Differences
This page shows the differences between two versions of the page.
centos:ssh-install [12.11.2016 19:43] – django | centos:ssh-install [13.11.2016 17:00] – old version restored (22.11.2013 13:42) django | ||
---|---|---|---|
Line 4: | Line 4: | ||
===== openSSH - program suite ===== | ===== openSSH - program suite ===== | ||
Die für die **// | Die für die **// | ||
- | * openssh : Die OpenSSH-Implementierung der SSH Protokoll-Versionen | + | * openssh.i386 : Die OpenSSH-Implementierung der SSH Protokoll-Versionen 1 und 2 |
- | * openssh-clients : Die OpenSSH-Client-Anwendungen | + | * openssh-clients.i386 : Die OpenSSH-Client-Anwendungen |
- | * openssh-server : Der OpenSSH-Server Daemon | + | * openssh-server.i386 : Der OpenSSH-Server Daemon |
- | * openssh-askpass : Passphrase-Dialog für OpenSSH und X | + | * openssh-askpass.i386 : Passphrase-Dialog für OpenSSH und X |
==== openssh ==== | ==== openssh ==== | ||
- | Mittels | + | Mittels |
+ | < | ||
+ | Name : openssh | ||
+ | Version | ||
+ | ... | ||
- | # rpm -qil openssh | + | ... |
- | < | + | Signature |
- | Version | + | Packager |
- | Release | + | |
- | Architecture: | + | |
- | Install Date: Wed 23 Mar 2016 07:14:52 PM CET | + | |
- | Group : Applications/ | + | |
- | Size : 1450050 | + | |
- | License | + | |
- | Signature | + | |
- | Source RPM : openssh-6.6.1p1-25.el7_2.src.rpm | + | |
- | Build Date : Mon 21 Mar 2016 11:18:48 PM CET | + | |
- | Build Host : worker1.bsys.centos.org | + | |
- | Relocations : (not relocatable) | + | |
- | Packager | + | |
- | Vendor | + | |
URL : http:// | URL : http:// | ||
- | Summary | + | Summary |
Description : | Description : | ||
SSH (Secure SHell) is a program for logging into and executing | SSH (Secure SHell) is a program for logging into and executing | ||
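Review bot: the restored right-hand column reverts the package list to the architecture-suffixed names (`openssh.i386`, `openssh-clients.i386`, `openssh-server.i386`, `openssh-askpass.i386`) and to the wording "SSH Protokoll-Versionen 1 und 2", while the removed left-hand column records the package actually installed on this host (`Source RPM : openssh-6.6.1p1-25.el7_2.src.rpm`, `Build Date : Mon 21 Mar 2016 11:18:48 PM CET`, `Install Date: Wed 23 Mar 2016 07:14:52 PM CET`). If the page is meant to document the CentOS 7 installation, keep the removed `rpm -qil openssh` output (or re-run it) instead of restoring the older, abbreviated listing, and drop the `.i386` suffixes, which describe a different build than the one the removed lines show.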
Line 37: | Line 28: | ||
OpenSSH is OpenBSD' | OpenSSH is OpenBSD' | ||
- | it up to date in terms of security and features. | + | it up to date in terms of security and features, as well as removing |
+ | all patented algorithms to separate libraries. | ||
This package includes the core files necessary for both the OpenSSH | This package includes the core files necessary for both the OpenSSH | ||
Line 46: | Line 38: | ||
/ | / | ||
/ | / | ||
- | / | ||
/ | / | ||
- | / | + | / |
- | / | + | / |
- | / | + | / |
- | / | + | / |
- | / | + | / |
- | / | + | / |
- | / | + | / |
- | / | + | / |
- | / | + | / |
- | / | + | / |
- | / | + | / |
- | / | + | / |
- | / | + | / |
- | / | + | / |
- | / | + | / |
- | / | + | /usr/share/doc/openssh-4.3p2/WARNING.RNG |
- | / | + | |
- | / | + | |
- | /usr/share/licenses/openssh-6.6.1p1 | + | |
- | /usr/ | + | |
/ | / | ||
/ | / | ||
- | |||
- | |||
==== openssh-clients ==== | ==== openssh-clients ==== | ||
The **openssh-clients** package ships the following: | The **openssh-clients** package ships the following: | ||
+ | < | ||
+ | Name : openssh-clients | ||
+ | Version | ||
+ | ... | ||
- | # rpm -qil openssh-clients | + | ... |
- | < | + | Signature |
- | Version | + | Packager |
- | Release | + | |
- | Architecture: | + | |
- | Install Date: Wed 23 Mar 2016 07:14:59 PM CET | + | |
- | Group : Applications/ | + | |
- | Size : 2298871 | + | |
- | License | + | |
- | Signature | + | |
- | Source RPM : openssh-6.6.1p1-25.el7_2.src.rpm | + | |
- | Build Date : Mon 21 Mar 2016 11:18:48 PM CET | + | |
- | Build Host : worker1.bsys.centos.org | + | |
- | Relocations : (not relocatable) | + | |
- | Packager | + | |
- | Vendor | + | |
URL : http:// | URL : http:// | ||
- | Summary | + | Summary |
Description : | Description : | ||
OpenSSH is a free version of SSH (Secure SHell), a program for logging | OpenSSH is a free version of SSH (Secure SHell), a program for logging | ||
into and executing commands on a remote machine. This package includes | into and executing commands on a remote machine. This package includes | ||
the clients necessary to make encrypted connections to SSH servers. | the clients necessary to make encrypted connections to SSH servers. | ||
+ | You'll also need to install the openssh package on OpenSSH clients. | ||
/ | / | ||
/ | / | ||
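Review bot: the restored file list names `/usr/share/doc/openssh-4.3p2/WARNING.RNG` while the removed list names `/usr/share/licenses/openssh-6.6.1p1`, so after this revert the documented paths belong to a much older package version (4.3p2) than the one that was removed (6.6.1p1); regenerate the list from the installed package (`rpm -ql`) rather than restoring the 2013 listing, or the file paths on the page will not exist on the host. The added `openssh-clients` description line `You'll also need to install the openssh package on OpenSSH clients.` is harmless and can stay.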
Line 106: | Line 83: | ||
/ | / | ||
/ | / | ||
- | / | ||
- | / | ||
/ | / | ||
/ | / | ||
Line 116: | Line 91: | ||
/ | / | ||
/ | / | ||
- | / | + | / |
- | / | + | |
==== openssh-server ==== | ==== openssh-server ==== | ||
**openssh-server**, on the other hand, provides us with the following files: | **openssh-server**, on the other hand, provides us with the following files: | ||
+ | < | ||
+ | Name : openssh-server | ||
+ | Version | ||
+ | ... | ||
- | # rpm -qil openssh-server | + | ... |
- | < | + | Signature |
- | Release | + | Packager |
- | Architecture: | + | |
- | Install Date: Wed 23 Mar 2016 07:14:58 PM CET | + | |
- | Group : System Environment/ | + | |
- | Size : 943088 | + | |
- | License | + | |
- | Signature | + | |
- | Source RPM : openssh-6.6.1p1-25.el7_2.src.rpm | + | |
- | Build Date : Mon 21 Mar 2016 11:18:48 PM CET | + | |
- | Build Host : worker1.bsys.centos.org | + | |
- | Relocations : (not relocatable) | + | |
- | Packager | + | |
- | Vendor | + | |
URL : http:// | URL : http:// | ||
- | Summary | + | Summary |
Description : | Description : | ||
OpenSSH is a free version of SSH (Secure SHell), a program for logging | OpenSSH is a free version of SSH (Secure SHell), a program for logging | ||
into and executing commands on a remote machine. This package contains | into and executing commands on a remote machine. This package contains | ||
the secure shell daemon (sshd). The sshd daemon allows SSH clients to | the secure shell daemon (sshd). The sshd daemon allows SSH clients to | ||
- | securely connect to your SSH server. | + | securely connect to your SSH server. You also need to have the openssh |
+ | package installed. | ||
/ | / | ||
+ | / | ||
+ | /etc/ssh | ||
/ | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
/ | / | ||
/ | / | ||
- | / | ||
- | / | ||
/ | / | ||
/ | / | ||
/ | / | ||
- | / | + | / |
+ | / | ||
+ | / | ||
==== openssh-askpass ==== | ==== openssh-askpass ==== | ||
Last but not least, we take a closer look at the **openssh-askpass** package: | Last but not least, we take a closer look at the **openssh-askpass** package: | ||
+ | < | ||
+ | Name : openssh-askpass | ||
+ | Version | ||
+ | ... | ||
- | # rpm -qil openssh-askpass | + | ... |
- | < | + | Signature |
- | Version | + | Packager |
- | Release | + | |
- | Architecture: | + | |
- | Install Date: Sat 12 Nov 2016 08:22:40 PM CET | + | |
- | Group : Applications/ | + | |
- | Size : 15944 | + | |
- | License | + | |
- | Signature | + | |
- | Source RPM : openssh-6.6.1p1-25.el7_2.src.rpm | + | |
- | Build Date : Mon 21 Mar 2016 11:18:48 PM CET | + | |
- | Build Host : worker1.bsys.centos.org | + | |
- | Relocations : (not relocatable) | + | |
- | Packager | + | |
- | Vendor | + | |
URL : http:// | URL : http:// | ||
- | Summary | + | Summary |
Description : | Description : | ||
OpenSSH is a free version of SSH (Secure SHell), a program for logging | OpenSSH is a free version of SSH (Secure SHell), a program for logging | ||
Line 188: | Line 142: | ||
/ | / | ||
/ | / | ||
- | |||
- | ===== Documentation ===== | ||
- | Important notes on hardening **ssh** can be found in the [[https:// | ||
- | |||
- | As always, the options for openssh can be found in the manpage for **ssh**. | ||
- | < | ||
- | |||
- | NAME | ||
- | ssh — OpenSSH SSH client (remote login program) | ||
- | |||
- | SYNOPSIS | ||
- | ssh [-1246AaCfgKkMNnqsTtVvXxYy] [-b bind_address] [-c cipher_spec] [-D [bind_address: | ||
- | [-E log_file] [-e escape_char] [-F configfile] [-I pkcs11] [-i identity_file] | ||
- | [-L [bind_address: | ||
- | [-p port] [-Q cipher | cipher-auth | mac | kex | key] [-R [bind_address: | ||
- | [-S ctl_path] [-W host:port] [-w local_tun[: | ||
- | |||
- | DESCRIPTION | ||
- | ssh (SSH client) is a program for logging into a remote machine and for executing commands on a | ||
- | | ||
- | tions between two untrusted hosts over an insecure network. | ||
- | ports can also be forwarded over the secure channel. | ||
- | |||
- | ssh connects and logs into the specified hostname (with optional user name). | ||
- | | ||
- | sion used (see below). | ||
- | |||
- | If command is specified, it is executed on the remote host instead of a login shell. | ||
- | |||
- | The options are as follows: | ||
- | |||
- | | ||
- | |||
- | | ||
- | |||
- | | ||
- | |||
- | | ||
- | |||
- | | ||
- | | ||
- | |||
- | Agent forwarding should be enabled with caution. | ||
- | | ||
- | agent through the forwarded connection. | ||
- | | ||
- | using the identities loaded into the agent. | ||
- | |||
- | | ||
- | |||
- | -b bind_address | ||
- | Use bind_address on the local machine as the source address of the connection. | ||
- | on systems with more than one address. | ||
- | |||
- | | ||
- | X11 and TCP connections). | ||
- | | ||
- | sion is desirable on modem lines and other slow connections, | ||
- | on fast networks. | ||
- | tion files; see the Compression option. | ||
- | |||
- | -c cipher_spec | ||
- | | ||
- | |||
- | | ||
- | | ||
- | three different keys. It is believed to be secure. | ||
- | | ||
- | for interoperability with legacy protocol 1 implementations that do not support the 3des | ||
- | | ||
- | | ||
- | |||
- | For protocol version 2, cipher_spec is a comma-separated list of ciphers listed in order of | ||
- | | ||
- | |||
- | -D [bind_address: | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | the remote machine. | ||
- | act as a SOCKS server. | ||
- | can also be specified in the configuration file. | ||
- | |||
- | IPv6 addresses can be specified by enclosing the address in square brackets. | ||
- | | ||
- | with the GatewayPorts setting. | ||
- | | ||
- | | ||
- | port should be available from all interfaces. | ||
- | |||
- | -E log_file | ||
- | | ||
- | |||
- | -e escape_char | ||
- | Sets the escape character for sessions with a pty (default: ‘~’). | ||
- | only recognized at the beginning of a line. The escape character followed by a dot (‘.’) | ||
- | | ||
- | | ||
- | | ||
- | |||
- | -F configfile | ||
- | | ||
- | the command line, the system-wide configuration file (/ | ||
- | The default for the per-user configuration file is ~/ | ||
- | |||
- | | ||
- | going to ask for passwords or passphrases, | ||
- | | ||
- | like ssh -f host xterm. | ||
- | |||
- | If the ExitOnForwardFailure configuration option is set to “yes”, then a client started | ||
- | with -f will wait for all remote port forwards to be successfully established before plac‐ | ||
- | ing itself in the background. | ||
- | |||
- | | ||
- | |||
- | -I pkcs11 | ||
- | | ||
- | | ||
- | |||
- | -i identity_file | ||
- | | ||
- | The default is ~/ | ||
- | | ||
- | | ||
- | -i options (and multiple identities specified in configuration files). | ||
- | to load certificate information from the filename obtained by appending -cert.pub to iden‐ | ||
- | tity filenames. | ||
- | |||
- | | ||
- | the server. | ||
- | |||
- | | ||
- | |||
- | -L [bind_address: | ||
- | | ||
- | host and port on the remote side. This works by allocating a socket to listen to port on | ||
- | the local side, optionally bound to the specified bind_address. | ||
- | made to this port, the connection is forwarded over the secure channel, and a connection is | ||
- | made to host port hostport from the remote machine. | ||
- | in the configuration file. IPv6 addresses can be specified by enclosing the address in | ||
- | | ||
- | port is bound in accordance with the GatewayPorts setting. | ||
- | | ||
- | | ||
- | | ||
- | |||
- | -l login_name | ||
- | | ||
- | | ||
- | |||
- | | ||
- | | ||
- | | ||
- | |||
- | -m mac_spec | ||
- | | ||
- | code) algorithms can be specified in order of preference. | ||
- | | ||
- | |||
- | | ||
- | sion 2 only). | ||
- | |||
- | | ||
- | when ssh is run in the background. | ||
- | | ||
- | | ||
- | | ||
- | to ask for a password or passphrase; see also the -f option.) | ||
- | |||
- | -O ctl_cmd | ||
- | | ||
- | the ctl_cmd argument is interpreted and passed to the master process. | ||
- | | ||
- | | ||
- | | ||
- | |||
- | -o option | ||
- | Can be used to give options in the format used in the configuration file. This is useful | ||
- | for specifying options for which there is no separate command-line flag. For full details | ||
- | of the options listed below, and their possible values, see ssh_config(5). | ||
- | |||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | Host | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | IPQoS | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | MACs | ||
- | Match | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | Port | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | User | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | |||
- | -p port | ||
- | Port to connect to on the remote host. This can be specified on a per-host basis in the | ||
- | | ||
- | |||
- | -Q cipher | cipher-auth | mac | kex | key | ||
- | | ||
- | tures are: cipher (supported symmetric ciphers), cipher-auth (supported symmetric ciphers | ||
- | that support authenticated encryption), | ||
- | | ||
- | |||
- | | ||
- | |||
- | -R [bind_address: | ||
- | | ||
- | host and port on the local side. This works by allocating a socket to listen to port on | ||
- | the remote side, and whenever a connection is made to this port, the connection is for‐ | ||
- | | ||
- | local machine. | ||
- | |||
- | Port forwardings can also be specified in the configuration file. Privileged ports can be | ||
- | | ||
- | fied by enclosing the address in square brackets. | ||
- | |||
- | By default, the listening socket on the server will be bound to the loopback interface | ||
- | | ||
- | | ||
- | a remote bind_address will only succeed if the server' | ||
- | | ||
- | |||
- | If the port argument is ‘0’, the listen port will be dynamically allocated on the server | ||
- | and reported to the client at run time. When used together with -O forward the allocated | ||
- | port will be printed to the standard output. | ||
- | |||
- | -S ctl_path | ||
- | | ||
- | | ||
- | | ||
- | |||
- | | ||
- | | ||
- | other applications (eg. sftp(1)). | ||
- | |||
- | | ||
- | |||
- | | ||
- | on a remote machine, which can be very useful, e.g. when implementing menu services. | ||
- | tiple -t options force tty allocation, even if ssh has no local tty. | ||
- | |||
- | | ||
- | |||
- | | ||
- | in debugging connection, authentication, | ||
- | | ||
- | |||
- | -W host:port | ||
- | | ||
- | | ||
- | | ||
- | |||
- | -w local_tun[: | ||
- | | ||
- | | ||
- | |||
- | The devices may be specified by numerical ID or the keyword “any”, which uses the next | ||
- | | ||
- | the Tunnel and TunnelDevice directives in ssh_config(5). | ||
- | it is set to the default tunnel mode, which is “point-to-point”. | ||
- | |||
- | | ||
- | file. | ||
- | |||
- | X11 forwarding should be enabled with caution. | ||
- | | ||
- | X11 display through the forwarded connection. | ||
- | | ||
- | |||
- | For this reason, X11 forwarding is subjected to X11 SECURITY extension restrictions by | ||
- | | ||
- | | ||
- | |||
- | | ||
- | |||
- | | ||
- | RITY extension controls. | ||
- | |||
- | | ||
- | sent to stderr. | ||
- | |||
- | ssh may additionally obtain configuration data from a per-user configuration file and a system-wide | ||
- | | ||
- | |||
- | AUTHENTICATION | ||
- | The OpenSSH SSH client supports SSH protocols 1 and 2. The default is to use protocol 2 only, | ||
- | | ||
- | | ||
- | it provides additional mechanisms for confidentiality (the traffic is encrypted using AES, 3DES, | ||
- | | ||
- | | ||
- | of the connection. | ||
- | |||
- | The methods available for authentication are: GSSAPI-based authentication, | ||
- | tion, public key authentication, | ||
- | | ||
- | tion option to change the default order: PreferredAuthentications. | ||
- | |||
- | | ||
- | / | ||
- | both sides, or if the files ~/.rhosts or ~/.shosts exist in the user's home directory on the remote | ||
- | | ||
- | that machine, the user is considered for login. | ||
- | the client' | ||
- | | ||
- | | ||
- | | ||
- | if security is desired.] | ||
- | |||
- | | ||
- | | ||
- | | ||
- | | ||
- | user knows the private key. ssh implements public key authentication protocol automatically, | ||
- | one of the DSA, ECDSA, ED25519 or RSA algorithms. | ||
- | but protocol 2 may use any. The HISTORY section of ssl(8) contains a brief discussion of the DSA | ||
- | and RSA algorithms. | ||
- | |||
- | The file ~/ | ||
- | user logs in, the ssh program tells the server which key pair it would like to use for authentica‐ | ||
- | | ||
- | | ||
- | |||
- | The user creates his/her key pair by running ssh-keygen(1). | ||
- | | ||
- | | ||
- | in ~/ | ||
- | tocol 2 ECDSA), ~/ | ||
- | in the user's home directory. | ||
- | in his/her home directory on the remote machine. | ||
- | | ||
- | the user can log in without giving the password. | ||
- | |||
- | A variation on public key authentication is available in the form of certificate authentication: | ||
- | | ||
- | a single trusted certification authority can be used in place of many public/ | ||
- | | ||
- | |||
- | The most convenient way to use public key or certificate authentication may be with an authentica‐ | ||
- | tion agent. | ||
- | |||
- | | ||
- | and prompts for a response. | ||
- | | ||
- | BSD Authentication (see login.conf(5)) and PAM (some non-OpenBSD systems). | ||
- | |||
- | | ||
- | is sent to the remote host for checking; however, since all communications are encrypted, the pass‐ | ||
- | word cannot be seen by someone listening on the network. | ||
- | |||
- | ssh automatically maintains and checks a database containing identification for all hosts it has | ||
- | ever been used with. Host keys are stored in ~/ | ||
- | | ||
- | hosts are automatically added to the user's file. If a host's identification ever changes, ssh | ||
- | warns about this and disables password authentication to prevent server spoofing or man-in-the-mid‐ | ||
- | dle attacks, which could otherwise be used to circumvent the encryption. | ||
- | | ||
- | |||
- | When the user's identity has been accepted by the server, the server either executes the given com‐ | ||
- | mand, or logs into the machine and gives the user a normal shell on the remote machine. | ||
- | | ||
- | |||
- | If a pseudo-terminal has been allocated (normal login session), the user may use the escape charac‐ | ||
- | ters noted below. | ||
- | |||
- | If no pseudo-tty has been allocated, the session is transparent and can be used to reliably trans‐ | ||
- | fer binary data. On most systems, setting the escape character to “none” will also make the ses‐ | ||
- | sion transparent even if a tty is used. | ||
- | |||
- | The session terminates when the command or shell on the remote machine exits and all X11 and TCP | ||
- | | ||
- | |||
- | ESCAPE CHARACTERS | ||
- | When a pseudo-terminal has been requested, ssh supports a number of functions through the use of an | ||
- | | ||
- | |||
- | A single tilde character can be sent as ~~ or by following the tilde by a character other than | ||
- | those described below. | ||
- | | ||
- | tion directive or on the command line by the -e option. | ||
- | |||
- | The supported escapes (assuming the default ‘~’) are: | ||
- | |||
- | | ||
- | |||
- | | ||
- | |||
- | | ||
- | |||
- | | ||
- | |||
- | | ||
- | |||
- | | ||
- | | ||
- | |||
- | | ||
- | and -D options (see above). | ||
- | with -KL[bind_address: | ||
- | | ||
- | local command if the PermitLocalCommand option is enabled in ssh_config(5). | ||
- | | ||
- | |||
- | | ||
- | | ||
- | |||
- | | ||
- | |||
- | | ||
- | |||
- | TCP FORWARDING | ||
- | | ||
- | mand line or in a configuration file. One possible application of TCP forwarding is a secure con‐ | ||
- | | ||
- | |||
- | In the example below, we look at encrypting communication between an IRC client and server, even | ||
- | | ||
- | the user connects to the remote host using ssh, specifying a port to be used to forward connections | ||
- | to the remote server. | ||
- | the client machine, connecting to the same local port, and ssh will encrypt and forward the connec‐ | ||
- | tion. | ||
- | |||
- | The following example tunnels an IRC session from client machine “127.0.0.1” (localhost) to remote | ||
- | | ||
- | |||
- | $ ssh -f -L 1234: | ||
- | $ irc -c '# | ||
- | |||
- | This tunnels a connection to IRC server “server.example.com”, | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | |||
- | The -f option backgrounds ssh and the remote command “sleep 10” is specified to allow an amount of | ||
- | time (10 seconds, in the example) to start the service which is to be tunnelled. | ||
- | are made within the time specified, ssh will exit. | ||
- | |||
- | X11 FORWARDING | ||
- | If the ForwardX11 variable is set to “yes” (or see the description of the -X, -x, and -Y options | ||
- | | ||
- | X11 display is automatically forwarded to the remote side in such a way that any X11 programs | ||
- | | ||
- | the real X server will be made from the local machine. | ||
- | | ||
- | |||
- | The DISPLAY value set by ssh will point to the server machine, but with a display number greater | ||
- | than zero. This is normal, and happens because ssh creates a “proxy” X server on the server | ||
- | | ||
- | |||
- | ssh will also automatically set up Xauthority data on the server machine. | ||
- | will generate a random authorization cookie, store it in Xauthority on the server, and verify that | ||
- | any forwarded connections carry this cookie and replace it by the real cookie when the connection | ||
- | is opened. | ||
- | sent in the plain). | ||
- | |||
- | If the ForwardAgent variable is set to “yes” (or see the description of the -A and -a options | ||
- | | ||
- | | ||
- | |||
- | VERIFYING HOST KEYS | ||
- | When connecting to a server for the first time, a fingerprint of the server' | ||
- | | ||
- | be determined using ssh-keygen(1): | ||
- | |||
- | $ ssh-keygen -l -f / | ||
- | |||
- | If the fingerprint is already known, it can be matched and the key can be accepted or rejected. | ||
- | | ||
- | port to compare host keys visually, using random art. By setting the VisualHostKey option to | ||
- | | ||
- | | ||
- | find out that the host key has changed when a completely different pattern is displayed. | ||
- | these patterns are not unambiguous however, a pattern that looks similar to the pattern remembered | ||
- | only gives a good probability that the host key is the same, not guaranteed proof. | ||
- | |||
- | To get a listing of the fingerprints along with their random art for all known hosts, the following | ||
- | | ||
- | |||
- | $ ssh-keygen -lv -f ~/ | ||
- | |||
- | If the fingerprint is unknown, an alternative method of verification is available: SSH fingerprints | ||
- | | ||
- | | ||
- | |||
- | In this example, we are connecting a client to a server, “host.example.com”. | ||
- | | ||
- | |||
- | $ ssh-keygen -r host.example.com. | ||
- | |||
- | The output lines will have to be added to the zonefile. | ||
- | | ||
- | |||
- | $ dig -t SSHFP host.example.com | ||
- | |||
- | | ||
- | |||
- | $ ssh -o " | ||
- | [...] | ||
- | | ||
- | Are you sure you want to continue connecting (yes/no)? | ||
- | |||
- | See the VerifyHostKeyDNS option in ssh_config(5) for more information. | ||
- | |||
- | SSH-BASED VIRTUAL PRIVATE NETWORKS | ||
- | ssh contains support for Virtual Private Network (VPN) tunnelling using the tun(4) network pseudo- | ||
- | | ||
- | | ||
- | |||
- | The following example would connect client network 10.0.50.0/ | ||
- | using a point-to-point connection from 10.1.1.1 to 10.1.1.2, provided that the SSH server running | ||
- | on the gateway to the remote network, at 192.168.1.15, | ||
- | |||
- | On the client: | ||
- | |||
- | # ssh -f -w 0:1 192.168.1.15 true | ||
- | # ifconfig tun0 10.1.1.1 10.1.1.2 netmask 255.255.255.252 | ||
- | # route add 10.0.99.0/ | ||
- | |||
- | On the server: | ||
- | |||
- | # ifconfig tun1 10.1.1.2 10.1.1.1 netmask 255.255.255.252 | ||
- | # route add 10.0.50.0/ | ||
- | |||
- | | ||
- | | ||
- | from user “jane” and on tun device 2 from user “john”, if PermitRootLogin is set to | ||
- | | ||
- | |||
- | | ||
- | | ||
- | |||
- | Since an SSH-based setup entails a fair amount of overhead, it may be more suited to temporary set‐ | ||
- | ups, such as for wireless VPNs. More permanent VPNs are better provided by tools such as | ||
- | | ||
- | |||
- | ENVIRONMENT | ||
- | ssh will normally set the following environment variables: | ||
- | |||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | copy any required authorization cookies). | ||
- | |||
- | | ||
- | |||
- | | ||
- | |||
- | | ||
- | |||
- | | ||
- | |||
- | | ||
- | minal if it was run from a terminal. | ||
- | ated with it but DISPLAY and SSH_ASKPASS are set, it will execute the program | ||
- | | ||
- | is particularly useful when calling ssh from a .xsession or related script. | ||
- | (Note that on some machines it may be necessary to redirect the input from | ||
- | / | ||
- | |||
- | | ||
- | | ||
- | |||
- | | ||
- | tains four space-separated values: client IP address, client port number, | ||
- | | ||
- | |||
- | | ||
- | | ||
- | |||
- | | ||
- | | ||
- | is not set. | ||
- | |||
- | | ||
- | | ||
- | |||
- | | ||
- | |||
- | | ||
- | | ||
- | | ||
- | |||
- | ENVIRONMENT | ||
- | | ||
- | The reseeding of the OpenSSL random generator is usually done from / | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | |||
- | FILES | ||
- | | ||
- | This file is used for host-based authentication (see above). | ||
- | may need to be world-readable if the user's home directory is on an NFS partition, because | ||
- | | ||
- | have write permissions for anyone else. The recommended permission for most machines is | ||
- | | ||
- | |||
- | | ||
- | This file is used in exactly the same way as .rhosts, but allows host-based authentication | ||
- | | ||
- | |||
- | | ||
- | This directory is the default location for all user-specific configuration and authentica‐ | ||
- | tion information. | ||
- | | ||
- | not accessible by others. | ||
- | |||
- | | ||
- | Lists the public keys (DSA, ECDSA, ED25519, RSA) that can be used for logging in as this | ||
- | | ||
- | | ||
- | | ||
- | |||
- | | ||
- | This is the per-user configuration file. The file format and configuration options are | ||
- | | ||
- | | ||
- | |||
- | | ||
- | | ||
- | |||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | be readable by the user but not accessible by others (read/ | ||
- | | ||
- | | ||
- | file using 3DES. | ||
- | |||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | | ||
- | need not) be readable by anyone. | ||
- | |||
- | | ||
- | | ||
- | the systemwide list of known host keys. See sshd(8) for further details of the format of | ||
- | this file. | ||
- | |||
- | | ||
- | | ||
- | shell (or command) is started. | ||
- | |||
- | / | ||
- | This file is for host-based authentication (see above). | ||
- | root. | ||
- | |||
- | / | ||
- | This file is used in exactly the same way as hosts.equiv, | ||
- | tion without permitting login with rlogin/rsh. | ||
- | |||
- | / | ||
- | | ||
- | | ||
- | |||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | / | ||
- | These files contain the private parts of the host keys and are used for host-based authen‐ | ||
- | | ||
- | | ||
- | keys, eliminating the requirement that ssh be setuid root when host-based authentication is | ||
- | | ||
- | |||
- | / | ||
- | | ||
- | tor to contain the public host keys of all machines in the organization. | ||
- | | ||
- | |||
- | / | ||
- | | ||
- | shell (or command) is started. | ||
- | |||
- | EXIT STATUS | ||
- | ssh exits with the exit status of the remote command or with 255 if an error occurred. | ||
- | |||
- | IPV6 | ||
- | IPv6 address can be used everywhere where IPv4 address. In all entries must be the IPv6 address | ||
- | | ||
- | | ||
- | |||
- | SEE ALSO | ||
- | | ||
- | | ||
- | |||
- | STANDARDS | ||
- | S. Lehtinen and C. Lonvick, The Secure Shell (SSH) Protocol Assigned Numbers, RFC 4250, January | ||
- | 2006. | ||
- | |||
- | T. Ylonen and C. Lonvick, The Secure Shell (SSH) Protocol Architecture, | ||
- | |||
- | T. Ylonen and C. Lonvick, The Secure Shell (SSH) Authentication Protocol, RFC 4252, January 2006. | ||
- | |||
- | T. Ylonen and C. Lonvick, The Secure Shell (SSH) Transport Layer Protocol, RFC 4253, January 2006. | ||
- | |||
- | T. Ylonen and C. Lonvick, The Secure Shell (SSH) Connection Protocol, RFC 4254, January 2006. | ||
- | |||
- | J. Schlyter and W. Griffin, Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints, | ||
- | 4255, January 2006. | ||
- | |||
- | F. Cusack and M. Forssen, Generic Message Exchange Authentication for the Secure Shell Protocol | ||
- | | ||
- | |||
- | J. Galbraith and P. Remaker, The Secure Shell (SSH) Session Channel Break Extension, RFC 4335, | ||
- | | ||
- | |||
- | M. Bellare, T. Kohno, and C. Namprempre, The Secure Shell (SSH) Transport Layer Encryption Modes, | ||
- | RFC 4344, January 2006. | ||
- | |||
- | B. Harris, Improved Arcfour Modes for the Secure Shell (SSH) Transport Layer Protocol, RFC 4345, | ||
- | | ||
- | |||
- | M. Friedl, N. Provos, and W. Simpson, Diffie-Hellman Group Exchange for the Secure Shell (SSH) | ||
- | | ||
- | |||
- | J. Galbraith and R. Thayer, The Secure Shell (SSH) Public Key File Format, RFC 4716, November 2006. | ||
- | |||
- | D. Stebila and J. Green, Elliptic Curve Algorithm Integration in the Secure Shell Transport Layer, | ||
- | RFC 5656, December 2009. | ||
- | |||
- | A. Perrig and D. Song, Hash Visualization: | ||
- | | ||
- | |||
- | AUTHORS | ||
- | | ||
- | bell, Bob Beck, Markus Friedl, Niels Provos, Theo de Raadt and Dug Song removed many bugs, re-added | ||
- | newer features and created OpenSSH. | ||
- | sions 1.5 and 2.0. | ||
- | |||
- | BSD | ||
- | |||
- | |||
- | |||
- | |||
- | ===== Configuration ===== | ||
- | ==== ssh Daemon ==== | ||
===== ssh in practice ===== | ===== ssh in practice ===== | ||
Even though **ssh** transmits the password encrypted, it is worth taking a look at the alternative | Even though **ssh** transmits the password encrypted, it is worth taking a look at the alternative | ||
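Review bot: removing the whole Dokumentation section also drops the section's second line, the only pointer on the page to notes on hardening **ssh** (its `[[https://` link target is cut off in this view); keep that one sentence even if the pasted copy of the ssh(1) manual page goes, since that copy duplicates `man ssh` and is the only place the page carries the `Agent forwarding should be enabled with caution.` and `X11 forwarding should be enabled with caution.` warnings. The removed `===== Konfiguration =====` and `==== ssh Daemon ====` headings have no content under them in this diff, so dropping them is fine.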
Line 1025: | Line 156: | ||
The key fingerprint is: | The key fingerprint is: | ||
2b: | 2b: | ||
- | |||
- | $ ssh-keygen -t ed25519 -o -a 100 -C django@nausch.org -f ~/ | ||
- | |||
- | |||
Die // | Die // | ||
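Review bot: the removed line `$ ssh-keygen -t ed25519 -o -a 100 -C django@nausch.org -f ~/...` is the only Ed25519 key-generation example in this hunk, and the context that remains shows a fingerprint in the older colon-separated hex form (`2b:...`); if the goal was only to restore the 2013 text, consider re-adding this command, since `-t ed25519 -o -a 100` selects an Ed25519 key, the newer OpenSSH private-key format and 100 KDF rounds for the passphrase.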
Line 1062: | Line 189: | ||
</ | </ | ||
==== authorized_keys vs. authorized_keys2 ==== | ==== authorized_keys vs. authorized_keys2 ==== | ||
- | <WRAP round tip>With the introduction of SSH version 2, the file '' | + | <WRAP round info>With the introduction of SSH version 2, the file '' |
===== ssh-Daemon ===== | ===== ssh-Daemon ===== | ||
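Review bot: the only change in this hunk is `<WRAP round tip>` becoming `<WRAP round info>`; the box explains a compatibility detail (authorized_keys vs. authorized_keys2) rather than giving advice, so `info` is the better fit and the change can stay.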
Line 1194: | Line 321: | ||
} | } | ||
state Workstation { | state Workstation { | ||
- | Workstation : Gerät: | + | Workstation : Gerät: |
Workstation : Hostname: pml010040 | Workstation : Hostname: pml010040 | ||
Workstation : CNAME: office-work | Workstation : CNAME: office-work | ||
Line 1269: | Line 396: | ||
Host daxie | Host daxie | ||
Hostname < | Hostname < | ||
- | ProxyCommand | + | ProxyCommand |
</ | </ | ||