네트워킹

오늘:
1,037
어제:
2,474
전체:
2,778,937

고객센타 : 070-7752-2000
팩스 : 070-7752-2001
휴대폰 : 010-9513-0019
email : voipkorea@yahoo.co.kr

국민은행
(주)제이에스솔루션
047101-04-155519

Flag Counter
■ 무료 : 유선 집전화 휴대폰 ( 한국 미국 중국 카나다) ↔ (국내 해외 여행자 상사 주재원 유학생) / 가입무 무제한무료■



https://kimmo.suominen.com/docs/ssh/

Getting started with SSH

The following sections hope to provide enough information to setup a user new to ssh with the appropriate files necessary for accessing remote hosts in a secure manner. Improvements to and comments about this document are welcome.

Updated: The examples now show ssh version 2 commands, using OpenSSH. There are several security vulnerabilities in protocol version 1. Everyone should have already migrated to version 2 by now, so it was about time for me to also reflect best practises in this document. I also updated the link section at the end of the document to better reflect today’s software selection.

Contents

About public key cryptography

Public key cryptography uses a public key to encrypt data and a private key to decrypt it. The name public key comes from the fact that you can make the encryption key public without compromising the secrecy of the data or the decryption key.

What this means is that it is safe to send your public key (i.e. the contents of the ~/.ssh/id_rsa.pubfile) in electronic mail or by other means e.g. to have a system administrator of a remote site install that key into your ~/.ssh/authorized_keys file. For anyone to actually gain access they need the corresponding private key (i.e. the decrypted contents of ~/.ssh/id_rsa) to identify themselves.

To further protect your private key you should enter a passphrase to encrypt the key when it is stored in the filesystem. This will prevent people from using it even if they gain access to your files.

Creating your authentication key

The very first step is to use ssh-keygen to create an authentication key for yourself. In most cases the defaults for this command are what you want.

Always, always, type in a good pass-phrase when prompted for one. It can be multiple words (i.e. spaces are just fine within the phrase), so you could choose a sentence that you can remember. Changing some of the words by misspelling them or by changing some of the letters into digits is highly recommended to increase the strength of your pass phrase.

Here is a sample session, your input is in bold. Note that the pass-phrase is not echoed back as you type it.

  beowulf% ssh-keygen -t rsa
  Generating public/private rsa key pair.
  Enter file in which to save the key (/u/kim/.ssh/id_rsa): [RETURN]
  Enter passphrase (empty for no passphrase): 1amp jumb3d
  Enter same passphrase again: 1amp jumb3d
  Your identification has been saved in /u/kim/.ssh/id_rsa.
  Your public key has been saved in /u/kim/.ssh/id_rsa.pub.
  The key fingerprint is:
  b7:18:ad:3b:0b:50:5c:e1:da:2d:6f:5b:65:82:94:c5 kim@beowulf.gw.com

If you have multiple accounts you might want to create a separate key on each of them. I have separate keys for

  • my office environment
  • my private systems
  • my Internet service provider (ISP) systems
  • my university account

This allows me to limit access between these organizations, e.g. not allowing the university account to access my ISP account or the machines in the office. This enhances the overall security in case any of the authentication keys are compromised for some reason.

Changing your pass-phrase

You can change the pass-phrase at any time by using the -p option of ssh-keygen.

  beowulf% ssh-keygen -p
  Enter file in which the key is (/u/kim/.ssh/id_rsa): [RETURN]
  Enter old passphrase: 1amp jumb3d
  Key has comment '/u/kim/.ssh/id_rsa'
  Enter new passphrase (empty for no passphrase): cow 3ats grass
  Enter same passphrase again: cow 3ats grass
  Your identification has been saved with the new passphrase.

The pass-phrases are not echoed as you type them.

Authorizing access

To allow access to a system for a given identity place the public key in your ~/.ssh/authorized_keysfile on that system. All keys listed in that file are allowed access.

