64, umac-128, hmac-ripemd160). |
+ | of the connection. | ||
- | The methods available for authentication are: GSSAPI-based authentication, | + | The methods available for authentication are: GSSAPI-based authentication, |
- | key authentication, | + | tion, public key authentication, |
- | are tried in the order specified above, though protocol 2 has a configuration | + | Authentication methods are tried in the order specified above, though protocol 2 has a configura‐ |
- | order: PreferredAuthentications. | + | |
| | ||
- | / | + | / |
- | | + | both sides, or if the files ~/.rhosts or ~/.shosts exist in the user's home directory on the remote |
- | | + | machine and contain a line containing the name of the client machine and the name of the user on |
- | is considered for login. | + | that machine, the user is considered for login. |
- | description of / | + | the client' |
- | authentication method closes security holes due to IP spoofing, DNS spoofing, and routing spoofing. | + | below) for login to be permitted. |
- | the administrator: | + | spoofing, DNS spoofing, and routing spoofing. |
- | | + | ~/.rhosts, and the rlogin/rsh protocol in general, are inherently |
+ | if security is desired.] | ||
- | | + | |
- | tems where encryption and decryption are done using separate keys, and it is unfeasible to derive the decryp‐ | + | cryptosystems |
- | tion key from the encryption key. The idea is that each user creates a public/private key pair for authenti‐ | + | derive the decryption |
- | | + | lic/private key pair for authentication |
- | public key authentication protocol automatically, | + | user knows the private key. ssh implements public key authentication protocol automatically, |
- | Protocol 1 is restricted to using only RSA keys, but protocol 2 may use any. The HISTORY section of ssl(8) | + | one of the DSA, ECDSA, ED25519 or RSA algorithms. |
- | contains a brief discussion of the DSA and RSA algorithms. | + | but protocol 2 may use any. The HISTORY section of ssl(8) contains a brief discussion of the DSA |
+ | and RSA algorithms. | ||
- | The file ~/ | + | The file ~/ |
- | in, the ssh program tells the server which key pair it would like to use for authentication. The client | + | user logs in, the ssh program tells the server which key pair it would like to use for authentica‐ |
- | proves that it has access to the private key and the server checks that the corresponding | + | tion. The client proves that it has access to the private key and the server checks that the cor‐ |
- | authorized to accept the account. | + | |
- | The user creates his/her key pair by running ssh-keygen(1). | + | The user creates his/her key pair by running ssh-keygen(1). |
- | (protocol 1), ~/ | + | ~/ |
- | 2 ED25519), or ~/ | + | ~/ |
- | ~/ | + | in ~/ |
- | ED25519), or ~/ | + | |
- | public key to ~/ | + | in the user's home directory. |
- | file corresponds to the conventional | + | in his/her home directory on the remote machine. |
- | long. After this, the user can log in without giving the password. | + | |
+ | the user can log in without giving the password. | ||
- | A variation on public key authentication is available in the form of certificate authentication: | + | A variation on public key authentication is available in the form of certificate authentication: |
- | set of public/ | + | instead of a set of public/ |
- | | + | a single trusted |
- | ssh-keygen(1) for more information. | + | CERTIFICATES section of ssh-keygen(1) for more information. |
- | The most convenient way to use public key or certificate authentication may be with an authentication agent. | + | The most convenient way to use public key or certificate authentication may be with an authentica‐ |
- | See ssh-agent(1) for more information. | + | tion agent. |
- | | + | |
- | | + | and prompts for a response. |
- | just one challenge/ | + | restricted to just one challenge/ |
- | login.conf(5)) and PAM (some non-OpenBSD systems). | + | BSD Authentication (see login.conf(5)) and PAM (some non-OpenBSD systems). |
- | | + | |
- | the remote host for checking; however, since all communications are encrypted, the password | + | is sent to the remote host for checking; however, since all communications are encrypted, the pass‐ |
- | someone listening on the network. | + | |
- | ssh automatically maintains and checks a database containing identification for all hosts it has ever been | + | ssh automatically maintains and checks a database containing identification for all hosts it has |
- | used with. Host keys are stored in ~/ | + | ever been used with. Host keys are stored in ~/ |
- | / | + | Additionally, |
- | the user's file. If a host's identification ever changes, ssh warns about this and disables password | + | hosts are automatically added to the user's file. If a host's identification ever changes, ssh |
- | | + | warns about this and disables password |
- | the encryption. | + | |
- | not known or has changed. | + | option can be used to control logins to machines whose host key is not known or has changed. |
- | When the user's identity has been accepted by the server, the server either executes the given command, or | + | When the user's identity has been accepted by the server, the server either executes the given com‐ |
- | logs into the machine and gives the user a normal shell on the remote machine. | + | mand, or logs into the machine and gives the user a normal shell on the remote machine. |
- | | + | nication with the remote command or shell will be automatically encrypted. |
- | If a pseudo-terminal has been allocated (normal login session), the user may use the escape | + | If a pseudo-terminal has been allocated (normal login session), the user may use the escape |
- | | + | ters noted below. |
- | If no pseudo-tty has been allocated, the session is transparent and can be used to reliably | + | If no pseudo-tty has been allocated, the session is transparent and can be used to reliably |
- | | + | fer binary |
- | a tty is used. | + | |
- | The session terminates when the command or shell on the remote machine exits and all X11 and TCP connections | + | The session terminates when the command or shell on the remote machine exits and all X11 and TCP |
- | have been closed. | + | connections |
ESCAPE CHARACTERS | ESCAPE CHARACTERS | ||
- | When a pseudo-terminal has been requested, ssh supports a number of functions through the use of an escape | + | When a pseudo-terminal has been requested, ssh supports a number of functions through the use of an |
- | | + | escape |
- | A single tilde character can be sent as ~~ or by following the tilde by a character other than those | + | A single tilde character can be sent as ~~ or by following the tilde by a character other than |
- | | + | those described below. |
- | character can be changed in configuration files using the EscapeChar | + | cial. The escape character can be changed in configuration files using the EscapeChar |
