• 练习 27:安全 Shell,sshsshdscp
    • 这样做
    • 你会看到什么
    • 解释
    • 附加题

    练习 27:安全 Shell,sshsshdscp

    原文:Exercise 27. Networking: secure shell, ssh, sshd, scp

    译者:飞龙

    协议:CC BY-NC-SA 4.0

    自豪地采用谷歌翻译

    你可能已经知道,SSH 是一种网络协议,允许你通过网络登录到vm1。让我们详细研究一下。

    安全 Shell(SSH)是一种网络协议,用于安全数据通信,远程 Shell 服务或命令执行,以及其它两个联网计算机之间的网络服务,它们通过不安全网络上的安全通道连接:服务器和客户端(运行 SSH 服务器和 SSH 客户端程序)。协议规范区分了两个主要版本,被称为 SSH-1 和 SSH-2。

    协议最著名的应用是,访问类 Unix 操作系统上的 shell 帐户。它为替代 Telnet 和其他不安全的远程 shell 协议而设计,如 Berkeley rsh 和 rexec 协议,它们以明文形式发送信息,特别是密码,使得它们易于使用封包分析来拦截和暴露。SSH 使用的加密 旨在通过不安全的网络(如互联网)提供数据的机密性和完整性。

    重要的 SSH 程序,概念和配置文件:

    • OpenSSH - 开源的 ssh 程序实现。
    • ssh - 允许你连接到 SSH 服务器的客户端程序。Putty 就是这样的客户端程序。
    • sshd - 服务器程序,允许你使用ssh连接到它。
    • /etc/ssh/ssh_config - 默认的客户端程序配置文件。
    • /etc/ssh/sshd_config - 默认服务器程序配置文件。
    • 公钥密码系统 - 一种需要两个单独密钥的加密系统,其中一个密钥是私钥,其中一个密钥是公钥。虽然不同,密钥对的两个部分在数学上是相关的。一旦密钥锁定或加密了明文,另一个密钥解锁或解密密文。两个密钥都不能执行这两个功能。其中一个密钥是公开发布的,另一个密钥是保密的。
    • SSH 密钥 - SSH 使用公钥密码系统来认证远程计算机,并允许它对用户进行认证(如有必要)。任何人都可以生成一对匹配的不同密钥(公钥和私钥)。公钥放置在所有计算机上,它们允许访问匹配的私钥的所有者(所有者使私钥保密)。虽然认证基于私钥,但认证期间密钥本身不会通过网络传输。
    • /etc/ssh/moduli - 质数及其生成器,由sshd(8)用于 Diffie-Hellman Group Exchange 密钥交换方法中。
    • /etc/ssh/ssh_host_dsa_key, /etc/ssh/ssh_host_rsa_key - 主机 RSA 和 DSA 私钥。
    • /etc/ssh/ssh_host_dsa_key.pub, /etc/ssh/ssh_host_rsa_key.pub - 主机 RSA 和 DSA 公钥。

    SSH 协议非常重要,因此被广泛使用,并且具有如此多的功能,你必须了解它的一些工作原理。这是它的一些用途:

    • scp - 通过 SSH 传输文件。
    • sftp - 类似 ftp 的协议,用于管理远程文件。
    • sshfs - SSH 上的远程文件系统。
    • SSH 隧道 - 一种通过安全连接,传输几乎任何数据的方法。这是非常重要的,因为它可以用于构建受保护系统的基础,以及许多其他用途。

    为了了解这个协议,让我们看看,在 SSH 会话中会发生了什么。为此,我们将开始研究vm1vm1的连接的带注解的输出(是的,这是可以做到的,也是完全有效的)。概述:

    2.     输入 SSH VM1 
    3.     控制权现在传递给 SSH 客户端
    4. SSH 客户端
    5.     进入明文阶段
    6.         读取配置
    7.          SSH 服务器进行协议协商
    8.     进入 SSH 传输阶段
    9.          SSH 服务器进行协商
    10.             数据加密密码 
    11.             数据完整性算法
    12.             数据压缩算法
    13.             使用 Diffie-Hellman 算法启动密钥交换
    14.             所得共享密钥用于建立安全连接
    15.     进入 SSH-userauth 阶段
    16.     要求你输入密码
    17.     控制权现在传递给你
    19.     输入密码
    20.     控制权现在传递给 SSH 客户端
    21. SSH 客户端
    22.      SSH 服务器对你进行认证
    23.     进入 SSH 连接阶段
    24.     为你分配伪终端
    25.     为你启动 shell
    26.     控制权现在传递给你
    28.      vm1 上做一些(没)有用的事情 
    29.     关闭 shell
    30.     控制全现在传递给 SSH 客户端
    31. SSH 客户端
    32.     关闭伪终端
    33.     关闭连接

