Document information
SSH, the Secure Shell
The Definitive Guide
Daniel J. Barrett and Richard E. Silverman
Beijing • Cambridge • Farnham • Köln • Paris • Sebastopol • Taipei • Tokyo
SSH, the Secure Shell: The Definitive Guide
by Daniel J. Barrett and Richard E. Silverman
Copyright © 2001 O’Reilly & Associates, Inc. All rights reserved.
Printed in the United States of America.
Published by O’Reilly & Associates, Inc., 101 Morris Street, Sebastopol, CA 95472.
Editor: Mike Loukides
Production Editor: Mary Anne Weeks Mayo
Cover Designer: Ellie Volckhausen
Printing History:
February 2001: First Edition.
Nutshell Handbook, the Nutshell Handbook logo, and the O’Reilly logo are registered
trademarks of O’Reilly & Associates, Inc. Many of the designations used by manufacturers
and sellers to distinguish their products are claimed as trademarks. Where those designations
appear in this book, and O’Reilly & Associates, Inc. was aware of a trademark claim, the
designations have been printed in caps or initial caps. The association between the image of
a land snail and the topic of SSH is a trademark of O’Reilly & Associates, Inc.
While every precaution has been taken in the preparation of this book, the publisher assumes
no responsibility for errors or omissions, or for damages resulting from the use of the
information contained herein.
ISBN: 0-596-00011-1 [3/01]
About the Authors
Daniel J. Barrett, Ph.D., has been immersed in Internet technology since 1985.
Currently a software engineer and vice president at a well-known financial services
company, Dan has also been a heavy metal singer, Unix system administrator,
university lecturer, web designer, and humorist.
Dan has written several other O’Reilly books, including NetResearch: Finding
Information Online and Bandits on the Information Superhighway, as well as
monthly columns for Compute! and Keyboard Magazine. He and his family reside
in Boston.
You may write to Dan at dbarrett@oreilly.com.
Richard E. Silverman first touched a computer as a college junior in 1986, when he
logged into a DEC-20, typed “MM” to send some mail, and was promptly lost to
the world. He eventually resurfaced and discovered he had a career, which was
convenient but somewhat disorienting, since he hadn’t really been looking for
one. Since earning his B.A. in computer science and M.A. in pure mathematics,
Richard has worked in the fields of networking, formal methods in software development, public-key infrastructure, routing security, and Unix systems
administration. Outside of work, he loves to read, study languages and mathematics, sing, dance, and exercise.
You may reach Richard at res@oreilly.com.
Colophon
Our look is the result of reader comments, our own experimentation, and feedback from distribution channels. Distinctive covers complement our distinctive
approach to technical topics, breathing personality and life into potentially dry
subjects.
The animal on the cover of SSH, the Secure Shell: The Definitive Guide is a land
snail (Mollusca gastropoda).
A member of the mollusk family, a snail has a soft, moist body that is protected by
a hard shell, into which it can retreat when in danger or when in arid or bright
conditions. Snails prefer wet weather and, though not nocturnal, will stay out of
bright sun. At the front of a snail’s long body are two sets of tentacles: its eyes are
at the end of one set, and the other set is used for smelling and navigation.
Land snails are hermaphrodites, each having both female and male sex organs,
though a snail must mate with another snail in order for fertilization to occur. A
snail lays eggs approximately six times a year, with almost 100 eggs each time.
Young snails hatch in a month and become adults in two years. A snail’s life span
is approximately 5–10 years.
Known as a slow mover, a snail moves by muscles on its underside that contract
and expand, propelling the snail along at a slow pace. It leaves a wet trail of
mucus, which protects the snail from anything sharp it may need to crawl over as
it searches for food. The snail’s diet of plants, bark, and fruits causes it to be a pest
in many parts of the world where it is notorious for destroying crops.
Mary Anne Weeks Mayo was the production editor and copyeditor for SSH, the
Secure Shell: The Definitive Guide. Colleen Gorman proofread the book. Rachel
Wheeler and Jane Ellin provided quality control. Matt Hutchinson and Lucy
Muellner provided production assistance. John Bickelhaupt revised the index.
Ellie Volckhausen designed the cover of this book, based on a series design by
Edie Freedman. The cover image is an original engraving from the book Natural
History of Animals by Sanborn Tenney and Abby A. Tenney, published by
Scribner, Armstrong & Co. in 1873. Emma Colby produced the cover layout with
QuarkXPress 4.1 using Adobe’s ITC Garamond font.
David Futato and Melanie Wang designed the interior layout based on a series
design by Nancy Priest. Mike Sierra implemented the design in FrameMaker 5.5.6.
The text and heading fonts are ITC Garamond Light and Garamond Book; the
code font is Constant Willison. The illustrations that appear in the book were
produced by Robert Romano using Macromedia FreeHand 8 and Adobe Photoshop 5. This colophon was written by Nicole Arigo.