- | | + | |
The supported escapes (assuming the default ‘~’) are: | The supported escapes (assuming the default ‘~’) are: | ||
Zeile 449: | Zeile 654: | ||
| | ||
- | | + | |
- | it). | + | supports |
- | | + | |
- | options (see above). | + | and -D options (see above). |
- | | + | with -KL[bind_address: |
- | dynamic port-forwardings. | + | -KD[bind_address: |
- | PermitLocalCommand option is enabled in ssh_config(5). | + | local command if the PermitLocalCommand option is enabled in ssh_config(5). |
+ | available, using the -h option. | ||
- | | + | |
- | it). | + | supports |
| | ||
Zeile 466: | Zeile 672: | ||
TCP FORWARDING | TCP FORWARDING | ||
- | | + | |
- | or in a configuration file. One possible application of TCP forwarding is a secure | + | mand line or in a configuration file. One possible application of TCP forwarding is a secure |
- | server; another is going through firewalls. | + | |
- | In the example below, we look at encrypting communication between an IRC client and server, even though the | + | In the example below, we look at encrypting communication between an IRC client and server, even |
- | IRC server does not directly support encrypted communications. | + | though the IRC server does not directly support encrypted communications. |
- | the remote host using ssh, specifying a port to be used to forward connections to the remote server. | + | the user connects to the remote host using ssh, specifying a port to be used to forward connections |
- | that it is possible to start the service which is to be encrypted on the client machine, connecting to the | + | to the remote server. |
- | same local port, and ssh will encrypt and forward the connection. | + | the client machine, connecting to the same local port, and ssh will encrypt and forward the connec‐ |
+ | tion. | ||
- | The following example tunnels an IRC session from client machine “127.0.0.1” (localhost) to remote | + | The following example tunnels an IRC session from client machine “127.0.0.1” (localhost) to remote |
- | | + | server |
$ ssh -f -L 1234: | $ ssh -f -L 1234: | ||
$ irc -c '# | $ irc -c '# | ||
- | This tunnels a connection to IRC server “server.example.com”, | + | This tunnels a connection to IRC server “server.example.com”, |
- | using port 1234. It doesn' | + | “pinky”, |
- | root can open sockets on privileged ports) and doesn' | + | (remember, only root can open sockets on privileged ports) and doesn' |
- | | + | already in use. The connection |
+ | standard port for IRC services. | ||
- | The -f option backgrounds ssh and the remote command “sleep 10” is specified to allow an amount of time (10 | + | The -f option backgrounds ssh and the remote command “sleep 10” is specified to allow an amount of |
- | seconds, in the example) to start the service which is to be tunnelled. | + | time (10 seconds, in the example) to start the service which is to be tunnelled. |
- | the time specified, ssh will exit. | + | are made within the time specified, ssh will exit. |
X11 FORWARDING | X11 FORWARDING | ||
- | If the ForwardX11 variable is set to “yes” (or see the description of the -X, -x, and -Y options above) and | + | If the ForwardX11 variable is set to “yes” (or see the description of the -X, -x, and -Y options |
- | the user is using X11 (the DISPLAY environment variable is set), the connection to the X11 display is auto‐ | + | above) and the user is using X11 (the DISPLAY environment variable is set), the connection to the |
- | | + | X11 display is automatically |
- | mand) will go through the encrypted channel, and the connection to the real X server will be made from the | + | started from the shell (or command) will go through the encrypted channel, and the connection to |
- | local machine. | + | the real X server will be made from the local machine. |
- | the command line or in configuration files. | + | Forwarding of X11 connections can be configured on the command line or in configuration files. |
- | The DISPLAY value set by ssh will point to the server machine, but with a display number greater than zero. | + | The DISPLAY value set by ssh will point to the server machine, but with a display number greater |
- | This is normal, and happens because ssh creates a “proxy” X server on the server machine for forwarding the | + | than zero. This is normal, and happens because ssh creates a “proxy” X server on the server |
- | connections over the encrypted channel. | + | machine for forwarding the connections over the encrypted channel. |
- | ssh will also automatically set up Xauthority data on the server machine. | + | ssh will also automatically set up Xauthority data on the server machine. |
- | a random authorization cookie, store it in Xauthority on the server, and verify that any forwarded connec‐ | + | will generate |
- | tions carry this cookie and replace it by the real cookie when the connection is opened. | + | any forwarded connections |
- | | + | is opened. |
+ | sent in the plain). | ||
- | If the ForwardAgent variable is set to “yes” (or see the description of the -A and -a options above) and the | + | If the ForwardAgent variable is set to “yes” (or see the description of the -A and -a options |
- | user is using an authentication agent, the connection to the agent is automatically forwarded to the remote | + | above) and the user is using an authentication agent, the connection to the agent is automatically |
- | side. | + | forwarded to the remote side. |
VERIFYING HOST KEYS | VERIFYING HOST KEYS | ||
- | When connecting to a server for the first time, a fingerprint of the server' | + | When connecting to a server for the first time, a fingerprint of the server' |
- | user (unless the option StrictHostKeyChecking has been disabled). | + | sented to the user (unless the option StrictHostKeyChecking has been disabled). |
- | ssh-keygen(1): | + | be determined using ssh-keygen(1): |
$ ssh-keygen -l -f / | $ ssh-keygen -l -f / | ||
- | If the fingerprint is already known, it can be matched and the key can be accepted or rejected. | + | If the fingerprint is already known, it can be matched and the key can be accepted or rejected. |
- | the difficulty of comparing host keys just by looking at hex strings, there is also support | + | Because of the difficulty of comparing host keys just by looking at hex strings, there is also sup‐ |
- | keys visually, using random art. By setting the VisualHostKey option to “yes”, a small ASCII graphic gets | + | |
- | displayed on every login to a server, no matter if the session itself is interactive or not. By learning the | + | “yes”, a small ASCII graphic gets displayed on every login to a server, no matter if the session |
- | pattern a known server produces, a user can easily find out that the host key has changed when a completely | + | itself is interactive or not. By learning the pattern a known server produces, a user can easily |
