NotePublic/Software/Applications/SSH/Linux_SSH_服务的安装和使用.md

275 lines
7.7 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

---
layout: post
title: "Linux SSH 服务的安装和使用"
subtitle: ""
description: "本文简要的对 Linux 下 SSH 服务的安装、配置和使用进行说明。"
excerpt: "用于指导 Linux 下 SSH 服务的配置。"
date: 2022-10-10 16:48:00
author: "Rick Chan"
tags: ["Applications", "SSH"]
categories: ["Software"]
published: true
math: false
---
- [1. 安装 SSH Server](#1-安装-ssh-server)
- [2. 开启 SSH 服务](#2-开启-ssh-服务)
- [3. SSH 登陆](#3-ssh-登陆)
- [4. SCP 上传和下载](#4-scp-上传和下载)
- [5. 免密访问](#5-免密访问)
- [6. Client SSH Config 文件](#6-client-ssh-config-文件)
- [6.1. 增加 ssh-rsa 授权方式](#61-增加-ssh-rsa-授权方式)
- [6.2. 设置 Host 用户名和端口](#62-设置-host-用户名和端口)
- [6.3. 关闭授权验证](#63-关闭授权验证)
- [7. SSH 隧道](#7-ssh-隧道)
- [8. 常见问题汇总](#8-常见问题汇总)
- [8.1. timeout in locking authority file /home//.Xauthority](#81-timeout-in-locking-authority-file-homexauthority)
## 1. 安装 SSH Server
```bash
# Ubuntu
sudo apt install openssh-server
# Manjaro
sudo pacman -S openssh
# 生成 Host Key
sudo ssh-keygen -A
```
## 2. 开启 SSH 服务
当目标机上有 SSHD 的情况下,可以开启 SSHD 服务。编写 sshd_config 文件,放置到 /etc/ssh 下,内容如下:
```ini
# Package generated configuration file
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 120
#PermitRootLogin prohibit-password
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
#Subsystem sftp /usr/lib/openssh/sftp-server
Subsystem sftp internal-sftp
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
```
注意以上配置使用了内置 SFTP 服务“Subsystem sftp internal-sftp”。之后既可以使用 SCP 上传和下载文件,也可以使用 SFTP 上传下载文件。
之后在目标机上
```bash
# 开机自运行
sudo systemctl enable sshd.service
# 启动 sshd 服务
sudo systemctl start sshd.service
# 查看 sshd 服务状态
sudo systemctl status sshd.service
# 或ubuntu12
sudo /etc/init.d/ssh restart
```
如果没有 systemd可以使用如下命令
```bash
sudo service ssh start
```
## 3. SSH 登陆
在开发机上
```bash
ssh <User Name>@<IP> -p <port>
```
不加 -p 参数,则默认使用 22 端口。
## 4. SCP 上传和下载
SCP 上传
```bash
scp <Local Path or File> <User Name>@<IP>:<Path or File>
```
SCP 下载
```bash
scp <User Name>@<IP>:<Path or File> <Local Path or File>
```
SCP 一次传输多个文件
```bash
scp <User Name>@<IP>:<Path>/\{file1,file2\} .
# 还可以使用正则表达式,如:
scp <User Name>@<IP>:<Path>/* .
scp <User Name>@<IP>:<Path>/*.txt .
```
## 5. 免密访问
ssh 登陆或 scp 的时候每次都输入密码很麻烦,如果用于访问 SSH 服务器的客户端值得信任的话可以授权该主机用户免密登陆。做法是先在客户端生成密钥对,如果已有密钥对可跳过本步骤:
```bash
ssh-keygen
```
之后在客户端使用:
```bash
ssh-copy-id -p <port> <User Name>@<IP>
# 后续按照提示进行操作即可
```
命令将客户端的 ssh public key 提供给服务器,之后该客户端的授权账号(拥有该密钥对的账号)就可以免密访问服务器了。
在服务器的 \<User Home\>/.ssh/authorized_keys 文件中可以看到已授权客户端公钥,删除公钥可取消对应客户端账户的免密访问权限。
## 6. Client SSH Config 文件
Client SSH Config 一般为 ~/.ssh/config可用于 Host 配置,包括设置授权方式,设置 Host 用户名和端口等。
### 6.1. 增加 ssh-rsa 授权方式
当出现以下问题:
```bash
no matching host key type found. Their offer: ssh-rsa
```
可通过修改 ~/.ssh/config 来解决:
```bash
Host *
HostkeyAlgorithms +ssh-rsa
PubkeyAcceptedKeyTypes +ssh-rsa
```
### 6.2. 设置 Host 用户名和端口
```bash
Host <addr>
HostName <name>
User <usr>
Port <port>
```
### 6.3. 关闭授权验证
SSH 客户端每连接一台新主机都要进行授权验证,并询问用户是否同一,并将主机信息记录到 known_hsots 文件里。有些时候需要使用自动化流程,此时无法处理授权验证过程,此时可修改 ~/.ssh/config 文件(不存在则手动创建),增加如下两行:
```bash
StrictHostKeyChecking no
UserKnownHostsFile /dev/null
```
*关闭授权验证将增加 SSH 的安全隐患。*
## 7. SSH 隧道
可以通过 SSH 隧道创建基于 SSH 加密传输的其他服务。比如通过 SSH 隧道创建远程桌面 VNC示例如下
```bash
# Server 端开启 SSH 服务后再开启 VNC 服务,默认使用 5901 端口
vncserver :1
# Client 端通过 SSH 隧道将 Server 的 5901 端口映射到本地的 5901 端口
ssh -g -L 5901:localhost:5901 [-p <server ssh port>] <user>@<remote addr>
# 输入密码后登录服务器
# Client 通过 VNC 客户端连接 localhost:5901 即可访问 Server 的 VNC 服务
# 使用完毕后退出登录即可关闭 SSH 隧道
```
## 8. 常见问题汇总
### 8.1. timeout in locking authority file /home/<user>/.Xauthority
SSH 客户端连接到服务器时卡顿并出现“/usr/bin/xauth: timeout in locking authority file /home/\<user>/.Xauthority”错误。
通过 strace 可以发现xauth 会不断去访问 .Xauthority-* 文件,这些是用于 xauth 的 lock 文件,可能是某些访问异常中断导致这些文件残留,此时直接删除掉对应的文件即可。
```bash
rm -rf ~/.Xauthority-*
```