Usually you will want to authorize access to the local system using the local key (especially in an environment where multiple systems share the same home directory e.g. using NFS). Thus a good start is to copy the public key for your default identity into the ~/.ssh/authorized_keys file.

  beowulf% cd ~/.ssh
  beowulf% cp id_rsa.pub authorized_keys

You could now copy the ~/.ssh/authorized_keys file to other systems to allow access from the local system. One way to copy the file is to use the scp command, like this:

  beowulf% scp -p ~/.ssh/authorized_keys hrothgar:.ssh/
  kim@hrothgar's password: YourPasswordHere
  authorized_keys               100% 1839     1.2MB/s   00:00

As no identities have been authorized yet on the remote system, you will be asked for your regular login password as seen above. It will not be echoed as you type it. The Copying files between systems section has more information about scp.

Use a text editor to add more keys to the file. If you use cut and paste to copy the key make sure each key entry is a single line in the file. The keys to add are always the public keys (from files with the .pubextension).

NOTE: To gain access to restricted systems you might need to send your public key in electronic mail to the administrator of the system. Just include the contents of the ~/.ssh/id_rsa.pub file in the message.

Directory and file permissions

If access to the remote system is still denied you should check the permissions of the following files on it:

  • the home directory itself
  • the ~/.ssh directory
  • the ~/.ssh/authorized_keys file

The permissions should allow writing only by you (the owner). This example shows the most relaxed permissions you could use.

  hrothgar% cd
  hrothgar% ls -ld . .ssh .ssh/authorized_keys
  drwxr-xr-x 36 kim kim 4096 Jul 25 02:24 .
  drwxr-xr-x  2 kim kim  512 Apr 10 02:30 .ssh
  -rw-r--r--  1 kim kim 1674 Apr 10 02:29 .ssh/authorized_keys

To make the remote system allow access you must change the permissions to disallow writing by others than the owner.

  hrothgar% cd
  hrothgar% chmod go-w . .ssh .ssh/authorized_keys

Remember to do this on all the systems you want to have access to.

Logging into remote systems

To establish an interactive connection to a remote system you would use either the slogin or thessh command. The only parameter is the name of the remote system. The pass-phrase is not echoed back to you when you type it.

  beowulf% slogin hrothgar
  Enter passphrase for key '/u/kim/.ssh/id_rsa': 1amp jumb3d
  Last login: Wed Jul 21 00:00:49 2004 from beowulf.gw.com
  [more output from the remote machine]
  hrothgar%

You can avoid the pass-phrase prompts by keeping the authentication keys in memory. You only need to type the pass-phrase when you add a key into memory.

If your account name on the remote system differs from the one on the local system (the system you are connecting from) you can use the -l switch to specify the remote account name.

  beowulf% slogin -l suominen panix.com
  Last login: Sun Jun 13 14:55:17 2004 from beowulf.gw.com
  [more output from the remote machine]
  panix%

You can change the default remote account name by creating a configuration file entry for the host.

Keeping authentication keys in memory

If you frequently open connections to remote systems you can run your session under the ssh-agent. The agent will provide decrypted authentication keys to all the commands when new connections are created.

When you start ssh-agent you need to provide it a command to spawn. This is usually either your shell or a command to start a windowing environment. When you exit the command all keys will be removed from memory.

  beowulf% ssh-agent $SHELL
  beowulf%

You will now need to add keys into memory to have them available for other commands.

Running X on a local display

If you have workstation where you start the X window system after logging in you can have the whole windowing environment benefit from the keys in memory. The X window system is normally started withstartx and the initial clients are in your ~/.xinitrc file.

  beowulf% ssh-agent startx &

If your workstation has virtual consoles it is good to put the X window system in the background so the current virtual console can still be used for more commands if necessary. It won’t hurt to background the command even without virtual consoles.

NOTE: Your system might have a non-standard way of starting the X window system. Replace startxwith the appropriate command if necessary. Please ask your system administrator for the exact command to use.

Running X with an xdm session

If you use an X-terminal or your workstation is running xdm you need to arrange for the clients to run under ssh-agent. The easiest way (which is conveniently compatible with the method used withoutxdm) is to put all initial clients into the ~/.xinitrc file which in turn is called from the ~/.xsessionfile.