- | different pattern is displayed. | + | find out that the host key has changed when a completely different pattern is displayed. |
- | similar to the pattern remembered only gives a good probability that the host key is the same, not guaranteed | + | these patterns are not unambiguous however, a pattern that looks similar to the pattern remembered |
- | proof. | + | only gives a good probability that the host key is the same, not guaranteed proof. |
- | To get a listing of the fingerprints along with their random art for all known hosts, the following | + | To get a listing of the fingerprints along with their random art for all known hosts, the following |
- | line can be used: | + | command |
$ ssh-keygen -lv -f ~/ | $ ssh-keygen -lv -f ~/ | ||
- | If the fingerprint is unknown, an alternative method of verification is available: SSH fingerprints | + | If the fingerprint is unknown, an alternative method of verification is available: SSH fingerprints |
- | by DNS. An additional resource record (RR), SSHFP, is added to a zonefile and the connecting | + | verified |
- | to match the fingerprint with that of the key presented. | + | |
- | In this example, we are connecting a client to a server, “host.example.com”. | + | In this example, we are connecting a client to a server, “host.example.com”. |
- | | + | records |
$ ssh-keygen -r host.example.com. | $ ssh-keygen -r host.example.com. | ||
- | The output lines will have to be added to the zonefile. | + | The output lines will have to be added to the zonefile. |
- | | + | gerprint |
$ dig -t SSHFP host.example.com | $ dig -t SSHFP host.example.com | ||
Zeile 557: | Zeile 766: | ||
SSH-BASED VIRTUAL PRIVATE NETWORKS | SSH-BASED VIRTUAL PRIVATE NETWORKS | ||
- | ssh contains support for Virtual Private Network (VPN) tunnelling using the tun(4) network pseudo-device, | + | ssh contains support for Virtual Private Network (VPN) tunnelling using the tun(4) network pseudo- |
- | | + | device, |
- | | + | PermitTunnel controls |
- | The following example would connect client network 10.0.50.0/ | + | The following example would connect client network 10.0.50.0/ |
- | | + | using a point-to-point connection from 10.1.1.1 to 10.1.1.2, provided that the SSH server running |
- | the remote network, at 192.168.1.15, | + | on the gateway to the remote network, at 192.168.1.15, |
On the client: | On the client: | ||
Zeile 577: | Zeile 786: | ||
| | ||
- | | + | |
- | | + | from user “jane” and on tun device 2 from user “john”, if PermitRootLogin is set to |
+ | “forced-commands-only”: | ||
| | ||
| | ||
- | Since an SSH-based setup entails a fair amount of overhead, it may be more suited to temporary | + | Since an SSH-based setup entails a fair amount of overhead, it may be more suited to temporary |
- | as for wireless VPNs. More permanent VPNs are better provided by tools such as ipsecctl(8) and isakmpd(8). | + | ups, such as for wireless VPNs. More permanent VPNs are better provided by tools such as |
+ | ipsecctl(8) and isakmpd(8). | ||
ENVIRONMENT | ENVIRONMENT | ||
ssh will normally set the following environment variables: | ssh will normally set the following environment variables: | ||
- | | + | |
- | by ssh to point to a value of the form “hostname: | + | matically set by ssh to point to a value of the form “hostname: |
- | host where the shell runs, and ‘n’ is an integer ≥ 1. ssh uses this special value to | + | “hostname” indicates the host where the shell runs, and ‘n’ is an integer ≥ |
- | forward X11 connections over the secure channel. | + | 1. ssh uses this special value to forward X11 connections over the secure |
- | DISPLAY explicitly, as that will render the X11 connection insecure (and will require | + | channel. |
- | the user to manually copy any required authorization cookies). | + | render the X11 connection insecure (and will require the user to manually |
+ | copy any required authorization cookies). | ||
| | ||
Zeile 604: | Zeile 816: | ||
| | ||
- | | + | |
- | was run from a terminal. | + | minal if it was run from a terminal. |
- | DISPLAY and SSH_ASKPASS are set, it will execute the program specified by SSH_ASKPASS | + | |
- | and open an X11 window to read the passphrase. | + | specified by SSH_ASKPASS and open an X11 window to read the passphrase. |
- | | + | is particularly useful when calling |
- | | + | (Note that on some machines it may be necessary |
+ | /dev/null to make this work.) | ||
- | | + | |
+ | agent. | ||
- | | + | |
- | | + | tains four space-separated values: client IP address, client port number, |
- | server port number. | + | server IP address, and server port number. |
- | | + | |
- | can be used to extract the original arguments. | + | cuted. It can be used to extract the original arguments. |
- | | + | |
- | shell or command. | + | current |
+ | is not set. | ||
- | | + | |
- | was started (i.e. the daemon passes the value on to new connections). | + | daemon |
| | ||
- | | + | |
- | if the file exists and users are allowed to change their environment. | + | environment |
- | PermitUserEnvironment option in sshd_config(5). | + | |
ENVIRONMENT | ENVIRONMENT | ||
| | ||
The reseeding of the OpenSSL random generator is usually done from / | The reseeding of the OpenSSL random generator is usually done from / | ||
- | | + | |
- | | + | generator is reseeded from / |
- | Minimum is 14 bytes. | + | SSH_USE_STRONG_RNG value. |
- | generator because insufficient entropy causes the connection to be blocked until enough entropy is | + | computers without the hardware random generator because insufficient entropy causes the |
- | available. | + | connection to be blocked until enough entropy is available. |
FILES | FILES | ||
| | ||
- | This file is used for host-based authentication (see above). | + | This file is used for host-based authentication (see above). |
- | be world-readable if the user's home directory is on an NFS partition, because sshd(8) reads it as | + | may need to be world-readable if the user's home directory is on an NFS partition, because |
- | root. Additionally, | + | sshd(8) reads it as root. Additionally, |
- | anyone else. The recommended permission for most machines is read/write for the user, and not acces‐ | + | have write permissions for anyone else. The recommended permission for most machines is |
- | | + | read/write for the user, and not accessible |
| | ||
- | This file is used in exactly the same way as .rhosts, but allows host-based authentication | + | This file is used in exactly the same way as .rhosts, but allows host-based authentication |
- | | + | without |
| | ||
- | This directory is the default location for all user-specific configuration and authentication infor‐ | + | This directory is the default location for all user-specific configuration and authentica‐ |
- | mation. There is no general requirement to keep the entire contents of this directory secret, but | + | tion information. There is no general requirement to keep the entire contents of this |
