    Exercise 27: Secure Shell: ssh, sshd, scp

    Original: Exercise 27. Networking: secure shell, ssh, sshd, scp

    Translator: 飞龙

    License: CC BY-NC-SA 4.0

    Proudly powered by Google Translate

    As you probably already know, SSH is a network protocol that lets you log in to vm1 over the network. Let's study it in detail.

    Secure Shell (SSH) is a network protocol for secure data communication, remote shell services or command execution, and other network services between two networked computers, which it connects through a secure channel over an insecure network: a server and a client (running the SSH server and SSH client programs respectively). The protocol specification distinguishes two major versions, referred to as SSH-1 and SSH-2.

    The best-known application of the protocol is access to shell accounts on Unix-like operating systems. It was designed as a replacement for Telnet and other insecure remote shell protocols such as the Berkeley rsh and rexec protocols, which send information, notably passwords, in plaintext, making them easy to intercept and expose with packet analysis. The encryption used by SSH is intended to provide confidentiality and integrity of data over an insecure network such as the Internet.

    Important SSH programs, concepts and configuration files:

    • OpenSSH - the open-source implementation of the ssh programs.
    • ssh - the client program that lets you connect to an SSH server. PuTTY is another such client program.
    • sshd - the server program that lets you connect to it with ssh.
    • /etc/ssh/ssh_config - the default client configuration file.
    • /etc/ssh/sshd_config - the default server configuration file.
    • Public-key cryptography - a cryptographic system that requires two separate keys, one of which is private and one of which is public. Although different, the two parts of the key pair are mathematically linked. One key locks (encrypts) the plaintext and the other unlocks (decrypts) the ciphertext; neither key can perform both functions. One of the keys is published, the other is kept secret.
    • SSH keys - SSH uses public-key cryptography to authenticate the remote computer and to let it authenticate the user, if necessary. Anyone can generate a matching pair of different keys (public and private). The public key is placed on every computer that must allow access to the owner of the matching private key (which the owner keeps secret). Although authentication is based on the private key, the key itself is never transferred over the network during authentication.
    • /etc/ssh/moduli - prime numbers and their generators, used by sshd(8) in the Diffie-Hellman Group Exchange key exchange method.
    • /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_rsa_key - the host's DSA and RSA private keys.
    • /etc/ssh/ssh_host_dsa_key.pub, /etc/ssh/ssh_host_rsa_key.pub - the host's DSA and RSA public keys.

    The SSH protocol is so important, so widely used and has so many features that you must understand something of how it works. Here are some of its uses:

    • scp - file transfer over SSH.
    • sftp - an ftp-like protocol for managing remote files.
    • sshfs - a remote file system over SSH.
    • SSH tunnelling - a way of carrying almost any data over a secure connection. This is very important because it can serve as the basis for building protected systems, among many other uses.

    To understand the protocol, let's look at what happens during an SSH session. For this we will study the annotated output of a connection from vm1 to vm1 (yes, this can be done, and it is perfectly valid). An overview:

    1. You type ssh vm1
    2. Control is now passed to the SSH client
    3. SSH client:
        1. Enters the plaintext phase
        2. Reads its configuration
        3. Negotiates the protocol with the SSH server
        4. Enters the SSH-transport phase
        5. Negotiates with the SSH server:
            1. the data encryption cipher
            2. the data integrity algorithm
            3. the data compression algorithm
        6. Starts a key exchange using the Diffie-Hellman algorithm
        7. The resulting shared secret is used to establish the secure connection
        8. Enters the SSH-userauth phase
        9. Asks you for your password
    4. Control is now passed to you
    5. You type your password
    6. Control is now passed to the SSH client
    7. SSH client:
        1. The SSH server authenticates you
        2. Enters the SSH-connection phase
        3. A pseudo-terminal is allocated for you
        4. A shell is started for you
    8. Control is now passed to you
    9. You do something (un)useful on vm1
    10. You close the shell
    11. Control is now passed to the SSH client
    12. SSH client:
        1. Closes the pseudo-terminal
        2. Closes the connection

    Now read this:

    • The SSH protocol revealed
    • http://www.cs.ust.hk/faculty/cding/COMP581/SLIDES/slide24.pdf

    and study the real output of an SSH session:

    user1@vm1:~$ ssh -vv vm1
    Protocol version selection, plaintext
    -------------------------------------
    OpenSSH_5.5p1 Debian-6+squeeze2, OpenSSL 0.9.8o 01 Jun 2010
    # Speaks for itself, I will mark such entries with -- below
    debug1: Reading configuration data /etc/ssh/ssh_config
    # Applying default options for all hosts. Additional options for each host may be
    # specified in the configuration file
    debug1: Applying options for *
    debug2: ssh_connect: needpriv 0
    debug1: Connecting to vm1 [127.0.1.1] port 22.
    debug1: Connection established.
    debug1: identity file /home/user1/.ssh/id_rsa type -1 # no such files
    debug1: identity file /home/user1/.ssh/id_rsa-cert type -1
    debug1: identity file /home/user1/.ssh/id_dsa type -1
    debug1: identity file /home/user1/.ssh/id_dsa-cert type -1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5p1 Debian-6+squeeze2
    debug1: match: OpenSSH_5.5p1 Debian-6+squeeze2 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze2
    debug2: fd 3 setting O_NONBLOCK
    SSH-transport, binary packet protocol
    -------------------------------------
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    # Key exchange algorithms
    debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    # SSH host key types
    debug2: kex_parse_kexinit: ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss
    # Data encryption ciphers
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
    # Data integrity algorithms
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    # Data compression algorithms
    debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
    debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit: first_kex_follows
    debug2: kex_parse_kexinit: reserved 0
    # Messages back from server
    debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: none,zlib@openssh.com
    debug2: kex_parse_kexinit: none,zlib@openssh.com
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit: first_kex_follows 0
    debug2: kex_parse_kexinit: reserved 0
    # Message authentication code setup
    debug2: mac_setup: found hmac-md5
    debug1: kex: server->client aes128-ctr hmac-md5 none
    debug2: mac_setup: found hmac-md5
    debug1: kex: client->server aes128-ctr hmac-md5 none
    # Key exchange
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug2: dh_gen_key: priv key bits set: 135/256
    debug2: bits set: 498/1024
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    # Server authentication. vm1 host key is not known because it is our first connection
    debug2: no key of type 0 for host vm1
    debug2: no key of type 2 for host vm1
    # Confirmation of host key acceptance
    The authenticity of host 'vm1 (127.0.1.1)' can't be established.
    RSA key fingerprint is b6:06:92:5e:04:49:d9:e8:57:90:61:1b:16:87:bb:09.
    Are you sure you want to continue connecting (yes/no)? yes
    Warning: Permanently added 'vm1' (RSA) to the list of known hosts.
    # Key is added to /home/user1/.ssh/known_hosts and checked
    debug2: bits set: 499/1024
    debug1: ssh_rsa_verify: signature correct
    # Based on shared master key, data encryption key and data integrity key are derived
    debug2: kex_derive_keys
    debug2: set_newkeys: mode 1
    # Information about this is sent to server
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug2: set_newkeys: mode 0
    debug1: SSH2_MSG_NEWKEYS received
    # IP roaming not enabled? Not sure about this.
    debug1: Roaming not allowed by server
    SSH-userauth
    ------------
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug2: service_accept: ssh-userauth
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug2: key: /home/user1/.ssh/id_rsa ((nil))
    debug2: key: /home/user1/.ssh/id_dsa ((nil))
    debug1: Authentications that can continue: publickey,password
    debug1: Next authentication method: publickey
    debug1: Trying private key: /home/user1/.ssh/id_rsa
    debug1: Trying private key: /home/user1/.ssh/id_dsa
    debug2: we did not send a packet, disable method
    debug1: Next authentication method: password
    user1@vm1's password:
    debug2: we sent a password packet, wait for reply
    debug1: Authentication succeeded (password).
    SSH-connection
    --------------
    debug1: channel 0: new [client-session]
    debug2: channel 0: send open
    # Disable SSH multiplexing.
    # More info: http://www.linuxjournal.com/content/speed-multiple-ssh-connections-same-server
    debug1: Requesting no-more-sessions@openssh.com
    debug1: Entering interactive session.
    debug2: callback start
    debug2: client_session2_setup: id 0
    debug2: channel 0: request pty-req confirm 1
    # Sending environment variables
    debug1: Sending environment.
    debug1: Sending env LANG = en_US.UTF-8
    debug2: channel 0: request env confirm 0
    debug2: channel 0: request shell confirm 1
    # Set TCP_NODELAY flag: http://en.wikipedia.org/wiki/Nagle%27s_algorithm
    debug2: fd 3 setting TCP_NODELAY
    debug2: callback done
    # Connection opened
    debug2: channel 0: open confirm rwindow 0 rmax 32768
    debug2: channel_input_status_confirm: type 99 id 0
    # Pseudo terminal allocation
    debug2: PTY allocation request accepted on channel 0
    debug2: channel 0: rcvd adjust 2097152
    debug2: channel_input_status_confirm: type 99 id 0
    # Shell is started
    debug2: shell request accepted on channel 0
    # Logging in is completed
    Linux vm1 2.6.32-5-amd64 #1 SMP Sun May 6 04:00:17 UTC 2012 x86_64
    The programs included with the Debian GNU/Linux system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.
    Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
    permitted by applicable law.
    You have mail.
    Last login: Thu Jul 19 05:14:40 2012 from 10.0.2.2
    user1@vm1:~$ debug2: client_check_window_change: changed
    debug2: channel 0: request window-change confirm 0
    user1@vm1:~$ debug2: client_check_window_change: changed
    debug2: channel 0: request window-change confirm 0
    user1@vm1:~$ logout
    Ending ssh connection
    ---------------------
    debug2: channel 0: rcvd eof # end of file
    debug2: channel 0: output open -> drain
    debug2: channel 0: obuf empty
    debug2: channel 0: close_write
    debug2: channel 0: output drain -> closed
    debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
    # signalling that channels are half-closed for writing, through a channel protocol extension
    # notification "eow@openssh.com" http://www.openssh.com/txt/release-5.1
    debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
    debug2: channel 0: rcvd eow
    # Ending connection
    debug2: channel 0: close_read
    debug2: channel 0: input open -> closed
    debug2: channel 0: rcvd close
    debug2: channel 0: almost dead
    debug2: channel 0: gc: notify user
    debug2: channel 0: gc: user detached
    debug2: channel 0: send close
    debug2: channel 0: is dead
    debug2: channel 0: garbage collecting
    debug1: channel 0: free: client-session, nchannels 1
    Connection to vm1 closed.
    Transferred: sent 1928, received 2632 bytes, in 93.2 seconds
    Bytes per second: sent 20.7, received 28.2
    debug1: Exit status 0
    user1@vm1:~$
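    The debug output above is also what you look at when checking that a connection negotiated acceptable algorithms. The script below is an added example, not part of the original exercise: it reads an ssh -vv log, reports what the session negotiated (cipher, MAC, compression, the Diffie-Hellman group size requested, the authentication method that succeeded) and flags algorithms that are considered weak today. The sample log is constructed from lines of the session shown above; the list of weak algorithms (hmac-md5, the 96-bit MACs, arcfour, CBC-mode ciphers, diffie-hellman-group1-sha1) is this example's own choice, not something the exercise states.

```sh
#!/bin/sh
# Added example, not part of the original exercise: read an "ssh -vv"
# debug log and report what the session negotiated, flagging weak choices.

# Constructed sample: the relevant lines copied from the session above.
SAMPLE_LOG='debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: Authentication succeeded (password).'

# negotiated LOG DIRECTION: print "cipher mac compression" chosen for
# DIRECTION, which is "server->client" or "client->server".
negotiated() {
    printf '%s\n' "$1" | awk -v dir="$2" '$2 == "kex:" && $3 == dir { print $4, $5, $6; exit }'
}

# dh_group_bits LOG: the group size the client asked for in the DH group
# exchange request (min<preferred<max); 1024 is small by today's standards.
dh_group_bits() {
    printf '%s\n' "$1" |
        sed -n 's/^debug1: SSH2_MSG_KEX_DH_GEX_REQUEST([0-9]*<\([0-9]*\)<[0-9]*) sent$/\1/p' |
        head -n 1
}

# auth_method LOG: which method finally succeeded (password, publickey, ...).
auth_method() {
    printf '%s\n' "$1" | sed -n 's/^debug1: Authentication succeeded (\(.*\))\.$/\1/p' | head -n 1
}

# weak_algorithms LOG: every negotiated algorithm on the "kex:" lines that is
# on this example's (assumed) list of weak choices, one per line, sorted.
weak_algorithms() {
    printf '%s\n' "$1" | awk '
        $2 == "kex:" {
            for (i = 4; i <= 6; i++) {
                a = $i
                if (a == "hmac-md5" || a == "hmac-md5-96" || a == "hmac-sha1-96" ||
                    a ~ /^arcfour/ || a ~ /-cbc$/ || a == "diffie-hellman-group1-sha1")
                    seen[a] = 1
            }
        }
        END { for (a in seen) print a }' | sort
}

# report LOG: human-readable summary of the session.
report() {
    echo "server->client: $(negotiated "$1" 'server->client')"
    echo "client->server: $(negotiated "$1" 'client->server')"
    echo "DH group bits requested: $(dh_group_bits "$1")"
    echo "authentication: $(auth_method "$1")"
    weak=$(weak_algorithms "$1")
    if [ -n "$weak" ]; then
        echo "weak algorithms in use: $weak"
    else
        echo "no weak algorithms found"
    fi
}

report "$SAMPLE_LOG"
```

    To run it against a real session, redirect the client's debug output to a file (ssh -vv vm1 2>ssh.out, as the exercise does below) and pass the file's contents: report "$(cat ssh.out)". For the session above it reports hmac-md5 as the MAC in both directions, which is what a defender would change first (through the MACs keyword in ssh_config or sshd_config).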

    Now you will learn how to start sshd in debug mode, set up public key authentication and copy files with scp.

    Do this

    1. mkdir -v ssh_test
    2. cd ssh_test
    3. cp -v /etc/ssh/sshd_config .
    4. sed -i'.bak' 's/^Port 22$/Port 1024/' sshd_config
    5. sed -i 's/^HostKey \/etc\/ssh\/ssh_host_rsa_key$/Hostkey \/home\/user1\/ssh_test\/ssh_host_rsa_key/' sshd_config
    6. sed -i 's/^HostKey \/etc\/ssh\/ssh_host_dsa_key$/Hostkey \/home\/user1\/ssh_test\/ssh_host_dsa_key/' sshd_config
    7. diff sshd_config.bak sshd_config
    8. ssh-keygen -b 4096 -t rsa -N '' -v -h -f ssh_host_rsa_key
    9. ssh-keygen -b 1024 -t dsa -N '' -v -h -f ssh_host_dsa_key
    10. ssh-keygen -b 4096 -t rsa -N '' -v -f ~/.ssh/id_rsa
    11. cat ~/.ssh/id_rsa.pub > ~/.ssh/authorized_keys
    12. /usr/sbin/sshd -Ddf sshd_config > sshd.out 2>&1 &
    13. ssh-keyscan -H vm1 127.0.0.1 >> ~/.ssh/known_hosts
    14. /usr/sbin/sshd -Ddf sshd_config >> sshd.out 2>&1 &
    15. ssh vm1 -v -p 1024 2>ssh.out
    16. ps au --forest
    17. logout
    18. /usr/sbin/sshd -Ddf sshd_config >> sshd.out 2>&1 &
    19. scp -v -P 1024 vm1:.bashrc . 2>scp.out

    What you will see

    user1@vm1:~$ mkdir -v ssh_test
    mkdir: created directory 'ssh_test'
    user1@vm1:~$ cd ssh_test
    user1@vm1:~/ssh_test$ cp -v /etc/ssh/sshd_config .
    '/etc/ssh/sshd_config' -> './sshd_config'
    user1@vm1:~/ssh_test$ sed -i'.bak' 's/^Port 22$/Port 1024/' sshd_config
    user1@vm1:~/ssh_test$ sed -i 's/^HostKey \/etc\/ssh\/ssh_host_rsa_key$/Hostkey \/home\/user1\/ssh_test\/ssh_host_rsa_key/' sshd_config
    user1@vm1:~/ssh_test$ sed -i 's/^HostKey \/etc\/ssh\/ssh_host_dsa_key$/Hostkey \/home\/user1\/ssh_test\/ssh_host_dsa_key/' sshd_config
    user1@vm1:~/ssh_test$ diff sshd_config.bak sshd_config
    5c5
    < Port 22
    ---
    > Port 1024
    11,12c11,12
    < HostKey /etc/ssh/ssh_host_rsa_key
    < HostKey /etc/ssh/ssh_host_dsa_key
    ---
    > Hostkey /home/user1/ssh_test/ssh_host_rsa_key
    > Hostkey /home/user1/ssh_test/ssh_host_dsa_key
    user1@vm1:~/ssh_test$ ssh-keygen -b 4096 -t rsa -N '' -v -h -f ssh_host_rsa_key
    Generating public/private rsa key pair.
    Your identification has been saved in ssh_host_rsa_key.
    Your public key has been saved in ssh_host_rsa_key.pub.
    The key fingerprint is:
    8c:0a:8d:ae:c7:34:e6:29:9c:c2:14:29:b8:d9:1d:34 user1@vm1
    The key's randomart image is:
    +--[ RSA 4096]----+
    | |
    | E |
    |. .. . |
    |oo o. o |
    |.++.... S |
    |oo=... |
    |+=oo. |
    |o== |
    |oo |
    +-----------------+
    user1@vm1:~/ssh_test$ ssh-keygen -b 1024 -t dsa -N '' -v -h -f ssh_host_dsa_key
    Generating public/private dsa key pair.
    Your identification has been saved in ssh_host_dsa_key.
    Your public key has been saved in ssh_host_dsa_key.pub.
    The key fingerprint is:
    cd:6b:2a:a2:ba:80:65:71:85:ef:2e:6a:c0:a7:d9:aa user1@vm1
    The key's randomart image is:
    +--[ DSA 1024]----+
    | .. |
    | .. |
    | . .. |
    | o . o |
    |. o . S o |
    |o+ . . . |
    |o.= . o |
    |.o..o o o |
    |E=+o o .. |
    +-----------------+
    user1@vm1:~/ssh_test$ ssh-keygen -b 4096 -t rsa -N '' -v -f ~/.ssh/id_rsa
    Generating public/private rsa key pair.
    Your identification has been saved in /home/user1/.ssh/id_rsa.
    Your public key has been saved in /home/user1/.ssh/id_rsa.pub.
    The key fingerprint is:
    50:65:18:61:3f:41:36:07:4f:40:36:a7:4b:6d:64:28 user1@vm1
    The key's randomart image is:
    +--[ RSA 4096]----+
    | =B&+* |
    | oE=.& |
    | . .= + |
    | . . + |
    | S . |
    | |
    | |
    | |
    | |
    +-----------------+
    user1@vm1:~/ssh_test$ cat ~/.ssh/id_rsa.pub > ~/.ssh/authorized_keys
    user1@vm1:~/ssh_test$ /usr/sbin/sshd -Ddf sshd_config > sshd.out 2>&1 &
    [2] 26896
    user1@vm1:~/ssh_test$ ssh-keyscan -H vm1 127.0.0.1 >> ~/.ssh/known_hosts
    # 127.0.0.1 SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze2
    # vm1 SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze2
    [2]+ Exit 255 /usr/sbin/sshd -Ddf sshd_config > sshd.out 2>&1
    user1@vm1:~/ssh_test$ /usr/sbin/sshd -Ddf sshd_config >> sshd.out 2>&1 &
    [1] 26957
    user1@vm1:~/ssh_test$ ssh vm1 -v -p 1024 2>ssh.out
    Linux vm1 2.6.32-5-amd64 #1 SMP Sun May 6 04:00:17 UTC 2012 x86_64
    The programs included with the Debian GNU/Linux system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.
    Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
    permitted by applicable law.
    You have mail.
    Last login: Fri Jul 20 09:10:30 2012 from vm1.site
    Environment:
    LANG=en_US.UTF-8
    USER=user1
    LOGNAME=user1
    HOME=/home/user1
    PATH=/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games
    MAIL=/var/mail/user1
    SHELL=/bin/bash
    SSH_CLIENT=127.0.1.1 47456 1024
    SSH_CONNECTION=127.0.1.1 47456 127.0.1.1 1024
    SSH_TTY=/dev/pts/0
    TERM=xterm
    user1@vm1:~$ ps au --forest
    USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
    user1 26224 0.0 1.2 23660 6576 pts/2 Ss 09:09 0:01 -bash
    user1 27020 1.0 0.6 68392 3236 pts/2 S 09:50 0:00 \_ sshd: user1 [priv]
    user1 27025 0.0 0.2 68392 1412 pts/2 S 09:50 0:00 | \_ sshd: user1@pts/0
    user1 27026 9.0 1.2 23564 6404 pts/0 Ss 09:50 0:00 | \_ -bash
    user1 27051 0.0 0.2 16308 1060 pts/0 R+ 09:50 0:00 | \_ ps au --forest
    user1 27021 1.1 0.5 38504 2880 pts/2 S+ 09:50 0:00 \_ ssh vm1 -v -p 1024
    root 1107 0.0 0.1 5932 620 tty6 Ss+ Jul18 0:00 /sbin/getty 38400 tty6
    root 1106 0.0 0.1 5932 616 tty5 Ss+ Jul18 0:00 /sbin/getty 38400 tty5
    root 1105 0.0 0.1 5932 620 tty4 Ss+ Jul18 0:00 /sbin/getty 38400 tty4
    root 1104 0.0 0.1 5932 620 tty3 Ss+ Jul18 0:00 /sbin/getty 38400 tty3
    root 1103 0.0 0.1 5932 616 tty2 Ss+ Jul18 0:00 /sbin/getty 38400 tty2
    root 1102 0.0 0.1 5932 616 tty1 Ss+ Jul18 0:00 /sbin/getty 38400 tty1
    user1@vm1:~$ logout
    user1@vm1:~/ssh_test$
    [1]+ Exit 255 /usr/sbin/sshd -Ddf sshd_config > sshd.out 2>&1
    user1@vm1:~/ssh_test$ /usr/sbin/sshd -Ddf sshd_config >> sshd.out 2>&1 &
    [1] 27067
    user1@vm1:~/ssh_test$ scp -v -P 1024 vm1:.bashrc . 2>scp.out
    Environment:
    LANG=en_US.UTF-8
    USER=user1
    LOGNAME=user1
    HOME=/home/user1
    PATH=/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games
    MAIL=/var/mail/user1
    SHELL=/bin/bash
    SSH_CLIENT=127.0.1.1 47459 1024
    SSH_CONNECTION=127.0.1.1 47459 127.0.1.1 1024
    .bashrc 100% 3184 3.1KB/s 00:00
    [1]+ Exit 255 /usr/sbin/sshd -Ddf sshd_config >> sshd.out 2>&1

    Explanation

    1. Create the directory /home/user1/ssh_test.
    2. Make it the current working directory.
    3. Copy sshd_config into this directory.
    4. Change the port sshd listens on from 22 to 1024, naming the backup copy sshd_config.bak.
    5. Replace the location of the RSA host key.
    6. Replace the location of the DSA host key.
    7. Show the differences between the old and the new version of sshd_config.
    8. Generate a new 4096-bit RSA host key pair with an empty passphrase, saving it to /home/user1/ssh_test/ssh_host_rsa_key and /home/user1/ssh_test/ssh_host_rsa_key.pub.
    9. The same, but for a DSA key.
    10. Generate a new authentication key pair, saving it to /home/user1/.ssh/id_rsa and /home/user1/.ssh/id_rsa.pub.
    11. Copy id_rsa.pub to /home/user1/.ssh/authorized_keys to allow passwordless authentication.
    12. Start a new SSH server on port 1024 in debug mode, saving all of its output to sshd.out.
    13. Extract the host authentication key for the SSH client and feed it into /home/user1/.ssh/known_hosts.
    14. Start a new SSH server on port 1024 in debug mode again, appending all of its output to sshd.out. This is needed because in debug mode the SSH server serves only one connection.
    15. Connect to this server with the ssh client.
    16. Print the currently running processes as a tree. You can see that you are using a bash started by the sshd that serves your connection, and that this sshd was in turn started by the sshd you started yourself a few lines earlier.
    17. Log out of the ssh session.
    18. Start the SSH server again.
    19. Copy the file .bashrc from your home directory into the current directory.
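    Steps 4 to 6 rewrite sshd_config with sed patterns anchored to the exact default lines. If a directive is commented out (as many are in a stock sshd_config), such a pattern matches nothing and sshd quietly keeps its built-in default, so it pays to read the effective value back after editing. The script below is an added example, not part of the original exercise: set_option rewrites an active directive or appends it when no active line exists, and get_option reports the active values the way sshd reads them (comments skipped, keyword case ignored). The sample configuration is constructed in the style of the Debian file the exercise copies; the port and key paths are the exercise's own.

```sh
#!/bin/sh
# Added example, not part of the original exercise: edit and read back
# sshd_config directives without relying on an exact-match sed pattern.

# Constructed sample config, in the style of the Debian sshd_config the
# exercise copies. PasswordAuthentication is commented out on purpose.
SAMPLE_CONFIG='# Package generated configuration file
Port 22
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#PasswordAuthentication yes'

# get_option CONFIG KEYWORD: print the value of every active line for
# KEYWORD, one per line. Comments and blank lines are skipped and the
# keyword is matched case-insensitively, as sshd does. For most keywords
# sshd uses the first value it sees; Port and HostKey may legitimately repeat.
get_option() {
    printf '%s\n' "$1" | awk -v kw="$2" '
        NF == 0 || $1 ~ /^#/ { next }
        tolower($1) == tolower(kw) { print $2 }'
}

# set_option CONFIG KEYWORD OLD NEW: rewrite every active "KEYWORD OLD"
# line to "KEYWORD NEW"; if no such active line exists (for instance
# because the directive is commented out), append "KEYWORD NEW" so the
# setting takes effect instead of silently falling back to the default.
set_option() {
    printf '%s\n' "$1" | awk -v kw="$2" -v old="$3" -v new="$4" '
        NF > 0 && $1 !~ /^#/ && tolower($1) == tolower(kw) && $2 == old {
            print $1, new; hit = 1; next
        }
        { print }
        END { if (!hit) print kw, new }'
}

# Walk through the same edits as steps 4 to 6 of the exercise.
CONFIG=$(set_option "$SAMPLE_CONFIG" Port 22 1024)
CONFIG=$(set_option "$CONFIG" HostKey /etc/ssh/ssh_host_rsa_key /home/user1/ssh_test/ssh_host_rsa_key)
CONFIG=$(set_option "$CONFIG" HostKey /etc/ssh/ssh_host_dsa_key /home/user1/ssh_test/ssh_host_dsa_key)

echo "Port:"
get_option "$CONFIG" Port
echo "HostKey:"
get_option "$CONFIG" HostKey
echo "PasswordAuthentication (empty means sshd uses its default):"
get_option "$CONFIG" PasswordAuthentication
```

    On a real file, write the result of set_option back to sshd_config and then let sshd itself check it: sshd -t -f sshd_config reports syntax errors without starting the server, and sshd -T -f sshd_config prints the effective configuration, which is the authoritative way to confirm that the port and host keys you intended are the ones in force.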

    Extra credit

    Watch this video, which explains how encryption works: http://www.youtube.com/watch?v=3QnD2c4Xovk
    Read: http://docstore.mik.ua/orelly/networking_2ndEd/ssh/ch03_04.htm
    Read the debug output in the files ssh.out, scp.out and sshd.out. Explain to yourself what is happening.