An example ~/.xsession file is below. It runs ssh-agent only if you have a ~/.ssh directory.

  #!/bin/sh
  if [ -d $HOME/.ssh ]
  then EXEC="exec ssh-agent"
  else EXEC="exec"
  fi
  if [ -x $HOME/.xinitrc ]
  then $EXEC $HOME/.xinitrc
  else $EXEC xterm -geometry 80x24+0-60 -ls
  fi

Make sure the files are executable. The following command will change the permissions suitably.

  beowulf% chmod a+x ~/.xinitrc ~/.xsession

NOTE: If you are using an X-terminal keep in mind that your session is most likely not secure. Usually anything you type can be captured on the local area network you are connected to.

Managing keys in memory

Before your connections can be authenticated without prompts for a pass-phrase you have to use ssh-add to add the necessary keys to memory. To add the default key on the current system to memory no options are needed. The pass-phrase is prompted for to decrypt the key. It is not echoed back as you type it.

  beowulf% ssh-add
  Enter passphrase for /u/kim/.ssh/id_rsa: 1amp jumb3d
  Identity added: /u/kim/.ssh/id_rsa (/u/kim/.ssh/id_rsa)

You can specify the file that contains the key if you have other identities than the default. You must use the private key file (the one that does not have the .pub extension).

The -d option will have the key deleted from memory. There is no ssh-delete command.

  beowulf% ssh-add -d ~/.ssh/isp

To list all keys currently in memory use the -l option.

  beowulf% ssh-add -l
  1024 [hex numbers] /u/kim/.ssh/id_rsa (RSA)
  1024 [hex numbers] /u/kim/.ssh/isp (RSA)

You can delete all keys from memory at once with the -D option.

  beowulf% ssh-add -D

This is useful if you have added keys into memory on remote systems and don’t want to reconnect just to delete the keys.

Running commands on remote systems

The ssh command can also be used to run commands on remote systems without logging in. The output of the command is displayed and control returns to the local system. Here is an example which will display all the users logged in on the remote system.

  beowulf% ssh hrothgar who
  christos ttyp8    Oct 17 20:42  (milou)
  beowulf%

If you are using the X Window System you can use this capability to start a terminal window to start an interactive session on the remote system.

  beowulf% ssh -n hrothgar xterm &
  [1] 15866
  beowulf%

Use the -n to prevent the remote system from trying to read from the terminal starting the xterm and put the process in the background. A new window from the remote system should appear shortly on your display.

Copying files between systems

You can copy files from the local system to a remote system or vice versa, or even between two remote systems using the scp command. To specify a file on a remote system simply prefix it with the name of the remote host followed by a colon.

If you leave off the filename of the copy or specify a directory only the name of the source file will be used. An easy way of retrieving a copy of a remote file into the current directory while keeping the name of the source file is to use a single dot as the destination.

  beowulf% scp -p hrothgar:aliases .
  beowulf%

The -p option is not required. It indicates that the modification and access times as well as modes of the source file should be preserved on the copy. This is usually desirable.

You can copy several files in a single command if the destination is a directory.

  beowulf% scp -p hrothgar:.login hrothgar:.logout panix.com:.
  beowulf%

Relative filenames resolve differently on the local system than on the remote system. On the local system the current directory is assumed (as usual with all commands). On the remote system the command runs in the home directory! Thus relative filenames will be relative to the home directory of the remote account.

NOTE: When you specify remote machines in both the source and the destination the connection to copy the files is made directly between those hosts. The files are not copied through the local system. Sometimes this makes a difference in a firewalled or otherwise restricted environment.