- | the recommended permissions are read/ | + | directory secret, but the recommended permissions are read/ |
+ | not accessible by others. | ||
| | ||
- | Lists the public keys (DSA, ECDSA, ED25519, RSA) that can be used for logging in as this user. The | + | Lists the public keys (DSA, ECDSA, ED25519, RSA) that can be used for logging in as this |
- | format of this file is described in the sshd(8) manual page. This file is not highly sensitive, but | + | user. The format of this file is described in the sshd(8) manual page. This file is not |
- | the recommended permissions are read/write for the user, and not accessible by others. | + | highly sensitive, but the recommended permissions are read/write for the user, and not |
+ | accessible by others. | ||
| | ||
- | This is the per-user configuration file. The file format and configuration options are described in | + | This is the per-user configuration file. The file format and configuration options are |
- | | + | described in ssh_config(5). |
- | | + | permissions: |
| | ||
Zeile 676: | Zeile 893: | ||
| | ||
| | ||
- | | + | |
- | able by the user but not accessible by others (read/ | + | be readable |
- | key file if it is accessible by others. | + | ignore a private key file if it is accessible by others. |
- | key which will be used to encrypt the sensitive part of this file using 3DES. | + | passphrase when generating the key which will be used to encrypt the sensitive part of this |
+ | file using 3DES. | ||
| | ||
Zeile 686: | Zeile 904: | ||
| | ||
| | ||
- | | + | |
- | readable by anyone. | + | need not) be readable by anyone. |
| | ||
- | | + | |
- | temwide | + | the systemwide |
+ | this file. | ||
| | ||
- | | + | |
- | command) is started. | + | shell (or command) is started. |
/ | / | ||
- | This file is for host-based authentication (see above). | + | This file is for host-based authentication (see above). |
+ | root. | ||
/ | / | ||
- | This file is used in exactly the same way as hosts.equiv, | + | This file is used in exactly the same way as hosts.equiv, |
- | out permitting login with rlogin/rsh. | + | tion without |
/ | / | ||
Zeile 713: | Zeile 933: | ||
/ | / | ||
/ | / | ||
- | These files contain the private parts of the host keys and are used for host-based | + | These files contain the private parts of the host keys and are used for host-based |
- | If protocol version 1 is used, ssh must be setuid root, since the host key is readable only by root. | + | tication. |
- | For protocol version 2, ssh uses ssh-keysign(8) to access the host keys, eliminating the requirement | + | readable only by root. For protocol version 2, ssh uses ssh-keysign(8) to access the host |
- | that ssh be setuid root when host-based authentication is used. By default ssh is not setuid root. | + | keys, eliminating the requirement that ssh be setuid root when host-based authentication is |
+ | used. By default ssh is not setuid root. | ||
/ | / | ||
- | | + | |
- | tain the public host keys of all machines in the organization. | + | tor to contain |
- | sshd(8) for further details of the format of this file. | + | world-readable. |
/ | / | ||
- | | + | |
- | command) is started. | + | shell (or command) is started. |
EXIT STATUS | EXIT STATUS | ||
Zeile 731: | Zeile 952: | ||
IPV6 | IPV6 | ||
- | IPv6 address can be used everywhere where IPv4 address. In all entries must be the IPv6 address | + | IPv6 address can be used everywhere where IPv4 address. In all entries must be the IPv6 address |
- | | + | enclosed in square brackets. Note: The square brackets are metacharacters for the shell and must be |
+ | escaped in shell. | ||
SEE ALSO | SEE ALSO | ||
Zeile 739: | Zeile 961: | ||
STANDARDS | STANDARDS | ||
- | S. Lehtinen and C. Lonvick, The Secure Shell (SSH) Protocol Assigned Numbers, RFC 4250, January 2006. | + | S. Lehtinen and C. Lonvick, The Secure Shell (SSH) Protocol Assigned Numbers, RFC 4250, January |
+ | 2006. | ||
T. Ylonen and C. Lonvick, The Secure Shell (SSH) Protocol Architecture, | T. Ylonen and C. Lonvick, The Secure Shell (SSH) Protocol Architecture, | ||
Zeile 749: | Zeile 972: | ||
T. Ylonen and C. Lonvick, The Secure Shell (SSH) Connection Protocol, RFC 4254, January 2006. | T. Ylonen and C. Lonvick, The Secure Shell (SSH) Connection Protocol, RFC 4254, January 2006. | ||
- | J. Schlyter and W. Griffin, Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints, | + | J. Schlyter and W. Griffin, Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints, |
- | | + | 4255, January 2006. |
- | F. Cusack and M. Forssen, Generic Message Exchange Authentication for the Secure Shell Protocol (SSH), RFC | + | F. Cusack and M. Forssen, Generic Message Exchange Authentication for the Secure Shell Protocol |
- | 4256, January 2006. | + | (SSH), RFC 4256, January 2006. |
- | J. Galbraith and P. Remaker, The Secure Shell (SSH) Session Channel Break Extension, RFC 4335, January 2006. | + | J. Galbraith and P. Remaker, The Secure Shell (SSH) Session Channel Break Extension, RFC 4335, |
- | + | ||
- | M. Bellare, T. Kohno, and C. Namprempre, The Secure Shell (SSH) Transport Layer Encryption Modes, RFC 4344, | + | |
| | ||
- | B. Harris, Improved Arcfour Modes for the Secure Shell (SSH) Transport Layer Protocol, RFC 4345, January | + | M. Bellare, T. Kohno, and C. Namprempre, The Secure Shell (SSH) Transport Layer Encryption Modes, |
- | 2006. | + | RFC 4344, January 2006. |
+ | |||
+ | B. Harris, Improved Arcfour Modes for the Secure Shell (SSH) Transport Layer Protocol, RFC 4345, | ||
+ | January | ||
- | M. Friedl, N. Provos, and W. Simpson, Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport | + | M. Friedl, N. Provos, and W. Simpson, Diffie-Hellman Group Exchange for the Secure Shell (SSH) |
- | Layer Protocol, RFC 4419, March 2006. | + | Transport |
J. Galbraith and R. Thayer, The Secure Shell (SSH) Public Key File Format, RFC 4716, November 2006. | J. Galbraith and R. Thayer, The Secure Shell (SSH) Public Key File Format, RFC 4716, November 2006. | ||
- | D. Stebila and J. Green, Elliptic Curve Algorithm Integration in the Secure Shell Transport Layer, RFC 5656, | + | D. Stebila and J. Green, Elliptic Curve Algorithm Integration in the Secure Shell Transport Layer, |
- | December 2009. | + | RFC 5656, December 2009. |
A. Perrig and D. Song, Hash Visualization: | A. Perrig and D. Song, Hash Visualization: | ||
Zeile 775: | Zeile 999: | ||
AUTHORS | AUTHORS | ||
- | | + | |
- | Beck, Markus Friedl, Niels Provos, Theo de Raadt and Dug Song removed many bugs, re-added newer features and | + | bell, Bob Beck, Markus Friedl, Niels Provos, Theo de Raadt and Dug Song removed many bugs, re-added |
- | created OpenSSH. | + | newer features and created OpenSSH. |
+ | | ||
- | BSD November 12, 2016 | + | BSD |
+ | |||
+ | |||
+ | |||
+ | |||
+ | |||
+ | ===== ssh in der Praxis ===== | ||
