
How to configure and use the SSH port? Step-by-step instructions

Secure Shell, abbreviated SSH, is one of the most advanced technologies for protecting data in transit. Using this mode on an ordinary router not only keeps the transmitted information confidential but also speeds up the exchange of packets. However, not everyone knows how to open an SSH port, or why all of this is needed. In this article we try to give a constructive explanation.

SSH port: what is it and why is it needed?

Since we are talking about security, in this context the SSH port should be understood as a dedicated channel in the form of a tunnel that provides encryption of the data.

The most basic idea of this tunnel is that an open SSH port is used by default to encrypt the information at the source and decrypt it at the endpoint. This can be explained as follows: whether you like it or not, the transmitted traffic, unlike IPsec, is encrypted compulsorily, both at the output of one network terminal and at the input of the receiving side. To decrypt the information transmitted over this channel, the receiving terminal uses a special key. In other words, without the key no one can interfere with the transfer or break the integrity of the transmitted data at that moment.

Simply opening an SSH port on any router, or using the appropriate settings of an additional client that interacts directly with the SSH server, lets you use all the features of the security system of modern networks in full. Here we are concerned with how to use the port that is assigned by default, or a custom value. These settings may look awkward to apply, but without an understanding of how such a connection is organized you will not get far.

Standard SSH port

As with any router, you first have to check which software will be used to activate this connection. In fact, the default SSH port can have different values. Everything depends on which method is being used at the moment (a direct connection to the server, installation of an additional client, port forwarding, and so on).

For example, if a Jabber client is used, port 443 must be used for a correct connection, encryption and data transfer, although in the standard variant port 22 is set.

To reconfigure the router so that it provides the necessary conditions for a certain program or process, SSH port forwarding must be performed. What is it? It is the assignment of a specific access to a particular program that uses an Internet connection, regardless of which data exchange protocol is in use at the moment (IPv4 or IPv6).

In fairness

The standard SSH port 22 is not always used, as is already clear. However, it is worth pointing out several characteristics and settings that are used during setup.

Why does the encrypted data transfer protocol use SSH as a dedicated user (guest) port? Only because the tunneling that is applied allows the use of the so-called remote shell (SSH), gives access to terminal control through a remote login (slogin), and applies procedures for remote copying (SCP).

In addition, the SSH port may be activated when the user needs to execute remote X Window scripts, which in the simplest case is a transfer of information from one machine to another, as already mentioned, with forced encryption of the data. In such situations the most appropriate choice is an algorithm based on AES. This is a symmetric encryption algorithm that was originally provided in SSH technology. And using it is not only possible but necessary.

History of the implementation

The technology itself has existed for a long time. Let us set aside the question of how to open the SSH port and concentrate on how all of this works.

Usually it comes down to using a Socks-based proxy or to VPN tunneling. If a software application can work with a VPN, it is better to choose this option. The fact is that practically all currently known programs that use Internet traffic can work with a VPN, and configuring the routing is not difficult. As in the case of proxy servers, this allows the external address of the terminal from which the network exit is currently made to remain unrecognized. That is, with a proxy the address changes constantly, whereas in the VPN variant it remains unchanged, fixed to a certain region other than the one in which there is a ban on access.

The very technology that provides an SSH port was developed in 1995 at the University of Technology in Finland (SSH-1). In 1996 an improvement was added in the form of the SSH-2 protocol, which became quite widespread in the post-Soviet space, although there, as well as in some Western European countries, it is sometimes necessary to obtain permission to use this tunnel, and from government agencies at that.

The main advantage of opening an SSH port, as opposed to telnet or rlogin, is the use of an RSA or DSA digital signature (the use of a pair consisting of a public and a private key). In addition, in this situation the so-called session key based on the Diffie-Hellman algorithm can be used, which involves symmetric encryption at the output, but does not exclude the use of asymmetric encryption algorithms during the transmission and reception of data by another machine.

Servers and shells

On Windows or Linux, opening an SSH port is not that difficult. The only question is which tools will be used for this purpose.

In this sense it is worth paying attention to the question of data transmission and authentication. First, the protocol itself is sufficiently protected from so-called sniffing, which is the most common "wiretapping" of traffic. SSH-1 proved to be vulnerable to attacks. Interference in the process of data transfer in the form of a "man in the middle" scheme had its results: the information could simply be intercepted and decrypted quite elementarily. But the second version (SSH-2) was immune to this kind of intrusion, called session hijacking, thanks to which it became the most popular.

Security restrictions

As for the security of transmitted and received data, the organization of a connection created with this technology allows the following problems to be avoided:

  • identification of the host key at the transmission stage, when a "snapshot" of the fingerprint is used;
  • support for Windows and UNIX-like systems;
  • substitution of IP and DNS addresses (spoofing);
  • interception of open passwords with physical access to the data channel.

In fact, the whole organization of such a system is built on the "client-server" principle, that is, first of all the user's computer, through a special program or add-in, calls the server, which performs the corresponding redirection.

Tunneling

It goes without saying that to implement a connection of this kind a special driver must be installed on the system.

Usually, on Windows-based systems this is the Microsoft Teredo driver built into the program shell, which is a kind of virtual tool for emulating IPv6 in networks that support only IPv4. By default the tunnel adapter is active. If failures related to it occur, you can simply restart the system or execute the shutdown and restart commands from the command console. The following lines are used to deactivate it:

  • netsh;
  • interface teredo set state disabled;
  • interface isatap set state disabled.

After entering the commands, you should restart. To re-enable the adapter and check its status, enter enabled instead of disabled, after which, again, the whole system should be restarted.

SSH server

Now let us see which SSH port is used as the main one, starting from the "client-server" scheme. Usually port 22 is used by default, but, as mentioned above, port 443 can also be used. The only question is the preference of the server itself.

The most common SSH servers are considered to be the following:

  • for Windows: Tectia SSH Server, OpenSSH with Cygwin, MobaSSH, KpyM Telnet/SSH Server, WinSSHD, copssh, freeSSHd;
  • for FreeBSD: OpenSSH;
  • for Linux: Tectia SSH Server, ssh, openssh-server, lsh-server, dropbear.

All of these servers are free. However, you can also find paid services that provide a higher level of security, which is essential for organizing network access and information security in enterprises. The cost of such services is not discussed here. In general, though, it can be said that they are relatively inexpensive, even compared with the installation of specialized software or a "hardware" firewall.

SSH client

The SSH port can be changed either in the client program or in the corresponding settings when forwarding ports on your router.

As for the client shell, the following software products can be used on different systems:

  • Windows: SecureCRT, PuTTY, Axessh, ShellGuard, SSHWindows, ZOC, XShell, ProSSHD and others;
  • Mac OS X: iTerm2, vSSH, NiftyTelnet SSH;
  • Linux and BSD: lsh-client, kdessh, openssh-client, Vinagre, PuTTY.

Public-key authentication and changing the port

Now a few words about how the server is verified and configured. In the simplest case a configuration file (sshd_config) is used. However, you can do without it, for example when using programs like PuTTY. Changing the SSH port from the default value (22) to any other is quite elementary.

The main thing is that the number of the port you open must not exceed 65535 (higher ports simply do not exist). In addition, pay attention to ports that are open by default and may be used by services such as MySQL or FTPD databases. If you assign them to the SSH configuration, they will, of course, simply stop working.
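As an added Python example (not the article's own code), the helper below checks a candidate port against the two limits just described, the 1-65535 range and ports already bound by other daemons, and rewrites the Port directive of an sshd_config text; the sample config and the set of busy ports are constructed assumptions.

```python
# Added example (not the article's code): validate a new sshd port and rewrite
# the Port directive of an sshd_config text. The sample config and the set of
# ports already bound by other daemons are constructed for illustration.
import re

SAMPLE_CONFIG = """# sshd_config (constructed sample)
#Port 22
Port 22
PermitRootLogin no
"""

# Assumed to be bound by other services on the host (the MySQL / FTPD case).
PORTS_IN_USE = {21: "ftpd", 3306: "mysqld"}

# Active (uncommented) Port directive; sshd keywords are case-insensitive.
PORT_RE = re.compile(r"^\s*Port\s+(\d+)\s*$", re.IGNORECASE)


def current_ports(config_text):
    """Ports sshd would listen on; with no Port line it listens on 22."""
    found = [int(m.group(1)) for m in map(PORT_RE.match, config_text.splitlines()) if m]
    return found or [22]


def port_problem(port, in_use=PORTS_IN_USE):
    """Reason the port cannot be used, or None if it is acceptable."""
    if not 1 <= port <= 65535:
        return f"port {port} is outside the valid range 1-65535"
    if port in in_use:
        return f"port {port} is already used by {in_use[port]}"
    return None


def set_port(config_text, new_port, in_use=PORTS_IN_USE):
    """Config with exactly one active Port line set to new_port."""
    reason = port_problem(new_port, in_use)
    if reason:
        raise ValueError(reason)
    out, replaced = [], False
    for line in config_text.splitlines():
        if PORT_RE.match(line):  # commented-out lines do not match and are kept
            if not replaced:
                out.append(f"Port {new_port}")
                replaced = True
            continue  # drop surplus Port lines so the old port is not kept open
        out.append(line)
    if not replaced:
        out.append(f"Port {new_port}")
    return "\n".join(out) + "\n"


def client_command(host, port, user="user"):
    """Clients must be told the non-default port explicitly (ssh -p)."""
    return f"ssh -p {port} {user}@{host}"
```

After writing the returned text back to sshd_config, sshd must be restarted for the new port to take effect.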

It is worth noting that the same Jabber client must be run in the same environment as the SSH server, for example on a virtual machine. And the localhost server itself must be assigned the value 4430 (instead of 443, as mentioned above). Such a configuration can be used when access to the main jabber.example.com file is restricted by the firewall.

On the other hand, switching to other ports can be done on the router using the settings of its interface by creating exception rules. On most models you log in by entering an address beginning with 192.168 followed by 0.1 or 1.1, but on routers that combine the functions of ADSL modems, such as Mikrotik, the end address uses 88.1.

In this case a new rule is created, then the necessary parameters are set, for example dst-nat for establishing an external connection, and the ports are entered manually not in the general settings section but in the action preferences section (Action). There is nothing particularly complicated here. The main thing is to specify the required values of the settings and set the correct port. By default you can use port 22, but if a specialized client is used (some of those listed above for different systems), the value can be changed arbitrarily, as long as this parameter does not exceed the stated value above which port numbers simply do not exist.

When setting up the connection you should also pay attention to the parameters of the client program. It may well be that in its settings you have to specify a minimum key length (512), although by default 768 is usually set. It is also desirable to set the login timeout to 600 seconds and to allow remote login with root rights. After applying these settings, you must also allow the use of all authentication rights other than those based on .rhost (but this is needed only by system administrators).

Among other things, if the username registered in the system is not the same as the one being entered at the moment, it must be specified explicitly using the ssh user master command with additional parameters (for those who understand what is at stake).

The ~/.ssh/id_dsa command can be used for converting the key and the encryption method (or RSA). To create a public key, conversion is applied via the line ~/.ssh/identity.pub (but this is not mandatory). As practice shows, though, the simplest way is to use commands like ssh-keygen. Here the essence of the matter comes down to adding the key to the available authentication tools (~/.ssh/authorized_keys).
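The last step, adding a public key to ~/.ssh/authorized_keys, as an added Python example that is not the article's code: it checks that a public-key line is well-formed before appending it and refuses duplicates even when the comment differs; the key blobs are constructed placeholders rather than keys produced by ssh-keygen, and the file lives in a temporary directory.

```python
# Added example (not the article's code): check a public-key line and append it
# to authorized_keys only once. The blobs are constructed placeholders built in
# the SSH wire format so the declared type can be cross-checked against them.
import base64
import os
import struct
import tempfile


def make_fake_pubkey_line(key_type, payload, comment):
    """Constructed authorized_keys line; payload stands in for real key material."""
    t = key_type.encode()
    blob = struct.pack(">I", len(t)) + t + struct.pack(">I", len(payload)) + payload
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"


def parse_pubkey_line(line):
    """Return (type, blob) for a well-formed line, else raise ValueError."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("blob is not valid base64") from exc
    # The blob starts with a length-prefixed copy of the key type; it must agree.
    if len(blob) < 4 or blob[4:4 + struct.unpack(">I", blob[:4])[0]] != key_type.encode():
        raise ValueError("declared key type does not match the blob")
    return key_type, blob


def add_authorized_key(path, line):
    """Append line to authorized_keys at path; return False if already present."""
    key = parse_pubkey_line(line)
    if os.path.exists(path):
        with open(path) as fh:
            for existing in fh:  # match on (type, blob), so comments do not matter
                try:
                    if parse_pubkey_line(existing) == key:
                        return False
                except ValueError:
                    continue  # leave lines that do not parse alone
    with open(path, "a") as fh:
        fh.write(line.strip() + "\n")
    os.chmod(path, 0o600)  # sshd ignores key files writable by other users
    return True


def demo():
    """Add one constructed key twice, the second time with another comment."""
    path = os.path.join(tempfile.mkdtemp(), "authorized_keys")
    key = make_fake_pubkey_line("ssh-rsa", b"\x00\x01\x00\x01", "user@laptop")
    again = key.rsplit(" ", 1)[0] + " user@desktop"
    first, second = add_authorized_key(path, key), add_authorized_key(path, again)
    with open(path) as fh:
        return first, second, len(fh.readlines())
```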

But we have strayed too far. Returning to the question of the SSH port value: as is already clear, changing the SSH port is not that difficult. However, in some situations, as they say, you will have to sweat, because all the values of the main parameters have to be taken into account. The rest of the configuration comes down to entering the settings in the server or client program (if it provides them), or to using port forwarding on the router. But even when changing the default port 22 to the same port 443, you should clearly understand that such a scheme does not always work, but only when the same Jabber add-in is installed (other analogues may use their own ports, different from the standard). In addition, special attention should be paid to the settings of the SSH client that will interact directly with the SSH server, if that is really what the current connection is going to be used for.

For the rest, if port forwarding is not provided initially (although it is desirable to perform such actions), the settings and parameters for SSH access can be left unchanged. There are generally no particular problems in creating a connection and using it afterwards (unless, of course, the server and client configuration is done by hand). In most cases, creating exception rules on the router lets you fix any problems or avoid them altogether.

Copyright © 2018 hmn.delachieve.com. Theme powered by WordPress.