    现在阅读这个:

    • SSH 协议揭秘
    • http://www.cs.ust.hk/faculty/cding/COMP581/SLIDES/slide24.pdf

    并研究 SSH 会话的真实输出:

    1. user1@vm1:~$ ssh -vv vm1
    3. Protocol version selection, plaintext
    4. -------------------------------------
    6. OpenSSH_5.5p1 Debian-6+squeeze2, OpenSSL 0.9.8o 01 Jun 2010
    7. # Speaks for itself, I will mark such entries with -- below
    8. debug1: Reading configuration data /etc/ssh/ssh_config
    9. # Applying default options for all hosts. Additional options for each host may be
    10. # specified in the configuration file
    11. debug1: Applying options for *
    12. debug2: ssh_connect: needpriv 0
    13. debug1: Connecting to vm1 [127.0.1.1] port 22.
    14. debug1: Connection established.
    15. debug1: identity file /home/user1/.ssh/id_rsa type -1      # no such files
    16. debug1: identity file /home/user1/.ssh/id_rsa-cert type -1
    17. debug1: identity file /home/user1/.ssh/id_dsa type -1
    18. debug1: identity file /home/user1/.ssh/id_dsa-cert type -1
    19. debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5p1 Debian-6+squeeze2
    20. debug1: match: OpenSSH_5.5p1 Debian-6+squeeze2 pat OpenSSH*
    21. debug1: Enabling compatibility mode for protocol 2.0
    22. debug1: Local version string SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze2
    23. debug2: fd 3 setting O_NONBLOCK
    25. SSH-transport, binary packet protocol
    26. -------------------------------------
    28. debug1: SSH2_MSG_KEXINIT sent
    29. debug1: SSH2_MSG_KEXINIT received
    30. # Key exchange algorithms
    31. debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    32. # SSH host key types
    33. debug2: kex_parse_kexinit: ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ssh-rsa,ssh-dss
    34. # Data encryption ciphers
    35. debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
    36. debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
    37. # Data integrity algorithms
    38. debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    39. debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    40. # Data compression algorithms
    41. debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
    42. debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
    43. debug2: kex_parse_kexinit:
    44. debug2: kex_parse_kexinit:
    45. debug2: kex_parse_kexinit: first_kex_follows
    46. debug2: kex_parse_kexinit: reserved 0
    47. # Messages back from server
    48. debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    49. debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
    50. debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
    51. debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
    52. debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    53. debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
    54. debug2: kex_parse_kexinit: none,zlib@openssh.com
    55. debug2: kex_parse_kexinit: none,zlib@openssh.com
    56. debug2: kex_parse_kexinit:
    57. debug2: kex_parse_kexinit:
    58. debug2: kex_parse_kexinit: first_kex_follows 0
    59. debug2: kex_parse_kexinit: reserved 0
    60. # Message authentication code setup
    61. debug2: mac_setup: found hmac-md5
    62. debug1: kex: server->client aes128-ctr hmac-md5 none
    63. debug2: mac_setup: found hmac-md5
    64. debug1: kex: client->server aes128-ctr hmac-md5 none
    65. # Key exchange
    66. debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    67. debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    68. debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    69. debug2: dh_gen_key: priv key bits set: 135/256
    70. debug2: bits set: 498/1024
    71. debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    72. debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    73. # Server authentication. vm1 host key is not known because it is our first connection
    74. debug2: no key of type 0 for host vm1
    75. debug2: no key of type 2 for host vm1
    76. # Confirmation of host key acceptance
    77. The authenticity of host 'vm1 '(127.0.1.1)' can't be established.
    78. RSA key fingerprint is b6:06:92:5e:04:49:d9:e8:57:90:61:1b:16:87:bb:09.
    79. Are you sure you want to continue connecting (yes/no)? yes
    80. Warning: Permanently added 'vm1' (RSA) to the list of known hosts.
    81. # Key is added to /home/user1/.ssh/known_hosts and checked
    82. debug2: bits set: 499/1024
    83. debug1: ssh_rsa_verify: signature correct
    84. # Based on shared master key, data encryption key and data integrity key are derived