+ | Auch wenn Passworte bei **ssh** verschlüsselt übertragen werden, wollen wir **__zwei wesentliche Aspekte__** bei Verwendung der **ssh** berücksichtigen: | ||
+ | - Der Benutzer **root** soll sich bei unseren Systemen nicht mehr remote anmelden dürfen. Lediglich ein oder die berechtigten Nutzern erhalten die Erlaubnis, von entfernter Stelle sich anzumelden. Via '' | ||
+ | - Wir werden Key-basierte Anmeldungen verwenden und **__keine__** Anmeldungen mit Passwort zulassen. Somit laufen wir nicht in Gefahr, Zugänge durch Trivialpassworte angreifbar zu machen. Stattdessen werden wir uns für unsere Administratoren und berechtigten Nutzern, ein Schlüsselpaar bestehend aus privaten und öffentlichen Schlüssel erzeugen. Bei der Erzeugung dieses Schlüsselpaares werden wir eine Schlüsselpasswort (passphrase) angeben, welches Zur Nutzung des Schlüssel abgefragt wird. | ||
+ | |||
+ | |||
+ | |||
+ | Zum Erstellen eines Schlüsselpaares nutzen wir das Programm **ssh-keygen**. Einen Überberlick über die möglichen Optionen erhalten wir beim Abruf der zugehörigen **manpage**. | ||
+ | # man ssh-keygen | ||
+ | |||
+ | < | ||
+ | |||
+ | NAME | ||
+ | | ||
+ | |||
+ | SYNOPSIS | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | [-K checkpt] [-W generator] | ||
+ | | ||
+ | [-V validity_interval] [-z serial_number] file ... | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | |||
+ | DESCRIPTION | ||
+ | | ||
+ | RSA keys for use by SSH protocol version 1 and DSA, ECDSA, ED25519 or RSA keys for use by SSH pro‐ | ||
+ | tocol version 2. The type of key to be generated is specified with the -t option. | ||
+ | | ||
+ | |||
+ | | ||
+ | the MODULI GENERATION section for details. | ||
+ | |||
+ | | ||
+ | given keys have been revoked by one. See the KEY REVOCATION LISTS section for details. | ||
+ | |||
+ | | ||
+ | | ||
+ | | ||
+ | in /etc/rc. | ||
+ | |||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | of characters you want. Good passphrases are 10-30 characters long, are not simple sentences or | ||
+ | | ||
+ | very bad passphrases), | ||
+ | meric characters. | ||
+ | |||
+ | There is no way to recover a lost passphrase. | ||
+ | must be generated and the corresponding public key copied to other machines. | ||
+ | |||
+ | For RSA1 keys, there is also a comment field in the key file that is only for convenience to the | ||
+ | user to help identify the key. The comment can tell what the key is for, or whatever is useful. | ||
+ | The comment is initialized to “user@host” when the key is created, but can be changed using the -c | ||
+ | | ||
+ | |||
+ | After a key is generated, instructions below detail where the keys should be placed to be acti‐ | ||
+ | | ||
+ | |||
+ | The options are as follows: | ||
+ | |||
+ | | ||
+ | | ||
+ | bits for the key type, and default comment. | ||
+ | | ||
+ | |||
+ | -a rounds | ||
+ | When saving a new-format private key (i.e. an ed25519 key or any SSH protocol 2 key when | ||
+ | the -o flag is set), this option specifies the number of KDF (key derivation function) | ||
+ | | ||
+ | tance to brute-force password cracking (should the keys be stolen). | ||
+ | |||
+ | When screening DH-GEX candidates ( using the -T command). | ||
+ | of primality tests to perform. | ||
+ | |||
+ | | ||
+ | |||
+ | -b bits | ||
+ | | ||
+ | bits and the default is 2048 bits. Generally, 2048 bits is considered sufficient. | ||
+ | keys must be exactly 1024 bits as specified by FIPS 186-2. | ||
+ | | ||
+ | 521 bits. Attempting to use bit lengths other than these three values for ECDSA keys will | ||
+ | | ||
+ | |||
+ | -C comment | ||
+ | | ||
+ | |||
+ | | ||
+ | | ||
+ | for the passphrase if the key has one, and for the new comment. | ||
+ | |||
+ | -D pkcs11 | ||
+ | | ||
+ | | ||
+ | the CERTIFICATES section for details). | ||
+ | |||
+ | | ||
+ | one of the formats specified by the -m option. | ||
+ | This option allows exporting OpenSSH keys for use by other programs, including several com‐ | ||
+ | | ||
+ | |||
+ | -F hostname | ||
+ | | ||
+ | This option is useful to find hashed host names or addresses and may also be used in con‐ | ||
+ | | ||
+ | |||
+ | -f filename | ||
+ | | ||
+ | |||
+ | -G output_file | ||
+ | | ||
+ | -T option) before use. | ||
+ | |||
+ | | ||
+ | |||
+ | | ||
+ | tions within the specified file; the original content is moved to a file with a .old suf‐ | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | |||
+ | | ||
+ | the CERTIFICATES section for details. | ||
+ | |||
+ | -I certificate_identity | ||
+ | | ||
+ | for details. | ||
+ | |||
+ | | ||
+ | by the -m option and print an OpenSSH compatible private (or public) key to stdout. | ||
+ | |||
+ | -J num_lines | ||
+ | Exit after screening the specified number of lines while performing DH candidate screening | ||
+ | using the -T option. | ||
+ | |||
+ | -j start_line | ||
+ | Start screening at the specified line number while performing DH candidate screening using | ||
+ | the -T option. | ||
+ | |||
+ | -K checkpt | ||
+ | Write the last line processed to the file checkpt while performing DH candidate screening | ||
+ | using the -T option. | ||
+ | been processed if the job is restarted. | ||
+ | ware, including several commercial SSH implementations. | ||
+ | | ||
+ | |||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | |||
+ | | ||
+ | |||
+ | | ||
+ | RSA and DSA keys ssh-keygen tries to find the matching public key file and prints its fin‐ | ||
+ | | ||
+ | | ||
+ | |||
+ | -M memory | ||
+ | | ||
+ | | ||
+ | |||
+ | -m key_format | ||
+ | | ||
+ | key formats are: “RFC4716” (RFC 4716/SSH2 public or private key), “PKCS8” (PEM PKCS8 public | ||
+ | key) or “PEM” (PEM public key). The default conversion format is “RFC4716”. | ||
+ | |||
+ | -N new_passphrase | ||
+ | | ||
+ | |||
+ | -n principals | ||
+ | | ||
+ | | ||
+ | | ||
+ | |||
+ | -O option | ||
+ | | ||
+ | | ||
+ | user certificates are: | ||
+ | |||
+ | | ||
+ | | ||
+ | |||
+ | | ||
+ | | ||
+ | user when the certificate is used for authentication. | ||
+ | |||
+ | | ||
+ | | ||
+ | |||
+ | | ||
+ | | ||
+ | |||
+ | | ||
+ | |||
+ | | ||
+ | | ||
+ | |||
+ | | ||
+ | | ||
+ | |||
+ | | ||
+ | | ||
+ | |||
+ | | ||
+ | | ||
+ | |||
+ | | ||
+ | | ||
+ | |||
+ | | ||
+ | | ||
+ | |||
+ | | ||
+ | | ||
+ | |||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | |||
+ | At present, no options are valid for host keys. | ||
+ | |||
+ | | ||
+ | than the more compatible PEM format. | ||
+ | force password cracking but is not supported by versions of OpenSSH prior to 6.5. Ed25519 | ||
+ | keys always use the new private key format. | ||
+ | |||
+ | -P passphrase | ||
+ | | ||
+ | |||
+ | | ||
+ | | ||
+ | | ||
+ | |||
+ | | ||
+ | |||
+ | | ||
+ | |||
+ | -R hostname | ||
+ | | ||
+ | | ||
+ | |||
+ | -r hostname | ||
+ | Print the SSHFP fingerprint resource record named hostname for the specified public key | ||
+ | | ||
+ | |||
+ | -S start | ||
+ | | ||
+ | |||