Changing default settings

The defaults for the ssh-related commands can be altered for each account in a configuration file~/.ssh/config (there is also a system-wide file, usually /etc/ssh/ssh_config). Each entry starts with a Host keyword. You can use wildcards to match all the appropriate systems:

  • ? matches any single character
  • * matches any sequence of zero or more characters

Usual keywords include (defaults in parenthesis):

Compression yes/no (no)
Controls whether compression is used on the connection.
CompressionLevel 1-9 (6)
Level of compression: 1 is fastest, 9 is slowest (achieves best compression). Compression is good for slow links (saves bandwidth) and fast machines.
FallBackToRsh yes/no (yes)
If a secure connection to the remote system cannot be established the commands can try unsecure connections (a warning will be displayed if this happens). On highly secure systems this could be disabled in the system-wide configuration.
KeepAlive yes/no (yes)
Controls whether TCP keepalive messages are used. When enabled it is possible to detect network outages and automatically close your connections (which is good). However, if you are connected over a dialup link that automatically dials when there is traffic, you will want to turn this off to avoid unnecessarily bringing up the line.
User account (local account)
Specify the remote account name. Add this to avoid having to use the -l option when issuing commands.

Here is an example ~/.ssh/config file.

  Host *panix.com
    User suominen
    Compression no

  Host *gw.com
    FallBackToRsh no

  Host *
    Compression yes
    CompressionLevel 9
    FallBackToRsh yes
    KeepAlive no

Options are accumulated over entries, but a more specific entry will override a less specific one. E.g. in the above compression will not be used for hosts that match *panix.com but will be used for hosts that match *gw.com (and all other hosts since the * entry matches all hosts).

For a complete list of options please refer to the manual pages of both ssh and sshd.

