SSH (Secure SHell) 通信协议以安全与可靠为首要考量。以 SSH 连接是安全的:伙伴需认证且数据交换经过加密。
SSH 还涉及两个文件传输服务。 scp 是一个可以像cp命令一样使用的命令行工具,除了指向其他机器的路径需要加机器名冒号前缀。
$ scp file machine:/tmp/
sftp is an interactive command, similar to ftp. In a single session, sftp can transfer several files, and it is possible to manipulate remote files with it (delete, rename, change permissions, etc.). Many FTP clients, including filezilla, support it.
Debian 使用 OpenSSH,一个由 OpenBSD 项目(注重安全,基于 BSD 内核的自由操作系统)维护的自由版本,它效仿了芬兰 SSH Communications Security Corp 公司开发的原始 SSH 软件。该公司最初将 SSH 作为自由软件开发,但是最终决定在专有许可下继续开发。然后,OpenBSD 项目创建了 OpenSSH 维护 SSH 的自由版本。
OpenSSH is split into two packages: the client part is in the openssh-client package, and the server is in the openssh-server package. The ssh meta-package depends on both parts and facilitates installation of both (apt install ssh), while the task-ssh-server, often chosen during the initial installation, depends on the server package only.
每次有人通过 SSH 登入,远程服务器询问密码来授权用户。如果想要自动连接或者使用需要频繁通过 SSH 连接的工具,这就会产生问题。这就是为什么 SSH 提供一种基于密钥的认证系统。
The user generates a key pair on the client machine with ssh-keygen -t rsa; the so generated public key is stored in ~/.ssh/id_rsa.pub, while the corresponding private key is stored in ~/.ssh/id_rsa. The user can then use ssh-copy-id server to add their public key to the ~/.ssh/authorized_keys file on the server, or, if SSH access hasn't been enabled yet, they have to ask the administrator to add their key manually.
If the private key was not protected with a “passphrase” at the time of its creation, all subsequent logins on the server will work without a password. Otherwise, the private key must be decrypted each time by entering the passphrase. Fortunately, ssh-agent allows us to keep private keys in memory to not have to regularly re-enter the password. For this, you simply use ssh-add (once per work session) provided that the session is already associated with a functional instance of ssh-agent. Debian activates it by default in graphical sessions, but this can be deactivated by changing /etc/X11/Xsession.options and commenting out use-ssh-agent. For a console session, you can manually start the agent with eval $(ssh-agent).
9.2.1.2. Cert-Based Authentication
SSH keys cannot just be protected by a password (or not). An often unknown feature is that they can also be signed via certificate, both the host as well as the client keys. This approach comes with several advantages. Instead of maintaining an
authorized_keys file per user as described in the previous section, the SSH server can be configured to trust all client keys signed by the same certificate (see also
第 10.2.2 节 “公钥基础设施:easy-rsa”) by using the
TrustedUserCAKeys and
HostCertificate directives in
/etc/ssh/sshd_config.
TrustedUserCAKeys /etc/ssh/ssh_users_ca.pub
HostKey /etc/ssh/ssh_host_ecdsa_key
HostCertificate /etc/ssh/ssh_host_ecdsa_key-cert.pub
Vice-versa the clients can also be configured to trust the host key signed by the same authority, making it easier to maintain the known_hosts file (even system wide via /etc/ssh/known_hosts).
@cert-authority *.falcot.com ssh-rsa AAAA[..]
Both, public key and certificate authentication, can be used alongside each other.
9.2.1.3. Combining authentication methods
Besides the already mentioned password based, key based, and the certificate based authentication, other methods like using a TOTP exist as well. Not only is this an abundance of options. They can also be combined. On the server side, the AuthenticationMethods directive can define an order of authentication methods a user has to successfully pass, before they are allowed to enter the system. It is even possible to define multiple alternative sequences:
AuthenticationMethods publickey,password publickey,keyboard-interactive:pam
This setting, for example, allows users to login after initially completing the public key authentication, followed by either a successful password authentication or entering a valid TOTP set up via PAM. On the user side, the sequence of methods can be defined using the PreferredAuthentications directive.
The SSH protocol allows forwarding of graphical data (“X11” session, from the name of the most widespread graphical system in Unix); the server then keeps a dedicated channel for those data. Specifically, a graphical program executed remotely can be displayed on the X.org server of the local screen, and the whole session (input and display) will be secure. Since this feature allows remote applications to interfere with the local system, it is disabled by default. You can enable it by specifying X11Forwarding yes in the server configuration file sshd_config(5) or by prepending the public key with the X11-forwarding keyword in the authorized_keys(5) file. Finally, the user must also request it by adding the -X option to the ssh command-line.
-R 和
-L 选项允许
ssh 在两个机器间添加 “加密隧道”,把本地 TCP 端口 (见专栏
基本 TCP/UDP) 映射至远程机器或反之。
运行
ssh -L 8000:server:25 intermediary 命令,将会建立同服务器主机
intermediary 的SSH 会话,并侦听本地端口8000(参考
图 9.3 “使用SSH转发本地端口”)。对于任何建立在该端口的连接,
ssh 将会发起从电脑
intermediary 到
server 端口25 的连接,并将两个连接绑定。
命令
ssh -R 8000:server:25 intermediary也会建立电脑
intermediary 的SSH 会话,但是在本机
ssh 侦听端口8000 (参考
图 9.4 “使用SSH转发远程端口”)。在该端口建立的连接将
ssh 打开本机到
server25 端口的连接,并将两个连接绑定。
两种情况下,连接建立在server 主机的25 端口,它会透过SSH 隧道建立本地机器和中介机器的连接。在前一种情况下,到该隧道的入口是本地端口8000,数据通过 intermediary 定向到公共网络的server。在第二种情况下,隧道输入输出被保留;入口是 intermediary 的8000 端口,输出在本地主机,然后数据被定向到 server。实际上,服务器不是本地机器就是中介机器。这样SSH 保护了一端到另一端的连接。
VNC (Virtual Network Computing)允许远程接入图形桌面。
该工具主要用于技术支持;管理员可以看到用户面临的错误,并演示正确的操作而不必待在他们旁边。
First, the user must authorize sharing their session. The GNOME graphical desktop environment includes that option via → (contrary to previous versions of Debian, where the user had to install and run vino). For this to work network-manager must be managing the network used (e.g. enable the managed mode for devices handled by ifupdown in /etc/NetworkManager/NetworkManager.conf). KDE Plasma still requires using krfb to allow sharing an existing session over VNC. For other graphical desktop environments, the x11vnc or tightvncserver commands (from the Debian packages of the same name) or tigervncserver (tigervnc-standalone-server) serve the same purpose and provide the vnc-server virtual package; you can make either of them available to the user with an explicit menu or desktop entry.
When the graphical session is made available by VNC, the administrator must connect to it with a VNC client. GNOME has vinagre and remmina for that, while the KDE project provides krdc (in the menu at → → ). There are other VNC clients that use the command line, such as xtightvncviewer from the homonym package or xtigervncviewer from the tigervnc-viewer Debian package. Once connected, the administrator can see what is going on, work on the machine remotely, and show the user how to proceed.