+ | -s ca_key | ||
+ | | ||
+ | tion for details. | ||
+ | |||
+ | When generating a KRL, -s specifies a path to a CA public key file used to revoke certifi‐ | ||
+ | cates directly by key ID or serial number. | ||
+ | | ||
+ | |||
+ | -T output_file | ||
+ | Test DH group exchange candidate primes (generated using the -G option) for safety. | ||
+ | |||
+ | -t type | ||
+ | | ||
+ | and “dsa”, “ecdsa”, | ||
+ | |||
+ | | ||
+ | | ||
+ | |||
+ | -V validity_interval | ||
+ | | ||
+ | a single time, indicating that the certificate is valid beginning now and expiring at that | ||
+ | time, or may consist of two times separated by a colon to indicate an explicit time inter‐ | ||
+ | | ||
+ | MMSS format or a relative time (to the current time) consisting of a minus sign followed by | ||
+ | a relative time in the format described in the TIME FORMATS section of sshd_config(5). | ||
+ | end time may be specified as a YYYYMMDD date, a YYYYMMDDHHMMSS time or a relative time | ||
+ | | ||
+ | |||
+ | For example: “+52w1d” (valid from now to 52 weeks and one day from now), “-4w: | ||
+ | from four weeks ago to four weeks from now), “20100101123000: | ||
+ | 12:30 PM, January 1st, 2010 to 12:30 PM, January 1st, 2011), “-1d: | ||
+ | | ||
+ | |||
+ | | ||
+ | | ||
+ | | ||
+ | |||
+ | -W generator | ||
+ | | ||
+ | |||
+ | | ||
+ | | ||
+ | |||
+ | -z serial_number | ||
+ | | ||
+ | from others from the same CA. The default serial number is zero. | ||
+ | |||
+ | When generating a KRL, the -z flag is used to specify a KRL version number. | ||
+ | |||
+ | MODULI GENERATION | ||
+ | | ||
+ | | ||
+ | but memory intensive process. | ||
+ | sive process). | ||
+ | |||
+ | | ||
+ | | ||
+ | |||
+ | # ssh-keygen -G moduli-2048.candidates -b 2048 | ||
+ | |||
+ | By default, the search for primes begins at a random point in the desired length range. | ||
+ | be overridden using the -S option, which specifies a different start point (in hex). | ||
+ | |||
+ | Once a set of candidates have been generated, they must be screened for suitability. | ||
+ | | ||
+ | (or a file specified using the -f option). | ||
+ | |||
+ | # ssh-keygen -T moduli-2048 -f moduli-2048.candidates | ||
+ | |||
+ | By default, each candidate will be subjected to 100 primality tests. | ||
+ | the -a option. | ||
+ | | ||
+ | tor values are 2, 3, and 5. | ||
+ | |||
+ | | ||
+ | | ||
+ | |||
+ | CERTIFICATES | ||
+ | | ||
+ | | ||
+ | | ||
+ | (CA) key. Clients or servers may then trust only the CA key and verify its signature on a certifi‐ | ||
+ | cate rather than trusting many user/host keys. Note that OpenSSH certificates are a different, and | ||
+ | much simpler, format to the X.509 certificates used in ssl(8). | ||
+ | |||
+ | | ||
+ | to servers, whereas host certificates authenticate server hosts to users. | ||
+ | | ||
+ | |||
+ | $ ssh-keygen -s / | ||
+ | |||
+ | The resultant certificate will be placed in / | ||
+ | | ||
+ | |||
+ | $ ssh-keygen -s / | ||
+ | |||
+ | The host certificate will be output to / | ||
+ | |||
+ | It is possible to sign using a CA key stored in a PKCS#11 token by providing the token library | ||
+ | using -D and identifying the CA key by providing its public half as an argument to -s: | ||
+ | |||
+ | $ ssh-keygen -s ca_key.pub -D libpkcs11.so -I key_id host_key.pub | ||
+ | |||
+ | In all cases, key_id is a "key identifier" | ||
+ | used for authentication. | ||
+ | |||
+ | | ||
+ | | ||
+ | set of principals: | ||
+ | |||
+ | $ ssh-keygen -s ca_key -I key_id -n user1,user2 user_key.pub | ||
+ | $ ssh-keygen -s ca_key -I key_id -h -n host.domain user_key.pub | ||
+ | |||
+ | | ||
+ | | ||
+ | when presented from particular source addresses or may force the use of a specific command. | ||
+ | list of valid certificate options, see the documentation for the -O option above. | ||
+ | |||
+ | | ||
+ | of certificate start and end times. | ||
+ | will not be considered valid. | ||
+ | | ||
+ | |||
+ | For certificates to be used for user or host authentication, | ||
+ | | ||
+ | |||
+ | KEY REVOCATION LISTS | ||
+ | | ||
+ | ify keys or certificates to be revoked using a compact format, taking as little as one bit per cer‐ | ||
+ | | ||
+ | |||
+ | KRLs may be generated using the -k flag. This option reads one or more files from the command line | ||
+ | and generates a new KRL. The files may either contain a KRL specification (see below) or public | ||
+ | keys, listed one per line. Plain public keys are revoked by listing their hash or contents in the | ||
+ | KRL and certificates revoked by serial number or key ID (if the serial is zero or not available). | ||
+ | |||
+ | | ||
+ | | ||
+ | ing the complete original certificate on hand. A KRL specification consists of lines containing | ||
+ | one of the following directives followed by a colon and some directive-specific information. | ||
+ | |||
+ | | ||
+ | | ||
+ | not including zero and may be expressed in decimal, hex or octal. | ||
+ | are specified separated by a hyphen, then the range of serial numbers including and between | ||
+ | each is revoked. | ||
+ | the -s option. | ||
+ | |||
+ | id: key_id | ||
+ | | ||
+ | fied on the ssh-keygen command line using the -s option. | ||
+ | |||
+ | key: public_key | ||
+ | | ||
+ | lic key. | ||
+ | |||
+ | sha1: public_key | ||
+ | | ||
+ | |||
+ | KRLs may be updated using the -u flag in addition to -k. When this option is specified, keys | ||
+ | | ||
+ | |||
+ | It is also possible, given a KRL, to test whether it revokes a particular key (or keys). | ||
+ | flag will query an existing KRL, testing each key specified on the commandline. | ||
+ | on the command line has been revoked (or an error encountered) then ssh-keygen will exit with a | ||
+ | | ||
+ | |||
+ | FILES | ||
+ | | ||
+ | | ||
+ | not be readable by anyone but the user. It is possible to specify a passphrase when gener‐ | ||
+ | ating the key; that passphrase will be used to encrypt the private part of this file using | ||
+ | | ||
+ | | ||
+ | |||
+ | | ||
+ | | ||
+ | file should be added to ~/ | ||
+ | in using RSA authentication. | ||
+ | |||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | a passphrase when generating the key; that passphrase will be used to encrypt the private | ||
+ | part of this file using 128-bit AES. This file is not automatically accessed by ssh-keygen | ||
+ | but it is offered as the default file for the private key. ssh(1) will read this file when | ||
+ | a login attempt is made. | ||
+ | |||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | The contents of this file should be added to ~/ | ||
+ | the user wishes to log in using public key authentication. | ||
+ | | ||
+ | | ||
+ | |||
+ | | ||
+ | | ||
+ | file should be added to ~/ | ||
+ | in using RSA authentication. | ||
+ | |||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | a passphrase when generating the key; that passphrase will be used to encrypt the private | ||
