
A Detailed Tutorial on Installing and Configuring OpenSSH on Linux

2018-09-28    Source: 愛站科技


  Today we share a detailed tutorial on installing and configuring OpenSSH on Linux.

  Installing and starting OpenSSH

  tony@tonybox:~$ sudo aptitude update

  tony@tonybox:~$ sudo aptitude install openssh-server

  Reading package lists... Done

  Building dependency tree... Done

  Reading extended state information

  Initializing package states... Done

  Reading task descriptions... Done

  Building tag database... Done

  The following NEW packages will be automatically installed:

  libedit2 openssh-client

  The following NEW packages will be installed:

  libedit2 openssh-client openssh-server

  0 packages upgraded, 3 newly installed, 0 to remove and 0 not upgraded.

  Need to get 55.4kB/879kB of archives. After unpacking 2130kB will be used.

  Do you want to continue? [Y/n/?]y

  ...

  Setting up openssh-server (4.3p2-5) ...

  Creating SSH2 RSA key; this may take some time ...

  Creating SSH2 DSA key; this may take some time ...

  Restarting OpenBSD Secure Shell server: sshd.

  // Creates the server's RSA/DSA key pairs

  tony@tonybox:~$

  After installation, the following configuration files are generated by default:

  tony@tonybox:~$ ls /etc/ssh -l

  total 160

  -rw-r--r-- 1 root root 132839 2006-10-07 23:10 moduli // Diffie-Hellman key file of the ssh server

  -rw-r--r-- 1 root root 1423 2006-10-07 23:10 ssh_config // ssh client configuration file

  -rw-r--r-- 1 root root 1874 2006-10-20 17:45 sshd_config // ssh server configuration file

  -rw------- 1 root root 668 2006-10-20 17:46 ssh_host_dsa_key // ssh server DSA private key

  -rw-r--r-- 1 root root 602 2006-10-20 17:46 ssh_host_dsa_key.pub // ssh server DSA public key

  -rw------- 1 root root 1679 2006-10-20 17:46 ssh_host_rsa_key // ssh server RSA private key

  -rw-r--r-- 1 root root 394 2006-10-20 17:46 ssh_host_rsa_key.pub // ssh server RSA public key

  tony@tonybox:~$

  Unless you have special requirements, the default settings are sufficient.

  Start the ssh service

  $ sudo /etc/init.d/ssh start

  Stop the ssh service

  $ sudo /etc/init.d/ssh stop

  Restart the ssh service

  $ sudo /etc/init.d/ssh restart

  The first time ssh connects to a remote ssh server, a message like the one below appears. This is because ssh does not recognize the host. Typing yes writes the server's information to the ~/.ssh/known_hosts file, so the message does not appear the next time you connect to this remote server.

  tony@tonybox:~$ ssh root@192.168.102.50

  The authenticity of host '192.168.102.50 (192.168.102.50)' can't be established.

  RSA key fingerprint is c6:d4:e7:23:03:ce:15:2c:08:ec:39:7e:52:29:a5:a6.

  Are you sure you want to continue connecting (yes/no)? yes

  Warning: Permanently added '192.168.102.50' (RSA) to the list of known hosts.

  root@192.168.102.50's password:******

  Last login: Thu Oct 26 10:38:41 2006

  Linux vmdebian 2.6.16-2-486 #1 Fri Aug 18 18:39:04 UTC 2006 i686

  The programs included with the Debian GNU/Linux system are free software;

  the exact distribution terms for each program are described in the

  individual files in /usr/share/doc/*/copyright.

  Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent

  permitted by applicable law.

  vmdebian:~#

  Default configuration

  The default sshd_config file

  # Package generated configuration file

  # See the sshd(8) manpage for details

  # What ports, IPs and protocols we listen for

  Port 22

  # Port 22 is used by default

  # Use these options to restrict which interfaces/protocols sshd will bind to

  #ListenAddress ::

  #ListenAddress 0.0.0.0

  Protocol 2

  # Use the SSH2 protocol

  # HostKeys for protocol version 2

  HostKey /etc/ssh/ssh_host_rsa_key

  HostKey /etc/ssh/ssh_host_dsa_key

  # The host keys are stored here

  #Privilege Separation is turned on for security

  UsePrivilegeSeparation yes

  # The sshd user is required to start the ssh service

  # Lifetime and size of ephemeral version 1 server key

  KeyRegenerationInterval 3600

  ServerKeyBits 768

  # The server generates this key at startup and regenerates it at a fixed interval. Here the length is set to 768 bits (the minimum is 512) and the interval to 3600.

  # Logging

  SyslogFacility AUTH

  # Sets the syslog facility (KERN, DAEMON, USER, AUTH, MAIL, etc.)

  LogLevel INFO

  # Sets the log level to INFO. From lowest to highest, the values are QUIET, FATAL, ERROR, INFO, VERBOSE, DEBUG. Logging at DEBUG violates users' privacy; that level may be used only for diagnosis, not for normal operation.

  # Authentication:

  LoginGraceTime 120

  # Sets how long (in seconds) the server waits before cutting the connection when the user has not logged in successfully.

  PermitRootLogin yes

  # Allows root to log in

  StrictModes yes

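  # Sets whether ssh checks the permissions and ownership of the user's home directory and rhosts files before accepting a login request. This is usually necessary, because novices often make their directories and files writable by everyone.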

  RSAAuthentication yes

  PubkeyAuthentication yes

  #AuthorizedKeysFile %h/.ssh/authorized_keys

  # Don't read the user's ~/.rhosts and ~/.shosts files

  IgnoreRhosts yes

  # Completely forbids sshd from using .rhosts files

  # For this to work you will also need host keys in /etc/ssh_known_hosts

  RhostsRSAAuthentication no

  # Sets whether rhosts-based authentication using the RSA algorithm is used.

  # similar for protocol version 2

  HostbasedAuthentication no

  # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication

  #IgnoreUserKnownHosts yes

  # Sets whether the ssh daemon ignores the user's "$HOME/.ssh/known_hosts" during RhostsRSAAuthentication

  # To enable empty passwords, change to yes (NOT RECOMMENDED)

  PermitEmptyPasswords no

  # Empty passwords are not allowed

  # Change to yes to enable challenge-response passwords (beware issues with

  # some PAM modules and threads)

  ChallengeResponseAuthentication no

  # Challenge-response authentication is turned off

  # Change to no to disable tunnelled clear text passwords

  #PasswordAuthentication yes

  # Sets whether clear-text password authentication is used

  # Kerberos options

  #KerberosAuthentication no

  #KerberosGetAFSToken no

  #KerberosOrLocalPasswd yes

  #KerberosTicketCleanup yes

  # Kerberos-related options

  # GSSAPI options

  #GSSAPIAuthentication no

  #GSSAPICleanupCredentials yes

  # GSSAPI-related options

  X11Forwarding yes

  # Allows X forwarding

  X11DisplayOffset 10

  PrintMotd no

  PrintLastLog yes

  TCPKeepAlive yes

  #UseLogin no

  #MaxStartups 10:30:60

  #Banner /etc/issue.net

  # Allow client to pass locale environment variables

  AcceptEnv LANG LC_*

  Subsystem sftp /usr/lib/openssh/sftp-server

  UsePAM yes

  Unless you have special requirements, the default settings are sufficient.
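
  The default file above permits root login while password authentication is still enabled, loads a DSA host key, and turns on X11 forwarding. The script below is an added example, not part of the original tutorial, that reports those settings from an sshd_config; the function names and the finding labels are hypothetical, and the sample input is constructed from the listing above.

```shell
#!/bin/sh
# Added example: flag risky settings in an sshd_config like the one above.
# sshd keywords are case-insensitive and the first value for a keyword wins.

# effective_value FILE KEYWORD: print the first uncommented value, if any.
effective_value() {
    awk -v k="$2" 'BEGIN { k = tolower(k) }
        /^[ \t]*(#|$)/ { next }
        tolower($1) == k { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# audit_sshd_config FILE: print one finding name per line.
audit_sshd_config() {
    root=$(effective_value "$1" PermitRootLogin)
    pass=$(effective_value "$1" PasswordAuthentication)
    [ -n "$pass" ] || pass=yes   # sshd default when the line is commented out
    if [ "$root" = yes ] && [ "$pass" = yes ]; then
        echo root-password-login  # root is exposed to password guessing
    fi
    if [ "$(effective_value "$1" PermitEmptyPasswords)" = yes ]; then
        echo empty-passwords
    fi
    # HostKey may repeat; assumes the stock ssh_host_dsa_key file name.
    if awk 'tolower($1) == "hostkey" && $2 ~ /_dsa_key$/ { f = 1 }
            END { exit !f }' "$1"; then
        echo dsa-host-key         # ssh-dss is off by default since OpenSSH 7.0
    fi
    if [ "$(effective_value "$1" X11Forwarding)" = yes ]; then
        echo x11-forwarding       # disable unless users need it
    fi
    return 0
}

# Constructed sample: the security-relevant lines of the default file above.
write_page_default() {
    cat > "$1" <<'EOF'
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
PermitRootLogin yes
PermitEmptyPasswords no
#PasswordAuthentication yes
X11Forwarding yes
EOF
}

tmp=$(mktemp) && write_page_default "$tmp"
audit_sshd_config "$tmp"   # root-password-login, dsa-host-key, x11-forwarding
rm -f "$tmp"
```

  Setting PermitRootLogin no, or PasswordAuthentication no once key-based login works, clears the first finding.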

  Password-based authentication

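  By default, ssh still uses traditional password authentication, and no configuration is needed to use it. You can log in to the remote host with your own account and password. All transmitted data is encrypted, but there is no guarantee that the server you are connecting to is the one you intended to reach. Another server may be impersonating the real one, which is the "man-in-the-middle" style of attack.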

  Log in to the server as follows:

  $ ssh tony@192.168.102.50

  tony@192.168.102.50's password:

  Linux vmdebian 2.6.16-2-486 #1 Fri Aug 18 18:39:04 UTC 2006 i686

  The programs included with the Debian GNU/Linux system are free software;

  the exact distribution terms for each program are described in the

  individual files in /usr/share/doc/*/copyright.

  Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent

  permitted by applicable law.

  Last login: Fri Dec 8 12:31:58 2006 from 192.168.102.249

  $
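
  Both the first-connection prompt shown earlier and the man-in-the-middle risk described in this section come down to whether the host key the server presents is one you already trust. The script below is an added example, not part of the original tutorial, that reproduces the known_hosts decision and the colon-separated MD5 fingerprint format; md5_fingerprint and host_key_status are hypothetical helper names, the key blobs are constructed placeholders, and unhashed known_hosts entries are assumed.

```shell
#!/bin/sh
# Added example: the decision ssh makes before showing (or skipping) the prompt.
# Assumes unhashed known_hosts entries: "name[,name...] keytype base64blob".

# md5_fingerprint BLOB: colon-separated MD5 of the decoded key, the format
# printed in the first-connection session. Compare it with the output of
# "ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub" run on the server's console
# (add "-E md5" on OpenSSH releases that print SHA256 fingerprints).
md5_fingerprint() {
    printf '%s' "$1" | base64 -d | md5sum | awk '{ print $1 }' |
        sed 's/../&:/g; s/:$//'
}

# host_key_status FILE HOST KEYTYPE BLOB: print new, match or CHANGED.
host_key_status() {
    awk -v h="$2" -v t="$3" -v b="$4" '
        $2 == t {
            n = split($1, names, ",")   # one entry may list several names
            for (i = 1; i <= n; i++)
                if (names[i] == h) { seen = 1; if ($3 == b) ok = 1 }
        }
        END { print (ok ? "match" : (seen ? "CHANGED" : "new")) }' "$1"
}

# Constructed sample data: the blobs are placeholders, not real keys.
kh=$(mktemp)
echo '192.168.102.50,vmdebian ssh-rsa aGVsbG8=' > "$kh"
host_key_status "$kh" 192.168.102.50 ssh-rsa aGVsbG8=  # match: no prompt
host_key_status "$kh" 192.168.102.50 ssh-rsa d29ybGQ=  # CHANGED: ssh refuses
host_key_status "$kh" 10.0.0.9 ssh-rsa aGVsbG8=        # new: prompt appears
md5_fingerprint aGVsbG8=
rm -f "$kh"
```

  Answer yes at the prompt only after the fingerprint ssh prints equals the one read from the server through a separate trusted channel.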

  Key-based authentication

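  Key-based authentication relies on keys. Use the ssh-keygen command to generate a key pair: the private key is stored in the ~/.ssh/id_rsa file and the public key in the ~/.ssh/id_rsa.pub file. The public key must be copied to the remote server. When you then log in to the remote server, the client software sends the server a request to authenticate with your key; on receiving the request, the server looks for your public key under your home directory on that server and authenticates you with it. By default ssh-keygen generates the key with the RSA algorithm; to use the DSA algorithm, specify it with -t, for example ($ ssh-keygen -t dsa).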

  tony@tonybox:~$ ssh-keygen

  Generating public/private rsa key pair.

  Enter file in which to save the key (/home/tony/.ssh/id_rsa):

  Enter passphrase (empty for no passphrase):

  Enter same passphrase again:

  Your identification has been saved in /home/tony/.ssh/id_rsa.

  Your public key has been saved in /home/tony/.ssh/id_rsa.pub.

  The key fingerprint is:

  5e:25:fe:32:af:96:e5:e2:c9:55:ad:f9:d2:f1:67:5d tony@tonybox

  tony@tonybox:~$

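  Then use the scp command to upload the public key to the .ssh directory of the corresponding user on the remote SSH server, renaming it to authorized_keys, and make sure its permissions are 644.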

  tony@tonybox:~/.ssh$ scp id_rsa.pub tony@192.168.102.50:.ssh/authorized_keys

  tony@192.168.102.50's password:

  id_rsa.pub 100% 394 0.4KB/s 00:00

  tony@tonybox:~/.ssh$

  From now on, logins to this SSH server are authenticated with the public key you uploaded.

  tony@tonybox:~$ ssh tony@192.168.102.50

  Linux vmdebian 2.6.16-2-486 #1 Fri Aug 18 18:39:04 UTC 2006 i686

  The programs included with the Debian GNU/Linux system are free software;

  the exact distribution terms for each program are described in the

  individual files in /usr/share/doc/*/copyright.

  Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent

  permitted by applicable law.

  Last login: Thu Oct 26 12:59:12 2006 from 192.168.102.43

  tony@vmdebian:~$
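
  Copying id_rsa.pub over authorized_keys with scp, as in the step above, replaces any keys already stored in that file. The script below is an added example, not part of the original tutorial, that appends the key only if it is missing and rejects a file that is not a single public-key line; install_pubkey is a hypothetical helper and the keys are constructed placeholders. It sets mode 600 rather than 644; StrictModes accepts either because neither is group- or world-writable. The ssh-copy-id helper shipped with OpenSSH performs the same append over ssh.

```shell
#!/bin/sh
# Added example: add a public key to authorized_keys without overwriting it.

# install_pubkey PUBKEY_FILE HOME_DIR
# Returns 0 on success, 1 if a file cannot be read or created, 2 if the input
# is not one public-key line (for example id_rsa passed instead of id_rsa.pub).
install_pubkey() {
    key=$(cat "$1") || return 1
    dir=$2/.ssh
    auth=$dir/authorized_keys
    [ "$(printf '%s\n' "$key" | wc -l | tr -d ' ')" = 1 ] || return 2
    case $key in
        ssh-rsa\ AAAA*|ssh-ed25519\ AAAA*|ecdsa-sha2-*\ AAAA*) ;;
        *) return 2 ;;   # DSA (ssh-dss) keys are not accepted by this helper
    esac
    # Create the directory and file private from the start.
    ( umask 077; mkdir -p "$dir" && touch "$auth" ) || return 1
    chmod 700 "$dir"
    # If the last existing line lacks a newline, add one before appending.
    [ -z "$(tail -c 1 "$auth")" ] || echo >> "$auth"
    # -x whole line, -F fixed string: append only if the key is not listed yet.
    grep -qxF -- "$key" "$auth" || printf '%s\n' "$key" >> "$auth"
    chmod 600 "$auth"
}

# Constructed demo in a scratch directory; both keys are placeholders.
home=$(mktemp -d)
mkdir "$home/.ssh"
echo 'ssh-ed25519 AAAAC3placeholderExisting admin@example' > "$home/.ssh/authorized_keys"
echo 'ssh-rsa AAAAB3placeholderNew tony@tonybox' > "$home/id_rsa.pub"
install_pubkey "$home/id_rsa.pub" "$home"
install_pubkey "$home/id_rsa.pub" "$home"    # second run changes nothing
cat "$home/.ssh/authorized_keys"             # both keys, each exactly once
rm -rf "$home"
```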

  If a passphrase was set for the key, the login proceeds as follows:

  tony@tonybox:~$ ssh tony@192.168.102.50

  Enter passphrase for key '/home/tony/.ssh/id_rsa':

  Linux vmdebian 2.6.16-2-486 #1 Fri Aug 18 18:39:04 UTC 2006 i686

  The programs included with the Debian GNU/Linux system are free software;

  the exact distribution terms for each program are described in the

  individual files in /usr/share/doc/*/copyright.

  Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent

  permitted by applicable law.

  Last login: Thu Oct 26 14:27:58 2006 from 192.168.102.43

  tony@vmdebian:~$

  If the client's private key id_rsa is renamed and the following is set in the server's sshd_config file:

  PasswordAuthentication no

  tony@tonybox:$ mv /home/tony/.ssh/id_rsa /home/tony/.ssh/id_rsa.bak

  tony@tonybox:$ ssh tony@192.168.102.50

  Permission denied (publickey).

  tony@tonybox:~$

  If the following is set in the server's sshd_config file:

  PasswordAuthentication yes

  then password authentication is used when the key passphrase is entered incorrectly or the key does not exist:

  tony@tonybox:~$ ssh tony@192.168.102.50

  Enter passphrase for key '/home/tony/.ssh/id_rsa':

  tony@192.168.102.50's password:

  Linux vmdebian 2.6.16-2-486 #1 Fri Aug 18 18:39:04 UTC 2006 i686

  The programs included with the Debian GNU/Linux system are free software;

  the exact distribution terms for each program are described in the

  individual files in /usr/share/doc/*/copyright.

  Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent

  permitted by applicable law.

  Last login: Thu Oct 26 17:30:43 2006 from 192.168.102.43

  tony@vmdebian:~$