    85. debug2: kex_derive_keys
    86. debug2: set_newkeys: mode 1
    87. # Information about this is sent to server
    88. debug1: SSH2_MSG_NEWKEYS sent
    89. debug1: expecting SSH2_MSG_NEWKEYS
    90. debug2: set_newkeys: mode 0
    91. debug1: SSH2_MSG_NEWKEYS received
    92. # IP roaming not enabled? Not sure about this.
    93. debug1: Roaming not allowed by server
    95. SSH-userauth
    96. ------------
    98. debug1: SSH2_MSG_SERVICE_REQUEST sent
    99. debug2: service_accept: ssh-userauth
    100. debug1: SSH2_MSG_SERVICE_ACCEPT received
    101. debug2: key: /home/user1/.ssh/id_rsa ((nil))
    102. debug2: key: /home/user1/.ssh/id_dsa ((nil))
    103. debug1: Authentications that can continue: publickey,password
    104. debug1: Next authentication method: publickey
    105. debug1: Trying private key: /home/user1/.ssh/id_rsa
    106. debug1: Trying private key: /home/user1/.ssh/id_dsa
    107. debug2: we did not send a packet, disable method
    108. debug1: Next authentication method: password
    109. user1@vm1''s password:
    110. debug2: we sent a password packet, wait for reply
    111. debug1: Authentication succeeded (password).
    113. SSH-connection
    114. --------------
    116. debug1: channel 0: new [client-session]
    117. debug2: channel 0: send open
    118. # Disable SSH mutiplexing.
    119. # More info: http://www.linuxjournal.com/content/speed-multiple-ssh-connections-same-server
    120. debug1: Requesting no-more-sessions@openssh.com
    121. debug1: Entering interactive session.
    122. debug2: callback start
    123. debug2: client_session2_setup: id 0
    124. debug2: channel 0: request pty-req confirm 1
    125. # Sending environment variables
    126. debug1: Sending environment.
    127. debug1: Sending env LANG = en_US.UTF-8
    128. debug2: channel 0: request env confirm 0
    129. debug2: channel 0: request shell confirm 1
    130. # Set TCP_NODELAY flag: http://en.wikipedia.org/wiki/Nagle%27s_algorithm
    131. debug2: fd 3 setting TCP_NODELAY
    132. debug2: callback done
    133. # Connection opened
    134. debug2: channel 0: open confirm rwindow 0 rmax 32768
    135. debug2: channel_input_status_confirm: type 99 id 0
    136. # Pseudo terminal allocation
    137. debug2: PTY allocation request accepted on channel 0
    138. debug2: channel 0: rcvd adjust 2097152
    139. debug2: channel_input_status_confirm: type 99 id 0
    140. # Shell is started
    141. debug2: shell request accepted on channel 0
    142. # Loggin in is completed
    143. Linux vm1 2.6.32-5-amd64 #1 SMP Sun May 6 04:00:17 UTC 2012 x86_64
    145. The programs included with the Debian GNU/Linux system are free software;
    146. the exact distribution terms for each program are described in the
    147. individual files in /usr/share/doc/*/copyright.
    149. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
    150. permitted by applicable law.
    151. You have mail.
    152. Last login: Thu Jul 19 05:14:40 2012 from 10.0.2.2
    153. user1@vm1:~$ debug2: client_check_window_change: changed
    154. debug2: channel 0: request window-change confirm 0
    155. user1@vm1:~$ debug2: client_check_window_change: changed
    156. debug2: channel 0: request window-change confirm 0
    157. user1@vm1:~$ logout
    159. Ending ssh connection
    160. ---------------------
    162. debug2: channel 0: rcvd eof   # end of file
    163. debug2: channel 0: output open -> drain
    164. debug2: channel 0: obuf empty
    165. debug2: channel 0: close_write
    166. debug2: channel 0: output drain -> closed
    167. debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
    168. # signalling that channels are half-closed for writing, through a channel protocol extension
    169. # notification "eow@openssh.com" http://www.openssh.com/txt/release-5.1
    170. debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
    171. debug2: channel 0: rcvd eow
    172. # Ending connection
    173. debug2: channel 0: close_read
    174. debug2: channel 0: input open -> closed
    175. debug2: channel 0: rcvd close
    176. debug2: channel 0: almost dead
    177. debug2: channel 0: gc: notify user
    178. debug2: channel 0: gc: user detached
    179. debug2: channel 0: send close
    180. debug2: channel 0: is dead
    181. debug2: channel 0: garbage collecting
    182. debug1: channel 0: free: client-session, nchannels 1
    183. Connection to vm1 closed.
    184. Transferred: sent 1928, received 2632 bytes, in 93.2 seconds
    185. Bytes per second: sent 20.7, received 28.2
    186. debug1: Exit status 0
    187. user1@vm1:~$