+ | part of this file using 128-bit AES. This file is not automatically accessed by ssh-keygen | ||
+ | but it is offered as the default file for the private key. ssh(1) will read this file when | ||
+ | a login attempt is made. | ||
+ | |||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | The contents of this file should be added to ~/ | ||
+ | the user wishes to log in using public key authentication. | ||
+ | | ||
+ | |||
+ | / | ||
+ | | ||
+ | |||
+ | ENVIRONMENT | ||
+ | | ||
+ | The reseeding of the OpenSSL random generator is usually done from / | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | | ||
+ | |||
+ | SEE ALSO | ||
+ | | ||
+ | |||
+ | The Secure Shell (SSH) Public Key File Format, RFC 4716, 2006. | ||
+ | |||
+ | AUTHORS | ||
+ | | ||
+ | bell, Bob Beck, Markus Friedl, Niels Provos, Theo de Raadt and Dug Song removed many bugs, re-added | ||
+ | newer features and created OpenSSH. | ||
+ | sions 1.5 and 2.0. | ||
+ | |||
+ | BSD | ||
</ | </ | ||
- | ===== openSSH - Programmsuite ===== | ||
- | Die für die **// | ||
- | * openssh : Die OpenSSH-Implementierung der SSH Protokoll-Versionen 2 (und 1) | ||
- | * openssh-clients : Die OpenSSH-Client-Anwendungen | ||
- | * openssh-server : Der OpenSSH-Server Daemon | ||
- | * openssh-askpass : Passphrase-Dialog für OpenSSH und X | ||
- | ==== openssh ==== | ||
- | Mittels '' | ||
- | # rpm -qil openssh | + | Bevor wir uns die Entscheidung treffen können, welchen Schlüssel-Typ wir erzeugen wollen, müssen wir überlegen, von welchem System wir aus auf unseren Linux/ |
- | < | + | |
- | Version | + | |
- | Release | + | |
- | Architecture: | + | |
- | Install Date: Wed 23 Mar 2016 07:14:52 PM CET | + | |
- | Group : Applications/ | + | |
- | Size : 1450050 | + | |
- | License | + | |
- | Signature | + | |
- | Source RPM : openssh-6.6.1p1-25.el7_2.src.rpm | + | |
- | Build Date : Mon 21 Mar 2016 11:18:48 PM CET | + | |
- | Build Host : worker1.bsys.centos.org | + | |
- | Relocations : (not relocatable) | + | |
- | Packager | + | |
- | Vendor | + | |
- | URL : http://www.openssh.com/ | + | |
- | Summary | + | |
- | Description : | + | |
- | SSH (Secure SHell) is a program for logging into and executing | + | |
- | commands on a remote machine. SSH is intended to replace rlogin and | + | |
- | rsh, and to provide secure encrypted communications between two | + | |
- | untrusted hosts over an insecure network. X11 connections and | + | |
- | arbitrary TCP/IP ports can also be forwarded over the secure channel. | + | |
- | OpenSSH is OpenBSD' | + | Hier empfiehlt es sich auf den beteiligten System zu überprüfen, welche Cipher, MACs, Schlüssel Typen und Key Exchange Algorithmen unterstützt werden. Zum Abfragen können wir den Befehl **ssh** mit der Option //**-Q**// verwenden. |
- | it up to date in terms of security and features. | + | |
- | This package includes the core files necessary for both the OpenSSH | + | === Liste der unterstützten Cipher === |
- | client and server. To make this package useful, you should also | + | # ssh -Q cipher |
- | install openssh-clients, | + | < |
- | /etc/ssh | + | blowfish-cbc |
- | / | + | cast128-cbc |
- | /usr/bin/ssh-keygen | + | arcfour |
- | / | + | arcfour128 |
- | / | + | arcfour256 |
- | / | + | aes128-cbc |
- | / | + | aes192-cbc |
- | / | + | aes256-cbc |
- | / | + | rijndael-cbc@lysator.liu.se |
- | / | + | aes128-ctr |
- | / | + | aes192-ctr |
- | / | + | aes256-ctr |
- | / | + | aes128-gcm@openssh.com |
- | / | + | aes256-gcm@openssh.com |
- | / | + | chacha20-poly1305@openssh.com</ |
- | / | + | |
- | / | + | |
- | / | + | |
- | / | + | |
- | / | + | |
- | / | + | |
- | / | + | |
- | / | + | |
- | / | + | |
- | / | + | |
- | / | + | |
- | / | + | |
- | / | + | |
+ | === Liste der unterstützten MACs === | ||
+ | # ssh -Q mac | ||
+ | < | ||
+ | hmac-sha1-96 | ||
+ | hmac-sha2-256 | ||
+ | hmac-sha2-512 | ||
+ | hmac-md5 | ||
+ | hmac-md5-96 | ||
+ | hmac-ripemd160 | ||
+ | hmac-ripemd160@openssh.com | ||
+ | umac-64@openssh.com | ||
+ | umac-128@openssh.com | ||
+ | hmac-sha1-etm@openssh.com | ||
+ | hmac-sha1-96-etm@openssh.com | ||
+ | hmac-sha2-256-etm@openssh.com | ||
+ | hmac-sha2-512-etm@openssh.com | ||
+ | hmac-md5-etm@openssh.com | ||
+ | hmac-md5-96-etm@openssh.com | ||
+ | hmac-ripemd160-etm@openssh.com | ||
+ | umac-64-etm@openssh.com | ||
+ | umac-128-etm@openssh.com</ | ||
- | ==== openssh-clients | + | === Liste der unterstützten Schlüssel Typen ==== |
- | Beim Paket **openssh-clients** wird mitgeliefert: | + | # ssh -Q key |
+ | < | ||
+ | ssh-dss | ||
+ | ssh-ed25519 | ||
+ | ecdsa-sha2-nistp256 | ||
+ | ecdsa-sha2-nistp384 | ||
+ | ecdsa-sha2-nistp521 | ||
+ | ssh-rsa-cert-v01@openssh.com | ||
+ | ssh-dss-cert-v01@openssh.com | ||
+ | ecdsa-sha2-nistp256-cert-v01@openssh.com | ||
+ | ecdsa-sha2-nistp384-cert-v01@openssh.com | ||
+ | ecdsa-sha2-nistp521-cert-v01@openssh.com | ||
+ | ssh-rsa-cert-v00@openssh.com | ||
+ | ssh-dss-cert-v00@openssh.com | ||
+ | ssh-ed25519-cert-v01@openssh.com | ||
+ | null</ | ||
- | # rpm -qil openssh-clients | + | === Liste alller unterstützten Key Exchange Algorithmen === |
- | < | + | # ssh -Q kex |
- | Version | + | < |
- | Release | + | diffie-hellman-group14-sha1 |
- | Architecture: | + | diffie-hellman-group-exchange-sha1 |
- | Install Date: Wed 23 Mar 2016 07:14:59 PM CET | + | diffie-hellman-group-exchange-sha256 |
- | Group : Applications/ | + | ecdh-sha2-nistp256 |
- | Size : 2298871 | + | ecdh-sha2-nistp384 |
- | License | + | ecdh-sha2-nistp521 |
- | Signature | + | diffie-hellman-group1-sha1 |
- | Source RPM : openssh-6.6.1p1-25.el7_2.src.rpm | + | curve25519-sha256@libssh.org |
- | Build Date : Mon 21 Mar 2016 11:18:48 PM CET | + | gss-gex-sha1- |
- | Build Host : worker1.bsys.centos.org | + | gss-group1-sha1- |
- | Relocations : (not relocatable) | + | gss-group14-sha1-</ |
- | Packager | + | |
- | Vendor | + | |
- | URL : http:// | + | |
- | Summary | + | |
- | Description : | + | |
- | OpenSSH is a free version of SSH (Secure SHell), a program for logging | + | |
- | into and executing commands on a remote machine. This package includes | + | |
- | the clients necessary to make encrypted connections to SSH servers. | + | |
- | / | + | |
- | / | + | |
- | / | + | |
- | / | + | |
- | / | + | |
- | / | + | |
- | / | + | |
- | / | + | |
- | / | + | |
- | / | + | |
- | / | + | |
- | / | + | |
- | / | + | |
- | / | + | |
- | / | + | |
- | / | + | |
- | / | + | |
- | / | + | |
- | / | + | |
- | / | + | |
- | / | + | |
- | ==== openssh-server ==== | + | |
- | Hingegen liefert uns **openssh-server** folgende Dateien: | + | |
- | # rpm -qil openssh-server | ||
- | < | ||
- | Release | ||
- | Architecture: | ||
- | Install Date: Wed 23 Mar 2016 07:14:58 PM CET | ||
- | Group : System Environment/ | ||
- | Size : 943088 | ||
- | License | ||
- | Signature | ||
- | Source RPM : openssh-6.6.1p1-25.el7_2.src.rpm | ||
- | Build Date : Mon 21 Mar 2016 11:18:48 PM CET | ||