Sources of more information

  • OpenSSH is a free ssh suite implementation for Unix-like systems, under a BSD license.
  • The OpenSSH FAQ answers common questions on obtaining and using the OpenSSH suite.
  • LSH is a free ssh suite implementation under a GNU license (protocol version 2 only).
  • PuTTY is a free ssh client suite for 32-bit Windows platforms, under an MIT-license (BSD-like).
  • WinSCP is an open source sftp and scp client for Windows with a drag-and-drop interface.
  • NiftyTelnet SSH is a free ssh terminal client for MacOS. It also supports scp.
  • SSH Communications Security offers commercial implementations of ssh.
  • The Secure Shell FAQ anwers questions on obtaining and using the commercial version.
Copyright © 1996–2013 Kimmo Suominen.
All rights reserved.
https://kimmo.suominen.com/docs/ssh/
조회 수 :
10919
등록일 :
2013.09.05
05:36:34 (*.251.139.158)
엮인글 :
http://webs.co.kr/index.php?document_srl=24706&act=trackback&key=130
게시글 주소 :
http://webs.co.kr/index.php?document_srl=24706
List of Articles
번호 제목 글쓴이 날짜 조회 수
97 How To Install Java with Apt-Get on Ubuntu 16.04 oracle java admin 2017-10-13 1
96 우분투 Linux(Ubuntu)에 Java설치 및 환경 설정하는 방법 admin 2017-10-13 10
95 우분투 다운로드 사이트 주소 ubuntu download 16.04.3 17.04 site link admin 2017-10-13 9
94 How to install Java on linux with no Internet connectivity (using local repository) admin 2017-10-01 257
93 윈도우 ssh 접속 프로그램 admin 2017-09-29 260
92 openvpn Easy Windows Guide admin 2017-09-20 387
91 OpenVPN - Getting started How-To admin 2017-09-20 395
90 openssl 을 이용한 인증서 생성 절차를 정리한다. 개인키 CSR SSL 인증서 파일 생성 admin 2017-09-14 446
89 How to Manually Unblock / Unban IP Address in fail2ban 차단풀기 admin 2017-09-12 443
88 How To Protect SSH with fail2ban on Debian 7 데비안 ssh 방어 무작위 로그인 admin 2017-09-12 462
87 SSH 무작위 로그인 시도 막기(With Fail2Ban on CentOS 6/7 + selinux) admin 2017-09-12 454
86 리눅스 데비안 네트워크 설정 유선랜 무선랜 linux debian network setting 설정 admin 2017-09-07 508
85 linux debian 계열 network 설정 테트워크 데비안 admin 2017-09-07 503
84 PUTTY DOWNLOAD - FREE SSH & TELNET CLIENT admin 2017-09-03 602
83 debian 8.8 download cd1 cd2 cd3 etc admin 2017-09-03 533
82 Debian Download 데비안 리눅스 다운로드 admin 2017-09-02 781
81 데비안 리눅스 부팅시에 방화벽 서버에 자동실행 되게 설정 해보자 admin 2017-08-30 537
80 리눅스 시작시에 부팅시 프로세스 프로그램 자동 실행 설정 admin 2017-08-30 556
79 리눅스 시작시 부팅 시, 프로그램 자동실행 등록하기 admin 2017-08-30 578
78 리눅스 부팅시 시작시 프로그램 명령어 실행하기 (Linux Init script) admin 2017-08-30 548
77 리눅스 부팅시 자동 실행 명령스크립트 실행하기 만들기 이해 linux booting admin 2017-08-30 566
76 부팅시 자동실행 명령어 스크립트, rc.local admin 2017-08-30 548
75 the world’s most widely deployed RADIUS server document admin 2017-08-29 548
74 네트워크 디바이스명 변경 리눅스 eth0 eth1 admin 2017-08-29 568
73 Cloned VMware CentOS6 Server "device eth0 does not seem to be present, admin 2017-08-29 552
72 VMWARE VM Error boot loader install grub - install /dev/sda or /dev/hda MBR linux admin 2016-01-27 1131
71 Linux and Unix touch command admin 2015-11-15 1402
70 Configuration of Red Hat 5.4 Xen for SR-IOV Support admin 2015-08-02 1744
69 apt-get install linux-image-2.6.26-2-686-bigmem admin 2015-06-27 1875
68 intel i210 driver install and compile debian admin 2015-06-27 2497
67 Debian / Ubuntu Linux Install Kernel Headers Package admin 2015-06-27 1820
66 mount -t auto /dev/sdb1 /mnt && ls /mnt admin 2015-06-27 1778
65 kali linux 해킹 hacking attack DDOS etc tools admin 2015-06-24 2201
64 sources.list lenny admin 2015-02-03 2628
63 Ubuntu 14.04 원격 접속(xrdp) 설정 admin 2014-12-21 8327