    现在,你将学习如何在调试模式下启动sshd,使用scp建立公钥认证和复制文件。

    这样做

    1.  1: mkdir -v ssh_test
    2.  2: cd ssh_test
    3.  3: cp -v /etc/ssh/sshd_config .
    4.  4: sed -i'.bak' 's/^Port 22$/Port 1024/' sshd_config
    5.  5: sed -i 's/^HostKey \/etc\/ssh\/ssh_host_rsa_key$/Hostkey \/home\/user1\/ssh_test\/ssh_host_rsa_key/' sshd_config
    6.  6: sed -i 's/^HostKey \/etc\/ssh\/ssh_host_dsa_key$/Hostkey \/home\/user1\/ssh_test\/ssh_host_dsa_key/' sshd_config
    7.  7: diff sshd_config.bak sshd_config
    8.  8: ssh-keygen -b 4096 -t rsa -N '' -v -h -f ssh_host_rsa_key
    9.  9: ssh-keygen -b 1024 -t dsa -N '' -v -h -f ssh_host_dsa_key
    10. 10: ssh-keygen -b 4096 -t rsa -N '' -v  -f ~/.ssh/id_rsa
    11. 11: cat ~/.ssh/id_rsa.pub > ~/.ssh/authorized_keys
    12. 12: /usr/sbin/sshd -Ddf sshd_config > sshd.out 2>&1 &
    13. 13: ssh-keyscan -H vm1 127.0.0.1 >> ~/.ssh/known_hosts
    14. 14: /usr/sbin/sshd -Ddf sshd_config >> sshd.out 2>&1 &
    15. 15: ssh vm1 -v -p 1024 2>ssh.out
    16. 16: ps au --forest
    17. 17: logout
    18. 18: /usr/sbin/sshd -Ddf sshd_config >> sshd.out 2>&1 &
    19. 19: scp -v -P 1024 vm1:.bashrc . 2>scp.out