- | Build Host : worker1.bsys.centos.org | ||
- | Relocations : (not relocatable) | ||
- | Packager | ||
- | Vendor | ||
- | URL : http:// | ||
- | Summary | ||
- | Description : | ||
- | OpenSSH is a free version of SSH (Secure SHell), a program for logging | ||
- | into and executing commands on a remote machine. This package contains | ||
- | the secure shell daemon (sshd). The sshd daemon allows SSH clients to | ||
- | securely connect to your SSH server. | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | ==== openssh-askpass ==== | ||
- | Zu guter Letzt sehen wir uns noch das Paket **openssh-askpass** genauer an: | ||
- | # rpm -qil openssh-askpass | + | ==== Erzeugung eines Schlüsselpäärchens |
- | < | + | === RSA Key === |
- | Version | + | Im ersten Beispiel |
- | Release | + | $ ssh-keygen -b 4096 -t rsa -C django@nausch.org -f ~/ |
- | Architecture: | + | |
- | Install Date: Sat 12 Nov 2016 08:22:40 PM CET | + | < |
- | Group : Applications/ | + | |
- | Size : 15944 | + | |
- | License | + | |
- | Signature | + | |
- | Source RPM : openssh-6.6.1p1-25.el7_2.src.rpm | + | |
- | Build Date : Mon 21 Mar 2016 11:18:48 PM CET | + | |
- | Build Host : worker1.bsys.centos.org | + | |
- | Relocations : (not relocatable) | + | |
- | Packager | + | |
- | Vendor | + | |
- | URL : http:// | + | |
- | Summary | + | |
- | Description : | + | |
- | OpenSSH is a free version of SSH (Secure SHell), a program for logging | + | |
- | into and executing commands on a remote machine. This package contains | + | |
- | an X11 passphrase dialog for OpenSSH. | + | |
- | / | + | |
- | / | + | |
- | / | + | |
- | / | + | |
- | ===== Konfiguration ===== | + | |
- | ==== ssh Daemon ==== | + | |
- | ===== ssh in der Praxis ===== | + | |
- | Auch wenn das Passwort bei **ssh** verschlüsselt übertragen wird, lohnt ein Blick auf die Alternative | + | |
- | Einfacher geht dies über asymetrische Schlüssel. | + | |
- | ==== Erzeugung eines Schlüssel | + | |
- | Als erstes | + | |
- | < | + | |
- | Generating public/ | + | |
- | Enter file in which to save the key (/ | + | |
Enter passphrase (empty for no passphrase): | Enter passphrase (empty for no passphrase): | ||
Enter same passphrase again: | Enter same passphrase again: | ||
- | Your identification has been saved in / | + | Your identification has been saved in / |
- | Your public key has been saved in / | + | Your public key has been saved in / |
The key fingerprint is: | The key fingerprint is: | ||
- | 2b:83:69:f2:76:e8:c9:8b:cf:34:c8:c2:ae:2b:e1:ee django@host.nausch.org</ | + | 44:8b:1a:4b:87:95:3a:23:af:65:b7:e6:1a:bf:98:3d django@nausch.org |
+ | The key's randomart image is: | ||
+ | +--[ RSA 4096]----+ | ||
+ | | ... | | ||
+ | | o.o . | | ||
+ | | +.o o | | ||
+ | | ..+= . | | ||
+ | | | ||
+ | | + . | | ||
+ | | +.. . | | ||
+ | | . *E | | ||
+ | | ++=o | | ||
+ | +-----------------+</ | ||
+ | |||
+ | Die // | ||
+ | |||
+ | Nun liegen in dem Verzeichnis **/ | ||
+ | # ll ~/ | ||
+ | < | ||
+ | -rw-r--r--. 1 django django | ||
+ | |||
+ | **id_rsa4096_dmz** enthält den privaten Schlüssel und sollte auf keinen Fall weitergegeben werden und darf auch __nur__ für den Nutzer selbst lesbar sein! **id_rsa4096_dmz.pub**, | ||
+ | |||
+ | === ED25519 Key === | ||
+ | Ob man in Zeiten von Überwachungsphantasten bei einer NSA oder BND, noch solhcen Schlüssel einsetzen kann und mag, muss natürlich jeder Admin für sich sekbst entscheiden. Auf solche Schlüssel muss man aber nicht mehr zwingend zurückgreifen, | ||
$ ssh-keygen -t ed25519 -o -a 100 -C django@nausch.org -f ~/ | $ ssh-keygen -t ed25519 -o -a 100 -C django@nausch.org -f ~/ | ||
+ | < | ||
+ | Enter passphrase (empty for no passphrase): | ||
+ | Enter same passphrase again: | ||
+ | Your identification has been saved in / | ||
+ | Your public key has been saved in / | ||
+ | The key fingerprint is: | ||
+ | a3: | ||
+ | The key's randomart image is: | ||
+ | +--[ED25519 | ||
+ | | *o | | ||
+ | | o + +. | | ||
+ | | + = o | | ||
+ | | * o | | ||
+ | | + . S | | ||
+ | | + = o | | ||
+ | | = + | | ||
+ | | Eo o | | ||
+ | | ...o . | | ||
+ | +-----------------+</ | ||
Die // | Die // | ||
- | Nun liegen in dem Verzeichnis **/ | + | Nun liegen in dem Verzeichnis **/ |
- | < | + | # ll ~/.ssh/*ed25519* |
- | insgesamt 24 | + | < |
- | -rw------- 1 django django | + | -rw-r--r--. 1 django django |
- | -rw-r--r-- 1 django django | + | |
- | **id_rsa** enthält den privaten Schlüssel und sollte auf keinen Fall weitergegeben werden und darf auch __nur__ für den Nutzer selbst lesbar sein! **id_rsa.pub**, der öffentliche Schlüssel, dagegen muss auf den Zielrechner kopiert werden. | + | **id_ed25519_dmz** enthält den privaten Schlüssel und sollte auf keinen Fall weitergegeben werden und darf auch __nur__ für den Nutzer selbst lesbar sein! **id_ed25519_dmz.pub**, der öffentliche Schlüssel, dagegen muss auf den Zielrechner kopiert werden. |
==== Zielverzeichnis anlegen und öffentlichen Schlüssel kopieren | ==== Zielverzeichnis anlegen und öffentlichen Schlüssel kopieren | ||
Auf dem Zielrechner legen wir nun das Verzeichnis **.ssh** an und schützen es entsprechend. | Auf dem Zielrechner legen wir nun das Verzeichnis **.ssh** an und schützen es entsprechend. | ||
Zeile 1003: | Zeile 1684: | ||
[django@zielhost django]$ chmod 700 .ssh | [django@zielhost django]$ chmod 700 .ssh | ||
- | Den öffentlichen Schlüssel kopieren wir dann wie folgt auf das Zielsystem: | + | Den öffentlichen Schlüssel kopieren wir dann wie folgt auf das Zielsystem; hatten wir uns einen RSA-key erstellt verwenden wir folgenden Aufruf: |
- | | + | $ scp /home/django/.ssh/ |
+ | bzw. bei einem ed25519 Schlüssel: | ||
+ | $ scp / | ||
- | Anschließend | + | Anschliessend |
- | | + | |
Zu guter Letzt passen wir noch die Berechtigungen an und löschen die nicht mehr benötigte **id_rsa.pub** | Zu guter Letzt passen wir noch die Berechtigungen an und löschen die nicht mehr benötigte **id_rsa.pub** | ||
- | [django@zielhost .ssh]$ chmod 600 authorized_keys | + | $ chmod 600 authorized_keys |
- | | + | |
<WRAP round info>Das Kopieren des Public-Keys auf unseren Zielhost mit Anpassen der Dateiberechtigungen kann man natürlich auch einfacher vornehmen. Man benutzt hierzu einfach den Befehl **ssh-copy-id** aus dem Paket // | <WRAP round info>Das Kopieren des Public-Keys auf unseren Zielhost mit Anpassen der Dateiberechtigungen kann man natürlich auch einfacher vornehmen. Man benutzt hierzu einfach den Befehl **ssh-copy-id** aus dem Paket // | ||
- | $ ssh-copy-id -i ~/ | + | * RSA-Key < |
+ | * ed25519-Key < | ||
- | Die Angabe '' | + | Mit der Angabe '' |
- | '' | + | |
</ | </ | ||
==== authorized_keys vs. authorized_keys2 ==== | ==== authorized_keys vs. authorized_keys2 ==== | ||
<WRAP round tip>Bei der Einführung von SSH Version 2 kam die Datei '' | <WRAP round tip>Bei der Einführung von SSH Version 2 kam die Datei '' | ||
+ | |||
===== ssh-Daemon ===== | ===== ssh-Daemon ===== |