Differences
This shows the differences between two versions of the page.
centos:ssh-install [12.11.2016 19:34] – [Dokumentation] django | centos:ssh-install [13.11.2016 17:00] – old version restored (22.11.2013 13:42) django | ||
---|---|---|---|
Zeile 2: | Zeile 2: | ||
{{: | {{: | ||
- | ===== Dokumentation ===== | ||
- | Wichtige Hinweise zur Absicherung von **ssh** finden sich im [[https:// | ||
- | |||
- | Die Optionen rund um opennssh findet amn wie immer, in der manpage zu **ssh**. | ||
- | < | ||
- | |||
- | NAME | ||
- | ssh — OpenSSH SSH client (remote login program) | ||
- | |||
- | SYNOPSIS | ||
- | ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec] [-D [bind_address: | ||
- | [-e escape_char] [-F configfile] [-I pkcs11] [-i identity_file] [-L [bind_address: | ||
- | [-l login_name] [-m mac_spec] [-O ctl_cmd] [-o option] [-p port] | ||
- | [-Q cipher | cipher-auth | mac | kex | key] [-R [bind_address: | ||
- | [-W host:port] [-w local_tun[: | ||
- | |||
- | DESCRIPTION | ||
- | ssh (SSH client) is a program for logging into a remote machine and for executing commands on a remote | ||
- | | ||
- | | ||
- | the secure channel. | ||
- | |||
- | ssh connects and logs into the specified hostname (with optional user name). | ||
- | | ||
- | | ||
- | |||
- | If command is specified, it is executed on the remote host instead of a login shell. | ||
- | |||
- | The options are as follows: | ||
- | |||
- | | ||
- | |||
- | | ||
- | |||
- | | ||
- | |||
- | | ||
- | |||
- | | ||
- | basis in a configuration file. | ||
- | |||
- | Agent forwarding should be enabled with caution. | ||
- | on the remote host (for the agent' | ||
- | | ||
- | | ||
- | |||
- | | ||
- | |||
- | -b bind_address | ||
- | Use bind_address on the local machine as the source address of the connection. | ||
- | tems with more than one address. | ||
- | |||
- | | ||
- | | ||
- | | ||
- | lines and other slow connections, | ||
- | can be set on a host-by-host basis in the configuration files; see the Compression option. | ||
- | |||
- | -c cipher_spec | ||
- | | ||
- | |||
- | | ||
- | | ||
- | | ||
- | much faster than 3des. des is only supported in the ssh client for interoperability with legacy pro‐ | ||
- | tocol 1 implementations that do not support the 3des cipher. | ||
- | | ||
- | |||
- | For protocol version 2, cipher_spec is a comma-separated list of ciphers listed in order of prefer‐ | ||
- | | ||
- | |||
- | -D [bind_address: | ||
- | | ||
- | | ||
- | tion is made to this port, the connection is forwarded over the secure channel, and the application | ||
- | | ||
- | and SOCKS5 protocols are supported, and ssh will act as a SOCKS server. | ||
- | leged ports. | ||
- | |||
- | IPv6 addresses can be specified by enclosing the address in square brackets. | ||
- | | ||
- | | ||
- | The bind_address of “localhost” indicates that the listening port be bound for local use only, while | ||
- | an empty address or ‘*’ indicates that the port should be available from all interfaces. | ||
- | |||
- | -E log_file | ||
- | | ||
- | |||
- | -e escape_char | ||
- | Sets the escape character for sessions with a pty (default: ‘~’). | ||
- | | ||
- | tion; followed by control-Z suspends the connection; and followed by itself sends the escape charac‐ | ||
- | ter once. Setting the character to “none” disables any escapes and makes the session fully transpar‐ | ||
- | ent. | ||
- | |||
- | -F configfile | ||
- | | ||
- | mand line, the system-wide configuration file (/ | ||
- | the per-user configuration file is ~/ | ||
- | |||
- | | ||
- | ask for passwords or passphrases, | ||
- | | ||
- | |||
- | If the ExitOnForwardFailure configuration option is set to “yes”, then a client started with -f will | ||
- | wait for all remote port forwards to be successfully established before placing itself in the back‐ | ||
- | | ||
- | |||
- | | ||
- | |||
- | -I pkcs11 | ||
- | | ||
- | | ||
- | |||
- | -i identity_file | ||
- | | ||
- | | ||
- | | ||
- | a per-host basis in the configuration file. It is possible to have multiple -i options (and multiple | ||
- | | ||
- | the filename obtained by appending -cert.pub to identity filenames. | ||
- | |||
- | | ||
- | |||
- | | ||
- | |||
- | -L [bind_address: | ||
- | | ||
- | port on the remote side. This works by allocating a socket to listen to port on the local side, | ||
- | | ||
- | | ||
- | | ||
- | can be specified by enclosing the address in square brackets. | ||
- | leged ports. | ||
- | ever, an explicit bind_address may be used to bind the connection to a specific address. | ||
- | | ||
- | empty address or ‘*’ indicates that the port should be available from all interfaces. | ||
- | |||
- | -l login_name | ||
- | | ||
- | basis in the configuration file. | ||
- | |||
- | | ||
- | | ||
- | | ||
- | |||
- | -m mac_spec | ||
- | | ||
- | | ||
- | |||
- | | ||
- | |||
- | | ||
- | is run in the background. | ||
- | For example, ssh -n shadows.cs.hut.fi emacs & will start an emacs on shadows.cs.hut.fi, | ||
- | | ||
- | the background. | ||
- | -f option.) | ||
- | |||
- | -O ctl_cmd | ||
- | | ||
- | | ||
- | that the master process is running), “forward” (request forwardings without command execution), | ||
- | | ||
- | stop accepting further multiplexing requests). | ||
- | |||
- | -o option | ||
- | Can be used to give options in the format used in the configuration file. This is useful for speci‐ | ||
- | fying options for which there is no separate command-line flag. For full details of the options | ||
- | | ||
- | |||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | Host | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | IPQoS | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | MACs | ||
- | Match | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | Port | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | User | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | |||
- | -p port | ||
- | Port to connect to on the remote host. This can be specified on a per-host basis in the configura‐ | ||
- | tion file. | ||
- | |||
- | -Q cipher | cipher-auth | mac | kex | key | ||
- | | ||
- | | ||
- | cated encryption), | ||
- | | ||
- | |||
- | | ||
- | |||
- | -R [bind_address: | ||
- | | ||
- | port on the local side. This works by allocating a socket to listen to port on the remote side, and | ||
- | | ||
- | a connection is made to host port hostport from the local machine. | ||
- | |||
- | Port forwardings can also be specified in the configuration file. Privileged ports can be forwarded | ||
- | only when logging in as root on the remote machine. | ||
- | | ||
- | |||
- | By default, the listening socket on the server will be bound to the loopback interface only. This | ||
- | may be overridden by specifying a bind_address. | ||
- | that the remote socket should listen on all interfaces. | ||
- | | ||
- | |||
- | If the port argument is ‘0’, the listen port will be dynamically allocated on the server and reported | ||
- | to the client at run time. When used together with -O forward the allocated port will be printed to | ||
- | the standard output. | ||
- | |||
- | -S ctl_path | ||
- | | ||
- | | ||
- | | ||
- | |||
- | | ||
- | the SSH2 protocol which facilitate the use of SSH as a secure transport for other applications (eg. | ||
- | | ||
- | |||
- | | ||
- | |||
- | | ||
- | | ||
- | tty allocation, even if ssh has no local tty. | ||
- | |||
- | | ||
- | |||
- | | ||
- | ging connection, authentication, | ||
- | | ||
- | |||
- | -W host:port | ||
- | | ||
- | | ||
- | 2 only. | ||
- | |||
- | -w local_tun[: | ||
- | | ||
- | and the server (remote_tun). | ||
- | |||
- | The devices may be specified by numerical ID or the keyword “any”, which uses the next available tun‐ | ||
- | nel device. | ||
- | | ||
- | | ||
- | |||
- | | ||
- | |||
- | X11 forwarding should be enabled with caution. | ||
- | the remote host (for the user's X authorization database) can access the local X11 display through | ||
- | the forwarded connection. | ||
- | | ||
- | |||
- | For this reason, X11 forwarding is subjected to X11 SECURITY extension restrictions by default. | ||
- | | ||
- | | ||
- | |||
- | | ||
- | |||
- | | ||
- | sion controls. | ||
- | |||
- | | ||
- | | ||
- | |||
- | ssh may additionally obtain configuration data from a per-user configuration file and a system-wide configu‐ | ||
- | | ||
- | |||
- | AUTHENTICATION | ||
- | The OpenSSH SSH client supports SSH protocols 1 and 2. The default is to use protocol 2 only, though this | ||
- | can be changed via the Protocol option in ssh_config(5) or the -1 and -2 options (see above). | ||
- | | ||
- | for confidentiality (the traffic is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour) and integrity | ||
- | | ||
- | | ||
- | |||
- | The methods available for authentication are: GSSAPI-based authentication, | ||
- | key authentication, | ||
- | are tried in the order specified above, though protocol 2 has a configuration option to change the default | ||
- | | ||
- | |||
- | | ||
- | / | ||
- | | ||
- | | ||
- | is considered for login. | ||
- | | ||
- | | ||
- | the administrator: | ||
- | cure and should be disabled if security is desired.] | ||
- | |||
- | | ||
- | tems where encryption and decryption are done using separate keys, and it is unfeasible to derive the decryp‐ | ||
- | tion key from the encryption key. The idea is that each user creates a public/ | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | |||
- | The file ~/ | ||
- | in, the ssh program tells the server which key pair it would like to use for authentication. | ||
- | | ||
- | | ||
- | |||
- | The user creates his/her key pair by running ssh-keygen(1). | ||
- | | ||
- | 2 ED25519), or ~/ | ||
- | | ||
- | | ||
- | | ||
- | file corresponds to the conventional ~/.rhosts file, and has one key per line, though the lines can be very | ||
- | | ||
- | |||
- | A variation on public key authentication is available in the form of certificate authentication: | ||
- | set of public/ | ||
- | | ||
- | | ||
- | |||
- | The most convenient way to use public key or certificate authentication may be with an authentication agent. | ||
- | See ssh-agent(1) for more information. | ||
- | |||
- | | ||
- | | ||
- | just one challenge/ | ||
- | | ||
- | |||
- | | ||
- | the remote host for checking; however, since all communications are encrypted, the password cannot be seen by | ||
- | | ||
- | |||
- | ssh automatically maintains and checks a database containing identification for all hosts it has ever been | ||
- | used with. Host keys are stored in ~/ | ||
- | / | ||
- | the user's file. If a host's identification ever changes, ssh warns about this and disables password authen‐ | ||
- | | ||
- | the encryption. | ||
- | not known or has changed. | ||
- | |||
- | When the user's identity has been accepted by the server, the server either executes the given command, or | ||
- | logs into the machine and gives the user a normal shell on the remote machine. | ||
- | | ||
- | |||
- | If a pseudo-terminal has been allocated (normal login session), the user may use the escape characters noted | ||
- | | ||
- | |||
- | If no pseudo-tty has been allocated, the session is transparent and can be used to reliably transfer binary | ||
- | | ||
- | a tty is used. | ||
- | |||
- | The session terminates when the command or shell on the remote machine exits and all X11 and TCP connections | ||
- | have been closed. | ||
- | |||
- | ESCAPE CHARACTERS | ||
- | When a pseudo-terminal has been requested, ssh supports a number of functions through the use of an escape | ||
- | | ||
- | |||
- | A single tilde character can be sent as ~~ or by following the tilde by a character other than those | ||
- | | ||
- | | ||
- | mand line by the -e option. | ||
- | |||
- | The supported escapes (assuming the default ‘~’) are: | ||
- | |||
- | | ||
- | |||
- | | ||
- | |||
- | | ||
- | |||
- | | ||
- | |||
- | | ||
- | |||
- | | ||
- | it). | ||
- | |||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | |||
- | | ||
- | it). | ||
- | |||
- | | ||
- | |||
- | | ||
- | |||
- | TCP FORWARDING | ||
- | | ||
- | or in a configuration file. One possible application of TCP forwarding is a secure connection to a mail | ||
- | | ||
- | |||
- | In the example below, we look at encrypting communication between an IRC client and server, even though the | ||
- | IRC server does not directly support encrypted communications. | ||
- | the remote host using ssh, specifying a port to be used to forward connections to the remote server. | ||
- | that it is possible to start the service which is to be encrypted on the client machine, connecting to the | ||
- | same local port, and ssh will encrypt and forward the connection. | ||
- | |||
- | The following example tunnels an IRC session from client machine “127.0.0.1” (localhost) to remote server | ||
- | | ||
- | |||
- | $ ssh -f -L 1234: | ||
- | $ irc -c '# | ||
- | |||
- | This tunnels a connection to IRC server “server.example.com”, | ||
- | using port 1234. It doesn' | ||
- | root can open sockets on privileged ports) and doesn' | ||
- | tion is forwarded to port 6667 on the remote server, since that's the standard port for IRC services. | ||
- | |||
- | The -f option backgrounds ssh and the remote command “sleep 10” is specified to allow an amount of time (10 | ||
- | | ||
- | the time specified, ssh will exit. | ||
- | |||
- | X11 FORWARDING | ||
- | If the ForwardX11 variable is set to “yes” (or see the description of the -X, -x, and -Y options above) and | ||
- | the user is using X11 (the DISPLAY environment variable is set), the connection to the X11 display is auto‐ | ||
- | | ||
- | mand) will go through the encrypted channel, and the connection to the real X server will be made from the | ||
- | local machine. | ||
- | the command line or in configuration files. | ||
- | |||
- | The DISPLAY value set by ssh will point to the server machine, but with a display number greater than zero. | ||
- | This is normal, and happens because ssh creates a “proxy” X server on the server machine for forwarding the | ||
- | | ||
- | |||
- | ssh will also automatically set up Xauthority data on the server machine. | ||
- | a random authorization cookie, store it in Xauthority on the server, and verify that any forwarded connec‐ | ||
- | tions carry this cookie and replace it by the real cookie when the connection is opened. | ||
- | | ||
- | |||
- | If the ForwardAgent variable is set to “yes” (or see the description of the -A and -a options above) and the | ||
- | user is using an authentication agent, the connection to the agent is automatically forwarded to the remote | ||
- | side. | ||
- | |||
- | VERIFYING HOST KEYS | ||
- | When connecting to a server for the first time, a fingerprint of the server' | ||
- | user (unless the option StrictHostKeyChecking has been disabled). | ||
- | | ||
- | |||
- | $ ssh-keygen -l -f / | ||
- | |||
- | If the fingerprint is already known, it can be matched and the key can be accepted or rejected. | ||
- | the difficulty of comparing host keys just by looking at hex strings, there is also support to compare host | ||
- | keys visually, using random art. By setting the VisualHostKey option to “yes”, a small ASCII graphic gets | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | |||
- | To get a listing of the fingerprints along with their random art for all known hosts, the following command | ||
- | line can be used: | ||
- | |||
- | $ ssh-keygen -lv -f ~/ | ||
- | |||
- | If the fingerprint is unknown, an alternative method of verification is available: SSH fingerprints verified | ||
- | by DNS. An additional resource record (RR), SSHFP, is added to a zonefile and the connecting client is able | ||
- | to match the fingerprint with that of the key presented. | ||
- | |||
- | In this example, we are connecting a client to a server, “host.example.com”. | ||
- | | ||
- | |||
- | $ ssh-keygen -r host.example.com. | ||
- | |||
- | The output lines will have to be added to the zonefile. | ||
- | | ||
- | |||
- | $ dig -t SSHFP host.example.com | ||
- | |||
- | | ||
- | |||
- | $ ssh -o " | ||
- | [...] | ||
- | | ||
- | Are you sure you want to continue connecting (yes/no)? | ||
- | |||
- | See the VerifyHostKeyDNS option in ssh_config(5) for more information. | ||
- | |||
- | SSH-BASED VIRTUAL PRIVATE NETWORKS | ||
- | ssh contains support for Virtual Private Network (VPN) tunnelling using the tun(4) network pseudo-device, | ||
- | | ||
- | | ||
- | |||
- | The following example would connect client network 10.0.50.0/ | ||
- | | ||
- | the remote network, at 192.168.1.15, | ||
- | |||
- | On the client: | ||
- | |||
- | # ssh -f -w 0:1 192.168.1.15 true | ||
- | # ifconfig tun0 10.1.1.1 10.1.1.2 netmask 255.255.255.252 | ||
- | # route add 10.0.99.0/ | ||
- | |||
- | On the server: | ||
- | |||
- | # ifconfig tun1 10.1.1.2 10.1.1.1 netmask 255.255.255.252 | ||
- | # route add 10.0.50.0/ | ||
- | |||
- | | ||
- | | ||
- | | ||
- | |||
- | | ||
- | | ||
- | |||
- | Since an SSH-based setup entails a fair amount of overhead, it may be more suited to temporary setups, such | ||
- | as for wireless VPNs. More permanent VPNs are better provided by tools such as ipsecctl(8) and isakmpd(8). | ||
- | |||
- | ENVIRONMENT | ||
- | ssh will normally set the following environment variables: | ||
- | |||
- | | ||
- | by ssh to point to a value of the form “hostname: | ||
- | host where the shell runs, and ‘n’ is an integer ≥ 1. ssh uses this special value to | ||
- | | ||
- | | ||
- | the user to manually copy any required authorization cookies). | ||
- | |||
- | | ||
- | |||
- | | ||
- | |||
- | | ||
- | |||
- | | ||
- | |||
- | | ||
- | was run from a terminal. | ||
- | | ||
- | and open an X11 window to read the passphrase. | ||
- | ing ssh from a .xsession or related script. | ||
- | | ||
- | |||
- | | ||
- | |||
- | | ||
- | | ||
- | | ||
- | |||
- | | ||
- | can be used to extract the original arguments. | ||
- | |||
- | | ||
- | shell or command. | ||
- | |||
- | | ||
- | was started (i.e. the daemon passes the value on to new connections). | ||
- | |||
- | | ||
- | |||
- | | ||
- | if the file exists and users are allowed to change their environment. | ||
- | | ||
- | |||
- | ENVIRONMENT | ||
- | | ||
- | The reseeding of the OpenSSL random generator is usually done from / | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | |||
- | FILES | ||
- | | ||
- | This file is used for host-based authentication (see above). | ||
- | be world-readable if the user's home directory is on an NFS partition, because sshd(8) reads it as | ||
- | | ||
- | | ||
- | sible by others. | ||
- | |||
- | | ||
- | This file is used in exactly the same way as .rhosts, but allows host-based authentication without | ||
- | | ||
- | |||
- | | ||
- | This directory is the default location for all user-specific configuration and authentication infor‐ | ||
- | | ||
- | the recommended permissions are read/ | ||
- | |||
- | | ||
- | Lists the public keys (DSA, ECDSA, ED25519, RSA) that can be used for logging in as this user. The | ||
- | | ||
- | the recommended permissions are read/write for the user, and not accessible by others. | ||
- | |||
- | | ||
- | This is the per-user configuration file. The file format and configuration options are described in | ||
- | | ||
- | | ||
- | |||
- | | ||
- | | ||
- | |||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | able by the user but not accessible by others (read/ | ||
- | key file if it is accessible by others. | ||
- | key which will be used to encrypt the sensitive part of this file using 3DES. | ||
- | |||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | |||
- | | ||
- | | ||
- | | ||
- | |||
- | | ||
- | | ||
- | | ||
- | |||
- | / | ||
- | This file is for host-based authentication (see above). | ||
- | |||
- | / | ||
- | This file is used in exactly the same way as hosts.equiv, | ||
- | out permitting login with rlogin/rsh. | ||
- | |||
- | / | ||
- | | ||
- | | ||
- | |||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | These files contain the private parts of the host keys and are used for host-based authentication. | ||
- | If protocol version 1 is used, ssh must be setuid root, since the host key is readable only by root. | ||
- | For protocol version 2, ssh uses ssh-keysign(8) to access the host keys, eliminating the requirement | ||
- | that ssh be setuid root when host-based authentication is used. By default ssh is not setuid root. | ||
- | |||
- | / | ||
- | | ||
- | tain the public host keys of all machines in the organization. | ||
- | | ||
- | |||
- | / | ||
- | | ||
- | | ||
- | |||
- | EXIT STATUS | ||
- | ssh exits with the exit status of the remote command or with 255 if an error occurred. | ||
- | |||
- | IPV6 | ||
- | IPv6 address can be used everywhere where IPv4 address. In all entries must be the IPv6 address enclosed in | ||
- | | ||
- | |||
- | SEE ALSO | ||
- | | ||
- | | ||
- | |||
- | STANDARDS | ||
- | S. Lehtinen and C. Lonvick, The Secure Shell (SSH) Protocol Assigned Numbers, RFC 4250, January 2006. | ||
- | |||
- | T. Ylonen and C. Lonvick, The Secure Shell (SSH) Protocol Architecture, | ||
- | |||
- | T. Ylonen and C. Lonvick, The Secure Shell (SSH) Authentication Protocol, RFC 4252, January 2006. | ||
- | |||
- | T. Ylonen and C. Lonvick, The Secure Shell (SSH) Transport Layer Protocol, RFC 4253, January 2006. | ||
- | |||
- | T. Ylonen and C. Lonvick, The Secure Shell (SSH) Connection Protocol, RFC 4254, January 2006. | ||
- | |||
- | J. Schlyter and W. Griffin, Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints, | ||
- | | ||
- | |||
- | F. Cusack and M. Forssen, Generic Message Exchange Authentication for the Secure Shell Protocol (SSH), RFC | ||
- | 4256, January 2006. | ||
- | |||
- | J. Galbraith and P. Remaker, The Secure Shell (SSH) Session Channel Break Extension, RFC 4335, January 2006. | ||
- | |||
- | M. Bellare, T. Kohno, and C. Namprempre, The Secure Shell (SSH) Transport Layer Encryption Modes, RFC 4344, | ||
- | | ||
- | |||
- | B. Harris, Improved Arcfour Modes for the Secure Shell (SSH) Transport Layer Protocol, RFC 4345, January | ||
- | 2006. | ||
- | |||
- | M. Friedl, N. Provos, and W. Simpson, Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport | ||
- | Layer Protocol, RFC 4419, March 2006. | ||
- | |||
- | J. Galbraith and R. Thayer, The Secure Shell (SSH) Public Key File Format, RFC 4716, November 2006. | ||
- | |||
- | D. Stebila and J. Green, Elliptic Curve Algorithm Integration in the Secure Shell Transport Layer, RFC 5656, | ||
- | | ||
- | |||
- | A. Perrig and D. Song, Hash Visualization: | ||
- | | ||
- | |||
- | AUTHORS | ||
- | | ||
- | Beck, Markus Friedl, Niels Provos, Theo de Raadt and Dug Song removed many bugs, re-added newer features and | ||
- | | ||
- | |||
- | BSD November 12, 2016 BSD | ||
- | </ | ||
===== openSSH - Programmsuite ===== | ===== openSSH - Programmsuite ===== | ||
Die für die **// | Die für die **// | ||
- | * openssh : Die OpenSSH-Implementierung der SSH Protokoll-Versionen | + | * openssh.i386 : Die OpenSSH-Implementierung der SSH Protokoll-Versionen 1 und 2 |
- | * openssh-clients : Die OpenSSH-Client-Anwendungen | + | * openssh-clients.i386 : Die OpenSSH-Client-Anwendungen |
- | * openssh-server : Der OpenSSH-Server Daemon | + | * openssh-server.i386 : Der OpenSSH-Server Daemon |
- | * openssh-askpass : Passphrase-Dialog für OpenSSH und X | + | * openssh-askpass.i386 : Passphrase-Dialog für OpenSSH und X |
==== openssh ==== | ==== openssh ==== | ||
- | Mittels | + | Mittels |
+ | < | ||
+ | Name : openssh | ||
+ | Version | ||
+ | ... | ||
- | # rpm -qil openssh | + | ... |
- | < | + | Signature |
- | Version | + | Packager |
- | Release | + | |
- | Architecture: | + | |
- | Install Date: Wed 23 Mar 2016 07:14:52 PM CET | + | |
- | Group : Applications/ | + | |
- | Size : 1450050 | + | |
- | License | + | |
- | Signature | + | |
- | Source RPM : openssh-6.6.1p1-25.el7_2.src.rpm | + | |
- | Build Date : Mon 21 Mar 2016 11:18:48 PM CET | + | |
- | Build Host : worker1.bsys.centos.org | + | |
- | Relocations : (not relocatable) | + | |
- | Packager | + | |
- | Vendor | + | |
URL : http:// | URL : http:// | ||
- | Summary | + | Summary |
Description : | Description : | ||
SSH (Secure SHell) is a program for logging into and executing | SSH (Secure SHell) is a program for logging into and executing | ||
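Review bot: the restore replaces current package data with stale data. The left-hand side loses the `rpm -qil openssh` output for openssh-6.6.1p1-25.el7_2 (Build Date Mon 21 Mar 2016, Install Date Wed 23 Mar 2016, built on worker1.bsys.centos.org), while the right-hand side brings back the `.i386` package names (`openssh.i386`, `openssh-clients.i386`, `openssh-server.i386`, `openssh-askpass.i386`) from the 2013 revision, so the package inventory no longer matches the system the page documents. Dropping the `===== Dokumentation =====` block is a separate question: pasting the whole ssh(1) manual page into the wiki (hundreds of lines, many of them cut off here) is a maintenance burden and is better served by a link to the manpage plus the few options that matter for hardening, but the sentence pointing to the hardening guide should survive the revert, since it is the only security guidance the section had and its URL is already truncated on this page. If the manpage text is kept, fix `opennssh` and `amn` in the lead-in.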
Zeile 816: | Zeile 28: | ||
OpenSSH is OpenBSD' | OpenSSH is OpenBSD' | ||
- | it up to date in terms of security and features. | + | it up to date in terms of security and features, as well as removing |
+ | all patented algorithms to separate libraries. | ||
This package includes the core files necessary for both the OpenSSH | This package includes the core files necessary for both the OpenSSH | ||
Zeile 825: | Zeile 38: | ||
/ | / | ||
/ | / | ||
- | / | ||
/ | / | ||
- | / | + | / |
- | / | + | / |
- | / | + | / |
- | / | + | / |
- | / | + | / |
- | / | + | / |
- | / | + | / |
- | / | + | / |
- | / | + | / |
- | / | + | / |
- | / | + | / |
- | / | + | / |
- | / | + | / |
- | / | + | / |
- | / | + | / |
- | / | + | /usr/share/doc/openssh-4.3p2/WARNING.RNG |
- | / | + | |
- | / | + | |
- | /usr/share/licenses/openssh-6.6.1p1 | + | |
- | /usr/ | + | |
/ | / | ||
/ | / | ||
- | |||
- | |||
==== openssh-clients ==== | ==== openssh-clients ==== | ||
Beim Paket **openssh-clients** wird mitgeliefert: | Beim Paket **openssh-clients** wird mitgeliefert: | ||
+ | < | ||
+ | Name : openssh-clients | ||
+ | Version | ||
+ | ... | ||
- | # rpm -qil openssh-clients | + | ... |
- | < | + | Signature |
- | Version | + | Packager |
- | Release | + | |
- | Architecture: | + | |
- | Install Date: Wed 23 Mar 2016 07:14:59 PM CET | + | |
- | Group : Applications/ | + | |
- | Size : 2298871 | + | |
- | License | + | |
- | Signature | + | |
- | Source RPM : openssh-6.6.1p1-25.el7_2.src.rpm | + | |
- | Build Date : Mon 21 Mar 2016 11:18:48 PM CET | + | |
- | Build Host : worker1.bsys.centos.org | + | |
- | Relocations : (not relocatable) | + | |
- | Packager | + | |
- | Vendor | + | |
URL : http:// | URL : http:// | ||
- | Summary | + | Summary |
Description : | Description : | ||
OpenSSH is a free version of SSH (Secure SHell), a program for logging | OpenSSH is a free version of SSH (Secure SHell), a program for logging | ||
into and executing commands on a remote machine. This package includes | into and executing commands on a remote machine. This package includes | ||
the clients necessary to make encrypted connections to SSH servers. | the clients necessary to make encrypted connections to SSH servers. | ||
+ | You'll also need to install the openssh package on OpenSSH clients. | ||
/ | / | ||
/ | / | ||
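Review bot: the file lists restored here come from a much older build. The right-hand side reinstates `/usr/share/doc/openssh-4.3p2/WARNING.RNG` and the older openssh-clients description ("You'll also need to install the openssh package on OpenSSH clients"), while the left-hand side drops `/usr/share/licenses/openssh-6.6.1p1` and the `rpm -qil openssh-clients` metadata for openssh-6.6.1p1-25.el7_2 (Install Date Wed 23 Mar 2016). A listing from 4.3p2 is not a useful reference for what a 6.6.1p1 client ships; keep the 6.6.1p1 output or regenerate the list on the target host.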
Zeile 885: | Zeile 83: | ||
/ | / | ||
/ | / | ||
- | / | ||
- | / | ||
/ | / | ||
/ | / | ||
Zeile 895: | Zeile 91: | ||
/ | / | ||
/ | / | ||
- | / | + | / |
- | / | + | |
==== openssh-server ==== | ==== openssh-server ==== | ||
Hingegen liefert uns **openssh-server** folgende Dateien: | Hingegen liefert uns **openssh-server** folgende Dateien: | ||
+ | < | ||
+ | Name : openssh-server | ||
+ | Version | ||
+ | ... | ||
- | # rpm -qil openssh-server | + | ... |
- | < | + | Signature |
- | Release | + | Packager |
- | Architecture: | + | |
- | Install Date: Wed 23 Mar 2016 07:14:58 PM CET | + | |
- | Group : System Environment/ | + | |
- | Size : 943088 | + | |
- | License | + | |
- | Signature | + | |
- | Source RPM : openssh-6.6.1p1-25.el7_2.src.rpm | + | |
- | Build Date : Mon 21 Mar 2016 11:18:48 PM CET | + | |
- | Build Host : worker1.bsys.centos.org | + | |
- | Relocations : (not relocatable) | + | |
- | Packager | + | |
- | Vendor | + | |
URL : http:// | URL : http:// | ||
- | Summary | + | Summary |
Description : | Description : | ||
OpenSSH is a free version of SSH (Secure SHell), a program for logging | OpenSSH is a free version of SSH (Secure SHell), a program for logging | ||
into and executing commands on a remote machine. This package contains | into and executing commands on a remote machine. This package contains | ||
the secure shell daemon (sshd). The sshd daemon allows SSH clients to | the secure shell daemon (sshd). The sshd daemon allows SSH clients to | ||
- | securely connect to your SSH server. | + | securely connect to your SSH server. You also need to have the openssh |
+ | package installed. | ||
/ | / | ||
+ | / | ||
+ | /etc/ssh | ||
/ | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
/ | / | ||
/ | / | ||
- | / | ||
- | / | ||
/ | / | ||
/ | / | ||
/ | / | ||
- | / | + | / |
+ | / | ||
+ | / | ||
==== openssh-askpass ==== | ==== openssh-askpass ==== | ||
Zu guter Letzt sehen wir uns noch das Paket **openssh-askpass** genauer an: | Zu guter Letzt sehen wir uns noch das Paket **openssh-askpass** genauer an: | ||
+ | < | ||
+ | Name : openssh-askpass | ||
+ | Version | ||
+ | ... | ||
- | # rpm -qil openssh-askpass | + | ... |
- | < | + | Signature |
- | Version | + | Packager |
- | Release | + | |
- | Architecture: | + | |
- | Install Date: Sat 12 Nov 2016 08:22:40 PM CET | + | |
- | Group : Applications/ | + | |
- | Size : 15944 | + | |
- | License | + | |
- | Signature | + | |
- | Source RPM : openssh-6.6.1p1-25.el7_2.src.rpm | + | |
- | Build Date : Mon 21 Mar 2016 11:18:48 PM CET | + | |
- | Build Host : worker1.bsys.centos.org | + | |
- | Relocations : (not relocatable) | + | |
- | Packager | + | |
- | Vendor | + | |
URL : http:// | URL : http:// | ||
- | Summary | + | Summary |
Description : | Description : | ||
OpenSSH is a free version of SSH (Secure SHell), a program for logging | OpenSSH is a free version of SSH (Secure SHell), a program for logging | ||
Zeile 967: | Zeile 142: | ||
/ | / | ||
/ | / | ||
- | ===== Konfiguration ===== | ||
- | ==== ssh Daemon ==== | ||
===== ssh in der Praxis ===== | ===== ssh in der Praxis ===== | ||
Auch wenn das Passwort bei **ssh** verschlüsselt übertragen wird, lohnt ein Blick auf die Alternative | Auch wenn das Passwort bei **ssh** verschlüsselt übertragen wird, lohnt ein Blick auf die Alternative | ||
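Review bot: removing the two empty headings `===== Konfiguration =====` and `==== ssh Daemon ====` is fine, as they had no content under them, but the same hunk also replaces the `rpm -qil openssh-server` and `rpm -qil openssh-askpass` output for openssh-6.6.1p1-25.el7_2 (openssh-askpass installed Sat 12 Nov 2016, the day the reverted revision was written) with the older listings, so the server and askpass package data now predate the rest of the page as well.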
Zeile 983: | Zeile 156: | ||
The key fingerprint is: | The key fingerprint is: | ||
2b: | 2b: | ||
- | |||
- | $ ssh-keygen -t ed25519 -o -a 100 -C django@nausch.org -f ~/ | ||
- | |||
- | |||
Die // | Die // | ||
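Review bot: the revert drops the only current key-generation command on the page, `ssh-keygen -t ed25519 -o -a 100 -C django@nausch.org -f ~/...` (removed on the left). `-t ed25519` selects an Ed25519 key, `-o` stores the private key in the new OpenSSH key format with a bcrypt KDF instead of the legacy PEM container, and `-a 100` sets 100 KDF rounds so that brute-forcing the passphrase of a stolen key file becomes slow. What remains after the restore is only the earlier `The key fingerprint is: 2b:...` output, i.e. the older key and the colon-separated MD5 fingerprint style, so the "ssh in der Praxis" section now documents the weaker setup. Keep the Ed25519 line, or re-add it with its explanation.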
Zeile 1020: | Zeile 189: | ||
</ | </ | ||
==== authorized_keys vs. authorized_keys2 ==== | ==== authorized_keys vs. authorized_keys2 ==== | ||
- | <WRAP round tip>Bei der Einführung von SSH Version 2 kam die Datei '' | + | <WRAP round info>Bei der Einführung von SSH Version 2 kam die Datei '' |
===== ssh-Daemon ===== | ===== ssh-Daemon ===== | ||
Zeile 1152: | Zeile 321: | ||
} | } | ||
state Workstation { | state Workstation { | ||
- | Workstation : Gerät: | + | Workstation : Gerät: |
Workstation : Hostname: pml010040 | Workstation : Hostname: pml010040 | ||
Workstation : CNAME: office-work | Workstation : CNAME: office-work | ||
Zeile 1227: | Zeile 396: | ||
Host daxie | Host daxie | ||
Hostname < | Hostname < | ||
- | ProxyCommand | + | ProxyCommand |
</ | </ | ||