    你会看到什么

    1. user1@vm1:~$ mkdir -v ssh_test
    2. mkdir: created directory 'ssh_test'
    3. user1@vm1:~$ cd ssh_test
    4. user1@vm1:~/ssh_test$ cp -v /etc/ssh/sshd_config .
    5. '/etc/ssh/sshd_config' -> './sshd_config'
    6. user1@vm1:~/ssh_test$ sed -i'.bak' 's/^Port 22$/Port 1024/' sshd_config
    7. user1@vm1:~/ssh_test$ sed -i 's/^HostKey \/etc\/ssh\/ssh_host_rsa_key$/Hostkey \/home\/user1\/ssh_test\/ssh_host_rsa_key/' sshd_config
    8. user1@vm1:~/ssh_test$ sed -i 's/^HostKey \/etc\/ssh\/ssh_host_dsa_key$/Hostkey \/home\/user1\/ssh_test\/ssh_host_dsa_key/' sshd_config
    9. user1@vm1:~/ssh_test$ diff sshd_config.bak sshd_config
    10. 5c5
    11. < Port 22
    12. ---
    13. > Port 1024
    14. 11,12c11,12
    15. < HostKey /etc/ssh/ssh_host_rsa_key
    16. < HostKey /etc/ssh/ssh_host_dsa_key
    17. ---
    18. > Hostkey /home/user1/ssh_test/ssh_host_rsa_key
    19. > Hostkey /home/user1/ssh_test/ssh_host_dsa_key
    20. user1@vm1:~/ssh_test$ ssh-keygen -b 4096 -t rsa -N '' -v -h -f ssh_host_rsa_key
    21. Generating public/private rsa key pair.
    22. Your identification has been saved in ssh_host_rsa_key.
    23. Your public key has been saved in ssh_host_rsa_key.pub.
    24. The key fingerprint is:
    25. 8c:0a:8d:ae:c7:34:e6:29:9c:c2:14:29:b8:d9:1d:34 user1@vm1
    26. 'The key's randomart image is:
    27. +--[ RSA 4096]----+
    28. |                 |
    29. |    E            |
    30. |. .. .           |
    31. |oo o.  o         |
    32. |.++.... S        |
    33. |oo=...           |
    34. |+=oo.            |
    35. |o==              |
    36. |oo               |
    37. +-----------------+
    38. user1@vm1:~/ssh_test$ ssh-keygen -b 1024 -t dsa -N '' -v -h -f ssh_host_dsa_key
    39. Generating public/private dsa key pair.
    40. Your identification has been saved in ssh_host_dsa_key.
    41. Your public key has been saved in ssh_host_dsa_key.pub.
    42. The key fingerprint is:
    43. cd:6b:2a:a2:ba:80:65:71:85:ef:2e:6a:c0:a7:d9:aa user1@vm1
    44. 'The key's randomart image is:
    45. +--[ DSA 1024]----+
    46. |     ..          |
    47. |    ..           |
    48. |  . ..           |
    49. |   o  .  o       |
    50. |. o  .  S o      |
    51. |o+ .  .    .     |
    52. |o.=  .    o      |
    53. |.o..o o  o       |
    54. |E=+o o ..        |
    55. +-----------------+
    56. user1@vm1:~/ssh_test$ ssh-keygen -b 4096  -t rsa -N '' -v  -f ~/.ssh/id_rsa
    57. Generating public/private rsa key pair.
    58. Your identification has been saved in /home/user1/.ssh/id_rsa.
    59. Your public key has been saved in /home/user1/.ssh/id_rsa.pub.
    60. The key fingerprint is:
    61. 50:65:18:61:3f:41:36:07:4f:40:36:a7:4b:6d:64:28 user1@vm1
    62. 'The key's randomart image is:
    63. +--[ RSA 4096]----+
    64. |        =B&+*    |
    65. |       oE=.&     |
    66. |      .  .= +    |
    67. |       . . +     |
    68. |        S .      |
    69. |                 |
    70. |                 |
    71. |                 |
    72. |                 |
    73. +-----------------+
    74. user1@vm1:~/ssh_test$ cat ~/.ssh/id_rsa.pub > ~/.ssh/authorized_keys
    75. user1@vm1:~/ssh_test$ /usr/sbin/sshd -Ddf sshd_config > sshd.out 2>&1 &
    76. [2] 26896
    77. user1@vm1:~/ssh_test$ ssh-keyscan -H vm1 127.0.0.1 >> ~/.ssh/known_hosts
    78. # 127.0.0.1 SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze2
    79. # vm1 SSH-2.0-OpenSSH_5.5p1 Debian-6+squeeze2
    80. [2]+  Exit 255                /usr/sbin/sshd -Ddf sshd_config > sshd.out 2>&1
    81. user1@vm1:~/ssh_test$ /usr/sbin/sshd -Ddf sshd_config >> sshd.out 2>&1 &
    82. [1] 26957
    83. user1@vm1:~/ssh_test$ ssh vm1 -v -p 1024 2>ssh.out
    84. Linux vm1 2.6.32-5-amd64 #1 SMP Sun May 6 04:00:17 UTC 2012 x86_64
    86. The programs included with the Debian GNU/Linux system are free software;
    87. the exact distribution terms for each program are described in the
    88. individual files in /usr/share/doc/*/copyright.
    90. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
    91. permitted by applicable law.
    92. You have mail.
    93. Last login: Fri Jul 20 09:10:30 2012 from vm1.site
    94. Environment:
    95.   LANG=en_US.UTF-8
    96.   USER=user1
    97.   LOGNAME=user1
    98.   HOME=/home/user1
    99.   PATH=/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games
    100.   MAIL=/var/mail/user1
    101.   SHELL=/bin/bash
    102.   SSH_CLIENT=127.0.1.1 47456 1024
    103.   SSH_CONNECTION=127.0.1.1 47456 127.0.1.1 1024
    104.   SSH_TTY=/dev/pts/0
    105.   TERM=xterm
    106. user1@vm1:~$ ps au --forest
    107. USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
    108. user1    26224  0.0  1.2  23660  6576 pts/2    Ss   09:09   0:01 -bash
    109. user1    27020  1.0  0.6  68392  3236 pts/2    S    09:50   0:00  \_ sshd: user1 [priv]
    110. user1    27025  0.0  0.2  68392  1412 pts/2    S    09:50   0:00  |   \_ sshd: user1@pts/0
    111. user1    27026  9.0  1.2  23564  6404 pts/0    Ss   09:50   0:00  |       \_ -bash
    112. user1    27051  0.0  0.2  16308  1060 pts/0    R+   09:50   0:00  |           \_ ps au --forest
    113. user1    27021  1.1  0.5  38504  2880 pts/2    S+   09:50   0:00  \_ ssh vm1 -v -p 1024
    114. root      1107  0.0  0.1   5932   620 tty6     Ss+  Jul18   0:00 /sbin/getty 38400 tty6
    115. root      1106  0.0  0.1   5932   616 tty5     Ss+  Jul18   0:00 /sbin/getty 38400 tty5
    116. root      1105  0.0  0.1   5932   620 tty4     Ss+  Jul18   0:00 /sbin/getty 38400 tty4
    117. root      1104  0.0  0.1   5932   620 tty3     Ss+  Jul18   0:00 /sbin/getty 38400 tty3
    118. root      1103  0.0  0.1   5932   616 tty2     Ss+  Jul18   0:00 /sbin/getty 38400 tty2
    119. root      1102  0.0  0.1   5932   616 tty1     Ss+  Jul18   0:00 /sbin/getty 38400 tty1
    120. user1@vm1:~$ logout
    121. user1@vm1:~/ssh_test$
    122. [1]+  Exit 255                /usr/sbin/sshd -Ddf sshd_config > sshd.out 2>&1
    123. user1@vm1:~/ssh_test$ /usr/sbin/sshd -Ddf sshd_config >> sshd.out 2>&1 &
    124. [1] 27067
    125. user1@vm1:~/ssh_test$ scp -v -P 1024 vm1:.bashrc . 2>scp.out
    126. Environment:
    127.   LANG=en_US.UTF-8
    128.   USER=user1
    129.   LOGNAME=user1
    130.   HOME=/home/user1
    131.   PATH=/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games
    132.   MAIL=/var/mail/user1
    133.   SHELL=/bin/bash
    134.   SSH_CLIENT=127.0.1.1 47459 1024
    135.   SSH_CONNECTION=127.0.1.1 47459 127.0.1.1 1024
    136. .bashrc                                                                                                                     100% 3184     3.1KB/s   00:00
    137. [1]+  Exit 255                /usr/sbin/sshd -Ddf sshd_config >> sshd.out 2>&1

