Exercise 27: Secure Shell, ssh, sshd, scp

Original: Exercise 27. Networking: secure shell, ssh, sshd, scp

Translator: 飞龙

License: CC BY-NC-SA 4.0

Proudly powered by Google Translate

You probably already know that SSH is a network protocol that lets you log in to vm1 over the network. Let's study it in detail.

Secure Shell (SSH) is a network protocol for secure data communication, remote shell services or command execution, and other network services between two networked computers, which it connects through a secure channel over an insecure network: a server and a client (running the SSH server and SSH client programs respectively). The protocol specification distinguishes two major versions, known as SSH-1 and SSH-2.

The best-known application of the protocol is accessing shell accounts on Unix-like operating systems. It was designed as a replacement for Telnet and other insecure remote shell protocols such as the Berkeley rsh and rexec protocols, which send information, notably passwords, in plaintext, making them easy to intercept and expose with packet analysis. The encryption used by SSH is intended to provide confidentiality and integrity of data over an insecure network such as the Internet.

Important SSH programs, concepts and configuration files:

  • OpenSSH - the open-source implementation of the ssh programs.
  • ssh - the client program that lets you connect to an SSH server. PuTTY is another such client program.
  • sshd - the server program that lets you connect to it using ssh.
  • /etc/ssh/ssh_config - the default client program configuration file.
  • /etc/ssh/sshd_config - the default server program configuration file.
  • Public-key cryptography - a cryptographic system that requires two separate keys, one of which is private and one of which is public. Although different, the two parts of the key pair are mathematically linked. One key locks or encrypts the plaintext, and the other unlocks or decrypts the ciphertext. Neither key can perform both functions. One of the keys is published openly and the other is kept secret.
  • SSH keys - SSH uses public-key cryptography to authenticate the remote computer and to allow it to authenticate the user, if necessary. Anyone can produce a matching pair of different keys (public and private). The public key is placed on all computers that must allow access to the owner of the matching private key (the owner keeps the private key secret). While authentication is based on the private key, the key itself is never transferred over the network during authentication.
  • /etc/ssh/moduli - prime numbers and their generators, used by sshd(8) in the Diffie-Hellman Group Exchange key exchange method.
  • /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_rsa_key - the host's RSA and DSA private keys.
  • /etc/ssh/ssh_host_dsa_key.pub, /etc/ssh/ssh_host_rsa_key.pub - the host's RSA and DSA public keys.

The SSH protocol is so important, so widely used and has so many features that you must understand something about how it works. Here are some of its uses:

  • scp - transfers files over SSH.
  • sftp - an ftp-like protocol for managing remote files.
  • sshfs - a remote file system over SSH.
  • SSH tunnelling - a way to carry almost any data over a secure connection. This is very important because it can serve as the foundation for building protected systems, among many other uses.

To understand the protocol, let's look at what happens during an SSH session. For this we will study the annotated output of a connection from vm1 to vm1 (yes, this can be done, and it is perfectly valid). An overview:

  1. You type ssh vm1
  2. Control is now passed to the SSH client
  3. The SSH client:
     • enters the plaintext phase
     • reads its configuration
     • performs protocol negotiation with the SSH server
     • enters the SSH-transport phase
     • negotiates with the SSH server:
        • the data encryption cipher
        • the data integrity algorithm
        • the data compression algorithm
     • starts the key exchange using the Diffie-Hellman algorithm
     • uses the resulting shared secret to establish the secure connection
     • enters the SSH-userauth phase
     • asks you for a password
  4. Control is now passed to you
  5. You type the password
  6. Control is now passed to the SSH client
  7. The SSH client:
     • has the SSH server authenticate you
     • enters the SSH-connection phase
     • gets a pseudo-terminal allocated for you
     • gets a shell started for you
  8. Control is now passed to you
  9. You do something (useful or not) on vm1
  10. You close the shell
  11. Control is now passed to the SSH client
  12. The SSH client:
     • closes the pseudo-terminal
     • closes the connection

Now read this:

and study the real output of an SSH session:

    user1@vm1:~$ ssh -vv vm1
    Protocol version selection, plaintext
    -------------------------------------
    OpenSSH_5.5p1 Debian-6+squeeze2, OpenSSL 0.9.8o 01 Jun 2010
    # Speaks for itself, I will mark such entries with -- below
    debug1: Reading configuration data /etc/ssh/ssh_config
    # Applying default options for all hosts. Additional options for each host may be
    # specified in the configuration file
    debug1: Applying options for *
    debug2: ssh_connect: needpriv 0
    debug1: Connecting to vm1 [127.0.1.1] port 22.
    debug1: Connection established.
    debug1: identity file /home/user1/.ssh/id_rsa type -1 # no such files
    debug1: identity file /home/user1/.ssh/id_rsa-cert type -1
    debug1: identity file /home/user1/.ssh/id_dsa type -1
    debug1: identity file /home/user1/.ssh/id_dsa-cert type -1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5p1 Debian-6+squeeze2
    debug1: match: OpenSSH_5.5p1 Debian-6+squeeze2 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze2
    debug2: fd 3 setting O_NONBLOCK
    SSH-transport, binary packet protocol
    -------------------------------------
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    # Key exchange algorithms
    debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    # SSH host key types
    debug2: kex_parse_kexinit: ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss
    # Data encryption ciphers
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
    # Data integrity algorithms
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    # Data compression algorithms
    debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
    debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit: first_kex_follows
    debug2: kex_parse_kexinit: reserved 0
    # Messages back from server
    debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: none,zlib@openssh.com
    debug2: kex_parse_kexinit: none,zlib@openssh.com
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit: first_kex_follows 0
    debug2: kex_parse_kexinit: reserved 0
    # Message authentication code setup
    debug2: mac_setup: found hmac-md5
    debug1: kex: server->client aes128-ctr hmac-md5 none
    debug2: mac_setup: found hmac-md5
    debug1: kex: client->server aes128-ctr hmac-md5 none
    # Key exchange
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug2: dh_gen_key: priv key bits set: 135/256
    debug2: bits set: 498/1024
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    # Server authentication. vm1 host key is not known because it is our first connection
    debug2: no key of type 0 for host vm1
    debug2: no key of type 2 for host vm1
    # Confirmation of host key acceptance
    The authenticity of host 'vm1 (127.0.1.1)' can't be established.
    RSA key fingerprint is b6:06:92:5e:04:49:d9:e8:57:90:61:1b:16:87:bb:09.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added 'vm1' (RSA) to the list of known hosts.
    # Key is added to /home/user1/.ssh/known_hosts and checked
    debug2: bits set: 499/1024
    debug1: ssh_rsa_verify: signature correct
    # Based on shared master key, data encryption key and data integrity key are derived
    debug2: kex_derive_keys
    debug2: set_newkeys: mode 1
    # Information about this is sent to server
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug2: set_newkeys: mode 0
    debug1: SSH2_MSG_NEWKEYS received
    # IP roaming not enabled? Not sure about this.
    debug1: Roaming not allowed by server
    SSH-userauth
    ------------
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug2: service_accept: ssh-userauth
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug2: key: /home/user1/.ssh/id_rsa ((nil))
    debug2: key: /home/user1/.ssh/id_dsa ((nil))
    debug1: Authentications that can continue: publickey,password
    debug1: Next authentication method: publickey
    debug1: Trying private key: /home/user1/.ssh/id_rsa
    debug1: Trying private key: /home/user1/.ssh/id_dsa
    debug2: we did not send a packet, disable method
    debug1: Next authentication method: password
    user1@vm1's password:
    debug2: we sent a password packet, wait for reply
    debug1: Authentication succeeded (password).
    SSH-connection
    --------------
    debug1: channel 0: new [client-session]
    debug2: channel 0: send open
    # Disable SSH multiplexing.
    # More info: http://www.linuxjournal.com/content/speed-multiple-ssh-connections-same-server
    debug1: Requesting no-more-sessions@openssh.com
    debug1: Entering interactive session.
    debug2: callback start
    debug2: client_session2_setup: id 0
    debug2: channel 0: request pty-req confirm 1
    # Sending environment variables
    debug1: Sending environment.
    debug1: Sending env LANG = en_US.UTF-8
    debug2: channel 0: request env confirm 0
    debug2: channel 0: request shell confirm 1
    # Set TCP_NODELAY flag: http://en.wikipedia.org/wiki/Nagle%27s_algorithm
    debug2: fd 3 setting TCP_NODELAY
    debug2: callback done
    # Connection opened
    debug2: channel 0: open confirm rwindow 0 rmax 32768
    debug2: channel_input_status_confirm: type 99 id 0
    # Pseudo terminal allocation
    debug2: PTY allocation request accepted on channel 0
    debug2: channel 0: rcvd adjust 2097152
    debug2: channel_input_status_confirm: type 99 id 0
    # Shell is started
    debug2: shell request accepted on channel 0
    # Logging in is completed
    Linux vm1 2.6.32-5-amd64 #1 SMP Sun May 6 04:00:17 UTC 2012 x86_64
    The programs included with the Debian GNU/Linux system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.
    Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
    permitted by applicable law.
    You have mail.
    Last login: Thu Jul 19 05:14:40 2012 from 10.0.2.2
    user1@vm1:~$ debug2: client_check_window_change: changed
    debug2: channel 0: request window-change confirm 0
    user1@vm1:~$ debug2: client_check_window_change: changed
    debug2: channel 0: request window-change confirm 0
    user1@vm1:~$ logout
    Ending ssh connection
    ---------------------
    debug2: channel 0: rcvd eof # end of file
    debug2: channel 0: output open -> drain
    debug2: channel 0: obuf empty
    debug2: channel 0: close_write
    debug2: channel 0: output drain -> closed
    debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
    # signalling that channels are half-closed for writing, through a channel protocol extension
    # notification "eow@openssh.com" http://www.openssh.com/txt/release-5.1
    debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
    debug2: channel 0: rcvd eow
    # Ending connection
    debug2: channel 0: close_read
    debug2: channel 0: input open -> closed
    debug2: channel 0: rcvd close
    debug2: channel 0: almost dead
    debug2: channel 0: gc: notify user
    debug2: channel 0: gc: user detached
    debug2: channel 0: send close
    debug2: channel 0: is dead
    debug2: channel 0: garbage collecting
    debug1: channel 0: free: client-session, nchannels 1
    Connection to vm1 closed.
    Transferred: sent 1928, received 2632 bytes, in 93.2 seconds
    Bytes per second: sent 20.7, received 28.2
    debug1: Exit status 0
    user1@vm1:~$
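The annotated transcript above contains everything a defender needs to judge a session: the cipher and MAC chosen in each direction (the `kex: server->client ...` lines), the host key type and fingerprint the server presented, whether that key was accepted on first use, and which authentication method succeeded. The following Python script is an added example, not part of the original exercise: it parses those line shapes from `ssh -v`/`-vv` output and reports what was negotiated. The sample lines are constructed from the transcript above, and the sets of algorithms it flags are an assumed audit policy for this example, not a list taken from OpenSSH.

```python
import re

# Constructed sample: a subset of the `ssh -vv vm1` transcript above, not a live capture.
SAMPLE_SSH_VV = """\
OpenSSH_5.5p1 Debian-6+squeeze2, OpenSSL 0.9.8o 01 Jun 2010
debug1: Connecting to vm1 [127.0.1.1] port 22.
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5p1 Debian-6+squeeze2
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
The authenticity of host 'vm1 (127.0.1.1)' can't be established.
RSA key fingerprint is b6:06:92:5e:04:49:d9:e8:57:90:61:1b:16:87:bb:09.
Warning: Permanently added 'vm1' (RSA) to the list of known hosts.
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
debug1: Authentication succeeded (password).
"""

# Assumed audit policy for this example (not an OpenSSH list): algorithms that
# should not be negotiated on a modern system.
WEAK_CIPHERS = {"arcfour", "arcfour128", "arcfour256", "3des-cbc", "blowfish-cbc",
                "cast128-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc",
                "rijndael-cbc@lysator.liu.se"}
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96", "hmac-ripemd160",
             "hmac-ripemd160@openssh.com"}
WEAK_HOSTKEY_TYPES = {"DSA"}  # ssh-dss is limited to 1024-bit keys

# Line shapes as printed by the OpenSSH 5.x client in the transcript above.
KEX_RE = re.compile(r"^debug1: kex: (server->client|client->server) (\S+) (\S+) (\S+)$")
FP_RE = re.compile(r"^(\S+) key fingerprint is (\S+)\.$")
AUTH_RE = re.compile(r"^debug1: Authentication succeeded \((\S+)\)\.$")


def parse_ssh_verbose(text):
    """Pull the security-relevant facts out of `ssh -v` / `-vv` client output."""
    session = {
        "cipher": {}, "mac": {}, "compression": {},
        "hostkey_type": None, "fingerprint": None,
        "host_key_first_seen": False, "auth_method": None,
    }
    for raw in text.splitlines():
        line = raw.strip()
        m = KEX_RE.match(line)
        if m:
            direction, cipher, mac, comp = m.groups()
            session["cipher"][direction] = cipher
            session["mac"][direction] = mac
            session["compression"][direction] = comp
            continue
        m = FP_RE.match(line)
        if m:
            session["hostkey_type"], session["fingerprint"] = m.groups()
            continue
        m = AUTH_RE.match(line)
        if m:
            session["auth_method"] = m.group(1)
            continue
        if "can't be established" in line:
            # The client had no known_hosts entry: trust-on-first-use happened.
            session["host_key_first_seen"] = True
    return session


def audit(session):
    """Return human-readable findings; an empty list means nothing to flag."""
    findings = []
    for direction, cipher in sorted(session["cipher"].items()):
        if cipher in WEAK_CIPHERS:
            findings.append(f"weak cipher {cipher} ({direction})")
    for direction, mac in sorted(session["mac"].items()):
        if mac in WEAK_MACS:
            findings.append(f"weak MAC {mac} ({direction})")
    if session["hostkey_type"] in WEAK_HOSTKEY_TYPES:
        findings.append(f"weak host key type {session['hostkey_type']}")
    if session["host_key_first_seen"]:
        findings.append("host key accepted on first use; verify the fingerprint "
                        f"{session['fingerprint']} out of band or pre-seed known_hosts")
    if session["auth_method"] == "password":
        findings.append("password authentication used; prefer publickey")
    return findings


if __name__ == "__main__":
    session = parse_ssh_verbose(SAMPLE_SSH_VV)
    print(session)
    for finding in audit(session):
        print("-", finding)
```

Run it against a real capture with `ssh -vv host 2> ssh.out` and feed the file contents to `parse_ssh_verbose`. On the transcript above it flags hmac-md5 in both directions, the first-use acceptance of the RSA host key and the password login; a session with public-key authentication, a pre-seeded known_hosts entry and current algorithms produces no findings.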

Now you will learn how to start sshd in debug mode, set up public-key authentication and copy files with scp.

Do this

    1: mkdir -v ssh_test
    2: cd ssh_test
    3: cp -v /etc/ssh/sshd_config .
    4: sed -i'.bak' 's/^Port 22$/Port 1024/' sshd_config
    5: sed -i 's/^HostKey \/etc\/ssh\/ssh_host_rsa_key$/Hostkey \/home\/user1\/ssh_test\/ssh_host_rsa_key/' sshd_config
    6: sed -i 's/^HostKey \/etc\/ssh\/ssh_host_dsa_key$/Hostkey \/home\/user1\/ssh_test\/ssh_host_dsa_key/' sshd_config
    7: diff sshd_config.bak sshd_config
    8: ssh-keygen -b 4096 -t rsa -N '' -v -h -f ssh_host_rsa_key
    9: ssh-keygen -b 1024 -t dsa -N '' -v -h -f ssh_host_dsa_key
    10: ssh-keygen -b 4096 -t rsa -N '' -v -f ~/.ssh/id_rsa
    11: cat ~/.ssh/id_rsa.pub > ~/.ssh/authorized_keys
    12: /usr/sbin/sshd -Ddf sshd_config > sshd.out 2>&1 &
    13: ssh-keyscan -H vm1 127.0.0.1 >> ~/.ssh/known_hosts
    14: /usr/sbin/sshd -Ddf sshd_config >> sshd.out 2>&1 &
    15: ssh vm1 -v -p 1024 2>ssh.out
    16: ps au --forest
    17: logout
    18: /usr/sbin/sshd -Ddf sshd_config >> sshd.out 2>&1 &
    19: scp -v -P 1024 vm1:.bashrc . 2>scp.out
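Steps 4 to 6 edit a copy of sshd_config with sed, and step 7 shows the result. The Python checker below is an added example, not part of the exercise: it parses the file the way sshd reads it (comments stripped, keywords matched case-insensitively, which is why the lowercase `Hostkey` written by the sed commands still works, and for single-valued keywords the first value in the file wins) and then verifies the test setup: port 1024, host keys under the ssh_test directory, and a few settings worth reviewing before exposing any sshd. The configuration excerpt is constructed, and the defaults assumed when a keyword is absent are assumptions made for this example.

```python
import re

# Constructed excerpt of an sshd_config after the sed edits of steps 4-6; not the real file.
# The trailing duplicate "Port 22" shows the first-value-wins rule.
SAMPLE_SSHD_CONFIG = """\
# Package generated configuration file
Port 1024
Protocol 2
Hostkey /home/user1/ssh_test/ssh_host_rsa_key
Hostkey /home/user1/ssh_test/ssh_host_dsa_key
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
# a later duplicate: sshd keeps the first value it obtained
Port 22
"""

# keyword, then either whitespace or an optional-whitespace "=", then the value
KEYWORD_RE = re.compile(r"^(\S+?)(?:\s*=\s*|\s+)(.*)$")


def parse_sshd_config(text):
    """Return {lowercased keyword: [values in file order]}.

    Keywords are case-insensitive, '#' starts a comment and blank lines are
    ignored. For single-valued keywords sshd uses the first value it obtains,
    so callers take [0]; multi-valued ones such as HostKey keep the whole list.
    """
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYWORD_RE.match(line)
        if not m:
            continue
        options.setdefault(m.group(1).lower(), []).append(m.group(2).strip())
    return options


def check_test_config(options, expected_port="1024", key_dir="/home/user1/ssh_test"):
    """Report deviations from the exercise's intended setup plus settings a
    reviewer would flag. Defaults used when a keyword is absent are assumptions."""
    def first(key, default):
        return options.get(key, [default])[0]

    problems = []
    port = first("port", "22")
    if port != expected_port:
        problems.append(f"Port is {port}, expected {expected_port}")
    hostkeys = options.get("hostkey", [])
    if not hostkeys:
        problems.append("no HostKey lines: sshd would use the /etc/ssh host keys")
    for path in hostkeys:
        if not path.startswith(key_dir.rstrip("/") + "/"):
            problems.append(f"HostKey {path} is outside {key_dir}")
    if first("permitrootlogin", "yes").lower() == "yes":
        problems.append("PermitRootLogin yes: root can log in directly")
    if first("passwordauthentication", "yes").lower() == "yes":
        problems.append("PasswordAuthentication yes: keys are set up, so this could be 'no'")
    protocol = first("protocol", "2")
    if protocol != "2":
        problems.append(f"Protocol {protocol}: SSH-1 must not be enabled")
    return problems


if __name__ == "__main__":
    opts = parse_sshd_config(SAMPLE_SSHD_CONFIG)
    print("Port:", opts["port"][0], "HostKey:", opts["hostkey"])
    for problem in check_test_config(opts):
        print("-", problem)
```

Point it at the real file with `check_test_config(parse_sshd_config(open("sshd_config").read()))`; an empty list means the test configuration matches what steps 4 to 6 intended and none of the reviewed settings are at their permissive value.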

What you will see

    user1@vm1:~$ mkdir -v ssh_test
    mkdir: created directory 'ssh_test'
    user1@vm1:~$ cd ssh_test
    user1@vm1:~/ssh_test$ cp -v /etc/ssh/sshd_config .
    '/etc/ssh/sshd_config' -> './sshd_config'
    user1@vm1:~/ssh_test$ sed -i'.bak' 's/^Port 22$/Port 1024/' sshd_config
    user1@vm1:~/ssh_test$ sed -i 's/^HostKey \/etc\/ssh\/ssh_host_rsa_key$/Hostkey \/home\/user1\/ssh_test\/ssh_host_rsa_key/' sshd_config
    user1@vm1:~/ssh_test$ sed -i 's/^HostKey \/etc\/ssh\/ssh_host_dsa_key$/Hostkey \/home\/user1\/ssh_test\/ssh_host_dsa_key/' sshd_config
    user1@vm1:~/ssh_test$ diff sshd_config.bak sshd_config
    5c5
    < Port 22
    ---
    > Port 1024
    11,12c11,12
    < HostKey /etc/ssh/ssh_host_rsa_key
    < HostKey /etc/ssh/ssh_host_dsa_key
    ---
    > Hostkey /home/user1/ssh_test/ssh_host_rsa_key
    > Hostkey /home/user1/ssh_test/ssh_host_dsa_key
    user1@vm1:~/ssh_test$ ssh-keygen -b 4096 -t rsa -N '' -v -h -f ssh_host_rsa_key
    Generating public/private rsa key pair.
    Your identification has been saved in ssh_host_rsa_key.
    Your public key has been saved in ssh_host_rsa_key.pub.
    The key fingerprint is:
    8c:0a:8d:ae:c7:34:e6:29:9c:c2:14:29:b8:d9:1d:34 user1@vm1
    The key's randomart image is:
    +--[ RSA 4096]----+
    | |
    | E |
    |. .. . |
    |oo o. o |
    |.++.... S |
    |oo=... |
    |+=oo. |
    |o== |
    |oo |
    +-----------------+
    user1@vm1:~/ssh_test$ ssh-keygen -b 1024 -t dsa -N '' -v -h -f ssh_host_dsa_key
    Generating public/private dsa key pair.
    Your identification has been saved in ssh_host_dsa_key.
    Your public key has been saved in ssh_host_dsa_key.pub.
    The key fingerprint is:
    cd:6b:2a:a2:ba:80:65:71:85:ef:2e:6a:c0:a7:d9:aa user1@vm1
    The key's randomart image is:
    +--[ DSA 1024]----+
    | .. |
    | .. |
    | . .. |
    | o . o |
    |. o . S o |
    |o+ . . . |
    |o.= . o |
    |.o..o o o |
    |E=+o o .. |
    +-----------------+
    user1@vm1:~/ssh_test$ ssh-keygen -b 4096 -t rsa -N '' -v -f ~/.ssh/id_rsa
    Generating public/private rsa key pair.
    Your identification has been saved in /home/user1/.ssh/id_rsa.
    Your public key has been saved in /home/user1/.ssh/id_rsa.pub.
    The key fingerprint is:
    50:65:18:61:3f:41:36:07:4f:40:36:a7:4b:6d:64:28 user1@vm1
    The key's randomart image is:
    +--[ RSA 4096]----+
    | =B&+* |
    | oE=.& |
    | . .= + |
    | . . + |
    | S . |
    | |
    | |
    | |
    | |
    +-----------------+
    user1@vm1:~/ssh_test$ cat ~/.ssh/id_rsa.pub > ~/.ssh/authorized_keys
    user1@vm1:~/ssh_test$ /usr/sbin/sshd -Ddf sshd_config > sshd.out 2>&1 &
    [2] 26896
    user1@vm1:~/ssh_test$ ssh-keyscan -H vm1 127.0.0.1 >> ~/.ssh/known_hosts
    # 127.0.0.1 SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze2
    # vm1 SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze2
    [2]+ Exit 255 /usr/sbin/sshd -Ddf sshd_config > sshd.out 2>&1
    user1@vm1:~/ssh_test$ /usr/sbin/sshd -Ddf sshd_config >> sshd.out 2>&1 &
    [1] 26957
    user1@vm1:~/ssh_test$ ssh vm1 -v -p 1024 2>ssh.out
    Linux vm1 2.6.32-5-amd64 #1 SMP Sun May 6 04:00:17 UTC 2012 x86_64
    The programs included with the Debian GNU/Linux system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.
    Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
    permitted by applicable law.
    You have mail.
    Last login: Fri Jul 20 09:10:30 2012 from vm1.site
    Environment:
    LANG=en_US.UTF-8
    USER=user1
    LOGNAME=user1
    HOME=/home/user1
    PATH=/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games
    MAIL=/var/mail/user1
    SHELL=/bin/bash
    SSH_CLIENT=127.0.1.1 47456 1024
    SSH_CONNECTION=127.0.1.1 47456 127.0.1.1 1024
    SSH_TTY=/dev/pts/0
    TERM=xterm
    user1@vm1:~$ ps au --forest
    USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
    user1 26224 0.0 1.2 23660 6576 pts/2 Ss 09:09 0:01 -bash
    user1 27020 1.0 0.6 68392 3236 pts/2 S 09:50 0:00 \_ sshd: user1 [priv]
    user1 27025 0.0 0.2 68392 1412 pts/2 S 09:50 0:00 | \_ sshd: user1@pts/0
    user1 27026 9.0 1.2 23564 6404 pts/0 Ss 09:50 0:00 | \_ -bash
    user1 27051 0.0 0.2 16308 1060 pts/0 R+ 09:50 0:00 | \_ ps au --forest
    user1 27021 1.1 0.5 38504 2880 pts/2 S+ 09:50 0:00 \_ ssh vm1 -v -p 1024
    root 1107 0.0 0.1 5932 620 tty6 Ss+ Jul18 0:00 /sbin/getty 38400 tty6
    root 1106 0.0 0.1 5932 616 tty5 Ss+ Jul18 0:00 /sbin/getty 38400 tty5
    root 1105 0.0 0.1 5932 620 tty4 Ss+ Jul18 0:00 /sbin/getty 38400 tty4
    root 1104 0.0 0.1 5932 620 tty3 Ss+ Jul18 0:00 /sbin/getty 38400 tty3
    root 1103 0.0 0.1 5932 616 tty2 Ss+ Jul18 0:00 /sbin/getty 38400 tty2
    root 1102 0.0 0.1 5932 616 tty1 Ss+ Jul18 0:00 /sbin/getty 38400 tty1
    user1@vm1:~$ logout
    user1@vm1:~/ssh_test$
    [1]+ Exit 255 /usr/sbin/sshd -Ddf sshd_config > sshd.out 2>&1
    user1@vm1:~/ssh_test$ /usr/sbin/sshd -Ddf sshd_config >> sshd.out 2>&1 &
    [1] 27067
    user1@vm1:~/ssh_test$ scp -v -P 1024 vm1:.bashrc . 2>scp.out
    Environment:
    LANG=en_US.UTF-8
    USER=user1
    LOGNAME=user1
    HOME=/home/user1
    PATH=/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games
    MAIL=/var/mail/user1
    SHELL=/bin/bash
    SSH_CLIENT=127.0.1.1 47459 1024
    SSH_CONNECTION=127.0.1.1 47459 127.0.1.1 1024
    .bashrc 100% 3184 3.1KB/s 00:00
    [1]+ Exit 255 /usr/sbin/sshd -Ddf sshd_config >> sshd.out 2>&1

Explanation

  1. Create the /home/user1/ssh_test directory.
  2. Make it the current working directory.
  3. Copy sshd_config into this directory.
  4. Change the port sshd listens on from 22 to 1024, naming the backup copy sshd_config.bak.
  5. Replace the RSA host key location.
  6. Replace the DSA host key location.
  7. Show the differences between the old and new versions of sshd_config.
  8. Generate a new 4096-bit RSA host key pair with an empty passphrase, saving it to /home/user1/ssh_test/ssh_host_rsa_key and /home/user1/ssh_test/ssh_host_rsa_key.pub.
  9. The same, but for a DSA key.
  10. Generate a new authentication key pair, saving it to /home/user1/.ssh/id_rsa and /home/user1/.ssh/id_rsa.pub.
  11. Copy id_rsa.pub to /home/user1/.ssh/authorized_keys to allow password-less authentication.
  12. Start a new SSH server in debug mode on port 1024, saving all of its output to sshd.out.
  13. Fetch the host authentication key for the SSH client and feed it into /home/user1/.ssh/known_hosts.
  14. Start a new SSH server in debug mode on port 1024 again, appending all of its output to sshd.out. This is needed because in debug mode the SSH server serves only one connection.
  15. Connect to this server with the ssh client.
  16. Print the currently running processes as a tree. You can see that you are using a bash started by the sshd that serves your connection, which in turn was started by the sshd you launched yourself a few lines earlier.
  17. Log out of the ssh session.
  18. Start the SSH server once more.
  19. Copy the file .bashrc from your home directory to the current directory.
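Step 13 uses ssh-keyscan -H, which writes hashed known_hosts entries, and the first session above shows the colon-separated MD5 fingerprint the client asked you to confirm. The Python example below is added here and is not part of the exercise: it builds an ssh-rsa public key blob in the wire format from constructed (not real) key numbers, computes the MD5 and SHA256 fingerprints of that blob the way ssh-keygen -l does, writes a hashed known_hosts line for a host name, and tests whether a candidate host name matches such a line, which is all you can do with a hashed entry, since the host name cannot be recovered from it. The salt and key numbers are constructed for the example.

```python
import base64
import hashlib
import hmac
import os
import struct


def ssh_string(data):
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(n):
    """RFC 4251 'mpint': big-endian two's complement, with a leading zero byte
    when the top bit is set so the value is not read as negative."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def rsa_public_blob(e, n):
    """The ssh-rsa public key blob: the base64 part of an id_rsa.pub line."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def fingerprint_md5(blob):
    """Legacy colon-separated MD5 fingerprint, as printed by OpenSSH 5.x above."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def fingerprint_sha256(blob):
    """Modern fingerprint: SHA256 of the blob, base64 without padding."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def b64(data):
    return base64.b64encode(data).decode()


def hashed_known_hosts_line(hostname, keytype, blob, salt=None):
    """Produce a line in the format `ssh-keyscan -H` / HashKnownHosts writes:
    |1|<salt>|<HMAC-SHA1(salt, hostname)> <keytype> <base64 key>."""
    salt = salt if salt is not None else os.urandom(20)
    mac = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return f"|1|{b64(salt)}|{b64(mac)} {keytype} {b64(blob)}"


def line_matches_host(line, hostname):
    """True if a known_hosts line (hashed or plain) is for `hostname`."""
    hostfield = line.split()[0]
    if not hostfield.startswith("|1|"):
        return hostname in hostfield.split(",")
    _, _, salt_b64, mac_b64 = hostfield.split("|")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(mac_b64)
    actual = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return hmac.compare_digest(actual, expected)


def key_from_line(line):
    """Return (keytype, blob) from a known_hosts or authorized_keys-style line."""
    fields = line.split()
    return fields[1], base64.b64decode(fields[2])


if __name__ == "__main__":
    # Constructed key numbers, NOT a real key: only the encoding matters here.
    blob = rsa_public_blob(65537, (1 << 1023) | 0x1234567)
    print("MD5    ", fingerprint_md5(blob))
    print("SHA256 ", fingerprint_sha256(blob))
    line = hashed_known_hosts_line("vm1", "ssh-rsa", blob)
    print(line)
    print("matches vm1:", line_matches_host(line, "vm1"))
```

To check a real entry, read a line from ~/.ssh/known_hosts, pass it to `key_from_line`, and compare `fingerprint_md5` or `fingerprint_sha256` of the blob with the fingerprint the server's administrator published; `line_matches_host` tells you which hashed line belongs to which host without having to recompute anything by hand.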

Extra credit

Watch this video, which explains how encryption works: http://www.youtube.com/watch?v=3QnD2c4Xovk
Read: http://docstore.mik.ua/orelly/networking_2ndEd/ssh/ch03_04.htm
Read the debug output in the files ssh.out, scp.out and sshd.out. Explain to yourself what is happening.