Whenever possible, our books use a durable and flexible lay-flat binding. If the
page count exceeds this binding’s limit, perfect binding is used.
Table of Contents
Preface ix
1. Introduction to SSH 1
1.1. What Is SSH? 2
1.2. What SSH Is Not 2
1.3. The SSH Protocol 4
1.4. Overview of SSH Features 5
1.5. History of SSH 10
1.6. Related Technologies 12
1.7. Summary 18
2. Basic Client Use 19
2.1. A Running Example 19
2.2. Remote Terminal Sessions with ssh 20
2.3. Adding Complexity to the Example 22
2.4. Authentication by Cryptographic Key 26
2.5. The SSH Agent 32
2.6. Connecting Without a Password or Passphrase 37
2.7. Miscellaneous Clients 38
2.8. Summary 40
3. Inside SSH 41
3.1. Overview of Features 42
3.2. A Cryptography Primer 45
3.3. The Architecture of an SSH System 49
3.4. Inside SSH-1 52
3.5. Inside SSH-2 72
3.6. As-User Access (userfile) 85
3.7. Randomness 86
3.8. SSH and File Transfers (scp and sftp) 88
3.9. Algorithms Used by SSH 91
3.10. Threats SSH Can Counter 100
3.11. Threats SSH Doesn’t Prevent 103
3.12. Summary 107
4. Installation and Compile-Time Configuration 108
4.1. SSH1 and SSH2 108
4.2. F-Secure SSH Server 129
4.3. OpenSSH 130
4.4. Software Inventory 134
4.5. Replacing R-Commands with SSH 135
4.6. Summary 138
5. Serverwide Configuration 139
5.1. The Name of the Server 140
5.2. Running the Server 141
5.3. Server Configuration: An Overview 143
5.4. Getting Ready: Initial Setup 148
5.5. Letting People in: Authentication and Access Control 166
5.6. User Logins and Accounts 187
5.7. Subsystems 190
5.8. History, Logging, and Debugging 192
5.9. Compatibility Between SSH-1 and SSH-2 Servers 201
5.10. Summary 203
6. Key Management and Agents 204
6.1. What Is an Identity? 205
6.2. Creating an Identity 209
6.3. SSH Agents 216
6.4. Multiple Identities 235
6.5. Summary 238
7. Advanced Client Use 240
7.1. How to Configure Clients 240
7.2. Precedence 250
7.3. Introduction to Verbose Mode 251
7.4. Client Configuration in Depth 252
7.5. Secure Copy with scp 284
7.6. Summary 292
8. Per-Account Server Configuration 293
8.1. Limits of This Technique 294
8.2. Public Key-Based Configuration 295
8.3. Trusted-Host Access Control 313
8.4. The User rc File 315
8.5. Summary 315
9. Port Forwarding and X Forwarding 316
9.1. What Is Forwarding? 317
9.2. Port Forwarding 318
9.3. X Forwarding 340
9.4. Forwarding Security: TCP-wrappers and libwrap 353
9.5. Summary 359
10. A Recommended Setup 360
10.1. The Basics 360
10.2. Compile-Time Configuration 361
10.3. Serverwide Configuration 362
10.4. Per-Account Configuration 366
10.5. Key Management 367
10.6. Client Configuration 367
10.7. Remote Home Directories (NFS, AFS) 368
10.8. Summary 371
11. Case Studies 372
11.1. Unattended SSH: Batch or cron Jobs 372
11.2. FTP Forwarding 379
11.3. Pine, IMAP, and SSH 400
11.4. Kerberos and SSH 408
11.5. Connecting Through a GatewayHost 428
12. Troubleshooting and FAQ 437
12.1. Debug Messages: Your First Line of Defense 437
12.2. Problems and Solutions 440
12.3. Other SSH Resources 459
12.4. Reporting Bugs 460
13. Overview of Other Implementations 461
13.1. Common Features 461
13.2. Covered Products 462
13.3. Table of Products 462
13.4. Other SSH-Related Products 470
14. SSH1 Port by Sergey Okhapkin (Windows) 471
14.1. Obtaining and Installing Clients 471
14.2. Client Use 475
14.3. Obtaining and Installing the Server 476
14.4. Troubleshooting 478
14.5. Summary 479
15. SecureCRT (Windows) 480
15.1. Obtaining and Installing 480
15.2. Basic Client Use 481
15.3. Key Management 482
15.4. Advanced Client Use 483
15.5. Forwarding 484
15.6. Troubleshooting 486
15.7. Summary 487
16. F-Secure SSH Client (Windows, Macintosh) 488
16.1. Obtaining and Installing 488
16.2. Basic Client Use 489
16.3. Key Management 490
16.4. Advanced Client Use 491
16.5. Forwarding 493
16.6. Troubleshooting 495
16.7. Summary 497
17. NiftyTelnet SSH (Macintosh) 498
17.1. Obtaining and Installing 498
17.2. Basic Client Use 499
17.3. Troubleshooting 501
17.4. Summary 502
A. SSH2 Manpage for sshregex 503
B. SSH Quick Reference 506
Index 521
[...]
