
© 2007 Linux Malagasy

OpenSSH  

Introduction

Although OpenSSH is already installed on many Linux/*BSD/MacOsX/Unix systems, the installed copy often lags behind the latest release. It is worthwhile for a system administrator to understand how to install and use OpenSSH properly. We try to explain that in this series of articles on OpenSSH.

 

Rado Ramarotafika <rado@linuxmg.org> 

OpenSSH: Server/Client (Part I)




What is OpenSSH

SSH, Secure SHell, is a protocol, not a program. In 1995, Tatu Ylönen, from Finland, released SSH-1. SSH-1 exists in versions 1.3 and 1.5. Because of problems found in the use of SSH-1, SSH-2 came out a few years later.

Many programs implement SSH. Among the open-source ones, OpenSSH can be said to be the most mature. OpenSSH can use both SSH-1 and SSH-2.

What OpenSSH is used for

-  Replacing telnet and rsh, which have no encryption
-  Exchanging files between two machines: scp, sftp
-  Restricting the commands a user may run (a user who logs into the machine over ssh)
-  Port forwarding: protecting any unencrypted service by carrying it inside an encrypted tunnel.

Compiling and installing OpenSSH

-  Required software:

If these programs are not yet on the machine you are using, install them before continuing with what is described below. You can also install OpenSSH directly from your distribution's package.

-  Getting the openssh source

Do not forget to also fetch the PGP signature of the archive (openssh-3.8p1.tar.gz.sig).

-  Verifying the PGP signature:

 


[root@rado src]# gpg openssh-3.8p1.tar.gz.sig
gpg: Signature faite mar 24 fév 2004 07:23:50 CET avec une clé DSA ID 86FF9C48
gpg: Impossible de vérifier la signature: clé publique non trouvée

 

 

As this output says, the public key for the signature (ID 86FF9C48) is not yet available.

  • Fetching the public key with ID 86FF9C48

 



[root@rado src]# gpg --keyserver pgpkeys.mit.edu  --recv-keys 86FF9C48
gpg: clé 86FF9C48: clé publique "Damien Miller (Personal Key) <djm@mindrot.org>" importée
gpg:        Quantité totale traitée: 1
gpg:                       importée: 1 

  • Verifying the origin of the archive

 


 [root@rado src]# gpg --verify openssh-3.8p1.tar.gz.sig openssh-3.8p1.tar.gz

gpg: Signature faite mar 24 fév 2004 07:23:50 CET avec une clé DSA ID 86FF9C48
gpg: Bonne signature de "Damien Miller (Personal Key) <djm@mindrot.org>"
gpg: vérifier la base de confiance
gpg: no ultimately trusted keys found
gpg: ATTENTION: Cette clé n'est pas certifiée avec une signature de confiance !
gpg:            Rien ne dit que la signature appartient à son propriétaire.
Empreinte de clé principale: 3981 992A 1523 ABA0 79DB  FC66 CE8E CB03 86FF 9C48
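The two gpg runs above show the point of the exercise: a "Bonne signature" line only says the archive matches some key in your keyring, and the "no ultimately trusted keys found" warning says gpg cannot vouch for that key itself, so the fingerprint it prints has to be compared against a value obtained elsewhere. The following Python is an added example, not part of the original article or of OpenSSH: it runs gpg with its machine-readable --status-fd output and accepts the archive only when the signature is valid and the signing key's fingerprint equals a pinned one (here the fingerprint printed above). The status lines embedded in it are a constructed sample of gpg output with made-up timestamps and SIG_ID; the helper verify_archive needs a working gpg and is not exercised offline.

```python
"""Verify a detached GnuPG signature and pin the signing key's fingerprint.

Added example for the gpg session above; not code from the article or OpenSSH.
"""
import subprocess

# Fingerprint gpg printed above for Damien Miller's key (ID 86FF9C48),
# written the way gpg prints it; spaces are ignored when comparing.
EXPECTED_FPR = "3981 992A 1523 ABA0 79DB  FC66 CE8E CB03 86FF 9C48"

# Constructed sample of `gpg --status-fd 1 --verify` output for the success case.
# The SIG_ID value and timestamps are made up; the key ID and fingerprint are the page's.
GOOD_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] SIG_ID abcdefghijklmnopqrstuvwxyz 2004-02-24 1077603830
[GNUPG:] GOODSIG CE8ECB0386FF9C48 Damien Miller (Personal Key) <djm@mindrot.org>
[GNUPG:] VALIDSIG 3981992A1523ABA079DBFC66CE8ECB0386FF9C48 2004-02-24 1077603830 0 4 0 17 2 00 3981992A1523ABA079DBFC66CE8ECB0386FF9C48
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed sample for the first run above, before the public key was imported.
NO_KEY_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] ERRSIG CE8ECB0386FF9C48 17 2 00 1077603830 9
[GNUPG:] NO_PUBKEY CE8ECB0386FF9C48
"""


def _normalize_fpr(fpr):
    return fpr.replace(" ", "").upper()


def evaluate_status(status_text, expected_fpr):
    """Return (ok, reason) from gpg status lines.

    ok is True only when gpg reports a VALIDSIG *and* the signing fingerprint equals
    the pinned one. A GOODSIG line on its own would accept any key in the keyring,
    which is exactly what the "not certified with a trusted signature" warning is about.
    """
    signing_fpr = None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        tag = fields[1]
        if tag == "NO_PUBKEY":
            return False, "public key %s is not in the keyring; import it first" % fields[2]
        if tag == "BADSIG":
            return False, "signature does not match the archive"
        if tag == "VALIDSIG":
            signing_fpr = _normalize_fpr(fields[2])
    if signing_fpr is None:
        return False, "gpg reported no valid signature"
    if signing_fpr != _normalize_fpr(expected_fpr):
        return False, "signed by %s, expected %s" % (signing_fpr, _normalize_fpr(expected_fpr))
    return True, "valid signature from pinned key %s" % signing_fpr


def verify_archive(sig_path, archive_path, expected_fpr):
    """Run gpg on a real archive (needs gpg installed; not exercised offline)."""
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, archive_path],
        capture_output=True, text=True, check=False)
    return evaluate_status(proc.stdout, expected_fpr)


if __name__ == "__main__":
    print(evaluate_status(GOOD_STATUS, EXPECTED_FPR))
    print(evaluate_status(NO_KEY_STATUS, EXPECTED_FPR))
```

The pinned fingerprint should come from somewhere other than the key server you just fetched the key from (the project's web site, a previous release you already trust, or a key signed by someone you trust); otherwise the check only proves that the key server and the archive agree with each other.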

 


-  Extract the archive
-  Preparation:

 



[root@linux openssh-3.8p1]# ./configure --prefix=/usr --sysconfdir=/etc/ssh --infodir=/usr/share/info/ --mandir=/usr/share/man --with-mantype=man --enable-utmp --enable-wtmp --with-pam   --with-tcp-wrappers --with-ssl-dir=/usr/local/ssl
...

 

  • The message printed at the end of ./configure summarizes the chosen options. Check above all the part about openssl.

OpenSSH has been configured with the following options:
                    User binaries: /usr/bin
                  System binaries: /usr/sbin
              Configuration files: /etc/ssh
                  Askpass program: /usr/libexec/ssh-askpass
                     Manual pages: /usr/share/man/manX
                         PID file: /var/run
 Privilege separation chroot path: /var/empty
           sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin
                   Manpage format: man
                      PAM support: yes
                KerberosV support: no
                Smartcard support: no
                    S/KEY support: no
             TCP Wrappers support: yes
             MD5 password support: yes
      IP address in $DISPLAY hack: no
          Translate v4 in v6 hack: yes
                 BSD Auth support: no
             Random number source: OpenSSL internal ONLY

             Host: i686-pc-linux-gnu
         Compiler: gcc
   Compiler flags: -g -O2 -Wall -Wpointer-arith -Wno-uninitialized
Preprocessor flags: -I/usr/local/ssl/include
     Linker flags: -L/usr/local/ssl/lib
        Libraries: -lwrap -lpam -ldl -lresolv -lcrypto -lutil -lz -lnsl -lcrypt

PAM is enabled. You may need to install a PAM control file
for sshd, otherwise password authentication may fail.
Example PAM control files can be found in the contrib/
subdirectory
  • Explanation of the options:
--prefix=/usr: all programs are installed in /usr/{bin,sbin}
--sysconfdir=/etc/ssh: the configuration files of the sshd server and the ssh client go in /etc/ssh
--infodir=/usr/share/info/: the *.info files go in /usr/share/info
--mandir=/usr/share/man --with-mantype=man: all manual pages go in /usr/share/man, in "man" format (as opposed to, e.g., the cat format used on *BSD, ...)
--enable-utmp --enable-wtmp: handle utmp and wtmp (these two record which users are logged in on the machine: man 5 utmp)
--with-pam --with-tcp-wrappers: enable PAM and TCP wrappers support
--with-ssl-dir=/usr/local/ssl: tells configure where openssl is installed on the machine
  • Compilation

    [root@linux openssh-3.8p1]# make
  • "Privilege separation chroot path": OpenSSH uses this technique. The aim is to limit the privileges of the child process, i.e. the one created for each ssh client, so that it cannot immediately obtain root privileges if a security bug is found. If I am not mistaken, in OpenSSH only the SSH-2 protocol has it.

It therefore needs a user with no privileges on the system. We will now create that user:

 



[root@linux openssh-3.8p1]# groupadd -g 76 sshd
[root@linux openssh-3.8p1]# adduser -u 76 -g sshd -d /var/empty -s /bin/true sshd
[root@linux openssh-3.8p1]# chown root:root /var/empty

 

  • Installing OpenSSH

 



[root@linux openssh-3.8p1]# make install
...
mkdir /etc/ssh
Generating public/private rsa1 key pair.
Your identification has been saved in /etc/ssh/ssh_host_key.
Your public key has been saved in /etc/ssh/ssh_host_key.pub.
The key fingerprint is:
ed:dc:b6:ca:1b:1a:8e:f4:04:1c:6b:1a:6b:99:22:f6 root@rado.linuxmg.org
Generating public/private dsa key pair.
Your identification has been saved in /etc/ssh/ssh_host_dsa_key.
Your public key has been saved in /etc/ssh/ssh_host_dsa_key.pub.
The key fingerprint is:
6e:2f:41:41:70:c9:f2:6d:37:ee:50:60:bb:31:68:90 root@rado.linuxmg.org
Generating public/private rsa key pair.
Your identification has been saved in /etc/ssh/ssh_host_rsa_key.
Your public key has been saved in /etc/ssh/ssh_host_rsa_key.pub.
The key fingerprint is:
05:b0:b8:e3:d2:37:b0:6b:f8:fc:f3:26:14:20:5f:b3 root@rado.linuxmg.org
/usr/sbin/sshd -t -f /etc/ssh/sshd_config

 

Verification

-  the ssh client



[r4d0@rado r4d0]$ ssh -V
OpenSSH_3.8p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7d 17 Mar 2004

 

-  the server

 



[rado@rado ~]$ sudo /usr/sbin/sshd
[rado@rado ~]$ netstat -at |grep ssh
tcp        0      0 *:ssh                   *:*                     LISTEN
[rado@linux ~]$ telnet localhost 22
Trying 127.0.0.1...
Connected to localhost (127.0.0.1).
Escape character is '^]'.
SSH-1.99-OpenSSH_3.8p1
^]
telnet> quit
Connection closed.

 


In the contrib/ directory of the OpenSSH source there are scripts that can be placed in init.d. Take the script that matches the distribution you use.
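The telnet session above shows the server identifying itself as SSH-1.99-OpenSSH_3.8p1. The protoversion 1.99 is how an SSH-2 server announces that it will also fall back to SSH-1, so the banner alone tells you whether "Protocol 2" has been enforced in sshd_config. The Python below is an added example, not the article's or OpenSSH's own code: it parses identification strings of the form SSH-protoversion-softwareversion (RFC 4253, section 4.2) and reports whether SSH-1 is still offered. The sample banners are constructed, and fetch_banner, which reads the first line from a live server the way telnet did above, assumes the server sends its identification string first.

```python
"""Interpret the identification string an SSH server sends first.

Added example for the telnet check above; not code from the article or OpenSSH.
"""
import socket

# Constructed sample banners: the one printed above plus two for contrast.
SAMPLE_BANNERS = [
    "SSH-1.99-OpenSSH_3.8p1",   # SSH-2 server that still falls back to SSH-1
    "SSH-2.0-OpenSSH_3.8p1",    # what the server sends once 'Protocol 2' is set
    "SSH-1.5-OpenSSH_3.8p1",    # SSH-1 only
]


def parse_banner(line):
    """Split 'SSH-protoversion-softwareversion [SP comments]' (RFC 4253, section 4.2)."""
    line = line.rstrip("\r\n")
    if not line.startswith("SSH-"):
        raise ValueError("not an SSH identification string: %r" % line)
    ident = line.split(" ", 1)[0]                 # comments, if any, follow a space
    _, protoversion, softwareversion = ident.split("-", 2)
    return protoversion, softwareversion


def offered_protocols(protoversion):
    """Protocol major versions the server will speak; '1.99' means both 1 and 2."""
    if protoversion == "1.99":
        return {1, 2}
    return {int(protoversion.split(".")[0])}


def banner_finding(line):
    """One-line verdict: does this server still offer SSH-1?"""
    protoversion, software = parse_banner(line)
    if 1 in offered_protocols(protoversion):
        return "%s still offers SSH-1 (protoversion %s); set 'Protocol 2' in sshd_config" % (
            software, protoversion)
    return "%s offers SSH-2 only" % software


def fetch_banner(host, port=22, timeout=5.0):
    """Read the first line a live server sends, as the telnet session above did.
    Assumes the identification string is the first line (true for OpenSSH)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        data = b""
        while not data.endswith(b"\n") and len(data) < 255:
            chunk = sock.recv(255 - len(data))
            if not chunk:
                break
            data += chunk
    return data.decode("ascii", "replace")


if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(banner, "->", banner_finding(banner))
```

Running banner_finding(fetch_banner("localhost")) against your own freshly started sshd is a quick way to confirm, after the configuration changes described in the next section, that the server now answers with SSH-2.0 rather than SSH-1.99.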

Server configuration: sshd

If you followed the instructions above, the configuration file of the sshd server is /etc/ssh/sshd_config. We will now look at the options worth setting for sshd. Not every option is listed here; the ones explained below are those most worth using from a security standpoint.

As said in the introduction and in the privilege separation discussion above, we will not use the SSH-1 protocol. That is not the only reason; there are others that we may see later.

-  sshd host keys

HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
Private keys of the machine running sshd. Do not confuse "RSA", which belongs to the SSH-2 protocol, with RSA1, which belongs to the SSH-1 protocol.

-  About TCP

Port 22
sshd listens on port 22, and the ssh client must then use port 22.
sshd can listen on several ports.
e.g.:
Port 22
Port 2222
Here sshd listens on ports 22 and 2222.
Protocol 2
Use only the SSH-2 protocol.
ListenAddress 0.0.0.0
For machines with several IP addresses, such as a firewall, put here the address on which sshd answers. 0.0.0.0 means it listens on every address present on the machine running sshd. ListenAddress can be repeated several times, like the Port option above.
ClientAliveInterval 60
ClientAliveCountMax 3
sshd sends a message to the ssh client every 60 seconds (option ClientAliveInterval); if the ssh client does not answer, sshd cuts the connection after 180 seconds. 180 seconds = 60 seconds (option ClientAliveInterval) multiplied by 3 (option ClientAliveCountMax).
Note: the KeepAlive option is similar to these two options, but its messages travel outside the ssh tunnel.

-  ssh user login

LoginGraceTime 1m
The user has one minute (1m) to enter their credentials.
IgnoreRhosts yes
HostbasedAuthentication no
Here, authentication between sshd and the ssh client based solely on the host keys of the two machines, with no additional verification, is not accepted.
PermitRootLogin no
The "root" user is not allowed to log in over ssh. You can log in as a normal user and use commands such as "su" or "sudo" when you need root privileges.
PubkeyAuthentication yes
Login is accepted using the private key (clef privée) stored on the client machine and the public key (clef publique) stored on the machine running sshd.
PasswordAuthentication yes
PermitEmptyPasswords no
Users may log in with their password. Users who have no password are not allowed in (a close example is the sshd user created above).
AuthorizedKeysFile .ssh/authorized_keys
The file that holds the authorized public keys, for each user.
AllowUsers rado linus
AllowGroups linuxmg
The users allowed to log in here are "rado" and "linus"; everyone else is refused. The same applies to groups: a user who is not in the "linuxmg" group cannot log in. "*" and "?" can be used in these options.
Note: these options are preferable to DenyUsers and DenyGroups.

-  Miscellaneous options

UsePrivilegeSeparation yes
See above :-))
Compression yes
Use compression.
Subsystem sftp /usr/libexec/sftp-server
Use the "/usr/libexec/sftp-server" subsystem, which allows file exchange with the scp/sftp programs. We no longer need a plain ftp server.
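The options above are easier to keep straight with a small audit script. The Python below is an added example, not part of the original article or of OpenSSH: it parses a constructed sshd_config written in the plain "Keyword value" form (Match blocks and the Keyword=value spelling are not handled), flags the settings discussed above when they are missing or weak, computes the idle timeout as ClientAliveInterval times ClientAliveCountMax, and models AllowUsers/AllowGroups with the "*" and "?" wildcards. The defaults assumed for absent options (PermitRootLogin yes, Protocol 2,1, ClientAliveCountMax 3, ClientAliveInterval 0, UsePrivilegeSeparation yes) are those of OpenSSH 3.8 as I recall them and should be checked against sshd_config(5) for your version.

```python
"""Audit an sshd_config against the options discussed above.

Added example; not code from the article or OpenSSH. Handles only the plain
"Keyword value" form: Match blocks and "Keyword=value" are not supported.
"""
import fnmatch

# Constructed sshd_config mirroring the settings described above.
SAMPLE_SSHD_CONFIG = """\
# sshd_config (constructed sample)
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
Port 22
Port 2222
Protocol 2
ListenAddress 0.0.0.0
ClientAliveInterval 60
ClientAliveCountMax 3
LoginGraceTime 1m
IgnoreRhosts yes
HostbasedAuthentication no
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
AllowUsers rado linus
AllowGroups linuxmg
UsePrivilegeSeparation yes
Subsystem sftp /usr/libexec/sftp-server
"""

# Defaults assumed for absent options (OpenSSH 3.8 as I recall them; check sshd_config(5)).
ASSUMED_DEFAULTS = {
    "protocol": "2,1",
    "permitrootlogin": "yes",
    "permitemptypasswords": "no",
    "hostbasedauthentication": "no",
    "ignorerhosts": "yes",
    "useprivilegeseparation": "yes",
    "clientaliveinterval": "0",
    "clientalivecountmax": "3",
}


def parse_sshd_config(text):
    """Map lower-cased keyword -> list of argument lists (keywords may repeat, e.g. Port)."""
    config = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        config.setdefault(parts[0].lower(), []).append(parts[1:])
    return config


def setting(config, keyword):
    """First argument of the first occurrence of keyword, or the assumed default."""
    entries = config.get(keyword.lower())
    if entries:
        return entries[0][0]
    return ASSUMED_DEFAULTS.get(keyword.lower())


def idle_timeout_seconds(config):
    """Seconds before sshd drops a silent client: ClientAliveInterval * ClientAliveCountMax."""
    return int(setting(config, "ClientAliveInterval")) * int(setting(config, "ClientAliveCountMax"))


def audit(config):
    """Return human-readable findings for the options the article singles out."""
    findings = []
    if "1" in setting(config, "Protocol").split(","):
        findings.append("Protocol: set 'Protocol 2' so SSH-1 is never offered")
    if setting(config, "PermitRootLogin").lower() != "no":
        findings.append("PermitRootLogin: set to 'no' and use su/sudo after logging in")
    if setting(config, "PermitEmptyPasswords").lower() != "no":
        findings.append("PermitEmptyPasswords: set to 'no'")
    if setting(config, "HostbasedAuthentication").lower() != "no":
        findings.append("HostbasedAuthentication: set to 'no'")
    if setting(config, "IgnoreRhosts").lower() != "yes":
        findings.append("IgnoreRhosts: set to 'yes'")
    if setting(config, "UsePrivilegeSeparation").lower() != "yes":
        findings.append("UsePrivilegeSeparation: set to 'yes'")
    if "allowusers" not in config and "allowgroups" not in config:
        findings.append("AllowUsers/AllowGroups: restrict which accounts may log in")
    if idle_timeout_seconds(config) == 0:
        findings.append("ClientAliveInterval: 0 means dead sessions are never dropped")
    return findings


def login_permitted(config, user, groups):
    """Apply AllowUsers/AllowGroups as described above: when a list is present the user
    (or one of the user's groups) must match a pattern; '*' and '?' are wildcards.
    The user@host form of AllowUsers patterns is not modelled here."""
    allow_users = [p for args in config.get("allowusers", []) for p in args]
    allow_groups = [p for args in config.get("allowgroups", []) for p in args]
    if allow_users and not any(fnmatch.fnmatchcase(user, p) for p in allow_users):
        return False
    if allow_groups and not any(
            fnmatch.fnmatchcase(g, p) for g in groups for p in allow_groups):
        return False
    return True


if __name__ == "__main__":
    cfg = parse_sshd_config(SAMPLE_SSHD_CONFIG)
    print("idle timeout:", idle_timeout_seconds(cfg), "s")
    print("findings:", audit(cfg) or "none")
    print("rado in linuxmg:", login_permitted(cfg, "rado", ["linuxmg"]))
```

To run it against a real server, read /etc/ssh/sshd_config into parse_sshd_config and print audit(); an empty list means every option discussed above is set the way the article recommends, while the findings tell you which line to add or change.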

-  X11 options

X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
If there is an X server on the machine you log into and you want to use it, set these options.

If something goes wrong

If something goes wrong with sshd, you can run it with the "-d" option until you find the problem. The "-e" option can be added as well.

 


[root@linux ~]# sshd -d -e

 

To be continued

In the next part we will look at:
-  the ssh client
-  generating keys and using them
-  forwarding

Rado Ramarotafika 