    解释

    1. 创建/home/user1/ssh_test目录。
    2. 使其成为当前工作目录。
    3. sshd_config复制到此目录。
    4. sshd监听端口从 22 更改为 1024,将副本命名为sshd_config.bak
    5. 替换 RSA 主机密钥位置。
    6. 替换 DSA 主机密钥位置。
    7. 显示sshd_config的旧版本和新版本之间的差异。
    8. 生成具有空密码的,新的 4096 位 RSA 主机密钥对,将其保存到/home/user1/ssh_test/ssh_host_rsa_key/home/user1/ssh_test/ssh_host_rsa_key.pub
    9. 同样的,但是对 DSA 密钥执行。
    10. 生成新的认证密钥对,将其保存到/home/user1/.ssh/id_rsa/home/user1/.ssh/id_rsa.pub
    11. id_rsa.pub复制到/home/user1/.ssh/authorized_keys,来允许无密码认证。
    12. 在调试模式下,在端口 1024 上启动新的 SSH 服务器,将所有输出保存到sshd.log
    13. 提取 SSH 客户端的主机认证密钥,并将其提供给/home/user1/.ssh/known_hosts
    14. 在调试模式下,在端口 1024 上启动新的 SSH 服务器,将所有输出附加到sshd.log。这是因为在调试模式下, SSH 服务器只维护一个连接。
    15. 使用ssh客户端连接到此服务器。
    16. 以树形式打印当前正在运行的进程。你可以看到,你正在使用sshd启动的 bash,它服务于你的连接,而sshd又是由sshd启动,你在几行之前启动了你自己。。
    17. 退出ssh会话。
    18. 再次启动 SSH 服务器。
    19. 将文件.bashrc从你的主目录复制到当前目录。

    附加题

    观看此视频,它解释了加密如何工作:http://www.youtube.com/watch?v=3QnD2c4Xovk
    阅读:http://docstore.mik.ua/orelly/networking_2ndEd/ssh/ch03_04.htm
    阅读文件ssh.outscp.outsshd.out中的调试输出。向你自己解释发生了什么。