62 Remote Desktop Connection from Windows 7/8 to Ubuntu 14.04 admin 2014-12-21 3210
61 Using Windows RDP to Access your Ubuntu Instance admin 2014-12-21 2840
60 Install GUI on Ubuntu Server admin 2014-12-21 3040
59 How to start GUI from command line? admin 2014-12-21 3022
58 Download all files in a directory using WGET admin 2014-12-16 3003
57 문서 편집기 vi vim command 명령어 정리 admin 2014-10-29 4408
56 find 명령 사용 예제들 admin 2014-10-29 3559
55 특정 IP 엑세스 못하게 하는방법 admin 2014-10-29 3748
54 scp 명령어를 이용한 파일 복사 및 전송 admin 2014-10-29 4392
53 [리눅스] 소프트웨어 레이드의 리빌딩 및 리싱킹 속도를 높이는 5가지 방법 admin 2014-10-17 3970
52 /bin/false, /sbin/nologin 의 차이점 admin 2014-10-13 4772
51 리눅스 시스템 유저 추가 명령어 useradd 사용하기 admin 2014-08-09 4124
50 리눅스 시스템 시작시에 자동 실행할 파일 등록하기 admin 2014-03-22 18785
49 linux 에티터 명령어 정리 포그라운드 전환 : ctrl + z 다시 vi 모드로 돌아오려면 fg admin 2014-03-05 6727
48 Linux Memory Management – Virtual Memory and Demand Paging admin 2014-03-03 5996
47 iptables rules tcp drop all port except tcp 22 admin 2014-02-26 7305
46 seagate HD 시게이트 하드 디스크 A/S 에이에스 기간 조회 및 받는 3가지 방법 admin 2013-12-09 7557
45 SSH Without Authentication Using Key Files (CentOS 5.6) admin 2013-11-22 6751
» Getting started with SSH public key cryptography admin 2013-09-05 10919
43 암호 없이 SSH 접속하기 admin 2013-09-05 7055
42 Linux Date Command Examples to Display and Set System Date Time admin 2013-07-11 8657
41 FreeRADIUS 설치(freeradius-sever-2.1.8) admin 2013-04-19 14636
40 Radius를 이용한 ssh 인증 서버 구축하기 admin 2013-04-19 11121
39 CentOS 5.4에서 RADIUS 서버 설치하기 admin 2013-04-19 19539
38 Event IP 20187 admin 2013-04-08 6981
37 리눅스에서 자바(JDK) 설치하기 admin 2013-04-08 7954
36 리눅스 네트워크 설정 멸령어 Linux admin 2013-04-08 7944
35 [linux]리눅스 버전및 CPU등 환경정보 확인하기 admin 2013-04-08 22557
34 Linux 시스템 백업과 복원 admin 2013-04-04 7329
33 tar로 전체시스템 백업 LINUX Backup admin 2013-04-04 16705
32 다운된 리눅스서버 응급복구 admin 2013-03-28 10533
31 Build a RADIUS server on Linux admin 2013-03-23 9218
30 Deploying FreeRADIUS with the MySQL Cluster Database file admin 2013-03-22 7631
29 FREE RADIUS 활용및 응용 admin 2013-02-23 18029
28 리눅스에 RADIUS 서버 구현하기 admin 2012-09-01 37917
27 Debian CD DVD 다운로드 링크 헤메지말고 바로 다운로드하지요 admin 2012-08-18 8238
26 Site builder shootout: Drupal vs. Joomla vs. WordPress admin 2012-07-15 27575
25 WinXP 부팅안되는 현상 NTLDR is missing 메세지 admin 2012-07-12 8851
24 윈도우XP 알면 정말 편한 숨겨진 기능 60가지 admin 2012-05-11 11289
23 한국인/국내기업은 얼마나 Linux Kernel에 기여할까? admin 2012-04-29 9561
22 scp, ssh, rsync등을 사용할때에 SSH 비밀번호 묻는것 피하기 admin 2012-04-15 9349
21 [Linux/SSL] 리눅스 서버에 Apache 2 설치 및 SSL 설정하기(mod_ssl, openssl) admin 2012-04-15 10158
20 리눅스의 막강한 네트워크 필터 iptables admin 2012-04-15 8461
19 Centos net install web http admin 2012-03-02 12204
18 Linux 시스템 백업과 복원 admin 2012-02-28 9507
17 검색 파일리스트 만든 다음 여러파일 한방에 압축하기 admin 2012-02-14 10277
16 linux 파티션 디렉토리 용량 확인방법 전체 폴더 크기 사이즈 admin 2012-01-05 10621
15 How to disable IPv6 in Debian Lenny and Squeeze admin 2011-12-29 8811
14 리눅스 네트워크 설정 LINUX admin 2011-12-19 9544
13 다양한 사운드 파일있는곳 admin 2011-12-19 7937
12 모든 CPU 벤치마크 수치 admin 2011-12-16 9759
11 Wireshark admin 2011-12-16 8196
10 스트리밍서버 / 윈도우서버 admin 2011-12-16 9402
9 무료백신 여러가지 분류해놓은곳 admin 2011-12-16 8373
8 윈도우 2003 작업 스케줄러 설정 admin 2011-12-16 12810
7 파이썬 설치 및 사용하기 admin 2011-12-16 10723
6 How to disable IPv6 in Debian , 리눅스 아이피설정 admin 2011-12-16 12994
5 리눅스 서버 이전시 고려할 사항들 admin 2011-12-16 11412
4 ftp 파일전송 여러파일을 한번에 통째로 전송 admin 2011-12-16 11288
3 리눅스 tar 압축 백업복원시 소유자 문제해결 admin 2011-12-16 10328
2 서버이전시 고려할 사항들 admin 2011-12-13 10993
1 Name Server 설정및 이해 admin 2011-12-13 7554