OpenSSH
The product OpenSSH from the OpenBSD project (see http://www.openssh.com/), which implements both the SSH-1 and SSH-2 protocols.
OpenSSH/1
OpenSSH, referring specifically to its behavior when using the SSH-1 protocol.
OpenSSH/2
OpenSSH, referring specifically to its behavior when using the SSH-2 protocol.
[...]
SSH completely avoids these problems. Rather than running the insecure telnet program, you run the [...]
[...] 1.5 are the best known, and we will write SSH-1.3 and SSH-1.5 should the distinction be necessary.
SSH-2
The SSH protocol, Version 2, as defined by several draft standards documents of the IETF SECSH working group. [3.5.1]
SSH1
Tatu Ylönen’s software implementing the SSH-1 protocol; the original SSH. Now distributed and maintained (minimally) by SSH Communications Security, Inc.
SSH2
The SSH Secure Shell [...]
[...] book is current for the following Unix SSH versions:
SSH1 1.2.30
F-Secure SSH1 1.3.7
OpenSSH 2.2.0
SSH Secure Shell (a.k.a. SSH2) 2.3.0
F-Secure SSH2 2.0.13
The F-Secure products for Unix differ little from SSH1 and SSH2, so we won’t discuss them separately except for unique features. See Appendix B for a summary of the differences. Version information for non-Unix products is found in their respective chapters. [...]
[...] public interest. The SECSH working group submitted the first Internet Draft for the SSH-2.0 protocol in February 1997. In 1998, SCS released the software product SSH Secure Shell (SSH2), based on the superior SSH-2 protocol. However, SSH2 didn’t replace SSH1 in the field, for two reasons. First, SSH2 was missing a number of useful, practical features and configuration options of SSH1. Second, SSH2 had a more [...]
[...] This refers to SCS’s SSH1 and SSH2, F-Secure SSH Server (Versions 1 and 2), OpenSSH, and any other ports of the SSH1 or SSH2 code base for Unix or other operating systems. The term doesn’t encompass other SSH products (SecureCRT, NiftyTelnet SSH, F-Secure’s Windows and Macintosh clients, etc.).
1.6 Related Technologies
SSH is popular and convenient, but we certainly don’t claim it is the ultimate security [...]
[...] SSH Communications Security, Inc. (http://www.ssh.com). This is a commercial SSH-2 protocol implementation, though it is licensed free of charge in some circumstances.
ssh (all lowercase letters)
A client program included in SSH1, SSH2, OpenSSH, F-Secure SSH, and other products, for running secure terminal sessions and remote commands. In SSH1 and SSH2, it is also named ssh1 or ssh2, respectively.
OpenSSH [...]
[...] denoted with dashes: SSH-1, SSH-2
• Products are denoted in uppercase, without dashes: SSH1, SSH2
• Client programs are in lowercase: ssh, ssh1, ssh2, etc.
1.4 Overview of SSH Features
So, what can SSH do? Let’s run through some examples that demonstrate the major features of SSH, such as secure remote logins, secure file copying, and secure invocation of remote commands. We use SSH1 in the examples, but [...]
[...] use only for qualifying educational and non-profit entities. As a result, when SSH2 first appeared, most existing SSH1 users saw few advantages to SSH2 and continued to use SSH1. As of this writing, three years after the introduction of the SSH-2 protocol, SSH-1 is still the most widely deployed version on the Internet, even though SSH-2 is a better and more secure protocol. This situation promises to [...]
[...] discovered as the software grew in popularity. These problems couldn’t be fixed without losing backward compatibility, so in 1996, SCS introduced a new, major version of the protocol, SSH 2.0 or SSH-2, that incorporates new algorithms and is incompatible with SSH-1. In response, the IETF formed a working group called SECSH (Secure Shell) to standardize the protocol and guide its development in the public [...]
[...] of those insecure rhosts and hosts.equiv files! (Though SSH can work with them as well, if you like.)
If you’re still using the r-commands, switch to SSH immediately: the learning curve is small, and security is far better.
1.2 What SSH Is Not
Although SSH stands for Secure Shell, it is not a true shell in the sense of the Unix Bourne shell and C shell. It is not a command interpreter, nor does it provide [...]
[...] on the context. If A is secured using multiple keys (say K and L), they will be listed in the subscript, separated by commas: A_{K,L}
[...] forth. Rather, SSH creates a chan- [...]
* SSH is pronounced by spelling it aloud: S-S-H. You might find the name Secure Shell a little puzzling, because it is not, in fact, a shell at all. The name [...]
1.1. What Is SSH?
SSH, the Secure Shell, is a popular, powerful, software-based approach to network security.* Whenever data is sent by a computer to the network, SSH automatically encrypts [...]
Posted: 31/03/2014, 17:17
See also: o'reilly - ssh the secure shell the definitive guide -2